===========================================================================

AUSCERT External Security Bulletin Redistribution

ESB-2009.0582 -- [Appliance][Mac][OSX] iPhone: Multiple Vulnerabilities

18 June 2009

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           iPhone OS
Publisher:         Apple
Operating System:  Network Appliance
                   Mac OS X
Impact:            Execute Arbitrary Code/Commands
                   Access Confidential Data
                   Denial of Service
                   Cross-site Scripting
                   Reduced Security
Access:            Remote/Unauthenticated
CVE Names:         CVE-2009-1702 CVE-2009-1701 CVE-2009-1700
                   CVE-2009-1699 CVE-2009-1698 CVE-2009-1697
                   CVE-2009-1696 CVE-2009-1695 CVE-2009-1694
                   CVE-2009-1693 CVE-2009-1692 CVE-2009-1691
                   CVE-2009-1690 CVE-2009-1689 CVE-2009-1688
                   CVE-2009-1687 CVE-2009-1686 CVE-2009-1685
                   CVE-2009-1684 CVE-2009-1683 CVE-2009-1681
                   CVE-2009-1680 CVE-2009-1679 CVE-2009-1179
                   CVE-2009-0961 CVE-2009-0960 CVE-2009-0959
                   CVE-2009-0958 CVE-2009-0946 CVE-2009-0945
                   CVE-2009-0165 CVE-2009-0155 CVE-2009-0153
                   CVE-2009-0147 CVE-2009-0146 CVE-2009-0145
                   CVE-2009-0040 CVE-2008-4409 CVE-2008-4226
                   CVE-2008-4225 CVE-2008-3652 CVE-2008-3651
                   CVE-2008-3623 CVE-2008-3529 CVE-2008-3281
                   CVE-2008-2320
Ref:               ESB-2009.0541
                   ESB-2009.0459
                   ESB-2008.1123

Original Bulletin:
   http://support.apple.com/kb/HT3639

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2009-06-17-1 iPhone OS 3.0 Software Update

iPhone OS 3.0 Software Update is now available and addresses the following:

CoreGraphics
CVE-ID: CVE-2008-3623
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of color spaces within CoreGraphics. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.

CoreGraphics
CVE-ID: CVE-2009-0145
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in CoreGraphics' handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds and error checking.

CoreGraphics
CVE-ID: CVE-2009-0146, CVE-2009-0147, CVE-2009-0165
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing or downloading a PDF file containing a maliciously crafted JBIG2 stream may lead to an unexpected application termination or arbitrary code execution
Description: Multiple heap buffer overflows exist in CoreGraphics' handling of PDF files containing JBIG2 streams. Viewing or downloading a PDF file containing a maliciously crafted JBIG2 stream may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Apple, Alin Rad Pop of Secunia Research, and Will Dormann of CERT/CC for reporting this issue.

CoreGraphics
CVE-ID: CVE-2009-0155
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: An integer underflow in CoreGraphics' handling of PDF files may result in a heap buffer overflow. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Barry K. Nathan for reporting this issue.

CoreGraphics
CVE-ID: CVE-2009-1179
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow in CoreGraphics' handling of PDF files may result in a heap buffer overflow. Opening a PDF file containing a maliciously crafted JBIG2 stream may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Will Dormann of CERT/CC for reporting this issue.

CoreGraphics
CVE-ID: CVE-2009-0946
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Multiple vulnerabilities in FreeType v2.3.8
Description: Multiple integer overflows exist in FreeType v2.3.8, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking. Credit to Tavis Ormandy of the Google Security Team for reporting these issues.

Exchange
CVE-ID: CVE-2009-0958
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Connecting to a malicious Exchange server may lead to the disclosure of sensitive information
Description: Accepting an untrusted Exchange server certificate results in storing an exception on a per-hostname basis. On the next visit to an Exchange server contained in the exception list, its certificate is accepted with no prompt and validation. This may lead to the disclosure of credentials or application data. This update addresses the issue through improved handling of untrusted certificate exceptions. Credit to FD of Securus Global for reporting this issue.

ImageIO
CVE-ID: CVE-2009-0040
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling of PNG images. Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PNG images. Credit to Tavis Ormandy of Google Security Team for reporting this issue.

International Components for Unicode
CVE-ID: CVE-2009-0153
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Maliciously crafted content may bypass website filters and result in cross-site scripting
Description: An implementation issue exists in ICU's handling of certain character encodings. Using ICU to convert invalid byte sequences to Unicode may result in over-consumption, where trailing bytes are considered part of the original character. This may be leveraged by an attacker to bypass filters on websites that attempt to mitigate cross-site scripting. This update addresses the issue through improved handling of invalid byte sequences. Credit to Chris Weber of Casaba Security for reporting this issue.

IPSec
CVE-ID: CVE-2008-3651, CVE-2008-3652
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Multiple vulnerabilities in the racoon daemon may lead to a denial of service
Description: Multiple memory leaks exist in the racoon daemon in ipsec-tools before 0.7.1, which may lead to a denial of service. This update addresses the issues through improved memory management.

libxml
CVE-ID: CVE-2008-3281, CVE-2008-3529, CVE-2008-4409, CVE-2008-4225, CVE-2008-4226
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Multiple vulnerabilities in libxml2 version 2.6.16
Description: Multiple vulnerabilities in libxml2 version 2.6.16, the most serious of which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by updating the libxml2 system library to version 2.7.3.

Mail
CVE-ID: CVE-2009-0960
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Users do not have control over the loading of remote images in HTML messages
Description: Mail does not provide a preference to turn off the automatic loading of remote images. Opening an HTML email containing a remote image will automatically request it. The server hosting a remote image can determine that the email was read, and the network address of the device. This update addresses the issue by adding a preference to turn off the automatic loading of remote images. Credit to Ronald C.F. Antony of Cubiculum Systems, Stefan Seiz of ERNI Electronics GmbH, Oskar Lissheim-Boethius of iPhone development house OLB Productions, Meyer Consulting, Oliver Quas, Christian Schmitz of MonkeybreadSoftware, Thomas Adams of TynTec, Aviv Raff of aviv.raffon.net, and Collin Mulliner of Fraunhofer SIT for reporting this issue.

Mail
CVE-ID: CVE-2009-0961
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: An application that causes an alert to appear may initiate a phone call without user interaction
Description: If an application causes an alert to appear while Mail's call approval dialog is shown, the call will be placed without user interaction. This update addresses the issue by not dismissing the call approval dialog when other alerts appear. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue.

MPEG-4 Video Codec
CVE-ID: CVE-2009-0959
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing a maliciously crafted MPEG-4 video file may lead to an unexpected device reset
Description: An input validation issue exists in the handling of MPEG-4 video files. Viewing a maliciously crafted MPEG-4 video file may lead to an unexpected device reset. This update addresses the issue through improved handling of MPEG-4 video files. Credit to Si Brindley for reporting this issue.

Profiles
CVE-ID: CVE-2009-1679
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Installing a configuration profile may weaken the passcode policy defined by Exchange ActiveSync
Description: An issue in the handling of configuration profiles may allow a weaker passcode policy to overwrite the passcode policy already set via Exchange ActiveSync. This may allow a person with physical access to the device to bypass the passcode policy set via Exchange ActiveSync. This update addresses the issue through improved handling of configuration profiles.

Safari
CVE-ID: CVE-2009-1680
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Clearing Safari's history via the Settings application does not prevent disclosure of the search history to a person with physical access to the device
Description: Clearing Safari's history via the Settings application does not reset the search history. In this case, another person with physical access to the device may be able to view the search history. This update addresses the issue by removing the search history when Safari's history is cleared via the Settings application. Credit to Joshua Belsky for reporting this issue.

Safari
CVE-ID: CVE-2009-1681
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Interacting with a maliciously crafted website may result in unexpected actions on other sites
Description: A design issue exists in the same-origin policy mechanism used to limit interactions between websites. This policy allows websites to load pages from third-party websites into a subframe. This frame may be positioned to entice the user to click a particular element within the frame, an attack referred to as "clickjacking". A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This update addresses the issue through adoption of the industry-standard 'X-Frame-Options' extension header, that allows individual web pages to opt out of being displayed within a subframe.

Telephony
CVE-ID: CVE-2009-1683
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: A remote attacker may cause an unexpected device reset
Description: A logic issue in the handling of ICMP echo request packets may cause an assertion to be triggered. By sending a maliciously crafted ICMP echo request packet, a remote attacker may be able to cause an unexpected device reset. This update addresses the issue by removing the assertion. Credit to Masaki Yoshida for reporting this issue.

WebKit
CVE-ID: CVE-2008-2320
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of invalid color strings in Cascading Style Sheets. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved sanitization of color strings. Credit to Thomas Raffetseder of the International Secure Systems Lab for reporting this issue.

WebKit
CVE-ID: CVE-2009-0945
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Nils working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2009-1684
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in the separation of JavaScript contexts. A maliciously crafted web page may use an event handler to execute a script in the security context of the next web page that is loaded in its window or frame. This update addresses the issue by ensuring that event handlers are not able to directly affect an in-progress page transition. Credit to Michal Zalewski of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1685
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in the separation of JavaScript contexts. By enticing a user to visit a maliciously crafted web page, the attacker may overwrite the 'document.implementation' of an embedded or parent document served from a different security zone. This update addresses the issue by ensuring that changes to 'document.implementation' do not affect other documents. Credit to Dean McNamee of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1686
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A type conversion issue exists in WebKit's JavaScript exception handling. When an attempt is made to assign the exception to a variable that is declared as a constant, an object is cast to an invalid type, causing memory corruption. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that assignment in a const declaration writes to the variable object. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue.

WebKit
CVE-ID: CVE-2009-1687
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's JavaScript garbage collector implementation. If an allocation fails, a memory write to an offset of a NULL pointer may result, leading to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking for allocation failure. Credit to SkyLined of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1688, CVE-2009-1689
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: Multiple issues in WebKit's handling of javascript objects may lead to a cross-site scripting attack. This update addresses the issues through improved handling of cross-site interaction with javascript objects. Credit to Adam Barth of UC Berkeley, and Collin Jackson of Stanford University for reporting these issues.

WebKit
CVE-ID: CVE-2009-1690
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of recursion in certain DOM event handlers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved memory management. Credit to SkyLined of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1691
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to cross-site scripting
Description: A cross-site scripting issue in Safari allows a maliciously crafted website to alter standard JavaScript prototypes of websites served from a different domain. By enticing a user to visit a maliciously crafted web page, an attacker may be able to alter the execution of JavaScript served from other websites. This update addresses the issue through improved access controls on these prototypes.

WebKit
CVE-ID: CVE-2009-1692
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected device reset
Description: A memory consumption issue exists in the handling of HTMLSelectElement objects. Visiting a maliciously crafted webpage containing an HTMLSelectElement with a very large length attribute may lead to an unexpected device reset. This update addresses the issue through improved handling of HTMLSelectElement objects. Credit to Thierry Zoller of G-SEC (www.g-sec.lu) for reporting this issue.

WebKit
CVE-ID: CVE-2009-1693
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may disclose images from other sites
Description: A cross-site image capture issue exists in WebKit. By using a canvas with an SVG image, a maliciously crafted website may load and capture an image from another website. This update addresses the issue by restricting the reading of canvases that have images loaded from other websites. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1694
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may disclose images from other sites
Description: A cross-site image capture issue exists in WebKit. By using a canvas and a redirect, a maliciously crafted website may load and capture an image from another website. This update addresses the issue through improving the handling of redirects. Credit to Chris Evans of for reporting this issue.

WebKit
CVE-ID: CVE-2009-1695
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: An issue in WebKit allows the contents of a frame to be accessed by an HTML document after a page transition has taken place. This may allow a maliciously crafted website to perform a cross-site scripting attack. This update addresses the issue through an improved domain check. Credit to Feng Qian of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1696
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Websites may surreptitiously track users
Description: Safari generates random numbers for JavaScript applications using a predictable algorithm. This could allow a website to track a particular Safari session without using cookies, hidden form elements, IP addresses, or other techniques. This update addresses the issue by using a better random number generator. Credit to Amit Klein of Trusteer for reporting this issue.

WebKit
CVE-ID: CVE-2009-1697
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: A CRLF injection issue exists in the handling of XMLHttpRequest headers in WebKit. This may allow a malicious website to bypass the same-origin policy by issuing an XMLHttpRequest that does not contain a Host header. XMLHttpRequests without a Host header may reach other websites on the same server, and allow attacker-supplied JavaScript to interact with those sites. This update addresses the issue through improved handling of XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting this issue.

WebKit
CVE-ID: CVE-2009-1698
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling of the CSS 'attr' function. Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of CSS elements. Credit to Thierry Zoller working with TippingPoint's Zero Day Initiative, and Robert Swiecki of the Google Security Team for reporting this as a security issue.

WebKit
CVE-ID: CVE-2009-1699
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in an information disclosure
Description: An XML External Entity issue exists in WebKit's handling of XML. Visiting a maliciously crafted website may result in the website being able to read files from the user's system. This update addresses the issue by not loading external entities across origins. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1700
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may result in the disclosure of sensitive information
Description: WebKit does not properly handle redirects when processing Extensible Stylesheet Language Transformations (XSLT). This allows a maliciously crafted website to retrieve XML content from pages on other websites, which could result in the disclosure of sensitive information. This update addresses the issue by ensuring that documents referenced in transformations are downloaded from the same domain as the transformation itself. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2009-1701
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of the JavaScript DOM. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document elements. Credit to wushi & ling of team509 working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2009-1702
Available for: iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1
Impact: Visiting a malicious website may lead to a cross-site scripting attack
Description: An issue in WebKit's handling of Location and History objects may result in a cross-site scripting attack when visiting a malicious website. This update addresses the issue through improved handling of Location and History objects. Credit to Adam Barth and Joel Weinberger of UC Berkeley for reporting this issue.

Installation note:

This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "don't install" will present the option the next time you connect your iPhone or iPod touch.

The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the "Check for Update" button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer.

To check that the iPhone or iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "3.0 (7A341)" or later

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================

Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

===========================================================================