VMware has released security updates to address vulnerabilities in ESXi, vCenter Server, Fusion, and Workstation. Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.
US-CERT encourages users and administrators to review VMware Security Advisory VMSA-2017-0015 and apply the necessary updates.
The Federal Trade Commission (FTC) has released an alert on scams related to the Equifax data breach. FTC warns consumers to be wary of calls or emails purporting to be from Equifax agents. Legitimate Equifax representatives will not contact consumers to ask for verification of their information.
US-CERT encourages consumers to report fraudulent calls and emails to the FTC Complaint Assistant and to refer to the FTC Alert and US-CERT Tips on Avoiding Social Engineering and Phishing Attacks and Preventing and Responding to Identity Theft for more information.
US-CERT is aware of a collection of Bluetooth vulnerabilities, known as BlueBorne, potentially affecting millions of unpatched mobile phones, computers, and Internet of Things (IoT) devices. A remote attacker could exploit several of these vulnerabilities to take control of affected devices.
US-CERT recommends that users and administrators read Vulnerability Note VU#240311 for more information.
Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of a system.
Adobe has released security updates to address vulnerabilities in Adobe RoboHelp, Flash Player, and ColdFusion. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
Cisco has released an update to address an Apache Struts 2 vulnerability affecting multiple Cisco products. A remote attacker could exploit this vulnerability to take control of an affected system.
US-CERT encourages users and administrators to review the Cisco Security Advisory and apply the necessary update.
As the peak of the 2017 hurricane season approaches, US-CERT warns users to be watchful for various malicious cyber activity targeting both disaster victims and potential donors. Users should exercise caution when handling emails that relate to recent hurricanes, even if those emails appear to originate from trusted sources. Disaster-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, or door-to-door solicitations relating to the recent hurricanes.
To avoid becoming a victim of fraudulent activity, users and administrators should consider taking the following preventive measures:
- Review the information from the Federal Trade Commission (FTC) on Wise Giving in the Wake of Hurricane Harvey.
- Review information from the Federal Bureau of Investigation on Building a Digital Defense Against Charity Fraud.
- Use caution when opening email attachments, and do not click on links in unsolicited email messages. Refer to the US-CERT Security Tip Using Caution with Email Attachments.
- Refer to US-CERT's Security Tip on Avoiding Social Engineering and Phishing Attacks.
Google has released Chrome version 61.0.3163.79 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.
Users and administrators are encouraged to review the Chrome Releases page and apply the necessary updates.
The Apache Software Foundation has released a security update to address a vulnerability in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.
US-CERT encourages users and administrators to review the Apache Security Bulletin and upgrade to Struts 2.5.13.
US-CERT warns users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters.
US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:
- Do not follow unsolicited web links in email messages.
- Use caution when opening email attachments. Refer to the US-CERT Tip Using Caution with Email Attachments for more information on safely handling email attachments.
- Keep antivirus and other computer software up-to-date.
- Refer to the Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
- Review the Federal Trade Commission information on Charity Scams.
- Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. You can find trusted contact information for many charities on the BBB National Charity Report Index.
The Federal Communications Commission (FCC) has released a public notice encouraging communications service providers to voluntarily use security best practices recommended by the Communications Security, Reliability, and Interoperability Council (CSRIC), a federal advisory committee to the FCC. These best practices help prevent exploitation of Signaling System 7 (SS7) network infrastructure, a signaling protocol that connects communication networks.