Warns Public of Fraudulent Phishing Email.

US-CERT is aware of a recent surge in fraudulent phishing e-mail messages. The messages, claiming to be from the United States National Medical Association, contain a subject line that reads "The United States National Medical Association" and a link that, when followed, will direct the user to a malicious website. These messages are not from any United States government agency.

Users are encouraged to take the following measures to protect themselves from phishing attacks:

• Do not follow unsolicited web links received in email messages.


• Verify the legitimacy of the email by contacting the company or agency directly through a trusted contact number.


• Visit the Anti-Phishing Working Group for more information on known phishing attacks.

Mozilla Releases Update to Address URI Sanitization Vulnerability

Mozilla has released an update for the Firefox browser to address two vulnerabilities with URI sanitization.  These vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code on an affected system. 

More information regarding these vulnerabilities and the Firefox update can be found in the following:

• Vulnerability Note VU#783400
  
• Vulnerability Note VU#403150
  
• Mozilla Foundation Security Advisory 2007-27
  
• Mozilla Firefox update

US-CERT encourages users to upgrade to Firefox 2.0.0.6 which has been released to address these vulnerabilities.

Microsoft Windows URI Protocol Handling Vulnerability

US-CERT is aware of a vulnerability in the way Microsoft Windows determines how to handle URIs, which may be be leveraged by a remote attacker to execute arbitrary commands on an affected system.  Public reports demonstrate that Mozilla Firefox can be used to pass malicious URIs to Windows, but other applications may also act as attack vectors for this vulnerability.

More information regarding this vulnerability can be found in Vulnerability Note VU#403150.