> *************************
> Widely Deployed Software
> *************************
>
> (1) CRITICAL: Microsoft Graphics Rendering Engine Overflow
> Affected:
> Windows 2000, XP SP1 and SP2, 2003 and 2003 SP1
>
> Description: Windows Metafile (WMF) and Enhanced Metafile (EMF) are file
> formats that store images as a sequence of drawing commands and
> settings. These image formats are processed by the Gdi32.dll library.
> This library contains multiple integer overflows in handling WMF or EMF
> files with specially crafted "record" sizes. These overflows can be used
> to overwrite the heap memory with content from the metafiles resulting
> in arbitrary code execution. Multiple attack vectors are possible such
> as including the malicious metafiles in a webpage, shared folder,
> e-mail, Office documents or Instant Messenger communication. Hence, the
> flaws should be patched on a priority basis. The technical details
> required to exploit the flaws have been publicly posted.
>
> Status: Apply the patch referenced in the Microsoft Security Bulletin
> MS05-053. The patch also fixes a DoS vulnerability in EMF processing.
>
> Council Site Actions: All council sites are responding to this item.
> Some sites have already patched their systems. A few sites have Q&A'd
> the patch and will deploy during their next regularly scheduled system
> update process. One site is relying on the public Microsoft Update site
> or will allow their users to obtain the patch through a local update
> server. One site commented that they expect this might pop up in an
> email worm.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
> eEye Advisories
> http://www.eeye.com/html/research/advisories/AD20051108a.html
> http://www.eeye.com/html/research/advisories/AD20051108b.html
> CERT Advisories
> http://www.kb.cert.org/vuls/id/300549
> http://www.kb.cert.org/vuls/id/433341
> WMF and EMF File Formats
> http://www.fileformat.info/format/wmf/
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/15352
> http://www.securityfocus.com/bid/15356
>
> ****************************************************************
> *****************************************************************
>
> (3) HIGH: Macromedia Flash Player Buffer Overflow
> Affected:
> Macromedia Flash Player version 6 and 7 on Windows Platforms
>
> Description: Macromedia Flash Player is used for viewing webpages with
> enhanced graphics and animation. This player is reportedly installed on
> 500 million systems including handhelds. The player contains a
> vulnerability in handling SWF files that can be exploited to execute
> arbitrary code. The problem arises because the media player fails to
> check bounds for a value used as an array index which then can be used
> to point to heap memory. eEye researchers report that it is possible to
> reliably execute code when a malicious SWF file is opened in Internet
> Explorer using the Macromedia Flash plug-in. A proof-of-concept SWF file
> has been posted by Sec Consulting.
>
> Status: Vendor confirmed, upgrade to version 8. Microsoft has also
> published extensive workarounds for this vulnerability.
>
> Council Site Actions: Most of the council sites are responding to this
> item as well. Several sites are in the analysis phase and have not
> decided on their final plan. One site had already upgraded to Flash 8.
> Two sites plan to distribute the patch during their next regularly
> scheduled system update process. One site does not have a method for
> site-wide deployment of the update so they are recommending their users
> get the update from the vendor site. The final site does not plan to
> patch since their Cisco Security Agent install will prevent the buffer
> overflow from executing code on their desktops.
>
> References:
> Macromedia Advisory
> http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html
> eEye Advisory
> http://archives.neohapsis.com/archives/bugtraq/2005-11/0050.html
> Sec-consult Advisory
> http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0154.html
> Microsoft Advisory
> http://www.microsoft.com/technet/security/advisory/910550.mspx
> Macromedia SWF File Format
> http://www.the-labs.com/MacromediaFlash/SWF-Spec/SWFfileformat.html
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/15332
> http://www.securityfocus.com/bid/15334
>
> *****************************************************************
>
> ****************************************************************
>
> (5) HIGH: ClamAV FSG File Handling Overflow
> Affected:
> Clam AntiVirus versions 0.80 through 0.87
>
> Description: ClamAV is open-source antivirus software designed mainly
> for scanning emails on UNIX mail gateways. The software includes a virus
> scanning library - libClamAV. This library is used by many third party
> email, web, FTP scanners as well as mail clients. The library contains
> a buffer overflow that can be triggered by specially crafted FSG (Packed
> Executable Format) files. The attacker can send the malicious file via
> email, web, FTP or a file share, and exploit the buffer overflow to
> execute arbitrary code on the system running the ClamAV library. The
> technical details can be obtained by comparing the fixed and the
> affected versions of the software. Note that for compromising the
> mail/web/FTP gateways no user interaction is required.
>
> Status: Version 0.87.1 fixes this overflow. The update also fixes other
> DoS vulnerabilities. Please look for third party updates for the
> software linked to libClamAV.
>
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> TippingPoint Advisory
> http://archives.neohapsis.com/archives/bugtraq/2005-11/0041.html
> Third Party Software Using ClamAV
> http://www.clamav.net/whos.html#pagestart (Includes Mac OS X server)
> http://www.clamav.net/3rdparty.html#pagestart
> SecurityFocus BID
> http://www.securityfocus.com/bid/15318
>
> ****************************************************************
>
>
> **********
> Exploits
> **********
>
> (6) Worms Exploiting PHP Software Vulnerabilities
>
> Description: The Lupper worm is exploiting remote code execution
> vulnerabilities in the PHP XML-RPC library and the AWStats package. Note
> that the PHP XML-RPC library is used by many bulletin boards and content
> management systems. Hence, users of PHP software using PHP XML-RPC
> should upgrade to the latest version immediately. Another worm is
> targeting remote file include vulnerabilities in the popular bulletin
> board, phpBB.
>
> References:
> Discussion on Worms
> http://isc.sans.org/diary.php?storyid=834
> http://isc.sans.org/diary.php?storyid=829
> Lupper Worm Information
> http://www.symantec.com/avcenter/venc/data/linux.plupii.html
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF%5FLUPPER%2EB&VSect=P
> Previous @RISK Newsletter Postings
> PHP XML-RPC Library Vulnerabilities
> http://www.sans.org/newsletters/risk/display.php?v=4&i=26#other1
> http://www.sans.org/newsletters/risk/display.php?v=4&i=27#other3
> http://www.sans.org/newsletters/risk/display.php?v=4&i=33#widely5
> AWStats Vulnerability
> http://www.sans.org/newsletters/risk/display.php?v=4&i=3#other2
>
>
> ****************************************************************
> ______________________________________________________________________
>
> 05.45.1 CVE: CAN-2005-2124
> Platform: Windows
> Title: Windows WMF Format Code Execution
> Description: Microsoft Windows supports the Windows Metafile (WMF)
> image format. It is vulnerable to a remote code execution attack due
> to insufficient boundary checking when a user views a malicious WMF
> formatted file. See the service advisory for a listing of affected
> Windows systems.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx
> ______________________________________________________________________
>
> 05.45.2 CVE: CAN-2005-2123
> Platform: Windows
> Title: Windows Graphics Rendering Engine WMF/EMF Format Code Execution
> Description: Microsoft Windows supports Windows Metafile (WMF) and
> Enhanced Metafile (EMF) image formats. Its rendering engine is
> affected by a remote code execution vulnerability due to insufficient
> bounds checking performed by the application. The problem presents
> itself when a user views a malicious WMF or EMF formatted file,
> causing the affected engine to attempt to parse it. Microsoft Windows
> versions XP, 2003 and 2000 are affected.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx
> ______________________________________________________________________
>
> ______________________________________________________________________
>
> 05.45.7 CVE: CVE-2005-3374
> Platform: Third Party Windows Apps
> Title: F-Prot Antivirus ZIP Attachment Version Scan Evasion
> Description: F-prot Antivirus is prone to a scan evasion vulnerability
> when dealing with ZIP archive attachments. This issue is due to a
> design error in the application that flags certain ZIP files as
> harmless when it is unable to decompress them. An attacker can exploit
> this vulnerability by crafting a specially designed ZIP file
> containing malicious code and bypass the antivirus software. Visit the
> reference link for a list of vulnerable versions.
> Ref: http://www.securityfocus.com/bid/15293
> ______________________________________________________________________
>
> ______________________________________________________________________
>
> 05.45.20 CVE: Not Available
> Platform: Cross Platform
> Title: Clam Anti-Virus ClamAV TNEF File Handling Denial of Service
> Description: ClamAV is an anti-virus application for Windows and Unix
> like operating systems. It is prone to a denial of service
> vulnerability. This is due to a failure in the application to handle
> malformed TNEF formatted files. ClamAV versions 0.87 and earlier are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/15316
> ______________________________________________________________________
>
> 05.45.21 CVE: Not Available
> Platform: Cross Platform
> Title: Clam Anti-Virus ClamAV CAB File Handling Denial of Service
> Description: ClamAV is an anti-virus application. ClamAV is affected
> by a denial of service issue. The problem presents itself when
> malformed CAB formatted files are being scanned. The
> "libclamav/mspack/cabd.c" source file contains code that may result in
> an infinite loop condition being triggered by attacker-supplied data.
> ClamAV version 0.87.1 has been released to fix this issue.
> Ref: http://www.gentoo.org/security/en/glsa/glsa-200511-04.xml
> ______________________________________________________________________
>
> 05.45.22 CVE: Not Available
> Platform: Cross Platform
> Title: Clam Anti-Virus ClamAV FSG File Handling Buffer Overflow
> Description: ClamAV is an anti-virus application. It is prone to a
> buffer overflow issue due to a failure of the application to properly
> bounds check user-supplied data prior to copying it to an
> insufficiently sized memory buffer. An attacker could exploit this
> issue to execute arbitrary code on a vulnerable system. ClamAV
> versions earlier than 0.87.1 are vulnerable.
> Ref: http://www.securityfocus.com/advisories/9661
> ______________________________________________________________________
>
> ______________________________________________________________________
>
> 05.45.27 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple Vendor Web Browser Cookie Hostname Handling Weakness
> Description: Multiple web browsers are susceptible to a cookie
> hostname handling weakness that potentially discloses sensitive
> information. This issue is due to a failure of the web browsers to
> properly ensure that cookies are properly associated to domain names.
> This issue presents itself when the computer running the affected web
> browser has the DNS resolver library configured with a search path.
> Multiple web browsers are affected. Please see the attached link for
> details.
> Ref: http://www.securityfocus.com/bid/15331/info
> ______________________________________________________________________
>
> 05.45.28 CVE: CAN-2005-2628
> Platform: Cross Platform
> Title: Macromedia Flash Array Index Memory Access
> Description: Macromedia Flash plug-in is vulnerable to an input
> validation error that can be reliably exploited to execute arbitrary
> code. An attacker can exploit this vulnerability to execute arbitrary
> code. Macromedia Flash versions 6 and 7 are reportedly affected.
> Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html
> ______________________________________________________________________
>
> 05.45.29 CVE: Not Available
> Platform: Cross Platform
> Title: Macromedia Flash ActionDefineFunction Memory Access
> Description: Macromedia Flash is a dynamic content platform commonly
> used in Web based applications. The Flash plug-in is vulnerable to an
> input validation error that may be exploited to execute arbitrary code
> or carry out a denial of service attack. Macromedia Flash versions 6
> and 7 are reported affected.
> Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html
> ______________________________________________________________________
>
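As an added illustration of the crafted "record" size problem that item (1) above describes, and not code from the newsletter, Microsoft, or eEye: a defensive walker over a WMF record stream that rejects a RecordSize which would wrap when converted from 16-bit words to bytes in 32-bit arithmetic, or which runs past the end of the buffer. The record layout (32-bit size in words, 16-bit function code, META_EOF 0x0000) follows the published WMF format; the three sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
static uint32_t rd_u32(const uint8_t *p) {        /* WMF is little-endian */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Walk a WMF record stream (buf points just past the file header).  Each
 * record starts with a 32-bit RecordSize counted in 16-bit words (covering
 * the size and function fields themselves), then a 16-bit function code;
 * META_EOF (0x0000) ends the stream.  Returns the number of records
 * validated, or -1 on any malformed or overflowing size. */
int wmf_walk_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 6)              /* no room for a record header */
            return -1;
        uint32_t words = rd_u32(buf + off);
        if (words < 3)                  /* header alone is 3 words */
            return -1;
        /* A naive parser computes words * 2 in 32 bits; at or above
         * 0x80000000 that wraps, a huge record looks tiny, and the copy
         * that follows runs past the heap allocation.  Widen first, then
         * compare against what is really left in the buffer. */
        uint64_t bytes = (uint64_t)words * 2;
        if (bytes > (uint64_t)(len - off))
            return -1;
        count++;
        if (rd_u16(buf + off + 4) == 0x0000)   /* META_EOF */
            return count;
        off += (size_t)bytes;
    }
    return -1;                          /* ran out before META_EOF */
}
/* Constructed samples: SETMAPMODE then META_EOF; the same with a RecordSize
 * (0x80000003) that wraps to 6 when doubled in 32 bits; and a RecordSize
 * that runs past the end of the buffer. */
const uint8_t wmf_ok[]   = {4,0,0,0,    0x03,0x01, 8,0,  3,0,0,0, 0,0};
const uint8_t wmf_wrap[] = {3,0,0,0x80, 0x03,0x01, 8,0,  3,0,0,0, 0,0};
const uint8_t wmf_long[] = {10,0,0,0,   0x03,0x01, 8,0,  3,0,0,0, 0,0};
int main(void) {
    printf("ok=%d wrap=%d long=%d\n", wmf_walk_records(wmf_ok, sizeof wmf_ok),
           wmf_walk_records(wmf_wrap, sizeof wmf_wrap), wmf_walk_records(wmf_long, sizeof wmf_long));
    return 0;
}
```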