Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 2



> 
> ***************************
> Widely Deployed Software
> ***************************
> 
>  (1) CRITICAL: Microsoft Windows Embedded Font Processing Overflow
> Affected:
> Windows 98/ME/SE/NT/2000/XP/2003
> 
> Description: Embedding fonts in a document guarantees that a user
> receiving the document can successfully read it. Embedded Open Type
> File Format (".eot") can be used to bundle a font in a webpage, and
> Internet Explorer opens the eot files automatically. The library
> responsible for parsing EOT files, T2EMBED.DLL, contains a heap-based
> overflow that can be triggered by a specially crafted EOT file. The
> problem arises because the declared size of the uncompressed block in
> an EOT file is used to allocate memory for the uncompressed data;
> however, the actual uncompressed data size is not compared to the
> declared size prior to writing the section in the heap memory. A
> malicious webpage can exploit the overflow to execute arbitrary code
> on a user's system when the page is viewed using Internet Explorer.
> The technical details and the code disassembly that can be used to
> craft an exploit have been publicly posted. Immunity has also made
> proof of concept exploits available to its partners. Note that the
> exploitation vectors for the vulnerability are similar to the widely
> exploited WMF flaw, and the extension for EOT files can be spoofed.
> 
> Status: Apply the patch referenced in the Microsoft Security Bulletin
> MS06-002. Other vendors like Nortel and Avaya have published patches
> for their affected products.
> 
> Council Site Actions: All reporting council sites are responding to
> this item. Several sites have already distributed the patch and others
> plan to deploy during their next scheduled maintenance window. A few
> sites are using Microsoft Automatic Updates and hence the patch has
> already been installed.
> 
> References: Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx
> eEye Advisory
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0007.html
> Vulnerable Code Disassembly posted by Piotr Bania
> http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0359.html
> CERT Advisory http://www.kb.cert.org/vuls/id/915930
> Immunity, Inc. Partner Information
> http://www.immunityinc.com/partners-index.shtml
> Embedded Font Technology
> http://msdn.microsoft.com/workshop/author/fontembed/font_embed.asp#Embedded_Font_Techno
> Nortel Centrex
> http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2006/02/020103-01.pdf
> Avaya http://archives.neohapsis.com/archives/secunia/2006-q1/0133.html
> SecurityFocus BID http://www.securityfocus.com/bid/16194
> 
> *********************************************************************
> 
> (2) CRITICAL: Microsoft Exchange and Outlook TNEF Format Processing
> Overflow
> Affected:
> Microsoft Outlook 2000/2002/2003
> Microsoft Exchange Server versions 5.0, 5.5 and 2000
> Microsoft Office Multilanguage Packs 2000
> Microsoft Office Multilingual UI Packs XP/2003
> Microsoft Office 2003 Language Interface Packs
> 
> Description: Microsoft Outlook and Exchange use Transport Neutral
> Encapsulation Format (TNEF) to handle e-mails written in Rich Text
> Format. The library responsible for decoding the TNEF format contains
> a buffer overflow that can be triggered by a specially crafted e-mail.
> The flaw can be exploited to execute arbitrary code with "SYSTEM"
> privileges in case of the Exchange server. Note that for compromising
> the Exchange server sending an email is sufficient, i.e. no user
> interaction is required. The discoverers of the flaw have reported
> that they will disclose the technical details in another 3 months.
> 
> Status: Apply the patch referenced in the Microsoft Security Bulletin
> MS06-003.
> 
> Council Site Actions:  All reporting council sites are responding to
> this item. Several sites have already distributed the patch and others
> plan to deploy during their next scheduled maintenance window.  A few
> sites are using Microsoft Automatic Updates and hence the patch has
> already been installed.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx 
> NGSSoftware Advisory
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0009.html 
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0008.html 
> TNEF File Format
> http://cvs.sourceforge.net/viewcvs.py/*checkout*/tnef/tnef/doc/file-format.tex?content-type=text%2Fplain
> CERT Advisory
> http://www.kb.cert.org/vuls/id/252146 
> SecurityFocus BID
> http://www.securityfocus.com/bid/16197
> 
> *********************************************************************
> 
> (3) CRITICAL: Apple QuickTime Multiple File Format Overflows
> Affected:
> QuickTime Player version 7.0.3 and prior on Windows 2000/XP/Mac OS X
> 
> Description: The QuickTime media player from Apple contains multiple
> buffer overflow vulnerabilities in processing the following file
> formats: GIF, MOV, QTIF, JPEG, TGA, TIFF and PICT. A specially crafted
> movie or image file can exploit the overflows to execute arbitrary
> code on the client system. Note that the malicious files can be hosted
> on a webpage, shared folder, P2P folder or sent in an email. The
> technical details required to craft exploits are included in the
> posted advisories.
> 
> Status: Apple has released QuickTime 7.0.4 to address these issues.
> Note that iTunes uses QuickTime for playing media. Hence, iTunes users
> should also apply this update.
> 
> Council Site Actions: Most of the council sites are responding to this
> item and are in the process of pushing the patch or plan to push the
> patch during their next regularly scheduled system maintenance window.
> Some sites are using Apple's Software Update facility and the patch
> has already been installed.
> 
> References:
> Apple Advisory
> http://docs.info.apple.com/article.html?artnum=303101 
> eEye Advisories
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0014.html 
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0013.html 
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0012.html 
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0011.html 
> Cirt.Dk Advisory
> http://cirt.dk/advisories/cirt-41-advisory.pdf 
> Fortinet Advisories
> http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0449.html
> http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0447.html
> http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0446.html
> http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0445.html
> http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0443.html
> CERT Advisory
> http://www.us-cert.gov/cas/techalerts/TA06-011A.html 
> SecurityFocus BID
> http://www.securityfocus.com/bid/16202
> 
> *********************************************************************
> 
> (5) HIGH: ClamAV UPX Processing Buffer Overflow
> Affected:
> ClamAV versions prior to 0.88
> 
> Description: ClamAV is an open-source antivirus software designed
> mainly for scanning emails on UNIX mail gateways. The software
> includes a virus scanning library - libClamAV. This library is used by
> many third party email, web, FTP scanners as well as mail clients. The
> library contains a buffer overflow that can be triggered by a
> specially crafted UPX packed executable file. The attacker can send
> the malicious file via email, web, FTP or a file share, and exploit
> the buffer overflow to execute arbitrary code on the system running
> the ClamAV library. The technical details can be obtained by comparing
> the fixed and the affected versions of the software. Note that for
> compromising the mail/web/FTP gateways no user interaction is
> required.
> 
> Council Site Actions: The affected software and/or configuration are
> not in production or widespread use, or are not officially supported
> at any of the council sites. They reported that no action was
> necessary.
> 
> References:
> ZDI Advisory
> http://www.zerodayinitiative.com/advisories/ZDI-06-001.html 
> Third Party Software Using ClamAV
> http://www.clamav.net/whos.html#pagestart (Includes Mac OS X server)
> http://www.clamav.net/3rdparty.html#pagestart
> SecurityFocus BID
> http://www.securityfocus.com/bid/16191
> 
> *********************************************************************
> 
> ***************
> Other Software
> ***************
> 
> (6) CRITICAL: BlueCoat WinProxy Buffer Overflow and DoS
> Vulnerabilities
> Affected:
> WinProxy version 6.0 and prior
> 
> Description: WinProxy proxy suite is designed for secure sharing of an
> Internet connection for small to medium businesses. The WinProxy web
> proxy server contains a stack-based buffer overflow that can be
> triggered by an overlong HTTP "Host" header. An attacker can exploit
> the flaw to execute arbitrary code. Exploit code has been publicly
> posted.
> 
> Status: WinProxy version 6.1a has been released to address this buffer
> overflow as well as other DoS issues.
> 
> Council Site Actions: The affected software and/or configuration are
> not in production or widespread use, or are not officially supported
> at any of the council sites. They reported that no action was
> necessary.
> 
> References:
> iDefense Advisories
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0003.html 
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0004.html 
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0002.html 
> Exploit Code
> http://www.frsirt.com/exploits/20060107.Winproxy.pl.php 
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/16147
> http://www.securityfocus.com/bid/16148
> http://www.securityfocus.com/bid/16149
> 
> ********************************************************************
> 
> (7) MODERATE: Apache auth_ldap Module Format String Vulnerabilities
> Affected:
> auth_ldap version 1.6.0 and prior
> 
> Description: auth_ldap module provides LDAP authentication for Apache
> servers on Windows and UNIX platforms. This module contains a format
> string vulnerability that can be triggered by supplying a specially
> crafted username during the LDAP authentication process. An attacker
> can exploit the flaw to execute arbitrary code on the Apache server
> with the privileges of the "apache" process. The technical details
> required to craft an exploit can be gathered by examining the fixed
> and the vulnerable code.
> 
> Status: Vendor has released version 1.6.1. Linux vendors such as Red
> Hat have also released their own updates.
> 
> Council Site Actions: Two of the reporting council sites are using the
> affected software.  One site is awaiting the patch and will install
> during their next regularly scheduled system update cycle. The second
> site is still assessing and will likely handle at next scheduled
> maintenance window.
> 
> References:
> Posting by Digitalarmaments
> http://archives.neohapsis.com/archives/bugtraq/2006-01/0121.html 
> RedHat Advisory
> http://rhn.redhat.com/errata/RHSA-2006-0179.html 
> Vendor Homepage
> http://www.rudedog.org/auth_ldap/ 
> SecurityFocus BID
> http://www.securityfocus.com/bid/16177 
> 
> *********************************************************************
> 
> ***************
> Exploits
> ***************
> 
> (8) Sun Java Plugin Security Bypass
> 
> Description: CERT has notified of a malicious website that is
> exploiting a vulnerability in Sun JRE (reported in November 2004).
> This is the first report of an active exploitation for this
> vulnerability. Please ensure that the Sun JRE is updated to the latest
> version.
> 
> References:
> CERT Current Activity
> http://www.us-cert.gov/current/current_activity.html#javaapi 
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=3&i=47#widely2 
> 
> *********************************************************************
> ______________________________________________________________________
> 
> 06.2.1 CVE: CVE-2006-0010
> Platform: Windows
> Title: Windows Embedded Web Font Buffer Overflow
> Description: Microsoft Windows is vulnerable to a remotely exploitable
> buffer overflow issue due to insufficient handling of embedded web
> fonts that have been maliciously malformed. See Microsoft security
> bulletin MS06-002 for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx 
> ______________________________________________________________________
> 
> 06.2.2 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft Excel Unspecified Code Execution
> Description: Microsoft Excel is susceptible to an unspecified code
> execution vulnerability. The issue presents itself when Microsoft
> Excel attempts to process malformed or corrupted XLS files. Please
> visit the reference link provided for a list of vulnerable versions.
> Ref: http://www.securityfocus.com/bid/16181 
> ______________________________________________________________________
> 
> 06.2.3 CVE: CVE-2006-0002
> Platform: Other Microsoft Products
> Title: Microsoft Outlook / Microsoft Exchange TNEF Decoding Remote
> Code Execution
> Description: Microsoft Exchange Server and Outlook email clients use
> the Transport Neutral Encapsulation (TNEF) format when sending Rich
> Text Format (RTF) messages. They are prone to a remote code execution
> vulnerability due to insufficient boundary checks performed by the
> applications. This issue affects Microsoft Outlook, Microsoft
> Exchange, and Microsoft Office Multilingual User Interface (MUI)
> Packs.
> Ref: http://www.securityfocus.com/archive/1/421518 
> ______________________________________________________________________
> 
> 06.2.4 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Visual Studio UserControl Remote Code Execution
> Description: Microsoft Visual Studio is prone to a vulnerability that
> could allow remote arbitrary code execution. This is due to a design
> flaw that executes code contained in a project file without first
> notifying users. If a "UserControl" object is added to a Form in a
> Visual Studio project, the "UserControl_Load" function will execute it
> without notifying the user, without prior confirmation, and without
> compiling or executing the project. Microsoft Visual Studio 2005 is
> reportedly vulnerable to this issue.
> Ref: http://www.securityfocus.com/bid/16225 
> ______________________________________________________________________
> 
> 
> 06.2.7 CVE: CVE-2005-2340, CVE-2005-3707, CVE-2005-3708,
> CVE-2005-3709, CVE-2005-3710, CVE-2005-3711, CVE-2005-3713
> Platform: Mac OS
> Title: Apple QuickTime Multiple Code Execution Vulnerabilities
> Description: QuickTime Player is the media player distributed by Apple
> for QuickTime as well as other media files. It is affected by multiple
> remote code execution issues due to failure of the application to
> perform boundary checks prior to copying user-supplied data into
> sensitive process buffers. QuickTime versions prior to 7.0.4 are
> affected.
> Ref: http://www.securityfocus.com/bid/16202 
> ______________________________________________________________________
> 
 
> 06.2.9 CVE: CVE-2006-0150
> Platform: Linux
> Title: Dave Carrigan Auth_LDAP Remote Format String
> Description: Dave Carrigan's Auth_ldap is an Apache authentication
> module that utilizes Lightweight Directory Access Protocol. It is
> vulnerable to a remote format string issue due to insufficient
> sanitization of user-supplied input to the "auth_ldap_log_reason()"
> function. Dave Carrigan's auth_ldap version 1.6.1 resolves this issue.
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0179.html 
> http://www.rudedog.org/auth_ldap/Changes.html 
> ______________________________________________________________________
> 
> 06.2.10 CVE: CVE-2006-0054
> Platform: BSD
> Title: FreeBSD IPFW IP Fragment Remote Denial of Service
> Description: FreeBSD IPFW is a packet filtering firewall that is
> integrated into the operating system's kernel. It is susceptible to a
> remote denial of service vulnerability. This issue is due to a flaw in
> affected kernels that results in an uninitialized kernel memory access
> when handling ICMP IP fragments. FreeBSD version 6.0 is affected.
> Ref: http://www.securityfocus.com/advisories/10003 
> ______________________________________________________________________
> 
> 
> 06.2.13 CVE: CAN-2004-0780
> Platform: Solaris
> Title: Sun Solaris uustat Local Buffer Overflow
> Description: The Sun Solaris uustat utility is used to display status 
> information about the Unix to Unix CoPy (UUCP) system. The utility
> is prone to a local buffer overflow vulnerability. The vulnerability
> arises when an attacker supplies excessive string data to the utility
> through the "-S" command line argument. A user-supplied string
> containing 1152 or more bytes can overflow a finite sized buffer
> leading to memory corruption. An attacker can exploit this issue to
> execute arbitrary code and gain "uucp" user privileges which
> correspond to user ID 5 by default.
> Ref: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-101933-1
> ______________________________________________________________________
> 
> 06.2.15 CVE: Not Available
> Platform: Solaris
> Title: Sun Solaris Operating System Unspecified Privilege Escalation
> Description: Sun Solaris on x86 platforms is prone to an unspecified
> privilege escalation issue. This vulnerability is due to an
> unspecified security issue which may allow a local unprivileged user
> to gain elevated privileges or panic the kernel. This issue affects
> Solaris 9 and 10.
> Ref: http://www.securityfocus.com/bid/16224 
> ______________________________________________________________________
> 
> 06.2.19 CVE: CAN-2005-2340
> Platform: Cross Platform
> Title: QuickTime PictureViewer JPEG/PICT File Buffer Overflow
> Description: QuickTime Player is the media player. It is vulnerable to
> a buffer overflow issue due to insufficient handling of malformed JPEG
> and PICT files. QuickTime versions 6.5.2 and 7.0.3 are vulnerable.
> Ref: http://www.cirt.dk/advisories/cirt-41-advisory.pdf 
> ______________________________________________________________________
> 
> 
> 06.2.23 CVE: Not Available
> Platform: Cross Platform
> Title: Clam Anti-Virus ClamAV Unspecified UPX File Buffer Overflow
> Description: ClamAV is an anti-virus application. It is prone to an
> unspecified heap buffer overflow vulnerability due to a failure of the
> application to properly bounds check user-supplied data prior to
> copying it to an insufficiently sized memory buffer. Exploitation of
> this issue could allow attacker-supplied machine code to be executed
> in the context of the affected application. Please refer to the 
> following link for more details.
> Ref: http://www.securityfocus.com/archive/1/421741 
> ______________________________________________________________________
> 
> 06.2.24 CVE: CVE-2005-4591, CVE-2005-4592
> Platform: Cross Platform
> Title: Bogofilter Multiple Remote Buffer Overflow Vulnerabilities
> Description: Bogofilter is a Bayesian spam filtering application
> designed to be run on Linux and Unix platforms. Multiple remote buffer
> overflow vulnerabilities affect Bogofilter. These issues are due to a
> failure of the application to properly handle invalid input sequences
> and validate the length of user-supplied strings prior to copying them
> into static process buffers. Please visit the reference link for a
> list of vulnerable versions.
> Ref: http://www.securityfocus.com/bid/16171 
> ______________________________________________________________________
> 
> 
> 06.2.31 CVE: Not Available
> Platform: Web Application
> Title: PHP MySQLI Error Logging Remote Format String
> Description: PHP is a free and widely used web page development
> language. It is susceptible to a remote format string vulnerability in
> the "mysqli" extension. This issue is due to insufficient sanitization
> of user-supplied input prior to using it in the format-specifier
> argument to a formatted printing function. PHP versions 5.1.0 and
> 5.1.1 are affected.
> Ref: http://www.securityfocus.com/archive/1/421705 
> ______________________________________________________________________
> 
> 06.2.32 CVE: Not Available
> Platform: Web Application
> Title: PHP 5 User-Supplied Session ID Input Validation
> Description: PHP 5 is prone to an input validation vulnerability due
> to improper sanitization of user-supplied input of PHP session IDs,
> transmitted by way of HTTP headers. PHP 5 version 5.1.1 and prior are
> affected.
> Ref: http://www.hardened-php.net/advisory_012006.112.html 
> ______________________________________________________________________
> 
> 
> 06.2.57 CVE: Not Available
> Platform: Network Device
> Title: Cisco Aironet Wireless Access Point ARP Memory Exhaustion
> Denial of Service
> Description: The Cisco Aironet Wireless Access Point devices are a
> series of devices that provide wireless access points. They are
> vulnerable to a denial of service issue due to a failure of the
> device to properly limit the memory consumption of its ARP table. This
> issue allows attackers that can successfully associate with a
> vulnerable access point to exhaust the memory of the affected device.
> This issue affects various devices running Cisco IOS, and not the
> models running the VxWorks-based operating system (version 12.05 and
> earlier).
> Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless.shtml
> ______________________________________________________________________
> 
> 06.2.58 CVE: Not Available
> Platform: Network Device
> Title: Cisco CS-MARS Default Administrative Password
> Description: Cisco Security Monitoring, Analysis and Response System
> (CS-MARS) is a security management appliance. The appliance sets a
> default administrative password during installation. Cisco Security
> Monitoring, Analysis and Response System version 4.1.3 resolves this
> issue.
> Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060111-mars.shtml
> ______________________________________________________________________
> 
> 06.2.62 CVE: Not Available
> Platform: Hardware
> Title: Cisco IP Phone 7940 Remote Denial of Service
> Description: Cisco IP Phone 7940 is prone to a remote denial of
> service vulnerability which arises when the device handles malformed
> network data containing a packetcount of 1000 and a packetdelay of
> 0.002 over TCP port 80. Successful exploitation causes the phone to
> restart.
> Ref: http://www.securityfocus.com/bid/16200/info 
> ______________________________________________________________________
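Item (1) above describes the T2EMBED.DLL bug as a decompressor that sizes its heap buffer from a declared length in the file and then writes the actual expansion without comparing the two. The following decoder is an added example, not code from the newsletter or from Microsoft, and it works on a constructed toy block layout (a little-endian declared size followed by run-length pairs) that is an assumption for illustration, not the real EOT/MTX format; it shows where the missing comparison belongs so that a block whose expansion exceeds its declared size is rejected rather than written into the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy block layout (an assumption for this example, NOT the
 * real EOT/MTX layout):
 *   bytes 0..3  declared uncompressed size, little-endian uint32
 *   bytes 4..   run-length pairs: [count][value] [count][value] ...
 * The decoder allocates 'declared' bytes, exactly as the vulnerable
 * pattern does, but checks every run against the remaining room first. */

enum {
    BLK_OK           =  0,
    BLK_ERR_SHORT    = -1,  /* header truncated or dangling half-pair    */
    BLK_ERR_TOO_BIG  = -2,  /* declared size zero or above the sanity cap */
    BLK_ERR_ALLOC    = -3,
    BLK_ERR_OVERRUN  = -4,  /* expansion exceeds declared size (the bug)  */
    BLK_ERR_UNDERRUN = -5   /* expansion shorter than declared size       */
};

#define BLK_MAX_DECLARED (16u * 1024u * 1024u)  /* arbitrary cap (assumption) */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* On BLK_OK, *out receives a malloc'd buffer of *out_len bytes (caller
 * frees). On any error nothing is allocated and *out is left untouched. */
int decode_block(const uint8_t *blk, size_t blk_len,
                 uint8_t **out, size_t *out_len)
{
    if (blk_len < 4 || ((blk_len - 4) % 2) != 0)
        return BLK_ERR_SHORT;

    uint32_t declared = rd_le32(blk);
    if (declared == 0 || declared > BLK_MAX_DECLARED)
        return BLK_ERR_TOO_BIG;

    uint8_t *buf = malloc(declared);     /* sized from the untrusted header */
    if (buf == NULL)
        return BLK_ERR_ALLOC;

    size_t written = 0;
    for (size_t i = 4; i + 1 < blk_len; i += 2) {
        size_t  count = blk[i];
        uint8_t value = blk[i + 1];
        /* The comparison the advisory says was missing: actual expansion
         * against the declared size, made BEFORE the heap write. */
        if (count > (size_t)declared - written) {
            free(buf);
            return BLK_ERR_OVERRUN;
        }
        memset(buf + written, value, count);
        written += count;
    }

    if (written != declared) {           /* short block: no stale heap bytes */
        free(buf);
        return BLK_ERR_UNDERRUN;
    }
    *out = buf;
    *out_len = written;
    return BLK_OK;
}

int main(void)
{
    /* Constructed sample: declares 4 bytes but expands to 8. */
    const uint8_t lying[] = { 4, 0, 0, 0,  3, 'A',  5, 'B' };
    uint8_t *out = NULL;
    size_t n = 0;
    int rc = decode_block(lying, sizeof lying, &out, &n);
    printf("decode_block -> %d (%s)\n", rc,
           rc == BLK_ERR_OVERRUN ? "overrun rejected" : "unexpected");
    return rc == BLK_ERR_OVERRUN ? 0 : 1;
}
```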



 




Copyright © Lexa Software, 1996-2009.