> *************************
> Widely-Deployed Software
> *************************
>
> (1) HIGH: NullSoft Winamp WMA Remote Code Execution
> Affected:
> Winamp versions prior to 5.13
>
> Description: Winamp media player contains another code execution
> vulnerability in addition to the one reported in the previous @RISK
> newsletter. This flaw can be triggered by a specially crafted playlist
> file (".pls" or ".m3u" extension) that contains a long ".wma"
> filename.
> A malicious webpage or an HTML email can exploit this flaw to execute
> arbitrary code on a user's system. Systems configured with
> Winamp as the
> default player are at a greater risk of being compromised.
>
> Status: Winamp has released version 5.13 that contains a fix for this
> as well as last week's flaw.
>
> Council Site Actions: This application is not officially supported at
> the reporting council sites. However, a few sites plan to notify their
> users and advise them to patch their systems.
>
> References:
> iDefense Advisory
> http://archives.neohapsis.com/archives/bugtraq/2006-02/0002.html
> M3U File Format
> http://forums.winamp.com/showthread.php?threadid=65772
> PlayList FileFormat
> http://developer.apple.com/documentation/QuickTime/QT6WhatsNew
> /Chap1/chapter_1_section_58.html
> Winamp Homepage
> http://www.winamp.com
> SecurityFocus BID
> http://www.securityfocus.com/bid/16462
>
> **************************************************************
> *********
>
> (2) HIGH: Firefox and Thunderbird Multiple Vulnerabilities
> Affected:
> Firefox version 1.5 and prior
> Thunderbird version 1.5 and prior
>
> Description: Firefox browser and Thunderbird email client contain
> multiple vulnerabilities. The flaws exist in the garbage collection
> routine for the Javascript engine, XML parsing,
> E4X/SVG/Canvas features,
> "XULDocument.persist" function, QueryInterface" method of the Location
> and Navigator objects, and dynamic style handling. A malicious webpage
> or an HTML email may exploit these flaws to execute arbitrary
> code. The
> technical details required to craft exploit code are included in the
> Mozilla bug repository.
>
> Council Site Actions: Most of the council sites commented that Mozilla
> is not a support application. However, they informed their
> users of the
> problem and advised them to patch or upgrade their systems
> immediately.
> Some users are set up for automatic updates.
>
> References:
> Mozilla Advisories
> http://www.mozilla.org/security/announce/mfsa2006-01.html
> http://www.mozilla.org/security/announce/mfsa2006-02.html
> http://www.mozilla.org/security/announce/mfsa2006-04.html
> http://www.mozilla.org/security/announce/mfsa2006-05.html
> http://www.mozilla.org/security/announce/mfsa2006-06.html
> http://www.mozilla.org/security/announce/mfsa2006-07.html
> http://www.mozilla.org/security/announce/mfsa2006-08.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/16476
>
> ****************************************************************
>
> *********
>
> (5) HIGH: CommuniGate Pro Server LDAP Multiple Vulnerabilities
> Affected:
> Communigate Pro Server version 5.06 and prior
>
> Description: The Communigate Pro is a multi-platform server that
> supports multiple protocols such as LDAP, RADIUS, IMAP, SIP, OP, HTTP
> etc. The LDAP component contains multiple vulnerabilities that can be
> exploited by an unauthenticated attacker to crash the LDAP server and
> possibly execute arbitrary code. The test suite used for
> discovering the
> bugs is not publicly available.
>
> Status: The vendor has released a new version 5.07 with the fix.
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> Posting by Evgeny Legerov
> http://archives.neohapsis.com/archives/fulldisclosure/2006-01/
> 0923.html
> http://www.gleg.net/protover_ldap.shtml
> Product Homepage
> http://www.stalker.com/CommuniGatePro/default.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/16501
>
> **************************************************************
> *********
>
> ************************************
> Technical Details and Exploit Code
> ************************************
>
> (6) Oracle PL/SQL Gateway Security Bypass
>
> References:
> Posting by David Litchfield
> http://archives.neohapsis.com/archives/bugtraq/2006-02/0023.html
> http://archives.neohapsis.com/archives/bugtraq/2006-02/0024.html
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=5&i=4#widely2
>
> **********************************************************************
> (7) Cisco VPN 3000 Concentrator DoS
>
> References:
> Posting by Eldon
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0039.html
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=5&i=4#other2
>
> **********************************************************************
>
> (8) BlueCoat WinProxy Buffer Overflow
>
> References:
> Exploit Code
> http://www.frsirt.com/exploits/20060131.bluecoat_winproxy.pm.php
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=5&i=2#other1
>
> **********************************************************************
>
> 06.5.1 CVE: Not Available
> Platform: Windows
> Title: Microsoft Internet Explorer Flash ActionScript JScript Handling
> Denial of Service
> Description: Microsoft Internet Explorer is vulnerable to a denial of
> service issue when it handles a specially crafted call to the
> "document.write()" method that is executed through a VBScript
> procedure contained in ActionScript code of a Flash animation. A
> remote attacker may trigger a crash in the browser by enticing users
> to visit a malicious Web site. All current versions are vulnerable.
> Ref: http://www.securityfocus.com/archive/1/423675
> ______________________________________________________________________
>
> 06.5.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer ActiveX Control Kill Bit Bypass
> Description: Microsoft Internet Explorer does not properly check the
> kill bit on ActiveX controls. A remote attacker could construct an
> HTML page that bypasses the kill bit check on any embedded ActiveX
> controls within the page. This could allow an unsafe ActiveX control
> with a known vulnerability to be invoked. The impact of the
> vulnerability is dependent on the ActiveX control being invoked,
> however consequences may range from denial of service to arbitrary
> code execution.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx
> ______________________________________________________________________
>
> 06.5.3 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer URLMon.DLL Denial of Service
> Description: Internet Explorer is prone to a remote denial of service
> vulnerability. This issue is due to improper handling of user-supplied
> data. The problem occurs when the "urlmon.dll" attempts to parse a
> malformed HTML file containing a "BGSOUND SRC=file://----" where the
> "-" is repeated approximately 344 times. This issue affects version
> Internet Explorer 7.0 beta 2.
> Ref: http://www.securityfocus.com/bid/16463
> ______________________________________________________________________
>
> 06.5.4 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Nullsoft Winamp Malformed Playlist File Handling Remote Buffer
> Overflow
> Description: Winamp is susceptible to a buffer overflow vulnerability.
> This issue presents itself when the application handles a
> specially-crafted playlist (.pls) file. A successful attack can
> corrupt process memory and facilitate arbitrary code execution. Winamp
> versions 5.12 and earlier are reportedly affected.
> Ref: http://www.securityfocus.com/archive/1/423436
> ______________________________________________________________________
>
>
> 06.5.7 CVE: CVE-2005-3188
> Platform: Third Party Windows Apps
> Title: Nullsoft Winamp Malformed Playlist File WMA Extension Remote
> Buffer Overflow
> Description: Winamp is a freely available media player from Nullsoft.
> It is susceptible to a buffer-overflow vulnerability. It fails to
> properly bounds-check input data before copying it into a fixed-size
> memory buffer. This issue presents itself when the application handles
> a specially crafted playlist (.pls, or .m3u) file containing
> excessively long filenames that have a ".wma" extension. Winamp
> version 5.094 is vulnerable.
> Ref: http://www.securityfocus.com/archive/1/423685
> ______________________________________________________________________
>
> 06.5.8 CVE: CVE-2006-0035, CVE-2006-0036, CVE-2006-0037
> Platform: Linux
> Title: Linux Kernel Multiple Security Vulnerabilities
> Description: The Linux kernel is prone to multiple vulnerabilities.
> These issues can allow attackers to trigger denial of service
> conditions or corrupt memory to potentially execute arbitrary code. If
> an attacker is able to execute arbitrary code due to memory
> corruption, a complete compromise is possible.
> Ref: http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;
> a=commit;h=15db34702cfafd24acc60295cf14861e497502ab
> ______________________________________________________________________
>
> 06.5.11 CVE: CVE-2006-0433
> Platform: BSD
> Title: FreeBSD TCP SACK Remote Denial of Service
> Description: FreeBSD is susceptible to a remote denial of service
> vulnerability. This issue is due to a flaw in affected kernels that
> potentially results in an infinite loop condition when handling TCP
> SACK packets. Various releases of FreeBSD versions 5.3 and 5.4 are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/16466
> ______________________________________________________________________
> ______________________________________________________________________
>
> 06.5.17 CVE: CVE-2006-0496
> Platform: Cross Platform
> Title: Firefox XBL -MOZ-BINDING Property Cross-Domain Scripting
> Description: Mozilla Firefox "-MOZ-BINDING" property is vulnerable to
> a security issue that could let a web page execute malicious script
> code in the context of an arbitrary domain. This is due to the browser
> Same Origin Policy is not enforced on the "-moz-binding" property.
> Mozilla Firefox versions 1.5 beta 2 and earlier are vulnerable.
> Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=324253
> ______________________________________________________________________
>
> ______________________________________________________________________
>
> 06.5.25 CVE: CVE-2006-0292, CVE-2006-0293, CVE-2006-0294,
> CVE-2006-0295, CVE-2006-0296, CVE-2006-0297, CVE-2006-0298,
> CVE-2006-0299
> Platform: Cross Platform
> Title: Multiple Mozilla Products Memory Corruption/Code
> Injection/Access Restriction Bypass Vulnerabilities
> Description: Multiple Mozilla products are prone to multiple
> vulnerabilities. These issues include various memory corruption, code
> injection and access restriction bypass vulnerabilities. Please refer
> to the link below for a list of vulnerable software.
> Ref: http://www.securityfocus.com/bid/16476
> ______________________________________________________________________