> ************************
> Widely Deployed Software
> ************************
>
> (1) CRITICAL: Windows Media Player Bitmap Handling Overflow
> Affected:
> Windows Media Player versions 7.1 through 10
>
> Description: Windows Media Player contains a heap-based
> buffer overflow
> that can be triggered by a specially crafted bitmap(BMP) file. The
> problem arises because Windows Media Player does not properly
> process a
> bitmap file that declares its size as 0 bytes. In this case, the Media
> Player allocates 0 bytes of heap memory prior to copying the file into
> heap memory. Hence, a malicious bitmap file can execute arbitrary code
> with the privileges of the logged-on user. The bitmap file can be
> embedded in any media format such as ".asx" or ".wmv" or media player
> skin file. Such a media or skin file can then be posted on a web page,
> a shared folder or a peer-to-peer file share. Windows systems having
> Windows Media Player as their default media player are at
> greatest risk
> from this vulnerability. Exploit code has been publicly posted.
>
> Status: Microsoft Security Bulletin MS06-005 contains the
> patch as well
> as workarounds to mitigate this vulnerability.
>
> Council Site Actions: All reporting council sites are in the
> process of
> responding to this item. Some are rolling out the patches on an
> expedited basis, and some during their next regularly scheduled system
> update process. One site commented they were patching
> workstations and
> Citrix servers on an expedited basis, but non-Citrix servers on a
> standard scheduled. One site is using the automated Update feature
> from Microsoft, and thus the patches are already installed.
> Many of the
> sites also have gateway anti-virus for both web and mail.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx
> eEye Advisory
> http://www.eeye.com/html/research/advisories/AD20060214.html
> Exploit Code
> http://blacksecurity.org/~redsand/public/MS06-005
> http://archives.neohapsis.com/archives/bugtraq/2006-02/0252.html
> http://www.frsirt.com/exploits/20060216.redms06-005.py.php
> Bitmap File Format
> http://www.fortunecity.com/skyscraper/windows/364/bmpffrmt.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/16633
>
> *********************************************************************
>
> (2) HIGH: Internet Explorer WMF Handling Vulnerability
> Affected:
> Internet Explorer version 5.01 SP4 on Windows 2000 SP4 and
> Internet Explorer version 5.5 SP2 on Windows ME
>
> Description: Microsoft has released a cumulative patch MS06-004 for
> Internet Explorer that fixes another WMF file handling vulnerability.
> This flaw was discussed in the last issue of the @RISK
> newsletter. As a
> general security practice Internet Explorer should be upgraded to the
> latest available version.
>
> Council Site Actions: All reporting council sites are in the process
> of responding to this item. Some are rolling out the patches on an
> expedited basis, and some during their next regularly scheduled system
> update process. One site commented they were patching
> workstations and
> Citrix servers on an expedited basis, but non-Citrix servers on a
> standard schedule. One site is using the automated Updates feature
> from Microsoft and thus the patches are already installed.
> Many of the
> sites also have gateway anti-virus for both web and mail.
>
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx
> Last Week's @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=5&i=6#widely1
> Updated SecurityFocus BID
> http://www.securityfocus.com/bid/16516
>
> **********************************************************************
>
>
> (3) HIGH: Windows Media Player Plug-in Buffer Overflow
> Affected:
> Windows Media Player versions 9 and 10 when invoked by browsers other
> than Internet Explorer such as Mozilla Firefox or Netscape
>
> Description: Windows Media Player plug-in component is automatically
> installed when the Media player is installed. Popularly used browsers
> as alternatives to Internet Explorer such as Firefox and Netscape can
> detect this plug-in, and open files associated with Windows
> media player
> automatically. This plug-in contains a stack-based buffer
> overflow when
> launched by browsers other than Internet Explorer. The overflow is
> triggered by an HTML page containing an "EMBED" tag with an overlong
> "SRC" attribute. The flaw can be exploited to execute arbitrary code
> with the privileges of the logged-on user. Exploit code has been
> publicly posted. Enterprises with Firefox installations should apply
> this patch on a priority basis.
>
> Status: Microsoft Security Bulletin MS06-006 contains the patch. A
> workaround is to disable the Windows Media Player plug-in in
> Firefox by
> visiting "Tools->Options->Downloads->Plug-ins" menu.
>
> Council Site Actions: All reporting council sites are in the
> process of
> responding to this item. Some are rolling out the patches on an
> expedited basis, and some during their next regularly scheduled system
> update process. One site commented they were patching
> workstations and
> Citrix servers on an expedited basis, but non-Citrix servers on a
> standard scheduled. One site is using the automated Updates feature
> from Microsoft, and thus the patches are already installed.
> Many of the
> sites also have gateway anti-virus for both web and mail.
>
>
> References:
> Microsoft Advisory
> http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx
> iDefense Advisory
> http://www.securityfocus.com/archive/1/424974/30/30/threaded
> Exploit Code
> http://archives.neohapsis.com/archives/fulldisclosure/2006-02/
> 0381.html
> http://www.frsirt.com/exploits/20060217.wmp_overflow.php
> http://www.frsirt.com/exploits/20060217.wmp_overflow.php
> SecurityFocus BID
> http://www.securityfocus.com/bid/16644
>
> **************************************************************
> *********
>
> (4) HIGH: Winamp Playlist File Processing Overflows
> Affected:
> Winamp version 5.13 and prior
>
> Description: Winamp, a popular media player, contains the following
> buffer overflows in handling certain playlist files i.e. files with
> ".m3u" or ".pls" extensions. (a) An overflow that can be
> triggered by a
> playlist file containing an overlong filename with ".wma"
> extension. (b)
> An overflow that can be triggered by a playlist file containing an
> overlong filename beginning with "cda://". (c) An overflow that can be
> triggered by an overlong name of ".m3u" file. A web page containing a
> malicious playlist file can exploit these vulnerabilities to execute
> arbitrary code.
>
> Status: No patch available from the vendor yet. Go to
> "Tools->Folder-Options->FileTypes" and remove Winamp as the default
> handler for "M3U" and "PLS" files. This will prevent a malicious web
> page from automatically launching Winamp.
>
> Council Site Actions: The affected software is not officially
> supported
> at any of the reporting council sites. Several sites have
> advised their
> users to apply appropriate patches or remove it from their systems.
>
> References:
> http://archives.neohapsis.com/archives/fulldisclosure/2006-02/
> 0348.html
> Posting by Alan McCaig and b0fnet
> http://www.securityfocus.com/archive/1/424903/30/60/threaded
> Vendor Homepage
> http://www.winamp.com
> SecurityFocus BID
> http://www.securityfocus.com/bid/16623
>
> **************************************************************
> *********
>
> (5) MODERATE: Windows IGMPv3 Processing Denial of Service
> Affected:
> Windows XP SP1 and SP2
> Windows 2003 including SP1
>
> Description: IGMP protocol allows IP hosts to participate in
> multicasting. Windows XP and 2003, which support version 3 of the IGMP
> protocol, contain a DoS vulnerability that can be triggered by a
> specially crafted IGMP packet. A vulnerable Windows system will stop
> responding to any further requests after receiving such a packet. The
> technical details required to craft a malicious IGMP packet have not
> been posted yet.
>
> Status: Microsoft Security Bulletin MS06-007 contains the
> patch as well
> as workarounds to mitigate this vulnerability.
>
> Council Site Actions: The affected software is in use at a few of the
> reporting council sites. They plan to deploy the patches during their
> next regularly scheduled maintenance cycle. One site uses the
> automated
> Updates feature from Microsoft.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx
> IGMP version 3 RFC
> http://www.faqs.org/rfcs/rfc3376.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/16645
>
> **************************************************************
> *********
>
> (6) MODERATE: Microsoft Web Client Service Remote Code Execution
> Affected:
> Windows XP SP1 and SP2
> Windows 2003 including SP1
>
> Description: The Web Client Service on Windows XP/2003 systems allows
> users to create and modify files on web servers via WebDAV
> protocol. The
> service can be reached via "DAV RPC SERVICE" named pipe on
> ports 139/tcp
> and 445/tcp. This service contains a flaw that can be exploited by
> authenticated users to execute arbitrary code. Note that this service
> is enabled by default on Windows XP, and if the "Guest" access is
> enabled the flaw can be exploited by any user. No technical details
> regarding how to trigger the vulnerability have been disclosed yet.
>
> Status: Apply the update referenced in Microsoft Security Bulletin
> MS06-008. Block ports 139/tcp and 445/tcp at the network perimeter to
> prevent access to this service from the Internet.
>
> Council Site Actions: The affected software is in use at a few of the
> reporting council sites. They plan to deploy the patches during their
> next regularly scheduled maintenance cycle. One site uses the
> automated
> Updates feature from Microsoft.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-008.mspx
> WebClient Service RPC Interface
> http://www.hsc.fr/ressources/articles/win_net_srv/ch04s10s22.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/16636
>
> ****************************************************************
>
> (7) LOW: Microsoft PowerPoint 2000 Information Disclosure
> Affected:
> PowerPoint 2000
>
> Description: This vulnerability in PowerPoint 2000 allows an attacker
> to access objects in the Temporary Internet Files folder on a client
> system. This folder contains objects like cookies that may be used by
> the attacker to obtain unauthorized access to websites visited by the
> logged-on user. In order to exploit this flaw, an attacker has to set
> up a web page containing a Powerpoint presentation and entice a victim
> to view this presentation. If the victim views the presentation using
> Internet Explorer, the attacker's script can read contents from the
> temporary internet files folder.
>
> Status: Apply the update referenced in Microsoft Security Bulletin
> MS06-010.
>
> Council Site Actions: Only a few of the council sites plan to address
> this issue. They plan to deploy the patches during their next
> regularly
> scheduled maintenance cycle. One site is using the automated Updates
> feature from Microsoft and the patches are already installed.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-010.mspx
> SecurityFocus BID
> Not available yet.
> ****************************************************************
>
> (8) LOW: Internet Explorer Multiple Vulnerabilities
> Affected:
> Internet Explorer versions 5.01, 5.5 and 6.0
>
> description: (a) Another 0-day "drag and drop" vulnerability has been
> reported in Internet Explorer. A specially crafted HTML page
> can exploit
> this flaw to install malware on a client system. Exploitation proceeds
> as follows: The user is enticed to drag and drop an object
> from a Window
> opened by Internet Explorer. By carefully timing when the
> drag and drop
> operation is initiated, a malicious file object from the pop-under
> window of the original window can be dropped to a folder such as
> "SharedDocs" or "Scheduled Tasks" on the user's system. The
> probability
> of successful exploitation is believed to be low since the exploit
> vector critically depends on correctly timing the user's actions. A
> proof-of-concept exploit has been created but not publicly posted.
> Microsoft plans to fix this issue in a service pack and not a security
> bulletin unless further research shows that the remote compromise can
> be easily achieved.
>
> (b) Internet Explorer Javascript and VBscript engines contain a
> vulnerability that can be exploited to exhaust the process
> stack memory.
> Viewing a malicious web page, which exploits this flaw, crashes IE.
> Remote code execution may be possible but is believed to be difficult.
>
> Status: A suggested workaround for the drag and drop issue is
> to set the
> kill bit for "Shell.Explorer" control. Note that the workaround will
> stop Internet Explorer from displaying any "folder" views for
> local/network file shares and web folders. Further details
> and the tool,
> which can be used to set this kill-bit, are available in the
> Securiteam
> Advisory. Microsoft has not acknowledged the DoS flaw in
> script engines.
>
> References:
> Postings by Matt Murphy
> http://www.securiteam.com/windowsntfocus/5MP0B0UHPA.html
> http://www.securityfocus.com/archive/1/424939/30/60/threaded
> Microsoft Blog Post
> http://blogs.technet.com/msrc/archive/2006/02/13/419439.aspx
> Posting by porkythepig
> http://archives.neohapsis.com/archives/bugtraq/2006-02/0295.html
> Posting by 3APA3A
> http://archives.neohapsis.com/archives/bugtraq/2006-02/0299.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/16352
>
>
> *********************************************************************
>
> 06.7.1 CVE: CVE-2006-0013
> Platform: Windows
> Title: Microsoft Windows Web Client Buffer Overflow
> Description: The Microsoft Windows Web Client is a service that allows
> applications to access documents on the Internet using the WebDAV
> protocol. It is vulnerable to a buffer overflow issue that could allow
> a remote, authenticated attacker to execute arbitrary code on a
> vulnerable computer with System level privileges. Please refer to the
> underlying link for a list of vulnerable systems.
> Ref: http://www.microsoft.com/technet/security/bulletin/ms06-008.mspx
> ______________________________________________________________________
>
> 06.7.2 CVE: CVE-2006-0008
> Platform: Windows
> Title: Windows Korean Input Method Editor Privilege Escalation
> Description: Microsoft Windows Korean Input Method Editor (IME)
> identifies keystrokes pressed by a user and converts them into Korean
> characters. It is vulnerable to a local privilege escalation issue
> because the application insecurely exposes some functionality that
> runs with SYSTEM privileges. See the Microsoft advisory for further
> details.
> Ref: http://www.microsoft.com/technet/security/bulletin/ms06-009.mspx
> ______________________________________________________________________
>
> 06.7.3 CVE: CVE-2006-0021
> Platform: Windows
> Title: Microsoft Windows IGMPv3 Denial of Service
> Description: The Internet Group Management Protocol (IGMP) is used to
> provide multicast group information for a physical subnet. This
> information is used by routers to properly forward multicast datagrams
> between subnets. IGMP is part of the IP network layer, similar to
> ICMP. A vulnerability in the handling of IGMPv3 packets could result
> in a denial of service.
> Ref: http://www.microsoft.com/technet/security/bulletin/ms06-007.mspx
> ______________________________________________________________________
>
> 06.7.4 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Drag And Drop File Installation Vulnerability
> Variant
> Description: Microsoft Internet Explorer is affected by an issue that
> may allow unauthorized installation of malicious executables. It is
> reported that drag and drop along with browser style functionality may
> be employed by an attacker to install a file onto a victim's system
> with some degree of user interaction.
> Ref: http://www.securityfocus.com/bid/16590
> ______________________________________________________________________
>
> 06.7.5 CVE: CVE-2006-0006
> Platform: Other Microsoft Products
> Title: Windows Media Player Bitmap Handling Buffer Overflow
> Description: Microsoft Windows Media Player is prone to a remote
> buffer overflow vulnerability. The issue arises when the application
> handles a specially crafted Bitmap image. Microsoft Windows 2000
> Service Pack 4 with Windows Media Player 7.1 and Windows XP Service
> Pack 1 with Windows Media Player 8 are not vulnerable to direct
> web-based attacks, however, exploitation is still possible if the file
> is downloaded and opened using Windows Media Player. All other
> versions are affected.
> Ref: http://www.securityfocus.com/bid/16633
> ______________________________________________________________________
>
> 06.7.6 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer Script Engine Buffer Overflow
> Description: Microsoft Internet Explorer is prone to a remote buffer
> overflow vulnerability. This issue exists in the VBScript and JScript
> engines. This vulnerability affects Internet Explorer 6 running on
> Windows 2000 SP4, Windows XP Professional, and Windows 98SE.
> Ref: http://www.securityfocus.com/archive/1/425283
> ______________________________________________________________________
>
> 06.7.7 CVE: CVE-2006-0708
> Platform: Third Party Windows Apps
> Title: Winamp M3U File Denial of Service
> Description: Nullsoft Winamp is a media player. It is vulnerable to a
> denial of service issue due to insufficient handling of "m3u" files
> with long names. Nullsoft Winamp version 5.13 is vulnerable.
> Ref: http://www.securityfocus.com/archive/1/424903
> ______________________________________________________________________
>
> ______________________________________________________________________
>
> 06.7.12 CVE: CVE-2006-0481
> Platform: Linux
> Title: LibPNG Graphics Library PNG_Set_Strip_Alpha Buffer Overflow
> Description: LibPNG is the official Portable Network Graphics (PNG)
> reference library. It susceptible to a buffer overflow vulnerability
> due to improper bounds checking of user-supplied input. This issue
> presents itself in the "png_set_strip_alpha()" function when the
> library is called to strip the alpha channel out of a malicious PNG
> file.
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0205.html
> ______________________________________________________________________
>
>
> 06.7.25 CVE: CVE-2006-0553
> Platform: Cross Platform
> Title: PostgreSQL Remote SET ROLE Privilege Escalation
> Description: PostgreSQL is susceptible to a remote privilege
> escalation vulnerability. This issue is due to a flaw in the error
> path of the "SET ROLE" function and it allows remote attackers with
> database access to gain administrative access to affected database
> servers.
> Ref: http://www.securityfocus.com/archive/1/425037
> ______________________________________________________________________
>
> 06.7.26 CVE: CVE-2006-0553
> Platform: Cross Platform
> Title: PostgreSQL Set Session Authorization Denial of Service
> Description: PostgreSQL is a relational database suite. It is
> vulnerable to a remote denial of service issue due to an unspecified
> error in "SET SESSION AUTHORIZATION". PostgreSQL versions 8.1.0
> through 8.1.2 are reported to be vulnerable.
> Ref:
> http://archives.postgresql.org/pgsql-announce/2006-02/msg00008.php
> ______________________________________________________________________
>
> 06.7.28 CVE: Not Available
> Platform: Cross Platform
> Title: Mirabilis ICQ File Transfer Extension Hiding
> Description: Mirabilis ICQ is an instant messaging application that
> also allows users to transfer files. It is prone to an issue that
> could allow the file extension of a transferred file to be hidden. If
> the name of the directory and a file contained within it are between
> 30 and 31 characters long and the names are all in capitals, the file
> extension will not be displayed to the receiving user during the file
> transfer. ICQ versions 2003 and ICQ Lite versions 4.0 and 4.1 are
> affected.
> Ref: http://www.securityfocus.com/bid/16655
> ______________________________________________________________________