Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 38



> 
> The Internet Explorer VML vulnerability is being actively exploited.
> Immediate action (probably by unregistering VGX.DLL) SANS Internet Storm
> Center has been providing regular updates http://isc.sans.org/.
> 

> *************************
> Widely Deployed Software
> *************************
> 
> (1) CRITICAL: Microsoft Internet Explorer VML Buffer Overflow (0day)
> Affected:
> Microsoft Internet Explorer version 6, and possibly prior
> 
> Description: Microsoft Internet Explorer contains a remotely-exploitable
> buffer overflow in the parsing of VML (Vector Markup Language) data. VML
> is an XML-based language used to define vector graphics images. A
> specially-crafted HTML document (posted on a webpage or included in an
> email) could exploit this buffer overflow and execute arbitrary code
> with the privileges of the current user. Several exploits for this
> vulnerability have been publicly posted, and at least one Trojan has
> been seen active in the wild (tentatively named "Trojan.Vimalov"). Users
> can mitigate the impact of this vulnerability by unregistering the
> "VGX.DLL" library. Note that this will prevent normal VML usage.
> 
> Status: Microsoft confirmed, no updates available. 
> 
> Council Site Actions: All responding council sites are waiting on the
> release of the patch from the vendor. They will deploy the patch during
> their next regularly scheduled update process or via their AutoUpdate
> capability.
> 
> References:
> Microsoft Security Advisory
> http://www.microsoft.com/technet/security/advisory/925568.mspx
> SANS Handler's Diary Posting
> http://www.incidents.org/diary.php?storyid=1727&isc=61e243bd348e5a31bf9097e6f2965ab9
> Trojan.Vmalov Information from Symantec
> http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091914-1801-99&tabid=1
> Posting by Matthew Murphy (discusses mitigation strategies)
> http://blogs.securiteam.com/index.php/archives/624
> Wikipedia Article on Vector Markup Language
> http://en.wikipedia.org/wiki/Vector_Markup_Language
> Proofs-of-Concept
> http://downloads.securityfocus.com/vulnerabilities/exploits/20096.html
> http://downloads.securityfocus.com/vulnerabilities/exploits/vml.c
> http://downloads.securityfocus.com/vulnerabilities/exploits/20096.pl
> Unofficial Patch From ZERT (Not tested by Microsoft)
> http://isotf.org/zert/
> SecurityFocus BID
> http://www.securityfocus.com/bid/20096
> 
> ****************************************************************
> 
> (2) HIGH: Mozilla Suite Multiple Vulnerabilities
> Affected:
> Mozilla Firefox version 1.5.0.7 and prior
> Mozilla Thunderbird version 1.5.0.7 and prior
> Mozilla SeaMonkey version 1.0.5 and prior
> 
> Description: The Mozilla foundation has released several security
> advisories for vulnerabilities in Firefox, Thunderbird, and SeaMonkey.
> These vulnerabilities can be exploited for remote code execution,
> cross-site-scripting and spoofing attacks. Technical details for several
> of these vulnerabilities except remote code execution flaws have been
> publicly posted. As these products are open source, further details can
> be easily obtained via source code analysis. Some simple
> proofs-of-concept are included when available in the security advisories
> referenced below.
> 
> Status: Mozilla confirmed, updates available.
> 
> References:
> Mozilla Security Advisories
> http://www.mozilla.org/security/announce/2006/mfsa2006-64.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-63.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-62.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-61.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-58.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-57.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/20042
> 
> ****************************************************************
> 
> 
> (3) MODERATE: Microsoft PowerPoint Remote Code Execution 
> Affected:
> Microsoft PowerPoint 2000, and possibly other versions
> 
> Details: A Trojan has been observed in the wild exploiting a
> vulnerability in Microsoft PowerPoint. Currently, the Trojan seems to
> be targeting the Chinese localization of PowerPoint; it is unknown if
> other localizations are vulnerable. It is also not known whether this
> vulnerability is a new 0-day issue or related to the vulnerability
> patched in the Microsoft Security Bulletin MS06-012. Some antivirus
> vendors have classified this Trojan as "Trojan.PPDropper.E".
> 
> Status: Microsoft has not confirmed, no updates available.
> 
> Council Site Actions: All responding council sites are waiting on
> additional information from the vendor and a patch. They will most
> likely deploy the patch during their next regularly scheduled update
> process or via their AutoUpdate capability.
> 
> 
> References:
> SANS Internet Storm Center Handler's Blog Entry
> http://www.incidents.org/diary.php?storyid=1717
> Microsoft Security Bulletin MS06-012
> http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
> SecurityFocus BID
> http://www.securityfocus.com/bid/20059
> 
> ****************************************************************
> 
> ************************
> Other Software
> ************************
> 
> (4) HIGH: Ipswitch WS_FTP Multiple Remote Buffer Overflows
> Affected:
> Ipswitch WS_FTP Server version 5.08 (first vulnerability), version 5.05
> (remaining vulnerabilities)
> 
> Description: Ipswitch WS_FTP, a popular FTP server for Microsoft
> Windows, contains multiple remotely-exploitable buffer overflow
> vulnerabilities: (1) Failure to properly validate user-supplied
> responses to the FTP PASV command can overflow a fixed-sized buffer.
> This overflow occurs in the parsing of PASV responses, requiring the
> vulnerable server to connect back to the attacker's system. (2) Failure
> to properly validate user-supplied input to the extended XMD5, XSHA1,
> and XCRC commands can overflow a fixed-sized buffer. By sending
> a specially-crafted request using one of these commands, an
> authenticated attacker (possibly anonymous or ftp user) could exploit
> one of these buffer overflows and execute arbitrary code with the
> privileges of the FTP server process - often SYSTEM. The technical
> details and at least one exploit for these vulnerabilities have been
> publicly posted.
> 
> Status: Ipswitch confirmed, updates available.
> 
> References:
> Ipswitch Hotfix
> http://ipswitch.com/support/ws_ftp-server/releases/wr505hf1.asp
> Proof-of-Concept by h07
> http://downloads.securityfocus.com/vulnerabilities/exploits/ws_ftp-5.0.8-PASV-rce.c
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/20121
> http://www.securityfocus.com/bid/20076
> 
> ****************************************************************
> 
> (5) MODERATE: Cisco IPS Multiple Vulnerabilities
> Affected:
> Cisco IDS versions prior to 4.1(5c)
> Cisco IPS versions prior to 5.0(6p1) and 5.1(2)
> 
> Description: The Cisco Intrusion Prevention System contains multiple
> remotely-exploitable vulnerabilities: (1) By sending a specially-crafted
> SSL request to the web administration interface of a vulnerable system,
> an attacker could cause the "mainApp" administrative process to crash.
> This process is not restarted automatically, leading to a
> denial-of-service condition. Successfully exploiting this vulnerability
> would prevent system administration (via either the web or command line
> interfaces), stop the reporting of alerts to remote monitoring systems
> (including SNMP traps), and prevent the automatic reconfiguration of
> other Cisco devices. (2) By specially fragmenting traffic passing
> through a network segment monitored by a Cisco IPS device, an attacker
> could bypass the traffic inspection afforded by the device. This traffic
> will be passed unchanged, allowing potentially malicious traffic to
> traverse the network undetected.
> 
> Status: Cisco confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Cisco Security Advisory
> http://www.cisco.com/warp/public/707/cisco-sa-20060920-ips.shtml
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/20124
> http://www.securityfocus.com/bid/20127
> 
> ****************************************************************
> 
> (6) MODERATE: Cisco IOS DOCSIS Default SNMP Community String
> Affected:
> Cisco IAD Integrated Access Device models 2430, 2431, 2432
> Cisco VG224 Analog Phone Gateway
> Cisco MWR Mobile Wireless Edge Router models 1900, 1941
> 
> Description: Several Cisco devices contain a remotely-exploitable
> configuration error. The operating system software on these devices is
> incorrectly configured to support the DOCSIS (Data Over Cable Service
> Interface Specification) standard. As part of this support, an
> additional hard coded SNMP community string with read-write privileges
> has been included in the SNMP configuration. This community string
> ("cable-docsis") cannot be removed or disabled. An attacker using this
> community string could alter the configuration of the device arbitrarily,
> allowing the attacker to take complete control of the affected system.
> 
> Status: Cisco confirmed, updates available. Possible workarounds include
> disabling the SNMP process as a whole or configuring SNMP access control
> lists.
> 
> Council Site Actions: Only one of the responding council sites is using
> the affected software. They are currently reviewing their
> inventory/configurations and will distribute the patch at their next
> scheduled update, if applicable.
> 
> References:
> Cisco Security Advisory
> http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml
> Wikipedia Article on DOCSIS
> http://en.wikipedia.org/wiki/DOCSIS
> SecurityFocus BID
> http://www.securityfocus.com/bid/20125
> 
> 
> 06.38.1 CVE: CVE-2006-3866
> Platform: Windows
> Title: Microsoft Internet Explorer Vector Markup Language Buffer
> Overflow
> Description: Microsoft Internet Explorer is prone to a buffer overflow
> vulnerability due to an error in the processing of Vector Markup
> Language documents. Version 6.0 on a fully patched system is reported
> to be vulnerable. Previous versions may also be affected.
> Ref: http://www.microsoft.com/technet/security/advisory/925568.mspx
> ______________________________________________________________________
> 
> 06.38.2 CVE: CVE-2006-4777
> Platform: Windows
> Title: Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap
> Buffer Overflow
> Description: Microsoft Internet Explorer is exposed to a heap buffer
> overflow issue. Please refer to the link below for further details.
> Ref: http://www.microsoft.com/technet/security/advisory/925444.mspx
> ______________________________________________________________________
> 
> 06.38.3 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft PowerPoint Remote Code Execution
> Description: Microsoft PowerPoint is prone to a remote code execution
> vulnerability. This issue is being actively exploited in the wild as
> Trojan.PPDropper. This issue is currently known to affect only Office
> 2000 (Chinese version only) on Windows XP (Chinese).
> Ref: http://www.securityfocus.com/bid/20059
> ______________________________________________________________________
> 
> 06.38.4 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Ipswitch WS_FTP Server XCRC XSHA1 and XMD5 Commands Buffer
> Overflow Vulnerabilities
> Description: Ipswitch WS_FTP Server is a file transfer and data
> management server. It is vulnerable to multiple stack overflow issues
> due to insufficient boundary checking. Ipswitch WS_FTP Server version
> 5.05 is vulnerable.
> Ref: http://ipswitch.com/support/ws_ftp-server/releases/wr505hf1.asp
> ______________________________________________________________________
> 
> 06.38.6 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Symantec Norton Personal Firewall SymEvent Driver Local Denial
> of Service
> Description: Symantec Norton Personal Firewall is prone to a local
> denial of service issue when attackers send malformed data to the
> "SymEvent" driver. Norton Personal Firewall 2006 version 9.1.0.33 is
> affected.
> Ref: http://www.securityfocus.com/bid/20051
> ______________________________________________________________________
> 
> 06.38.8 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Ipswitch WS_FTP PASV Response Remote Buffer Overflow
> Description: Ipswitch WS_FTP Server is an FTP implementation that is
> available for Windows. It is prone to a remote buffer overflow that
> may be exploited when the PASV command is supplied with excessively
> long arguments. Version 5.08 is reported to be vulnerable.
> Ref: http://www.securityfocus.com/bid/20121
> ______________________________________________________________________
> 
> 06.38.9 CVE: CVE-2006-4761
> Platform: Third Party Windows Apps
> Title: SharpReader Atom Feed Script HTML Injection
> Description: SharpReader is an RSS/Atom Aggregator available for
> Windows. It is prone to an HTML injection vulnerability due to
> insufficient sanitization of RSS/Atom feeds. Version 0.9.7.0 is
> reported to be vulnerable.
> Ref: http://www.securityfocus.com/bid/20128
> ______________________________________________________________________
> 
> 06.38.10 CVE: CVE-2006-4762
> Platform: Third Party Windows Apps
> Title: RSSReader RSS Feeds Atom Feed Multiple HTML Injection
> Vulnerabilities
> Description: RSSReader is an application that displays any RSS and
> Atom news feed. RSSReader is prone to multiple HTML injection
> vulnerabilities. Version 1.0.96.0 beta RC3 is reported to be
> vulnerable.
> Ref: http://www.securityfocus.com/bid/20129
> ______________________________________________________________________
> 
> 06.38.16 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox/Thunderbird/Seamonkey Multiple Remote
> Vulnerabilities
> Description: The Mozilla Foundation has released six security
> advisories regarding security vulnerabilities in Mozilla Firefox,
> SeaMonkey, and Thunderbird. Please refer to the link below for further
> details.
> Ref: http://www.securityfocus.com/bid/20042/references
> ______________________________________________________________________
> 
> 06.38.17 CVE:
> CVE-2006-4334,CVE-2006-4335,CVE-2006-4336,CVE-2006-4337,CVE-2006-4338
> Platform: Cross Platform
> Title: GNU GZip Archive Handling Multiple Remote Vulnerabilities
> Description: The GZip utility is vulnerable to multiple remote buffer
> overflow and denial of service issues when handling malicious archive
> files. See the advisory for further details.
> Ref: http://www.kb.cert.org/vuls/id/381508
> ______________________________________________________________________
> 
> 06.38.18 CVE: Not Available
> Platform: Cross Platform
> Title: Cisco IPS/IDS Fragmented Packets Inspection Bypass
> Vulnerability
> Description: Cisco Intrusion Prevention System (IPS/IDS) is a family
> of devices that provide threat prevention services. They are affected
> by an inspection bypass issue due to improper handling of malformed
> packets. This issue is being tracked by Cisco bug IDs CSCse17206 and
> CSCsf12379.
> Ref: http://www.securityfocus.com/bid/20127
> ______________________________________________________________________
> 
> 06.38.92 CVE: Not Available
> Platform: Network Device
> Title: Cisco IOS Multiple VLAN Trunking Protocol Vulnerabilities
> Description: Cisco IOS is vulnerable to multiple issues when handling
> VLAN Trunking Protocol (VTP) packets. Cisco IOS 12.1(19) is vulnerable.
> See the advisory for further details.
> Ref: http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
> ______________________________________________________________________
> 
> 06.38.93 CVE: Not Available
> Platform: Network Device
> Title: Citrix Access Gateway AAC LDAP Authentication Bypass
> Description: Citrix Access Gateway is a SSL/VPN appliance. It is prone
> to an authentication bypass vulnerability when the Advanced Access
> Control (AAC) option is configured to use LDAP authentication. This
> issue only affects AAC version 4.2 when using LDAP authentication.
> Ref: http://www.securityfocus.com/bid/20066
> ______________________________________________________________________
> 
> 06.38.94 CVE: Not Available
> Platform: Network Device
> Title: Cisco Guard Meta-Refresh Cross-Site Scripting
> Description: Cisco Guard is a distributed denial of service appliance
> to mitigate against malicious traffic. It is prone to a cross-site
> scripting vulnerability because it fails to properly sanitize
> user-supplied input. When the anti-spoofing feature is enabled the
> device inspects all diverted HTTP traffic and then a meta-refresh is
> sent to the client. However, if the original link followed contains
> malicious HTML or script code, the meta-refresh will contain this code
> and it will execute in the client browser in the context of the
> visited site.
> Ref:
> http://www.cisco.com/warp/public/707/cisco-sa-20060920-guardxss.shtml
> ______________________________________________________________________
> 
> 06.38.95 CVE: Not Available
> Platform: Network Device
> Title: Cisco IOS DOCSIS SNMP Community String Unauthorized Access
> Description: Cisco IOS devices are prone to an unauthorized access
> vulnerability. The devices are inadvertently configured with a hard
> coded SNMP community string for supporting DOCSIS (Data Over Cable
> Service Interface Specifications) compliant interfaces.
> Ref: http://www.securityfocus.com/archive/1/446499
> ______________________________________________________________________
> 
> 06.38.96 CVE: Not Available
> Platform: Hardware
> Title: Nokia Phones Firmware MMC Local Authentication Bypass
> Description: Nokia Mobile Phones are exposed to an authentication
> bypass issue due to a design error which allows an attacker with local
> access to the affected device to boot from a MMC card, bypassing the
> device lock mechanism.
> Ref: http://www.securityfocus.com/bid/20003/info
> ______________________________________________________________________
> 
> 06.38.97 CVE: Not Available
> Platform: Hardware
> Title: Cisco IPS/IDS Web Administration Interface Denial Of Service
> Description: The web administration interface of Cisco IPS/IDS is
> exposed to a denial of service issue due to a failure in the
> application to properly handle a malformed SSLv2 Client Hello packet.
> Please refer to the link below for further details.
> Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060920-ips.shtml

Copyright © Lexa Software, 1996-2009.