> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Both Firefox and the Java Runtime Environment and SDK have high-risk
> vulnerabilities that need attention because their exploitation is easy.
>
> All of us at SANS hope you have a healthy and satisfying year in 2007.
> We look forward to your comments, contributions, and criticisms, and to
> seeing you at one of SANS educational programs.
>
>
> *****************************
> Widely Deployed Software
> *****************************
>
> (1) HIGH: Mozilla Products Multiple Vulnerabilities
> Affected:
> Mozilla Thunderbird versions prior to 1.5.0.9
> Mozilla SeaMonkey versions prior to 1.0.7
> Mozilla Firefox versions prior to 2.0.1
> Mozilla Firefox versions prior to 1.5.0.9
>
> Description: Various Mozilla products, including Thunderbird (an email
> client), SeaMonkey (an integrated suite of network applications), and
> Firefox (a web browser), contain multiple vulnerabilities, including
> remote code execution, cross-site scripting, privilege escalation,
> content spoofing, and denials-of-service. At least one of the remote
> code execution vulnerabilities is known to be exploitable by simply
> viewing a malicious web page. Some of the technical details have not
> been publicly posted yet; they may be obtained via source
> code analysis.
>
> Status: Mozilla confirmed, updates available.
>
> Council Site Actions: All reporting council sites are using Mozilla,
> although it is not officially supported by their respective IT
> departments. Thus, all sites are relying on Mozilla's Auto Update
> features to install the latest updates.
>
> References:
> Mozilla Security Advisories
> http://www.mozilla.org/security/announce/2006/mfsa2006-68.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-69.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-70.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-71.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-72.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-73.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-74.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-75.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-76.html
> Zero Day Initiative Advisory
> http://www.zerodayinitiative.com/advisories/ZDI-06-051.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/21668
>
> ****************************************************************
>
> (2) HIGH: Sun Java Runtime Environment Multiple Vulnerabilities
> Affected:
> Sun JDK and JRE 5.0 Update 7 and prior
> Sun SDK and JRE 1.4.2_12 and prior
> Sun SDK and JRE 1.3.1_18 and prior
>
> Description: The Sun Java Runtime Environment and the Sun Java Software
> Developer Kit (SDK) contain multiple vulnerabilities. These
> vulnerabilities include remote code execution, privilege escalation, and
> information disclosure. If a user browses a webpage containing a
> malicious Java applet, the applet may be able to execute arbitrary code
> on the client system with the privileges of the logged-on user. Note
> that the Java applets are automatically downloaded and executed in
> typical browser configurations. Also, the Sun Java Runtime Environment
> is installed by default on Microsoft Windows systems prior to Windows
> XP, many Unix and Unix-like operating systems (including Sun Solaris),
> and many Linux distributions. Previous flaws in JRE have been exploited
> to compromise systems in the wild; hence, this update should be applied
> on an expedited basis.
>
> Status: Sun confirmed, updates available.
>
> Council Site Actions: All reporting council sites are responding to this
> issue. They are either relying on the vendors' Auto Update feature or
> they plan to distribute the updates during their next regularly
> scheduled system maintenance cycle.
>
> References:
> Sun Security Advisories
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-10272
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1&searchclause=
> Wikipedia Article Explaining Java Applets
> http://en.wikipedia.org/wiki/Java_applet
> Sun Java Home Page
> http://java.sun.com
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/21673
> http://www.securityfocus.com/bid/21674
> http://www.securityfocus.com/bid/21675
>
> ****************************************************************
>
> (3) LOW: Microsoft Windows MessageBoxA Memory Corruption
> Affected:
> Microsoft Windows XP
> Microsoft Windows Vista Beta
> Microsoft Windows Server 2003
> Microsoft Windows 2000
>
> Description: The Microsoft Windows MessageBoxA function, used to display
> graphical message boxes, contains a kernel memory corruption
> vulnerability that can be triggered by passing a specially-crafted
> argument to the function. It is believed that this vulnerability may
> also be exploited to execute arbitrary code. The flaw can be exploited
> remotely if any application that accepts remote data passes that data
> to the vulnerable function. No such application is currently known
> publicly. The technical details and a proof-of-concept are publicly
> available.
>
> Status: Microsoft has not confirmed, no updates are available. The
> Microsoft Security Response Center Blog has a blog post that may refer
> to this issue (see below), but it does not confirm that the issue exists
> or is exploitable.
>
> Council Site Actions: All reporting council sites are waiting on
> additional information and a patch from the vendor. Once available,
> they plan to distribute during their next regularly scheduled system
> maintenance cycle.
>
> References:
> Microsoft Security Response Center Blog Posting
> http://blogs.technet.com/msrc/archive/2006/12/22/new-report-of-a-windows-vulnerability.aspx
> Determina Security Research Advisory
> http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html
> Posting by 3APA3A
> http://www.securityfocus.com/archive/1/455061
> http://www.securityfocus.com/archive/1/455042
> MessageBox Function Documentation from Microsoft (related function)
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/dialogboxes/dialogboxreference/dialogboxfunctions/messagebox.asp
> SecurityFocus BID
> http://www.securityfocus.com/bid/21688
>
> ****************************************************************
>
> (4) LOW: Mozilla Firefox Information Disclosure
> Affected:
> Mozilla Firefox versions 2.0.1 and prior
>
> Description: Mozilla Firefox's password manager component contains an
> information disclosure weakness. The password manager can be used to
> automatically fill out username and password forms. If this capability
> is used on web pages that can have arbitrary HTML code included by an
> attacker, the attacker could gain these username and password entries.
> This vulnerability can be exploited to conduct phishing attacks such as
> stealing MySpace passwords etc. Note that this issue is distinct from
> the other Mozilla issues outlined in this edition of @RISK. A proof of
> concept for this vulnerability is publicly available.
>
> Status: Mozilla confirmed, updates available.
>
> Council Site Actions: All reporting council sites are using Mozilla,
> although it is not officially supported by their respective IT
> departments. Thus, all sites are relying on Mozilla's Auto Update
> features to install the latest updates.
>
> References:
> Mozilla Bugzilla Entry
> https://bugzilla.mozilla.org/show_bug.cgi?id=360493
> Posting by fash1on@xxxxxxxxx
> http://www.securityfocus.com/archive/1/452382
> Proof of Concept
> http://www.info-svc.com/news/11-21-2006/rcsr1/
> Article by Chapin Information Services
> http://www.info-svc.com/news/11-21-2006/
> SecurityFocus BID
> http://www.securityfocus.com/bid/21240
>
>
> ****************
> Other Software
> ****************
>
> (5) HIGH: ESET NOD32 CAB Parsing Heap Overflow
> Affected:
> ESET NOD32 Antivirus versions prior to 1.1743
>
> Description: ESET NOD32, a popular antivirus solution, contains a heap
> overflow in its handling of CAB ("cabinet") archive files. A
> specially-crafted CAB file could exploit this vulnerability and execute
> arbitrary code with the privileges of the scanning process.
>
> Status: ESET confirmed, updates available.
>
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> n.runs Security Advisory
> http://archives.neohapsis.com/archives/bugtraq/2006-12/0341.html
> ESET Home Page
> http://eset.com
> Wikipedia Article on the Cabinet Archive Format
> http://en.wikipedia.org/wiki/Cabinet_(file_format)
> SecurityFocus BID
> Not yet available.
>
>
> 06.51.3 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows Explorer and Media Player Denial of Service
> Description: Microsoft Windows Explorer and Windows Media Player are
> both exposed to a denial of service issue. Please see the link below
> for further details.
> Ref: http://www.securityfocus.com/archive/1/454502
> ______________________________________________________________________
>
> 06.51.4 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows MessageBoxA Denial of Service
> Description: Microsoft Windows is prone to a local denial of service
> vulnerability because the operating system fails to handle certain API
> calls with unexpected parameters. Specifically, the vulnerability
> occurs when the executable makes an API call to the "MessageBoxA"
> message box and passes certain malicious parameters.
> Ref: http://www.securityfocus.com/bid/21688
> ______________________________________________________________________
>
> 06.51.5 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft Project Server 2003 PDSRequest.ASP XML Request
> Information Disclosure
> Description: Microsoft Project Server 2003 is prone to an information
> disclosure vulnerability when an XML request in the
> "/logon/pdsrequest.asp" script is sent to the HTTP server.
> Ref: http://www.securityfocus.com/bid/21611
> ______________________________________________________________________
>
> 06.51.6 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft Outlook ActiveX Control Remote Internet Explorer
> Denial of Service
> Description: The Microsoft Office Outlook Recipient Control is exposed
> to a denial of service issue due to a flawed interaction between
> Microsoft Outlook and Internet Explorer. Microsoft Outlook XP and
> prior versions are affected.
> Ref: http://www.securityfocus.com/bid/21649/info
> ______________________________________________________________________
>
> 06.51.7 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Yahoo! Messenger Unspecified ActiveX Control Remote Buffer
> Overflow
> Description: Yahoo! Messenger is a freely available chat client
> distributed and maintained by Yahoo!. An unspecified ActiveX control
> shipped with Yahoo! Messenger is prone to a buffer overflow
> vulnerability because it fails to perform sufficient bounds checking
> of user-supplied input before copying it to an insufficiently sized
> memory buffer. Yahoo! Messenger versions released prior to November 2,
> 2006 are affected.
> Ref: http://messenger.yahoo.com/security_update.php?id=120806
> ______________________________________________________________________
>
> 06.51.8 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Intel 2200BG 802.11 Driver Beacon Frame Remote Code Execution
> Description: Intel 2200BG driver is prone to a remote code execution
> vulnerability due to a race condition which occurs when "w29n51.sys"
> fails to properly handle a flood of malformed beacon frames. Intel
> 2200BG (Mini-PCI) driver version 9.0.3.9 is affected.
> Ref: http://www.securityfocus.com/bid/21641
> ______________________________________________________________________
>
> 06.51.12 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: NOD32 Anti-Virus Multiple File Parsing Vulnerabilities
> Description: NOD32 Anti-Virus is an anti-virus application available
> for Microsoft Windows. It is exposed to a divide by zero issue when
> attempting to process CHM files and also to a heap-based buffer
> overflow issue when attempting to process DOC files. NOD32 Anti-Virus
> versions prior to 1.1743 are affected.
> Ref: http://www.securityfocus.com/bid/21682
> ______________________________________________________________________
>
> 06.51.13 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: McAfee NeoTrace ActiveX Control Remote Buffer Overflow
> Description: NeoTrace is a utility that allows users to map computers
> on the Internet. The NeoTraceExplorer.NeoTraceLoader ActiveX control
> is vulnerable to a buffer overflow issue when receiving a string of
> over 500 bytes to the "TraceTarget()" function. McAfee NeoTrace
> Express version 3.25 and NeoTrace Professional version 3.25 are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/21697
> ______________________________________________________________________
>
> 06.51.15 CVE: CVE-2006-6106
> Platform: Linux
> Title: Linux Kernel Bluetooth CAPI Packet Remote Buffer Overflow
> Description: The Linux kernel is prone to a buffer overflow
> vulnerability because it fails to bounds check user-supplied data
> before copying it into an insufficiently sized buffer. Specifically,
> this issue occurs when the Bluetooth driver attempts to handle
> excessively large CAPI packets. Versions prior to 2.4.33.5 are
> affected.
> Ref: http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.33.5
> ______________________________________________________________________
>
> 06.51.19 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple Vendor Firewall HIPS Process Spoofing Vulnerability
> Description: Multiple vendor firewalls and HIPS (host-based intrusion
> prevention systems) are prone to a process spoofing vulnerability. An
> attacker can exploit this issue to have an arbitrary malicious program
> appear to run as a trusted process and function undetected on an
> affected victim's computer. Please see the advisory for further
> information.
> Ref: http://www.securityfocus.com/bid/21615
> ______________________________________________________________________
>
> 06.51.20 CVE: Not Available
> Platform: Cross Platform
> Title: OpenOffice Remote Integer Overflow Denial of Service
> Description: OpenOffice is exposed to a remote denial of service issue
> because of an integer overflow flaw in the "WW8PLCF::GeneratePLCF()"
> method when attempting to process malformed Word files. OpenOffice
> version 2.1 is vulnerable to this issue.
> Ref: http://www.securityfocus.com/archive/1/454514
> http://www.securityfocus.com/bid/21618/info
> ______________________________________________________________________
>
> 06.51.22 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple BitDefender Products Parsing Engine Integer Overflow
> Vulnerabilities
> Description: Multiple BitDefender applications are exposed to an
> integer overflow issue because they fail to ensure that integer values
> are not overrun. When the applications parse crafted packed PE files,
> a heap-based buffer overflow occurs, resulting from the integer
> overflow issue. BitDefender for MS Exchange 5.5 0 and prior versions
> are affected.
> Ref:
> http://www.bitdefender.com/KB323-en--cevakrnl.xmd-vulnerability.html
> http://www.securityfocus.com/bid/21610
> ______________________________________________________________________
>
> 06.51.24 CVE: Not Available
> Platform: Cross Platform
> Title: Kerio MailServer Remote Unspecified LDAP Denial of Service
> Description: Kerio MailServer is prone to a denial of service
> vulnerability because the software fails to properly handle malformed
> LDAP traffic, resulting in an application crash. All current versions
> are affected.
> Ref: http://www.securityfocus.com/bid/21602
> ______________________________________________________________________
>
> 06.51.27 CVE: Not Available
> Platform: Cross Platform
> Title: Sun Java Runtime Environment Multiple Remote Privilege
> Escalation Vulnerabilities
> Description: Sun Java Runtime Environment is an enterprise development
> platform. It is vulnerable to multiple unspecified privilege
> escalation issues. See the advisory for further details.
> Ref: http://www.securityfocus.com/bid/21673
> ______________________________________________________________________
>
> 06.51.28 CVE: Not Available
> Platform: Cross Platform
> Title: Sun Java Runtime Environment Information Disclosure
> Vulnerabilities
> Description: The Sun Java runtime environment is prone to multiple
> information disclosure vulnerabilities. These issues are due to a
> design flaw in the affected application. Specifically, untrusted
> applets are inappropriately allowed to access data from other applets
> in two different circumstances.
> Ref:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1&searchclause=
> ______________________________________________________________________
>
> 06.51.29 CVE: Not Available
> Platform: Cross Platform
> Title: Sun Java RunTime Environment Multiple Buffer Overflow
> Vulnerabilities
> Description: The Java Runtime Environment is an application that
> allows users to run Java applications. It is prone to multiple
> unspecified buffer overflow vulnerabilities. Please refer to the
> advisory for further information.
> Ref:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1&searchclause=
> ______________________________________________________________________
>
> 06.51.33 CVE: Not Available
> Platform: Cross Platform
> Title: ESET NOD32 Antivirus CAB File Parsing Engine Integer Overflow
> Description: ESET NOD32 Antivirus is an antivirus application. It is
> vulnerable to an integer overflow issue as it fails to ensure that
> integer values are not overrun. Versions prior to 1.1743 are affected.
> Ref: http://www.securityfocus.com/bid/21701/info
> ______________________________________________________________________
>
> 06.51.74 CVE: Not Available
> Platform: Network Device
> Title: Allied Telesis AT-9000/24 Ethernet Switch Unauthorized
> Management VLAN Access
> Description: Allied Telesis AT-9000/24 devices are managed Ethernet
> switches. They are prone to an unauthorized management VLAN access
> issue. When multiple VLANs are configured, attackers can access the
> management VLAN by guessing the IP configuration that the management
> interface is configured to respond to.
> Ref: http://www.securityfocus.com/bid/21628
> ______________________________________________________________________
>
>
> 06.51.76 CVE: Not Available
> Platform: Network Device
> Title: HP Printer FTP Print Server List Command Buffer Overflow
> Description: HP FTP Print Server is an application that allows
> computers to access various printers. It is vulnerable to a
> buffer overflow issue due to insufficient handling of multiple "LIST"
> and "NLIST" commands with arbitrary long strings. See the advisory for
> further details.
> Ref: http://www.securityfocus.com/archive/1/454817
> ______________________________________________________________________
>
> (c) 2006. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
>