>
> *****************************
> Widely-Deployed Software
> *****************************
>
> (1) CRITICAL: Microsoft Vector Markup Language Integer Overflow (MS07-004)
> Affected:
> Microsoft Internet Explorer 5/6/7
>
> Description: The Microsoft Vector Markup Language (VML) parser contains
> an integer overflow vulnerability in the way it parses VML data. VML is
> used to describe complex vector-based graphics and other documents. The
> VML parser is used by Internet Explorer, and is believed to also be used
> by Outlook, Outlook Express, and Microsoft Office. A specially-crafted
> VML document could exploit this vulnerability to execute arbitrary code
> with the privileges of the current user. VML documents are automatically
> rendered in Microsoft Internet Explorer and Microsoft Outlook Express.
> A working exploit is available to the members of Immunity's partners'
> program. According to the Microsoft advisory, this flaw is being
> actively exploited.
>
> Status: Microsoft confirmed, updates available. Users are advised to
> read email in plain text mode only, as this will eliminate the email
> attack vector. Additionally, users can mitigate the impact of this
> vulnerability by unregistering the "vgx.dll" system component, using the
> command '"%SystemRoot%\System32\regsvr32.exe" -u
> "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"'. Microsoft's
> security bulletin provides other mitigating strategies.
>
> Council Site Actions: All reporting council sites are responding to this
> issue. They all plan to deploy the patch during their next regularly
> scheduled maintenance cycle.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
> iDefense Security Advisory
> http://www.securityfocus.com/archive/1/456414
> Wikipedia Article on Vector Markup Language
> http://en.wikipedia.org/wiki/Vector_Markup_Language
> Microsoft Knowledge Base Article on "Regsvr32"
> http://support.microsoft.com/kb/249873
> SecurityFocus BID
> http://www.securityfocus.com/bid/21930
>
> *********************************************************************
>
> (3) HIGH: Microsoft Excel Multiple Vulnerabilities (MS07-002)
> Affected:
> Microsoft Office 2000 SP3
> Microsoft Office XP SP3
> Microsoft Office 2003 SP2
> Microsoft Works 2004/2005
> Microsoft Office 2004 for Mac
> Microsoft Office v.X for Mac
>
> Description: Microsoft Excel contains multiple vulnerabilities in the
> parsing of Excel spreadsheet files. A specially-crafted Excel file
> containing a malformed record or string could exploit one of these
> vulnerabilities and allow arbitrary code execution with the privileges
> of the current user. Currently, no technical details or exploits for
> these vulnerabilities are known to be publicly available. Note that
> Office 2003 and later versions do not open Excel documents without user
> prompting; hence, they are affected to a lesser extent.
>
> Status: Microsoft confirmed, updates available.
>
> Council Site Actions: All reporting council sites are responding to
> this issue. They all plan to deploy the patch during their next
> regularly scheduled maintenance cycle.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
> iDefense Security Advisories
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=460
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=461
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/21925
> http://www.securityfocus.com/bid/21922
> http://www.securityfocus.com/bid/21856
> http://www.securityfocus.com/bid/21877
> http://www.securityfocus.com/bid/21952
>
> ****************************************************************
>
> (4) HIGH: Adobe Acrobat Reader Heap Memory Corruption
> Affected:
> Adobe Acrobat Reader version 7.0.8 and prior
>
> Description: Adobe Acrobat Reader contains a heap memory corruption
> vulnerability. A specially-crafted PDF file could exploit this
> vulnerability and overwrite a function pointer, allowing attackers to
> execute arbitrary code with the privileges of the current user. PDF
> files are generally configured to open without prompting on most
> platforms. The technical details for this vulnerability are publicly
> available.
>
> Status: Adobe confirmed, updates available.
>
> References:
> Advisory by Piotr Bania
> http://www.piotrbania.com/all/adv/adobe-acrobat-adv.txt
> Adobe Security Advisory
> http://www.adobe.com/support/security/bulletins/apsb07-01.html
> Adobe Acrobat Home Page
> http://www.adobe.com/products/acrobat/
>
> **************************************************************
> ************
>
> (6) HIGH: Microsoft Outlook Multiple Vulnerabilities (MS07-003)
> Affected:
> Microsoft Outlook 2000/2002/2003
>
> Description: Microsoft Outlook contains the following vulnerabilities:
> (1) A specially-crafted iCalendar meeting request (used to transmit
> meeting and calendaring information) containing a malformed VEVENT
> record could trigger a memory corruption vulnerability. Note that iCal
> meeting requests transmitted through an Exchange server (i.e. via MAPI)
> are automatically sanitized and rendered benign. (2) A specially-crafted
> Office Saved Searches (OSS) file (used to store search information)
> could trigger a memory corruption vulnerability. Note that OSS files
> attached to emails are not automatically opened. Successful exploitation
> of either of these vulnerabilities can lead to arbitrary code execution
> with the privileges of the current user.
>
> Status: Microsoft confirmed, updates available.
>
> Council Site Actions: All reporting council sites are responding to this
> issue. They all plan to deploy the patch during their next regularly
> scheduled maintenance cycle.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
> Computer Terrorism UK Advisory
> http://archives.neohapsis.com/archives/bugtraq/2007-01/0302.html
> Wikipedia Article on iCalendar
> http://en.wikipedia.org/wiki/ICalendar
> RFC 2445 (defines the iCalendar standard)
> http://tools.ietf.org/html/rfc2445
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/21936
> http://www.securityfocus.com/bid/21931
>
> ********************************************************************
>
> (7) MODERATE: MIT Kerberos kadmind Remote Code Execution
> Affected:
> krb5-1.4 through krb5-1.4.4
> krb5-1.5 through krb5-1.5.1
> Third-party applications calling the RPC or GSS-API library
> included in the affected Kerberos releases
>
> Description: kadmind provides remote administrative access to the
> Kerberos authentication database, and runs on the Key Distribution
> Center (KDC) server of a Kerberos realm. The kadmind daemon contains two
> vulnerabilities that can be exploited by unauthenticated attackers to
> execute arbitrary code with typically root privileges. The problems
> occur due to the way kadmind handles initializing and freeing certain
> pointers. Note that any third party software using the MIT Kerberos
> GSS-API or RPC library may also be vulnerable.
>
> Status: MIT Kerberos has released patches for these issues. The fixes
> will be included in the upcoming releases.
>
> References:
> MIT Kerberos Advisories
> http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-003-mechglue.txt
> http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-002-rpc.txt
> CERT Advisory
> http://www.us-cert.gov/cas/techalerts/TA07-009B.html
> Wikipedia Article on Kerberos
> http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
>
> **************************************************************
> ************
>
>
> ****************
> Other Software
> ****************
>
> (9) MODERATE: Microsoft Office 2003 Brazilian Portuguese Grammar Checker
> Memory Corruption (MS07-001)
> Affected:
> Microsoft Office 2003
>
> Description: The Microsoft Office 2003 Brazilian Portuguese Grammar
> Checker contains a memory corruption vulnerability. A specially-crafted
> document opened in a vulnerable version of Microsoft Office with this
> component installed could exploit this vulnerability and execute
> arbitrary code with the privileges of the current user. Note that
> Microsoft Office 2003 does not automatically open documents without
> prompting.
>
> Status: Microsoft confirmed, updates available.
>
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS07-001.mspx
> SecurityFocus BID
> http://www.securityfocus.com/bid/21942
>
> **************************************************************
> ************
>
> *******************
> Exploits and Tools
> *******************
>
> (10) Sun JRE Remote Code Execution
>
> US-CERT reports that exploit code is now available for Sun JRE remote
> code vulnerabilities announced during December 2006. Systems with Sun
> JRE installed should be updated on a priority basis.
>
> References:
> US-CERT Posting
> http://www.us-cert.gov/current/current_activity.html
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=5&i=51&portal=f1a636b753deeae68b584da59bc6946c#widely2
>
>
> 07.3.1 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows Explorer WMF File Denial of Service
> Description: Microsoft Windows Explorer is prone to a denial of
> service issue. A specially-crafted WMV (Windows Media Video) file
> will crash the application when the file is processed. See the
> advisory for further details.
> Ref: http://www.securityfocus.com/bid/21992
> ______________________________________________________________________
>
> 07.3.2 CVE: CVE-2007-0099
> Platform: Windows
> Title: Microsoft Internet Explorer MSXML3 Race Condition Memory
> Corruption
> Description: Microsoft Internet Explorer is exposed to a remote memory
> corruption issue due to a race condition. This issue could result in a
> NULL pointer dereference, read and write operations to invalid addresses
> and other memory-corruption issues.
> Ref: http://www.securityfocus.com/bid/21872
> ______________________________________________________________________
>
> 07.3.3 CVE: CVE-2006-1305
> Platform: Microsoft Office
> Title: Microsoft Outlook Malformed Email Header Remote Denial of
> Service
> Description: Microsoft Outlook is an email client available for
> various Microsoft platforms. It is exposed to a remote denial of
> service vulnerability because the application fails to properly handle
> malformed email messages. Please refer to the link below for further
> details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
> ______________________________________________________________________
>
> 07.3.4 CVE: CVE-2006-5574
> Platform: Microsoft Office
> Title: Microsoft Office Brazilian Portuguese Grammar Checker Remote
> Code Execution
> Description: Microsoft Office is prone to a remote code execution
> vulnerability. This issue occurs when the application processes
> certain Microsoft Office files. Please see the advisory for further
> information.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-001.mspx
> ______________________________________________________________________
>
> 07.3.5 CVE: CVE-2007-0034
> Platform: Microsoft Office
> Title: Microsoft Outlook Advanced Find Remote Code Execution
> Description: Microsoft Outlook is prone to a remote code execution
> vulnerability because the application fails to properly handle
> malformed Office Saved Searches (OSS) files. Please refer to the
> advisory for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
> ______________________________________________________________________
>
> 07.3.6 CVE: CVE-2007-0029
> Platform: Microsoft Office
> Title: Microsoft Excel Malformed String Remote Code Execution
> Description: Microsoft is prone to a remote code execution
> vulnerability that occurs when the application parses files that
> contain malformed strings. Please see the advisory for further
> information.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
> ______________________________________________________________________
>
> 07.3.7 CVE:
> CVE-2007-0027,CVE-2007-0028,CVE-2007-0029,CVE-2007-0030,CVE-2007-0031
> Platform: Microsoft Office
> Title: Microsoft Excel Malformed Palette Record Remote Code Execution
> Description: Microsoft Excel is affected by a remote code execution
> issue. The issue exists in the handling of "PALETTE" records existing in
> "BIFF8" files, which contain strings that are encoded in UTF-16LE
> format.
> Ref: http://www.securityfocus.com/bid/21922
> ______________________________________________________________________
>
> 07.3.8 CVE: CVE-2007-0030
> Platform: Microsoft Office
> Title: Microsoft Excel Malformed Column Record Remote Code Execution
> Description: Microsoft Excel is a spreadsheet application. Excel is
> prone to a remote code execution vulnerability. Please refer to the
> link below for further details.
> Ref: http://www.securityfocus.com/archive/1/456417
> ______________________________________________________________________
>
> 07.3.9 CVE: CVE-2007-0027
> Platform: Microsoft Office
> Title: Microsoft Excel IMDATA Record Remote Code Execution
> Description: Microsoft Excel is prone to a remote code execution
> vulnerability. This issue occurs when the application parses files
> that contain malformed IMDATA records. Please refer to the advisory
> for further information.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
> ______________________________________________________________________
>
> 07.3.10 CVE: CVE-2007-0028
> Platform: Microsoft Office
> Title: Microsoft Excel Opcode Handling Unspecified Remote Code
> Execution
> Description: Microsoft Excel is reportedly susceptible to an
> unspecified remote code execution vulnerability. Please refer to the
> link for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
> ______________________________________________________________________
>
> 07.3.11 CVE: CVE-2007-0024
> Platform: Other Microsoft Products
> Title: Microsoft Windows Vector Markup Language Buffer Overrun
> Description: Microsoft Windows is prone to a buffer overrun
> vulnerability that arises because of an error in the processing of
> Vector Markup Language documents in "Vgx.dll". See the advisory for
> further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
> ______________________________________________________________________
>
> 07.3.12 CVE: CVE-2007-0033
> Platform: Other Microsoft Products
> Title: Microsoft Outlook VEVENT Record Remote Code Execution
> Description: Microsoft Outlook is an email client available for
> various Microsoft platforms. It is exposed to a remote code execution
> issue because the application fails to properly handle malformed iCal
> requests. Specifically, malformed "VEVENT" records contained in iCal
> meeting requests may trigger this issue.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
> ______________________________________________________________________
>
> 07.3.27 CVE: Not Available
> Platform: Linux
> Title: Grsecurity Kernel PaX Local Privilege Escalation
> Description: Grsecurity Kernel PaX is a security application addon to
> the linux kernel using multi-layered detection, prevention, and a
> containment model. It is exposed to a local privilege escalation
> vulnerability. Kernel patch versions 2.1.8 and earlier are affected.
> Ref: http://www.securityfocus.com/bid/22014
> ______________________________________________________________________
>
> 07.3.29 CVE: Not Available
> Platform: Linux
> Title: X.Org BDE And Render Extensions Multiple Integer Overflow
> Vulnerabilities
> Description: The X.Org X Windows server is an open-source X Window
> System for UNIX, Linux, and variants. It is exposed to multiple
> integer overflow issues.
> Ref: http://www.securityfocus.com/bid/21968
> ______________________________________________________________________
>
> 07.3.32 CVE: Not Available
> Platform: BSD
> Title: FreeBSD Jail RC.D Multiple Local Symbolic Link Vulnerabilities
> Description: Jail RC.D environments are an extension of chroot that
> allow administrators to limit the ability for processes to interact
> with resources located outside of the configured environment. It is
> affected by multiple local symbolic link issues due to a failure of
> the jail startup "rc.d" script's handling of symbolic links. FreeBSD
> versions 5.3 and greater are affected.
> Ref: http://www.securityfocus.com/bid/22011
> ______________________________________________________________________
>
> 07.3.36 CVE: Not Available
> Platform: Unix
> Title: Fetchmail Multiple Remote Denial of Services Vulnerabilities
> Description: Fetchmail is a mail-retrieval utility. It is affected by
> multiple denial of service vulnerabilities when it processes messages
> that use the "mda" option. Fetchmail version 6.3.5 is affected.
> Ref: http://www.securityfocus.com/bid/21902
> ______________________________________________________________________
>
>
> 07.3.43 CVE: Not Available
> Platform: Cross Platform
> Title: Snort GRE Packet Decoding Denial of Service
> Description: Snort is a network intrusion detection system. It is
> vulnerable to a denial of service issue due to an integer underflow
> flaw in the "DecodeGRE()" function in the "decode.c" source file.
> Snort version 2.6.1.2 is vulnerable.
> Ref: http://www.securityfocus.com/archive/1/456598
> ______________________________________________________________________
>
> 07.3.48 CVE: CVE-2006-6143
> Platform: Cross Platform
> Title: MIT Kerberos 5 RPC Library Remote Code Execution
> Description: MIT Kerberos 5 is a suite of applications and libraries
> designed to implement the Kerberos network authentication protocol.
> MIT Kerberos 5 is prone to a remote code execution vulnerability that
> resides in the server-side portion of the Kerberos RPC library.
> Currently, the "kadmind" service is known to be vulnerable. Other
> applications that utilize this library may also be affected.
> Ref: http://www.securityfocus.com/bid/21970
> ______________________________________________________________________
>
> 07.3.49 CVE: CVE-2006-6144
> Platform: Cross Platform
> Title: MIT Kerberos Administration Daemon Free Pointers Remote Code
> Execution
> Description: MIT Kerberos 5 is a suite of applications and libraries
> designed to implement the Kerberos network authentication protocol.
> MIT Kerberos 5 is exposed to a remote code execution issue. See the
> advisory for further details.
> Ref: http://www.securityfocus.com/bid/21975
> ______________________________________________________________________
>
> 07.3.51 CVE: CVE-2006-5857
> Platform: Cross Platform
> Title: Adobe Acrobat Reader Unspecified Heap Corruption Vulnerability
> Description: Adobe Acrobat Reader is a free document viewer for
> reading and commenting on PDF and PostScript files. It is exposed to a
> remote code execution issue. Please refer to the link below for
> further details.
> Ref: http://www.piotrbania.com/all/adv/adobe-acrobat-adv.txt
> ______________________________________________________________________
>
> 07.3.54 CVE: Not Available
> Platform: Cross Platform
> Title: Adobe Reader Plugin Open Parameters Cross-Site Scripting
> Description: Adobe Reader is prone to a cross-site scripting
> vulnerability because it fails to properly sanitize user-supplied
> input. Please refer to the advisory for further information.
> Ref: http://www.adobe.com/support/security/advisories/apsa07-01.html
> ______________________________________________________________________
>
> 07.3.56 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple PDF Readers Multiple Remote Buffer Overflow
> Vulnerabilities
> Description: Portable Documents Format (PDF) is a file format
> developed by Adobe. Multiple PDF readers are exposed to multiple
> remote buffer overflow vulnerabilities. See the advisory for further
> details.
> Ref: http://www.securityfocus.com/bid/21910
> ______________________________________________________________________
>
> 07.3.58 CVE: Not Available
> Platform: Cross Platform
> Title: Kaspersky AntiVirus Scan Engine PE File Denial of Service
> Description: Kaspersky Antivirus is prone to a denial of service
> vulnerability when an invalid value is specified for the
> "NumberofRVaAndSizes" field in the header of a portable executable
> (PE) file. Multiple versions prior to and including 6.0 are
> reportedly vulnerable.
> Ref: http://www.securityfocus.com/bid/21901
> ______________________________________________________________________
>
> 07.3.104 CVE: Not Available
> Platform: Network Device
> Title: Cisco IOS Data-link Switching Denial of Service
> Description: Cisco IOS Data-link Switching (DLSw) is prone to a denial
> of service vulnerability that occurs when the affected service that
> manages the DLSw partners exchanges a list of supported capabilities.
> If a device running the affected service receives an invalid option
> during this exchange, the vulnerability is triggered. Cisco IOS
> versions 11.0 through 12.4 are reportedly vulnerable.
> Ref:
> http://www.cisco.com/en/US/products/products_security_advisory09186a00807bd128.shtml
> ______________________________________________________________________
>
> 07.3.108 CVE: Not Available
> Platform: Network Device
> Title: Cisco Secure Access Control Server Multiple Remote
> Vulnerabilities
> Description: Cisco Secure Access Control Server Remote Access Dial-In
> User Service (RADIUS) and Terminal Access Control System Plus (TACACS+)
> security server are exposed to multiple remote vulnerabilities. Please
> refer to the link below for further details.
> Ref:
> http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml
> ______________________________________________________________________
>
> (c) 2007. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
>
> Subscriptions: @RISK is distributed free of charge to people responsible
> for managing and securing information systems and networks. You may
> forward this newsletter to others with such responsibility inside or
> outside your organization.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (Darwin)
>
> iD8DBQFFq/t0+LUG5KFpTkYRAg8EAJ9R2DVFrv0ytOatRqiWUEovj2sfxwCfXWy2
> m/iJVyQ+qUF80ko2b9EsAMI=
> =+s8F
> -----END PGP SIGNATURE-----
>