> *****************************
> Widely-Deployed Software
> *****************************
>
> (1) CRITICAL: NullSoft Winamp MP4 File Parsing Buffer Overflow
> Affected:
> NullSoft Winamp versions 5.02 to 5.34
>
> Description: NullSoft Winamp, a popular media player for Microsoft
> Windows, contains a flaw in its parsing of MP4 files. MP4 files (also
> called MPEG-4 Part 14 files) are used to store digital media streams
> such as music and video. A specially-crafted MP4 file could trigger a
> buffer overflow that can be exploited by an attacker to execute
> arbitrary code with the privileges of the current user. Note that,
> depending on configuration, MP4 files may be opened automatically by
> Winamp without prompting. Full technical details and a working exploit
> are publicly available for this vulnerability.
>
> Status: NullSoft confirmed, no updates available. NullSoft has stated
> that the next version of Winamp will fix this vulnerability.
>
> References:
> Exploit by Marsu
> http://downloads.securityfocus.com/vulnerabilities/exploits/23723.c
> Wikipedia Article on MP4
> http://en.wikipedia.org/wiki/MPEG-4_Part_14
> Product Home Page
> http://www.winamp.com/
> SecurityFocus BID
> http://www.securityfocus.com/bid/23723
>
> *********************************************************************
>
> (6) LOW: Internet Systems Consortium BIND Denial of Service
> Affected:
> ISC BIND versions 9.40 and 9.5.0a1 - 9.5.0a3
>
> Description: ISC BIND, the Berkeley Internet Name Domain (formerly
> Daemon), is by far the most popular Domain Name System (DNS) server on
> the Internet. BIND fails to properly handle certain sequences of DNS
> queries. An attacker sending a specially-crafted sequence of queries
> could trigger a denial-of-service condition, preventing further DNS
> queries. Note that BIND is vulnerable in its default
> configuration, and
> by nature most BIND (and other DNS) servers are exposed to the public
> Internet. Note that since BIND is open source, technical details for
> this vulnerability can be obtained via source code analysis.
> The default
> configuration of BIND may be altered by operating system vendors and
> integrators; it is recommended that users verify their BIND
> configurations.
>
> Status: ISC confirmed, updates available. Users can mitigate
> the impact
> of this vulnerability by disabling DNS recursion by adding the line
> "recursion no" to the "named.conf" file, if recursive querying is not
> required.
>
> References:
> ISC BIND Security Posting
> http://www.isc.org/index.pl?/sw/bind/bind-security.php
> ISC Home Page
> http://www.isc.org/index.pl
> SecurityFocus BID
> http://www.securityfocus.com/bid/23738
>
>
> (9) HIGH: IrfanView IFF File Handling Buffer Overflow
> Affected:
> IrfanView versions 4.00 and prior
>
> Description: IrfanView, a popular image viewing and conversion
> application for Microsoft Windows, contains a flaw in its handling of
> IFF (Interchange File Format) files. A specially-crafted IFF
> file could
> trigger a buffer overflow in IrfanView. Successfully exploiting this
> buffer overflow would allow an attacker to execute arbitrary code with
> the privileges of the current user. Note that, depending on
> configuration, IFF files may be opened automatically by IrfanView
> without prompting. Technical details and a working exploit
> are available
> for this vulnerability.
>
> Note that it is unclear if all IFF files are capable of
> triggering this
> vulnerability: IFF was originally developed for the Commodore
> Amiga and
> was designed to carry arbitrary data, including image data. IFF images
> are generally stored in ILBM (Inter-Leaved Bit Map) format. It is
> currently believed that only IFF files containing ILBM data
> will trigger
> this vulnerablity.
>
> Status: IrfanView has not confirmed, no updates available.
>
> References:
> Proof of Concept by Marsu
> http://downloads.securityfocus.com/vulnerabilities/exploits/23692.c
> Wikipedia Article on IFF
> http://en.wikipedia.org/wiki/Interchange_File_Format
> Wikipedia Article on ILBM
> http://en.wikipedia.org/wiki/ILBM
> Vendor Home Page
> http://www.irfanview.com/
> SecurityFocus BID
> http://www.securityfocus.com/bid/23692
>
> *********************************************************************
>
> *********
> Patches
> *********
>
> (9) CRITICAL: Apple QuickTime Java Remote Code Execution Vulnerability
> Description: The vulnerability in Apple's QuickTime leading to remote
> code execution on Java-enabled web browsers has been patched by Apple,
> and the details for this vulnerability have been publicly disclosed.
> This patch is available via Apple's Software Update facility.
>
> References:
> Zero Day Initiative Advisory
> http://www.zerodayinitiative.com/advisories/ZDI-07-023.html
> Apple Security Advisory
> http://docs.info.apple.com/article.html?artnum=305446
> Blog Posting by Matasano Chargen
> http://www.matasano.com/log/849/details-on-dinos-quicktime-adv
isory-with-code-snippet/
> Previous @RISK Entry
> http://www.sans.org/newsletters/risk/display.php?v=6&i=18#widely2
>
> *********************************************************************
> Part II - Comprehensive List of Newly Discovered Vulnerabilities from
> Qualys (www.qualys.com)
>
> _____________________________________________________________________
>
> 07.19.2 CVE: Not Available
> Platform: Microsoft Office
> Title: Office OCX Office Viewer ActiveX Denial of Service
> Vulnerabilities
> Description: Office Viewer (Oa.ocx) is used to integrate an
> Office file
> in a form or webpage. The application is exposed to multiple denial of
> services issues. Office Viewer ActiveX Control version 3.2.0.5 is
> affected. Please refer to the advisory for further details.
> Ref:
> http://moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx
> -v-32.html
> ______________________________________________________________________
>
> 07.19.3 CVE: Not Available
> Platform: Microsoft Office
> Title: Office OCX Word Viewer ActiveX Denial of Service
> Vulnerabilities
> Description: Word Viewer (WordViewer.ocx) is used to host a Word file
> on a website. Word Viewer ActiveX control is exposed to multiple
> denial of service issues. Word Viewer ActiveX Control version 3.2.0.5
> is affected.
> Ref:
> http://moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-mu
ltiple_03.html
> ______________________________________________________________________
>
> 07.19.4 CVE: Not Available
> Platform: Microsoft Office
> Title: Office OCX Excel Viewer ActiveX Denial of Service
> Vulnerabilities
> Description: Excel Viewer (ExcelViewer.ocx) is used to host an Excel
> file on a website. Excel Viewer ActiveX control is exposed to multiple
> denial of service issues in the following methods: DoOleCommand,
> FTPDownloadFile, FTPUploadFile, FTPUploadFile,
> HttpUploadFile, Save and
> SaveWebFile. Excel Viewer ActiveX Control version 3.1 is affected.
> Ref: http://moaxb.blogspot.com/2007_05_02_archive.html
> ______________________________________________________________________
>
> 07.19.5 CVE: Not Available
> Platform: Microsoft Office
> Title: Office OCX PowerPoint Viewer ActiveX Denial of Service
> Vulnerabilities
> Description: PowerPoint Viewer (PowerPointViewer.ocx) is used to host
> a PowerPoint file on a Web site. PowerPoint Viewer ActiveX control is
> exposed to multiple denial of service issues. PowerPoint Viewer
> ActiveX Control version 3.1 is affected.
> Ref:
> http://moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html
> ______________________________________________________________________
>
>
> 07.19.12 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Winamp MP4 File Parsing Buffer Overflow
> Description: Winamp is a multi format media player application. The
> application is exposed to a buffer overflow issue when processing
> certain MP4 files because it fails to perform proper boundary
> checks on
> user-supplied data. Winamp versions 5.34 and prior are affected.
> Ref: http://www.securityfocus.com/bid/23723
> ______________________________________________________________________
>
>
> 07.19.15 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: IrfanView .IFF Format Handling Remote Buffer Overflow
> Description: IrfanView is an image viewing and manipulation
> application that supports multiple image file formats. The application
> is exposed to a remote buffer overflow issue due to a failure of the
> software to properly bounds check user-supplied input prior to copying
> it to an insufficiently sized memory buffer. IrfanView version 4.00 is
> affected.
> Ref: http://www.securityfocus.com/bid/23692
> ______________________________________________________________________
>
> 07.19.16 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Multiple Image Editing Applications .PNG Format Handling Remote
> Buffer Overflow
> Description: Adobe Photoshop and Corel Paint Shop Pro are photo and
> image editing applications. These applications are exposed to a remote
> buffer overflow issue when handling specially crafted .PNG
> files. Adobe
> Photoshop CS2, CS3 and Elements 5.0 are affected. Corel Paint Shop Pro
> 11.20 is affected.
> Ref: http://www.securityfocus.com/bid/23698
> ______________________________________________________________________
>
> 07.19.19 CVE: Not Available
> Platform: Linux
> Title: X.Org X Window System Xserver Denial of Service
> Description: The X.Org X Windows System is an open-source X Window
> System for UNIX, Linux and variants. The Xserver is exposed to a
> denial of service issue due to a failure of the software to properly
> handle exceptional conditions. Xserver version 1.3.0 is affected.
> Ref: http://www.securityfocus.com/bid/23741
> ______________________________________________________________________
>
> 07.19.20 CVE: CVE-2007-0771
> Platform: Linux
> Title: Linux Kernel UTrace Unspecified Local Denial of Service
> Description: The Linux kernel is exposed to a denial of service issue
> due to a flaw in utrace support. Please refer to the advisory for
> further details.
> Ref: http://rhn.redhat.com/errata/RHSA-2007-0169.html
> ______________________________________________________________________
>
> 07.19.26 CVE: CVE-2007-2241
> Platform: Unix
> Title: ISC BIND Query_AddSOA Denial of Service
> Description: ISC BIND (Berkley Internet Domain Name) is an
> implementation of DNS protocols. The application is exposed to a
> denial of service issue because it fails to handle certain sequences
> of malicious queries. ISC BIND versions 9.40, 9.5.0a1, 9.5.0a2, and
> 9.5.0a3 are affected.
> Ref: http://www.kb.cert.org/vuls/id/718460
> ______________________________________________________________________
>
> 07.19.28 CVE: CVE-2006-4520
> Platform: Novell
> Title: Novell eDirectory NCP Fragment Length Denial of Service
> Description: Novell eDirectory is a Lightweight Directory Access
> Protocol (LDAP) server that also implements NCP (NetWare Core
> Protocol). The application is exposed to a remote denial of service
> issue because it fails to handle malformed request packets. This issue
> affects the application's NCP functionality. Novell eDirectory 8.8,
> 8.8.1, 8.7.3.8 and earlier versions are affected.
> Ref:
> http://www.novell.com/support/search.do?cmd=displayKC&docType=
kc&externalId=3924657&sliceId=SAL_Public
> ______________________________________________________________________
>
> 07.19.32 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox Href Denial of Service
> Description: Firefox is exposed to a remote denial of service issue
> when processing an excessively large parameter from the "href" HTML
> tag. This causes the application to consume excessive CPU resources
> and crash. Firefox version 2.0.0.3 is affected.
> Ref: http://www.securityfocus.com/bid/23747
> ______________________________________________________________________
>
> 07.19.33 CVE: Not Available
> Platform: Cross Platform
> Title: Sun Java System Directory Server BER Decoding Denial of Service
> Description: Sun Java System Directory Server is an LDAP (Lightweight
> Directory Access Protocol) server distributed with multiple Sun
> products. The application is exposed to a denial of service issue due
> to an unspecified "BER decoding" issue in the LDAP SDK (Software
> Development Kit) for C.
> Ref:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-10289
5-1&searchclause=
> ______________________________________________________________________
>
> 07.19.34 CVE: CVE- 2007-1337,CVE-2007-1877,CVE-2007-1069,CVE-2007-1876
> Platform: Cross Platform
> Title: VMware Multiple Denial of Service Vulnerabilities
> Description: VMWare Workstation is a desktop virtualization
> application. The application is exposed to multiple denial of service
> issues. VMWare Workstation version 5.5.3 build 34685 is affected.
> Ref: http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html#554
> ______________________________________________________________________
>
> 07.19.37 CVE: CVE-2007-1744
> Platform: Cross Platform
> Title: VMWare Workstation Shared Folders Directory Traversal
> Description: VMWare Workstation is a desktop virtualization
> application. The application is exposed to a directory traversal issue
> due to a lack of proper input sanitization. VMWare version 5.5.3 build
> 34685 on Windows XP SP2 is affected.
> Ref:
> http://labs.idefense.com/intelligence/vulnerabilities/display.
> php?id=521
> ______________________________________________________________________
>
> 07.19.38 CVE: Not Available
> Platform: Cross Platform
> Title: Sun Java Web Start Unauthorized Access
> Description: Sun Java Web Start is a utility included in the Java
> Runtime Environment. It enables Java applications to launch either
> from a desktop or from a web page. The application is exposed to an
> access validation issue that may allow remote attackers to gain
> unauthorized access to a vulnerable computer.
> Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1
> ______________________________________________________________________
>
> 07.19.39 CVE: Not Available
> Platform: Cross Platform
> Title: Imager 8 Bit BMP Heap Based Buffer Overflow
> Description: Imager is a Perl extension library used for generating 24
> bit images. The application is exposed to a heap based buffer overflow
> issue because it fails to properly bounds check user-supplied input
> before copying it to an insufficiently sized memory buffer. Imager
> versions prior to 0.57 are affected.
> Ref: http://www.securityfocus.com/bid/23711
> ______________________________________________________________________
>
>
> 07.19.41 CVE: Not Available
> Platform: Cross Platform
> Title: Symantec Multiple Products Local Buffer Overflow and
> Information Disclosure Vulnerabilities
> Description: Multiple Symantec products are exposed to a buffer
> overflow issue and an information disclosure issue. The information
> disclosure issue is due to a failure of the application to protect
> authentication credentials to remote shares. These authentication
> credentials are used for scheduled backups of local disks to network
> remote shares and are saved in the application directory with read
> access to other users.
> Ref:
> http://labs.idefense.com/intelligence/vulnerabilities/display.
> php?id=520
> ______________________________________________________________________
>
> 07.19.89 CVE: Not Available
> Platform: Network Device
> Title: HP ProCurve 9300m Switches Unspecified Denial of Service
> Description: ProCurve 9300m are a series of networking switches
> available from HP. HP ProCurve 9300m Switches are exposed to an
> unspecified remote denial of service issue due to a failure in the
> device to properly sanitize user-supplied input. HP ProCurve 9300m
> Switches running software versions 08.0.01c to 08.0.01j are affected.
> Ref: http://www.securityfocus.com/archive/1/467492
> ______________________________________________________________________
>
> 07.19.90 CVE: Not Available
> Platform: Network Device
> Title: Cisco PIX and ASA Appliances Multiple Remote Vulnerabilities
> Description: Cisco PIX and ASA Appliances are network devices which
> provide firewall, intrusion detection, anti-X, VPN and secure
> connectivity services. They are vulnerable to multiple remote
> vulnerabilities. Please refer to the advisory for further details.
> These issues are monitored by Cisco Bug IDs CSCsi16248 and CSCsh81111.
> Ref: http://www.kb.cert.org/vuls/id/337508
> ______________________________________________________________________
>
> 07.19.93 CVE: Not Available
> Platform: Network Device
> Title: Cisco PIX/ASA DHCP Relay Remote Denial of Service
> Description: Cisco PIX and ASA are exposed to a remote denial of
> service issue because the software fails to properly handle DHCP
> packets in certain circumstances. Cisco PIX and ASA devices software
> versions 7.2(1) through 7.2(2.14) are affected. This issue is being
> tracked by Cisco Bug ID CSCsh50277.
> Ref: http://www.kb.cert.org/vuls/id/530057
> ______________________________________________________________________
>
>
> (c) 2007. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held
> by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
>