>
> *****************************
> Widely Deployed Software
> *****************************
>
> (1) CRITICAL: Microsoft XML Core Services Memory Corruption (MS07-042)
> Affected:
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Server 2003
> Microsoft Windows Vista
> Microsoft Office 2003/2007
>
> Description: Microsoft XML Core Services provides eXtensible Markup
> Language (XML) parsing services for applications on Microsoft Windows,
> including such applications as Microsoft Internet Explorer and
> Microsoft Office. A flaw in the handling of methods exported by this
> service could result in memory corruption. Successfully exploiting
> this memory corruption would allow an attacker to execute arbitrary
> code with the privileges of the current user. Vulnerable components
> are reachable via scripts on web pages; therefore a malicious web page
> would be able to exploit this vulnerability. A proof-of-concept and
> technical details are publicly available for this vulnerability.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
> Zero Day Initiative Advisory
> http://zerodayinitiative.com/advisories/ZDI-07-048.html
> iDefense Advisory
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=576
> Proof-of-Concept
> http://downloads.securityfocus.com/vulnerabilities/exploits/25031.js
> Product Home Page
> http://msdn2.microsoft.com/en-us/xml/default.aspx
> Wikipedia Article on XML
> http://en.wikipedia.org/wiki/XML
> SecurityFocus BID
> http://www.securityfocus.com/bid/25301
>
> *************************************************************************
>
> (2) CRITICAL: Microsoft OLE Automation Remote Code Execution
> (MS07-043)
> Affected:
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Server 2003
> Microsoft Office 2004 for Mac
> Microsoft Visual Basic version 6.0
>
> Description: Microsoft Object Linking and Embedding (OLE) Automation is
> a protocol that allows applications to share data and control other
> applications. A flaw in the handling of OLE scripts can result in a
> memory corruption vulnerability. Successfully exploiting this memory
> corruption would allow an attacker to execute arbitrary code with the
> privileges of the current user. Vulnerable components are reachable
> via scripts on web pages; therefore a malicious web page would be able
> to exploit this vulnerability. Some technical details are available
> for this vulnerability.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms07-043.mspx
> Zero Day Initiative Advisory
> http://zerodayinitiative.com/advisories/ZDI-07-048.html
> iDefense Advisory
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=576
> Wikipedia Article on Object Linking and Embedding
> http://en.wikipedia.org/wiki/Object_Linking_and_Embedding
> SecurityFocus BID
> http://www.securityfocus.com/bid/25282
>
> *************************************************************************
>
> (3) CRITICAL: Microsoft Internet Explorer Multiple
> Vulnerabilities (MS07-045)
> Affected:
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Server 2003
> Microsoft Windows Vista
> Microsoft Internet Explorer versions 6 and 7
>
> Description: Microsoft Internet Explorer contains multiple
> vulnerabilities. A failure to properly parse Cascading Style Sheets
> (CSS), used to provide styling information for web pages, can lead to
> a memory corruption vulnerability. Style sheets are automatically
> downloaded by Internet Explorer when visiting a web site that uses
> them. Additionally, several ActiveX components that were not intended
> to be instantiated by Internet Explorer can, in fact, be instantiated
> by Internet Explorer. A malicious web site that instantiates these
> components can trigger a memory corruption vulnerability. Successfully
> exploiting any of these vulnerabilities would allow an attacker to
> execute arbitrary code with the privileges of the current user.
>
> Status: Microsoft confirmed, updates available. Users can mitigate the
> impact of the ActiveX vulnerabilities by disabling the affected
> controls via Microsoft's "kill bit" mechanism for the following CLSIDs:
> 8B217746-717D-11CE-AB5B-D41203C10000,
> 8B217752-717D-11CE-AB5B-D41203C10000,
> 8B21775E-717D-11CE-AB5B-D41203C10000, and
> 0DDF3B5C-E692-11D1-AB06-00AA00BDD685.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx
> Wikipedia Article on Cascading Style Sheets
> http://en.wikipedia.org/wiki/Cascading_Style_Sheets
> Microsoft Knowledge Base Article (details the "kill bit" mechanism)
> http://support.microsoft.com/kb/240797
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/25288
> http://www.securityfocus.com/bid/25295
> http://www.securityfocus.com/bid/25289
>
> *************************************************************************
>
> (4) CRITICAL: Microsoft Vector Markup Language Remote Code
> Execution (MS07-050)
> Affected:
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Server 2003
> Microsoft Windows Vista
> Microsoft Internet Explorer version 5 and 6
>
> Description: The Vector Markup Language (VML) is an XML-based markup
> language used to draw vector images. It is supported by Microsoft
> Internet Explorer to display vectored images on websites. Internet
> Explorer contains a flaw in its handling of compressed image data
> referenced by VML documents. A specially crafted web page could
> exploit this vulnerability and allow an attacker to execute arbitrary
> code with the privileges of the current user. Note that VML data is
> rendered automatically by Internet Explorer. A simple proof-of-concept
> and some technical details are available for this vulnerability.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx
> eEye Security Advisory
> http://www.securityfocus.com/archive/1/476498
> Wikipedia Article on Vector Markup Language
> http://en.wikipedia.org/wiki/Vector_Markup_Language
> SecurityFocus BID
> http://www.securityfocus.com/bid/25310/
>
> **************************************************************
>
> *************************************************************************
>
> (7) HIGH: Microsoft Excel File Parsing Remote Code Execution
> (MS07-044)
> Affected:
> Microsoft Office 2000
> Microsoft Office XP
> Microsoft Office 2003
> Microsoft Office 2004 for Mac
>
> Description: Microsoft Excel contains a flaw in its parsing of Excel
> spreadsheet files. A specially crafted spreadsheet file could exploit
> this vulnerability to execute arbitrary code with the privileges of
> the current user. It is believed that only Excel Workspace files are
> affected. Note that some technical details are publicly available for
> this vulnerability. Excel files do not open without first prompting on
> versions of Microsoft Office later than Microsoft Office 2000.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms07-044.mspx
> Secunia Advisory
> http://secunia.com/advisories/26145/
> SecurityFocus BID
> http://www.securityfocus.com/bid/25280
>
> *************************************************************************
>
> (8) HIGH: Opera Web Browser JavaScript Remote Code Execution
> Affected:
> Opera Web Browser versions prior to 9.23
>
> Description: The Opera Web Browser (generally just called Opera) is a
> popular multiplatform web browser. Opera contains a vulnerability in
> its handling of JavaScript scripts. A specially crafted web page
> containing such a script could trigger this vulnerability and execute
> arbitrary code with the privileges of the current user. Note that some
> technical details, including details on vulnerability discovery and
> instructions for exploitation, are publicly available. Opera is
> commonly deployed on mobile and embedded devices, but is widely used
> in desktop environments as well.
>
> Status: Opera confirmed, updates available.
>
> References:
> Opera Security Advisory
> http://www.opera.com/support/search/view/865/
> Opera Home Page
> http://www.opera.com
> SecurityFocus BID
> http://www.securityfocus.com/bid/25331
>
> *************************************************************************
>
> (9) HIGH: Sun Java Runtime Environment Font Processing Overflow
> Affected:
> Sun Java Runtime Environment versions prior to 1.5.0_10 and 1.4.2_15
>
> Description: The Sun Java Runtime Environment contains a flaw in the
> handling of font files. These files can be included with remotely
> launched Java applets and applications. A specially crafted font file
> could exploit this flaw and trigger a buffer overflow. Successfully
> exploiting this buffer overflow would allow an attacker to execute
> arbitrary code with the privileges of the current user. Note that Java
> applets are often loaded automatically in web pages. The Sun Java
> Runtime Environment is installed by default on Sun Solaris, Apple Mac
> OS X, and several other operating systems. It is often installed on
> Microsoft Windows as well.
>
> Status: Sun confirmed, updates available.
>
> References:
> Sun Security Advisory
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-103024-1
> Sun Java Home Page
> http://java.sun.com
> SecurityFocus BID
> http://www.securityfocus.com/bid/25340
>
> *************************************************************************
>
> (10) MODERATE: Microsoft GDI Remote Code Execution (MS07-046)
> Affected:
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Server 2003
>
> Description: The Microsoft Graphics Device Interface (GDI) allows
> applications to produce graphics and text on various devices. The GDI
> fails to properly handle the rendering of certain Windows Metafile
> image files. A specially crafted image file could trigger this
> vulnerability and leverage it to execute arbitrary code with the
> privileges of the current user. Note that Windows Metafile image files
> are not normally rendered by Internet Explorer; therefore malicious
> web sites cannot normally exploit this vulnerability. Other avenues of
> exploitation may include email attachments and downloaded files. Some
> technical details are available for this vulnerability.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx
> eEye Security Advisory
> http://www.securityfocus.com/archive/1/476505
> Wikipedia Article on the Windows Metafile Format
> http://en.wikipedia.org/wiki/Windows_Metafile
> SecurityFocus BID
> http://www.securityfocus.com/bid/25302
>
> *************************************************************************
>
> (11) MODERATE: Microsoft Windows Media Player Multiple
> Vulnerabilities (MS07-047)
> Affected:
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Server 2003
> Microsoft Windows Vista
>
> Description: Microsoft Windows Media Player is Microsoft's streaming
> media player for Microsoft Windows. This player supports "skinning" -
> the ability to alter the appearance and behavior of the player's user
> interface according to "skin" files. Windows Media Player contains
> several vulnerabilities in the parsing of skin files. A specially
> crafted skin file could exploit one of these vulnerabilities to
> execute arbitrary code with the privileges of the current user. Note
> that, in most configurations, users are prompted before downloading a
> skin file. To exploit this vulnerability, an attacker would have to
> convince a user to apply the skin once it had been downloaded.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/MS07-047.mspx
> Zero Day Initiative Advisories
> http://zerodayinitiative.com/advisories/ZDI-07-046.html
> http://zerodayinitiative.com/advisories/ZDI-07-047.html
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/25305
> http://www.securityfocus.com/bid/25307
>
> *************************************************************************
>
> (12) MODERATE: Microsoft Windows Vista Gadgets Multiple
> Vulnerabilities (MS07-048)
> Affected:
> Microsoft Windows Vista
>
> Description: Microsoft Windows Vista allows users to run small
> applications on the desktop, referred to as "gadgets". These gadgets
> are generally visible and are often used to display continuously
> updated information (such as weather information). Several gadgets
> fail to properly validate their input, leading to an exploitable
> condition. The Feed Headlines Gadget (used to read RSS feeds), the
> Weather Gadget (used to display weather information), and the Contacts
> Gadget (used to display contact information) are all vulnerable. A
> specially crafted RSS feed, contact file, or link could allow an
> attacker to execute arbitrary code with the privileges of the current
> user.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/MS07-048.mspx
> iDefense Advisory
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=575
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/25304
> http://www.securityfocus.com/bid/25306
> http://www.securityfocus.com/bid/25307
>
>
> *************************************************************************
>
> (14) MODERATE: Rsync Multiple Buffer Overflows
> Affected:
> Rsync versions 2.6.9 and prior
>
> Description: Rsync is a file synchronization utility used and installed
> by default on a variety of Unix, Unix-like, and Linux systems
> (including Apple Mac OS X). This utility can be run in server mode,
> allowing remote clients to connect and synchronize data. This utility
> contains two buffer overflow vulnerabilities in its handling of
> overlong filenames. An attacker could exploit these buffer overflows
> to execute arbitrary code with the privileges of the vulnerable
> process. Note that full technical details are available for this
> vulnerability, both in the advisory and through source code analysis.
>
> Status: Rsync has not confirmed, no updates available.
>
> References:
> Blog Posting by Sebastian Krahmer
> http://c-skills.blogspot.com/2007/08/cve-2007-4091.html
> Secunia Advisory
> http://secunia.com/advisories/26493/
> Rsync Home Page
> http://rsync.samba.org
> SecurityFocus BID
> http://www.securityfocus.com/bid/25336
>
> *************************************************************************
>
> Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
> Week 34 2007
____________________
>
> (c) 2007. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held by a
> party other than Qualys (as indicated herein) and permission to use
> such material must be requested from the copyright owner.
>
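The MS07-045 entry above recommends the "kill bit" workaround for four ActiveX CLSIDs but does not show how to apply it. The following PowerShell is an added example, not code from the quoted newsletter, from SANS/Qualys or from Microsoft. It follows the registry location and flag value documented in the KB240797 article the entry references (a DWORD named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}). The Wow6432Node path is an assumption for 64-bit hosts running 32-bit Internet Explorer and is only touched if it exists; the function names Set-KillBit and Test-KillBit are this example's own.

```powershell
# Added example (not from the newsletter or from Microsoft): set the
# Internet Explorer "kill bit" for the four CLSIDs named in the MS07-045
# entry, then read each value back to verify. Run from an elevated prompt.
# Key location and the 0x400 flag follow KB240797 (referenced above).

$clsids = @(
    '8B217746-717D-11CE-AB5B-D41203C10000',
    '8B217752-717D-11CE-AB5B-D41203C10000',
    '8B21775E-717D-11CE-AB5B-D41203C10000',
    '0DDF3B5C-E692-11D1-AB06-00AA00BDD685'
)

# Bit 10 of "Compatibility Flags": IE must not instantiate the control.
$KillBit = 0x400

# Assumption: on 64-bit Windows, 32-bit IE reads the Wow6432Node view, so
# the bit is written under both paths when the second one exists.
$bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
$wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
if (Test-Path $wow) { $bases += $wow }

function Set-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base "{$Clsid}"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present; only OR in the kill bit.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $new = $existing -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $new -Force | Out-Null
}

function Test-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base "{$Clsid}"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

foreach ($base in $bases) {
    foreach ($c in $clsids) {
        Set-KillBit -Base $base -Clsid $c
        $state = if (Test-KillBit -Base $base -Clsid $c) { 'kill bit set' } else { 'NOT set' }
        "{0} {{{1}}}: {2}" -f $base, $c, $state
    }
}
```

Two caveats a practitioner should keep in mind. The kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from instantiating the control; the vulnerable code stays on disk, so the MS07-045 update is still required. And Test-KillBit reads the value back but does not prove that every IE process has picked it up; a verification pass should also confirm the key is not later overwritten by software that re-registers the controls.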