> ********************************************************
>
> (2) HIGH: Samba Multiple Buffer Overflows
> Affected:
> Samba versions prior to 3.0.27
>
> Description: Samba is an open source suite of applications designed to
> provide interoperability between clients using Microsoft Windows and
> servers running Unix or Unix-like operating systems. Several flaws in
> the handling of various requests could lead to a buffer overflow.
> Successfully exploiting this buffer overflow would allow an attacker to
> execute arbitrary code with the privileges of the vulnerable process,
> often root. Full technical details for these vulnerabilities are
> available via source code analysis.
>
> Status: Samba confirmed, updates available.
>
> References:
> Secunia Security Advisory
> http://secunia.com/secunia_research/2007-90/advisory/
> Samba Security Advisories
> http://www.securityfocus.com/archive/1/483742
> http://www.securityfocus.com/archive/1/483743
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/26455
> http://www.securityfocus.com/bid/26454
>
> ********************************************************
>
> (3) MODERATE: Microsoft Windows Shell URI Handling Vulnerability (MS07-061)
> Affected:
> Microsoft Windows XP
> Microsoft Windows Server 2003
>
> Description: The Microsoft Windows Shell, the portion of the operating
> system responsible for managing the user interface, contains a flaw in
> its handling of URIs passed to it by applications. A malicious URI
> passed to an application that is then passed to the shell could exploit
> this vulnerability to execute arbitrary commands with the privileges of
> the current user. Numerous applications are known to pass URIs to the
> Windows Shell in an insecure manner. Technical details and several
> proofs-of-concept are available for this vulnerability. This
> vulnerability has been discussed in a previous issue of @RISK.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/MS07-061.mspx
> Microsoft Security Response Center Blog Posting
> http://blogs.technet.com/msrc/archive/2007/10/10/msrc-blog-additional-details-and-background-on-security-advisory-943521.aspx
> Proof-of-Concept (PDF file)
> http://www.securityfocus.com/bid/25945/exploit
> Previous @RISK Entry
> http://www.sans.org/newsletters/risk/display.php?v=6&i=42#widely5
> SecurityFocus BID
> http://www.securityfocus.com/bid/25945
>
> ********************************************************
>
> (4) MODERATE: Microsoft DNS Server Spoofing Vulnerability (MS07-062)
> Affected:
> Microsoft Windows 2000
> Microsoft Windows Server 2003
>
> Description: Microsoft's DNS server, shipped as part of Microsoft's
> server offerings, contains a flaw in its algorithm used to generate
> random transaction ID numbers. These numbers are used by the DNS
> protocol to identify and pair requests and responses. If the transaction
> ID is guessed, an attacker could provide a false reply to a DNS server
> or otherwise impersonate actors in other requests, and potentially cause
> the vulnerable DNS server to return false responses to its clients. This
> would allow an attacker to divert traffic to attacker-controlled or
> otherwise malicious locations. The random number generation flaw would
> allow an attacker who could observe several transaction IDs to predict
> future transaction IDs. This flaw may be related to a flaw in ISC BIND,
> the de facto DNS server software for Unix and other systems. The flaw
> in ISC BIND was discussed in an earlier edition of @RISK. Multiple
> proofs-of-concept are publicly available for this vulnerability.
>
> Status: Microsoft confirmed, updates available.
>
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/MS07-062.mspx
> Proofs-of-Concept
> http://downloads.securityfocus.com/vulnerabilities/exploits/25919.pl
> http://downloads.securityfocus.com/vulnerabilities/exploits/25919-spoofer-ms.pl
> Wikipedia Article on DNS Cache Poisoning
> http://en.wikipedia.org/wiki/DNS_cache_poisoning
> Previous @RISK Entry
> https://www.sans.org/newsletters/risk/display.php?v=6&i=31#widely8
> SecurityFocus BID
> http://www.securityfocus.com/bid/25919
>
> ********************************************************
>
> (5) MODERATE: Linux CIFS Buffer Overflow
> Affected:
> Linux kernel versions 2.6.23.1 and prior
>
> Description: The Linux kernel, the core of operating systems generally
> described as Linux, contains a flaw in its handling of the Common
> Internet Filesystem (CIFS) protocol. The CIFS protocol is based on the
> older Server Message Block (SMB) protocol, used primarily by Microsoft
> Windows systems to share filesystems and other resources. A malicious
> CIFS server could trigger a buffer overflow in the SendReceive() kernel
> function in any Linux clients connected to the server. This would allow
> an attacker to execute arbitrary code with kernel level privileges. Full
> technical details for this vulnerability are publicly available.
>
> Status: Linux kernel developers have confirmed the flaw. A preliminary
> patch is available.
>
> References:
> Posting by Przemyslaw Wegrzyn
> http://marc.info/?l=linux-kernel&m=119455843205403&w=2
> Kernel Patch Log
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=133672efbc1085f9af990bdc145e1822ea93bcf3
> Wikipedia Article on CIFS
> http://en.wikipedia.org/wiki/Server_Message_Block
> SecurityFocus BID
> http://www.securityfocus.com/bid/26438
>
> ********************************************************
>
> (6) MODERATE: Multiple FLAC Parsers Multiple Vulnerabilities
> Affected:
> LibFLAC versions prior to 1.2.1
> Other FLAC parsers are reported vulnerable
>
> Description: FLAC is the Free Lossless Audio Codec, used to compress
> audio data. It is supported by many popular software and hardware media
> players. Several flaws have been found in multiple FLAC parsers. A
> specially crafted FLAC file could trigger one of these vulnerabilities.
> Several of these vulnerabilities would allow an attacker to execute
> arbitrary code with the privileges of the current user. Note that,
> depending on the application used and system configuration, FLAC files
> may be opened automatically. Some of these vulnerabilities have been
> discussed in earlier issues of @RISK. Technical details for these
> vulnerabilities are available via source code analysis.
>
> Status: LibFLAC confirmed, updates available.
>
> References:
> eEye Security Advisory
> http://research.eeye.com/html/advisories/published/AD20071115.html
> Previous @RISK Entry
> https://www2.sans.org/newsletters/risk/display.php?v=6&i=42#widely10
> LibFLAC Home Page
> http://flac.sourceforge.net/
> Wikipedia Article on FLAC
> http://en.wikipedia.org/wiki/FLAC
> SecurityFocus BID
> http://www.securityfocus.com/bid/26042
>
> ********************************************************
>
> (8) LOW: Linux Kernel TCP Processing Denial-of-Service
> Affected:
> Linux kernel versions prior to 2.6.23.8
>
> Description: The Linux kernel, the core of operating systems generally
> described as Linux, contains a flaw in its handling of Transmission
> Control Protocol (TCP) packets. A specially crafted sequence of TCP
> packets could trigger a denial-of-service condition, leading to a system
> crash. Practically all systems exposed to the internet expose themselves
> to TCP packets, making this vulnerability potentially widely
> exploitable. It is not believed to be possible to leverage this
> vulnerability to lead to remote code execution. Full technical details
> are publicly available for this vulnerability.
>
> Status: Linux kernel developers confirmed, updates available.
>
> References:
> Kernel Change Log
> http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.8
> Wikipedia Article on TCP
> http://en.wikipedia.org/wiki/Transmission_Control_Protocol
> SecurityFocus BID
> http://www.securityfocus.com/bid/26474
>
> ****************************************************
>
> Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
> Week 47, 2007
> This list is compiled by Qualys (www.qualys.com) as part of that
> company's ongoing effort to ensure its vulnerability management web
> service tests for all known vulnerabilities that can be scanned. As of
> this week Qualys scans for 5549 unique vulnerabilities. For this special
> SANS community listing, Qualys also includes vulnerabilities that cannot
> be scanned remotely.
>
> ______________________________________________________________________
>
> 07.47.2 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft Office Web Component Memory Access Violation Denial
> of Service
> Description: Microsoft Office Component is a collection of Component
> Object Model (COM) controls for publishing and viewing spreadsheets,
> charts, and databases on websites. The application is exposed to a
> memory access violation denial of service issue that occurs when a new
> ActiveXObject "OWC.11.DataSourceControl" is instantiated in a web page.
> OWC11 for Microsoft Office 2003 is affected.
> Ref:
> http://www.microsoft.com/downloads/details.aspx?familyid=7287252c-402e-4f72-97a5-e0fd290d4b76&displaylang=en
> ______________________________________________________________________
>
>
> 07.47.6 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Microsoft Forms 2.0 ActiveX Control Memory Access Violation
> Denial of Service Vulnerabilities
> Description: Microsoft Forms 2.0 ActiveX Control is a collection of
> standard form controls that can be used on websites. It includes
> textboxes, different types of buttons, checkboxes, etc. Forms 2.0
> ActiveX is distributed with any application that includes Visual Basic
> for Applications 5.0. The application is exposed to multiple
> memory access violation denial of service issues.
> Ref: http://www.securityfocus.com/bid/26414
> ______________________________________________________________________
>
> 07.47.17 CVE: CVE-2005-4872, CVE-2006-7227, CVE-2006-7228
> Platform: Linux
> Title: PCRE Regular Expression Library Multiple Integer and Buffer
> Overflow Vulnerabilities
> Description: PCRE is a set of functions that implement regular
> expressions using the same syntax and semantics as Perl 5. A buffer
> overflow issue affects the library because it fails to properly count
> the number of named capturing subpatterns in a regular expression.
> PCRE versions prior to 6.2 are affected.
> Ref: http://scary.beasts.org/security/CESA-2007-006.html
> ______________________________________________________________________
>
> 07.47.19 CVE: Not Available
> Platform: Unix
> Title: ClamAV Unspecified Remote Code Execution
> Description: ClamAV is an open source antivirus toolkit for UNIX that
> is designed to scan email. The application is exposed to an
> unspecified remote code execution issue. ClamAV version 0.91.1 is
> affected.
> Ref:
> http://wabisabilabi.blogspot.com/2007/11/focus-on-clamav-remote-code-execution.html
> ______________________________________________________________________
>
> 07.47.22 CVE: CVE-2007-4887
> Platform: Cross Platform
> Title: PHP 5.2.4 and Prior Versions Multiple Vulnerabilities
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to multiple security issues. PHP versions
> 5.2.4 and earlier are affected.
> Ref:
> http://www.securityfocus.com/archive/1/archive/1/478988/100/0/threaded
> ______________________________________________________________________
>
> 07.47.35 CVE: CVE-2007-4572
> Platform: Cross Platform
> Title: Samba NMBD Logon Request Remote Buffer Overflow
> Description: Samba is a software suite that provides file and print
> services for "SMB/CIFS" clients. It is available for multiple
> operating platforms. The application is exposed to a buffer overflow
> issue because it fails to perform adequate boundary checks on
> user-supplied data. Samba versions 3.0.0 through 3.0.26a are affected.
> Ref: http://www.securityfocus.com/archive/1/483742
> ______________________________________________________________________
>
> (c) 2007. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
>