> *************************
> Widely Deployed Software
> *************************
>
> (1) CRITICAL: Microsoft Internet Explorer Cumulative Security
> Update (MS05-054)
> Affected:
> Internet Explorer versions 5.01, 5.5 and 6.0
>
> Description: Microsoft released a cumulative security update for
> Internet Explorer that fixes the following vulnerabilities.
>
> (a) Internet Explorer contains a remote code execution flaw
> in handling
> the JavaScript "window()" function invoked via the "onload" event.
> Exploit code for this flaw has been posted since November 21,
> 2005. The
> vulnerability has also been exploited in the wild by Trojans Clunky-B
> and Delf.DH.
>
> (b) Internet Explorer contains a heap memory corruption issue in
> instantiating COM objects as ActiveX controls. Microsoft has been
> identifying and setting kill bits for many COM objects since the past
> few Internet Explorer updates.
>
> (c) Internet Explorer contains vulnerability while displaying "file
> download" dialogue box that can be exploited to execute arbitrary code
> on a client system. The problem arises because a malicious webpage can
> hide the "file download" dialogue box behind another browser window.
> When the user clicks on the other browser window, the clicks could be
> interpreted by the file download dialogue box to download and run the
> malware on the user's system. Note that a fair amount of user
> interaction would be required to exploit the flaw. (d) The update has
> also set the kill bit for Microsoft MciWndx and
> First4Internet XCP (Sony
> BMG) ActiveX controls.
>
> Status: Apply the update referenced in the Microsoft Security Bulletin
> MS05-054 on an expedited basis as one of the flaws is being actively
> exploited. A general workaround to prevent complete compromise of
> systems running Internet Explorer is to run Internet Explorer with
> limited privileges. Microsoft "DropMyRights" tool can be used for such
> purposes.
>
> Council Site Actions: All of the reporting council sites are
> responding
> to this issue. Some are treating this as a high priority update and
> pushing out as soon as the QA process is finished. Other sites plan to
> deploy during their next regularly scheduled maintenance window (after
> QA). One site has already completed their deployment of the update.
>
> References:
> Microsoft Security Bulletin
>
> Previous @RISK Posting (IE window() Flaw)
>
> Trojan Clunky-B Information
>
> Trojan Delf.DH Information
>
> Secunia Advisory (IE Dialogue Box Spoofing)
>
>
> Microsoft DropMyRights Tool
>
2004.asp
> SecurityFocus BIDs
>
>
>
>
> ****************************************************************
>
> ************
> Exploit Code
> ************
>
> (3) HP Openview Network Node Manager Remote Code Execution
>
> Council Site Actions: Only three of the responding council sites are
> using the affected software and all of these sites have
> already deployed
> the patches.
>
> References:
> Exploit Code
>
> s_exec.pm.php
> Previous @RISK Newsletter Posting
>
>
> ****************************************************************
> ______________________________________________________________________
>
> 05.50.1 CVE: CAN-2005-2829
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer Dialog Manipulation
> Description: Microsoft Internet Explorer is prone to a remote code
> execution vulnerability through manipulation of custom dialog boxes.
> This issue arises when a user visits a malicious web site designed to
> exploit this flaw. A custom dialog box can be displayed that asks a
> user to enter certain keystrokes. The custom dialog is then able to
> pass the keystrokes to a download dialog, potentially allowing a
> remote file to be executed on the computer. The flaw exists because
> the download dialog accepts keystrokes passed to it from the custom
> dialog. Internet Explorer versions 6.0 SP1 and earlier are reported to
> be vulnerable.
> Ref:
> ______________________________________________________________________
>
> 05.50.2 CVE: CAN-2005-2830
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer HTTPS Proxy Information Disclosure
> Description: Microsoft Internet Explorer is prone to an information
> disclosure vulnerability when using an authenticating proxy server for
> HTTPS communications. If the authenticating proxy server uses Basic
> Authentication, an attacker on the same network could potentially
> access the user's authentication credentials. In order to exploit this
> vulnerability, the attacker would have to be able to capture traffic
> between the user and the authenticating proxy server during HTTPS
> communications.
> Ref:
> ______________________________________________________________________
>
> ______________________________________________________________________
>
> 05.50.6 CVE: CVE-2005-3651
> Platform: Cross Platform
> Title: Ethereal OSPF Protocol Dissection Stack Buffer Overflow
> Description: Ethereal is a multi-platform network protocol sniffer and
> analyzer. A remote buffer overflow vulnerability reportedly affects
> Ethereal. This issue is due to a failure of the application to
> securely copy network-derived data into sensitive process buffers. The
> specific issue exists in the OSPF (Open Shortest Path First) protocol
> dissector. Ethereal versions 0.10.13 and prior are vulnerable.
> Ref:
> ______________________________________________________________________
>
> 05.50.10 CVE: Not Available
> Platform: Cross Platform
> Title: Lyris ListManager Command Execution
> Description: Lyris ListManager is a mailing list manager application.
> It is prone to a CRLF injection vulnerability when using the web
> interface to subscribe a new user to a mailing list. The "pw"
> parameter is not properly sanitized; arbitrary mailing list
> administration commands may be executed using CRLF sequences appended
> to this parameter. Lyris ListManager versions 5.0 through 8.8a are
> vulnerable; other versions may also be affected.
> Ref:
> ______________________________________________________________________
> ______________________________________________________________________
>
> 05.50.18 CVE: Not Available
> Platform: Cross Platform
> Title: Opera Web Browser Long Title Element Bookmark Denial of Service
> Description: Opera is a web browser available for a number of
> platforms. It is prone to a denial of service vulnerability when a web
> page with a long title element is bookmarked. This issue occurs if the
> Input Method Editor (IME) is installed. Opera Web Browser versions
> 8.50 and earlier are reported to be vulnerable.
> Ref:
> ______________________________________________________________________
>
> 05.50.20 CVE: Not Available
> Platform: Cross Platform
> Title: Alt-N MDaemon WorldClient Denial of Service
> Description: MDaemon is an email application. It is vulnerable to a
> denial of service issue due to insufficient sanitization of
> user-supplied input in the "Subject" header field. Alt-N MDaemon
> version 8.1.3 is vulnerable.
> Ref:
> ______________________________________________________________________
>
>
> 05.50.24 CVE: CAN-2005-2407
> Platform: Cross Platform
> Title: Opera Download Dialog File Execution
> Description: Opera Web Browser is vulnerable to remote code execution
> issue through manipulation of download dialog boxes. Opera Web Browser
> versions 8.01 and earlier are reported to be vulnerable.
> Ref:
> ______________________________________________________________________
>
>
> 05.50.53 CVE: CVE-2005-3352
> Platform: Web Application
> Title: Apache Mod_IMAP Referer Cross-Site Scripting
> Description: Mod_IMAP is an Apache module for server-side imagemap
> processing. It is prone to a cross-site scripting vulnerability due to
> insufficient sanitization of user-supplied input. This issue occurs
> when using the "Referer" directive with image maps. Apache versions
> 2.0.55 and earlier are vulnerable.
> Ref:
> ______________________________________________________________________
>
