>
> *************************
> Widely-Deployed Software
> *************************
>
> (1) HIGH: Internet Explorer WMF Handling Vulnerability
> Affected:
> Internet Explorer version 5.01 SP4 on Windows 2000 SP4 and
> 5.5 SP2 on Windows ME
>
> Description: A vulnerability, which was initially reported to cause a
> denial-of-service in Internet Explorer, has now been confirmed to lead
> to remote code execution. This flaw exists in Internet Explorer's
> handling of Windows metafiles, and can be reportedly
> triggered by a WMF
> file with a specially crafted header. The malicious WMF image can be
> posted on a webpage, shared folder or sent in an email. Note that this
> vulnerability is different from the one patched by the
> security bulletin
> MS06-001. The technical details required to craft a malicious WMF file
> have been posted.
>
> Status: Microsoft is aware of the flaw but no patches are available.
> Upgrade to Internet Explorer 6.0 SP1 that is not vulnerable.
>
> Council Site Actions: Most of the council sites are not running IE on
> Win2k or ME thus no action was needed. One site was waiting
> for patches
> and a second site has already upgraded to version 6 and prohibits web
> browsing from servers. Another site has requested that folks still on
> the older platforms upgrade to the latest release as soon as possible.
>
> References:
> Microsoft Security Advisory
>
> CVE-2006-0020
>
> SecurityFocus BID
> Not posted yet.
>
> ****************************************************************
>
> (2) HIGH: Sun Java JRE and Java Web Start Security Bypass
> Affected:
> JDK and JRE 5.0 Update 5 and prior
> SDK and JRE 1.4.2_09 and prior
> SDK and JRE 1.3.1_16 and prior
> Java Web Start in J2SE versions 5.0 Update 5 and prior
>
> Description: The Sun Java Plug-in technology, a part of the
> Java Runtime
> Environment (JRE), enables applets on websites to run on a client's
> browser. The Java Security Manager controls the resources a downloaded
> applet can access ("sandbox" model). Multiple vulnerabilities
> in the Sun
> JRE Reflection API can be exploited by a malicious applet to break out
> of this "sandbox", and access any local resources. As a result, if a
> user browses a webpage containing the malicious applet, the applet may
> be able to read/write files or execute arbitrary commands on
> the client
> system with the privileges of the logged-on user. Note that
> applets are
> automatically downloaded and executed in typical browser
> configurations,
> and past vulnerabilities in JRE have been exploited in the wild.
>
> Status: Sun has released fixed versions for the affected software.
>
> Council Site Actions: Several of the council sites have already begun
> the patching process. Another site will soon begin the test and QA
> process since JRE is used by a large number of applications. A final
> site commented that they had not upgraded to the affected version and
> had deployed A/V gateways for web and email as well as mobile code
> inspection engines that filter Java, JavaScript, and ActiveX downloads
> for malicious patterns. They plan to upgrade to the new release in the
> near future.
>
> References:
> Sun Security Advisories
>
>
> Recently Reported Attack Using Previous JRE Vulnerabilities
>
> Applet Security
>
> ndex.html
> SecurityFocus BID
>
>
> ****************************************************************
>
> (3) HIGH: IBM Lotus Notes Multiple Vulnerabilities
> Affected:
> Lotus Notes versions 6.5.4, 7.0 and prior
>
> Description: IBM Lotus Notes enjoys a significant share of the e-mail
> client market with a large number of enterprise deployments.
> Lotus Notes
> contains a number of stack-based buffer overflows that can be
> exploited
> to execute arbitrary code when a Notes user views a specially crafted
> attachment or clicks on a link within a crafted e-mail. The flaws can
> be triggered by specially crafted ZIP, TAR and UUE archives containing
> an overlong filename or an email containing an overlong link
> (more than
> 800 characters). In addition, the program also contains a directory
> traversal vulnerability while handling ZIP, TAR and UUE archives. This
> flaw can be exploited to overwrite files in a local directory such as
> "Startup" on Windows. Note that user interaction is required
> to exploit
> these vulnerabilities.
>
> Status: IBM has released fixed versions 6.5.5 and 7.0.1.
>
> References:
> IBM Advisory
>
> Secunia Advisories
>
>
>
>
>
> SecurityFocus BID
>
>
> ***************************************************************
>
> *********
> Exploits
> *********
>
> (3) Mozilla Firefox Remote Code Execution
>
> Council Site Actions: Most of the council sites do not officially
> support Firefox. However, they are making the latest release available
> for their users. Some sites have automatic update turned on and thus
> have already received the patch/update. One site is blocking the
> affected versions at their proxy servers.
>
> References:
> Exploit Code
>
> _mac.pm.php
> Previous @RISK Newsletter Posting
>
>
> ****************************************************************
> 06.6.1 CVE: CVE-2006-0020
> Platform: Windows
> Title: Microsoft Windows Graphics Rendering Engine Unspecified Memory
> Corruption
> Description: Microsoft Windows WMF graphics-rendering engine is
> affected by an unspecified memory-corruption vulnerability. This issue
> is allegedly due to an integer-overflow flaw that leads to corrupted
> heap memory. This issue could potentially be exploited remotely
> through any means that would allow an attacker to transmit the
> malicious image to a user, including through a malicious website and
> HTML email or embedding it in an Office document.
> Ref:
> ______________________________________________________________________
>
> 06.6.7 CVE: CVE-2006-0454
> Platform: Linux
> Title: Linux Kernel ICMP_Send Remote Denial Of Service
> Description: The Linux kernel is vulnerable to a remote
> denial-of-service issue when certain malformed ICMP packets are
> processed by the "icmp_send()" function in the "net/ipv4/icmp.c"
> source file. Linux kernel versions 2.6.15.2 and earlier in the 2.6
> series are vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.6.10 CVE: CVE-2005-3623
> Platform: Linux
> Title: Linux Kernel NFS ACL Access Control Bypass
> Description: The Linux kernel contains support for ACLs (Access
> Control Lists) in NFSv2 and NFSv3 filesystems. The Linux kernel's NFS
> implementation is susceptible to a remote access control bypass
> vulnerability. This issue is due to a failure to validate the
> privileges of remote users before setting ACLs. Linux Kernel versions
> prior to 2.6.14.5 in the 2.6 kernel series are vulnerable to this
> issue.
> Ref:
> ______________________________________________________________________
>
> 06.6.11 CVE: Not Available
> Platform: Linux
> Title: SUSE LD Insecure RPATH / RUNPATH Arbitrary Code Execution
> Description: LD is the GNU linker application. SUSE LD is susceptible
> to an insecure RPATH / RUNPATH vulnerability. This can allow attackers
> to place malicious libraries in a directory and trick users to execute
> an application from that directory, which would be dynamically linked
> at run-time when the application is executed. This would result in the
> execution of arbitrary code with the privileges of the user who
> executes the application.
> Ref:
> ______________________________________________________________________
>
>
> 06.6.15 CVE: Not Available
> Platform: Unix
> Title: ProFTPD Mod_Radius Buffer Overflow
> Description: ProFTPD is an FTP server. ProFTPD's mod_radius is
> vulnerable to a buffer overflow issue due to insufficient boundry
> checking of the "radius_add_password" function. ProFTPD versions 1.3
> .0rc2 and earlier are vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.6.16 CVE: Not Available
> Platform: Unix
> Title: GnuTLS Libtasn1 DER Decoding Denial of Service Vulnerabilities
> Description: GNU Transport Layer Security Library (GnuTLS) is a
> library that implements the TLS 1.0 and SSL 3.0 protocols. Libtasn1
> library is vulnerable to multiple denial of service issues which can
> be triggered through specifically crafted data. Libtasn1 versions
> earlier than 0.2.18 are vulnerable.
> Ref:
> . html
> ______________________________________________________________________
>
>
> 06.6.22 CVE: Not Available
> Platform: Cross Platform
> Title: Sun Java Web Start Untrusted Application Unauthorized Access
> Description: Sun Java Web Start is a utility included in the Java
> Runtime Environment. It is affected by an issue that may allow remote
> attackers to gain unauthorized access to a vulnerable computer due to
> access-validation errors. Java Web Start in Java 2 Platform Standard
> Edition (J2SE) versions 5.0 Update 5 and earlier are affetced.
> Ref:
> ______________________________________________________________________
>
> 06.6.23 CVE: Not Available
> Platform: Cross Platform
> Title: Sun ONE Directory Server Remote Denial of Service
> Description: Sun ONE Directory Server is a LDAP directory server. It
> is vulnerable to a remote denial of service issue due to insufficient
> handling of malformed network traffic. Sun ONE Directory Server
> versions 5.2 patch 4 and earlier are vulnerable.
> Ref:
>
> ______________________________________________________________________
>
> 06.6.24 CVE: CVE-2006-0056
> Platform: Cross Platform
> Title: PAM-MySQL Code Execution And Denial Of Service
> Description: PAM-MySQL is a PAM (pluggable authentication module)
> module that allows system administrators to setup authentication
> schemes using MySQL databases as a back-end. PAM-MySQL is susceptible
> to two vulnerabilities. The first issue is a denial of service
> vulnerability in the module's SQL logging facility. The second issue
> is a double-free vulnerability in the "pam_get_item()" function.
> Applications that execute the PAM module with superuser privileges
> will allow attackers to completely compromise affected computers.
> Ref:
> ______________________________________________________________________
>
> 06.6.47 CVE: Not Available
> Platform: Web Application
> Title: phpBB HTTP Referer Information Disclosure
> Description: phpBB is a web bulletin board application. The
> application fails to secure the session ID when accessing an external
> avatar image or external BBCode image which exposes it to an
> information disclosure issue. phpBB versions 2.0.19 and earlier are
> affected.
> Ref:
> ______________________________________________________________________
>
> 06.6.62 CVE: Not Available
> Platform: Network Device
> Title: Sony Ericsson Multiple Phones Remote Denial of Service
> Vulnerabilities
> Description: Multiple Phones by Sony Ericsson are vulnerable to a
> remote denial of service issue that affects the Bluetooth stack of the
> devices. The vulnerability presents itself when the devices handle a
> specially crafted raw L2CAP packet. Sony Ericsson devices K600i,
> V600i, W800i and T68i are reported to be vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.6.63 CVE: Not Available
> Platform: Hardware
> Title: Samsung E730 Phone Remote Denial of Service
> Description: Samsung E730 is vulnerable to a remote denial of service
> issue when the device parses unspecified network data.
> Ref:
> ______________________________________________________________________
>
> 06.6.64 CVE: Not Available
> Platform: Hardware
> Title: Nokia N70 Remote Denial of Service
> Description: Nokia N70 is a mobile telephone. It is vulnerable to a
> remote denial of service issue when the device parses unspecified
> network data. Nokia model N70 is vulnerable.
> Ref:
> ______________________________________________________________________
>
