ïÎÉ ÔÏÌØËÏ ÎÅ ÐÒÁ×Ù × ÏÔÎÏÛÅÎÉÉ ÞÉÓÌÁ ÓÁÊÔÏ× Ó ÜËÓÐÌÏÊÔÏÍ - SANS ÇÏ×ÏÒÉÔ, ÞÔÏ
ÉÈ ÕÖÅ ÚÁ 200.
>
> *************************
> Widely Deployed Software
> *************************
>
> (1) CRITICAL: Internet Explorer createTextRange Method Remote
> Code Execution
> Affected:
> Internet Explorer 5.01, 6 and 7 Beta 2
>
> Description: Internet Explorer contains a heap memory corruption
> vulnerability that can be triggered by a JavaScript call to
> "createTextRange" method. This method is used to create "textRange"
> object that represents text in an HTML element. Invoking the
> "createTextRange" method on a "checkbox" object can be exploited to
> corrupt heap memory that leads to arbitrary code execution. A
> specially
> crafted webpage or an HTML email can exploit this flaw to compromise a
> user's system. Exploit code has been publicly posted and attacks have
> been recorded in the wild. SANS Internet Storm Center reports that
> around 100 sites using the exploit to install Trojans and
> other malware
> on compromised systems. A researcher has posted a tool that
> can be used
> to stress test the implementation of other DHTML methods, and reported
> that Internet Explorer crashes on three other instances. Another
> researcher has reportedly found a flaw in IE that can be used to run
> arbitrary HTA code.
>
> Status: Microsoft is aware of the issues and is working on
> releasing the
> fix along with the April patches. Microsoft is also planning to roll
> changes in IE's automatic handling of multimedia content in the next
> patch that may cause issues with certain websites (EOLAS changes). A
> workaround is to turn off the "Active Scripting" option in IE (which
> will break normal functioning of many webpages) or use another browser
> like Firefox. Use updated AV and IDS/IPS signatures to prevent users
> from loading malicious webpages or emails.
>
> Council Site Actions:
> Most are reviewing turning off "Active Scripting", but will
> likely wait
> for vendor patch/fix. The great majority will obtain the
> update through
> the public Microsoft Update site, or through their local WSUS server,
> whenever Microsoft releases a patch. Antivirus may buy some degree of
> protection in the meantime.
>
> References:
> Secunia Advisory
>
> Microsoft Advisory
>
> Microsoft Security Response Center Blog
>
> SANS Incident Handler's Diary
>
>
> Tool for Testing DHTML Methods
>
> Undisclosed vulnerability in IE
>
> Exploit Code
>
>
> IE Changes Planned for Next Update (EOLAS)
>
> ry/0,10801,109866,00.html?source=NLT_SEC&nid=109866
> SecurityFocus BIDs
>
>
> ****************************************************************
>
> (2) HIGH: Sendmail Signal Handling Memory Corruption
> Affected:
> Open Source: Sendmail version 8.13.5 and prior
> Commercial Products:
> Sendmail Sentrion Appliance version 1.1
> Sendmail Switch/Managed MTA/Multi-Switch version 3.1.7 and prior
> Sendmail Advanced Message Server and Message Store version
> 2.2 and prior
> Intelligent Quarantine version 3.0
> All other OSes and third party software using affected
> versions of Sendmail.
>
> Description: Sendmail is the most common mail transfer agent
> (MTA) used
> on the Internet and according to certain estimates handles between 50
> and 75% of the e-mail traffic. Sendmail contains a
> vulnerability in its
> "signal" handling code that deals with "timeouts" during SMTP
> connections. (Signals are used to communicate to a process or a thread
> about certain events.) A remote attacker can trigger the vulnerability
> by sending a sequence of SMTP commands with certain timing conditions
> along with a specially crafted e-mail message. The flaw can
> be exploited
> to corrupt the process stack or heap memory, and execute
> arbitrary code
> with the privileges of sendmail process (root in older versions).
> Proof-of-concept exploit has been publicly posted.
>
> Status: Sendmail has released version 8.13.6 to fix the
> problem. Patches
> for versions 8.15.5 and 8.12.11 are also available. Major
> Linux vendors
> like RedHat, Gentoo, OpenPKG, Fedora have released updated sendmail
> packages. Sun and IBM have also released patches for Solaris and AIX
> respectively. For other affected vendors, please refer to the CERT
> advisory.
>
> Council Site Actions: One site has sendmail enabled only to listen on
> loopback only mode and they plan to deploy the patch during their next
> regularly scheduled system maintenance cycle. Another site
> is affected
> only on its Sun platforms and they are currently testing the
> patches and
> will deploy soon. The third site plans to deploy patches for heavily
> used systems after some initial testing over the next few weeks. Their
> lightly used system will automatically obtain updates from their Linux
> distributors.
>
> References:
> ISS Advisory
>
> Sendmail Advisory
>
> CERT Advisory
>
> Posting by Mark Dowd (discoverer)
>
> Posting by Dave Aitel
>
> PoC Code
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (3) HIGH: RealNetworks RealPlayer Multiple Vulnerabilities
> Affected:
> RealPlayer, RealOne Player, Mac Real Player, Mac RealOne Player, Helix
> Player, Linux RealPlayer
>
> Description: RealPlayer contains multiple vulnerabilities
> that can lead
> to remote compromise of users' systems running the vulnerable version
> of the media players.
>
> (a) The players contain a buffer overflow in handling
> specially crafted
> SWF and MBC file formats. A malicious media file posted on a webpage,
> P2P or shared folder can exploit the overflows to execute
> arbitrary code
> on a client system. The technical details required to craft an exploit
> have not been released yet.
>
> (b) The players contain a heap-based overflow that can be triggered by
> specially crafted "chunked data" during HTTP download. Chunk transfer
> mechanism allows an HTTP server to break the data into smaller pieces
> or "chunks", and each chunk of data is preceded by its
> length. The heap
> corruption can be triggered by chunk with size -1 or chunk with data
> size greater than the declared length. A malicious server hosting a
> media file can exploit this overflow to execute arbitrary code on a
> client system.
>
> Status: RealPlayer has issued fixed version for all the affected media
> players. Enable the "Autoupdate" feature available on the players to
> keep them updated.
>
> Council Site Actions: The software is not officially supported at the
> reporting council sites, although it is used by many at the respective
> sites. Two sites are relying on the "Autoupdate" feature to download
> the latest version. The third site uses SMS to search for and remove
> the software from their workstations on a regular basis. This forces
> their user community to download and install the latest releases when
> they want to use the software.
>
> References:
> RealNetworks Advisory
>
> iDefense Advisory
>
> SecurityFocus BIDs
>
>
>
> 06.12.1 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer Unspecified Remote HTA Execution
> Description: Microsoft Internet Explorer is affected by an unspecified
> remote issue. HTA files are HTML applications that are given higher
> levels of trust and access to the local system that remote web pages
> are normally given. Due to this higher level of trust, successful
> exploits may possibly facilitate arbitrary remote code execution and
> the compromise of affected computers. This vulnerability affects
> Internet Explorer 6.0 running on Microsoft Windows 98, Windows XP, and
> Windows Server 2003.
> Ref:
> ______________________________________________________________________
>
> 06.12.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer CreateTextRange Remote Code
> Execution
> Description: Microsoft Internet Explorer is affected by a remote code
> execution issue due to a flaw in the application that results in an
> invalid table pointer dereference. Certain uses of the
> "createTextRange()" JavaScript method exposes this issue. Internet
> Explorer 6 and 7 beta 2 are affected.
> Ref:
> ______________________________________________________________________
> ______________________________________________________________________
>
> 06.12.8 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Microsoft ASP.NET COM Components W3WP Remote Denial of Service
> Description: w3wp.exe is a worker process associated with the
> Microsoft IIS access pool. ASP.NET is a set of tools based on the .NET
> framework for building web applications. The application is affected
> by a remote denial of service issue due to the "ASPCompat" directive
> when accessing COM and COM+ components.
> Ref:
> ______________________________________________________________________
>
>
> 06.12.13 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel Netfilter Do_Replace Remote Buffer Overflow
> Description: The Linux kernel is susceptible to a remote buffer
> overflow vulnerability due to improper boundary checking of user
> supplied input before using it in a memory copy operation. Linux
> kernel versions prior to 2.6.16 in the 2.6 series are affected by this
> issue.
> Ref:
> ______________________________________________________________________
>
> 06.12.15 CVE: CVE-2006-1342, CVE-2006-1343
> Platform: Linux
> Title: Linux Kernel sockaddr_In.Sin_Zero Kernel Memory Disclosure
> Vulnerabilities
> Description: The Linux kernel is affected by multiple local memory
> disclosure vulnerabilities. These issues are due to a failure of the
> kernel to properly clear previously used kernel memory prior to
> returning it to local users. These issues return 6 bytes of
> previously-used kernel memory in the "sockaddr_in.sin_zero" memory
> buffer when local users call the following functions: accept(),
> getpeername(), getsockname(), getsockopt() with the "SO_ORIGINAL_DST"
> flag. Linux kernel versions 2.6.16 -rc1 and earlier are vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.12.18 CVE: CVE-2006-0905
> Platform: BSD
> Title: FreeBSD IPsec Replay Vulnerability
> Description: FreeBSD's IPsec implementation is vulnerable to remote
> replay attacks due to a flaw in the "fast_ipsec(4)" which allows all
> packets to pass the anti-replay sequence number validation check.
> FreeBSD versions 6.0 and earlier are vulnerable.
> Ref:
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-0
6:11.ipsec.asc
> ______________________________________________________________________
>
> 06.12.20 CVE: CVE-2006-1329
> Platform: Unix
> Title: Jabber Studio JabberD Remote Denial of Service
> Description: Jabber Studio JabberD is an instant messaging protocol
> application. It is vulnerable to a remote denial of service issue due
> to insufficient handling of malformed network messages. Jabber Server
> versions 2.0 s10 and earlier are vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.12.21 CVE: Not Available
> Platform: Unix
> Title: FreeRADIUS EAP-MSCHAPv2 Authentication Bypass
> Description: FreeRADIUS is a freely available, open source
> implementation of the RADIUS protocol. It is available for the Unix
> and Linux platforms. FreeRADIUS is prone to an authentication bypass
> vulnerability. This issue exists because adequate input validation was
> not being performed in the EAP-MSCHAPv2 client state machine. This
> could allow a user to manipulate the EAP-MSCHAPv2 client state machine
> to convince the server to bypass authentication checks. FreeRADIUS
> versions 1.0.0 to 1.1.0 are vulnerable.
> Ref:
> ______________________________________________________________________
>
>
> 06.12.32 CVE: CVE-2006-0058
> Platform: Cross Platform
> Title: Sendmail Asynchronous Signal Handling Remote Code Execution
> Description: Sendmail is a widely used MTA for Unix and Microsoft
> Windows systems. It is prone to a remote code execution vulnerability
> due to an unspecified race condition error. Sendmail versions prior to
> 8.13.6 are vulnerable to this issue.
> Ref:
> ______________________________________________________________________
>
> 06.12.33 CVE: CVE-2006-0323, CAN-2005-2922
> Platform: Cross Platform
> Title: RealNetworks Multiple Products Multiple Buffer Overflow
> Vulnerabilities
> Description: Various RealNetworks products are prone to multiple
> buffer overflow vulnerabilities. These issues arise because the
> applications fail to perform boundary checks prior to copying
> user-supplied data into sensitive process buffers. Please see the
> advisory below for details.
> Ref:
> ______________________________________________________________________
>
> 06.12.35 CVE: CVE-2006-0058
> Platform: Cross Platform
> Title: Sendmail SM_SysLog Remote Memory Leak Denial Of Service
> Description: Sendmail is a widely used MTA for UNIX and Microsoft
> Windows systems. Sendmail is prone to a remote denial of service
> vulnerability. This issue is due to a failure of the application to
> properly free allocated memory regions when it is finished with them.
> Remote attackers may leverage this issue to consume excessive memory,
> eventually crashing the application. Sendmail versions prior to 8.13.6
> are vulnerable to this issue.
> Ref:
