Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 26



> ****************************************************************
>  
> (3) HIGH: LibPNG Chunk Processing Buffer Overflow
> Affected:
> LibPNG versions 1.2.11 and prior
>  
> Description: LibPNG, a popular library for processing PNG (Portable
> Network Graphics) images, is installed and used by default on all Linux,
> UNIX, BSD, and Mac OS X systems. Certain applications may also install
> the library on Windows systems. The library contains a buffer overflow
> that can be triggered by a specially crafted PNG image "chunk". Any
> application that delivers a malformed PNG image (web, email, IM) can
> exploit the overflow to execute arbitrary code with the privileges of
> the current user. Since LibPNG is open source, the technical details for
> this exploit can be obtained by examining the fixed code.
> 
> Status: LibPNG confirmed, updates available.
> 
> Council Site Actions: The responding council sites using the affected
> software plan to install any patches that come out for OS or
> applications they use within regular patching intervals. One also said
> they don't run graphical applications that take input from the outside
> world on their UNIX systems.
> 
> References:
> LibPNG Release Notes (contains vulnerability announcement)
> http://sourceforge.net/project/shownotes.php?group_id=5624&release_id=428123
> PNG File Format
> http://www.w3.org/TR/PNG/
> LibPNG Home Page
> http://www.libpng.org/pub/png/
> SecurityFocus BID
> http://www.securityfocus.com/bid/18698
> 
> ****************************************************************
> 
> (5) HIGH: OpenOffice.org Multiple Document Handling Vulnerabilities
> Affected:
> OpenOffice.org versions 1.1.x
> OpenOffice.org versions 2.0.2 and prior
> 
> Description: OpenOffice.org, a popular Open Source office suite for
> Windows, Mac OS X, Linux, Solaris, and other operating systems, contains
> several vulnerabilities in the way it handles documents. (a) By tricking
> a user into opening a specially-crafted XML document, an attacker can
> trigger a buffer overflow and execute arbitrary code with the privileges
> of the current user. (b) Several built-in macros can be executed without
> user confirmation, allowing an attacker to execute arbitrary code with
> the privileges of the current user; this applies to multiple
> OpenOffice.org formats. (c) Specially-crafted Java applets can read or
> create arbitrary files without the users' knowledge, when these applets
> are embedded in any OpenOffice.org documents. Note that, since
> OpenOffice.org is Open Source, technical details on these exploits can
> be easily obtained.
> 
> Status: OpenOffice.org confirmed, updates available.
> 
> References:
> OpenOffice.org Security Advisories
> http://www.openoffice.org/security/bulletin-20060629.html 
> http://www.openoffice.org/security/CVE-2006-2198.html 
> http://www.openoffice.org/security/CVE-2006-2199.html 
> http://www.openoffice.org/security/CVE-2006-3117.html 
> Posting by NGSSoftware Insight Security Research
> http://archives.neohapsis.com/archives/vulnwatch/2006-q2/0036.html 
> SecurityFocus BID (XML vulnerability)
> http://www.securityfocus.com/bid/18739 
> SecurityFocus BID (Macro vulnerability)
> http://www.securityfocus.com/bid/18738 
> SecurityFocus BID (Java vulnerability)
> http://www.securityfocus.com/bid/18737
> 
> ****************************************************************
> 
> (7) MODERATE: Computer Associates Multiple Products Format String Vulnerability
> Affected: 
> Computer Associates eTrust Antivirus, PestPatrol and Integrated Threat
> Management version 8.0
> 
> Description: Several Computer Associates antivirus products contain a
> format string vulnerability. The vulnerability can be triggered by a
> "Scan job" containing a format string such as %s in its description
> field. A remote attacker with the ability to create a scan job can
> exploit this flaw to execute arbitrary code on the system running the
> affected products. Note that clients running the AV software are at
> risk only from local attackers. The servers running the AV scanning
> engine via an HTTP interface are only vulnerable if anonymous or
> authenticated users can submit scan job requests. The technical details
> for this vulnerability have been publicly posted.
> 
> Status: Computer Associates confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Computer Associates Vulnerability Information Center Article
> http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34325
> Posting by Deral Heiland
> http://www.securityfocus.com/archive/1/438582
> Layered Defense Advisory
> http://www.layereddefense.com/ADVISORIES.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/18689
> 
> ****************************************************************
> 
> (8) MODERATE: Microsoft Windows Live Messenger Contact List Buffer Overflow
> Affected:
> Microsoft Windows Live Messenger version 8.0 and prior
> 
> Description: Microsoft Windows Live Messenger, a popular instant
> messaging and voice/video conferencing client for Microsoft Windows, is
> vulnerable to a buffer overflow. By tricking a user into opening a
> specially-crafted contact list, an attacker could execute arbitrary code
> with the privileges of the current user. Note that proof-of-concept code
> for this vulnerability has been publicly released.
> 
> Status: Microsoft has not confirmed, no updates available.
> 
> References:
> Proof-of-Concept Exploit
> http://www.jaascois.com/exploits/18602016/CLexploits.ctt
> Posting by JAAScois
> http://archives.neohapsis.com/archives/bugtraq/2006-06/0567.html
> Microsoft Live Messenger Home Page
> http://get.live.com/messenger/overview
> SecurityFocus BID
> http://www.securityfocus.com/bid/18639
> 
> ****************************************************************
> 
> ********************
> Other Software
> ********************
>  
> (9) HIGH: ArGoSoft Mail Server POP3 Remote Buffer Overflow
> Affected:
> ArGoSoft Mail Server Pro/Plus/FreeWare versions 1.8.x and prior
>  
> Description: ArGoSoft Mail Server contains an undisclosed
> remotely-exploitable buffer overflow. By sending specially-crafted
> traffic (believed to be related to the POP3 DELETE verb), an attacker
> could trigger this buffer overflow and execute arbitrary code with the
> privileges of the mail server process - often SYSTEM. Exploit code has
> been privately published via the Immunity Partners program, and is
> available to registered users of that program.
> 
> Status: Vendor has not confirmed, no updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Immunity Security Partner's Exploit
> https://www.immunityinc.com/downloads/immpartners/argosoft_dele.py
> ArGoSoft Mail Server Home Page
> http://www.argosoft.com/rootpages/MailServer/Default.aspx
> SecurityFocus BID
> http://www.securityfocus.com/bid/18668
> 
> ****************************************************************
>  
> (10) HIGH: Cisco Wireless Control System Multiple Vulnerabilities
> Affected:
> Cisco Wireless Control System versions 3.2 and 4.0 and earlier
>  
> Description: Cisco Wireless Control System (WCS) is used to administer
> Cisco wireless devices from a centralized management point. The Cisco
> WCS suffers from multiple remotely-exploitable vulnerabilities. (a) Any
> user with access to the vulnerable system can gain access to the
> internal database due to a hard coded username and password. These
> credentials are easily determined. (b) A remote attacker can also read
> and write arbitrary files on the WCS server via the built-in TFTP
> server, if the server's root path contains a space character. (c) The
> login page of the WCS web interface does not properly sanitize
> user-supplied input, leaving it open to cross-site-scripting attacks.
> (d) WCS systems are shipped with a default administrator username and
> password, neither of which is changed by default during installation or
> initial login. By exploiting these vulnerabilities, any attacker with
> network access to the WCS system could potentially take complete control
> of the WCS system, or gain sensitive information about the wireless
> system (including encryption keys and passwords).
> 
> Status: Cisco confirmed, updates available.
> 
> Council Site Actions: Only two of the reporting council sites are using
> the affected software. One site has implemented the available
> workaround on their affected systems. The other site is still in the
> process of investigating their exposure level.
> 
> References:
> Cisco Security Advisory
> http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml  
> SecurityFocus BID
> http://www.securityfocus.com/bid/18701 
> 
> ****************************************************************
> 
> (11) MODERATE: Hashcash Remote Heap Buffer Overflow
> Affected:
> Hashcash reference implementation versions 1.20 and prior
>  
> Description: Hashcash is a system for combating unsolicited email
> ("spam"), by requiring senders to perform an easily-verified but
> difficult-to-calculate hash operation. This incurs a cost (in time) for
> senders, making it more difficult for them to send out mass emails. The
> reference Hashcash implementation, available on multiple platforms,
> suffers from a remotely-exploitable buffer overflow. By sending a
> specially-crafted Hashcash string to a vulnerable server, an attacker
> could exploit this overflow and execute arbitrary code with the
> privileges of the mail verification system - often root. Note that
> simply sending an email to a vulnerable server would be sufficient to
> trigger this overflow. Since this project is Open Source, technical
> details for this vulnerability are easily available.
> 
> Status: Hashcash confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Hashcash Change Log (includes vulnerability announcement)
> http://www.hashcash.org/source/CHANGELOG
> Hashcash Home Page
> http://www.hashcash.org/
> SecurityFocus BID
> http://www.securityfocus.com/bid/18659
> 
> ****************************************************************
> 
> (13) MODERATE: Cisco Wireless Access Point Authentication Bypass
> Affected:
> Cisco Wireless Access Points/Bridge running IOS versions 12.3(8)JA or 12.3(8)JA1
> 
> Description: This vulnerability in the Cisco Wireless Access Point's web
> interface allows a remote attacker to completely control an affected
> Access Point. The flaw occurs when the Access Point's authentication
> method is changed from "Global Password" (default) to "Local User List
> Only". This configuration change results in revoking any authentication
> checks for accessing the device.
> 
> Status: Cisco confirmed, updates available.
> 
> References:
> Cisco Security Advisory
> http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml
> 
> ****************************************************************
> 
> ****************
> Exploits
> ****************
> 
> (14) Microsoft Windows TCP/IP Remote Code Execution (MS06-032)
> 
> Description: A proof-of-concept exploit has been released for this
> issue, discussed in a previous @RISK newsletter posting. This exploit
> results in a denial-of-service condition on vulnerable systems.
> 
> References:
> security.nnov.ru Posting
> http://www.security.nnov.ru/Fnews753.html 
> Proof-of-Concept exploit
> http://www.security.nnov.ru/files/winicmpdos.cmd 
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=5&i=24#widely9
> 
> 
> 06.26.1 CVE: CVE-2006-328
> Platform: Windows
> Title: Internet Explorer OuterHTML Redirection Handling Information
> Disclosure
> Description: Microsoft Internet Explorer is susceptible to an
> information disclosure vulnerability. This issue is due to a failure
> of the application to properly enforce cross-domain policies.
> Microsoft Internet Explorer version 6.0 on Windows XP SP2 is
> vulnerable to this issue.
> Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047398.html
> ______________________________________________________________________
> 
> 06.26.2 CVE: CVE-2006-3250
> Platform: Other Microsoft Products
> Title: Windows Live Messenger Contact List Processing Remote Heap
> Overflow
> Description: Microsoft Windows Live Messenger is an instant messaging
> client. It is vulnerable to a remote heap overflow issue when the
> application processes a malicious contact list (.ctt) file. Windows
> Live Messenger version 8.0 is vulnerable.
> Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047365.html
> ______________________________________________________________________
> 
> 06.26.3 CVE: CVE-2006-3277
> Platform: Third Party Windows Apps
> Title: MailEnable SMTP HELO Command Remote Denial of Service
> Description: MailEnable is a commercially available mail server. It is
> prone to an unspecified remote denial of service vulnerability. All
> current versions are affected.
> Ref: http://www.mailenable.com/hotfix/default.asp
> ______________________________________________________________________
> 
> 06.26.7 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: ArGoSoft Mail Server POP3 Server Unspecified Remote Buffer
> Overflow
> Description: The ArGoSoft Mail Server POP3 service is susceptible to a
> remote buffer overflow vulnerability. This issue allows remote
> attackers to execute arbitrary machine code in the context of the
> affected service. Visit the reference link for more details.
> Ref: http://www.securityfocus.com/bid/18668
> ______________________________________________________________________
> 
> 06.26.12 CVE: Not Available
> Platform: Linux
> Title: libpng Graphics Library Chunk Error Processing Buffer Overflow
> Description: libpng is the official Portable Network Graphics (PNG)
> reference library. It is vulnerable to a buffer overflow issue when
> handling malformed PNG files. libpng3 version 1.2.12 is not
> vulnerable.
> Ref: http://www.securityfocus.com/bid/18698/info
> ______________________________________________________________________
> 
> 06.26.18 CVE: CAN-2006-0119
> Platform: Cross Platform
> Title: Lotus Domino SMTP Meeting Request Remote Denial of Service
> Description: Lotus Domino is affected by a remote denial of service
> when the application receives malformed meeting requests via its SMTP
> service. These malicious vCal email messages are sent to the routing
> server "NROUTER.EXE" to be handled. When the routing server attempts
> to process the malicious request all available CPU resources are
> consumed indefinitely. Lotus Domino versions prior to 6.5.4 FP1, 6.5.5
> and 7.0 are affected.
> Ref: http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21211952
> ______________________________________________________________________
> 
> 06.26.21 CVE: Not Available
> Platform: Cross Platform
> Title: F-Secure Multiple Products Scan Evasion Vulnerabilities
> Description: Multiple products by F-Secure are prone to scan evasion
> issues. Some products do not properly scan files with specially
> crafted names. Others stop scanning files on removable media when the
> "Scan network drives" option has been disabled.
> Ref: http://www.f-secure.com/security/fsc-2006-4.shtml
> ______________________________________________________________________
> 
> 06.26.22 CVE: Not Available
> Platform: Cross Platform
> Title: Cisco Wireless Control System Multiple Security Vulnerabilities
> Description: Wireless Control System is a centralized, systems level
> application for managing and controlling lightweight access points and
> wireless LAN controllers for the Cisco Unified Wireless Network. It is
> prone to multiple security vulnerabilities like authorization bypass,
> arbitrary file access, cross-site scripting and information
> disclosure. Cisco Wireless Control System Software versions 4.0 and
> 3.2 are affected.
> Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
> ______________________________________________________________________
> 
> 06.26.79 CVE: CVE-2006-3226
> Platform: Network Device
> Title: Cisco Secure ACS Authentication Bypass
> Description: Cisco Secure ACS (Access Control Server) is an
> authentication, authorization, and accounting software package. It is
> vulnerable to an authentication bypass issue because of an insecure
> session management feature. Cisco Secure ACS for Windows versions 4.x
> series are vulnerable.
> Ref: http://www.cisco.com/warp/public/707/cisco-sr-20060623-acs.shtml
> ______________________________________________________________________
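The LibPNG item above (3 and 06.26.12) concerns a chunk whose declared length is not checked against the data actually present. As an added defensive illustration, not libpng's code and not the patched routine the advisory refers to, this C chunk walker validates every chunk's length field before trusting it; the two PNG streams are constructed for this example and carry dummy CRC bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Walk a PNG chunk stream and refuse any chunk whose declared length does
 * not fit in the bytes supplied. A reader that copies or allocates from the
 * 4-byte length field without such a check is the bug class described. */

#define PNG_SIG_LEN 8
#define CHUNK_HDR_LEN 8        /* 4-byte length + 4-byte type */
#define CHUNK_CRC_LEN 4
#define PNG_MAX_CHUNK_LEN 0x7fffffffu   /* PNG spec: length < 2^31 */

static const uint8_t png_sig[PNG_SIG_LEN] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the number of chunks found, or -1 if the stream is malformed. */
int png_walk_chunks(const uint8_t *buf, size_t len) {
    if (len < PNG_SIG_LEN || memcmp(buf, png_sig, PNG_SIG_LEN) != 0) return -1;
    size_t off = PNG_SIG_LEN;
    int count = 0, seen_iend = 0;
    while (off < len) {
        /* A complete header and CRC must be present before reading the length. */
        if (len - off < CHUNK_HDR_LEN + CHUNK_CRC_LEN) return -1;
        uint32_t clen = be32(buf + off);
        if (clen > PNG_MAX_CHUNK_LEN) return -1;
        /* Compare against what remains instead of adding, so clen cannot wrap. */
        size_t remaining = len - off - CHUNK_HDR_LEN - CHUNK_CRC_LEN;
        if (clen > remaining) return -1;       /* body longer than the data */
        const uint8_t *type = buf + off + 4;
        for (int i = 0; i < 4; i++) {          /* type bytes must be ASCII letters */
            uint8_t c = type[i];
            if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))) return -1;
        }
        if (memcmp(type, "IEND", 4) == 0) seen_iend = 1;
        count++;
        off += CHUNK_HDR_LEN + clen + CHUNK_CRC_LEN;
    }
    return seen_iend ? count : -1;
}

/* Constructed 1x1 grayscale stream: IHDR (13 bytes) then IEND, dummy CRCs. */
static const uint8_t good_png[] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0,
    0,0,0,0, 'I','E','N','D', 0,0,0,0 };
/* Same stream, but IHDR claims 0xFFFFFFF0 bytes that are not there. */
static const uint8_t bad_png[] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,
    0xff,0xff,0xff,0xf0, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0,
    0,0,0,0, 'I','E','N','D', 0,0,0,0 };

int check_good(void) { return png_walk_chunks(good_png, sizeof good_png); }
int check_bad(void)  { return png_walk_chunks(bad_png, sizeof bad_png); }
```

The walker validates structure only; a real decoder also verifies each chunk's CRC and the IHDR field ranges before decoding.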
Copyright © Lexa Software, 1996-2009.