Widely Deployed Software
(1) CRITICAL: DirectShow Buffer Overflow (MS05-050)
Affected: Microsoft DirectX 7.0, 8.1 and 9.0 on various Windows
Operating Systems
Description: Microsoft DirectShow is an architecture for streaming media
on the Microsoft Windows platform and provides for capture and playback
of multimedia streams. It supports a wide variety of formats, including
MPEG, AVI, MP3 and Wav. DirectShow is integrated with DirectX
technologies. A buffer overflow vulnerability exists in Microsoft
Windows DirectX component when processing AVI (Audio Visual Interleave)
media files. An AVI file contains multiple streams of different types of
data - audio/video streams. Due to lack of validation a malformed
streamname chunk 'strn' with a specifically chosen length field causes a
memory modification. This could be exposed through applications that
employ DirectShow to process avi files. Successful exploitation will
permit execution of arbitrary code in the context of the user who opens
the malicious avi file.
Status: Vendor has released patches.
Council Site Actions: All reporting council sites are responding to this
item; however, their patch deployment schedules vary. Some sites have
already started to update their systems or will in the next 24 hours.
Other sites are still in the Q&A phase and will deploy on an expedited
schedule as soon as testing is complete.
References:
Microsoft Security Advisory
EEye Advisory (discovered by Fang Xing)
SecurityFocus BID
(2) CRITICAL: Vulnerabilities in MSDTC AND COM+ (MS05-051)
Affected: Windows 2000 SP4, XP SP1 and SP2, XP Professional x64 and
Server 2003
Description: The Microsoft Distributed Transaction Controller (MSDTC)
provides a method for disparate processes to complete atomic
transactions. The Transaction Internet Protocol (TIP) is a two-phase
commit protocol to enable heterogeneous Transaction Managers to agree on
the outcome of a distributed transaction. TIP is one the ways that the
MSDTC service can be accessed. The MSDTC service is part of a standard
installation on all Windows platforms. This Microsoft bulletin contains
4 vulnerabilities: (a) MSDTC Vulnerability: The MSDTC service is an RPC
interface. It suffers from a buffer overflow vulnerability that can be
exploited and cause remote code execution. The MIDL_user_allocate
function always allocates a page of memory, but an input string larger
than that size will cause a buffer overflow. MSDTC listens on port
tcp/3372 and a high dynamic port and is enabled by default on Windows
2000. This issue has the potential to turn into a worm on windows 2000
systems. It has been reported that a proof of concept is available for
this issue. (b) COM+ Vulnerability: COM+ is a next step after COM and
MTS (Microsoft Transaction Server) and handles resource management
tasks, such as thread allocation and security. A vulnerability exists in
the process used to create and use memory structures. On windows 2000 an
anonymous attacker could try to exploit this vulnerability. (c) MSDTC
TIP DoS Vulnerability: A DoS exists because of a flaw in processing
responses from foreign servers. A certain command sequence can be sent
to the DTC service that causes the DTC service to throw an exception and
crash, resulting in a DoS attack. (d) MSDTC Packet Relay DoS
Vulnerability: A DDoS vulnerability specifically exists because the TIP
protocol accepts a remote IP address and port number for a connection.
The attack can be performed by connecting to the MSDTC server and
providing an identifier that contains the IP address and port number to
flood. The attacker can force an error after a specific sequence of
commands and cause the MSDTC service to connect to the target IP and
port. The MSDTC service will continue to make connections to that host
and port and stall resulting in a DDoS.
Status: Patches are available. As a workaround, you can block port
tcp/3372 at the perimeter.
Council Site Actions: All reporting council sites are responding to this
item; however, their patch deployment schedule varies. Some sites have
already started to update their system or will begin in the next 24
hours. Other sites are still in the Q&A phase and will deploy on an
expedited schedule as soon as testing is complete. One council site said
they were contacted by their MS sales account manager to be sure they
new about the problem.
References: Microsoft Security Advisory
EEye
Advisory on MSDTC vulnerability (discovered by Fang Xing)
iDefense
Advisory on MSDTC TIP DoS Vulnerability
ies&
amp;flashstatus=true
iDefense Advisory on MSDTC Packet Relay DoS
ies&
amp;flashstatus=true
SecurityFocus BIDs
(3) CRITICAL: COM Object Instantiation in Internet Explorer (MS05-052)
Affected: Windows 2000 SP4, XP SP1 and SP2, XP Professional x64 and
Server 2003.
Description: Internet Explorer contains a heap-based overflow when
certain DLLs are instantiated as ActiveX controls. This update sets the
"kill bit" for 40 similar ActiveX controls associated with DLLs. This
update also includes a kill bit for the ADODB.Stream object. Multiple
exploits targeting the "ADODBStream" and msdds.dll have been publicly
posted.
Status: Vendor has released patches. As a workaround, "kill bit" can be
set in the registry.
Council Site Actions: All reporting council sites are responding to this
item; however, their patch deployment schedules vary. Some sites have
already started to update their systems or will in the next 24 hours.
Other sites are still in the Q&A phase and will deploy on an expedited
schedule as soon as testing is complete. One site commented that much
Q&A is needed before the development teams will accept a new version if
IE. This site plans to implement filters for ActiveX controls.
References:
Microsoft Security Advisory
SecurityFocus BID
(4) HIGH: Windows Plug and Play Buffer Overflow (MS05-047)
Affected: Windows 2000 SP4 and XP SP1 and SP2
Description: Windows Plug and Play service is designed to provide device
management and notification. This service is started by default on all
Windows 2000/XP/2003 systems, and is reachable remotely via "ntsvcs"
named pipe on ports 139/tcp or 445/tcp. This service contains a
stack-based buffer overflow that can be triggered by malformed RPC
messages to certain functions, resulting in arbitrary code execution
with "SYSTEM" privileges. Windows 2000 systems are critically affected
as any anonymous user can connect remotely to this service and trigger
the overflow. Windows XP and 2003 systems require user authentication
before the overflow can be leveraged.
Status: Apply the patch referenced in the Microsoft Security Bulletin
MS05-047. A workaround is to block ports 139/tcp and 445/tcp at the
network perimeter. Note that the Zotob worm exploited a similar
vulnerability in the PnP service in August 2005. Systems that are
patched with MS05-039 cannot be exploited remotely by anonymous users.
Council Site Actions: All council sites are responding to this item and
plan to deploy the patch during their next regularly scheduled system
update process. A few sites have already pushed this patch. A few sites
have already installed the Zotob patch on their systems as protection
against the exploit.
References:
Microsoft Security Advisory
SecurityFocus BID
(5) HIGH: Windows Shell Vulnerability (MS05-049)
Affected: Windows 2000 SP4, XP SP1 and SP2, XP Professional x64 and
Server 2003
Description: This bulletin covers three vulnerabilities. Two of them are
in .lnk files and the third in Web View. (a & b) Windows Shell is prone
to a remote code execution vulnerability when handling a malicious
shortcut (.lnk) file. An .lnk file points to another file providing a
"shortcut" to that program. These files contain properties that are
passed on to the target program. The vulnerability is due to the way
Windows handles certain properties associated with .lnk files. An
attacker can exploit this issue by crafting a malicious .lnk file and
placing it on a Web site or sending it to a user through email followed
by enticing them to open or preview the file. (c) The third
vulnerability is an "Web View script injection vulnerability". WebView
gives the user the look-and-feel of a web-browser when viewing file and
folder information. A vulnerability exists in the process used by
Windows Explorer to validate HTML characters in certain document fields
when in WebView.
Status: Vendor Patches are available
Council Site Actions: All council sites are responding to this item and
plan to deploy the patch during their next regularly scheduled system
update process. A few sites have already pushed this patch.
References:
Microsoft Security Advisory
SecurityFocus BIDs
(6) MODERATE: Windows Collaboration Data Objects Buffer Overflow
(MS05-048)
Affected: Windows 2000 SP4, XP SP1 and SP2, XP Professional x64 and
Server 2003
Description: Microsoft CDO is susceptible to a remote buffer overflow
vulnerability. This issue is due to a failure of the library to properly
bounds check user-supplied data prior to copying it to an insufficiently
sized memory buffer. This issue presents itself when an attacker sends a
specifically crafted email message to an email server utilizing the
affected library. This issue allows remote attackers to execute
arbitrary machine code in the context of the application utilizing the
library.
Status: Vendor patches are available.
Council Site Actions: All council sites are responding to this item and
plan to deploy the patch during their next regularly scheduled system
update process. A few sites have already pushed this patch.
References:
Microsoft Security Advisory
SecurityFocus BID
(7)MODERATE: Client Service for Netware Buffer Overflow (MS05-046)
Affected: Windows 2000 SP4, XP SP1 and SP2 and Server 2003 and Server
2003 SP1.
Description: Client Services for Netware (CSNW) or Gateway Service for
Netware provides a Windows workstation with basic file, printer and
directory services to Netware. There is a buffer overflow on the RPC
interface of certain functions. A remote attacker can exploit this
vulnerability to execute arbitrary code and completely compromise the
computer.
Status: Vendor Patches are available. CSNW is not enabled by default.
Status: Apply the patch referenced in the Microsoft Security Bulletin
MS05-039. A workaround is to block ports 139/tcp and 445/tcp at the
network perimeter. Note that last year's Sasser worm exploited a similar
vulnerability in the LSASS service.
Council Site Actions: All reporting council sites are responding to this
item. Some are deploying the patches at the same time as the other MS
update. Other sites will deploy this patch during their next regularly
scheduled system update process. One site said they would be
uninstalling from whatever systems this might still be hanging around
on.
References:
Microsoft Security Advisory
SecurityFocus BID
(8) MODERATE: Windows FTP Client Directory Traversal Vulnerability
(MS05-044)
Affected: Windows 2000 SP4, XP SP2, XP Professional x64 and Server 2003.
Description: Microsoft Windows FTP client is reportedly prone to a
directory traversal vulnerability. This issue is due to a failure of the
application to properly sanitize user-supplied input. A remote attacker
may place files in an arbitrary location on a vulnerable computer.
Status: Vendor has released patches.
Council Site Actions: All reporting council sites are responding to this
item; however, their patch deployment schedules vary. Some sites have
already started to update their systems. Other sites are still in the
Q&A phase and will deploy during their next regularly schedule system
update process.
References:
Microsoft Security Advisory
SecurityFocus bid
(9) MODERATE: Kaspersky Anti-Virus CHM File Parser Buffer Overflow
Affected: All products using the Kaspersky Anti-Virus Engine including
Kaspersky Anti-Virus On-Demand Scanner for Linux 5.0.5
Kaspersky Personal 5.0.227
F-Secure Anti-Virus for Linux 4.50
Description: Kaspersky Anti-Virus Engine is a virus scanning engine for
Windows and Linux that is incorporated into vendor's mail gateways and
host-based anti-virus products. Scanning a malformed CHM files causes a
heap overflow due to a vulnerability in the CHM file parser within the
KAV engine. On Linux platforms this disables anti-virus functionality
and could lead to infected hosts and remote code execution. On Microsoft
platforms, the anti-virus will fail to scan any files, allowing infected
files to get through but remote code execution is not possible.
Status: Vendor has released a patch.
Council Site Actions: Only one of the reporting council sites is using
the affected software and only then on a small number of systems. They
are not attempting to identify the affected systems, but will assist the
system users in converting to their supported anti-virus software if
they wish. Their users are also able to obtain the Kaspersky update and
install it on their own.
References:
SecurityFocus BID
iDefense Advisory
es&a
mp;flashstatus=true
Vendor Home Page
Other Software
------------------------------------------------------------------------
--------
05.41.1 - CVE: CAN-2005-1978
Platform: Windows
Title: Windows MSDTC COM+ Remote Code Execution
Description: Microsoft Windows is prone to a vulnerability in the COM+
functionality of the MSDTC service. It may permit remote and local
attackers to execute arbitrary code in the context of the service by
creating and accessing memory structures.
Ref:
------------------------------------------------------------------------
--------
05.41.2 - CVE: CAN-2005-1979
Platform: Windows
Title: Windows MSDTC TIP Denial of Service
Description: The Microsoft Windows MSDTC (Microsoft Distribution
Transaction Coordinator) service is prone to a denial of service
vulnerability. The vulnerability exists in the TIP (Transaction Internet
Protocol) functionality that is provided by MSDTC. This vulnerability is
remotely exploitable on default configurations on Windows 2000. Please
check the reference link for a list of affected systems.
Ref:
------------------------------------------------------------------------
--------
05.41.3 - CVE: CAN-2005-1980
Platform: Windows
Title: Windows MSDTC TIP Distributed Denial Of Service
Description: The Microsoft MSDTC (Microsoft Distribution Transaction
Coordinator) service is prone to a vulnerability that may permit denial
of service attacks against the service or facilitate distributed denial
of service attacks against other computers. The vulnerability exists in
the TIP (Transaction Internet Protocol) functionality that is provided
by MSDTC. This vulnerability is remotely exploitable on default
configurations on Windows 2000. TIP is not enabled by default on Windows
XP and Windows Server 2003 even if the MSDTC service is running. Please
visit the reference link provided to get information on vulnerable
versions.
Ref:
------------------------------------------------------------------------
--------
05.41.4 - CVE: CAN-2005-1987
Platform: Windows
Title: Windows Collaboration Data Objects Remote Buffer Overflow
Description: Microsoft Collaboration Data Objects (CDO) is a library
designed to send email through SMTP or Exchange servers. It is
susceptible to a remote buffer overflow vulnerability due to a failure
of the library to properly bounds check user-supplied data prior to
copying it to an insufficiently sized memory buffer. This issue allows
remote attackers to execute arbitrary machine code in the context of the
application utilizing the library. Please refer to the advisory below
for the list of vulnerable software.
Ref:
------------------------------------------------------------------------
--------
05.41.5 - CVE: CAN-2005-2120
Platform: Windows
Title: Windows Plug and Play Unspecified Buffer Overflow
Description: Microsoft Windows Plug and Play (PnP) service is used by
the operating system to detect new hardware. It is reported to be
vulnerable to a buffer overflow due to improper sanitization of
user-supplied input.
Ref:
------------------------------------------------------------------------
--------
05.41.6 - CVE: CAN-2005-2117
Platform: Windows
Title: Windows Explorer Web View Script Injection
Description: Microsoft Windows Web View is a format provided by Windows
Explorer for previewing file and folder information in a thumbnail view
before opening them. It is affected by an arbitrary script injection
vulnerability due to insufficient sanitization of user-supplied data as
Windows Explorer renders HTML characters in certain document fields.
Microsoft Windows 2000 Server SP4 and earlier, Microsoft Windows 2000
Professional SP4 and earlier, Microsoft Windows 2000 Datacenter Server
SP4 and earlier are affected by this issue.
Ref:
------------------------------------------------------------------------
--------
05.41.7 - CVE: CAN-2005-2122
Platform: Windows
Title: Windows Malicious Shortcut Handling Remote Code Execution
Description: Microsoft Windows is prone to a remote code execution
vulnerability when handling a malicious shortcut (.lnk) file. This issue
may allow an attacker to completely compromise a vulnerable computer.
This vulnerability can facilitate arbitrary code execution with SYSTEM
privileges. Please check the reference link for a list of affected
systems.
Ref:
------------------------------------------------------------------------
--------
05.41.8 - CVE: CAN-2005-2118
Platform: Windows
Title: Windows Malicious Shortcut Handling Remote Code Execution Variant
Description: Microsoft Windows is prone to a remote code execution
vulnerability when handling a malicious shortcut (.lnk) file. The
vulnerability arises because Windows does not handle certain properties
of an .lnk file in a secure manner. It should be noted that remote
exploitation of this issue requires user interaction as a vulnerable
user must follow certain steps after visiting an attacker's site before
this vulnerability is triggered. If email is employed as an attack
vector, the user must open the .lnk file sent as an email attachment
before this issue presents itself. This vulnerability can facilitate
arbitrary code execution with SYSTEM privileges. Please visit the
reference link provided to get information on vulnerable versions.
Ref:
------------------------------------------------------------------------
--------
05.41.9 - CVE: CAN-2005-1985
Platform: Windows
Title: Windows Client Service for Netware Buffer Overflow
Description: Microsoft Client Service for Netware allows Windows client
machines to access NetWare file, print, and directory services. It is
affected by a buffer overflow vulnerability that could permit the
execution of arbitrary code. Please check the reference link for a list
of affected systems.
Ref:
------------------------------------------------------------------------
--------
05.41.10 - CVE: CAN-2005-2128
Platform: Windows
Title: Windows DirectX DirectShow AVI Processing Buffer Overflow
Description: Microsoft DirectShow is used for streaming media on Windows
operating systems. It is vulnerable to a buffer overflow due to the
quartz.dll component which does not properly check the boundary of data
within .AVI files. See the Microsoft advisory for list of vulnerable
software.
Ref:
------------------------------------------------------------------------
--------
05.41.11 - CVE: CAN-2005-2119
Platform: Windows
Title: Windows MSDTC Buffer Overflow
Description: Microsoft Windows MSDTC (Microsoft Distribution Transaction
Coordinator) service is vulnerable to a buffer overflow issue due to
insufficient boundary checking of external data that is supplied to the
service. See the Microsoft security bulletin for a listing of all
affected software.
Ref:
------------------------------------------------------------------------
--------
05.41.12 - CVE: CAN-2005-2127
Platform: Other Microsoft Products
Title: Internet Explorer COM Object Buffer Overflow
Description: Microsoft Internet Explorer is vulnerable to a buffer
overflow issue that is related to instantiation of COM objects due to
insufficient bound checking when certain COM objects are instantiated
from Internet Explorer. Microsoft Internet Explorer versions 6.0 SP2 and
ealier are vulnerable.
Ref:
------------------------------------------------------------------------
--------
05.41.13 - CVE: Not Available
Platform: Third Party Windows Apps
Title: GFI MailSecurity for Exchange/SMTP Web Interface Remote Buffer
Overflow
Description: GFI MailSecurity for Exchange/SMTP acts as an email
firewall and protects networks from email viruses, exploits and threats.
It is affected by a remote buffer overflow issue due to a failure of the
application to perform boundary checks prior to copying user-supplied
data into finite sized process buffers. An attacker can successfully
exploit this issue to completely compromise the vulnerable computer. GFI
MailSecurity for Exchange/SMTP version 8.1 is vulnerable.
Ref:
------------------------------------------------------------------------
--------
05.41.14 - CVE: Not Available
Platform: Third Party Windows Apps
Title: RARLAB WinRAR Multiple Remote Vulnerabilities
Description: RARLAB WinRAR is a compression utility capable of reading
and writing files using several different archival formats. It is prone
to multiple remote vulnerabilities including a format string and a
buffer overflow vulnerability. Successful exploitation may allow an
attacker to execute arbitrary code on a vulnerable computer. WinRAR
versions 3.50 and earlier are vulnerable to these issues.
Ref:
------------------------------------------------------------------------
--------
05.41.15 - CVE: CAN-2005-2937
Platform: Third Party Windows Apps
Title: Kaspersky Anti-Virus Engine CHM File Parser Remote Buffer
Overflow
Description: Kaspersky Anti-Virus Engine is prone to a remote buffer
overflow vulnerability due to a failure in the application to perform
boundary checks prior to copying user-supplied data into sensitive
process buffers. Kaspersky Labs Anti-Virus for Linux Servers and
Workstations version 5.0.5, Kaspersky Labs Anti-Virus Personal version
5.0.227 are affected.
Ref:
------------------------------------------------------------------------
--------
05.41.18 - CVE: CAN-2005-3053, CAN-2005-3106,
CAN-2005-3107,CAN-2005-3108, CAN-2005-3109, CAN-2005-3110
Platform: Linux
Title: Linux Kernel Multiple Security Vulnerabilities
Description: Linux kernel is prone to multiple vulnerabilities. These
issues may allow local and remote attackers to trigger denial of service
conditions and disclose sensitive kernel memory. Linux kernel version
2.6.x is affected.
Ref:
------------------------------------------------------------------------
--------
------------------------------------------------------------------------
--------
05.41.28 - CVE: CAN-2005-2969
Platform: Cross Platform
Title: OpenSSL Insecure Protocol Negotiation Weakness
Description: OpenSSL is an open source implementation of the SSL
protocol. It is vulnerable to a remote protocol negotiation weakness due
to the implementation of the "SSL_OP_MSIE_SSLV2_RSA_PADDING" option to
maintain compatibility with third party software. The attacker may then
exploit various insecurities in SSL version 2 to gain access to or
tamper with the cleartext communications between the targeted client and
server. OpenSSL versions earlier than 0.9.7h are vulnerable.
Ref:
------------------------------------------------------------------------
--------
------------------------------------------------------------------------
--------
05.41.33 - CVE: Not Available
Platform: Cross Platform
Title: Multiple Vendor Antivirus Products Malformed Archives Scan
Evasion Vulnerability
Description: Multiple antivirus products from various vendors are
reported to be vulnerable to a scan evasion vulnerability. The issue
arises when an affected application processes a specially altered
archive file that contains a fake, misleading header.
Ref:
------------------------------------------------------------------------
--------
------------------------------------------------------------------------
--------
05.41.42 - CVE: Not Available
Platform: Cross Platform
Title: Mozilla Firefox IFRAME Handling Remote Buffer Overflow
Description: Mozilla Firefox is reported to be vulnerable to a remote
buffer overflow issue due to improper boundary checks prior to copying
user-supplied data into sensitive process buffers. Mozilla Firefox
versions 1.0.7 and 1.0.6 are reported to be vulnerable.
Ref:
------------------------------------------------------------------------
--------
