Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 1



-------------
This issue was delayed because we were waiting for the Microsoft patch
for the WMF vulnerability. It is now available directly from Microsoft.


***************************
Widely Deployed Software
***************************

(1) UPDATE: Microsoft WMF Handling Remote Code Execution

Description: Updated exploit code that initially bypassed many AV
products as well as IDS/IPS systems has been publicly posted. The new
exploit code pads the malicious WMF file with benign metafile function
records; further variants can be produced simply by changing the
function numbers used in the padding, so signatures keyed to one
particular padding sequence will miss them. Reports indicate that the
malicious WMF files (which can be camouflaged with benign extensions
such as .jpg or .gif, because Windows renders them based on the file
header rather than the extension) are being sent via links in IM chat.
NIST has reported that Lotus Notes uses the vulnerable Windows DLL to
open WMF images and hence is affected by the flaw as well. An unofficial
patch has been published by Ilfak Guilfanov (creator of IDA Pro). The
patch has been verified by SANS Incident Handlers and works as intended.
Because a malicious WMF file can arrive through many vectors (HTTP
download, file sharing, IM, e-mail), it is recommended to apply the
unofficial patch to protect client systems. In the meanwhile, Microsoft
is getting ready to release the patch next Tuesday (Jan 10, 2006) along
with other security updates.

Council Site Actions: All reporting council sites are responding to this
issue. Most are keeping their AV signatures up to date and are waiting
for the official MS patch. Most sites will deploy the MS patch on an
expedited basis when it arrives and after they have completed QA. Some
sites have also updated their IDS/IPS signatures, are black-holing URLs
with malicious content as they become known, and are removing all WMF
attachments. Several sites have tested unregistering the DLL, but this
broke several of their applications. Several sites are also considering
deploying the unofficial patch if the risk increases.

References:
Updated Exploit Code
http://metasploit.com/projects/Framework/exploits.ie_xp_pfv_metafile.pm 
SANS Handler's Diary Posting (Includes Excellent FAQ Regarding the
Vulnerability)
http://isc.sans.org/diary.php?date=2006-01-02 
http://isc.sans.org/diary.php?date=2006-01-01 
Unofficial Patch Download
http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi 
http://handlers.sans.org/tliston/wmffix_hexblog14.exe 
Metafile Format
http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt 
NIST Posting About Lotus Notes
http://www.nist.org/nist_plugins/content/content.php?content.25 
IM Worm Exploiting the Vulnerability
http://www.viruslist.com/en/weblog?discuss=176892530&return=1 
Microsoft Patch Announcement
http://www.microsoft.com/technet/security/advisory/912840.mspx 

****************************************************************

06.01.3 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer MSHTML.DLL HTML Parsing Denial of
Service
Description: Microsoft Internet Explorer is affected by a denial of
service vulnerability because the application fails to properly parse
certain malformed HTML content. An attacker may exploit this issue by
enticing a user to visit a malicious site, resulting in a denial of
service condition in the application. Internet Explorer versions 6.0
and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/16079/info
______________________________________________________________________


06.01.10 CVE: Not Available
Platform: Cross Platform
Title: VMware ESX Server Management Interface Code Execution
Description: VMware ESX Server is a virtual machine server that allows
multiple virtual servers to be deployed and managed. VMware ESX Server
is prone to an unspecified remote code execution vulnerability in its
management interface. Please refer to the following advisory for a list
of vulnerable versions.
Ref: http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2001
______________________________________________________________________

06.01.11 CVE: CVE-2005-3417
Platform: Web Application
Title: phpBB Multiple Unspecified Input Validation Vulnerabilities
Description: phpBB is a bulletin board application. It is vulnerable
to multiple unspecified vulnerabilities due to insufficient sanitization
of user-supplied data. phpBB versions 2.0.19 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/420537
______________________________________________________________________

06.01.24 CVE: Not Available
Title: Windows Graphics Rendering Engine WMF Format Code Execution
Description: Microsoft Windows supports the Windows Metafile (WMF)
image format. A remote code execution issue presents itself when a user
views a malicious WMF formatted file. The vulnerability is triggered
when the engine attempts to parse the file. Any code execution that
occurs will run with the privileges of the user viewing the file, so on
systems where users run as administrators an attacker can take complete
control of the machine. Please see the referenced advisory for a list
of affected systems.
Ref: http://www.microsoft.com/technet/security/advisory/912840.mspx
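Both WMF entries above turn on two points a defender has to handle: the file is identified by its header, not its extension, and the exploit variants differ only in the benign padding records placed before the dangerous one. The following detector is an added example for this page (it is not SANS, Metasploit or Microsoft code): it walks every WMF record, skipping the optional placeable header, and flags any META_ESCAPE record whose escape sub-function is SETABORTPROC, the mechanism behind this vulnerability. The record layout and constants follow the Windows Metafile format; the sample files are constructed inline, and their payload is placeholder int3 bytes, not an exploit.

```python
import struct

# WMF constants from the Windows Metafile format specification.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" (Aldus) header
META_EOF = 0x0000
META_SETBKMODE = 0x0102        # benign one-WORD records, used below only as padding
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009   # the escape sub-function behind this vulnerability


def parse_wmf_records(data):
    """Walk every record in a WMF byte string, yielding (offset, function, params).

    The filename is deliberately never consulted: a WMF renamed to .jpg or
    .gif is still a WMF, and GDI dispatches on the header, not the name.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated or missing WMF header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                      # size is counted in WORDs
        if size < 6 or off + size > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Return [(offset, byte_count)] for every META_ESCAPE/SETABORTPROC record.

    Benign records inserted ahead of the escape (the padding the variants use)
    are simply walked over, so changing their function numbers does not help.
    """
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == ESCAPE_SETABORTPROC:
                hits.append((off, byte_count))
    return hits


# --- constructed sample files (not taken from any real exploit) -------------

def record(func, params=b""):
    """Encode one record: DWORD size in WORDs, WORD function, then parameters."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Wrap encoded records in a standard 18-byte WMF header (disk metafile)."""
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


def add_placeable_header(wmf):
    """Prepend the optional placeable header (checksum = XOR of its first 10 WORDs)."""
    fields = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", fields):
        checksum ^= w
    return fields + struct.pack("<H", checksum) + wmf


def sample_malicious(padding_funcs, payload=b"\xcc" * 16):
    """A WMF with benign padding records ahead of a SETABORTPROC escape.
    The payload is a placeholder (int3 bytes), not a working exploit."""
    recs = [record(f, struct.pack("<H", 1)) for f in padding_funcs]
    recs.append(record(META_ESCAPE,
                       struct.pack("<HH", ESCAPE_SETABORTPROC, len(payload)) + payload))
    recs.append(record(META_EOF))
    return build_wmf(recs)


def sample_benign():
    return build_wmf([record(META_SETBKMODE, struct.pack("<H", 1)), record(META_EOF)])


if __name__ == "__main__":
    samples = [("clean.wmf", sample_benign()),
               ("photo.jpg", sample_malicious([META_SETBKMODE] * 3)),
               ("photo.gif", add_placeable_header(sample_malicious([META_SETMAPMODE] * 5)))]
    for name, data in samples:
        print(name, find_setabortproc(data) or "clean")
```

The two malicious samples use different padding function numbers and one of them carries a placeable header, which is exactly the kind of variation the text describes; both are caught because the check is on record semantics rather than on a byte pattern. A mail or proxy gateway applying this logic would scan by content, so stripping only attachments named *.wmf (as some council sites did) is not sufficient on its own.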

______________________________________________________________________




 




Copyright © Lexa Software, 1996-2009.