>
> ***************************
> Widely Deployed Software
> ***************************
>
> (1) CRITICAL: Microsoft Windows Embedded Font Processing Overflow
> Affected:
> Windows 98/ME/SE/NT/2000/XP/2003
>
> Description: Embedding fonts in a document guarantees that a user
> receiving the document can successfully read it. Embedded
> Open Type file
> Format (".eot") can be used to bundle a font in a webpage,
> and Internet
> Explorer opens the eot files automatically. The library
> responsible for
> parsing EOT files, T2EMBED.DLL, contains a heap-based
> overflow that can
> be triggered by a specially crafted EOT file. The problem
> arises because
> the declared size of the uncompressed block in a EOT file is used to
> allocate memory for the uncompressed data; however, the actual
> uncompressed data size is not compared to the declared size prior to
> writing the section in the heap memory. A malicious webpage
> can exploit
> the overflow to execute arbitrary code on a user's system
> when the page
> is viewed using Internet Explorer. The technical details and the code
> disassembly that can be used to craft an exploit have been publicly
> posted. Immunity has also made proof of concept exploits available to
> its partners. Note that the exploitation vectors for the vulnerability
> are similar to the widely exploited WMF flaw, and the
> extension for EOT
> files can be spoofed.
>
> Status: Apply the patch referenced in the Microsoft Security Bulletin
> MS06-002. Other vendors like Nortel and Avaya have published
> patches for
> their affected products.
>
> Council Site Actions: All reporting council sites are
> responding to this
> item. Several sites have already distributed the patch and others plan
> to deploy during their next scheduled maintenance window. A few sites
> are using Microsoft Automatic Updates and hence the patch has already
> been installed.
>
> References: Microsoft Security Bulletin
> eEye
> Advisory
>
> Vulnerable Code Disassembly posted by Piotr Bania
>
> 0359.html
> CERT Advisory Immunity, Inc.
> Partner Information
> Embedded Font Technology
>
> .asp#Embedded_Font_Techno
> NOrtel Centrex
>
> NT/2006/02/020103-01.pdf
> Avaya
> SecurityFocus BID
>
> *********************************************************************
>
> (2) CRITICAL: Microsoft Exchange and Outlook TNEF Format
> Processing Overflow
> Affected:
> Microsoft Outlook 2000/2002/2003
> Microsoft Exchange Server versions 5.0, 5.5 and 2000
> Microsoft Office Multilanguage Packs 2000
> Microsoft Office Multilingual UI Packs XP/2003
> Microsoft Office 2003 Language Interface Packs
>
> Description: Microsoft Outlook and Exchange use Transport Neutral
> Encapsulation Format (TNEF) to handle e-mails written in Rich Text
> Format. The library responsible for decoding the TNEF format
> contains a
> buffer overflow that can be triggered by a specially crafted
> e-mail. The
> flaw can be exploited to execute arbitrary code with "SYSTEM"
> privileges
> in case of the Exchange server. Note that for compromising
> the Exchange
> server sending an email is sufficient i.e. no user interaction is
> required. The discoverers of the flaw have reported that they will
> disclose the technical details in another 3 months.
>
> Status: Apply the patch referenced in the Microsoft Security Bulletin
> MS06-003.
>
> Council Site Actions: All reporting council sites are responding to
> this item. Several sites have already distributed the patch and others
> plan to deploy during their next scheduled maintenance window. A few
> sites are using Microsoft Automatic Updates and hence the patch has
> already been installed.
>
> References:
> Microsoft Security Bulletin
>
> NGSSoftware Advisory
>
>
> TNEF File Format
>
/file-format.tex?content-type=text%2Fplain
> CERT Advisory
>
> SecurityFocus BID
>
>
> *********************************************************************
>
> (3) CRITICAL: Apple QuickTime Multiple File Format Overflows
> Affected:
> QuickTime Player version 7.0.3 and prior on Windows 2000/XP/Mac OS X
>
> Description: The QuickTime media player from Apple contains multiple
> buffer overflow vulnerabilities in processing the following file
> formats: GIF, MOV, QTIF, JPEG, TGA, TIFF and PICT. A specially crafted
> movie or image file can exploit the overflows to execute
> arbitrary code
> on the client system. Note that the malicious files can be hosted on a
> webpage, shared folder, P2P folder or sent in an email. The technical
> details required to craft exploits are included in the posted
> advisories.
>
> Status: Apple has released QuickTime 7.0.4 to address these
> issues. Note
> that iTunes uses QuickTime for playing media. Hence, iTunes
> users should
> also apply this update.
>
> Council Site Actions: Most of the council sites are responding to this
> item and are in the process of pushing the patch or plan to push the
> patch during their next regularly scheduled system maintenance window.
> Some sites are using Apple's Software Update facility and the
> patch has
> already been installed.
>
> References:
> Apple Advisory
>
> eEye Advisories
>
>
>
>
> Cirt.Dk Advisory
>
> Fortinet Advisories
>
> 0449.html
>
> 0447.html
>
> 0446.html
>
> 0445.html
>
> 0443.html
> CERT Advisory
>
> SecurityFocus BID
>
>
> ********************************************************************
> *********
>
> (5) HIGH: ClamAV UPX Processing Buffer Overflow
> Affected:
> ClamAV versions prior to 0.88
>
> Description: ClamAV is an open-source antivirus software
> designed mainly
> for scanning emails on UNIX mail gateways. The software
> includes a virus
> scanning library - libClamAV. This library is used by many third party
> email, web, FTP scanners as well as mail clients. The library contains
> a buffer overflow that can be triggered by a specially crafted UPX
> packed executable file. The attacker can send the malicious file via
> email, web, FTP or a file share, and exploit the buffer overflow to
> execute arbitrary code on the system running the ClamAV library. The
> technical details can be obtained by comparing the fixed and the
> affected versions of the software. Note that for compromising the
> mail/web/FTP gateways no user interaction is required.
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> ZDI Advisory
>
> Third Party Software Using ClamAV
> (Includes Mac OS X server)
>
> SecurityFocus BID
>
>
> **************************************************************
> *********
>
> ***************
> Other Software
> ***************
>
> (6) CRITICAL: BlueCoat WinProxy Buffer Overflow and DoS
> Vulnerabilities
> Affected:
> WinProxy version 6.0 and prior
>
> Description: WinProxy proxy suite is designed for secure sharing of a
> Internet connection for small to medium businesses. The WinProxy web
> proxy server contains a stack-based buffer overflow that can be
> triggered by an overlong HTTP "Host" header. An attacker can
> exploit the
> flaw to execute arbitrary code. Exploit code has been publicly posted.
>
> Status: WinProxy version 6.1a has been released to address this buffer
> overflow as well as other DoS issues.
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> iDefense Advisories
>
>
>
> Exploit Code
>
> SecurityFocus BIDs
>
>
>
>
> ********************************************************************
>
> (7) MODERATE: Apache auth_ldap Module Format String Vulnerabilities
> Affected:
> auth_ldap version 1.6.0 and prior
>
> Description: auth_ldap module provides LDAP authentication for Apache
> servers on Windows and UNIX platforms. This module contains a format
> string vulnerability that can be triggered by supplying a specially
> crafted username during the LDAP authentication process. An
> attacker can
> exploit the flaw to execute arbitrary code on the Apache
> server with the
> privileges of the "apache" process. The technical details required to
> craft an exploit can be gathered by examining the fixed and the
> vulnerable code.
>
> Status: Vendor has released version 1.6.1. Linux vendors such
> as Red Hat
> have also released their own updates.
>
> Council Site Actions: Two of the reporting council sites are using the
> affected software. One site is awaiting the patch and will install
> during their next regularly scheduled system update cycle. The second
> site is still assessing and will likely handle at next scheduled
> maintenance window.
>
> References:
> Posting by Digitalarmaments
>
> RedHat Advisory
>
> Vendor Homepage
>
> SecurityFocus BID
>
>
> *********************************************************************
>
> ***************
> Exploits
> ***************
>
> (8) Sun Java Plugin Security Bypass
>
> Description: CERT has notified of a malicious website that is
> exploiting
> a vulnerability in Sun JRE (reported in November 2004). This is the
> first report of an active exploitation for this vulnerability. Please
> ensure that the Sun JRE is updated to the latest version.
>
> References:
> CERT Current Activity
>
> Previous @RISK Newsletter Posting
>
>
> **************************************************************
> *********
> ______________________________________________________________________
>
> 06.2.1 CVE: CVE-2006-0010
> Platform: Windows
> Title: Windows Embedded Web Font Buffer Overflow
> Description: Microsoft Windows is vulnerable to a remotely exploitable
> buffer overflow issue due to insufficient handling of embedded web
> fonts that have been maliciously malformed. See Microsoft security
> bulletin MS06-002 for further details.
> Ref:
> ______________________________________________________________________
>
> 06.2.2 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft Excel Unspecified Code Execution
> Description: Microsoft Excel is susceptible to an unspecified code
> execution vulnerability. The issue presents itself when Microsoft
> Excel attempts to process malformed or corrupted XLS files. Please
> visit the reference link provided for a list of vulnerable versions.
> Ref:
> ______________________________________________________________________
>
> 06.2.3 CVE: CVE-2006-0002
> Platform: Other Microsoft Products
> Title: Microsoft Outlook / Microsoft Exchange TNEF Decoding Remote
> Code Execution
> Description: Microsoft Exchange Server and Outlook email clients use
> the Transport Neutral Encapsulation (TNEF) format when sending Rich
> Text Format (RTF) messages. They are prone to a remote code execution
> vulnerability due to insufficient boundary checks performed by the
> applications. This issue affects Microsoft Outlook, Microsoft
> Exchange, and Microsoft Office Multilingual User Interface (MUI)
> Packs.
> Ref:
> ______________________________________________________________________
>
> 06.2.4 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Visual Studio UserControl Remote Code Execution
> Description: Microsoft Visual Studio is prone to a vulnerability that
> could allow remote arbitrary code execution. This is due to a design
> flaw that executes code contained in a project file without first
> notifying users. If a "UserControl" object is added to a Form in a
> Visual Studio project, the "UserControl_Load" function will execute it
> without notifying the user, without prior confirmation, and without
> compiling or executing the project. Microsoft Visual Studio 2005 is
> reportedly vulnerable to this issue.
> Ref:
> ______________________________________________________________________
>
>
> 06.2.7 CVE: CVE-2005-2340, CVE-2005-3707, CVE-2005-3708,
> CVE-2005-3709, CVE-2005-3710, CVE-2005-3711, CVE-2005-3713
> Platform: Mac Os
> Title: Apple QuickTime Multiple Code Execution Vulnerabilities
> Description: QuickTime Player is the media player distributed by Apple
> for QuickTime as well as other media files. It is affected by multiple
> remote code execution issues due to failure of the application to
> perform boundary checks prior to copying user-supplied data into
> sensitive process buffers. QuickTime versions prior to 7.0.4 are
> affected.
> Ref:
> ______________________________________________________________________
>
> 06.2.9 CVE: CVE-2006-0150
> Platform: Linux
> Title: Dave Carrigan Auth_LDAP Remote Format String
> Description: Dave Carrigan's Auth_ldap is an Apache authentication
> module that utilizes Lightweight Directory Access Protocol. It is
> vulnerable to a remote format string issue due to insufficient
> sanitization of user-supplied input to the
> "auth_ldap_log_reason()" function. Dave Carrigan's auth_ldap version
> 1.6.1 resolves this issue.
> Ref:
>
> ______________________________________________________________________
>
> 06.2.10 CVE: CVE-2006-0054
> Platform: BSD
> Title: FreeBSD IPFW IP Fragment Remote Denial of Service
> Description: FreeBSD IPFW is a packet filtering firewall that is
> integrated into the operating system's kernel. It is susceptible to a
> remote denial of service vulnerability. This issue is due to a flaw in
> affected kernels that results in an uninitialized kernel memory access
> when handling ICMP IP fragments. FreeBSD version 6.0 is affected.
> Ref:
> ______________________________________________________________________
>
>
> 06.2.13 CVE: CAN-2004-0780
> Platform: Solaris
> Title: Sun Solaris uustat Local Buffer Overflow
> Description: The Sun Solaris uustat utility is used to display status
> information about the Unix to Unix CoPy (UUCP) system. The utility
> is prone to a local buffer overflow vulnerability. The vulnerability
> arises when an attacker supplies excessive string data to the utility
> through the "-S" command line argument. A user-supplied string
> containing 1152 or more bytes can overflow a finite sized buffer
> leading to memory corruption. An attacker can exploit this issue to
> execute arbitrary code and gain "uucp" user privileges which
> correspond to user ID 5 by default.
> Ref:
>
101933-1
> ______________________________________________________________________
>
> 06.2.15 CVE: Not Available
> Platform: Solaris
> Title: Sun Solaris Operating System Unspecified Privilege Escalation
> Description: Sun Solaris on x86 platforms is prone to an unspecified
> privilege escalation issue. This vulnerability is due to an
> unspecified security issue which may allow a local unprivileged user
> to gain elevated privileges or panic the kernel. This issue affects
> Solaris 9 and 10.
> Ref:
> ______________________________________________________________________
> ______________________________________________________________________
>
> 06.2.19 CVE: CAN-2005-2340
> Platform: Cross Platform
> Title: QuickTime PictureViewer JPEG/PICT File Buffer Overflow
> Description: QuickTime Player is the media player. It is vulnerable to
> a buffer overflow issue due to insufficient handling of malformed JPEG
> and PICT files. QuickTime versions 6.5.2 and 7.0.3 are vulnerable.
> Ref:
> ______________________________________________________________________
>
>
> 06.2.23 CVE: Not Available
> Platform: Cross Platform
> Title: Clam Anti-Virus ClamAV Unspecified UPX File Buffer Overflow
> Description: ClamAV is an anti-virus application. It is prone to an
> unspecified heap buffer overflow vulnerability due to a failure of the
> application to properly bounds check user-supplied data prior to
> copying it to an insufficiently sized memory buffer. Exploitation of
> this issue could allow attacker-supplied machine code to be executed
> in the context of the affected application. Please refer to the
> following link for more details.
> Ref:
> ______________________________________________________________________
>
> 06.2.24 CVE: CVE-2005-4591, CVE-2005-4592
> Platform: Cross Platform
> Title: Bogofilter Multiple Remote Buffer Overflow Vulnerabilities
> Description: Bogofilter is a Bayesian spam filtering application
> designed to be run on Linux and Unix platforms. Multiple remote buffer
> overflow vulnerabilities affect Bogofilter. These issues are due to a
> failure of the application to properly handle invalid input sequences
> and validate the length of user-supplied strings prior to copying them
> into static process buffers. Please visit the reference link for a
> list of vulnerable versions.
> Ref:
> ______________________________________________________________________
>
>
> 06.2.31 CVE: Not Available
> Platform: Web Application
> Title: PHP MySQLI Error Logging Remote Format String
> Description: PHP is a free and widely used web page development
> language. It is susceptible to a remote format string vulnerability in
> the "mysqli" extension. This issue is due to insufficient sanitization
> of user-supplied input prior to using it in the format-specifier
> argument to a formatted printing function. PHP versions 5.1.0 and
> 5.1.1 are affected.
> Ref:
> ______________________________________________________________________
>
> 06.2.32 CVE: Not Available
> Platform: Web Application
> Title: PHP 5 User-Supplied Session ID Input Validation
> Description: PHP 5 is prone to an input validation vulnerability due
> to improper sanitization of user-supplied input of PHP session ID's,
> transmitted by way of HTTP headers. PHP 5 version 5.1.1 and prior are
> affected.
> Ref:
> ______________________________________________________________________
>
>
> 06.2.57 CVE: Not Available
> Platform: Network Device
> Title: Cisco Aironet Wireless Access Point ARP Memory Exhaustion
> Denial of Service
> Description: The Cisco Aironet Wireless Access Point devices are a
> series of devices that provide wireless access points. They are
> vulnerable to a denial of service issue due to a failure of the
> device to properly limit the memory consumption of its ARP table. This
> issue allows attackers that can successfully associate with a
> vulnerable access point to exhaust the memory of the affected device.
> This issue affects various devices running Cisco IOS, and not the
> models running the VxWorks-based operating system (version 12.05 and
> earlier).
> Ref:
>
> ______________________________________________________________________
>
> 06.2.58 CVE: Not Available
> Platform: Network Device
> Title: Cisco CS-MARS Default Administrative Password
> Description: Cisco Security Monitoring, Analysis and Response System
> (CS-MARS) is a security management appliance. The appliace sets a
> default administrative password during installation. Cisco Security
> Monitoring, Analysis and Response System version 4.1.3 resolves this
> issue.
> Ref:
>
> ______________________________________________________________________
>
> 06.2.62 CVE: Not Available
> Platform: Hardware
> Title: Cisco IP Phone 7940 Remote Denial of Service
> Description: Cisco IP Phone 7940 is prone to a remote denial of
> service vulnerability which arises when the device handles malformed
> network data containing a packetcount of 1000 and a packetdelay of
> 0.002 over TCP port 80. Successful exploitation causes the phone to
> restart.
> Ref:
> ______________________________________________________________________
