Archive :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No.8



> ************************
> Widely Deployed Software
> ************************
> 
> 
> (1) CRITICAL: Mac OS X Safari Remote Code Execution
> Affected:
> Safari current and possibly all prior versions
> 
> Description: Safari, the default browser on Mac OS X systems, contains
> a vulnerability that allows an attacker to execute arbitrary code on a
> user's system. The problem arises because Safari opens "Safe" files
> automatically after downloading and also trusts the user-supplied
> metadata associated with a file. For instance, an attacker can create a
> shell script, rename the shell script with a safe extension like ".mov"
> and store the metadata for the shell script in the "__MacOSX" folder.
> The attacker can then create a zip archive that contains the shell
> script and the metadata, and post this crafted zip archive on a
> webserver. When a user visits the attacker's site, the zip file will be
> automatically downloaded and the shell script executed by the program
> indicated by the metafile. Note that no user interaction is required to
> leverage this flaw other than browsing a malicious webpage. Exploit code
> has been publicly posted.
> 
> Status: Apple has not released an update yet. A workaround is to disable
> Safari's "Open safe files after downloading" option.
> 
> Council Site Actions:  Only two of the reporting council sites are
> using/supporting MacOS. One site uses Firefox as the supported browser
> for the Macs; however, its Safari users were advised to disable Safari's
> open-safe-files option in lieu of a patch.  They plan to push out the
> official patch when it becomes available.  The second site has a large
> number of Mac systems.  They use Apple's Software Update Facility;
> therefore, Safari will be updated when Apple releases a patch.  This
> site has also started publicizing new Mac OS X threats at the top of
> their Central IT Department home page. They currently have two Mac OS X
> messages at the top, and will likely add one about this Safari issue.
> At this time they are undecided about recommending a reconfiguration
> that prevents the automatic opening of safe files.
> 
> References:
> CERT Advisory
> http://www.kb.cert.org/vuls/id/999708 
> Exploit Code
> http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php  
> http://www.mathematik.uni-ulm.de/~lehn/mac.html 
> http://secunia.com/mac_os_x_command_execution_vulnerability_test/ 
> SecurityFocus BID     
> http://www.securityfocus.com/bid/16736 
> 
> ****************************************************************
> 
> (2) HIGH: Winamp M3U Playlist File Handling Overflow
> Affected:
> Winamp version 5.13 and prior
> 
> Description: Last week another buffer overflow vulnerability was
> reported in Winamp. This overflow is triggered by a playlist file (m3u
> format) that contains a specially crafted playlist file (m3u or pls
> format). Note that several buffer overflows have been reported in Winamp
> during this month. Exploit code has not been posted for this flaw yet.
> 
> Status: Winamp has released version 5.2 that fixes all the
> vulnerabilities reported so far. Hence, an upgrade to this version is
> recommended at the earliest.
> 
> References:
> Posting by IRM Security
> http://www.securityfocus.com/archive/1/425984 
> NSFocus Advisory
> http://www.securityfocus.com/archive/1/425888 
> Vendor Homepage
> http://www.winamp.com 
> SecurityFocus BID
> http://www.securityfocus.com/bid/16785 
> 
> ****************************************************************
> 
> (3) HIGH: Adobe Macromedia Shockwave Player ActiveX Buffer Overflow
> Affected:
> Shockwave player 10.1.0.11 and prior
> 
> Description: According to Macromedia, the Shockwave player has been
> installed on more than 390 million systems. The Shockwave installer
> ActiveX control contains a stack-based buffer overflow that can be
> triggered by passing overlong parameters. A malicious webpage can
> exploit this flaw to execute arbitrary code on a user's system. The
> technical details required to craft an exploit have not been posted.
> 
> Status: Adobe Macromedia has issued a fix for the installer ActiveX
> control. Note that Macromedia has been pushing the security update via
> the automatic update feature of the player prior to this announcement.
> 
> Council Site Actions:  All reporting council sites are responding to
> this issue. Most plan to distribute the patch during their next
> regularly scheduled system update process. One site will prepare an
> announcement that advises their end users to download the updated
> version of Shockwave Player.
> 
> References:
> TippingPoint Advisory
> http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0590.html
> Macromedia Advisory
> http://www.macromedia.com/devnet/security/security_zone/apsb06-02.html
> Product Homepage
> http://www.macromedia.com/software/shockwaveplayer/  
> SecurityFocus BID     
> http://www.securityfocus.com/bid/16791 
> 
> ****************************************************************
> 
> ******************
> Other Software
> ******************
> 
> 06.8.4 CVE: CVE-2006-0720
> Platform: Third Party Windows Apps
> Title: Nullsoft Winamp M3U File Processing Buffer Overflow
> Description: Winamp is a media player. It is prone to a buffer
> overflow vulnerability when processing malformed M3U playlist files. 
> This issue occurs when an M3U playlist is paused or stopped. Winamp
> makes an insecure "strncpy()" call to reset the title of the program,
> which can result in a static buffer being overrun. Winamp versions
> 5.12 and 5.13 are affected; earlier versions may also be vulnerable.
> Ref: http://www.securityfocus.com/archive/1/425984
> ______________________________________________________________________
> 
> 06.8.5 CVE: CVE-2006-0813
> Platform: Third Party Windows Apps
> Title: Winace ARJ File Handling Buffer Overflow
> Description: Winace is a file compression and decompression
> application. It is vulnerable to a buffer overflow when handling
> malformed ARJ archives. Winace version 2.60 is vulnerable.
> Ref: http://secunia.com/secunia_research/2005-67/advisory/
> ______________________________________________________________________
> 
> 06.8.6 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: The Bat! Remote Buffer Overflow
> Description: The Bat! is a web mail client for various Microsoft
> Windows platforms. It is prone to a remote buffer overflow
> vulnerability. The problem presents itself when the application
> receives an email where the "Subject" field is 4038 bytes. This
> results in a buffer overflow and subsequent memory corruption. An
> attacker can exploit this issue to control program flow and execute
> arbitrary attacker-supplied code in the context of the victim user
> running the affected application.
> Ref: http://www.securityfocus.com/archive/1/425936
> ______________________________________________________________________
> 
> 06.8.7 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Winace Remote Directory Traversal
> Description: Winace is a file compression/decompression application. A
> vulnerability in Winace may allow an attacker to place files and
> overwrite files in arbitrary locations on a vulnerable computer.
> Winace versions 2.6.05 and earlier are affected.
> Ref: http://www.securityfocus.com/archive/1/425971
> ______________________________________________________________________
> 
> 06.8.9 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: ArGoSoft Mail Server Pro POP3 Server Remote Information
> Disclosure
> Description: ArGoSoft Mail Server Pro is a mail server application. It
> is affected by a remote information disclosure issue by issuing the
> "_DUMP" command prior to authenticating to the POP3 service. This will
> return potentially sensitive configuration information. ArGoSoft Mail
> Server Pro version 1.8.8.1 is affected.
> Ref: http://www.securityfocus.com/bid/16808
> ______________________________________________________________________
> 
> 06.8.11 CVE: CVE-2005-3630
> Platform: Linux
> Title: Fedora Directory Server Password Information Disclosure
> Description: Fedora Directory Server is vulnerable to an information
> disclosure issue because the application allows for an unauthorized
> user to view the administrative password which is stored in the
> adm.conf file. RedHat Fedora Directory Server version 1.0 is
> vulnerable.
> Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174837
> ______________________________________________________________________
> 
> 06.8.12 CVE: CVE-2004-2607
> Platform: Linux
> Title: Linux Kernel SDLA_XFER Kernel Memory Disclosure
> Description: The Linux kernel is affected by a local memory disclosure
> issue which presents itself in the "sdla_xfer" function of the SDLA
> WAN driver. A flawed integer to short cast causes a memory copy
> operation to copy zero bytes. Kernel versions 2.4.x up to 2.4.29-rc1
> and 2.6.x up to 2.6.5 are affected.
> Ref: http://www.securityfocus.com/bid/16759
> 
> 06.8.15 CVE: Not Available
> Platform: Linux
> Title: Zoo Misc.c Buffer Overflow
> Description: Zoo is an archiving tool that uses Lempel-Ziv
> compression. It is prone to a buffer overflow vulnerability due to
> insufficient boundary checking on user-supplied data. Zoo version 2.10
> is vulnerable.
> Ref: http://www.securityfocus.com/bid/16790
> ______________________________________________________________________
> 
> 06.8.16 CVE: CVE-2006-0195, CVE-2006-0377, CVE-2006-0188
> Platform: Unix
> Title: SquirrelMail Multiple Cross-Site Scripting and IMAP Injection
> Vulnerabilities
> Description: SquirrelMail is a web mail application implemented in
> PHP4. It is susceptible to multiple cross-site scripting and IMAP
> injection vulnerabilities due to insufficient sanitization of
> user-supplied input. All versions prior to SquirrelMail 1.4.6-cvs are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/16756
> ______________________________________________________________________
> 
> 06.8.20 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox HTML Parsing Denial of Service
> Description: Mozilla Firefox is prone to a remote denial of service
> vulnerability. This issue occurs when the browser parses certain
> malformed HTML content. The browser may fail due to a null pointer
> dereference. In some cases, the browser may simply no longer respond.
> Mozilla Firefox versions prior to 1.5.0.1 are prone to this issue.
> Ref: http://www.securityfocus.com/bid/16741/exploit
> ______________________________________________________________________
> 
> 06.8.26 CVE: CVE-2006-0839
> Platform: Cross Platform
> Title: Snort Frag3 Processor Fragmented Packet Detection Evasion
> Description: Snort is an intrusion detection system (IDS). Reports
> indicate that the Frag3 preprocessor, which is used to handle
> fragmented IP packets, does not analyze [ip_option_length] bytes from
> the end of the IP options during reassembly. A successful attack can
> allow attackers to bypass intrusion detection. Snort version 2.4.3 is
> affected.
> Ref: http://www.securityfocus.com/archive/1/425290
> ______________________________________________________________________
> 
> 06.8.27 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Thunderbird Address Book Import Remote Denial of
> Service
> Description: Mozilla Thunderbird is an email client. It is vulnerable
> to a remote denial of service issue due to insufficient handling of
> specially crafted address books containing excessive data. Mozilla
> Thunderbird version 1.5 is vulnerable.
> Ref: http://www.securityfocus.com/archive/1/425602
> ______________________________________________________________________
> 
> 06.8.28 CVE: CVE-2006-0300
> Platform: Cross Platform
> Title: GNU Tar Invalid Headers Buffer Overflow
> Description: GNU Tar is a program that allows users to create and
> manipulate archive files in various formats. It is prone to a buffer
> overflow vulnerability. This issue occurs when archives containing
> malformed headers are processed. GNU Tar versions 1.14 and above are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/16764
> ______________________________________________________________________
> 
> 06.8.29 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Thunderbird IFRAME JavaScript Execution
> Description: Mozilla Thunderbird is an email client. It is prone to a
> script execution vulnerability due to insufficient sanitization of
> user-supplied data. The vulnerability presents itself when an attacker
> supplies a specially crafted email to a user containing malicious
> script code in the "SRC" attribute of an IFRAME and the user attempts
> to reply to the mail. Mozilla Thunderbird 1.0.7 and prior versions are
> reportedly affected.
> Ref: http://www.securityfocus.com/bid/16770/exploit
> ______________________________________________________________________
> 
> 06.8.31 CVE: Not Available
> Platform: Cross Platform
> Title: Macromedia Shockwave Player ActiveX Control Buffer Overflow
> Description: Macromedia Shockwave by Adobe is a multi-platform
> multimedia playback application. It is affected by a stack-based
> buffer overflow issue which occurs when the affected ActiveX control
> is passed overly long parameters specified from a malicious web site.
> Macromedia Shockwave Player versions 10.1.0.11 and earlier are
> affected.
> Ref: http://www.securityfocus.com/bid/16791
> ______________________________________________________________________
> 
> 06.8.34 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Error Message Cross-Site Scripting
> Description: PHP is a general-purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> It is prone to a cross-site scripting vulnerability due to improper
> sanitization of user-supplied input before using it in generated error
> messages. PHP versions 5.1.1 and earlier are affected.
> Ref: http://www.securityfocus.com/bid/16803
> ______________________________________________________________________
> 
> 
> 06.8.65 CVE: CVE-2006-0042
> Platform: Web Application
> Title: Apache Libapreq2 Quadratic Behavior Denial of Service
> Description: The Libapreq2 is a function library for the Apache
> webserver. It is vulnerable to a denial of service due to a design
> error affecting the "apreq_parse_headers()" and
> "apreq_parse_urlencoded()" functions of the application. The Libapreq2
> versions 2.0.6 and earlier are vulnerable.
> Ref: http://svn.apache.org/viewcvs.cgi/httpd/apreq/tags/v2_07/CHANGES?rev=376998&view=markup
> ______________________________________________________________________
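The first item in the forwarded digest describes a zip archive in which a script carries a "safe" media extension and a metadata sidecar in the "__MacOSX" folder that decides which program opens it. The following is an added example, not code from the digest, Apple, or SANS: a small inspector a mail or proxy filter could run over a downloaded archive to flag that combination before it reaches a browser configured to open safe files automatically. The list of "safe" extensions, the sample archive, and its file names are constructed for the example; the `__MACOSX/._name` sidecar path is the convention Finder uses for AppleDouble metadata, and the leading `00 05 16 07` bytes are the AppleDouble magic.

```python
import io
import posixpath
import zipfile

# Extensions a browser might treat as "safe" to open automatically.
# Constructed list for this example, not Safari's actual list.
SAFE_MEDIA_EXTENSIONS = {".mov", ".jpg", ".png", ".mp3", ".pdf", ".txt"}

# Leading bytes that identify script text ("#!") or a Mach-O executable.
SCRIPT_MAGIC = b"#!"
MACHO_MAGIC = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}


def metadata_entry_for(name):
    """Path of the AppleDouble sidecar (__MACOSX/dir/._file) that Finder
    stores beside an archive entry; this is the metadata the advisory says
    the browser trusts when choosing the opening application."""
    head, tail = posixpath.split(name)
    return posixpath.join("__MACOSX", head, "._" + tail)


def inspect_archive(data):
    """Return one finding per 'safe'-looking entry whose content is
    executable or that carries a Finder metadata sidecar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name.startswith("__MACOSX/"):
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in SAFE_MEDIA_EXTENSIONS:
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            executable = head.startswith(SCRIPT_MAGIC) or head in MACHO_MAGIC
            sidecar = metadata_entry_for(name) in names
            if executable or sidecar:
                findings.append({
                    "entry": name,
                    "executable_content": executable,
                    "finder_metadata": sidecar,
                })
    return findings


def build_sample_archive(disguised=True):
    """Constructed sample: a genuine JPEG plus, when disguised=True, a shell
    script named like a QuickTime movie together with a metadata sidecar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        if disguised:
            zf.writestr("trailer.mov", b"#!/bin/sh\necho sample\n")
            # Placeholder sidecar: AppleDouble magic followed by zero bytes.
            zf.writestr("__MACOSX/._trailer.mov",
                        b"\x00\x05\x16\x07" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

Either signal alone is worth reporting: a script body under a media extension is suspicious on its own, and a sidecar paired with a "safe" entry is exactly the trust-the-metadata path the advisory describes, so the inspector flags both rather than requiring the two to coincide.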
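Item 06.8.26 reports that the Snort Frag3 preprocessor left the last [ip_option_length] bytes of the IP options unexamined during reassembly, which is what made the evasion possible. As an added example, not Snort's code and not taken from the digest, here is an IPv4 options walker that accounts for every byte between the fixed header and IHL*4, so that a caller can check that the whole options area was parsed. The sample header and its addresses are constructed (checksum left at zero); the option kinds used are the real ones (0 EOL, 1 NOP, 148 Router Alert).

```python
import struct

IPOPT_EOL = 0   # end of option list; any remaining bytes are padding
IPOPT_NOP = 1   # single-byte no-op


def parse_ipv4_options(header):
    """Walk the IPv4 options area from byte 20 up to IHL*4 and return
    (options, examined), where options is a list of (kind, data) tuples and
    examined counts every option byte accounted for, padding included.
    Raises ValueError for any option that does not fit in the header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("IHL %d does not fit the supplied bytes" % ihl)
    opts = header[20:ihl]
    options = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            # Everything after EOL must be zero padding up to IHL*4.
            if any(opts[i + 1:]):
                raise ValueError("non-zero bytes after EOL at offset %d" % i)
            options.append((kind, b""))
            i = len(opts)
            break
        if kind == IPOPT_NOP:
            options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d at offset %d has no length byte" % (kind, i))
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d at offset %d has bad length %d" % (kind, i, length))
        options.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return options, i


def build_sample_header(options):
    """Constructed IPv4 header (checksum zero, UDP, 192.0.2.x addresses)
    carrying `options`, which must already be padded to four bytes."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl_words, 0, 20 + len(options),
                        0x1234, 0, 64, 17, 0,
                        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + options


def options_well_formed(header):
    """True only when every option byte up to IHL*4 parsed cleanly."""
    try:
        _, examined = parse_ipv4_options(header)
    except ValueError:
        return False
    return examined == (header[0] & 0x0F) * 4 - 20


if __name__ == "__main__":
    # NOP, NOP, Router Alert (kind 148, length 4, value 0), EOL, one pad byte.
    sample = build_sample_header(bytes([1, 1, 148, 4, 0, 0, 0, 0]))
    print(parse_ipv4_options(sample))
```

The `examined == IHL*4 - 20` comparison in `options_well_formed` is the check the advisory is about: a reassembly or inspection pass that stops short of the end of the options area leaves bytes it never looked at, and a parser should either consume them all or reject the packet.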
Copyright © Lexa Software, 1996-2009.