Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 31




> 
> *****************************
> Widely-Deployed Software
> *****************************
> 
> ****************************************************************
> 
> (2) CRITICAL: Computer Associates eTrust AntiVirus WebScan Multiple Vulnerabilities
> Affected: eTrust AntiVirus WebScan versions 1.1.0.1047 and prior.
> 
> Description: Computer Associates eTrust AntiVirus WebScan uses an
> ActiveX component that contains multiple remotely-exploitable
> vulnerabilities. By causing a user to visit a malicious web page that
> instantiates the component and instructs it to update the application,
> an attacker could execute arbitrary code with the privileges of the
> current user, or severely limit the protection afforded to the user by
> the antivirus engine. Two of the flaws are due to improper validation
> of the updated files list: files may be replaced by malicious versions
> (leading to remote code execution) or outdated versions (leading to
> limited protection). Additionally, an overly-long filename in the
> updated file list may lead to a buffer overflow and arbitrary code
> execution.  Note that no user interaction beyond visiting a malicious
> web page is necessary for exploitation.
> 
> Status: Computer Associates confirmed, updates available.
> 
> References:
> TippingPoint Security Research Team Advisories (including technical details)
> http://www.tippingpoint.com/security/advisories/TSRT-06-05.html
> http://www.tippingpoint.com/security/advisories/TSRT-06-06.html
> Computer Associates Security Advisory
> http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509
> SecurityFocus BID
> http://www.securityfocus.com/bid/19351
> 
> ****************************************************************
> 
> (3) HIGH: Multiple Vendor WiFi Card Driver Vulnerabilities
> Affected: WiFi (802.11a/b/g) wireless cards from multiple vendors.
> 
> Description: Researchers have discovered flaws in several device drivers
> for various WiFi network cards that could be exploited to execute
> arbitrary code. By sending specially-crafted WiFi protocol traffic to a
> target machine, an attacker can take complete control of the vulnerable
> system. A proof-of-concept for a third-party WiFi card under Mac OS X
> was demonstrated recently at the Black Hat 2006 security conference.
> According to the initial disclosure, flaws were discovered in several
> other operating system/WiFi card combinations. Because these flaws exist
> at the device driver level, the target machine does not need to be
> associated to a wireless network; simply having an active WiFi card is
> sufficient for exploitation. The list of vulnerable card/operating
> system combinations is currently unknown.
> 
> Status: Intel has released updated Microsoft Windows drivers that
> apparently fix this issue. However, Intel did not specifically reference
> the initial Black Hat 2006 disclosure in the update documentation. It
> is unknown what, if any, other vendors are affected.
> 
> Council Site Actions: All responding council sites are investigating
> this issue. Most will deploy the updates very soon; the others are still
> investigating how they will remediate the issue.
> 
> References:
> Video: Breaking into a MacBook
> http://news.com.com/Flawed+Wi-Fi+drivers+can+expose+PCs/1606-2_3-6101573.html?tag=fd_cars
> 
> SANS Internet Storm Center Handler's Diary Entry
> http://isc.sans.org/diary.php?storyid=1540 
> Blog Posting by Brian Krebs
> http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco_1.html
> Intel Centrino Wireless Support Article (includes information on driver updates)
> http://support.intel.com/support/wireless/wlan/sb/CS-023065.htm
> Wikipedia Article Explaining Device Drivers
> http://en.wikipedia.org/wiki/Device_driver
> SecurityFocus BID (Intel only)
> http://www.securityfocus.com/bid/19298
> 
> 
> ****************************************************************
> 
> (4) MODERATE: Mozilla Firefox Unspecified Remote Code Execution
> Affected: Mozilla Firefox version 1.5 and prior
> 
> Description: Mozilla Firefox reportedly contains a vulnerability that
> can be exploited to execute arbitrary code. The flaw, a race condition,
> arises from the browser's failure to properly validate multiple "CSS"
> attributes stacked across "SPAN HTML" tags. No technical details for
> this vulnerability have been publicly posted. A proof-of-concept
> creating a denial-of-service condition has been publicly posted to the
> TOR network (an anonymous routing network). A remote code execution
> proof-of-concept is available for a fee, though this is not confirmed
> to work.
> 
> Status: Firefox has not confirmed, no updates available.
> 
> Council Site Actions: Most of the responding council sites do not yet
> formally support Firefox. However, many sites use it and they rely on the
> user population employing the Auto Update feature to keep the software
> up to date.
> 
> References:
> Posting by Andrew A (includes link to proof-of-concept)
> http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0723.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/18228 
> 
> ****************************************************************
> 
> 
> (5) MODERATE: PHP Functions Multiple Vulnerabilities
> Affected: PHP version 4.4.3 and prior.
> 
> Description: PHP, the popular web-centric programming language, contains
> several remotely-exploitable vulnerabilities. The exact nature of these
> flaws has not been publicly disclosed. Flaws have been reported in the
> wordwrap(), tempnam(), error_log(), substr_compare(), and phpinfo()
> functions as well as the code used to parse session names. Users of
> these functions, and users who allow arbitrary individuals to upload PHP
> scripts, are advised to upgrade immediately. Because PHP is open source
> software, technical details for these vulnerabilities can be easily
> obtained by analyzing the source code.
> 
> Status: PHP confirmed, updates available.
> 
> Council Site Actions:  Only one of the responding council sites plans
> to address this issue -- their servers will be updated within the next
> week.
> 
> References:
> PHP 4.4.3 Release Announcement
> http://www.php.net/release_4_4_3.php 
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/17363 
> http://www.securityfocus.com/bid/19349 
> 
> ****************************************************************
> 
> (6) MODERATE: LibTIFF Library Multiple Vulnerabilities
> Affected: LibTIFF version 3.8.2 and prior
> 
> Description: LibTIFF, a popular library for parsing TIFF images, is
> reported to contain multiple remotely-exploitable vulnerabilities. The
> TIFF image file format is popular in scientific imaging and high-end
> graphics applications. By causing a user to view a specially-crafted
> TIFF image file, an attacker could execute arbitrary code with the
> privileges of the current user. LibTIFF is installed by default on Mac
> OS X systems, and installed on the vast majority of Linux, Unix, and
> Unix-like systems. Some applications may also install LibTIFF on
> Microsoft Windows systems.  Depending on system configuration, no user
> interaction beyond viewing a malicious web page or email message would
> be necessary for exploitation. Because LibTIFF is open source software,
> technical details for these vulnerabilities can be easily obtained by
> analyzing the source code.
> 
> Status: Updates are available from various Linux vendors.
> 
> Council Site Actions: Only two of the responding council sites plan to
> remediate this issue and both will deploy the updates during their next
> regularly scheduled system update process.
> 
> References:
> LibTIFF Home Page
> http://www.remotesensing.org/libtiff 
> RedHat Security Advisory
> http://rhn.redhat.com/errata/RHSA-2006-0603.html 
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/19282  
> http://www.securityfocus.com/bid/19283 
> http://www.securityfocus.com/bid/19284 
> http://www.securityfocus.com/bid/19286 
> http://www.securityfocus.com/bid/19288 
> http://www.securityfocus.com/bid/19290 
> 
> ****************************************************************
> 
> (7) MODERATE: McAfee SecurityCenter Unspecified Remote Code Execution
> Affected: McAfee SecurityCenter 4.3 - 6.0.22
> 
> Description: McAfee SecurityCenter, a comprehensive client security
> suite, contains an unspecified remote code execution vulnerability. By
> causing a user to click on a malicious URL, an attacker could execute
> arbitrary code with the privileges of the current user. No technical
> details for this vulnerability have been publicly posted.
> 
> Status: McAfee confirmed, updates available. McAfee has also made the
> fixed versions available via their live update servers.
> 
> References:
> McAfee Security Bulletin
> http://ts.mcafeehelp.com/faq3.asp?docid=407052
> eEye Security Advisory
> http://www.eeye.com/html/research/upcoming/20060719.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/19265
> 
> ****************************************************************
> ______________________________________________________________________
> 
> 06.31.1 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows SMB PIPE Remote Denial of Service
> Description: Microsoft Windows is reportedly prone to a remote denial
> of service vulnerability. This issue is triggered with specially
> crafted SMB PIPE traffic that causes a NULL pointer dereference in the
> "srv.sys" server driver.
> Ref: http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx
> ______________________________________________________________________
> 
> 06.31.2 CVE: Not Available
> Platform: Windows
> Title: Windows Graphical Device Interface Plus Library Denial of
> Service
> Description: The Microsoft Windows Graphical Device Interface (GDI+)
> is a library that provides two-dimensional vector graphics, imaging,
> and typography functionality to Microsoft Windows XP and Windows
> Server 2003. Its "gdiplus.dll" library is exposed to a denial of
> service vulnerability. The vulnerability exists when the affected
> library is invoked by an application to process a specifically
> malformed image file.
> Ref: http://www.securityfocus.com/archive/1/441548
> ______________________________________________________________________
> 
> 06.31.3 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows Routing and Remote Access Denial of Service
> Description: Microsoft Windows Routing and Remote Access is prone to a
> denial of service vulnerability. This issue is reportedly due to a
> NULL pointer dereference error when handling maliciously designed RRAS
> requests.
> Ref: http://www.securityfocus.com/bid/19300
> ______________________________________________________________________
> 
> 06.31.4 CVE: Not Available
> Platform: Windows
> Title: Microsoft August Advance Notification Multiple Vulnerabilities
> Description: Microsoft has released advance notification that the
> vendor will be releasing twelve security bulletins for Windows and
> Office on August 8, 2006. 
> - - Ten bulletins for Microsoft Windows. The highest severity rating for
> these issues is Critical.
> - - Two bulletins for Microsoft Office. The highest severity rating for
> these issues is Critical.
> Ref: http://www.microsoft.com/technet/security/bulletin/advance.mspx
> ______________________________________________________________________
> 
> 06.31.5 CVE: CVE-2006-3656
> Platform: Microsoft Office
> Title: Microsoft PowerPoint Unspecified Code Execution
> Description: Microsoft PowerPoint is exposed to an unspecified code
> execution issue. This issue arises when a vulnerable user opens a
> malicious read-only PowerPoint file and closes it. Microsoft
> PowerPoint 2003 SP2 French Edition is reported to be affected;
> other versions may also be affected.
> Ref: http://downloads.securityfocus.com/vulnerabilities/exploits/PP2003sp2patched_fr_exploit-method.txt
> ______________________________________________________________________
> 
> 06.31.6 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Deleted Frame Object Denial of Service
> Description: Microsoft Internet Explorer is affected by a denial of
> service issue which presents itself when the browser attempts to
> access a property of an object that is placed inside a deleted frame.
> All current versions are affected.
> Ref: http://browserfun.blogspot.com/2006/07/mobb-30-orphan-object-properties.html
> ______________________________________________________________________
> 
> 06.31.7 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer ADODB.Recordset NextRecordset
> Denial of Service
> Description: Internet Explorer is prone to a denial of service
> vulnerability. This issue occurs when the browser processes the
> "NextRecordset" method of the "ADODB.Recordset" object. An attacker
> can trigger this issue by calling the affected method with a long
> string.  This can result in invalid memory access in the
> "SysFreeString" function.
> Ref: http://www.securityfocus.com/bid/19227
> ______________________________________________________________________
> 
> 
> 06.31.11 CVE: CVE-2006-3457
> Platform: Third Party Windows Apps
> Title: Symantec On-Demand Protection Encrypted Data Information
> Disclosure
> Description: Symantec On-Demand Agent (SODA) and On-Demand Protection
> (SODP) provide a virtual desktop environment to secure web-based
> applications and services. They are prone to a vulnerability that
> could disclose potentially sensitive information, as files encrypted
> and saved on the local hard drive may be decrypted via an alternative
> method. The Windows versions of SODA 2.5 MR2 (build 2156) and prior,
> as well as the Windows versions of SODP 2.6 (build 2232) and prior,
> are reported as vulnerable.
> Ref: http://www.securityfocus.com/bid/19248
> ______________________________________________________________________
> 
> 06.31.13 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: PC Tools AntiVirus Local Privilege Escalation
> Description: PC Tools AntiVirus is an antivirus application for
> Windows. It is prone to a local privilege escalation vulnerability.
> The application does not set secure default permissions on the "PC
> Tools AntiVirus" directory and other child objects. PC Tools AntiVirus
> 2.1.0.51 is reported to be vulnerable.
> Ref: http://www.securityfocus.com/bid/19322
> ______________________________________________________________________
> 
> 06.31.19 CVE: CVE-2006-3122
> Platform: Linux
> Title: ISC Memory.C DHCP Server Denial of Service
> Description: ISC DHCP server is exposed to a denial of service issue.
> This issue occurs when an automatic IP address is assigned to a system
> due to an improper boundary condition residing in the
> "supersede_lease()" function of the "memory.c" file. DHCP versions 2
> and 3 are affected.
> Ref: http://www.securityfocus.com/bid/19348
> ______________________________________________________________________
> 
> 
> 06.31.23 CVE: Not Available
> Platform: Unix
> Title: LibTIFF Next RLE Decoder Remote Heap Overflow
> Description: LibTIFF is a library designed to facilitate the reading
> and manipulation of Tag Image File Format (TIFF) files. The Next RLE
> Decoder for LibTIFF is prone to a remote heap overflow vulnerability. This
> issue occurs because the application fails to check boundary
> conditions on certain RLE decoding operations.
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0603.html
> ______________________________________________________________________
> 
> 06.31.24 CVE: Not Available
> Platform: Unix
> Title: LibTIFF Sanity Checks Multiple Denial of Service
> Vulnerabilities
> Description: LibTIFF is a library designed to facilitate the reading
> and manipulation of Tag Image File Format (TIFF) files. LibTIFF is
> affected by multiple denial of service vulnerabilities. The
> vulnerabilities exist in multiple unspecified arithmetic operations
> that are not validated, including bounds-checking to ensure offsets in
> TIFF directories are valid. Also, various codepaths resulted in the client
> application calling the abort() function.
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0603.html
> ______________________________________________________________________
> 
> 06.31.32 CVE: Not Available
> Platform: Cross Platform
> Title: Symantec Brightmail AntiSpam Control Center Multiple
> Vulnerabilities
> Description: Symantec Brightmail AntiSpam 6.0 provides enterprises
> with an advanced anti-spam and email threat defense system. It is
> exposed to multiple issues. Please refer to link below for further
> details. Symantec Brightmail Anti-Spam versions 6.0.3 and earlier are
> affected.
> Ref: http://www.symantec.com/avcenter/security/Content/2006.07.27.html
> ______________________________________________________________________
> 
> 06.31.33 CVE: CVE-2006-3747
> Platform: Cross Platform
> Title: Apache Mod_Rewrite Off-By-One Buffer Overflow
> Description: Apache's mod_rewrite is a rule-based rewriting engine
> which rewrites requested URLs for the Apache web server. It is prone
> to a buffer overflow condition that presents itself on a system with
> the active configuration "RewriteEngine on". Versions 2.0.53-55 and
> prior to 1.3.35 are reported as vulnerable.
> Ref: http://www.kb.cert.org/vuls/id/395412
> ______________________________________________________________________
> 
> 06.31.35 CVE: Not Available
> Platform: Cross Platform
> Title: FreePBX Shell Command Execution
> Description: FreePBX is an Asterisk-based PBX software and is
> susceptible to a shell command execution vulnerability. The issue is
> due to the application's failure to properly sanitize user-supplied
> input to the "CALLERID(number)" and "CALLERID(name)" parameters in the
> "amp_conf/astetc/extensions.conf" file. Versions 2.1.1 and prior,
> with "Allow anonymous inbound SIP calls" configured, are reported as
> vulnerable.
> Ref: http://freepbx.org/trac/changeset/2076
> ______________________________________________________________________
> 
> 06.31.38 CVE: Not Available
> Platform: Cross Platform
> Title: McAfee Multiple Products Unspecified Remote Code Execution
> Description: Multiple products by McAfee are exposed to an unspecified
> code execution vulnerability. The cause of this issue is currently
> unknown. Please refer to link below for further details.
> Ref: http://ts.mcafeehelp.com/faq3.asp?docid=407052
> ______________________________________________________________________
> 
> 
> 06.31.40 CVE: CVE-2006-3465
> Platform: Cross Platform
> Title: LibTIFF Library Anonymous Field Merging Denial of Service
> Description: The LibTIFF library is a set of graphic handling routines
> for the Tag Image File Format. It is prone to a denial of service
> vulnerability. Fields with unexpected values can be produced by
> creating anonymous TIFF file fields, and merging them from information
> supplied by a codec.
> Ref: http://www.securityfocus.com/bid/19287
> ______________________________________________________________________
> 
> 06.31.42 CVE: CVE-2006-3459
> Platform: Cross Platform
> Title: LibTIFF TiffFetchShortPair Remote Buffer Overflow
> Description: LibTIFF is a library designed to facilitate the reading
> and manipulation of Tag Image File Format (TIFF) files. It is exposed
> to a buffer-overflow issue. This issue is due to improper
> boundary checks before copying user-supplied data into a finite sized
> buffer. The problem occurs in the "TIFFFetchShortPair()" function of
> "tif_dirread.c" file.
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0603.html
> ______________________________________________________________________
> 
> 06.31.43 CVE: CVE-2006-3463
> Platform: Cross Platform
> Title: LibTIFF EstimateStripByteCounts() Denial of Service
> Description: LibTIFF is a library designed to facilitate the reading
> and manipulation of TIFF files. It is affected by a denial of service
> vulnerability, due to the "EstimateStripByteCounts()" function
> improperly handling the iteration of a 16 bit unsigned short over a 32
> bit unsigned value, resulting in an infinite loop. Versions 3.8.2 and
> prior are reported as vulnerable.
> Ref: http://www.securityfocus.com/bid/19284
> ______________________________________________________________________
> 
> 06.31.44 CVE: CVE-2006-3460
> Platform: Cross Platform
> Title: LibTIFF TiffScanLineSize Remote Buffer Overflow
> Description: LibTIFF is a library designed to facilitate the reading
> and manipulation of TIFF files. It is prone to a heap based buffer
> overflow vulnerability. The problem occurs in the jpeg decoder when
> the encoded jpeg stream may conflict with the data returned by
> TIFFScanLineSize() and TIFFReadScanline().
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0603.html
> ______________________________________________________________________
> 
> 06.31.45 CVE: Not Available
> Platform: Cross Platform
> Title: LibTIFF PixarLog Decoder Remote Heap Buffer Overflow
> Description: LibTIFF is a library designed to facilitate the reading
> and manipulation of Tag Image File Format (TIFF) files. The PixarLog
> Decoder for LibTIFF is prone to a remote heap overflow issue. All
> current versions are affected.
> Ref: http://www.securityfocus.com/bid/19290
> ______________________________________________________________________
> 
> 06.31.46 CVE: Not Available
> Platform: Cross Platform
> Title: Cisco CallManager Express SIP User Directory Information
> Disclosure
> Description: Cisco CallManager is a software based call processing
> component of the Cisco IP telephony solution. It is prone to an
> information disclosure vulnerability because the application fails to
> prevent an attacker from manipulating the Session Initiation Protocol
> stack. An attacker could send messages back and forth and obtain the
> names of the users that are stored in the Session Initiation Protocol
> database. Cisco CallManager Express version 3.0 is affected.
> Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml
> ______________________________________________________________________
> 
> 06.31.117 CVE: Not Available
> Platform: Hardware
> Title: Intel PRO/Wireless Network Connection Drivers Remote Code
> Execution
> Description: The Intel PRO/Wireless Network Connection is the
> integrated wireless LAN solution for Intel Centrino mobile technology.
> The Intel PRO/Wireless drivers are prone to multiple remote code
> execution vulnerabilities that likely result from boundary condition
> errors. Intel PRO/Wireless 2200BG and 2915ABG prior to version 10.5
> with driver version 9.0.4.16 for Windows are vulnerable.
> Ref: http://support.intel.com/support/wireless/wlan/sb/CS-023065.htm
> ______________________________________________________________________
> 
> 06.31.118 CVE: Not Available
> Platform: Hardware
> Title: Intel PRO/Wireless 2100 Network Connection Driver Local
> Privilege Escalation
> Description: Intel PRO/Wireless Network Connection is the integrated
> wireless LAN solution for Intel Centrino mobile technology. The
> Wireless 2100 driver for Windows is prone to a local privilege
> escalation vulnerability. Versions prior to 7.1.4.6 with driver
> version 1.2.4.37 are reported as vulnerable.
> Ref: http://support.intel.com/support/wireless/wlan/pro2100/sb/CS-023067.htm
> ______________________________________________________________________
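Item 06.31.43 above describes an infinite loop caused by iterating a 16-bit unsigned counter against a 32-bit unsigned bound. The following is an added illustration of that bug class and of the hardened shape, not libtiff's code and not part of the forwarded newsletter; the function names, the per-strip arithmetic and the sample strip counts are constructed for the demo.

```c
/* Constructed demo of the bug class reported for LibTIFF's
 * EstimateStripByteCounts(): a loop whose 16-bit unsigned counter is
 * compared against a 32-bit unsigned bound never terminates once the bound
 * exceeds 65535.  NOT libtiff's code: names, arithmetic and sample values
 * are invented for illustration only. */
#include <stdint.h>
#include <stdio.h>

/* Vulnerable shape: `strip` is uint16_t while `nstrips` is uint32_t.
 * When strip reaches 65535, strip++ wraps to 0 (well-defined unsigned
 * wrap-around), so `strip < nstrips` stays true forever if nstrips > 65535.
 * To keep the demo runnable we give up after `budget` iterations and report
 * through *terminated whether the loop ended on its own. */
uint64_t estimate_u16(uint32_t nstrips, uint32_t stripsize,
                      uint64_t budget, int *terminated)
{
    uint64_t total = 0, steps = 0;
    *terminated = 0;
    for (uint16_t strip = 0; strip < nstrips; strip++) {
        if (steps++ >= budget)
            return total;           /* budget exhausted: would spin forever */
        total += stripsize;
    }
    *terminated = 1;
    return total;
}

/* Hardened shape: the counter is as wide as the bound, and the running
 * total is accumulated in 64 bits so the size arithmetic cannot wrap. */
uint64_t estimate_u32(uint32_t nstrips, uint32_t stripsize)
{
    uint64_t total = 0;
    for (uint32_t strip = 0; strip < nstrips; strip++)
        total += stripsize;
    return total;
}

/* Static reasoning: a uint16_t-indexed loop can only reach index 65535,
 * so it terminates exactly when the bound fits in 16 bits. */
int u16_loop_terminates(uint32_t nstrips)
{
    return nstrips <= UINT16_MAX;
}

/* Dynamic observation of the same property via the bounded vulnerable loop. */
int estimate_u16_terminates(uint32_t nstrips, uint64_t budget)
{
    int ok;
    (void)estimate_u16(nstrips, 1, budget, &ok);
    return ok;
}

int main(void)
{
    int ok;
    /* A directory claiming 1000 strips: both versions agree. */
    uint64_t t = estimate_u16(1000, 4096, 1u << 20, &ok);
    printf("1000 strips:  u16 total=%llu terminated=%d, u32 total=%llu\n",
           (unsigned long long)t, ok, (unsigned long long)estimate_u32(1000, 4096));
    /* A crafted directory claiming 70000 strips: the 16-bit loop never ends. */
    estimate_u16(70000, 4096, 1u << 20, &ok);
    printf("70000 strips: u16 terminated=%d, u32 total=%llu\n",
           ok, (unsigned long long)estimate_u32(70000, 4096));
    return 0;
}
```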




 




Copyright © Lexa Software, 1996-2009.