Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 32



> 
> The huge number of critical new vulnerabilities disclosed by Microsoft
> on Tuesday *do not* appear to reflect increased failures by their
> development process.  Instead, the numerous discoveries of Microsoft
> programming flaws are a result of the recent upsurge in organized
> criminal hacker activity that has already shown up in 450% increases
> in bank losses due to cyber fraud (since the first half of 2005),
> broad penetration of US government (and other governments') computers
> as well as those of military contractor systems. The number of people
> engaged in cyber crime as a full-time "profession" in Eastern Europe
> and, especially, in Asia is skyrocketing.
> 
> 
> *****************************
> Widely Deployed Software
> *****************************
> 
> (1) CRITICAL: Microsoft Server Service Remote Code Execution 
> (MS06-040)
> 
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP1/SP2
> Microsoft Windows Server 2003 SP0/SP1
> 
> Description: The Microsoft Windows Server Service, used to provide
> various operating system and networking services, suffers from a
> remotely-exploitable buffer overflow in its RPC (Remote Procedure Call)
> interface. By sending a specially-crafted "NetpwPathCanoncalize" RPC
> request, an attacker could exploit this buffer overflow to execute
> arbitrary code and take complete control of the vulnerable system.
> Exploit code has been publicly posted. The exploit code is being
> actively used by a few bots to infect Windows 2000 and XP SP1 systems.
> Note that CERT and SANS have also seen this vulnerability being
> exploited prior to the release of this security bulletin.
> 
> Status: Microsoft has released a patch that is referenced in the
> security bulletin MS06-040. Users are advised to apply this patch
> immediately. eEye and other scanning tools can be used to locate
> vulnerable systems in a network. A workaround is to block TCP and UDP
> ports 445 and 139 at the network perimeter.
> 
> Council Site Actions:  All reporting council sites are 
> responding to all
> Microsoft issues. Several sites are addressing this issue on a fast
> track schedule and have already pushed the patches. Others 
> are deploying
> the patch during their next regularly scheduled system update process.
> A few sites are addressing desktops on an urgent basis and 
> servers on a
> standard basis.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx 
> SANS Handler's Diary Bot Analysis
> http://www.incidents.org/diary.php?storyid=1597&isc=c53e9a09018bce943dfaf79508620564
> http://isc.sans.org/diary.php?storyid=1593 
> LurHQ Bot Analysis
> http://www.lurhq.com/mocbot-ms06040.html 
> eEye Scanning Tool
> http://archives.neohapsis.com/archives/fulldisclosure/2006-08/
> 0263.html 
> http://www.eeye.com/html/resources/downloads/audits/NetApi.html 
> Metasploit Exploit 
> http://metasploit.com/projects/Framework/exploits.html#netapi_ms06_040
> Proof-of-Concept Exploit
> http://www.securityfocus.com/bid/19404
> SecurityFocus BID
> http://www.securityfocus.com/bid/19409 
> 
> ****************************************************************
> 
> (2) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities
> (MS06-042)
> 
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP1/SP2
> Microsoft Windows Server 2003 SP0/SP1
> 
> Description: Microsoft Internet Explorer contains multiple
> remotely-exploitable vulnerabilities. These vulnerabilities include
> arbitrary remote code execution with the privileges of the 
> current user,
> information disclosure, and the ability to execute arbitrary FTP
> commands embedded in an FTP URL.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions:  All reporting council sites are 
> responding to all
> Microsoft issues. Several sites are addressing this issue on a fast
> track schedule and have already pushed the patches. Others 
> are deploying
> the patch during their next regularly scheduled system update process.
> A few sites are addressing desktops on an urgent basis and 
> servers on a
> standard basis.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
> Zero Day Initiative Advisories
> http://zerodayinitiative.com/advisories/ZDI-06-026.html
> http://zerodayinitiative.com/advisories/ZDI-06-027.html
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/11826
> http://www.securityfocus.com/bid/18682
> http://www.securityfocus.com/bid/19312
> 
> ****************************************************************
> 
> (3) CRITICAL: Microsoft MHTML Link Parsing Remote Code Execution
> (MS06-043)
> 
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP1/SP2
> Microsoft Windows Server 2003 SP0/SP1
> 
> Description: Microsoft Windows fails to properly parse MHTML URLs in
> links. MHTML is an extension to HTML (the HyperText Markup 
> Language; the
> language used to write most web pages) that allows embedded 
> objects and
> metadata. A malicious web page containing a specially-crafted 
> MHTML link
> could exploit this vulnerability and execute arbitrary code with the
> privileges of the current user. Because this flaw exists in a core
> library, applications other than web browsers and email clients may be
> affected.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions:  All reporting council sites are 
> responding to all
> Microsoft issues. Several sites are addressing this issue on a fast
> track schedule and have already pushed the patches. Others 
> are deploying
> the patch during their next regularly scheduled system update process.
> A few sites are addressing desktops on an urgent basis and 
> servers on a
> standard basis.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-043.mspx
> SecurityFocus BID
> http://www.securityfocus.com/bid/18198
> 
> **************************************************************** 
> 
> (4) CRITICAL: Microsoft HTML Help ActiveX Component Remote Code
> Execution (MS06-046)
> 
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP1/SP2
> Microsoft Windows Server 2003 SP0/SP1
> 
> Description: An ActiveX component used by the Microsoft HTML 
> help system
> contains a remote code execution vulnerability. A malicious web page
> that instantiates the vulnerable component could trigger this
> vulnerability and execute arbitrary code with the privileges of the
> current user. Users can limit the impact of this vulnerability by
> preventing the vulnerable component from being instantiated inside
> Internet Explorer via the "killbit" mechanism for CLSID
> "{52a2aaae-085d-4187-97ea-8c30db990436}".
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are 
> responding to all
> Microsoft issues. All sites plan to deploy the patch during their next
> regularly scheduled system update process.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-046.mspx
> TippingPoint Security Research Team Advisory
> http://www.tippingpoint.com/security/advisories/TSRT-06-08.html
> Microsoft Knowledge Base Article (outlines the "killbit" mechanism)
> http://support.microsoft.com/kb/240797
> SecurityFocus BID
> http://www.securityfocus.com/bid/18769
> 
> ****************************************************************
> 
> (5) CRITICAL: Clam AntiVirus UPX Decompression Remote Code Execution
> Affected:
> Clam AntiVirus version 0.88.3 and prior
> 
> Description: Clam AntiVirus (ClamAV), a popular open source virus
> scanning engine, contains a remotely-exploitable buffer overflow. By
> sending a specially-crafted UPX-compressed executable as an attachment
> to an email message through a server running ClamAV, an attacker could
> execute arbitrary code with the privileges of the ClamAV process. No
> user interaction is necessary to exploit this vulnerability. 
> The default
> configuration of ClamAV is believed to be vulnerable. Users can limit
> the impact of this vulnerability by disabling the scanning of
> UPX-compressed executables. Note that a proof-of-concept is publicly
> available.
> 
> Status: ClamAV confirmed, updates available.
> 
> Council Site Actions: The affected software and/or 
> configuration are not
> in production or widespread use, or are not officially 
> supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Posting by Damian Put (includes technical details)
> http://archives.neohapsis.com/archives/bugtraq/2006-08/0162.html
> Proof-of-Concept 
> http://overflow.pl/poc/clamav_upx_heap.exe
> UPX Executable Packer Home Page
> http://upx.sourceforge.net/
> ClamAV Home Page
> http://www.clamav.net
> SecurityFocus BID
> http:/www.securityfocus.com/bid/19381
> 
> ****************************************************************
> 
> (6) CRITICAL: McAfee Subscription Manager ActiveX Component 
> Remote Code
> Execution
> 
> Affected:
> Any McAfee product that uses the McAfee Subscription Manager is
> potentially vulnerable. The following products are known to 
> contain the
> vulnerable component:
> McAfee AntiSpyware
> McAfee Internet Security Suite
> McAfee Personal Firewall Plus
> McAfee Privacy Service
> McAfee QuickClean
> McAfee SpamKiller
> McAfee VirusScan
> McAfee Wireless Home Network Security
> 
> Description: The McAfee Subscription Manager ActiveX component,
> installed along with all McAfee's Home and Home Business products,
> contains a remotely-exploitable buffer overflow. A malicious web page
> that instantiates the vulnerable component could exploit a buffer
> overflow in the McSubMgr.dll component and execute arbitrary code with
> the privileges of the current user. Note that technical 
> details for this
> vulnerability are publicly available, as well as a simple
> proof-of-concept. Users may be able to limit the impact of this
> vulnerability by disallowing the instantiation of the vulnerable
> component in Internet Explorer via Microsoft's "killbit" mechanism for
> the CLSID "{9BE8D7B2-329C-442A-A4AC-ABA9D7572602}".
> 
> Status: McAfee confirmed, updates available.
> 
> Council Site Actions:  Only one of the responding council 
> sites is using
> the affected software and only on a small scale.  They are relying on
> the ability of the end user to take the update directly from 
> the vendor.
> 
> References:
> eEye Security Advisory (includes simple proof-of-concept)
> http://archives.neohapsis.com/archives/bugtraq/2006-08/0142.html
> Microsoft Knowledge Base Article (outlines the "killbit" mechanism)
> http://support.microsoft.com/kb/240797
> McAfee Security Bulletin
> http://ts.mcafeehelp.com/faq3.asp?docid=407052
> SecurityFocus BID
> http://www.securityfocus.com/bid/19265
> 
> ****************************************************************
> 
> (7) HIGH: Microsoft Management Console Remote Code Execution 
> (MS06-044)
> Affected:
> Microsoft Windows 2000 SP4
> 
> Description: A malicious web site can exploit a cross-site scripting
> vulnerability in Microsoft Windows. This vulnerability allows 
> access to
> local HTML resource files in the Microsoft Management Console library;
> access to these files allows remote users to execute 
> arbitrary commands
> with the privileges of the current user. Users can limit the impact of
> the vulnerability by disabling Microsoft "Active Scripting" 
> for the "My
> Computer" zone. Note that this may affect operating system
> functionality. Users are also advised to read email messages in plain
> text.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are 
> responding to all
> Microsoft issues. All sites plan to deploy the patch during their next
> regularly scheduled system update process.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx
> Description of Internet Explorer Security Zones (includes 
> information about Active Scripting)
> http://support.microsoft.com/default.aspx?scid=182569
> SecurityFocus BID
> http://www.securityfocus.com/bid/19417
> 
> ****************************************************************
> 
> (8) HIGH: Microsoft Windows Explorer Remote Code Execution (MS06-045)
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP1/SP2
> Microsoft Windows Server 2003 SP0/SP1
> 
> Description: Failure to properly handle specially-crafted filenames in
> SMB and WebDAV fileshares could allow an attacker to execute arbitrary
> code with the privileges of the current user. This flaw can 
> be exploited
> by visiting a fileshare containing a file with a 
> specially-crafted name
> and double-clicking somewhere in that window. If the filename contains
> the GUID (Globally Unique Identifier) of an application, that
> application will be executed. Note that users must first visit a
> malicious share and then double-click in the newly-opened window.
> Technical details and a proof-of-concept for this vulnerability have
> been publicly posted.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are 
> responding to all
> Microsoft issues. All sites plan to deploy the patch during their next
> regularly scheduled system update process.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-045.mspx
> Posting by Plebo Aesdi Nael (includes technical details and a 
> proof-of-concept)
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16IE_ONE_MINOR_ONE_MAJOR.obj
> SecurityFocus BID
> http://www.securityfocus.com/bid/19389
> 
> ****************************************************************
> 
> (9) HIGH: Microsoft Windows Hyperlink Object Library Multiple Remote
> Code Execution Vulnerabilities (MS06-050)
> 
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP1/SP2
> Microsoft Windows Server 2003 SP0/SP1
> 
> Description: Clicking on a specially crafted link in an email message
> or Office document could result in arbitrary code execution with the
> privileges of the current user. This is due to multiple flaws in the
> Hyperlink Object Library, used to parse and manipulate 
> hyperlinks. Note
> that, for at least one of the vulnerabilities, the provided link must
> go to a live website, limiting the life span of any potential malware
> based on this vulnerability. Note that the technical details for one of
> the vulnerabilities have been publicly posted. Because this is a flaw in
> an operating system library, other applications may be affected.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions:  All reporting council sites are 
> responding to all
> Microsoft issues. Several sites are addressing this issue on a fast
> track schedule and have already pushed the patches. Others 
> are deploying
> the patch during their next regularly scheduled system update process.
> A few sites are addressing desktops on an urgent basis and 
> servers on a
> standard basis.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-050.mspx
> TippingPoint Security Research Team Advisory
> http://www.tippingpoint.com/security/advisories/TSRT-06-10.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/18500
> 
> ****************************************************************
> 
> (10) HIGH: Barracuda Spam Firewall Remote Command Injection
> Affected:
> Barracuda Spam Firewall Appliance
> 
> Description: The Barracuda spam firewall appliance, a popular 
> enterprise
> anti-spam appliance, contains a remote command injection 
> vulnerability.
> By sending specially-crafted requests to the
> "/cgi-bin/preview_email.cgi" script on the appliance, an 
> unauthenticated
> attacker could execute arbitrary commands with the administrative
> privileges. Technical details for this vulnerability are publicly
> available. Users are advised to block access to the barracuda
> administrative interface at the network perimeter.
> 
> Status: Barracuda confirmed, updates available.
> 
> Council Site Actions:  Only one of the reporting council 
> sites is using
> the affected software. They use it for incoming mail for a large user
> population.   They noticed that the Matthew Hall bugtraq posting on
> August 4 says "It was noted that the original file input sanitation
> vulnerability seems to have been 'silently' fixed by 
> Barracuda Networks
> (as of 11pm GMT 03/08/06), which mitigates the attacks 
> above." Thus they
> plan no action at this time.
> 
> References:
> Posting by Matthew Hall
> http://archives.neohapsis.com/archives/bugtraq/2006-08/0093.html
> Proof-of-Concept Exploit
> http://milw0rm.com/exploits/2145
> http://milw0rm.com/exploits/2136
> Barracuda Home Page
> http://www.barracudanetworks.com/
> SecurityFocus BID
> http://www.securityfocus.com/bid/19276
> 
> ****************************************************************
> 
> (11) MODERATE: Microsoft DNS Multiple Remote Code Execution
> Vulnerabilities (MS06-041)
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP1/SP2
> Microsoft Windows Server 2003 SP0/SP1
> 
> Description: Multiple flaws in Microsoft's DNS (Domain Name System)
> client implementation allow attackers to take complete control of the
> vulnerable system. The first flaw may be exercised by a
> specially-crafted web page that forces the vulnerable system to call
> the affected API; an attacker could then execute arbitrary code with
> SYSTEM
> privileges. The second flaw can be triggered by forcing the vulnerable
> system to look up a specially-crafted record on a malicious 
> nameserver;
> this also allows arbitrary code execution with SYSTEM 
> privileges. Users
> can mitigate the impact of the first vulnerability by disabling the
> "Autodial.DLL" library; this will prevent access to the 
> vulnerable API.
> The second vulnerability can be mitigated by blocking ATMA, TXT, X25,
> HINFO, and ISDN DNS record responses at the network perimeter.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions:  All reporting council sites are 
> responding to all
> Microsoft issues. Several sites are addressing this issue on a fast
> track schedule and have already pushed the patches. Others 
> are deploying
> the patch during their next regularly scheduled system update process.
> A few sites are addressing desktops on an urgent basis and 
> servers on a
> standard basis.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx
> SecurityFocus BID
> http://www.securityfocus.com/bid/19404
> 
> ****************************************************************
> (12) MODERATE: Microsoft Office Visual Basic Remote Code Execution
> (MS06-047)
> 
> Affected:
> Microsoft Office 2000/XP
> Microsoft Project 2000/2002
> Microsoft Access 2000
> Microsoft Visio 2002
> Microsoft Works Suite 2004/2005/2006
> Microsoft Visual Basic for Applications SDK 6.0 - 6.4
> 
> Description: Opening a malicious Microsoft Office document containing
> specially-crafted Visual Basic document properties could result in
> arbitrary code execution with the privileges of the current user. In
> most common configurations, Office documents are not opened
> automatically. Users are advised to not open documents received from
> untrusted sources. Note that the vulnerable document properties are not
> currently publicly known.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are 
> responding to all
> Microsoft issues. All sites plan to deploy the patch during their next
> regularly scheduled system update process.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-047.mspx
> Microsoft Visual Basic for Applications Home Page
> http://msdn.microsoft.com/vba
> SecurityFocus BID
> http://www.securityfocus.com/bid/19414
> 
> ****************************************************************
> 
> (13) MODERATE: Microsoft PowerPoint BIFF File Format Remote Code
> Execution (MS06-048)
> 
> Affected:
> Microsoft PowerPoint 2000
> Microsoft PowerPoint 2002
> Microsoft Office PowerPoint 2003
> PowerPoint 2004/X for Mac
> 
> Description: Opening a malicious Microsoft PowerPoint document
> containing specially-crafted document properties could result in
> arbitrary code execution with the privileges of the current user. In
> most common configurations other than PowerPoint 2000, PowerPoint
> documents are not opened automatically. Users are advised to not open
> documents received from untrusted sources. Some technical details for
> this vulnerability have been publicly posted. This update patches a
> vulnerability mentioned in a previous @RISK entry.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are 
> responding to all
> Microsoft issues. All sites plan to deploy the patch during their next
> regularly scheduled system update process.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
> Posting by Sowhat of Nevis Labs (contains some technical details)
> http://archives.neohapsis.com/archives/bugtraq/2006-08/0152.html
> Previous @RISK Newsletter Entry
> http://www.sans.org/newsletters/risk/display.php?v=5&i=28#widely2
> SecurityFocus BID
> http://www.securityfocus.com/bid/18957
> 
> ****************************************************************
> 
> (14) MODERATE: Microsoft Kernel Remote Code Execution Vulnerability
> (MS06-051)
> 
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP1/SP2
> Microsoft Windows Server 2003 SP0/SP1
> 
> Description: Microsoft Windows is vulnerable to a remote code execution
> vulnerability through the Windows kernel's exception handling facility.
> This attack could be exploited by a malicious web site. No other
> technical details about this vulnerability are publicly available.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions:  All reporting council sites are 
> responding to all
> Microsoft issues. Several sites are addressing this issue on a fast
> track schedule and have already pushed the patches. Others 
> are deploying
> the patch during their next regularly scheduled system update process.
> A few sites are addressing desktops on an urgent basis and 
> servers on a
> standard basis.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-051.mspx
> SecurityFocus BID
> http://www.securityfocus.com/bid/19384
> 
> ****************************************************************
> 
> 06.32.1 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows Explorer GDI32.DLL WMF Remote Denial of
> Service
> Description: Microsoft Windows Explorer is reportedly prone to a
> remote denial of service issue. Please refer to the advisory for
> further details.
> Ref: http://www.securityfocus.com/archive/1/442426
> ______________________________________________________________________
> 
> 06.32.2 CVE: CVE-2006-3450
> Platform: Windows
> Title: Microsoft Internet Explorer HTML Layout and Positioning Remote
> Code Execution
> Description: Microsoft Internet Explorer is prone to a remote code
> execution vulnerability. The issue is caused by an HTML rendering
> problem, and can be exploited by enticing a victim into visiting a
> malicious web page. Versions of Internet Explorer on Windows 2000,
> Windows XP, and Windows Server 2003 are reported as vulnerable.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
> ______________________________________________________________________
> 
> 06.32.3 CVE: CVE-2006-3451
> Platform: Windows
> Title: Microsoft Internet Explorer Chained Cascading Style Sheets
> Remote Code Execution
> Description: Microsoft Internet Explorer is prone to a remote code
> execution vulnerability that is related to how the browser handles
> chained CSS (Cascading Style Sheets). It can be exploited by a user
> viewing a malicious web page. This issue affects Internet Explorer on
> Windows 2000, Windows XP excluding XP SP2, and Windows Server 2003.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
> ______________________________________________________________________
> 
> 06.32.4 CVE: CVE-2006-3440
> Platform: Windows
> Title: Microsoft Winsock Gethostbyname Buffer Overflow
> Description: The Microsoft Winsock API is exposed to a buffer overflow
> issue. Please refer to the advisory for further details.
> Ref: http://www.microsoft.com/technet/security/bulletin/MS06-041.mspx
> ______________________________________________________________________
> 
> 06.32.5 CVE: CVE-2006-3638
> Platform: Windows
> Title: Internet Explorer COM Object Instantiation Code Execution
> Description: Microsoft Internet Explorer is exposed to a memory
> corruption issue that is related to the instantiation of COM objects.
> This issue results from a design error. Please refer to the advisory
> for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
> ______________________________________________________________________
> 
> 06.32.6 CVE: CVE-2006-3443, CVE-2006-3648:
> Platform: Windows
> Title: Windows User Profile Privilege Escalation
> Description: Microsoft Windows is vulnerable to a local privilege
> escalation issue due to an insecure search path for the WinLogon
> facility. Please see the advisory for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-051.mspx
> ______________________________________________________________________
> 
> 06.32.7 CVE: CVE-2006-3648
> Platform: Windows
> Title: Microsoft Windows Unhandled Exception Remote Code Execution
> Description: Microsoft Windows is prone to a remote code execution
> vulnerability that is caused by an error in how chained exceptions are
> unloaded by the operating system. This vulnerability could be
> exploited by a malicious web page, with a successful exploit
> completely compromising the affected computer. Multiple versions of
> Windows XP, 2000, and 2003 are reported as vulnerable.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-051.mspx
> ______________________________________________________________________
> 
> 06.32.8 CVE: CVE-2006-3444
> Platform: Windows
> Title: Microsoft Windows 2000 Kernel Local Privilege Escalation
> Description: A local privilege escalation vulnerability exists in
> Microsoft Windows 2000 that seems to be caused by insufficient
> checking of an input buffer size in the kernel, and can result in the
> complete compromise of a vulnerable system. Windows 2000 SP4 is
> reported as vulnerable.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-049.mspx
> ______________________________________________________________________
> 
> 06.32.9 CVE: CVE-2006-3281
> Platform: Windows
> Title: Microsoft Windows Explorer Drag and Drop Remote Code Execution
> Description: Microsoft Windows is exposed to a remote code execution
> issue. This issue affects the Windows Explorer component. This issue
> is caused by insecure handling of drag and drop events. Please refer
> to the advisory for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-045.mspx
> ______________________________________________________________________
> 
> 06.32.10 CVE: CVE-2006-3441
> Platform: Windows
> Title: Microsoft Windows DNS Client Buffer Overrun
> Description: Microsoft Windows is exposed to a remotely exploitable
> buffer overrun condition in the DNS client. Please refer to the
> advisory for further details.
> Ref: http://www.microsoft.com/technet/security/bulletin/MS06-041.mspx
> ______________________________________________________________________
> 
> 06.32.11 CVE: CVE-2006-3438
> Platform: Windows
> Title: Microsoft Hyperlink Object Library Function Remote Buffer
> Overflow
> Description: Microsoft's Hyperlink Object Library (HLINK.DLL) is a
> library used to handle operations involving URIs. It is vulnerable to
> a buffer overflow issue when applications utilizing the affected
> library attempt to process malformed URIs. See the advisory for
> further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-050.mspx
> ______________________________________________________________________
> 
> 06.32.12 CVE: Not Available
> Platform: Windows
> Title: Windows Server Service Remote Buffer Overflow
> Description: Microsoft Windows Server Service facilitates sharing of
> local resources over the network including RPC support, file, printer,
> and named pipe sharing. It is affected by a remote buffer overflow
> issue. Please see the attached advisory for details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
> ______________________________________________________________________
> 
> 06.32.13 CVE: CVE-2006-3643
> Platform: Windows
> Title: Microsoft Management Console Zone Bypass
> Description: Microsoft Management console is an integrated
> administration user interface and administration model for
> Windows-based environments. It is prone to a cross-zone scripting
> vulnerability, due to the operating system allowing MMC files to be
> referenced from the Internet Zone in some cases. A successful exploit
> could completely compromise the computer. Windows 2000 SP4 is reported
> as vulnerable.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx
> ______________________________________________________________________
> 
> 06.32.14 CVE: CVE-2006-3449
> Platform: Microsoft Office
> Title: Powerpoint Remote Code Execution
> Description: Microsoft PowerPoint is vulnerable to a remote code
> execution when the application handles malformed record data within a
> presentation file. See the advisory for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
> ______________________________________________________________________
> 
> 06.32.15 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer IFrame Refresh Denial of Service
> Description: Microsoft Internet Explorer is prone to a denial of
> service issue when handling malicious HTML files. The issue is exposed
> when trying to refresh an iframe containing an XML file. All
> current versions are affected.
> Ref: http://www.securityfocus.com/bid/19364/info
> ______________________________________________________________________
> 
> 06.32.16 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Window Location Cross-Domain Information
> Disclosure
> Description: Microsoft Internet Explorer is prone to a cross-domain
> information disclosure issue. The vulnerability occurs because it is
> possible to persist script across navigations. As a result a malicious
> page may gain access to the "window.location" of a web page in another
> domain or Internet Explorer zone. All current versions are affected.
> Ref: http://www.securityfocus.com/bid/19339
> ______________________________________________________________________
> 
> 06.32.17 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Source Element Cross-Domain Information
> Disclosure
> Description: Microsoft Internet Explorer is prone to an information
> disclosure issue because it fails to properly enforce cross-domain
> policies. All current versions are affected.
> Ref: http://www.securityfocus.com/bid/19400
> ______________________________________________________________________
> 
> 06.32.18 CVE: CVE-2006-3649
> Platform: Other Microsoft Products
> Title: Microsoft Visual Basic for Applications Document Check Buffer
> Overflow
> Description: Microsoft Visual Basic for Applications (VBA) is a
> development platform implemented by various applications. It is
> vulnerable to a buffer overflow vulnerability that is caused by
> insufficient bounds checking when the application parses the
> properties of a malicious document that supports VBA. The issue exists
> in all applications that implement the use of VBA, such as Microsoft
> Office products, except for Office 2003 SP1 and SP2.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-047.mspx
> ______________________________________________________________________
> 
> 06.32.20 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Computer Associates Virus Definition Downgrade
> Description: Computer Associates WebScan is a web-based virus scanner.
> It is exposed to a flaw which could cause the application's virus
> definitions to become downgraded to a previous version. Computer
> Associates WebScan version 1.1.0.1047 and 1.1.0.1045 are affected.
> Ref: http://www.securityfocus.com/archive/1/442476
> 
> 06.32.26 CVE: CVE-2006-3468
> Platform: Linux
> Title: Linux Kernel NFS and EXT3 Combination Remote Denial of Service
> Description: The Linux kernel is susceptible to a remote denial of
> service vulnerability, due to a failure of the EXT3 filesystem code to
> properly handle unexpected conditions in malformed "iget()" requests.
> Versions 2.6.17.7 and prior are reported as vulnerable.
> Ref: http://bugzilla.kernel.org/show_bug.cgi?id=6828
> ______________________________________________________________________
> 
> 
> 06.32.31 CVE: Not Available
> Platform: Cross Platform
> Title: Clam Anti-Virus ClamAV UPX Compressed PE File Heap Buffer
> Overflow
> Description: ClamAV is an antivirus application. It is affected by a
> heap overflow issue due to the application's failure to properly handle
> user-supplied data. ClamAV versions 0.88.2 and 0.88.3 are vulnerable to
> this issue.
> Ref: http://www.securityfocus.com/bid/19381
> ______________________________________________________________________
> 
> 06.32.34 CVE: Not Available
> Platform: Cross Platform
> Title: Apache CGI Script Source Code Information Disclosure
> Description: Apache is exposed to an information disclosure issue. The
> problem occurs when the application receives a request for a CGI script
> file. The application fails to properly handle the request and returns
> the script source instead of executing it. Apache version 2.2.2 for
> Microsoft Windows is affected.
> Ref: http://www.securityfocus.com/bid/19447
> ______________________________________________________________________
> 
> 06.32.52 CVE: CVE-2006-3975
> Platform: Web Application
> Title: CA eTrust Antivirus WebScan Remote Buffer Overflow
> Description: CA eTrust Antivirus WebScan is a web-based virus scanner.
> It is prone to a remote buffer overflow vulnerability due to an
> unspecified bounds checking error. Versions 1.1.0.1047 and prior are
> reported as vulnerable.
> Ref: http://www.tippingpoint.com/security/advisories/TSRT-06-06.html
> ______________________________________________________________________

> 
> BONUS SECTION: Drive By Port Scanning and Exploitation of Internal
> Networks
> 
> SPI Labs has discovered a technique to use JavaScript to portscan an
> internal network, fingerprint all the web-enabled devices found, and
> send attacks or commands to those devices. All the code uses parts of
> the JavaScript standard that are almost ten years old. Accordingly, the
> code can execute in nearly any Web browser on nearly any platform when
> a user opens a Webpage that contains the JavaScript. Since this is not
> exploiting any browser bug or vulnerability, there is no patch or
> defense for the end user other than turning off JavaScript support in
> the browser. The code can be part of a Cross-site scripting (XSS) attack
> payload, thereby increasing the damage XSS can do.
> 
> Simply viewing a page with an embedded scanner will download the
> JavaScript along with the HTML to a user's browser, automatically
> executing the code. The scanner can be included in a site an attacker
> controls, or injected into popular sites using XSS vulnerabilities. The
> scanner finds targets by implementing a "ping" feature using the
> JavaScript Image object and an IFrame tag. Using a blend of these two
> objects allows the scanner to quickly detect hosts and confirm they are
> serving HTTP content. Once the scanner has detected a host with a web
> interface, the scanner tries to fingerprint the Web server to determine
> its type and version number. This is done using the Image object to
> retrieve graphics from well known locations on the device. For example,
> most Microsoft IIS Web servers have an image /pagerror.gif that is 36
> by 48 pixels in size, Linksys WRK54G wireless routers have an image
> /UI_Linksys.gif that is 165 by 57 pixels, and Plone wiki applications
> have an image /plone_powered.gif that is 80 by 15 pixels. Once the
> scanner knows what applications exist on the intranet, it can send
> attacks to exploit known vulnerabilities in the applications. By
> dynamically building HTML forms and automatically submitting them, the
> scanner can send attacks using either GET or POST against the
> application. At the very least, the information collected from scanning
> and fingerprinting can be sent to the attacker to assist in planning
> another attack.
> 
> SPI Labs has created a proof of concept web page that implements the
> detection and fingerprinting functionality of a full scanner. This site
> is available to the public and is listed at the end of this article. The
> scanner does not automatically start scanning or attacking any internal
> applications.
> 
> Most of these traditional XSS attacks target the Website where the XSS
> vulnerability exists and the damage of the attack is limited by the
> features of that Website. For example, session hijacking is only
> damaging if the site that has the XSS vulnerability actually issues
> session state and does something meaningful with it. The danger is that
> scanning and attacking internal applications or systems targets the end
> user. This means any XSS vulnerability on any site can be used to attack
> the end user, regardless of the features of the vulnerable site. There
> is no longer any such thing as a harmless XSS vulnerability.
> 
> More information:
> Complete Whitepaper:
> http://www.spidynamics.com/assets/documents/JSportscan.pdf
> Proof of Concept:
> http://www.spidynamics.com/spilabs/js-port-scan/
> Upcoming BlackHat Presentation, Jeremiah Grossman, WhiteHat Security:
> http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman
> Upcoming BlackHat Presentation, Billy Hoffman, SPI Dynamics:
> http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Hoffman2
> 
> 
> 
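As an added defensive example (not from the SPI Labs paper or the newsletter above), a Python check that flags the trace the fingerprinting step leaves on an intranet server: requests for the well-known image paths named in the bonus section whose Referer points at an external page. The intranet domain suffix, the combined log format and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Image paths the article names as fingerprinting probes, and the product each one implies.
FINGERPRINT_PATHS = {
    "/pagerror.gif": "Microsoft IIS",
    "/UI_Linksys.gif": "Linksys WRK54G",
    "/plone_powered.gif": "Plone",
}
# Hypothetical intranet domain suffix; pages served from it may legitimately embed these images.
INTERNAL_SUFFIX = ".intranet.example"
# Apache-style combined log format (constructed regex covering the usual field layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_is_external(referer):
    """True when the fetch was triggered by a page outside the intranet suffix. A missing
    ('-') Referer is not counted: browsers may strip it, so that is a weak signal, not proof."""
    if referer in ("", "-"):
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return not host.endswith(INTERNAL_SUFFIX)

def flag_probes(lines):
    """Return (client_ip, path, implied product, referer host) for each fetch of a known
    fingerprint image that an external page triggered, as seen in the probed server's log."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        path = urlsplit(fields["target"]).path  # ignore cache-busting query strings
        if path in FINGERPRINT_PATHS and referer_is_external(fields["referer"]):
            hits.append((fields["ip"], path, FINGERPRINT_PATHS[path],
                         urlsplit(fields["referer"]).hostname))
    return hits

# Constructed sample access-log lines (not real traffic); the second carries a query string.
SAMPLE_LOG = [
    '192.168.1.23 - - [09/Aug/2006:10:01:02 +0000] "GET /pagerror.gif HTTP/1.1" 200 2806 "http://evil.example/scan.html" "Mozilla/4.0"',
    '192.168.1.23 - - [09/Aug/2006:10:01:02 +0000] "GET /UI_Linksys.gif?r=8821 HTTP/1.1" 404 321 "http://evil.example/scan.html" "Mozilla/4.0"',
    '192.168.1.40 - - [09/Aug/2006:10:02:15 +0000] "GET /pagerror.gif HTTP/1.1" 200 2806 "http://portal.intranet.example/help" "Mozilla/4.0"',
    '192.168.1.41 - - [09/Aug/2006:10:03:00 +0000] "GET /plone_powered.gif HTTP/1.1" 200 1187 "-" "Mozilla/4.0"',
]
```

Several such hits from one client IP across different probe paths in a short window are a stronger indicator than any single line, since a single legitimate hotlink can produce the same record.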