Archive :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 37



> 
> *************************
> Widely Deployed Software
> *************************
> 
> (1) CRITICAL: Apple QuickTime Multiple Vulnerabilities
> Affected:
> Apple QuickTime version 7.1.2 and prior for Mac OS X and Microsoft
> Windows XP/2000
> 
> Description: Apple's QuickTime media player and framework contains
> multiple file-parsing vulnerabilities. Failure to properly parse H.264
> movie files, QuickTime movie files, FLC movie files, FlashPix images,
> and SGI images, leads to various remotely-exploitable vulnerabilities.
> A specially-crafted movie or image file could exploit one of these
> vulnerabilities and execute arbitrary code with the privileges of the
> current user. Note that in most common configurations, files handled by
> QuickTime are opened automatically. Technical details for some of these
> vulnerabilities, and a simple proof-of-concept for the FLC
> vulnerability, have been publicly posted.
> 
> Status: Apple confirmed, updates available.
> 
> Council Site Actions: Multiple reporting council sites plan to
> distribute the patches during their next regularly scheduled
> maintenance cycle. One other site plans to notify their Windows users
> to obtain the update on their own, and the Mac OS users will be
> automatically updated using Apple's Software Update Facility.
> 
> References:
> Apple Security Advisory
> http://docs.info.apple.com/article.html?artnum=304357
> Proof-of-Concept FLC Movie (binary file link)
> http://www.securityfocus.com/data/vulnerabilities/exploits/poc_fli.zip
> SecurityFocus BID
> http://www.securityfocus.com/bid/19976 
> 
> ****************************************************************
> 
> (2) HIGH: Adobe Flash Player Multiple Vulnerabilities
> Affected:
> Adobe Flash Player version 8.0.24.0 and prior
> Adobe Flash Professional 8
> Adobe Flash MX 2004
> Adobe Flex 1.5
> 
> Description: Adobe's Flash Player (formerly Macromedia Flash Player), a
> widely-deployed system for rich web content, contains several
> remotely-exploitable vulnerabilities, including remote code execution
> and denial-of-service vulnerabilities: (1) Failure to properly handle
> heap memory when dynamically allocating long strings at runtime leads
> to a controllable memory-overwrite condition. Some technical details for
> this vulnerability have been publicly posted. (2) An unspecified file
> parsing vulnerability can lead to multiple improper memory access
> errors. (3) Microsoft Excel spreadsheets that embed the Adobe Flash
> Player ActiveX object can, with user assistance, execute arbitrary
> JavaScript code. (4) An unspecified vulnerability allows a
> specially-crafted Flash file to bypass the internal sandbox protection
> mechanism, allowing privilege escalation. (5) An unspecified file
> parsing vulnerability can lead to a denial-of-service condition by
> crashing the viewing web browser. A specially-crafted Flash file could
> trigger these vulnerabilities and potentially execute arbitrary code
> with the privileges of the current user. Note that, in the default
> configuration, Flash files are displayed automatically when loaded in a
> web browser.
> 
> Status: Adobe confirmed, updates available.
> 
> Council Site Actions: All responding council sites plan to take action
> - most will be deploying the patches during their next regular
> maintenance release cycle. One site will rely on individual end users
> to obtain the update.
> 
> References:
> Computer Terrorism Security Advisory
> http://archives.neohapsis.com/archives/bugtraq/2006-09/0185.html 
> Adobe Security Advisory
> http://www.adobe.com/support/security/bulletins/apsb06-11.html 
> Adobe Flash Player Home Page
> http://www.adobe.com/products/flashplayer/ 
> SecurityFocus BID
> http://www.securityfocus.com/bid/19980 
> 
> ****************************************************************
> 
> (3) HIGH: Microsoft Internet Explorer Compressed Content Heap Overflow (MS06-042)
> Affected:
> Microsoft Internet Explorer 5 SP4 with MS06-042 on Windows 2000
> Microsoft Internet Explorer 6 with MS06-042v1/2 on Windows 2000/XP SP1/2003 SP0
> 
> Description: Microsoft has released a third version for the Internet
> Explorer patch MS06-042. The second version of the patch fixed a
> vulnerability introduced by the original version of the patch. However,
> the second version also introduced another related vulnerability.
> Internet Explorer fails to properly handle overlong URLs in certain
> situations involving HTTP redirects and GZIP or deflate data encoding.
> Note that only systems with the initial version of the MS06-042 patch
> are vulnerable, and Windows XP with SP2 is never vulnerable. Technical
> details for this vulnerability have been publicly posted.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All responding council sites plan to take action -
> most will be deploying the patches during their next regular
> maintenance release cycle.
> 
> References:
> eEye Security Advisory
> http://archives.neohapsis.com/archives/bugtraq/2006-09/0191.html 
> W3C HTTP Status Code Definitions (includes information on HTTP redirects)
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
> W3C HTTP Protocol Parameter Definitions (includes information on GZIP
> and deflate encoding)
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
> Microsoft Security Bulletin MS06-042
> http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx 
> Previous @RISK Entry detailing initial MS06-042 advisory
> http://www.sans.org/newsletters/risk/display.php?v=5&i=32#widely2 
> Previous @RISK Entry detailing flaw introduced in MS06-042v1
> http://www.sans.org/newsletters/risk/display.php?v=5&i=34#widely1 
> SecurityFocus BID
> http://www.securityfocus.com/bid/19987 
> 
> ****************************************************************
> 
> (4) HIGH: Microsoft Pragmatic General Multicast Buffer Overflow (MS06-052)
> Affected:
> Microsoft Windows XP SP1/SP2
> 
> Description: The Microsoft Message Queueing component (not installed by
> default) in Microsoft Windows XP contains a remotely-exploitable buffer
> overflow vulnerability. Failure to properly handle Pragmatic General
> Multicast (PGM) packets leads to a buffer overflow. A series of
> specially-crafted PGM packets could trigger this buffer overflow and
> allow arbitrary code execution with SYSTEM-level privileges. Users are
> advised to block packets with IP protocol number 113 at the network
> perimeter, if possible.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All responding council sites plan to take action -
> most will be deploying the patches during their next regular
> maintenance release cycle.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/MS06-052.mspx 
> RFC 3208, Pragmatic General Multicast
> http://www.ietf.org/rfc/rfc3208.txt 
> SecurityFocus BID
> http://www.securityfocus.com/bid/19922 
> 
> ****************************************************************
> 
> (5) HIGH: Microsoft Publisher File Parsing Buffer Overflow (MS06-054)
> Affected:
> Microsoft Office Publisher 2000/2002/2003
> 
> Description: Microsoft Office Publisher, a popular Desktop Publishing
> (DTP) application and Microsoft Office component, contains a
> remotely-exploitable file-format vulnerability. Failure to properly
> validate Publisher files (typically identified via the ".pub" filename
> extension) leads to a buffer overflow. A specially-crafted Publisher
> file could exploit this overflow and execute arbitrary code with the
> privileges of the current user. Note that Publisher files do not open
> by default in versions of Microsoft Office after Office 2000.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: Most responding council sites plan to take action
> and will be deploying the patches during their next regular
> maintenance release cycle.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx 
> Computer Terrorism Security Advisory
> http://archives.neohapsis.com/archives/bugtraq/2006-09/0184.html 
> SecurityFocus BID
> http://www.securityfocus.com/bid/19951 
> 
> ****************************************************************
> 
> (6) MODERATE: Cisco IOS VTP Multiple Vulnerabilities
> Affected:
> Cisco switches running Cisco IOS and CatOS
> 
> Description: The VLAN Trunking Protocol (VTP) is a proprietary Cisco
> protocol used to distribute VLAN configuration information. The
> implementation of VTP on switches running Cisco IOS and CatOS operating
> systems contains several vulnerabilities: (1) VLAN names longer than 100
> bytes can result in a buffer overflow in Cisco IOS. A specially-crafted
> VTP request could trigger this buffer overflow and execute arbitrary
> code on the switch. (2) A specially-crafted VTP request could lead to a
> denial-of-service condition on Cisco IOS-based devices. (3) Specifying
> a large configuration revision number can result in an integer overflow
> in both Cisco IOS and CatOS-based devices. Once this integer overflow
> has been triggered, any VTP updates sent out by the affected switch will
> be ignored by other switches. Users are advised to implement VTP
> password authentication for all VTP domains, if possible.
> 
> Status: Cisco confirmed, updates available.
> 
> Council Site Actions: Three of the responding council sites are using
> the affected software. One site will deploy the patch during their next
> maintenance cycle, another site will deploy the patch later this year
> unless a DoS is observed, and the third site is still investigating.
> 
> References:
> Cisco Security Advisory
> http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml 
> SecurityFocus BID
> http://www.securityfocus.com/bid/19998 
> 
> ****************************************************************
> 
> (7) MODERATE: HP OpenView Multiple Vulnerabilities
> Affected:
> HP OpenView Operations versions 7.1, 8.0, 8.1
> HP OpenView Operations for Windows versions a.07.21, a.07.20, a.07.10, a.07.00
> 
> Description: HP OpenView, a popular enterprise-level system monitoring
> and management suite, contains multiple unspecified remotely-exploitable
> vulnerabilities. These vulnerabilities include remote unauthorized
> access, possibly allowing for remote command execution, and
> denial-of-service conditions.
> 
> Status: HP confirmed, updates available.
> 
> Council Site Actions: Only one council site is using the affected
> software and they plan to push the patch during their next regularly
> scheduled maintenance cycle.
> 
> References:
> HP Security Advisory
> http://archives.neohapsis.com/archives/bugtraq/2006-09/0203.html
> HP OpenView Home Page
> http://openview.hp.com/
> SecurityFocus BID
> http://www.securityfocus.com/bid/20005
> 
> ****************************************************************
> 
> (8) MODERATE: PHP NULL Processing Arbitrary File Overwrite
> Affected:
> It is unknown how many PHP applications are vulnerable. It has been
> confirmed that both phpBB and punBB are vulnerable.
> 
> Description: Some PHP scripts fail to properly account for NULL (ASCII
> 0) characters in certain user-supplied data. A specially-crafted request
> could exploit this vulnerability and overwrite arbitrary files with
> user-supplied data. A proof-of-concept exploit for phpBB has been
> publicly posted.
> 
> References:
> Posting by ShAnKaR (includes proof-of-concept)
> http://archives.neohapsis.com/archives/bugtraq/2006-09/0168.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/19661 (phpBB)
> http://www.securityfocus.com/bid/20046 (phpBB)
> ****************************************************************
> 
> (9) LOW: Microsoft Indexing Service Cross Site Scripting Vulnerability (MS06-053)
> Affected:
> Microsoft Windows 2000 SP4/XP SP1/XP SP2/2003 SP0/2003 SP1
> 
> Description: The Microsoft Indexing Service, used to index data to allow
> for rapid searches, contains a remotely-exploitable cross-site-scripting
> vulnerability. Failure to properly sanitize user-supplied input would
> allow a specially-crafted web page to execute arbitrary JavaScript code
> with the privileges of the current user, subject to that user's
> JavaScript security settings.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: Most responding council sites plan to take action
> and will be deploying the patches during their next regular
> maintenance release cycle.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms06-053.mspx
> Microsoft Indexing Service Documentation
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/snap_idx_srv_mgmt.mspx?mfr=true
> SecurityFocus BID
> http://www.securityfocus.com/bid/19927
> 
> 
> ======
> Exploits
> ======
> 
> (15) Microsoft Internet Explorer 'DirectAnimation.PathControl' Exploit (0day)
> 
> Description: An exploit for the Microsoft Internet Explorer
> "DirectAnimation" vulnerability discussed in a previous @RISK Newsletter
> Entry has been publicly posted. This exploit allows for arbitrary
> remote-code execution with the privileges of the current user.
> 
> References:
> Exploit by XSec
> http://archives.neohapsis.com/archives/bugtraq/2006-09/0206.html
> Previous @RISK Newsletter Entry
> http://www.sans.org/newsletters/risk/display.php?v=5&i=35#widely2 
> 
> 
> 06.37.2 CVE: CVE-2006-0032
> Platform: Windows
> Title: Microsoft Indexing Service Query Validation Cross-Site
> Scripting
> Description: Microsoft Indexing Service is an application to create
> indexed catalogs for the contents and properties of file systems and
> virtual Webs. It is a base service and part of the Internet
> Information Services (IIS). Microsoft Indexing Service is prone to a
> cross-site scripting vulnerability. An attacker may leverage this
> issue to have arbitrary script code executed in the browser of an
> unsuspecting user, in the context of the victim's session.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-053.mspx
> ______________________________________________________________________
> 
> 06.37.3 CVE: CVE-2006-3873
> Platform: Windows
> Title: Microsoft Internet Explorer HTTP 1.1 and Compression Long URI
> Buffer Overflow
> Description: Microsoft Internet Explorer is prone to a remote buffer
> overflow vulnerability. A successful exploit may result in arbitrary
> code execution in the context of the user running the browser. HTML
> content containing overly long URIs pointing to web sites using the
> HTTP/1.1 protocol along with compression may trigger this issue. This
> issue presents itself because the software fails to properly bounds
> check the use of the "lstrcpynA()" function in the "URLMON.DLL"
> library. This issue was introduced with the re-released patches of
> Microsoft advisory MS06-042.
> Ref: http://www.securityfocus.com/bid/19987
> ______________________________________________________________________
> 
> 06.37.4 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft Publisher Remote Code Execution
> Description: Microsoft Publisher is prone to a code execution
> vulnerability. This is due to a flaw when handling malformed PUB
> files. This vulnerability may be exploited through email or by placing
> the malicious document on the Web and enticing victim users into
> opening it.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx
> ______________________________________________________________________
> 
> 06.37.7 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: ICQ MCRegEx__Search Remote Heap Buffer Overflow
> Description: ICQ is prone to a remote heap buffer overflow
> vulnerability. This issue may allow attackers to execute arbitrary
> machine code within the context of the vulnerable application or to
> cause a denial of service. This issue affects ICQ Pro 2003b Build
> #3916.
> Ref: http://www.securityfocus.com/archive/1/445513
> ______________________________________________________________________
> 
> 06.37.8 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: ICQ Toolbar Multiple Vulnerabilities
> Description: ICQ Toolbar is communication software for a web browser.
> There are multiple vulnerabilities related to the tool bar such as
> HTML injection and unauthorized access issues. ICQ Toolbar version 1.3
> for Internet Explorer is vulnerable.
> Ref:
> http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1510
> ______________________________________________________________________
> 
> 06.37.13 CVE: CVE-2006-4623
> Platform: Linux
> Title: Linux Kernel ULE Packet Handling Remote Denial of Service
> Description: The Linux kernel is susceptible to a remote denial of
> service vulnerability. This issue is triggered when the kernel handles
> a specially crafted Unidirectional Lightweight Encapsulation (ULE)
> packet. Specifically, a packet containing an SNDU length value of 0
> can cause the kernel to crash. Kernel version 2.6.17.8 is reported to
> be vulnerable to this issue.
> Ref: http://lkml.org/lkml/2006/8/20/278
> ______________________________________________________________________
> 
> 06.37.14 CVE: CVE-2006-3739, CVE-2006-3740
> Platform: Linux
> Title: X.Org LibXfont CID Font File Multiple Integer Overflow
> Vulnerabilities
> Description: LibXfont is a font library for X windows. It is prone to
> multiple integer overflow vulnerabilities, due to a failure to
> validate user supplied data when parsing CID encoded Type1 fonts in
> the "type1" module.
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0665.html
> ______________________________________________________________________
> 
> 06.37.15 CVE: CVE-2006-4655
> Platform: Unix
> Title: X.Org X Window Server LibX11 XKEYBOARD Extension Local Buffer
> Overflow
> Description: The X Windows server libX11 library is prone to a local
> buffer overflow vulnerability. The overflow arises when the
> "XKEYBOARD" extension has been enabled. An attacker can trigger this
> issue by supplying an excessive string value through the
> "_XKB_CHARSET" environment variable to overflow a finite sized buffer
> in the "Strcmp" function. A string value containing more than 256
> bytes may corrupt process memory. X11R6 4.0 and prior versions are
> affected.
> Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1&searchclause=
> ______________________________________________________________________
> 
> 06.37.17 CVE: CVE-2006-3636
> Platform: Unix
> Title: Mailman Multiple Input Validation Vulnerabilities
> Description: Mailman is a mailing list server available for Unix like
> operating systems. It is prone to multiple input validation
> vulnerabilities due to insufficient input sanitization.  Please see
> the advisory for further details. Versions between 2.1.0 and 2.1.8 are
> reported to be vulnerable.
> Ref: http://www.securityfocus.com/bid/20021
> ______________________________________________________________________
> 
> 06.37.19 CVE: Not Available
> Platform: Cross Platform
> Title: Avast! Antivirus Engine Remote LHA Buffer Overflow
> Description: Avast! antivirus engine is an antivirus application. It
> is vulnerable to a buffer overflow issue when handling malformed LHA
> archive files. Avast! antivirus engine less than version 4.7.869 (for
> desktops), or less than version 4.7.660 (for servers) is vulnerable.
> Ref: http://www.hustlelabs.com/advisories/04072006_alwil.pdf
> ______________________________________________________________________
> 
> 06.37.23 CVE: CVE-2006-4389, CVE-2006-4381, CVE-2006-4382, CVE-2006-4384,
> CVE-2006-4385, CVE-2006-4386, CVE-2006-4388
> Platform: Cross Platform
> Title: QuickTime Multiple Overflow and Exception Vulnerabilities
> Description: Apple QuickTime is vulnerable to multiple vulnerabilities
> due to insufficient boundary check and sanitization of user-supplied
> data. See the advisory for further details. QuickTime version 7.1.3
> resolves the issues.
> Ref: http://lists.apple.com/archives/Security-announce/2006/Sep/msg00000.html
> ______________________________________________________________________
> 
> 06.37.24 CVE:
> CVE-2006-3014,CVE-2006-3311,CVE-2006-3587,CVE-2006-3588,CVE-2006-4640
> Platform: Cross Platform
> Title: Adobe Flash Player Multiple Remote Code Execution
> Vulnerabilities
> Description: Adobe Flash Player is prone to multiple remote code
> execution issues due to a lack of proper sanitization of user-supplied
> input. Adobe Flash Player versions 8.0.24.0 and prior, Adobe Flash
> Professional version 8, Flash Basic, Adobe Flash MX and Adobe Flex
> version 1.5 are affected.
> Ref: http://www.securityfocus.com/bid/19980
> ______________________________________________________________________
> 
> 06.37.26 CVE: CVE-2006-3454
> Platform: Cross Platform
> Title: Symantec AntiVirus Corporate Edition Multiple Local Format
> String Vulnerabilities
> Description: Symantec AntiVirus Corporate Edition is prone to a local
> privilege escalation vulnerability because it fails to properly
> sanitize user-supplied input prior to using it in the format argument
> to a formatted printing function located in the alert notification
> process.
> Ref: http://securityresponse.symantec.com/avcenter/security/Content/2006.09.13.html
> ______________________________________________________________________
> 
> 06.37.27 CVE: Not Available
> Platform: Cross Platform
> Title: HP OpenView Operations Denial of Service and Unauthorized
> Access
> Description: HP OpenView provides network and system administration
> services for managing nodes across multiple network domains. It is
> affected by a denial of service and unauthorized access vulnerability.
> Ref: http://www.securityfocus.com/bid/20005
> ______________________________________________________________________
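Item (8) in the forwarded newsletter covers PHP scripts that let NULL (ASCII 0) characters in user-supplied data reach file operations. The routine below is an added example, not code from the newsletter or from phpBB/punBB: it rejects such names before any filesystem call is made. The function name `safe_upload_path`, the base directory and the sample file names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Returns the absolute path an upload may be written to, or null if the
 * supplied name must be rejected. $baseDir is the only directory writes
 * are allowed in. (Added example; names and paths are constructed.)
 */
function safe_upload_path(string $userName, string $baseDir, array $allowedExt): ?string
{
    // 1. Reject embedded NUL bytes outright. PHP's own string functions are
    //    binary-safe, but the C-level filesystem calls stop at the first NUL,
    //    so the name checked here and the name actually opened would differ.
    if (strpos($userName, "\0") !== false) {
        return null;
    }
    // 2. Allow-list the characters instead of stripping "bad" ones. The
    //    pattern excludes "/" and "\\", so no directory component survives,
    //    and captures the extension for the next check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $userName, $m)) {
        return null;
    }
    // 3. Extension must be on the allow-list (compared case-insensitively).
    if (!in_array(strtolower($m[1]), $allowedExt, true)) {
        return null;
    }
    // 4. Resolve the base directory and confirm the final path stays inside it.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $userName;
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample inputs; the second one carries the NUL byte the
// advisory describes. Only the first name is accepted.
$samples = [
    "avatar.gif",
    "avatar.gif\0.php",
    "../config.php",
    "notes.PHP",
];
$dir = sys_get_temp_dir();
foreach ($samples as $s) {
    $result = safe_upload_path($s, $dir, ['gif', 'png', 'jpg']);
    printf("%-24s => %s\n", addcslashes($s, "\0..\37"), $result ?? 'rejected');
}
```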



 




Copyright © Lexa Software, 1996-2009.