Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 46



> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Once again, lots of critical Windows flaws.  But don't let the Windows
> flaws make you miss number 5. Winzip is very widely deployed; a
> vulnerability there can be just as bad as a vulnerability in Windows.
> Most organizations do not have automatic patching capabilities that
> encompass Winzip, so exploits using the Winzip vulnerability can be much
> more damaging.
> 
> 
> ************************
> Widely-Deployed Software
> ************************
> 
> (1) CRITICAL: Microsoft Windows Workstation Service Buffer Overflow (MS06-070)
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP2
> 
> Description: The Microsoft Windows Workstation Service, used to support
> inter-system communication (including file and printer sharing),
> contains a buffer overflow.  By sending a specially-crafted request to
> the service, an attacker could take complete control of the vulnerable
> system. Technical details and several proofs-of-concept are available
> for this vulnerability. Users are advised to block ports 139 and
> 445 on both TCP and UDP at the network perimeter if possible.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are responding to the
> majority of the Microsoft issues in the same manner.  They plan to
> distribute the patches during their next regularly scheduled system
> maintenance window.  They will expedite the process if exploits are
> released.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx
> SecuriTeam Advisory (includes proof-of-concept)
> http://www.securiteam.com/windowsntfocus/6V00D1PHFW.html
> eEye Security Advisory
> http://www.securityfocus.com/archive/1/451588
> Proofs-of-Concept
> http://downloads.securityfocus.com/vulnerabilities/exploits/MS06-070_exploit.txt
> http://milw0rm.com/exploits/2809
> http://milw0rm.com/exploits/2800
> http://milw0rm.com/exploits/2789
> Exploit Modules (Immunity Partners Program)
> https://www.immunityinc.com/downloads/immpartners/ms06_070.tar
> https://www.immunityinc.com/downloads/immpartners/ms06_070-2.tar
> SecurityFocus BID
> http://www.securityfocus.com/bid/20985
> 
> ****************************************************************
> 
> (2) CRITICAL: Microsoft XML Core Services XMLHTTP ActiveX Control Remote
> Code Execution (MS06-071)
> Affected:
> Microsoft XML Core Services versions 4.0 and 6.0
> 
> Description: Microsoft XML Core Services, Microsoft's implementation of
> various XML technologies, contains a remote code execution vulnerability
> in the XMLHTTP ActiveX control. A malicious web page that instantiates
> this control could execute arbitrary code with the privileges of the
> current user. Users can mitigate the impact of this vulnerability by
> disabling the vulnerable ActiveX controls via Microsoft's "kill bit"
> mechanism for CLSIDs "88d96a0a-f192-11d4-a65f-0040963251e5" and
> "88d969c5-f192-11d4-a65f-0040963251e5". This vulnerability is being
> actively exploited in the wild. This vulnerability was covered in a
> previous @RISK entry.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are responding to the
> majority of the Microsoft issues in the same manner.  They plan to
> distribute the patches during their next regularly scheduled system
> maintenance window.  They will expedite the process if exploits are
> released.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS06-071.mspx
> Microsoft Knowledge Base Article (details the "kill bit" mechanism)
> http://support.microsoft.com/kb/240797
> Previous @RISK Entry
> http://www.sans.org/newsletters/risk/display.php?v=5&i=44#widely1
> SecurityFocus BID
> http://www.securityfocus.com/bid/20915
> 
> ****************************************************************
> 
> (3) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities
> (MS06-067)
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP2
> Microsoft Windows 2003 SP0/SP1
> 
> Description: Microsoft Internet Explorer contains two vulnerabilities:
> (1) The DirectX DirectAnimation ActiveX control contains a memory
> corruption vulnerability. A malicious web page that instantiates this
> control could exploit this vulnerability. This vulnerability has been
> discussed in a previous issue of @RISK. Users can mitigate the impact
> of this vulnerability by disabling the vulnerable ActiveX control via
> Microsoft's "kill bit" mechanism for CLSID
> "D7A7D7C3-D47F-11D0-89D3-00A0C90833E6". (2) Failure to properly handle
> specially-crafted HTML code can lead to a memory corruption
> vulnerability. A specially-crafted web page could exploit this
> vulnerability. Exploiting either vulnerability can lead to arbitrary code
> execution with the privileges of the current user. Technical details and
> proofs-of-concept for these exploits are available.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are responding to the
> majority of the Microsoft issues in the same manner.  They plan to
> distribute the patches during their next regularly scheduled system
> maintenance window.  They will expedite the process if exploits are
> released.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx
> Microsoft Knowledge Base Article (details the "kill bit" mechanism)
> http://support.microsoft.com/kb/240797
> Zero Day Initiative Advisory
> http://www.zerodayinitiative.com/advisories/ZDI-06-041.html
> Proof-of-Concept Exploit
> http://downloads.securityfocus.com/vulnerabilities/exploits/19738.html
> Previous @RISK Entry
> http://www.sans.org/newsletters/risk/display.php?v=5&i=35#widely2
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/21020
> http://www.securityfocus.com/bid/19738
> 
> ****************************************************************
> 
> (4) CRITICAL: Microsoft Agent Buffer Overflow (MS06-068)
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP2
> Microsoft Windows 2003 SP0/SP1
> 
> Description: Microsoft Agent, a set of technologies used to enhance and
> manipulate the Microsoft Windows user interface, contains a buffer
> overflow. A specially-crafted web page that instantiates a vulnerable
> ActiveX control could exploit this vulnerability and execute arbitrary
> code with the privileges of the current user. It is believed to be also
> possible to exploit this vulnerability via a specially-crafted ".ACF"
> file. Users can mitigate the impact of this vulnerability by disabling
> the vulnerable ActiveX controls via Microsoft's "kill bit" mechanisms
> for CLSIDs "D45FD31B-5C6E-11D1-9EC1-00C04FD7081F",
> "F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5",
> "4BAC124B-78C8-11D1-B9A8-00C04FD97575",
> "D45FD31D-5C6E-11D1-9EC1-00C04FD7081F", and
> "D45FD31E-5C6E-11D1-9EC1-00C04FD7081F".
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are responding to the
> majority of the Microsoft issues in the same manner.  They plan to
> distribute the patches during their next regularly scheduled system
> maintenance window.  They will expedite the process if exploits are
> released.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx
> Microsoft Knowledge Base Article (details the "kill bit" mechanism)
> http://support.microsoft.com/kb/240797
> SecurityFocus BID
> http://www.securityfocus.com/bid/21034
> 
> ****************************************************************
> 
> (5) CRITICAL: WinZip FileView ActiveX Control Remote Code Execution
> Affected:
> WinZip version 10.0 prior to build 7245
> 
> Description: WinZip, a popular archive utility for Microsoft Windows,
> contains a vulnerability in its FileView ActiveX control. A malicious
> web page that instantiates this control could exploit this vulnerability
> to execute arbitrary code with the privileges of the current user.
> Several exploits for this vulnerability are publicly available. Users
> can mitigate the impact of this vulnerability by disabling the
> vulnerable ActiveX control via Microsoft's "kill bit" mechanism for
> CLSID "A09AE68F-B14D-43ED-B713-BA413F034904". It is believed that
> installing Microsoft Security Update MS06-067 will also mitigate the
> impact of this vulnerability. There is a similar vulnerability in the
> Sky Software FileView ActiveX control; while these two controls are
> believed to be the same, it is unknown how the two vulnerabilities are
> related.
> 
> Status: WinZip confirmed, updates available.
> 
> Council Site Actions: most of the council sites are responding to this
> item. The patch for this item will be included in the rollout of the
> Microsoft patches.  A few sites don't officially support this
> application and are relying on the user's auto-update feature to set the
> relevant kill bits.
> 
> References:
> WinZip Change Log
> http://www.winzip.com/wz7245.htm
> Zero Day Initiative Advisory
> http://www.zerodayinitiative.com/advisories/ZDI-06-040.html
> Microsoft Knowledge Base Article (details the "kill bit" mechanism)
> http://support.microsoft.com/kb/240797
> SANS Internet Storm Center Handler's Diary Entry
> http://isc.sans.org/diary.php?storyid=1861
> Exploits
> http://downloads.securityfocus.com/vulnerabilities/exploits/21060.html
> http://downloads.securityfocus.com/vulnerabilities/exploits/prdelka-vs-MS-winzip.c
> http://downloads.securityfocus.com/vulnerabilities/exploits/21060-2.html
> http://milw0rm.com/exploits/2785
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/21060
> http://www.securityfocus.com/bid/21108
> 
> ****************************************************************
> 
> (6) MODERATE: Microsoft Client Service for NetWare Multiple
> Vulnerabilities (MS06-066)
> Affected:
> Microsoft Windows 2000 SP4
> Microsoft Windows XP SP2
> Microsoft Windows 2003 SP0/SP1
> 
> Description: Microsoft Windows Client Service for NetWare, used to
> provide access to Novell NetWare-accessible resources, contains multiple
> vulnerabilities: By sending specially-crafted messages to the service,
> an attacker could (1) exploit a buffer overflow in the service and
> execute arbitrary code on the system with SYSTEM privileges and (2)
> cause the system to stop responding. On Windows 2003 systems, attackers
> would require authentication to exploit these vulnerabilities.
> Additionally, the vulnerable service is not installed by default on any
> version of the vulnerable operating systems. Exploits for this
> vulnerability are available for Immunity CANVAS.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are responding to the
> majority of the Microsoft issues in the same manner.  They plan to
> distribute the patches during their next regularly scheduled system
> maintenance window.  They will expedite the process if exploits are
> released.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms06-066.mspx
> Exploit Modules (Immunity Partners Program)
> https://www.immunityinc.com/downloads/immpartners/ms06_066-1.tar
> https://www.immunityinc.com/downloads/immpartners/ms06_066-2.tar
> https://www.immunityinc.com/downloads/immpartners/ms06_066-3.tar
> https://www.immunityinc.com/downloads/immpartners/ms06_066-4.tar
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/21023
> http://www.securityfocus.com/bid/20984
> 
> ****************************************************************
> 
> 
> (7) MODERATE: Panda ActiveScan Multiple Vulnerabilities
> Affected:
> Panda ActiveScan version 5.53.00 and possibly prior
> 
> Description: Panda ActiveScan, a popular anti-spam and anti-malware
> solution, contains multiple vulnerabilities in included ActiveX
> components. A malicious web page that instantiates these ActiveX
> controls could exploit these vulnerabilities to execute arbitrary code
> with the privileges of the current user, disclose sensitive information,
> or reboot the victim's system.
> 
> Status: Panda confirmed, updates available.
> 
> References:
> Secunia Advisory
> http://www.securityfocus.com/archive/1/451864
> Panda ActiveScan Home Page
> http://www.pandasoftware.com/products/ActiveScan.htm
> SecurityFocus BID
> http://www.securityfocus.com/bid/21132
> 
> ****************************************************************
> 
> (8) MODERATE: Adobe Macromedia Flash Player Multiple Vulnerabilities
> (MS06-069)
> Affected:
> Microsoft Windows XP SP2
> 
> Description: Adobe Macromedia Flash Player, a popular player for rich
> web content, contains multiple vulnerabilities. This player is included
> with Microsoft Windows. These vulnerabilities include remote code
> execution, denial-of-service conditions, and the execution of arbitrary
> JavaScript. Note that, by default, Flash content is displayed
> automatically by most browsers. A fixed version of Flash Player was
> released by Adobe in September 2006. This issue is specifically for the
> version of Flash Player included by default with Microsoft Windows.
> These issues were discussed in a previous @RISK entry.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: Most of the reporting council sites are responding
> to this item. They plan to distribute the patches during their next
> regularly scheduled system maintenance window.  A few sites don't
> officially support this application and are investigating appropriate
> action, if any.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx
> Adobe Security Bulletin
> http://www.adobe.com/support/security/bulletins/apsb06-11.html
> Previous @RISK Entry
> http://www.sans.org/newsletters/risk/display.php?v=5&i=37#widely2
> SecurityFocus BID
> http://www.securityfocus.com/bid/19980
> 
> ****************************************************************
> 
> **************
> Other Software
> **************
> 
> 
> (9) HIGH: NetGear Wireless Drivers Multiple Vulnerabilities
> Affected:
> NetGear MA521nd5.SYS driver version 5.148.724.2003 and possibly prior
> NetGear WG111v2.SYS driver version 5.1213.6.316 and possibly prior
> 
> Description: The NetGear MA521nd5.SYS and WG111v2.SYS device drivers,
> used to control NetGear wireless cards, contain buffer overflow
> vulnerabilities. By sending a specially-crafted 802.11 (WiFi) frame to
> a vulnerable system, an attacker could exploit these buffer overflows
> and take complete control of the vulnerable system. No authentication
> is required, and attackers need only be within wireless range of the
> vulnerable system. These drivers are primarily designed for Microsoft
> Windows systems, but they are believed to be compatible with the
> "NdisWrapper" cross-platform driver framework, making it possible to run
> these drivers under Linux (and possibly other operating systems) on the
> Intel platform. These vulnerabilities were discovered as part of a
> project to discover bugs in various operating systems' kernels. Working
> exploits are available for these vulnerabilities. These vulnerabilities
> are similar to one discovered for Broadcom wireless device drivers that
> was documented in a previous issue of @RISK.
> 
> Status: NetGear has not confirmed, no updates available.
> 
> References:
> Month of Kernel Bugs Advisories
> http://projects.info-pull.com/mokb/MOKB-18-11-2006.html
> http://projects.info-pull.com/mokb/MOKB-16-11-2006.html
> Metasploit Modules
> http://metasploit.com/svn/framework3/trunk/modules/auxiliary/dos/wireless/netgear_ma521_rates.rb
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/driver/netgear_wg111_beacon.rb
> NetGear Home Page
> http://www.netgear.com
> Wikipedia Entry on Device Drivers
> http://en.wikipedia.org/wiki/Device_Driver
> NdisWrapper Home Page
> http://ndiswrapper.sourceforge.net
> Previous @RISK Entry
> http://www.sans.org/newsletters/risk/display.php?v=5&i=45#widely1
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/21175
> http://www.securityfocus.com/bid/21126
> 
> ****************************************************************
> 
> (10) HIGH: D-Link A5AGU.SYS Wireless Driver Buffer Overflow
> Affected:
> D-Link A5AGU.SYS driver version 1.0.1.41 and possibly prior
> 
> Description: The D-Link A5AGU.SYS device driver, used to control D-Link
> wireless cards, contains a buffer overflow vulnerability. By sending a
> specially-crafted 802.11 (WiFi) frame to a vulnerable system, an
> attacker could exploit this buffer overflow and take complete control
> of the vulnerable system. No authentication is required, and attackers
> need only be within wireless range of the vulnerable system. This driver
> is primarily designed for Microsoft Windows systems, but it is believed
> to be compatible with the "NdisWrapper" cross-platform driver framework,
> making it possible to run this driver under Linux (and possibly other
> operating systems) on the Intel platform. This vulnerability was
> discovered as part of a project to discover bugs in various operating
> systems' kernels. Working exploits are available for this vulnerability.
> This vulnerability is similar to one discovered for Broadcom wireless
> device drivers that was documented in a previous issue of @RISK.
> 
> Status: D-Link has not confirmed, no updates available. Newer versions
> of the driver available with some cards appear to resolve this issue.
> Note that some reports have listed the driver as "ASAGU.SYS".
> 
> References:
> Month of Kernel Bugs Advisory
> http://projects.info-pull.com/mokb/MOKB-13-11-2006.html
> Metasploit Module
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/driver/dlink_wifi_rates.rb
> D-Link Home Page
> http://www.dlink.com
> Wikipedia Entry on Device Drivers
> http://en.wikipedia.org/wiki/Device_Driver
> NdisWrapper Home Page
> http://ndiswrapper.sourceforge.net
> Previous @RISK Entry
> http://www.sans.org/newsletters/risk/display.php?v=5&i=45#widely1
> SecurityFocus BID
> http://www.securityfocus.com/bid/21032
> 
> ****************************************************************
> 
> (12) MODERATE: PowerDNS Recursor Multiple Vulnerabilities
> Affected:
> PowerDNS versions prior to 3.1.4
> 
> Description: PowerDNS, a popular Domain Name System (DNS) server,
> contains multiple vulnerabilities in its recursor component: (1) By
> sending a specially-crafted request to the recursor, an attacker could
> exploit a buffer overflow and potentially execute arbitrary code with
> the privileges of the PowerDNS recursor process. (2) Sending a
> specially-crafted request to the recursor can cause the process to
> exhaust its allocated stack space and crash, leading to a
> denial-of-service condition. Because this product is open source,
> technical details for these vulnerabilities can be easily obtained via
> source code analysis.
> 
> Status: PowerDNS confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> PowerDNS Security Advisories
> http://doc.powerdns.com/powerdns-advisory-2006-01.html
> http://doc.powerdns.com/powerdns-advisory-2006-02.html
> PowerDNS Home Page
> http://www.powerdns.com
> SecurityFocus BID
> http://www.securityfocus.com/bid/21037
> 
> ****************************************************************
> 
> (13) MODERATE: Grisoft AVG Anti-Virus Multiple Vulnerabilities
> Affected:
> AVG Anti-Virus versions prior to 7.1.407
> 
> Description: AVG Anti-Virus, a popular anti-virus system, contains
> multiple vulnerabilities. By sending a specially-crafted file through
> the system, an attacker could exploit these vulnerabilities to execute
> arbitrary code with the privileges of the anti-virus process. No
> technical details for these vulnerabilities are currently available.
> 
> Status: Grisoft confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Grisoft Release Notes
> http://www.grisoft.com/doc/36365/lng/us/tpl/tpl01
> SecurityFocus BID
> http://www.securityfocus.com/bid/21029
> 
> ****************************************************************

> 
> 06.46.1 CVE: CVE-2006-4688
> Platform: Windows
> Title: Microsoft Client Service for Netware Denial of Service
> Description: Microsoft Client Service for Netware allows clients to
> have access to NetWare files, print and directory services. It is
> prone to a denial of service vulnerability. This issue occurs because
> the application fails to handle specially crafted network messages.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-066.mspx
> ______________________________________________________________________
> 
> 06.46.2 CVE: CVE-2006-4691
> Platform: Windows
> Title: Microsoft Windows Workstation Service Remote Code Execution
> Description: Microsoft Windows Workstation service is a routing
> service used by the operating system to determine if file or print
> requests are local or remote in nature. Routing and Remote Access is
> prone to a memory corruption issue due to insufficient sanitization of
> user-supplied network data before copying it to an insufficiently
> sized memory buffer. Microsoft Windows 2000 SP4 and XP SP2 versions
> are affected.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
> ______________________________________________________________________
> 
> 06.46.3 CVE: CVE-2006-4687
> Platform: Windows
> Title: Microsoft Internet Explorer HTML Rendering Remote Code
> Execution
> Description: Microsoft Internet Explorer is exposed to a remote code
> execution issue. An attacker can exploit this issue by enticing a
> victim into visiting a malicious web page. Please refer to the link
> below for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-067.mspx
> ______________________________________________________________________
> 
> 06.46.4 CVE: CVE-2006-4688,CVE-2006-4689
> Platform: Windows
> Title: Windows Client Service For Netware Remote Code Execution
> Description: Microsoft Client Service for Netware is vulnerable to a
> remote code execution issue when receiving malformed messages
> containing arbitrary code to the Client Service for Netware. See
> advisory for further details.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-066.mspx
> ______________________________________________________________________
> 
> 06.46.5 CVE: CVE-2006-3445
> Platform: Windows
> Title: Microsoft Agent ActiveX Control Remote Code Execution
> Description: Microsoft Agent is a set of software services for
> developers to enhance the user interface of web based applications. It
> is exposed to a remote code execution issue when a malformed ".ACF"
> file is processed.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-068.mspx
> ______________________________________________________________________
> 
> 06.46.10 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: AVG Anti-Virus Multiple Remote Code Execution Vulnerabilities
> Description: AVG Anti-Virus is an antivirus application. It is prone
> to multiple remote code execution issues due to flaws in the file
> parsing engine of the software. AVG Anti-Virus versions earlier than
> 7.1.407 are affected.
> Ref: http://www.securityfocus.com/bid/21029
> ______________________________________________________________________
> 
> 06.46.11 CVE: CVE-2006-5198
> Platform: Third Party Windows Apps
> Title: WinZip ActiveX Control Remote Code Execution
> Description: WinZip is a file compression utility. It is vulnerable to
> a remote code execution issue in an ActiveX control that is installed
> with the package. WinZip versions in the 10.0 series prior to build
> 7245 are vulnerable.
> Ref: http://www.winzip.com/wz7245.htm
> ______________________________________________________________________

> 
> 06.46.18 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Outpost Firewall PRO Multiple Local Denial of Service
> Vulnerabilities
> Description: Outpost Firewall PRO is prone to multiple local denial of
> service vulnerabilities because the application fails to properly
> handle unexpected input. Specifically, the hooked SSDT functions that
> the application provides fail to properly handle unexpected input.
> Outpost Firewall PRO versions 4.0 (964.582.059) and 4.0 (971.584.079)
> are vulnerable to these issues.
> Ref: http://www.securityfocus.com/archive/1/451672
> ______________________________________________________________________

> 
> 06.46.22 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Panda ActiveScan ActiveX Controls Multiple Remote
> Vulnerabilities
> Description: Panda ActiveScan is an online antivirus product. Panda
> ActiveScan ActiveX controls are prone to multiple remote
> vulnerabilities. Panda ActiveScan version 5.53.00 is vulnerable to
> these issues.
> Ref: http://www.securityfocus.com/bid/21132
> ______________________________________________________________________
> 
> 06.46.31 CVE: Not Available
> Platform: Cross Platform
> Title: ProFTPD Unspecified Remote Code Execution
> Description: ProFTPD is an FTP server implementation that is available
> for UNIX and Linux platforms. It is prone to an unspecified remote
> code execution vulnerability. It is conjectured that a remote attacker
> can exploit this issue to gain unauthorized access to a computer in
> the context of the server. This issue is reported to affect version
> 1.3.0. Other versions may be vulnerable as well.
> Ref: http://www.securityfocus.com/bid/20992
> ______________________________________________________________________
> 
> 06.46.32 CVE: Not Available
> Platform: Cross Platform
> Title: D-Link DWL-G132 ASAGU.SYS Wireless Device Driver Stack Buffer
> Overflow
> Description: The D-Link Wireless Device Driver for DWL-G132 devices is
> prone to a stack-based buffer overflow issue because the driver fails
> to properly bounds check user-supplied data before copying it into an
> insufficiently sized memory buffer. Version 1.0.1.41 of the ASAGU.SYS
> driver is affected.
> Ref: http://www.securityfocus.com/bid/21032
> ______________________________________________________________________
> 
> 06.46.33 CVE: CVE-2006-4251, CVE-2006-4252
> Platform: Cross Platform
> Title: PowerDNS Remote Denial of Service and Buffer Overflow
> Vulnerabilities
> Description: PowerDNS is a DNS nameserver application. It is prone to
> a denial of service issue when the "CNAME" records contain circular
> references which lead to an endless lookup taking up all the available
> stack space, resulting in an application crash. The application is
> also prone to a buffer overflow issue due to insufficient sanitization
> of user-supplied parameters to the "pdns_recursor.cc" file. PowerDNS
> Recursor versions 3.1.4 and earlier are affected.
> Ref: http://doc.powerdns.com/powerdns-advisory-2006-01.html
> http://doc.powerdns.com/powerdns-advisory-2006-02.html
> ______________________________________________________________________
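
The "kill bit" mitigation recommended for items 2 through 5 above, as an added example that is not part of the newsletter or of the forwarded message: a Python script that pulls the CLSIDs out of advisory text, builds the `.reg` file that sets `Compatibility Flags` to 0x400 in the registry location described in KB240797, and audits a registry export for controls that are still unblocked. The function names are chosen here for illustration; the CLSIDs are the ones quoted in this issue.

```python
import re

# Kill bit as documented in Microsoft KB240797: a REG_DWORD named
# "Compatibility Flags" with bit 0x400 set, in a subkey named after the CLSID.
BASE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    # 32-bit Internet Explorer on 64-bit Windows reads the redirected view.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)
KILL_BIT = 0x400

CLSID_RE = re.compile(
    r"(?<![0-9A-Fa-f-])[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}(?![0-9A-Fa-f-])"
)

# CLSIDs as quoted in this @RISK issue, kept with the issue's own punctuation
# (one missing opening quote, one stray leading space) to show the parser copes.
ADVISORY_TEXT = '''
MS06-071: "88d96a0a-f192-11d4-a65f-0040963251e5" and
"88d969c5-f192-11d4-a65f-0040963251e5"
MS06-067: "D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"
MS06-068: "D45FD31B-5C6E-11D1-9EC1-00C04FD7081F",
F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5",
"4BAC124B-78C8-11D1-B9A8-00C04FD97575",
"D45FD31D-5C6E-11D1-9EC1-00C04FD7081F", and
"D45FD31E-5C6E-11D1-9EC1-00C04FD7081F"
WinZip FileView: " A09AE68F-B14D-43ED-B713-BA413F034904"
'''


def extract_clsids(text):
    """Return unique CLSIDs in first-seen order, normalised to {UPPERCASE}."""
    seen = []
    for match in CLSID_RE.finditer(text):
        clsid = "{" + match.group(0).upper() + "}"
        if clsid not in seen:
            seen.append(clsid)
    return seen


def build_reg(clsids, wow64=True):
    """Build .reg text that sets the kill bit for every CLSID given."""
    bases = BASE_KEYS if wow64 else BASE_KEYS[:1]
    lines = ["Windows Registry Editor Version 5.00", ""]
    for base in bases:
        for clsid in clsids:
            lines += [f"[{base}\\{clsid}]",
                      f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\r\n".join(lines)


def killed_clsids(reg_text, base=BASE_KEYS[0]):
    """Parse .reg text (for instance a `reg export` of the key, decoded from
    UTF-16) and return the CLSIDs under `base` whose flags include 0x400."""
    killed, current = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            found = CLSID_RE.search(leaf)
            current = None
            if parent.lower() == base.lower() and found:
                current = "{" + found.group(0).upper() + "}"
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            # Other compatibility bits may be set too; only 0x400 blocks the control.
            if int(line.split(":", 1)[1], 16) & KILL_BIT:
                killed.add(current)
    return killed


def missing_kill_bits(expected, reg_text):
    """CLSIDs from the advisory that the exported registry does not block."""
    killed = killed_clsids(reg_text)
    return [clsid for clsid in expected if clsid not in killed]


if __name__ == "__main__":
    wanted = extract_clsids(ADVISORY_TEXT)
    print(build_reg(wanted))
```

Importing the generated file with `reg import` (or deploying it through Group Policy) applies the mitigation; running `missing_kill_bits` over an export of the same key afterwards confirms it took effect.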



 



