>
> *****************************
> Widely-Deployed Software
> *****************************
>
> (1) CRITICAL: Microsoft Word Multiple Unspecified Remote Code
> Execution
> Vulnerabilities (0day)
> Affected:
> Microsoft Word 2000
> Microsoft Word 2002
> Microsoft Office Word 2003
> Microsoft Word Viewer 2003
> Microsoft Word 2004 for Mac
> Microsoft Word v. X for Mac
> Microsoft Works 2004,2005, and 2006.
>
> Description: Two zero-day vulnerabilities have been discovered in
> Microsoft Word. A specially-crafted Word document file could exploit
> these vulnerabilities to execute arbitrary code with the privileges of
> the current user. Word documents will not open without
> prompting on all
> versions of Word after Word 2000. At least two trojans are known to be
> exploiting one of these vulnerabilities in the wild; the other
> vulnerability is being exploited on a more limited basis.
>
> Status: Microsoft confirmed, no updates available.
>
> Council Site Actions: All of the responding council sites are waiting
> for confirmation and a patch from Microsoft. They plan to deploy the
> patch during their next regularly scheduled system maintenance window,
> or automatically through Microsoft's Automatic Update Feature.
>
> References:
> Microsoft Security Advisory
>
> Microsoft Security Center Blog Entries
>
urity-advisory-929433-posted.aspx
>
> -a-word-zero-day.aspx
> SecurityFocus BID
>
>
> ****************************************************************
>
> (2) CRITICAL: Microsoft Windows Media Player ASX Playlist
> Buffer Overflow
> Affected:
> Microsoft Windows Media Player version 10.0 and possibly prior
>
> Description: A previously-known vulnerability that was originally
> considered to lead only to a denial-of-service condition is
> now believed
> to be exploitable. Microsoft Windows Media Player fails to properly
> handle malformed "REF HREF" elements (used to link to other files) in
> ASX playlist files. It is believed that a specially-crafted ASX file
> could exploit this vulnerability to execute arbitrary code with the
> privileges of the current user. ASX files are opened without prompting
> by default. A simple proof-of-concept and technical details
> are publicly
> available.
>
> Status: Microsoft confirmed, no update available.
>
> Council Site Actions: All of the responding council sites are waiting
> for confirmation and a patch from Microsoft. They plan to
> deploy during
> their next regularly scheduled system maintenance window, or
> automatically through Microsoft's Automatic Update Feature.
>
> References:
> Microsoft Security Response Center Blog Entry
>
> of-concept-code-for-asx-file-format-isssue.aspx
> eEye Security Advisory
>
> IntelliAdmin Article
>
d-in-windows.html
> Posting by Sehato (includes simple proof-of-concept)
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (3) CRITICAL: Adobe Download Manager AOM File Handler Buffer Overflow
> Affected:
> Adobe Download Manager Version 2.1 and prior
>
> Description: Adobe Download Manager, used to download updates
> for Adobe
> software, contains a buffer overflow vulnerability that can
> be triggered
> by a specially-crafted AOM file. AOM files are used to specify
> information about updates. By default, AOM files are opened without
> prompting, including when downloaded from websites. A
> malicious AOM file
> could take advantage of this vulnerability to execute arbitrary code
> with the privileges of the current user. The Adobe Download Manager is
> installed by default with several Adobe products, including Acrobat
> Reader.
>
> Status: Adobe confirmed, updates available.
>
> Council Site Actions: Most of the responding council sites plan to
> address this issue in their next regularly scheduled
> maintenance window.
> Some sites rely on Adobe's Automatic update feature, thus if this
> application is available via that Automatic Update, it will
> get updated.
> Otherwise those sites will need to develop a strategy to
> distribute this
> application.
>
> References:
> Zero Day Initiative Advisory
>
> Adobe Security Advisory
>
> eEye Security Advisory
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (5) HIGH: Barracuda Spam Firewall UUlib Buffer Overflow
> Affected:
> Barracuda Networks Barracuda Spam Firewall versions 3.3.3, 3.1.18,
> 3.1.17, 3.3.03.055, 3.3.03.053, 3.3.01.001, and 3.3.0.54
>
> Description: Barracuda Networks Barracuda Spam Firewall ships with a
> version of the Convert-UUlib Perl module known to be vulnerable to a
> buffer overflow. A specially-crafted email message could exploit this
> vulnerability to take complete control of the vulnerable device.
> Technical details and a proof-of-concept for this vulnerability are
> publicly available.
>
> Status: Barracuda Networks confirmed, updates available.
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> Posting by Jean-Sebastien Guay-Leroux
>
> Proof-of-Concept
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (6) HIGH: Citrix Presentation Server Client ActiveX Remote
> Code Execution
> Affected:
> Citrix Presentation Server Client for Windows versions prior to 9.230
>
> Description: Citrix Presentation Server Client for Windows contains an
> ActiveX control which contains a heap overflow vulnerability in its
> "SendChannelData" method. A page that instantiates this control could
> exploit this vulnerability to execute arbitrary code with the
> privileges
> of the current user.
>
> Status: Citrix confirmed, updates available. Users can mitigate the
> impact of this vulnerability by disabling the vulnerable
> ActiveX control
> via Microsoft's "kill bit" mechanism for CLSID
> "238F6F83-B8B4-11CF-8771-00A024541EE3".
>
> Council Site Actions: Two of the responding council sites are
> addressing
> this issue. One site will address in their next regularly scheduled
> system maintenance window. They will expedite or set the kill-bit if
> an exploit is released. The other site mostly has clients connecting
> from Mac OS X machines. They will send an email to
> potentially affected
> users.
>
> References:
> TippingPoint Security Research Team Advisory
>
> Citrix Security Advisory
>
> Fortconsult Security Advisory
>
> Microsoft Knowledge Base (details the "kill bit" mechanism)
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (7) HIGH: Computer Associates BrightStor ARCServe Buffer Overflow
> Affected:
> Computer Associates Server Protection Suite r2
> Computer Associates Business Protection Suite for Microsoft
> SBS Premium and Standard Editions r2
> Computer Associates Business Protection Suite r2
> Computer Associates BrightStor ARCServe Backup versions prior
> to 11.5.SP2
>
> Description: Computer Associates BrightStor ARCServe, a common
> enterprise backup solution, contains a buffer overflow vulnerability.
> By sending a specially-crafted request to the ARCServe process, an
> attacker could exploit this vulnerability and execute arbitrary code
> with SYSTEM privileges. Currently, only the Microsoft Windows versions
> of the software are believed vulnerable. Because multiple
> vulnerabilities have been found in the Computer Associates backup
> products over the past few years, users are advised to block all ports
> opened by the software at the network perimeter.
>
> Status: Computer Associates confirmed, updates available.
>
> References:
> Computer Associates Security Advisory
>
> Computer Associates BrightStor ARCSeve Product Home Page
>
> Computer Associates Technical Notes (includes information on
> open ports)
>
>
> winxpsp2matrix.asp
> SecurityFocus BID
>
>
> ****************************************************************
> ****************************************************************
>
> (9) MODERATE: Trend Micro OfficeScan Multiple Buffer Overflows
> Affected:
> Trend Micro OfficeScan versions 6.5 and 7.3 and prior
>
> Description: Trend Micro OfficeScan, a popular enterprise security
> suite, contains multiple buffer overflows in its web console.
> By sending
> specially-crafted requests to the "Wizard.exe" or
> "CgiRemoteInstall.exe"
> programs, an attacker could exploit these buffer overflows and execute
> arbitrary code with the privileges of the affected process. Note that
> authentication is required to exploit these vulnerabilities. Users are
> advised to limit access to the web console if possible.
>
> Status: Trend Micro confirmed, updates available.
>
> Referneces:
> Trend Micro Readme Files
>
_en_patch1.1_readme.txt
>
n_en_patch8_Readme.txt
> Trend Micro Home Page
>
> SecurityFocus BID
>
>
> **************
> Other Software
> **************
>
> (10) HIGH: MadWifi WiFi Driver Multiple Vulnerabilities
> Affected:
> MadWifi version 0.9.2 and prior
>
> Description: MadWifi, an open source interface to
> Atheros-chipset based
> wireless cards, contains multiple vulnerabilities in its
> "giwscan_cb()"
> and "encode_ie()" functions. By sending a malformed beacon or probe
> response frame, an attacker could exploit these
> vulnerabilities and take
> complete control of the affected system. No authentication is
> required,
> and attackers need only be within wireless range of the vulnerable
> system. Note that the affected system may need to be actively probing
> for wireless networks to be vulnerable. MadWifi is available
> for Linux,
> FreeBSD, NetBSD, and OpenBSD, as well as other operating
> systems. These
> vulnerabilities are similar to others reported in earlier issues of
> @RISK.
>
> Status: MadWifi confirmed, updates available.
>
> References:
> Previous @RISK Entry
>
> MadWifi Security Advisory
>
itical-security-issue
> MadWifi Home Page
>
> Wikipedia Entry on Device Drivers
>
> SecurityFocus BID
>
>
> *******************************************************************
>
>
> ______________________________________________________________________
>
> 06.49.5 CVE: Not Available
> Platform: Windows
> Title: Outpost Firewall PRO Security Bypass Weakness
> Description: Outpost Firewall PRO is a firewall application. It is
> vulnerable to security bypass weakness that allows local privileged
> attackers to bypass security restrictions. Outpost Firewall PRO
> version 4.0 is affected.
> Ref:
> ______________________________________________________________________
>
>
> 06.49.7 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows Print Spooler GetPrinterData Denial of
> Service
> Description: Microsoft Windows Print Spooler service (Spoolsv.exe)
> manages printing processes. It is vulnerable to a denial of service
> issue due to insufficient handling of malformed data. Print Spooler on
> Microsoft Windows 2000 SP4 is vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.49.8 CVE: CVE-2006-6179
> Platform: Windows
> Title: Trend Micro OfficeScan Wizard and CgiRemoteInstall Multiple
> Buffer Overflow Vulnerabilities
> Description: Trend Micro OfficeScan is an integrated enterprise level
> security product. The application is vulnerable to multiple
> unspecified buffer overflow issues. Versions prior to and including
> 6.5 and 7.3 are affected. See the advisory for further details.
> Ref:
> ______________________________________________________________________
>
> 06.49.9 CVE: Not Available
> Platform: Windows
> Title: Microsoft Internet Explorer Frame Src Denial of Service
> Description: Microsoft Internet Explorer is prone to a denial of
> service vulnerability because the application fails to handle
> exceptional conditions. The issue occurs when the application
> processes a malicious page that contains frames and the "frame src"
> HTML tag is set to the "3F" invalid character.
> Ref:
> ______________________________________________________________________
>
> 06.49.11 CVE: CVE-2006-5994
> Platform: Microsoft Office
> Title: Microsoft Word Unspecified Remote Code Execution
> Description: Microsoft Word is prone to an unspecified remote code
> execution vulnerability. Please see the advisory for further details.
> Ref:
> ______________________________________________________________________
>
> 06.49.14 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Adobe Reader and Acrobat AcroPDF.dll ActiveX Control Remote
> Code Execution Vulnerabilities
> Description: Adobe Reader and Acrobat with AcroPDF.dll ActiveX control
> are vulnerable to multiple remote code execution issues. See the
> advisory for further details.
> Ref:
> ______________________________________________________________________
>
> 06.49.21 CVE: CVE-2006-6334
> Platform: Third Party Windows Apps
> Title: Citrix Presentation Server Client WFICA.OCX ActiveX Component
> Heap Buffer Overflow
> Description: Citrix Presentation Server Client is an ICA client
> application that includes Citrix support. It is prone to a heap buffer
> overflow vulnerability because it fails to properly bounds check
> user-supplied data to the "DataSize" and "DataType" parameters of the
> "SendChannelData()" function before copying it into an insufficiently
> sized memory buffer. Citrix Presentation Server Client version 9.200
> is vulnerable and others may also be affected.
> Ref:
> ______________________________________________________________________
>
> 06.49.26 CVE: CVE-2006-5751
> Platform: Linux
> Title: Linux Kernel Get_FDB_Entries Buffer Overflow
> Description: The Linux kernel is prone to a buffer overflow
> vulnerability due to a bounds checking flaw in the "get_fdb_entries()"
> function. Versions prior to 2.6.18.4 are reportedly vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.49.28 CVE: CVE-2006-4514
> Platform: Linux
> Title: LibGSF Remote Heap Buffer Overflow
> Description: The GNOME Structured File Library (libgsf) is a utility
> library for reading and writing structured file formats. It is exposed
> to a remote heap buffer overflow issue. This issue occurs in the
> "gsf-infile-msole.c" file. Specifically, the "ole_init_info()"
> function only obtains enough memory for the number specified in
> "num_bat".
> Ref:
> ______________________________________________________________________
>
> 06.49.31 CVE: CVE-2006-6301
> Platform: Linux
> Title: DenyHosts Remote Denial of Service
> Description: DenyHosts is an application designed to monitor SSH
> server authentication failure messages and block hosts that attempt to
> brute force SSH authentication credentials. Due to a flaw in the
> regular expression used to parse the log file, attackers attempting to
> authenticate with usernames containing whitespace characters may add
> arbitrary IP addresses to the "/etc/hosts.deny" file causing a remote
> denial of service to legitimate users.
> Ref:
> ______________________________________________________________________
>
> 06.49.33 CVE: CVE-2006-6332
> Platform: Linux
> Title: MADWiFi Linux Kernel Device Driver Multiple Remote Buffer
> Overflow Vulnerabilities
> Description: TheMADWiFi device driver provides the Linux kernel device
> support for wireless LAN chipsets from Atheros. It is prone to
> multiple remote stack based buffer overflow vulnerabilities. MADWiFi
> device driver prior to version 0.9.2.1 are vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.49.34 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel IBMTR.C Remote Denial of Service
> Description: The Linux kernel is exposed to a remote denial of service
> issue. This issue is triggered when the kernel processes incoming
> packets. This vulnerability resides in
> "drivers/net/tokenring/ibmtr.c" and arises when a malicious
> "ip_summed" value is supplied in a packet resulting in memory
> corruption. Kernel versions from 2.6.0 up to and including 2.6.19 are
> affected.
> Ref:
> ______________________________________________________________________
>
> 06.49.38 CVE: Not Available
> Platform: Unix
> Title: F-PROT Antivirus ACE Remote Denial of Service
> Description: F-PROT Antivirus is an antivirus application. It is
> vulnerable to a denial of service issue due to failure of the
> application to properly handle certain file types, resulting in
> excessive consumption of system resources. F-PROT Antivirus version
> 4.6.6 is affected.
> Ref:
> ______________________________________________________________________
>
> 06.49.49 CVE: CVE-2006-5856
> Platform: Cross Platform
> Title: Adobe Download Manager AOM Buffer Overflow
> Description: Adobe Download Manager is a client application for
> managing the retrieval of Adobe software products. It is vulnerable to
> a remote buffer overflow issue. See the advisory for further details.
> Adobe Download Manager versions 2.1 and earlier are vulnerable.
> Ref:
>
> #instructions
> ______________________________________________________________________
>
> 06.49.51 CVE: Not Available
> Platform: Cross Platform
> Title: GnuPG OpenPGP Packet Processing Function Pointer Overwrite
> Description: GNU Privacy Guard (GnuPG) is an encryption application
> available for numerous platforms. It is prone to a vulnerability that
> could permit an attacker to overwrite a function pointer.
> Specifically, the problem occurs when attacker controlled data is
> improperly utilized in a filter when processing OpenPGP packets.
> Ref:
> ______________________________________________________________________
