>
>
> *****************************
> Widely Deployed Software
> *****************************
>
> (1) CRITICAL: Snort DCE-RPC Preprocessor Buffer Overflow
> Affected:
> Snort versions prior to 2.6.1.3
> Snort is shipped as part of many other products including Sourcefire's
> commercial intrusion prevention/detection products and several Linux
> distributions.
>
> Description: Snort, a popular open source intrusion detection and
> prevention system, contains a buffer overflow in its handling of the
> DCE-RPC protocol. Microsoft RPC protocol, based on the DCE-RPC
> reference, is decoded by Snort to detect numerous attacks
> targeting RPC
> vulnerabilities. A sequence of specially-crafted DCE-RPC
> requests could
> trigger this buffer overflow and execute arbitrary code with the
> privileges of the Snort process, often root. Since Snort's DCE-RPC
> preprocessor is enabled by default, attackers can easily send
> malicious
> traffic on a network segment monitored by Snort to exploit this flaw.
> The technical details can be obtained via source code analysis.
>
> Status: Snort confirmed, updates available.
>
> References:
> Snort Security Advisory
>
> IBM ISS X-Force Security Advisory
>
> SANS Internet Storm Center Handler's Diary Entry
>
> Snort Home Page
>
> SecurityFocus BID
>
>
>
> ****************************************************************
>
> (2) CRITICAL: Trend Micro ServerProtect Multiple Vulnerabilities
> Affected:
> Trend Micro ServerProtect for Windows version 5.58
> Trend Micro ServerProtect for EMC version 5.58
> Trend Micro ServerProtect for Network Appliance Filer
> versions 5.61 and 5.62
>
> Description: Trend Micro ServerProtect, an anti-virus product designed
> for file-servers and web-servers, contains multiple vulnerabilities:
>
> (1) ServerProtect runs an RPC service, which can be accessed without
> authentication, on the TCP port 5168. A specially-crafted request to
> this service can trigger buffer overflows in the "StCommon.DLL" or
> "eng50.dll" libraries. Successfully exploiting these overflows allows
> an attacker to execute arbitrary code with "SYSTEM" privileges.
> Comprehensive technical details for these vulnerabilities are publicly
> available.
> (2) ServerProtect's web configuration interface contains an
> authentication-bypass vulnerability. An easily-determined session
> identifier can be sent to the server to spoof an
> authenticated session.
> Successfully exploiting this vulnerability can allow an attacker to
> reconfigure or disable the anti-virus checks.
>
> Status: Trend Micro confirmed, updates available. A workaround is to
> block the port tcp/5168 at the network perimeter to prevent
> attacks from
> the Internet.
>
> References:
> Zero Day Initiative Advisories
>
>
> iDefense Advisory
> .
> php?id=477
> Trend Micro Home Page
>
> SecurityFocus BIDs
>
>
>
> ****************************************************************
>
> (3) HIGH: SupportSoft ActiveX Controls Remote Code Execution
> Affected:
> SupportSoft SmartIssue, RemoteAssist, and Probe ActiveX
> controls running
> on SupportSoft software versions 5.6 and 6.x Note that SupportSoft
> ActiveX Controls are used by multiple vendors including Symantec.
>
> Description: SupportSoft provides "support automation" software to
> resolve end-user technical issues and is used by a number of vendors
> including Symantec. The software uses SmartIssue, RemoteAssist, and
> Probe ActiveX controls that contain stack-based buffer overflow and
> unauthorized access vulnerabilities. A malicious webpage can exploit
> these vulnerabilities to execute arbitrary code on a client
> system with
> the privileges of the logged-on user. The technical details regarding
> the vulnerabilities have not been publicly posted.
>
> Status: SupportSoft has released an update for its software
> versions 5.6
> and 6.x. These ActiveX controls are included in Symantec's Symantec
> Automated Support Assistant, Symantec Norton AntiVirus 2006, Symantec
> Norton Internet Security 2006 and Symantec Norton System Works 2006.
> Symantec disabled the vulnerable controls in its installed
> product base
> via LiveUpdate in November 2006. Symantec has also released software
> updates for its affected products.
>
> References:
> SupportSoft Security Advisory
>
> Symantec Security Advisory
>
> SecurityFocus BID
>
>
> **************************************************************
>
> (5) HIGH: Mozilla Firefox Multiple Vulnerabilities
> Affected:
> Firefox versions 2.x prior to 2.0.0.2
> Firefox versions 1.5.x prior to 1.5.0.10
>
> Description: Mozilla released a security update for Firefox
> browser last
> week. This update fixes 8 security issues with 2 issues rated critical
> and 1 issue rated high by the Mozilla team. The memory corruption
> vulnerability, addressed by this patch, involving the "onUnload"
> Javascript event handler can be potentially exploited to execute
> arbitrary code. The patch also fixes a vulnerability that can allow
> malicious webpages to alter cookies for other domains.
>
> Status: Firefox version 2.0.0.2 and 1.5.0.10, containing the patches,
> have been released. Some of the vulnerabilities also affect
> Thunderbird
> and SeaMonkey software. Thunderbird version 1.5.0.10 and SeaMonkey
> version 1.0.8, when released, will address those vulnerabilities.
>
> References: Mozilla Security Advisory
>
> .html#firefox2.0.0.2
>
> .html#firefox1.5.0.10
> SecurityFocus BID
>
> **************************************************************
> ***********
>
> (6) MODERATE: ClamAV Multiple Vulnerabilities
> Affected:
> ClamAV versions prior to 0.90
> ClamAV is shipped as a part of many other products, including several
> operating systems.
>
> Description: ClamAV (or Clam Anti-Virus) is a popular open source
> antivirus software. It contains two vulnerabilities:
> (1) By sending an email message with a specially-crafted MIME header,
> an attacker could cause ClamAV to overwrite arbitrary files with
> attacker-supplied content.
> (2) By sending a specially-crafted CAB (Microsoft Cabinet
> Archive) file
> to a ClamAV server, an attacker can trigger a resource leak.
> If a number
> of these files are sent to a server, an attacker can exhaust all
> available resources and prevent the server from performing
> future scans.
> Because ClamAV is often configured to automatically scan all email
> messages delivered to a server, an attacker can exploit these
> vulnerabilities by sending emails message to a vulnerable server. Note
> that, because ClamAV is open source, technical details for these
> vulnerabilities can be obtained via source code analysis.
>
> Status: ClamAV confirmed, updates available. Ensure that the ClamAV
> process does not run with "root" privileges. This will prevent the
> vulnerability being exploited to overwrite system files.
>
> References:
> iDefense Security Advisories
> .
> php?id=475
> .
> php?id=476
> Wikipedia Article on Microsoft Cabinet Files
>
> ClamAV Home Page
>
> SecurityFocus BIDs
>
>
>
>
> ****************************************************************
>
> (9) MODERATE: Cisco Unified IP Phone and Conference Station
> Multiple Vulnerabilities
> Affected:
> Cisco Unified IP Phone
> Cisco Unified Conference Station
>
> Description: Cisco's Unified IP Phone and Conference Station products
> contain multiple vulnerabilities:
> (1) The Unified IP Conference Station contains an
> administrative bypass
> vulnerability. An attacker could exploit this vulnerability
> by accessing
> administrative URLs directly, without first authenticating. This
> vulnerability allows unauthorized users to administer the device.
> (2) The Unified IP Phone device contains a hard-coded user
> account. This
> account cannot be disabled, renamed, or have its password changed.
> Attackers could use this account to access the device. Once the device
> has been accessed, an attacker could use a local privilege-escalation
> vulnerability to gain complete control of the device.
> (3) The Unified IP Phone device contains a local privilege escalation
> vulnerability. No further details are available for this
> vulnerability.
>
> Status: Cisco confirmed, updates available.
>
> References:
> Cisco Security Advisories
>
>
> SecurityFocus BIDs
>
>
> **************************************************************
>
> Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
> Week 9 2007
>
> 07.9.1 CVE: CVE-2007-0843
> Platform: Windows
> Title: Microsoft Windows ReadDirectoryChangesW Information Disclosure
> Description: Microsoft Windows is prone to a local information
> disclosure vulnerability because the "bWatchSubtree" parameter in the
> "ReadDirectoryChangesW()" API allows users to monitor changes within a
> directory tree. Multiple versions of Microsoft Windows 2000, XP, 2003
> and Vista are affected. See the reference below for details.
> Ref:
> ______________________________________________________________________
>
> 07.9.2 CVE: CVE-2007-1070
> Platform: Windows
> Title: Trend Micro ServerProtect SPNTSVC.EXE Multiple
> Stack-Based Buffer
> Overflow Vulnerabilities
> Description: Trend Micro ServerProtect is an antivirus application
> designed specifically for servers. It is exposed to multiple remote
> stack-based buffer overflow issues because the application fails to
> properly bounds check user-supplied input. Trend Micro
> ServerProtect for
> Windows 5.58, for Network Appliance Filer 5.62, 5.61, and for EMC 5.58
> are affected.
> Ref:
>
>
> ______________________________________________________________________
>
> 07.9.4 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer Local File Access Vulnerabilities
> Description: Microsoft Internet Explorer is the native web browser for
> Windows systems. It is exposed to multiple local file access issues
> because it fails to properly handle HTML tags. Internet Explorer
> version 6 on a fully patched Windows XP SP2 system is affected.
> Ref:
> ______________________________________________________________________
>
> 07.9.6 CVE: CVE-2006-6490
> Platform: Third Party Windows Apps
> Title: SupportSoft ActiveX Controls Remote Buffer Overflow
> Vulnerabilities
> Description: SupportSoft is a software package for delivering
> technical support. It is included in multiple products from various
> vendors. Once installed, ActiveX controls are made available for
> websites to use. SupportSoft ActiveX controls are prone to multiple
> remote buffer overflow issues because the software fails to properly
> bounds check user-supplied input.
> Ref:
> ______________________________________________________________________
>
> 07.9.21 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox Bookmarks HTML Injection
> Description: Mozilla Firefox is a web browser. It is prone to an HTML
> injection issue because of the way URIs containing inline script code
> are handled. Mozilla Firefox 2.0.1 and earlier versions are affected.
> Ref:
> ______________________________________________________________________
>
> 07.9.22 CVE: CVE-2006-5276
> Platform: Cross Platform
> Title: Snort/Sourcefire DCE/RPC Packet Reassembly Stack-Based
> Buffer Overflow
> Description: Snort is a freely available, open-source NID
> system. Snort
> IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer
> overflow vulnerability because the network intrusion detection (NID)
> systems fail to handle specially-crafted "DCE" and "RPC" network
> packets. This vulnerability can be exploited to execute malicious code
> in the context of the user running the affected application. Snort
> Project versions 2.6.1.2 and earlier versions are affected.
> Ref:
> ______________________________________________________________________
>
> 07.9.27 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox About:Blank Spoof
> Description: Mozilla Firefox is exposed to a vulnerability that may
> allow attackers to spoof browser windows. This occurs due to
> a flaw in the
> security model of the application's JavaScript engine. Mozilla
> Firefox 2.0.1 and earlier versions are affected.
> Ref:
> ______________________________________________________________________
>
> 07.9.29 CVE: Not Available
> Platform: Web Application - Cross Site Scripting
> Title: Google Desktop Cross-Site Scripting Weakness
> Description: Google Desktop is a freely-available application that
> allows users to search the contents of their computer. It is
> implemented as a combination of a local webserver bound to the
> loopback interface and a sidebar application. It also ties heavily
> into services provided by google.com. Google Desktop is prone to a
> cross-site scripting weakness because the application fails to
> properly sanitize user-supplied input.
> Ref:
> ______________________________________________________________________
>
> 07.9.74 CVE: Not Available
> Platform: Network Device
> Title: Cisco Unified IP Conference Station and Unified IP Phone
> Vulnerabilities
> Description: Cisco Unified IP Conference Station and Unified IP Phone
> are prone to multiple remote vulnerabilities. Cisco Unified IP Phone
> versions 8.0(4)SR1 and earlier are affected. Refer to the advisory for
> further details.
> Ref:
>
> ______________________________________________________________________
>
> 07.9.75 CVE: Not Available
> Platform: Network Device
> Title: Cisco 802.1X Authentication Deployment Products Multiple
> Vulnerabilities
> Description: Cisco CSSC and CTA products are used to deploy a single
> authentication framework using the 802.1X authentication standard
> across multiple wired and wireless networks. It is prone to an
> information disclosure issue and multiple privilege escalation issues
> because of design flaws in the software. Cisco Trust Agent 2.0 and
> 2.1, Cisco Security Agent 5.1 and 5.0, and Cisco Secure
> Services Client
> 4.0 are affected. Refer to the advisory for further details.
> Ref:
>
> ant.shtml
> ______________________________________________________________________
>
> (c) 2007. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held
> by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
>
