Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 27



> 
> *****************************
> Widely Deployed Software
> *****************************
> 
> (1) CRITICAL: MIT Kerberos "kadmind" Buffer Overflow
> Affected:
> MIT Kerberos version 1.6.1 and prior
> Potentially systems based on MIT Kerberos
> 
> Description: MIT Kerberos, a widely popular implementation of the
> Kerberos authentication protocol, contains a buffer overflow in its
> kadmind component. A specially crafted Kerberos request could trigger
> this buffer overflow. Successfully exploiting this vulnerability would
> allow an attacker to execute arbitrary code with the privileges of the
> kadmind process (usually root). The affected component runs on Kerberos
> master servers, and therefore successful exploitation of this
> vulnerability could lead to the disclosure or spoofing of authentication
> information for other systems in the Kerberos domain. Numerous vendors
> base their implementation of Kerberos on this implementation; these
> vendors may also be vulnerable. A working exploit is known to exist, but
> is not currently believed to be in the wild. Full technical details,
> including source code, are available for this vulnerability.
> 
> Status: MIT confirmed, updates available. Certain vendors may have
> released updates for their Kerberos implementations.
> 
> References:
> MIT Security Advisory
> http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
> iDefense Security Advisory
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=548
> Sun Security Advisory
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102985-1
> Wikipedia Article on Kerberos
> http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
> Product Home Page
> http://web.mit.edu/kerberos/www/index.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/24653
> 
> *************************************************************************
> 
> (2) CRITICAL: Real Networks RealPlayer and HelixPlayer SMIL Buffer Overflow
> Affected:
> Real Networks RealPlayer version 10.5 and possibly prior
> Real Networks HelixPlayer version 10.5 and possibly prior
> 
> Description: Real Networks RealPlayer and its open source version
> HelixPlayer, contain flaws in their parsing of time values in
> Synchronized Multimedia Integration Language (SMIL) files. These files
> are used to synchronize and play multiple media streams simultaneously
> or at given times, as well as to provide metadata about media streams.
> A specially crafted time value in a SMIL file could trigger this buffer
> overflow and allow an attacker to execute arbitrary code with the
> privileges of the current user. Note that, in general, RealPlayer and
> HelixPlayer will open SMIL files without prompting. This includes the
> browser-embedded versions of these products, allowing malicious web
> pages to act as a vector for exploitation. Full technical details and a
> proof-of-concept exploit for these vulnerabilities are publicly
> available.
> 
> Status: Real Networks confirmed, updates available.
> 
> References:
> iDefense Security Advisory
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547
> Proof-of-Concept
> http://downloads.securityfocus.com/vulnerabilities/exploits/24658.html
> Wikipedia Article on SMIL
> http://en.wikipedia.org/wiki/Synchronized_Multimedia_Integration_Language
> Product Home Page
> http://www.real.com
> SecurityFocus BID
> http://www.securityfocus.com/bid/24658
> 
> *************************************************************************
> 
> (3) HIGH: Sun Java Web Start Arbitrary File Overwrite and Command
> Execution Vulnerability
> Affected:
> Sun Java Development Kit version 5.0
> Sun Java Runtime Environment version 1.4.2
> Sun Java System Development Kit version 1.4.2
> 
> Description: The Sun Java Development Kit, System Development Kit, and
> Runtime Environment provide the Java Web Start mechanism that allows
> Java applications to be launched from remote web sites and servers. A
> flaw in the handling of Java Web Start applications can lead to an
> arbitrary file overwrite condition, allowing a malicious application to
> overwrite any file accessible by the current user. Note that, since the
> permissions accorded to Java Web Start applications are controlled by a
> local file (known as ".policy.java" on most platforms), an attacker
> could overwrite this file to remove all execution restrictions on Java
> Web Start applications. No further technical details are available for
> this vulnerability.
> 
> Status: Sun confirmed, updates available.
> 
> References:
> Sun Security Advisory
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1
> SecurityFocus BID
> http://www.securityfocus.com/bid/24695
> 
> *************************************************************************
> 
> (4) MODERATE: Trend Micro OfficeScan Multiple Vulnerabilities
> Affected:
> Trend Micro OfficeScan version 8 prior to patch 1042
> 
> Description: Trend Micro OfficeScan, a popular anti-malware suite,
> contains multiple vulnerabilities in its web-based administration
> interface. Attackers could exploit a buffer overflow to execute
> arbitrary code with the privileges of the web server process, or could
> send a specially crafted HTTP header to bypass administration interface
> authentication.
> 
> Status: Trend Micro confirmed, updates available.
> 
> References:
> Trend Micro Security Advisory
> http://www.trendmicro.com/ftp/documentation/readme/osce_80_win_en_securitypatch_b1042_readme.txt
> Product Home Page
> http://uk.trendmicro-europe.com/enterprise/products/groups.php?prodgroup=3&family=5
> SecurityFocus BID
> http://www.securityfocus.com/bid/24641
> 
> *************************************************************************
> 
> (5) MODERATE: GD Library Multiple Vulnerabilities
> Affected:
> GD library versions prior to 2.0.35
> Note that many products embed or otherwise use the GD library
> 
> Description: The GD library, a popular open source image generation and
> manipulation library, contains multiple vulnerabilities. Any program
> using the GD library would be potentially affected by these
> vulnerabilities. A specially crafted PNG, XBM or GIF image file could
> trigger multiple vulnerabilities, including some that could lead to code
> execution. If an attacker had programmatic access to the library (for
> example, by being able to upload PHP code or CGI scripts), an attacker
> could exploit flaws in various API functions. Because GD is open source,
> technical information for these flaws is available via source code
> analysis. At least one proof-of-concept is publicly available.
> 
> Status: Vendor confirmed, updates available.
> 
> References:
> GD Library Release Notes
> http://www.libgd.org/ReleaseNote020035
> Proof of Concept
> http://downloads.securityfocus.com/vulnerabilities/exploits/24651-integerOverflow.c
> Product Home Page
> http://libgd.org/Main_Page
> SecurityFocus BID
> http://www.securityfocus.com/bid/24651
> 
> 
> Part II - Comprehensive List of Newly Discovered Vulnerabilities from
> Qualys (www.qualys.com)
> Week 27, 2007
> 
> 
> 07.27.1 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft Excel Sheet Name Remote Denial of Service
> Description: Microsoft Excel is a spreadsheet application that is part
> of the Microsoft Office Suite. The application is exposed to a remote
> denial of service issue when the application processes malicious sheet
> name data in XLS files. Excel 2000 and 2003 are affected.
> Ref: http://www.securityfocus.com/bid/24691
> ______________________________________________________________________
> 
> 07.27.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer Document.Domain Cross-Domain Same
> Origin Overwriting
> Description: Microsoft Internet Explorer is exposed to an issue that
> permits an attacker to bypass the same origin policy. Specifically the
> attacker can control the document.domain property, which may permit it
> to access properties of the original domain, or spoof the content from
> an attacker controlled domain.
> Ref: http://www.securityfocus.com/bid/24704
> ______________________________________________________________________
> 
> 
> 07.27.17 CVE: CVE-2007-2442
> Platform: Linux
> Title: MIT Kerberos Administration Daemon RPC Library Free Pointer
> Remote Code Execution
> Description: Kerberos is a network authentication protocol. kadmind
> (Kerberos Administration Daemon) is the administration server for
> Kerberos networks. The application is exposed to a remote code
> execution issue. kadmind versions prior to krb5-1.6.1 are affected.
> Ref: http://www.kb.cert.org/vuls/id/356961
> ______________________________________________________________________
> 
> 07.27.18 CVE: CVE-2007-2443
> Platform: Linux
> Title: MIT Kerberos 5 kadmind Server RPC Type Conversion Stack Buffer
> Overflow
> Description: Kerberos is a network authentication protocol. kadmind
> (Kerberos Administration Daemon) is the administration server for
> Kerberos networks. The application is exposed to a stack-based buffer
> overflow issue because it fails to adequately bounds check
> user-supplied data before copying it to an insufficiently sized
> buffer. Kerberos 5 kadmind versions 1.6.1 and earlier are affected.
> Ref: http://www.kb.cert.org/vuls/id/365313
> ______________________________________________________________________
> 
> 07.27.19 CVE: CVE-2007-1863
> Platform: Linux
> Title: Apache HTTP Server Mod_Cache Denial of Service
> Description: The Apache mod_cache module is exposed to a denial of
> service issue. If caching is enabled, a remote attacker may be able to
> send a malicious request that could cause the child process to crash.
> This could lead to denial of service conditions if the server is using
> a multi-threaded Multi-Processing Module (MPM).
> Ref: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244658
> ______________________________________________________________________
> 
> 07.27.20 CVE: CVE-2007-2798
> Platform: Linux
> Title: MIT Kerberos 5 kadmind Server Rename_Principal_2_SVC() Function
> Stack Buffer Overflow
> Description: Kerberos is a network authentication protocol. kadmind
> (Kerberos Administration Daemon) is the administration server for
> Kerberos networks. The application is exposed to a stack-based buffer
> overflow issue because it fails to bounds check user-supplied data
> before copying it into an insufficiently sized buffer. The problem
> occurs in the "rename_principal_2_svc()" function when concatenating
> the source and destination principal names in a sprintf() call.
> Kerberos 5 kadmind 1.6.1, kadmind 1.5.3 and earlier versions are
> affected.
> Ref: http://www.kb.cert.org/vuls/id/554257
> ______________________________________________________________________
> 
> 07.27.23 CVE: CVE-2007-3104
> Platform: Linux
> Title: Red Hat Kernel SysFS_ReadDir NULL Pointer Dereference
> Description: The Red Hat kernel is exposed to a NULL pointer
> dereference issue due to a flaw in the "sysfs_readdir" function of the
> "/fs/sysfs/dir.c" source file. Please refer to the advisory for
> further details.
> Ref: http://rhn.redhat.com/errata/RHSA-2007-0488.html
> ______________________________________________________________________
> 
> 07.27.27 CVE: Not Available
> Platform: Solaris
> Title: Sun Solaris TCP Loopback/Fusion Code Local Denial of Service
> Description: Sun Solaris is exposed to a local denial of service
> issue. Solaris 10 SPARC and x86 are affected. Please refer to the
> advisory for further details.
> Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102963-1
> ______________________________________________________________________
> 
> 07.27.28 CVE: Not Available
> Platform: Solaris
> Title: Sun Solaris KSSL Memory Buffer Denial of Service
> Description: Sun Solaris is exposed to a denial of service issue. An
> unprivileged local or remote attacker may exploit this issue to cause
> a system panic. This will cause the system to hang resulting in
> denial of service conditions. Solaris 10 SPARC and x86 are affected.
> Please refer to the advisory for further details.
> Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102918-1
> ______________________________________________________________________
> 
> 07.27.29 CVE: Not Available
> Platform: Solaris
> Title: Sun Solaris Dtsession Local Buffer Overflow
> Description: Sun Solaris is exposed to a local buffer overflow issue.
> Solaris Common Desktop Environment (CDE) Session Manager contains a
> boundary error where it fails to properly bounds check user-supplied
> input before using it in a memory copy operation. This issue occurs in
> the "dtsession" CDE session manager. Sun Solaris versions 8, 9 and 10
> SPARC and x86 are affected.
> Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102954-1
> ______________________________________________________________________
> 
> 07.27.31 CVE: Not Available
> Platform: Cross Platform
> Title: Intel CORE 2 Multiple Local Denial of Service Vulnerabilities
> Description: Intel CORE 2 64-bit microprocessors are the
> eighth generation of Intel Core micro architecture. These processors
> are exposed to multiple issues. Please refer to the advisory for
> further details.
> Ref: http://download.intel.com/design/processor/specupdt/31327914.pdf
> ______________________________________________________________________
> 
> 07.27.32 CVE: Not Available
> Platform: Cross Platform
> Title: Sun Java Web Start Arbitrary File Overwrite Privilege
> Escalation
> Description: Java Web Start is a deployment solution for Java
> applications. The application is exposed to an issue that can result in
> privilege escalation. The malicious application could overwrite the
> .java.policy file to invoke applets or other Java Web Start
> applications that will be executed with the privileges of the victim.
> Java Web Start in JDK and JRE 5.0 Update 11 and earlier are affected.
> Also affected is Java Web Start in SDK and JRE 1.4.2_13 and earlier.
> Ref:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1&searchclause=
> ______________________________________________________________________
> 
> 07.27.35 CVE: Not Available
> Platform: Cross Platform
> Title: CA BrightStor ARCserve Backup Server Unspecified Remote Code
> Execution
> Description: Computer Associates BrightStor ARCserve Backup products
> provide backup and restore protection for Windows, NetWare, Linux, and
> UNIX servers as well as Windows, Mac OS X, Linux, UNIX, AS/400, and
> VMS clients. The application is exposed to a remote code execution
> issue. Computer Associates BrightStor ARCServe Backup version
> 11.5.SP3 is affected.
> Ref: http://research.eeye.com/html/advisories/upcoming/20070618.html
> ______________________________________________________________________
> 
> 07.27.36 CVE: CVE-2007-3377, CVE-2007-3409
> Platform: Cross Platform
> Title: Perl Net::DNS Remote Multiple Vulnerabilities
> Description: The Perl Net::DNS module allows scripts written in Perl
> to perform DNS queries. The application is exposed to multiple issues.
> Perl Net::DNS module versions prior to 0.60 are affected.
> Ref: http://www.securityfocus.com/bid/24669
> ______________________________________________________________________
> 
> 07.27.37 CVE: CVE-2007-3389, CVE-2007-3390, CVE-2007-3391,
> CVE-2007-3392, CVE-2007-3393
> Platform: Cross Platform
> Title: Wireshark Multiple Protocol Denial of Service Vulnerabilities
> Description: Wireshark is an application for analyzing network
> traffic. It is available for Microsoft Windows and UNIX-like operating
> systems. Wireshark is the successor to the Ethereal network protocol
> analyzer. The application is exposed to multiple denial of service
> issues when handling certain types of packets and protocols in varying
> conditions. Wireshark versions prior to 0.99.6 are affected.
> Ref: http://www.securityfocus.com/bid/24662
> ______________________________________________________________________
> 
> 
> 07.27.39 CVE: CVE-2007-3378
> Platform: Cross Platform
> Title: PHP .Htaccess Safe_Mode and Open_Basedir Restriction Bypass
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to multiple "safe_mode" and "open_basedir"
> restriction bypass issues. PHP versions 5.2.3 and 4.4.7 are affected.
> Ref: http://securityreason.com/achievement_securityalert/45
> ______________________________________________________________________
> 
> 07.27.40 CVE: CVE-2007-3410
> Platform: Cross Platform
> Title: RealPlayer/HelixPlayer ParseWallClockValue Function Buffer
> Overflow
> Description: RealPlayer and HelixPlayer are media players developed by
> Real Networks. The application is exposed to a buffer overflow issue
> because the application fails to bounds check user-supplied data
> before copying it into an insufficiently sized buffer. This issue
> occurs in the "parseWallClockValue()" when parsing "HH:mm:ss.f" time
> format. RealPlayer and HelixPlayer version 10.5-GOLD is affected.
> Ref: http://www.securityfocus.com/archive/1/472295
> ______________________________________________________________________
> 
> 07.27.42 CVE: Not Available
> Platform: Cross Platform
> Title: GD Graphics Library Multiple Vulnerabilities
> Description: The GD Graphics Library (gdlib) is an open source
> graphics library available for multiple platforms, including UNIX
> variants and Microsoft Windows. It is implemented in ANSI C and is
> designed for creating and manipulating PNG, JPEG, and GIF image
> formats. The application is exposed to multiple issues. GD graphics
> library versions prior to 2.0.35 are affected.
> Ref: http://www.securityfocus.com/bid/24651
> ______________________________________________________________________
> 
> 07.27.43 CVE: Not Available
> Platform: Cross Platform
> Title: Symantec Mail Security For SMTP Remote Denial of Service
> Description: Symantec Mail Security for SMTP is an email scanning
> security application for multiple operating platforms. The application
> is exposed to a remote denial of service issue that occurs because it
> fails to perform adequate boundary checks when parsing executable mail
> attachments. Symantec Mail Security for SMTP versions in the 5.0
> series prior to 5.01 Patch 181 are affected.
> Ref: http://www.symantec.com/avcenter/security/Content/2007.06.26.html
> ______________________________________________________________________
> 
> 07.27.44 CVE: Not Available
> Platform: Cross Platform
> Title: Trend Micro OfficeScan Server CGI Modules Multiple
> Vulnerabilities
> Description: Trend Micro OfficeScan is an integrated enterprise-level
> security product that protects against viruses, spyware, worms, and
> blended threats. The application is exposed to multiple security
> issues. Unspecified CGI modules fail to check the size of data in
> unspecified arguments or fields before copying it into finite-sized
> internal memory buffers, and additionally fail in an unspecified
> manner that allows for an authentication bypass. Trend Micro
> OfficeScan versions prior to edition 8.0 patch build 1042 are
> affected.
> Ref:
> http://www.trendmicro.com/ftp/documentation/readme/osce_80_win_en_securitypatch_b1042_readme.txt
> ______________________________________________________________________
> 
> 07.27.63 CVE: CVE-2006-5752
> Platform: Web Application - Cross Site Scripting
> Title: Apache HTTP Server Mod_Status Cross-Site Scripting
> Description: The Apache HTTP Server mod_status module provides
> information on server activity. The module is exposed to a cross-site
> scripting issue because it fails to properly sanitize user-supplied
> input when the "server-status" page is publicly accessible and
> "ExtendedStatus" is enabled.
> Ref: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245112
> ______________________________________________________________________
> 
> 07.27.112 CVE: Not Available
> Platform: Network Device
> Title: 3Com IntelliJack Switch NJ220 Loopback Remote Denial of Service
> Description: 3Com IntelliJack Switch NJ220 is a series of networking
> switches available from 3Com. The application is exposed to a remote
> denial of service issue as a remote attacker can cause a denial of
> service to legitimate users of the affected devices. Specifically,
> this issue occurs when the vulnerable device processes a loopback
> packet with a length field of zero. 3Com IntelliJack Switch NJ220
> versions prior to 2.0.23 are affected.
> Ref: http://www.securityfocus.com/bid/24705
> ______________________________________________________________________
> 
> (c) 2007.  All rights reserved.  The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only.  In some
> cases, copyright for material in this newsletter may be held by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
> 
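The kadmind rename_principal_2_svc() entry (07.27.20) and the RealPlayer parseWallClockValue() entry (07.27.40) in the forwarded newsletter describe the same defect class: caller-controlled strings copied into a fixed-size stack buffer with no length check. The C below is an added illustration of that pattern and its fix; it is not code from MIT Kerberos, Real Networks or the newsletter, and the buffer size, format string and function names (format_rename_unchecked, format_rename_checked) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from MIT Kerberos, RealPlayer or HelixPlayer.
 * It models the defect class the kadmind (CVE-2007-2798) and
 * parseWallClockValue() (CVE-2007-3410) entries describe: caller-supplied
 * strings copied into a fixed-size stack buffer with no length check.
 * MSG_BUF and the format_rename_* names are hypothetical. */

#define MSG_BUF 64
#define FIXED_TEXT_LEN 13   /* strlen("Request: ") + strlen(" to ") */

/* Unsafe shape, shown for contrast only: sprintf() writes as many bytes as
 * the inputs demand, so once strlen(src) + strlen(dst) + FIXED_TEXT_LEN
 * reaches MSG_BUF the write runs past the end of buf. This is the pattern
 * the advisory attributes to concatenating two principal names in one
 * sprintf() call. */
static void format_rename_unchecked(char *out, size_t outlen,
                                    const char *src, const char *dst)
{
    char buf[MSG_BUF];
    sprintf(buf, "Request: %s to %s", src, dst);   /* BUG: unbounded write */
    strncpy(out, buf, outlen);
    out[outlen - 1] = '\0';
}

/* Hardened form: size the output up front, reject what does not fit, and
 * use snprintf() so even a miscount cannot overrun the buffer.
 * Returns 0 on success, -1 when the request is rejected. */
static int format_rename_checked(char *out, size_t outlen,
                                 const char *src, const char *dst)
{
    size_t need = FIXED_TEXT_LEN + strlen(src) + strlen(dst) + 1; /* +1 NUL */
    if (outlen == 0 || need > outlen)
        return -1;                       /* reject rather than truncate */
    int n = snprintf(out, outlen, "Request: %s to %s", src, dst);
    if (n < 0 || (size_t)n >= outlen)    /* belt and braces: detect truncation */
        return -1;
    return 0;
}

int main(void)
{
    char out[MSG_BUF];
    /* Constructed sample principals; realistic lengths fit comfortably. */
    const char *src = "alice@EXAMPLE.COM";
    const char *dst = "bob@EXAMPLE.COM";

    format_rename_unchecked(out, sizeof out, src, dst);
    printf("unchecked (short input only): %s\n", out);

    if (format_rename_checked(out, sizeof out, src, dst) == 0)
        printf("checked:   %s\n", out);

    /* A constructed over-long name: the checked version refuses it instead
     * of writing past the 64-byte buffer. */
    char longname[MSG_BUF + 16];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    if (format_rename_checked(out, sizeof out, longname, dst) != 0)
        printf("checked:   rejected %zu-byte principal name\n", strlen(longname));
    return 0;
}
```

The length arithmetic is done before the copy and the reject branch is explicit, which is the behaviour a reviewer should look for wherever untrusted names, time strings or header values are assembled into fixed buffers; the snprintf() return-value check stays in as a second line of defence in case the count of fixed text ever drifts from the format string.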



 




Copyright © Lexa Software, 1996-2009.