RISK: The Consensus Security Vulnerability Alert Vol. 8 No. 24
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert sans.org)
Date: Thu Jun 11 2009 - 18:23:10 CDT
A huge number of very critical Microsoft vulnerabilities this week, but
don't ignore the Apple Safari problems.
Alan
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
June 11, 2009 Vol. 8. Week 24
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of Updates and Vulnerabilities in this Consensus
Platform Number of Updates and Vulnerabilities
- ------------------------ -------------------------------------
Windows 7 (#7, #13, #14)
Microsoft Office 11 (#2, #3, #4, #12)
Other Microsoft Products 12 (#1, #5, #9, #11)
Third Party Windows Apps 3
Solaris 3
Aix 1
Unix 2
Cross Platform 23 (#6, #8, #10)
Web Application - Cross Site Scripting 4
Web Application - SQL Injection 4
Web Application 9
Network Device 1
******************** Sponsored By Sourcefire, Inc. **********************
Your Network Security Isn't Good Enough Anymore
Today's threats-and networks-are dynamic. Unfortunately most network
security systems are not.
Join Martin Roesch, Founder and CTO of Sourcefire(r) and Creator of
Snort(r), in a series of seminars, as he shows why network security must
include full network visibility, relevant context, and automated impact
assessment to be effective.
More information http://www.sans.org/info/44693
*************************************************************************
TRAINING UPDATE
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses)
http://www.sans.org/sansfire09/event.php
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses)
http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses)
https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14
http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and
Singapore all in the next 90 days. For a list of all upcoming events,
on-line and live: www.sans.org
*************************************************************************
Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS09-019)
(2) CRITICAL: Microsoft Excel Multiple Vulnerabilities (MS09-021)
(3) CRITICAL: Microsoft Office Word Multiple Vulnerabilities (MS09-027)
(4) CRITICAL: Microsoft Works Converter Buffer Overflow Vulnerability (MS09-024)
(5) CRITICAL: Microsoft Active Directory Multiple Vulnerabilities (MS09-018)
(6) CRITICAL: Adobe Reader and Acrobat Multiple Vulnerabilities
(7) CRITICAL: Microsoft Windows Print Spooler Multiple Vulnerabilities (MS09-022)
(8) CRITICAL: Apple Safari Multiple Vulnerabilities
(9) HIGH: Microsoft Internet Information Services (IIS) WebDAV Authentication Bypass Vulnerabilities (MS09-020)
(10) MODERATE: MSN Protocol SLP Message Heap Overflow Vulnerability
(11) MODERATE: Microsoft RPC Marshalling Engine Vulnerability (MS09-026)
(12) MODERATE: Microsoft PowerPoint Freelance parsing Vulnerability
(13) LOW: Microsoft Windows Kernel Local Elevation of Privilege Vulnerabilities (MS09-025)
(14) LOW: Microsoft Windows Search Information Disclosure Vulnerability (MS09-023)
************************* Sponsored Links ******************************
1) SANS Recommended Webcast Replay featuring Novell: Enabling a
Productive, Mobile Workforce with Endpoint Security
http://www.sans.org/info/44698
2) SANS Vendor Demo Spotlight: CA - Identity Lifecycle Management -
Increase efficiency & reduce costs! Securely manage identities
throughout their lifecycles with ease.
http://www.sans.org/info/44703
3) Register Now for the Upcoming Webcast: How to Manage Endpoints in a
Distributed, Cloud-based Environment. Sponsored by BigFix
http://www.sans.org/info/44708
*************************************************************************
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Windows
09.24.1 - Microsoft Windows Pointer Validation Local Privilege Escalation
09.24.2 - Microsoft Windows Argument Validation Local Privilege Escalation
09.24.3 - Microsoft Windows DNS Devolution Third-Level Domain Name Resolving Weakness
09.24.4 - Microsoft Windows Print Spooler Remote Buffer Overflow
09.24.5 - Microsoft Windows Print Spooler Local Information Disclosure
09.24.6 - Microsoft Windows Print Spooler Remote Code Execution
09.24.7 - Microsoft Windows Search Script Injection
-- Microsoft Office
09.24.8 - Microsoft Office Works for Windows Document Converters Remote Code Execution
09.24.9 - Microsoft Word Record Parsing (CVE-2009-0563) Remote Code Execution
09.24.10 - Microsoft Word Record Parsing (CVE-2009-0565) Remote Code Execution
09.24.11 - Microsoft Excel Record Pointer Corruption Remote Code Execution
09.24.12 - Microsoft Excel Record Object Remote Code Execution
09.24.13 - Microsoft Excel Array Indexing Remote Code Execution
09.24.14 - Microsoft Excel String Copy Stack Overflow Remote Code Execution
09.24.15 - Microsoft Excel Field Sanitization Remote Code Execution
09.24.16 - Microsoft Excel Malformed Record Object Integer Overflow
09.24.17 - Microsoft Excel Record Pointer Corruption Variant Remote Code Execution
09.24.18 - Microsoft PowerPoint Freelance Layout Parsing Heap Based Buffer Overflow
-- Other Microsoft Products
09.24.19 - Microsoft Internet Explorer (CVE-2009-1141) Uninitialized Memory Remote Code Execution
09.24.20 - Microsoft Internet Explorer Cached Content Cross Domain Information Disclosure
09.24.21 - Microsoft RPC Marshalling Engine Remote Code Execution
09.24.22 - Microsoft Internet Explorer (CVE-2009-1528) Uninitialized Memory Remote Code Execution
09.24.23 - Microsoft Internet Explorer (CVE-2009-1529) Uninitialized Memory Remote Code Execution
09.24.24 - Microsoft Internet Explorer (CVE-2009-1530) Uninitialized Memory Remote Code Execution
09.24.25 - Microsoft Internet Explorer (CVE-2009-1531) Uninitialized Memory Remote Code Execution
09.24.26 - Microsoft Internet Explorer (CVE-2009-1532) Uninitialized Memory Remote Code Execution
09.24.27 - Microsoft Visual Studio "MSCOMM32.OCX" ActiveX Control Heap Buffer Overflow
09.24.28 - Microsoft Active Directory Memory Leak Denial of service
09.24.29 - Microsoft Active Directory Memory Corruption Remote Code Execution
09.24.30 - Microsoft IIS 5.0 WebDAV Authentication Bypass
-- Third Party Windows Apps
09.24.31 - SAP AG SAPgui "sapirrfc.dll" ActiveX Control Buffer Overflow
09.24.32 - eBay Enhanced Picture Services ActiveX Control Remote Code Execution
09.24.33 - Derivco ActiveX Control Unspecified Security
-- Solaris
09.24.34 - Sun Solaris Kerberos Credential Management Security Bypass
09.24.35 - Sun OpenSolaris "idmap(1M)" Local Denial of Service
09.24.36 - Sun Solaris "rpc.nisd(1M)" Daemon NIS+ Server Remote Denial of Service
-- Aix
09.24.37 - IBM AIX "portmapper" Remote Denial of Service
-- Unix
09.24.38 - CUPS Scheduler Directory Services Remote Denial of Service
09.24.39 - CUPS PDF File Multiple Heap Buffer Overflow Vulnerabilities
-- Cross Platform
09.24.40 - Apache Tomcat Java AJP Connector Invalid Header Denial of Service
09.24.41 - Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness
09.24.42 - Hitachi Web Server Reverse Proxy Denial of Service
09.24.43 - Apache APR-util "apr_strmatch_precompile()" Integer Underflow
09.24.44 - Online Armor Personal Firewall IOCTL Request Local Privilege Escalation
09.24.45 - Sun GlassFish Enterprise Server HTTP Engine/Admin Interface Local Denial of Service
09.24.46 - Libpng 1-bit Interlaced Images Information Disclosure
09.24.47 - XM Easy Personal FTP Server Multiple Command Remote Buffer Overflow Vulnerabilities
09.24.48 - HP Discovery and Dependency Mapping Inventory Unauthorized Access
09.24.49 - Apache APR-util "apr_brigade_vprintf" Off By One
09.24.50 - Apache APR-util "xml/apr_xml.c" Denial of Service
09.24.51 - Serene Bach Session Hijacking
09.24.52 - wxWidgets Multiple Security Vulnerabilities
09.24.53 - Apple Safari Prior to 4.0 Multiple Security Vulnerabilities
09.24.54 - Rasterbar Software libtorrent Arbitrary File Overwrite
09.24.55 - WebKit "XMLHttpRequest" HTTP Response Splitting
09.24.56 - WebKit DOM Event Handler Remote Memory Corruption
09.24.57 - Apache Tomcat "RequestDispatcher" Information Disclosure
09.24.58 - IBM OS/400 JVA-RUN JDK6.0 XML Digital Signature Unspecified Security
09.24.59 - PDFlib Lite PNG Image Size Integer Overflow
09.24.60 - HP OpenView Network Node Manager SNMP and MIB Unspecified Remote Code Execution
09.24.61 - WebKit Drag Event Remote Information Disclosure
09.24.62 - Worldweaver DX Studio Player Browser Plugin Remote Arbitrary Shell Command Injection
-- Web Application - Cross Site Scripting
09.24.63 - IronPort AsyncOS Spam Quarantine Login Cross Site Scripting
09.24.64 - Sun Java System Web Server Reverse Proxy Plug-in Cross-Site Scripting
09.24.65 - moziloCMS Multiple Cross Site Scripting Vulnerabilities
09.24.66 - Kerio MailServer WebMail Cross Site Scripting
-- Web Application - SQL Injection
09.24.67 - Seminar for Joomla! "id" Parameter SQL Injection
09.24.68 - Joomla! and Mambo "com_mosres" Component Multiple SQL Injection Vulnerabilities
09.24.69 - Joomla! ComSchool Component "classid" Parameter SQL Injection
09.24.70 - Joomla! AkoBook Component "Itemid" Parameter SQL Injection
-- Web Application
09.24.71 - Luottokunta Payment Security Bypass
09.24.72 - Drupal Webform Module HTML Injection
09.24.73 - Omilen Photo Gallery Joomla! Component "controller" Parameter Local File Include
09.24.74 - LightNEasy Multiple HTML Injection Vulnerabilities
09.24.75 - LogMeIn "cfgadvanced.html" HTTP Header Injection
09.24.76 - Ideal MooFAQ Joomla! Component "file_includer.php" Local File Include
09.24.77 - Automated Link Exchange Portal Insecure Cookie Authentication Bypass
09.24.78 - Multiple OrdaSoft Joomla! Components "mosConfig_absolute_path" Remote File Include
09.24.79 - MoinMoin Hierarchical ACL Security Bypass
-- Network Device
09.24.80 - Netgear RP614 Wireless Router Cross-Site Request Forgery
______________________________________________________________________
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rohan Kotian at TippingPoint,
a division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
*****************************
Widely Deployed Software
*****************************
(1) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS09-019)
Affected:
Microsoft Internet Explorer 5.01 Service Pack 4
Microsoft Internet Explorer 6
Microsoft Internet Explorer 6 Service Pack 1
Microsoft Windows Internet Explorer 7
Microsoft Windows Internet Explorer 8
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Server 2008 (Itanium)
Microsoft Windows Server 2008 (Itanium) Service Pack 2
Description: Microsoft Internet Explorer contains multiple
vulnerabilities in its handling of HTML objects and cached content. A
specially crafted web page could trigger one of these vulnerabilities
using specially crafted HTML or scripts. There is an information
disclosure vulnerability caused by a race condition that could allow
an attacker to bypass domain restrictions into another domain or
Internet Explorer zone. Another information disclosure vulnerability is
caused by an error in the way Internet Explorer handles cached content.
Successful exploitation in the above cases might allow an attacker to
disclose content from the local computer or view content from the
browser window in another domain. There is a DHTML Object memory
corruption vulnerability caused by incorrect handling of certain
unexpected method calls to HTML objects in a web page, which might lead
to memory corruption and eventually code execution. There are HTML
Objects memory corruption vulnerabilities caused by an error in the
way Internet Explorer accesses an uninitialized or deleted object. This
causes Internet Explorer to access uninitialized memory, thereby leading
to memory corruption and possibly code execution. Some technical details
are publicly available for some of these vulnerabilities.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-09-036
http://www.zerodayinitiative.com/advisories/ZDI-09-037
http://www.zerodayinitiative.com/advisories/ZDI-09-038
http://www.zerodayinitiative.com/advisories/ZDI-09-039
http://www.zerodayinitiative.com/advisories/ZDI-09-041
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
FortiGuard Advisory (FGA-2009-22)
http://www.fortiguardcenter.com/advisory/FGA-2009-22.html
Core Security Technologies Advisory (CORE-2008-0826)
http://www.coresecurity.com/content/ie-security-zone-bypass
Product HomePage
http://www.microsoft.com/windows/internet-explorer/default.aspx
SecurityFocus BIDs
http://www.securityfocus.com/bid/24283
http://www.securityfocus.com/bid/35198
http://www.securityfocus.com/bid/35200
http://www.securityfocus.com/bid/35222
http://www.securityfocus.com/bid/35223
http://www.securityfocus.com/bid/35224
http://www.securityfocus.com/bid/35234
http://www.securityfocus.com/bid/35235
*************************************************************
(2) CRITICAL: Microsoft Excel Multiple Vulnerabilities (MS09-021)
Affected:
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office 2007
Microsoft Office 2008 for Mac
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office Excel 2007
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer 2007
Microsoft Office SharePoint Server 2007
Microsoft Office XP
Microsoft Open XML File Format Converter for Mac
Description: Microsoft Excel contains multiple vulnerabilities in its
parsing of Excel documents. A specially crafted Excel file containing a
malformed record object could trigger one of these vulnerabilities when
an unsuspecting user opens it with Microsoft Excel. With successful
exploitation an attacker could execute arbitrary code with the
privileges of the current user. To exploit these flaws, an attacker can
take any of the following actions: (a) Create a web page that downloads
a malicious Excel file from a server, and entice a user to visit that
web page. (b) Send an email with a specially crafted Excel file as an
attachment and convince the user to open it. Note that, on recent
versions of Microsoft Office, documents are not opened upon receipt
without first prompting the user. Some technical details are publicly
available for these vulnerabilities.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-09-040/
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-021.mspx
Secunia Research Advisories
http://secunia.com/secunia_research/2009-1/
http://secunia.com/secunia_research/2009-12/
Product Home Page
http://office.microsoft.com/en-us/excel/default.aspx
SecurityFocus BIDs
http://www.securityfocus.com/bid/35215
http://www.securityfocus.com/bid/35241
http://www.securityfocus.com/bid/35242
http://www.securityfocus.com/bid/35243
http://www.securityfocus.com/bid/35244
http://www.securityfocus.com/bid/35245
http://www.securityfocus.com/bid/35246
*************************************************************
(3) CRITICAL: Microsoft Office Word Multiple Vulnerabilities (MS09-027)
Affected:
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System Service Pack 1
2007 Microsoft Office System Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Word Viewer 2003 Service Pack 3
Microsoft Office Word Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
Description: Microsoft Word contains multiple vulnerabilities in its
file-format processing code. A specially crafted Word document file
could exploit one of these vulnerabilities. There are two buffer
overflow vulnerabilities in the way Microsoft Word handles Word files
with malformed records. One of the vulnerabilities is a flaw due to
improper boundary checks on the part of Microsoft Word while parsing
vulnerable tags within a crafted Word document. Successful exploitation
leads to memory corruption in such a way that an attacker can execute
arbitrary code with the privileges of the current user. To exploit these
flaws, an attacker might take one of the following actions: (a) Create
a web page that downloads a malicious Word document from a server, and
entice a user to visit that web page. (b) Send an email with a
specially crafted Word document as an attachment and convince the user
to open it. Note that, on recent versions of Microsoft Office, Word
documents are not opened upon receipt without first prompting the user.
Some technical details are publicly available for these vulnerabilities.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-09-035/
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-027.mspx
Product HomePage
http://office.microsoft.com/en-us/default.aspx
SecurityFocus BIDs
http://www.securityfocus.com/bid/35188/
http://www.securityfocus.com/bid/35190
*************************************************************
(4) CRITICAL: Microsoft Works Converter Buffer Overflow Vulnerability (MS09-024)
Affected:
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System Service Pack 1
Microsoft Works version 8.5
Microsoft Works version 9
Description: The Microsoft Works Converter included with Microsoft Word
is used to convert documents created by Microsoft Works into other
formats. There is a buffer overflow vulnerability caused by the way
Microsoft Works Converter parses font names in specially crafted Works
(.wps) files. Successfully exploiting this vulnerability would lead to
a denial of service condition or arbitrary code execution with the
privileges of the current user. To exploit this flaw, an attacker
might take one of the following actions: (a) Create a web page that
downloads a malicious Works document from a server, and entice a user
to visit that web page. (b) Send an email with a specially crafted
Works document as an attachment and convince the user to open it. Note
that on recent versions of Microsoft Office, documents are not opened
upon receipt without user intervention.
Status: Vendor confirmed, updates available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-024.mspx
Product HomePage
http://office.microsoft.com/en-us/default.aspx
SecurityFocus BID
http://www.securityfocus.com/bid/35184
*************************************************************
(5) CRITICAL: Microsoft Active Directory Multiple Vulnerabilities (MS09-018)
Affected:
Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows XP Professional Service Pack 2
Microsoft Windows XP Professional Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Description: Active Directory is Microsoft's implementation of the
Lightweight Directory Access Protocol (LDAP), a network protocol
designed to provide access to distributed directories, and is an
integral part of several Microsoft products and operating systems. There
are two vulnerabilities in the way the LDAP service handles specially
crafted LDAP requests. The first issue is caused by memory being freed
incorrectly when the LDAP service handles specially crafted LDAP or
LDAPS (LDAP over SSL) requests. Successful exploitation might allow an
attacker to execute arbitrary code. The second issue is caused by
improper memory management on the part of the LDAP service while
processing specially crafted LDAP or LDAPS requests. Successful
exploitation will lead to a denial of service condition.
Status: Vendor has confirmed, updates available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-018.mspx
Wikipedia Article on Active Directory
http://en.wikipedia.org/wiki/Active_directory
Vendor HomePage
http://www.microsoft.com/en/us/default.aspx
SecurityFocus BIDs
http://www.securityfocus.com/bid/35225
http://www.securityfocus.com/bid/35226
*************************************************************
(6) CRITICAL: Adobe Reader and Acrobat Multiple Vulnerabilities
Affected:
Adobe Reader versions 9.1.1 and earlier
Adobe Acrobat Standard, Pro, and Pro Extended versions 9.1.1 and earlier
Description: Adobe Acrobat is a program designed to create, manage and
view Portable Document Format (PDF) files, and Adobe Reader is designed
only to view and print PDFs. Both Adobe Reader and Acrobat have been
reported to have multiple vulnerabilities, which could be triggered by
opening a specially crafted PDF file. The issues are heap overflows,
stack-based overflows, integer overflows, and memory corruption in
various components. One of the issues is a boundary error while parsing
malformed U3D model files in a PDF file, leading to a stack overflow.
Another issue is a heap overflow caused by inadequate checks while
processing Huffman-encoded JBIG2 text region segments. About six
vulnerabilities in Adobe Reader and Acrobat are caused by improper
parsing of JBIG2-encoded data streams in PDF files. There are other
unspecified vulnerabilities in addition to the ones mentioned above.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the current user. Note that PDF documents
are often opened automatically by the vulnerable application without
the consent of the user. Some details for some of the vulnerabilities
are publicly available.
Status: Vendor has confirmed, updates available.
References:
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-09-042/
Adobe Security Advisory (APSB09-07)
http://www.adobe.com/support/security/bulletins/apsb09-07.html
Secunia Research: Adobe Reader JBIG2 Text Region Segment Buffer Overflow
http://secunia.com/secunia_research/2009-24/
IBM Internet Security Systems Protection Advisory
http://www.iss.net/threats/327.html
Vendor HomePage
http://www.adobe.com/
SecurityFocus BIDs
http://www.securityfocus.com/bid/35274
http://www.securityfocus.com/bid/35282
http://www.securityfocus.com/bid/35289
http://www.securityfocus.com/bid/35291
http://www.securityfocus.com/bid/35293
http://www.securityfocus.com/bid/35294
http://www.securityfocus.com/bid/35295
http://www.securityfocus.com/bid/35296
http://www.securityfocus.com/bid/35298
http://www.securityfocus.com/bid/35299
http://www.securityfocus.com/bid/35300
http://www.securityfocus.com/bid/35301
http://www.securityfocus.com/bid/35302
http://www.securityfocus.com/bid/35303
*************************************************************
(7) CRITICAL: Microsoft Windows Print Spooler Multiple Vulnerabilities (MS09-022)
Affected:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 for 32-bit
Microsoft Windows Server 2008 for 32-bit Service Pack 2
Microsoft Windows Server 2008 x64
Microsoft Windows Server 2008 x64 Service Pack 2
Microsoft Windows Server 2008 for Itanium Systems
Microsoft Windows Server 2008 for Itanium Systems Service Pack 2
Description: The Windows print spooler service (spoolsv.exe) is
responsible for tasks related to print jobs, such as retrieving and
loading the correct printer driver, scheduling print jobs, and sending
data to the printer. Multiple vulnerabilities have been identified in
the Windows print spooler service. The first issue is a buffer overflow
vulnerability caused by improper parsing of certain printing data
structures. Successful exploitation might allow an attacker to execute
arbitrary code. The second issue is an information disclosure
vulnerability caused by inadequate checks, on the part of the Windows
Printing Service, on the files that can be included with separator
pages. The third issue is an elevation of privilege vulnerability caused
by inadequate validation, on the part of the Windows Print Spooler
service, of the paths from which a dynamic-link library (DLL) may be
loaded. Successful exploitation might lead to arbitrary code execution.
Status: Vendor has confirmed, updates available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx
Vendor HomePage
http://www.microsoft.com/en/us/default.aspx
SecurityFocus BIDs
http://www.securityfocus.com/bid/35206
http://www.securityfocus.com/bid/35208
http://www.securityfocus.com/bid/35209
*************************************************************
(8) CRITICAL: Apple Safari Multiple Vulnerabilities
Affected:
Apple Safari versions prior to 4.0
Description: Apple's Safari web browser, installed by default on all
recent versions of Mac OS X, contains multiple vulnerabilities. The
first issue is a memory corruption vulnerability caused by improper
garbage collection of JavaScript set elements in WebCore. The second is
an uninitialized pointer issue caused by calling a method for an
object that does not exist. The third issue is a memory corruption
vulnerability caused by improper handling of the attr() function in a
CSS content object. The fourth issue is an error in CFNetwork caused by
misidentification of certain image files as HTML, leading to JavaScript
execution. The fifth issue is an information disclosure vulnerability
due to errors in CFNetwork. The sixth issue is caused by memory
corruption errors in CoreGraphics while processing arguments. The
seventh issue is also caused by memory corruption errors in
CoreGraphics, but while handling TrueType fonts. The eighth issue is in
FreeType v2.3.8, which has multiple integer overflows. The ninth issue
is in CoreGraphics' handling of malicious PDF files, which might lead to
memory corruption. The tenth issue exists while handling PNG files and
is caused by uninitialized pointers. The eleventh issue is caused by
improper handling of certain character encodings by ICU. The twelfth
issue is multiple vulnerabilities in libxml2 version 2.6.16. The
thirteenth issue is a bypass of revocation checking caused by improper
handling of EV certificates. The fourteenth issue is that the Reset
button in Reset Safari may not remove website passwords from memory
immediately. The fifteenth issue is an error in the Private Browsing
feature. The sixteenth issue is an error in the open-help-anchor URL
handler which may lead to disclosure of local file content. The
seventeenth issue is an error in the Safari Windows installer which
might lead to Safari being run with elevated privileges for its initial
launch. There are some further cross-site scripting, website spoofing,
memory corruption and type conversion errors in Apple WebKit which
might lead to remote code execution. Some technical details for some of
these vulnerabilities are publicly available.
Status: Vendor has confirmed, updates available.
References:
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-09-032
http://www.zerodayinitiative.com/advisories/ZDI-09-033
http://www.zerodayinitiative.com/advisories/ZDI-09-034
Apple Security Advisory
http://support.apple.com/kb/HT3613
CESA-2009-006 (Chris Evans)
http://scary.beasts.org/security/CESA-2009-006.html
CESA-2009-008 (Chris Evans)
http://scary.beasts.org/security/CESA-2009-008.html
Product HomePage
http://www.apple.com/safari/download/
SecurityFocus BID
http://www.securityfocus.com/bid/35260
*************************************************************
(9) HIGH: Microsoft Internet Information Services (IIS) WebDAV
Authentication Bypass Vulnerabilities (MS09-020)
Affected:
Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1
Microsoft Internet Information Services 6.0
Description: Microsoft Internet Information Services (IIS), a set of
Internet-based services for servers created by Microsoft, has elevation
of privilege vulnerabilities. The specific flaw lies in the WebDAV
plug-in, an extension of HTTP, of the affected IIS servers. The WebDAV
plug-in does not decode the URLs in HTTP requests properly, which
might result in WebDAV applying an incorrect configuration, one that
allows anonymous access. A specially crafted HTTP request is thus able
to bypass authentication. Some technical details about these
vulnerabilities are publicly available.
Status: Vendor has confirmed, updates available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx
Product HomePage
http://www.microsoft.com/windowsserver2003/iis/default.mspx
SecurityFocus BID's
http://www.securityfocus.com/bid/34993
http://www.securityfocus.com/bid/35232
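An added example for item (9) above (and for entry 09.24.30 in Part II); it is written for this bulletin and is not Microsoft's code. The publicly reported requests used an overlong UTF-8 percent-encoding of a path character, which the WebDAV code decoded differently from the component that applied the access rules. The checker below takes the general view: it percent-decodes a request path and flags any result that is not shortest-form UTF-8, so it catches that encoding and its variants (three-byte overlongs, surrogates, out-of-range code points). Function names and the sample paths are constructed for this example.

```c
/* Added example (not from Microsoft or this bulletin): a checker for the
 * class of URL-decoding mistake described in item (9).  It percent-decodes a
 * request path and then requires the result to be shortest-form UTF-8,
 * rejecting overlong sequences (an ASCII byte such as '/' written as two
 * or three bytes), UTF-16 surrogates and out-of-range code points.
 * Sample paths in main() are constructed. */
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decodes src into dst.  Returns the decoded length, or -1 on a
 * malformed escape or if the output does not fit. */
static int pct_decode(const char *src, unsigned char *dst, size_t dstsz) {
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        unsigned char b;
        if (src[i] == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            if (hi < 0) return -1;
            int lo = hexval((unsigned char)src[i + 2]);
            if (lo < 0) return -1;
            b = (unsigned char)(hi * 16 + lo);
            i += 2;
        } else {
            b = (unsigned char)src[i];
        }
        if (n >= dstsz) return -1;
        dst[n++] = b;
    }
    return (int)n;
}

/* Strict UTF-8 validation: every code point must use its shortest encoding. */
static int utf8_is_canonical(const unsigned char *s, size_t len) {
    size_t i = 0;
    while (i < len) {
        unsigned char b = s[i];
        size_t need;
        unsigned long cp, minimum;
        if (b < 0x80) { i++; continue; }
        else if ((b & 0xE0) == 0xC0) { need = 1; cp = b & 0x1F; minimum = 0x80; }
        else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; minimum = 0x800; }
        else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; minimum = 0x10000; }
        else return 0;                    /* stray continuation byte or invalid lead byte */
        if (i + need >= len) return 0;    /* truncated sequence */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < minimum) return 0;                   /* overlong: the bypass class */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;   /* UTF-16 surrogate */
        if (cp > 0x10FFFF) return 0;
        i += need + 1;
    }
    return 1;
}

/* 1 = canonical, 0 = non-canonical encoding (flag it), -1 = malformed escape. */
int check_request_path(const char *path) {
    unsigned char buf[4096];
    int n = pct_decode(path, buf, sizeof buf);
    if (n < 0) return -1;
    return utf8_is_canonical(buf, (size_t)n);
}

int main(void) {
    /* Constructed request paths; the second and third carry overlong encodings. */
    const char *samples[] = {
        "/protected/report.pdf",
        "/protected/%c0%afreport.pdf",
        "/%e0%80%afprotected/report.pdf",
        "/caf%c3%a9.html",
        "/bad%zz",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %d\n", samples[i], check_request_path(samples[i]));
    return 0;
}
```

A result of 0 or -1 on a request to an authenticated path is what to alert on in web server logs; legitimate clients have no reason to send an overlong encoding, so the false-positive rate of this rule is close to zero.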
*************************************************************
(10) MODERATE: MSN Protocol SLP Message Heap Overflow Vulnerability
Affected:
Adium 1.x
Pidgin version prior to 2.5.6
Description: Libpurple is a library implementing instant-messaging
protocols, among them the Microsoft Network (MSN) Messenger protocol.
Libpurple is used by numerous clients, including Pidgin and Adium.
Pidgin is installed by default on numerous Linux, UNIX, and Unix-like
operating systems, and Adium is a popular instant messaging application
for Apple Mac OS X. Libpurple's MSN protocol implementation has a heap
overflow vulnerability in its handling of SLP messages: the function
"msn_slplink_process_msg()" does not adequately check the offset value
carried in an SLP packet, so a specially crafted SLP packet can overflow
a heap buffer. Successful exploitation might lead to arbitrary code
execution.
Status: Vendor has confirmed, updates available.
References:
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-09-031
Pidgin Home Page
http://www.pidgin.im/
Adium Home Page
http://adium.im/
SecurityFocus BID
http://www.securityfocus.com/bid/35067
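An added example for item (10), written for this bulletin rather than taken from libpurple: a minimal model of the bug class in msn_slplink_process_msg(), where pieces of a message arrive with an offset into a heap buffer that was sized for the whole message. slp_chunk_fits_naive() is the check that looks sufficient but wraps around on a large offset; slp_chunk_fits() is written so that it cannot wrap. Structure names, field layout and the sample chunks are assumptions, not libpurple's.

```c
/* Added example (illustrative, not libpurple's msn_slplink_process_msg()):
 * reassembly of a message delivered as chunks, each carrying an offset into
 * the final message and a payload length.  slp_chunk_fits_naive() is the
 * unsafe check; slp_chunk_fits() is the one to use.  Names and field layout
 * are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Naive check: offset + length can wrap in 64-bit arithmetic, so a huge
 * offset passes and memcpy() then writes far outside the heap buffer. */
int slp_chunk_fits_naive(uint64_t total, uint64_t offset, uint32_t length) {
    return offset + length <= total;
}

/* Safe check: both comparisons are written so that nothing can overflow. */
int slp_chunk_fits(uint64_t total, uint64_t offset, uint32_t length) {
    if (offset > total) return 0;
    return length <= total - offset;
}

struct slp_buf {
    unsigned char *data;   /* heap buffer sized for the whole message */
    uint64_t total;
};

int slp_buf_init(struct slp_buf *b, uint64_t total) {
    b->data = calloc(total ? total : 1, 1);
    b->total = total;
    return b->data ? 0 : -1;
}

void slp_buf_free(struct slp_buf *b) { free(b->data); b->data = NULL; }

/* Copies one chunk into place only after the bounds check passes.
 * Returns 0 on success, -1 if the chunk would fall outside the buffer. */
int slp_chunk_append(struct slp_buf *b, uint64_t offset,
                     const unsigned char *payload, uint32_t length) {
    if (!slp_chunk_fits(b->total, offset, length)) return -1;
    memcpy(b->data + offset, payload, length);
    return 0;
}

/* Reassembles a constructed two-chunk message, then presents two hostile
 * chunks.  Returns 1 if both are rejected and the data is intact. */
int slp_demo(void) {
    static const unsigned char part1[] = "INVITE M";   /* 8 bytes used */
    static const unsigned char part2[] = "SNSLP/1.";   /* 8 bytes used */
    static const unsigned char evil[]  = "XXXXXXXX";
    struct slp_buf b;
    int ok;
    if (slp_buf_init(&b, 16) != 0) return 0;
    ok = slp_chunk_append(&b, 0, part1, 8) == 0
      && slp_chunk_append(&b, 8, part2, 8) == 0
      && slp_chunk_append(&b, 12, evil, 8) == -1              /* 4 bytes past the end */
      && slp_chunk_append(&b, UINT64_MAX - 3, evil, 8) == -1  /* wraps under the naive check */
      && memcmp(b.data, "INVITE MSNSLP/1.", 16) == 0;
    slp_buf_free(&b);
    return ok;
}

int main(void) { return slp_demo() ? 0 : 1; }
```

The second hostile chunk is the interesting one: offset + length wraps to 4, which the naive comparison accepts, and memcpy() would then write roughly 16 EiB below the buffer, i.e. into whatever happens to be at that address. Checking the offset against the total first, and the length against the remaining space second, removes the wraparound without any extra-width arithmetic.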
*************************************************************
(11) MODERATE: Microsoft RPC Marshalling Engine Vulnerability (MS09-026)
Affected:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Server 2008 (Itanium)
Microsoft Windows Server 2008 (Itanium) Service Pack 2
Description: The Microsoft Windows Remote Procedure Call (RPC) Marshalling
Engine, which provides a common RPC interface between RPC clients and
servers, has an elevation of privilege vulnerability. The specific flaw
is that the RPC Marshalling Engine does not update its internal state
appropriately while processing a specially crafted RPC message, causing
a pointer to be read from an incorrect location. Successful exploitation
might allow an attacker to execute arbitrary code. Note that Windows
itself ships no RPC server or client that exposes this flaw, so a default
installation is not exploitable; third-party RPC applications, however,
could be affected. Some technical details about this vulnerability are
publicly available.
Status: Vendor has confirmed, updates available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-026.mspx
Vendor HomePage
http://www.microsoft.com/en/us/default.aspx
SecurityFocus BID
http://www.securityfocus.com/bid/35219
*************************************************************
(12) MODERATE: Microsoft PowerPoint Freelance parsing Vulnerability
Affected:
Microsoft Office PowerPoint 2000
Microsoft Office PowerPoint 2002
Description: Microsoft Office PowerPoint, a presentation program from
Microsoft, has a heap-based buffer overflow vulnerability. Opening or
viewing a specially crafted Freelance file can trigger it. The flaw is
caused by an array indexing error in the Microsoft PowerPoint Freelance
Windows 2.1 Translator "FL21WIN.DLL" while parsing layout information.
Successful exploitation might lead to arbitrary code execution. Note
that systems with MS09-017 applied are not vulnerable by default, because
that update disables support for Freelance files and so blocks them from
being opened. Support can, however, be re-enabled through a registry
key. Microsoft has stated that no fix will be issued for this issue, so
users who have re-enabled Freelance file support should not open
Freelance files from untrusted sources.
Status: Vendor has confirmed, no updates available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
Secunia Research: Microsoft PowerPoint Freelance Layout Parsing Vulnerability
http://secunia.com/secunia_research/2009-29/
Product HomePage
http://office.microsoft.com/en-us/FX010857971033.aspx
SecurityFocus BID
http://www.securityfocus.com/bid/35275
*************************************************************
(13) LOW: Microsoft Windows Kernel Local Elevation of Privilege Vulnerabilities (MS09-025)
Affected:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Server 2008 (Itanium)
Microsoft Windows Server 2008 (Itanium) Service Pack 2
Description: The Microsoft Windows kernel, the core of the operating
system that provides system-level services, has multiple elevation of
privilege vulnerabilities. The first issue is an error in the way the
Windows kernel validates changes to certain kernel objects. The second
issue is caused by inadequate validation of pointers passed from user
mode. The third issue is caused by inadequate validation of an argument
passed to a system call. The fourth issue is due to inadequate checks
on user-mode input while editing a specific desktop parameter.
Successful exploitation might allow an attacker to run arbitrary code in
kernel mode. Some technical details for these vulnerabilities are
publicly available.
Status: Vendor has confirmed, updates available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-025.mspx
Product HomePage
http://www.microsoft.com/windows/default.aspx
SecurityFocus BID's
http://www.securityfocus.com/bid/35120
http://www.securityfocus.com/bid/35121
http://www.securityfocus.com/bid/35238
http://www.securityfocus.com/bid/35240
*************************************************************
(14) LOW: Microsoft Windows Search Information Disclosure Vulnerability (MS09-023)
Affected:
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Description: Microsoft Windows Search, a feature that provides instant
search of files, e-mail, contacts and so on, has an information
disclosure vulnerability. The specific flaw is that Windows Search does
not adequately restrict the environment in which scripts are executed.
Successful exploitation might allow an attacker to run a malicious
script. Note that the Windows Search component is not installed by
default on Microsoft Windows XP or Microsoft Windows Server 2003.
Status: Vendor has confirmed, updates available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-023.mspx
Product HomePage
http://www.microsoft.com/windows/default.aspx
SecurityFocus BID
http://www.securityfocus.com/bid/35220
*************************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 24, 2009
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 7103 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________
09.24.1 CVE: CVE-2009-1124
Platform: Windows
Title: Microsoft Windows Pointer Validation Local Privilege Escalation
Description: Microsoft Windows is exposed to a local
privilege escalation vulnerability that occurs in the Windows kernel.
This issue occurs because the software fails to properly validate
certain pointers passed from user mode to kernel mode.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-025.mspx
______________________________________________________________________
09.24.2 CVE: CVE-2009-1125
Platform: Windows
Title: Microsoft Windows Argument Validation Local Privilege
Escalation
Description: Microsoft Windows is exposed to a local privilege
escalation issue that occurs in the Windows kernel. This issue occurs
because the software fails to properly validate arguments passed to a
system call. An attacker can exploit this issue to execute arbitrary
code with kernel-level privileges.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-025.mspx
______________________________________________________________________
09.24.3 CVE: Not Available
Platform: Windows
Title: Microsoft Windows DNS Devolution Third-Level Domain Name
Resolving Weakness
Description: DNS devolution is a feature of the Microsoft Windows DNS
client. It lets Windows DNS clients resolve queries for single-label,
unqualified hostnames by appending the client's DNS suffix and then
progressively removing the leftmost label of that suffix until the name
resolves. A single-label hostname is a name that carries no suffix such
as ".com" or ".net". Windows is exposed to a weakness in the Windows DNS
client that arises from a design error in the devolution process. This
issue may allow an attacker to host systems outside the organizational
boundary that the resolver nonetheless treats as internal to the
organization.
Ref: http://www.microsoft.com/technet/security/advisory/971888.mspx
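An added example for entry 09.24.3; it is not Microsoft's resolver code. It models devolution as the entry describes it: for a single-label name and the client's primary DNS suffix it lists the fully qualified candidates the resolver would try, dropping the leftmost label of the suffix each round. min_labels is the stop rule: 2 models devolving down to a two-label suffix, which is the default behaviour the advisory addresses (taken here as an assumption about the default); setting it to the label count of the organization's forest root models a resolver that stops at the organizational boundary. The host name "wpad", the suffix and the root below are constructed.

```c
/* Added example, not Microsoft's resolver code: a model of DNS devolution.
 * devolve() lists the candidate FQDNs for an unqualified name; inside_org()
 * tests whether a candidate lies under the organisation's root; the
 * count_outside() figure is what the weakness is about.  Sample names are
 * constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_CAND 16
#define MAX_NAME 256

static int count_labels(const char *s) {
    int n = (*s != '\0');
    for (; *s; s++) if (*s == '.') n++;
    return n;
}

/* Writes "<host>.<suffix>" candidates to out[] and returns how many. */
int devolve(const char *host, const char *suffix, int min_labels,
            char out[][MAX_NAME], int max_out) {
    const char *p = suffix;
    int n = 0;
    while (p != NULL && *p != '\0' && n < max_out && count_labels(p) >= min_labels) {
        snprintf(out[n++], MAX_NAME, "%s.%s", host, p);
        p = strchr(p, '.');          /* drop the leftmost label of the suffix */
        if (p != NULL) p++;
    }
    return n;
}

/* 1 if fqdn lies under org_root (ends with ".<org_root>"), else 0. */
int inside_org(const char *fqdn, const char *org_root) {
    size_t fl = strlen(fqdn), rl = strlen(org_root);
    if (fl <= rl) return 0;
    return fqdn[fl - rl - 1] == '.' && strcmp(fqdn + (fl - rl), org_root) == 0;
}

/* Number of candidates the resolver would query outside the organisation. */
int count_outside(const char *host, const char *suffix, int min_labels,
                  const char *org_root) {
    char cand[MAX_CAND][MAX_NAME];
    int n = devolve(host, suffix, min_labels, cand, MAX_CAND), outside = 0;
    for (int i = 0; i < n; i++)
        if (!inside_org(cand[i], org_root)) outside++;
    return outside;
}

/* idx-th candidate in static storage, or "" when there is none. */
const char *devolve_nth(const char *host, const char *suffix, int min_labels, int idx) {
    static char cand[MAX_CAND][MAX_NAME];
    int n = devolve(host, suffix, min_labels, cand, MAX_CAND);
    return (idx >= 0 && idx < n) ? cand[idx] : "";
}

int main(void) {
    /* Constructed: a workstation in corp.example.co.uk looking up "wpad". */
    const char *suffix = "corp.example.co.uk", *root = "example.co.uk";
    char cand[MAX_CAND][MAX_NAME];
    int n = devolve("wpad", suffix, 2, cand, MAX_CAND);
    for (int i = 0; i < n; i++)
        printf("%-28s %s\n", cand[i], inside_org(cand[i], root) ? "inside" : "OUTSIDE org");
    printf("two-label stop rule: %d outside; forest-root stop rule: %d outside\n",
           count_outside("wpad", suffix, 2, root),
           count_outside("wpad", suffix, count_labels(root), root));
    return 0;
}
```

With the two-label stop rule the third candidate is wpad.co.uk, a name anyone can register, which is exactly the "outside the organizational boundary but treated as internal" case; stopping at the forest root (three labels here) never produces it.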
______________________________________________________________________
09.24.4 CVE: CVE-2009-0228
Platform: Windows
Title: Microsoft Windows Print Spooler Remote Buffer Overflow
Description: Print Spooler is a service in Microsoft Windows that
manages the printing process. The Print Spooler service is exposed to
a buffer overflow issue because the software fails to properly parse
certain printing data structures. Specifically, "ShareName" values
aren't handled properly during enumeration.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx
______________________________________________________________________
09.24.5 CVE: CVE-2009-0229
Platform: Windows
Title: Microsoft Windows Print Spooler Local Information Disclosure
Description: Print Spooler is a service in Microsoft Windows that
manages the printing process. The Print Spooler service is exposed to
a local information disclosure issue because it fails to put any
restrictions on the files that can be included from separator pages.
Specifically, the Windows Printing Service allows users to include any
file on the local system.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx
______________________________________________________________________
09.24.6 CVE: CVE-2009-0230
Platform: Windows
Title: Microsoft Windows Print Spooler Remote Code Execution
Description: Print Spooler is a service in Microsoft Windows that
manages the printing process. The Print Spooler service is exposed to
a remote code execution issue because it fails to validate the paths
from which a DLL may be loaded.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx
______________________________________________________________________
09.24.7 CVE: CVE-2009-0239
Platform: Windows
Title: Microsoft Windows Search Script Injection
Description: Microsoft Windows Search is a search solution for
Windows-based systems. Microsoft Windows Search is exposed to a script
injection issue because it fails to adequately sanitize user-supplied
input when previewing search results. Successful exploits will cause
malicious script code to run in the local context, allowing attackers
to steal potentially sensitive information or perform other attacks.
Windows Search installed on any supported edition of Windows XP or
Windows Server 2003 is affected.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-023.mspx
______________________________________________________________________
09.24.8 CVE: CVE-2009-1533
Platform: Microsoft Office
Title: Microsoft Office Works for Windows Document Converters Remote
Code Execution
Description: Microsoft Office Works for Windows document converters
are used by Microsoft Office applications to interact with documents
in the Microsoft Works file format. Microsoft Office Works for Windows
document converters are exposed to a remote code execution issue
because the application fails to properly handle specially crafted
files. The vulnerability occurs when the application processes a
specially crafted ".wps" file and fails to adequately bounds check
user-supplied data before copying it into a stack-based buffer.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-024.mspx
______________________________________________________________________
09.24.9 CVE: CVE-2009-0563
Platform: Microsoft Office
Title: Microsoft Word Record Parsing (CVE-2009-0563) Remote Code
Execution
Description: Microsoft Word is a word processor available for multiple
platforms. Word is exposed to a remote code execution issue that stems
from a buffer overflow condition when the application processes a
specially crafted Word file with a malformed record value.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-027.mspx
______________________________________________________________________
09.24.10 CVE: CVE-2009-0565
Platform: Microsoft Office
Title: Microsoft Word Record Parsing (CVE-2009-0565) Remote Code
Execution
Description: Microsoft Word is a word processor available for multiple
platforms. Word is exposed to a remote code execution issue that stems
from a buffer overflow condition when the application processes a
specially crafted Word file with a malformed record value.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-027.mspx
______________________________________________________________________
09.24.11 CVE: CVE-2009-0549
Platform: Microsoft Office
Title: Microsoft Excel Record Pointer Corruption Remote Code Execution
Description: Microsoft Excel is a spreadsheet application that is part
of the Microsoft Office suite. Excel is exposed to a remote code
execution issue that occurs when the application parses an Excel file
that contains a malformed record object.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-021.mspx
______________________________________________________________________
09.24.12 CVE: CVE-2009-0557
Platform: Microsoft Office
Title: Microsoft Excel Record Object Remote Code Execution
Description: Microsoft Excel is a spreadsheet application that is part
of the Microsoft Office suite. Excel is exposed to a remote
code execution issue when parsing malformed Excel files. This issue
occurs because of memory corruption when the application handles a
specially crafted record object.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-021.mspx
______________________________________________________________________
09.24.13 CVE: CVE-2009-0558
Platform: Microsoft Office
Title: Microsoft Excel Array Indexing Remote Code Execution
Description: Microsoft Excel is a spreadsheet application that is part
of the Microsoft Office suite. Excel is exposed to a remote code
execution issue when parsing malformed Excel files. This issue occurs
because of memory corruption when the application handles a specially
crafted record object.
Ref: http://www.securityfocus.com/archive/1/504188
______________________________________________________________________
09.24.14 CVE: CVE-2009-0559
Platform: Microsoft Office
Title: Microsoft Excel String Copy Stack Overflow Remote Code
Execution
Description: Microsoft Excel is a spreadsheet application that is part
of the Microsoft Office suite. Excel is exposed to a remote code
execution issue when parsing malformed Excel files. Memory may become
corrupted because a string copy operation could trigger a stack-based
buffer overflow when the application handles a specially crafted Excel
file.
Ref: http://www.securityfocus.com/archive/1/504180
______________________________________________________________________
09.24.15 CVE: CVE-2009-0560
Platform: Microsoft Office
Title: Microsoft Excel Field Sanitization Remote Code Execution
Description: Microsoft Excel is a spreadsheet application that is part
of the Microsoft Office suite. Excel is exposed to a remote code
execution issue when parsing malformed Excel files. This issue occurs
because the software fails to properly handle malformed data in an
unspecified field, which can lead to memory corruption.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-021.mspx
______________________________________________________________________
09.24.16 CVE: CVE-2009-0561
Platform: Microsoft Office
Title: Microsoft Excel Malformed Record Object Integer Overflow
Description: Microsoft Excel is a spreadsheet application that is part
of the Microsoft Office suite. Excel is exposed to an integer overflow
issue when parsing malformed Excel files. This issue occurs because
the software fails to properly handle data in a malformed record
object, which can lead to memory corruption.
Ref: http://www.securityfocus.com/archive/1/504190
______________________________________________________________________
09.24.17 CVE: CVE-2009-1134
Platform: Microsoft Office
Title: Microsoft Excel Record Pointer Corruption Variant Remote Code
Execution
Description: Microsoft Excel is a spreadsheet application that is part
of the Microsoft Office suite. Excel is exposed to a remote code
execution issue when parsing malformed Excel files. This issue occurs
because of memory corruption when the application handles a specially
crafted record object.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-021.mspx
______________________________________________________________________
09.24.18 CVE: CVE-2009-0202
Platform: Microsoft Office
Title: Microsoft PowerPoint Freelance Layout Parsing Heap Based Buffer
Overflow
Description: Freelance files are presentation files used with Lotus
Freelance Graphics which is a presentation software as part of the
Lotus SmartSuite collection. They can be translated and used with
Microsoft PowerPoint. Microsoft PowerPoint is exposed to a heap-based
buffer overflow issue that affects the Microsoft PowerPoint Freelance
Windows 2.1 Translator ("FL21WIN.DLL").
Ref: http://secunia.com/secunia_research/2009-29/
______________________________________________________________________
09.24.19 CVE: CVE-2009-1141
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer (CVE-2009-1141) Uninitialized
Memory Remote Code Execution
Description: Microsoft Internet Explorer is a browser for the Windows
operating system. Internet Explorer is exposed to a remote code
execution issue that arises when the application displays a webpage
containing unexpected calls to HTML objects. Successful exploits will
allow the attacker to execute arbitrary code in the context of the
user running the application, which can compromise the application and
possibly the computer.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
______________________________________________________________________
09.24.20 CVE: CVE-2009-1140
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer Cached Content Cross Domain
Information Disclosure
Description: Microsoft Internet Explorer is a web browser available
for Microsoft Windows. The browser is exposed to a cross-domain
information disclosure issue because it fails to properly enforce the
same-origin policy. Specifically, it fails to prevent cached content
from being rendered as HTML.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
______________________________________________________________________
09.24.21 CVE: CVE-2009-0568
Platform: Other Microsoft Products
Title: Microsoft RPC Marshalling Engine Remote Code Execution
Description: Microsoft Windows RPC Marshalling Engine is a component
that provides a common RPC interface between RPC clients and servers.
RPC Marshalling Engine is exposed to a remote code execution issue
because it fails to properly update the internal state, causing a
pointer to be read from an incorrect location.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-026.mspx
______________________________________________________________________
09.24.22 CVE: CVE-2009-1528
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer (CVE-2009-1528) Uninitialized
Memory Remote Code Execution
Description: Microsoft Internet Explorer is a browser for the Windows
operating system. Internet Explorer is exposed to a remote
code execution issue that arises when it tries to access uninitialized
memory related to HTML objects. Attackers can exploit this issue to
execute arbitrary code in the context of the user running the browser.
Successful exploits will compromise the browser and possibly the
computer.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
______________________________________________________________________
09.24.23 CVE: CVE-2009-1529
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer (CVE-2009-1529) Uninitialized
Memory Remote Code Execution
Description: Microsoft Internet Explorer is a browser for the Windows
operating system. Internet Explorer is exposed to a remote
code execution issue that arises when it tries to access objects that
haven't been properly initialized or have been deleted. The attacker
can exploit this issue to execute arbitrary code in the context of the
user running the browser. Successful exploits will compromise the
browser and possibly the computer.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
______________________________________________________________________
09.24.24 CVE: CVE-2009-1530
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer (CVE-2009-1530) Uninitialized
Memory Remote Code Execution
Description: Microsoft Internet Explorer is a browser for the Windows
operating system. Internet Explorer is exposed to a remote code
execution issue that arises when it tries to access HTML objects that
have not been initialized or have been deleted. Successful exploits
will allow the attacker to execute arbitrary code in the context of
the user running the browser. Successful exploits will compromise the
browser and possibly the computer.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
______________________________________________________________________
09.24.25 CVE: CVE-2009-1531
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer (CVE-2009-1531) Uninitialized
Memory Remote Code Execution
Description: Microsoft Internet Explorer is a browser for the Windows
operating system. Internet Explorer is exposed to a remote
code execution issue that arises when it tries to access HTML objects
that haven't been properly initialized or have been deleted. The
attacker can exploit this issue to execute arbitrary code in the
context of the user running the browser. Successful exploits will
compromise the browser and possibly the computer.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
______________________________________________________________________
09.24.26 CVE: CVE-2009-1532
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer (CVE-2009-1532) Uninitialized
Memory Remote Code Execution
Description: Microsoft Internet Explorer is a browser for the Windows
operating system. Internet Explorer is exposed to a remote code
execution issue that arises when it tries to access HTML objects that
haven't been properly initialized or have been deleted. The attacker
can exploit this issue to execute arbitrary code in the context of the
user running the browser. Successful exploits will compromise the
browser and possibly the computer.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
______________________________________________________________________
09.24.27 CVE: CVE-2008-0024
Platform: Other Microsoft Products
Title: Microsoft Visual Studio "MSCOMM32.OCX" ActiveX Control Heap
Buffer Overflow
Description: Microsoft Visual Studio is a suite of tools for software
development. Visual Studio is exposed to a heap-based buffer overflow
issue that affects the "MSCOMM32.OCX" ActiveX control. Successful
exploits will allow attackers to execute arbitrary code within the
context of the affected application that uses the ActiveX control
(typically Internet Explorer).
Ref: http://www.iss.net/threats/328.html
______________________________________________________________________
09.24.28 CVE: CVE-2009-1139
Platform: Other Microsoft Products
Title: Microsoft Active Directory Memory Leak Denial of Service
Description: Microsoft Active Directory is an LDAP (Lightweight
Directory Access Protocol) implementation distributed with multiple
Windows operating systems. The application is exposed to a denial of
service issue that stems from improper memory management when
processing specially crafted LDAP or LDAPS requests containing
specific Object Identifier (OID) filters.
Ref: http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
______________________________________________________________________
09.24.29 CVE: CVE-2009-1138
Platform: Other Microsoft Products
Title: Microsoft Active Directory Memory Corruption Remote Code
Execution
Description: Microsoft Active Directory is an LDAP (Lightweight
Directory Access Protocol) implementation distributed with multiple
Windows operating systems. Microsoft Active Directory is exposed to a
remote code execution issue because the software fails to properly
free memory when handling specially crafted LDAP or LDAPS requests.
Ref: http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
______________________________________________________________________
09.24.30 CVE: CVE-2009-1122
Platform: Other Microsoft Products
Title: Microsoft IIS 5.0 WebDAV Authentication Bypass
Description: Microsoft Internet Information Services (IIS) is a
webserver available for Microsoft Windows. The application is exposed
to an authentication bypass issue because the WebDAV extension for IIS
fails to properly enforce access restrictions on certain requests to a
site that requires authentication. IIS version 5.0 is affected.
Ref: http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx
______________________________________________________________________
09.24.31 CVE: Not Available
Platform: Third Party Windows Apps
Title: SAP AG SAPgui "sapirrfc.dll" ActiveX Control Buffer Overflow
Description: SAP AG SAPgui is a graphical user interface (GUI)
included in various SAP applications. The application is exposed to a
remote buffer overflow issue because it fails to perform adequate
boundary checks on user-supplied data. SAPgui version 6.4 is affected.
Ref: http://www.securityfocus.com/archive/1/504141
______________________________________________________________________
09.24.32 CVE: CVE-2008-2475
Platform: Third Party Windows Apps
Title: eBay Enhanced Picture Services ActiveX Control Remote Code
Execution
Description: eBay Enhanced Picture Service ActiveX control is an
application that allows a seller to upload pictures to an auction. The
application is available for Microsoft Windows. The eBay Enhanced
Picture Services ActiveX control is exposed to a remote code execution
issue. Successfully exploiting this issue will allow attackers to
execute arbitrary code within the context of the affected application
that uses the ActiveX control.
Ref: http://www.securityfocus.com/bid/35266
______________________________________________________________________
09.24.33 CVE: Not Available
Platform: Third Party Windows Apps
Title: Derivco ActiveX Control Unspecified Security Vulnerability
Description: Derivco ActiveX control is prone to an unspecified
security vulnerability. The ActiveX control can be identified by
CLSID: D8089245-3211-40F6-819B-9E5E92CD61A2. Attackers may exploit
this issue by enticing an unsuspecting victim to view a malicious
webpage.
Ref: http://www.microsoft.com/technet/security/advisory/969898.mspx
______________________________________________________________________
09.24.34 CVE: Not Available
Platform: Solaris
Title: Sun Solaris Kerberos Credential Management Security Bypass
Description: Solaris Kerberos is exposed to a security-bypass issue
that affects Kerberos credential cache management. Successful
exploitation may allow a local attacker to gain unauthorized access to
Kerberized NFS mount points.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-252787-1
______________________________________________________________________
09.24.35 CVE: Not Available
Platform: Solaris
Title: Sun OpenSolaris "idmap(1M)" Local Denial of Service
Description: Sun OpenSolaris is a UNIX-based operating system.
OpenSolaris is exposed to a local denial of service issue.
Specifically, an unspecified problem in the idmap(1M) command allows
local users to kill the "idmapd(1M)" daemon on a CIFS (Common Internet
File System/Windows file service) server.
OpenSolaris builds snv_88 through snv_110 are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-260508-1
______________________________________________________________________
09.24.36 CVE: Not Available
Platform: Solaris
Title: Sun Solaris "rpc.nisd(1M)" Daemon NIS+ Server Remote Denial of
Service
Description: An unspecified error in the Sun Solaris "rpc.nisd(1M)"
daemon allows remote attackers to crash an instance of the NIS+ server,
causing the NIS+ service to stop responding to further requests from
NIS+ clients. Sun Solaris 8, Solaris 9, Solaris 10, and OpenSolaris
based upon builds snv_01 through snv_103 are affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-256748-1
______________________________________________________________________
09.24.37 CVE: Not Available
Platform: Aix
Title: IBM AIX "portmapper" Remote Denial of Service
Description: IBM AIX is a UNIX-based operating system. AIX is exposed
to a remote denial of service issue in an unspecified function of
"libtli" in the "portmapper" service. AIX version 5.3 is affected.
Ref: http://www.securityfocus.com/bid/35211
______________________________________________________________________
09.24.38 CVE: CVE-2009-1196
Platform: Unix
Title: CUPS Scheduler Directory Services Remote Denial of Service
Description: CUPS (Common UNIX Printing System) is a widely used set
of printing utilities for UNIX-based systems. The application is
exposed to a denial of service issue caused by a use-after-free error.
This issue affects the scheduler directory services routine. The
attacker can exploit this issue to crash the affected application,
denying service to legitimate users.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=497135
______________________________________________________________________
09.24.39 CVE: CVE-2009-0791
Platform: Unix
Title: CUPS PDF File Multiple Heap Buffer Overflow Vulnerabilities
Description: CUPS (Common UNIX Printing System) is a widely used set
of printing utilities for UNIX-based systems. CUPS is exposed to
multiple remote heap-based buffer overflow issues because it fails to
properly bounds check user-supplied input before copying it into a
finite-sized buffer. Specifically, the problem occurs in the CUPS
"pdftops" filter when handling malformed PDF documents.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=491840
______________________________________________________________________
09.24.40 CVE: CVE-2009-0033
Platform: Cross Platform
Title: Apache Tomcat Java AJP Connector Invalid Header Denial of
Service
Description: Apache Tomcat is a Java-based web server for multiple
operating systems. Tomcat is exposed to a denial of service issue that
occurs when the Java AJP connector receives a request containing
invalid headers. This causes the "mod_jk" load balancing worker to
fall into an invalid state.
Ref: http://www.securityfocus.com/archive/1/504044
______________________________________________________________________
09.24.41 CVE: CVE-2009-0580
Platform: Cross Platform
Title: Apache Tomcat Form Authentication Existing/Non-Existing
Username Enumeration Weakness
Description: The application is exposed to a username enumeration
weakness because it displays different responses to login attempts,
depending on whether or not the username exists. Specifically, this
issue occurs when Form Authentication is enabled and the server is
configured to use any of the following authentication realms:
"MemoryRealm, DataSourceRealm, JDBCRealm".
Ref: http://www.securityfocus.com/archive/1/504125
______________________________________________________________________
09.24.42 CVE: Not Available
Platform: Cross Platform
Title: Hitachi Web Server Reverse Proxy Denial of Service
Description: Hitachi Web Server is a web application server available
for multiple operating systems. Hitachi Web Server is exposed to a
denial of service issue because the reverse proxy function fails to
properly handle invalid responses from a remote backend server.
Attackers may exploit this issue to cause denial of service
conditions.
Ref:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS07-039/index.html
______________________________________________________________________
09.24.43 CVE: CVE-2009-0023
Platform: Cross Platform
Title: Apache APR-util "apr_strmatch_precompile()" Integer Underflow
Description: Apache "APR-util" is a library of utility functions used
by several software applications, including the Apache HTTP server.
"APR-util" is exposed to an integer-underflow issue. This error
affects the "apr_strmatch_precompile()" function in the
"strmatch/apr_strmatch.c" source file. "APR-util" versions prior to
1.3.5 are affected.
Ref: http://svn.apache.org/viewvc?view=rev&revision=779880
______________________________________________________________________
09.24.44 CVE: Not Available
Platform: Cross Platform
Title: Online Armor Personal Firewall IOCTL Request Local Privilege
Escalation
Description: Online Armor Personal Firewall is a security suite for
Microsoft Windows operating systems. The application is exposed to a
local privilege escalation issue because the application fails to
properly validate address space when the "OAmon.sys" device driver
processes IOCTL requests. Online Armor Personal Firewall versions
3.5.0.12 and earlier are affected.
Ref: http://www.ntinternals.org/ntiadv0806/ntiadv0806.html
______________________________________________________________________
09.24.45 CVE: Not Available
Platform: Cross Platform
Title: Sun GlassFish Enterprise Server HTTP Engine/Admin Interface
Local Denial of Service
Description: Sun GlassFish Enterprise Server is a web application
framework. The software is exposed to a local denial of service issue
that affects the HTTP Engine and the administration interface.
GlassFish Enterprise Server version 2.1 is affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-258528-1
______________________________________________________________________
09.24.46 CVE: Not Available
Platform: Cross Platform
Title: Libpng 1-bit Interlaced Images Information Disclosure
Description: The "libpng" library is a PNG reference library. The
library is exposed to an information disclosure issue that stems from
an error in parsing crafted 1-bit (2-color) interlaced images whose
widths are not divisible by 8. This may allow an attacker to obtain
several uninitialized bits from certain rows of the interlaced images.
libpng versions prior to 1.2.37 are affected.
Ref: http://www.securityfocus.com/bid/35233
______________________________________________________________________
09.24.47 CVE: Not Available
Platform: Cross Platform
Title: XM Easy Personal FTP Server Multiple Command Remote Buffer
Overflow Vulnerabilities
Description: XM Easy Personal FTP Server is an FTP server application
available for Microsoft Windows. The application is exposed to
multiple remote buffer overflow issues because the software fails to
sufficiently sanitize user-supplied arguments to the "HELP" and "TYPE"
FTP commands. XM Easy Personal FTP Server version 5.7.0 is affected.
Ref: http://www.securityfocus.com/archive/1/504122
______________________________________________________________________
09.24.48 CVE: Not Available
Platform: Cross Platform
Title: HP Discovery and Dependency Mapping Inventory Unauthorized
Access
Description: HP Discovery and Dependency Mapping Inventory (DDMI) is
an asset management application. The software is exposed to an
unspecified unauthorized-access issue that affects the RGS Sender when
running Easy Login.
Ref: http://www.securityfocus.com/bid/35250
______________________________________________________________________
09.24.49 CVE: CVE-2009-1956
Platform: Cross Platform
Title: Apache APR-util "apr_brigade_vprintf" Off By One
Description: Apache "APR-util" is a library of utility functions used
by several software applications, including the Apache HTTP server.
Apache "APR-util" is exposed to an off-by-one issue that may allow
attackers to obtain sensitive information or trigger a
denial of service condition. This issue results from a design error
and affects the "apr_brigade_vprintf" function of the library.
"APR-util" versions prior to 1.3.5 on big-endian platforms are
affected.
Ref: http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
______________________________________________________________________
09.24.50 CVE: CVE-2009-1955
Platform: Cross Platform
Title: Apache APR-util "xml/apr_xml.c" Denial of Service
Description: Apache "APR-util" is a library of utility functions used
by several software applications, including the Apache HTTP server.
Apache "APR-util" is exposed to a denial of service issue.
Specifically, the issue affects the expat XML parser in the
"apr_xml_*" interface of the "xml/apr_xml.c" file. "APR-util" versions
prior to 1.3.7 are affected.
Ref: http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
______________________________________________________________________
09.24.51 CVE: Not Available
Platform: Cross Platform
Title: Serene Bach Session Hijacking
Description: Serene Bach is a Japanese blogging application. The
application is exposed to a session-hijacking issue. The application
fails to protect session identifiers and may create predictable
session ID sequences. This may allow an attacker to gain access to the
affected application by guessing a valid session ID. Serene Bach
versions prior to 2.21R are affected.
Ref: http://www.securityfocus.com/bid/35254
______________________________________________________________________
09.24.52 CVE: Not Available
Platform: Cross Platform
Title: wxWidgets Multiple Security Vulnerabilities
Description: wxWidgets is a library and API for creating GUI
applications on multiple platforms. The library is exposed to multiple
security issues. Exploiting these issues may allow remote attackers to
execute arbitrary code in the context of the affected application.
Failed exploit attempts will likely cause denial of service.
Ref:
http://svn.wxwidgets.org/svn/wx/wxWidgets/branches/WX_2_8_BRANCH/docs/changes.txt
______________________________________________________________________
09.24.53 CVE: CVE-2009-1718, CVE-2009-1715, CVE-2009-1714,
CVE-2009-1713, CVE-2009-1712, CVE-2009-1711, CVE-2009-1710,
CVE-2009-1709, CVE-2009-1703, CVE-2009-1702, CVE-2009-1701,
CVE-2009-1700, CVE-2009-1699, CVE-2009-1698, CVE-2009-1697,
CVE-2009-1696, CVE-2009-1695, CVE-2009-1694, CVE-2009-1693,
CVE-2009-1691, CVE-2009-1690, CVE-2009-1689, CVE-2009-1688,
CVE-2009-1687, CVE-2009-1686, CVE-2009-1685, CVE-2009-1684,
CVE-2009-1681, CVE-2009-1708, CVE-2009-1707, CVE-2009-1706,
CVE-2009-1682, CVE-2009-1705, CVE-2009-1716, CVE-2009-1704
Platform: Cross Platform
Title: Apple Safari Prior to 4.0 Multiple Security Vulnerabilities
Description: Apple Safari is a web browser available for Mac OS X and
Microsoft Windows. Safari is exposed to multiple security issues.
Attackers may exploit these issues to execute arbitrary code, launch
cross-site scripting attacks, elevate privileges, or obtain sensitive
information. Safari versions prior to 4.0 running on Apple Mac OS X
10.4.11 and 10.5.7, Microsoft Windows XP, and Windows Vista are
affected.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-09-034/
______________________________________________________________________
09.24.54 CVE: CVE-2009-1760
Platform: Cross Platform
Title: Rasterbar Software libtorrent Arbitrary File Overwrite
Description: The "libtorrent" library is a BitTorrent library
available for multiple platforms. The library is exposed to an
arbitrary file overwrite issue that occurs due to a failure to handle
malformed data contained in a ".torrent" BitTorrent file.
Specifically, the library fails to properly validate "path" elements
used to specify file locations. libtorrent versions prior to 0.14.4
are affected.
Ref: http://census-labs.com/news/2009/06/08/libtorrent-rasterbar/
______________________________________________________________________
09.24.55 CVE: CVE-2009-1697
Platform: Cross Platform
Title: WebKit "XMLHttpRequest" HTTP Response Splitting
Description: WebKit is a browser framework used in multiple
applications, including Apple Safari and Google Chrome browsers.
WebKit is exposed to an HTTP response-splitting issue because it fails
to adequately sanitize user-supplied input. This issue can occur
because CRLF characters may be injected into "XMLHttpRequest" headers.
When the request does not contain a "Host" header, the same-origin
policy can be bypassed, allowing attacker-supplied JavaScript to
interact with other sites hosted on the same server.
Ref: http://www.securityfocus.com/archive/1/504187
______________________________________________________________________
09.24.56 CVE: CVE-2009-1690
Platform: Cross Platform
Title: WebKit DOM Event Handler Remote Memory Corruption
Description: WebKit is a browser framework used in multiple
applications, including Apple Safari and Google Chrome browsers.
WebKit is exposed to a remote memory corruption issue because it fails
to handle recursion over unspecified DOM events. Very few details are
available regarding this issue.
Ref:
http://googlechromereleases.blogspot.com/2009/06/stable-update-2-webkit-security-fixes.html
______________________________________________________________________
09.24.57 CVE: CVE-2008-5515
Platform: Cross Platform
Title: Apache Tomcat "RequestDispatcher" Information Disclosure
Description: Apache Tomcat is a Java-based web server for multiple
operating systems. The application is exposed to a remote information
disclosure issue that exists in the "RequestDispatcher". An attacker
can exploit this issue by constructing and submitting a specially
crafted request parameter. Apache Tomcat versions 6.0.0 through
6.0.18, 5.5.0 through 5.5.27 and 4.1.0 through 4.1.39 are affected.
Ref:
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html
______________________________________________________________________
09.24.58 CVE: Not Available
Platform: Cross Platform
Title: IBM OS/400 JVA-RUN JDK6.0 XML Digital Signature Unspecified
Security
Description: IBM OS/400 is an operating system for IBM Power systems.
IBM OS/400 is exposed to an unspecified issue that occurs due to an
error in the XML Digital Signature verification process. IBM OS/400
versions V6R1M0 and V5R4M0 are affected.
Ref:
http://www-01.ibm.com/support/docview.wss?uid=nas2e858199605d67111862575cc003c7276
______________________________________________________________________
09.24.59 CVE: Not Available
Platform: Cross Platform
Title: PDFlib Lite PNG Image Size Integer Overflow
Description: PDFlib Lite is a library used to construct PDF files. The
library is exposed to an integer overflow issue because it fails to
perform adequate boundary checks on user-supplied data before using it
to allocate memory buffers. This issue occurs when processing
malformed PNG images. PDFlib Lite versions prior to 7.0.4p4 are
affected.
Ref: http://www.securityfocus.com/bid/35266
______________________________________________________________________
09.24.60 CVE: CVE-2009-1420
Platform: Cross Platform
Title: HP OpenView Network Node Manager SNMP and MIB Unspecified
Remote Code Execution
Description: HP OpenView Network Node Manager (NNM) is a
fault management application for IP networks. The application is
exposed to a remote code execution issue caused by an unspecified
error. This issue occurs when the application is configured with SNMP
(Simple Network Management Protocol) and MIB (Management Information
Base). NNM versions 7.51 and 7.53 are affected.
Ref: http://www.securityfocus.com/archive/1/504183
______________________________________________________________________
09.24.61 CVE: CVE-2009-1718
Platform: Cross Platform
Title: WebKit Drag Event Remote Information Disclosure
Description: WebKit is a browser framework used in multiple
applications, including Apple Safari and Google Chrome browsers.
WebKit is exposed to a remote information disclosure issue related to
the drag-and-drop functionality. Specifically, this issue allows a
malicious webpage to access sensitive information when content is
dragged across the browser window.
Ref:
http://googlechromereleases.blogspot.com/2009/06/stable-update-2-webkit-security-fixes.html
______________________________________________________________________
09.24.62 CVE: CVE-2009-2011
Platform: Cross Platform
Title: Worldweaver DX Studio Player Browser Plugin Remote Arbitrary
Shell Command Injection
Description: Worldweaver DX Studio is a development environment for
creating 3D graphics. The Player application is a browser plugin used
for displaying DX Studio documents in Internet Explorer or Firefox.
The application is exposed to a remote command injection issue because
it fails to adequately sanitize user-supplied input data.
Specifically, commands sent to the "shell.execute()" method will
execute without warning in the Firefox plugin. DX Studio Player
versions prior to 3.0.29.1 are affected.
Ref: http://www.coresecurity.com/content/DXStudio-player-firefox-plugin
______________________________________________________________________
09.24.63 CVE: CVE-2009-1162
Platform: Web Application - Cross Site Scripting
Title: IronPort AsyncOS Spam Quarantine Login Cross-Site Scripting
Description: Cisco IronPort appliances are used for email and web
security. IronPort AsyncOS is exposed to a cross-site scripting issue
because it fails to sanitize user-supplied input. This issue affects
the "referrer" parameter to the Spam Quarantine login page. IronPort
series C, M, and X appliances running AsyncOS versions prior to 6.5.2
are affected.
Ref: http://tools.cisco.com/security/center/viewAlert.x?alertId=18365
______________________________________________________________________
09.24.64 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Sun Java System Web Server Reverse Proxy Plug-in Cross-Site
Scripting
Description: Sun Java System Web Server is an enterprise-level
web server application. The application is exposed to a cross-site
scripting issue because it fails to properly sanitize unspecified
user-supplied input to the Reverse Proxy plug-in. Sun Java System Web
Server version 6.1 on SPARC, x86, Linux, Windows, HP-UX, and AIX
platforms is affected.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-259588-1
______________________________________________________________________
09.24.65 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: moziloCMS Multiple Cross-Site Scripting Vulnerabilities
Description: moziloCMS is a web-based content manager implemented in
PHP. The application is exposed to multiple cross-site scripting
issues because it fails to sufficiently sanitize user-supplied data to
the "cat" and "file" parameters of the "admin/index.php" script when
the "action" parameter is set to "editsite". moziloCMS version 1.11.1
is affected.
Ref: http://www.securityfocus.com/archive/1/504091
______________________________________________________________________
09.24.66 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Kerio MailServer WebMail Cross-Site Scripting
Description: Kerio MailServer is a mail manager used as an alternative
to Microsoft Exchange. WebMail is a mail client for the Kerio
MailServer. The application is exposed to a cross-site scripting issue
because it fails to sanitize user-supplied input. This issue affects
the Integration page. Kerio MailServer versions 6.6.0, 6.6.1, 6.6.2,
and 6.7.0 are affected.
Ref: http://www.kerio.com/support/security-advisories#0906
______________________________________________________________________
09.24.67 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Seminar for Joomla! "id" Parameter SQL Injection
Description: Seminar for Joomla! is an event booking component for the
Joomla! content manager. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter of the "com_seminar"
component before using it in an SQL query. Seminar for Joomla! version
1.28 is affected.
Ref: http://www.securityfocus.com/bid/35192
______________________________________________________________________
09.24.68 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! and Mambo "com_mosres" Component Multiple SQL Injection
Vulnerabilities
Description: The "com_mosres" component is a PHP-based application for
the Mambo and Joomla! content managers. The application is exposed to
multiple SQL injection issues because it fails to sufficiently
sanitize user-supplied data to the "property_uid" and "regID"
parameters of the "com_mosres" component before using it in an SQL
query. "com_mosres" version 1.0f is affected.
Ref: http://www.milw0rm.com/exploits/8872
______________________________________________________________________
09.24.69 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! ComSchool Component "classid" Parameter SQL Injection
Description: ComSchool is an education component for the Joomla!
content manager. The application is exposed to an SQL injection issue
because it fails to sufficiently sanitize user-supplied data to the
"classid" parameter of the "com_school" component before using it in
an SQL query. ComSchool version 1.4 is affected.
Ref: http://www.securityfocus.com/bid/35257
______________________________________________________________________
09.24.70 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla! AkoBook Component "Itemid" Parameter SQL Injection
Description: AkoBook is a guestbook component for the Joomla! content
manager. The application is exposed to an SQL injection issue because
it fails to sufficiently sanitize user-supplied data to the "Itemid"
parameter of the "com_akobook" component before using it in an SQL
query. AkoBook SE version 2.3 is affected.
Ref: http://www.securityfocus.com/bid/35268
______________________________________________________________________
09.24.71 CVE: Not Available
Platform: Web Application
Title: Luottokunta Payment Security Bypass
Description: Luottokunta is a payment module for osCommerce.
Luottokunta is exposed to a security bypass issue. This issue is due
to an unspecified design error when processing orders. Attackers can
exploit this issue to make a purchase without paying. Successfully
exploiting this issue may lead to other attacks. Luottokunta versions
prior to 1.3 are affected.
Ref: http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-046.html
______________________________________________________________________
09.24.72 CVE: Not Available
Platform: Web Application
Title: Drupal Webform Module HTML Injection
Description: Webform is a Drupal module that is used to create
questionnaires, contact forms, surveys, and other forms. The
application is exposed to an HTML injection issue because it fails to
sufficiently sanitize user-supplied input before using it in
dynamically generated content. The issue occurs when displaying
results of a Webform input submission. Webform versions prior to
5.x-2.7 and 6.x-2.7 are affected.
Ref: http://drupal.org/node/481268
______________________________________________________________________
09.24.73 CVE: Not Available
Platform: Web Application
Title: Omilen Photo Gallery Joomla! Component "controller" Parameter
Local File Include
Description: Omilen Photo Gallery is a component for the Joomla!
content manager. The application is exposed to a local file include
issue because it fails to properly sanitize user-supplied input to the
"controller" parameter of the "com_omphotogallery" component. Omilen
Photo Gallery version 0.5b is affected.
Ref: http://www.securityfocus.com/bid/35201
______________________________________________________________________
09.24.74 CVE: Not Available
Platform: Web Application
Title: LightNEasy Multiple HTML Injection Vulnerabilities
Description: LightNEasy is a web-based content manager. The
application is exposed to multiple HTML injection issues because it
fails to sufficiently sanitize user-supplied data to the following
parameters: "commentmessage", "commentemail" and "commentname".
LightNEasy versions 2.2.1 (no database) and 2.2.2 (SQLite) are affected.
Ref:
http://forum.intern0t.net/intern0t-advisories/1081-intern0t-lightneasy-2-2-2-html-injection-vulnerability.html
______________________________________________________________________
09.24.75 CVE: Not Available
Platform: Web Application
Title: LogMeIn "cfgadvanced.html" HTTP Header Injection
Description: LogMeIn is a secure login application. The application is
exposed to an issue that allows attackers to inject arbitrary HTTP
headers because it fails to sanitize input. Specifically, the
application fails to sanitize CRLF characters passed to the "lang"
parameter of the "cfgadvanced.html" script. LogMeIn version
4.0.784 is affected.
Ref:
http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/
______________________________________________________________________
09.24.76 CVE: Not Available
Platform: Web Application
Title: Ideal MooFAQ Joomla! Component "file_includer.php" Local File
Include
Description: MooFAQ is a component for the Joomla! content manager.
The application is exposed to a local file include issue because it
fails to properly sanitize user-supplied input to the "file" parameter
of the "file_includer.php" script in the "com_moofaq" component.
MooFAQ version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/35259
______________________________________________________________________
09.24.77 CVE: Not Available
Platform: Web Application
Title: Automated Link Exchange Portal Insecure Cookie Authentication
Bypass
Description: ZaoCMS is a web application. The application is exposed
to an authentication bypass issue because it fails to adequately
verify user-supplied input used for cookie-based authentication.
Specifically, attackers can gain administrative access to the
application by setting the "userid" cookie parameter to "1" and the
"path" parameter to "/". Automated Link Exchange Portal version 1.3 is
affected.
Ref: http://www.securityfocus.com/bid/35261
______________________________________________________________________
09.24.78 CVE: Not Available
Platform: Web Application
Title: Multiple OrdaSoft Joomla! Components "mosConfig_absolute_path"
Remote File Include
Description: OrdaSoft produces a number of components for the Joomla!
content manager. Multiple OrdaSoft components are exposed to a remote
file include issue because they fail to sufficiently sanitize
user-supplied input to the "mosConfig_absolute_path" parameter of the
"toolbar_ext.php" script.
Ref: http://www.securityfocus.com/bid/35269
______________________________________________________________________
09.24.79 CVE: Not Available
Platform: Web Application
Title: MoinMoin Hierarchical ACL Security Bypass
Description: MoinMoin is a freely available, open-source wiki written
in Python. It is available for Unix and Linux platforms. The
application is exposed to a security bypass issue due to an error when
processing hierarchical ACLs. MoinMoin version 1.8.3 is affected.
Ref: http://moinmo.in/MoinMoinRelease1.8
______________________________________________________________________
09.24.80 CVE: Not Available
Platform: Network Device
Title: Netgear RP614 Wireless Router Cross-Site Request Forgery
Description: The Netgear RP614 wireless router is a network device
designed for home use. The router is exposed to a cross-site request
forgery issue that exists in the web administration interface.
Attackers can exploit this issue by tricking a victim into visiting a
malicious web page. The page will consist of specially crafted script
code designed to perform some action on the attacker's behalf. Netgear
RP614 running firmware 1.0.5_04.23 is affected.
Ref: http://holisticinfosec.org/content/view/116/45/
______________________________________________________________________
(c) 2009. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.
Subscriptions:
RISK is distributed free of charge by the SANS Institute
to people responsible for managing and securing information systems and
networks. You may forward this newsletter to others with such
responsibility inside or outside your organization.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iEYEARECAAYFAkoxiPwACgkQ+LUG5KFpTkZk4gCeO5Uafk7HnULylhqyX5BL1Ulf
LIcAoIqs/X/deQGqM95OE/0cEVAQUd+Q
=KkEa
-----END PGP SIGNATURE-----