@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Google Chrome Multiple Security Vulnerabilities
• (2) HIGH: Microsoft Windows Media '.dvr-ms' Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.11.1 - Microsoft Windows Media Player/Windows Media Center ".dvr-ms" File Code Execution

Other Microsoft Products

• 11.11.2 - Microsoft Internet Explorer Popup Window Address Bar Spoofing Weakness
• 11.11.3 - Microsoft .NET Runtime Optimization Service Local Privilege Escalation
• 11.11.4 - Microsoft Remote Desktop Connection Client DLL Loading Arbitrary Code Execution

Third Party Windows Apps

• 11.11.5 - HP MFP Digital Sending Software Unspecified Authentication Bypass

Linux

• 11.11.6 - Linux Kernel RPC Server Socket Remote Denial of Service
• 11.11.7 - Linux Kernel "oops" on Reset NULL Pointer Dereference Remote Denial of Service

BSD

• 11.11.8 - NetBSD "kern.proc" Sysctl Arguments Local Denial of Service

Novell

• 11.11.9 - Novell Vibe OnPrem Unspecified Remote Code Execution

Cross Platform

• 11.11.10 - Samba "FD_SET" Memory Corruption
• 11.11.11 - PDF-Pro Multiple Security Vulnerabilities
• 11.11.12 - Wireshark 6LoWPAN Packet Denial of Service
• 11.11.13 - Apple iTunes JPEG Image Heap-Based Buffer Overflow
• 11.11.14 - Mozilla Firefox/SeaMonkey Text Run Construction Memory Corruption
• 11.11.15 - Apache Tomcat "@ServletSecurity" Annotations Security Bypass
• 11.11.16 - Subversion "mod_dav_svn" Apache Server NULL Pointer Dereference Denial of Service
• 11.11.17 - IBM WebSphere Application Server prior to 7.0.0.15 Multiple Security Vulnerabilities
• 11.11.18 - WebKit "Runin" Box Use-After-Free Memory Corruption
• 11.11.19 - Wing FTP Server SFTP Connection Denial of Service
• 11.11.20 - Foxit Reader JavaScript API Arbitrary File Creation or Overwrite
• 11.11.21 - GNU patch Path Name Directory Traversal
• 11.11.22 - VMware ESX/ESXi Service Location Protocol Daemon Local Denial of Service
• 11.11.23 - Google Chrome Multiple Security Vulnerabilities
• 11.11.24 - KDE kdelibs IP Address SSL Certificate Security Bypass
• 11.11.25 - Wireshark NTLMSSP NULL Pointer Dereference Denial of Service
• 11.11.26 - TeamViewer Insecure Directory Permissions Privilege Escalation

Web Application - SQL Injection

• 11.11.27 - IBM Tivoli Netcool/OMNIbus Unspecified SQL Injection
• 11.11.28 - vBulletin cChatBox "messageid" Parameter SQL Injection

Web Application

• 11.11.29 - PHP Speedy Plugin for WordPress "admin_container.php" Remote PHP Code Execution

Network Device

• 11.11.30 - Nokia N97 ".m3u" File Remote Buffer Overflow

PART I Critical Vulnerabilities

______________________________________________________________________ PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 10, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10953 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 11.11.1 - CVE: CVE-2011-0042, CVE-2011-0032
• Platform: Windows
• Title: Microsoft Windows Media Player/Windows Media Center ".dvr-ms" File Code Execution
• Description: Microsoft Windows Media Player is a multimedia application available for the Windows operating system. Windows Media Center is a digital video recorder and media player from Microsoft. Microsoft Windows Media Player and Windows Media Center are exposed to a remote code execution issue when handling specially crafted media content.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-015.mspx

• 11.11.2 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Popup Window Address Bar Spoofing Weakness
• Description: Microsoft Internet Explorer is a browser for the Windows operating system. Microsoft Internet Explorer is prone to a popup window address-bar-spoofing weakness. This issue occurs because it is possible to display a popup window with only a portion of the address bar initially displayed to the user.
• Ref: http://archives.neohapsis.com/archives/fulldisclosure/2011-03/0072.html

• 11.11.3 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft .NET Runtime Optimization Service Local Privilege Escalation
• Description: The Microsoft .NET Framework is a software framework for applications designed to run under Microsoft Windows. Microsoft .NET Runtime Optimization Service is exposed to a local privilege escalation issue that occurs because the "msocrsvw.exe" service can be overwritten by non-administrative domain users and local power users.
• Ref: http://www.securityfocus.com/bid/46773

• 11.11.4 - CVE: CVE-2011-0029
• Platform: Other Microsoft Products
• Title: Microsoft Remote Desktop Connection Client DLL Loading Arbitrary Code Execution
• Description: Microsoft Remote Desktop Connection (formerly known as Terminal Services Client) uses Remote Desktop Protocol to provide remote access to Microsoft operating systems. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for Dynamic Link Library files in the current working directory.
• Ref: http://www.microsoft.com/technet/security/advisory/2269637.mspx

• 11.11.5 - CVE: CVE-2011-0279
• Platform: Third Party Windows Apps
• Title: HP MFP Digital Sending Software Unspecified Authentication Bypass
• Description: HP MFP Digital Sending Software is a digital document management application available for Microsoft Windows. MFP Digital Sending Software is exposed to an unspecified authentication bypass issue that can be exploited to disable authentication for managed devices.
• Ref: http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02738104&ad
  mit=109447626+1299646403361+28353475

• 11.11.6 - CVE: CVE-2011-0714
• Platform: Linux
• Title: Linux Kernel RPC Server Socket Remote Denial of Service
• Description: The Linux kernel is exposed to a remote denial of service issue that exists in the implementation of the RPC server socket implementation. This issue occurs when handling packets containing malformed data.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=678144

• 11.11.7 - CVE: CVE-2011-1093
• Platform: Linux
• Title: Linux Kernel "oops" on Reset NULL Pointer Dereference Remote Denial of Service
• Description: The Linux kernel is exposed to a remote denial of service issue that affects the execution order of the "dccp_rcv_state_process()" function. A NULL-pointer deference error can be triggered when specially crafted packets are received after closing the socket.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=682954

• 11.11.8 - CVE: Not Available
• Platform: BSD
• Title: NetBSD "kern.proc" Sysctl Arguments Local Denial of Service
• Description: NetBSD is exposed to a local denial of service issue when "kern.proc" sysctl tree handler fails to properly validate the quantity of user-supplied command arguments.
• Ref: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-003.txt.asc

• 11.11.9 - CVE: CVE-2011-0464
• Platform: Novell
• Title: Novell Vibe OnPrem Unspecified Remote Code Execution
• Description: Novell Vibe 3 BETA OnPrem is an enterprise application for collaboration and conferencing. The application is exposed to an unspecified remote code execution issue. Novell Vibe OnPrem version 3.0 is affected.
• Ref: http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5088845.
  html

• 11.11.10 - CVE: CVE-2011-0719
• Platform: Cross Platform
• Title: Samba "FD_SET" Memory Corruption
• Description: Samba is a suite of software that provides file and print services for "SMB/CIFS" clients. It is available for multiple operating platforms. Samba is exposed to a stack-based memory corruption issue because the application fails to properly perform range-checks on file descriptors passed to the "FD_SET" macro. Samba versions prior to 3.5.7 are affected.
• Ref: http://samba.org/samba/security/CVE-2011-0719.html

• 11.11.11 - CVE: Not Available
• Platform: Cross Platform
• Title: PDF-Pro Multiple Security Vulnerabilities
• Description: PDF-Pro is an application for creating and handling PDF files on the Windows operating system. The application is exposed to multiple issues. PDF-Pro version 4.0.1.758 with ePapyrusReader.ocx version 1.6.2.1874 is affected.
• Ref: http://www.securityfocus.com/bid/46634

• 11.11.12 - CVE: Not Available
• Platform: Cross Platform
• Title: Wireshark 6LoWPAN Packet Denial of Service
• Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The application is exposed to a denial of service issue when reading a malformed 6LoWPAN packet. Wireshark versions prior to 1.4.4 are affected.
• Ref: http://www.wireshark.org/news/20110301.html

• 11.11.13 - CVE: CVE-2011-0170
• Platform: Cross Platform
• Title: Apple iTunes JPEG Image Heap-Based Buffer Overflow
• Description: Apple iTunes is a media player for Microsoft Windows and Apple Mac OS X. Apple iTunes is exposed to a heap-based buffer overflow issue because it fails to adequately bounds check user-supplied data before copying it into an insufficiently sized buffer. Apple iTunes versions prior to 10.2 are affected.
• Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=897

• 11.11.14 - CVE: CVE-2011-0058
• Platform: Cross Platform
• Title: Mozilla Firefox/SeaMonkey Text Run Construction Memory Corruption
• Description: Firefox is a browser and SeaMonkey is a suite of applications that includes a browser and an email client. The applications are exposed to a memory corruption issue that occurs when handling very long strings in an HTML document. Firefox versions prior to 3.6.14 and 3.5.17 are affected. SeaMonkey versions prior to 2.0.12 are affected.
• Ref: http://www.mozilla.org/security/announce/2011/mfsa2011-07.html

• 11.11.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Apache Tomcat "@ServletSecurity" Annotations Security Bypass
• Description: Apache Tomcat is an HTTP server application. Apache Tomcat is exposed to a security bypass issue because the application ignores "@ServletSecurity" annotations, which allows attackers to bypass certain security restrictions. Apache Tomcat versions prior to 7.0.10 are affected.
• Ref: http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.70
  50106@apache.org%3E

• 11.11.16 - CVE: CVE-2011-0715
• Platform: Cross Platform
• Title: Subversion "mod_dav_svn" Apache Server NULL Pointer Dereference Denial of Service
• Description: Subversion is an open-source version control application that is available for numerous platforms. The server is exposed to a remote denial of service issue caused by a NULL pointer dereference error. Subversion versions prior to 1.6.16 are affected.
• Ref: http://seclists.org/fulldisclosure/2011/Mar/54

• 11.11.17 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM WebSphere Application Server prior to 7.0.0.15 Multiple Security Vulnerabilities
• Description: IBM WebSphere Application Server is an application server used for service-oriented architecture. IBM WebSphere Application Server is exposed to multiple issues. IBM WebSphere Application Server versions prior to 7.0.0.15 are affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg24028875

• 11.11.18 - CVE: CVE-2011-0132
• Platform: Cross Platform
• Title: WebKit "Runin" Box Use-After-Free Memory Corruption
• Description: WebKit is a browser framework used in multiple applications, including the Apple Safari and Google Chrome browsers. WebKit is exposed to a use-after-free memory corruption issue that affects the implementation of a "Runin" box, as specified in CSS 2.1.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-098/

• 11.11.19 - CVE: Not Available
• Platform: Cross Platform
• Title: Wing FTP Server SFTP Connection Denial of Service
• Description: Wing FTP Server is a secure multi-protocol file server for Windows, Linux, Mac, FreeBSD, and Solaris. Wing FTP Server is exposed to a denial of service issue that occurs because the server fails to properly handle certain SFTP connections. Wing FTP Server versions prior to 3.8.0 are affected.
• Ref: http://www.wftpserver.com/serverhistory.htm

• 11.11.20 - CVE: Not Available
• Platform: Cross Platform
• Title: Foxit Reader JavaScript API Arbitrary File Creation or Overwrite
• Description: Foxit Reader is an application for handling PDF files. Foxit Reader is exposed to an issue that allows attackers to write or overwrite arbitrary files on a vulnerable computer. Specifically, the application's Javascript API function "createDataObject()" allows arbitrary files to be overwritten or created through a URI. Foxit Reader versions prior to 4.3.1.0218 are affected.
• Ref: http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit
  -pdf.html

• 11.11.21 - CVE: CVE-2010-4651
• Platform: Cross Platform
• Title: GNU patch Path Name Directory Traversal
• Description: GNU patch is an application used to apply difference listings created by the "diff" utility. GNU patch is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input in path names.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=667529

• 11.11.22 - CVE: CVE-2010-3609
• Platform: Cross Platform
• Title: VMware ESX/ESXi Service Location Protocol Daemon Local Denial of Service
• Description: VMware Server is a server emulation application available for several platforms. VMware ESX and ESXi are exposed to a denial of service issue caused by an unspecified error in Service Location Protocol daemon.
• Ref: http://www.vmware.com/security/advisories/VMSA-2011-0004.html

• 11.11.23 - CVE: Not Available10.0.648.127 are affected.
• Platform: Cross Platform
• Title: Google Chrome Multiple Security Vulnerabilities
• Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to multiple issues. Chrome versions prior to
• Ref: http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html

• 11.11.24 - CVE: CVE-2011-1094
• Platform: Cross Platform
• Title: KDE kdelibs IP Address SSL Certificate Security Bypass
• Description: KDE (K Desktop Environment) is a desktop for Unix variants. kdelibs are common libraries for the project. kdelibs is exposed to a security bypass issue that occurs in the "kio/kio/tcpslavebase.cpp" source file. kdelibs versions prior to 4.6.1 are affected.
• Ref: http://comments.gmane.org/gmane.comp.security.oss.general/4440

• 11.11.25 - CVE: CVE-2011-1143
• Platform: Cross Platform
• Title: Wireshark NTLMSSP NULL Pointer Dereference Denial of Service
• Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. It is available for Microsoft Windows and UNIX-like operating systems. Wireshark is exposed to a remote denial of service issue caused by a NULL-pointer dereference error in the NTLMSSP dissector.
• Ref: http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html

• 11.11.26 - CVE: Not Available
• Platform: Cross Platform
• Title: TeamViewer Insecure Directory Permissions Privilege Escalation
• Description: TeamViewer is a remote desktop sharing application available for multiple operating systems. TeamViewer is exposed to a local privilege escalation issue caused by insecure file system permissions that are granted to the installation directory, which may allow unprivileged users to overwrite arbitrary files in the "Version6" directory. TeamViewer version 6.0.10194 for Windows 7 is affected.
• Ref: http://www.securityfocus.com/bid/46797

• 11.11.27 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: IBM Tivoli Netcool/OMNIbus Unspecified SQL Injection
• Description: IBM Tivoli Netcool/OMNIbus is an operations management software application. The application is exposed to an unspecified SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. IBM Tivoli Netcool/OMNIbus version 7.3.0 is vulnerable.
• Ref: http://www.securityfocus.com/bid/46633

• 11.11.28 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: vBulletin cChatBox "messageid" Parameter SQL Injection
• Description: cChatBox is an Ajax-based chat module for vBulletin. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input before using it in an SQL query. Specifically, the application fails to sanitize data supplied to the "messageid" parameter of the "cchatbox.php" script.
• Ref: http://www.securityfocus.com/bid/46635

• 11.11.29 - CVE: Not Available
• Platform: Web Application
• Title: PHP Speedy Plugin for WordPress "admin_container.php" Remote PHP Code Execution
• Description: WordPress is a web-based publishing application implemented in PHP. PHP Speedy is a plugin for WordPress. The PHP Speedy plugin for WordPress is exposed to an issue that lets remote attackers execute arbitrary code because it fails to sanitize user-supplied input. PHP Speedy versions 0.5.2 and earlier are affected.
• Ref: http://aciddrop.com/2008/03/07/php-speedy-wordpress-plugin-preview-release/

• 11.11.30 - CVE: Not Available
• Platform: Network Device
• Title: Nokia N97 ".m3u" File Remote Buffer Overflow
• Description: Nokia N97 is a cellular phone. Nokia N97 is exposed to an issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs when the application fails to handle malformed ".m3u" files. Nokia N97 firmware version 22.0.110 is affected.
• Ref: http://www.securityfocus.com/bid/46776

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/