@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Adobe Flash Player Memory Corruption Vulnerability
• (2) HIGH: Microsoft Tuesday Multiple Vulnerabilities
• (3) HIGH: RealNetworks RealPlayer OpenURLInDefaultBrowser Remote Code Execution Vulnerability
• (4) MEDIUM: Winamp .m3u8 Buffer Overflow Vulnerability
• (5) MEDIUM: VLC .mp4 Heap Buffer Overflow Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.16.1 - Microsoft Windows "AFD.sys" Driver Local Denial of Service
• 11.16.2 - Microsoft Windows OpenType Font Driver Stack Overflow Remote Code Execution
• 11.16.3 - Microsoft Windows Messenger ActiveX Control Remote Code Execution
• 11.16.4 - Microsoft Windows DNS Resolution Remote Code Execution
• 11.16.5 - Microsoft Windows SMB Client Remote Code Execution
• 11.16.6 - Microsoft Windows Kernel "Win32k.sys" Local Privilege Escalation

Microsoft Office

• 11.16.7 - Microsoft Excel Buffer Allocation Integer Overflow Remote Code Execution
• 11.16.8 - Microsoft Office Shared Component DLL Loading Arbitrary Code Execution
• 11.16.9 - Microsoft PowerPoint Invalid "PersistDirectoryEntry" Record Remote Code Execution

Other Microsoft Products

• 11.16.10 - Microsoft Reader Multiple Memory Corruption Vulnerabilities
• 11.16.11 - Microsoft Internet Explorer Frame Tag Cross-Domain Information Disclosure
• 11.16.12 - Microsoft Internet Explorer JavaScript Cross-Domain Information Disclosure
• 11.16.13 - Microsoft WordPad Text Converter Remote Code Execution
• 11.16.14 - Microsoft .NET Framework x86 JIT compiler Stack Corruption Remote Code Execution
• 11.16.15 - Microsoft GDI+ EMF Image Processing Integer Overflow Memory Corruption
• 11.16.16 - Microsoft VBScript And JScript Scripting Engines Remote Code Execution
• 11.16.17 - Microsoft HTML Help ".chm" File Stack Buffer Overflow

Third Party Windows Apps

• 11.16.18 - Winamp ".m3u8" File Remote Buffer Overflow

Linux

• 11.16.19 - Linux Kernel "mremap()" Local Denial of Service

HP-UX

• 11.16.20 - HP-UX Unspecified Remote Denial of Service

Cross Platform

• 11.16.21 - VLC Media Player "MP4" Heap-Based Buffer Overflow
• 11.16.22 - McAfee Firewall Reporter "GernalUtilities.pm" Authentication Bypass
• 11.16.23 - IBM Tivoli Monitoring Java Unspecified Security
• 11.16.24 - Adobe Flash Player "SWF" File Remote Memory Corruption
• 11.16.25 - Microsoft Host Integration Server Multiple Remote Denial of Service Vulnerabilities
• 11.16.26 - Red Hat Network Satellite Server Security Bypass and Information Disclosure Vulnerabilities
• 11.16.27 - HP Photosmart Printers Multiple Security Vulnerabilities
• 11.16.28 - PDF Extract TIFF "pdf2tif.dll" Buffer Overflow

Web Application - Cross Site Scripting

• 11.16.29 - KDE Konqueror Error Page Cross-Site Scripting

Web Application

• 11.16.30 - SPIP Disconnect Database Unspecified Remote Denial of Service

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 14, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11133 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.16.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows "AFD.sys" Driver Local Denial of Service
• Description: Microsoft Windows is exposed to a local denial of service issue that occurs in the Windows kernel. This issue affects the Ancillary Function Driver ("AFD.sys"). The issue occurs because the driver fails to sufficiently validate input that is passed from user mode to kernel mode through the affected driver.
• Ref: http://www.securityfocus.com/bid/47279

• 11.16.2 - CVE: CVE-2011-0034
• Platform: Windows
• Title: Microsoft Windows OpenType Font Driver Stack Overflow Remote Code Execution
• Description: OpenType is a font format developed by Microsoft and Adobe. Compact Font Format fonts are an OpenType Type font that contains PostScript Type 1 outlines. Microsoft Windows is exposed to a remote code execution issue that affects the OpenType Font driver.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-032.mspx

• 11.16.3 - CVE: CVE-2011-1243
• Platform: Windows
• Title: Microsoft Windows Messenger ActiveX Control Remote Code Execution
• Description: Microsoft Windows Messenger ActiveX control ('msgsc.dll') is an instant messaging application available for Microsoft Windows. Microsoft Windows Messenger ActiveX control is exposed to a remote code execution issue. Memory corruption may occur when the control is used in Internet Explorer.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-027.mspx

• 11.16.4 - CVE: CVE-2011-0657
• Platform: Windows
• Title: Microsoft Windows DNS Resolution Remote Code Execution
• Description: Microsoft Windows is exposed to a remote code execution issue that occurs when the DNS client handles specially crafted LLMNR (Link-local Multicast Name Resolution) queries.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-030.mspx

• 11.16.5 - CVE: CVE-2011-0660
• Platform: Windows
• Title: Microsoft Windows SMB Client Remote Code Execution
• Description: Microsoft Windows is exposed to a remote code execution issue that affects the SMB client. Specifically, the issue occurs when processing specially crafted SMB responses.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-019.mspx

• 11.16.6 - CVE: CVE-2011-0662, CVE-2011-0665, CVE-2011-0666,CVE-2011-0667, CVE-2011-0670, CVE-2011-0671, CVE-2011-0672,CVE-2011-0674, CVE-2011-0675, CVE-2011-1234, CVE-2011-1235,CVE-2011-1236, CVE-2011-1237, CVE-2011-1238, CVE-2011-1239,CVE-2011-1240, CVE-2011-1241,
• Platform: Windows
• Title: Microsoft Windows Kernel "Win32k.sys" Local Privilege Escalation
• Description: The "Win32k.sys" kernel-mode device driver provides various functions such as the window manager, collection of user input, screen output and Graphics Device Interface. It also serves as a wrapper for DirectX support. Microsoft Windows is exposed to a local privilege escalation issue that occurs in the Windows kernel "Win32k.sys" kernel-mode device driver.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-034.mspx

• 11.16.7 - CVE: CVE-2011-0097
• Platform: Microsoft Office
• Title: Microsoft Excel Buffer Allocation Integer Overflow Remote Code Execution
• Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Microsoft Excel is exposed to a remote code execution issue. Specifically, memory may become corrupted because of an integer overflow error.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx

• 11.16.8 - CVE: CVE-2011-0107
• Platform: Microsoft Office
• Title: Microsoft Office Shared Component DLL Loading Arbitrary Code Execution
• Description: Microsoft Office is exposed to an issue that lets attackers execute arbitrary code. The issue arises because an unspecified shared component of the application searches for Dynamic Link Library (DLL) files in the current working directory.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx

• 11.16.9 - CVE: CVE-2011-0656
• Platform: Microsoft Office
• Title: Microsoft PowerPoint Invalid "PersistDirectoryEntry" Record Remote Code Execution
• Description: Microsoft PowerPoint is a presentation application. Microsoft PowerPoint is exposed to a remote code execution issue caused by an error that occurs when processing a specially crafted PowerPoint file. Specifically, this occurs when validating an invalid "PersistDirectoryEntry" record in a malicious PowerPoint file.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx

• 11.16.10 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Reader Multiple Memory Corruption Vulnerabilities
• Description: Microsoft Reader is an e-book reader application. The application is exposed to multiple memory corruption issues. An attacker can exploit these issues to run arbitrary code in the context of the vulnerable application.
• Ref: http://aluigi.org/adv/msreader_3-adv.txt

• 11.16.11 - CVE: CVE-2011-1244
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Frame Tag Cross-Domain Information Disclosure
• Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows platforms. Microsoft Internet Explorer is exposed to a cross-domain information disclosure issue because, during certain processes, the application allows attackers to access and read content from different domains.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx

• 11.16.12 - CVE: CVE-2011-1245
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer JavaScript Cross-Domain Information Disclosure
• Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows platforms. Microsoft Internet Explorer is exposed to a cross-domain information disclosure issue because the application allows malicious scripts to access and read content from different domains.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx

• 11.16.13 - CVE: CVE-2011-0028
• Platform: Other Microsoft Products
• Title: Microsoft WordPad Text Converter Remote Code Execution
• Description: Microsoft WordPad is a simple text editor supplied with most versions of Microsoft Windows. WordPad Text Converters are components installed by default that allow some applications to open Word documents if Word isn't installed. WordPad is exposed to a remote code execution issue that occurs when handling a specially crafted Word file that contains a malformed structure.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-033.mspx

• 11.16.14 - CVE: CVE-2010-3958
• Platform: Other Microsoft Products
• Title: Microsoft .NET Framework x86 JIT compiler Stack Corruption Remote Code Execution
• Description: The Microsoft .NET Framework is a software framework for applications designed to run under Microsoft Windows. Its security model limits the privileges granted to .NET applications. The .NET Framework is exposed to a remote code execution issue caused by a stack corruption error in the x86 Just-In-Time(JIT) compiler when processing certain types of function calls.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-028.mspx

• 11.16.15 - CVE: CVE-2011-0041
• Platform: Other Microsoft Products
• Title: Microsoft GDI+ EMF Image Processing Integer Overflow Memory Corruption
• Description: Microsoft GDI+ (graphics device interface) enables applications to use graphics and formatted text on video display and on printers. GDI+ is exposed to a remote memory corruption issue that occurs when an application that uses the library tries to process a specially crafted Enhanced Metafile image file.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-029.mspx

• 11.16.16 - CVE: CVE-2011-0663
• Platform: Other Microsoft Products
• Title: Microsoft VBScript And JScript Scripting Engines Remote Code Execution
• Description: VBScript and JScript are scripting engines for Microsoft Windows. Microsoft VBScript and JScript scripting engines are exposed to a remote code execution issue. Memory corruption may occur when the scripting engines process a specially crafted script from a malicious web page.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-031.mspx

• 11.16.17 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft HTML Help ".chm" File Stack Buffer Overflow
• Description: Microsoft Compiled HTML Help is a format for online help files, developed by Microsoft. Microsoft HTML Help is exposed to a remote stack-based buffer overflow issue because the application fails to perform boundary checks before copying user-supplied data into buffers.
• Ref: http://www.securityfocus.com/archive/1/517441

• 11.16.18 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Winamp ".m3u8" File Remote Buffer Overflow
• Description: Winamp is a multimedia player available for Microsoft Windows. Winamp is exposed to a buffer overflow issue because it fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Winamp version 5.6.1 is affected.
• Ref: http://www.securityfocus.com/bid/47333

• 11.16.19 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel "mremap()" Local Denial of Service
• Description: The Linux kernel is exposed to a local denial of service issue due to an error while expanding the "mremap()" call, which causes a BUG_ON().
• Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=
  982134ba62618c2d69fbbbd166d0a11ee3b7e3d8

• 11.16.20 - CVE: CVE-2011-0896
• Platform: HP-UX
• Title: HP-UX Unspecified Remote Denial of Service
• Description: HP-UX is exposed to a remote denial of service issue that affects NFS/ONCplus. Exploiting this issue allows remote attackers to trigger denial of service. HP-UX version B.11.31 is affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02777287

• 11.16.21 - CVE: Not Available
• Platform: Cross Platform
• Title: VLC Media Player "MP4" Heap-Based Buffer Overflow
• Description: VLC is a cross-platform media player. The application is exposed to a heap-based memory corruption issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized buffer. VLC Media Player versions 1.0.0 through 1.1.8 are affected.
• Ref: http://git.videolan.org/?p=vlc.git;a=commit;h=5637ca8141bf39f263ecdb62035d2cb45c
  740821

• 11.16.22 - CVE: Not Available
• Platform: Cross Platform
• Title: McAfee Firewall Reporter "GernalUtilities.pm" Authentication Bypass
• Description: McAfee Firewall Reporter is an application that logs firewall events. McAfee Firewall Reporter is exposed to an authentication bypass issue that affects the "GernalUtilities.pm" script. McAfee Firewall Reporter version 5.1.0.6 is affected.
• Ref: http://www.securityfocus.com/archive/1/517421

• 11.16.23 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Tivoli Monitoring Java Unspecified Security
• Description: IBM Tivoli Monitoring is server and application management software. IBM Tivoli Monitoring is exposed to an unspecified security issue that affects the application's bundled version of Java.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1IZ85351

• 11.16.24 - CVE: CVE-2011-0611
• Platform: Cross Platform
• Title: Adobe Flash Player "SWF" File Remote Memory Corruption
• Description: Adobe Flash Player is a multimedia application for multiple platforms. Adobe Flash Player is exposed to a remote memory corruption issue that is triggered when handling a malicious ".swf" file embedded in a Microsoft Word ".doc" file.
• Ref: http://blogs.adobe.com/psirt/2011/04/security-advisory-for-adobe-flash-player-ad
  obe-reader-and-acrobat-apsa11-02.html

• 11.16.25 - CVE: Not Available
• Platform: Cross Platform
• Title: Microsoft Host Integration Server Multiple Remote Denial of Service Vulnerabilities
• Description: Microsoft Host Integration Server allows integration between Microsoft and IBM technologies. The application is exposed to multiple denial of service issues. An attacker can exploit these issues to cause the application to become unresponsive or to crash, denying service to legitimate users.
• Ref: http://www.securityfocus.com/archive/1/517427

• 11.16.26 - CVE: CVE-2010-1171,CVE-2009-0788
• Platform: Cross Platform
• Title: Red Hat Network Satellite Server Security Bypass and Information Disclosure Vulnerabilities
• Description: Red Hat Network Satellite Server is a server application that allows users to perform Red Hat Network updates on computers that are not directly attached to the Internet. The application is exposed to multiple security issues. A security bypass issue exists because it fails to restrict access to the XML-RPC API for configuring package group ("comps.xml") files for channels. An information disclosure issue exists because of the way the application handles mod_rewrite rules.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=584118

• 11.16.27 - CVE: CVE-2011-1533,CVE-2011-1532,CVE-2011-1531
• Platform: Cross Platform
• Title: HP Photosmart Printers Multiple Security Vulnerabilities
• Description: HP Photosmart Printers are used to print documents and photos. HP Photosmart Printers are exposed to multiple issues. An unspecified cross-site scripting issue affects the printer because it fails to adequately sanitize user-supplied input. An information disclosure issue affects the printer due to an unspecified error in the "webscan" component. An unauthorized access issue affects the SNMP component because of an unspecified error.
• Ref: https://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02267197&a
  dmit=109447627+1302630915353+28353475

• 11.16.28 - CVE: Not Available
• Platform: Cross Platform
• Title: PDF Extract TIFF "pdf2tif.dll" Buffer Overflow
• Description: PDF Extract TIFF is an application that is used to extract images from PDF files. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input.
• Ref: http://www.nsense.fi/advisories/nsense_2010_006.txt

• 11.16.29 - CVE: CVE-2011-1168
• Platform: Web Application - Cross Site Scripting
• Title: KDE Konqueror Error Page Cross-Site Scripting
• Description: KDE Konqueror is a web browser included with the KDE desktop manager. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data before generating error pages when it fails to resolve hostnames. KDE Konqueror versions 4.4.0 to 4.6.1 are affected.
• Ref: http://www.kde.org/info/security/advisory-20110411-1.txt

• 11.16.30 - CVE: Not Available
• Platform: Web Application
• Title: SPIP Disconnect Database Unspecified Remote Denial of Service
• Description: SPIP is a website publishing application implemented in PHP. SPIP is exposed to an unspecified remote denial of service issue that allows an editor to disconnect a site from its database.
• Ref: http://www.spip-contrib.net/Mise-a-jour-de-securite-SPIP-2-1-10

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/