@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

• (1) HIGH: Microsoft Word Memory Corruption
• (2) HIGH: Mozilla Products Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.26.1 - Microsoft Windows "win32k.sys" OpenType Font Parsing Remote Code Execution Vulnerability
• 11.26.2 - Microsoft Windows Distributed File System Remote Code Execution Vulnerability
• 11.26.3 - Microsoft Windows Server Message Block Client Remote Code Execution Vulnerability
• 11.26.4 - Microsoft Windows "AFD.sys" Driver Local Privilege Escalation Vulnerability
• 11.26.5 - Microsoft Object Linking and Embedding (OLE) Automation WMF File Remote Code Execution Vulnerability
• 11.26.6 - Microsoft Windows SMB Server Remote Denial of Service

Microsoft Office

• 11.26.7 - Microsoft Word "wdGetApplicationObject()" Remote Code Execution Vulnerability
• 11.26.8 - Microsoft Excel Multiple Remote Code Execution Vulnerabilities

Other Microsoft Products

• 11.26.9 - Microsoft Forefront Threat Management Gateway (TMG) Firewall Client Memory Corruption Vulnerability
• 11.26.10 - Microsoft XML External Entities Resolution Information Disclosure Vulnerability
• 11.26.11 - Microsoft Internet Explorer Multiple Vulnerabilities

Third Party Windows Apps

• 11.26.12 - Gogago YouTube Video Converter ActiveX control "Download()" Method Buffer Overflow
• 11.26.13 - Trend Micro Control Manager "ApHost" Parameter Cross-Site Scripting Vulnerability
• 11.26.14 - Sunway ForceControl Multiple Heap-Based Buffer Overflow

Cross Platform

• 11.26.15 - DJabberd XML Parsing Denial of Service
• 11.26.16 - WebGL Unspecified Information Disclosure and Denial of Service Vulnerabilities
• 11.26.17 - Wing FTP Server "ssh public key" Authentication Security Bypass Vulnerability
• 11.26.18 - Mozilla Firefox Firebug Extension "chrome:" Cross-Domain Scripting Vulnerability
• 11.26.19 - SAP Netweaver Multiple Vulnerabilities
• 11.26.20 - Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
• 11.26.21 - IBM Rational Team Concert Multiple Unspecified Cross-Site Scripting Vulnerabilities
• 11.26.22 - Google SketchUp ".SKP" File Invalid Edge Geometry Remote Code Execution

Web Application - Cross Site Scripting

• 11.26.23 - WeblyGo Unspecified Cross-Site Scripting
• 11.26.24 - CIDWeb Multiple Cross-Site Scripting Vulnerabilities

Web Application

• 11.26.25 - WeBid "adsearch.php" HTML Injection Vulnerability

Hardware

• 11.26.26 - Polycom SoundPoint IP "reg_1.html" Information Disclosure
• 11.26.27 - Multiple IP Cameras "productmaker" Account Unauthorized Access Vulnerability

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11453 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.26.1 - CVE: CVE-2011-1873
• Platform: Windows
• Title: Microsoft Windows "win32k.sys" OpenType Font Parsing Remote Code Execution Vulnerability
• Description: Microsoft Windows is exposed to a remote code execution issue. Specifically, the issue occurs when the "win32k.sys" kernel mode driver parses a specially crafted OpenType font. All supported editions, except for 32-bit editions, of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows XP and Windows Server 2003 are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-041.mspx

• 11.26.2 - CVE: CVE-2011-1868,CVE-2011-1869
• Platform: Windows
• Title: Microsoft Windows Distributed File System Remote Code Execution Vulnerability
• Description: Microsoft Windows is exposed to a remote denial of service issue. The issue exists in the way the Distributed File System (DFS) client parses specially crafted DFS responses. Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2 are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-042.mspx

• 11.26.3 - CVE: CVE-2011-1268
• Platform: Windows
• Title: Microsoft Windows Server Message Block Client Remote Code Execution Vulnerability
• Description: Microsoft Windows is exposed to a remote code execution issue. The issue affects the Microsoft Server Message Block (SMB) client. Specifically, the issue is triggered when the client parses specially crafted SMB responses. All supported releases of Microsoft Windows are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-043.mspx

• 11.26.4 - CVE: CVE-2011-1249
• Platform: Windows
• Title: Microsoft Windows "AFD.sys" Driver Local Privilege Escalation Vulnerability
• Description: Microsoft Windows is exposed to a local privilege escalation issue. This issue affects the ancillary function driver ("AFD.sys"). The AFD component is responsible for managing the Winsock TCP/IP protocol. This vulnerability occurs because the kernel fails to properly validate data passed from user mode to kernel mode. All supported versions of Microsoft Windows are affected.
• Ref: http://www.microsoft.com/technet/security/bulletin/MS11-046.mspx

• 11.26.5 - CVE: CVE-2011-0658
• Platform: Windows
• Title: Microsoft Object Linking and Embedding (OLE) Automation WMF File Remote Code Execution Vulnerability
• Description: Microsoft Object Linking and Embedding (OLE) Automation is a Windows protocol that allows applications to share data or to control other applications. Microsoft OLE Automation is exposed to a remote code execution issue because of an underflow error. Specifically, the issue occurs when parsing a specially crafted Windows Metafile image file. All supported versions of Microsoft Windows are affected.
• Ref: http://www.microsoft.com/technet/security/bulletin/MS11-038.mspx

• 11.26.6 - CVE: CVE-2011-1267
• Platform: Windows
• Title: Microsoft Windows SMB Server Remote Denial of Service
• Description: Microsoft Windows is exposed to a remote denial of service issue. The issue affects the Microsoft Server Message Block (SMB) server. Specifically, the issue is triggered when the Microsoft SMB Protocol software handles specially crafted SMB requests. Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-048.mspx

• 11.26.7 - CVE: Not Available
• Platform: Microsoft Office
• Title: Microsoft Word "wdGetApplicationObject()" Remote Code Execution Vulnerability
• Description: Microsoft Word is a word processor available for multiple platforms. Microsoft Word is exposed to a remote code execution issue. This issue affects the "wdGetApplicationObject()" method because it fails to handle specially crafted data. Microsoft Word 2002 SP3 is vulnerable; other version may also affected.
• Ref: http://www.securityfocus.com/bid/48261/info

• 11.26.8 - CVE: CVE-2011-1275,CVE-2011-1279,CVE-2011-1278,CVE-2011-1274
• Platform: Microsoft Office
• Title: Microsoft Excel Multiple Remote Code Execution Vulnerabilities
• Description: Microsoft Excel is a spreadsheet application and part of the Microsoft Office suite. Microsoft Excel is exposed to multiple remote code execution issues. All supported editions of Microsoft Excel 2002, Microsoft Excel 2003, Microsoft Excel 2007, Microsoft Excel 2010, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Microsoft Office for Mac 2011, Open XML File Format Converter for Mac, Microsoft Excel Viewer and Microsoft Office Compatibility Pack are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-045.mspx

• 11.26.9 - CVE: CVE-2011-1889
• Platform: Other Microsoft Products
• Title: Microsoft Forefront Threat Management Gateway (TMG) Firewall Client Memory Corruption Vulnerability
• Description: Microsoft Forefront Threat Management Gateway (TMG) is a firewall application for Microsoft Windows. TMG Firewall client is exposed to a memory corruption issue in the TMG Firewall Client Winsock provider. Microsoft Forefront Threat Management Gateway 2010 Client are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-040.mspx

• 11.26.10 - CVE: CVE-2011-1280
• Platform: Other Microsoft Products
• Title: Microsoft XML External Entities Resolution Information Disclosure Vulnerability
• Description: Microsoft XML editor is an editor for XML files for Microsoft Windows. Microsoft XML editor is exposed to an information disclosure issue. This issue occurs when handling a specially crafted XML file. Microsoft InfoPath 2007, Microsoft InfoPath 2010, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, and Microsoft Visual Studio 2010 are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-049.mspx

• 11.26.11 - CVE:CVE-2011-1261,CVE-2011-1256,CVE-2011-1255,CVE-2011-1260,CVE-2011-1254,CVE-2011-1251,CVE-2011-1250,CVE-2011-1266,CVE-2011-1258,CVE-2011-1246,CVE-2011-1252,CVE-2011-1262
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Multiple Vulnerabilities
• Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows platforms. Microsoft Internet Explorer is exposed to multiple remote code execution issues and multiple cross-domain information disclosure issues. Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx

• 11.26.12 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Gogago YouTube Video Converter ActiveX control "Download()" Method Buffer Overflow
• Description: Gogago YouTube Video Converter is an ActiveX control that allows users to convert videos into many formats. The application is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. Gogago YouTube Video Converter 1.1.6 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/518440

• 11.26.13 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Trend Micro Control Manager "ApHost" Parameter Cross-Site Scripting Vulnerability
• Description: Trend Micro Control Manager is a web-based management console. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to the "ApHost" parameter of the "/commoncgi/servlet/CCGIServlet" script. Trend Micro Control Manager 5.5 Build 1250 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48313/info

• 11.26.14 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Sunway ForceControl Multiple Heap-Based Buffer Overflow
• Description: Sunway ForceControl is a SCADA HMI that controls various devices. The application is exposed to multiple remote heap-based buffer overflow issues. A heap based buffer overflow issue affects the ForceControl Web server included in the device. This issue occurs when handling an excessively large URI. A heap based buffer overflow issue occurs when handling UDP packers sent to the "AngelServer.exe" process. Sunway ForceControl 6.1 SP1, SP2 SP3 and Sunway pNetPower 6 are affected.
• Ref: http://www.securityfocus.com/bid/48328/discuss http://www.sunwayland.com.cn/news_info_.asp?Nid=3593

• 11.26.15 - CVE: CVE-2011-1757
• Platform: Cross Platform
• Title: DJabberd XML Parsing Denial of Service
• Description: DJabberd is a communications server for Jabber/XMPP. The application is exposed to a denial of service issue. Specifically, the issue occurs because the application fails to handle specially crafted XML data. Versions prior to DJabberd 0.85 are affected.
• Ref: http://www.securityfocus.com/bid/48312/discuss

• 11.26.16 - CVE: Not Available
• Platform: Cross Platform
• Title: WebGL Unspecified Information Disclosure and Denial of Service Vulnerabilities
• Description: WebGL is a web-based graphics library that extends JavaScript to allow it to generate interactive 3D graphics within any compatible web browser. WebGL is exposed to an unspecified information disclosure issue and an unspecified denial of service issue. Firefox 4.x up to 4.0.1 are affected.
• Ref: http://blog.mozilla.com/security/2011/06/16/webgl-graphics-memory-stealing-issue
  /

• 11.26.17 - CVE: Not Available
• Platform: Cross Platform
• Title: Wing FTP Server "ssh public key" Authentication Security Bypass Vulnerability
• Description: Wing FTP Server is a secure file server for Windows, Linux, Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass issue that affects the SSH authentication mechanism. Versions prior to Wing FTP Server 3.8.8 are affected.
• Ref: http://www.securityfocus.com/bid/48335/info

• 11.26.18 - CVE: Not Available
• Platform: Cross Platform
• Title: Mozilla Firefox Firebug Extension "chrome:" Cross-Domain Scripting Vulnerability
• Description: Firebug is a Firefox extension that is used for debugging, editing and monitoring CSS, JavaScript and HTML. The application is exposed to a cross-domain scripting issue. This issue occurs because the application fails to sanitize user-supplied input. Firebug version 1.7.2 is vulnerable; other versions may also be affected.
• Ref: http://www.80vul.com/firefox/Firebug%20Firefox%20Extension%20Cross%20Context%20S
  cripting%20Vulnerability.htm

• 11.26.19 - CVE: Not Available
• Platform: Cross Platform
• Title: SAP Netweaver Multiple Vulnerabilities
• Description: SAP NetWeaver is an integration platform for enterprise applications. The application is exposed to multiple security issues. A cross-site scripting issue affects the "test" parameter of the testServlet servlet in the performanceProviderRoot application. Two cross-site scripting issues affect the "BSNAME" and "REQID" parameters of the Deployer servlet in the Trust Center Service. An information disclosure issue affects the System Landscape Directory. An authentication bypass issue affects the J2EE engine. SAP NetWeaver version 7.30, 7.10, 7.02, 7.01, 7.0, 7.0 SP8 and 7.0 SP15 are affected.
• Ref: http://dsecrg.com/pages/vul/show.php?id=323, http://dsecrg.com/pages/vul/show.php?id=324 http://dsecrg.com/pages/vul/show.php?id=325 http://dsecrg.com/pages/vul/show.php?id=326

• 11.26.20 - CVE:CVE-2011-2377,CVE-2011-2376,CVE-2011-2375,CVE-2011-2374,CVE-2011-2373,CVE-2011-2371,CVE-2011-2370,CVE-2011-2369,CVE-2011-2368,CVE-2011-2367,CVE-2011-2366,CVE-2011-2365,CVE-2011-2364,CVE-2011-2363,CVE-2011-2362,CVE-2011-0085,CVE-2011-0083
• Platform: Cross Platform
• Title: Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
• Description: Mozilla Firefox, Thunderbird and SeaMonkey are exposed to the following remote issues. 1) Multiple memory corruption issues. 2) A use after free memory corruption issue. 3) An integer overflow issue. 4) A security issue due to a cookie isolation error. 5) An HTML injection issue. 6) A security vulnerability that will allow attackers to cause non-whitelisted sites to trigger an install dialog for add-ons and themes. Firefox versions prior to 3.6.18, Firefox versions prior to 5 and Thunderbird versions prior to 3.1.11 are affected.
• Ref: http://www.mozilla.org/security/announce/2011/mfsa2011-19.html http://www.mozilla.org/security/announce/2011/mfsa2011-20.html http://www.mozilla.org/security/announce/2011/mfsa2011-21.html http://www.mozilla.org/security/announce/2011/mfsa2011-22.html http://www.mozilla.org/security/announce/2011/mfsa2011-23.html http://www.mozilla.org/security/announce/2011/mfsa2011-24.html http://www.mozilla.org/security/announce/2011/mfsa2011-25.html http://www.mozilla.org/security/announce/2011/mfsa2011-26.html http://www.mozilla.org/security/announce/2011/mfsa2011-27.html http://www.mozilla.org/security/announce/2011/mfsa2011-28.html

• 11.26.21 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Rational Team Concert Multiple Unspecified Cross-Site Scripting Vulnerabilities
• Description: IBM Rational Team Concert is a software life cycle management application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to unspecified scripts and parameters. IBM Rational Team Concert 3.0 is affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1PM40308&wv=1

• 11.26.22 - CVE: CVE-2011-2478
• Platform: Cross Platform
• Title: Google SketchUp ".SKP" File Invalid Edge Geometry Remote Code Execution
• Description: Google SketchUp is an application for creating, modifying and sharing 3D models. The application is exposed to a remote code execution issue. Specifically, this issue occurs when the application parses specially crafted ".SKP" files because it fails to handle certain types of invalid edge geometry. Google SketchUp 7.1 Maintenance Release 2 and prior are affected.
• Ref: http://www.securityfocus.com/bid/48363/discuss

• 11.26.23 - CVE: CVE-2011-1330
• Platform: Web Application - Cross Site Scripting
• Title: WeblyGo Unspecified Cross-Site Scripting
• Description: WeblyGo is a web-based application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to an unspecified parameter. WeblyGo versions prior to 5.20 are affected.
• Ref: http://www.securityfocus.com/bid/48338/discuss http://www.kbs.co.jp/jp/tabid/254/Default.aspx

• 11.26.24 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: CIDWeb Multiple Cross-Site Scripting Vulnerabilities
• Description: CIDWeb is a mobile security solutions application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the "RefreshSecs" and "RefreshPage" parameters of the "CidWebPwd/errpage.asp" script. CIDWeb 1.0.0.0 and 2.3.0.8 are vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48362/discuss

• 11.26.25 - CVE: Not Available
• Platform: Web Application
• Title: WeBid "adsearch.php" HTML Injection Vulnerability
• Description: WeBid is a web-based auction script implemented in PHP. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input submitted to the "maxprice" field of the "adsearch.php" script. WeBid version 1.0.2 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48324/discuss

• 11.26.26 - CVE: Not Available
• Platform: Hardware
• Title: Polycom SoundPoint IP "reg_1.html" Information Disclosure
• Description: Polycom SoundPoint IP phones are multiline SIP capable phones. Polycom SoundPoint IP is exposed to an information disclosure issue because it does not properly restrict access to the "reg_1.html" configuration file. Polycom SoundPoint IP 200 and 301 are affected.
• Ref: http://www.securityfocus.com/bid/48316/discuss

• 11.26.27 - CVE: Not Available
• Platform: Hardware
• Title: Multiple IP Cameras "productmaker" Account Unauthorized Access Vulnerability
• Description: Multiple IP cameras are exposed to an unauthorized access issue. This issue occurs because the devices include a "productmaker" account containing default user credentials. IPUX ICS1033, Digicom IP Camera 100W, TRENDnet TV-IP422W are affected
• Ref: http://www.securityfocus.com/bid/48325/info

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account