@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Adobe Reader Unspecified Vulnerability
• (2) HIGH: Microsoft Multiple Products Multiple Security Vulnerabilities
• (3) MEDIUM: Apple QuickTime Font Table Signed Length Vulnerability
• (4) MEDIUM: HP OpenView Network Node Manager Heap Buffer Overflow

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.51.1 - Microsoft Windows Kernel Local Privilege Escalation
• 11.51.2 - Microsoft Windows Time Component Remote Code Execution
• 11.51.3 - Microsoft Windows CSRSS Local Privilege Escalation
• 11.51.4 - Microsoft Windows OLE Property Remote Code Execution
• 11.51.5 - Microsoft Active Directory Buffer Overflow

Microsoft Office

• 11.51.6 - Microsoft Publisher Multiple Vulnerabilities
• 11.51.7 - Microsoft Excel Remote Code Execution
• 11.51.8 - Microsoft PowerPoint Remote Code Execution
• 11.51.9 - Microsoft Word Access Violation Remote Code Execution
• 11.51.10 - Microsoft Pinyin IME Local Privilege Escalation

Other Microsoft Products

• 11.51.11 - Microsoft Internet Explorer Cross-Domain Information Disclosure
• 11.51.12 - Microsoft Windows Media Player And Media Center ".dvr-ms" Files Remote Code Execution

Third Party Windows Apps

• 11.51.13 - Winamp Multiple Integer Overflow Vulnerabilities
• 11.51.14 - zFTPServer "rmdir" Command Directory Traversal
• 11.51.15 - SafeNet Sentinel HASP and 7T IGSS Unspecified HTML Injection

Linux

• 11.51.16 - Red Hat Network Satellite Server Description Field HTML Injection
• 11.51.17 - ISC DHCP Regular Expressions Denial of Service

Cross Platform

• 11.51.18 - Foxit Reader Unspecified Memory Corruption
• 11.51.19 - Asterisk SIP "automon" NULL Pointer Dereference Denial Of Service
• 11.51.20 - PuTTY SSH keyboard Interactive Authentication Password Information Disclosure
• 11.51.21 - Schneider Electric PowerChute Business Edition Unspecified Cross-Site Scripting
• 11.51.22 - Opera Web Browser Multiple Denial of Service and Unspecified Vulnerabilities

Web Application - Cross Site Scripting

• 11.51.23 - Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities
• 11.51.24 - phpWebSite Unspecified Cross-Site Scripting

Web Application

• 11.51.25 - vtiger CRM Leads Module Security Bypass

Hardware

• 11.51.26 - Restorepoint Insecure File Permissions Local Privilege Escalation

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 46, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12814 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.51.1 - CVE: CVE-2011-2018
• Platform: Windows
• Title: Microsoft Windows Kernel Local Privilege Escalation
• Description: Microsoft Windows is exposed to a local privilege escalation issue that occurs in the Windows kernel. Specifically, the issue arises when the kernel accesses an object that has not been properly initialized. All supported 32-bit editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-098

• 11.51.2 - CVE: CVE-2011-3397
• Platform: Windows
• Title: Microsoft Windows Time Component Remote Code Execution
• Description: Microsoft Windows is exposed to a remote code execution issue that affects the Microsoft Time component. The issue can be exploited to corrupt the system state allowing code execution when the binary behavior is used in Internet Explorer. All supported editions of Microsoft Windows are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-090

• 11.51.3 - CVE: CVE-2011-3408
• Platform: Windows
• Title: Microsoft Windows CSRSS Local Privilege Escalation
• Description: Microsoft Windows is exposed to a local privilege escalation issue that affects the Client/Server Run-time Subsystem. Specifically, the issue occurs in the "csrss.dll" file because of improper validation of permissions when a lower-integrity process communicates a device event message to a higher-integrity process. All supported releases Microsoft Windows are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-097

• 11.51.4 - CVE: CVE-2011-3400
• Platform: Windows
• Title: Microsoft Windows OLE Property Remote Code Execution
• Description: Microsoft Windows is exposed to a remote code execution issue. Specifically, the issue occurs due to improper handling of OLE objects in memory. All supported editions of Windows XP and Windows Server 2003 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-093

• 11.51.5 - CVE: CVE-2011-3406
• Platform: Windows
• Title: Microsoft Active Directory Buffer Overflow
• Description: Microsoft Active Directory is an LDAP implementation distributed with multiple Windows operating systems. The application is exposed to a buffer overflow issue. Specifically, the issue occurs when Active Directory processes a specially crafted query and attempts to access the contents of a memory buffer that has not been properly initialized. Active Directory, ADAM and AD LDS when installed on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 (except Itanium), Windows 7 and Windows Server 2008 R2 (except Itanium) are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-095

• 11.51.6 - CVE: CVE-2011-3412,CVE-2011-3411,CVE-2011-3410,CVE-2011-1508
• Platform: Microsoft Office
• Title: Microsoft Publisher Multiple Vulnerabilities
• Description: Microsoft Publisher is a desktop publishing application. The application is exposed to multiple issues. See reference for detailed information. All supported editions of Microsoft Publisher 2003 and Microsoft Publisher 2007 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-091

• 11.51.7 - CVE: CVE-2011-3403
• Platform: Microsoft Office
• Title: Microsoft Excel Remote Code Execution
• Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution issue. Specifically, the issue occurs when the application incorrectly handles objects in memory. All supported editions of Microsoft Excel 2003 and Microsoft Office 2004 for Mac are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-096

• 11.51.8 - CVE: CVE-2011-3396,CVE-2011-3413
• Platform: Microsoft Office
• Title: Microsoft PowerPoint Remote Code Execution
• Description: Microsoft PowerPoint is a presentation application. The application is exposed to multiple issues. See reference for detailed information. Microsoft PowerPoint 2007 Service Pack 2, Microsoft PowerPoint 2010, Microsoft Office 2008 for Mac, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 and Microsoft PowerPoint Viewer 2007 Service Pack 2 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-094 http://www.securityfocus.com/bid/50967/references

• 11.51.9 - CVE: CVE-2011-1983
• Platform: Microsoft Office
• Title: Microsoft Word Access Violation Remote Code Execution
• Description: Microsoft Word is a word processor available for multiple platforms. The application is exposed to a remote code execution issue. This issue is due to an access violation error when handling a specially crafted Word file. All supported editions of Microsoft Office 2007, Microsoft Office 2010 and Microsoft Office for Mac 2011. are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-089

• 11.51.10 - CVE: CVE-2011-2010
• Platform: Microsoft Office
• Title: Microsoft Pinyin IME Local Privilege Escalation
• Description: Microsoft Pinyin IME is allows a user to input Chinese characters by entering the pinyin of a Chinese character and then presents the user with a list of possible characters with that pronunciation. The application is exposed to a local privilege escalation issue that affects Microsoft Office IME (Chinese) because it improperly exposes configuration options not designed to run on the secure desktop. All supported editions of Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Microsoft Office Pinyin SimpleFast Style 2010 and Microsoft Office Pinyin New Experience Style 2010 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-088

• 11.51.11 - CVE: CVE-2011-3404
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Cross-Domain Information Disclosure
• Description: Microsoft Internet Explorer is a web browser for Windows platforms. The application is exposed to a cross-domain information disclosure issue. This issue occurs because the application fails to properly enforce the content settings supplied by the Web server. Internet Explorer 6 on all supported editions of Windows XP, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows clients and Internet Explorer on Windows servers are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-099

• 11.51.12 - CVE: CVE-2011-3401
• Platform: Other Microsoft Products
• Title: Microsoft Windows Media Player And Media Center ".dvr-ms" Files Remote Code Execution
• Description: Microsoft Windows Media Player and Windows Media Center are multimedia applications available for the Windows operating system. The applications are exposed to a remote code execution issue when handling specially crafted ".dvr-ms" media files. Windows XP (including Windows XP Media Center Edition 2005) and all supported editions of Windows Vista and Windows 7 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-092

• 11.51.13 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Winamp Multiple Integer Overflow Vulnerabilities
• Description: Winamp is a multiform media player for Microsoft Windows platforms. The application is exposed to multiple integer overflow issues in the "in_avi.dll" file. An integer overflow issue occurs when allocating memory using the number of stream headers. An attacker can trigger a heap overflow by enticing an unsuspecting user to open a specially crafted AVI file. An integer overflow issue occurs when parsing the "RIFF INFO" chunk included in an AVI file. An attacker can exploit this issue by enticing an unsuspecting victim to open a specially crafted AVI file. An integer overflow issue occurs when parsing song message data included in an Impulse Tracker file. Winamp versions prior to 5.623 are vulnerable.
• Ref: http://forums.winamp.com/showthread.php?t=332010 http://www.securityfocus.com/archive/1/520827

• 11.51.14 - CVE: CVE-2011-4717
• Platform: Third Party Windows Apps
• Title: zFTPServer "rmdir" Command Directory Traversal
• Description: zFTPServer is a file transfer server for Microsoft Windows. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal strings (..) passed to the "rmdir" command. zFTPServer 6.0.0.52 is vulnerable and prior versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/520822 http://www.securityfocus.com/bid/51018/references

• 11.51.15 - CVE: CVE-2011-3339
• Platform: Third Party Windows Apps
• Title: SafeNet Sentinel HASP and 7T IGSS Unspecified HTML Injection
• Description: Sentinel HASP is a digital license manager. 7T IGSS is an application using the SafeNet Sentinel HASP SDK for its digital license manager to enable its software products. The applications are exposed to an HTML injection issue because they fail to properly sanitize user-supplied input. Specifically, attackers can craft and inject HTML code into the configuration file. Sentinel HASP SDK prior to 5.11, Sentinel HASP Run-time prior to 6.x and 7 Technologies (7T) IGSS 7 are affected.
• Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-314-01.pdf http://www.safenet-inc.com/support-downloads/sentinel-drivers/CVE-2011-3339/

• 11.51.16 - CVE: CVE-2011-4346
• Platform: Linux
• Title: Red Hat Network Satellite Server Description Field HTML Injection
• Description: The Red Hat Network Satellite Server is a server application that allows users to perform Red Hat Network updates on computers not directly attached to the Internet. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the asset tag/key in the "Description" field. Red Hat Network Satellite Server version 5.4 is affected.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=742050 http://www.securityfocus.com/bid/50963/references http://rhn.redhat.com/errata/RHSA-2011-1794.html

• 11.51.17 - CVE: CVE-2011-4539
• Platform: Linux
• Title: ISC DHCP Regular Expressions Denial of Service
• Description: ISC DHCP is a reference implementation of the DHCP protocol and includes a DHCP server, client, and relay agent. The application is exposed to a denial of service issue. Specifically, the application crashes when processing a crafted evaluated regular expression. ISC DHCP versions prior to 4.1-ESV-R4 and 4.2.3-P1 are affected.
• Ref: https://www.isc.org/software/dhcp/advisories/cve-2011-4539

• 11.51.18 - CVE: Not Available
• Platform: Cross Platform
• Title: Foxit Reader Unspecified Memory Corruption
• Description: Foxit Reader is a secure PDF reader. The application is exposed to an unspecified memory corruption issue. Foxit Reader 5.1.0.1021 and prior versions are vulnerable.
• Ref: http://www.foxitsoftware.com/Secure_PDF_Reader/security_bulletins.php#terminatio
  n

• 11.51.19 - CVE: Not Available
• Platform: Cross Platform
• Title: Asterisk SIP "automon" NULL Pointer Dereference Denial Of Service
• Description: Asterisk is a private branch exchange application available for Linux, BSD and Mac OSX platforms. The server is exposed to a remote denial of service issue caused by a NULL pointer dereference error. Specifically, the issue occurs because the server fails to properly handle malicious session initiation protocol requests when the "automon" feature is enabled in the "features.conf" file. Asterisk versions 1.8.x prior to 1.8.7.2 and 1.6.2.x prior to 1.6.2.21 are affected.
• Ref: http://downloads.asterisk.org/pub/security/AST-2011-014.html

• 11.51.20 - CVE: Not Available
• Platform: Cross Platform
• Title: PuTTY SSH keyboard Interactive Authentication Password Information Disclosure
• Description: PuTTY is a free Telnet and SSH client. The application is exposed to an information disclosure issue. Specifically, this issue occurs because the application fails to properly clean the replies typed by the user from memory during keyboard interactive authentication. PuTTY versions 0.59 through 0.61 are vulnerable.
• Ref: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.ht
  ml

• 11.51.21 - CVE: CVE-2011-4263
• Platform: Cross Platform
• Title: Schneider Electric PowerChute Business Edition Unspecified Cross-Site Scripting
• Description: PowerChute Business Edition from Schneider Electric is an application for power management. This application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to unspecified vectors. PowerChute Business Edition versions prior to 8.5 are vulnerable.
• Ref: http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000100.html http://www.securityfocus.com/bid/51022/references

• 11.51.22 - CVE: CVE-2011-4687,CVE-2011-4686,CVE-2011-4685,CVE-2011-4684
• Platform: Cross Platform
• Title: Opera Web Browser Multiple Denial of Service and Unspecified Vulnerabilities
• Description: Opera is a Web browser available for multiple platforms. The application is exposed to multiple issues. An unspecified issue occurs because the application fails to properly handle certificate revocation. A denial of service issue occurs in the Web Workers implementation. Multiple unspecified denial of service issues exist. Versions prior to Opera Web Browser 11.60 are vulnerable.
• Ref: http://www.opera.com/docs/changelogs/mac/1160/ http://www.opera.com/docs/changelogs/unix/1160/ http://www.opera.com/docs/changelogs/windows/1160/ http://www.securityfocus.com/bid/51027/references

• 11.51.23 - CVE: CVE-2011-4368,CVE-2011-2463
• Platform: Web Application - Cross Site Scripting
• Title: Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities
• Description: Adobe ColdFusion is an application for developing web sites. The application is exposed to two cross-site scripting issues. See detailed information in reference. ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX are affected.
• Ref: http://www.adobe.com/support/security/bulletins/apsb11-29.html

• 11.51.24 - CVE: CVE-2011-4265
• Platform: Web Application - Cross Site Scripting
• Title: phpWebSite Unspecified Cross-Site Scripting
• Description: phpWebSite is a web-based content manager. The application is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. phpWebSite versions prior to 1.0.0 are vulnerable.
• Ref: http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000103.html http://www.securityfocus.com/bid/51026/references

• 11.51.25 - CVE: CVE-2011-4679
• Platform: Web Application
• Title: vtiger CRM Leads Module Security Bypass
• Description: vtiger CRM is a PHP-based customer relationship management application. The application is exposed to a security bypass issue because it fails to properly recognize the disabled status of a field in the Leads module. Versions prior to vtiger CRM 5.3.0 are vulnerable.
• Ref: http://wiki.vtiger.com/index.php/Oct2011:ODUpdate http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7003 http://www.securityfocus.com/bid/51024/references

• 11.51.26 - CVE: CVE-2011-4202
• Platform: Hardware
• Title: Restorepoint Insecure File Permissions Local Privilege Escalation
• Description: Restorepoint is a network appliance backup and disaster recovery system. The application is exposed to a local privilege escalation issue because of an insecure file permission error. Specifically, this issue occurs because certain scripts running with root privileges have insecure permissions, which allow local attackers to modify them. Restorepoint 3.2 is affected and other versions may also be vulnerable.
• Ref: https://www.trustmatta.com/advisories/MATTA-2011-003.txt http://www.securityfocus.com/bid/50991/references

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account