@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Microsoft Patch Tuesday Vulnerabilities
• (2) HIGH: Mozilla Firefox Use-After-Free Vulnerability
• (3) HIGH: Adobe Shockwave Player Multiple Vulnerabilities
• (4) HIGH: Horde Groupware Webmail Edition Unauthenticated PHP Execution
• (5) MEDIUM: Google Chrome Multiple Security Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 12.7.1 - Microsoft Windows Ancillary Function Driver Multiple Local Privilege Escalation Vulnerabilities
• 12.7.2 - Microsoft Windows "Msvcrt.dll" Remote Buffer Overflow
• 12.7.3 - Microsoft Windows Kernel "Win32k.sys" Multiple Remote Code Execution Vulnerabilities

Other Microsoft Products

• 12.7.4 - Microsoft Visio Viewer Multiple Remote Code Execution Vulnerabilities
• 12.7.5 - Microsoft Internet Explorer Multiple Vulnerabilities
• 12.7.6 - Microsoft Silverlight & .NET Framework Multiple Remote Code Execution Vulnerabilities
• 12.7.7 - Microsoft SharePoint Multiple Cross-Site Scripting Vulnerabilities

Third Party Windows Apps

• 12.7.8 - Symantec pcAnywhere Client/Server Input Handling Denial of Service
• 12.7.9 - ALFTP Insecure Executable File Loading Arbitrary Code Execution

Linux

• 12.7.10 - Horde Groupware Source Packages Backdoor Vulnerability

Unix

• 12.7.11 - NetSurf "netsurf/Cookies" Local Information Disclosure

Cross Platform

• 12.7.12 - CVS "proxy_connect()" Heap Buffer Overflow
• 12.7.13 - ImageMagick Buffer Overflow and Denial of Service Vulnerabilities
• 12.7.14 - Mozilla Firefox/Thunderbird/SeaMonkey "ReadPrototypeBindings()" Memory Corruption
• 12.7.15 - Zero Install "Common Name" Field Security Bypass
• 12.7.16 - PHP "tidy_diagnose()" NULL Pointer Dereference Denial Of Service
• 12.7.17 - Python SimpleXMLRPCServer Denial Of Service
• 12.7.18 - Adobe Shockwave Player Multiple Vulnerabilities
• 12.7.19 - Oracle Java SE Multiple Vulnerabilities

Web Application - Cross Site Scripting

• 12.7.20 - Adobe RoboHelp Cross-Site Scripting

Web Application

• 12.7.21 - Mathopd Directory Traversal
• 12.7.22 - GLPI "sub_type" Parameter Remote File Include
• 12.7.23 - AjaXplorer "doc_file" Parameter Local File Disclosure
• 12.7.24 - MyBB Multiple Security Vulnerabilities
• 12.7.25 - CubeCart Multiple URI Redirection Vulnerabilities
• 12.7.26 - Zen Cart "path_to_admin/product.php" Cross-Site Request Forgery

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 7, 2012

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13245 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 12.7.1 - CVE: CVE-2012-0149,CVE-2012-0148
• Platform: Windows
• Title: Microsoft Windows Ancillary Function Driver Multiple Local Privilege Escalation Vulnerabilities
• Description: Ancillary Function Driver (afd.sys) manages the Winsock TCP/IP communications protocol. Microsoft Windows is exposed to multiple local privilege escalation issues that affect the Ancillary Function Driver component. Specifically, this issue occurs because the "afd.sys" driver improperly validates the input data received from the user mode. All supported editions of Windows XP (except x86-based), Windows Server 2003, Windows Vista (except x86-based), Windows Server 2008 (except x86-based), Windows 7 (except x86-based) and Windows Server 2008 R2 are vulnerable.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-009

• 12.7.2 - CVE: CVE-2012-0150
• Platform: Windows
• Title: Microsoft Windows "Msvcrt.dll" Remote Buffer Overflow
• Description: Microsoft Windows is exposed to a remote buffer overflow issue because it fails to properly bounds check user-supplied input. Specifically, the issue affects the windows library "Msvcrt.dll" when handling a specially crafted media file. All supported editions of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 are vulnerable.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-013

• 12.7.3 - CVE: CVE-2012-0154,CVE-2011-5046
• Platform: Windows
• Title: Microsoft Windows Kernel "Win32k.sys" Multiple Remote Code Execution Vulnerabilities
• Description: The "Win32k.sys" kernel-mode device driver provides various functions such as the window manager, collection of user input, screen output and Graphics Device Interface (GDI). It also serves as a wrapper for DirectX support. Microsoft Windows is exposed to multiple remote code execution issues. See reference for detailed information. All supported releases of Microsoft Windows are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-008

• 12.7.4 - CVE: CVE-2012-0019,CVE-2012-0020,CVE-2012-0136,CVE-2012-0137,CVE-2012-0138
• Platform: Other Microsoft Products
• Title: Microsoft Visio Viewer Multiple Remote Code Execution Vulnerabilities
• Description: Microsoft Visio Viewer is an application that allows users to view Microsoft Visio files. The application is exposed to a remote code execution issue. The problem occurs because the application fails to properly handle memory when parsing specially crafted Visio files. All supported editions of Microsoft Visio Viewer 2010 are vulnerable.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-015

• 12.7.5 - CVE: CVE-2012-0010,CVE-2012-0011,CVE-2012-0012,CVE-2012-0155
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Multiple Vulnerabilities
• Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows. The application is exposed to multiple security issues. See reference for detailed information. Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows clients, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows servers, Internet Explorer 6 on all supported editions of Windows XP are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-010

• 12.7.6 - CVE: CVE-2012-0014,CVE-2012-0015
• Platform: Other Microsoft Products
• Title: Microsoft Silverlight & .NET Framework Multiple Remote Code Execution Vulnerabilities
• Description: The Microsoft .NET Framework is a software framework for applications designed to run under Microsoft Windows. Microsoft Silverlight is a web application framework that provides support for .NET applications. The applications are exposed to multiple remote code execution issues. See reference for detailed information. Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows and Microsoft Silverlight 4 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-016

• 12.7.7 - CVE: CVE-2012-0145,CVE-2012-0144,CVE-2012-0017
• Platform: Other Microsoft Products
• Title: Microsoft SharePoint Multiple Cross-Site Scripting Vulnerabilities
• Description: Microsoft SharePoint is an integrated server application providing content management and search capabilities. The application is exposed to multiple cross-site scripting issues. See reference for detailed information. Microsoft Office SharePoint Server 2010 and Microsoft SharePoint Foundation 2010 are vulnerable.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-011

• 12.7.8 - CVE: CVE-2012-0291
• Platform: Third Party Windows Apps
• Title: Symantec pcAnywhere Client/Server Input Handling Denial of Service
• Description: pcAnywhere is a remote administration application for Microsoft Windows. The application is exposed to a denial of service issue. The problem occurs when the client or server handles certain unexpected input. This can cause the application to become unstable and crash, effectively denying service. Symantec pcAnywhere versions 12.0.x, 12.1.x, 12.5.x, 12.6.x, 11.x and 10.x are affected.
• Ref: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=securit
  y_advisory&pvid=security_advisory&year=2012&suid=20120124_00 http://www.securityfocus.com/bid/51965/references

• 12.7.9 - CVE: CVE-2012-0315
• Platform: Third Party Windows Apps
• Title: ALFTP Insecure Executable File Loading Arbitrary Code Execution
• Description: ALFTP is a FTP client and server application available for Microsoft Windows. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the the application loads an executable ("readme.exe") file in an insecure manner. ALFTP version 5.30.0.1 and prior are vulnerable.
• Ref: http://www.securityfocus.com/bid/51984/references http://jvn.jp/en/jp/JVN85695061/index.html

• 12.7.10 - CVE: CVE-2012-0209
• Platform: Linux
• Title: Horde Groupware Source Packages Backdoor Vulnerability
• Description: Horde Groupware is a web-based collaboration suite implemented in PHP. The application is exposed to a backdoor issue. This issue occurs because the Horde Groupware source code repository was compromised and replaced with source code packages that contain a backdoor. Horde Groupware versions 1.2.10 between November 2, 2011 and February 7, 2012 are vulnerable.
• Ref: http://www.securityfocus.com/bid/51989/references http://lists.horde.org/archives/announce/2012/000751.html

• 12.7.11 - CVE: CVE-2012-0844
• Platform: Unix
• Title: NetSurf "netsurf/Cookies" Local Information Disclosure
• Description: NetSurf is a web browser for RISC and UNIX-like operating systems. The application is exposed to an information disclosure issue because it provides local users read access to cookies stored in the "/netsurf/Cookies" file. NetSurf 2.8 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/51981/references

• 12.7.12 - CVE: CVE-2012-0804
• Platform: Cross Platform
• Title: CVS "proxy_connect()" Heap Buffer Overflow
• Description: CVS is a version control system designed for software projects. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer. Specifically, this issue occurs due to an error in the "proxy_connect()" function of the "src/client.c" source file. CVS versions 1.11.x are vulnerable.
• Ref: http://www.securityfocus.com/bid/51943/references https://bugzilla.redhat.com/show_bug.cgi?id=784141

• 12.7.13 - CVE: CVE-2012-0248,CVE-2012-0247
• Platform: Cross Platform
• Title: ImageMagick Buffer Overflow and Denial of Service Vulnerabilities
• Description: ImageMagick is an image editing suite that includes a library and command-line utilities supporting numerous image formats. The application is exposed to multiple issues. 1) A buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a specially crafted image with incorrect offset and count in the ResolutionUnit tag in EXIF IFD0. 2) A denial of service issue that occurs because of an error when parsing an IFD with IOP tag offsets pointing to the start of the IFD. Specifically, this issue can be exploited to cause an infinite loop through a specially crafted image. ImageMagick versions prior to 6.7.5-1 are vulnerable.
• Ref: http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20286 http://www.securityfocus.com/bid/51957/references

• 12.7.14 - CVE: CVE-2012-0452
• Platform: Cross Platform
• Title: Mozilla Firefox/Thunderbird/SeaMonkey "ReadPrototypeBindings()" Memory Corruption
• Description: Firefox is a browser. SeaMonkey is a suite of applications that includes a browser and an email client. Thunderbird is an email client. The applications are exposed to a memory corruption issue that may allow remote code execution. A use-after-free condition occurs in the "ReadPrototypeBindings()" function because it fails to clear XBL binding in a hash table. Firefox and Firefox ESR versions prior to 10.0.1, Thunderbird and Thunderbird ESR versions prior to 10.0.1 and SeaMonkey versions prior to 2.7.1 are affected.
• Ref: https://www.mozilla.org/security/announce/2012/mfsa2012-10.html

• 12.7.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Zero Install "Common Name" Field Security Bypass
• Description: Zero Install is a decentralized cross-distribution software installation system. The application is exposed to a security issue that may allow attackers to conduct spoofing attacks. This issue occurs because it fails to properly check the "Common Name" field provided inside SSL server certificates. Versions prior to Zero Install 1.6 are vulnerable.
• Ref: http://sourceforge.net/mailarchive/message.php?msg_id=28823083 http://www.securityfocus.com/bid/51983/references

• 12.7.16 - CVE: CVE-2012-0781
• Platform: Cross Platform
• Title: PHP "tidy_diagnose()" NULL Pointer Dereference Denial Of Service
• Description: PHP is an open-source scripting language used for web development. The application is exposed to multiple denial of service issues caused by a NULL-pointer dereference error. Specifically, these issues occur because the application fails to properly check if a "tidy_diagnose()" function operation returns a NULL value. PHP 5.3.8 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/51992/references http://www.php.net/ChangeLog-5.php#5.3.9 https://bugzilla.redhat.com/show_bug.cgi?id=782951

• 12.7.17 - CVE: CVE-2012-0845
• Platform: Cross Platform
• Title: Python SimpleXMLRPCServer Denial Of Service
• Description: Python is a programming language available for multiple platforms. The application is exposed to a denial of service issue. This issue occurs in the "SimpleXMLRPCRequestHandler.do_POST()" method of the SimpleXMLRPCServer module because it fails to properly handle an EOF when processing POST requests. Python versions 2.7.2 and 3.2.2 are vulnerable and other versions may also be affected.
• Ref: http://bugs.python.org/issue14001 http://www.securityfocus.com/bid/51996/references

• 12.7.18 - CVE: CVE-2012-0757,CVE-2012-0758,CVE-2012-0759,CVE-2012-0760,CVE-2012-0761,CVE-2012-0762,CVE-2012-0763,CVE-2012-0764,CVE-2012-0766
• Platform: Cross Platform
• Title: Adobe Shockwave Player Multiple Vulnerabilities
• Description: Adobe Shockwave Player is a multimedia player application. The application is exposed to a remote memory corruption issues. See reference for detailed information. Versions prior to Adobe Shockwave Player 11.6.4.634 are vulnerable.
• Ref: http://www.adobe.com/support/security/bulletins/apsb12-02.html

• 12.7.19 - CVE: CVE-2012-0505,CVE-2012-0497,CVE-2012-0498,CVE-2012-0499,CVE-2012-0500,CVE-2012-0508,CVE-2012-0504,CVE-2011-3571,CVE-2012-0503,CVE-2012-0502,CVE-2011-3563,CVE-2011-5035,CVE-2012-0501,CVE-2012-0506
• Platform: Cross Platform
• Title: Oracle Java SE Multiple Vulnerabilities
• Description: Oracle Java SE is exposed to multiple security issues. See reference for detailed information. Java SE version 7 Update 2 and before, 6 Update 30 and before, 5.0 Update 33 and before, 1.4.2_35 and before, JavaFX 2.0.2 and before, JavaFX 1.3.0 and before, JavaFX 1.2.2 and before are vulnerable.
• Ref: http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

• 12.7.20 - CVE: CVE-2012-0765
• Platform: Web Application - Cross Site Scripting
• Title: Adobe RoboHelp Cross-Site Scripting
• Description: Adobe RoboHelp is a tool for creating application help files in a number of formats. The application is exposed to a cross-site scripting issue because the application fails to properly sanitize user-supplied input. Adobe RoboHelp 8 and 9 are vulnerable.
• Ref: http://www.adobe.com/support/security/bulletins/apsb12-04.html

• 12.7.21 - CVE: Not Available
• Platform: Web Application
• Title: Mathopd Directory Traversal
• Description: Mathopd is a web-based application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "/var/www/" directory. Versions prior to Mathopd 1.5p7 are vulnerable.
• Ref: http://www.securityfocus.com/bid/51872/references http://www.mathopd.org/security.html

• 12.7.22 - CVE: CVE-2012-1037
• Platform: Web Application
• Title: GLPI "sub_type" Parameter Remote File Include
• Description: GLPI is an information management application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input submitted to the "sub_type" parameter of the "front/popup.php" script. GLPI versions between 0.78 and 0.80.61 are vulnerable.
• Ref: http://www.securityfocus.com/bid/51958/references http://seclists.org/fulldisclosure/2012/Feb/157

• 12.7.23 - CVE: Not Available
• Platform: Web Application
• Title: AjaXplorer "doc_file" Parameter Local File Disclosure
• Description: AjaXplorer is a remote file management application. The application is exposed to a local file disclosure issue because it fails to adequately validate user-supplied input to the "doc_file" parameter of "index.php" script when "get_action" parameter is set to "display_doc". AjaXplorer 4.0.1 is vulnerable and other versions are also affected.
• Ref: http://www.securityfocus.com/bid/51960/references http://ajaxplorer.info/ajaxplorer-4-0-2/

• 12.7.24 - CVE: Not Available
• Platform: Web Application
• Title: MyBB Multiple Security Vulnerabilities
• Description: MyBB (MyBulletinBoard) is a forum application implemented in PHP. The application is exposed to multiple security issues, including: 1) Multiple cross-site request forgery issues because the application fails to properly validate HTTP requests, and 2) Multiple cross-site scripting issues because the application fails to properly sanitize user-supplied input. Versions prior to MyBB 1.6.6 are vulnerable.
• Ref: http://blog.mybb.com/2012/02/10/mybb-1-6-6-security-release/ http://www.securityfocus.com/bid/51962/references

• 12.7.25 - CVE: Not Available
• Platform: Web Application
• Title: CubeCart Multiple URI Redirection Vulnerabilities
• Description: CubeCart is a web-based e-commerce application. The application is exposed to multiple URI redirection issues because the application fails to properly sanitize user-supplied input submitted to the "goto" and "r" parameters of the "switch.php" and "login.php" scripts. CubeCart 3.0.20 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/51966/references http://www.securityfocus.com/archive/1/521587

• 12.7.26 - CVE: CVE-2011-4403
• Platform: Web Application
• Title: Zen Cart "path_to_admin/product.php" Cross-Site Request Forgery
• Description: Zen Cart is a web-based shopping cart. The application is exposed to a cross-site request forgery issue. This issue occurs because the application allows attackers to perform certain actions without validating the request. Specifically, the issue affects the "path_to_admin/product.php" script. Attackers may exploit this issue to delete and disable products. Zen Cart 1.3.9h is vulnerable and other versions may be affected.
• Ref: http://www.securityfocus.com/bid/51968/references http://seclists.org/fulldisclosure/2012/Feb/171

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account