@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 7
February 16, 2012

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                  Number of Updates and Vulnerabilities
- ------------------------                -------------------------------------
Windows                                   3 (#1)
Other Microsoft Products                  4
Third Party Windows Apps                  2
Linux                                     1 (#4)
Unix                                      1
Cross Platform                            8 (#2,#3,#5)
Web Application - Cross Site Scripting    1
Web Application                           6

************************* Sponsored By SANS ******************************

Take the SANS 8th Annual Log and Event Management Survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/99204

**************************************************************************

TRAINING UPDATE

--SANS Secure Singapore 2012, Singapore, Singapore, March 5-17, 2012
  5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
  http://www.sans.org/singapore-2012/

--SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN
  Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012
  Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
  http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL, March 23-29, 2012
  40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
  http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA, April 15-20, 2012
  7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
  http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD, April 30-May 7, 2012
  11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
  http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV, April 24-May 1, 2012
  5 courses.
  http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands, May 7-19, 2012
  11 courses.
  http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA, May 10-18, 2012
  25 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
  http://www.sans.org/security-west-2012/

--Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Boston, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************************************************************************

Table Of Contents

PART I Critical Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Widely Deployed Software
  • (2) HIGH: Mozilla Firefox Use-After-Free Vulnerability
  • Affected:
    • Firefox and Firefox ESR prior to 10.0.1
    • Thunderbird and Thunderbird ESR prior to 10.0.1
    • SeaMonkey prior to 2.7.1
  • Description: Mozilla has patched its Firefox web browser to address a vulnerability in its handling of XBL, the XML Binding Language. XBL attaches behaviour and presentation to XUL (XML User Interface Language) widgets; both are Mozilla technologies that form part of the development platform for the Mozilla application suite. When the nsXBLDocumentInfo::ReadPrototypeBindings procedure fails part way through, the XBL binding it was reading is freed but its entry is left in the hash table that indexes bindings, so a later lookup dereferences a dangling pointer (a use-after-free). By enticing a target to view a malicious page, an attacker can trigger this condition and, in the case of a successful exploit, execute arbitrary code on the target's machine with the privileges of the user running the browser. The same code is shared by Thunderbird and SeaMonkey, which Mozilla patched at the same time.

  • Status: vendor confirmed, updates available

  • References:
    • https://www.mozilla.org/security/announce/2012/mfsa2012-10.html (see also Part II entry 12.7.14)
  • (4) HIGH: Horde Groupware Webmail Edition Unauthenticated PHP Execution
  • Affected:
    • Horde 3.3.12 downloaded from the project's FTP server between 15 Nov 2011 and 7 Feb 2012
    • Horde Groupware 1.2.10 downloaded from the project's FTP server between 9 Nov 2011 and 7 Feb 2012
    • Horde Groupware Webmail Edition 1.2.10 downloaded from the project's FTP server between 2 Nov 2011 and 7 Feb 2012
  • Description: The Horde project has notified its users that the FTP server distributing its release packages was compromised and the packages were manipulated. Attackers replaced the Horde and Horde Groupware packages with modified copies that include a backdoor allowing unauthenticated PHP execution. Because Horde Groupware is a web-based collaboration suite, an attacker can reach the backdoor with a single crafted HTTP request to any server installed from one of the trojaned packages, and a successful attack results in arbitrary code execution with the privileges of the web server. An installation built from an affected download should be compared file by file against a clean copy of the release rather than simply upgraded in place, since an attacker who already used the backdoor may have planted further changes.

  • Status: vendor confirmed, updates available

  • References:
    • http://lists.horde.org/archives/announce/2012/000751.html (see also Part II entry 12.7.10)
  • (5) MEDIUM: Google Chrome Multiple Security Vulnerabilities
  • Affected:
    • Google Chrome prior to 17.0.963.46
  • Description: Google has released patches addressing multiple security vulnerabilities in its Chrome web browser. Nine of the vulnerabilities are rated HIGH or CRITICAL, and they include an unspecified crash; a use-after-free in garbage collection when handling PDFs; bad casts; a buffer overflow in locale handling; an unspecified race condition; and use-after-free vulnerabilities in the handling of stylesheets, CSS, SVG (Scalable Vector Graphics) and mousemove events. By enticing a target to view a malicious page, an attacker can exploit these vulnerabilities in order to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 7, 2012

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13245 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
______________________________________________________________________


  • 12.7.1 - CVE: CVE-2012-0149,CVE-2012-0148
  • Platform: Windows
  • Title: Microsoft Windows Ancillary Function Driver Multiple Local Privilege Escalation Vulnerabilities
  • Description: The Ancillary Function Driver (afd.sys) is the kernel-mode driver that implements Windows Sockets (Winsock) on top of the TCP/IP stack. Microsoft Windows is exposed to multiple local privilege escalation issues in this component because afd.sys improperly validates input data received from user mode, so a logged-on user who runs a specially crafted application can execute code in kernel mode. All supported editions of Windows XP (except x86-based), Windows Server 2003, Windows Vista (except x86-based), Windows Server 2008 (except x86-based), Windows 7 (except x86-based) and Windows Server 2008 R2 are vulnerable.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-009

  • 12.7.2 - CVE: CVE-2012-0150
  • Platform: Windows
  • Title: Microsoft Windows "Msvcrt.dll" Remote Buffer Overflow
  • Description: Microsoft Windows is exposed to a remote buffer overflow issue because it fails to properly bounds check user-supplied input. Specifically, the issue affects the Windows C run-time library "Msvcrt.dll" when it handles data from a specially crafted media file, so an attacker who convinces a user to open such a file could execute code with that user's privileges. All supported editions of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 are vulnerable.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-013

  • 12.7.3 - CVE: CVE-2012-0154,CVE-2011-5046
  • Platform: Windows
  • Title: Microsoft Windows Kernel "Win32k.sys" Multiple Remote Code Execution Vulnerabilities
  • Description: The "Win32k.sys" kernel-mode device driver provides various functions such as the window manager, collection of user input, screen output and Graphics Device Interface (GDI). It also serves as a wrapper for DirectX support. Microsoft Windows is exposed to multiple remote code execution issues. See reference for detailed information. All supported releases of Microsoft Windows are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-008

  • 12.7.4 - CVE: CVE-2012-0019,CVE-2012-0020,CVE-2012-0136,CVE-2012-0137,CVE-2012-0138
  • Platform: Other Microsoft Products
  • Title: Microsoft Visio Viewer Multiple Remote Code Execution Vulnerabilities
  • Description: Microsoft Visio Viewer is an application that allows users to view Microsoft Visio files. The application is exposed to multiple remote code execution issues. The problems occur because the application fails to properly handle memory when parsing specially crafted Visio files, so opening a crafted file can execute code with the privileges of the logged-on user. All supported editions of Microsoft Visio Viewer 2010 are vulnerable.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-015

  • 12.7.5 - CVE: CVE-2012-0010,CVE-2012-0011,CVE-2012-0012,CVE-2012-0155
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Multiple Vulnerabilities
  • Description: Microsoft Internet Explorer is the web browser shipped with Microsoft Windows. The application is exposed to multiple security issues. See reference for detailed information. Internet Explorer 6 on all supported editions of Windows XP, and Internet Explorer 7, 8 and 9 on supported Windows client and server editions, are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-010

  • 12.7.6 - CVE: CVE-2012-0014,CVE-2012-0015
  • Platform: Other Microsoft Products
  • Title: Microsoft Silverlight & .NET Framework Multiple Remote Code Execution Vulnerabilities
  • Description: The Microsoft .NET Framework is a software framework for applications designed to run under Microsoft Windows. Microsoft Silverlight is a browser plug-in that runs .NET-based web applications. Both are exposed to multiple remote code execution issues. See reference for detailed information. Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows, and Microsoft Silverlight 4, are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-016

  • 12.7.7 - CVE: CVE-2012-0145,CVE-2012-0144,CVE-2012-0017
  • Platform: Other Microsoft Products
  • Title: Microsoft SharePoint Multiple Cross-Site Scripting Vulnerabilities
  • Description: Microsoft SharePoint is an integrated server application providing content management and search capabilities. The application is exposed to multiple cross-site scripting issues. See reference for detailed information. Microsoft Office SharePoint Server 2010 and Microsoft SharePoint Foundation 2010 are vulnerable.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-011


  • 12.7.9 - CVE: CVE-2012-0315
  • Platform: Third Party Windows Apps
  • Title: ALFTP Insecure Executable File Loading Arbitrary Code Execution
  • Description: ALFTP is an FTP client and server application available for Microsoft Windows. The application is exposed to an issue that lets attackers execute arbitrary code, because it loads an executable file ("readme.exe") in an insecure manner: an attacker who can place a file of that name where the application looks for it gets it run with the user's privileges. ALFTP version 5.30.0.1 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/51984/references http://jvn.jp/en/jp/JVN85695061/index.html

  • 12.7.10 - CVE: CVE-2012-0209
  • Platform: Linux
  • Title: Horde Groupware Source Packages Backdoor Vulnerability
  • Description: Horde Groupware is a web-based collaboration suite implemented in PHP. The application is exposed to a backdoor issue: the FTP server distributing the project's release packages was compromised and the packages were replaced with copies containing a backdoor that allows unauthenticated remote PHP execution. Horde Groupware 1.2.10 and Horde Groupware Webmail Edition 1.2.10 packages downloaded between November 2, 2011 and February 7, 2012 are vulnerable; Part I entry (4) gives the per-package download windows, including the affected Horde 3.3.12 packages.
  • Ref: http://www.securityfocus.com/bid/51989/references http://lists.horde.org/archives/announce/2012/000751.html
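A check for the situation described in this entry and in Part I entry (4), added here as an example and not taken from the Horde project: given a reference copy of the release whose integrity has been established out of band (a freshly downloaded tarball whose checksum matches the value the vendor published, or a checkout of the release tag), hash every regular file in the deployed tree and report what was added, removed or modified. The directory names in the usage comment are assumptions, and the test data is constructed.

```python
"""Compare a deployed web application tree against a known-good copy.

Added example (not Horde project code). Use it after a distribution-channel
compromise: hash every regular file under both trees and report files that
exist only on the server, files missing from it, and files whose content
differs. Symlinks are skipped so a link cannot pull in content from outside
the tree, and version-control metadata directories are left out.
"""
import hashlib
import hmac
import os
import sys
from pathlib import Path

IGNORE_DIRS = {".git", ".svn", "CVS"}


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORE_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            digests[path.relative_to(root).as_posix()] = sha256_file(path)
    return digests


def compare_trees(reference: dict, deployed: dict) -> dict:
    """Classify paths as added (server only), removed (reference only) or modified."""
    ref_paths, dep_paths = set(reference), set(deployed)
    return {
        "added": sorted(dep_paths - ref_paths),
        "removed": sorted(ref_paths - dep_paths),
        "modified": sorted(p for p in ref_paths & dep_paths if reference[p] != deployed[p]),
    }


def verify_archive(path, expected_sha256: str) -> bool:
    """Check a downloaded tarball against the checksum published out of band."""
    return hmac.compare_digest(sha256_file(Path(path)), expected_sha256.strip().lower())


def main(argv):
    # Usage (both paths hypothetical): integrity_check.py /srv/clean/horde /var/www/horde
    if len(argv) != 3:
        sys.exit("usage: integrity_check.py REFERENCE_TREE DEPLOYED_TREE")
    report = compare_trees(hash_tree(argv[1]), hash_tree(argv[2]))
    for kind in ("added", "modified", "removed"):
        for rel in report[kind]:
            print(f"{kind:<9}{rel}")
    sys.exit(1 if any(report.values()) else 0)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a reference obtained after the compromise window closed, not against a backup taken during it. Configuration files that are legitimately edited on the server will show up as modified; review those by hand rather than filtering them out, because a backdoor planted through an existing file is exactly what the report is meant to surface.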

  • 12.7.11 - CVE: CVE-2012-0844
  • Platform: Unix
  • Title: NetSurf "netsurf/Cookies" Local Information Disclosure
  • Description: NetSurf is a web browser for RISC OS and Unix-like operating systems. The application is exposed to an information disclosure issue because the cookie store it writes (the "netsurf/Cookies" file in the user's profile) is readable by other local users, exposing session cookies for any site the user is logged in to. NetSurf 2.8 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/51981/references

  • 12.7.12 - CVE: CVE-2012-0804
  • Platform: Cross Platform
  • Title: CVS "proxy_connect()" Heap Buffer Overflow
  • Description: CVS is a version control system designed for software projects. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer. Specifically, this issue occurs due to an error in the "proxy_connect()" function of the "src/client.c" source file. CVS versions 1.11.x are vulnerable.
  • Ref: http://www.securityfocus.com/bid/51943/references https://bugzilla.redhat.com/show_bug.cgi?id=784141

  • 12.7.13 - CVE: CVE-2012-0248,CVE-2012-0247
  • Platform: Cross Platform
  • Title: ImageMagick Buffer Overflow and Denial of Service Vulnerabilities
  • Description: ImageMagick is an image editing suite that includes a library and command-line utilities supporting numerous image formats. The application is exposed to multiple issues in its EXIF parser. 1) A buffer overflow issue, because it fails to check that the offset and count of the ResolutionUnit tag in EXIF IFD0 keep the tag's value inside the image data before reading it, so a specially crafted image makes it access memory beyond the buffer. 2) A denial of service issue, because an IFD whose IOP (Interoperability) tag offset points back to the start of the same IFD is followed without loop detection, so a specially crafted image sends the parser into an infinite loop. ImageMagick versions prior to 6.7.5-1 are vulnerable.
  • Ref: http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20286 http://www.securityfocus.com/bid/51957/references
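The two parsing mistakes named in this entry, a value whose offset and count run past the end of the file and an IFD pointer that leads back to an IFD already visited, are both caught by the minimal TIFF/EXIF IFD walker below. It is an added example, not ImageMagick code: the tag numbers (0x0128 ResolutionUnit, 0xA005 Interoperability IFD) and field type sizes come from the TIFF 6.0 and EXIF specifications, MAX_ENTRIES is an arbitrary cap, and build_tiff constructs the sample files so the demo runs offline.

```python
"""Minimal TIFF/EXIF IFD walker with the two checks this entry is about.

Added example, not ImageMagick code. Every out-of-line value is checked
against the file size before it is read (offset + count * type size must
fit), and every IFD offset is recorded so a sub-IFD pointer or next-IFD link
that leads back to an IFD already parsed is rejected instead of looping.
"""
import struct

# TIFF field types -> size of one element in bytes (TIFF 6.0)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
# Tags whose LONG value is the offset of another IFD (EXIF 2.2)
SUB_IFD_TAGS = {0x8769: "Exif", 0x8825: "GPS", 0xA005: "Interop"}
TAG_RESOLUTION_UNIT = 0x0128
MAX_ENTRIES = 512  # arbitrary sanity cap on entries per IFD


class ExifError(ValueError):
    """Raised for any structurally unsafe IFD instead of reading out of bounds."""


def _decode(end: str, typ: int, count: int, payload: bytes):
    """Turn raw field bytes into Python values; rationals and blobs stay as bytes."""
    if typ == 2:
        return payload.rstrip(b"\0").decode("ascii", "replace")
    fmt = {1: "B", 3: "H", 4: "I", 6: "b", 8: "h", 9: "i"}.get(typ)
    if fmt is None:
        return payload
    values = struct.unpack(end + fmt * count, payload)
    return values[0] if count == 1 else values


def parse_ifd(data: bytes, end: str, offset: int):
    """Parse one IFD at offset; return ({tag: value}, next-IFD offset)."""
    if offset + 2 > len(data):
        raise ExifError(f"IFD header at {offset} lies outside the file")
    (count,) = struct.unpack_from(end + "H", data, offset)
    if count > MAX_ENTRIES:
        raise ExifError(f"IFD at {offset} claims {count} entries")
    base = offset + 2
    if base + 12 * count + 4 > len(data):
        raise ExifError(f"IFD at {offset} with {count} entries runs past end of file")
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(end + "HHI4s", data, base + 12 * i)
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise ExifError(f"tag {tag:#06x}: unknown field type {typ}")
        total = size * n
        if total <= 4:
            payload = raw[:total]                     # value stored inline
        else:
            (voff,) = struct.unpack(end + "I", raw)   # value stored out of line
            if voff + total > len(data):              # the ResolutionUnit offset/count case
                raise ExifError(f"tag {tag:#06x}: {n} x {size} bytes at offset {voff} "
                                f"exceed file size {len(data)}")
            payload = data[voff:voff + total]
        entries[tag] = _decode(end, typ, n, payload)
    (next_offset,) = struct.unpack_from(end + "I", data, base + 12 * count)
    return entries, next_offset


def parse_tiff(data: bytes) -> dict:
    """Walk IFD0, its next-IFD chain and every sub-IFD; return {name: {tag: value}}."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ExifError("not a TIFF header")
    end = "<" if data[:2] == b"II" else ">"
    magic, first = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ExifError("bad TIFF magic")
    visited, ifds = set(), {}
    pending = [("IFD0", first)]
    while pending:
        name, off = pending.pop()
        if off in visited:                            # the IOP-points-back case
            raise ExifError(f"{name} points at offset {off}, an IFD already parsed")
        visited.add(off)
        entries, next_off = parse_ifd(data, end, off)
        ifds[name] = entries
        for tag, sub_name in SUB_IFD_TAGS.items():
            target = entries.get(tag)
            if isinstance(target, int) and target:
                pending.append((sub_name, target))
        if next_off:
            pending.append((name + ":next", next_off))
    return ifds


def build_tiff(entries, next_ifd: int = 0, end: str = "<") -> bytes:
    """Construct a TIFF with one IFD at offset 8 (test-input builder, constructed data)."""
    body = struct.pack(end + "H", len(entries))
    for tag, typ, n, raw in entries:
        body += struct.pack(end + "HHI", tag, typ, n) + raw.ljust(4, b"\0")[:4]
    body += struct.pack(end + "I", next_ifd)
    return (b"II" if end == "<" else b"MM") + struct.pack(end + "HI", 42, 8) + body


if __name__ == "__main__":
    print(parse_tiff(build_tiff([(TAG_RESOLUTION_UNIT, 3, 1, struct.pack("<H", 2))])))
    for label, sample in (("bad offset/count", build_tiff([(TAG_RESOLUTION_UNIT, 3, 100000, struct.pack("<I", 8))])),
                          ("IOP pointing at own IFD", build_tiff([(0xA005, 4, 1, struct.pack("<I", 8))]))):
        try:
            parse_tiff(sample)
        except ExifError as exc:
            print(f"{label}: rejected ({exc})")
```

The bounds check is done in Python integers, so `voff + total` cannot wrap; in C the same comparison must be written so that the addition itself cannot overflow (compare `total > len - voff` after checking `voff <= len`), otherwise a large count defeats the check.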

  • 12.7.14 - CVE: CVE-2012-0452
  • Platform: Cross Platform
  • Title: Mozilla Firefox/Thunderbird/SeaMonkey "ReadPrototypeBindings()" Memory Corruption
  • Description: Firefox is Mozilla's web browser, Thunderbird its email client, and SeaMonkey a suite bundling a browser and an email client. The applications are exposed to a memory corruption issue that may allow remote code execution: when "ReadPrototypeBindings()" fails part way through, the XBL binding it was reading is freed but not removed from the hash table that indexes bindings, so a later lookup uses the dangling pointer (a use-after-free). Firefox and Firefox ESR versions prior to 10.0.1, Thunderbird and Thunderbird ESR versions prior to 10.0.1 and SeaMonkey versions prior to 2.7.1 are affected.
  • Ref: https://www.mozilla.org/security/announce/2012/mfsa2012-10.html

  • 12.7.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zero Install "Common Name" Field Security Bypass
  • Description: Zero Install is a decentralized cross-distribution software installation system. The application is exposed to a security issue that may allow attackers to conduct spoofing attacks, because it fails to properly check that the "Common Name" field of the SSL server certificate matches the host it is downloading from; a man-in-the-middle presenting a certificate that is valid for some other name is therefore accepted. Versions prior to Zero Install 1.6 are vulnerable.
  • Ref: http://sourceforge.net/mailarchive/message.php?msg_id=28823083 http://www.securityfocus.com/bid/51983/references


  • 12.7.17 - CVE: CVE-2012-0845
  • Platform: Cross Platform
  • Title: Python SimpleXMLRPCServer Denial Of Service
  • Description: Python is a programming language available for multiple platforms. The SimpleXMLRPCServer module in its standard library is exposed to a denial of service issue in the "SimpleXMLRPCRequestHandler.do_POST()" method: the method reads the request body in chunks until the number of bytes announced in Content-Length has arrived, and does not handle an EOF (the client closing the connection early), so a single truncated POST leaves the handler looping and consuming CPU. Python versions 2.7.2 and 3.2.2 are vulnerable and other versions may also be affected.
  • Ref: http://bugs.python.org/issue14001 http://www.securityfocus.com/bid/51996/references
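The failure mode behind this entry, reconstructed as an added example and not CPython's own SimpleXMLRPCServer source: a request handler reads a POST body in chunks, trusting Content-Length, and the client closes the socket early. Python file objects return an empty bytes object at EOF, so a loop that only subtracts len(chunk) from the outstanding count never advances. The `budget` parameter on the vulnerable version is an addition so that the demonstration terminates; the real loop had no such limit. io.BytesIO stands in for the handler's socket reader, and the request bytes are constructed.

```python
"""Reading a POST body in chunks: a loop that spins at EOF beside one that stops.

Added example reconstructing the bug class, not CPython's SimpleXMLRPCServer
source. rfile stands for the buffered socket reader of an HTTP handler;
io.BytesIO plays that role here so the demo runs offline.
"""
import io

MAX_CHUNK = 10 * 1024 * 1024  # read at most 10 MiB per call (demo value)


def read_body_vulnerable(rfile, content_length: int, budget: int = 1000):
    """Trust Content-Length and keep reading until the byte count is satisfied.

    At EOF rfile.read() returns b'', len(b'') is 0 and `remaining` never
    changes, so without the `budget` cap added for this demo the loop would
    run forever at 100% CPU. Returns (body, hit_budget).
    """
    parts, remaining, reads = [], content_length, 0
    while remaining:
        chunk = rfile.read(min(remaining, MAX_CHUNK))
        parts.append(chunk)
        remaining -= len(chunk)
        reads += 1
        if reads >= budget:
            return b"".join(parts), True
    return b"".join(parts), False


class ShortBody(ValueError):
    """The client closed the connection before sending Content-Length bytes."""


def read_body_fixed(rfile, content_length: int) -> bytes:
    """Same loop, but an empty read means the peer is gone: stop and refuse the request."""
    parts, remaining = [], content_length
    while remaining:
        chunk = rfile.read(min(remaining, MAX_CHUNK))
        if not chunk:
            raise ShortBody(f"connection closed with {remaining} bytes outstanding")
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts)


def handle_post(rfile, headers: dict):
    """Caller-side wrapper: map a short or bogus body to HTTP 400 instead of hanging the worker."""
    try:
        length = int(headers.get("Content-Length", "0"))
        if length < 0:
            raise ValueError
    except ValueError:
        return 400, b"bad Content-Length"
    try:
        body = read_body_fixed(rfile, length)
    except ShortBody as exc:
        return 400, str(exc).encode()
    return 200, body


if __name__ == "__main__":
    # Constructed request: Content-Length promises 1000 bytes, the client sends 6.
    body, hung = read_body_vulnerable(io.BytesIO(b"<xml/>"), 1000, budget=50)
    print("vulnerable loop exhausted its budget:", hung, "after reading", body)
    print("fixed handler:", handle_post(io.BytesIO(b"<xml/>"), {"Content-Length": "1000"}))
```

A socket read timeout on the server side would also unstick this loop, but only by waiting; the EOF check is what makes the handler fail fast and free the worker for the next client.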

  • 12.7.18 - CVE: CVE-2012-0757,CVE-2012-0758,CVE-2012-0759,CVE-2012-0760,CVE-2012-0761,CVE-2012-0762,CVE-2012-0763,CVE-2012-0764,CVE-2012-0766
  • Platform: Cross Platform
  • Title: Adobe Shockwave Player Multiple Vulnerabilities
  • Description: Adobe Shockwave Player is a multimedia player application. The application is exposed to multiple remote memory corruption issues that can lead to code execution when a crafted Shockwave file is viewed. See reference for detailed information. Versions prior to Adobe Shockwave Player 11.6.4.634 are vulnerable.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb12-02.html

  • 12.7.19 - CVE: CVE-2012-0505,CVE-2012-0497,CVE-2012-0498,CVE-2012-0499,CVE-2012-0500,CVE-2012-0508,CVE-2012-0504,CVE-2011-3571,CVE-2012-0503,CVE-2012-0502,CVE-2011-3563,CVE-2011-5035,CVE-2012-0501,CVE-2012-0506
  • Platform: Cross Platform
  • Title: Oracle Java SE Multiple Vulnerabilities
  • Description: Oracle Java SE is exposed to multiple security issues. See reference for detailed information. Java SE version 7 Update 2 and before, 6 Update 30 and before, 5.0 Update 33 and before, 1.4.2_35 and before, JavaFX 2.0.2 and before, JavaFX 1.3.0 and before, JavaFX 1.2.2 and before are vulnerable.
  • Ref: http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

  • 12.7.20 - CVE: CVE-2012-0765
  • Platform: Web Application - Cross Site Scripting
  • Title: Adobe RoboHelp Cross-Site Scripting
  • Description: Adobe RoboHelp is a tool for creating application help files in a number of formats. The application is exposed to a cross-site scripting issue because the application fails to properly sanitize user-supplied input. Adobe RoboHelp 8 and 9 are vulnerable.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb12-04.html

  • 12.7.21 - CVE: Not Available
  • Platform: Web Application
  • Title: Mathopd Directory Traversal
  • Description: Mathopd is a small HTTP server for Unix-like systems. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied request paths, allowing requests to reach files outside the configured document root (for example "/var/www/"). Versions prior to Mathopd 1.5p7 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/51872/references http://www.mathopd.org/security.html

  • 12.7.22 - CVE: CVE-2012-1037
  • Platform: Web Application
  • Title: GLPI "sub_type" Parameter Remote File Include
  • Description: GLPI is an information management application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input submitted to the "sub_type" parameter of the "front/popup.php" script. GLPI versions between 0.78 and 0.80.61 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/51958/references http://seclists.org/fulldisclosure/2012/Feb/157

  • 12.7.23 - CVE: Not Available
  • Platform: Web Application
  • Title: AjaXplorer "doc_file" Parameter Local File Disclosure
  • Description: AjaXplorer is a remote file management application. The application is exposed to a local file disclosure issue because it fails to adequately validate user-supplied input to the "doc_file" parameter of the "index.php" script when the "get_action" parameter is set to "display_doc", allowing files outside the intended documentation directory to be read. AjaXplorer 4.0.1 is vulnerable and other versions are also affected.
  • Ref: http://www.securityfocus.com/bid/51960/references http://ajaxplorer.info/ajaxplorer-4-0-2/
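The check that both the Mathopd entry above (12.7.21) and this AjaXplorer entry lack, written as an added example rather than code from either project: decode the request path once (as the web server does), reject any ".." component or NUL byte outright, then resolve the result on disk and confirm it still lies under the document root, which also catches a symlink inside the root that points outside it. The document root, the `display_doc` wrapper and the file contents are assumptions constructed for the demo.

```python
"""Resolve a user-supplied path under a document root, or refuse it.

Added example, not Mathopd or AjaXplorer code. The request path is decoded
once (as a web server would), checked lexically for traversal, then resolved
on disk and compared against the root so a symlink cannot escape either.
"""
from pathlib import Path
from urllib.parse import unquote


class PathOutsideRoot(PermissionError):
    """The requested path does not stay inside the document root."""


def resolve_under_root(root, request_path: str) -> Path:
    """Return the real on-disk path for request_path, or raise PathOutsideRoot."""
    root = Path(root).resolve(strict=True)
    decoded = unquote(request_path)                 # %2e%2e -> .. (decode exactly once)
    if "\0" in decoded:
        raise PathOutsideRoot("NUL byte in path")
    parts = [p for p in decoded.replace("\\", "/").split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise PathOutsideRoot(f"traversal component in {request_path!r}")
    candidate = root.joinpath(*parts).resolve()     # follows symlinks
    if candidate != root and root not in candidate.parents:
        raise PathOutsideRoot(f"{request_path!r} resolves outside {root}")
    return candidate


def display_doc(root, doc_file: str) -> bytes:
    """A 'display_doc'-style action: read a documentation file, but only from under root."""
    path = resolve_under_root(root, doc_file)
    if not path.is_file():
        raise FileNotFoundError(doc_file)
    return path.read_bytes()


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())                 # hypothetical document root
    (root / "docs").mkdir()
    (root / "docs" / "manual.txt").write_text("constructed manual\n")
    for req in ("docs/manual.txt", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "docs/../../x"):
        try:
            print(req, "->", resolve_under_root(root, req))
        except PathOutsideRoot as exc:
            print(req, "-> refused:", exc)
```

Decoding exactly once matters in both directions: decoding twice would turn a harmless literal "%252e%252e" into traversal that the lexical check might miss elsewhere in the stack, while not decoding at all would let "%2e%2e" through the lexical check and rely entirely on the final containment test.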

  • 12.7.24 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB Multiple Security Vulnerabilities
  • Description: MyBB (MyBulletinBoard) is a forum application implemented in PHP. The application is exposed to multiple security issues, including: 1) Multiple cross-site request forgery issues because the application fails to properly validate HTTP requests, and 2) Multiple cross-site scripting issues because the application fails to properly sanitize user-supplied input. Versions prior to MyBB 1.6.6 are vulnerable.
  • Ref: http://blog.mybb.com/2012/02/10/mybb-1-6-6-security-release/ http://www.securityfocus.com/bid/51962/references

  • 12.7.25 - CVE: Not Available
  • Platform: Web Application
  • Title: CubeCart Multiple URI Redirection Vulnerabilities
  • Description: CubeCart is a web-based e-commerce application. The application is exposed to multiple URI redirection issues because the application fails to properly sanitize user-supplied input submitted to the "goto" and "r" parameters of the "switch.php" and "login.php" scripts. CubeCart 3.0.20 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/51966/references http://www.securityfocus.com/archive/1/521587

  • 12.7.26 - CVE: CVE-2011-4403
  • Platform: Web Application
  • Title: Zen Cart "path_to_admin/product.php" Cross-Site Request Forgery
  • Description: Zen Cart is a web-based shopping cart. The application is exposed to a cross-site request forgery issue. This issue occurs because the application allows attackers to perform certain actions without validating the request. Specifically, the issue affects the "path_to_admin/product.php" script. Attackers may exploit this issue to delete and disable products. Zen Cart 1.3.9h is vulnerable and other versions may be affected.
  • Ref: http://www.securityfocus.com/bid/51968/references http://seclists.org/fulldisclosure/2012/Feb/171

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account