Internet Explorer has another critical vulnerability (#1 below) even when Service Pack 2 of Windows XP is installed. Microsoft is slow to respond.
@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).
******************** Security Training Update *************************
Featured Security Training Program: SANS Network Security 2004 Las Vegas, NV September 28 - October 6, 2004
The largest training conference in the world with 16 immersion training tracks and a large security exposition. Great courses for security managers and CISOs, for security experts, for auditors, for forensics scientists, and even for those just starting out. And Las Vegas is a great place to visit in the fall.
Register soon to get a seat at your choice of courses. http://www.sans.org/ns2004
***********************************************************************
Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process
Description: This vulnerability in Internet Explorer can be exploited to completely compromise a client system. The problem arises because Internet Explorer does not perform sufficient checks on "drag and drop" events that move resources from the "Internet" zone to the "Local" zone. The publicly posted proof-of-concept exploit drops an executable into the client's "Startup" folder when the user drags and drops a specially crafted image on a webpage. A modified version of the exploit installs an executable when the user drags Internet Explorer's scrollbar. The exploit may be modified further so that only minimal user interaction is needed for it to succeed. Note that Windows XP SP1 (fully patched) and SP2 are both vulnerable.
Status: Microsoft has not confirmed, no patches available.
Council Site Actions: All council sites submitted a similar response for this item. They are waiting for a patch to be released and will distribute it through one of their normal system update processes or via Microsoft's automatic update mechanism. Some sites are investigating deploying an alternate browser, while others are limited to IE because of internal applications. Some sites sent an email notification to their users.
Description: Adobe Acrobat Reader for Windows ships with an ActiveX control (pdf.ocx) that displays a PDF document inside a web browser. This ActiveX control contains a heap-based buffer overflow. The flaw can be triggered by an overlong PDF filename that contains a URL-encoded null (%00) character. A malicious webpage or HTML email may exploit this flaw to execute arbitrary code on a client system. Simply viewing the malicious webpage or email is sufficient to trigger the flaw, i.e. no further user interaction is necessary, because the PDF filename can be placed in an image or frame tag that the browser loads automatically. The technical details required to exploit the vulnerability have been publicly posted.
Status: Adobe reported that Adobe Reader version 6.0.2 is not vulnerable; the vulnerability reporters claim otherwise. A suggested workaround is to disable the "Display PDF in browser" Internet setting in Adobe Acrobat and Acrobat Reader.
Council Site Actions: Most sites are awaiting additional vendor response to this item before they plan a remediation. Several sites are already running version 6.0.2. One site will rely on Acrobat Reader's built-in update functionality, in which the application periodically checks an adobe.com site for newer versions and asks the user whether to update, as their primary update method.
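The item above says the trigger is a PDF filename carrying a URL-encoded null and that an image or frame tag is enough to fetch it without a click. The following is an added example for this newsletter, not Adobe's, SANS's or TippingPoint's code: it scans HTML (a web page or an HTML mail body) for PDF references whose percent-decoded filename contains a NUL byte, and reports whether the carrying tag auto-loads. The tag list and the auto-load classification are assumptions (the advisory names only image and frame tags), and the sample page is constructed.

```python
"""Flag PDF references whose filename carries a URL-encoded NUL (%00).

Added example for the pdf.ocx item above; it is not Adobe's, SANS's or
TippingPoint's code.  The tag list and the 'auto-load' classification are
assumptions: the advisory names only image and frame tags as carriers."""
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes, urlsplit

# Tags whose resource is fetched as soon as the page or mail is rendered,
# i.e. no click is needed (assumed list, beyond the img/frame the text names).
AUTO_LOAD = {
    "img": ("src",), "frame": ("src",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
# Tags that only fetch on user action.
CLICK_REQUIRED = {"a": ("href",)}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, url, auto_load) for every resource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, auto in ((AUTO_LOAD, True), (CLICK_REQUIRED, False)):
            for attr in table.get(tag, ()):
                if attrs.get(attr):
                    self.refs.append((tag, attr, attrs[attr], auto))


def decoded_pdf_name(url):
    """Percent-decode the last path component; return it if it references a PDF.

    Decoding to bytes keeps an embedded NUL visible.  '.pdf' may sit on either
    side of the NUL, since a C-string consumer truncates there."""
    name = unquote_to_bytes(urlsplit(url).path.rsplit("/", 1)[-1])
    return name if b".pdf" in name.lower() else None


def find_suspicious_pdf_refs(html):
    """Return one finding per PDF reference whose decoded filename contains NUL."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url, auto in collector.refs:
        name = decoded_pdf_name(url)
        if name is None or b"\x00" not in name:
            continue
        findings.append({
            "tag": tag,
            "attr": attr,
            "url": url,
            "auto_load": auto,          # True: viewing the page is enough
            "name_length": len(name),   # the advisory's other ingredient: overlong
        })
    return findings


# Constructed sample: one benign PDF link, two auto-loading hostile references,
# and one hostile reference that needs a click.
SAMPLE_HTML = (
    '<html><body><p>Quarterly report</p>'
    '<a href="/files/report.pdf">download</a>'
    '<img src="http://attacker.invalid/doc%00' + "A" * 300 + '.pdf">'
    '<iframe src="x%00.pdf"></iframe>'
    '<a href="/dl/trap%00.pdf">click</a>'
    '</body></html>'
)

if __name__ == "__main__":
    for f in find_suspicious_pdf_refs(SAMPLE_HTML):
        print(f["tag"], f["auto_load"], f["name_length"], f["url"][:60])
```

Decoding to bytes rather than to str matters: a str-level check can lose or normalise the embedded NUL, which is exactly the character the overflow depends on. The same check can run on outbound mail at an SMTP gateway or on a web proxy's response bodies.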
Description: This vulnerability in Internet Explorer allows a malicious webpage to spoof the address bar so that it appears to show a trusted site. The problem can be triggered by forcing Internet Explorer to open an unknown-protocol URL multiple times and then calling the "history.back()" function. For instance, the proof-of-concept exploit uses "res2res://", an unknown protocol. The flaw can be exploited by enticing users to visit a specially crafted webpage. An attacker can potentially steal information such as usernames, passwords or other personal data. Note that a large number of "phishing" scams have been reported that exploit similar vulnerabilities (see http://www.antiphishing.org).
Status: Microsoft has not confirmed, no patches available. Windows XP SP2 is reportedly not vulnerable. Users should be advised not to enter personal information on any webpage they reach by clicking a link in an email or on another webpage.
Council Site Actions: All council sites submitted a similar response for this item. They are waiting for a patch to be released and will distribute it through one of their normal system update processes or via Microsoft's automatic update mechanism. Some sites are investigating deploying an alternate browser such as Firefox, while others are limited to IE because of internal applications. Some sites sent an email notification to their users.
Description: The Qt library provides tools for cross-platform development and internationalization. It is used by popular software such as KDE (the Linux desktop) and Adobe Photoshop. The library contains a heap-based buffer overflow that can be triggered through multiple image file formats, including BMP, GIF and JPEG. A malicious image may exploit the flaw to execute arbitrary code on a client system with the privileges of the user viewing the image. The image can be delivered to the client by a number of means, including a webpage, email or file sharing. Exploit code has been publicly posted.
Status: Vendor confirmed, upgrade to Qt version 3.3.3. Patches are available for Mandrake and SuSE Linux.
Council Site Actions: Only one council site responded to this vulnerability. They have a few hundred systems running licensed copies of the software, which they will update to a non-vulnerable version when one is available. They have some KDE users as well, but that software is not supported by their central IT department. However, they expect that many users will become aware of this problem on their own.
Description: The lukemftpd server ships with NetBSD, FreeBSD, MacOS and some flavors of Linux. Its code base also has similarities with the Heimdal FTP server and the Kerberos V FTP server. All of these FTP servers contain multiple vulnerabilities in their handling of "signals", which an attacker can cause to be delivered by sending out-of-band TCP data to the server. The flaws can be exploited by authenticated users, and in certain cases even by anonymous users, to obtain root privileges on the server. The technical details have been publicly posted.
Status: Vendor(s) confirmed, updates available from some vendors. As a workaround, disable anonymous access and run the FTP server with non-root privileges.
Council Site Actions: Only two council sites responded to this issue. One site has very minimal use of FTP and has only sent an alert to its system support staff. The second site plans to update its system configurations within the next 30 days. It also has a few MacOS systems, which will be updated using Apple's Software Update facility once a patch or new version is available.
Description: Clearswift's MAILsweeper product is designed to remove viruses, Trojans and other malware from email at an organization's SMTP gateway. The product also supports policies that can block attachments such as executables. However, MAILsweeper does not decode many commonly used file compression formats. As a result, malware compressed with one of those formats passes through undetected. This flaw may lead to a virus or Trojan infection in an enterprise that relies on MAILsweeper for protection. A list of the compression formats that are not decoded has been publicly posted.
Status: Vendor has confirmed and released a hotfix for version 4.3.15.
Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.
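The MAILsweeper item above describes a gateway that lets compressed malware through when it cannot open the container. The following is an added example for this newsletter, not Clearswift's code: it identifies an attachment's container format from its leading bytes (not its extension), fails closed by quarantining any compression format the gateway cannot unpack, and flags archives whose name claims a different type. The set of formats the gateway can decode is an assumption, the magic values are the formats' well-known signatures, and the sample attachments are constructed (real zip/gzip/bzip2/tar bytes from the standard library plus a hand-written RAR header).

```python
"""Identify attachment containers by leading bytes and fail closed on formats
the gateway cannot unpack.

Added example for the MAILsweeper item above; it is not Clearswift's code.
CAN_DECODE stands in for whatever a given gateway really unpacks and is an
assumption; the magic values are the formats' well-known signatures."""
import bz2
import gzip
import io
import tarfile
import zipfile

# (offset, signature, format).  Checked in order; first match wins.
MAGIC = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"BZh", "bzip2"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"MSCF", "cab"),
    (0, b"\xfd7zXZ\x00", "xz"),
    (0, b"\x60\xea", "arj"),
    (2, b"-lh", "lha"),        # LHA/LZH stores its method id "-lh?-" at offset 2
    (257, b"ustar", "tar"),    # POSIX/GNU tar magic in the first header block
]

# Extensions that legitimately carry each format; anything else is a mismatch.
EXT_FOR = {
    "zip": ("zip",), "gzip": ("gz", "tgz"), "bzip2": ("bz2", "tbz", "tbz2"),
    "rar": ("rar",), "7z": ("7z",), "cab": ("cab",), "xz": ("xz", "txz"),
    "arj": ("arj",), "lha": ("lha", "lzh"), "tar": ("tar",),
}

# Assumption: the formats this particular gateway knows how to open.
CAN_DECODE = {"zip", "gzip", "tar"}


def identify_container(data):
    """Return the container format name, or None if no signature matches."""
    for offset, sig, name in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return name
    return None


def gateway_verdict(filename, data, can_decode=CAN_DECODE):
    """Decide how a content-scanning gateway should treat one attachment.

    action is one of:
      'scan'       - a container the gateway unpacks, so scanning is meaningful
      'quarantine' - a compression format it cannot look inside (fail closed)
      'scan-raw'   - not a recognised container; scan the bytes as they are
    extension_mismatch is True when the content is an archive but the name
    says otherwise (e.g. a ZIP renamed .txt), a classic policy-bypass trick."""
    fmt = identify_container(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if fmt is None:
        action = "scan-raw"
    elif fmt in can_decode:
        action = "scan"
    else:
        action = "quarantine"
    return {
        "format": fmt,
        "action": action,
        "extension_mismatch": fmt is not None and ext not in EXT_FOR[fmt],
    }


def sample_attachments():
    """Constructed test attachments: real zip/gzip/bzip2/tar bytes from the
    standard library plus a hand-written RAR header and a plain-text file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("payload.exe", b"MZ not really a program")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as t:
        info = tarfile.TarInfo("a.txt")
        info.size = 1
        t.addfile(info, io.BytesIO(b"x"))
    return {
        "invoice.zip": zbuf.getvalue(),
        "notes.txt": zbuf.getvalue(),                        # ZIP wearing a .txt name
        "logs.tgz": gzip.compress(b"log line\n"),
        "backup.tar.bz2": bz2.compress(b"tar bytes would go here"),
        "archive.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,   # constructed header only
        "src.tar": tbuf.getvalue(),
        "readme.txt": b"plain text, nothing to unpack",
    }


def demo():
    """Run every sample through the gateway policy; returns {filename: verdict}."""
    return {name: gateway_verdict(name, data)
            for name, data in sample_attachments().items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:16} {str(v['format']):6} {v['action']:10} "
              f"mismatch={v['extension_mismatch']}")
```

The point of the policy is the "quarantine" branch: a gateway that cannot open a container has not inspected it, so passing it through is the failure mode the item describes. Signature matching also catches the renamed-archive trick that extension-based attachment blocking misses.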
This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3663 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
==end==
Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit http://portal.sans.org
Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.