
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 23
June 4, 2009

Microsoft DirectX DirectShow, Apple QuickTime and Apple iTunes are the top priorities this week. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Category                                   # of Updates & Vulnerabilities
- ----------------------------------       -------------------------------------
Windows                                     2
Third Party Windows Apps                    4 (#1, #5)
Mac Os                                      1 (#3)
Linux                                       3
Unix                                        1 (#6)
Cross Platform                             31 (#2, #4, #7)
Web Application - Cross Site Scripting      7
Web Application - SQL Injection             7
Web Application                            11
Network Device                              2

************************ Sponsored By Sourcefire, Inc. ******************

Your Network Security Isn't Good Enough Anymore

Today's threats-and networks-are dynamic. Unfortunately most network security systems are not.

Join Martin Roesch, Founder and CTO of Sourcefire(r) and Creator of Snort(r), in a series of seminars, as he shows why network security must include full network visibility, relevant context, and automated impact assessment to be effective.

More information http://www.sans.org/info/44289

*************************************************************************

TRAINING UPDATE
- SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses)
  http://www.sans.org/sansfire09/event.php
- Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses)
  http://www.sans.org/rockymnt2009/event.php
- SANS Boston, Aug 2-9 (6 full-length hands-on courses)
  https://www.sans.org/boston09/index.php
- National Forensics Summit, July 6-14
  http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
PART I -- Critical Vulnerabilities
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Windows
    Third Party Windows Apps
    Mac Os
    Linux
    Unix
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Network Device

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft DirectX DirectShow Remote Code Execution Vulnerability
  • Affected:
    • DirectX 7.0 on Microsoft Windows 2000 Service Pack 4
    • DirectX 8.1 on Microsoft Windows 2000 Service Pack 4
    • DirectX 9.0x on Microsoft Windows 2000 Service Pack 4
    • DirectX 9.0x on Windows XP Service Pack 2 and Windows XP Service Pack 3
    • DirectX 9.0x on Windows XP Professional x64 Edition Service Pack 2
    • DirectX 9.0x on Windows Server 2003 Service Pack 2
    • DirectX 9.0x on Windows Server 2003 x64 Edition Service Pack 2
    • DirectX 9.0x on Windows Server 2003 with SP2 for Itanium-based Systems
  • Description: Microsoft DirectX is a multimedia framework for the Windows operating system. DirectShow, a component of DirectX, is used for streaming media on Windows and can capture and play back high-quality streams. There is a vulnerability in Microsoft's quartz.dll, part of the DirectShow platform, in the way it processes QuickTime format files. A specially crafted QuickTime file opened in Windows Media Player can trigger this vulnerability. Browser media playback plug-ins can also serve as an attack vector: an attacker creates a web page that uses the plug-in to play the malicious QuickTime file. Successful exploitation leads to arbitrary code execution. Note that no version of Windows Vista or Windows Server 2008 is affected by this issue. Technical details of the vulnerability are not publicly available.

  • Status: Vendor confirmed, no updates available.

  • References:
  • (3) CRITICAL: Apple iTunes Multiple Protocol Handlers Buffer Overflow Vulnerability
  • Affected:
    • Apple iTunes versions prior to 8.2
  • Description: iTunes is a digital media player from Apple Inc., used for music and media management. There is a stack overflow vulnerability in the URI handlers registered by iTunes. The vulnerable URI handlers are "itms", "itmss", "daap", "pcast", and "itpc"; the overflow is reached when URLs are processed via these protocol handlers. Successful exploitation might lead to arbitrary code execution in the context of the logged-in user. Technical details for this vulnerability are available in the form of a publicly disclosed proof-of-concept. To exploit it, an attacker has to entice an unsuspecting user to visit a website hosting a malicious page.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) CRITICAL: Apple Terminal Window Resize command Integer Overflow vulnerability
  • Affected:
    • Apple Mac OS X Server 10.5.6 and prior
    • Apple Mac OS X 10.5.6 and prior
  • Description: Apple Terminal is the terminal emulator included in Apple's Mac OS X operating system, which lets the user interact with the operating system through a command line interface. There is an integer overflow vulnerability in the handling of Terminal window sizes. The specific flaw is in Terminal.app's handling of the xterm escape sequence 'CSI[4', which resizes the window. A very large negative (x,y) size value can cause an integer overflow leading to memory corruption. Successful exploitation might allow an attacker to execute arbitrary code with the privileges of the logged-in user. To exploit it, an attacker has to entice an unsuspecting user to visit a website hosting a malicious page.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) CRITICAL: SafeNet SoftRemote IKE service Buffer Overflow Vulnerability
  • Affected:
    • SafeNet SoftRemote versions prior to 10.8.6
  • Description: SafeNet is a supplier of encryption technologies that protect identities, secure communications and protect intellectual property. SafeNet SoftRemote is a remote access client from SafeNet, used to connect remote users to corporate Virtual Private Networks (VPNs). There is a stack-based overflow vulnerability in some installations of SoftRemote. The specific flaw is in the "ireIke.exe" service, which does not handle long requests adequately. This service listens on UDP port 62514. An attacker who sends an overly long request to UDP port 62514 can exploit this vulnerability and execute arbitrary code with SYSTEM credentials. Authentication is not required to carry out this attack.

  • Status: Vendor has confirmed, updates available.

  • References:
  • (6) HIGH: CUPS Multiple Integer Overflow Vulnerabilities and Denial of Service Vulnerability
  • Affected:
    • CUPS 1.1.x
    • CUPS 1.3.x
  • Description: CUPS is the Common UNIX Printing System, the standard printing system on a variety of UNIX, Unix-like and Linux operating systems. It is open source, developed by Apple, and is the default printing system on Mac OS X. Multiple integer overflow vulnerabilities were identified in the CUPS "pdftops" filter, which converts PDF files into PostScript. A specially crafted PDF file, if printed, would either crash "pdftops" or execute arbitrary code as the "lp" user. The denial-of-service vulnerability is in the function "ippReadIO()" in "cups/ipp.c", while processing a specially crafted Internet Printing Protocol (IPP) request that has two consecutive "IPP_TAG_UNSUPPORTED" tags. Full technical details of these vulnerabilities are publicly available via source code analysis.

  • Status: Vendor has confirmed, updates available.

  • References:
  • (7) MODERATE: IBM WebSphere MQ Buffer Overflow Vulnerability
  • Affected:
    • WebSphere MQ prior to 6.0.2.7
    • WebSphere MQ prior to 7.0.1.0
  • Description: IBM WebSphere MQ is a family of network communication software from IBM that provides connectivity and integration between independent and non-concurrent applications on distributed systems. There is a buffer overflow vulnerability in WebSphere MQ that can allow attackers to compromise a vulnerable system. The flaw is in the way the MQ server processes inbound data on a client connection; a specially crafted client request can be used to overflow the buffer. Under some conditions an attacker may need valid authentication to exploit this vulnerability. Successful exploitation might lead to arbitrary code execution.

  • Status: Vendor has confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7070 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.23.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Desktop Wall Paper System Parameter Local Denial of Service
  • Description: Microsoft Windows is exposed to a local denial of service issue because the operating system fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling an excessively large Desktop wallpaper system parameter. Windows XP SP3 is affected.
  • Ref: http://www.securityfocus.com/bid/35120

  • 09.23.2 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows "win32k.sys" Local Denial of Service
  • Description: Microsoft Windows is prone to a local denial of service vulnerability. This issue affects the "win32k.sys" system file. Attackers may exploit this issue to crash the affected computer, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code with SYSTEM-level privileges, but this has not been confirmed. Windows Vista and Windows Server 2003 are affected.
  • Ref: http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=2&m=152274

  • 09.23.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Citrix Password Manager Secondary Credentials Local Information Disclosure
  • Description: Citrix Password Manager is a single sign-on application for Microsoft Windows. The application is exposed to a local information disclosure issue. Specifically, local attackers may exploit this issue to access stored secondary credentials despite configured security policies. Password Manager versions prior to 4.6 SP1 are affected.
  • Ref: http://support.citrix.com/article/CTX120743

  • 09.23.4 - CVE: CVE-2009-1379
  • Platform: Third Party Windows Apps
  • Title: Microsoft DirectX DirectShow QuickTime Video Remote Code Execution
  • Description: Microsoft DirectX is a multimedia API for Microsoft Windows. DirectShow is a component of DirectX used for streaming media. DirectX is exposed to a remote code execution issue because the DirectShow component fails to properly handle QuickTime media files. Successfully exploiting this issue allows the attacker to execute arbitrary code in the context of the user running the application that uses DirectX.
  • Ref: http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest

  • 09.23.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ICQ "ICQToolBar.dll" Denial of Service
  • Description: ICQ is an instant messaging client. ICQ is exposed to a denial of service issue because the application fails to perform adequate boundary checks on user-supplied data. Specifically, the issue occurs in the "ICQToolBar.dll" file when processing specially crafted ".url" files. ICQ version 6.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503935

  • 09.23.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Safenet SoftRemote IKE Service Remote Stack Buffer Overflow
  • Description: Safenet SoftRemote is a remote access client available for Microsoft Windows. The application is exposed to a remote stack-based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Safenet SoftRemote versions prior to 10.8.6 are affected.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-09-024/

  • 09.23.7 - CVE: CVE-2009-1717
  • Platform: Mac Os
  • Title: Apple Mac OS X Terminal Window Resize Command Integer Overflow
  • Description: Apple Mac OS X is exposed to an integer overflow issue affecting the Terminal application. This issue occurs because Terminal fails to handle malformed arguments to the "CSI[4" xterm window resizing command. Successful exploits will allow attacker-supplied code to run in the context of the user running the affected application.
  • Ref: http://support.apple.com/kb/HT3549

  • 09.23.8 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "splice(2)" Double Lock Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue because of a race condition in the "splice(2)" system call. The issue stems from a potential deadlock when double-locking inode mutexes in preparation for copy operations between pipes. The locks are not explicitly ordered, which may cause the kernel to crash when it tries to unlock inodes that were locked out of order.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/1809

  • 09.23.9 - CVE: Not Available
  • Platform: Linux
  • Title: strongSwan IKE Request Multiple Remote Denial of Service Vulnerabilities
  • Description: strongSwan is an open-source implementation of an IPSec VPN for Linux. Since it fails to properly handle certain IKE packets, the application is prone to multiple remote denial of service issues. strongSwan versions prior to 4.3.1 and 4.2.15 are affected.
  • Ref: http://download.strongswan.org/patches/04_swapped_ts_check_patch/

  • 09.23.10 - CVE: CVE-2009-1385
  • Platform: Linux
  • Title: Linux Kernel "e1000/e1000_main.c" Remote Denial of Service
  • Description: The Linux kernel is exposed to a remote denial of service issue. Specifically, the issue exists in the "e1000_clean_rx_irq()" function of the "e1000/e1000_main.c" file due to an incorrect length check. The problem occurs when E1000 tries to strip the cyclic redundancy check (CRC) from a frame by subtracting four bytes from the length of the frame.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ea30e11970a96cfe5e32c03a29332554573b4a10

  • 09.23.11 - CVE: CVE-2009-0949
  • Platform: Unix
  • Title: CUPS "cups/ipp.c" NULL Pointer Dereference Denial of Service
  • Description: CUPS (Common UNIX Printing System) is a widely used set of printing utilities for UNIX-based systems. The application is exposed to a denial of service issue caused by a NULL-pointer dereference that occurs in the "ippReadIO()" function of the "cups/ipp.c" source file. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
  • Ref: http://www.securityfocus.com/archive/1/504032

  • 09.23.12 - CVE: CVE-2009-1384
  • Platform: Cross Platform
  • Title: pam_krb5 Existing/Non-Existing Username Enumeration Weakness
  • Description: Pluggable authentication modules (PAM) provide a standard interface to various authentication mechanisms. The "pam-krb5" library is used to provide a PAM interface to the Kerberos authentication system. The application is exposed to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists. pam_krb5 version 2.2.14 is affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1384

  • 09.23.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Hardware Management Console (HMC) Shared Memory Unspecified Vulnerability
  • Description: IBM Hardware Management Console (HMC) enables an administrator to manage the configuration and operation of partitions in a computer and to monitor the computer for hardware problems. The application is exposed to an unspecified issue that occurs when migrating a shared memory partition to a target system which has a shared memory pool configured with redundant paging VIOS (Virtual I/O Server) partitions. HMC 7 Release 3.4.0 Service Pack 2 is affected.
  • Ref: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4671&myns=phmc&mync=E

  • 09.23.14 - CVE: CVE-2009-1195
  • Platform: Cross Platform
  • Title: Apache "Options" and "AllowOverride" Directives Security Bypass
  • Description: Apache is an HTTP server available for various operating systems. The application is exposed to a security bypass issue related to the handling of configuration directives. This issue occurs when the "AllowOverride" and "Options" directives are used to restrict the ability of local users to execute scripts through the webserver. Apache versions prior to 2.2.9 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=489436

  • 09.23.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: libsndfile Audio Data Multiple Denial of Service Vulnerabilities
  • Description: libsndfile is a library used for reading and writing audio files. libsndfile is exposed to multiple denial of service issues due to a division-by-zero error. Exploiting these issues may allow attackers to crash the application that uses the affected library, denying service to legitimate users. libsndfile version 1.0.20 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530831

  • 09.23.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox "keygen" HTML Tag Denial of Service
  • Description: Mozilla Firefox is a browser available for multiple platforms. The browser is exposed to a remote denial of service issue caused by a design error. Specifically, the "keygen" tag has an automatic submission feature, which may allow attackers to cause the application to fall into an infinite loop with the JavaScript "onload()" function.
  • Ref: http://blog.zoller.lu/2009/04/advisory-firefox-denial-of-service.html

  • 09.23.17 - CVE: CVE-2009-0897
  • Platform: Cross Platform
  • Title: IBM WebSphere Partner Gateway "bcgarchive" Information Disclosure
  • Description: IBM WebSphere Partner Gateway (WPG) is a business-to-business tool for use with WebSphere Application Server. WPG is exposed to an information disclosure issue because it uses a DB2 instance ID insecurely to execute the "bcgarchive" archive script. WPG versions 6.1.0 and 6.1.1 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21366016

  • 09.23.18 - CVE: CVE-2009-1744
  • Platform: Cross Platform
  • Title: Pinnacle Hollywood FX ".hfz" File Handling Remote Denial of Service
  • Description: Pinnacle Hollywood FX is a video transition module for Pinnacle Studio, a video editor. The application is exposed to a remote denial of service issue because it fails to handle specially crafted ".hfz" (Hollywood FX Compressed Archive) files. This issue occurs in the "InstallHFZ.exe" binary file. Pinnacle Hollywood FX version 6 is affected.
  • Ref: http://www.securityfocus.com/bid/35137

  • 09.23.19 - CVE: CVE-2009-1379
  • Platform: Cross Platform
  • Title: OpenSSL "dtls1_retrieve_buffered_fragment()" DTLS Packet Denial of Service
  • Description: OpenSSL is an open-source implementation of the SSL protocol that is used by a number of other projects, including but not restricted to Apache, Sendmail, and Bind. OpenSSL is exposed to a remote denial of service issue because it fails to handle malformed data. Specifically, this issue affects the "dtls1_retrieve_buffered_fragment()" function of the "ssl/d1_both.c" source file and may be triggered when an OpenSSL client receives a malformed DTLS packet from a malicious server. OpenSSL version 1.0.0 Beta 2 is affected.
  • Ref: http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest

  • 09.23.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ston3D S3DPlayer Web and StandAlone "system.openURL()" Remote Command Injection
  • Description: S3DPlayer Web and StandAlone are multimedia players available for Microsoft Windows, Linux and Mac OS X. S3DPlayer Web and StandAlone are exposed to a remote command injection issue that occurs in the scripting interface. Specifically, the application fails to sufficiently sanitize user-supplied input to the "sURL" parameter of the "system.openURL()" function.
  • Ref: http://www.securityfocus.com/archive/1/503887

  • 09.23.21 - CVE: CVE-2009-1805
  • Platform: Cross Platform
  • Title: VMware Products Descheduled Time Accounting Driver Denial Of Service
  • Description: Multiple VMware products are exposed to a denial of service issue. The issue stems from an unspecified error in the VMware Descheduled Time Accounting driver. An unprivileged attacker in a guest operating system could exploit this issue to cause denial of service conditions in the affected virtual machine.
  • Ref: http://www.vmware.com/security/advisories/VMSA-2009-0007.html

  • 09.23.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Avira AntiVir Products RAR/CAB/ZIP/LH File Scan Evasion
  • Description: Avira AntiVir products provide antivirus, antispyware, and firewalling capabilities for both enterprise and endpoint-based systems. Multiple AntiVir products are exposed to an issue that may allow certain compressed archives to bypass the scan engine. The issue occurs because the software fails to properly inspect specially crafted "ZIP", "CAB", "RAR", and "LH" files.
  • Ref: http://www.securityfocus.com/archive/1/503914

  • 09.23.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SonicWALL SSL-VPN "cgi-bin/welcome/VirtualOffice" Remote Format String
  • Description: SonicWALL SSL-VPN devices are hardware appliances for network security. The devices include a web-based administration interface. The devices are exposed to a remote format string issue because they fail to properly validate user-supplied input before passing it as the format specifier to a formatted-printing function.
  • Ref: http://www.securityfocus.com/archive/1/503913

  • 09.23.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Acrobat Stack Exhaustion Denial of Service
  • Description: Adobe Acrobat is exposed to a denial of service issue because the application fails to perform adequate boundary checks on user-supplied data. A stack exhaustion occurs when handling a specially crafted PDF file containing specially malformed JavaScript. Adobe Acrobat version 9.1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/35148

  • 09.23.25 - CVE: CVE-2009-0893
  • Platform: Cross Platform
  • Title: Xvid Video Codec Macroblock Number Heap Buffer Overflow
  • Description: The Xvid video compression codec is available for a number of operating systems. The codec is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue occurs due to a failure to handle macroblock values in maliciously crafted video files. Xvid versions prior to 1.2.2 are affected.
  • Ref: http://www.securityfocus.com/bid/35156

  • 09.23.26 - CVE: CVE-2009-0950
  • Platform: Cross Platform
  • Title: Apple iTunes "itms:" URI Stack Buffer Overflow
  • Description: Apple iTunes is a media player for Microsoft Windows and Apple Mac OS X. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks before copying user-supplied data to an insufficiently-sized buffer. This issue can occur when iTunes parses specially crafted "itms:" URIs.
  • Ref: http://www.securityfocus.com/bid/35157

  • 09.23.27 - CVE: CVE-2009-0894
  • Platform: Cross Platform
  • Title: Xvid Video Codec DirectShow Initialization Logic Heap Buffer Overflow
  • Description: The Xvid video compression codec is available for a number of operating systems. The DirectShow component of the Xvid codec is exposed to a heap-based buffer overflow issue because it fails to properly handle error conditions that may occur when setting up the rendering pipeline. Xvid versions prior to 1.2.2 are affected.
  • Ref: http://www.securityfocus.com/bid/35158

  • 09.23.28 - CVE: CVE-2009-0188
  • Platform: Cross Platform
  • Title: Apple QuickTime Sorenson 3 Video File Remote Memory Corruption
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a memory corruption issue when opening a specially crafted Sorenson 3 video file. Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
  • Ref: http://www.securityfocus.com/archive/1/504007

  • 09.23.29 - CVE: CVE-2009-0951
  • Platform: Cross Platform
  • Title: Apple QuickTime FLC Compression File Heap Overflow
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a heap-based buffer overflow issue when opening a specially crafted FLC compression file. Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
  • Ref: http://www.securityfocus.com/archive/1/504023

  • 09.23.30 - CVE: CVE-2009-0952
  • Platform: Cross Platform
  • Title: Apple QuickTime PSD Image Buffer Overflow
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a buffer overflow issue when processing a compressed PSD image. Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
  • Ref: http://www.securityfocus.com/archive/1/504024

  • 09.23.31 - CVE: CVE-2009-0956
  • Platform: Cross Platform
  • Title: Apple QuickTime User Atom Data Size Uninitialized Memory Access Remote Code Execution
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a remote code execution issue when opening a specially crafted movie file. This issue is caused by a failure to properly handle a user atom data size of zero, and may lead to the access of uninitialized memory. Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
  • Ref: http://support.apple.com/kb/HT3591

  • 09.23.32 - CVE: CVE-2009-0185
  • Platform: Cross Platform
  • Title: Apple QuickTime MS ADPCM Audio File Heap Buffer Overflow
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a heap-based buffer overflow issue when opening a specially crafted MS ADPCM-encoded audio file. Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
  • Ref: http://www.securityfocus.com/archive/1/504006

  • 09.23.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple QuickTime PICT Image Heap Overflow
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a heap-based buffer overflow issue when processing a specially crafted PICT image. Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
  • Ref: http://www.securityfocus.com/bid/35160

  • 09.23.34 - CVE: CVE-2009-0957
  • Platform: Cross Platform
  • Title: Apple QuickTime JP2 Image Handling Heap Buffer Overflow
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a heap-based buffer overflow issue when opening a specially crafted JP2 image file. Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
  • Ref: http://www.securityfocus.com/archive/1/504027

  • 09.23.35 - CVE: CVE-2009-0955
  • Platform: Cross Platform
  • Title: Apple QuickTime Image Description Atom Sign Extension
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to an issue that occurs because the bit width of a number is increased without changing its sign. Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X is affected.
  • Ref: http://roeehay.blogspot.com/2009/06/apple-quicktime-image-description-atom.html

  • 09.23.36 - CVE: CVE-2009-0954
  • Platform: Cross Platform
  • Title: Apple QuickTime Clipping Region (CRGN) Atom Types Heap Overflow
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a heap-based buffer overflow issue when processing specially crafted Clipping Region (CRGN) atom types contained in a movie file. Apple QuickTime running on Microsoft Windows Vista and Windows XP SP3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/504026

  • 09.23.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere MQ Remote Buffer Overflow
  • Description: IBM WebSphere MQ is a commercially available messaging engine for enterprises. WebSphere MQ is exposed to a buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. A specially crafted client request can be used to trigger this vulnerability. WebSphere MQ versions 6.x (prior to 6.0.2.7) and 7.x (prior to 7.0.1.0) are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27006309#1

  • 09.23.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 Denial of Service and Security Bypass Vulnerabilities
  • Description: IBM DB2 is a database manager. The application is exposed to multiple issues. Successful exploits may allow attackers to bypass certain security restrictions or to crash the application, causing a denial of service condition. DB2 versions prior to 9.5 Fix Pack 4 and 9.1 Fix Pack 7 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21386689

  • 09.23.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GStreamer gst-plugins-good "gstpngdec.c" PNG Output Buffer Integer Overflow
  • Description: GStreamer is a library for constructing graphs of media-handling components; "gst-plugins-good" is a collection of plugins for GStreamer. The "gst-plugins-good" package is exposed to an integer overflow issue because the software fails to perform adequate boundary checks on user-supplied data before using it to allocate memory buffers. This issue occurs when calculating the output buffer size for a malformed or large PNG image file and affects the "gstpngdec.c" source file. gst-plugins-good version 0.10.15 is affected.
  • Ref: http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=d9544bcc44adcef769cbdf7f6453e140058a3adc

  • 09.23.40 - CVE: CVE-2009-1386
  • Platform: Cross Platform
  • Title: OpenSSL "ChangeCipherSpec" DTLS Packet Denial of Service
  • Description: OpenSSL is an open-source implementation of the SSL protocol that is used by a number of other projects, including but not restricted to Apache, Sendmail, and Bind. It is commonly found on Linux and Unix systems. OpenSSL is exposed to a denial of service issue caused by a NULL-pointer dereference condition. This issue occurs when the "ChangeCipherSpec" DTLS packet is received before the "ClientHello" DTLS packet. OpenSSL versions prior to 0.9.8i are affected.
  • Ref: http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest

  • 09.23.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple ACDSee Products TIFF File Remote Buffer Overflow
  • Description: ACDSee products are applications designed to manage and edit digital photographs. Multiple ACDSee applications are exposed to a remote buffer overflow issue because they fail to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a malformed TIFF image file. ACDSee Photo Manager versions 9.x, 10.x, 11.x, 2008, and 2009 and ACDSee Pro Photo Manager 2.5 are affected.
  • Ref: http://www.vupen.com/english/advisories/2009/1471

  • 09.23.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple ACDSee Products Font File Remote Buffer Overflow
  • Description: ACDSee products are applications designed to manage and edit digital photographs. Multiple ACDSee applications are exposed to a remote buffer overflow issue because they fail to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a malformed font file. ACDSee Photo Manager versions 9.x, 10.x, 11.x, 2008, and 2009 and ACDSee Pro Photo Manager version 2.5 are affected.
  • Ref: http://www.securityfocus.com/archive/1/504009

  • 09.23.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Vanilla "ajax/updatecheck.php" Cross-Site Scripting
  • Description: Vanilla is a PHP-based discussion forum. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "RequestName" parameter of the "ajax/updatecheck.php" script. Vanilla versions 1.1.5 and 1.1.7 are affected.
  • Ref: http://www.securityfocus.com/archive/1/503847

  • 09.23.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Lussumo Vanilla "updatecheck.php" Cross-Site Scripting
  • Description: Vanilla is a PHP-based discussion forum. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. This issue affects the "RequestName" parameter of the "ajax/updatecheck.php" script. Vanilla versions prior to 1.1.8 are affected.
  • Ref: http://gsasec.blogspot.com/2009/05/vanilla-v117-cross-site-scripting.html

  • 09.23.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PRTG Traffic Grapher "Monitor_Bandwidth" Cross-Site Scripting
  • Description: PRTG Traffic Grapher is used to monitor network traffic and bandwidth usage. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. This issue affects the "Monitor_Bandwidth" function. PRTG Traffic Grapher version 6.2.2.977 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503865

  • 09.23.46 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Simple Machines Forum "image/bmp" MIME Type Cross-Site Scripting
  • Description: Simple Machines Forum (SMF) is an open-source web forum that is written in PHP. It will run on most UNIX and Linux variants as well as Microsoft Windows. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied images identified as "image/bmp" MIME types. This issue occurs because the Internet Explorer browser identifies uploaded images as "text/html" instead.
  • Ref: http://www.securityfocus.com/archive/1/503867

  • 09.23.47 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Achievo Multiple Cross-Site Scripting Vulnerabilities
  • Description: Achievo is a web-based resource management tool. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data. Achievo version 1.3.4 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503920

  • 09.23.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: eliteCMS Arbitrary File Upload and Cross-Site Scripting Vulnerabilities
  • Description: eliteCMS is a web-based content manager. The application is exposed to multiple issues. Attackers can exploit these issues to steal cookie information, execute arbitrary client-side scripts in the context of the browser, upload and execute arbitrary files in the context of the webserver, and launch other attacks. eliteCMS version 1.01 is affected.
  • Ref: http://www.securityfocus.com/bid/35155

  • 09.23.49 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP-Nuke Downloads Module "query" Parameter Cross-Site Scripting
  • Description: PHP-Nuke is a PHP-based content management system. PHP-Nuke is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input. This issue affects the "query" parameter of the "modules.php" script when called with the "name" parameter set to "Downloads" and the "d_op" parameter set to "search". PHP-Nuke version 8.0 is affected.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2009-06/0024.html

  • 09.23.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Nuke "main/tracking/userLog.php" SQL Injection
  • Description: PHP-Nuke is a web forum implemented in PHP. PHP-Nuke is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the HTTP Referrer header parameter of the "main/tracking/userLog.php" script before using it in an SQL query. PHP-Nuke version 8.0.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503845

  • 09.23.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AgoraGroups Joomla! Component "id" Parameter SQL Injection
  • Description: The AgoraGroups module is a component of the Agora plugin for the Joomla! content manager. AgoraGroups is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query. AgoraGroups version 0.3.5.3 is affected.
  • Ref: http://www.securityfocus.com/bid/35118

  • 09.23.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: phpBugTracker "include.php" SQL Injection
  • Description: phpBugTracker is a web-based bug tracker. phpBugTracker is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" parameter of the "include.php" script before using it in an SQL query. phpBugTracker versions 1.0.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/35125

  • 09.23.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Arab Portal "X-Forwarded-for" Header SQL Injection
  • Description: Arab Portal is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "X-Forwarded-for" header before using it in an SQL query. Arab Portal version 2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/35149

  • 09.23.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ZeusCart "maincatid" Parameter SQL Injection
  • Description: ZeusCart is an ecommerce application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "maincatid" parameter of the "index.php" script before using it in an SQL query. ZeusCart version 2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/35151

  • 09.23.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: OCS Inventory NG Server Multiple SQL Injection Vulnerabilities
  • Description: OCS Inventory NG is an inventory management application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. OCS Inventory NG Server versions prior to 1.02.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/503936

  • 09.23.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Juser Component "id" Parameter SQL Injection
  • Description: JUser is a user-registration component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "com_juser" component before using it in an SQL query. JUser version 2.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/35160

  • 09.23.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Easy PX 41 CMS "fiche" Parameter Local File Include
  • Description: Easy PX 41 CMS is a PHP-based web application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "fiche" parameter of the "index.php" script. Easy PX 41 CMS version 09.00.00B1 is affected.
  • Ref: http://www.securityfocus.com/bid/35119

  • 09.23.58 - CVE: Not Available
  • Platform: Web Application
  • Title: SiteX "THEME_FOLDER" Parameter Multiple Local File Include Vulnerabilities
  • Description: SiteX is a content management system (CMS). The application is exposed to multiple local file include vulnerabilities because it fails to properly sanitize user-supplied input to the "THEME_FOLDER" parameter. SiteX version 0.7.4.418 is affected.
  • Ref: http://www.securityfocus.com/bid/35122

  • 09.23.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Ajax Session Module Multiple Input Validation Vulnerabilities
  • Description: Ajax Session is a module for the Drupal content manager. The application is exposed to multiple cross-site scripting and cross-site request forgery issues because it fails to sufficiently sanitize user-supplied input to unspecified parameters of unspecified pages. Ajax Session version 5.x-1.0 is affected.
  • Ref: http://drupal.org/node/474452

  • 09.23.60 - CVE: Not Available
  • Platform: Web Application
  • Title: ATutor "documentation/index.php" URL Handling Phishing
  • Description: ATutor is a PHP-based content manager. ATutor is exposed to an issue that can aid in phishing attacks. This issue occurs because the application fails to sufficiently sanitize user-supplied input to the "p" parameter of the "documentation/index.php" script before it is linked into a frameset. ATutor version 1.6.2 is affected.
  • Ref: http://websvn.atrc.utoronto.ca/websvn/wsvn/Atutor/?rev=8490&sc=1

  • 09.23.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Embedded Media Field Module Create Content Multiple HTML Injection Vulnerabilities
  • Description: Embedded Media Field is a module for the Drupal content manager. The module is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, issues affect the "Help text", "Custom thumbnail label", and "Custom thumbnail description" fields when creating content with the affected module. Embedded Media Field version 6.x-1.0 is affected.
  • Ref: http://drupal.org/node/372836

  • 09.23.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Phorum "image/bmp" MIME Type HTML Injection
  • Description: Phorum is a PHP-based web forum application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied images identified as "image/bmp" MIME types. This issue occurs because the Internet Explorer browser identifies uploaded images as "text/html" instead.
  • Ref: http://www.securityfocus.com/archive/1/503867

  • 09.23.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Woltlab Burning Board "image/bmp" MIME Type HTML Injection
  • Description: Woltlab Burning Board is an open-source web forum. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied images identified as "image/bmp" MIME types. This issue occurs because the Internet Explorer browser identifies uploaded images as "text/html" instead. Burning Board versions 3.0.8 and earlier and Burning Board Lite versions 2.0.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/503867

  • 09.23.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! JVideo! Component "user_id" Parameter SQL Injection
  • Description: JVideo! is a video-sharing module for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "user_id" parameter of the "com_jvideo" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/35146

  • 09.23.65 - CVE: Not Available
  • Platform: Web Application
  • Title: AlstraSoft Article Manager Pro "article/register.php" Remote File Upload
  • Description: AlstraSoft Article Manager Pro is a PHP-based content manager for articles. The application is exposed to a remote file upload issue because it fails to sufficiently sanitize user-supplied input. This issue affects the "article/register.php" file when registering a new user.
  • Ref: http://www.securityfocus.com/bid/35177

  • 09.23.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Unclassified NewsBoard Multiple Remote Vulnerabilities
  • Description: Unclassified NewsBoard is a bulletin board system implemented in PHP. The application is exposed to multiple issues. A successful attack will compromise the application and may help in further attacks. NewsBoard version 1.6.4 is affected.
  • Ref: http://www.securityfocus.com/bid/35183

  • 09.23.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! Prior to 1.5.11 Multiple Cross-Site Scripting Vulnerabilities
  • Description: Joomla! is a PHP-based content manager. Joomla! is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. These issues affect the "com_user" component, "JA_Purity" template, and the administrative panel in the "Site client" sub-project of the application. Joomla! versions prior to 1.5.11 are affected.
  • Ref: http://developer.joomla.org/security/news/296-20090602-core-japurity-xss.html

  • 09.23.68 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys WAG54G2 Web Management Console Remote Arbitrary Shell Command Injection
  • Description: Linksys WAG54G2 is a wireless router. The router is exposed to a remote command injection issue because it fails to adequately sanitize user-supplied input data. Specifically, the software fails to properly sanitize input to the "c4_ping_ipaddr" parameter of the "setup.cgi" script in the management console. Linksys WAG54G2 with firmware version V1.00.10 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503934

  • 09.23.69 - CVE: Not Available
  • Platform: Network Device
  • Title: Asmax Ar-804gu Router "script" Remote Arbitrary Shell Command Injection
  • Description: Asmax Ar-804gu is a router for small or home office users. The router is exposed to a remote command injection issue because it fails to adequately restrict access to a maintenance script. This issue affects the "system" parameter of "cgi-bin/script" of the device's web-based management interface. Asmax Ar-804gu with firmware version 66.34.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/503946

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.