Last day to save $500 for SANS San Diego 2013

@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 29
July 16, 2009

SANS Newsletters Home

Microsoft has three components with critical vulnerabilities this week but don't let your focus on fixing Microsoft problems cause you to miss the critical Oracle problems and the Firefox Javascript vulnerability. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Platform Number of Updates and Vulnerabilities
    • -------------------------- -------------------------------------
    • Windows
    • 2 (#3)
    • Microsoft Office
    • 1 (#1)
    • Other Microsoft Products
    • 6 (#2, #6, #7)
    • Third Party Windows Apps
    • 2
    • Linux
    • 1
    • BSD
    • 1
    • Aix
    • 1
    • Novell
    • 1
    • Cross Platform
    • 46 (#4, #5, #8)
    • Web Application - Cross Site Scripting
    • 4
    • Web Application - SQL Injection
    • 3
    • Web Application
    • 8
    • Network Device
    • 5

********************** Sponsored By Cisco Systems ***********************

The Cisco 2009 Midyear Security Report presents an update on global security threats and trends. This overview of Cisco security intelligence highlights threat information and trends from the first half of 2009. The report also includes recommendations from Cisco security experts and predictions of how identified trends will evolve. Please click thru for the report. http://www.sans.org/info/46089

*************************************************************************

TRAINING UPDATE - - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition http://www.sans.org/ns2009 - - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php - - The Forensics Summit starts on July 9, and has four courses http://www.sans.org/forensics09_summit/event.php: - - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118 Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Tokyo, London, Ottawa, Canberra, and Kuala Lumpur, all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

************************* Sponsored Links: ***************************

1) Be Sure to Register for the Managing Change and Event Monitoring for Sustainable NERC CIP Compliance Webcast w/ CoreTrace & NitroSecurity http://www.sans.org/info/46094

2) Be sure to Register for the Thursday, July 23rd Webcast: HP Tackles Cloud Application Security http://www.sans.org/info/46099

3) SANS Vendor Demo Spotlight: NetWitness Investigator - Forensics investigators perform unprecedented free-form contextual analysis of raw network data. http://www.sans.org/info/46104

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Office Web Components ActiveX Control Memory Corruption Vulnerability
  • Affected:
    • Microsoft Office XP Service Pack 3
    • Microsoft Office 2003 Service Pack 3
    • Microsoft Office XP Web Components Service Pack 3
    • Microsoft Office 2003 Web Components Service Pack 3
    • Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
    • Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
    • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
    • Microsoft Internet Security and Acceleration Server 2006
    • Internet Security and Acceleration Server 2006 Supportability Update
    • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
    • Microsoft Office Small Business Accounting 2006

  • Description: The Microsoft Office Web Components are a collection of Component Object Model (COM) controls used for manipulating office documents. There is a memory corruption vulnerability in some of the ActiveX controls that are installed by default by Microsoft Office. The specific flaw is in the Spreadsheet ActiveX control "OWC10.DLL" and "OWC11.DLL". A malicious web page that instantiates the vulnerable component could trigger this vulnerability and execute arbitrary code with the privileges of the current user. The users will have to be tricked into visiting the website that hosts such a web page, typically by persuading them to click on the links in e-mail messages. Some technical details are publicly available for this vulnerability, along with public proof-of-concepts.

  • Status: Vendor confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the affected controls via Microsoft's "killbit" mechanism for CLSIDs "0002E541-0000-0000-C000-000000000046", "0002E559-0000-0000-C000-000000000046".

  • References:
  • (2) CRITICAL: Microsoft DirectX DirectShow Multiple Vulnerabilities (MS09-028)
  • Affected:
    • Microsoft DirectX 7.0
    • Microsoft DirectX 8.1
    • Microsoft DirectX 9.0
    • Microsoft Windows 2000 Service Pack 4
    • Microsoft Windows 2000 Service Pack 4
    • Microsoft Windows 2000 Service Pack 4
    • Microsoft Windows XP Service Pack 2
    • Microsoft Windows XP Service Pack 3
    • Microsoft Windows XP Professional x64 Edition Service Pack 2
    • Microsoft Windows Server 2003 Service Pack 2
    • Microsoft Windows Server 2003 x64 Edition Service Pack 2
    • Microsoft Windows Server 2003 SP2 (Itanium)

  • Description: Microsoft DirectX is a multimedia framework for its Windows operating system and its component, the DirectShow, is used for streaming media on Windows with the ability to capture and playback high quality streams. Microsoft DirectShow has been identified with multiple vulnerabilities. A specially crafted QuickTime file when opened by a Windows Media Player might trigger one of these vulnerabilities. The first issue is a Null Byte overwrite in the DirectShow component caused due to improper parsing of QuickTime media files. The second issue is caused due to improper validation of certain values when DirectShow updates a pointer. The third issue is caused due to inadequate checking of the "NumberOfEntries" field while parsing QuickTime atoms. Successful exploitation might lead to arbitrary code execution. Technical details are not available publicly.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) CRITICAL: Windows Embedded OpenType Font Engine Multiple Vulnerabilities (MS09-029)
  • Affected:
    • Microsoft Windows 2000 Service Pack 4
    • Windows XP Service Pack 2
    • Windows XP Service Pack 3
    • Windows XP Professional x64 Edition Service Pack 2
    • Windows Server 2003 Service Pack 2
    • Windows Server 2003 x64 Edition Service Pack 2
    • Windows Server 2003 with SP2 for Itanium-based Systems
    • Windows Vista
    • Windows Vista Service Pack 1
    • Windows Vista Service Pack 2
    • Windows Vista x64 Edition
    • Windows Vista x64 Edition Service Pack 1
    • Windows Vista x64 Edition Service Pack 2
    • Windows Server 2008 for 32-bit Systems
    • Windows Server 2008 for 32-bit Systems Service Pack 2*
    • Windows Server 2008 for x64-based Systems
    • Windows Server 2008 for x64-based Systems Service Pack 2*
    • Windows Server 2008 for Itanium-based Systems
    • Windows Server 2008 for Itanium-based Systems Service Pack 2

  • Description: Embedded OpenType (EOT) fonts are a compact form of fonts designed for use with Office documents or with Web pages. EOT ensures that the users view the document exactly the way its author had intended them. The library responsible for parsing EOT files "T2EMBED.DLL" has been identified with multiple vulnerabilities. A specially crafted EOT font can be used to trigger one of these vulnerabilities. The first issue is a heap based buffer vulnerability in "T2EMBED.DLL" caused due to integer truncation on specific length value. The second issue is caused due to an integer overflow error in EOT engine while parsing name tables contained in files that had the EOT fonts. Successful exploitation might allow an attacker to execute arbitrary code. An attacker will have to entice the user on visiting the web pages that has specially crafted EOT font content.

  • Status: Vendor confirmed, updates available.

  • References:
  • (4) CRITICAL: Mozilla Firefox JavaScript Engine Memory Corruption Vulnerability
  • Affected:
    • Mozilla Firefox version 3.5

  • Description: Firefox is an open source web browser based on Mozilla codebase and had 22.51% of the recorded usage share among the web browsers as of May 2009. There is a memory corruption error in Mozilla Firefox's JavaScript engine. The specific flaw appears to reside within the "TraceMonkey" part of the JavaScript engine. A specially crafted web page, when parsed by a vulnerable browser, will trigger the vulnerability. Successful exploitation might allow an attacker to execute arbitrary code in the context of the user running the application. Full technical details for these vulnerabilities are available via source code analysis, along with the publicly available proof-of-concept.

  • Status: Vendor confirmed, no updates available.

  • References:
  • (5) CRITICAL: Oracle Products Multiple Vulnerabilities (CPU July 2009)
  • Affected:
    • Oracle Database 11g version 11.1.0.6
    • Oracle Database 11g version 11.1.0.7
    • Oracle Database 10g Release 2 version 10.2.0.3
    • Oracle Database 10g Release 2 version 10.2.0.4
    • Oracle Database 10g version 10.1.0.5
    • Oracle Database 9i Release 2 version 9.2.0.8
    • Oracle Database 9i Release 2 version 9.2.0.8DV
    • Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.3.0
    • Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.3.0
    • Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.4.0
    • Oracle Identity Management 10g, version 10.1.4.0.1
    • Oracle Identity Management 10g, version 10.1.4.2.0
    • Oracle Identity Management 10g, version 10.1.4.3.0
    • Oracle E-Business Suite Release 12 version 12.1
    • Oracle E-Business Suite Release 12 version 12.0.6
    • Oracle E-Business Suite Release 11i version 11.5.10.2
    • Oracle Enterprise Manager Database Control 11 version 11.1.0.6
    • Oracle Enterprise Manager Database Control 11 version 11.1.0.7
    • Oracle Enterprise Manager Grid Control 10g Release 4 version 10.2.0.4
    • PeopleSoft Enterprise PeopleTools version 8.49
    • PeopleSoft Enterprise HRMS version 8.9
    • PeopleSoft Enterprise HRMS version 9.0
    • Siebel Highly Interactive Client version 7.5.3
    • Siebel Highly Interactive Client version 7.7.2
    • Siebel Highly Interactive Client version 7.8
    • Siebel Highly Interactive Client version 8.0
    • Siebel Highly Interactive Client version 8.1
    • Oracle WebLogic Server 10.3, 10.0MP1
    • Oracle WebLogic Server 9.0 GA
    • Oracle WebLogic Server 9.1 GA
    • Oracle WebLogic Server 9.2 through 9.2 MP3
    • Oracle WebLogic Server 8.1 through 8.1 SP6
    • Oracle WebLogic Server 7.0 through 7.0 SP7
    • Oracle Complex Event Processing 10.3
    • Oracle WebLogic Event Server 2.0
    • Oracle JRockit version R27.6.3 and prior (JDK/JRE 6, 5, 1.4.2)

  • Description: Oracle has released a cumulative security patch for a wide range of its products on July 15, 2009. This Critical Patch Update contains 30 new security fixes across different products. Flaws addressed in this update include remote command execution vulnerabilities, denial of service issues, information disclosure vulnerabilities, SQL injection vulnerabilities, security restrictions bypass issues, and elevation of privilege issues. There still are some issues whose impacts are yet unknown. Authentication is not required to exploit some of these vulnerabilities while for some authentication is required.

  • Status: Vendor confirmed, updates available.

  • References:
  • (6) HIGH: Microsoft Office Publisher Pointer Dereference Vulnerability (MS09-030)
  • Affected:
    • 2007 Microsoft Office System Service Pack 1
    • Microsoft Office Publisher 2007

  • Description: Microsoft Office Publisher is an application for designing and publishing documents. There is a pointer dereference vulnerability in "PUBCONV.DLL module" in Microsoft Office Publisher 2007, which can be triggered by a specially crafted Publisher file. The specific flaw is caused due to an error in calculating object handler data while processing the malformed Publisher file, a file that have been created in older versions of Office Publisher. Successful exploitation might lead to system memory corruption and arbitrary code execution. Note that the affected version of Publisher does not open files without first prompting the user. An attacker will have to entice the user into opening a malformed Publisher file; either by sending the malicious file as an e-mail attachment or by sending a link, which hosts such a malformed Publisher file, in an e-mail message. Some technical information is available for this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (7) MODERATE: Microsoft ISA Server Radius OTP Security Bypass Vulnerability (MS09-031)
  • Affected:
    • Microsoft ISA Server 2006 Supportability Update 0
    • Microsoft ISA Server 2006 SP1
    • Microsoft ISA Server 2006 0

  • Description: Microsoft Internet Security and Acceleration (ISA) Server 2006 has a Security Bypass Vulnerability. In order to exploit this vulnerability there are some prerequisites on the configuration of the server. The web listener should be configured for forms-based authentication (FBA) with RADIUS One-Time Passwords (OTP), the web publishing rule should delegate using Kerberos Constrained Delegation (KCD), and the server should allow HTTP Basic authentication fallback. In such a scenario The ISA servers does not do adequate checks on the incoming authenticating requests that indicates fall-back to HTTP Basic authentication. Successful exploitation will lead to elevation of privilege giving an attacker access to any Web published resource. Some technical information is available for this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (8) MODERATE: ISC DHCP Buffer Overflow Vulnerability
  • Affected:
    • ISC DHCP 3
    • ISC DHCP 4.0.x
    • ISC DHCP 4.1.x

  • Description: ISC DHCP is an open source implementation of Dynamic Host Configuration Protocols (DHCP) that includes a DHCP server and a DHCP client. There is a buffer overflow vulnerability in ISC DHCP client which can be triggered by a specially crafted response from a malicious DHCP server. The specific flaw is a boundary error in the "script_write_params()" function within the 'dhclient'. The issue is caused due to inadequate checks on the subnet number generated from the server-supplied leased address and subnet-mask. Successful exploitation might allow an attacker to execute arbitrary code. Full technical details of the vulnerability are available via source code analysis.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 29, 2009

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

Intense, fast paced. Modern day Sherlock Holmes!
-Cody Drake, Allstate Ins. Co.

CyberTalent Assessments

Latest Whitepapers

Building and Maintaining a "Certifiable" Workforce
By Robert J. Mavretich

How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk?
By Tim Proffitt

Daisy Chain Authentication
By Courtney Imbert

Latest Tweets

NEW #SANS Survey: Security Analytics & Intelligence 2nd [...]
October 1, 2013 - 6:30 PM

Tips on how to convince your boss to let you train online wi [...]
October 1, 2013 - 6:23 PM

#2 Tip on how 2 convince your boss 2 let u train online: Fle [...]
October 1, 2013 - 3:00 PM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health & Security

"SANS is a great place to enhance your technical and hands-on skills and tools. I thoroughly recommend it."
- Aaron Waugh, Datacom NZ Ltd

"Expertise of the trainer is impressive, real life situations explained, very good manuals. Best training ever!"
- Jerry Robles de Medina, Godo CU