
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 46
November 12, 2009

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                 Number of Updates and Vulnerabilities
    --------------------------               -------------------------------------
    Windows                                  4 (#1, #3, #4)
    Microsoft Office                         9 (#5, #6)
    Other Microsoft Products                 1 (#7)
    Third Party Windows Apps                 4
    Mac Os                                   21 (#2)
    Linux                                    2
    BSD                                      1
    Solaris                                  4
    Aix                                      1
    Cross Platform                           9
    Web Application - Cross Site Scripting   5
    Web Application - SQL Injection          1
    Web Application                          8
    Network Device                           3

******************* Sponsored By Faronics Corporation *******************

Are You Missing a Layer of Security?

LEARN MORE: https://www.sans.org/info/50644

Neither definition-based anti-virus nor any other single solution is enough to block modern threats. Zero-day attacks, "mutating" viruses, or targeted attacks are all high-risk situations requiring an additional layer of protection. Application whitelisting solutions like Faronics Anti-Executable provide this: if it's not on the whitelist, it's not going to run!

*************************************************************************

TRAINING UPDATE

-- SANS London, UK, November 28-December 6, 16 courses, bonus evening sessions: Hex Factor, Forensics Mini Summit and more https://sans.org/london09/

-- SANS CDI, Washington DC, December 11-18, https://www.sans.org/cyber-defense-initiative-2009

-- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations https://www.sans.org/security-east-2010/

-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010 https://www.sans.org/appsec-2010/

-- SANS Phoenix, February 14 -February 20, 2010 https://www.sans.org/phoenix-2010/

-- SANS 2010, Orlando, March 6 - March 15, 2010 https://www.sans.org/sans-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses)

- See samples at https://www.sans.org/ondemand/spring09.php

For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
BSD
Solaris
Aix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

**************************** Sponsored Links: ***************************

1) Be sure to REGISTER NOW for the upcoming webcast: A Day In The Life Of A Configuration Compliance Exception

https://www.sans.org/info/50654

2) Learn network- and host-centric methods to detect intruders at the Incident Detection Summit December 9-10.

https://www.sans.org/info/50659

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems.

  • (1) CRITICAL: Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (MS09-065)
  • Affected:
    • Microsoft Windows 2000 Service Pack 4
    • Windows XP Service Pack 2 and Windows XP Service Pack 3
    • Windows XP Professional x64 Edition Service Pack 2
    • Windows Server 2003 Service Pack 2
    • Windows Server 2003 x64 Edition Service Pack 2
    • Windows Server 2003 with SP2 for Itanium-based Systems
    • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
    • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
    • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
    • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
    • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Description: Microsoft Windows Kernel-Mode Drivers (Win32k.sys), the core of the Windows subsystem that contains the window manager, has been reported with multiple vulnerabilities. The first issue is a NULL pointer dereference vulnerability caused by inadequate validation of an argument passed to a Windows kernel system call. The second issue is an elevation of privilege vulnerability caused by inadequate validation of data passed from user mode through the kernel component of the Graphics Device Interface (GDI). Both of these vulnerabilities can be leveraged by an attacker to escalate privileges and/or execute arbitrary code. The third issue is a memory corruption error in Windows kernel-mode drivers caused by improper parsing of Embedded OpenType (EOT) font code when building a table of directory entries. Successful exploitation in this case might allow an attacker to execute arbitrary code.

  • Status: Vendor confirmed, updates available.

  • References:
  • (3) CRITICAL: Microsoft Windows Web Services on Devices API Memory Corruption Vulnerability (MS09-063)
  • Affected:
    • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
    • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
    • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
    • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
    • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Description: Web Services on Devices (WSD) is used by Windows clients to discover and access remote devices across a network, and the Web Services on Devices Application Programming Interface (WSDAPI) is used to implement the Devices Profile. A memory corruption vulnerability has been reported in WSDAPI which can be triggered by a specially crafted WSD message. The specific flaw is caused by incorrect validation of some headers of a received WSD message by WSDAPI on both clients and servers. This API is available by default; however, for an attack to be successful an application must use the API over TCP port 5357 or 5358. Successful exploitation might allow an attacker to execute arbitrary code.

  • Status: Vendors confirmed, updates available.

  • References:
  • (4) CRITICAL: Microsoft Windows License Logging Service Heap Overflow Vulnerability (MS09-064)
  • Affected:
    • Microsoft Windows 2000 Server Service Pack 4
  • Description: Microsoft Windows License Logging Service is a tool to help users manage licenses of Microsoft Server products licensed under the Server Client Access License model. A heap-based overflow vulnerability has been reported in the Microsoft License Logging Server software. The specific flaw lies in the way the License Logging Service handles RPC calls. While processing arguments to the "LlsrLicenseRequestW" method, a character array is expected to have a terminating null byte. If the supplied data does not contain the null byte, a heap overflow condition can be reached. Successful exploitation might allow an attacker to execute arbitrary code. Authentication is not required to carry out this attack. Some technical details for this vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
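
The missing-terminator bug class described for the License Logging Service, as an added example that is not Microsoft's or TippingPoint's code: a wide-character RPC argument is trusted to be NUL-terminated, beside a bounded check that rejects unterminated input instead of scanning past it. Function names, buffer sizes and the constructed request are assumptions, not details taken from the bulletin.

```c
/* Added example (hypothetical names and sizes): models an RPC handler that
 * receives a UTF-16 argument with a declared length and must copy it into a
 * fixed heap buffer.  The unsafe variant trusts that a NUL will show up; the
 * hardened variant refuses to look past the declared length. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the handler's destination buffer, in 16-bit units (assumed). */
#define LLS_ARG_MAX 16

/* Vulnerable length computation: scan until a terminator regardless of the
 * declared length.  On unterminated input this reads whatever follows the
 * argument in memory and reports a length larger than the argument. */
size_t arg_len_unchecked(const uint16_t *arg)
{
    size_t n = 0;
    while (arg[n] != 0)
        n++;
    return n;
}

/* Hardened length computation: look at most `declared` units and report
 * the absence of a terminator (-1) rather than assuming one exists. */
long arg_len_bounded(const uint16_t *arg, size_t declared)
{
    for (size_t n = 0; n < declared; n++)
        if (arg[n] == 0)
            return (long)n;
    return -1;
}

/* Hardened copy into a destination of `dst_cap` units.  Returns 0 when the
 * argument is terminated and fits (including its NUL), -1 when rejected. */
int lls_copy_arg(uint16_t *dst, size_t dst_cap,
                 const uint16_t *src, size_t declared)
{
    long len = arg_len_bounded(src, declared);
    if (len < 0 || (size_t)len >= dst_cap)   /* need room for len + NUL */
        return -1;
    memcpy(dst, src, ((size_t)len + 1) * sizeof(uint16_t));
    return 0;
}

/* Constructed sample request: an 8-unit argument made of 'A' with no
 * terminator, followed by 23 non-zero units standing in for adjacent heap
 * data, and a stray NUL only at the very end of the region. */
#define DECLARED_LEN 8
#define REQUEST_UNITS 32

static void build_unterminated_request(uint16_t *req)
{
    for (size_t i = 0; i < REQUEST_UNITS - 1; i++)
        req[i] = (i < DECLARED_LEN) ? 0x0041 : 0x4242;
    req[REQUEST_UNITS - 1] = 0;
}

/* How many units the unchecked scan believes the sample argument holds
 * (31: it ran 23 units past the declared argument). */
size_t unchecked_len_on_sample(void)
{
    uint16_t req[REQUEST_UNITS];
    build_unterminated_request(req);
    return arg_len_unchecked(req);
}

/* The hardened handler's verdict on the same sample (-1 = rejected). */
int hardened_result_on_sample(void)
{
    uint16_t req[REQUEST_UNITS], dst[LLS_ARG_MAX];
    build_unterminated_request(req);
    return lls_copy_arg(dst, LLS_ARG_MAX, req, DECLARED_LEN);
}

/* A well-formed argument, terminated inside its declared length (0 = accepted). */
int hardened_result_on_valid(void)
{
    uint16_t req[DECLARED_LEN] = { 'L', 'i', 'c', 'e', 'n', 's', 'e', 0 };
    uint16_t dst[LLS_ARG_MAX];
    return lls_copy_arg(dst, LLS_ARG_MAX, req, DECLARED_LEN);
}

int main(void)
{
    printf("unchecked scan length on unterminated arg: %zu (declared %d)\n",
           unchecked_len_on_sample(), DECLARED_LEN);
    printf("hardened handler on unterminated arg: %d\n", hardened_result_on_sample());
    printf("hardened handler on valid arg: %d\n", hardened_result_on_valid());
    return 0;
}
```

The unchecked scan is what a fuzzer or a crash dump would reveal as an out-of-bounds read feeding an oversized copy; the bounded check is the fix pattern, independent of how the argument arrives.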
  • (6) HIGH: Microsoft Office Word FIB Parsing Stack Buffer Overflow Vulnerability (MS09-068)
  • Affected:
    • Microsoft Office Word 2002 Service Pack 3
    • Microsoft Office Word 2003 Service Pack 3
    • Microsoft Office 2004 for Mac
    • Microsoft Office 2008 for Mac
    • Open XML File Format Converter for Mac
    • Microsoft Office Word Viewer
  • Description: Microsoft Word contains a stack-based buffer overflow vulnerability which could be triggered by a specially crafted Word document file. The specific flaw is an error in the way Microsoft Word parses a specially crafted, malformed File Information Block (FIB) structure inside a Word document. Successful exploitation leads to memory corruption in such a way that an attacker can execute arbitrary code with the privileges of the current user. To exploit these flaws, an attacker might take one of the following actions: (a) create a web page that downloads a malicious Word document from a server, and entice a user to visit that page; (b) send an email with a specially crafted Word document as an attachment and convince the user to open it. Note that, on recent versions of Microsoft Office, Word documents are not opened upon receipt without first prompting the user. Some technical details are publicly available for these vulnerabilities.

  • Status: Vendor confirmed, updates available.

  • References:
  • (7) MODERATE: Microsoft Windows Active Directory Denial of Service Vulnerability (MS09-066)
  • Affected:
    • Microsoft Windows 2000 Server Service Pack 4
    • Windows XP Service Pack 2 and Windows XP Service Pack 3
    • Windows XP Professional x64 Edition Service Pack 2
    • Windows Server 2003 Service Pack 2
    • Windows Server 2003 x64 Edition Service Pack 2
    • Windows Server 2003 with SP2 for Itanium-based Systems
    • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
    • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
  • Description: Active Directory in Windows is used to provide authorization services to Windows-based computers. A denial-of-service vulnerability has been reported in Active Directory, Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Services (AD LDS). This flaw is the result of improper parsing of certain malformed LDAP or LDAPS requests. Successful exploitation might lead to stack space exhaustion and a denial-of-service condition. Technical details for this vulnerability are not publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 46, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7596 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.46.1 - CVE: CVE-2009-2512
  • Platform: Windows
  • Title: Microsoft Windows Web Services on Devices API Remote Code Execution
  • Description: Web Services on Devices API (WSDAPI) is an implementation of the Devices Profile for Web Services (DPWS) for Windows Vista and Windows Server 2008. WSDAPI allows the automatic discovery of network devices. Windows is exposed to a remote code execution issue because the WSDAPI implementation fails to sufficiently validate header information when processing WSD messages.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-063.mspx

  • 09.46.2 - CVE: CVE-2009-2523
  • Platform: Windows
  • Title: Microsoft Windows License Logging Server Remote Heap Buffer Overflow
  • Description: The License Logging Server is a tool for Windows for managing licenses for Microsoft server products. The tool is exposed to a remote heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data when handling specially crafted RPC (Remote Procedure Call) requests.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-064.mspx

  • 09.46.3 - CVE: CVE-2009-1127
  • Platform: Windows
  • Title: Microsoft Windows Kernel NULL Pointer Dereference Local Privilege Escalation
  • Description: Microsoft Windows is exposed to a local privilege escalation issue that occurs in the Windows kernel. This issue stems from a NULL pointer dereference because the kernel fails to properly validate a user-supplied argument before passing it to a system call.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx

  • 09.46.4 - CVE: CVE-2009-2513
  • Platform: Windows
  • Title: Microsoft Windows Kernel GDI Data Validation Local Privilege Escalation
  • Description: The Microsoft Windows Graphics Device Interface (GDI) allows applications to use graphics and formatted text on both the video display and the printer. Windows is exposed to a local privilege escalation issue that occurs in the Windows kernel, affecting the GDI library. Specifically, the kernel mode drivers fail to properly validate user-supplied input before passing it to the kernel component of GDI.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx

  • 09.46.5 - CVE: CVE-2009-3131
  • Platform: Microsoft Office
  • Title: Microsoft Excel Formula Parsing Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution vulnerability when parsing an Excel ".xls" file. The issue arises when the application processes a specially crafted formula embedded inside a cell which leads to memory corruption.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-067.mspx

  • 09.46.6 - CVE: CVE-2009-3132
  • Platform: Microsoft Office
  • Title: Microsoft Excel Index Parsing Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution issue when parsing an index value while loading a specially crafted formula in a malformed Excel ".xls" file.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-067.mspx

  • 09.46.7 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Microsoft Excel Document Parsing Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution vulnerability when parsing a specially crafted Excel ".xls" file which leads to memory corruption.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-067.mspx

  • 09.46.8 - CVE: CVE-2009-3134
  • Platform: Microsoft Office
  • Title: Microsoft Excel Field Parsing Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution issue when opening a specially crafted Excel ".xls" file which leads to memory corruption.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-067.mspx

  • 09.46.9 - CVE: CVE-2009-3127
  • Platform: Microsoft Office
  • Title: Microsoft Excel Cache Memory Corruption Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution issue when parsing a specially crafted Excel ".xls" file which leads to corruption of cache memory.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-067.mspx

  • 09.46.10 - CVE: CVE-2009-3128
  • Platform: Microsoft Office
  • Title: Microsoft Excel "SxView" Memory Corruption Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Excel is exposed to a remote code execution issue that arises when parsing objects in an Excel ".xls" file. A specially crafted "SxView" record can corrupt memory.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-067.mspx

  • 09.46.11 - CVE: CVE-2009-3129
  • Platform: Microsoft Office
  • Title: Microsoft Excel "Featheader" Record Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution issue that arises when parsing an object in a specially crafted Excel ".xls" file, which leads to memory corruption.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-067.mspx

  • 09.46.12 - CVE: CVE-2009-3130
  • Platform: Microsoft Office
  • Title: Microsoft Excel Malformed BIFF Record Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution issue that arises when handling malformed BIFF records which triggers a heap-based overflow.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-067.mspx

  • 09.46.13 - CVE: CVE-2009-3135
  • Platform: Microsoft Office
  • Title: Microsoft Word Record Parsing Remote Code Execution
  • Description: Microsoft Word is a word processor available for multiple platforms. The application is exposed to a remote code execution issue when processing a malformed record in the file, which can trigger memory corruption.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS09-068.mspx

  • 09.46.14 - CVE: CVE-2009-1928
  • Platform: Other Microsoft Products
  • Title: Microsoft Active Directory LDAP Request Stack Exhaustion Denial of Service
  • Description: Microsoft Active Directory is an LDAP (Lightweight Directory Access Protocol) implementation distributed with multiple Windows operating systems. The application is exposed to a denial of service issue that occurs when processing specially crafted LDAP or LDAPS requests. Specifically, a remote attacker can exploit this issue to cause the vulnerable application to exhaust stack memory and stop responding, thus denying access to legitimate users.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS09-066.mspx

  • 09.46.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SafeNet SoftRemote Policy File Handling Remote Buffer Overflow Vulnerabilities
  • Description: SafeNet SoftRemote is an IPSec VPN client. The application is exposed to remote stack based buffer overflow vulnerabilities because it fails to perform adequate checks on user-supplied input. Specifically, these issues occur when the application parses specially crafted ".spd" files containing excessive values for the "TREENAME" or "GROUPNAME" fields. SafeNet SoftRemote versions 10.8.5 build 2 and 10.3.5 build 6 are affected by this issue.
  • Ref: http://www.senseofsecurity.com.au/advisories/SOS-09-008

  • 09.46.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Pablo Software Solutions Baby Web Server Multiple Request Remote Denial of Service
  • Description: Pablo Software Solutions Baby Web Server is a web server available for Microsoft Windows. The application is exposed to a remote denial of service issue because it fails to handle multiple connection requests. Baby Web Server version 2.7.2 is affected by this issue.
  • Ref: http://www.securityfocus.com/bid/36942/

  • 09.46.17 - CVE: CVE-2009-3548
  • Platform: Third Party Windows Apps
  • Title: Apache Tomcat Windows Installer Insecure Password
  • Description: Apache Tomcat is a Java-based web server for multiple operating systems. The application is exposed to an insecure password issue in the Windows installer because the administrative password defaults to a blank password during the install process. Tomcat versions 6.0.0 through 6.0.20 and Tomcat 5.5.0 through 5.5.28 are affected by this issue.
  • Ref: http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html

  • 09.46.18 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: XM Easy Personal FTP Server
  • Description: XM Easy Personal FTP Server is an FTP server for Microsoft Windows. The application is exposed to a remote denial of service issue that occurs when handling a specially crafted "LIST" command without first processing a "PASV" or "PORT" command. XM Easy Personal FTP Server version 5.8.0 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/507785

  • 09.46.19 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X "ptrace" Mutex Handling Local Denial of Service
  • Description: Apple Mac OS X is exposed to a local denial of service issue due to a race condition error when handling the "ptrace" command. Specifically, the issue is caused by an error in mutex handling and occurs when an attempt is made to interlock a mutex that has already been destroyed.
  • Ref: http://www.vupen.com/english/advisories/2009/3163

  • 09.46.20 - CVE: CVE-2009-2824
  • Platform: Mac Os
  • Title: Apple Mac OS X Apple Type Services Multiple Memory Corruption Vulnerabilities
  • Description: Apple Type Services (ATS) is a component of the Apple Mac OS X operating system. ATS is exposed to multiple memory corruption vulnerabilities when handling a maliciously crafted document containing an embedded font. Mac OS X and Mac OS X Server versions 10.5.8 and earlier are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.21 - CVE: CVE-2009-2819
  • Platform: Mac Os
  • Title: Apple Mac OS X AFP Client Multiple Remote Code Execution Vulnerabilities
  • Description: Apple Mac OS X is exposed to a remote code execution issue in the AFP client due to a boundary condition error when accessing a malicious AFP server. Mac OS X and Mac OS X Server versions 10.5.8 and earlier are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.22 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X CoreGraphics Multiple Heap Overflow Vulnerabilities
  • Description: CoreGraphics is a component of the Apple Mac OS X operating system. The CoreGraphics component is exposed to multiple memory corruption vulnerabilities when handling a maliciously crafted PDF document, which result from heap overflow conditions. Mac OS X versions 10.5.8 and earlier, and Mac OS X Server versions 10.5.8 and earlier, are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.23 - CVE: CVE-2009-2818
  • Platform: Mac Os
  • Title: Apple Mac OS X Adaptive Firewall Security Bypass
  • Description: Apple Mac OS X is exposed to a security bypass issue. Specifically, under certain circumstances the Adaptive Firewall application fails to detect SSH login attempts that use invalid user names. Mac OS X Server versions 10.5.8 and earlier, and Mac OS X Server versions 10.6.1 and earlier are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.24 - CVE: CVE-2009-2839
  • Platform: Mac Os
  • Title: Apple Mac OS X Screen Sharing Client Multiple Remote Code Execution Vulnerabilities
  • Description: The Apple Mac OS X Screen Sharing client allows users to access remote computers. The application is exposed to multiple remote code execution vulnerabilities which arise when the client accesses a malicious VNC server.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.25 - CVE: CVE-2009-2829
  • Platform: Mac Os
  • Title: Apple Mac OS X Event Monitor Log Parsing Denial of Service
  • Description: Apple Mac OS X is exposed to a denial of service issue which affects the Event Monitor component and can occur by sending maliciously crafted authentication information to the SSH server. This causes malicious data to be stored in logs which are later processed by other services. Mac OS X Server versions 10.5.8 and earlier are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.26 - CVE: CVE-2009-2840
  • Platform: Mac Os
  • Title: Apple Mac OS X Spotlight Insecure Temporary File Handling
  • Description: Apple Mac OS X Spotlight handles temporary files in an insecure manner. Successfully exploiting this issue may allow a local attacker to overwrite files with the privileges of another local user.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.27 - CVE: CVE-2009-2828
  • Platform: Mac Os
  • Title: Apple Mac OS X DirectoryService Memory Corruption
  • Description: Apple Mac OS X is exposed to a memory corruption issue that affects the DirectoryService component.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.28 - CVE: CVE-2009-2827
  • Platform: Mac Os
  • Title: Apple Mac OS X Disk Images FAT Filesystem Heap Buffer Overflow
  • Description: Apple Mac OS X is exposed to a heap based buffer overflow issue that affects the Disk Images component. This issue occurs when handling a disk image containing a malicious FAT filesystem. Mac OS X versions 10.5.8 and earlier and Mac OS X Server versions 10.5.8 and earlier are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.29 - CVE: CVE-2009-2830
  • Platform: Mac Os
  • Title: Apple Mac OS X CDF File Multiple Buffer Overflow Vulnerabilities
  • Description: Apple Mac OS X is exposed to multiple heap based buffer overflow vulnerabilities that affect the file component. These issues occur when running the "file" command line tool on a specially crafted Common Document Format (CDF) file.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.30 - CVE: CVE-2009-2832
  • Platform: Mac Os
  • Title: Apple Mac OS X FTP Server CWD Command Buffer Overflow
  • Description: Apple Mac OS X is exposed to a buffer overflow issue that affects the FTP component which occurs when issuing a CWD command on a deeply nested directory hierarchy.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.31 - CVE: CVE-2009-2808
  • Platform: Mac Os
  • Title: Apple Mac OS X Help Viewer Spoofed HTTP Response Remote Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue that occurs in Help Viewer component because it fails to use HTTPS when viewing Apple Help content.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.32 - CVE: CVE-2009-2831
  • Platform: Mac Os
  • Title: Apple Mac OS X Dictionary Arbitrary Script Injection
  • Description: Apple Mac OS X is exposed to an arbitrary script code execution issue because it fails to properly sanitize user-supplied input to the Dictionary component.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.33 - CVE: CVE-2009-2834
  • Platform: Mac Os
  • Title: Apple Mac OS X IOKit Keyboard Firmware Local Unauthorized Access
  • Description: Apple Mac OS X is exposed to a local unauthorized access issue that affects the IOKit component. Specifically, nonprivileged users can alter the firmware in an attached USB or Bluetooth keyboard.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.34 - CVE: CVE-2009-2833
  • Platform: Mac Os
  • Title: Apple Mac OS X International Components for Unicode Buffer Overflow
  • Description: Apple Mac OS X is exposed to a buffer overflow issue that affects the International Components for Unicode libraries. This issue occurs in the "UCCompareTextDefault" API when malformed data is processed. Mac OS X and Mac OS X Server versions 10.5.8 and earlier are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.35 - CVE: CVE-2009-2835
  • Platform: Mac Os
  • Title: Apple Mac OS X Kernel Multiple Vulnerabilities
  • Description: The Apple Mac OS X kernel is exposed to multiple vulnerabilities due to insufficient input validation, including when handling task state segments.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.36 - CVE: CVE-2009-2836
  • Platform: Mac Os
  • Title: Apple Mac OS X Login Window Race Condition
  • Description: Apple Mac OS X is exposed to a race condition issue that occurs in Login Window. Mac OS X and Mac OS X Server versions 10.6 and 10.6.1 are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.37 - CVE: CVE-2009-2837
  • Platform: Mac Os
  • Title: Apple Mac OS X QuickDraw Manager Remote Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue that affects the QuickDraw Manager. This issue occurs due to a heap based buffer overflow when handling a malicious PICT image. Mac OS X and Mac OS X Server versions earlier than 10.6.2 and Mac OS X and Mac OS X Server versions 10.5.8 and earlier are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.38 - CVE: CVE-2009-2810
  • Platform: Mac Os
  • Title: Apple Mac OS X Launch Services Remote Security Bypass
  • Description: Apple Mac OS X is exposed to a security bypass issue which affects the Launch Services API. Specifically, when the API is called to open a quarantined directory, it recursively removes the quarantine information from all files present in the directory, which can allow an unsuspecting user to launch a file from the quarantined directory without being presented with a warning dialog box. Mac OS X and Mac OS X Server versions 10.6 and 10.6.1 are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.39 - CVE: CVE-2009-2838
  • Platform: Mac Os
  • Title: Apple Mac OS X QuickLook Remote Code Execution
  • Description: Apple Mac OS X is exposed to a remote code execution issue that affects QuickLook. This issue occurs due to an integer overflow when handling malicious Microsoft Office files.
  • Ref: http://support.apple.com/kb/HT3937


  • 09.46.41 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "fput()" NULL Pointer Dereference Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue that stems from a NULL pointer dereference condition in the NOMMU subsystem. Specifically, when an attacker attempts to allocate a large amount of memory, the kernel passes a NULL pointer to the "fput()" function as an argument, which is later used in the "atomic_long_dec_and_test()" function, resulting in a NULL pointer exception.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=89a8640279f8bb78aaf778d1fc5c4a6778f18064


  • 09.46.43 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Sockets Direct Protocol (SDP) Driver "sdp(7D)" Remote Denial of Service
  • Description: Sun Solaris is a Unix based operating system. Solaris is exposed to a remote denial of service issue because of an error in the Sockets Direct Protocol (SDP) driver "sdp(7D)".
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-264730-1

  • 09.46.44 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris XScreenSaver Popup Windows Security Bypass
  • Description: XScreenSaver is a screen saver for Linux and Unix systems running the X11 Window System. The application is exposed to a security bypass issue because popup windows may appear through the locked screen when the accessibility feature is turned on. Solaris 10 on both SPARC and x86 platforms with patches 120094-27 and 120095-27 are affected by this issue.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-268288-1


  • 09.46.46 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris SCTP "sctp(7P)" and SDP "sdp(7D)" Sockets Local Denial of Service
  • Description: Sun Solaris is exposed to a local denial of service issue in Stream Control Transmission Protocol "sctp(7P)" and Sockets Direct Protocol "sdp(7D)" driver sockets.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-266388-1

  • 09.46.47 - CVE: Not Available
  • Platform: Aix
  • Title: IBM PowerHA Cluster Management Unauthorized Access
  • Description: IBM PowerHA Cluster Management is a tool for high availability cluster configuration. The application is exposed to an unauthorized access issue which may allow remote attackers to interact with the "godm" service by sending specifically crafted packets to port 6177. PowerHA Cluster Management versions 5.4, 5.4.1, 5.5, and 6.1 on AIX 5.3 and AIX 6.1 platforms are affected by this issue.
  • Ref: http://aix.software.ibm.com/aix/efixes/security/haport_advisory.asc

  • 09.46.48 - CVE: CVE-2009-3463, CVE-2009-3464, CVE-2009-3465, CVE-2009-3466, CVE-2009-3244
  • Platform: Cross Platform
  • Title: Adobe Shockwave Player Multiple Remote Code Execution and Denial of Service Vulnerabilities
  • Description: Adobe Shockwave Player is a multimedia player available for multiple platforms. The application is exposed to remote code execution vulnerabilities due to an invalid index issue, an invalid string length issue and an invalid pointer issue, and to a denial of service issue due to a boundary condition error. Adobe Shockwave Player versions earlier than 11.5.2.602 for Microsoft Windows and Apple Mac OS X are affected by these issues.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb09-16.html

  • 09.46.49 - CVE: CVE-2008-4826
  • Platform: Cross Platform
  • Title: IBM Tivoli Storage Manager Multiple Remote Vulnerabilities
  • Description: IBM Tivoli Storage Manager is an application for automated backup and recovery of data. The application is exposed to a remote buffer overflow issue which affects the client acceptor daemon (CAD) scheduler when handling malicious data, a buffer overflow issue which affects the traditional client scheduler when handling malicious data, and an unauthorized access issue in the Unix and Linux backup archive clients and the OS/400 API client when the "MAILPROG" option is enabled, which may allow attackers to read, copy, edit, or delete files on affected computers.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21405562

  • 09.46.50 - CVE: CVE-2009-3727
  • Platform: Cross Platform
  • Title: Asterisk SIP Response Username Enumeration Remote Information Disclosure
  • Description: Asterisk is an open source PBX application available for multiple operating platforms. The application is exposed to an information disclosure issue because it doesn't provide safe responses to failed SIP authentication attempts. Specifically, when two specially crafted REGISTER messages are sent, different responses are provided, depending on whether a user exists or not.
  • Ref: http://downloads.asterisk.org/pub/security/AST-2009-008.html
  • 09.46.53 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Google Chrome prior to 3.0.195.32 Multiple Security Vulnerabilities
  • Description: Google Chrome is a web browser for multiple platforms. The application is prone to a security bypass issue because the browser does not warn a user about dangerous file types before downloading them. Chrome versions earlier than 3.0.195.32 are affected by this issue.
  • Ref: http://googlechromereleases.blogspot.com/2009/11/stable-channel-update.html

  • 09.46.54 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PDFLib "open_basedir" Restriction Bypass
  • Description: PDFLib is a library used to construct PDF files. PDFLib is exposed to an "open_basedir" restriction bypass issue. Successfully exploiting this issue allows attackers to write to arbitrary files on the hosting computer with the privileges of the hosting web server. This issue affects unknown versions of PDFLib, while running on PHP 5.3.0.
  • Ref: http://www.securityfocus.com/archive/1/507716

  • 09.46.55 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GNU GRUB Local Authentication Bypass
  • Description: GNU GRUB is a boot loader. GNU GRUB is exposed to a local authentication bypass issue because the application fails to properly validate passwords at boot time and accepts a password even if only the first character of the password supplied by an attacker matches the correct password's first character. GNU GRUB version 1.97 is affected by this issue.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555195

  • 09.46.56 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Poppler "ABWOutputDev.cc" Remote Buffer Overflow
  • Description: Poppler is a library that provides a programming interface for rendering PDF files. The library is exposed to a remote buffer overflow issue that occurs because it fails to perform adequate boundary checks on user-supplied data.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534680

  • 09.46.57 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: RoundCube Webmail Multiple Cross-Site Request Forgery Vulnerabilities
  • Description: RoundCube Webmail is a web-based IMAP client implemented in PHP. The application is exposed to multiple cross-site request forgery vulnerabilities. Successfully exploiting this issue may allow an attacker to alter user information or send arbitrary emails. RoundCube Webmail versions earlier than 0.3-stable are affected by this issue.
  • Ref: http://jvn.jp/en/jp/JVN72974205/index.html
  • Ref: http://jvn.jp/en/jp/JVN75694913/index.html

  • 09.46.58 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal User Protect Cross-Site Request Forgery
  • Description: User Protect provides an editing protection module for the Drupal content manager. The application is exposed to a cross-site request forgery issue. Specifically, the link used for deleting user protection fails to properly implement the Form API submission model, which is used to protect users from cross-site request-forgery attacks. Drupal User Protect versions 6.x-1.2 and 5.x-1.3 are affected by this issue.
  • Ref: http://drupal.org/node/623162

  • 09.46.59 - CVE: CVE-2008-7220
  • Platform: Web Application - Cross Site Scripting
  • Title: Prototype JavaScript Framework Cross-Site Ajax Request
  • Description: Prototype JavaScript Framework is a framework for developing dynamic web applications. Prototype JavaScript Framework is exposed to an issue involving cross-site AJAX requests which may allow attackers to execute arbitrary code within the context of the affected browser. Prototype JavaScript Framework versions earlier than 1.6.0.2 are affected by this issue. Asterisk Open Source, Asterisk Business Edition and AsteriskNOW include Prototype JavaScript Framework.
  • Ref: http://downloads.digium.com/pub/security/AST-2009-009.html


  • 09.46.61 - CVE: CVE-2009-2823
  • Platform: Web Application - Cross Site Scripting
  • Title: Apple Mac OS X Apache HTTP TRACE Cross-Site Scripting
  • Description: Apple Mac OS X Apache server is exposed to a cross-site scripting issue. The issue occurs because the server supports and responds to the HTTP TRACE request by default. Mac OS X and Mac OS X Server versions 10.5.8 and earlier, and Mac OS X 10.6.1 and Mac OS X Server 10.6.1 and earlier are affected by this issue.
  • Ref: http://support.apple.com/kb/HT3937

  • 09.46.62 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Xerox Fiery Webtools "summary.php" SQL Injection
  • Description: Xerox Fiery Webtools is a web-based printer application. The application is exposed to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "select" parameter of the "/wt3/summary.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/36906

  • 09.46.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Smartqueue OG Confirmation Message Security Bypass
  • Description: Smartqueue OG is a module for the Drupal content manager. The module is exposed to a security bypass issue that may allow attackers with insufficient privileges to view group nodes. Specifically, the confirmation message containing group membership information is displayed without checking whether the user has permission to view the group.
  • Ref: http://drupal.org/node/623554

  • 09.46.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal NGP COO/CWP Integration Module Security Bypass and HTML Injection Vulnerabilities
  • Description: NGP COO/CWP Integration is a module for the Drupal content manager. The module provides integration with the NGP Software API for campaign management. The application is exposed to an HTML injection issue which affects unspecified user-supplied values and a security bypass issue in an unspecified administration page. NGP COO/CWP Integration versions earlier than 6.x-1.13 are affected by this issue.
  • Ref: http://drupal.org/node/623546

  • 09.46.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Link Module "Link Title" HTML Injection
  • Description: Link is a component for the Drupal content manager that adds functionality to the Content Construction Kit (CCK) module. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "link title" field when using the "Separate title and URL" formatter before using the input in dynamically generated content. Link versions earlier than 5.x-2.6 and Link 6.x-2.7 are affected by this issue.
  • Ref: http://drupal.org/node/623562

  • 09.46.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Zoomify Module "node title" HTML Injection
  • Description: Zoomify is a PHP based component for the Drupal content manager. The component integrates the Zoomify Flash applet for zooming and panning large images. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "node title" field before displaying it in a user's browser. Zoomify versions earlier than 6.x-1.4 and Zoomify 5.x-2.2 are affected by this issue.
  • Ref: http://drupal.org/node/623678

  • 09.46.67 - CVE: Not Available
  • Platform: Web Application
  • Title: eNdonesia "mod" Parameter Local File Include
  • Description: eNdonesia is a web-based content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "mod" parameter of the "mod.php" script. eNdonesia version 8.4 is affected by this issue.
  • Ref: http://www.juniper.net/security/auto/vulnerabilities/vuln36932.html

  • 09.46.68 - CVE: CVE-2009-2685
  • Platform: Web Application
  • Title: HP Power Manager Unspecified Remote Code Execution
  • Description: HP Power Manager is a web-based application to manage an HP UPS. The application is exposed to an unspecified remote code execution issue.
  • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01905743

  • 09.46.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Citrix NetScaler and Access Gateway Denial of Service
  • Description: Citrix NetScaler is an appliance that accelerates the performance of applications. Citrix NetScaler and Access Gateway are exposed to a denial of service issue due to an unspecified error when the "URL Transform", "Application Firewall" or "AGEE Clientless VPN" features are in use. Citrix NetScaler, NetScaler Application Firewall and Access Gateway Enterprise Edition with firmware versions 9.0 (earlier than build 70.5) and 9.1 (earlier than build 96.4) are affected by this issue.
  • Ref: http://support.citrix.com/article/CTX123060

  • 09.46.70 - CVE: Not Available
  • Platform: Web Application
  • Title: XOOPS Multiple Unspecified Vulnerabilities
  • Description: XOOPS is a PHP-based content manager. The application is exposed to multiple unspecified vulnerabilities. XOOPS versions earlier than 2.4.0 are affected by this issue.
  • Ref: http://www.xoops.org/modules/news/article.php?storyid=5064

  • 09.46.71 - CVE: Not Available
  • Platform: Network Device
  • Title: Hitachi Cosminexus XML Processor Denial of Service
  • Description: Multiple Hitachi products are exposed to a denial of service issue in the Cosminexus XML Processor component. The issue occurs when processing a SOAP message that contains crafted XML data.
  • Ref: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS09-017/index.html

  • 09.46.72 - CVE: Not Available
  • Platform: Network Device
  • Title: IBM BladeCenter Advanced Management Module Multiple Unspecified Security Vulnerabilities
  • Description: IBM BladeCenter Advanced Management Module is a hardware device used for managing cluster nodes. BladeCenter Advanced Management Module is exposed to multiple unspecified security vulnerabilities. BladeCenter Advanced Management Module versions earlier than 2.50G are vulnerable.
  • Ref: ftp://download2.boulder.ibm.com/ecc/sar/CMA/XSA/00pj6/0/ibm_fw_amm_bbet50g_anyos_noarch.chg

  • 09.46.73 - CVE: Not Available
  • Platform: Network Device
  • Title: HP NonStop Server Unauthorized Data Access
  • Description: HP NonStop Server is an enterprise server in the HP Integrity family of servers. HP NonStop Server is prone to an unauthorized access issue which arises on HP NonStop Servers running the OSS Name Server.
  • Ref: http://www.securityfocus.com/bid/36981/

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.