Top New Vulnerabilities in Q2, 2005 (Summary List)

Microsoft Products

Other Products: Backup Software; Anti-virus, Database, Media Players and Browser Software; Mac OS

***********************************************************

Microsoft Products

***********************************************************

Microsoft Internet Explorer Multiple Vulnerabilities (MS05-020 and MS05-025)
Patches:
MS05-025 available. Note that MS05-025 also includes the patches released in security update MS05-020.

Affected:
Internet Explorer 5.01 SP3/SP4, 5.5 SP2, 6.0 and 6.0 SP1

Risk:
A malicious web page can run arbitrary code on the client system; in practice this is used to install malware.

Exploits:
Multiple exploits have been publicly posted. Certain vulnerabilities have been exploited in the wild.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely3
http://www.sans.org/newsletters/risk/display.php?v=4&i=24#widely1
http://www.edup.tudelft.nl/~bjwever/menu.html.php
http://www.sans.org/newsletters/risk/display.php?v=4&i=17#exploit2
http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx
http://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx

CVE:
CAN-2005-0553
CAN-2005-0554
CAN-2005-0555
CAN-2005-1211

Top20 Category: W6 Web Browsers

*******************************************************************

Microsoft Exchange Server Extended Verb Overflow (MS05-021)
Patches:
MS05-021 available.

Affected:
Microsoft Exchange Server 2000/2003

Risk:
An unauthenticated attacker can execute code with "SYSTEM" privileges.

Exploits:
Exploit code has been publicly posted and seen in the wild.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#exploit1
http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx

CVE:
CAN-2005-0560

Affected Ports:
25/tcp

Top20 Category: W3 Windows Remote Access Services
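
The entry above describes an overflow in Exchange's handling of an extended SMTP verb on 25/tcp. As an added example (not from the SANS list or from Microsoft), here is a small Python check that a network sensor or SMTP proxy could apply to the client side of a session: it flags any command line longer than the 512-octet ceiling RFC 5321 sets for commands, and any extension (X-) verb whose argument is longer than a site threshold, while skipping message content between DATA and the terminating "." so long headers do not trigger it. The verb set, the 128-byte threshold and the sample session are assumptions for the example, not details taken from the advisory.

```python
import re
from typing import List, Tuple

# RFC 5321 section 4.5.3.1.4: a command line, including the CRLF, is at most
# 512 octets. Anything longer is a broken client or an attack on the parser.
MAX_CMD_LINE = 512

# Verbs an ordinary client uses. Anything else that starts with "X" is a
# vendor extension; anything else at all is simply unknown.
STANDARD_VERBS = {
    "HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
    "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS", "ETRN", "BDAT", "TURN",
}

# Hypothetical site threshold: legitimate extension verbs carry short
# arguments, so a long argument on an X- verb is worth an alert on its own.
MAX_EXT_ARG = 128

CMD_RE = re.compile(rb"^([A-Za-z][A-Za-z0-9-]*)(?:[ \t]+(.*))?$")


def check_command(line: bytes) -> List[str]:
    """Findings for one client-to-server SMTP command line (CRLF optional)."""
    raw = line.rstrip(b"\r\n")
    findings = []
    if len(raw) + 2 > MAX_CMD_LINE:
        findings.append(
            "line exceeds RFC 5321 limit (%d > %d)" % (len(raw) + 2, MAX_CMD_LINE))
    m = CMD_RE.match(raw)
    if not m:
        findings.append("unparseable command line")
        return findings
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2) or b""
    if verb not in STANDARD_VERBS:
        if verb.startswith("X"):
            if len(arg) > MAX_EXT_ARG:
                findings.append(
                    "extended verb %s with %d-byte argument" % (verb, len(arg)))
        else:
            findings.append("unknown verb %s" % verb)
    return findings


def scan_session(client_lines: List[bytes]) -> List[Tuple[int, str]]:
    """Run check_command over the client side of a session.

    Lines between DATA and the terminating "." are message content, not
    commands, and are skipped so long headers do not cause false alerts.
    (Assumes the server accepted DATA; only the client side is inspected.)
    """
    findings = []
    in_data = False
    for n, line in enumerate(client_lines, 1):
        raw = line.rstrip(b"\r\n")
        if in_data:
            if raw == b".":
                in_data = False
            continue
        for f in check_command(raw):
            findings.append((n, f))
        if raw.split(b" ", 1)[0].upper() == b"DATA":
            in_data = True
    return findings


# Constructed sample session (not real traffic): a normal message, followed by
# an extended verb carrying a 300-byte argument.
SAMPLE_SESSION = [
    b"EHLO client.example.net",
    b"X-PING hello",
    b"MAIL FROM:<alice@example.net>",
    b"RCPT TO:<bob@example.com>",
    b"DATA",
    b"Subject: status",
    b"X-Long-Header: " + b"A" * 300,
    b".",
    b"X-FOO " + b"A" * 300,
    b"QUIT",
]

if __name__ == "__main__":
    for n, f in scan_session(SAMPLE_SESSION):
        print("line %d: %s" % (n, f))
```

Only line 9 of the sample is reported; the 300-byte header inside the DATA block is correctly ignored. The length check is the one that needs no tuning, since no conforming client sends a 512-octet command; the X- verb threshold is the knob to adjust per environment.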

*******************************************************************

Windows Message Queuing Service Overflow (MS05-017)
Patches:
MS05-017 available.

Affected:
The following Windows systems, when running the Message Queuing Service:
Windows 2000 SP3 and SP4
Windows XP SP1 (including 64-bit edition)

Risk:
An unauthenticated attacker can execute code with "SYSTEM" privileges.

Exploits:
Exploit code has been publicly posted.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely2
http://www.sans.org/newsletters/risk/display.php?v=4&i=26#exploit2
http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx

CVE:
CAN-2005-0059

Affected Ports:
2101/tcp, 2103/tcp, 2105/tcp and 2107/tcp in typical configurations.
The service is reached over RPC and binds to ports above 1024/tcp, so the exact ports vary from host to host; check the RPC endpoint mapper (135/tcp) rather than relying on the list above.

Top20 Category: W3 Windows Remote Access Services

*******************************************************************

Windows SMB Protocol Processing Overflow (MS05-027)
Patches:
MS05-027 available.

Affected:
Windows 2000 SP3 and SP4
Windows XP SP1 and SP2
Windows 2003 including SP1

Risk:
An unauthenticated attacker can execute code with kernel privileges.

Exploits:
Exploit code has been included in the CORE Testing Tool.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=24#widely3
http://www.microsoft.com/technet/security/Bulletin/MS05-027.mspx

CVE:
CAN-2005-1206

Affected Ports:
139/tcp and 445/tcp

Top20 Category: W3 Windows Remote Access Services

**************************************************************************

Windows HTML Help File Parsing Overflow (MS05-026)
Patches:
MS05-026 available.

Affected:
Windows 2000 SP3 and SP4
Windows XP SP1 and SP2
Windows 2003 including SP1

Risk:
A malicious web page can run arbitrary code on the client system; in practice this is used to install malware.

Exploits:
The technical details have been publicly posted.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=24#widely2
http://www.microsoft.com/technet/security/Bulletin/MS05-026.mspx

CVE:
CAN-2005-1208

*******************************************************************

Windows Shell Remote Code Execution (MS05-016)
Patches:
MS05-016 available.

Affected:
Windows 2000 SP3 and SP4
Windows XP SP1 and SP2
Windows XP 64-Bit Edition SP1 and Windows XP 64-Bit Edition Version 2003
Windows 2003

Risk:
A malicious document can run arbitrary code on the client system (in practice, to install malware). Exploitation requires user interaction.

Exploits:
Exploit code has been publicly posted.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely6
http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx

CVE:
CAN-2005-0063

***********************************************************

Backup Software

***********************************************************

Computer Associates BrightStor ARCServe Backup Overflow
Patches:
Available.

Affected:
BrightStor ARCserve Backup 9.x, 10.x and 11.x on Windows

Risk:
Remote compromise of systems running ARCserve Backup, with Administrator privileges.

Exploits:
Available in the Metasploit Framework. Increased scanning activity has been observed on 6050/tcp.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#other1
http://www.metasploit.com/projects/Framework/modules/exploits/cabrightstor_uniagent.pm

CVE:
CAN-2005-1018

Affected Ports:
6050/tcp

***********************************************************

Veritas Backup Software Multiple Vulnerabilities
Patches:
Available.

Affected:
Backup Exec 10.0 for Windows Servers rev. 5484
Backup Exec 9.1 for Windows Servers rev. 4691
Backup Exec 9.0 for Windows Servers rev. 4454 and 4367
Backup Exec 9.1.307/306/1154/1152.4/1152/1151.1/1127.1/1067.3/1067.2 for NetWare Servers
Backup Exec 9.0.4202/4174/4172/4170/4019 for NetWare Servers

Risk:
Remote compromise of systems running Veritas backup software, with Administrator privileges.

Exploits:
Available in the Metasploit Framework and seen in use in the wild.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=25#widely1
http://seer.support.veritas.com/docs/276604.htm
http://seer.support.veritas.com/docs/276605.htm
http://seer.support.veritas.com/docs/276606.htm
http://seer.support.veritas.com/docs/276533.htm
http://seer.support.veritas.com/docs/276607.htm
http://seer.support.veritas.com/docs/277485.htm

CVE:
CAN-2005-0771
CAN-2005-0772
CAN-2005-0773

Affected Ports:
10000/tcp, 8099/tcp, 6106/tcp
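
The ARCserve entry notes increased scanning on 6050/tcp, and each entry above lists the ports its vulnerable service exposes. As an added example (not part of the SANS list), the Python below collects those ports into one watch list and runs a simple horizontal-scan detector over firewall log lines: a source that reaches a threshold of distinct hosts on one watched port inside a sliding window is reported together with the advisory the port belongs to. The log format, the window and threshold defaults, and the sample lines are constructed for this example and are not from the page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Ports taken from the "Affected Ports" lines of the entries above, keyed to
# the advisory they belong to.
WATCHED_PORTS = {
    25: "MS05-021 Exchange extended verb overflow",
    2101: "MS05-017 Message Queuing overflow",
    2103: "MS05-017 Message Queuing overflow",
    2105: "MS05-017 Message Queuing overflow",
    2107: "MS05-017 Message Queuing overflow",
    139: "MS05-027 SMB overflow",
    445: "MS05-027 SMB overflow",
    6050: "CA BrightStor ARCserve Backup overflow (CAN-2005-1018)",
    10000: "Veritas Backup Exec (CAN-2005-0771/0772/0773)",
    8099: "Veritas Backup Exec (CAN-2005-0771/0772/0773)",
    6106: "Veritas Backup Exec (CAN-2005-0771/0772/0773)",
}

# Hypothetical firewall log format used for this example; adapt LOG_RE to
# whatever your perimeter device actually emits.
LOG_RE = re.compile(
    r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) proto=tcp dport=(\d+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dport), or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(3), m.group(4), int(m.group(5))


def max_distinct_targets(events: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct destinations seen inside any sliding window
    of the given length (two-pointer sweep over the time-sorted events)."""
    events = sorted(events)
    counts: Counter = Counter()
    best = left = 0
    for ts, dst in events:
        counts[dst] += 1
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_scanners(lines: List[str], window_seconds: int = 600,
                  min_targets: int = 5) -> List[Dict[str, object]]:
    """Flag sources that touched at least min_targets distinct hosts on one
    watched port within the window. Ports not on the watch list are ignored."""
    window = timedelta(seconds=window_seconds)
    per_key: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport not in WATCHED_PORTS:
            continue
        per_key.setdefault((src, dport), []).append((ts, dst))
    hits = []
    for (src, dport), events in sorted(per_key.items()):
        n = max_distinct_targets(events, window)
        if n >= min_targets:
            hits.append({"src": src, "dport": dport, "targets": n,
                         "advisory": WATCHED_PORTS[dport]})
    return hits


# Constructed log lines (not real traffic): one host sweeps 6050/tcp across six
# addresses in two minutes; the other sources are normal or below threshold.
SAMPLE_LOG = [
    "2005-04-20T10:00:01 DROP src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=6050",
    "2005-04-20T10:00:12 DROP src=10.1.2.3 dst=192.0.2.11 proto=tcp dport=6050",
    "2005-04-20T10:00:25 ACCEPT src=10.1.2.3 dst=192.0.2.12 proto=tcp dport=6050",
    "2005-04-20T10:00:40 DROP src=10.1.2.3 dst=192.0.2.13 proto=tcp dport=6050",
    "2005-04-20T10:01:03 DROP src=10.1.2.3 dst=192.0.2.14 proto=tcp dport=6050",
    "2005-04-20T10:01:50 DROP src=10.1.2.3 dst=192.0.2.15 proto=tcp dport=6050",
    "2005-04-20T10:01:55 DROP src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=6050",
    "2005-04-20T10:02:00 ACCEPT src=10.9.9.9 dst=192.0.2.20 proto=tcp dport=25",
    "2005-04-20T10:02:30 ACCEPT src=10.9.9.9 dst=192.0.2.20 proto=tcp dport=25",
    "2005-04-20T10:03:00 DROP src=10.5.5.5 dst=192.0.2.30 proto=tcp dport=445",
    "2005-04-20T10:03:01 DROP src=10.5.5.5 dst=192.0.2.31 proto=tcp dport=445",
    "2005-04-20T10:03:02 DROP src=10.5.5.5 dst=192.0.2.32 proto=tcp dport=445",
    "2005-04-20T10:04:00 ACCEPT src=10.1.2.3 dst=192.0.2.40 proto=tcp dport=80",
    "2005-04-20T10:04:01 ACCEPT src=10.1.2.3 dst=192.0.2.41 proto=tcp dport=80",
    "this line is garbage and is skipped",
]

if __name__ == "__main__":
    for hit in find_scanners(SAMPLE_LOG):
        print(hit)
```

Counting distinct destinations rather than raw connection attempts keeps a busy legitimate client (the repeated 25/tcp connections to one mail host) out of the report, and the 80/tcp sweep is ignored because that port is not tied to any advisory here. Lower min_targets to catch slower, more careful sweeps at the cost of more noise from inventory and monitoring hosts.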

***************************************************************************************

Anti-virus, Database, Media Players and Browser Software

***************************************************************************************

Computer Associates and ZoneAlarm Vet Library Overflow
Patches:
Available.

Affected:
CA InoculateIT 6.0
CA eTrust Antivirus r6.0/r7.0/r7.1
CA eTrust Antivirus for the Gateway r7.0/r7.1
CA eTrust Secure Content Manager
CA eTrust Intrusion Detection
CA BrightStor ARCserve Backup (BAB) r11.1 Windows
CA eTrust EZ Armor 2.x/3.x
Any products running CA Vet Engine version prior to 11.9.1
Zone Labs ZoneAlarm Security Suite
Zone Labs ZoneAlarm Antivirus
Other vendors who use the Vet Library

Risk:
Compromise of any system running an anti-virus engine built on the Vet library. Because the engine scans whatever it is handed, a crafted file can reach it by e-mail, web download, file share or any other path the product inspects.

Exploits:
Complete technical details have been posted.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=21#widely1
http://www.rem0te.com/public/images/vet.pdf
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0574.html

CVE:
CAN-2005-1693

*****************************************************************************

Oracle Cumulative Update April 2005
Patches:
Available.

Affected:
Multiple Oracle products including Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-business Suite and Applications, Oracle Enterprise Manager, PeopleSoft EnterpriseONE Applications, PeopleSoft OneWorldXe/ERP8 Applications

Risk:
Compromise of the database, or of the systems running the affected Oracle products.

Exploits:
Proof of concept exploit code has been publicly posted.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely4
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
http://security-papers.globint.com.ar/oracle_security/sql_injection_in_oracle.php
http://www.red-database-security.com/wp/sql_injection_forms_us.pdf
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0017.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0016.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0015.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0014.html
http://www.argeniss.com/research.html
Problems reported with the April 2005 update:
http://archives.neohapsis.com/archives/bugtraq/2005-07/0093.html
http://archives.neohapsis.com/archives/bugtraq/2005-07/0172.html
http://archives.neohapsis.com/archives/bugtraq/2005-07/0179.html
http://archives.neohapsis.com/archives/bugtraq/2005-07/0400.html

*************************************************************************

RealNetworks RealPlayer Multiple Vulnerabilities
Patches:
Available.

Affected:
On Windows:
 RealPlayer 10.5 (6.0.12.1040-1069)
 RealPlayer 8/10
 RealOne Player v2/v1
 RealPlayer Enterprise
 Rhapsody 3 (build 0.815-0.1006)
On Mac OS:
 Mac RealPlayer 10 (10.0.0.305-331)
 Mac RealOne Player
On Linux:
 Linux RealPlayer 10 (10.0.0-4)
 Helix Player (10.0.0-4)

Risk:
Remote compromise of systems with RealNetworks media players.

Exploits:
The technical details about how to trigger the flaws have been posted.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#widely2
http://www.sans.org/newsletters/risk/display.php?v=4&i=25#widely2
http://service.real.com/help/faq/security/050419_player/EN/
http://service.real.com/help/faq/security/050623_player/EN/

CVE:
CAN-2005-0755
CAN-2005-1277

***************************************************************************

Apple iTunes MPEG4 File Processing Overflow
Patches:
Available.

Affected:
iTunes versions prior to 4.8

Risk:
Remote compromise of systems with iTunes installed.

Exploits:
The researchers have said they will release the technical details in about two months.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=19#widely3
http://docs.info.apple.com/article.html?artnum=301596

CVE:
CAN-2005-1248

****************************************************************************

Mozilla and Firefox Browsers Multiple Vulnerabilities
Patches:
Available.

Affected:
Firefox prior to version 1.0.5
Mozilla prior to version 1.7.9
Thunderbird prior to version 1.0.2

Risk:
A malicious web page can run arbitrary code on the client system; in practice this is used to install malware.

Exploits:
Multiple exploits have been publicly posted.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=19#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=28#widely8
http://www.frsirt.com/exploits/20050712.mfsa2005-49exploit.php
http://www.frsirt.com/exploits/20050712.mfsa2005-47exploit.php
http://www.frsirt.com/exploits/20050712.mfsa2005-55exploit.php
http://greyhatsecurity.org/vulntests/ffrc.htm

CVE:
CAN-2005-1476
CAN-2005-1477

***********************************************************

Mac OS

***********************************************************

Apple Cumulative Security Update 2005-005 and 2005-006
Patches:
Available.

Affected:
Mac OS X version 10.4.1 and prior
Mac OS X Server version 10.4.1 and prior

Risk:
Compromise of systems running Mac OS X.

Exploits:
Exploit code has been publicly posted for some of the flaws.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=18#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=23#widely3
http://docs.info.apple.com/article.html?artnum=301528
http://docs.info.apple.com/article.html?artnum=301742

*****************************************************************************
