Critical vulnerability in Lotus Domino Web Access (iNotes)

2008-01-04

Risk level: high

Type: Buffer overflow

Source of info: CERT

Impact

A buffer overflow in the ActiveX control used by Lotus Domino Web Access (iNotes) allows an 
attacker who can trigger it to execute arbitrary code with the privileges of the user running 
the browser.

Overview

As stated in IBM's advisory (http://www-1.ibm.com/support/docview.wss?uid=swg21279071), 
all of the following conditions must hold for an attacker to successfully exploit this 
vulnerability:

(1) The Lotus Domino Web Access feature needs to be enabled to allow users to access their mail via 
a browser.

(2) User has used the Domino Web Access client at least once, which installs the ActiveX control.

(3) Attacker must create malicious code that would exploit the ActiveX control and create the buffer 
overflow. This code can be part of an email, attachment, or web page.

(4) User must be persuaded to view a message, attachment or web site that contains the malicious code via a Microsoft® Internet Explorer (IE) web browser.

Patches

For workarounds and possible solutions please refer to: http://www-1.ibm.com/support/docview.wss?uid=swg21279071



Multiple vulnerabilities in VLC media player

2007-12-28

Risk level: high

Type: Remote code execution

Source of info: Secunia

Impact

Multiple vulnerabilities have been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

Overview

The following two errors have been discovered in VLC by Michal Luczaj and Luigi Auriemma:
1) Boundary errors in the "ParseMicroDvd()", "ParseSSA()", and "ParseVplayer()" functions when handling subtitles can be exploited to cause stack-based buffer overflows.

2) A format string error in the web interface listening on port 8080/tcp (disabled by default) can be exploited via a specially crafted HTTP request with a "Connection" header value containing format specifiers.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.
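As an added illustration (not code from the VLC project or from the original advisory), the following Python snippet shows how a practitioner might flag requests of the kind described in item 2 when reviewing traffic or logs from a host running the VLC web interface. It treats any printf-style conversion in the Connection header as suspicious, since legitimate values of that header are plain tokens such as keep-alive or close; the sample requests are constructed for the example and are not real captures.

```python
from __future__ import annotations
import re

# Added example (not VLC project code): a traffic/log-inspection heuristic for the
# format-string issue in VLC's HTTP interface (8080/tcp, disabled by default).
# The interface passed the Connection header value into a printf-style call, so any
# printf conversion in that header is suspicious. Legitimate Connection values are
# plain tokens (keep-alive, close, Upgrade, ...) and never contain '%'.

# printf conversion: % [positional$] [flags] [width] [.precision] [length] conversion
_FMT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]"
)


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x request into (request line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def suspicious_connection_header(raw: bytes) -> list[str]:
    """Return the printf conversions found in the Connection header ([] if clean)."""
    _, headers = parse_request(raw)
    return _FMT_SPEC.findall(headers.get("connection", ""))


def scan(requests) -> list[int]:
    """Indices of requests whose Connection header carries format conversions."""
    return [i for i, r in enumerate(requests) if suspicious_connection_header(r)]


# Constructed sample traffic (not real captures).
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: vlc.example:8080\r\n"
          b"Connection: keep-alive\r\n\r\n")
PROBE = (b"GET / HTTP/1.1\r\nHost: vlc.example:8080\r\n"
         b"Connection: %x%x%x%x%n\r\n\r\n")
# Percent-encoding in the URL is normal and must not trigger on its own.
ENCODED_URL = (b"GET /search?q=100%25 HTTP/1.1\r\nHost: vlc.example:8080\r\n"
               b"Connection: close\r\n\r\n")

if __name__ == "__main__":
    for i, r in enumerate((BENIGN, PROBE, ENCODED_URL)):
        line, _ = parse_request(r)
        hits = suspicious_connection_header(r)
        print(f"{i}: {line!r} -> {'ALERT ' + str(hits) if hits else 'ok'}")
```

Running the block prints one line per sample request; only the probe carrying %x...%n is reported. The %25 in the third request is deliberately left alone: percent-encoding belongs in the request line, and the check inspects only the Connection header value, which is the field the advisory names.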

Patches

Check the VLC SVN repository.



Multiple Vulnerabilities in Thunderbird

2007-12-20

Risk level: high

Type: System access

Source of info: Secunia

Impact

Vulnerabilities discovered in Thunderbird can potentially be exploited by malicious people to
compromise a user's system.

Overview

Two vulnerabilities have been reported in Thunderbird, which potentially can be exploited by malicious people to compromise a user's system.

1) An error related to URI handlers could potentially allow execution of arbitrary code.

2) Various errors in the browser engine and the JavaScript engine can potentially be exploited by malicious people to compromise a user's system.

For more information see:
http://www.mozilla.org/security/announce/2007/mfsa2007-29.html

Patches

For complete protection please upgrade to the latest version of Thunderbird 2 and do not enable JavaScript in mail.



Apple Mac OS X Security Update Fixes Multiple Vulnerabilities

2007-12-18

Risk level: critical

Type: System access

Source of info: Secunia

Impact

Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
If you are a Mac OS X user, please update your system as soon as possible.

Overview

For detailed information on all vulnerabilities patched in Mac OS X refer to http://docs.info.apple.com/article.html?artnum=307179
and
http://docs.info.apple.com/article.html?artnum=307224

Patches

http://www.apple.com/support/downloads/



Internet Explorer Multiple Code Execution Vulnerabilities

2007-12-11

Risk level: critical

Type: Remote code execution

Source of info: CERT

Impact

Microsoft has published a cumulative security update for Internet Explorer. The update resolves four 
privately reported vulnerabilities. 

Overview

According to Microsoft, this critical security update resolves four privately reported vulnerabilities. 
The most serious security impact could allow remote code execution if a user viewed a specially crafted 
Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on 
the system could be less impacted than users who operate with administrative user rights.

For more details see:
http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx

Patches

Use Windows updates, or see:
http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx



Vulnerabilities in Symantec Mail Security for Exchange

2007-10-29

Risk level: high

Type: DoS

Source of info: Secunia

Impact

Multiple vulnerabilities in Symantec Mail Security for Exchange can be exploited to cause a DoS (Denial 
of Service) and compromise a vulnerable system.

Overview

See Secunia Advisory for more details:
http://secunia.com/advisories/27304/

Patches

Use vendor instructions to get patches.



Vulnerabilities in Novell - OpenSuSE

2007-10-12

Risk level: high

Type: many types

Source of info: SuSE Security Team

Impact

Seven vulnerabilities have been patched in Novell openSUSE Linux. To avoid remote system compromise, please update your system.

Overview

The following security vulnerabilities have been fixed:
- Tk GIF image loader overflow
- OpenSSL off-by-one overflow
- hugin temporary file name handling
- Xen pygrub virtual guest escape problem (openSUSE not affected)
- lighttpd buffer overflow
- novell-groupwise-gwclient SSL problems
- sylpheed-claws format string problem

For details and upgrades see SUSE Security Summary Report:
http://www.novell.com/linux/security/advisories/2007_20_sr.html

Patches

Use Novell's FTP server and/or the YaST Online Update.



Microsoft Updates for Multiple Vulnerabilities - Security Bulletin for August 2007

2007-08-14

Risk level: high

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released updates that address several critical vulnerabilities in Microsoft 
Windows, Internet Explorer, Windows Media Player, 
Office, Office for Mac, XML Core Services, Visual Basic, Virtual PC, and Virtual Server. 

Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute 
arbitrary code or cause a denial of service on a vulnerable system.

Overview

For more information please refer to Microsoft Security Summary Bulletin: 
http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx

Patches

Please use the Microsoft Update (https://update.microsoft.com/microsoftupdate/v6/default.aspx) and Microsoft Office Update (http://officeupdate.microsoft.com/) sites. 
Mac users please use Mactopia web site:
http://www.microsoft.com/mac/




Symantec ActiveX Control Input Validation Error

2007-08-09

Risk level: high

Type: Remote code execution

Source of info: Symantec

Impact

An input validation error has been discovered in two ActiveX controls used by Norton AntiVirus, Norton 
Internet Security, and Norton SystemWorks. 

The error can be exploited by malicious people to compromise a user's system.

Overview

For more details please refer to:
http://www.symantec.com/avcenter/security/Content/2007.08.09.html

Patches

Please use LiveUpdate



Vulnerability in LinkedIn Internet Explorer Toolbar

2007-07-24

Risk level: highly critical

Type: System access

Source of info: Secunia

Impact

Jared DeMott and Justin Seitz from VDA Labs discovered a vulnerability in the LinkedIn Internet 
Explorer Toolbar that can be exploited to compromise a user's system.

Overview

For more details please refer to:
http://www.vdalabs.com/tools/linkedin.html
http://secunia.com/advisories/26181/

Patches

Please update toolbar to the latest version:
http://www.linkedin.com/static?key=browser_toolbar_download



Oracle published official patch for multiple vulnerabilities

2007-07-20

Risk level: critical

Type: many types

Source of info: ORACLE

Impact

Oracle published a Critical Patch Update that is a collection of patches for 45 security 
vulnerabilities and multiple non-security related bugs. Due to the threat posed by a successful 
attack, it is highly recommended to apply these fixes as soon as possible.

Overview

For more details please refer to Oracle's web site:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html

Patches

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html



Multiple Vulnerabilities in Mozilla Firefox

2007-07-19

Risk level: critical

Type: many types

Source of info: Secunia

Impact

Multiple vulnerabilities have been reported in Mozilla Firefox, which can be exploited to conduct 
spoofing and cross-site scripting attacks and potentially to compromise a user's system.

Overview

According to Secunia, the following errors have been discovered:
a) Errors in the browser engine can be exploited to cause memory corruption and potentially to 
execute arbitrary code.

b) Errors in the JavaScript engine can be exploited to cause memory corruption and 
potentially to execute arbitrary code.

c) The "addEventListener" and "setTimeout" methods contain errors that can be exploited to inject 
script into another site's context, bypassing the browser's same-origin policy.

d) Errors in cross-domain handling can be exploited to inject arbitrary HTML and script code 
into a sub-frame of another web site.

e) An unspecified error in the handling of elements outside of documents allows an attacker 
to call an event handler and execute arbitrary code with chrome privileges.

f) An unspecified error in the handling of "XPCNativeWrapper" can lead to execution of 
user-supplied code.

Patches

For updates see: 
http://www.mozilla.com/firefox/



Adobe Flash Player Multiple Vulnerabilities

2007-07-16

Risk level: high

Type: remote system compromise

Source of info: CERT

Impact

Vulnerabilities in Adobe Flash Player can be exploited to gather sensitive information or compromise a user's system.

Overview

For more information and list of vulnerable systems please refer to:
http://secunia.com/advisories/26027/
and 
http://www.adobe.com/support/security/bulletins/apsb07-12.html

Patches

Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
http://www.adobe.com/go/getflash

Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
http://www.adobe.com/licensing/distribution

Flash CS3 Professional (update to version 9.0.47.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flash Professional 8, Flash Basic (update to version 8.0.35.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flex 2.0 (update to version 9.0.47.0):
http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9



Microsoft published Security Bulletin Summary for July 2007

2007-07-10

Risk level: highly critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Microsoft has released six security bulletins (three critical, two important and one moderate) for 
vulnerabilities discovered and patched since the publication of the previous bulletin in June.

Overview

Most of the reported errors allow remote code execution and affect Microsoft Excel, 
Microsoft Windows Active Directory, Microsoft .NET Framework, Microsoft Internet Information Services 
(IIS) and the Windows Vista Firewall.

For more details please refer to:
http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx

Patches

http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx



SAP Message Server Buffer Overflow Vulnerability

2007-07-09

Risk level: high

Type: Buffer overflow

Source of info: NGSSoftware Insight Security

Impact

A vulnerability in SAP Message Server can be exploited to compromise a vulnerable system.
The vulnerability has been reported by Mark Litchfield from NGSSoftware Insight Security Research.

Overview

The vulnerability is caused by a boundary error when processing HTTP requests and can be exploited to cause a heap-based buffer overflow via, e.g., a 
specially crafted GET request.

Successful exploitation allows execution of arbitrary code.

For additional information see: 
http://secunia.com/advisories/25966
http://www.us-cert.gov/cas/bulletins/SB07-197.html
http://www.ngssoftware.com/advisories/critical-risk-vulnerability-in-sap-message-server-heap-overflow/

Patches

Contact vendor and update to the latest version.



Yahoo! Messenger Two ActiveX Controls Buffer Overflows

2007-06-11

Risk level: highly critical

Type: Buffer overflow

Source of info: Secunia

Impact

Two vulnerabilities in Yahoo! Messenger have been reported. They can be exploited by malicious people 
to compromise a user's system.

Overview

Successful exploitation of the vulnerabilities allows execution of arbitrary code. The vulnerabilities are 
confirmed in version 8.1.0.249. Other versions may also be affected.

For more details see Secunia Advisory:
http://secunia.com/advisories/25547/

Patches

http://messenger.yahoo.com



Microsoft Security Bulletin Summary for May 2007

2007-05-10

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

According to the Microsoft Security Bulletin Summary, there are seven critical updates available for Microsoft products. All of them address vulnerabilities that could allow remote code execution. It is highly recommended to update vulnerable systems.

Overview

For more details and updates see:
http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx

Patches

See:
http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx



Critical patches for Oracle Products

2007-04-19

Risk level: high

Type: Buffer overflow

Source of info: ORACLE

Impact

Oracle published a Critical Patch Update consisting of a collection of patches for multiple security 
vulnerabilities.

Overview

According to Secunia's advisory, some of these vulnerabilities have unknown impacts, while others 
can be exploited to bypass certain security restrictions, cause a DoS (Denial of Service), 
conduct cross-site scripting and SQL injection attacks, or potentially compromise a vulnerable 
system.

More detailed information about this update can be found on the Oracle website under the following link:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

Patches

For patches see:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html



Microsoft Windows DNS Service Buffer Overflow Vulnerability

2007-04-16

Risk level: highly critical

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

A vulnerability in the RPC interface of the Windows DNS Server service could allow an attacker to run code 
in the security context of the DNS Server service, which by default runs as Local System. 

Overview

According to Microsoft's website, Microsoft is investigating new public reports of attacks exploiting 
a vulnerability in the Domain Name System (DNS) Server service in Microsoft Windows 2000 Server Service Pack 
4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. 
Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not 
affected, as these versions do not contain the vulnerable code. 
At this time, the attacks do not appear widespread.

For more details see:
http://www.microsoft.com/technet/security/advisory/935964.mspx

Patches

Not available at the time of writing; see the advisory above for workarounds.



Vulnerability in Windows Animated Cursor Handling

2007-03-29

Risk level: high

Type: System access

Source of info: Microsoft Security Team

Impact

Vulnerabilities in the way Microsoft Windows handles animated cursor (.ani) files can be exploited by 
malicious people to compromise a user's system. 

Overview

According to Microsoft Advisory (935423), in order for this attack to be carried out, a user must either
 visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially 
crafted e-mail message or email attachment sent to them by an attacker. Exploitation of this 
vulnerability can allow arbitrary code execution.

Patches

Check Windows Update; the patch should be available soon.



Vulnerabilities in StarOffice

2007-03-28

Risk level: high

Type: System access

Source of info: Secunia

Impact

Vulnerabilities in StarOffice can be used by malicious people to compromise a user's system.

Overview

Two vulnerabilities have been found in StarOffice 6.x / StarSuite 7.x / StarSuite 8.x. According to Sun 
Microsystems, the first results from the way StarOffice processes StarCalc 1.0 documents (.sdc) 
and may allow a remote unprivileged user (who provides a StarCalc document that is opened by a 
local user) to execute arbitrary commands on the system with the privileges of the user running 
StarOffice/StarSuite. The second is caused by the way in which StarOffice/StarSuite 6, 7 and 8 process 
hyperlinks (URLs) in documents and likewise may allow a remote unprivileged user who provides 
a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands 
on the system with the privileges of the user running StarOffice/StarSuite.


Patches

none



Apple Updates for Multiple Vulnerabilities

2007-03-14

Risk level: high

Type: Remote code execution

Source of info: CERT

Impact

Apple Mac OS X is affected by multiple vulnerabilities. 

Overview

Apple has released Security Update 2007-003 to address multiple vulnerabilities, one of which may allow 
a remote attacker to place and run malicious programs on your computer.

Patches

Install Apple Security Update 2007-003 through Software Update 
(see: http://docs.info.apple.com/article.html?artnum=106704)



Mozilla Firefox Multiple Vulnerabilities

2007-03-06

Risk level: high

Type: many types

Source of info: Secunia

Impact

Vulnerabilities in Mozilla Firefox can be exploited 
by malicious people to bypass certain security 
restrictions, conduct cross-site scripting and 
spoofing attacks, gain knowledge of sensitive 
information, and potentially compromise a user's 
system.

Overview

According to Secunia (http://secunia.com/advisories/24205/) 
the following vulnerabilities have been reported:
1) An error in the handling of the 
"location.hostname" DOM property can be exploited 
to bypass certain security restrictions.

2) An integer underflow error in the Network 
Security Services (NSS) code when processing SSLv2 
server messages can be exploited to cause a 
heap-based buffer overflow via a certificate with 
a public key too small to encrypt the "Master 
Secret".

Successful exploitation may allow execution of arbitrary code.

NOTE: Support for SSLv2 is disabled in Firefox 
2.x. This version is only vulnerable if user has 
modified hidden internal NSS settings to re-enable 
SSLv2 support.

3) It is possible to conduct cross-site scripting 
attacks against sites containing a frame with a 
"data:" URI as source.

Successful exploitation requires that a user is 
tricked into visiting a malicious website and 
opening a blocked popup.

4) It is possible to open windows containing local 
files thereby stealing the contents when the full 
path of a locally saved file containing malicious 
script code is known. This can be exploited in 
combination with a flaw in the seeding of the 
pseudo-random number generator causing downloaded 
files to be saved to temporary files with a 
somewhat predictable name.

Successful exploitation requires that a user is 
tricked into visiting a malicious website and 
opening a blocked popup.

5) Browser UI elements like the host name and 
security indicators can be spoofed using a 
specially crafted custom cursor and manipulating 
the CSS3 hotspot property.

6) It may be possible to gain knowledge of 
sensitive information from a website due to an 
error resulting in two web pages colliding in the 
disk cache thereby potentially appending part of 
one document to the other.

Successful exploitation requires that a user is 
tricked into visiting a malicious website while 
visiting the target website.

7) Various errors in the Mozilla parser when 
handling invalid trailing characters in HTML tag 
attribute names and during processing of UTF-7 
content when child frames inherit the character 
set of its parent window can be exploited to 
conduct cross-site scripting attacks.

8) A vulnerability in the Password Manager may be 
exploited to conduct phishing attacks.

For more information:
SA23046

9) Multiple memory corruption errors exist in the 
layout engine, JavaScript engine, and in SVG. Some 
of these may be exploited to execute arbitrary 
code on a user's system.

10) An error within the handling of the onUnload 
event handler and self-modifying document.write()
calls can be exploited to corrupt memory and
potentially execute arbitrary code.

11) The fix for MFSA 2006-72 introduced a 
regression, which can be exploited to execute 
arbitrary code by setting the "src" attribute of 
an "IMG" tag to a specially crafted 
javascript: URI.

Patches

Update to the newest version of Firefox:
http://www.mozilla.com/en-US/



Vulnerability in Microsoft Office Could Allow Remote Code Execution

2007-02-05

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Microsoft is investigating new public reports of Microsoft Excel 'zero-day' attacks using a vulnerability in Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac

In order for this attack to be carried out, a user must first open a malicious Office file attached to an e-mail or otherwise provided to them by an attacker.

Overview

According to Microsoft, the vulnerability cannot be exploited on Office 2007 or on Works 2004, 2005, or 2006.

An attacker who successfully exploited this vulnerability could gain the same user rights as 
the local user, so users whose accounts are 
configured to have fewer user rights on the system 
could be less affected than users who operate with 
administrative user rights.

In a Web-based attack scenario, an attacker would 
have to host a Web site that contains an Office 
file that is used to attempt to exploit this 
vulnerability. In addition, compromised Web sites 
and Web sites that accept or host user-provided 
content could contain specially crafted content 
that could exploit this vulnerability. An attacker 
would have no way to force users to visit a 
malicious Web site. Instead, an attacker would 
have to persuade them to visit the Web site, 
typically by getting them to click a link that 
takes them to the attacker's site.

The vulnerability cannot be exploited 
automatically through e-mail. For an attack to be 
successful a user must open an attachment that is 
sent in an e-mail message.

Users who have installed and are using the Office 
Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before 
opening a document.

For more details please see:
http://www.microsoft.com/technet/security/advisory/932553.mspx

Patches

Patches are currently not available, so do not open or save Office files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.



ORACLE Releases Patches for several vulnerabilities

2007-01-17

Risk level: critical

Type: many types

Source of info: ORACLE

Impact

Oracle has released critical patches for 
vulnerabilities in several Oracle products. The 
impacts of these vulnerabilities include remote 
execution of arbitrary code, information disclosure, 
and denial of service.

Overview

According to Oracle, the Critical Patch Update (CPU) for January 2007 contains:
    * 17 new security fixes for the Oracle Database, one of which is for Oracle Database client-only installations
    * 9 new security fixes for the Oracle HTTP Server
    * 12 new security fixes for the Oracle Application Server
    * 7 new security fixes for the Oracle E-Business Suite
    * 6 new security fixes for the Oracle Enterprise Manager
    * 3 new security fixes for the Oracle PeopleSoft Enterprise PeopleTools

Many Oracle products include or share code with 
other vulnerable Oracle products and components. 
Therefore, one vulnerability may affect multiple 
Oracle products and components. For example, the 
January 2007 CPU does not contain any fixes 
specifically for Oracle Collaboration Suite. 
However, Oracle Collaboration Suite is affected by 
vulnerabilities in Oracle Database and Oracle 
Application Server, so sites running Oracle 
Collaboration suite should install fixes for 
Oracle Database and Oracle Application Server. 
Refer to the January 2007 CPU for details 
regarding which vulnerabilities affect specific 
Oracle products and components. 

Patches

Apply the appropriate patches or upgrade as specified 
in the Critical Patch Update - January 2007:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html



Critical update for Adobe Reader

2007-01-10

Risk level: critical

Type: remote system compromise

Source of info: Adobe Inc.

Impact

According to Adobe Bulletin APSB07-01 there are several vulnerabilities, including issues that have already been disclosed. It is recommended that users update to the most current version of Adobe Reader or Acrobat available.

Overview

According to Adobe Inc. an update is available for a cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session. This vulnerability, previously reported in APSA07-01 on January 4, 2007, has been assigned an important severity rating. Additional vulnerabilities have been identified in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. These vulnerabilities have been assigned a critical severity rating. A malicious file must be loaded in Adobe Reader by the end user for an attacker to exploit these vulnerabilities. It is recommended that users update to the most current version of Adobe Reader or Acrobat available.

For more details see:
http://secunia.com/advisories/23666/

Patches

http://www.adobe.com/support/security/bulletins/apsb07-01.html



Exploit Code Available for Multiple Vulnerabilities in Sun Java Runtime Environment

2007-01-10

Risk level: high

Type: Elevation of privilege

Source of info: CERT

Impact

Security vulnerabilities in the Java Runtime Environment may allow untrusted applets to elevate privileges and execute arbitrary code.

Overview

According to the US-CERT there is publicly available exploit code for multiple vulnerabilities in Sun Java Runtime Environment (JRE). 

We encourage users to take the following actions to 
help mitigate the effects of these vulnerabilities:
  - upgrade to patched versions of the affected Sun
  products as specified in Sunsolve documents 102729 
  and 102731;
  - disable Java in the web browser (see US-CERT's 
  "Securing Your Web Browser" document) until the 
  updates can be applied.

Patches

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102731-1



Microsoft Security Bulletin Summary for January, 2007

2007-01-09

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released a bulletin summary covering updates for newly discovered vulnerabilities: three critical and one important.

Overview

The critical bulletins described in the summary are:
 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198), see MS07-002,
 - Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938), see MS07-003,
 - Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969), see MS07-004. This update resolves a vulnerability in Internet Explorer that could allow remote code execution.
The important bulletin is:
 - Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585), see MS07-001.
For details see:
http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx

Patches

See:
http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx



Cross-Site scripting vulnerabilities in SquirrelMail

2006-12-04

Risk level: moderate

Type: Cross-Site Scripting (XSS)

Source of info: Secunia

Impact

Some vulnerabilities have been reported in 
SquirrelMail, which can be exploited by malicious 
people to conduct cross-site scripting and script 
insertion attacks.

Overview

According to the Secunia advisory, SquirrelMail versions prior to 1.4.9a contain the following vulnerabilities:
1) Input passed to certain parameters in webmail.php 
and compose.php in the "draft", "compose", and 
"mailto" functionality is not properly sanitised 
before being returned to the user. This can be 
exploited to execute arbitrary HTML and script code 
in a user's browser session in context of an affected site.

2) Input validation errors exist in the magicHTML 
filter when sanitising HTML mails. This can be 
exploited to insert arbitrary HTML and script 
code, which is executed in a user's browser 
session in context of an affected site when the 
malicious data is viewed.

Successful exploitation of some of these errors 
requires that the target user runs Microsoft 
Internet Explorer.
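An added illustration of the first issue, written in Python rather than SquirrelMail's PHP and not taken from the SquirrelMail code base: a reflected parameter (here a hypothetical send_to field, standing in for the draft/compose/mailto parameters named above) written into a form unescaped, beside the corrected versions that escape it for the HTML-attribute context and, when the same value is placed into a link, for the URL context as well. The query strings are constructed test inputs.

```python
import html
from urllib.parse import parse_qs, quote

# Added example, not SquirrelMail code. 'send_to' is a hypothetical parameter name
# standing in for the compose/draft/mailto parameters the advisory describes.


def _send_to(query: str) -> str:
    """Pull the (already percent-decoded) send_to value out of a query string."""
    return parse_qs(query, keep_blank_values=True).get("send_to", [""])[0]


def render_compose_vulnerable(query: str) -> str:
    """The flawed pattern: the reflected value is dropped into the form as-is."""
    return f'<input type="text" name="send_to" value="{_send_to(query)}">'


def render_compose_fixed(query: str) -> str:
    """Same form; the value is escaped for the HTML-attribute context.
    quote=True also turns ' and " into entities, so the payload cannot
    terminate the value="..." attribute."""
    safe = html.escape(_send_to(query), quote=True)
    return f'<input type="text" name="send_to" value="{safe}">'


def render_mailto_link_fixed(query: str) -> str:
    """When the same value is embedded in an href, escape for the URL context
    first (percent-encoding, nothing left in the safe set) and then for the
    HTML-attribute context that the URL sits in."""
    href = "compose.php?send_to=" + quote(_send_to(query), safe="")
    return f'<a href="{html.escape(href, quote=True)}">compose</a>'


def contains_script_tag(markup: str) -> bool:
    """Crude check used to compare the renderers: did a <script element survive?"""
    return "<script" in markup.lower()


# Constructed probe: closes the value attribute, then injects a script element.
PAYLOAD_QUERY = "send_to=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"
BENIGN_QUERY = "send_to=alice%40example.org"

if __name__ == "__main__":
    for label, fn in (("vulnerable", render_compose_vulnerable),
                      ("fixed     ", render_compose_fixed),
                      ("link fixed", render_mailto_link_fixed)):
        out = fn(PAYLOAD_QUERY)
        print(f"{label}: script injected={contains_script_tag(out)}  {out}")
```

The vulnerable renderer lets the payload close the value attribute and inject a script element; the fixed renderers turn the same bytes into inert text in their respective contexts. The second issue in the list (the magicHTML filter) is a different problem, parsing attacker-controlled HTML mail bodies, and attribute escaping alone does not address it: it calls for an allowlist-based HTML sanitizer.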

Patches

http://squirrelmail.org/security/issue/2006-12-02



Microsoft Security Bulletin Summary for August

2006-08-08

Risk level: critical

Type: Buffer overflow

Source of info: Microsoft Security Team

Impact

Multiple vulnerabilities have been discovered in Microsoft products. There are 9 critical and 3 important updates.

Overview

The following issues have been addressed:
- Vulnerability in Server Service Could Allow Remote Code Execution (921883)
- Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
- Remote code execution issue in Internet Explorer (918899)
- Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
- Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
- Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
- Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
- Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)
- Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
- Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
- Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

For a detailed overview see:
http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx

Patches

http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx



Critical Vulnerabilities in Oracle

2006-07-19

Risk level: high

Type: many types

Source of info: CERT

Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information.

Overview

For list of affected product and detailed overview please visit:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html

Patches

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html



Vulnerabilities in Microsoft Windows, Internet Explorer, Media Player, Word, PowerPoint, and Exchange

2006-06-13

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released updates for multiple vulnerabilities in Microsoft products. Eight of them are critical.

Overview

For detailed overview and patches see:
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx

Patches

Please use Windows Update.
For details about the patches see:
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx



Microsoft Windows and Exchange Server Vulnerabilities

2006-05-09

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Three vulnerabilities have been discovered in Microsoft products. Two of them are critical and allow remote code execution. One is moderate.

Overview

The products that are affected:
-Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
-Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)
-Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)

For details see:
http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx

Patches

Please use automatic updates.
For details on the patches see:
http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx



Mozilla Products Contain Multiple Vulnerabilities

2006-04-17

Risk level: medium

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

The Mozilla web browser and products based on Mozilla components contain several vulnerabilities. One of them could allow a remote attacker to execute arbitrary code on a system running an affected component.

Overview

The list of affected products and a detailed report on the vulnerabilities can be found at:
http://www.us-cert.gov/cas/techalerts/TA06-107A.html

Patches

For upgrades please check:
http://www.mozilla.org



Microsoft Windows and Internet Explorer Vulnerabilities

2006-04-11

Risk level: high

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Overview

For detailed overview see:
http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx

Patches

See:
http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx



Sendmail Race Condition Vulnerability

2006-03-23

Risk level: high

Type: Remote code execution

Source of info: CERT

Impact

A remote, unauthenticated attacker could execute arbitrary code with the privileges of the Sendmail process. If Sendmail is running as root, the attacker could take complete control of an affected system.

Overview

Sendmail contains a race condition caused by the improper handling of asynchronous signals. In particular, by forcing the SMTP server to have an I/O timeout at exactly the correct instant, the attacker may be able to execute arbitrary code with the privileges of the Sendmail process.

More information is available in the Sendmail version 8.13.6 release page and the Sendmail MTA Security Vulnerability Advisory.

Patches

For details see:
http://www.sendmail.com/company/advisory/



Cumulative Security Update for Internet Explorer

2005-12-13

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Four critical vulnerabilities have been found in Microsoft Internet Explorer, which can be used to compromise a user's system.

Overview

Details of the vulnerabilities:
1) A remote code execution vulnerability exists in the way Internet Explorer displays file download dialog boxes and accepts user input during interaction with a Web page. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited the malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.

2) An information disclosure vulnerability exists in the way Internet Explorer behaves in certain situations where an HTTPS proxy server requires clients to use Basic authentication. This vulnerability could allow an attacker to read Web addresses in clear text sent from Internet Explorer to a proxy server despite the connection being an HTTPS connection.

3) A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited the malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

4) A remote code execution vulnerability exists in the way Internet Explorer handles mismatched Document Object Model objects. An attacker could exploit the vulnerability by constructing a malicious Web page.

For more details visit:
http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx

Patches

For details see:
http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx



Multiple Vulnerabilities in Oracle Products

2005-11-19

Risk level: critical

Type: Remote code execution

Source of info: CERT

Impact

Oracle released a Critical Patch Update in October 2005. It addresses more than eighty vulnerabilities in different Oracle products and components. The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include remote execution of arbitrary code or commands, information disclosure, and denial of service. An attacker who compromises an Oracle database may be able to gain access to sensitive information.

Overview

The Critical Patch Update provides information about affected components, access and authorization required, and the impact of the vulnerabilities on data confidentiality, integrity, and availability. For more information on terms used in the Critical Patch Update, MetaLink customers should refer to MetaLink Note 293956.1.

According to the Critical Patch Update: "The new database vulnerabilities addressed by this Critical Patch Update do not affect Oracle database Client-only installations (installations that do not have the Oracle Database Server installed). Therefore, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations."

US-CERT recommends that sites running Oracle review the Critical Patch Update, apply patches, and take other mitigating action as appropriate. US-CERT is tracking all of these issues under VU#210524. As further information becomes available, we will publish individual Vulnerability Notes.

Note that according to public reports, the patches included in this update, as well as previous updates, may not adequately correct all security issues.

For details see:
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html

Patches

http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html



Thunderbird Command Line URL Shell Command Injection

2005-10-03

Risk level: critical

Type: remote system compromise

Source of info: Peter Zelezny

Impact

A remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the user of the application which invoked the vulnerable shell script.

Overview

The vulnerability is caused by the shell script used to launch Thunderbird parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link with the "mailto:" URI handler in an external application which uses Thunderbird as the default mail reader (e.g. Firefox on Fedora Core 4).

For additional information see:
https://bugzilla.mozilla.org/show_bug.cgi?id=307185
http://secunia.com/advisories/16869/
http://secunia.com/advisories/16846/
http://secunia.com/advisories/16901/

Patches

http://www.mozilla.org/products/thunderbird/



Microsoft Security Bulletin Summary for August 2005

2005-08-10

Risk level: critical

Type: many types

Source of info: Microsoft Security Team

Impact

Microsoft has released the Security Bulletin Summary for August 2005. Six vulnerabilities are mentioned in the summary. Three of them are critical and allow remote code execution, one is important and the other two are moderate.

Overview

For more details see:
http://go.microsoft.com/fwlink/?LinkId=51160

Patches

See: http://go.microsoft.com/fwlink/?LinkId=51160



Microsoft Windows, Internet Explorer, Word and Remote Desktop Vulnerabilities

2005-07-19

Risk level: critical

Type: remote system compromise

Source of info: Microsoft Security Team

Impact

A few days ago, Microsoft released updates that address critical vulnerabilities in Windows, Office and Internet Explorer. Exploitation of the first three vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.

Recently Microsoft also published information about an unpatched vulnerability in Remote Desktop Protocol (RDP) that could lead to a Denial of Service.

Overview

More information about critical updates can be found in Microsoft Security Bulletin Summary for July, 2005: http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx

Information regarding the DoS attack on Remote Desktop Protocol can be found in Microsoft Security Advisory (904797):
http://www.microsoft.com/technet/security/advisory/904797.mspx

Patches

To patch the first three vulnerabilities see:
http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx
For the last one see the workaround in:
http://www.microsoft.com/technet/security/advisory/904797.mspx
and use Windows Update.



Critical bug in Windows - a COM Object (Javaprxy.dll) contains an unspecified vulnerability

2005-07-04

Risk level: critical

Type: Remote code execution

Source of info: sec-consult

Impact

The JVIEW Profiler COM object contains an unspecified vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

Overview

More information can be found at:

http://www.sec-consult.com/184.html
http://www.kb.cert.org/vuls/id/939605
http://www.microsoft.com/technet/security/advisory/903144.mspx
http://secunia.com/advisories/15891/
http://www.securitytracker.com/alerts/2005/Jun/1014329.html
http://www.osvdb.org/displayvuln.php?osvdb_id=17680

Patches

unpatched



Vulnerability in Windows' Server Message Block

2005-06-17

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

A remote code execution vulnerability exists in Server Message Block (SMB) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Overview

Because of the nature of this issue, attempts to exploit this vulnerability would most likely result in a denial of service.

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. By default, the Windows Firewall that is provided as part of Windows XP Service Pack 2 and Windows Server 2003 blocks the affected ports from responding to network-based attempts to exploit this vulnerability. 

For more details see:
http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx

Patches

http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx



Cumulative Security Update for Internet Explorer

2005-06-17

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

Two critical vulnerabilities have been found in Internet Explorer 5.01, 5.5 and 6. One of them allows remote code execution and the second one can lead to information disclosure.

Overview

According to Microsoft Security Bulletin MS05-025:
1) A remote code execution vulnerability exists in Internet Explorer because of the way that it handles PNG images. An attacker could exploit the vulnerability by constructing a malicious PNG image that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

2) An information disclosure vulnerability exists in Internet Explorer because of the way that it handles certain requests to display XML content. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially lead to information disclosure if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could read XML data from another Internet Explorer domain. However, user interaction is required to exploit this vulnerability.

For details see:
http://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx

Patches

http://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx



Remote Buffer overflow in WebSphere Application Server Console

2005-06-08

Risk level: high

Type: Buffer overflow

Source of info: Application Security, Inc.

Impact

Remote execution of arbitrary code by an unauthorized user is possible. The code would be executed in the context of the server process.

Overview

There is a Unicode buffer overflow in the WebSphere Application Server Administrative Console. The security vulnerability exists in the authentication mechanism. The default TCP ports where this vulnerability can be exploited include 9080 (HTTP), 9090 (HTTP) and 9043 (HTTPS). The authentication process takes place only when the 'global security option' is enabled in the server. The vulnerability cannot be exploited if the security option is disabled.

For details see the Application Security, Inc. advisory:
http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html

Patches

http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24009775



Critical vulnerabilities in HP-UX

2005-05-27

Risk level: high

Type: many types

Source of info: HP Software Security Response Team

Impact

The Hewlett-Packard Software Security Response Team has reported three critical vulnerabilities. Two of them could be remotely exploited by an unauthorized user to cause a Denial of Service (DoS) and one could be exploited to gain remote unauthorized access.

Overview

More detailed information about the issues can be found in HP Security Bulletins HPSBUX01165, HPSBUX01164 and HPSBUX01137. See:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01165
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01164
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01137

Patches

http://itrc.hp.com



Linux kernel pktcdvd ioctl break user space limit

2005-05-19

Risk level: medium

Type: Elevation of privilege

Source of info: Xfocus

Impact

A locally exploitable flaw in the Linux pktcdvd block device ioctl handler allows local users to gain root privileges and execute arbitrary code at kernel privilege level.

Overview

The Linux kernel contains the pktcdvd block device component. Due to a missing check on a pktcdvd ioctl handler parameter, a process can break the user space limit and execute arbitrary code at kernel privilege level.

See also:
http://secunia.com/advisories/15392/
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10

Patches

http://www.kernel.org/



Vulnerability Issues with IPsec Configurations

2005-05-10

Risk level: medium

Type: Information leakage

Source of info: NISCC UK

Impact

An unauthenticated remote attacker that is able to intercept and modify IPsec (and ICMP, for some scenarios) communications between security gateways may be able to recover plaintext of the IPsec communications between them.

Overview

Within the IPsec suite, the Encapsulating Security Payload (ESP) protocol provides confidentiality for packets by applying encryption algorithms to the packets, along with several other services. The Authentication Header (AH) protocol can be used to complement the ESP functionality with integrity protection. Both the ESP and AH protocols can be used in either "Transport" or "Tunneling" mode. When Cipher Block Chaining (CBC) encryption, which has a well-known set of flaws allowing bit-flipping attacks, is used by ESP in tunneling mode to provide confidentiality guarantees without proper integrity protection for inner (tunneled) packets, attackers may be able to perform the following attacks:

Destination Address Rewriting: The destination IP address of the inner, encrypted packet is modified in a bit-flipping attack. Intermediate gateways may then route the inner packet to the modified destination address once the inner packet is recovered.

IP Options modification: The header length and source address of the inner packet are modified by performing a bit-flipping attack on the outer payload. Once the modified inner packet is recovered, the structure of the packet may be affected in such a manner that an Internet Control Message Protocol (ICMP) Parameter Problem message is generated and sent to the source address of the inner packet along with the plaintext payload. This may be intercepted, leading to a recovery of the original inner packet plaintext payload.

Protocol Field modification: In a similar manner to the IP Options modification attack, the protocol field and source address of the inner packet are modified in a bit-flipping attack against the outer packet payload. An invalid or unusable value in the protocol field may then cause a system which is processing a recovered inner packet to generate an ICMP Protocol Unreachable message. This ICMP message is then sent back to the (modified) source address with the plaintext payload of the inner packet, which may be intercepted in order to recover the plaintext.
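As an added illustration (not part of the NISCC advisory or any vendor's code), the following Python shows the CBC property behind the Destination Address Rewriting case above and why an integrity tag, of the kind AH or ESP-with-authentication provides, catches the modification that confidentiality-only ESP cannot. The block cipher is a keyed stand-in rather than a real cipher, the keys, addresses and inner packet are constructed, and HMAC-SHA256 is assumed as the integrity check.

```python
import hashlib
import hmac
import ipaddress
import random
import struct

BLOCK = 16  # block size in bytes; the CBC property shown here holds for any block cipher

# Stand-in block cipher: keyed byte substitution plus a rotation. NOT a real
# cipher; it only has to be a key-dependent bijection on 16-byte blocks, because
# CBC malleability comes from the chaining, not from the cipher.
def _sboxes(key: bytes):
    perm = list(range(256))
    random.Random(key).shuffle(perm)  # deterministic permutation for this key
    inv = [0] * 256
    for i, v in enumerate(perm):
        inv[v] = i
    return perm, inv

def _encrypt_block(key: bytes, block: bytes) -> bytes:
    perm, _ = _sboxes(key)
    sub = bytes(perm[b] for b in block)
    return sub[3:] + sub[:3]

def _decrypt_block(key: bytes, block: bytes) -> bytes:
    _, inv = _sboxes(key)
    sub = block[-3:] + block[:-3]  # undo the rotation
    return bytes(inv[b] for b in sub)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C[i] = E(P[i] XOR C[i-1]), with C[-1] = IV."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC: P[i] = D(C[i]) XOR C[i-1]. A bit flipped in C[i-1] flips the same
    bit in P[i] and garbles P[i-1]; no other block is affected."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(_decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)

def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed inner (tunneled) IPv4 packet: 20-byte header + payload. The
    destination address is bytes 16..19, the start of plaintext block 1."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0, 64, 17, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

def inner_destination(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[16:20]))

def flip_destination_in_ciphertext(ciphertext: bytes, old_dst: str, new_dst: str) -> bytes:
    """The advisory's 'Destination Address Rewriting': XOR the difference between
    the two addresses into ciphertext bytes 0..3 (block 0). After CBC decryption,
    plaintext block 1 now starts with new_dst and plaintext block 0 is garbled."""
    delta = _xor(ipaddress.IPv4Address(old_dst).packed,
                 ipaddress.IPv4Address(new_dst).packed)
    return _xor(ciphertext[:4], delta) + ciphertext[4:]

def seal(auth_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over IV + ciphertext (assumed HMAC-SHA256), standing in for
    ESP authentication data or an AH header."""
    return hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()

def verify(auth_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(auth_key, iv, ciphertext), tag)

def demo() -> dict:
    enc_key = b"constructed-encryption-key"  # constructed sample keys and addresses
    auth_key = b"constructed-integrity-key"
    iv = bytes(range(BLOCK))
    packet = build_inner_packet("10.0.0.5", "10.0.1.9", b"ESP-payload!")  # 32 bytes
    ct = cbc_encrypt(enc_key, iv, packet)
    tag = seal(auth_key, iv, ct)
    tampered = flip_destination_in_ciphertext(ct, "10.0.1.9", "192.0.2.7")
    recovered = cbc_decrypt(enc_key, iv, tampered)
    return {
        "original_dst": inner_destination(cbc_decrypt(enc_key, iv, ct)),
        "tampered_dst": inner_destination(recovered),  # rewritten; CBC alone cannot tell
        "tampered_payload_intact": recovered[20:] == packet[20:],
        "original_passes_integrity": verify(auth_key, iv, ct, tag),
        "tampered_passes_integrity": verify(auth_key, iv, tampered, tag),  # False
    }
```

The garbling of plaintext block 0 (version through source address) is the side effect the advisory's other two variants build on, via the ICMP error messages a host generates for a malformed recovered packet; with the tag checked before decryption, none of the three reach that point.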

For further details see:
http://www.niscc.gov.uk/niscc/docs/re-20050509-00385.pdf?lang=en
http://jvn.jp/niscc/NISCC-004033/index.html
http://www.ietf.org/ids.by.wg/ipsec.html

Patches

See vendor specific solutions at your vendor's website.



New cvs packages for Debian fix unauthorised repository access

2005-04-28

Risk level: high

Type: remote system compromise

Source of info: Debian Security Team

Impact

Remotely exploitable bugs in the Concurrent Versions System (CVS) server have been discovered.

Overview

According to the Debian Security Advisory:
Maks Polunin and Alberto Garcia discovered independently that using the pserver access method in connection with the repouid patch that Debian uses, it is possible to bypass the password and gain access to the repository in question (CAN-2004-1342).

Moreover, Alberto Garcia discovered that a remote user can cause the cvs server to crash when the cvs-repouids file exists but does not contain a mapping for the current repository, which can be used as a denial of service attack.

Patches

For details see:
http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00097.html



Multiple flaws in Oracle Database Server

2005-04-27

Risk level: high

Type: many types

Source of info: NGSSoftware Insight Security

Impact

Potential consequences may include the remote execution of arbitrary code, disclosure of sensitive information, and denial-of-service conditions. Database compromises may result in the disclosure of sensitive personal information, such as credit card numbers, social security numbers, and health and patient information.

Overview

David Litchfield of NGSSoftware has discovered multiple high risk vulnerabilities in Oracle's Database Server. Versions affected include:

Oracle Database 10g Release 1 Version 10.1.0.2, 10.1.0.3, 10.1.0.3.1 and 10.1.0.4
Oracle9i Database Server Release 2, versions 9.2.0.5 and 9.2.0.6
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
Oracle8i Database Server Release 3, version 8.1.7.4

NGSSoftware are going to withhold details about these flaws for three months. Full details will be published on Tuesday, 12th of July 2005. This three month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public. This reflects NGSSoftware's new approach to responsible disclosure.

NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessment scanner and security manager for Oracle, has been updated to check for and positively identify these flaws in Oracle database servers on the network. More information about NGSSQuirreL for Oracle can be found at http://www.ngssoftware.com/squirrelora.htm. 

Patches

http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
http://metalink.oracle.com/



sendfile() system call - kernel memory disclosure

2005-04-20

Risk level: medium

Type: Buffer overflow

Source of info: FreeBSD Project Team

Impact

A local user could create a large file and truncate it while transferring it to himself, thus obtaining a copy of portions of system memory to which he would normally not have access. Such memory might contain sensitive information.

Overview

The sendfile(2) system call allows a server application (such as an HTTP or FTP server) to transmit the contents of a file over a network connection without first copying it to application memory. High performance servers such as Apache and ftpd use sendfile.

If the file being transmitted is truncated after the transfer has started but before it completes, sendfile(2) will transfer the contents of more or less random portions of kernel memory in lieu of the missing part of the file.

Patches

For patches see:
ftp://ftp.freebsd.org/pub/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc



Bug in Mozilla Firefox - remote code execution

2005-04-15

Risk level: high

Type: Remote code execution

Source of info: Kohei Yoshino

Impact

According to information provided by Kohei Yoshino and published in Mozilla Foundation Security Advisory 2005-39 and the US-CERT VU#519317 announcement, a remote attacker may be able to install malicious code on or read protected information from a vulnerable system.

Overview

Sites can use the _search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page (such as about:config) and then inject script using a javascript: url. This could be used to install malicious code or steal data without user interaction.

Patches

The bugs have been fixed in Firefox 1.0.3:
http://www.mozilla.org/products/firefox/all.html



Remotely exploitable bug in XFree86

2004-02-15

Risk level: high

Type: Buffer overflow

Source of info: iDEFENSE Labs

Impact

Exploitation of a buffer overflow in the XFree86 X Window System allows local attackers to gain root privileges.

Overview

Greg MacManus, of iDEFENSE Labs, reports finding several potentially exploitable buffer overflows in XFree86's font code. David Dawes provided a patch to fix these, and other, errors.

The vulnerability specifically exists in the use of the CopyISOLatin1Lowered() function with the font_name buffer. While parsing a font.alias file, the ReadFontAlias() function uses the length of the input string as the limit for the copy, instead of the size of the storage buffer. A malicious user may craft a malformed font.alias file, causing a buffer overflow upon parsing and eventually leading to the execution of arbitrary code.

Successful exploitation requires that an attacker be able to execute commands in the X11 subsystem. This can be done either by having console access to the target or through a remote exploit against any X client program such as a web-browser, mail-reader or game. Successful exploitation yields root access.

iDEFENSE has confirmed the existence of this vulnerability in XFree86 versions 4.1.0 to the current version 4.3.0. It is suspected that earlier versions are vulnerable as well.

Patches

ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff 



SGI has released security update #10 for Altix systems

2004-02-15

Risk level: medium

Type: many types

Source of info: CERT

Impact

SGI has released Patch 10050: SGI Advanced Linux Environment security update #10, which includes updated RPMs for SGI ProPack v2.3 for the SGI Altix family of systems.

Overview

The patch has been released in response to the following security issues:
-Updated slocate packages fix vulnerabilities
 http://rhn.redhat.com/errata/RHSA-2004-041.html
-Updated util-linux packages fix information leak
 http://rhn.redhat.com/errata/RHSA-2004-056.html
-Updated mc packages resolve buffer overflow vulnerability
 http://rhn.redhat.com/errata/RHSA-2004-035.html
-Updated NetPBM packages fix multiple temporary file vulnerabilities
 http://rhn.redhat.com/errata/RHSA-2004-031.html
-Updated Gaim packages fix security vulnerabilities
 http://rhn.redhat.com/errata/RHSA-2004-045.html
-Updated mailman packages close DoS vulnerability
 http://rhn.redhat.com/errata/RHSA-2004-019.html

Patches

Patch 10050 is available from 
http://support.sgi.com/ and
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/
The individual RPMs from Patch 10050 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS



Remote crash in Mutt

2004-02-14

Risk level: high

Type: remote crash

Source of info: Mandrake Security Team

Impact

A bug in mutt was reported by Neils Heinen that could allow a remote attacker to send a carefully crafted mail message that can cause mutt to segfault and possibly execute arbitrary code as the user running mutt.

Overview

Mutt is a text mode mail user agent. Mutt supports color, threading, arbitrary key remapping, and a lot of customization.

It was discovered that certain messages would cause mutt to crash. Mutt 1.4.2 fixes this bug.

Patches

For Mandrake packages, use a suitable mirror from the list at:
http://www.mandrakesecure.net/en/ftp.php
and install the updated mutt packages for your distribution:



Multiple Vulnerabilities in Microsoft ASN.1 Library

2004-02-11

Risk level: critical

Type: many types

Source of info: CERT

Impact

An unauthenticated, remote attacker could execute arbitrary code with the privileges of the process using the ASN.1 library. In the case of most server and authentication applications, an attacker could gain SYSTEM privileges.

Overview

Multiple integer overflow vulnerabilities in the Microsoft Windows ASN.1 parser library could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM privileges.

Microsoft Security Bulletin MS04-007 announces a patch for multiple vulnerabilities in the Microsoft Windows ASN.1 library (msasn1.dll). According to information from eEye Digital Security, the vulnerabilities involve integer overflows and other flaws in integer arithmetic.

Any application that loads the ASN.1 library could serve as an attack vector. In particular, ASN.1 is used by a number of cryptographic and authentication services such as digital certificates (x.509), Kerberos, NTLMv2, SSL, and TLS. Both client and server systems are affected. The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1 library.

Patch your system as soon as possible.

Patches

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-007:
http://microsoft.com/technet/security/bulletin/MS04-007.asp



Internet Explorer/Outlook double null character DoS

2004-02-11

Risk level: medium

Type: DoS

Source of info: ACROS Security

Impact

For some web servers, two null (%00) characters appended after the host name cause Internet Explorer or Outlook to consume 100% CPU and freeze. This issue can be exploited by forcing the user's browser to open a hostile URL, either by setting up a malicious web site and luring the user into visiting it or by sending a malicious HTML e-mail to a user using Outlook. Once Internet Explorer or Outlook is frozen, the user must kill the iexplore.exe or outlook.exe process, respectively, via Task Manager in order to resume normal IE/Outlook use.


Overview

There's probably some flawed assumption in the code responsible for parsing the requested URL, specifically in parsing the host name, that leads to a dead loop consuming 100% CPU. This issue, however, does not seem to occur with all host names. Furthermore, we discovered that the sensitivity to the double-null suffix obviously depends on the "Do not save encrypted pages to disk" option being turned off (which is the default).

As far as Outlook is concerned, its susceptibility to this issue is not surprising, as Outlook is using Internet Explorer's browser object for rendering HTML e-mail. Outlook 2003 by default prevents remote HTML images from being displayed due to privacy reasons, which effectively prevents an e-mail borne attack unless the sender is listed in the "safe senders" list.

Our tests have shown that the computer under attack must be connected to the Internet (directly, not via an http proxy) in order for this issue to occur.

Finally, once IE or Outlook is frozen, Windows Explorer often freezes as well, possibly due to calling the same piece of code that is caught in an endless loop.


Patches

An official patch, MS04-004, has been released, which fixes this issue:
http://www.microsoft.com/technet/security/bulletin/ms04-004.asp





Possible unauthorized access to Check Point Firewall-1

2004-02-06

Risk level: high

Type: security features compromise

Source of info: CERT

Impact

Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges, typically "SYSTEM" or "root". This allows the attacker to take control of the firewall, and in some cases, to also control the server it runs on. Failed attempts to exploit this vulnerability may cause the firewall to crash.

Overview

The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality.

Both the AI and HTTP Security Server features contain an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf().

Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The researchers have also determined that this vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In either case, the commands or code executed by the attacker would run with administrative privileges, typically "SYSTEM" or "root". For more information, please see the ISS advisory at:
http://xforce.iss.net/xforce/alerts/id/162

Check Point has published a "Firewall-1 HTTP Security Server Update" that modifies the error return strings used when an invalid HTTP request is detected. For more information, please see the Check Point bulletin at:
http://www.checkpoint.com/techsupport/alerts/security_server.html
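To make the defect concrete, here is an added C example (not Check Point's code; the function names and the reply text are assumptions): a hardened error-reply builder that keeps request text out of the format string, beside a directive counter that shows why even a percent-encoded URL path such as %2F would be misread by the defective version.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * The defective shape described above (do not use): part of the rejected
 * request is spliced into the format string itself, so "%x", "%s" or the
 * "%2F" of a percent-encoded path is parsed as a conversion directive:
 *
 *     snprintf(buf, sizeof buf, prefix_plus_request_text);   // WRONG
 *
 * The hardened form keeps a literal format string and hands the request
 * text over as a "%s" argument, so it is copied verbatim.
 */

/* Build the error reply for a rejected request line.
 * Returns the reply length, or -1 if the reply does not fit in out. */
int build_error_reply(char *out, size_t outlen, const char *request_line)
{
    int n = snprintf(out, outlen,
                     "HTTP/1.0 400 Bad Request\r\n\r\n"
                     "Invalid request: %s\r\n", request_line);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                    /* truncated or encoding error */
    return n;
}

/* Count the printf-style conversion directives a C formatter would see in
 * s. Handy for asserting that reply text never carries request data into a
 * format string, and for flagging request lines in an access log that look
 * like format-string probes. "%%" is a literal percent sign. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }          /* escaped percent */
        const char *q = p + 1;
        while (*q && strchr("-+ #0", *q)) q++;       /* flags */
        while (*q >= '0' && *q <= '9') q++;          /* width */
        if (*q == '.') {                             /* precision */
            q++;
            while (*q >= '0' && *q <= '9') q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;     /* length modifier */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {
            count++;
            p = q;
        }
    }
    return count;
}

int main(void)
{
    char reply[256];
    /* Constructed sample request lines. */
    const char *benign = "GET /index.html HTTP/1.0";
    const char *probe  = "GET /%s%s HTTP/1.0";
    printf("%s -> %d directives\n", benign, count_format_directives(benign));
    printf("%s -> %d directives\n", probe, count_format_directives(probe));
    if (build_error_reply(reply, sizeof reply, probe) > 0)
        printf("reply carries the request text verbatim: %s\n",
               strstr(reply, "%s%s") ? "yes" : "no");
    return 0;
}
```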

Patches

See the Check Point bulletin at:
http://www.checkpoint.com/techsupport/alerts/security_server.html



Shared memory reference count overflow in shmat()

2004-02-05

Risk level: medium

Type: local system compromise

Source of info: PINE Digital Security

Impact

Local users can elevate their privileges in FreeBSD with System V Shared Memory.

Overview

The shmat(2) function maps a shared memory segment, previously created with the shmget(2) function, into the address space of the calling process.

This function is implemented in the sysv_shm.c file:

        -- sysv_shm.c lines 317-322 --
        vm_object_reference(shm_handle->shm_object);
        rv = vm_map_find(&p->p_vmspace->vm_map,
                         shm_handle->shm_object,
                         0, &attach_va, size,
                         (flags & MAP_FIXED) ? 0 : 1,
                         prot, prot, 0);

        if (rv != KERN_SUCCESS)
                return ENOMEM;
        -- end of code snippet --

The shmat(2) function first increases the reference count of the underlying vm_object and then attempts to insert the vm_object into the process address space.

The vulnerability occurs because the shmat(2) function forgets to decrease the reference count when the vm_map_find function returns failure.

Since the caller of shmat(2) can specify the address at which the segment should be mapped, it is possible to have vm_map_find return failure and thus end up with stale references.
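The failure-path reference leak, reduced to an added C example that is not FreeBSD's code (the toy vm_object, the stand-in vm_map_find() and the function names are assumptions): the leaky attach beside the fixed one, plus a checked reference that refuses to wrap instead of silently overflowing.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-ins for the kernel objects (hypothetical, not FreeBSD's code). */
typedef struct vm_object {
    uint32_t ref_count;   /* same 32-bit width as the kernel's counter */
    bool     freed;
} vm_object_t;

#define PAGE_SIZE 4096u
#define MAP_FIXED 0x10

static void vm_object_reference(vm_object_t *obj) { obj->ref_count++; }

static void vm_object_deallocate(vm_object_t *obj)
{
    if (--obj->ref_count == 0)
        obj->freed = true;        /* the kernel would free it here */
}

/* Stand-in for vm_map_find(): with MAP_FIXED the requested address must be
 * page aligned, otherwise the mapping fails. This is the failure the text
 * says a caller can provoke at will. */
static bool vm_map_find(uintptr_t attach_va, int flags)
{
    return !((flags & MAP_FIXED) && (attach_va % PAGE_SIZE) != 0);
}

/* The shape of the bug: take a reference, then return on failure without
 * dropping it. Returns 0 on success, -1 (ENOMEM in the kernel) on failure. */
int shmat_leaky(vm_object_t *obj, uintptr_t attach_va, int flags)
{
    vm_object_reference(obj);
    if (!vm_map_find(attach_va, flags))
        return -1;                /* BUG: the reference is never released */
    return 0;
}

/* Hardened form: every exit after taking the reference undoes it. */
int shmat_fixed(vm_object_t *obj, uintptr_t attach_va, int flags)
{
    vm_object_reference(obj);
    if (!vm_map_find(attach_va, flags)) {
        vm_object_deallocate(obj);    /* drop the reference we just took */
        return -1;
    }
    return 0;
}

/* Second line of defence: a reference that refuses to wrap. Returns false
 * and leaves the count untouched when the counter is already saturated. */
bool vm_object_reference_checked(vm_object_t *obj)
{
    if (obj->ref_count == UINT32_MAX)
        return false;
    obj->ref_count++;
    return true;
}

/* Drive n failing attaches (misaligned MAP_FIXED address) through one of
 * the two variants and report the reference count left behind; 1 means
 * only the segment's own reference remains. */
uint32_t refs_after_failed_attaches(int (*attach)(vm_object_t *, uintptr_t, int),
                                    unsigned n)
{
    vm_object_t obj = { .ref_count = 1, .freed = false };
    for (unsigned i = 0; i < n; i++)
        (void)attach(&obj, 0x1001, MAP_FIXED);   /* not page aligned */
    return obj.ref_count;
}

int main(void)
{
    printf("refs after 5 failed attaches, leaky: %u\n",
           refs_after_failed_attaches(shmat_leaky, 5));
    printf("refs after 5 failed attaches, fixed: %u\n",
           refs_after_failed_attaches(shmat_fixed, 5));
    return 0;
}
```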

Exploitability

This vulnerability can be exploited (reliably) by local users:

One would first create a shared memory segment using the shmget(2) function and create two separate mappings at different locations in the process address space using the shmat(2) function.

After making around 2^32 - 2 (invalid) calls to the shmat(2) function the reference count of the underlying vm_object will wrap around to 1.

After deleting one of our mappings using the shmdt(2) function the underlying vm_object will be freed and we will still have one (extraneous) mapping hanging around.

One would then invoke some magic trickery and execute a suid binary which will reuse the freed vm_object for its stack segment.

At this point one could write directly into the stack segment of the suid binary (using the extraneous mapping) and thus escalate one's privileges easily.

Patches

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch.asc




Multiple Vulnerabilities in Microsoft Internet Explorer

2004-02-02

Risk level: high

Type: many types

Source of info: CERT

Impact

Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE.

Overview

Microsoft Security Bulletin MS04-004 describes three vulnerabilities in Internet Explorer. These vulnerabilities are listed below. More detailed information is available in the individual vulnerability notes. Note that in addition to IE, any applications that use the IE HTML rendering engine to interpret HTML documents may present additional attack vectors for these vulnerabilities.

VU#784102 - Microsoft Internet Explorer Travel Log Cross Domain Vulnerability

A cross-domain scripting vulnerability exists in the Travel Log functionality of Internet Explorer. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.
(Other resources: CAN-2003-01026)

VU#413886 - Microsoft Internet Explorer Drag-and-Drop Operation Vulnerability

Internet Explorer allows remote attackers to direct drag and drop behaviors and other mouse click actions by using method caching (SaveRef) to access the window.moveBy method.
(Other resources: CAN-2003-01027)

VU#652278 - Microsoft Internet Explorer does not properly display URLs

Microsoft Internet Explorer does not properly display the location of HTML documents. An attacker could exploit this behavior to mislead users into revealing sensitive information.
(Other resources: CAN-2003-01025)

Impact

These vulnerabilities have different impacts, ranging from disguising the true location of a URL to executing arbitrary commands or code. Please see the individual vulnerability notes for specific information. The most serious of these vulnerabilities (VU#784102) could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. The attacker could exploit this vulnerability by convincing the user to access a specially crafted HTML document, such as a web page or HTML email message. No user intervention is required beyond viewing the attacker's HTML document with IE.

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-004.

Note: The fix included in MS04-004 for VU#652278 may cause sites that use URLs of the form "username:password@www.example.com" to break. This change, along with workarounds for users and administrators of such sites, is covered in Microsoft KB Article 834489.

Patches

Microsoft Security Bulletin MS04-004:
<http://microsoft.com/technet/security/bulletin/MS04-004.asp>



Vulnerabilities in Gaim instant-messaging client

2004-01-29

Risk level: medium

Type: remote system compromise

Source of info: SuSE Security Team

Impact

Gaim is a multi-protocol instant-messaging client. Stefan Esser found 12 vulnerabilities in gaim that can lead to a remote system compromise
with the privileges of the user running GAIM.

Overview

The GAIM package that SUSE LINUX ships is affected by just two of these bugs:
        - Yahoo Packet Parser Overflow
        - HTTP Proxy Connect Overflow

The first vulnerability is easy to exploit and results in a classic stack overflow which can be used to execute arbitrary code. The latter vulnerability requires that the gaim client use an HTTP proxy under the control of the attacker. The exploitation of this bug results in arbitrary code execution too.

There is no known workaround.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, to apply the update use the command "rpm -Fhv file.rpm". Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.


Patches

Updated gaim packages (binary, patch and source RPMs with MD5 checksums) for SuSE 9.0, 8.2, 8.1 and 8.0 are available under ftp://ftp.suse.com/pub/suse/i386/update/; the per-package URLs and checksums are listed in the SuSE advisory.



Updated cvs resolves security vulnerability

2004-01-28

Risk level: medium

Type: many types

Source of info: Fedora Legacy Team

Impact

Updated cvs packages are now available that fix a security vulnerability which may allow cvs to attempt to create files and directories in the root file system, as well as prevent the cvsd from retaining root privileges after a user login.

Overview

CVS (Concurrent Version System) is a version control system that can record the history of your files (usually, but not always, source code). CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred.

A flaw was found in versions of CVS prior to 1.11.10 where a malformed module request could cause the CVS server to attempt to create files or
directories at the root level of the file system. However, normal file system permissions would prevent the creation of these misplaced directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue.

Another flaw was found that would allow the cvsd process to continue to run as root after a user login.  Previously, any user with the ability to
write the CVSROOT/passwd file could execute arbitrary code as the root user on systems with CVS pserver access enabled.

Users of cvs should update to these update packages, which contain a backported security patch that corrects this issue.

Fedora Legacy would like to thank Seth Vidal, Jason Rohwedder and Christian Pearce for providing a backported fix for Red Hat Linux 7.2, 7.3, and 8.0.

Patches

Red Hat Linux 7.2:

SRPMS:
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/cvs-1.11.1p1-9.7.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.2/updates/i386/cvs-1.11.1p1-9.7.legacy.i386.rpm

Red Hat Linux 7.3:

SRPMS:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cvs-1.11.1p1-9.7.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cvs-1.11.1p1-9.7.legacy.i386.rpm

Red Hat Linux 8.0:

SRPMS:
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/cvs-1.11.2-9.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/8.0/updates/i386/cvs-1.11.2-9.legacy.i386.rpm




Updated mc packages fix buffer overflow vulnerability

2004-01-28

Risk level: high

Type: Buffer overflow

Source of info: Mandrake Security Team

Impact

A buffer overflow was discovered in mc's virtual filesystem code. This vulnerability could allow remote attackers to execute arbitrary code during symlink conversion.

Overview

The updated packages have been patched to correct the problem.

Patches

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php



Updated tcpdump packages fix several vulnerabilities

2004-01-28

Risk level: high

Type: many types

Source of info: Mandrake Security Team

Impact

A number of vulnerabilities were discovered in tcpdump versions prior to 3.8.1 that, if fed a maliciously crafted packet, could be exploited to crash tcpdump or potentially execute arbitrary code with the privileges of the user running tcpdump.

Overview

These vulnerabilities include:

An infinite loop and memory consumption processing L2TP packets (CAN-2003-1029).

Infinite loops in processing ISAKMP packets (CAN-2003-0989, CAN-2004-0057).

A segmentation fault caused by a RADIUS attribute with a large length value (CAN-2004-0055).

The updated packages are patched to correct these problems.

Patches

To upgrade automatically use MandrakeUpdate or urpmi.  The verification of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
  http://www.mandrakesecure.net/en/ftp.php




Internet Worm.Mydoom.A under attack

2004-01-27

Risk level: high

Type: Worm

Source of info: Symantec

Impact

Worm.Mydoom.A (W32.Novarg.A@mm) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 thru 3198. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

The worm will perform a DoS starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004.

Overview

1. Creates the following files:
          * %System%/shimgapi.dll
          * %Temp%/Message (This file is full of random letters and is displayed using Notepad.)
          * %System%/taskmon.exe (If a copy of taskmon.exe exists in %System%, it is overwritten and replaced by this copy of the worm.)

   Notes:
          * taskmon.exe is a legitimate file in Windows 95/98/Me operating systems, stored in the %Windir% folder (by default, this is C:\Windows or C:\Winnt). Do not delete this file by mistake.
          * %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
          * %Temp% is a variable. The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me), C:\WINNT\Temp (Windows NT/2000), or C:\Documents and Settings\<UserName>\Local Settings\Temp (Windows XP).

2. Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.

3. Adds the value:

      "(Default)" = "%System%\shimgapi.dll"

      to the registry key:

      HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

      so that shimgapi.dll is loaded by EXPLORER.EXE.

4. Adds the value:

      "TaskMon" = "%System%\taskmon.exe"

      to the registry keys:
          * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

5. Attempts to perform a Denial of Service attack against www.sco.com by creating 64 threads that send GET requests and use a direct connection to port 80.

      Note: The DoS is active between February 1, 2004 and February 12, 2004.

6. Creates the following registry keys:
          * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
            Explorer\ComDlg32\Version
          * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
            Explorer\ComDlg32\Version

7. Searches for email addresses in files with the following extensions:
          * .htm
          * .sht
          * .php
          * .asp
          * .dbx
          * .tbb
          * .adb
          * .pl
          * .wab
          * .txt

   Note: It ignores addresses which end in .edu.

8. Attempts to send emails using its own SMTP engine. The worm performs a lookup of the mail server used by the recipient before sending the email. If it is unsuccessful, it will use the local mail server instead.

9. The email will have the following characteristics:

      From: may be a spoofed from address

      Subject:
      (one of the following)
          * test
          * hi
          * hello
          * Mail Delivery System
          * Mail Transaction Failed
          * Server Report
          * Status
          * Error

            Message:
            (one of the following)
          * Mail transaction failed. Partial message is available.
          * The message contains Unicode characters and has been sent as a binary attachment.
          * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

            Attachment:
            (one of the following)
          * document
          * readme
          * doc
          * text
          * file
          * data
          * test
          * message
          * body

            Notes:
          * The attachment may have two suffixes. If so, the first suffix will be one of the following:
                o .htm
                o .txt
                o .doc
          * The worm will always end with one of the following suffixes:
                o .pif
                o .scr
                o .exe
                o .cmd
                o .bat
                o .zip
          * The icon displayed will look like the following [icon image not reproduced], unless the worm has .exe or .scr for an extension, in which case the file will use the following icon [icon image not reproduced].

10. Copies itself to the Kazaa download folder as one of the following files:
          * winamp5
          * icq2004-final
          * activation_crack
          * strip-girl-2.0bdcom_patches
          * rootkitXP
          * office_crack
          * nuke2004

            with a file extension of:
          * .pif
          * .scr
          * .bat
          * .exe





An update for a newly discovered vulnerability in Microsoft Internet Security and Acceleration Server 2000

2004-01-14

Risk level: critical

Type: Remote code execution

Source of info: Microsoft Security Team

Impact

An update for a newly discovered vulnerability in Microsoft Internet Security and Acceleration Server 2000. This vulnerability is rated Critical.

Overview

An update is available to fix this vulnerability.
For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft ISA Server Security Bulletin Summary for January at:
http://www.microsoft.com/technet/security/bulletin/isajan04.asp

Patches

See:
http://www.microsoft.com/technet/security/bulletin/isajan04.asp




An update for a newly discovered vulnerability in Microsoft Exchange Server 2003.

2004-01-14

Risk level: moderate

Type: Elevation of privilege

Source of info: Microsoft Security Team

Impact

Vulnerability in Exchange Server 2003 Could Lead to
Privilege Escalation.

Overview

An update is available to fix this vulnerability.
For additional information, including Technical Details, 
Workarounds, answers to Frequently Asked Questions, and Update 
Deployment Information please read the Microsoft Exchange Server 
2003 Security Bulletin Summary for January at:
http://www.microsoft.com/technet/security/bulletin/excjan04.asp

Patches

See:
http://www.microsoft.com/technet/security/bulletin/excjan04.asp



An update for a newly discovered vulnerability in Microsoft Data Access Components (MDAC)

2004-01-14

Risk level: Important

Type: Remote code execution

Source of info: CERT

Impact

Buffer Overrun in MDAC Function Could Allow Code Execution

Overview

An update is available to fix this vulnerability.
For additional information, including Technical Details, 
Workarounds, answers to Frequently Asked Questions, and Update 
Deployment Information please read the Microsoft Windows Security 
Bulletin Summary for January at:
http://www.microsoft.com/technet/security/bulletin/winjan04.asp

Patches

See:
http://www.microsoft.com/technet/security/bulletin/winjan04.asp



SGI Advanced Linux Environment security update #8

2004-01-07

Risk level: high

Type: Buffer overflow

Source of info: SGI Security Team

Impact

SGI has released Patch 10040: SGI Advanced Linux Environment security update #8, which includes updated RPMs for SGI ProPack v2.3 for the Altix
family of systems.

Overview

The patch has been created in response to the following errata released by Red Hat:
 Updated lftp packages fix security vulnerability
 http://rhn.redhat.com/errata/RHSA-2003-404.html

Patches

Patch 10040 is available from http://support.sgi.com/ and
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/

The individual RPMs from Patch 10040 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS





Bugs in linux kernel (in do_mremap function)

2004-01-05

Risk level: high

Type: local system compromise

Source of info: SuSE Security Team

Impact

Incorrect bounds checking in one of the kernel functions can lead to local system compromise.

Overview

The do_mremap() function of the Linux Kernel is used to manage (move, resize) Virtual Memory Areas (VMAs). By exploiting an incorrect bounds check in do_mremap() during the remapping of memory it is possible to create a VMA with a size of 0. In normal operation do_mremap() leaves a memory hole of one page and creates an additional VMA of two pages. In case of exploitation no hole is created but the new VMA has a length of 0 bytes. The Linux Kernel's memory management is corrupted from this point and can be abused by local users to gain root privileges.

There is no temporary workaround for this bug.

Patches

Updated kernel packages (k_athlon, k_deflt, k_smp, k_smp4G, k_um, k_psmp, k_debug, k_i386 and kernel-source RPMs with MD5 checksums) for SuSE 9.0, 8.2, 8.1 and 8.0 on the Intel i386 platform and for SuSE 9.0 on the Opteron x86_64 platform are available under ftp://ftp.suse.com/pub/suse/; the per-package URLs and checksums are listed in the SuSE advisory.




New lftp packages fix arbitrary code execution

2004-01-04

Risk level: high

Type: Buffer overflow

Source of info: Debian Security Team

Impact

Remotely exploitable bug in lftp can lead to the execution of arbitrary code.

Overview

Ulf Harnhammar discovered a buffer overflow in lftp, a set of
sophisticated command-line FTP/HTTP client programs.  An attacker
could create a carefully crafted directory on a website so that the
execution of an 'ls' or 'rels' command would lead to the execution of
arbitrary code on the client machine.

Patches

Links for updated Debian packages:

Debian GNU/Linux 3.0 alias woody: lftp 2.4.9-1woody2 source packages and binary packages for the alpha, arm, i386, ia64, hppa, m68k, mips, mipsel, powerpc, s390 and sparc architectures are available under http://security.debian.org/pool/updates/main/l/lftp/; sizes and MD5 checksums are listed in the Debian advisory.

These files will probably be moved into the stable distribution on its next revision.



Hijacking Apache https by mod_php

2003-12-26

Risk level: medium

Type: Buffer overflow

Source of info: Steve Grub

Impact

Mod_php under Apache 2.0.x leaks a critical file descriptor that can be used to take over (hijack) the https service.

Overview

When using mod_php, many file descriptors are leaked to the PHP script process. If the script page calls external programs via passthru(), exec(), or system(), the descriptors are leaked to that program as well.

One of these descriptors is the listening descriptor to port 443, also known as https. Port 443 is a privileged port and can only be bound to by a root process. It is not normal for that descriptor to be leaked to any or all programs. As a side note, this descriptor seems to be opened by apache regardless of whether or not you use https.

The bug is caused by not calling fcntl() with the FD_CLOEXEC flag on the privileged listening descriptor, which would prevent it from being inherited across exec(). (It really is a one-line fix!)

The listening descriptor is used by all sites on the same machine. If a person can ftp in an executable and has access to php, they may be able to hijack the https service for all sites on the machine. Sandboxing and jailing may not help since the descriptor itself is leaked to the child.

"Safe_mode = on" does not offer any protection for this problem if safe_mode_exec_dir points to a directory that can be ftp'd to.
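As an added illustration (not from the advisory, nor from Apache or PHP source), the C code below shows how a descriptor left without FD_CLOEXEC survives exec() and reaches a child shell, and the fcntl() call that closes the hole; make_listener, leaks_across_exec, mark_cloexec and fd_survives_exec are names chosen for this example, and the socket stands in for Apache's port 443 listener.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for Apache's listening socket (constructed here, never bound;
 * falls back to /dev/null if socket creation is not permitted). */
int make_listener(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    return fd >= 0 ? fd : open("/dev/null", O_RDONLY);
}

/* 1 if fd would be inherited by a program started with exec() (FD_CLOEXEC
 * not set), 0 if it is close-on-exec, -1 if fd is not open. */
int leaks_across_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* The one-line fix the advisory refers to: mark the descriptor close-on-exec
 * so exec()'d children (PHP's passthru/exec/system) never see it. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Empirical check of the leak: fork, exec /bin/sh, and let the shell try to
 * duplicate fd with "<&N", which only succeeds if N is still open after
 * exec(). Returns 1 if the child could reach the descriptor, else 0. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}
```

Calling fd_survives_exec() on a fresh descriptor before and after mark_cloexec() shows the child shell reaching it only in the unfixed case.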



Arbitrary File Delete Vulnerability in Opera 7

2003-12-22

Risk level: Critical

Type: remote file deletion

Source of info: Operash

Impact

When displaying a download dialog, Opera creates a temporary file. The file name is not sufficiently sanitized, so an existing file can be deleted.

Overview

Exploiting this vulnerability, an attacker can remotely delete an arbitrary existing file on a local disk.

  This vulnerability could lead to the following risks:

  * Destruction of the system.
  * Destruction of application data.

SYSTEMS AFFECTED
=====================

  7.22 build 3221 (JP:build 3222)
  7.21 build 3218 (JP:build 3219)
  7.20 build 3144 (JP:build 3145)
  7.1x
  7.0x


SYSTEMS NOT AFFECTED
=========================

  7.23 build 3227 (JP:build 3226)


EXAMINES
=============

  Opera for Windows:
    Opera 7.23 build 3227 (JP:build 3226)
    Opera 7.22 build 3221 (JP:build 3222)
    Opera 7.21 build 3218 (JP:build 3219)
    Opera 7.20 build 3144 (JP:build 3145)
    Opera 7.11 build 2887
    Opera 7.11 build 2880
    Opera 7.10 build 2840
    Opera 7.03 build 2670
    Opera 7.02 build 2668
    Opera 7.01 build 2651

  Platform:
    Windows 98SE Japanese
    Windows 2000 Professional SP4 Japanese
    Windows XP Professional SP1 Japanese


SOLUTION
========

  Upgrade to version 7.23 or later.

Patches

http://www.opera.com/



Repeatable tcpdump remote crash

2003-12-20

Risk level: Critical

Type: Buffer overflow

Source of info: Przemyslaw Frasunek

Impact

Sending a packet containing the bytes 0xff,0x02 to port 1701/udp causes the L2TP protocol parser in tcpdump to enter an infinite loop, eating all available memory and then segfaulting.

Overview

This bug also affects tcpdump in -CURRENT.
Fix: unknown; recent versions of tcpdump are immune to this problem.

Patches

Search for more information and patches at:
http://www.openbsd.org/query-pr.html
using PR number: 3610



Updated httpd packages fix Apache security vulnerabilities

2003-12-18

Risk level: high

Type: many types

Source of info: Red Hat Security Team

Impact

Updated httpd packages that fix two minor security issues in the Apache Web
server are now available for Red Hat Linux 8.0 and 9 (CAN-2003-0542, CAN-2003-0789), and for 7.1, 7.2, and 7.3 (CAN-2003-0542).

Overview

The Apache HTTP Server is a powerful, full-featured, efficient, and
freely-available Web server.

An issue in the handling of regular expressions from configuration files
was discovered in releases of the Apache HTTP Server version 2.0 prior to
2.0.48.  To exploit this issue an attacker would need to have the ability
to write to Apache configuration files such as .htaccess or httpd.conf.  A
carefully-crafted configuration file can cause an exploitable buffer
overflow and would allow the attacker to execute arbitrary code in the
context of the server (in default configurations as the 'apache' user).
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0542 to this issue.

A bug in the CGI daemon-based "mod_cgid" module was discovered that can
result in CGI script output being sent to the wrong client. This issue only
affects Red Hat Linux 9, and only when the server is configured to use the
"worker" MPM. The default configuration uses the "mod_cgi" module for CGI
and is not affected by this issue. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0789 to this issue.

Users of the Apache HTTP Server should upgrade to these erratum packages,
which contain backported patches correcting these issues, and are applied
to Apache version 2.0.40.

Patches

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/httpd-2.0.40-11.9.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/httpd-2.0.40-11.9.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-devel-2.0.40-11.9.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-manual-2.0.40-11.9.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mod_ssl-2.0.40-11.9.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/httpd-2.0.40-21.9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/httpd-2.0.40-21.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-devel-2.0.40-21.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-manual-2.0.40-21.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mod_ssl-2.0.40-21.9.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/apache-1.3.27-3.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/apache-1.3.27-3.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/apache-devel-1.3.27-3.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/apache-manual-1.3.27-3.7.1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/apache-1.3.27-3.7.2.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/apache-1.3.27-3.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/apache-devel-1.3.27-3.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/apache-manual-1.3.27-3.7.2.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/apache-1.3.27-3.7.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/apache-devel-1.3.27-3.7.2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/apache-manual-1.3.27-3.7.2.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/apache-1.3.27-4.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/apache-1.3.27-4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/apache-devel-1.3.27-4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/apache-manual-1.3.27-4.i386.rpm








Buffer overflows in lftp

2003-12-15

Risk level: medium

Type: remote system compromise

Source of info: SuSE Security Team

Impact

The flexible and powerful FTP command-line client lftp is vulnerable to two remote buffer overflows.
When using lftp via HTTP or HTTPS to execute commands like 'ls' or 'rels', specially prepared directories on the server can trigger a buffer overflow in the HTTP handling functions of lftp and possibly execute arbitrary code on the client side. Please note that to exploit these bugs an attacker has to control the server side, and the attacker will only gain access to the account of the user that is executing lftp.

Overview

Ulf Härnhammar, who posted this issue to Bugtraq, stated that technically the problem lies in the file src/HttpDir.cc, in the functions try_netscape_proxy() and try_squid_eplf(), which both have sscanf() calls that take data of arbitrary length and store it in a char array with 32 elements. (Back in version 2.3.0 the problematic code was located in another function, but the problem existed back then too.)
Depending on the HTML document in the specially prepared directory, buffers will be overflowed in one function or the other.
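The sscanf()-into-a-32-element-array pattern described here (and in the Debian lftp entry above) is shown as an added C example beside its bounded form; this is constructed code using a made-up "<size> <name>" listing format, not lftp's own src/HttpDir.cc, and the function names are chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed listing-line layout for this example: "<size> <name>", e.g.
 * "1479880 lftp_2.4.9.orig.tar.gz". It is not lftp's real format; only the
 * sscanf-into-a-32-byte-array pattern from the advisory is reproduced. */
#define NAME_LEN 32

/* The pattern the advisory describes: an unbounded "%s" copies as many bytes
 * as the server sent into name[NAME_LEN], so any name longer than 31 bytes
 * overruns the array. Kept for contrast only; never use on untrusted input. */
int parse_entry_unbounded(const char *line, long *size, char name[NAME_LEN])
{
    return sscanf(line, "%ld %s", size, name) == 2;
}

/* Hardened form: "%31s" can never write more than 31 bytes plus the
 * terminator, and "%n" records where matching stopped so a truncated name is
 * reported instead of silently accepted.
 * Returns 1 on success, 0 on malformed input, -1 if the name did not fit. */
int parse_entry_bounded(const char *line, long *size, char name[NAME_LEN])
{
    int end = -1;
    if (sscanf(line, "%ld %31s%n", size, name, &end) != 2 || end < 0)
        return 0;
    /* A non-space byte right after the 31-byte name means it was cut off. */
    if (line[end] != '\0' && !isspace((unsigned char)line[end]))
        return -1;
    return 1;
}

/* Run the bounded parser over a few constructed lines. */
int main(void)
{
    const char *lines[] = {
        "1479880 lftp_2.4.9.orig.tar.gz",
        "7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        "not-a-listing-line",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long size = 0;
        char name[NAME_LEN] = "";
        int rc = parse_entry_bounded(lines[i], &size, name);
        printf("rc=%2d size=%ld name=%s\n", rc, size, name); /* rc 1, -1, 0 */
    }
    return 0;
}
```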


Patches

Src (vendor page):
http://lftp.yar.ru/

SuSE updates:
Intel i386 Platform:
  SuSE-9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/lftp-2.6.6-71.i586.rpm
      2e5aee46868b5b19c26a8559927e8663
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/lftp-2.6.6-71.i586.patch.rpm
      0468cf8f2b2b4c18a854f51ef63470b7
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/lftp-2.6.6-71.src.rpm
      a32eee3ff4eeb322d44f04b9f8ff4c9c

  SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lftp-2.6.4-44.i586.rpm
      df0d7c059cd3bb4fe47c927849fd9a5e
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lftp-2.6.4-44.i586.patch.rpm
      eb9d6aedc25d3e2d25b63999526ee1bd
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/lftp-2.6.4-44.src.rpm
      63695b02bf520b02f93ec73078d6e4d8





Bugs in cvs

2003-12-11

Risk level: minimal

Type: many types

Source of info: GENTOO LINUX SECURITY TEAM

Impact

Stable CVS 1.11.10 has been released. Stable releases contain only bug fixes from previous versions of CVS. This release fixes a security issue with no known exploits that could cause previous versions of CVS to attempt to create files and directories in the filesystem root. This release also fixes several issues relevant to case-insensitive filesystems and some other bugs. We recommend this upgrade for all CVS clients and servers.

Overview

More info could be found here:
<http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84>

Patches

http://ccvs.cvshome.org/



SGI Advanced Linux Environment security update #6

2003-12-10

Risk level: medium

Type: many types

Source of info: SGI Security Team

Impact

SGI has released Patch 10037: SGI Advanced Linux Environment security update #6, which includes updated RPMs for SGI ProPack v2.3 for the Altix family of systems.

Overview

The update has been released in response to the following errata released by Red Hat:
New rsync packages fix remote security vulnerability
 http://rhn.redhat.com/errata/RHSA-2003-399.html

Patches

Patch 10037 is available from http://support.sgi.com/ and
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/

The individual RPMs from Patch 10037 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMS



Remotely exploitable heap overflow in rsync

2003-12-05

Risk level: high

Type