
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-356A
Exploitation of phpBB highlight parameter vulnerability
Original release date: December 21, 2004
Last revised: --
Source: US-CERT
Systems Affected
phpBB versions 2.0.10 and prior
Overview
The software phpBB contains an input validation problem in how it
processes a parameter contained in URLs. An intruder can deface a
phpBB website, execute arbitrary commands, or gain administrative
privileges on a compromised bulletin board.
I. Description
phpBB is an open-source bulletin board application. It fails to
properly perform an urldecode() on the "highlight" parameter supplied
to viewtopic.php. This may allow a remote attacker to execute
arbitrary commands on a vulnerable server.
According to reports, this vulnerability is being actively exploited
by the Santy.A worm. The worm appears to propagate by searching for
the keyword "viewtopic.php" in order to find vulnerable sites.
The worm writes itself to a file named "m1ho2of" on the compromised
system. It then overwrites files ending with .htm, .php, .asp, .shtm,
.jsp, and .phtm replacing them with HTML content that defaces the web
page. The worm then tries to use Perl to execute itself on the
compromised system and propagate further.
US-CERT is tracking this issue as:
VU#497400 - phpBB viewtopic.php fails to properly sanitize input
passed to the "highlight" parameter
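The alert says only that viewtopic.php mishandles the urldecode() of the "highlight" parameter; a site owner's first question is whether their own logs show that parameter being abused. The following is an added example, not part of the US-CERT alert or of phpBB: a small Python scanner for NCSA/Apache-style access log lines that flags viewtopic.php requests whose raw "highlight" value is still percent-encoded after one decode pass (double encoding, which a missed urldecode is exactly what lets through) or decodes to shell or PHP metacharacters that a search-term highlight has no reason to carry. The log lines, the metacharacter set and the "double-encoded" heuristic are constructed assumptions for illustration; the `%2527` sample is a double-encoded apostrophe, not an exploit string.

```python
"""Flag suspicious phpBB viewtopic.php 'highlight' requests in web server access logs.

Added illustration for TA04-356A; not code from US-CERT or the phpBB project.
"""
import re
from urllib.parse import urlsplit, unquote

# NCSA common/combined log format: the request line sits inside double quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption used as a heuristic: a legitimate search-term highlight never needs these.
SUSPICIOUS_CHARS = set("'\"();$`|<>")

# Constructed sample log lines (not real traffic). The second line carries a
# double-encoded apostrophe in 'highlight'; the others are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2004:10:15:01 -0500] '
    '"GET /phpBB2/viewtopic.php?t=12&highlight=security+tips HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Dec/2004:10:16:44 -0500] '
    '"GET /phpBB2/viewtopic.php?t=12&highlight=%2527 HTTP/1.0" 200 5210',
    '10.0.0.9 - - [21/Dec/2004:10:16:45 -0500] '
    '"GET /phpBB2/index.php HTTP/1.0" 200 3100',
]


def highlight_values(target):
    """Return the raw, still-encoded 'highlight' values of a viewtopic.php request (or [])."""
    parts = urlsplit(target)
    if not parts.path.endswith("viewtopic.php"):
        return []
    # Split the query by hand instead of parse_qs so the encoded form survives
    # and double encoding stays visible.
    raw = []
    for pair in parts.query.split("&"):
        if pair.startswith("highlight="):
            raw.append(pair[len("highlight="):])
    return raw


def classify_highlight(raw_value):
    """Return the reasons a raw highlight value looks suspicious; an empty list means benign."""
    reasons = []
    once = unquote(raw_value)
    if "%" in once:
        # A second decode pass would still change the value: double-encoded input.
        reasons.append("double-encoded")
    fully = unquote(once)
    if SUSPICIOUS_CHARS & set(fully):
        reasons.append("shell/php metacharacters")
    return reasons


def scan_log(lines):
    """Return (client ip, raw highlight value, reasons) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for raw in highlight_values(m.group("target")):
            reasons = classify_highlight(raw)
            if reasons:
                hits.append((m.group("ip"), raw, reasons))
    return hits


if __name__ == "__main__":
    for ip, raw, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip}  highlight={raw!r}  {', '.join(reasons)}")
```

Run it against a real access log with `scan_log(open(path).readlines())`; a hit is a reason to check the board version against 2.0.11 and to look for the "m1ho2of" file the alert names, not proof of compromise on its own.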
II. Impact
A remote attacker may be able to deface a phpBB website and execute
arbitrary commands on a compromised bulletin board.
III. Solution
Upgrade phpBB
Upgrade to phpBB version 2.0.11 to prevent exploitation.
Appendix A. References
* US-CERT Vulnerability Note VU#497400 -
<http://www.kb.cert.org/vuls/id/497400>
* phpBB Downloads - <http://www.phpbb.com/downloads.php>
* phpBB Announcement -
<http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636>
* Symantec Security Response - Perl.Santy -
<http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html>
* McAfee - Computer Virus Software and Internet Security -
<http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=130471>
_________________________________________________________________
This vulnerability was reported by the phpBB Development Team.
_________________________________________________________________
Feedback can be directed to the authors: Jeffrey Gennari and
Jason Rafail
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-356A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
Dec 21, 2004: Initial release
Last updated December 21, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQci1ihhoSezw4YfQAQLarQf/cyzsvhFzCnqDyzRRqccGx8yG+AUMLQnG
C+eZ3oyfEntqJkMh4ApNb1er8F+7BkHNnhzvPeifqDQPMGwpjLrBnyPr4vSneG3v
JBregSqACGHzR7/TDeDJ94kiBFPty77AS5r6eqsLe0ueaL2kA149lEEcbGjPGd+q
P0my0Jxkal0DPOwGuPyFIcjdGBAYHXqyCbI0hl6DqGGj/vSRkuhjt5EY0K7ShOdV
JaSmRWgkbM0vXtKj+sWCSOLFoDschFzlW+Egke17xf3bIZUwvx5uNsw8AXZwCiaa
CJNJcL+sI8JvXEQqC5xiAkYgUVDA+WzRGtKoVfkEJBpv8PS0MyhX+Q==
=ZLLn
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-336A
Update for Microsoft Internet Explorer HTML Elements Vulnerability
Original release date: December 1, 2004
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows systems running
* Internet Explorer versions 6 and later (see MS04-040 for affected
software and components)
* Other programs that host the WebBrowser ActiveX control
Overview
Microsoft Security Bulletin MS04-040 contains an update to fix a
buffer overflow vulnerability in Internet Explorer.
I. Description
TA04-315A describes a buffer overflow vulnerability in Microsoft
Internet Explorer HTML elements that could allow a remote attacker to
execute arbitrary code. Note that any program that hosts the
WebBrowser ActiveX control could be affected. Microsoft Security
Bulletin MS04-040 contains an update to fix this vulnerability.
The vulnerability is described in further detail in VU#842160.
II. Impact
By convincing a user to view a specially crafted HTML document (e.g.,
a web page or an HTML email message), an attacker could execute
arbitrary code with the privileges of the user. The attacker could
also cause IE to crash.
Reports indicate that this vulnerability is being exploited by
malicious code referred to as MyDoom.{AG,AH,AI} or Bofra.
III. Solution
Install an update
Install the appropriate update according to Microsoft Security
Bulletin MS04-040. For additional information about the update,
including possible adverse effects, please see Microsoft Knowledge
Base articles 889293 and 889669.
Appendix A. References
* Microsoft Security Bulletin MS04-040 -
<http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx>
* MS04-040: Cumulative Security Update for Internet Explorer (IE 6.0
SP1) - <http://support.microsoft.com/kb/889293>
* An update rollup is available for Internet Explorer 6 SP1 -
<http://support.microsoft.com/kb/889669>
* US-CERT Technical Cyber Security Alert TA04-315A -
<http://www.us-cert.gov/cas/techalerts/TA04-315A.html>
* Vulnerability Note VU#842160 -
<http://www.kb.cert.org/vuls/id/842160>
* About the Browser (Internet Explorer - WebBrowser) -
<http://msdn.microsoft.com/workshop/browser/overview/Overview.asp>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann and Art Manion.
Send mail to <cert@cert.org>.
Please include the Subject line "TA04-336A Feedback VU#842160".
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA04-336A.html>
_________________________________________________________________
Revision History
December 1, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQa5IqhhoSezw4YfQAQK9ZAf7BHn69m5KRp64ePmJii0a1UCmZLimEdoF
16f11YLjUZljUvCjDD21pPv0jiPYY5cmFcHXZdlpovu/x6FnxuNvmV0GUYGENy27
qSzBt6aHc2oAHsouxb77x9ZIlg/k6+yjX82HqcR9+ITIXDx5SfTEz4jJsCJ86I7y
UTZqpMSQIniE8QDJ2VsoVnLylvC1RqgUCEXf+/526XDu/udIpQ+pahuewNUy+bgH
cj28U7WnjEAI9X/dgmCKu9znTtSfFL0Lm1YxDvF/tH1+q/9z9KmdldT16HbGPjJO
K0xbbFkpgKy9apXTF3MOzlb/ehXMXLgOwV37IXCD49TAhQy2FBe5CQ==
=w9cf
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-316A
Cisco IOS Input Queue Vulnerability
Original release date: November 11, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers, switches, and line cards running vulnerable
versions of IOS
The following versions of IOS are known to be affected:
* 12.2(18)EW
* 12.2(18)EWA
* 12.2(18)S
* 12.2(18)SE
* 12.2(18)SV
* 12.2(18)SW
* 12.2(14)SZ
Overview
There is a vulnerability in the way Cisco IOS processes DHCP packets.
Exploitation of this vulnerability may lead to a denial of service.
The processing of DHCP packets is enabled by default.
I. Description
The Dynamic Host Configuration Protocol (DHCP) provides a means for
distributing configuration information to hosts on a TCP/IP
network. The Cisco Internetwork Operating System (IOS) contains a
vulnerability that allows malformed DHCP packets to cause an affected
device to stop processing incoming network traffic.
Cisco routers, switches, and line cards provide support for processing
DHCP packets. Cisco devices can act as a DHCP server, providing host
configuration information to clients, or they can forward DHCP and
BootP requests as a relay agent. The affected devices have the DHCP
service enabled by default and will accept and process incoming DHCP
packets. When a DHCP packet is received, it is placed into an input
queue so it can be processed. Undeliverable DHCP packets may remain in
the queue if malformed in a certain way. When the queue becomes full,
the device will stop accepting all traffic on that interface, not just
DHCP traffic.
The DHCP service is enabled by default in IOS. DHCP can only be
disabled when the no service dhcp command is specified in the running
configuration. Cisco notes the following in their advisory:
"Cisco routers are configured to process and accept DHCP
packets by default, therefore the command service dhcp does not
appear in the running configuration display, and only the
command for the disabled feature, no service dhcp, will appear
in the running configuration display when the feature is
disabled. The vulnerability is present, regardless if the DHCP
server or relay agent configurations are present on an affected
product. The only required configuration for this vulnerability
in affected versions is the lack of the no service dhcp
command."
Cisco is tracking this issue as CSCee50294. US-CERT is tracking this
issue as VU#630104.
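The point of the quoted Cisco text is easy to get wrong in an audit: "service dhcp" never appears in a running configuration, so grepping for it proves nothing, and only the explicit "no service dhcp" line shows the feature is off. The following is an added example, not part of the US-CERT alert or of any Cisco tool: a Python check that reads a captured "show version" and running configuration, matches the release against the versions listed in this alert, and reports whether the workaround line is present. The sample "show version" text and configurations are constructed, and the affected-release set is copied from the alert's own list; the Cisco advisory's "Software Versions and Fixes" section remains the authority, so a release missing from the set is reported as "NOT LISTED" rather than safe.

```python
"""Assess a Cisco IOS device capture for TA04-316A exposure.

Added illustration; not code from US-CERT or Cisco. Inputs are text captured
from 'show version' and 'show running-config'.
"""
import re

# Releases named as affected in the alert (the Cisco advisory is authoritative).
AFFECTED_RELEASES = {
    "12.2(18)EW", "12.2(18)EWA", "12.2(18)S", "12.2(18)SE",
    "12.2(18)SV", "12.2(18)SW", "12.2(14)SZ",
}

# 'show version' prints e.g. "... Version 12.2(18)SE, RELEASE SOFTWARE (fc1)".
VERSION_RE = re.compile(r"Version (\d+\.\d+\(\d+\)[A-Za-z0-9]*)")

# Constructed sample captures (not from a real device).
SAMPLE_SHOW_VERSION = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) C3750 Software (C3750-I5-M), Version 12.2(18)SE, RELEASE SOFTWARE (fc1)\n"
)
SAMPLE_CONFIG_DEFAULT = "!\nversion 12.2\nhostname edge-sw1\nip dhcp excluded-address 10.1.1.1\n!\n"
SAMPLE_CONFIG_DISABLED = "!\nversion 12.2\nhostname edge-sw1\nno service dhcp\n!\n"


def ios_release(show_version_text):
    """Extract the IOS release string from 'show version' output, or None if not found."""
    m = VERSION_RE.search(show_version_text)
    return m.group(1) if m else None


def dhcp_service_disabled(running_config):
    """True only if 'no service dhcp' is present as a global command.

    Absence of any 'service dhcp' line means the default, which is ENABLED.
    """
    return any(line.strip() == "no service dhcp" for line in running_config.splitlines())


def assess(show_version_text, running_config):
    """Combine the release check and the workaround check into one verdict."""
    release = ios_release(show_version_text)
    affected = release in AFFECTED_RELEASES
    disabled = dhcp_service_disabled(running_config)
    if affected and not disabled:
        verdict = "VULNERABLE"
    elif affected:
        verdict = "MITIGATED"  # workaround present; upgrading is still the fix
    else:
        verdict = "NOT LISTED"  # not in the alert's list; confirm against the Cisco advisory
    return {"release": release, "dhcp_disabled": disabled, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG_DEFAULT))
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG_DISABLED))
```

The config check deliberately tests for the exact line rather than for the substring "dhcp", because "ip dhcp ..." statements can be present whether or not the DHCP service is on, and their presence says nothing about the input-queue exposure.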
II. Impact
By sending a specially crafted DHCP packet to an affected device, a
remote, unauthenticated attacker could cause the device to stop
processing incoming network traffic. Repeated exploitation of this
vulnerability could lead to a sustained denial-of-service condition.
In order to regain functionality, the device must be rebooted to clear
the input queue on the interface.
III. Solution
Upgrade to fixed versions of IOS
Cisco has published detailed information about upgrading affected
Cisco IOS software to correct this vulnerability. System managers are
encouraged to upgrade to one of the non-vulnerable releases. For
additional information regarding availability of repaired releases,
please refer to the "Software Versions and Fixes" section of the Cisco
Security Advisory.
Workarounds
Cisco recommends a number of workarounds. For a complete list of
workarounds, see the Cisco Security Advisory.
Appendix A. References
* Vulnerability Note VU#630104 -
<http://www.kb.cert.org/vuls/id/630104>
* Cisco Security Advisory: "Cisco IOS DHCP Blocked Interface
Denial-of-Service" -
<http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml>
_________________________________________________________________
US-CERT thanks Cisco Systems for notifying us about this problem.
_________________________________________________________________
Feedback can be directed to the authors: Jeff Havrilla, Damon Morda,
and Jason Rafail
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-316A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
Nov 11, 2004: Initial release
Last updated November 11, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQZP5KBhoSezw4YfQAQLfEAgAlabhwlqCsQXLVFjedNKxa2CmRPYta5aC
GXy6I+TDAVv7V57pz4QE4LxreUEb2vyc8CE4TWUy5PL7+tR0IEduur7XXnOs13Is
O77GyYxBzxtOi+12zAui2wVM8gepobMS6JwYY7V5tyCRZ7mT7lGkVXzO2xHwFsM7
l6meXU/3eO0AjUv5NmJWBuWuGcPny3qyy3M4rgAcRCXIEWaVMnSCAALfSfPS6Ea8
6qYTmXOCbOnEC1RfdnRDgfmnWGwX5RlOPSrDJr3uS5DEkuEvFwaBnIDWMVtQUnvv
oL1jZwbFVY1WNuPIosKSFSBs0U4l7RStiwSw3BF/EbgPrUBg3ugYyw==
=gshZ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-315A
Buffer Overflow in Microsoft Internet Explorer
Original release date: November 10, 2004
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows systems running
* Internet Explorer versions 6.0 and later; previous versions of
Internet Explorer may also be affected
* Other programs that host the WebBrowser ActiveX control
Overview
Microsoft Internet Explorer (IE) contains a buffer overflow
vulnerability that could allow a remote attacker to execute
arbitrary code with the privileges of the user running IE.
I. Description
A buffer overflow vulnerability exists in the way IE handles the
SRC and NAME attributes of various elements, including FRAME,
IFRAME, and EMBED. Because IE fails to properly check the size of
the NAME and SRC attributes, a specially crafted HTML document can
cause a buffer overflow in heap memory. Due to the dynamic nature
of the heap, it is usually difficult for attackers to execute
arbitrary code using this type of vulnerability.
However, if heap memory is prepared in a special manner, an
attacker could execute arbitrary code more easily. Publicly
observed exploits use scripting to prepare the heap, though this
may be accomplished without scripting. Without the ability to
prepare the heap, the impact is most likely limited to denial of
service.
This vulnerability is described in further detail in VU#842160.
II. Impact
By convincing a user to view a specially crafted HTML document
(e.g., a web page or an HTML email message), an attacker could
execute arbitrary code with the privileges of the user. The
attacker could also cause IE (or any program that hosts the
WebBrowser ActiveX control) to crash.
Reports indicate that this vulnerability is being exploited by
malicious code propagated via email. When a user clicks on a URL in
a malicious email message, IE opens and displays an HTML document
that exploits the vulnerability. This malicious code may be
referred to as MyDoom.{AG,AH,AI} or Bofra.
III. Solution
Until a complete solution is available from Microsoft, consider the
following workarounds:
Install Windows XP SP2
Microsoft Windows XP SP2 does not appear to be affected by this
vulnerability. If you are using Windows XP, please update to SP2.
Disable Active scripting
To help protect against attacks that use scripting to prepare the
heap, disable Active scripting in any zone used to render untrusted
HTML content (typically the Internet Zone and Restricted Sites
Zone). Instructions for disabling Active scripting in the Internet
Zone can be found in the Malicious Web Scripts FAQ.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant
messages, web forums, or Internet relay chat (IRC) channels. While
this is generally good security practice, following this behavior
will not prevent exploitation of this vulnerability in all
cases. For example, a trusted web site could be compromised and
modified to deliver exploit script to unsuspecting clients.
Read and send email in plain text format
Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
to view email messages in text format. Consider the security of
fellow Internet users and send email in plain text format when
possible. Note that reading and sending email in plain text will
not necessarily prevent exploitation of this vulnerability.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and
prevent some exploit attempts. Variations of exploits or attack
vectors may not be detected. Do not rely solely on anti-virus software
to defend against this vulnerability. More information about viruses
and anti-virus vendors is available on the US-CERT Computer Virus
Resources page.
Appendix A. References
* Vulnerability Note VU#842160 -
<http://www.kb.cert.org/vuls/id/842160>
* Windows XP SP2 -
<http://www.us-cert.gov/cas/alerts/SA04-243A.html>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html>
* US-CERT Computer Virus Resources Page -
<http://www.us-cert.gov/other_sources/viruses.html>
* About the Browser (Internet Explorer - WebBrowser) -
<http://msdn.microsoft.com/workshop/browser/overview/Overview.asp>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann and Art Manion.
Send mail to <cert@cert.org>.
Please include the Subject line "TA04-315A Feedback VU#842160".
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA04-315A.html>
_________________________________________________________________
Revision History
November 10, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQZJ1mBhoSezw4YfQAQI3iAf+LS3++j7u55GXcK2sKED6gi8ZHTXY/85t
0Z2bsLVkvQYq7FmDMRZR1Id9gGadzbj+FvaCoilAqcfxjNG8MrDwuuZ/w2/F2zLn
ybOsQK5qdIcU7InbVWiWwi4oNSmTkWqtbM4YtYISPRVpvfvgAFKjhGJFGtniu4qa
rGdyqyxmMZnUY47MVyqy1umYPcMeMDExoeLEOCnKfxzxbTdYLz1pKA8Oru/tOGdP
FaLj8S1i041dquKYtNb1dedUL6WlP2sy8hyk4Q+S5R0g0pfsETByNx4IsXJ+3fy3
a6uOqIn0q+ptqZ0Mv2f2XTCAi+tKeCHml1IaowDEBNzEPFi/yP3vOw==
=LS8m
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA04-293A
Multiple Vulnerabilities in Microsoft Internet Explorer
Original release date: October 19, 2004
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows systems running
* Internet Explorer versions 5.01 and later; previous,
unsupported versions of Internet Explorer may also be affected
* Programs that use the WebBrowser ActiveX control (WebOC) or
MSHTML rendering engine
Overview
Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
the most severe of which could allow a remote attacker to execute
arbitrary code with the privileges of the user running IE.
I. Description
Microsoft Security Bulletin MS04-038 describes a number of IE
vulnerabilities, including buffer overflows, cross-domain
scripting, spoofing, and "drag and drop." Further details are
available in the following vulnerability notes:
* VU#291304 - Microsoft Internet Explorer contains a buffer overflow
in CSS parsing
A buffer overflow vulnerability exists in the way that IE
processes Cascading Style Sheets (CSS). This could allow an
attacker to execute arbitrary code or cause a denial of service.
(CAN-2004-0842)
* VU#637760 - Microsoft Internet Explorer Install Engine contains a
buffer overflow vulnerability
The IE Active Setup Install Engine (inseng.dll), which is used to
decompress ActiveX controls stored in CAB files, contains a buffer
overflow vulnerability. This could allow an attacker to execute
arbitrary code. (CAN-2004-0216)
* VU#207264 - Microsoft Internet Explorer does not properly handle
function redirection (Similar Method Name Redirection Cross Domain
Vulnerability)
IE does not properly validate redirected functions. The impact is
similar to that of a cross-site scripting vulnerability, allowing
an attacker to access data and execute script in other domains,
including the Local Machine Zone. (CAN-2004-0727)
* VU#526089 - Microsoft Internet Explorer treats arbitrary files as
images for drag and drop operations (Drag and Drop Vulnerability)
IE treats arbitrary files as images during "drag and drop" mouse
operations. This could allow an attacker to trick a user into
copying a file to a location where it could be executed, such as
the user's Startup folder. (CAN-2004-0839)
* VU#413886 - Microsoft Internet Explorer allows mouse events to
manipulate window objects and perform "drag and drop" operations
(Script in Image Tag File Download Vulnerability, HijackClick 3)
IE dynamic HTML (DHTML) mouse events can manipulate windows to
copy objects from one domain to another, including the Local
Machine Zone. This could allow an attacker to write an arbitrary
file to the local file system in a location where it could be
executed, such as the user's Startup folder. (CAN-2004-0841)
In addition, MS04-038 describes two address bar spoofing
vulnerabilities (VU#625616, VU#431576) that could allow an attacker
to deceive a user about the location of a web site; a vulnerability
involving cached HTTPS files (VU#795720) that could allow an
attacker to read from or inject data into an HTTPS web site; and a
vulnerability in which IE6 on Windows XP ignores the "Drag and drop
and copy and paste files" setting (VU#630720).
Any program that uses the WebBrowser ActiveX control (WebOC) or
MSHTML rendering engine could be affected by these vulnerabilities.
II. Impact
The impacts of these vulnerabilities vary, but an attacker may be
able to execute arbitrary code with the privileges of the user
running IE. An attacker could also exploit these vulnerabilities
to perform social engineering attacks such as spoofing or phishing
attacks. In most cases, an attacker would need to convince a user
to view an HTML document (web page, HTML email message) with IE or
another program that uses the WebBrowser ActiveX control or MSHTML
rendering engine.
In some cases, an attacker could combine two or more
vulnerabilities to write an arbitrary file to the local file system
in a sensitive location, such as the user's Startup folder. US-CERT
has monitored reports of attacks against some of these
vulnerabilities.
III. Solution
Apply a patch
Apply the appropriate patch as specified by Microsoft Security
Bulletin MS04-038.
Disable Active scripting and ActiveX controls
To protect from attacks against several of these vulnerabilities,
disable Active scripting and ActiveX controls in any zone used to
render untrusted HTML content (typically the Internet Zone and
Restricted Sites Zone). Instructions for disabling Active scripting in
the Internet Zone can be found in the Malicious Web Scripts FAQ.
Upgrade to Windows XP Service Pack 2
Service Pack 2 for Windows XP contains security improvements for IE
that reduce the impact of some of these vulnerabilities.
Appendix A. References
* Vulnerability Note VU#291304 -
<http://www.kb.cert.org/vuls/id/291304>
* Vulnerability Note VU#637760 -
<http://www.kb.cert.org/vuls/id/637760>
* Vulnerability Note VU#207264 -
<http://www.kb.cert.org/vuls/id/207264>
* Vulnerability Note VU#526089 -
<http://www.kb.cert.org/vuls/id/526089>
* Vulnerability Note VU#413886 -
<http://www.kb.cert.org/vuls/id/413886>
* Vulnerability Note VU#625616 -
<http://www.kb.cert.org/vuls/id/625616>
* Vulnerability Note VU#431576 -
<http://www.kb.cert.org/vuls/id/431576>
* Vulnerability Note VU#795720 -
<http://www.kb.cert.org/vuls/id/795720>
* Vulnerability Note VU#630720 -
<http://www.kb.cert.org/vuls/id/630720>
* Vulnerability Note VU#673134 -
<http://www.kb.cert.org/vuls/id/673134>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html>
* Microsoft Security Bulletin MS04-038 -
<http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx>
_________________________________________________________________
Information used in this document came from Microsoft Security
Bulletin MS04-038. Microsoft credits Greg Jones, Peter Winter-Smith,
Mitja Kolsek, and John Heasman for reporting several vulnerabilities.
Will Dormann reported the IE6 Windows XP drag and drop setting
vulnerability.
_________________________________________________________________
Feedback can be directed to the authors: Art Manion and Will Dormann.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-293A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
October 19, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQXWoaRhoSezw4YfQAQKZfwgAgV5v+A2qGlqq1jlo1OSpbSY6NqRpw001
0+QCbr8eJpdl6JV6m+wcZwGKj0Hhm0CfF0ysMKw7cHB0m0XSVVma0EGKRoztIrIh
i8yrHRF6zopsatf+qXciG1o4uB9TOZGz/1oUvdyH8d4s3PaqJH2+zAEJyV6mz6WD
uudFcHuTEpQcmgLMJF8G8/s/gsMF565fv+Uox6rizQgYoGDAApVh5U3Rh5fnI20c
aKoUofqiZn39cNjZRpxiCD2n72/oDr12aZQwjOnOZjHbWIqv92NmaTupUkmsnyk7
mnxKs3LwCKgTVKBjlEwOZSL0ryY9bzJaimUDWit/h24YMCBh8y4xiQ==
=6qiJ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA04-286A
Multiple Vulnerabilities in Microsoft Windows, Internet Explorer, and Excel
Original release date: October 12, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Excel, including Macintosh versions
Overview
By taking advantage of one or more vulnerabilities in Microsoft
products, an attacker may be able to take control of your computer.
Solution
Apply updates
Microsoft has released security updates for a number of products,
including Windows, Internet Explorer, and Excel. To obtain the
updates, visit the Windows Update and Office Update web sites.
US-CERT also recommends enabling Automatic Updates.
Description
There are vulnerabilities in multiple Microsoft products, including
Windows, Internet Explorer, and Excel. Many of these
vulnerabilities could allow an attacker to take control of your
computer. In some cases, an attacker could exploit a vulnerability
without any action from you. In other cases, you would need to open
a malicious document such as a web site, email message, image, or
Excel spreadsheet.
References
* Windows Security Updates for October 2004 -
<http://www.microsoft.com/security/bulletins/200410_windows.mspx>
* Protect Your PC - <http://www.microsoft.com/protect/>
_________________________________________________________________
Feedback can be directed to US-CERT at <cert@cert.org>. Please
include the subject line "SA04-286A Feedback INFO#580012".
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/alerts/SA04-196A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
October 12, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQWxIXRhoSezw4YfQAQKOqQf9Hk6nZ1+48VtKQxnp/G8inbih2LduPRtI
7HxdWWpMPgOcyYQ79KuxZ/R/KZLoWrvjWQdkkSg5CidCRq5h220L9bYlAixlBIOc
Z5xKl8f6rR0AU3VyCnsFMcdlP6H1lsPw/e454r9EMpc4vx5eSrG7JE9PHH+aOVjF
PkiZWCiQHlWRNdLFkjK+8qUff28I5oxz7g+SP7v93tkgyemuXNQS50EsebK2R0DG
yUYUZxBG5rYCi6cfwpNdWYl4w4syovsKMpXKOLmYCDduBZ/e3Cotcedq3XP69ijQ
L6MGMbmF7sH3OBv05iVjvTEyUOgpEvaoUqelMbfDKSLoUk6Tk3usiw==
=wcl5
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Alert SA04-261A
Multiple vulnerabilities in Mozilla products
Original release date: September 17, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Mozilla Suite (Mozilla web browser, Mozilla Mail)
* Firefox web browser
* Thunderbird email client
Overview
By taking advantage of one or more vulnerabilities in Mozilla
products, an attacker may be able to take control of your computer.
Solution
Upgrade to the latest version
Mozilla has released updated versions of the affected products. You
can download the latest versions:
* Mozilla
* Firefox
* Thunderbird
Description
There are vulnerabilities in various features of Mozilla's web
browsers and email clients. Some of the vulnerabilities are
connected to the way the application handles URLs or images. In one
instance, an attacker could cause an application to crash or could
take control of your computer by convincing you to view a malicious
web site or email message.
For more technical information, see US-CERT Technical Alert
TA04-261A.
References
* Known Vulnerabilities in Mozilla -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>
* US-CERT Technical Cyber Security Alert TA04-261A -
<http://www.us-cert.gov/cas/techalerts/TA04-261A.html>
_________________________________________________________________
Feedback can be directed to US-CERT.
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
This document is available from
<http://www.us-cert.gov/cas/alerts/SA04-261A.html>
Revision History
September 17, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQUtC8RhoSezw4YfQAQL4gAf/Wu5pYhSMCOGAjBH+pdAFFTaEGuBsRUne
LqUdj0I1lTdpEPW7ciBbV+C6iBdYM7slcr+k4mlnRD/tL2HWmpg8ebAqo2SYpURB
q2mWTksR7wgCWyw1GLOitfNliwNjLs6jg01aFq4xsBnnBaLCRbwmUktuer8zuqDL
3ANJbMF9LHRFB5uex7TMKuAHuq4KQy6zShoxmC71p4nWSBZ+sK8DYzKdDV90/M34
5Qwyuw9l73STw3wRULm2dKOPp5nRmlSubxD8Ftrhc08ZHssD4373Tv7rBAkVnzus
yu4If21Wq8ISXVSNAUBAmsMWJHR3unqq6XVrcikqSKwDU8i0wVG0WQ==
=XPw9
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-260A
Microsoft Windows JPEG component buffer overflow
Original release date: September 16, 2004
Last revised: --
Source: US-CERT
Systems Affected
This vulnerability affects the following Microsoft Windows operating
systems by default:
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
Other Microsoft Windows operating systems, including systems running
Microsoft Windows XP Service Pack 2, are not affected by default.
However, this vulnerability may affect all versions of the Microsoft
Windows operating systems if an application or update installs a
vulnerable version of the gdiplus.dll file onto the system.
Please note that this vulnerability affects any software that uses the
Microsoft Windows operating system or Microsoft's GDI+ library to
render JPEG graphics. Please see the Systems Affected section of the
vulnerability note to determine if third-party software is affected. A
list of affected Microsoft products is available in Appendix B, or for
the complete list of affected and non-affected Microsoft products,
please see Microsoft Security Bulletin MS04-028.
Overview
Microsoft's Graphic Device Interface Plus (GDI+) contains a
vulnerability in the processing of JPEG images. This vulnerability may
allow attackers to remotely execute arbitrary code on the affected
system. Exploitation may occur as the result of viewing a malicious
web site, reading an HTML-rendered email message, or opening a crafted
JPEG image in any vulnerable application. The privileges gained by a
remote attacker depend on the software component being attacked.
I. Description
Microsoft Security Bulletin MS04-028 describes a remotely exploitable
buffer overflow vulnerability in Microsoft's Graphic Device Interface
Plus (GDI+) JPEG processing component. Attackers can exploit this
vulnerability by convincing a victim user to visit a malicious web
site, read an HTML-rendered email message, or otherwise view a crafted
JPEG image with a vulnerable application. No user intervention is
required beyond viewing an attacker-supplied JPEG image.
Any applications (Microsoft or third-party) that use the GDI+ library
to render JPEG images may present additional attack vectors for this
vulnerability. While some applications use the Windows operating
system version of the GDI+ library, other applications may install and
use another version, which may also be vulnerable. Microsoft has
created a GDI+ Detection Tool to help detect products that may contain
a vulnerable version of the JPEG parsing component. Microsoft
Knowledge Base Article 873374 provides instructions on how to download
and use this tool.
In addition to running Microsoft's detection utility, we recommend
searching your system for "gdiplus.dll" to help determine what
third-party applications may be affected by this vulnerability. Also
note that applications may re-install a vulnerable version of the GDI+
library if re-installed after a patch has been applied.
We are tracking this vulnerability in Vulnerability Note VU#297462.
This reference number corresponds to CVE candidate CAN-2004-0200.
II. Impact
Remote attackers exploiting the vulnerability described above may
execute arbitrary code with the privileges of the user running the
software components being attacked.
III. Solution
Apply patches from Microsoft
Apply the appropriate patches as specified in Microsoft Security
Bulletin MS04-028. Please note that this bulletin provides several
updates to the operating system and various applications that rely on
GDI+ to render JPEG images. Depending on your system's configuration,
you may need to install multiple patches.
In addition to releasing some patches on Windows Update, Microsoft has
released some patches on Office Update, and developer tool patches are
available from MS04-028.
Apply patches from third-party vendors
Third-party software that relies on GDI+ to render JPEG images may
also need to be updated. Apply the appropriate patches specified by
your vendor. Please see your vendor's site and the Systems Affected
section of the vulnerability note for more information. Depending on
your system's configuration, you may need to install multiple
patches.
Follow Microsoft recommendations for workarounds
Microsoft provides several workarounds for this vulnerability. Note
that these workarounds do not remove the vulnerability from the
system, and they will limit functionality. Please consult the
"Workarounds for JPEG Vulnerability - CAN-2004-0200" section of
Microsoft Security Bulletin MS04-028.
Appendix A. References
* Microsoft Security Bulletin MS04-028 -
<http://microsoft.com/technet/security/bulletin/MS04-028.asp>
* Microsoft End User Security Bulletin for MS04-028 -
<http://www.microsoft.com/security/bulletins/200409_jpeg.mspx>
* US-CERT Vulnerability Note VU#297462 -
<http://www.kb.cert.org/vuls/id/297462>
* Microsoft KB Article 873374 -
<http://support.microsoft.com/?id=873374>
* CVE CAN-2004-0200 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0200>
Appendix B. Affected Microsoft Products
The following Microsoft Products are affected:
* Microsoft Office XP Service Pack 3
* Microsoft Office XP Service Pack 2
* Microsoft Office XP Software:
+ Outlook 2002
+ Word 2002
+ Excel 2002
+ PowerPoint 2002
+ FrontPage 2002
+ Publisher 2002
* Microsoft Office 2003
* Microsoft Office 2003 Software:
+ Outlook 2003
+ Word 2003
+ Excel 2003
+ PowerPoint 2003
+ FrontPage 2003
+ Publisher 2003
+ InfoPath 2003
+ OneNote 2003
* Microsoft Project 2002 Service Pack 1 (all versions)
* Microsoft Project 2003 (all versions)
* Microsoft Visio 2002 Service Pack 2 (all versions)
* Microsoft Visio 2003 (all versions)
* Microsoft Visual Studio .NET 2002
* Microsoft Visual Studio .NET 2002 Software:
+ Visual Basic .NET Standard 2002
+ Visual C# .NET Standard 2002
+ Visual C++ .NET Standard 2002
* Microsoft Visual Studio .NET 2003
* Microsoft Visual Studio .NET 2003 Software:
+ Visual Basic .NET Standard 2003
+ Visual C# .NET Standard 2003
+ Visual C++ .NET Standard 2003
+ Visual J# .NET Standard 2003
* The Microsoft .NET Framework version 1.0 SDK Service Pack 2
* Microsoft Picture It! 2002 (all versions)
* Microsoft Greetings 2002
* Microsoft Picture It! version 7.0 (all versions)
* Microsoft Digital Image Pro version 7.0
* Microsoft Picture It! version 9 (all versions, including Picture
It! Library)
* Microsoft Digital Image Pro version 9
* Microsoft Digital Image Suite version 9
* Microsoft Producer for Microsoft Office PowerPoint (all versions)
* Microsoft Platform SDK Redistributable: GDI+
* Internet Explorer 6 Service Pack 1
* The Microsoft .NET Framework version 1.0 Service Pack 2
* The Microsoft .NET Framework version 1.1
_________________________________________________________________
Feedback can be directed to the US-CERT Technical Staff.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-260A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
Sept 16, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQUnrRhhoSezw4YfQAQJUHQf/RWwQLPaATa/RdE+j8PLEiJdLlh17XxaR
b0/irS0+Sx83t7HAuWgQdZR4xu5qIkUuWYKCTEPNHNXfwSNJc6LE3/MfoEurFVzE
SdChZa3/q3rc3631COon9B8yNVvUQqaQIe3BjwwJWlaj4F9Su9QrcO7N6JpVuJsW
dc0FuiVy/fJB2Jji+31q3krekW2BHuTA0I7TUaahwy18RHnJDNPUgldQenf8+A6E
Y8G98ofdruO/zR5jIceRKpd2lTWFamQmV5IgvH25LoXro1negtS72SkqWl4zqVyK
12bfvjkFWqRhociMssA4ehz52SqUT71lZCyxFkqtrNiJuDJrkgek3w==
=CCT/
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Alert SA04-258A
Vulnerability in Microsoft Image Processing Component
Original release date: September 14, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Applications that process JPEG images on Microsoft Windows,
including but not limited to
+ Internet Explorer
+ Microsoft Office
+ Microsoft Visual Studio
+ Picture It!
+ Applications from other vendors besides Microsoft
Overview
An attacker may be able to gain control of your computer by taking
advantage of the way some programs process the JPEG image format.
Solution
Apply a patch
Microsoft has issued updates to address the problem. Obtain the
appropriate update from Windows Update and from Office Update.
Note: You may need to install multiple patches depending on what
software you have on your computer.
Use caution with email attachments
Never open unexpected email attachments. Before opening an
attachment, save it to a disk and scan it with anti-virus software.
Make sure to turn off the option to automatically download
attachments.
View email messages in plain text
Email programs like Outlook and Outlook Express interpret HTML code
the same way that Internet Explorer does. Attackers may be able to
take advantage of that by sending malicious HTML-formatted email
messages.
Maintain updated anti-virus software
It is important that you use anti-virus software and keep it up to
date. Most anti-virus software vendors frequently release updated
information, tools, or virus databases to help detect and recover
from virus infections. Many anti-virus packages support automatic
updates of virus definitions. US-CERT recommends using these
automatic updates when possible.
Description
Microsoft Windows Graphics Device Interface (GDI+) is used to
display information on screens and printers, including JPEG image
files. An attacker could execute arbitrary code on a vulnerable
system if the user opens a malicious JPEG file via applications
such as a web browser, email program, internet chat program, or via
email attachment. Any application that uses GDI+ to process JPEG
image files is vulnerable to this type of attack. This
vulnerability also affects products from companies other than
Microsoft.
References
* September 2004 Security Update for JPEG Processing (GDI+) -
<http://www.microsoft.com/security/bulletins/200409_jpeg.mspx>
* US-CERT Vulnerability Note VU#297462 -
<http://www.kb.cert.org/vuls/id/297462>
_________________________________________________________________
Author: Mindi McDowell. Feedback can be directed to US-CERT, at
"US-CERT Security Alerts" at <mailto:cert@cert.org>. Please include
the Subject line "SA04-258A Feedback VU#297462".
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
This document is available from
<http://www.us-cert.gov/cas/alerts/SA04-258A.html>
Revision History
September 14, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBR3B1XlvNRxAkFWARAtRbAJ9FRO0XqiiEMNjjwGoTBpox2wJqWgCg1YzJ
8JEt8xDHp6Gm5LXjI8y0uOU=
=ehyf
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-245A
Multiple Vulnerabilities in Oracle Products
Original release date: September 1, 2004
Last revised: --
Source: US-CERT
Systems Affected
The following Oracle applications are affected:
* Oracle Database 10g Release 1, version 10.1.0.2
* Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and
9.0.4
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
* Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
* Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and
9.0.4.1
* Oracle9i Application Server Release 2, versions 9.0.2.3 and
9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
Oracle's Collaboration Suite and E-Business Suite 11i contain some of
the vulnerable components and are also affected.
According to Oracle, the following product releases and versions, and
all future releases and versions are not affected:
* Oracle Database 10g Release 1, version 10.1.0.3
* Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not
yet available)
* Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet
available)
Overview
Several vulnerabilities exist in the Oracle Database Server,
Application Server, and Enterprise Manager software. The most serious
vulnerabilities could allow a remote attacker to execute arbitrary
code on an affected system. Oracle's Collaboration Suite and
E-Business Suite 11i contain the vulnerable software and are affected
as well.
I. Description
Several vulnerabilities have been reported in Oracle's Database
Server, Application Server, and Enterprise Manager software. According
to reports, several buffer overflow, format string, SQL injection and
other types of vulnerabilities were discovered and reported to Oracle.
Oracle has released Oracle Security Alert #68 (pdf) to address these
vulnerabilities. We are tracking them as follows:
VU#170830 - Oracle Enterprise Manager contains several
vulnerabilities
VU#316206 - Oracle Database Server contains several vulnerabilities
VU#435974 - Oracle Application Server contains several
vulnerabilities
As more information becomes available, we will update these
vulnerability notes as appropriate.
II. Impact
The impacts of the vulnerabilities described above are unclear.
According to credible reports, the impacts of these vulnerabilities
range from remote unauthenticated execution of arbitrary code to data
corruption or leakage.
III. Solution
Apply a patch or upgrade
Apply the appropriate patch or upgrade as specified in the Oracle
Security Alert #68 (pdf).
Organizations that use Oracle's Collaboration Suite or E-Business
Suite 11i should see Oracle Security Alert #68 (pdf) for remediation
instructions.
Appendix A. References
* Oracle Security Alert #68 (pdf) -
<http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf>
* US-CERT Vulnerability Note VU#316206 -
<http://www.kb.cert.org/vuls/id/316206>
* US-CERT Vulnerability Note VU#435974 -
<http://www.kb.cert.org/vuls/id/435974>
* US-CERT Vulnerability Note VU#170830 -
<http://www.kb.cert.org/vuls/id/170830>
_________________________________________________________________
US-CERT thanks all the parties involved in researching and reporting
these vulnerabilities. Specifically, Oracle credits the people for
discovering these issues: David Litchfield, Michael Litchfield, Cesar
Cerrudo, Pete Finnigan, Jonathan Gennick, Alexander Kornbrust, Stephen
Kost, Matt Moore, Aaron Newman, Andy Rees, and Christian Schaller.
_________________________________________________________________
Feedback can be directed to the author: Jason A. Rafail.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-245A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
Sep 1, 2004: Initial release
Last updated September 01, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBNihCXlvNRxAkFWARAplJAJ9AROpSu/1ykM0LkIcpnoADxTKHFwCgtE4b
OLKV86pUUBI7/iE2GVtHA8s=
=M7Dk
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA04-243A
Security Improvements in Windows XP Service Pack 2
Original release date: August 30, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows XP
Overview
Microsoft Windows XP Service Pack 2 (SP2) significantly improves
your computer's defenses against attacks and vulnerabilities.
Recommendation
To help protect your Windows XP computer from attacks and
vulnerabilities, install Service Pack 2 using Windows Update or
Automatic Updates.
Note: Service Pack 2 makes significant changes to improve the
security of Windows XP, and these changes may have negative effects
on some programs and Windows functionality. Before you install
Service Pack 2, back up your important data and consult your
computer manufacturer's web site for information about Service
Pack 2.
Description
Windows XP Service Pack 2 is a major operating system update that
contains a number of new security updates and features. Like other
Microsoft Service Packs, Windows XP Service Pack 2 also includes
previously released security fixes and other operating system
updates. Following is a summary of the new security updates and
features in Service Pack 2:
* Windows Firewall
Windows Firewall is enabled in almost all configurations, blocking
network traffic coming into your computer. Blocking this traffic
helps to protect you from worms and other malicious code that
spread via the Internet.
* Internet Explorer Local Machine Zone Lockdown
New settings for Internet Explorer disable the execution of
ActiveX controls and Active scripting in the Local Machine Zone.
This protects you from attacks and vulnerabilities such as
Download.Ject.
* Additional Internet Explorer Security Changes
Internet Explorer now includes a pop-up blocker, additional window
restrictions, and changes in MIME type handling that better defend
against social engineering and "phishing" attacks. A browser
add-on management interface provides a way to identify and disable
programs that run as part of Internet Explorer. Enhanced
protection against security zone elevation and object caching
vulnerabilities helps defend against malicious web scripts.
* Email Handling Technologies
Outlook Express now supports the ability to read and compose
messages in plain text and to block external HTML content such as
"web bugs." Security checks are now performed in a more consistent
way to help prevent the execution of malicious attachments.
* Security Center
The Security Center "...provides a central location for changing
security settings, learning more about security, and ensuring that
[your] computer is up to date, with the essential security
settings that are recommended by Microsoft."
* Automatic Updates
The update services and automatic update feature of Windows XP
have been improved. US-CERT highly recommends that you enable
Automatic Updates.
* Data Execution Prevention
Memory protection helps prevent attackers from executing code on
your computer.
References
* Windows XP Service Pack 2 -
<http://www.microsoft.com/windowsxp/sp2/>
* What to Know Before You Download and Install Windows XP Service
Pack 2 -
<http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx>
* Get the Latest Updates and Information from Your PC Manufacturer
Before Installing Windows XP Service Pack 2 -
<http://www.microsoft.com/windowsxp/sp2/oemlinks.mspx>
* Backing up your computer files -
<http://www.microsoft.com/athome/security/update/backup.mspx>
* Programs that are known to experience a loss of functionality when
they run on a Windows XP Service Pack 2-based computer -
<http://support.microsoft.com/?id=884130>
_________________________________________________________________
Authors: Art Manion and Mindi McDowell. Feedback can be directed to
the US-CERT Technical Staff.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/alerts/SA04-196A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
August 30, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBM3O5XlvNRxAkFWARAqTCAKDoodz5PRNBBC7t6B8IPJbZt2SsSQCdFviV
PWDxGS84QGj6gW0rKfxf1Nk=
=xJHo
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Multiple Vulnerabilities in libpng
Original release date: August 4, 2004
Last revised: --
Source: US-CERT
Systems Affected
Applications and systems that use the libpng library.
Overview
Several vulnerabilities exist in the libpng library, the most serious
of which could allow a remote attacker to execute arbitrary code on an
affected system.
I. Description
The Portable Network Graphics (PNG) image format is used as an
alternative to other image formats such as the Graphics Interchange
Format (GIF). libpng is a popular reference library available for
application developers to support the PNG image format.
Several vulnerabilities have been reported in the libpng library. Any
application or system that uses this library may be affected. More
detailed information is available in the individual vulnerability
notes:
VU#388984 - libpng fails to properly check length of transparency
chunk (tRNS) data
A buffer overflow vulnerability has been discovered in the way that
libpng processes PNG images. This vulnerability could allow a remote
attacker to execute arbitrary code on a vulnerable system by
introducing a specially crafted PNG image.
(Other references: CAN-2004-0597)
VU#236656 - libpng png_handle_iCCP() NULL pointer dereference
Under some circumstances, a null pointer may be dereferenced during a
memory allocation in the png_handle_iCCP() function. As a result, a
PNG image with particular characteristics could cause the affected
application to crash. Similar errors are reported to exist in other
locations within libpng.
(Other references: CAN-2004-0598)
VU#160448 - libpng integer overflow in image height processing
An integer overflow error exists in the handling of PNG image height
within the png_read_png() function. As a result, a PNG image with
excessive height may cause an integer overflow during a memory
allocation operation, which could cause the affected application to
crash.
(Other references: CAN-2004-0599)
VU#477512 - libpng png_handle_sPLT() integer overflow
A potential integer overflow error exists during a memory allocation
operation within the png_handle_sPLT() function. It is unclear what
practical impact this error might have on applications using libpng.
(Other references: CAN-2004-0599)
VU#817368 - libpng png_handle_sBIT() performs insufficient bounds
checking
A potentially insufficient bounds check exists within the
png_handle_sBIT() function. A similar error exists in the
png_handle_hIST() function. While the code that contains these errors
could potentially permit a buffer overflow to occur during a
subsequent png_crc_read() operation, it is unclear what practical
vulnerabilities it might present in applications using libpng.
(Other references: CAN-2004-0597)
VU#286464 - libpng contains integer overflows in progressive display
image reading
The libpng library provides the ability to display interlaced, or
progressive display, PNG images. A number of potential integer
overflow errors exist in libpng's handling of such progressive display
images. While the code that contains these errors introduces dangerous
conditions, it is unclear what practical vulnerabilities it might
present in applications using libpng.
(Other references: CAN-2004-0599)
II. Impact
In the case of VU#388984, an attacker with the ability to introduce a
malformed PNG image to a vulnerable application could cause the
application to crash or could potentially execute arbitrary code with
the privileges of the user running the affected application.
In the case of VU#236656 and VU#160448, an attacker with the ability
to introduce a malformed PNG image to a vulnerable application could
cause the application to crash.
The impacts of the other vulnerabilities described above are unclear.
A remote attacker could cause an application to crash or potentially
execute arbitrary code by convincing a victim user to visit a
malicious web site or view an email message containing a malformed
image.
III. Solution
Apply a patch or upgrade
Apply the appropriate patch or upgrade as specified by your vendor.
For vendor-specific responses, please see your vendor's web site or
the individual vulnerability notes.
For individuals who rely on the original source of libpng, these
issues have been resolved in libpng version 1.2.6rc1 (release
candidate 1).
Appendix A. References
* Chris Evans Security Advisory 2004.1 -
<http://scary.beasts.org/security/CESA-2004-001.txt>
* libpng Homepage - <http://libpng.sourceforge.net>
* Portable Network Graphics (PNG) Homepage -
<http://www.libpng.org/pub/png>
* US-CERT Vulnerability Note VU#388984 -
<http://www.kb.cert.org/vuls/id/388984>
* US-CERT Vulnerability Note VU#817368 -
<http://www.kb.cert.org/vuls/id/817368>
* US-CERT Vulnerability Note VU#286464 -
<http://www.kb.cert.org/vuls/id/286484>
* US-CERT Vulnerability Note VU#477512 -
<http://www.kb.cert.org/vuls/id/477512>
* US-CERT Vulnerability Note VU#160448 -
<http://www.kb.cert.org/vuls/id/160448>
* US-CERT Vulnerability Note VU#236656 -
<http://www.kb.cert.org/vuls/id/236656>
* CVE CAN-2004-0597 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597>
* CVE CAN-2004-0598 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598>
* CVE CAN-2004-0599 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599>
_________________________________________________________________
US-CERT thanks Chris Evans for researching and reporting these
vulnerabilities.
_________________________________________________________________
Feedback can be directed to the US-CERT Technical Staff.
_________________________________________________________________
The latest copy of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA04-217A.html>
Copyright 2004 Carnegie Mellon University. Terms of use
Revision History
Aug 4, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBER8VXlvNRxAkFWARAtSFAKCGG0ALkKpzC3fhY3jlGZQDyzN5TgCg9g9c
lQD3Z5OoJ30TQenb8/lwjn0=
=d+t3
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Multiple Vulnerabilities in Systems Running Microsoft Windows
Original release date: July 30, 2004
Last revised: --
Source: US-CERT
Systems Affected
- Microsoft Windows systems; specifically, some versions of the
following programs:
* Microsoft Windows NT
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
* Microsoft Windows 98
* Microsoft Windows Millennium Edition
* Microsoft Internet Explorer 5
* Microsoft Internet Explorer 6
Overview
Microsoft has reported two vulnerabilities in the way Internet
Explorer processes certain types of images. Attackers may be able
to gain control of your machine if you view a malicious image,
visit a web page, or open an email message that contains these
images.
Microsoft has also published an update to address the cross-domain
vulnerability discussed in SA04-163A. This vulnerability may allow
an attacker to alter a web site to point to a different location.
If the attacker can convince you to visit the site, they may be
able to gain control of your machine.
Solution
Apply a patch
Microsoft has issued updates that resolve this problem. Obtain the
appropriate update from Windows Update.
Use caution with email attachments
Never open unexpected email attachments. Before opening an
attachment, save it to a disk and scan it with anti-virus software.
Make sure to turn off the option to automatically download
attachments.
View email messages in plain text
Email programs like Outlook and Outlook Express interpret HTML code
the same way that Internet Explorer does. Attackers may be able to
take advantage of that by sending malicious HTML-formatted email
messages.
Maintain updated anti-virus software
It is important that you use anti-virus software and keep it up to
date. Most anti-virus software vendors frequently release updated
information, tools, or virus databases to help detect and recover
from virus infections. Many anti-virus packages support automatic
updates of virus definitions. US-CERT recommends using these
automatic updates when possible.
Description
In Microsoft Security Bulletin MS04-025, Microsoft describes a
critical vulnerability in the way Internet Explorer processes .GIF
and .BMP images. An attacker can use malicious images on a web page
or in HTML-formatted email messages. If the attacker can convince a
user to visit the web page, open the message, or otherwise view the
image, the attacker may be able to gain control of the user's
machine.
There is also a vulnerability in the way Internet Explorer
processes scripts. An attacker may be able to take advantage of
frames to redirect users to a malicious web site.
More technical information about this issue is available in
TA04-212A and Microsoft Security Bulletin MS04-025.
References
* Windows Security Updates for July 2004 -
<http://www.microsoft.com/security/bulletins/200407_windows.mspx>
* Multiple Remote Code Execution Vulnerabilities in Microsoft
Internet Explorer -
<http://www.us-cert.gov/cas/techalerts/TA04-212A.html>
* Microsoft Security Bulletin MS04-025 -
<http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx>
* US-CERT Computer Virus Resources -
<http://www.us-cert.gov/other_sources/viruses.html>
* Understanding Anti-Virus Software -
<http://www.us-cert.gov/cas/tips/ST04-005.html>
* Using Caution with Email Attachments -
<http://www.us-cert.gov/cas/tips/ST04-010.html>
* Home Network Security -
<http://www.cert.org/tech_tips/home_networks.html>
* Home Computer Security -
<http://www.cert.org/homeusers/HomeComputerSecurity/>
_________________________________________________________________
Author: Mindi McDowell. Feedback can be directed to the US-CERT
Technical Staff.
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Revision History
July 30, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBCuWXXlvNRxAkFWARAnajAKC4GTaFQRkTT3QIa85wHyLl3hDGIwCgmmDo
MLxGp6us3L4yzOtfzWsCEBg=
=r9CV
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Critical Vulnerabilities in Microsoft Windows
Original release date: July 30, 2004
Last revised: --
Source: US-CERT
Systems Affected
These vulnerabilities affect the following versions of Microsoft
Internet Explorer:
* Microsoft Internet Explorer 5.01 Service Pack 2
* Microsoft Internet Explorer 5.01 Service Pack 3
* Microsoft Internet Explorer 5.01 Service Pack 4
* Microsoft Internet Explorer 5.5 Service Pack 2
* Microsoft Internet Explorer 6
* Microsoft Internet Explorer 6 Service Pack 1
* Microsoft Internet Explorer 6 Service Pack 1 (64-Bit Edition)
* Microsoft Internet Explorer 6 for Windows Server 2003
* Microsoft Internet Explorer 6 for Windows Server 2003 (64-Bit
Edition)
These vulnerabilities affect the following versions of the Microsoft
Windows operating system:
* Microsoft Windows NT Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service
Pack 6
* Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000
Service Pack 3, Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (Me)
Please note that these vulnerabilities may affect any software that
uses the Microsoft Windows operating system to render HTML or
graphics.
Overview
Microsoft Internet Explorer contains three vulnerabilities that may
allow arbitrary code to be executed. The privileges gained by a remote
attacker depend on the software component being attacked. For example,
a user browsing to an unsafe web page using Internet Explorer could
have code executed with the same privilege as the user. These
vulnerabilities have been reported to be relatively straightforward to
exploit; even vigilant users visiting a malicious website, viewing a
malformed image, or reading an HTML-rendered email message may be
affected.
I. Description
Microsoft Security Bulletin MS04-025 describes three vulnerabilities
in Internet Explorer; more detailed information is available in the
individual vulnerability notes. Note that in addition to Internet
Explorer, any applications that use the Internet Explorer HTML
rendering engine to interpret HTML documents may present additional
attack vectors for these vulnerabilities.
VU#266926 - Microsoft Internet Explorer contains an integer overflow
in the processing of bitmap files
An integer overflow vulnerability has been discovered in the way that
Internet Explorer processes bitmap image files. This vulnerability
could allow a remote attacker to execute arbitrary code on a
vulnerable system by introducing a specially crafted bitmap file.
(Other resources: CAN-2004-0566)
VU#685364 - Microsoft Internet Explorer contains a double-free
vulnerability in the processing of GIF files
A double-free vulnerability has been discovered in the way that
Internet Explorer processes GIF image files. When processing GIF image
files, the routine responsible for freeing memory may attempt to free
the same memory reference more than once. Deallocating the already
freed memory can lead to memory corruption, which could cause a
denial-of-service condition or potentially be leveraged by an attacker
to execute arbitrary code.
(Other resources: CAN-2003-1048)
VU#713878 - Microsoft Internet Explorer does not properly validate
source of redirected frame Microsoft Internet Explorer does not
properly display URLs
As previously discussed in TA04-163A, Microsoft Internet Explorer does
not adequately validate the security context of a frame that has been
redirected by a web server. An attacker could exploit this
vulnerability to evaluate script in different security domains. By
causing script to be evaluated in the Local Machine Zone, the attacker
could execute arbitrary code with the privileges of the user running
Internet Explorer. For a detailed technical analysis of this
vulnerability, please see VU#713878.
(Other resources: CAN-2004-0549)
II. Impact
Remote attackers exploiting the vulnerabilities described above may
execute arbitrary code with the privileges of the user running the
software components being attacked (e.g., Internet Explorer).
Attackers can exploit these vulnerabilities by convincing a victim
user to visit a malicious website, view a malformed image, or read an
HTML-rendered email message. No user intervention is required beyond
viewing an attacker-supplied HTML document or image. For further
details, please see the individual vulnerability notes.
III. Solution
Apply a patch from Microsoft
Apply the appropriate patch as specified by Microsoft Security
Bulletin MS04-025. Please note that this bulletin provides a
cumulative update that replaces all previously released updates for
Internet Explorer, including those provided in MS04-004. However,
users who have applied hotfixes released after MS04-004 will need to
install MS04-025. Please see the FAQ section of Microsoft's advisory
for more details.
Follow Microsoft recommendations for workarounds
Microsoft provides several workarounds for each of these
vulnerabilities. Please consult the appropriate section(s) of
Microsoft Security Bulletin MS04-025.
Appendix A. Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to US-CERT, we will update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Microsoft
Please see Microsoft Security Bulletin MS04-025.
Appendix B. References
* US-CERT Technical Cyber Security Alert TA04-163A -
<http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
* US-CERT Cyber Security Alert TA04-212A -
<http://www.us-cert.gov/cas/alerts/SA04-212A.html>
* US-CERT Vulnerability Note VU#266926 -
<http://www.kb.cert.org/vuls/id/266926>
* US-CERT Vulnerability Note VU#685364 -
<http://www.kb.cert.org/vuls/id/685364>
* US-CERT Vulnerability Note VU#713878 -
<http://www.kb.cert.org/vuls/id/713878>
* Microsoft Security Bulletin MS04-025 -
<http://microsoft.com/technet/security/bulletin/MS04-025.asp>
* Microsoft KB Article 867801 -
<http://support.microsoft.com/?id=867801>
* Microsoft KB Article 871260 -
<http://support.microsoft.com/?id=871260>
* Microsoft KB Article 875345 -
<http://support.microsoft.com/?id=875345>
* CVE CAN-2004-0566 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0566>
* CVE CAN-2003-1048 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1048>
* CVE CAN-2004-0549 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>
_________________________________________________________________
Feedback can be directed to the US-CERT Technical Staff.
_________________________________________________________________
Copyright 2004 Carnegie Mellon University. Terms of use
Revision History
Jul 30, 2004: Initial release
Summary of Security Items from July 21 through August 3, 2004
This bulletin provides a summary of new or updated vulnerabilities,
exploits, trends and viruses identified between July 21 and August 3,
2004.
The current version of this document can be found here
<http://www.us-cert.gov/cas/bulletins/SB04-217.html>
Bugs, Holes, & Patches
* Windows Operating Systems
* UNIX Operating Systems
* Multiple Operating Systems
Recent Exploit Scripts/Techniques
Trends
Viruses/Trojans
_________________________________________________________________
Bugs, Holes, & Patches
The table below summarizes vulnerabilities that have been identified,
even if they are not being exploited. Updates to items appearing in
previous bulletins are listed in bold. Complete details about patches
or workarounds are available from the source of the information or
from the URL provided in the section. CVE numbers are listed where
applicable.
Vulnerabilities that affect both Windows and Unix Operating Systems
are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been
discussed in newsgroups and on web sites.
Risk is defined as follows:
* High - A high-risk vulnerability is defined as one that will allow
an intruder to immediately gain privileged access (e.g., sysadmin
or root) to the system or allow an intruder to execute code or
alter arbitrary system files. An example of a high-risk
vulnerability is one that allows an unauthorized user to send a
sequence of instructions to a machine and the machine responds
with a command prompt with administrator privileges.
* Medium - A medium-risk vulnerability is defined as one that will
allow an intruder immediate access to a system with less than
privileged access. Such vulnerability will allow the intruder the
opportunity to continue the attempt to gain privileged access. An
example of medium-risk vulnerability is a server configuration
error that allows an intruder to capture the password file.
* Low - A low-risk vulnerability is defined as one that will provide
information to an intruder that could lead to further compromise