
Microsoft Windows Metafile Handling Buffer Overflow
Original release date: December 28, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Systems running Microsoft Windows
Overview
Microsoft Windows is vulnerable to remote code execution via an error
in handling files using the Windows Metafile image format. Exploit
code has been publicly posted and used to successfully attack
fully-patched Windows XP SP2 systems. However, other versions of the
Windows operating system may be at risk as well.
I. Description
Microsoft Windows Metafiles are image files that can contain both
vector and bitmap-based picture information. Microsoft Windows
contains routines for displaying various Windows Metafile formats.
However, a lack of input validation in one of these routines may allow
a buffer overflow to occur, and in turn may allow remote arbitrary
code execution.
This new vulnerability may be similar to one Microsoft released
patches for in Microsoft Security Bulletin MS05-053. However, publicly
available exploit code is known to affect systems updated with the
MS05-053 patches.
Not all anti-virus software products are currently able to detect all
known variants of exploits for this vulnerability. However, US-CERT
recommends updating anti-virus signatures as frequently as practical
to provide maximum protection as new variants appear.
US-CERT is tracking this issue as VU#181038. This reference number
corresponds to CVE entry CVE-2005-4560.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.
III. Solution
Since there is no known patch for this issue at this time, US-CERT is
recommending sites follow several potential workarounds.
Workarounds
Please be aware US-CERT has confirmed that filtering based just on the
WMF file extension or MIME type "application/x-msmetafile" will not
block all known attack vectors for this vulnerability. Filter
mechanisms should be looking for any file that Microsoft Windows
recognizes as a Windows Metafile by virtue of its file header.
Do not access Windows Metafiles from untrusted sources
Exploitation occurs by accessing a specially crafted Windows Metafile.
By only accessing Windows Metafiles from trusted or known sources, the
chances of exploitation are reduced.
Attackers may host malicious Windows Metafiles on a web site. In order
to convince users to visit their sites, those attackers often use URL
encoding, IP address variations, long URLs, intentional misspellings,
and other techniques to create misleading links. Do not click on
unsolicited links received in email, instant messages, web forums, or
internet relay chat (IRC) channels. Type URLs directly into the
browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.
Block access to Windows Metafiles at network perimeters
By blocking access to Windows Metafiles using HTTP proxies, mail
gateways, and other network filter technologies, system administrators
may also limit other potential attack vectors.
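The two workarounds above turn on one point: a perimeter filter has to recognize a Windows Metafile by its header bytes, not by the ".wmf" extension or the "application/x-msmetafile" MIME type. The following is an added example (not US-CERT code) of that header check; it assumes the documented layouts of the 22-byte placeable (Aldus) header and the 18-byte standard METAHEADER, and the sample inputs are constructed inline.

```python
"""Recognize Windows Metafile content by header bytes only.

Added example for this alert; assumes the placeable (Aldus) header
layout (key D7 CD C6 9A, little-endian 0x9AC6CDD7, 10 WORDs, XOR
checksum) and the standard METAHEADER layout (9 WORDs = 18 bytes).
"""
import struct
from typing import List, Optional, Tuple

PLACEABLE_KEY = 0x9AC6CDD7      # appears on disk as D7 CD C6 9A
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_TYPES = {1, 2}             # 1 = memory metafile, 2 = disk metafile
META_VERSIONS = {0x0100, 0x0300}


def _valid_metaheader(hdr: bytes) -> bool:
    """Check the METAHEADER fields that identify a standard WMF."""
    if len(hdr) < META_HEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", hdr, 0)
    return (mt_type in META_TYPES and mt_header_size == 9
            and mt_version in META_VERSIONS)


def placeable_checksum_ok(hdr: bytes) -> bool:
    """XOR of the first 10 WORDs must equal the trailing checksum WORD."""
    if len(hdr) < PLACEABLE_HEADER_LEN:
        return False
    words = struct.unpack_from("<10H", hdr, 0)
    stored = struct.unpack_from("<H", hdr, 20)[0]
    calc = 0
    for w in words:
        calc ^= w
    return calc == stored


def wmf_kind(data: bytes) -> Optional[str]:
    """Classify bytes as 'placeable', 'standard' or None (not a WMF).

    A filter should err toward flagging, so a placeable key match is
    enough on its own; a bad checksum is not a reason to let it through.
    """
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "placeable"
    if _valid_metaheader(data):
        return "standard"
    return None


def flagged_names(items: List[Tuple[str, str, bytes]]) -> List[str]:
    """Return names of items whose *bytes* are a WMF, ignoring name and MIME."""
    return [name for name, _mime, data in items if wmf_kind(data) is not None]


# ---- constructed sample inputs (not real files) -------------------------
def _metaheader(mt_type: int = 2, version: int = 0x0300) -> bytes:
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    return struct.pack("<HHHIHIH", mt_type, 9, version, 12, 0, 3, 0)


def _placeable_header() -> bytes:
    # key, hmf, bbox (left, top, right, bottom), inch, reserved, then checksum
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for w in struct.unpack("<10H", body):
        checksum ^= w
    return body + struct.pack("<H", checksum)


SAMPLES = [
    ("logo.wmf", "application/x-msmetafile", _placeable_header() + _metaheader()),
    # WMF bytes served under a JPEG name and MIME type: extension/MIME
    # filtering misses this, the header check does not.
    ("photo.jpg", "image/jpeg", _metaheader() + struct.pack("<IH", 3, 0)),
    # A real JPEG signature: not flagged.
    ("real.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 20),
    # A GIF wearing a .wmf name: not a metafile, so not flagged either.
    ("chart.wmf", "application/x-msmetafile", b"GIF89a" + b"\x00" * 20),
]

if __name__ == "__main__":
    for name, mime, data in SAMPLES:
        print(f"{name:10} {mime:26} -> {wmf_kind(data)}")
    print("flagged:", flagged_names(SAMPLES))
```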
Reset the program association for Windows Metafiles
Remapping handling of Windows Metafiles to open a program other than
the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
exploitation via some current attack vectors. However, this may still
allow the underlying vulnerability to be exploited via other known
attack vectors.
_________________________________________________________________
This document is also available at
<http://www.us-cert.gov/cas/techalerts/TA05-362A.html>
Updates will be made at
<http://www.kb.cert.org/vuls/id/181038>
Feedback can be directed to
<mailto:cert@cert.org?subject=TA05-362A%20Feedback%20VU%23181038>
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
Revision History
December 28, 2005: Initial release
National Cyber Alert System
Cyber Security Alert SA05-347A
Microsoft Internet Explorer Vulnerabilities
Original release date: December 13, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
For more complete information, refer to the Microsoft Security
Bulletin Summary for December 2005.
Overview
Microsoft has released updates that address critical
vulnerabilities in Internet Explorer.
Solution
Apply Updates
Microsoft has released security updates for Internet Explorer. To
obtain the updates, visit the Microsoft Update web site. US-CERT
also recommends enabling Automatic Updates.
Disable ActiveX
Instructions for disabling ActiveX controls in the Internet Zone
can be found in the Malicious Web Scripts FAQ.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant
messages, web forums, or internet relay chat (IRC) channels.
Description
Microsoft Security Bulletins for December 2005 address
vulnerabilities in Internet Explorer. These vulnerabilities may
allow an attacker to take control of your computer or cause it to
crash. For more technical information, see US-CERT Technical Cyber
Security Alert TA05-347A.
References
* Microsoft Security Bulletin Summary for December 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx>
* US-CERT Vulnerability Note VU#887861 -
<http://www.kb.cert.org/vuls/id/887861>
* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>
* US-CERT Vulnerability Note VU#680526 -
<http://www.kb.cert.org/vuls/id/680526>
* US-CERT Technical Cyber Security Alert TA05-347A -
<http://www.us-cert.gov/cas/techalerts/TA05-347A.html>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
* Microsoft Update Overview -
<http://www.microsoft.com/technet/prodtechnol/microsoftupdate/default.mspx>
* CERT/CC Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>
* Improve the safety of your browsing and e-mail activities -
<http://www.microsoft.com/athome/security/online/browsing_safety.mspx>
* Microsoft Security Essentials -
<http://www.microsoft.com/athome/security/protect/default.aspx>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA05-347A.html>
_________________________________________________________________
Feedback can be directed to US-CERT. Please send email to:
<cert@cert.org> with "SA05-347A Feedback VU#887861" in the subject.
_________________________________________________________________
Revision History
Dec 13, 2005: Initial release
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/>.
Cyber Security Alert SA05-312A
Microsoft Windows Image Processing Vulnerabilities
Original release date: November 08, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
Overview
Microsoft has released updates that address critical
vulnerabilities in Windows.
Solution
Apply Update
Microsoft has released security updates for Windows. To obtain the
updates, visit the Microsoft Update web site. US-CERT also
recommends enabling Automatic Updates.
Description
The Microsoft Security Bulletin for November 2005 addresses
vulnerabilities in the way Microsoft Windows processes image files.
By tricking you into viewing maliciously altered image files, such
as pictures on web sites or in email messages, an attacker may
crash or take over your computer.
For more technical information, see US-CERT Technical Alert
TA05-312A.
References
* Microsoft Security Bulletin MS05-053 -
<http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx>
* Microsoft Security Bulletin Summary for November 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-nov.mspx>
* US-CERT Vulnerability Note VU#300549 -
<http://www.kb.cert.org/vuls/id/300549>
* US-CERT Vulnerability Note VU#433341 -
<http://www.kb.cert.org/vuls/id/433341>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
_________________________________________________________________
Author: US-CERT. Feedback can be directed to US-CERT.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/alerts/SA05-312A.html>
Copyright 2005 Carnegie Mellon University.
Terms of use
<http://www.us-cert.gov/legal.html>
National Cyber Alert System
Technical Cyber Security Alert TA05-292A
Oracle Products Contain Multiple Vulnerabilities
Original release date: October 19, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Oracle Database Server 10g
* Oracle9i Database Server
* Oracle8i Database Server
* Oracle8 Database Server
* Oracle Enterprise Manager 10g Grid Control
* Oracle Enterprise Manager Application Server Control
* Oracle Enterprise Manager 10g Database Control
* Oracle Application Server 10g
* Oracle9i Application Server
* Oracle Collaboration Suite 10g
* Oracle9i Collaboration Suite
* Oracle E-Business Suite Release 11i
* Oracle E-Business Suite Release 11.0
* Oracle Clinical
* JD Edwards EnterpriseOne, OneWorld XE
* Oracle Developer Suite
* Oracle Workflow
For more information regarding affected product versions, please see
the Oracle Critical Patch Update - October 2005.
Overview
Various Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include
unauthenticated, remote code execution, information disclosure, and
denial of service.
I. Description
Oracle released a Critical Patch Update in October 2005. It addresses
more than eighty vulnerabilities in different Oracle products and
components.
The Critical Patch Update provides information about affected
components, access and authorization required, and the impact of the
vulnerabilities on data confidentiality, integrity, and availability.
For more information on terms used in the Critical Patch Update,
Metalink customers should refer to MetaLink Note 293956.1.
According to the Critical Patch Update: "The new database
vulnerabilities addressed by this Critical Patch Update do not affect
Oracle Database Client-only installations (installations that do not
have the Oracle Database Server installed). Therefore, it is not
necessary to apply this Critical Patch Update to client-only
installations if a prior Critical Patch Update, or Alert 68, has
already been applied to the client-only installations."
US-CERT recommends that sites running Oracle review the Critical Patch
Update, apply patches, and take other mitigating action as
appropriate. US-CERT is tracking all of these issues under VU#210524.
As further information becomes available, we will publish individual
Vulnerability Notes.
Note that according to public reports, the patches included in this
update, as well as previous updates, may not adequately correct all
security vulnerabilities.
II. Impact
The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include remote execution of arbitrary code or commands, information
disclosure, and denial of service. An attacker who compromises an
Oracle database may be able to gain access to sensitive information.
III. Solution
Apply a patch
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - October 2005. Note that this Critical Patch
Update only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
Workarounds
It may be possible to mitigate some vulnerabilities by disabling or
removing unnecessary components, restricting network access, and
restricting access to temporary files.
Oracle Critical Patch Update - October 2005 suggests disabling the
PSQL Manager to mitigate a vulnerability in PeopleSoft Enterprise
PeopleTools (PSE04).
Appendix A. Vendor Information
Oracle
Please see Oracle Critical Patch Update - October 2005 and Critical
Patch Updates and Security Alerts.
Appendix B. References
* Critical Patch Update - October 2005 -
<http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* MetaLink Note 293956.1 -
<http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=293956.1>
* US-CERT Vulnerability Note VU#210524 -
<http://www.kb.cert.org/vuls/id/210524>
* US-CERT Vulnerability Notes Related to Critical Patch Update -
October 2005 -
<http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_october_2005>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
* SecurityFocus BugTraq -
<http://www.securityfocus.com/archive/1/413827/30/0/threaded>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-292A.html>
_________________________________________________________________
Feedback can be directed to US-CERT. Please send email to:
<cert@cert.org> with "TA05-292A Feedback VU#210524" in the subject.
_________________________________________________________________
Revision History
Oct 19, 2005: Initial release
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/>.
National Cyber Alert System
Technical Cyber Security Alert TA05-291A
Snort Back Orifice Preprocessor Buffer Overflow
Original release date: October 18, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Snort versions 2.4.0 to 2.4.2
* Sourcefire Intrusion Sensors
Other products that use Snort or Snort components may be affected.
Overview
The Snort Back Orifice preprocessor contains a buffer overflow that
could allow a remote attacker to execute arbitrary code on a
vulnerable system.
I. Description
Snort is a widely-deployed, open-source network intrusion detection
system (IDS). Snort and its components are used in other IDS
products, notably Sourcefire Intrusion Sensors, and Snort is
included with a number of operating system distributions.
Snort preprocessors are modular plugins that extend functionality
by operating on packets before the detection engine is run. The
Back Orifice preprocessor decodes packets to determine if they
contain Back Orifice ping messages. The ping detection code does
not adequately limit the amount of data that is read from the
packet into a fixed-length buffer, thus creating the potential for
a buffer overflow.
The vulnerable code will process any UDP packet that is not
destined to or sourced from the default Back Orifice port
(31337/udp). An attacker could exploit this vulnerability by
sending a specially crafted UDP packet to a host or network
monitored by Snort.
US-CERT is tracking this vulnerability as VU#175500. Further
information is available in an advisory from Internet Security
Systems (ISS).
II. Impact
A remote attacker who can send UDP packets to a Snort sensor may be
able to execute arbitrary code. Snort typically runs with root or
SYSTEM privileges, so an attacker could take complete control of a
vulnerable system. An attacker does not need to target a Snort
sensor directly; the attacker can target any host or network
monitored by Snort.
III. Solution
Upgrade
Sourcefire has released Snort 2.4.3 which is available from the
Snort download site. For information about other vendors, please
see the Systems Affected section of VU#175500.
Disable Back Orifice Preprocessor
To disable the Back Orifice preprocessor, comment out the line that
loads the preprocessor in the Snort configuration file (typically
/etc/snort.conf on UNIX and Linux systems):
[/etc/snort.conf]
...
#preprocessor bo
...
Restart Snort for the change to take effect.
Restrict Outbound Traffic
Consider preventing Snort sensors from initiating outbound
connections and restricting outbound traffic to only those hosts
and networks that have legitimate requirements to communicate with
the sensors. While this will not prevent exploitation of the
vulnerability, it may make it more difficult for an attacker to
access a compromised system or reconnoiter other systems.
Appendix A. References
* US-CERT Vulnerability Note VU#175500 -
<http://www.kb.cert.org/vuls/id/175500>
* Fixes and Mitigation Instructions Available for Snort Back
Orifice Vulnerability -
<http://www.snort.org/pub-bin/snortnews.cgi#99>
* Snort downloads - <http://www.snort.org/dl/>
* Snort 2.4.3 Changelog -
<http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>
* Preprocessors -
<http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node11.html#SECTION00310000000000000000>
* Snort Back Orifice Parsing Remote Code Execution -
<http://xforce.iss.net/xforce/alerts/id/207>
____________________________________________________________________
This vulnerability was researched and reported by Internet Security
Systems (ISS).
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Oct 18, 2005: Initial release
National Cyber Alert System
Cyber Security Alert SA05-284A
Microsoft Windows, Internet Explorer, and Windows Media Technology Vulnerabilities
Original release date: October 11, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Windows Media Technologies (DirectX)
For more complete information, refer to the Microsoft Security
Bulletin Summary for October 2005.
Overview
Microsoft has released updates that address critical
vulnerabilities in Windows, Internet Explorer, and Windows Media
technologies.
Solution
Apply Updates
Microsoft has released security updates for Windows, Internet
Explorer, and Windows Media technologies. To obtain the updates,
visit the Microsoft Update web site. US-CERT also recommends
enabling Automatic Updates.
Description
Microsoft Security Bulletins for October 2005 address
vulnerabilities in Windows, Internet Explorer, and Windows Media
technologies. These vulnerabilities may allow an attacker to take
control of your computer or cause it to crash. For more technical
information, see US-CERT Technical Cyber Security Alert TA05-284A.
References
* Microsoft Security Bulletin Summary for October 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx>
* US-CERT Vulnerability Note VU#922708 -
<http://www.kb.cert.org/vuls/id/922708>
* US-CERT Vulnerability Note VU#995220 -
<http://www.kb.cert.org/vuls/id/995220>
* US-CERT Vulnerability Note VU#180868 -
<http://www.kb.cert.org/vuls/id/180868>
* US-CERT Vulnerability Note VU#950516 -
<http://www.kb.cert.org/vuls/id/950516>
* US-CERT Vulnerability Note VU#680526 -
<http://www.kb.cert.org/vuls/id/680526>
* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>
* US-CERT Technical Cyber Security Alert TA05-284A -
<http://www.us-cert.gov/cas/techalerts/TA05-284A.html>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
* Microsoft Update Overview -
<http://www.microsoft.com/technet/prodtechnol/microsoftupdate/default.mspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA05-284A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA05-284A Feedback VU#959049" in the subject.
____________________________________________________________________
Revision History
October 11, 2005: Initial release
____________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/>.
National Cyber Alert System
Cyber Security Alert SA05-229A
Apple Mac OS X Multiple Vulnerabilities
Original release date: August 17, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.9 (Panther)
* Apple Mac OS X version 10.4.2 (Tiger)
* Apple Safari web browser
Overview
Apple has released Security Update 2005-007 to correct several
vulnerabilities affecting Mac OS X and the Safari web browser.
These vulnerabilities have a wide range of impacts, the most
severe of which could allow an attacker to gain access to your
computer.
Solution
Install an Update
Use the Mac OS X Software Update feature to download and install
the updates. Consider scheduling Software Update to check for
updates automatically (this option is enabled by default).
Description
Apple Mac OS X has multiple vulnerabilities that could allow an
attacker to run malicious programs on your computer. Installing
the update from Apple will correct these vulnerabilities.
For more technical information, see US-CERT Technical Alert
TA05-229A and Apple Security Update 2005-007.
References
* US-CERT Technical Cyber Security Alert TA05-229A -
<http://www.us-cert.gov/cas/techalerts/TA05-229A.html>
* Apple Security Update 2005-007 -
<http://docs.info.apple.com/article.html?artnum=302163>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA05-229A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA05-229A Feedback VU#913820" in the subject.
____________________________________________________________________
Mailing list information:
<http://www.us-cert.gov/cas/>
____________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 17, 2005: Initial release
National Cyber Alert System
Technical Cyber Security Alert TA05-224A
VERITAS Backup Exec Uses Hard-Coded Authentication Credentials
Original release date: August 12, 2005
Last revised: --
Source: US-CERT
Systems Affected
* VERITAS Backup Exec Remote Agent for Windows Servers
Overview
VERITAS Backup Exec Remote Agent for Windows Servers uses
hard-coded administrative authentication credentials. An attacker
with knowledge of these credentials and access to the Remote Agent
could retrieve arbitrary files from a vulnerable system.
I. Description
VERITAS Backup Exec Remote Agent for Windows Servers is a data
backup and recovery solution that supports the Network Data
Management Protocol (NDMP). NDMP "...is an open standard protocol
for enterprise-wide backup of heterogeneous network-attached
storage." By default, the Remote Agent listens for NDMP traffic on
port 10000/tcp.
The VERITAS Backup Exec Remote agent uses hard-coded administrative
authentication credentials. An attacker with knowledge of these
credentials and access to the Remote Agent may be able to retrieve
arbitrary files from a vulnerable system. The Remote Agent runs
with SYSTEM privileges.
Exploit code, including the credentials, is publicly available.
US-CERT has also seen reports of increased scanning activity on
port 10000/tcp. This increase may be caused by attempts to locate
vulnerable systems.
US-CERT is tracking this vulnerability as VU#378957.
Please note that VERITAS has recently merged with Symantec.
II. Impact
A remote attacker with knowledge of the credentials and access to
the Remote Agent may be able to retrieve arbitrary files from a
vulnerable system.
III. Solution
Restrict access
US-CERT recommends taking the following actions to reduce the chances
of exploitation:
* Use firewalls to limit connectivity so that only authorized backup
server(s) can connect to the Remote Agent. The default port for
this service is port 10000/tcp.
* At a minimum, implement some basic protection at the network
perimeter. When developing rules for network traffic filters,
realize that individual installations may operate on
non-standard ports.
* In addition, changing the Remote Agent's default port from
10000/tcp may reduce the chances of exploitation. Please refer
to VERITAS support document 255174 for instructions on how to
change the default port.
For more information, please see US-CERT Vulnerability Note VU#378957.
Appendix A. References
* US-CERT Vulnerability Note VU#378957 -
<http://www.kb.cert.org/vuls/id/378957>
* Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
File Download Vulnerability -
<http://securityresponse.symantec.com/avcenter/security/Content/14551.html>
* VERITAS support document 255831 -
<http://seer.support.veritas.com/docs/255831.htm>
* VERITAS support document 258334 -
<http://seer.support.veritas.com/docs/258334.htm>
* VERITAS support document 255174 -
<http://seer.support.veritas.com/docs/255174.htm>
* What is NDMP? - <http://www.ndmp.org/info/faq.shtml#1>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-224A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA05-224A Feedback VU#378957" in the
subject.
____________________________________________________________________
To unsubscribe:
<http://www.us-cert.gov/cas/#unsubscribe>
____________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Aug 12, 2005: Initial release
National Cyber Alert System
Cyber Security Alert SA05-221A
Microsoft Windows and Internet Explorer Vulnerabilities
Original release date: August 9, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
For more complete information, refer to the Microsoft Security
Bulletin Summary for August, 2005.
Overview
Microsoft has released updates that address critical
vulnerabilities in Windows and Internet Explorer.
Solution
Apply Updates
Microsoft has released security updates for Windows and Internet
Explorer. To obtain the updates, visit the Microsoft Update web
site. US-CERT also recommends enabling Automatic Updates.
Description
Microsoft Security Bulletins for August, 2005 address
vulnerabilities in Windows and Internet Explorer. These
vulnerabilities may allow an attacker to take control of your
computer or cause it to crash. For more technical information, see
US-CERT Technical Cyber Security Alert TA05-221A.
References
* Microsoft Security Bulletin Summary for August, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx>
* US-CERT Vulnerability Note VU#965206 -
<http://www.kb.cert.org/vuls/id/965206>
* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>
* US-CERT Vulnerability Note VU#998653 -
<http://www.kb.cert.org/vuls/id/998653>
* US-CERT Vulnerability Note VU#490628 -
<http://www.kb.cert.org/vuls/id/490628>
* US-CERT Vulnerability Note VU#220821 -
<http://www.kb.cert.org/vuls/id/220821>
* US-CERT Technical Cyber Security Alert TA05-221A -
<http://www.us-cert.gov/cas/techalerts/TA05-221A.html>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
* Microsoft Update Overview -
<http://www.microsoft.com/technet/prodtechnol/microsoftupdate/default.mspx>
_________________________________________________________________
Feedback can be directed to the US-CERT Technical Staff.
_________________________________________________________________
This document is available at
<http://www.us-cert.gov/cas/alerts/SA05-221A.html>
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
August 9, 2005: Initial release
Last updated August 9, 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA05-210A
Cisco IOS IPv6 Vulnerability
Original release date: July 29, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Cisco IOS devices with IPv6 enabled
For specific information, please see the Cisco Advisory.
Overview
Cisco IOS IPv6 processing functionality contains a vulnerability that
could allow an unauthenticated, remote attacker to execute arbitrary
code or cause a denial of service.
I. Description
Cisco IOS contains a vulnerability in the way IPv6 packets are
processed. US-CERT has not confirmed further technical details.
According to the Cisco Advisory, this vulnerability could be exploited
by an attacker on the same IP subnet:
Crafted packets from the local segment received on logical
interfaces (that is, tunnels including 6to4 tunnels) as well as
physical interfaces can trigger this vulnerability. Crafted packets
can not traverse a 6to4 tunnel and attack a box across the tunnel.
The crafted packet must be sent from a local network segment to
trigger the attack. This vulnerability can not be exploited one or
more hops from the IOS device.
US-CERT strongly recommends that sites running Cisco IOS devices
review the Cisco Advisory and upgrade as appropriate. We are tracking
this vulnerability as VU#930892.
II. Impact
This vulnerability could allow an unauthenticated, remote attacker on
the same IP subnet to execute arbitrary code or cause a denial of
service. The attacker may be able to take control of a vulnerable
device.
III. Solutions
Upgrade
Upgrade to a fixed version of IOS. Please see the Software Versions
and Fixes section of the Cisco Advisory for details.
Disable IPv6
From the Cisco Advisory:
In networks where IPv6 is not needed, disabling IPv6 processing on
an IOS device will eliminate exposure to this vulnerability. On a
router which supports IPv6, this must be done by issuing the
command "no ipv6 enable" and "no ipv6 address" on each interface.
Appendix A. Vendor Information
Cisco Systems, Inc.
Cisco Systems, Inc. has released a security advisory regarding a
vulnerability which was disclosed on July 27, 2005 at the Black Hat
security conference. The security advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
For up-to-date information on security vulnerabilities in Cisco
Systems, Inc. products, visit http://www.cisco.com/go/psirt.
Appendix B. References
* US-CERT Vulnerability Note VU#930892 -
<http://www.kb.cert.org/vuls/id/930892>
* Cisco Security Advisory: IPv6 Crafted Packet Vulnerability -
<http://www.cisco.com/en/US/products/products_security_advisory09186a00804d82c9.shtml>
_________________________________________________________________
Information regarding this vulnerability was primarily provided by
Cisco Systems, who in turn acknowledge the disclosure of this
vulnerability at the Black Hat USA 2005 Briefings.
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Send mail to
<cert@cert.org> with "TA05-210A feedback VU#930892" in the subject.
_________________________________________________________________
The most recent version of this document is available at:
<http://www.us-cert.gov/cas/techalerts/TA05-210A.html>
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
_________________________________________________________________
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
July 29, 2005: Initial release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA05-194A archive
Oracle Products Contain Multiple Vulnerabilities
Original release date: July 13, 2005
Last revised: --
Source: US-CERT
Systems Affected
According to Oracle Critical Patch Update - July 2005:
* Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3,
10.1.0.4
* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5,
9.0.1.5 FIPS
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle8 Database Release 8.0.6, version 8.0.6.3
* Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2,
10.1.0.3
* Oracle Enterprise Manager 10g Database Control, versions 10.1.0.2,
10.1.0.3, 10.1.0.4
* Oracle Enterprise Manager Application Server Control, versions
9.0.4.0, 9.0.4.1
* Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
* Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
* Oracle E-Business Suite and Applications Release 11i, versions
11.5.1 through 11.5.10
* Oracle E-Business Suite and Applications Release 11.0
* Oracle Workflow, versions 11.5.1 through 11.5.9.5
* Oracle Forms and Reports, versions 4.5.10.22, 6.0.8.25
* Oracle JInitiator, versions 1.1.8, 1.3.1
* Oracle Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5,
10.1.2
* Oracle Express Server, version 6.3.4.0
Overview
Various Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include
unauthenticated, remote code execution, information disclosure, and
denial of service.
I. Description
Oracle released a Critical Patch Update in July 2005 that addresses
more than forty vulnerabilities in different Oracle products and
components. The Critical Patch Update provides information about which
components are affected, what access and authorization are required,
and how data confidentiality, integrity, and availability may be
impacted. Public reports describe vulnerabilities related to insecure
password and temporary file handling and SQL injection.
US-CERT strongly recommends that sites running Oracle review the
Critical Patch Update, apply patches, and take other mitigating action
as appropriate.
Oracle HTTP Server is based on the Apache HTTP Server. Some Oracle
products include Java components from Sun Microsystems. According to
Oracle, the July 2005 Critical Patch Update addresses previously
disclosed vulnerabilities in Apache and Java. Oracle also notes that
Oracle Database Client-only installations are not affected by
vulnerabilities listed in the July 2005 Critical Patch Update.
US-CERT is tracking all of these issues under VU#613562. As further
information becomes available, we will publish individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary depending on product or
component and configuration. Potential consequences include remote
execution of arbitrary code or commands, information disclosure, and
denial of service. An attacker who compromises an Oracle database may
be able to gain access to sensitive information.
III. Solution
Apply a patch
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - July 2005. The update notes that some Oracle
patches are cumulative while others are not:
The Oracle Database Server, Enterprise Manager, and the Oracle
Application Server patches in the Updates are cumulative; each
successive Critical Patch Update contains the fixes from the
previous Critical Patch Updates.
E-Business Suite patches are not cumulative, so E-Business Suite
customers should refer to previous Critical Patch Updates to
identify previous fixes they wish to apply.
Oracle Collaboration Suite patches are not cumulative, so Oracle
Collaboration Suite customers should refer to previous Critical
Patch Updates to identify previous fixes they wish to apply.
Workarounds
It may be possible to mitigate some vulnerabilities by disabling or
removing unnecessary components, restricting network access, and
restricting access to temporary files.
Oracle Critical Patch Update - July 2005 suggests setting a TNS
listener password to mitigate a vulnerability in Oracle Database Server
(DB08).
Appendix A. Vendor Information
Oracle
Please see Oracle Critical Patch Update - July 2005 and Critical Patch
Updates and Security Alerts.
Appendix B. References
* Critical Patch Update - July 2005 -
<http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
* US-CERT Vulnerability Note VU#613562 -
<http://www.kb.cert.org/vuls/id/613562>
* Oracle JDeveloper passes Plaintext Password -
<http://www.red-database-security.com/advisory/oracle_jdeveloper_passes_plaintext_password.html>
* Oracle JDeveloper Plaintext Passwords -
<http://www.red-database-security.com/advisory/oracle_jdeveloper_plaintext_password.html>
* Oracle Forms Builder Password in Temp Files -
<http://www.red-database-security.com/advisory/oracle_formsbuilder_temp_file_issue.html>
* Oracle Forms Insecure Temporary File Handling -
<http://www.red-database-security.com/advisory/oracle_forms_unsecure_temp_file_handling.html>
* Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i -
<http://www.integrigy.com/alerts/OraCPU0705.htm>
_________________________________________________________________
Information used in this document came from Red-Database-Security and
Oracle. Oracle credits Qualys Inc., Application Security, Inc., Red
Database Security GmbH, Integrigy, NGS Software, nCircle Network
Security, and Rigel Kent Security.
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff.
Please send mail to cert@cert.org with the subject:
"TA05-194A Feedback VU#613562"
_________________________________________________________________
This document is available at
<http://www.us-cert.gov/cas/techalerts/TA05-194A.html>
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
_________________________________________________________________
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
July 13, 2005: Initial release
Last updated July 13, 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA05-193A archive
Microsoft Windows, Internet Explorer, and Word Vulnerabilities
Original release date: July 12, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Office
* Microsoft Internet Explorer
For more complete information, refer to the Microsoft Security
Bulletin Summary for July, 2005.
Overview
Microsoft has released updates that address critical vulnerabilities
in Windows, Internet Explorer, and Word.
Description
Microsoft Security Bulletins for July, 2005 address vulnerabilities in
Windows, Office, and Internet Explorer. There are vulnerabilities in
Microsoft Windows, Internet Explorer, and Word that may allow an
attacker to take control of your computer or cause it to crash. For
more technical information, see US-CERT Technical Alert TA05-193A.
Resolution
Apply Updates
Microsoft has released security updates for Windows, Internet
Explorer, and Word. To obtain the updates, visit the Microsoft Update
web site. US-CERT also recommends enabling Automatic Updates.
References
* Microsoft Security Bulletin Summary for July, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx>
* US-CERT Vulnerability Note VU#218621 -
<http://www.kb.cert.org/vuls/id/218621>
* US-CERT Vulnerability Note VU#720742 -
<http://www.kb.cert.org/vuls/id/720742>
* US-CERT Vulnerability Note VU#939605 -
<http://www.kb.cert.org/vuls/id/939605>
* US-CERT Technical Cyber Security Alert TA05-193A -
<http://www.us-cert.gov/cas/techalerts/TA05-193A.html>
* Microsoft Update - <http://update.microsoft.com/>
_________________________________________________________________
Feedback can be directed to the US-CERT Technical Staff.
Please send mail to cert@cert.org with the subject:
"SA05-193A Feedback VU#720742"
_________________________________________________________________
This document is available at
<http://www.us-cert.gov/cas/alerts/SA05-193A.html>
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
July 12, 2005: Initial release
Last updated July 12, 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Targeted Trojan Email Attacks
Original release date: July 08, 2005
Last revised: --
Source: US-CERT
Overview
The United States Computer Emergency Readiness Team (US-CERT) has
received reports of an email-based technique for spreading trojan
horse programs. A trojan horse is an attack method by which malicious
or harmful code is contained inside apparently harmless files. Once
opened, the malicious code can collect unauthorized information that
can be exploited for various purposes, or permit computers to be used
surreptitiously for other malicious activity. The emails are sent to
specific individuals rather than the random distributions associated
with a phishing attack or other trojan activity. (Phishing is the act
of sending an email to a user falsely claiming to be an established
legitimate enterprise in an attempt to scam the user into surrendering
private information that can be used for identity theft.) These
attacks appear to target US information for exfiltration. This alert
seeks to raise awareness of this kind of attack, highlight the
important need for government and critical infrastructure systems
owners and operators to take appropriate measures to protect their
data, and provide guidance on proper protective measures.
Description
There are two distinct elements that make this attack technique
significant. First, the trojans can elude conventional protective
measures such as anti-virus software and firewalls, both key measures
in protecting the US Critical Infrastructure networks. A number of
open source and tailored trojans, altered to avoid anti-virus
detection, have been used. Trojan capabilities suggest that
exfiltration of data is a fundamental goal. Second, the emails are
sent to specific or targeted recipients. Unlike "phishing" attacks,
the emails use social engineering to appear credible, with subject
lines often referring to work or other subjects that the recipient
would find relevant. The emails containing the trojanized attachments,
or links to websites hosting trojanized files, are spoofed so that they
appear to come from a colleague or other trusted party. The email
attachments exploit known vulnerabilities to install a trojan on the
user's computer. When opened, the file or link installs the trojan.
Trojans can be configured to transmit information to a remote attacker
using ports assigned to a common service (e.g., TCP port 80, which is
assigned to Web traffic) and thereby defeat firewalls. Once the
trojanized attachment is opened, a remote attacker can then perform
the following functions:
* Collection of usernames and passwords for email accounts
* Collection of critical system information and scanning of network
drives
* Use of infected machine to compromise other machines and networks
* Downloading of further programs (e.g., worms, more advanced
trojans)
* Uploading of documents and data to a remote computer
US-CERT is working with other computer emergency response teams
worldwide to address these types of attacks.
Suggested Actions
Due to the targeted distribution of trojans spread in this way and the
possibility of communication with remote attackers using ports
assigned to common services, detection of this activity is
problematic. US-CERT advises that system administrators take the
following actions:
* Educate users to use an anti-virus scanner on all email
attachments.
* Maintain and update anti-virus software and signatures to detect
malware that may be associated with this attack.
* Block executable and/or suspect attachment types at email gateway
or block the download of executable content via HTTP.
* Investigate anomalous slow-running machines, looking for unknown
processes or unexpected Internet connections, as this may be an
indication of malicious programs operating in the background.
Encourage reporting and full investigation of such behavior.
* Update operating system and application software to patch
vulnerabilities exploited in the past by these Trojans.
* Implement spam filtering to block mail from infrastructure (e.g.,
dial-up ranges, open proxies and open relays) commonly used by the
attackers.
* As Microsoft Office vulnerabilities have been targeted and
exploited, ensure that Microsoft security bulletins are followed.
Microsoft Security Bulletins Search -
<http://www.microsoft.com/technet/security/current.aspx>
* Turn off 'Preview Pane' functionality in email clients and set the
default options to view opened emails as plain text.
* Examine firewall logs of critical systems, or networks used for
processing sensitive information, for connections to or from
anomalous IP addresses.
* Consider traffic analysis to identify any compromised computers
that are exfiltrating files. Data on the size and times of HTTP
transactions or TCP port 80 flows may help detect exfiltration by
highlighting connections where the data volume sent is far greater
than that received from the remote server or when data is being
sent at times outside of normal working hours.
* Analyze log files to determine whether the attackers are spoofing
your domain.
* Consider restricting outbound Internet connections with address lists
that deny access except to address ranges relevant to your business
activities (a "default deny" policy). This provides some protection
against computers in third countries being used by attackers to
control trojans.
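As an added illustration of the traffic-analysis suggestion above (example code written for this page, not part of the US-CERT alert), the following Python scans port 80 flow records for the two signals the alert names: upload volume far exceeding download volume, and bulk data sent outside working hours. The flow records, their field layout, the thresholds and the working-hours window are all constructed assumptions.

```python
"""Spot candidate exfiltration in TCP port 80 flow records.

Two signals named in the alert: the internal host sends far more than it
receives from the remote server, and data is sent outside normal working
hours. The flow records, field layout, thresholds and working-hours
window below are constructed assumptions for illustration, not data or
parameters from US-CERT.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample flow export (not real traffic). Assumed layout:
# start_time src_ip dst_ip dst_port bytes_out bytes_in
# bytes_out = sent by the internal host, bytes_in = received from the server.
SAMPLE_FLOWS = """\
2005-07-06T09:15:02 10.1.2.20 192.0.2.10 80 4213 187654
2005-07-06T10:40:11 10.1.2.31 192.0.2.44 80 1120 45210
2005-07-06T11:05:47 10.1.2.20 198.51.100.7 80 9830412 15220
2005-07-06T23:48:09 10.1.2.55 203.0.113.9 80 512340 8820
2005-07-07T02:12:33 10.1.2.31 203.0.113.9 80 3210 4100
2005-07-06T14:00:00 10.1.2.20 192.0.2.10 443 20000 21000
"""

# Tunable assumptions; calibrate them against your own baseline traffic.
WORK_START = time(8, 0)
WORK_END = time(18, 0)
RATIO_THRESHOLD = 10.0    # bytes_out / bytes_in regarded as "far greater"
MIN_OUT_BYTES = 100_000   # below this, skip: small uploads are normal web use


@dataclass
class Flow:
    start: datetime
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    bytes_in: int


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, out_b, in_b = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst,
                          int(port), int(out_b), int(in_b)))
    return flows


def upload_ratio(flow):
    """Outbound-to-inbound byte ratio; guards against a zero-byte response."""
    return flow.bytes_out / max(flow.bytes_in, 1)


def is_off_hours(flow):
    """True on weekends or outside the assumed working-hours window."""
    t = flow.start.time()
    return flow.start.weekday() >= 5 or not (WORK_START <= t < WORK_END)


def classify(flow):
    """Return the reasons a port 80 flow looks like exfiltration ([] if none)."""
    reasons = []
    if flow.dst_port != 80 or flow.bytes_out < MIN_OUT_BYTES:
        return reasons
    if upload_ratio(flow) >= RATIO_THRESHOLD:
        reasons.append("outbound volume far exceeds inbound")
    if is_off_hours(flow):
        reasons.append("bulk upload outside working hours")
    return reasons


def find_suspicious(flows):
    """Pair each flagged flow with its reasons, in input order."""
    hits = []
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            hits.append((flow, reasons))
    return hits


def per_host_totals(flows):
    """Sum port 80 bytes per internal host: a host whose total upload dwarfs
    its download deserves a look even when no single flow is flagged."""
    totals = {}
    for f in flows:
        if f.dst_port != 80:
            continue
        out_b, in_b = totals.get(f.src, (0, 0))
        totals[f.src] = (out_b + f.bytes_out, in_b + f.bytes_in)
    return totals


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for flow, reasons in find_suspicious(parsed):
        print(f"{flow.start} {flow.src} -> {flow.dst}: {'; '.join(reasons)}")
    for host, (out_b, in_b) in sorted(per_host_totals(parsed).items()):
        print(f"{host}: out={out_b} in={in_b} ratio={out_b / max(in_b, 1):.1f}")
```

Run against a real flow export, the per-host totals are the more robust signal, since a trojan can split an upload into many small transactions that individually stay under the ratio threshold.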
Incidents or suspected malicious activity of this nature, as well as
all cyber security incidents affecting the US Critical Infrastructure
should be reported to the United States Computer Emergency Readiness
Team (US-CERT) via email to soc@us-cert.gov or by telephone (703)
235-5110.
Vendor Product Names
The following anti-virus product names are associated with known
trojans used in the attacks since January 2005.
McAfee
<http://www.mcafee.com>
* Backdoor-BCB
* BackDoor-CPY!chm
* Backdoor-TW
* Downloader-WY
* Exploit-1Table
* JS/BackDoor-CPY
* MultiDropper-MR
* Proxy-Sysgam
* Pusno
* StartPage-DH.dll
Sophos
<http://www.sophos.com>
* Troj/Agent-BX
* Troj/Agent-T
* Troj/DDrop-A
* Troj/Dloader-KF
* Troj/Dloader-KZ
* Troj/Lecna-C
* Troj/Nethief-M
* Troj/Nethief-N
* Troj/Nethief-O
* Troj/Netter-A
* Troj/Riler-E
* Troj/Riler-F
* Troj/Riler-J
* Troj/RPE-A
* Troj/Sharp-F
* Troj/VBDrop-A
* WM97/Loof-D
Symantec
<http://www.symantec.com>
* Trojan.Dropper
* Trojan.Mdropper.B
* Trojan.Riler.C
Trend Micro
<http://www.trendmicro.com>
* BKDR_NETHIEF.L
* BKDR_NETHIEF.R
* BKDR_NETHIEF.S
* BKDR_TUIMER.A
* TROJ_AGENT.KZ
* TROJ_SHARP.C
* TROJ_WINBLUE.A
* W2KM_PASSPRO.A
* W2KM_PASSPRO.C
* W2KM_PASSPRO.E
_________________________________________________________________
Feedback can be directed to US-CERT at soc@us-cert.gov
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
This document is available online.
<http://www.us-cert.gov/cas/techalerts/TA05-189A.html>
Terms of use
<http://www.us-cert.gov/legal.html>
Revision History
July 08, 2005: Initial release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA05-180A archive
VERITAS Backup Exec Software is actively being exploited
Original release date: June 29, 2005
Last revised: --
Source: US-CERT
Systems Affected
VERITAS Backup Exec Remote Agent
Overview
The VERITAS Backup Exec Remote Agent for Windows contains a buffer
overflow that may allow an unauthenticated, remote attacker to
compromise a system and execute arbitrary code with administrative
privileges.
I. Description
VERITAS Backup Exec is a data backup and recovery solution with
support for network-based backups. The VERITAS Backup Exec Remote
Agent is installed on systems that are to be backed up. It listens on
TCP port 10000 for messages indicating that a backup should occur.
The remote agent software fails to properly validate incoming packets,
which allows a buffer overflow to occur. Specially crafted
authentication messages can be used to trigger the buffer overflow,
making it possible for an unauthenticated attacker to exploit this
vulnerability.
Exploit code for this vulnerability is publicly available. In
addition, we have received credible reports that this vulnerability is
being actively exploited to execute arbitrary code with Local System
privileges. We have also seen increased scanning activity on port
10000/tcp. This increase is believed to be attempts to locate
vulnerable systems running the VERITAS Backup Exec Remote Agent.
US-CERT is tracking this issue in the following vulnerability note:
* VU#492105 - VERITAS Backup Exec Remote Agent fails to properly
validate authentication requests. This issue is also identified
as VERITAS Security Advisory VX05-002 and CAN-2005-0773.
In addition, US-CERT is investigating other, potentially serious
vulnerabilities in VERITAS backup software:
* VU#352625 - VERITAS Backup Exec Server Service contains a buffer
overflow vulnerability. This issue is also identified as VERITAS
Security Advisory VX05-006.
* VU#584505 - VERITAS Backup Exec remote access validation
vulnerability. This issue is also identified as VERITAS
Security Advisory VX05-003.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code with administrative privileges on a vulnerable system.
III. Solution
Apply a patch
VERITAS has issued patches for each vulnerable version of Backup Exec
Remote Agent. Information about these patches can be found in the
VERITAS Patch summary for Security Advisories VX05-001, VX05-002,
VX05-003, VX05-005, VX05-006, VX05-007.
Restrict access
US-CERT recommends taking the following actions to reduce the chances
of exploitation:
* Use firewalls to limit connectivity so that only the backup
server(s) can connect to the systems being backed up. The standard
port for this service is port 10000/tcp.
* At a minimum, implement some basic protection at the network
perimeter. When developing rules for network traffic filters,
realize that individual installations may operate on non-standard
ports.
Appendix A. References
* US-CERT Vulnerability Note VU#492105 -
<http://www.kb.cert.org/vuls/id/492105>
* US-CERT Vulnerability Note VU#352625 -
<http://www.kb.cert.org/vuls/id/352625>
* US-CERT Vulnerability Note VU#584505 -
<http://www.kb.cert.org/vuls/id/584505>
* VERITAS Software Security Advisory VX05-002 -
<http://seer.support.veritas.com/docs/276604.htm>
* VERITAS Software Security Advisory VX05-006 -
<http://seer.support.veritas.com/docs/276607.htm>
* VERITAS Software Security Advisory VX05-003 -
<http://seer.support.veritas.com/docs/276605.htm>
* VERITAS Software Security Announcement -
<http://seer.support.veritas.com/docs/277428.htm>
* iDefense security advisory -
<http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities>
_________________________________________________________________
These vulnerabilities were reported by VERITAS Software. VERITAS
credits iDefense with supplying information regarding VU#492105 and
VU#584505. VERITAS credits NGSSoftware Research Team with supplying
information regarding VU#352625.
_________________________________________________________________
Feedback can be directed to the authors: US-CERT Technical Staff
_________________________________________________________________
Revision History
Jun 29, 2005: Initial release
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-180A.html>
Produced 2005 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Microsoft Windows and Internet Explorer Vulnerabilities
Original release date: June 14, 2005
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows and various Microsoft products, including Internet
Explorer
Overview
By taking advantage of vulnerabilities in various Microsoft
products, an attacker may be able to stop affected programs or take
control of your computer. Microsoft has released updates to address
these issues.
Solution
Install Updates
Microsoft has released security updates for Windows and Internet
Explorer. To obtain the updates, visit the Windows Update web site.
US-CERT also recommends enabling Automatic Updates.
Description
There are problems with various Microsoft applications and
features:
* Help system - The HTML Help system is used by many Microsoft
Windows applications. An attacker may be able to create a
malicious help file that may allow him or her to gain control of
your computer.
* Image handling - Images can be saved in multiple formats,
including .jpg, .gif, and .png. An attacker may be able to create
a malicious image file that, if you view it, will allow him or her
to stop affected programs or take control of your computer.
* Networking - Microsoft Windows uses networking to allow your
computer to talk to printers and other computers. A vulnerability
in Windows networking may allow an attacker to take control of
your computer.
For more technical information, see US-CERT Technical Alert
TA05-165A.
References
* US-CERT Technical Cyber Security Alert TA05-165A -
<http://www.us-cert.gov/cas/techalerts/TA05-165A.html>
* Microsoft Security Bulletin Summary for June, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-jun.mspx>
_________________________________________________________________
Author: Mindi McDowell. Feedback can be directed to US-CERT.
_________________________________________________________________
Revision History
June 14, 2005: Initial release
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/alerts/SA05-165A.html>
Produced 2005 by US-CERT, a government organization. Terms of use
<http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-136A
Apple Mac OS X is affected by multiple vulnerabilities
Original release date: May 16, 2005
Last revised: --
Source: US-CERT
Systems Affected
Mac OS X version 10.3.9 (Panther) and Mac OS X Server version 10.3.9
Overview
Apple has released Security Update 2005-005 to address multiple
vulnerabilities affecting Mac OS X and Mac OS X Server. The most
serious of these vulnerabilities may allow a remote attacker to
execute arbitrary code. Impacts of other vulnerabilities addressed by
the update include disclosure of information and denial of service.
I. Description
Apple Security Update 2005-005 resolves a number of vulnerabilities
affecting Mac OS X and OS X Server. Further details are available in
the following Vulnerability Notes:
VU#356070 - Apple Terminal fails to properly sanitize input for
x-man-page URI
Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing
a remote attacker to execute arbitrary commands.
(CAN-2005-1342)
VU#882750 - libXpm image library vulnerable to buffer overflow
libXpm image parsing code contains a buffer-overflow vulnerability
that may allow a remote attacker to execute arbitrary code or cause a
denial-of-service condition.
(CAN-2004-0687)
VU#125598 - LibTIFF vulnerable to integer overflow via corrupted
directory entry count
An integer overflow in LibTIFF may allow a remote attacker to execute
arbitrary code.
(CAN-2004-1308)
VU#539110 - LibTIFF vulnerable to integer overflow in the
TIFFFetchStrip() routine
An integer overflow in LibTIFF may allow a remote attacker to execute
arbitrary code.
(CAN-2004-1307)
VU#537878 - libXpm library contains multiple integer overflow
vulnerabilities
libXpm contains multiple integer-overflow vulnerabilities that may
allow a remote attacker to execute arbitrary code or cause a
denial-of-service condition.
(CAN-2004-0688)
VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly
validate external programs
Mac OS X Directory Service utilities do not properly validate code
paths to external programs, potentially allowing a local attacker to
execute arbitrary code.
(CAN-2004-1335)
VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer
overflow via incorrect handling of an environmental variable
A buffer overflow in Mac OS X's Foundation Framework's processing of
environment variables may lead to elevated privileges.
(CAN-2004-1336)
VU#706838 - Apple Mac OS X vulnerable to buffer overflow via vpnd
daemon
Apple Mac OS X contains a buffer overflow in vpnd that could allow a
local, authenticated attacker to execute arbitrary code with root
privileges.
(CAN-2004-1343)
VU#258390 - Apple Mac OS X with Bluetooth enabled may allow file
exchange without prompting users
Apple Mac OS X with Bluetooth support may unintentionally allow files
to be exchanged with other systems by default.
(CAN-2004-1332)
VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate
command line parameters
Apple Mac OS X Server NeST tool contains a vulnerability in the
processing of command line arguments that could allow a local attacker
to execute arbitrary code.
(CAN-2004-0594)
Please note that Apple Security Update 2005-005 addresses additional
vulnerabilities not described above. As further information becomes
available, we will publish individual Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary; for information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
disclosure of sensitive information, and denial of service.
III. Solution
Install an Update
Install the update as described in Apple Security Update 2005-005.
Appendix A. References
* US-CERT Vulnerability Note VU#582934 -
<http://www.kb.cert.org/vuls/id/582934>
* US-CERT Vulnerability Note VU#258390 -
<http://www.kb.cert.org/vuls/id/258390>
* US-CERT Vulnerability Note VU#331694 -
<http://www.kb.cert.org/vuls/id/331694>
* US-CERT Vulnerability Note VU#706838 -
<http://www.kb.cert.org/vuls/id/706838>
* US-CERT Vulnerability Note VU#539110 -
<http://www.kb.cert.org/vuls/id/539110>
* US-CERT Vulnerability Note VU#354486 -
<http://www.kb.cert.org/vuls/id/354486>
* US-CERT Vulnerability Note VU#882750 -
<http://www.kb.cert.org/vuls/id/882750>
* US-CERT Vulnerability Note VU#537878 -
<http://www.kb.cert.org/vuls/id/537878>
* US-CERT Vulnerability Note VU#125598 -
<http://www.kb.cert.org/vuls/id/125598>
* US-CERT Vulnerability Note VU#356070 -
<http://www.kb.cert.org/vuls/id/356070>
* Apple Security Update 2005-005 -
<http://docs.info.apple.com/article.html?artnum=301528>
_________________________________________________________________
These vulnerabilities were discovered by several people and reported
in Apple Security Update 2005-005. Please see the Vulnerability Notes
for individual reporter acknowledgements.
_________________________________________________________________
Feedback can be directed to the authors: Jeffrey Gennari and Jason
Rafail.
_________________________________________________________________
Copyright 2005 Carnegie Mellon University. Terms of use
Revision History
May 16, 2005: Initial release
Last updated May 16, 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-117A
Oracle Products Contain Multiple Vulnerabilities
Original release date: April 27, 2005
Last revised: --
Source: US-CERT
Systems Affected
From the Oracle Critical Patch Update - April 2005:
* Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3,
10.1.0.3.1, 10.1.0.4 (10.1.0.3.1 is supported for Oracle
Application Server only)
* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5,
9.0.4 (9.0.1.5 FIPS) (all of which are supported for Oracle
Application Server only)
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle Application Server 10g Release 2 (10.1.2)
* Oracle Application Server 10g (9.0.4), versions 9.0.4.0,
9.0.4.1
* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
* Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
* Oracle E-Business Suite and Applications Release 11i, versions
11.5.0 through 11.5.10
* Oracle E-Business Suite and Applications Release 11.0
* Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2,
10.1.0.3
* Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1
* PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93
* PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher
Overview
Various Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include
unauthenticated, remote code execution, information disclosure, and
denial of service.
I. Description
Oracle released a Critical Patch Update in April that addresses
more than seventy vulnerabilities in different Oracle products and
components. The Critical Patch Update provides information about
which components are affected, what access and authorization are
required, and how data confidentiality, integrity, and availability
may be impacted.
US-CERT strongly recommends that sites running Oracle review the
Critical Patch Update, apply patches, and take other mitigating
action as appropriate.
Oracle HTTP Server is based on the Apache HTTP Server. According to
Oracle, the Critical Patch Update addresses a number of previously
disclosed Apache vulnerabilities. Oracle Database Client-only
installations are not affected.
US-CERT is tracking all of these issues under VU#948486. As further
information becomes available, we will publish individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary depending on product or
component and configuration. Potential consequences include remote
execution of arbitrary code or commands, information disclosure,
and denial of service. An attacker who compromises an Oracle
database may be able to gain access to sensitive information.
III. Solution
Apply a patch
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - April 2005. The update notes that some
Oracle patches are cumulative while others are not:
The Oracle Database Server, Enterprise Manager, and the Oracle
Application Server patches for this Critical Patch Update are
cumulative, and contain all the fixes from the previous Critical
Patch Update.
...
E-Business Suite patches are not cumulative, so E-Business Suite
customers should refer to previous Critical Patch Updates to
identify previous fixes they wish to apply.
Oracle Collaboration Suite patches are not cumulative, so Oracle
Collaboration Suite customers should refer to previous Critical
Patch Updates to identify previous fixes they wish to apply.
Workarounds
It may be possible to mitigate some vulnerabilities by disabling or
removing unnecessary components and restricting network access.
Revoking PUBLIC EXECUTE privileges from vulnerable stored
procedures may reduce the impact of SQL injection vulnerabilities
(VU#982109). For more specific workarounds please see the
individual Vulnerability Notes.
Oracle Critical Patch Update - April 2005 contains a workaround for a
vulnerability in PeopleSoft.
Appendix A. Vendor Information
Oracle
Please see Oracle Critical Patch Update - April 2005 and Critical
Patch Updates and Security Alerts.
Appendix B. References
* Critical Patch Update - April 2005 -
<http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
* Comments on Oracle Critical Patch Update April 2005 -
<http://www.red-database-security.com/wp/comments_oracle_cpu_april_2005_us.pdf>
* NGSSoftware Oracle Database vulnerabilities -
<http://www.ngssoftware.com/advisories/oracle-03.txt>
* US-CERT Vulnerability Note VU#948486 -
<http://www.kb.cert.org/vuls/id/948486>
* US-CERT Vulnerability Note VU#982109 -
<http://www.kb.cert.org/vuls/id/982109>
_________________________________________________________________
Thanks to Alexander Kornbrust of Red-Database-Security GmbH.
Information used in this document came from Red-Database-Security and
Oracle. Oracle credits NGS Software Ltd., Integrigy, and Application
Security, Inc.
_________________________________________________________________
Feedback can be directed to the authors: Art Manion and Jeff Gennari.
Send mail to <cert@cert.org>.
Please include the Subject line "TA04-315A Feedback VU#948486".
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The most recent version of this document is available at:
<http://www.us-cert.gov/cas/techalerts/TA05-117A.html>
_________________________________________________________________
Revision History
April 27, 2005: Initial release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA05-102A
Multiple Vulnerabilities in Microsoft Windows Components
Original release date: April 12, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows Systems
For a complete list of affected versions of the Windows operating
systems and components, refer to the Microsoft Security Bulletins.
Overview
Microsoft has released a Security Bulletin Summary for April, 2005.
This summary includes several bulletins that address
vulnerabilities in various Windows applications and
components. Exploitation of some vulnerabilities can result in the
remote execution of arbitrary code by a remote attacker. Details of
the vulnerabilities and their impacts are provided below.
I. Description
The list below provides a mapping between Microsoft's Security
Bulletins and the related US-CERT Vulnerability Notes. More
information related to the vulnerabilities is available in these
documents.
Microsoft Security Bulletin MS05-020:
Cumulative Security Update for Internet Explorer (890923)
VU#774338 Microsoft Internet Explorer DHTML objects contain a
race condition
VU#756122 Microsoft Internet Explorer URL validation routine
contains a buffer overflow
VU#222050 Microsoft Internet Explorer Content Advisor contains a
buffer overflow
Microsoft Security Bulletin MS05-02:
Vulnerability in Exchange Server Could Allow Remote Code
Execution (894549)
VU#275193 Microsoft Exchange Server contains unchecked buffer in SMTP
extended verb handling
Microsoft Security Bulletin MS05-022:
Vulnerability in MSN Messenger Could Lead to Remote Code Execution
(896597)
VU#633446 Microsoft MSN Messenger GIF processing
buffer overflow
Microsoft Security Bulletin MS05-019:
Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial
of Service (893066)
VU#233754 Microsoft Windows does not adequately validate IP
packets
II. Impact
Exploitation of these vulnerabilities may permit a remote attacker to
execute arbitrary code on a vulnerable Windows system, or cause a
denial-of-service condition.
III. Solution
Apply a patch
Microsoft has provided the patches for these vulnerabilities in the
Security Bulletins and on Windows Update.
Appendix A. References
* Microsoft's Security Bulletin Summary for April, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-apr.mspx>
* US-CERT Vulnerability Note VU#774338 -
<http://www.kb.cert.org/vuls/id/774338>
* US-CERT Vulnerability Note VU#756122 -
<http://www.kb.cert.org/vuls/id/756122>
* US-CERT Vulnerability Note VU#222050 -
<http://www.kb.cert.org/vuls/id/222050>
* US-CERT Vulnerability Note VU#275193 -
<http://www.kb.cert.org/vuls/id/275193>
* US-CERT Vulnerability Note VU#633446 -
<http://www.kb.cert.org/vuls/id/633446>
* US-CERT Vulnerability Note VU#233754 -
<http://www.kb.cert.org/vuls/id/233754>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann, Jeff Gennari,
Chad Dougherty, Ken MacInnis, Jason Rafail, Art Manion, and Jeff
Havrilla.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-102A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
April 12, 2005: Initial release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Multiple Vulnerabilities in Microsoft Windows
Original release date: February 8, 2005
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows operating systems
Microsoft Office
Microsoft Project 2002
Microsoft Visio 2002
Microsoft Works Suite
Microsoft Windows Media Player
Windows Messenger
MSN Messenger
Overview
An attacker may be able to take control of your computer by taking
advantage of vulnerabilities in the Windows operating system and in
some Microsoft software packages.
Description
Microsoft has released a Security Bulletin Summary for February,
2005. This summary includes several bulletins that address
vulnerabilities in various Windows operating systems, applications
and components.
Resolution
Apply an update
Obtain the appropriate updates from Windows Update or by using
Automatic Updates.
References
* US-CERT Technical Alert TA05-039A -
<http://www.us-cert.gov/cas/techalerts/TA05-039A.html>
* Microsoft Security Bulletin Summary for February, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-feb.mspx>
* Microsoft Security Bulletin MS05-005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-005.mspx>
* Microsoft Security Bulletin MS05-008 -
<http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx>
* Microsoft Security Bulletin MS05-009 -
<http://www.microsoft.com/technet/security/bulletin/ms05-009.mspx>
* Microsoft Security Bulletin MS05-011 -
<http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx>
* Microsoft Security Bulletin MS05-012 -
<http://www.microsoft.com/technet/security/bulletin/ms05-012.mspx>
* Microsoft Security Bulletin MS05-013 -
<http://www.microsoft.com/technet/security/bulletin/ms05-013.mspx>
* Microsoft Security Bulletin MS05-014 -
<http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx>
* Microsoft Security Bulletin MS05-015 -
<http://www.microsoft.com/technet/security/bulletin/ms05-015.mspx>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
<http://www.us-cert.gov/cas/alerts/SA05-039A.html>
Terms of use
<http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-026A
Multiple Denial-of-Service Vulnerabilities in Cisco IOS
Original release date: January 26, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers and switches running IOS in various configurations
Overview
Several denial-of-service vulnerabilities have been discovered in
Cisco's Internet Operating System (IOS). A remote attacker may be able
to cause an affected device to reload the operating system.
I. Description
Cisco has published three advisories describing flaws in IOS that
could allow a remote attacker to cause an affected device to reload.
Further details are available in the following vulnerability notes:
VU#583638 - Cisco IOS contains DoS vulnerability in MPLS packet
processing
The IOS implementation of Multi Protocol Label Switching (MPLS)
contains a vulnerability that allows malformed MPLS packets to cause
an affected device to reload. An unauthenticated attacker can send
these malformed packets on a local network segment that is connected
to a vulnerable device interface.
VU#472582 - Cisco IOS IPv6 denial-of-service vulnerability
A vulnerability in the way that IOS handles a sequence of specially
crafted IPv6 packets could cause an affected device to reload,
resulting in a denial of service. The vulnerability is exposed on both
physical interfaces (i.e., hardware interfaces), and logical
interfaces (i.e., software defined interfaces such as tunnels) that
are configured for IPv6.
VU#689326 - Cisco IOS vulnerable to DoS via malformed BGP packet
An IOS device that is enabled for Border Gateway Protocol (BGP) and
set up with the bgp log-neighbor-changes option is vulnerable to a
denial-of-service attack via a malformed BGP packet.
II. Impact
Although the underlying causes of these three vulnerabilities are
different, in each case a remote attacker could cause an affected
device to reload the operating system. This creates a
denial-of-service condition since packets are not forwarded through
the affected device while it is reloading. Repeated exploitation of
these vulnerabilities would result in a sustained denial-of-service
condition.
Since devices running IOS may transit traffic for a number of other
networks, the secondary impacts of a denial of service may be severe.
III. Solution
Upgrade to a fixed version of IOS
Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in Appendix A for
more information on upgrading.
Workaround
Cisco has also published practical workarounds for VU#689326 and
VU#583638. Please refer to the "Workarounds" section of each Cisco
Security Advisory listed in Appendix A for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
Appendix A. References
* Cisco Security Advisory: Crafted Packet Causes Reload on Cisco
Routers -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml>
* Cisco Security Advisory: Multiple Crafted IPv6 Packets Cause
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml>
* Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes
Reload -
<http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml>
* US-CERT Vulnerability Note VU#583638 -
<http://www.kb.cert.org/vuls/id/583638>
* US-CERT Vulnerability Note VU#472582 -
<http://www.kb.cert.org/vuls/id/472582>
* US-CERT Vulnerability Note VU#689326 -
<http://www.kb.cert.org/vuls/id/689326>
_________________________________________________________________
Feedback can be directed to the authors: Will Dormann, Chad Dougherty,
and Damon Morda
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-026A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 26, 2005: Initial release
Last updated January 26, 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Alert SA05-012A
Multiple Vulnerabilities in Microsoft Windows
Original release date: January 12, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Windows 98, Me, 2000, XP, and Server 2003
* Internet Explorer 5.x and 6.x
* Other Windows programs that use MSHTML
Overview
An attacker may be able to take control of your computer by
taking advantage of two different vulnerabilities in Internet
Explorer and Windows.
Description
There is a vulnerability in the way Internet Explorer processes
certain HTML code. There is also a vulnerability in the way
Microsoft Windows handles certain images. By exploiting either
vulnerability, an attacker may be able to take control of your
computer.
Reports indicate that one of these vulnerabilities is being
exploited by malicious code referred to as Phel.
Resolution
Apply an update
Install the updates as described in Microsoft Security Bulletins
MS05-001 and MS05-002. Obtain the appropriate updates from
Windows Update or by using Automatic Updates.
References
* US-CERT Technical Alert TA05-012A -
<http://www.us-cert.gov/cas/techalerts/TA05-012A.html>
* US-CERT Technical Alert TA05-012B -
<http://www.us-cert.gov/cas/techalerts/TA05-012B.html>
* Vulnerability Note VU#972415 -
<http://www.kb.cert.org/vuls/id/972415>
* Vulnerability Note VU#625856 -
<http://www.kb.cert.org/vuls/id/625856>
_________________________________________________________________
Author: Michael D. Durkota
Feedback can be directed to US-CERT.
Send mail to <cert@cert.org>.
Please include the subject line "SA05-012A Feedback VU#972415
VU#625856".
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The latest version of this document is available at:
<http://www.us-cert.gov/cas/alerts/SA05-012A.html>
_________________________________________________________________
Revision History
January 12, 2005: Initial release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-012B
Microsoft Windows HTML Help ActiveX Control Cross-Domain Vulnerability
Original release date: January 12, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Windows 98, Me, 2000, XP, and Server 2003
* Internet Explorer 5.x and 6.x
* Other Windows programs that use MSHTML
Overview
The Microsoft Windows HTML Help ActiveX control contains a
cross-domain vulnerability that could allow an unauthenticated,
remote attacker to execute arbitrary commands or code with the
privileges of the user running the control. The HTML Help control
can be instantiated by an HTML document loaded in Internet Explorer
or any other program that uses MSHTML.
I. Description
The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) does
not properly determine the source of windows opened by the Related
Topics command. If an HTML Help control opens a Related Topics
window in one domain, and a second control opens a Related Topics
window using the same window name in a different domain, content
from the second window is considered to be in the domain of the
first window. This cross-domain vulnerability allows an attacker in
one domain to read or modify content or execute script in a
different domain, including the Local Machine Zone.
An attacker could exploit this vulnerability against Internet
Explorer (IE) using a specially crafted web site. Other programs
that use MSHTML, including Outlook and Outlook Express, could also
act as attack vectors.
This vulnerability has been assigned CVE CAN-2004-1043 and is
described in further detail in VU#972415.
II. Impact
By convincing a user to view a specially crafted HTML document
(e.g., a web page or an HTML email message), an attacker could
execute arbitrary code or commands with the privileges of the
user. The attacker could also read or modify data in other web
sites.
Reports indicate that this vulnerability is being exploited by
malicious code referred to as Phel.
III. Solution
Install an update
Install the appropriate update according to Microsoft Security
Bulletin MS05-001. Note that the update may adversely affect the
HTML Help system as described in Microsoft Knowledge Base articles
892641 and 892675.
Workarounds
A number of workarounds are described in MS05-001 and VU#972415.
Appendix A. References
* Vulnerability Note VU#972415 -
<http://www.kb.cert.org/vuls/id/972415>
* Microsoft Security Bulletin MS05-001 -
<http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx>
* HTML Help files do not work correctly after you uninstall security
update 890175 (MS05-001) -
<http://support.microsoft.com/kb/892641>
* You cannot access HTML Help functionality on some Web sites after
installing security update MS05-001 -
<http://support.microsoft.com/kb/892675>
* Reusing MSHTML -
<http://msdn.microsoft.com/workshop/browser/hosting/hosting.asp>
* HTML Help ActiveX Control Overview -
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconocxov.asp>
* Related Topics -
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconocxrelatedtopics.asp>
* About the Browser (Internet Explorer - WebBrowser) -
<http://msdn.microsoft.com/workshop/browser/overview/Overview.asp>
* CVE CAN-2004-1043 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1043>
_________________________________________________________________
Feedback can be directed to the author: Art Manion.
Send mail to <cert@cert.org>.
Please include the subject line "TA05-012B Feedback VU#972415".
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-012B.html>
_________________________________________________________________
Revision History
January 12, 2005: Initial release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-012A
Multiple Vulnerabilities in Microsoft Windows Icon and Cursor Processing
Original release date: January 12, 2005
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows Operating Systems excluding Microsoft Windows XP SP2
Overview
Microsoft Windows contains multiple vulnerabilities in the way that it
handles cursor and icon files. A remote attacker could execute
arbitrary code or cause a denial-of-service condition.
I. Description
Microsoft Security Bulletin MS05-002 describes a number of
vulnerabilities in the way that Windows handles icons, cursors,
animated cursors, and bitmaps. Further details are available in the
following vulnerability notes:
VU#625856 - Microsoft Windows LoadImage API vulnerable to integer
overflow
The Microsoft Windows LoadImage routine is vulnerable to an integer
overflow that may allow a remote attacker to execute arbitrary code on
a vulnerable system.
(CAN-2004-1049)
VU#697136 - Microsoft Windows kernel vulnerable to denial-of-service
condition via animated cursor (.ani) rate number
A vulnerability exists in the way the Microsoft Windows kernel
processes animated cursor (.ani) files with a rate number set to zero.
Exploitation of this vulnerability may allow a remote attacker to
cause a denial-of-service condition.
(CAN-2004-1305)
VU#177584 - Microsoft Windows kernel vulnerable to denial-of-service
condition via animated cursor (.ani) frame number
A vulnerability exists in the way the Microsoft Windows kernel
processes animated cursor (.ani) files with a frame number set to
zero. Exploitation of this vulnerability may allow a remote attacker
to cause a denial-of-service condition.
(CAN-2004-1305)
Note that exploits for these vulnerabilities are publicly available.
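As an added example (not part of the US-CERT alert or Microsoft's bulletin), the following Python validator walks a RIFF ACON container and flags the two conditions the animated cursor notes above describe: an anih header whose frame count or rate is zero. The anih field layout, and the mapping of the alert's "frame number" and "rate number" to the cFrames and jifRate fields, are assumptions taken from the public ANI format description; build_ani() produces constructed sample files so the checks can be exercised offline.

```python
import struct
from typing import Dict, List

# ANIHEADER layout inside the "anih" chunk: nine little-endian DWORDs.
# Assumed from the public RIFF ANI format description, not from the alert.
ANIH_FIELDS = ("cbSizeof", "cFrames", "cSteps", "cx", "cy",
               "cBitCount", "cPlanes", "jifRate", "flags")


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, payload) for each RIFF chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = data[pos + 8:pos + 8 + size]
        if len(body) != size:
            raise ValueError("chunk %r runs past end of file" % fourcc)
        yield fourcc, body
        pos += 8 + size + (size & 1)   # chunk payloads are word-aligned


def check_ani(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the file passed."""
    findings: List[str] = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF ACON (animated cursor) container"]
    hdr: Dict[str, int] = {}
    for fourcc, body in iter_chunks(data, 12, len(data)):
        if fourcc == b"anih":
            if len(body) < 36:
                findings.append("anih chunk truncated (%d bytes)" % len(body))
                continue
            hdr = dict(zip(ANIH_FIELDS, struct.unpack_from("<9I", body)))
            if hdr["cFrames"] == 0:
                findings.append("anih cFrames is zero (VU#177584 condition)")
            if hdr["jifRate"] == 0:
                findings.append("anih jifRate is zero (VU#697136 condition)")
        elif fourcc == b"rate":
            # Optional per-step rate table; a zero entry is the same condition.
            rates = struct.unpack_from("<%dI" % (len(body) // 4), body)
            if any(r == 0 for r in rates):
                findings.append("rate chunk contains a zero step rate")
    if not hdr:
        findings.append("missing anih chunk")
    return findings


def build_ani(frames: int, rate: int) -> bytes:
    """Constructed sample: minimal RIFF ACON carrying only an anih chunk."""
    anih = struct.pack("<9I", 36, frames, frames, 32, 32, 32, 1, rate, 1)
    body = b"ACON" + b"anih" + struct.pack("<I", len(anih)) + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

A mail or proxy filter can call check_ani() on any attachment that parses as RIFF ACON regardless of its extension, since a cursor file renamed to .bmp or .ico is still loaded by the same routine.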
II. Impact
If a remote attacker can persuade a user to access a specially crafted
bitmap image, icon, or cursor file, the attacker may be able to
execute arbitrary code on that user's system, with their privileges.
Potentially, any operation that displays an image could trigger
exploitation; for instance, browsing the file system, reading HTML
email, or browsing websites.
III. Solution
Install an Update
Install the update as described in Microsoft Security Bulletin
MS05-002. Note that this update is also available via Windows Update
and Automatic Updates.
Appendix A. References
* US-CERT Vulnerability Note VU#697136 -
<http://www.kb.cert.org/vuls/id/697136>
* US-CERT Vulnerability Note VU#177584 -
<http://www.kb.cert.org/vuls/id/177584>
* US-CERT Vulnerability Note VU#625856 -
<http://www.kb.cert.org/vuls/id/625856>
* Microsoft Security Bulletin MS05-002 -
<http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx>
_________________________________________________________________
These vulnerabilities were reported by Flashsky Fangxing and eEye
Digital Security.
_________________________________________________________________
Feedback can be directed to the author: Jeffrey Gennari
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA05-012A.html>
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Revision History
Jan 12, 2005: Initial release
Last updated January 12, 2005