VULNERABILITIES \ FIXES - October 14, 2008

Oct 14, 2008 1:09AM PDT

Avaya AES / MX Apache Tomcat Multiple Vulnerabilities

Release Date: 2008-10-14

Critical: Moderately critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: Avaya Application Enablement Services 3.x
Avaya Application Enablement Services 4.x

Description:
Avaya has acknowledged some vulnerabilities in Avaya AES / MX, which can be exploited by malicious, local users to bypass certain security restrictions, by malicious users to disclose potentially sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, or disclose sensitive information.

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm

Other References:
SA27398:
http://secunia.com/advisories/27398/

SA28274:
http://secunia.com/advisories/28274/

SA30500:
http://secunia.com/advisories/30500/

SA31379:
http://secunia.com/advisories/31379/


Avaya Products libxml2 XML Entity Name Buffer Overflow Vuln
Oct 14, 2008 1:10AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: DoS, System access

Where: From remote
Solution Status: Unpatched

OS: Avaya Message Networking 2.x
Avaya Modular Messaging 2.x
Avaya Modular Messaging 3.x
Avaya SIP Enablement Services (SES) 3.x
Software: Avaya Application Enablement Services 3.x
Avaya Application Enablement Services 4.x
Avaya Communication Manager 3.x

Description:
Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-400.htm

Other References:
SA31558:
http://secunia.com/advisories/31558/

Websense SQL Password Disclosure Security Issue
Oct 14, 2008 1:11AM PDT

Release Date: 2008-10-14

Critical: Less critical
Impact: Exposure of sensitive information

Where: Local system
Solution Status: Unpatched

Software: Websense 6.x

Description:
Eric Beaulieu has reported a security issue in Websense, which can be exploited by malicious, local users to disclose sensitive information.

The security issue is caused due to the Websense Reporter Module storing the password for the administrative SQL user in plain text in the file "CreateDbInstall.log" within an accessible zip file in the installation directory.

The security issue is reported in the Websense Reporter Module in Websense version 6.3.2. Other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.

Provided and/or discovered by:
Eric Beaulieu

Original Advisory:
http://zebux.free.fr/pub/Advisory/Adv...porter_Password_Disclosure_200810.txt

Avaya Products vsftpd PAM Memory Leak Vulnerability
Oct 14, 2008 1:12AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: DoS

Where: From remote
Solution Status: Unpatched

OS: Avaya Modular Messaging 3.x
Avaya SIP Enablement Services (SES) 3.x
Software: Avaya Communication Manager 3.x

Description:
Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory leak in vsftpd when using PAM and can be exploited to exhaust all available memory via multiple invalid authentication requests.

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-398.htm

Other References:
SA31223:
http://secunia.com/advisories/31223/

Linksys WAP4400N Denial of Service and SNMPv3 Vulnerability
Oct 14, 2008 1:13AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: Unknown, DoS

Where: From remote
Solution Status: Vendor Patch

OS: Linksys WAP4400N

Description:
Some vulnerabilities have been reported in Linksys WAP4400N, where one has unknown impacts and the other can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Update to firmware version 1.2.17.
http://www.linksys.com/servlet/Satell...ame=Linksys%2FCommon%2FVisitorWrapper

Provided and/or discovered by:
1) Laurent Butti and Julien Tinnes, France Telecom / Orange
2) Reported by the vendor.

Original Advisory:
http://www.linksys.com/servlet/Satell...ame=Linksys%2FCommon%2FVisitorWrapper

Lenovo Rescue and Recovery "tvtumon.sys" Privilege Escalation
Oct 14, 2008 1:14AM PDT

Release Date: 2008-10-14

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

Software: Lenovo Rescue and Recovery 4.x

Description:
A vulnerability has been reported in Lenovo Rescue and Recovery, which potentially can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to a boundary error within the "tvtumon.sys" kernel driver when processing overly long file names. This can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code with escalated privileges by passing a specially crafted file name through the file system.

The vulnerability is reported in version 4.20.0512 for Windows Vista and 4.20.0511 for Windows XP and 2000.

Solution:
Update to version 4.21.
http://www-307.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html

Provided and/or discovered by:
Chris Clark and Rachel Engel, iSEC Partners

Original Advisory:
iSEC Partners:
https://www.isecpartners.com/advisories/2008-02-lenovornr.txt

Lenovo:
http://www-307.ibm.com/pc/support/site.wss/MIGR-70699.html
http://www-307.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html

Mantis Referenced Reports Information Disclosure Security Issue
Oct 14, 2008 1:16AM PDT

Release Date: 2008-10-14

Critical: Less critical
Impact: Exposure of sensitive information

Where: From remote
Solution Status: Vendor Patch

Software: Mantis 1.x

Description:
A security issue has been reported in Mantis, which can be exploited by malicious users to disclose potentially sensitive information.

The security issue is caused due to an error when creating the link tags to a referenced report. This can be exploited to e.g. disclose the title and status of a restricted report by filing a new issue report that includes a numeric reference to the restricted report.

Note: This also fixes a problem that could allow cookies to be transmitted unencrypted when performing a HTTP request during a HTTPS session.

The security issue is reported in versions prior to 1.1.3.

Solution:
Update to version 1.1.3.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Mantis change log:
http://www.mantisbt.org/bugs/changelog_page.php

Mantis Issue #9321:
http://www.mantisbt.org/bugs/view.php?id=9321

Mantis Issue #9533:
http://www.mantisbt.org/bugs/view.php?id=9533

Avaya Products Red Hat Tampered OpenSSH Packages
Oct 14, 2008 1:17AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: Unknown

Where: From remote
Solution Status: Unpatched

OS: Avaya Message Networking 2.x
Avaya Modular Messaging 2.x
Avaya Modular Messaging 3.x
Avaya SIP Enablement Services (SES) 3.x
Software: Avaya Application Enablement Services 3.x
Avaya Application Enablement Services 4.x
Avaya Communication Manager 3.x
Avaya Communication Manager 4.x
Avaya Communication Manager 5.x

Description:
Avaya has acknowledged that a small number of OpenSSH packages have been tampered with.

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2008-399.htm

Other References:
SA31575:
http://secunia.com/advisories/31575/

Debian update for linux-2.6
Oct 14, 2008 1:18AM PDT

Release Date: 2008-10-14

Critical: Less critical
Impact: Privilege escalation, DoS

Where: Local system
Solution Status: Vendor Patch

OS: Debian GNU/Linux 4.0

Description:
Debian has issued an update for linux-2.6. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges.

Solution:
Apply updated packages.

Original Advisory:
http://www.us.debian.org/security/2008/dsa-1653

Other References:
SA23073:
http://secunia.com/advisories/23073/

SA25895:
http://secunia.com/advisories/25895/

SA26389:
http://secunia.com/advisories/26389/

SA31509:
http://secunia.com/advisories/31509/

SA31826:
http://secunia.com/advisories/31826/

Phorum BBcode Nested "img" Tags Script Insertion
Oct 14, 2008 1:19AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch

Software: Phorum 5.x

Description:
Julian A. Rodriguez has reported a vulnerability in Phorum, which can be exploited by malicious people to conduct script insertion attacks.

Input passed as private messages or forum posts is not properly sanitised for nested "img" tags before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.

Successful exploitation requires that the BBcode module is enabled.

The vulnerability is reported in version 5.2.8. Prior versions may also be affected.

Solution:
Update to version 5.2.9 or later.

Provided and/or discovered by:
Julian A. Rodriguez

Original Advisory:
Phorum:
http://www.phorum.org/phorum5/read.php?64,133699

Julian A. Rodriguez:
http://nulledcore.com/?p=126

RaidenFTPD Directory Name Buffer Overflow Vulnerability
Oct 14, 2008 1:20AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: DoS, System access

Where: From remote
Solution Status: Unpatched

Software: RaidenFTPD 2.x

Description:
dmnt has discovered a vulnerability in RaidenFTPD, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to a boundary error when handling overly long requested directory names. This can be exploited to cause a stack-based buffer overflow via e.g. a combination of specially crafted "CWD" and "MLST" commands.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 2.4.3615. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
dmnt

Original Advisory:
http://milw0rm.com/exploits/6742

Firefox .url Shortcut File Information Disclosure
Oct 14, 2008 1:21AM PDT

Release Date: 2008-10-14

Critical: Not critical
Impact: Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: Mozilla Firefox 3.x

Description:
A vulnerability has been reported in Firefox, which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to an error when processing .url shortcuts in HTML elements. This can be exploited to disclose potentially sensitive information from the cache.

Successful exploitation requires that a user is e.g. tricked into opening an HTML page from a local directory or a RAR archive containing .url files.

The vulnerability is reported in version 3.0.3. Other versions may also be affected.

Solution:
Do not open HTML files from untrusted sources.

Provided and/or discovered by:
Liu Die Yu

Original Advisory:
http://liudieyu0.blog124.fc2.com/blog-entry-6.html

IndexScript "parent_id" SQL Injection Vulnerability
Oct 14, 2008 1:23AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information

Where: From remote
Solution Status: Unpatched

Software: IndexScript 3.x

Description:
d3v1l has reported a vulnerability in IndexScript, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "parent_id" parameter in sug_cat.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 3.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
d3v1l

Original Advisory:
http://milw0rm.com/exploits/6746

ENOVIA Document Viewer Security Bypass
Oct 14, 2008 1:24AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: Exposure of sensitive information

Where: From remote
Solution Status: Vendor Patch

Software: ENOVIA V5

Description:
A vulnerability has been reported in ENOVIA, which can potentially be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to an error in the document viewer and can potentially be exploited to open documents without having proper permissions.

The vulnerability is reported in ENOVIA SmarTeam in versions prior to V5R18 SP5.

Solution:
Update to version 5 release 18 SP5 or later.

Provided and/or discovered by:
Reported via IBM.

Original Advisory:
IBM: (BR10000057036 HD71425)
http://www-01.ibm.com/support/docview.wss?uid=swg27012567

CUPS printer service update closes security holes
Oct 14, 2008 2:06AM PDT

14 October 2008

Three security holes in CUPS, the printer service for Unix systems such as Linux and Mac OS X, have been closed in version 1.3.9. According to the release notes, previous versions of CUPS are vulnerable to remote code exploitation when the service is given SGI format image files for manipulation or when printing text files. The issues relate directly to the imagetops and texttops filters.

More: http://www.heise-online.co.uk/security/CUPS-printer-service-update-closes-security-holes--/news/111721

MS roll out exploit prediction with Patch Tuesday
Oct 14, 2008 2:12AM PDT

Here is the attack forecast

By John Leyden

14th October 2008

Microsoft plans to debut impact predictions related to vulnerabilities with the next edition of its Patch Tuesday update cycle.

The 11 bulletins due to arrive later on Tuesday (14 October) will contain "weather predictions" detailing factors such as whether exploit code is likely to appear, alongside the established rating system on the severity of vulnerabilities. Microsoft hopes its Exploitability Index will help organisations to prioritise patching.

Microsoft, unlike Cisco and organisations like US-CERT, won't be rating vulnerabilities under the Common Vulnerability Scoring System. This is because it reckons (with some justification) that descriptions such as 'critical' or 'moderate' are more meaningful to the majority of people than ratings of between one and ten covered by CVSS.

More: http://www.theregister.co.uk/2008/10/14/ms_vulnerability_assessment/

HP warns of Nvidia problems
Oct 14, 2008 2:26AM PDT

38 Slimline models buggered

By John Oates
14th October 2008

HP has offered free repairs for 38 models of its Pavilion Slimline range of desktop machines, which are having problems with Nvidia graphics units.

Last week, Apple admitted similar problems with MacBook Pros and offered free repairs to affected customers.

HP said on its support site that the problem was "attributable to the computer's motherboard". Some machines either have problems booting or will not show video.

The company is offering a free repair for anyone with a non-working machine which is within 12 months of the expiry of its warranty, or until 31 December 2009, whichever is sooner.

More: http://www.theregister.co.uk/2008/10/14/hp_slimline_problems/

October Black Tuesday Overview
Oct 14, 2008 5:48AM PDT

Published: 2008-10-14,
Last Updated: 2008-10-14 18:30:09 UTC
by Swa Frantzen

http://isc.sans.org/

Microsoft Windows Ancillary Function Driver Privilege Escalation
Oct 14, 2008 5:50AM PDT

Release Date: 2008-10-14

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

OS: Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Storage Server 2003
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to an input validation error in the Ancillary Function Driver (afd.sys) and can be exploited to execute arbitrary code in kernel mode.

Solution:
Apply patches.

Windows XP SP2/SP3:
http://www.microsoft.com/downloads/de...=b16d9dac-c430-4dd8-a1e5-9a614801f1d9

Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/de...=5b607efc-c6fb-4079-8478-e4f3262386d3

Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/de...=ee88ff2d-1b12-4f4c-a081-9f27a6fba074

Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/de...=ab4d94d3-458c-4946-ab7f-03a279629d25

Windows Server 2003 with SP1/SP2 for Itanium-based systems:
http://www.microsoft.com/downloads/de...=63234f85-6e5d-4ef6-b7cf-d1d2c78a5517

Provided and/or discovered by:
The vendor credits Fabien Le Mentec, SkyRecon.

Original Advisory:
MS08-066 (KB956803):
http://www.microsoft.com/technet/security/Bulletin/MS08-066.mspx

Microsoft Windows 2000 Message Queuing Service Vulnerability
Oct 14, 2008 5:51AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: System access

Where: From local network
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server

Description:
A vulnerability has been reported in Microsoft Windows 2000, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error when parsing RPC requests to the Message Queuing (MSMQ) service. This can be exploited to cause a heap-based buffer overflow by sending a specially crafted RPC request to the affected service.

Successful exploitation may allow execution of arbitrary code with SYSTEM privileges, but requires that the MSMQ service is enabled (not installed by default).

Solution:
Apply patch.

Microsoft Windows 2000 SP4:
http://www.microsoft.com/downloads/de...=899e2728-2433-4ccb-a195-05b5d65e5469

Provided and/or discovered by:
The vendor credits TippingPoint and the Zero Day Initiative.

Original Advisory:
MS08-065 (KB951071):
http://www.microsoft.com/technet/security/Bulletin/MS08-065.mspx

Microsoft Windows Virtual Address Descriptor Privilege Escalation
Oct 14, 2008 5:52AM PDT

Release Date: 2008-10-14

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch

OS: Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to an integer overflow error when processing Virtual Address Descriptor (VAD) parameters. This can be exploited to cause a memory allocation mapping error and corrupt memory.

Successful exploitation allows execution of arbitrary code with escalated privileges.

Solution:
Apply patches.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
MS08-064 (KB956841):
http://www.microsoft.com/technet/security/Bulletin/MS08-064.mspx

Microsoft Windows SMB Buffer Underflow Vulnerability
Oct 14, 2008 5:54AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: System access

Where: From local network
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an input validation error in the handling of file names in the Microsoft SMB (Server Message Block) protocol, which can be exploited to cause a buffer underflow.

Successful exploitation may allow execution of arbitrary code, but requires access to a disk share.

Solution:
Apply patches.

Provided and/or discovered by:
The vendor credits Joshua Morin, Codenomicon.

Original Advisory:
MS08-063 (KB957095):
http://www.microsoft.com/technet/security/Bulletin/MS08-063.mspx

Microsoft Windows IIS IPP Service Integer Overflow Vulnerability
Oct 14, 2008 5:55AM PDT

Release Date: 2008-10-14

Critical: Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an integer overflow error within the IPP (Internet Printing Protocol) ISAPI extension for IIS when processing specially crafted IPP responses. This can be exploited to execute arbitrary code by tricking an affected web server into connecting to a malicious IPP server via a specially crafted HTTP "POST" request.

Successful exploitation requires that IPP is enabled in IIS.

Solution:
Apply patches.

Provided and/or discovered by:
Reported as a 0-day.

Original Advisory:
MS08-062 (KB953155):
http://www.microsoft.com/technet/security/Bulletin/MS08-062.mspx

Microsoft Windows Privilege Escalation Vulnerabilities
Oct 14, 2008 5:56AM PDT

Release Date: 2008-10-14

Critical: Less critical
Impact: Privilege escalation, DoS

Where: Local system
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
Some vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Solution:
Apply patches.

Provided and/or discovered by:
1) The vendor credits Paul Caton of iShadow.
2) The vendor credits Thomas Garnier of SkyRecon.
3) Reported by the vendor.

Original Advisory:
MS08-061 (KB954211):
http://www.microsoft.com/technet/security/Bulletin/MS08-061.mspx

Microsoft Windows Active Directory Buffer Overflow Vulnerability
Oct 14, 2008 5:58AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: System access

Where: From local network
Solution Status: Vendor Patch

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Server
Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an incorrect memory allocation when processing LDAP and LDAPS requests. This can be exploited to cause a buffer overflow via a specially crafted request.

Successful exploitation may allow execution of arbitrary code, but requires that the affected system is configured as a domain controller.

Solution:
Apply vendor patch.

Windows 2000 Server SP4:
http://www.microsoft.com/downloads/de...=8ed7bb9a-4b26-49d7-8c14-60226d2bc20d

Provided and/or discovered by:
The vendor credits Paul Miseiko, nCircle.

Original Advisory:
MS08-060 (KB954211):
http://www.microsoft.com/technet/security/Bulletin/MS08-060.mspx

Microsoft Host Integration Server SNA RPC Vulnerability
Oct 14, 2008 5:59AM PDT

Release Date: 2008-10-14

Critical: Moderately critical
Impact: Security Bypass, System access

Where: From local network
Solution Status: Vendor Patch

Software: Microsoft Host Integration Server 2000
Microsoft Host Integration Server 2000 Administrator Client
Microsoft Host Integration Server 2004
Microsoft Host Integration Server 2004 (Client)
Microsoft Host Integration Server 2006

Description:
A vulnerability has been reported in Microsoft Host Integration Server, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error in the SNA RPC service. This allows bypassing the authentication mechanism and accessing administrative functionality via a specially crafted RPC request.

Solution:
Apply patches.

Provided and/or discovered by:
The vendor credits Stephen Fewer, Harmony Security via iDefense VCP.

Original Advisory:
MS08-059 (KB956695):
http://www.microsoft.com/technet/security/Bulletin/MS08-059.mspx

Microsoft Excel Multiple Vulnerabilities
Oct 14, 2008 6:00AM PDT

Release Date: 2008-10-14

Critical: Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch

Software: Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office 2007
Microsoft Office 2008 for Mac
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office Excel 2007
Microsoft Office Excel Viewer
Microsoft Office Excel Viewer 2003
Microsoft Office SharePoint Server 2007
Microsoft Office XP
Microsoft Open XML File Format Converter for Mac

Description:
Some vulnerabilities have been reported in Microsoft Excel, which can be exploited by malicious people to potentially compromise a user's system.

Solution:
Apply patches.

Provided and/or discovered by:
1) The vendor credits:
* Lionel d'Hauenens, Labo Skopia via iDefense VCP.
* Joshua J. Drake, iDefense.
2) The vendor credits Wushi via Zero Day Initiative.
3) Reported by the vendor.

Original Advisory:
MS08-057 (KB956416):
http://www.microsoft.com/technet/security/Bulletin/MS08-057.mspx

Microsoft Office CDO URI Handling Cross-Site Scripting
Oct 14, 2008 6:01AM PDT

Release Date: 2008-10-14

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch

Software: Microsoft Office XP

Description:
A vulnerability has been reported in Microsoft Office, which can be exploited by malicious people to conduct cross-site scripting attacks.

The "cdo:" URI handler does not properly handle requests containing "Content-Disposition: attachment" headers and thus renders these instead of displaying the "File Download" dialog box. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a site.

Solution:
Apply patches.

Microsoft Office XP SP3:
http://www.microsoft.com/downloads/de...=b1aee2d5-bfa0-40e3-91b6-98bf65524e8c

Provided and/or discovered by:
The vendor credits NetAgent Co.

Original Advisory:
MS08-056 (KB957699):
http://www.microsoft.com/technet/security/Bulletin/MS08-056.mspx

Microsoft Updates Security Advisory 951306
Oct 14, 2008 6:05AM PDT

added October 14, 2008 at 01:53 pm

In April 2008, Microsoft released Security Advisory 951306 to alert users of a vulnerability in Microsoft Windows. This vulnerability may allow local users, or users who can legitimately run code in the context of IIS or SQL Server, to operate with elevated privileges. Recently, Microsoft Security Response Center (MSRC) posted several blog entries indicating that the Security Advisory was updated to reflect the availability of public exploit code. A patch or update is not available to correct this issue.

US-CERT encourages users and administrators to do the following to help mitigate the risks:

* Review the updated Security Advisory 951306 and apply the suggested workarounds.
* Review the MSRC blog entries from October 9, 2008 and October 13, 2008.

http://www.us-cert.gov/current/current_activity.html#microsoft_updates_security_advisory_951306

Websense - Exploit Action with PDF OpenAction
Oct 14, 2008 6:27AM PDT

We have noticed that the latest PDF exploit is becoming a hot topic and more people are talking about it. When users open a maliciously crafted PDF document, the payload automatically executes and downloads another malicious file from the Internet, which is then executed. Actually, the payload is not triggered by a vulnerability used in the exploit directly but by a tag in PDF called OpenAction, which can specify an action to be performed when the document is opened.

More: http://securitylabs.websense.com/content/Blogs/3202.aspx