Spyware, Viruses, & Security forum

VULNERABILITIES - January 9, 2007

Opera JPEG Processing Heap Corruption Vulnerabilities

Opera is vulnerable when parsing the JPEG file format. Four vulnerabilities were discovered, each in a different segment of the file format; posidron describes the two important ones in this advisory.

1 - ntdll.RtlAllocateHeap() DHT vulnerability
2 - ntdll.RtlAllocateHeap() SOS vulnerability

Opera Mini for mobile phones could also be vulnerable; the second bug looks particularly interesting in that respect.

Vulnerable Systems:
* Opera version 9.01 Build 8552

Details
The following code produces the sample image on which all further operations are made. It's a valid image which was generated with Adobe Photoshop.

Credit:
The information has been provided by posidron.
The original article can be found at: http://www.milw0rm.com/exploits/3101

http://www.securiteam.com/exploits/5YP082AKAW.html
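The advisory names two JPEG segments, DHT (Define Huffman Table, marker FFC4) and SOS (Start of Scan, marker FFDA), but the page does not say which field Opera mishandled. The following is an added example, not code from the advisory, from posidron or from Opera: a marker-segment walker that makes the structural checks a decoder must make on those two segments before it allocates from or copies out of them. The error codes, the checks and the three JPEG byte strings at the bottom are constructed for this example.

```c
/* Added example: validate JPEG DHT and SOS segments before use.
 * Not Opera's code; the checks are the generic ones any decoder needs. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { JPEG_OK = 0, JPEG_TRUNCATED, JPEG_BAD_MARKER, JPEG_BAD_DHT, JPEG_BAD_SOS };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* DHT payload: one or more tables, each = class/id byte, 16 code-length counts,
 * then sum(counts) symbol bytes. A decoder that trusts the counts and copies
 * that many symbols without checking the segment length runs off the table. */
static int check_dht(const uint8_t *p, size_t len) {
    size_t off = 0;
    while (off < len) {
        if (len - off < 17) return JPEG_BAD_DHT;
        uint8_t tc_th = p[off];
        if ((tc_th >> 4) > 1 || (tc_th & 0x0F) > 3) return JPEG_BAD_DHT; /* class 0/1, id 0..3 */
        size_t nsyms = 0;
        for (int i = 1; i <= 16; i++) nsyms += p[off + i];
        if (nsyms > 256) return JPEG_BAD_DHT;        /* a table holds at most 256 symbols */
        off += 17;
        if (len - off < nsyms) return JPEG_BAD_DHT;  /* symbols must lie inside the segment */
        off += nsyms;
    }
    return JPEG_OK;
}

/* SOS payload: Ns (1..4), Ns pairs of (component id, table selectors), then
 * Ss, Se, Ah/Al. The length is fixed by Ns, so a mismatch means the component
 * loop would read outside the segment. */
static int check_sos(const uint8_t *p, size_t len) {
    if (len < 1) return JPEG_BAD_SOS;
    uint8_t ns = p[0];
    if (ns < 1 || ns > 4) return JPEG_BAD_SOS;
    if (len != 1 + 2 * (size_t)ns + 3) return JPEG_BAD_SOS;
    for (int i = 0; i < ns; i++) {
        uint8_t sel = p[2 + 2 * i];
        if ((sel >> 4) > 3 || (sel & 0x0F) > 3) return JPEG_BAD_SOS;  /* table ids 0..3 */
    }
    return JPEG_OK;
}

/* Walk segments from SOI up to and including SOS; every declared length is
 * checked against the bytes actually present before the payload is touched. */
int jpeg_validate(const uint8_t *buf, size_t n) {
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_BAD_MARKER;
    size_t off = 2;
    for (;;) {
        if (n - off < 2) return JPEG_TRUNCATED;
        if (buf[off] != 0xFF) return JPEG_BAD_MARKER;
        uint8_t marker = buf[off + 1];
        if (marker == 0xFF) { off++; continue; }             /* fill byte */
        if (marker == 0xD9) return JPEG_TRUNCATED;           /* EOI before any scan */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8)) return JPEG_BAD_MARKER;
        if (n - off < 4) return JPEG_TRUNCATED;
        uint16_t seglen = be16(buf + off + 2);               /* includes its own two bytes */
        if (seglen < 2 || n - (off + 2) < seglen) return JPEG_TRUNCATED;
        const uint8_t *payload = buf + off + 4;
        size_t plen = seglen - 2;
        int rc = JPEG_OK;
        if (marker == 0xC4) rc = check_dht(payload, plen);
        else if (marker == 0xDA) rc = check_sos(payload, plen);
        if (rc != JPEG_OK) return rc;
        if (marker == 0xDA) return JPEG_OK;                  /* entropy-coded data follows */
        off += 2 + seglen;
    }
}

/* Constructed stream: SOI, one DHT (standard luminance DC counts, 12 symbols), SOS, EOI. */
const uint8_t jpeg_good[] = {
    0xFF,0xD8,
    0xFF,0xC4,0x00,0x1F,0x00, 0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0, 0,1,2,3,4,5,6,7,8,9,10,11,
    0xFF,0xDA,0x00,0x08,0x01, 0x01,0x00, 0x00,0x3F,0x00, 0x00, 0xFF,0xD9 };
/* Same, but the first DHT count claims 128 more symbols than the segment carries. */
const uint8_t jpeg_bad_dht[] = {
    0xFF,0xD8,
    0xFF,0xC4,0x00,0x1F,0x00, 0x80,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0, 0,1,2,3,4,5,6,7,8,9,10,11,
    0xFF,0xDA,0x00,0x08,0x01, 0x01,0x00, 0x00,0x3F,0x00, 0x00, 0xFF,0xD9 };
/* Same, but SOS declares four components while its length only covers one. */
const uint8_t jpeg_bad_sos[] = {
    0xFF,0xD8,
    0xFF,0xC4,0x00,0x1F,0x00, 0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0, 0,1,2,3,4,5,6,7,8,9,10,11,
    0xFF,0xDA,0x00,0x08,0x04, 0x01,0x00, 0x00,0x3F,0x00, 0x00, 0xFF,0xD9 };

int main(void) {
    printf("good=%d bad_dht=%d bad_sos=%d truncated=%d\n",
           jpeg_validate(jpeg_good, sizeof jpeg_good),
           jpeg_validate(jpeg_bad_dht, sizeof jpeg_bad_dht),
           jpeg_validate(jpeg_bad_sos, sizeof jpeg_bad_sos),
           jpeg_validate(jpeg_good, 40));
    return 0;
}
```

The two DHT checks are the ones that matter for heap safety: the 16 count bytes bound how many symbols follow, and that total must both fit in the 256-entry table a decoder allocates and lie inside the declared segment length. The SOS check is the same idea with a fixed formula. A fuzzer aimed at an image parser should flip exactly those bytes.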

Microsoft Excel Unspecified Code Execution Vulnerability

In reply to: VULNERABILITIES - January 9, 2007

http://secunia.com/advisories/23676/

Affected Software:
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel Viewer 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006

Jie Ma has reported a vulnerability in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error when opening XLS files using Internet Explorer. This can be exploited to execute arbitrary code via a specially crafted XLS file with a certain unspecified opcode.

Solution: Do not open untrusted Office documents.

Provided and/or discovered by: Jie Ma, Fortinet Security Research Team.

Original Advisory: http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html
Internet Explorer Memory Corruption Weakness

In reply to: VULNERABILITIES - January 9, 2007

http://secunia.com/advisories/23655/

Affected Software: Microsoft Internet Explorer 6.x

Michal Zalewski has discovered a weakness in Internet Explorer, which can be exploited by malicious people to cause a DoS (Denial of Service).

The weakness is caused due to a race condition when reloading XML files in iframes. This can be exploited to corrupt memory via specially crafted XML files with nested tags.

Successful exploitation crashes the browser. Execution of arbitrary code has not been proven, but cannot be completely ruled out.

NOTE: Secunia normally doesn't classify a browser crash as a vulnerability nor issue an advisory about it. However, the potential risk of this issue may be more severe than currently believed, which justifies an advisory being issued.

The weakness is confirmed on fully patched Microsoft Windows XP SP2 and Windows 2000 SP4 systems with IE 6.0. Other versions may also be affected.

Solution: Do not browse untrusted sites.

Provided and/or discovered by: Michal Zalewski

Original Advisory: http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051620.html
HP PML Driver HPZ12 Windows Privilege Escalation Security Issue

In reply to: VULNERABILITIES - January 9, 2007

http://secunia.com/advisories/23663/

Affected Software: HP PML Driver HPZ12

Sowhat has reported a security issue in HP PML Driver, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is reported in HP All-in-One products and other HP products that contain the HP PML Driver.

Solution: Grant only trusted users access to affected systems.

Provided and/or discovered by: Sowhat, Nevis Labs

Original Advisory: http://secway.org/advisory/AD20070108.txt

Magic Photo Storage Website File Inclusion

In reply to: VULNERABILITIES - January 9, 2007

Direct Web Rendering Security Bypass and Denial of Service

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Direct Web Rendering Security Bypass and Denial of Service

SECUNIA ADVISORY ID:
SA23641

VERIFY ADVISORY:
http://secunia.com/advisories/23641/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, DoS

WHERE:
From remote

SOFTWARE:
Direct Web Rendering (DWR) 1.x
http://secunia.com/product/13182/

DESCRIPTION:
Some vulnerabilities have been reported in DWR (Direct Web
Rendering), which can be exploited by malicious people to bypass
certain security restrictions or cause a DoS (Denial of Service).

1) An error exists within the include/exclude functionality, which
can be exploited to access restricted methods by sending a specially
crafted request to DWR.

2) DWR does not set a maximum number of calls in a batch, which can
be exploited to stop the servlet engine from responding due to memory
consumption by sending specially crafted requests.

The vulnerabilities are reported in versions prior to 1.1.4.

SOLUTION:
Update to version 1.1.4.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://getahead.ltd.uk/dwr/changelog

VMWare ESX Server Multiple Vulnerabilities

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
VMWare ESX Server Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA23680

VERIFY ADVISORY:
http://secunia.com/advisories/23680/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Exposure of sensitive information, Privilege
escalation, DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
VMware ESX Server 2.x
http://secunia.com/product/2125/
VMware ESX Server 3.x
http://secunia.com/product/10757/

DESCRIPTION:
Some vulnerabilities have been reported in VMWare ESX Server, which
can be exploited by malicious people to gain knowledge of sensitive
information, bypass certain security restrictions, cause a DoS
(Denial of Service), gain escalated privileges, or compromise a
system.

For more information:
SA8974
SA18579
SA21709
SA22091
SA21120
SA22130
SA22173
SA22276
SA22771

SOLUTION:
Apply patches.

ORIGINAL ADVISORY:
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html

OTHER REFERENCES:
SA8974:
http://secunia.com/advisories/8974

SA18579:
http://secunia.com/advisories/18579

SA21709:
http://secunia.com/advisories/21709

SA22091:
http://secunia.com/advisories/22091

SA21120:
http://secunia.com/advisories/21120

SA22130:
http://secunia.com/advisories/22130

SA22173:
http://secunia.com/advisories/22173

SA22276:
http://secunia.com/advisories/22276

SA22771:
http://secunia.com/advisories/22771

Debian update for openoffice.org

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Debian update for openoffice.org

SECUNIA ADVISORY ID:
SA23683

VERIFY ADVISORY:
http://secunia.com/advisories/23683/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Debian GNU/Linux 3.1
http://secunia.com/product/5307/
Debian GNU/Linux unstable alias sid
http://secunia.com/product/530/

DESCRIPTION:
Debian has issued an update for openoffice.org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

For more information:
SA23612

SOLUTION:
Apply updated packages.

ORIGINAL ADVISORY:
http://www.debian.org/security/2007/dsa-1246

OTHER REFERENCES:
SA23612:
http://secunia.com/advisories/23612/

Debian update for libapache-mod-auth-kerb

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Debian update for libapache-mod-auth-kerb

SECUNIA ADVISORY ID:
SA23681

VERIFY ADVISORY:
http://secunia.com/advisories/23681/

CRITICAL:
Moderately critical

IMPACT:
DoS

WHERE:
From remote

OPERATING SYSTEM:
Debian GNU/Linux unstable alias sid
http://secunia.com/product/530/
Debian GNU/Linux 3.1
http://secunia.com/product/5307/

DESCRIPTION:
Debian has issued an update for libapache-mod-auth-kerb. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).

For more information:
SA23023

SOLUTION:
Apply updated packages.

ORIGINAL ADVISORY:
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00002.html

OTHER REFERENCES:
SA23023:
http://secunia.com/advisories/23023/

Sun Solaris update for gzip

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Sun Solaris update for gzip

SECUNIA ADVISORY ID:
SA23679

VERIFY ADVISORY:
http://secunia.com/advisories/23679/

CRITICAL:
Moderately critical

IMPACT:
DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
Sun Solaris 8
http://secunia.com/product/94/
Sun Solaris 9
http://secunia.com/product/95/
Sun Solaris 10
http://secunia.com/product/4813/

DESCRIPTION:
Sun has issued an update for gzip. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.

For more information:
SA21996

SOLUTION:
Do not unpack untrusted archive files.

The vendor has issued T-Patches.
http://sunsolve.sun.com/tpatches

ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102766-1

OTHER REFERENCES:
SA21996:
http://secunia.com/advisories/21996

Sun Solaris Generic Security Services Library Remote Command Execution Vulnerability

In reply to: Sun Solaris update for gzip

Sun Solaris Generic Security Services Library Remote Command Execution Vulnerability

Advisory ID : FrSIRT/ADV-2007-0112
CVE ID : CVE-2006-6144
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-01-09

Technical Description

A vulnerability has been identified in Sun Solaris, which could be exploited by remote attackers to take complete control of an affected system or cause a denial of service. This issue is due to memory management errors in the Generic Security Services library "libgss". For additional information, see : FrSIRT/ADV-2007-0111

Affected Products

Sun Solaris 8
Sun Solaris 9
Sun Solaris 10

Solution

The FrSIRT is not aware of any official supplied patch for this issue.

References

http://www.frsirt.com/english/advisories/2007/0112
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102772-1

Credits

Vulnerability reported by Andrew Korty (Indiana University)

Sun Solaris "libnsl" RPC Requests Handling Remote Denial of Service Vulnerability

Sun Solaris "libnsl" RPC Requests Handling Remote Denial of Service Vulnerability

Advisory ID : FrSIRT/ADV-2007-0110
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-01-09

Technical Description

A vulnerability has been identified in Sun Solaris, which could be exploited by attackers to cause a denial of service. This issue is due to an error within "libnsl" when processing malformed RPC requests, which could be exploited by remote or local attackers to exhaust all available memory resources or crash the "rpcbind" server, creating a denial of service condition.

Affected Products

Sun Solaris 8
Sun Solaris 9

Solution

Solaris 8 (SPARC) - Apply patch 108993-65
Solaris 9 (SPARC) - Apply patch 113319-27
Solaris 8 (x86) - Apply patch 108994-65
Solaris 9 (x86) - Apply patch 113719-21

References

http://www.frsirt.com/english/advisories/2007/0110
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102713-1

Credits

Vulnerability reported by Anil Kumar (BlueLane Research Team)

IBM AIX ftpd Two Vulnerabilities

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
IBM AIX ftpd Two Vulnerabilities

SECUNIA ADVISORY ID:
SA23688

VERIFY ADVISORY:
http://secunia.com/advisories/23688/

CRITICAL:
Moderately critical

IMPACT:
Exposure of sensitive information, DoS

WHERE:
From remote

OPERATING SYSTEM:
AIX 5.x
http://secunia.com/product/213/

DESCRIPTION:
Two vulnerabilities have been reported in IBM AIX, which can
potentially be exploited by malicious people to gain knowledge of
sensitive information or to cause a DoS (Denial of Service).

The vulnerabilities are caused due to an unspecified error within
bos.net.tcp.client. This can be exploited to crash the service or to
disclose passwords.

SOLUTION:
Apply emergency fixes until APARs are available.

Emergency fix:
ftp://aix.software.ibm.com/aix/efixes/security/ftpd2_ifix.tar.Z

APAR for AIX 5.3.0:
Apply IY89168 (available)

APAR for AIX 5.2.0:
Apply IY91787 (available approx. 2007-01-24)

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www-1.ibm.com/support/docview.wss?uid=isg1IY89168

rPath update for openoffice.org

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
rPath update for openoffice.org

SECUNIA ADVISORY ID:
SA23682

VERIFY ADVISORY:
http://secunia.com/advisories/23682/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
rPath Linux 1.x
http://secunia.com/product/10614/

DESCRIPTION:
rPath has issued an update for openoffice.org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

For more information:
SA23612

SOLUTION:
Update to
"openoffice.org=/conary.rpath.com@rpl:devel//1/2.0.3-1.7-1".

ORIGINAL ADVISORY:
https://issues.rpath.com/browse/RPL-905

OTHER REFERENCES:
SA23612:
http://secunia.com/advisories/23612/

Mandriva update for avahi

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Mandriva update for avahi

SECUNIA ADVISORY ID:
SA23644

VERIFY ADVISORY:
http://secunia.com/advisories/23644/

CRITICAL:
Less critical

IMPACT:
DoS

WHERE:
From remote

OPERATING SYSTEM:
Mandriva Linux 2007
http://secunia.com/product/12165/

DESCRIPTION:
Mandriva has issued an update for avahi. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

For more information:
SA23660

SOLUTION:
Apply updated packages.

ORIGINAL ADVISORY:
http://www.mandriva.com/security/advisories?name=MDKSA-2007:003

OTHER REFERENCES:
SA23660:
http://secunia.com/advisories/23660/

MediaWiki AJAX Unspecified Cross-Site Scripting

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
MediaWiki AJAX Unspecified Cross-Site Scripting

SECUNIA ADVISORY ID:
SA23647

VERIFY ADVISORY:
http://secunia.com/advisories/23647/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
MediaWiki 1.x
http://secunia.com/product/2546/

DESCRIPTION:
A vulnerability has been reported in MediaWiki, which can be
exploited by malicious people to conduct cross-site scripting
attacks.

Input passed to an unspecified parameter is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

Successful exploitation requires that $wgUseAjax is set to true,
which is not its default setting.

The vulnerability is reported in the 1.6.x branch before 1.6.9, the
1.7.x branch before 1.7.2, and the 1.8.x branch before 1.8.3.

SOLUTION:
Update to version 1.6.9, 1.7.2 or 1.8.3.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://sourceforge.net/forum/forum.php?forum_id=652721

OpenPKG Security Update Fixes bzip2 Argument Handling Code Execution Vulnerabilities

In reply to: VULNERABILITIES - January 9, 2007

OpenPKG Security Update Fixes bzip2 Argument Handling Code Execution Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-0086
CVE ID : CVE-2005-0758 - CVE-2005-0953
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-01-09

OpenPKG has released security updates to address multiple vulnerabilities identified in bzip2. These issues could be exploited by attackers to execute arbitrary commands or change the permissions of arbitrary files. For additional information, see : FrSIRT/ADV-2005-0560 - FrSIRT/ADV-2005-0754

Affected Products

OpenPKG E1.0-SOLID
OpenPKG 2-STABLE-20061018
OpenPKG 2-STABLE
OpenPKG CURRENT

Solution

Upgrade the affected package :
http://www.openpkg.org/product/packages/?package=bzip2

References

http://www.frsirt.com/english/advisories/2007/0086
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.002.html

OpenPKG Security Update Fixes Fetchmail Password Disclosure

In reply to: VULNERABILITIES - January 9, 2007

OpenPKG Security Update Fixes Fetchmail Password Disclosure and DoS Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-0088
CVE ID : CVE-2006-5867 - CVE-2006-5974
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-01-09

OpenPKG has released security updates to address multiple vulnerabilities identified in Fetchmail. These issues could be exploited by attackers to cause a denial of service or disclose sensitive information. For additional information, see : FrSIRT/ADV-2007-0087

Affected Products

OpenPKG E1.0-SOLID
OpenPKG 2-STABLE-20061018
OpenPKG 2-STABLE
OpenPKG CURRENT

Solution

Upgrade the affected package :
http://www.openpkg.org/product/packages/?package=fetchmail

References

http://www.frsirt.com/english/advisories/2007/0088
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.004.html

OpenPKG Security Update Fixes WordPress Trackback Charset SQL Injection Issue

In reply to: VULNERABILITIES - January 9, 2007

OpenPKG Security Update Fixes WordPress Trackback Charset SQL Injection Issue

Advisory ID : FrSIRT/ADV-2007-0089
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-01-09


OpenPKG has released security updates to address multiple vulnerabilities identified in WordPress. These issues could be exploited by attackers to execute arbitrary commands. For additional information, see : FrSIRT/ADV-2007-0061

Affected Products

OpenPKG E1.0-SOLID
OpenPKG 2-STABLE-20061018
OpenPKG 2-STABLE
OpenPKG CURRENT

Solution

Upgrade the affected package :
http://www.openpkg.org/product/packages/?package=wordpress

References

http://www.frsirt.com/english/advisories/2007/0089
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.005.html

OpenPKG Security Update Fixes Drupal Cross Site Scripting and DoS Vulnerabilities

In reply to: VULNERABILITIES - January 9, 2007

OpenPKG Security Update Fixes Drupal Cross Site Scripting and DoS Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-0090
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-01-09

OpenPKG has released security updates to address multiple vulnerabilities identified in Drupal. These issues could be exploited by attackers to execute arbitrary scripting code or cause a denial of service. For additional information, see : FrSIRT/ADV-2007-0050 - FrSIRT/ADV-2007-0051

Affected Products

OpenPKG E1.0-SOLID
OpenPKG 2-STABLE-20061018
OpenPKG 2-STABLE
OpenPKG CURRENT

Solution

Upgrade the affected package :
http://www.openpkg.org/product/packages/?package=drupal

References

http://www.frsirt.com/english/advisories/2007/0090
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.003.html

Ubuntu Security Update Fixes Avahi "consume_labels()" Denial of Service Vulnerability

In reply to: VULNERABILITIES - January 9, 2007

Ubuntu Security Update Fixes Avahi "consume_labels()" Denial of Service Vulnerability

Advisory ID : FrSIRT/ADV-2007-0091
CVE ID : CVE-2006-6870
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-01-09

Ubuntu has released security updates to address a vulnerability identified in Avahi. This issue could be exploited by attackers to cause a denial of service. For additional information, see : FrSIRT/ADV-2007-0071

Affected Products

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

Solution

Upgrade the affected packages :
http://www.ubuntu.com/usn/usn-402-1

References

http://www.frsirt.com/english/advisories/2007/0091
http://www.ubuntu.com/usn/usn-402-1

SuSE Security Update Fixes Java Multiple Remote Buffer Overflow Vulnerabilities

In reply to: VULNERABILITIES - January 9, 2007

SuSE Security Update Fixes Java Multiple Remote Buffer Overflow Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-0100
CVE ID : CVE-2006-6731 - CVE-2006-6736 - CVE-2006-6737 - CVE-2006-6745
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-01-09

SuSE has released security updates to address multiple vulnerabilities identified in Java. These issues could be exploited by attackers to execute arbitrary commands or disclose sensitive information. For additional information, see : FrSIRT/ADV-2006-5075 - FrSIRT/ADV-2006-5074 - FrSIRT/ADV-2006-5073

Affected Products

Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
openSUSE 10.2
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SUSE LINUX Retail Solution 8
SuSE Linux School Server
SuSE Linux Standard Server 8
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
UnitedLinux 1.0

Solution

Upgrade the affected packages :
ftp://ftp.suse.com/pub/suse/update/

References

http://www.frsirt.com/english/advisories/2007/0100
http://lists.suse.com/archive/suse-security-announce/2007-Jan/0003.html

Microsoft Windows Vector Markup Language Buffer Overflow

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Microsoft Windows Vector Markup Language Buffer Overflow

SECUNIA ADVISORY ID:
SA23677

VERIFY ADVISORY:
http://secunia.com/advisories/23677/

CRITICAL:
Extremely critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows XP Professional
http://secunia.com/product/22/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/

SOFTWARE:
Microsoft Internet Explorer 7.x
http://secunia.com/product/12366/
Microsoft Internet Explorer 6.x
http://secunia.com/product/11/
Microsoft Internet Explorer 5.01
http://secunia.com/product/9/

DESCRIPTION:
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an integer overflow error in the
Vector Markup Language (VML) implementation and can be exploited to
cause a heap-based buffer overflow via e.g. a specially crafted web
page or HTML e-mail.

Successful exploitation allows execution of arbitrary code.

NOTE: According to Microsoft, the vulnerability is being actively
exploited.

SOLUTION:
Apply patches.

Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=81FB6A72-AC8A-4B28-905F-A44691D69432

Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D06FD167-4F3E-4A2C-B52C-7426DDAD6828

Windows Server 2003 (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4FEE481F-DACE-4EAC-9AFE-BC28ADD70CC5

Windows Server 2003 for Itanium-based systems (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=C517FB85-128E-43DB-A659-38AF32283716

Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=FF4A1F24-C1E9-4223-965B-14C4793AAF96

Internet Explorer 5.01 SP4 on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=B1C7F765-772C-4EEB-9438-BC820CB929E1

Internet Explorer 6 SP1 on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=922A3569-85D1-4584-9B84-4AA7304C69BB

Internet Explorer 7 on Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=55A0A6EC-FEFA-40BB-BB6B-3AAB50275A73

Internet Explorer 7 on Windows XP Pro x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=B5A8B1F2-6AF0-4F03-989C-C8DE2EACE71D

Internet Explorer 7 on Windows Server 2003 (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=08E5CD2E-55C0-4AC9-859F-1B24497B31CE

Internet Explorer 7 on Windows Server 2003 for Itanium-based systems
(optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=48B4D271-D494-4A5C-ABA8-11B3B4584902

Internet Explorer 7 on Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F9C3E0DE-DB66-4D83-829F-C93052BDB1FA

PROVIDED AND/OR DISCOVERED BY:
Joseph Moti

ORIGINAL ADVISORY:
MS07-004 (KB929969):
http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462
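The advisory describes the VML bug only as an integer overflow that turns into a heap-based buffer overflow. The following is an added example, not Microsoft's code and not a reconstruction of the actual VML parser: it shows the generic shape of that bug class, an element count taken from the document multiplied by an element size to get an allocation size, beside the overflow-checked version of the same arithmetic and a parser that refuses a count the input cannot back. The record layout (4-byte count, then int32 x/y pairs), the type names and the sample bytes are assumptions made for this example.

```c
/* Added example: integer overflow in allocation-size arithmetic, and the
 * checked form. Not Microsoft's code; vml_point and the record layout are
 * illustrative assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct { int32_t x, y; } vml_point;            /* 8 bytes per point */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The bug class, with the size computed in 32 bits as a 32-bit build would:
 * count 0x20000001 * 8 = 0x100000008, which truncates to 8. The allocator
 * returns room for one point and a fill loop then writes 0x20000001 of them. */
uint32_t unchecked_alloc_size32(uint32_t count) {
    return count * (uint32_t)sizeof(vml_point);
}

/* Overflow-checked multiply: -1 instead of a wrapped product. */
int checked_alloc_size(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem) return -1;
    *out = count * elem;
    return 0;
}

/* Hardened parse of a constructed point-list record: 4-byte little-endian
 * count, then count (x, y) int32 pairs. Two checks precede the allocation:
 * the product must not wrap, and the count must be backed by enough input,
 * so the fill loop can never outrun either the data or the buffer. */
vml_point *parse_points(const uint8_t *data, size_t len, size_t *count_out) {
    if (len < 4) return NULL;
    uint32_t count = le32(data);
    size_t bytes;
    if (checked_alloc_size(count, sizeof(vml_point), &bytes) != 0) return NULL;
    if (bytes > len - 4) return NULL;                    /* count not backed by input */
    vml_point *pts = malloc(bytes ? bytes : 1);
    if (!pts) return NULL;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = data + 4 + i * sizeof(vml_point);
        pts[i].x = (int32_t)le32(p);
        pts[i].y = (int32_t)le32(p + 4);
    }
    *count_out = count;
    return pts;
}

/* Constructed inputs: a sane two-point record, and one whose count would
 * wrap the 32-bit size computation while carrying only eight data bytes. */
const uint8_t sample_points[] = { 2,0,0,0,  10,0,0,0, 20,0,0,0,  30,0,0,0, 40,0,0,0 };
const uint8_t sample_huge_count[] = { 0x01,0x00,0x00,0x20,  1,2,3,4,5,6,7,8 };

int main(void) {
    size_t n = 0;
    vml_point *pts = parse_points(sample_points, sizeof sample_points, &n);
    printf("32-bit size for count 0x20000001: %u bytes\n",
           (unsigned)unchecked_alloc_size32(0x20000001u));
    printf("sane input: %zu points, last=(%d,%d)\n", n,
           pts ? pts[n - 1].x : 0, pts ? pts[n - 1].y : 0);
    printf("huge count refused: %s\n",
           parse_points(sample_huge_count, sizeof sample_huge_count, &n) ? "no" : "yes");
    free(pts);
    return 0;
}
```

The second check (count backed by input) is the one many parsers skip even after they fix the multiply; it also closes the out-of-bounds read that would otherwise follow a large but non-wrapping count.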

Microsoft Outlook Multiple Vulnerabilities

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Microsoft Outlook Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA23674

VERIFY ADVISORY:
http://secunia.com/advisories/23674/

CRITICAL:
Moderately critical

IMPACT:
DoS, System access

WHERE:
From remote

SOFTWARE:
Microsoft Outlook 2000
http://secunia.com/product/33/
Microsoft Outlook 2002
http://secunia.com/product/34/
Microsoft Outlook 2003
http://secunia.com/product/3292/
Microsoft Office 2000
http://secunia.com/product/24/
Microsoft Office 2003 Professional Edition
http://secunia.com/product/2276/
Microsoft Office 2003 Small Business Edition
http://secunia.com/product/2277/
Microsoft Office 2003 Standard Edition
http://secunia.com/product/2275/
Microsoft Office 2003 Student and Teacher Edition
http://secunia.com/product/2278/
Microsoft Office XP
http://secunia.com/product/23/

DESCRIPTION:
Some vulnerabilities have been reported in Microsoft Outlook, which
can be exploited by malicious people to cause a DoS (Denial of
Service) or compromise a user's system.

1) An error within the processing of VEVENT records can be exploited
to corrupt memory via a specially crafted .ICS (iCal) meeting
request.

Successful exploitation allows execution of arbitrary code.

2) An error within the processing of e-mail header information can be
exploited to crash the mail client via a specially crafted e-mail. In
order to restore functionality, the malicious e-mail has to be
removed manually from the mail server.

3) An error within the processing of Office Saved Searches (.oss)
files can be exploited to corrupt memory by tricking a user into
opening a specially crafted .oss file.

Successful exploitation allows execution of arbitrary code.

SOLUTION:
Apply patches.

Microsoft Outlook 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=97CE0B32-C6AF-4C6C-ABF1-838ED89062EB

Microsoft Outlook 2002:
http://www.microsoft.com/downloads/details.aspx?FamilyId=1D1991C5-3DE3-4258-9120-058FFD62B4F5

Microsoft Outlook 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9E4DD8AE-2564-4176-AC2E-E3760058CB56

PROVIDED AND/OR DISCOVERED BY:
1) Lurene Grenier, Sourcefire.
2) Reported by the vendor.
3) Stuart Pearson, Computer Terrorism.

ORIGINAL ADVISORY:
MS07-003 (KB925938):
http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx

EF Commander ISO Long Pathname Buffer Overflow

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
EF Commander ISO Long Pathname Buffer Overflow

SECUNIA ADVISORY ID:
SA23659

VERIFY ADVISORY:
http://secunia.com/advisories/23659/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
EF Commander 5.x
http://secunia.com/product/13185/

DESCRIPTION:
Tan Chew Keong has reported a vulnerability in EF Commander, which
can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when processing
ISO files containing long pathnames. This can be exploited to cause a
stack-based buffer overflow via a specially crafted ISO file
containing a file within several nested directories.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in version 5.75. Other versions may
also be affected.

SOLUTION:
Update to version 5.80.

PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, vuln.sg

ORIGINAL ADVISORY:
http://vuln.sg/efcommander575-en.html
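The advisory says only that a file placed inside several nested directories makes EF Commander overflow a stack buffer while it builds the pathname. The following is an added example, not EF Commander's code and not from the vuln.sg advisory: the usual shape of that bug, a fixed-size path buffer that receives one strcat per nesting level, placed beside a bounded builder fed by a minimal ISO 9660 directory-record reader. ISO_PATH_MAX, the subset of the record layout used, and the two sample record chains are assumptions made for this example.

```c
/* Added example: bounded pathname construction from ISO 9660 directory
 * records. Not EF Commander's code; ISO_PATH_MAX and the samples are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ISO_PATH_MAX 256   /* assumed fixed path buffer, as in a typical archiver */

/* ECMA-119 9.1 directory record, the three fields needed here:
 * byte 0 = record length, byte 32 = identifier length, bytes 33.. = identifier. */
int iso_record_ident(const uint8_t *rec, size_t avail,
                     const uint8_t **ident, size_t *ident_len) {
    if (avail < 33) return -1;
    size_t rec_len = rec[0], id_len = rec[32];
    if (rec_len > avail || rec_len < 33 + id_len) return -1; /* identifier must lie inside the record */
    *ident = rec + 33;
    *ident_len = id_len;
    return 0;
}

/* The vulnerable pattern: nothing bounds the total length, so enough nested
 * components walk strcat straight off the end of the caller's stack buffer. */
void unsafe_path_append(char *path, const char *name) {
    if (path[0]) strcat(path, "/");
    strcat(path, name);
}

/* Hardened append: the current length is tracked and a component that would
 * not fit (separator and NUL included) is refused rather than written. */
int safe_path_append(char *path, size_t cap, size_t *len,
                     const uint8_t *name, size_t name_len) {
    if (name_len == 0 || memchr(name, '/', name_len) || memchr(name, '\0', name_len))
        return -1;                                   /* no empty names, separators or NULs */
    size_t need = (*len ? 1 : 0) + name_len;
    if (cap - *len - 1 < need) return -1;            /* would overflow */
    if (*len) path[(*len)++] = '/';
    memcpy(path + *len, name, name_len);
    *len += name_len;
    path[*len] = '\0';
    return 0;
}

/* Build the path for a chain of records, root-most first. -1 on any
 * malformed record or when the path would exceed cap. */
int iso_build_path(const uint8_t *const *recs, const size_t *avail, size_t depth,
                   char *out, size_t cap) {
    size_t len = 0;
    out[0] = '\0';
    for (size_t i = 0; i < depth; i++) {
        const uint8_t *id; size_t id_len;
        if (iso_record_ident(recs[i], avail[i], &id, &id_len) != 0) return -1;
        if (safe_path_append(out, cap, &len, id, id_len) != 0) return -1;
    }
    return 0;
}

/* Constructs a directory record for the samples; returns its length. */
static size_t make_record(uint8_t *buf, const char *name) {
    size_t n = strlen(name);
    memset(buf, 0, 33);
    buf[0] = (uint8_t)(33 + n);
    buf[32] = (uint8_t)n;
    memcpy(buf + 33, name, n);
    return 33 + n;
}

/* Sane sample: three levels, fits easily. */
int demo_sane(char *out, size_t cap) {
    static uint8_t r[3][64];
    const uint8_t *recs[3]; size_t avail[3];
    const char *names[3] = { "DOCS", "2007", "README.TXT;1" };
    for (size_t i = 0; i < 3; i++) { avail[i] = make_record(r[i], names[i]); recs[i] = r[i]; }
    return iso_build_path(recs, avail, 3, out, cap);
}

/* Hostile sample: twelve levels of 30-byte names, 371 bytes of path, beyond ISO_PATH_MAX. */
int demo_deep(char *out, size_t cap) {
    static uint8_t r[12][64];
    const uint8_t *recs[12]; size_t avail[12];
    for (size_t i = 0; i < 12; i++) {
        avail[i] = make_record(r[i], "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
        recs[i] = r[i];
    }
    return iso_build_path(recs, avail, 12, out, cap);
}

/* Malformed record: identifier length points past the record's own length. */
int demo_malformed(void) {
    uint8_t bad[40] = {0};
    const uint8_t *id; size_t id_len;
    bad[0] = 35; bad[32] = 10;
    return iso_record_ident(bad, sizeof bad, &id, &id_len);
}

int main(void) {
    char path[ISO_PATH_MAX];
    printf("sane=%d path=%s\n", demo_sane(path, sizeof path), path);
    printf("deep=%d (refused)\n", demo_deep(path, sizeof path));
    return 0;
}
```

Two details carry the weight: the identifier length is validated against the record length before the bytes are read, and the path length is accounted for across levels rather than per component, which is what a per-component check such as a 255-byte limit on each name would miss.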

Microsoft Office Brazilian Portuguese Grammar Checker Vulnerability

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Microsoft Office Brazilian Portuguese Grammar Checker Vulnerability

SECUNIA ADVISORY ID:
SA23671

VERIFY ADVISORY:
http://secunia.com/advisories/23671/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Microsoft Office 2003 Student and Teacher Edition
http://secunia.com/product/2278/
Microsoft Office 2003 Standard Edition
http://secunia.com/product/2275/
Microsoft Office 2003 Small Business Edition
http://secunia.com/product/2277/
Microsoft Office 2003 Proofing Tools
http://secunia.com/product/7426/
Microsoft Office 2003 Professional Edition
http://secunia.com/product/2276/
Microsoft Access 2003
http://secunia.com/product/4904/
Microsoft Word 2003
http://secunia.com/product/4908/
Microsoft Excel 2003
http://secunia.com/product/4970/
Microsoft Outlook 2003
http://secunia.com/product/3292/
Microsoft OneNote 2003
http://secunia.com/product/7140/
Microsoft Powerpoint 2003
http://secunia.com/product/5274/
Microsoft Publisher 2003
http://secunia.com/product/10986/
Microsoft InfoPath 2003
http://secunia.com/product/6463/
Microsoft Frontpage 2003
http://secunia.com/product/6997/
Microsoft Visio 2003
http://secunia.com/product/1092/

DESCRIPTION:
A vulnerability has been reported in Microsoft Office, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the Brazilian
Portuguese grammar checker and can be exploited to corrupt memory by
tricking a user into opening a specially crafted Office document.

Successful exploitation allows execution of arbitrary code.

SOLUTION:
Apply patches.

Microsoft Office 2003 SP2 (Brazilian Portuguese Version):
http://www.microsoft.com/downloads/details.aspx?familyid=B828BA91-A993-41EC-839C-8995CCFAEC6B

Microsoft Office Multilingual User Interface 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=C860DE66-DB1A-489D-8518-42CE468F5965

Microsoft Project Multilingual User Interface 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=8F233E5D-1270-4041-9CDD-C3541B7F4B40

Microsoft Visio Multilingual User Interface 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=C5A29C81-419C-440B-BF0B-FEC0C0708430

Microsoft Office Proofing Tools 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=51E9C97A-C35F-45AD-A587-8F08F1D34B7B

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
MS07-001 (KB921585):
http://www.microsoft.com/technet/security/Bulletin/MS07-001.mspx

Red Hat update for flash-plugin

In reply to: VULNERABILITIES - January 9, 2007

TITLE:
Red Hat update for flash-plugin

SECUNIA ADVISORY ID:
SA23581

VERIFY ADVISORY:
http://secunia.com/advisories/23581/

CRITICAL:
Less critical

IMPACT:
Security Bypass

WHERE:
From remote

SOFTWARE:
Red Hat Enterprise Linux Extras v. 3
http://secunia.com/product/8742/
Red Hat Enterprise Linux Extras v. 4
http://secunia.com/product/8743/

DESCRIPTION:
Red Hat has issued an update for flash-plugin. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions.

For more information:
SA22467

SOLUTION:
Updated packages are available from Red Hat Network:
http://rhn.redhat.com

ORIGINAL ADVISORY:
https://rhn.redhat.com/errata/RHSA-2007-0009.html

OTHER REFERENCES:
SA22467:
http://secunia.com/advisories/22467/
