VULNERABILITIES - March 2, 2007

by Marianna Schmudlach / March 1, 2007 2:16 PM PST

Recent Threat/Vulnerability Developments

Published: 2007-03-02,
Last Updated: 2007-03-02 04:10:13 UTC
by Kevin Liston (Version: 1)
There have been a few recent minor developments that I think warrant a mention.

There have been a handful of viruses recently that specifically target USB removable media, Win32.Agent.wj and VBS.Solow.E to mention just two. This harks back to the old days of floppy-disk boot-sector viruses. This is not the only old-school re-visitation I've seen in malicious code trends; there have also been a few destructive viruses recently reported.

A vulnerability in Adobe Acrobat that allows a malicious PDF file to call arbitrary file:// URLs was announced last night.


Things to keep an eye on over the weekend:

This Year of MOXB continues with PHP. Something interesting is bound to turn up out of that.
The College Basketball championship begins in the US. I would be surprised to not see any "March Madness" related schemes develop.

http://isc.sans.org/

IBM Lenovo ThinkPad Security Update Fixes Ethernet Privilege Escalation Vulnerability
by Marianna Schmudlach / March 2, 2007 12:18 AM PST

IBM Lenovo ThinkPad Security Update Fixes Ethernet Privilege Escalation Vulnerability

Advisory ID : FrSIRT/ADV-2007-0801
CVE ID : CVE-2006-6385
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

A vulnerability has been identified in IBM Lenovo ThinkPad, which could be exploited by local attackers to obtain elevated privileges. This issue is due to an error in the Intel PRO/1000 LAN adapter software. For additional information, see : FrSIRT/ADV-2006-4871

Affected Products

IBM Lenovo ThinkPad T60
IBM Lenovo ThinkPad T60p
IBM Lenovo ThinkPad X60
IBM Lenovo ThinkPad X60s
IBM Lenovo ThinkPad X60 Tablet

Solution

Apply patch :
http://www-307.ibm.com/pc/support/site.wss/license.do?filename=mobiles/7ira09ww.exe

References

http://www.frsirt.com/english/advisories/2007/0801
http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-67116

Novell Access Management SSLVPN Server Security Restrictions Bypass Vulnerability
by Marianna Schmudlach / March 2, 2007 12:19 AM PST

Novell Access Management SSLVPN Server Security Restrictions Bypass Vulnerability

Advisory ID : FrSIRT/ADV-2007-0800
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

A vulnerability has been identified in Novell Access Manager, which could be exploited by malicious users to bypass security policies. This issue is due to a design error within the "actX.ocx" ActiveX control that relies on the "policy.txt" file created by the application to grant access to network resources, which allows authenticated attackers to bypass the server's controls and gain unauthorized access to any resources on the LAN (that would normally be prohibited) by manipulating the affected file.

Affected Products

Novell Access Manager version 3.0 IR1

Solution

Apply patch :
http://download.novell.com/protected/Export.jsp?buildid=Siiw_-VRqLE~

References

http://www.frsirt.com/english/advisories/2007/0800
http://download.novell.com/Download?buildid=Siiw_-VRqLE~

Credits

Vulnerability reported by the vendor

Symantec Mail Security for SMTP Header Handling Remote Code Execution Vulnerability
by Marianna Schmudlach / March 2, 2007 12:20 AM PST

Symantec Mail Security for SMTP Header Handling Remote Code Execution Vulnerability

Advisory ID : FrSIRT/ADV-2007-0799
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

A vulnerability has been identified in Symantec Mail Security for SMTP, which could be exploited by attackers or worms to take complete control of an affected system. This issue is due to a buffer overflow error when handling malformed email headers, which could be exploited by remote attackers or malware to execute arbitrary commands with SYSTEM privileges by sending a specially crafted email message through a vulnerable application.

Affected Products

Symantec Mail Security for SMTP version 5.0 and prior

Solution

Apply patch 175 :
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_mail_security/5.0_smtp/updates/

References

http://www.frsirt.com/english/advisories/2007/0799
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_mail_security/5.0_smtp/updates/release_notes_p175.txt
http://www.kb.cert.org/vuls/id/875633

Credits

Vulnerability reported by Steve Arvanitis

MPlayer "DMO_VideoDecoder()" File Handling Client-Side Buffer Overflow Vulnerability
by Marianna Schmudlach / March 2, 2007 12:21 AM PST

MPlayer "DMO_VideoDecoder()" File Handling Client-Side Buffer Overflow Vulnerability

Advisory ID : FrSIRT/ADV-2007-0794
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-01

Technical Description

A vulnerability has been identified in MPlayer, which could be exploited by remote attackers to execute arbitrary commands. This issue is due to a buffer overflow error within the "DMO_VideoDecoder()" [loader/dmo/DMO_VideoDecoder.c] function that does not validate certain values before being copied into an insufficiently sized buffer via a "memcpy()" call, which could be exploited by attackers to crash an affected application or compromise a vulnerable system by tricking a user into opening a specially crafted video file.

Affected Products

MPlayer version 1.0rc1 and prior

Solution

A fix is available via CVS :
http://svn.mplayerhq.hu/mplayer/trunk/loader/dmo/DMO_VideoDecoder.c

References

http://www.frsirt.com/english/advisories/2007/0794

Credits

Vulnerability reported by Moritz Jodeit

Tcpdump "parse_elements()" 802.11 Frame Parsing Remote Buffer Overflow Vulnerability
by Marianna Schmudlach / March 2, 2007 12:22 AM PST

Tcpdump "parse_elements()" 802.11 Frame Parsing Remote Buffer Overflow Vulnerability

Advisory ID : FrSIRT/ADV-2007-0793
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-01

Technical Description

A vulnerability has been identified in Tcpdump, which could be exploited by remote attackers to cause a denial of service or execute arbitrary commands. This issue is due to an off-by-one buffer overflow error within the "parse_elements()" [print-802_11.c] function when processing malformed 802.11 frames, which could be exploited by attackers to crash an affected application or potentially compromise a vulnerable system.

Affected Products

Tcpdump version 3.9.5 and prior

Solution

A fix is available via CVS :
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c

References

http://www.frsirt.com/english/advisories/2007/0793

Credits

Vulnerability reported by Moritz Jodeit
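
Both the MPlayer advisory and the tcpdump advisory above describe the same defect class: a length taken from the input is used to copy data into a fixed-size buffer before anyone checks that it fits. The following is an added example, not code from tcpdump, MPlayer or FrSIRT: a bounds-checked walker for 802.11-style (id, length, data) information elements, plus an SSID extractor that reserves the terminating byte an off-by-one typically forgets. The names parse_elements_safe, extract_ssid and ie_t and the sample frame bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One-byte length field in the wire format, so 255 is the largest payload. */
#define IE_MAX_LEN 255

typedef struct {
    uint8_t id;
    uint8_t len;
    uint8_t data[IE_MAX_LEN];
} ie_t;

/* Walk a buffer of (id, len, data...) elements.
   Returns the number of elements found, or -1 if the buffer is malformed
   (a header is cut short or an element claims more bytes than remain).
   The remaining-length check happens before any copy, and the destination
   array is sized for the largest length the format can express, so a hostile
   length field can neither read past `buf` nor write past `out`. */
int parse_elements_safe(const uint8_t *buf, size_t buflen, ie_t *out, size_t max_out)
{
    size_t pos = 0;
    int count = 0;

    while (pos < buflen) {
        if (buflen - pos < 2)              /* id + len header must be complete */
            return -1;
        uint8_t id = buf[pos];
        uint8_t len = buf[pos + 1];
        /* Compare against the bytes actually left, computed as a subtraction
           on sizes rather than by forming a pointer that may overflow. */
        if (len > buflen - pos - 2)
            return -1;
        if ((size_t)count < max_out) {
            out[count].id = id;
            out[count].len = len;
            memcpy(out[count].data, buf + pos + 2, len);   /* len <= IE_MAX_LEN by type */
        }
        count++;
        pos += 2 + (size_t)len;            /* always advances by at least 2 */
    }
    return count;
}

/* Copy an SSID element (id 0, at most 32 bytes) into a NUL-terminated string.
   The caller's buffer must hold len + 1 bytes: the +1 is exactly the byte an
   off-by-one overlooks. Returns 0 on success, -1 on any violation. */
int extract_ssid(const ie_t *ie, char *dst, size_t dstlen)
{
    if (ie->id != 0 || ie->len > 32 || dstlen < (size_t)ie->len + 1)
        return -1;
    memcpy(dst, ie->data, ie->len);
    dst[ie->len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: SSID "abc" followed by a two-byte rates element.
       Not captured from any real network. */
    static const uint8_t frame[] = {0x00, 0x03, 'a', 'b', 'c', 0x01, 0x02, 0x82, 0x84};
    ie_t ies[8];
    char ssid[33];
    int n = parse_elements_safe(frame, sizeof frame, ies, 8);
    printf("parsed %d elements\n", n);
    if (n > 0 && extract_ssid(&ies[0], ssid, sizeof ssid) == 0)
        printf("SSID: %s\n", ssid);

    /* Same bytes with the SSID length forged to 16: rejected before any copy. */
    uint8_t forged[sizeof frame];
    memcpy(forged, frame, sizeof frame);
    forged[1] = 0x10;
    printf("forged length -> %d\n", parse_elements_safe(forged, sizeof forged, ies, 8));
    return 0;
}
```

The two checks worth copying into any TLV parser are the order of operations (validate the claimed length against the remaining input, then copy) and the explicit room for the terminator in the fixed-size destination; both advisories above are instances of one of these being missing.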

Gentoo Security Update Fixes ClamAV Multiple Remote Denial of Service Vulnerabilities
by Marianna Schmudlach / March 2, 2007 12:24 AM PST

Gentoo Security Update Fixes ClamAV Multiple Remote Denial of Service Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-0797
CVE ID : CVE-2007-0897 - CVE-2007-0898
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

Gentoo has released security updates to address multiple vulnerabilities identified in ClamAV. These issues could be exploited by attackers to cause a denial of service. For additional information, see : FrSIRT/ADV-2007-0623

Affected Products

app-antivirus/clamav versions prior to 0.90

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose " >=app-antivirus/clamav-0.90"

References

http://www.frsirt.com/english/advisories/2007/0797
http://www.gentoo.org/security/en/glsa/glsa-200703-03.xml

Gentoo Security Update Fixes SpamAssassin Remote Denial of Service Vulnerability
by Marianna Schmudlach / March 2, 2007 12:25 AM PST

Gentoo Security Update Fixes SpamAssassin Remote Denial of Service Vulnerability

Advisory ID : FrSIRT/ADV-2007-0796
CVE ID : CVE-2007-0451
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

Gentoo has released security updates to address a vulnerability identified in SpamAssassin. This issue could be exploited by attackers to cause a denial of service. For additional information, see : FrSIRT/ADV-2007-0628

Affected Products

mail-filter/spamassassin versions prior to 3.1.8

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose " >=mail-filter/spamassassin-3.1.8"

References

http://www.frsirt.com/english/advisories/2007/0796
http://www.gentoo.org/security/en/glsa/glsa-200703-02.xml

Gentoo Security Update Fixes Snort DCE/RPC Preprocessor Buffer Overflow Vulnerability
by Marianna Schmudlach / March 2, 2007 12:26 AM PST

Gentoo Security Update Fixes Snort DCE/RPC Preprocessor Buffer Overflow Vulnerability

Advisory ID : FrSIRT/ADV-2007-0795
CVE ID : CVE-2006-5276
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

Gentoo has released security updates to address a vulnerability identified in Snort. This issue could be exploited by attackers to execute arbitrary commands or cause a denial of service. For additional information, see : FrSIRT/ADV-2007-0656

Affected Products

net-analyzer/snort versions prior to 2.6.1.3

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose " >=net-analyzer/snort-2.6.1.3"

References

http://www.frsirt.com/english/advisories/2007/0795
http://www.gentoo.org/security/en/glsa/glsa-200703-01.xml

aWebNews listing.php File Inclusion Vulnerability
by Marianna Schmudlach / March 2, 2007 12:49 AM PST

Secunia Advisory: SA24351
Release Date: 2007-03-02

Critical: Highly critical
Impact: System access

Where: From remote

Solution Status: Unpatched


Software: aWebNews 1.x

http://secunia.com/advisories/24351/

Contelligent "MoveSortedContentAction" Security Bypass
by Marianna Schmudlach / March 2, 2007 12:51 AM PST

Secunia Advisory: SA24364
Release Date: 2007-03-02

Critical: Less critical
Impact: Security Bypass

Where: From remote

Solution Status: Vendor Patch


Software: Contelligent 9.x


Description:
A security issue has been reported in Contelligent, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to the "MoveSortedContentAction" action not properly checking additional security configurations, which can be exploited to reorder components.

Successful exploitation requires that the attacker has write access to the location.

The security issue is reported in version 9.1.4. Prior versions may also be affected.

Solution:
Update to version 9.1.5.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.contelligent.com/contell/c...gent/changelog.html?fromRelease=9.1.4

Kaspersky AntiVirus UPX File Decompression DoS Vulnerability
by Donna Buenaventura / March 2, 2007 5:19 AM PST
DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in Kaspersky Lab's Antivirus could allow an attacker to conduct a DoS attack on a targeted host.

The antivirus engine is vulnerable to a DoS condition when processing an executable packed with UPX compression. Malformed compressed data causes the decompression routine to enter an infinite loop. Specifically, a negative data offset results in the same compressed data chunk being processed endlessly.

ANALYSIS

Exploitation allows an attacker to conduct a DoS attack.

If this attack is conducted against an e-mail gateway running Kaspersky, legitimate clients may be unable to send e-mail through the server.

The infinite loop being executed consists of a short sequence of instructions, which results in maximum CPU usage. On a client desktop, the infinite loop will render the machine nearly unusable. On a server, it severely degrades the quality of service of other applications running.

DETECTION

iDefense has confirmed the existence of this vulnerability in Kaspersky Labs Antivirus Engine version 6.0.1.411 for Windows and 5.5-10 for Linux. Previous versions may also be affected. Any products that use the scanning engine are also affected, which includes the Kaspersky e-mail gateway scanner.

WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VENDOR RESPONSE

Kaspersky Lab reports that it has fixed this vulnerability as of February 7th, 2007. In addition, they stated the following.

"There is no need to download any special patches. All installed Kaspersky Lab products are updated automatically through the regular signature-update functionality. There is no need to contact Kaspersky Lab to obtain this fix."

DISCLOSURE TIMELINE

01/24/2007 Initial vendor notification
03/01/2007 Initial vendor response
03/02/2007 Coordinated public disclosure

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=485
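
The iDefense description above, a negative data offset making the decompressor process the same chunk endlessly, is a loop-termination defect rather than a memory-corruption one, and the defensive pattern is the same for any self-describing format that chains records by offset. The following is an added example, not Kaspersky's or iDefense's code and not the real UPX format: a walker over a toy chunk chain (constructed here as a 4-byte little-endian payload size followed by a 4-byte signed offset to the next header) that refuses any step which does not move strictly forward past the current chunk, rejects headers or payloads outside the buffer, and caps the number of iterations. The names walk_chunks, put_hdr and rd_u32le are assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy header: size (u32 LE), then next (i32 LE) = offset from this header
   to the following header; 0 marks the last chunk. Constructed for this
   example only. */
#define HDR_LEN 8

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write a header; used only to build sample chains. */
static void put_hdr(uint8_t *p, uint32_t size, int32_t next)
{
    uint32_t u = (uint32_t)next;
    for (int i = 0; i < 4; i++) {
        p[i] = (uint8_t)(size >> (8 * i));
        p[4 + i] = (uint8_t)(u >> (8 * i));
    }
}

/* Follow the chain. Returns the number of chunks visited, or -1 if the chain
   is malformed. Termination is guaranteed by three independent checks:
   every header and payload must lie inside the buffer, each step must land
   strictly beyond the current chunk's header and payload, and the walk stops
   after max_chunks regardless of what the data says. */
int walk_chunks(const uint8_t *buf, size_t buflen, int max_chunks, size_t *total_payload)
{
    size_t pos = 0, payload = 0;
    int n = 0;

    for (;;) {
        if (n >= max_chunks)                        /* hard bound on iterations */
            return -1;
        if (pos > buflen || buflen - pos < HDR_LEN) /* header must be complete */
            return -1;
        uint32_t size = rd_u32le(buf + pos);
        int32_t next = (int32_t)rd_u32le(buf + pos + 4);
        if (size > buflen - pos - HDR_LEN)          /* payload past end of buffer */
            return -1;
        payload += size;
        n++;
        if (next == 0)                              /* last chunk */
            break;
        /* A zero or negative offset, the condition described in the advisory,
           would revisit this header forever. Require strict forward progress
           beyond this chunk's header and payload. */
        if (next <= 0 || (size_t)next < HDR_LEN + (size_t)size)
            return -1;
        if ((size_t)next > buflen - pos)            /* next header past end */
            return -1;
        pos += (size_t)next;
    }
    if (total_payload)
        *total_payload = payload;
    return n;
}

int main(void)
{
    uint8_t chain[32];
    size_t total = 0;
    memset(chain, 0, sizeof chain);
    put_hdr(chain, 4, 12);          /* chunk 0: 4-byte payload, next header at 12 */
    put_hdr(chain + 12, 8, 0);      /* chunk 1: 8-byte payload, last */
    printf("well-formed chain: %d chunks, %zu payload bytes\n",
           walk_chunks(chain, sizeof chain, 16, &total), total);

    put_hdr(chain + 12, 8, -12);    /* second header now points back to the first */
    printf("backward-pointing chain: %d\n", walk_chunks(chain, sizeof chain, 16, &total));
    return 0;
}
```

The iteration cap is deliberately kept even though the forward-progress check alone already guarantees termination: a gateway scanner that processes untrusted attachments wants a cheap, format-independent ceiling on work per object as a second line of defence.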