Spyware, Viruses, & Security forum

Vulnerabilities - September 29, 2004

by Donna Buenaventura / September 29, 2004 12:29 AM PDT

RealOne Player / RealPlayer / Helix Player Multiple Vulnerabilities

Release Date: 2004-09-29

Critical: Highly critical
Impact: Manipulation of data, System access

Where: From remote

Solution Status: Vendor Patch

Software: Helix Player 1.x
RealOne Player v1
RealOne Player v2
RealPlayer 10
RealPlayer 8
RealPlayer Enterprise

Multiple vulnerabilities have been reported in RealOne Player, RealPlayer, and Helix Player, which can be exploited by malicious people to compromise a user's system and delete files.

1) An unspecified error when running local RM files can potentially be exploited to execute arbitrary code.

The vulnerability has been reported in:
* RealPlayer 8 / 10 / 10.5 Beta (6.0.12.1016) / 10.5 (6.0.12.1040) / Enterprise on Windows
* RealOne Player v1, v2 on Windows
* Mac RealPlayer 10 Beta and Mac RealOne Player
* Linux RealPlayer 10 and Helix Player on Linux

2) A problem with malformed calls can be exploited to execute arbitrary code by embedding the player on a malicious website and making specially crafted calls.

The vulnerability has been reported in RealPlayer 10 / 10.5 Beta (6.0.12.1016) / 10.5 (6.0.12.1040) and RealOne Player v1, v2 on Windows.

3) An unspecified error allows malicious websites and media files to delete arbitrary local files.

The vulnerability has been reported in RealPlayer 10 / 10.5 Beta (6.0.12.1016) / 10.5 (6.0.12.1040) and RealOne Player v1, v2 on Windows.

Solution:
Apply updates (see the original vendor advisory).

http://secunia.com/advisories/12672/

Computer Associates Unicenter Common Services Password Disclosure
by Donna Buenaventura / September 29, 2004 12:31 AM PDT

Release Date: 2004-09-29

Critical: Less critical
Impact: Exposure of sensitive information

Where: Local system

Solution Status: Vendor Patch

Software: CA Common Services 3.x
CA Unicenter Network and Systems Management 3.x
CA Unicenter ServicePlus Service Desk 6.x

A security issue has been reported in Computer Associates Unicenter Common Services, which may disclose sensitive information to malicious, local users.

The problem is that the "SA" database password is stored in plain text in the following files during installation of Common Services:
* TndAddNsp.bat
* TndAddNspTmp.bat
* litestore.dat

Solution:
Apply QO58447 and follow the post-install steps provided by the vendor.

Provided and/or discovered by:
Reported by vendor.

Microsoft SQL Server Can Be Crashed By Remote Users Sending a Specially Crafted Large Buffer
by Donna Buenaventura / September 29, 2004 12:33 AM PDT

SecurityTracker URL: http://securitytracker.com/id?1011434
Date: Sep 28 2004
Impact: Denial of service via network
Exploit Included: Yes
Version(s): 7.0 SP3 and prior

Description: securma massine reported a denial of service vulnerability in Microsoft SQL Server 7.0. A remote user can cause the target database service to crash.

It is reported that a remote user can supply a large buffer with specially crafted data to cause the 'mssqlserver' service to crash.

Impact: A remote user can cause the database service to stop.

Solution: No solution was available at the time of this entry.

JPEG "Virus" Facts
by Donna Buenaventura / September 29, 2004 12:37 AM PDT

by LURHQ Threat Intelligence Group

URL
http://www.lurhq.com/jpegvirus.html

Release Date
September 28, 2004

***JPEG "Virus" Facts***

A great deal of attention is being paid to a supposed "JPEG virus" discovered in a couple of Usenet postings. Because many people are still not familiar with the workings of the current MS04-028 exploits, much misinformation is being spread in public forums. This advisory is being sent to clear up the facts surrounding this posted JPEG exploit. If you have been following Threat #49 in the LURHQ Sherlock Enterprise Security Portal (MS04-028 Jpeg Comment Buffer Overflow Analysis), you may already be aware of most of this information.

Here are the simple details of this incident:

- It's not a virus. The posted JPEG is actually a trojan downloader. It has no ability to spread on its own.

- It only affects users with Windows XP Service Pack 1.

- It does not automatically execute on reading the message. The JPEG must be saved into a local folder, then the mouse pointer must be moved over the JPEG file's icon.

- The file is detected by all major antivirus engines with current virus definition files. Because of the nature of the JPEG format, it is impossible to disguise an infected JPEG file. So current signatures should detect ALL future attempts to exploit this vulnerability.

Read more of the "facts" at http://www.lurhq.com/jpegvirus.html
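
Added example (not part of the original post or the LURHQ advisory): a structural check of the kind a signature for the MS04-028 comment overflow can rely on, walking a JPEG's marker segments and flagging any whose 2-byte length field is below 2. The "length below 2" condition comes from public descriptions of MS04-028 rather than from this post; it is applied here to every segment type, not only comments, and the function name and sample bytes are constructed for illustration.

```python
import struct

COM, SOS, EOI = 0xFE, 0xDA, 0xD9
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-RST7 carry no length field


def scan_jpeg(data: bytes):
    """Walk the marker segments; return [(offset, marker, length)] where length < 2."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG stream")
    findings, pos = [], 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            break
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):     # truncated before the length field
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            # The length counts its own two bytes, so 0 and 1 are never valid.
            findings.append((pos, marker, length))
            break                   # segment boundaries cannot be trusted past here
        if marker == SOS:           # entropy-coded data follows; stop walking
            break
        pos += 2 + length
    return findings


# Constructed samples: a JFIF header, then a comment segment, then EOI.
HEAD = b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN = HEAD + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
MALFORMED = HEAD + b"\xff\xfe" + struct.pack(">H", 0) + b"\xff\xd9"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        hits = scan_jpeg(sample)
        for off, marker, length in hits:
            kind = "COM" if marker == COM else f"0x{marker:02X}"
            print(f"{name}: {kind} segment at offset {off} declares length {length}")
        if not hits:
            print(f"{name}: no undersized segment lengths")
```

The walk stops at the first undersized length or at start-of-scan, so it inspects only the header segments and never decodes image data.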

