*************************************************************************

         @RISK: The Consensus Security Vulnerability Alert

August 14, 2008                                           Vol. 7. Week 33

*************************************************************************

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

 

Summary of Updates and Vulnerabilities in this Consensus

Platform                        Number of Updates and Vulnerabilities

------------------------        -------------------------------------

Windows                                        6 (#1, #2, #8)

Microsoft Office                              12 (#3, #4, #5, #6, #7)

Other Microsoft Products                       6 (#12)

Third Party Windows Apps                       4 (#9, #11)

Linux                                          3

HP-UX                                          2

Solaris                                        3

Cross Platform                                11 (#10)

Web Application - Cross Site Scripting        10

Web Application - SQL Injection               14

Web Application                               20

Network Device                                 5

 
*************************************************************************

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

(1) CRITICAL: Microsoft Color Management System Remote Code Execution (MS08-046)

(2) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS08-045)

(3) CRITICAL: Microsoft Access Snapshot Viewer ActiveX Control Remote Code Execution (MS08-041)

(4) CRITICAL: Microsoft Excel Multiple Vulnerabilities (MS08-043)

(5) CRITICAL: Microsoft PowerPoint Multiple Vulnerabilities (MS08-051)

(6) CRITICAL: Microsoft Office Filters Multiple Vulnerabilities (MS08-044)

(7) CRITICAL: Microsoft Word Remote Code Execution Vulnerability (MS08-042)

(8) HIGH: Microsoft Windows Event System Multiple Vulnerabilities (MS08-049)

(9) HIGH: WebEx Meeting Manager ActiveX Control Buffer Overflow

(10) HIGH: BitTorrent and uTorrent Torrent File Processing Buffer Overflow

(11) HIGH: Maxthon Browser Content-Type Handling Buffer Overflow

(12) LOW: Microsoft Windows Messenger Information Disclosure (MS08-050)

 

*************************************************************************

 

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

-- Windows

08.33.1  - Microsoft Windows "NSlookup.exe" Unspecified Remote Code Execution

08.33.2  - Microsoft Windows Messenger ActiveX Control Information Disclosure

08.33.3  - Microsoft Windows Event System User Subscription Request Remote Code Execution

08.33.4  - Microsoft Windows Event System Array Index Verification Remote Code Execution

08.33.5  - Microsoft Windows Image Color Management Remote Code Execution

08.33.6  - Microsoft Windows IPsec Information Disclosure

-- Microsoft Office

08.33.7  - Microsoft PowerPoint Picture Index Remote Code Execution

08.33.8  - Microsoft PowerPoint Picture Index Variant Remote Code Execution

08.33.9  - Microsoft PowerPoint List Value Parsing Remote Code Execution

08.33.10 - Microsoft Office Malformed EPS Filter Remote Code Execution

08.33.11 - Microsoft Office Malformed PICT Filter Remote Code Execution

08.33.12 - Microsoft Office PICT Filter Parsing Remote Code Execution

08.33.13 - Microsoft Office Malformed BMP Filter Remote Code Execution

08.33.14 - Microsoft Office WPG Image File Remote Code Execution

08.33.15 - Microsoft Excel Indexing Validation Remote Code Execution

08.33.16 - Microsoft Excel Index Array Remote Code Execution

08.33.17 - Microsoft Excel Record Parsing Remote Code Execution

08.33.18 - Microsoft Excel Credential Caching

-- Other Microsoft Products

08.33.19 - Microsoft Outlook Express And Windows Mail MHTML Handler Information Disclosure

08.33.20 - Microsoft Internet Explorer HTML Objects Variant Memory Corruption

08.33.21 - Microsoft Internet Explorer Uninitialized Memory Corruption

08.33.22 - Microsoft Internet Explorer HTML Component Handling Memory Corruption

08.33.23 - Microsoft Internet Explorer HTML Objects Memory Corruption

08.33.24 - Microsoft Internet Explorer HTML Object Memory Corruption

-- Third Party Windows Apps

08.33.25 - Maxthon Browser Content-Type Buffer Overflow

08.33.26 - JComSoft "AniGIF.ocx" ReadGIF and ReadGIF2 Methods ActiveX Buffer Overflow Vulnerabilities

08.33.27 - WebEx Meeting Manager "atucfobj.dll" ActiveX Control Remote Buffer Overflow

08.33.28 - uTorrent and BitTorrent File Handling Remote Buffer Overflow

-- Linux

08.33.29 - Linux Kernel UBIFS Orphan Inode Local Denial of Service

08.33.30 - IPsec-Tools Remote Denial of Service

08.33.31 - Amarok "MagnatuneBrowser::listDownloadComplete()" Insecure Temporary File Creation

-- HP-UX

08.33.32 - HP-UX "libc" Unspecified Remote Denial of Service

08.33.33 - HP-UX "ftpd" Unspecified Remote Privilege Escalation

-- Solaris

08.33.34 - Sun Solaris Trusted Extensions Labeled Networking Security Bypass

08.33.35 - Sun Solaris "pthread_mutex_reltimedlock_np(3C)" API Local Denial of Service

08.33.36 - Sun Solaris "sendfilev()" Local Denial of Service

-- Cross Platform

08.33.37 - QEMU Security Bypass

08.33.38 - OpenVMS Finger Service Stack-Based Buffer Overflow

08.33.39 - Sun Java Micro Edition (ME) Multiple Unspecified Security-Bypass Vulnerabilities

08.33.40 - PowerDNS Malformed Query Handling Weakness

08.33.41 - Apache Tomcat UTF-8 Directory Traversal

08.33.42 - Ruby Multiple Security Bypass and Denial of Service Vulnerabilities

08.33.43 - Xen Para Virtualized Frame Buffer 'ioemu' Frontend Frame Buffer Denial of Service

08.33.44 - Vim "mch_expand_wildcards()" Heap-Based Buffer Overflow

08.33.45 - PHP Multiple Buffer Overflow Vulnerabilities

08.33.46 - SOURCENEXT Virus Security and Virus Security ZERO Unspecified Denial of Service

08.33.47 - VMWare VirtualCenter User Account Information Disclosure

-- Web Application - Cross Site Scripting

08.33.48 - Yogurt Social Network "uid" Parameter Multiple Cross-Site Scripting Vulnerabilities

08.33.49 - RMSOFT Downloads Plus Multiple Cross-Site Scripting Vulnerabilities

08.33.50 - Adobe Presenter Multiple Cross Site Scripting Vulnerabilities

08.33.51 - Google Notebook and Google Bookmarks Multiple Unspecified Cross-Site Scripting Vulnerabilities

08.33.52 - Kshop "kshop_search.php" Cross-Site Scripting

08.33.53 - KAPhotoservice Multiple Cross-Site Scripting Vulnerabilities

08.33.54 - Quate CMS Multiple Cross-Site Scripting Vulnerabilities

08.33.55 - Domain Group Network GooCMS "index.php" Cross-Site Scripting

08.33.56 - Datafeed Studio "search.php" Cross-Site Scripting

08.33.57 - IDevSpot PhpLinkExchange "index.php" Multiple Cross-Site Scripting Vulnerabilities

-- Web Application - SQL Injection

08.33.58 - e107 CMS "download.php" SQL Injection

08.33.59 - Discuz! "index.php" SQL Injection

08.33.60 - LiteNews "index.php" SQL Injection

08.33.61 - PHP-Nuke Kleinanzeigen Module "lid" Parameter SQL Injection

08.33.62 - Quicksilver Forums "index.php" SQL Injection

08.33.63 - Vacation Rental Script "index.php" SQL Injection

08.33.64 - Battle.net Clan Script "index.php" Multiple SQL Injection Vulnerabilities

08.33.65 - ZeeScripts ZeeBuddy "bannerclick.php" SQL Injection

08.33.66 - psipuss Multiple SQL Injection Vulnerabilities

08.33.67 - OpenImpro "image.php" SQL Injection

08.33.68 - Ovidentia "index.php" SQL Injection

08.33.69 - IceBB "index.php" SQL Injection

08.33.70 - bBlog "builtin.help.php" SQL Injection

08.33.71 - Joomla! "com_user" Component SQL Injection

-- Web Application

08.33.72 - RMSOFT MiniShop "search.php" Multiple Cross-Site Scripting Vulnerabilities

08.33.73 - Yogurt Social Network Scrapbook HTML Injection

08.33.74 - Contenido Multiple Unspecified Remote File Include Vulnerabilities

08.33.75 - Free Hosting Manager Administrator Cookie Authentication Bypass

08.33.76 - IntelliTamper HTML "Location" Header Parsing Buffer Overflow

08.33.77 - PHP-Ring Administrator Cookie Authentication Bypass

08.33.78 - txtSQL "startup.php" Remote File Include

08.33.79 - pPIM Multiple Remote Vulnerabilities

08.33.80 - LoveCMS Multiple Security Bypass Vulnerabilities

08.33.81 - Gallery Multiple Remote Vulnerabilities

08.33.82 - Chupix CMS Contact Module "index.php" Multiple Local File Include Vulnerabilities

08.33.83 - phpKF-Portal Multiple Local File Include Vulnerabilities

08.33.84 - com_uchat component Mambo and Joomla! Component Multiple Remote File Include Vulnerabilities

08.33.85 - Multiple WebmasterSite Products Remote Command Execution

08.33.86 - DD-WRT Site Survey SSID Script Injection

08.33.87 - Linkspider Multiple Remote File Include Vulnerabilities

08.33.88 - Harmoni "Username" Field HTML Injection

08.33.89 - Kayako SupportSuite Multiple Input Validation Vulnerabilities

08.33.90 - Datafeed Studio "patch.php" Remote File Include

08.33.91 - Bugzilla "--attach_path" Directory Traversal

-- Network Device

08.33.92 - Nokia Series 40 Multiple Unspecified Unauthorized Access Vulnerabilities

08.33.93 - McAfee Encrypted USB Manager Remote Security Bypass

08.33.94 - Computer Associates "kmxfw.sys" Local Code Execution and Remote Denial of Service Vulnerabilities

08.33.95 - Alcatel-Lucent OmniSwitch Products HTTP Header Remote Buffer Overflow

08.33.96 - NXP Semiconductors MIFARE Classic Smartcard Multiple Unspecified Security Vulnerabilities

 

______________________________________________________________________

 

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

 

*****************************

Widely Deployed Software

*****************************

 

(1) CRITICAL: Microsoft Color Management System Remote Code Execution (MS08-046)

Affected:

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003

 

Description: The Microsoft Color Management System (CMS) is a component of the Windows operating system that parses International Color Consortium (ICC) color profiles embedded in image files; these profiles are used to ensure consistent color across displays and platforms. CMS contains a heap-based buffer overflow vulnerability in its parsing of this profile information. A specially crafted image file embedded in a web page or other document, or otherwise opened by a user, could trigger this buffer overflow. Successfully exploiting this buffer overflow would allow an attacker to execute arbitrary code with the privileges of the current user. Some technical details are publicly available for this vulnerability.

 

Status: Vendor confirmed, updates available.

 

References:

Microsoft Security Bulletin

http://www.microsoft.com/technet/security/bulletin/MS08-046.mspx

iDefense Security Advisory

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=742

International Color Consortium Home Page

http://www.color.org/index.xalter

SecurityFocus BID

http://www.securityfocus.com/bid/30594

 

*******************************************************

 

(2) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS08-045)

Affected:

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003

Microsoft Windows Vista

Microsoft Windows Server 2008

 

Description: Microsoft Internet Explorer contains multiple vulnerabilities in its handling of HTML objects. A specially crafted web page could trigger one of these vulnerabilities using specially crafted HTML or scripts. Successfully exploiting one of these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the current user. Some technical details are publicly available for some of these vulnerabilities.

 

Status: Vendor confirmed, updates available.

 

References:

Zero Day Initiative Advisories

http://zerodayinitiative.com/advisories/ZDI-08-051/

http://zerodayinitiative.com/advisories/ZDI-08-050/

Microsoft Security Bulletin

http://www.microsoft.com/technet/security/Bulletin/MS08-045.mspx

SecurityFocus BIDs

http://www.securityfocus.com/bid/30614

http://www.securityfocus.com/bid/30611

http://www.securityfocus.com/bid/30613

http://www.securityfocus.com/bid/30610

 

*******************************************************

 

(3) CRITICAL: Microsoft Access Snapshot Viewer ActiveX Control Remote Code Execution (MS08-041)

Affected:

Snapshot Viewer for Microsoft Access

Microsoft Office 2000

Microsoft Office XP

Microsoft Office 2003

 

Description: The Snapshot Viewer for Microsoft Access provides some of its functionality via an ActiveX control. This control contains a flaw in its handling of user input. A malicious web page that instantiates this control could trigger this flaw. Successfully exploiting this flaw would allow an attacker to execute arbitrary code with the privileges of the current user. Proof-of-concept code for this vulnerability is publicly available, and it is believed that this vulnerability is being actively exploited in the wild. This vulnerability was disclosed prior to the Microsoft advisory and was discussed in a previous edition of @RISK.

 

Status: Vendor confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the affected control via Microsoft's "kill bit" mechanism using CLSIDs "F0E42D50-368C-11D0-AD81-00A0C90DC8D9", "F0E42D60-368C-11D0-AD81-00A0C90DC8D9", and "F2175210-368C-11D0-AD81-00A0C90DC8D9". Note that this may affect normal application functionality.
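The following PowerShell script is an added example, not part of the @RISK bulletin or of Microsoft's guidance text: it sets the Internet Explorer "kill bit" for the three CLSIDs listed above and then verifies each one. It assumes an elevated session on an affected Windows system and uses the documented kill-bit registry location (the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with bit 0x400 meaning "do not instantiate"); the function names and the choice to OR the bit into any existing flags are this example's own.

```powershell
# Added example (not from the bulletin): apply the IE kill bit to the
# Snapshot Viewer CLSIDs named in MS08-041 and confirm the result.
# Run from an elevated PowerShell session.
$KillBit = 0x400   # bit 10 of "Compatibility Flags" = kill bit
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Clsids  = @(
    '{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}',
    '{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}',
    '{F2175210-368C-11D0-AD81-00A0C90DC8D9}'
)

function Set-KillBit {
    param([string]$Clsid)
    $Key = Join-Path $Base $Clsid
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Keep any flags already present and OR in the kill bit.
    $Existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $New = [int]$Existing -bor $KillBit
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $New -Force | Out-Null
}

function Test-KillBit {
    param([string]$Clsid)
    $Key = Join-Path $Base $Clsid
    $Flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$Flags -band $KillBit) -eq $KillBit)
}

foreach ($c in $Clsids) {
    Set-KillBit -Clsid $c
    $state = if (Test-KillBit -Clsid $c) { 'kill bit set' } else { 'kill bit NOT set' }
    Write-Output "$c : $state"
}
```

On 64-bit Windows, 32-bit Internet Explorer reads the same key under the Wow6432Node branch, so a complete rollout applies the change there as well. As the bulletin notes, the kill bit prevents the control from loading at all, so Snapshot Viewer functionality will stop working until the vendor update is installed and the bit is removed.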

 

References:

Microsoft Security Bulletin

http://www.microsoft.com/technet/security/bulletin/ms08-041.mspx

Proof-of-Concept

http://pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html

Previous @RISK Entry

https://www.sans.org/newsletters/risk/display.php?v=7&i=28#widely1

SecurityFocus BID

http://www.securityfocus.com/bid/30114

 

*******************************************************

 

(4) CRITICAL: Microsoft Excel Multiple Vulnerabilities (MS08-043)

Affected:

Microsoft Office 2000

Microsoft Office XP

Microsoft Office 2003

Microsoft Office 2007

Microsoft Office Excel Viewer 2003

Microsoft Office Excel SharePoint

Microsoft Office 2004 for Mac

Microsoft Office 2008 for Mac

 

Description: Microsoft Excel contains multiple vulnerabilities in its parsing of Excel documents. A specially crafted Excel file could trigger one of these vulnerabilities. Successfully exploiting these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the current user or gain access to otherwise secure remote data sources. Note that, on recent versions of Microsoft Office, documents are not opened upon receipt without first prompting the user. Some technical details are publicly available for these vulnerabilities.

 

Status: Vendor confirmed, updates available.

 

References:

Microsoft Security Bulletin

http://www.microsoft.com/technet/security/bulletin/ms08-043.mspx

Zero Day Initiative Advisory

http://zerodayinitiative.com/advisories/ZDI-08-048/

iDefense Advisory

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=740

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=741

SecurityFocus BIDs

http://www.securityfocus.com/bid/30641

http://www.securityfocus.com/bid/30639

http://www.securityfocus.com/bid/30640

 

*******************************************************