[#] Fri Jul 08 2005 17:31:52 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-189A -- Targeted Trojan Email Attacks


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Targeted Trojan Email Attacks

Original release date: July 08, 2005
Last revised: --
Source: US-CERT


Overview

The United States Computer Emergency Readiness Team (US-CERT) has
received reports of an email-based technique for spreading trojan
horse programs. A trojan horse is an attack method by which malicious
or harmful code is contained inside apparently harmless files. Once
opened, the malicious code can collect unauthorized information that
can be exploited for various purposes, or permit computers to be used
surreptitiously for other malicious activity. The emails are sent to
specific individuals rather than the random distributions associated
with a phishing attack or other trojan activity. (Phishing is the act
of sending an email to a user falsely claiming to be an established
legitimate enterprise in an attempt to scam the user into surrendering
private information that can be used for identity theft.) These
attacks appear to target US information for exfiltration. This alert
seeks to raise awareness of this kind of attack, highlight the
important need for government and critical infrastructure systems
owners and operators to take appropriate measures to protect their
data, and provide guidance on proper protective measures.


Description

There are two distinct elements that make this attack technique
significant. First, the trojans can elude conventional protective
measures such as anti-virus software and firewalls, both key measures
in protecting the US Critical Infrastructure networks. A number of
open source and tailored trojans, altered to avoid anti-virus
detection, have been used. Trojan capabilities suggest that
exfiltration of data is a fundamental goal. Second, the emails are
sent to specific or targeted recipients. Unlike "phishing" attacks,
the emails use social engineering to appear credible, with subject
lines often referring to work or other subjects that the recipient
would find relevant. The emails containing the trojanized attachments,
or links to websites hosting trojanized files, are spoofed, making them
appear to come from a colleague or reliable party. The email
attachments exploit known vulnerabilities to install a trojan on the
user's computer. When opened, the file or link installs the trojan.
Trojans can be configured to transmit information to a remote attacker
using ports assigned to a common service (e.g., TCP port 80, which is
assigned to Web traffic) and thereby defeat firewalls. Once the
trojanized attachment is opened, a remote attacker can then perform
the following functions:

* Collection of usernames and passwords for email accounts
* Collection of critical system information and scanning of network
drives
* Use of infected machine to compromise other machines and networks
* Downloading of further programs (e.g., worms, more advanced
trojans)
* Uploading of documents and data to a remote computer

US-CERT is working with other computer emergency response teams
worldwide to address these types of attacks.


Suggested Actions

Due to the targeted distribution of trojans spread in this way and the
possibility of communication with remote attackers using ports
assigned to common services, detection of this activity is
problematic. US-CERT advises that system administrators take the
following actions:

* Educate users to use an anti-virus scanner on all email
attachments.
* Maintain and update anti-virus software and signatures to detect
malware that may be associated with this attack.
* Block executable and/or suspect attachment types at email gateway
or block the download of executable content via HTTP.
* Investigate anomalous slow-running machines, looking for unknown
processes or unexpected Internet connections, as this may be an
indication of malicious programs operating in the background.
Encourage reporting and full investigation of such behavior.
* Update operating system and application software to patch
vulnerabilities exploited in the past by these Trojans.
* Implement spam filtering to guard against infrastructures (e.g.,
dial-ups, open proxies and open relays) commonly used by the
attackers.
* As Microsoft Office vulnerabilities have been targeted and
exploited, ensure that Microsoft security bulletins are followed.

Microsoft Security Bulletins Search
http://www.microsoft.com/technet/security/current.aspx

* Turn off 'Preview Pane' functionality in email clients and set the
default options to view opened emails as plain text
* Examine firewall logs of critical systems, or networks used for
processing sensitive information, for connections to or from
anomalous IP addresses.
* Consider traffic analysis to identify any compromised computers
that are exfiltrating files. Data on the size and times of HTTP
transactions or TCP port 80 flows may help detect exfiltration by
highlighting connections where the data volume sent is far greater
than that received from the remote server or when data is being
sent at times outside of normal working hours.
* Analyze log files to determine whether the attackers are spoofing
your domain.
* Consider implementing IP address lists of outbound Internet
connections, denying access except from address ranges relevant to
your business activities, such as a "default deny" policy. This
provides some protection against computers in third countries
being used by attackers to control trojans.

Incidents or suspected malicious activity of this nature, as well as
all cyber security incidents affecting the US Critical Infrastructure
should be reported to the United States Computer Emergency Readiness
Team (US-CERT) via email to soc@us-cert.gov or by telephone (703)
235-5110.


Vendor Product Names

The following anti-virus product names are associated with known
trojans used in the attacks since January 2005.

McAfee
<http://www.mcafee.com>

* Backdoor-BCB
* BackDoor-CPY!chm
* Backdoor-TW
* Downloader-WY
* Exploit-1Table
* JS/BackDoor-CPY
* MultiDropper-MR
* Proxy-Sysgam
* Pusno
* StartPage-DH.dll

Sophos
<http://www.sophos.com>

* Troj/Agent-BX
* Troj/Agent-T
* Troj/DDrop-A
* Troj/Dloader-KF
* Troj/Dloader-KZ
* Troj/Lecna-C
* Troj/Nethief-M
* Troj/Nethief-N
* Troj/Nethief-O
* Troj/Netter-A
* Troj/Riler-E
* Troj/Riler-F
* Troj/Riler-J
* Troj/RPE-A
* Troj/Sharp-F
* Troj/VBDrop-A
* WM97/Loof-D

Symantec
<http://www.symantec.com>

* Trojan.Dropper
* Trojan.Mdropper.B
* Trojan.Riler.C

Trend Micro
<http://www.trendmicro.com>

* BKDR_NETHIEF.L
* BKDR_NETHIEF.R
* BKDR_NETHIEF.S
* BKDR_TUIMER.A
* TROJ_AGENT.KZ
* TROJ_SHARP.C
* TROJ_WINBLUE.A
* W2KM_PASSPRO.A
* W2KM_PASSPRO.C
* W2KM_PASSPRO.E
_________________________________________________________________

Feedback can be directed to US-CERT at soc@us-cert.gov
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

This document is available online.

<http://www.us-cert.gov/cas/techalerts/TA05-189A.html>

Terms of use

<http://www.us-cert.gov/legal.html>

Revision History
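
The traffic-analysis suggestion in TA05-189A above (flag TCP port 80 connections where far more data is sent than received, or where data is sent outside working hours) can be run over flow records as follows. This is an added example, not part of the US-CERT alert; the flow records are constructed, and the thresholds, working hours and function names are assumptions to tune per site.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real traffic); remote addresses are
# from documentation ranges. bytes_out = sent by the internal host.
SAMPLE_FLOWS = """\
start,src,dst,dport,bytes_out,bytes_in
2005-07-06T10:14:02,10.0.0.21,192.0.2.10,80,1840,96210
2005-07-06T10:15:40,10.0.0.21,192.0.2.10,80,2210,143902
2005-07-06T11:02:13,10.0.0.34,198.51.100.7,80,5242880,3120
2005-07-06T11:09:55,10.0.0.34,198.51.100.7,80,7340032,2890
2005-07-07T02:41:18,10.0.0.52,203.0.113.99,80,412000,1500
2005-07-07T14:20:00,10.0.0.52,192.0.2.10,80,900,52000
2005-07-07T03:05:00,10.0.0.60,192.0.2.10,80,700,41000
"""

# Assumed thresholds, not values from the alert.
RATIO_THRESHOLD = 10        # sent must exceed 10x received
MIN_BYTES_OUT = 100_000     # ignore small uploads (form posts, cookies)
WORK_START, WORK_END = 7, 19  # local working hours, Monday to Friday


def is_off_hours(ts):
    """True on weekends or outside the assumed working hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def find_exfil_candidates(flow_csv, ports=(80,)):
    """Aggregate flows per (src, dst) and return the pairs worth a look."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "off_out": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dport"]) not in ports:
            continue
        ts = datetime.fromisoformat(row["start"])
        pair = totals[(row["src"], row["dst"])]
        pair["out"] += int(row["bytes_out"])
        pair["in"] += int(row["bytes_in"])
        if is_off_hours(ts):
            pair["off_out"] += int(row["bytes_out"])

    findings = []
    for (src, dst), t in totals.items():
        reasons = []
        # Normal browsing downloads far more than it uploads; the reverse
        # on a web port is the pattern the alert describes.
        if t["out"] >= MIN_BYTES_OUT and t["out"] > RATIO_THRESHOLD * max(t["in"], 1):
            reasons.append("upload_heavy")
        # Off-hours traffic alone is common (updates, pollers); require a
        # meaningful upload volume before flagging it.
        if t["off_out"] >= MIN_BYTES_OUT:
            reasons.append("off_hours_upload")
        if reasons:
            findings.append({"src": src, "dst": dst, "bytes_out": t["out"],
                             "bytes_in": t["in"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_FLOWS):
        print(f["src"], "->", f["dst"], f["bytes_out"], f["bytes_in"], f["reasons"])
```
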

[#] Tue Jul 12 2005 18:22:40 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-193A -- Microsoft Windows, Internet Explorer, and Word Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA05-193A

Microsoft Windows, Internet Explorer, and Word Vulnerabilities

Original release date: July 12, 2005
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Office
* Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security
Bulletin Summary for July, 2005.


Overview

Microsoft has released updates that address critical vulnerabilities
in Windows, Office, and Internet Explorer. Exploitation of these
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code on an affected system.


I. Description

Microsoft Security Bulletins for July, 2005 address vulnerabilities in
Windows, Office, and Internet Explorer. Further information is
available in the following Vulnerability Notes:


VU#218621 - Microsoft Word buffer overflow in font processing routine

A buffer overflow in the font processing routine of Microsoft Word may
allow a remote attacker to execute code on a vulnerable system.
(CAN-2005-0564)


VU#720742 - Microsoft Color Management Module buffer overflow during
profile tag validation

Microsoft Color Management Module fails to properly validate input
data, allowing a remote attacker to execute arbitrary code.
(CAN-2005-1219)


VU#939605 - JVIEW Profiler (javaprxy.dll) COM object contains an
unspecified vulnerability

The JVIEW Profiler COM object contains an unspecified vulnerability,
which may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CAN-2005-2087)


II. Impact

Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code with the privileges
of the user. If the user is logged on with administrative privileges,
the attacker could take control of an affected system.


III. Solution

Apply Updates

Microsoft has provided the updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.

Workarounds

Please see the individual Vulnerability Notes for workarounds.


Appendix A. References

* Microsoft Security Bulletin Summary for July, 2005
<http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx>

* US-CERT Vulnerability Note VU#218621
<http://www.kb.cert.org/vuls/id/218621>

* US-CERT Vulnerability Note VU#720742
<http://www.kb.cert.org/vuls/id/720742>

* US-CERT Vulnerability Note VU#939605
<http://www.kb.cert.org/vuls/id/939605>

* CAN-2005-0564
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0564>

* CAN-2005-1219
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1219>

* CAN-2005-2087
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2087>

* Microsoft Update
<http://update.microsoft.com/>

* Microsoft Update Overview
<http://www.microsoft.com/technet/prodtechnol/microsoftupdate/default.mspx>

_________________________________________________________________

Feedback can be directed to the US-CERT Technical Staff.

Please send mail to cert@cert.org with the subject:

"TA05-193A Feedback VU#720742"
_________________________________________________________________

This document is available at

<http://www.us-cert.gov/cas/techalerts/TA05-193A.html>
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.
_________________________________________________________________

Terms of use

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

July 12, 2005: Initial release

Last updated July 12, 2005

[#] Wed Jul 13 2005 16:28:48 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-194A -- Oracle Products Contain Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA05-194A

Oracle Products Contain Multiple Vulnerabilities

Original release date: July 13, 2005
Last revised: --
Source: US-CERT


Systems Affected

According to Oracle Critical Patch Update - July 2005:

* Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3,
10.1.0.4

* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6

* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5,
9.0.1.5 FIPS

* Oracle8i Database Server Release 3, version 8.1.7.4

* Oracle8 Database Release 8.0.6, version 8.0.6.3

* Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2,
10.1.0.3

* Oracle Enterprise Manager 10g Database Control, versions 10.1.0.2,
10.1.0.3, 10.1.0.4

* Oracle Enterprise Manager Application Server Control, versions
9.0.4.0, 9.0.4.1

* Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1

* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1

* Oracle9i Application Server Release 1, version 1.0.2.2

* Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2

* Oracle E-Business Suite and Applications Release 11i, versions
11.5.1 through 11.5.10

* Oracle E-Business Suite and Applications Release 11.0

* Oracle Workflow, versions 11.5.1 through 11.5.9.5

* Oracle Forms and Reports, versions 4.5.10.22, 6.0.8.25

* Oracle JInitiator, versions 1.1.8, 1.3.1

* Oracle Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5,
10.1.2

* Oracle Express Server, version 6.3.4.0


Overview

Various Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include
unauthenticated, remote code execution, information disclosure, and
denial of service.


I. Description

Oracle released a Critical Patch Update in July 2005 that addresses
more than forty vulnerabilities in different Oracle products and
components. The Critical Patch Update provides information about which
components are affected, what access and authorization are required,
and how data confidentiality, integrity, and availability may be
impacted. Public reports describe vulnerabilities related to insecure
password and temporary file handling and SQL injection.

US-CERT strongly recommends that sites running Oracle review the
Critical Patch Update, apply patches, and take other mitigating action
as appropriate.

Oracle HTTP Server is based on the Apache HTTP Server. Some Oracle
products include Java components from Sun Microsystems. According to
Oracle, the July 2005 Critical Patch Update addresses previously
disclosed vulnerabilities in Apache and Java. Oracle also notes that
Oracle Database Client-only installations are not affected by
vulnerabilities listed in the July 2005 Critical Patch Update.

US-CERT is tracking all of these issues under VU#613562. As further
information becomes available, we will publish individual
Vulnerability Notes.


II. Impact

The impacts of these vulnerabilities vary depending on product or
component and configuration. Potential consequences include remote
execution of arbitrary code or commands, information disclosure, and
denial of service. An attacker who compromises an Oracle database may
be able to gain access to sensitive information.


III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - July 2005. The update notes that some Oracle
patches are cumulative while others are not:

The Oracle Database Server, Enterprise Manager, and the Oracle
Application Server patches in the Updates are cumulative; each
successive Critical Patch Update contains the fixes from the
previous Critical Patch Updates.
E-Business Suite patches are not cumulative, so E-Business Suite
customers should refer to previous Critical Patch Updates to
identify previous fixes they wish to apply.
Oracle Collaboration Suite patches are not cumulative, so Oracle
Collaboration Suite customers should refer to previous Critical
Patch Updates to identify previous fixes they wish to apply.


Workarounds

It may be possible to mitigate some vulnerabilities by disabling or
removing unnecessary components, restricting network access, and
restricting access to temporary files.

Oracle Critical Patch Update - July 2005 suggests setting a TNS
listener password to mitigate a vulnerability in Oracle Database Server
(DB08).


Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - July 2005 and Critical Patch
Updates and Security Alerts.


Appendix B. References

* Critical Patch Update - July 2005-
<http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html>

* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>

* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>

* US-CERT Vulnerability Note VU#613562 -
<http://www.kb.cert.org/vuls/id/613562>

* Oracle JDeveloper passes Plaintext Password -
<http://www.red-database-security.com/advisory/oracle_jdeveloper_passes_plaintext_password.html>

* Oracle JDeveloper Plaintext Passwords -
<http://www.red-database-security.com/advisory/oracle_jdeveloper_plaintext_password.html>

* Oracle Forms Builder Password in Temp Files -
<http://www.red-database-security.com/advisory/oracle_formsbuilder_temp_file_issue.html>

* Oracle Forms Insecure Temporary File Handling -
<http://www.red-database-security.com/advisory/oracle_forms_unsecure_temp_file_handling.html>

* Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i
- <http://www.integrigy.com/alerts/OraCPU0705.htm>

_________________________________________________________________

Information used in this document came from Red-Database-Security and
Oracle. Oracle credits Qualys Inc., Application Security, Inc., Red
Database Security GmbH, Integrigy, NGS Software, nCircle Network
Security, and Rigel Kent Security.
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff.

Please send mail to cert@cert.org with the subject:

"TA05-194A Feedback VU#613562"
_________________________________________________________________

This document is available at

<http://www.us-cert.gov/cas/techalerts/TA05-194A.html>
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.
_________________________________________________________________

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

July 13, 2005: Initial release

Last updated July 13, 2005






[#] Fri Jul 29 2005 17:35:37 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-210A -- Cisco IOS IPv6 Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA05-210A


Cisco IOS IPv6 Vulnerability

Original release date: July 29, 2005
Last revised: --
Source: US-CERT


Systems Affected

* Cisco IOS devices with IPv6 enabled

For specific information, please see the Cisco Advisory.


Overview

Cisco IOS IPv6 processing functionality contains a vulnerability that
could allow an unauthenticated, remote attacker to execute arbitrary
code or cause a denial of service.


I. Description

Cisco IOS contains a vulnerability in the way IPv6 packets are
processed. US-CERT has not confirmed further technical details.

According to the Cisco Advisory, this vulnerability could be exploited
by an attacker on the same IP subnet:

Crafted packets from the local segment received on logical
interfaces (that is, tunnels including 6to4 tunnels) as well as
physical interfaces can trigger this vulnerability. Crafted packets
can not traverse a 6to4 tunnel and attack a box across the tunnel.

The crafted packet must be sent from a local network segment to
trigger the attack. This vulnerability can not be exploited one or
more hops from the IOS device.

US-CERT strongly recommends that sites running Cisco IOS devices
review the Cisco Advisory and upgrade as appropriate. We are tracking
this vulnerability as VU#930892.


II. Impact

This vulnerability could allow an unauthenticated, remote attacker on
the same IP subnet to execute arbitrary code or cause a denial of
service. The attacker may be able to take control of a vulnerable
device.


III. Solutions

Upgrade

Upgrade to a fixed version of IOS. Please see the Software Versions
and Fixes section of the Cisco Advisory for details.

Disable IPv6

From the Cisco Advisory:

In networks where IPv6 is not needed, disabling IPv6 processing on
an IOS device will eliminate exposure to this vulnerability. On a
router which supports IPv6, this must be done by issuing the
command "no ipv6 enable" and "no ipv6 address" on each interface.


Appendix A. Vendor Information

Cisco Systems, Inc.

Cisco Systems, Inc. has released a security advisory regarding a
vulnerability which was disclosed on July 27, 2005 at the Black Hat
security conference. Security advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

For up-to-date information on security vulnerabilities in Cisco
Systems, Inc. products, visit http://www.cisco.com/go/psirt.


Appendix B. References

* US-CERT Vulnerability Note VU#930892 -
<http://www.kb.cert.org/vuls/id/930892>

* Cisco Security Advisory: IPv6 Crafted Packet Vulnerability -
<http://www.cisco.com/en/US/products/products_security_advisory09186a00804d82c9.shtml>

_________________________________________________________________


Information regarding this vulnerability was primarily provided by
Cisco Systems, who in turn acknowledge the disclosure of this
vulnerability at the Black Hat USA 2005 Briefings.

_________________________________________________________________


Feedback can be directed to US-CERT Technical Staff. Send mail to
<cert@cert.org> with "TA05-210A feedback VU#930892" in the subject.

_________________________________________________________________


The most recent version of this document is available at:

<http://www.us-cert.gov/cas/techalerts/TA05-210A.html>

_________________________________________________________________

Produced 2005 by US-CERT, a government organization.
_________________________________________________________________

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________


Revision History

July 29, 2005: Initial release

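
The workaround quoted from the Cisco Advisory in TA05-210A above ("no ipv6 enable" and "no ipv6 address" on each interface) first requires knowing which interfaces have IPv6 configured. The following added example, which is not part of the US-CERT alert or Cisco's advisory, parses a saved running-config and lists them; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:DB8:1::1/64
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ipv6 enable
!
interface Tunnel0
 no ip address
 ipv6 enable
 tunnel source FastEthernet0/0
 tunnel mode ipv6ip 6to4
!
interface Serial0/0
 no ip address
 ipv6 enable
 shutdown
!
line vty 0 4
 login
"""

IFACE_RE = re.compile(r"^interface\s+(.+?)\s*$")


def ipv6_enabled_interfaces(config_text):
    """Return interfaces whose block contains 'ipv6 enable' or 'ipv6 address'.

    Interface sub-commands are the indented lines following an 'interface'
    line; any unindented line (including '!') ends the block.
    """
    interfaces = []
    current = None
    for line in config_text.splitlines():
        match = IFACE_RE.match(line)
        if match:
            current = {"name": match.group(1), "ipv6": [], "shutdown": False}
            interfaces.append(current)
        elif not line.startswith(" "):
            current = None  # back in global configuration
        elif current is not None:
            cmd = line.strip()
            if cmd == "shutdown":
                current["shutdown"] = True
            # Negated forms ('no ipv6 enable') start with 'no' and are skipped,
            # as are other commands that merely mention ipv6 (tunnel mode).
            elif cmd == "ipv6 enable" or cmd.startswith("ipv6 address "):
                current["ipv6"].append(cmd)
    return [iface for iface in interfaces if iface["ipv6"]]


def workaround_commands(interfaces):
    """Build the per-interface commands named in the advisory, for review."""
    lines = []
    for iface in interfaces:
        lines += [f"interface {iface['name']}", " no ipv6 enable", " no ipv6 address"]
    return lines


if __name__ == "__main__":
    found = ipv6_enabled_interfaces(SAMPLE_CONFIG)
    for iface in found:
        state = "shutdown" if iface["shutdown"] else "up"
        print(f"{iface['name']} ({state}): {', '.join(iface['ipv6'])}")
    print("\n".join(workaround_commands(found)))
```

The tunnel interface is reported alongside the physical ones because the advisory states that logical interfaces, including 6to4 tunnels, can receive the crafted packets.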

[#] Tue Aug 09 2005 19:15:55 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-221A -- Microsoft Windows and Internet Explorer Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Technical Cyber Security Alert TA05-221A
Microsoft Windows and Internet Explorer Vulnerabilities

Original release date: August 09, 2005
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security
Bulletin Summary for August, 2005.

Overview

Microsoft has released updates that address critical vulnerabilities
in Windows and Internet Explorer. Exploitation of these
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code or cause a denial of service on an affected
system.

I. Description

Microsoft Security Bulletins for August, 2005 address vulnerabilities
in Windows and Internet Explorer. Further information is available in
the following Vulnerability Notes:

VU#965206 - Microsoft Internet Explorer JPEG rendering library
vulnerable to buffer overflow

Microsoft Internet Explorer contains a flaw related to JPEG image
rendering that may allow an attacker to remotely execute arbitrary
code.
(CAN-2005-1988)


VU#959049 - Several COM objects cause memory corruption in Internet
Explorer

Microsoft Internet Explorer allows instantiation of non-ActiveX COM
objects, which may allow an attacker to execute arbitrary code or
crash Internet Explorer.
(CAN-2005-1990)


VU#998653 - Microsoft Plug and Play contains a buffer overflow
vulnerability

Microsoft Plug and Play contains a flaw in the handling of message
buffers that may result in a local or remote denial-of-service
condition and arbitrary code execution.
(CAN-2005-1983)


VU#490628 - Microsoft Remote Desktop Protocol service contains an
unspecified vulnerability

An input validation error in the Microsoft Remote Desktop Protocol
(RDP) service may allow a remote attacker to cause a denial-of-service
condition.
(CAN-2005-1218)


VU#220821 - Microsoft Print Spooler service contains a buffer overflow

A buffer overflow in the Microsoft Print Spooler service may allow a
remote attacker to execute arbitrary code on a vulnerable system.
(CAN-2005-1984)

II. Impact

Exploitation of these vulnerabilities may allow a remote,
unauthenticated attacker to execute arbitrary code with SYSTEM
privileges or with the privileges of the user. If the user is logged
on with administrative privileges, the attacker could take complete
control of an affected system. An attacker may also be able to cause a
denial of service.

III. Solution

Apply Updates

Microsoft has provided the updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.

Workarounds

Please see the individual Vulnerability Notes for workarounds.

Appendix A. References

* Microsoft Security Bulletin Summary for August, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx>

* US-CERT Vulnerability Note VU#965206 -
<http://www.kb.cert.org/vuls/id/965206>

* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>

* US-CERT Vulnerability Note VU#998653 -
<http://www.kb.cert.org/vuls/id/998653>

* US-CERT Vulnerability Note VU#490628 -
<http://www.kb.cert.org/vuls/id/490628>

* US-CERT Vulnerability Note VU#220821 -
<http://www.kb.cert.org/vuls/id/220821>

* CAN-2005-1988 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1988>

* CAN-2005-1990 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1990>

* CAN-2005-1983 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1983>

* CAN-2005-1218 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1218>

* CAN-2005-1984 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1984>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate>

* Microsoft Update Overview -
<http://www.microsoft.com/technet/prodtechnol/microsoftupdate/default.mspx>
_________________________________________________________________

Feedback can be directed to the US-CERT Technical Staff.

Please send mail to cert@cert.org with the subject:

"TA05-221A Feedback VU#959049"
_________________________________________________________________

This document is available at

<http://www.us-cert.gov/cas/techalerts/TA05-221A.html>
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.
_________________________________________________________________

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

August 09, 2005: Initial Release




[#] Fri Aug 12 2005 18:16:06 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-224A -- VERITAS Backup Exec Uses Hard-Coded Authentication Credentials


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA05-224A


VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

Original release date: August 12, 2005
Last revised: --
Source: US-CERT


Systems Affected

* VERITAS Backup Exec Remote Agent for Windows Servers


Overview

VERITAS Backup Exec Remote Agent for Windows Servers uses
hard-coded administrative authentication credentials. An attacker
with knowledge of these credentials and access to the Remote Agent
could retrieve arbitrary files from a vulnerable system.


I. Description

VERITAS Backup Exec Remote Agent for Windows Servers is a data
backup and recovery solution that supports the Network Data
Management Protocol (NDMP). NDMP "...is an open standard protocol
for enterprise-wide backup of heterogeneous network-attached
storage." By default, the Remote Agent listens for NDMP traffic on
port 10000/tcp.

The VERITAS Backup Exec Remote agent uses hard-coded administrative
authentication credentials. An attacker with knowledge of these
credentials and access to the Remote Agent may be able to retrieve
arbitrary files from a vulnerable system. The Remote Agent runs
with SYSTEM privileges.

Exploit code, including the credentials, is publicly available.
US-CERT has also seen reports of increased scanning activity on
port 10000/tcp. This increase may be caused by attempts to locate
vulnerable systems.

US-CERT is tracking this vulnerability as VU#378957.

Please note that VERITAS has recently merged with Symantec.


II. Impact

A remote attacker with knowledge of the credentials and access to
the Remote Agent may be able to retrieve arbitrary files from a
vulnerable system.


III. Solution

Restrict access

US-CERT recommends taking the following actions to reduce the chances
of exploitation:

* Use firewalls to limit connectivity so that only authorized backup
server(s) can connect to the Remote Agent. The default port for
this service is port 10000/tcp.

* At a minimum, implement some basic protection at the network
perimeter. When developing rules for network traffic filters,
realize that individual installations may operate on
non-standard ports.

* In addition, changing the Remote Agent's default port from
10000/tcp may reduce the chances of exploitation. Please refer
to VERITAS support document 255174 for instructions on how to
change the default port.

For more information, please see US-CERT Vulnerability Note VU#378957.


Appendix A. References

* US-CERT Vulnerability Note VU#378957 -
<http://www.kb.cert.org/vuls/id/378957>

* Veritas Backup Exec Remote Agent for Windows Servers Arbitrary
File Download Vulnerability -
<http://securityresponse.symantec.com/avcenter/security/Content/14551.html>

* VERITAS support document 255831 -
<http://seer.support.veritas.com/docs/255831.htm>

* VERITAS support document 258334 -
<http://seer.support.veritas.com/docs/258334.htm>

* VERITAS support document 255174 -
<http://seer.support.veritas.com/docs/255174.htm>

* What is NDMP? - <http://www.ndmp.org/info/faq.shtml#1>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-224A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA05-224A Feedback VU#378957" in the
subject.
____________________________________________________________________

To unsubscribe:

<http://www.us-cert.gov/cas/#unsubscribe>
____________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Aug 12, 2005: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----
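
The "Restrict access" guidance in TA05-224A above can be checked against firewall logs. The following is an added example, not part of the US-CERT alert: the `key=value` log format, the addresses, the authorized backup server list and the alternate port 12000 are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

NDMP_PORT = 10000  # default Remote Agent port named in the alert
# Assumption: the only backup server allowed to reach Remote Agents.
AUTHORIZED_BACKUP_SERVERS = {ipaddress.ip_address("10.0.5.10")}
SCAN_THRESHOLD = 3  # distinct destinations from one source before we call it a scan

# Constructed sample log lines in an assumed key=value firewall format.
SAMPLE_LOG = """\
2005-08-12T09:00:01 action=accept proto=tcp src=10.0.5.10 dst=10.0.1.21 dport=10000
2005-08-12T09:02:10 action=deny proto=tcp src=203.0.113.7 dst=10.0.1.21 dport=10000
2005-08-12T09:02:11 action=deny proto=tcp src=203.0.113.7 dst=10.0.1.22 dport=10000
2005-08-12T09:02:12 action=deny proto=tcp src=203.0.113.7 dst=10.0.1.23 dport=10000
2005-08-12T09:05:40 action=accept proto=tcp src=10.0.9.44 dst=10.0.1.21 dport=10000
2005-08-12T09:06:02 action=accept proto=tcp src=10.0.9.44 dst=10.0.1.30 dport=12000
2005-08-12T09:07:15 action=accept proto=udp src=203.0.113.9 dst=10.0.1.21 dport=10000
2005-08-12T09:08:00 action=accept proto=tcp src=10.0.5.10 dst=10.0.1.21 dport=443
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def audit(log_text, agent_ports=(NDMP_PORT,),
          authorized=AUTHORIZED_BACKUP_SERVERS,
          scan_threshold=SCAN_THRESHOLD):
    """Return (unauthorized, scanners).

    unauthorized: accepted TCP connections to a Remote Agent port from a
                  source that is not an authorized backup server, i.e. a
                  gap in the firewall policy the alert recommends.
    scanners:     unauthorized sources that tried a Remote Agent port on at
                  least `scan_threshold` distinct hosts, whether or not the
                  firewall let them through.
    """
    unauthorized = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp":
            continue
        dport = int(m["dport"])
        # The alert notes installations may run on non-standard ports,
        # so the set of agent ports is a parameter, not a constant.
        if dport not in agent_ports:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address: skip the line rather than guess
        if src in authorized:
            continue
        targets[src].add(m["dst"])
        if m["action"] == "accept":
            unauthorized.append((str(src), m["dst"], dport))
    scanners = sorted(str(s) for s, d in targets.items()
                      if len(d) >= scan_threshold)
    return unauthorized, scanners


if __name__ == "__main__":
    gaps, scanners = audit(SAMPLE_LOG, agent_ports=(NDMP_PORT, 12000))
    for src, dst, port in gaps:
        print(f"policy gap: {src} reached Remote Agent {dst}:{port}")
    for src in scanners:
        print(f"possible scan for Remote Agents from {src}")
```

Any "policy gap" result means a host other than the backup server can still reach a Remote Agent, which is the condition the firewall recommendation is meant to eliminate.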

[#] Wed Aug 17 2005 15:30:08 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-229A -- Apple Mac Products are Affected by Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA05-229A


Apple Mac Products are Affected by Multiple Vulnerabilities

Original release date: August 17, 2005
Last revised: --
Source: US-CERT


Systems Affected

* Apple Mac OS X version 10.3.9 (Panther) and version 10.4.2 (Tiger)
* Apple Mac OS X Server version 10.3.9 and version 10.4.2
* Apple Safari web browser

Please see Apple Security Update 2005-007 for further information.


Overview

Apple has released Security Update 2005-007 to address multiple
vulnerabilities affecting Mac OS X, Mac OS X Server, Safari web
browser, and other products. The most serious of these vulnerabilities
may allow a remote attacker to execute arbitrary code. Impacts of
other vulnerabilities include bypassing security restrictions and
denial of service.


I. Description

Apple Security Update 2005-007 resolves a number of vulnerabilities
affecting Mac OS X, OS X Server, Safari web browser, and other
products. Further details are available in the following Vulnerability
Notes:

VU#913820 - Apple Mac OS X Directory Services contains a buffer
overflow

A buffer overflow in Apple Mac OS X Directory Service's authentication
process may allow a remote, unauthenticated attacker to execute
arbitrary code on a vulnerable system.
(CAN-2005-2507)

VU#461412 - Apple Mac OS X Server servermgrd authentication vulnerable
to buffer overflow

Apple Mac OS X Server servermgrd contains an unspecified buffer
overflow vulnerability in its authentication handling routines. This
vulnerability may lead to remote execution of arbitrary code.
(CAN-2005-2518)

VU#435188 - Apple Mac OS X AppKit vulnerable to buffer overflow via
the handling of maliciously crafted rich text files

A buffer overflow vulnerability exists in a component of Apple's Mac
OS X operating system that handles rich text files.
(CAN-2005-2501)

VU#172948 - Apple Mac OS X AppKit vulnerable to buffer overflow via
maliciously crafted Microsoft Word files

A buffer overflow vulnerability exists in a component of Apple's Mac
OS X operating system that handles Microsoft Word files.
(CAN-2005-2502)

VU#420316 - Apple Mac OS X Safari vulnerable to arbitrary command
execution via URLs in PDF files

Apple Mac OS X WebKit and Safari security controls may be bypassed,
possibly allowing remote command execution.
(CAN-2005-2522)

VU#709220 - Apple Safari fails to perform security checks on links in
rich text content

Apple Safari fails to perform security checks on hyperlinks in rich
text content, which may allow an attacker to execute arbitrary
commands on a vulnerable system.
(CAN-2005-2516)

Please note that Apple Security Update 2005-007 addresses
additional vulnerabilities not described above. As further
information becomes available, we will publish individual
Vulnerability Notes.


II. Impact

The impacts of these vulnerabilities vary. For information about
specific impacts please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.


III. Solution

Install an update

Install the update as described in Apple Security Update 2005-007. In
addition, this update is available via Apple Update.


Appendix A. References

* US-CERT Vulnerability Note VU#913820 -
<http://www.kb.cert.org/vuls/id/913820>

* US-CERT Vulnerability Note VU#461412 -
<http://www.kb.cert.org/vuls/id/461412>

* US-CERT Vulnerability Note VU#435188 -
<http://www.kb.cert.org/vuls/id/435188>

* US-CERT Vulnerability Note VU#172948 -
<http://www.kb.cert.org/vuls/id/172948>

* US-CERT Vulnerability Note VU#420316 -
<http://www.kb.cert.org/vuls/id/420316>

* US-CERT Vulnerability Note VU#709220 -
<http://www.kb.cert.org/vuls/id/709220>

* Apple Security Update 2005-007 -
<http://docs.info.apple.com/article.html?artnum=302163>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-229A.html>
____________________________________________________________________

Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "TA05-229A Feedback VU#913820" in the subject.
____________________________________________________________________

Mailing list information:

<http://www.us-cert.gov/cas/>
____________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

August 17, 2005: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Wed Sep 28 2005 10:33:33 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert -- New US-CERT PGP Key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New US-CERT PGP Key

The current US-CERT PGP key is expiring and we have generated a new
key to replace it. We use this key to sign all outgoing email,
including documents sent to this list. Effective immediately, this
new key is available and will be valid until Sunday, October 1,
2006. To obtain further information or to download the new US-CERT
public PGP key, please visit

<http://www.us-cert.gov/pgp/encryptmail.html>
or
<https://www.us-cert.gov/pgp/encryptmail.html>

A copy of the new key has also been included at the bottom of this
message and sent to public PGP key servers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP PUBLIC KEY BLOCK-----

[#] Tue Oct 11 2005 18:55:28 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-284A -- Microsoft Windows, Internet Explorer, and Exchange Server Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Technical Cyber Security Alert TA05-284A
Microsoft Windows, Internet Explorer, and Exchange Server
Vulnerabilities

Original release date: October 11, 2005
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Exchange Server

For more complete information, refer to the Microsoft Security
Bulletin Summary for October 2005.

Overview

Microsoft has released updates that address critical vulnerabilities
in Windows, Internet Explorer, and Exchange Server. Exploitation of
these vulnerabilities could allow a remote, unauthenticated attacker
to execute arbitrary code or cause a denial of service on an affected
system.

I. Description

Microsoft Security Bulletins for October 2005 address vulnerabilities
in Windows and Internet Explorer. Further information is available in
the following US-CERT Vulnerability Notes:


VU#214572 - Microsoft Plug and Play fails to properly validate user
supplied data

Microsoft Plug and Play contains a flaw in the handling of message
buffers that may result in local or remote arbitrary code execution or
denial-of-service conditions.
(CAN-2005-2120)


VU#883460 - Microsoft Collaboration Data Objects buffer overflow

A buffer overflow in Microsoft Collaboration Data Objects may allow a
remote, unauthenticated attacker to execute arbitrary code on a
vulnerable system.
(CAN-2005-1987)


VU#922708 - Microsoft Windows Shell fails to handle shortcut files
properly

Microsoft Windows Shell does not properly handle some shortcut files
and may permit arbitrary code execution when a specially-crafted file
is opened.
(CAN-2005-2122)


VU#995220 - Microsoft DirectShow buffer overflow

A buffer overflow in Microsoft DirectShow may allow a remote,
unauthenticated attacker to execute arbitrary code on a vulnerable
system.
(CAN-2005-2128)


VU#180868 - Microsoft Distributed Transaction Coordinator vulnerable
to buffer overflow via specially crafted network message

Microsoft Distributed Transaction Coordinator (MSDTC) may be
vulnerable to a flaw that allows remote, unauthenticated attackers to
execute arbitrary code.
(CAN-2005-2119)


VU#950516 - Microsoft COM+ contains a memory management flaw

Microsoft COM+ contains a vulnerability due to a memory management
flaw that may allow an attacker to take complete control of an
affected system.
(CAN-2005-1978)


VU#959049 - Several COM objects cause memory corruption in Microsoft
Internet Explorer

Microsoft Internet Explorer will initialize COM objects that were not
intended to be used in the web browser. Several COM objects have been
identified that may allow an attacker to execute arbitrary code or
crash Internet Explorer.
(CAN-2005-2127)


VU#680526 - Microsoft Internet Explorer allows non-ActiveX COM objects
to be instantiated

Microsoft Internet Explorer will initialize COM objects that were not
intended to be used in the web browser. This may allow an attacker to
execute arbitrary code or crash Internet Explorer.
(CAN-2005-0163)

II. Impact

Exploitation of these vulnerabilities may allow a remote,
unauthenticated attacker to execute arbitrary code with SYSTEM
privileges or with the privileges of the user. If the user is logged
on with administrative privileges, the attacker could take complete
control of an affected system. An attacker may also be able to cause a
denial of service.

III. Solution

Apply Updates

Microsoft has provided the updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.

Workarounds

Please see the following US-CERT Vulnerability Notes for workarounds.

Appendix A. References

* Microsoft Security Bulletin Summary for October 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx>

* US-CERT Vulnerability Note VU#214572 -
<http://www.kb.cert.org/vuls/id/214572>

* US-CERT Vulnerability Note VU#883460 -
<http://www.kb.cert.org/vuls/id/883460>

* US-CERT Vulnerability Note VU#922708 -
<http://www.kb.cert.org/vuls/id/922708>

* US-CERT Vulnerability Note VU#995220 -
<http://www.kb.cert.org/vuls/id/995220>

* US-CERT Vulnerability Note VU#180868 -
<http://www.kb.cert.org/vuls/id/180868>

* US-CERT Vulnerability Note VU#950516 -
<http://www.kb.cert.org/vuls/id/950516>

* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>

* US-CERT Vulnerability Note VU#680526 -
<http://www.kb.cert.org/vuls/id/680526>

* CAN-2005-2120 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2120>

* CAN-2005-1987 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1987>

* CAN-2005-2122 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2122>

* CAN-2005-2128 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2128>

* CAN-2005-2119 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2119>

* CAN-2005-1978 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1978>

* CAN-2005-2127 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127>

* CAN-2005-0163 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0163>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-284A.html>
_________________________________________________________________

Feedback can be directed to US-CERT. Please send email to:
<cert@cert.org> with "TA05-284A Feedback VU#959049" in the subject.
_________________________________________________________________

Revision History

Oct 11, 2004: Initial release
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/>.





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Tue Oct 18 2005 14:52:48 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-291A -- Snort Back Orifice Preprocessor Buffer Overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA05-291A


Snort Back Orifice Preprocessor Buffer Overflow

Original release date: October 18, 2005
Last revised: --
Source: US-CERT


Systems Affected

* Snort versions 2.4.0 to 2.4.2
* Sourcefire Intrusion Sensors

Other products that use Snort or Snort components may be affected.


Overview

The Snort Back Orifice preprocessor contains a buffer overflow that
could allow a remote attacker to execute arbitrary code on a
vulnerable system.


I. Description

Snort is a widely-deployed, open-source network intrusion detection
system (IDS). Snort and its components are used in other IDS
products, notably Sourcefire Intrusion Sensors, and Snort is
included with a number of operating system distributions.

Snort preprocessors are modular plugins that extend functionality
by operating on packets before the detection engine is run. The
Back Orifice preprocessor decodes packets to determine if they
contain Back Orifice ping messages. The ping detection code does
not adequately limit the amount of data that is read from the
packet into a fixed-length buffer, thus creating the potential for
a buffer overflow.

The vulnerable code will process any UDP packet that is not
destined to or sourced from the default Back Orifice port
(31337/udp). An attacker could exploit this vulnerability by
sending a specially crafted UDP packet to a host or network
monitored by Snort.

US-CERT is tracking this vulnerability as VU#175500. Further
information is available in an advisory from Internet Security
Systems (ISS).


II. Impact

A remote attacker who can send UDP packets to a Snort sensor may be
able to execute arbitrary code. Snort typically runs with root or
SYSTEM privileges, so an attacker could take complete control of a
vulnerable system. An attacker does not need to target a Snort
sensor directly; the attacker can target any host or network
monitored by Snort.


III. Solution

Upgrade

Sourcefire has released Snort 2.4.3 which is available from the
Snort download site. For information about other vendors, please
see the Systems Affected section of VU#175500.

Disable Back Orifice Preprocessor

To disable the Back Orifice preprocessor, comment out the line that
loads the preprocessor in the Snort configuration file (typically
/etc/snort.conf on UNIX and Linux systems):

[/etc/snort.conf]
...
#preprocessor bo
...

Restart Snort for the change to take effect.

Restrict Outbound Traffic

Consider preventing Snort sensors from initiating outbound
connections and restricting outbound traffic to only those hosts
and networks that have legitimate requirements to communicate with
the sensors. While this will not prevent exploitation of the
vulnerability, it may make it more difficult for an attacker to
access a compromised system or reconnoiter other systems.


Appendix A. References

* US-CERT Vulnerability Note VU#175500 -
<http://www.kb.cert.org/vuls/id/177500>

* Fixes and Mitigation Instructions Available for Snort Back
Orifice Vulnerability -
<http://www.snort.org/pub-bin/snortnews.cgi#99>

* Snort downloads - <http://www.snort.org/dl/>

* Snort 2.4.3 Changelog -
<http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>

* Preprocessors -
<http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node11.html#SECTION00310000000000000000>

* Snort Back Orifice Parsing Remote Code Execution -
<http://xforce.iss.net/xforce/alerts/id/207>


____________________________________________________________________

This vulnerability was researched and reported by Internet Security
Systems (ISS).
____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Oct 18, 2005: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----
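
The affected version range and the "Disable Back Orifice Preprocessor" workaround from TA05-291A above can be combined into one sensor check. This is an added example, not part of the US-CERT alert or of Snort: the sample configurations and version banners are constructed, and accepting an optional `: options` suffix after `preprocessor bo` is an assumption that goes beyond the bare form the alert shows.

```python
import re

# Affected range stated in the alert: Snort 2.4.0 to 2.4.2 (fixed in 2.4.3).
VULNERABLE_MIN = (2, 4, 0)
VULNERABLE_MAX = (2, 4, 2)

# An active line loading the Back Orifice preprocessor. The optional
# ": options" part is an assumption; "bogus" or "bo2" must not match.
BO_RE = re.compile(r"^\s*preprocessor\s+bo\s*(?::.*)?$")

# Constructed sample configurations.
SAMPLE_CONF = """\
# constructed sample snort.conf
var HOME_NET any
preprocessor frag3_global: max_frags 65536
preprocessor stream4: detect_scans
  preprocessor bo   # Back Orifice detector
#preprocessor bo
preprocessor telnet_decode
"""

PATCHED_CONF = """\
# constructed sample with the workaround applied
var HOME_NET any
#preprocessor bo
preprocessor telnet_decode
"""


def parse_version(text):
    """Extract the first x.y.z version from a banner or bare string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(text):
    return VULNERABLE_MIN <= parse_version(text) <= VULNERABLE_MAX


def active_bo_lines(conf_text):
    """Return (line_number, text) for every uncommented 'preprocessor bo'."""
    hits = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        code = raw.split("#", 1)[0]  # drop full-line and trailing comments
        if BO_RE.match(code):
            hits.append((number, raw.strip()))
    return hits


def assess(version_text, conf_text):
    """Classify a sensor from its version string and snort.conf contents."""
    if not is_vulnerable_version(version_text):
        return "not-in-affected-range"
    if active_bo_lines(conf_text):
        return "exposed"            # affected version, preprocessor loaded
    return "workaround-applied"     # affected version; upgrade still advised


if __name__ == "__main__":
    for banner, conf in (("Version 2.4.2 (Build 25)", SAMPLE_CONF),
                         ("Version 2.4.2 (Build 25)", PATCHED_CONF),
                         ("Version 2.4.3 (Build 26)", SAMPLE_CONF)):
        print(banner, "->", assess(banner, conf), active_bo_lines(conf))
```

The version check covers Snort itself only; products that embed Snort components need the vendor status listed in VU#175500, and Snort must be restarted before a configuration change takes effect.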

[#] Wed Oct 19 2005 16:17:08 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-292A -- Oracle Products Contain Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA05-292A


Oracle Products Contain Multiple Vulnerabilities

Original release date: October 19, 2005
Last revised: --
Source: US-CERT


Systems Affected

* Oracle Database Server 10g
* Oracle9i Database Server
* Oracle8i Database Server
* Oracle8 Database Server
* Oracle Enterprise Manager 10g Grid Control
* Oracle Enterprise Manager Application Server Control
* Oracle Enterprise Manager 10g Database Control
* Oracle Application Server 10g
* Oracle9i Application Server
* Oracle Collaboration Suite 10g
* Oracle9i Collaboration Suite
* Oracle E-Business Suite Release 11i
* Oracle E-Business Suite Release 11.0
* Oracle Clinical
* JD Edwards EnterpriseOne, OneWorld XE
* Oracle Developer Suite
* Oracle Workflow

For more information regarding affected product versions, please see
the Oracle Critical Patch Update - October 2005.


Overview

Various Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include
unauthenticated, remote code execution, information disclosure, and
denial of service.


I. Description

Oracle released a Critical Patch Update in October 2005. It addresses
more than eighty vulnerabilities in different Oracle products and
components.

The Critical Patch Update provides information about affected
components, access and authorization required, and the impact of the
vulnerabilities on data confidentiality, integrity, and availability.
For more information on terms used in the Critical Patch Update,
MetaLink customers should refer to MetaLink Note 293956.1.

According to the Critical Patch Update: "The new database
vulnerabilities addressed by this Critical Patch Update do not affect
Oracle Database Client-only installations (installations that do not
have the Oracle Database Server installed). Therefore, it is not
necessary to apply this Critical Patch Update to client-only
installations if a prior Critical Patch Update, or Alert 68, has
already been applied to the client-only installations."

US-CERT recommends that sites running Oracle review the Critical Patch
Update, apply patches, and take other mitigating action as
appropriate. US-CERT is tracking all of these issues under VU#210524.
As further information becomes available, we will publish individual
Vulnerability Notes.

Note that according to public reports, the patches included in this
update, as well as previous updates, may not adequately correct all
security vulnerabilities.


II. Impact

The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include remote execution of arbitrary code or commands, information
disclosure, and denial of service. An attacker who compromises an
Oracle database may be able to gain access to sensitive information.


III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - October 2005. Note that this Critical Patch
Update only lists newly corrected issues. Updates to patches for
previously known issues are not listed.

Workarounds

It may be possible to mitigate some vulnerabilities by disabling or
removing unnecessary components, restricting network access, and
restricting access to temporary files.

Oracle Critical Patch Update - October 2005 suggests disabling the
PSQL Manager to mitigate a vulnerability in PeopleSoft Enterprise
PeopleTools (PSE04).


Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - October 2005 and Critical
Patch Updates and Security Alerts.


Appendix B. References

* Critical Patch Update - October 2005 -
<http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html>

* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>

* MetaLink Note 293956.1 -
<http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=293956.1>

* US-CERT Vulnerability Note VU#210524 -
<http://www.kb.cert.org/vuls/id/210524>

* US-CERT Vulnerability Notes Related to Critical Patch Update -
October 2005 -
<http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_october_2005>

* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>

* SecurityFocus BugTraq -
<http://www.securityfocus.com/archive/1/413827/30/0/threaded>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-292A.html>
_________________________________________________________________

Feedback can be directed to US-CERT. Please send email to:
<cert@cert.org> with "TA05-292A Feedback VU#210524" in the subject.
_________________________________________________________________

Revision History

Oct 19, 2005: Initial release
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/>.




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Tue Nov 08 2005 19:00:38 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-312A -- Microsoft Windows Image Processing Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA05-312A


Microsoft Windows Image Processing Vulnerabilities

Original release date: November 08, 2005
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

For more complete information, refer to Microsoft Security Bulletin
MS05-053.


Overview

Microsoft has released updates that address critical vulnerabilities
in Windows graphics rendering services. A remote, unauthenticated
attacker exploiting these vulnerabilities could execute arbitrary code
or cause a denial of service on an affected system.


I. Description

The Microsoft Security Bulletin for November 2005 addresses multiple
buffer overflows in Windows image processing routines. Viewing a
specially crafted image from an application that uses a vulnerable
routine may trigger these vulnerabilities. If this application can
access images from remote sources, such as web sites or email, then
remote exploitation is possible.

Further information is available in the following US-CERT
Vulnerability Notes:

VU#300549 - Microsoft Windows Graphics Rendering Engine buffer
overflow vulnerability

Microsoft Windows Graphics Rendering Engine contains a buffer overflow
that may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2005-2123)


VU#433341 - Microsoft Windows vulnerable to buffer overflow via
specially crafted "WMF" file

Microsoft Windows may be vulnerable to remote code execution via a
buffer overflow in the Windows Metafile image format handling.
(CVE-2005-2124)


VU#134756 - Microsoft Windows buffer overflow in Enhanced Metafile
rendering API

Microsoft Windows Enhanced Metafile Format image rendering routines
contain a buffer overflow flaw that may allow an attacker to cause a
denial-of-service condition.
(CVE-2005-0803)


II. Impact

A remote, unauthenticated attacker exploiting these vulnerabilities
could execute arbitrary code with the privileges of the user. If the
user is logged on with administrative privileges, the attacker could
take control of an affected system. An attacker may also be able to
cause a denial of service.


III. Solution

Apply Updates

Microsoft has provided the updates to correct these vulnerabilities in
Microsoft Security Bulletin MS05-053. These updates are also available
on the Microsoft Update site.


Appendix A. References

* Microsoft Security Bulletin MS05-053 -
<http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx>

* Microsoft Security Bulletin Summary for November 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-nov.mspx>

* US-CERT Vulnerability Note VU#300549 -
<http://www.kb.cert.org/vuls/id/300549>

* US-CERT Vulnerability Note VU#433341 -
<http://www.kb.cert.org/vuls/id/433341>

* US-CERT Vulnerability Note VU#134756 -
<http://www.kb.cert.org/vuls/id/134756>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-312A.html>
_________________________________________________________________

Feedback can be directed to US-CERT. Please send email to:
<cert@cert.org> with "TA05-312A Feedback VU#300549" in the subject.
_________________________________________________________________

Revision History

Nov 08, 2005: Initial release
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Tue Dec 13 2005 17:32:00 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-347A -- Microsoft Internet Explorer Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Technical Cyber Security Alert TA05-347A

Microsoft Internet Explorer Vulnerabilities

Original release date: December 13, 2005
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security
Bulletin Summary for December 2005.

Overview

Microsoft has released updates that address critical vulnerabilities
in Internet Explorer (IE). A remote, unauthenticated attacker could
exploit these vulnerabilities to execute arbitrary code or cause a
denial of service on an affected system.

I. Description

The Microsoft Security Bulletins for December 2005 address
vulnerabilities in Microsoft Windows and Internet Explorer. By
convincing a user to view a specially crafted HTML document, such as a
web page or an HTML email message or attachment, an attacker could
execute arbitrary code with the privileges of the user. The attacker
could also cause IE or the program using the WebBrowser control to
crash.

Further information is available in the following US-CERT
Vulnerability Notes:

VU#887861 - Microsoft Internet Explorer vulnerable to code execution
via mismatched DOM objects

Microsoft Internet Explorer fails to properly handle requests to
mismatched DOM objects, which may allow a remote attacker to execute
arbitrary code on a vulnerable system.
(CVE-2005-1790)

VU#959049 - Several COM objects cause memory corruption in Microsoft
Internet Explorer

Microsoft Internet Explorer allows instantiation of COM objects not
designed for use in the browser, which may allow an attacker to
execute arbitrary code or crash IE.
(CVE-2005-2127)

II. Impact

A remote, unauthenticated attacker exploiting these vulnerabilities
could execute arbitrary code with the privileges of the user. If the
user is logged on with administrative privileges, the attacker could
take complete control of an affected system or cause a denial of
service.

III. Solution

Apply Updates

Microsoft has provided the updates for these and other vulnerabilities
in the December 2005 Security Bulletins and on the Microsoft Update
site.

Disable ActiveX

Disable ActiveX in the Internet Zone to further protect against the
vulnerabilities described in VU#959049 and VU#680526. Instructions for
disabling ActiveX are available in the CERT/CC Malicious Web Scripts
FAQ. Note that disabling ActiveX will reduce the functionality of some
web sites.

The updates provided by MS05-037, MS05-038, MS05-052, and MS05-054
block COM objects known to be vulnerable; however, there may be more.

Appendix A. References

* Microsoft Security Bulletin Summary for December 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx>

* Microsoft Security Bulletin MS05-054 -
<http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx>

* Microsoft Security Bulletin MS05-052 -
<http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx>

* Microsoft Security Bulletin MS05-038 -
<http://www.microsoft.com/technet/security/bulletin/MS05-038.mspx>

* Microsoft Security Bulletin MS05-037 -
<http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx>

* US-CERT Vulnerability Note VU#887861 -
<http://www.kb.cert.org/vuls/id/887861>

* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>

* US-CERT Vulnerability Note VU#680526 -
<http://www.kb.cert.org/vuls/id/680526>

* CVE-2005-1790 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1790>

* CVE-2005-2127 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2127>

* CERT/CC Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>

* Improve the safety of your browsing and e-mail activities -
<http://www.microsoft.com/athome/security/online/browsing_safety.mspx>

* Security Essentials -
<http://www.microsoft.com/athome/security/protect/default.aspx>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate>

_________________________________________________________________


The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-347A.html>

_________________________________________________________________


Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA05-347A Feedback VU#887861" in the
subject.

_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

_________________________________________________________________


Produced 2005 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>

_________________________________________________________________


Revision History

December 13, 2005: Initial release



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Wed Dec 28 2005 20:37:51 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA05-362A -- Microsoft Windows Metafile Handling Buffer Overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Windows Metafile Handling Buffer Overflow

Original release date: December 28, 2005
Last revised: --
Source: US-CERT

Systems Affected

* Systems running Microsoft Windows

Overview

Microsoft Windows is vulnerable to remote code execution via an error
in handling files using the Windows Metafile image format. Exploit
code has been publicly posted and used to successfully attack
fully-patched Windows XP SP2 systems. However, other versions of the
Windows operating system may be at risk as well.

I. Description

Microsoft Windows Metafiles are image files that can contain both
vector and bitmap-based picture information. Microsoft Windows
contains routines for displaying various Windows Metafile formats.
However, a lack of input validation in one of these routines may allow
a buffer overflow to occur, and in turn may allow remote arbitrary
code execution.

This new vulnerability may be similar to one Microsoft released
patches for in Microsoft Security Bulletin MS05-053. However, publicly
available exploit code is known to affect systems updated with the
MS05-053 patches.

Not all anti-virus software products are currently able to detect all
known variants of exploits for this vulnerability. However, US-CERT
recommends updating anti-virus signatures as frequently as practical
to provide maximum protection as new variants appear.

US-CERT is tracking this issue as VU#181038. This reference number
corresponds to CVE entry CVE-2005-4560.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.

III. Solution

Since there is no known patch for this issue at this time, US-CERT is
recommending sites follow several potential workarounds.

Workarounds

Please be aware US-CERT has confirmed that filtering based just on the
WMF file extension or MIME type "application/x-msmetafile" will not
block all known attack vectors for this vulnerability. Filter
mechanisms should be looking for any file that Microsoft Windows
recognizes as a Windows Metafile by virtue of its file header.

Do not access Windows Metafiles from untrusted sources

Exploitation occurs by accessing a specially crafted Windows Metafile.
By only accessing Windows Metafiles from trusted or known sources, the
chances of exploitation are reduced.

Attackers may host malicious Windows Metafiles on a web site. In order
to convince users to visit their sites, those attackers often use URL
encoding, IP address variations, long URLs, intentional misspellings,
and other techniques to create misleading links. Do not click on
unsolicited links received in email, instant messages, web forums, or
internet relay chat (IRC) channels. Type URLs directly into the
browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.

Block access to Windows Metafiles at network perimeters

By blocking access to Windows Metafiles using HTTP proxies, mail
gateways, and other network filter technologies, system administrators
may also limit other potential attack vectors.

Reset the program association for Windows Metafiles

Remapping handling of Windows Metafiles to open a program other than
the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
exploitation via some current attack vectors. However, this may still
allow the underlying vulnerability to be exploited via other known
attack vectors.
_________________________________________________________________


This document is also available at

<http://www.us-cert.gov/cas/techalerts/TA05-362A.html>

Updates will be made at

<http://www.kb.cert.org/vuls/id/181038>

Feedback can be directed to

<mailto:cert@cert.org?subject=TA05-362A%20Feedback%20VU%23181038>
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use

<http://www.us-cert.gov/legal.html>

Revision History

December 28, 2005: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----
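
The header-based filtering that the TA05-362A workaround text asks for, as an added example that is not part of the US-CERT alert: it classifies a payload as a metafile from its leading bytes and compares that with an extension/MIME-only filter. The header constants are taken from Microsoft's published WMF/EMF format documentation rather than from the alert, EMF detection is included as a generalization, and all function names, file names and sample payloads are constructed for illustration.

```python
import struct
from typing import Dict, List, Optional, Tuple

PLACEABLE_KEY = 0x9AC6CDD7   # first DWORD of a placeable WMF (bytes D7 CD C6 9A)
EMF_SIGNATURE = 0x464D4520   # ASCII " EMF" at byte offset 40 of an EMF header


def classify_metafile(data: bytes) -> Optional[str]:
    """Identify a metafile from its header bytes; None if it is not one."""
    # Placeable WMF: a 22-byte prefix that starts with a fixed 32-bit key.
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "placeable-wmf"
    # Standard WMF header (18 bytes): type 1 (memory) or 2 (disk),
    # header size of 9 words, version 0x0100 or 0x0300.
    if len(data) >= 18:
        file_type, header_words, version = struct.unpack_from("<HHH", data, 0)
        if file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    # EMF: first record is type 1 (header record) with the signature at offset 40.
    if len(data) >= 44:
        (record_type,) = struct.unpack_from("<I", data, 0)
        (signature,) = struct.unpack_from("<I", data, 40)
        if record_type == 1 and signature == EMF_SIGNATURE:
            return "emf"
    return None


def naive_filter_blocks(filename: str, mime: str) -> bool:
    """The extension/MIME-only check that the alert says is insufficient."""
    return (filename.lower().endswith(".wmf")
            or mime.lower() == "application/x-msmetafile")


def compare_filters(samples: List[Tuple[str, str, bytes]]
                    ) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map each file name to (blocked by naive filter, header classification)."""
    return {name: (naive_filter_blocks(name, mime), classify_metafile(data))
            for name, mime, data in samples}


def missed_by_naive(samples: List[Tuple[str, str, bytes]]) -> List[str]:
    """Names of metafiles that pass the extension/MIME filter unnoticed."""
    return [name for name, (naive, kind) in compare_filters(samples).items()
            if kind is not None and not naive]


# --- Constructed sample payloads: headers only, no drawing records ---------
# Standard WMF header followed by the 3-word end-of-file record.
WMF_SAMPLE = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
# Placeable prefix (checksum left at 0; the detector keys on the magic only).
PLACEABLE_SAMPLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                               1440, 0, 0) + WMF_SAMPLE
# Minimal 88-byte EMF header: record type 1, size 88, signature at offset 40.
EMF_SAMPLE = (struct.pack("<II", 1, 88) + bytes(32)
              + struct.pack("<I", EMF_SIGNATURE) + bytes(44))
# Start of a JPEG/JFIF file, for a negative case.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)

SAMPLES = [
    ("chart.wmf", "application/x-msmetafile", WMF_SAMPLE),   # honestly labelled
    ("holiday.jpg", "image/jpeg", WMF_SAMPLE),               # WMF under a .jpg name
    ("logo.gif", "image/gif", PLACEABLE_SAMPLE),             # placeable WMF as .gif
    ("diagram.png", "image/png", EMF_SAMPLE),                # EMF as .png
    ("photo.jpg", "image/jpeg", JPEG_SAMPLE),                # a real JPEG header
]

if __name__ == "__main__":
    for name, (naive, kind) in compare_filters(SAMPLES).items():
        print(f"{name:12} naive_block={naive!s:5} header={kind}")
    print("missed by extension/MIME filter:", missed_by_naive(SAMPLES))
```

The check reads only the leading bytes of the payload it is given, so a gateway has to decode MIME parts and unpack archives before calling it.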

[#] Thu Jan 05 2006 17:12:45 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-005A -- Update for Microsoft Windows Metafile Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-005A


Update for Microsoft Windows Metafile Vulnerability

Original release date: January 5, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Systems running Microsoft Windows


Overview

Microsoft Security Bulletin MS06-001 contains an update to fix a
vulnerability in the way Microsoft Windows handles images in the
Windows Metafile (WMF) format.


I. Description

TA05-362A describes a vulnerability in the way Microsoft Windows
handles Windows Metafile images. This vulnerability could allow a
remote attacker to execute arbitrary code. Microsoft Security Bulletin
MS06-001 contains an update to fix this vulnerability.

The vulnerability is described in further detail in VU#181038.


II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.


III. Solution

Apply a patch from your vendor

Install the appropriate update according to Microsoft Security
Bulletin MS06-001.


Appendix A. References

* Microsoft Security Bulletin MS06-001 -
<http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx>

* US-CERT Vulnerability Note VU#181038 -
<http://www.kb.cert.org/vuls/id/181038>

* US-CERT Technical Cyber Security Alert TA05-362A -
<http://www.us-cert.gov/cas/techalerts/TA05-362A.html>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-005A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-005A Feedback VU#181038" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________



Revision History

January 5, 2006: Initial release



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Tue Jan 10 2006 17:51:37 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-010A -- Microsoft Windows, Outlook, and Exchange Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



National Cyber Alert System

Technical Cyber Security Alert TA06-010A


Microsoft Windows, Outlook, and Exchange Vulnerabilities

Original release date: January 10, 2006
Last revised: January 10, 2006
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Outlook
* Microsoft Exchange

For more complete information, refer to the Microsoft Security
Bulletin Summary for January 2006.


Overview

Microsoft has released updates that address critical vulnerabilities
in Windows, Outlook, and Exchange. Exploitation of these
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code or cause a denial of service on a vulnerable
system.


I. Description

Microsoft Security Bulletins for January 2006 address vulnerabilities
in Microsoft Windows, Outlook, and Exchange. Further information is
available in the following US-CERT Vulnerability Notes:

VU#915930 - Microsoft embedded web font buffer overflow

A heap-based buffer overflow in the way Microsoft Windows processes
embedded web fonts may allow a remote, unauthenticated attacker to
execute arbitrary code on a vulnerable system.
(CVE-2006-0010)

VU#252146 - Microsoft Outlook and Microsoft Exchange TNEF decoding
vulnerability

Microsoft Outlook and Microsoft Exchange contain an unspecified
vulnerability in processing TNEF attachments. This may allow a remote,
unauthenticated attacker to execute arbitrary code on a system running
the vulnerable software.
(CVE-2006-0002)


II. Impact

Exploitation of these vulnerabilities may allow a remote,
unauthenticated attacker to execute arbitrary code with the privileges
of the user. If the user is logged on with administrative privileges,
the attacker could take complete control of an affected system. An
attacker may also be able to cause a denial of service.


III. Solution

Apply Updates

Microsoft has provided the updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.

Workarounds

Please see the US-CERT Vulnerability Notes in Appendix A for workarounds.


Appendix A. References

* Microsoft Security Bulletin Summary for January 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx>

* US-CERT Vulnerability Note VU#915930 -
<http://www.kb.cert.org/vuls/id/915930>

* US-CERT Vulnerability Note VU#252146 -
<http://www.kb.cert.org/vuls/id/252146>

* CVE-2006-0002 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0002>

* CAN-2006-0010 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0010>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-010A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-010A Feedback VU#915930" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________



Revision History

January 10, 2006: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Wed Jan 11 2006 17:11:11 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-011A -- Apple QuickTime Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-011A


Apple QuickTime Vulnerabilities

Original release date: January 11, 2006
Last revised: January 11, 2006
Source: US-CERT

Systems Affected

Apple QuickTime on systems running

* Apple Mac OS X
* Microsoft Windows XP
* Microsoft Windows 2000


Overview

Apple has released QuickTime 7.0.4 to correct multiple
vulnerabilities. The impacts of these vulnerabilities include
execution of arbitrary code and denial of service.


I. Description

Apple QuickTime 7.0.4 resolves a number of image and media file
handling vulnerabilities. Further details are available in the
following Vulnerability Notes:

VU#629845 - Apple QuickTime image handling buffer overflow

Apple QuickTime contains a heap overflow vulnerability that may allow
an attacker to execute arbitrary code or cause a denial-of-service
condition.
(CAN-2005-2340)

VU#921193 - Apple QuickTime fails to properly handle corrupt media
files

Apple QuickTime contains a heap overflow vulnerability in the handling
of media files. This vulnerability may allow a remote, unauthenticated
attacker to execute arbitrary code or cause a denial of service on a
vulnerable system.
(CAN-2005-4092)

VU#115729 - Apple QuickTime fails to properly handle corrupt TGA
images

A flaw in the way Apple QuickTime handles Targa (TGA) image format
files could allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CAN-2005-3707)

VU#150753 - Apple QuickTime fails to properly handle corrupt TIFF
images

Apple QuickTime contains an integer overflow vulnerability in the
handling of TIFF images. This vulnerability may allow a remote,
unauthenticated attacker to execute arbitrary code or cause a denial
of service on a vulnerable system.
(CAN-2005-3710)

VU#913449 - Apple QuickTime fails to properly handle corrupt GIF
images

A flaw in the way Apple QuickTime handles Graphics Interchange Format
(GIF) files could allow a remote attacker to execute arbitrary code on
a vulnerable system.
(CAN-2005-3713)


II. Impact

The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands
and denial of service.


III. Solution

Upgrade

Upgrade to QuickTime 7.0.4.


Appendix A. References

* US-CERT Vulnerability Note VU#629845 -
<http://www.kb.cert.org/vuls/id/629845>

* US-CERT Vulnerability Note VU#921193 -
<http://www.kb.cert.org/vuls/id/921193>

* US-CERT Vulnerability Note VU#115729 -
<http://www.kb.cert.org/vuls/id/115729>

* US-CERT Vulnerability Note VU#150753 -
<http://www.kb.cert.org/vuls/id/150753>

* US-CERT Vulnerability Note VU#913449 -
<http://www.kb.cert.org/vuls/id/913449>

* CVE-2005-2340 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340>

* CVE-2005-4092 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>

* CVE-2005-3707 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707>

* CVE-2005-3710 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710>

* CVE-2005-3713 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713>

* Security Content for QuickTime 7.0.4 -
<http://docs.info.apple.com/article.html?artnum=303101>

* QuickTime 7.0.4 -
<http://www.apple.com/support/downloads/quicktime704.html>

* About the Mac OS X 10.4.4 Update (Delta) -
<http://docs.info.apple.com/article.html?artnum=302810>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-011A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________



Revision History

January 11, 2006: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Wed Jan 18 2006 17:10:59 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-018A -- Oracle Products Contain Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-018A


Oracle Products Contain Multiple Vulnerabilities

Original release date: January 18, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Oracle Database 10g
* Oracle9i Database
* Oracle8i Database
* Oracle Enterprise Manager 10g Grid Control
* Oracle Application Server 10g
* Oracle9i Application Server
* Oracle Collaboration Suite 10g
* Oracle9i Collaboration Suite
* Oracle E-Business Suite Release 11i
* Oracle E-Business Suite Release 11.0
* JD Edwards EnterpriseOne, OneWorld Tools
* PeopleSoft Enterprise Portal
* Oracle Workflow

For more information regarding affected product versions, please see
the Oracle Critical Patch Update - January 2006.


Overview

Various Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include remote
execution of arbitrary code, information disclosure, and denial of
service.


I. Description

Oracle has released Critical Patch Update - January 2006. This update
addresses more than eighty vulnerabilities in different Oracle
products and components.

The Critical Patch Update provides information about affected
components, access and authorization required, and the impact of the
vulnerabilities on data confidentiality, integrity, and availability.
For more information on terms used in the Critical Patch Update,
Metalink customers should refer to MetaLink Note 293956.1.

According to Oracle, three of the vulnerabilities corrected in the
Oracle Critical Patch Update for January 2006 affect Oracle Database
Client-only installations.

US-CERT recommends that sites running Oracle review the Critical Patch
Update, apply patches, and take other mitigating action as
appropriate. US-CERT is tracking all of these issues under VU#545804.
As further information becomes available, we will publish individual
Vulnerability Notes.


II. Impact

The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include the execution of arbitrary code or commands, information
disclosure, and denial of service. Vulnerable components are likely to
be available to attackers via remote networks and with limited or no
prior authorization. An attacker who compromises an Oracle database
may be able to gain access to sensitive information.


III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - January 2006. Note that this Critical Patch
Update only lists newly corrected issues. Updates to patches for
previously known issues are not listed.

As noted in the update, some patches are cumulative, others are not:

* The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal
Applications patches in the Updates are cumulative; each successive
Critical Patch Update contains the fixes from the previous Critical
Patch Updates.

* Oracle E-Business Suite and Applications patches are not
cumulative, so E-Business Suite and Applications customers should
refer to previous Critical Patch Updates to identify previous fixes
they wish to apply.


Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - January 2006 and Critical
Patch Updates and Security Alerts.


Appendix B. References

* Critical Patch Update - January 2006 -
<http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html>

* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>

* MetaLink Note 293956.1 -
<http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=293956.1>

* US-CERT Vulnerability Note VU#545804 -
<http://www.kb.cert.org/vuls/id/545804>

* US-CERT Vulnerability Notes Related to Critical Patch Update -
January 2006 -
<http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_january_2006>

* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>

* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>


____________________________________________________________________

Information used in this document came from Oracle.

Oracle credits the following individuals for providing information
regarding vulnerabilities addressed in the Critical Patch Update -
January 2006: Raffaele Amendola; Cesar Cerrudo and Esteban Martinez
Fayo of Application Security, Inc.; Joxean Koret; Alexander Kornbrust
of Red Database Security GmbH; David Litchfield of Next Generation
Security Software Ltd.; Srinivas Nookala of Cenzic, Inc.; Steve Orrin
formerly of Watchfire, Inc.; Amichai Shulman of Imperva, Inc.
Feedback can be directed to US-CERT Technical Staff.

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-018A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-018A Feedback VU#545804" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

January 18, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

[#] Wed Feb 01 2006 14:54:10 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-032A -- Winamp Playlist Buffer Overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-032A


Winamp Playlist Buffer Overflow

Original release date: February 1, 2006
Last revised: --
Source: US-CERT


Systems Affected

Microsoft Windows systems with Winamp 5.12 or earlier


Overview

America Online has released Winamp 5.13 to correct a buffer overflow
vulnerability. Exploitation of this vulnerability could allow a remote
attacker to execute arbitrary code with the privileges of the user.


I. Description

Winamp is a media player that is commonly used to play MP3 files.
Winamp 5.13 resolves a buffer overflow vulnerability in how playlist
files are handled. Details are available in the following
Vulnerability Note:

VU#604745 - Winamp fails to properly handle playlists with long
computer names

Winamp contains a buffer overflow vulnerability when processing a
playlist that specifies a long computer name. This may allow a remote
unauthenticated attacker to execute arbitrary code on a vulnerable
system.


II. Impact

By convincing a user to open a specially crafted playlist file, a
remote unauthenticated attacker may be able to execute arbitrary code
with the privileges of the user. Winamp may open a playlist file
without any user interaction as the result of viewing a web page or
other HTML document.


III. Solution

Upgrade

Upgrade to Winamp 5.13.


Appendix A. References

* US-CERT Vulnerability Note VU#604745 -
<http://www.kb.cert.org/vuls/id/604745>
* CVE-2006-0476 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0476>
* National Vulnerability Database (CVE-2006-0476) -
<http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0476>
* WINAMP.COM | Player | Version History -
<http://www.winamp.com/player/version_history.php>
* WINAMP.COM | Player - <http://www.winamp.com/player>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-032A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-032A Feedback VU#604745" in the
subject.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

____________________________________________________________________


Revision History

Feb 1, 2006: Initial release






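A defender-side check for the condition VU#604745 describes, added here as an example that is not part of the US-CERT alert: it scans .pls and .m3u playlist text for UNC entries whose computer-name component is longer than any valid host name. The playlist formats covered, the 255-character threshold, the sample data and all function names are assumptions of this example; the alert states none of them.

```python
import re

# Assumption: no valid NetBIOS (15 chars) or DNS (255 octets) name exceeds this.
MAX_HOST_LEN = 255

# .pls media entries look like "File1=<path>"; .m3u entries are bare paths.
PLS_ENTRY = re.compile(r"^File\d+=(.*)$", re.IGNORECASE)
OTHER_KEY = re.compile(r"^\w+=")  # Title1=, Length1=, NumberOfEntries=, Version=
# UNC path: two leading backslashes (or slashes), then the computer name.
UNC_HOST = re.compile(r"^[\\/]{2}([^\\/]*)")


def playlist_entries(text):
    """Yield (line_number, path) for each media entry in a .pls or .m3u body."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue  # blank line, M3U directive/comment, or [playlist] header
        match = PLS_ENTRY.match(line)
        if match:
            yield lineno, match.group(1).strip()
        elif not OTHER_KEY.match(line):
            yield lineno, line  # bare M3U path


def overlong_unc_hosts(text, max_host_len=MAX_HOST_LEN):
    """Return [(line_number, host_length)] for UNC entries with an oversized host."""
    findings = []
    for lineno, path in playlist_entries(text):
        match = UNC_HOST.match(path)
        if match and len(match.group(1)) > max_host_len:
            findings.append((lineno, len(match.group(1))))
    return findings


# Constructed sample playlist (not taken from the alert): entry 3 carries a
# 300-character computer name, which no real host can have.
SAMPLE_PLS = "\n".join([
    "[playlist]",
    "NumberOfEntries=3",
    r"File1=\\mediasrv\music\track01.mp3",
    "Title1=Track 01",
    r"File2=C:\Music\track02.mp3",
    "File3=\\\\" + "h" * 300 + "\\share\\track03.mp3",
    "Version=2",
])

if __name__ == "__main__":
    for lineno, length in overlong_unc_hosts(SAMPLE_PLS):
        print(f"line {lineno}: UNC computer name is {length} characters long")
```

A mail or web gateway could run the same check on playlist attachments and downloads and quarantine any file with findings until hosts are upgraded to Winamp 5.13.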

[#] Tue Feb 07 2006 13:48:21 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-038A -- Multiple Vulnerabilities in Mozilla Products


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



National Cyber Alert System

Technical Cyber Security Alert TA06-038A


Multiple Vulnerabilities in Mozilla Products

Original release date: February 7, 2006
Last revised: --
Source: US-CERT


Systems Affected

Mozilla software, including the following, is affected:
* Mozilla web browser, email and newsgroup client
* Mozilla SeaMonkey
* Firefox web browser
* Thunderbird email client


Overview

Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system.


I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including:


VU#592425 - Mozilla-based products fail to validate user input to the
attribute name in "XULDocument.persist"

A vulnerability in some Mozilla products could allow a remote
attacker to execute JavaScript commands with the permissions of the
user running the affected application.
(CVE-2006-0296)


VU#759273 - Mozilla QueryInterface memory corruption vulnerability

Mozilla Firefox web browser and Thunderbird mail client contain a
memory corruption vulnerability that may allow a remote attacker to
execute arbitrary code.
(CVE-2006-0295)


II. Impact

The most severe impact of these vulnerabilities could allow a remote
attacker to execute arbitrary code with the privileges of the user
running the affected application. Other impacts include a denial of
service or local information disclosure.


III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.
For Mozilla-based products that have no updates available, users are
strongly encouraged to disable JavaScript.


Appendix A. References

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* US-CERT Vulnerability Note VU#592425 -
<http://www.kb.cert.org/vuls/id/592425>

* US-CERT Vulnerability Note VU#759273 -
<http://www.kb.cert.org/vuls/id/759273>

* US-CERT Vulnerability Notes Related to February Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_2006>

* US-CERT Vulnerability Note VU#604745 -
<http://www.kb.cert.org/vuls/id/604745>

* CVE-2006-0296 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

* CVE-2006-0295 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

* The SeaMonkey Project -
<http://www.mozilla.org/projects/seamonkey/>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-038A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-038A Feedback VU#592425" in the
subject.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

____________________________________________________________________


Revision History

Feb 7, 2006: Initial release




