T-025: Vulnerabilities in Microsoft XML Core Services
A remote code execution vulnerability exists in the way that Microsoft XML Core Services parses XML content. The
vulnerability could allow remote code execution if a user browses a Web site that contains specially crafted content or opens
specially crafted HTML e-mail. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete
control of an affected system.
T-024: Vulnerability in Server Message Block (SMB)
A remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol handles
NTLM credentials when a user connects to an attacker's SMB server. This vulnerability allows an attacker to replay the user's
credentials back to them and execute code in the context of the logged-on user. The risk is MEDIUM. If a user is logged on with
administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected
system.
T-023: Multiple Vulnerabilities in Cisco PIX and Cisco ASA
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances:
1) Windows NT domain authentication bypass;
2) IPv6 Denial of Service; and
3) Crypto Accelerator memory leak.
NOTE: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.
The risk is MEDIUM. A remote intruder could make a VPN connection to a network without needing to authenticate.
T-022: OpenOffice.org Security Vulnerabilities
Several vulnerabilities have been discovered in the WMF and EMF file parsers of the OpenOffice.org office suite. They can be
triggered by manipulated WMF and EMF files. The risk is MEDIUM. These vulnerabilities can lead to heap overflows and arbitrary code
execution.
T-021: libspf2 DNS TXT Vulnerability
libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records. An SPF record is a DNS Resource
Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities.
The risk is MEDIUM. This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running
libspf2.
T-020: Security Update for Adobe Reader 8 and Acrobat 8
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These
vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
The risk is MEDIUM. A remote intruder who can get a user to open a malicious PDF file could run code as the logged-in
user.
T-019: libxml2 Vulnerability
It was discovered that libxml2, the GNOME XML library, didn't correctly handle long entity names. This could allow the
execution of arbitrary code via a malicious XML file. The risk is MEDIUM. Coercing a user to open a specially crafted XML file
could allow an intruder to run arbitrary code with the permissions of the user.
T-018: Vulnerability in Server Service
A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the
service not properly handling specially crafted RPC requests. The risk is HIGH. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.
T-017: Gear Software CD DVD Filter Vulnerability
The Gear Software CD DVD Filter driver contains a privilege escalation vulnerability, which can allow an attacker to gain
SYSTEM privileges. The risk is MEDIUM. An attacker may be able to execute code with SYSTEM privileges.
T-016: iseemedia / Roxio / MGI Software LPViewer ActiveX Vulnerabilities
The iseemedia LPViewer ActiveX control contains multiple stack buffer overflows, which can allow a remote, unauthenticated
attacker to execute arbitrary code on a vulnerable system. The risk is MEDIUM. By convincing a user to view a specially crafted HTML
document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the
privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to
crash.
T-015: InstallShield / Macrovision / Acresso FLEXnet Connect Vulnerabilities
Acresso FLEXnet Connect executes scripts that are insecurely retrieved from a remote web server, which can allow a remote,
unauthenticated attacker to execute arbitrary code on a vulnerable system. The risk is MEDIUM. By modifying the rule script that is
sent to a FLEXnet Connect client, a remote unauthenticated attacker may be able to execute arbitrary code on a vulnerable
system.
CIACTech08-003: Understanding Cross-Site Scripting (XSS)
Cross-Site Scripting has become an increasingly prevalent attack vector that can be leveraged to perform a wide range of compromises. These compromises can range from simple popup displays within a user's browser to session and cookie capture that are used for information and identity theft. As these attacks become more mature, as well as obscure, it is imperative that we understand how they happen, how they propagate, and the ways to prevent them. By understanding the different vectors of attack and realizing and implementing simple security measures against them, we can better protect ourselves and our users now, and in the future.
CIACTech08-002: Understanding Windows Hash Dumpers and Crackers
Windows hash dumping tools are often spotlighted as hacker tools that can somehow magically extract Windows hashes and allow an intruder access to a system. In actuality, the hashes are there, in memory, where any admin or system level user can get at them. The tools just grab them and print them out. This paper will describe how Windows hashes are created, how the hash dumpers get at them, and what can be done with the hashes.
CIACTech08-001: Understanding PHP Exploits
Many websites use the PHP programming language to build web pages on the fly from individual files and from values obtained from a database. PHP based websites are widely used to create Wikis such as MediaWiki used for Wikipedia. If the PHP programs that generate the web pages are not carefully crafted to check user input before it is used, an intruder could inject code into a page and get it executed.
CIACTech07-001: MOICE - Microsoft Office Isolated Conversion Environment
A common cyber attack is to send a user an Office document
(Word, Excel, PowerPoint) containing malicious code that
infects the user's computer and proceeds to do the miscreant's
bidding. Targeting of users has gotten so sophisticated that
advice such as "don't open files from people you don't know" is
no longer effective.
MOICE, the Microsoft Office
Isolated Conversion Environment, opens an Office document
before the Office application does, converts it to a format that
does not "support" malcode and then invokes the application
with the newly cleaned document. Properly implemented, this
could mitigate attacks using email-borne Office malcode.
CIACTech06-001: Protecting Against SQL Injection Attacks
SQL injection is a real threat that is being used to exploit company systems and data.
This threat can be reduced by a combination of good programming practice, application firewalls,
and scanning.
CIACTech05-001: Operation of the Sinit/Calypso Worm
Many sites have detected large numbers of UDP packets
directed at the DNS port (53). These packets contain a lot of structure
and there is concern that they are exploit or remote control packets.
It turns out that they are discovery packets being sent to random
IP addresses by the Sinit/Calypso worm. They are invalid DNS packets
and should be ignored by DNS servers.
CIACTech04-001: Remote Detection of the MyDoom.A Worm
Before systems containing the MyDoom.A worm can be cleaned,
they must be detected. As running a scanner on each system can be difficult
and time consuming, a method of remote scanning for infected machines is needed.
CIACTech03-001: Spamming using the Windows Messenger Service
A spam engine has been released that uses the Windows Messenger Service (not the MSN Messenger instant messaging program) to send spam messages to users. The Messenger service is active on most Windows platforms.
CIACTech02-005: Understanding Capturing Files with Microsoft Word Field Codes
Several online articles have worried about the problem of file capture using Microsoft Word field codes. The articles have gone so far as to suggest that Word be banned from company computers until this is changed. These articles have created undue worry among computer users about what is a relatively low risk vulnerability.
CIACTech02-004: Parasite Programs; Adware, Spyware, and Stealth Networks
Programs are being intentionally packaged with legitimate
software to display advertising on your screen, gather information on your
browsing habits, and to sell your unused
CPU cycles and disk space. Current applications are relatively benign but
could easily be used for an invasion of privacy or other malicious
purposes.
CIACTech02-003: Office for Mac X Antipiracy Mechanism Opens Server Ports
Microsoft Office for Macintosh OS X has an antipiracy mechanism that secretly opens network service ports on a Macintosh system and broadcasts version information to other systems on a single subnet. The problem is that
open network services provide attack points for intruders and need to be
controlled by users.
CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
Browser Helper Objects (BHO) are Microsoft's way of attaching add-ins to Internet Explorer 4 and later. In addition to legitimate uses, BHOs are used to attach spyware to a user's web browser
to secretly send a user's browsing habits to a marketing site and could be used for malicious code. The problems are that there is no simple way to know what BHOs are attached to a system and no simple way to control the attachment of new ones.
CIACTech02-001: Understanding the SSH CRC32 Exploit
In recent months, many servers running ssh
have been compromised using the SSH CRC32 Compensation Attack
Detector. Compromised machines have either not been upgraded to
SSH protocol 2 or have not disabled drop back to SSH protocol 1.
Use of this attack allows a remote user to gain root access on a server.
T-002: Vulnerability in Host Integration Server RPC Service
A remote code execution vulnerability exists in the SNA Remote Procedure Call (RPC) service for Host Integration Server.
An attacker could exploit the vulnerability by constructing a specially crafted RPC request. The risk is HIGH. The vulnerability
could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an
affected system.
T-003: Vulnerabilities in Microsoft Excel
Several remote code execution vulnerabilities exist in the way Microsoft Excel:
1) processes a VBA Performance Cache;
2) allocates memory when loading Excel objects; and
3) parses formulas in Microsoft Excel documents containing a specially crafted formula embedded inside a cell.
The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected
system.
S-372: Vulnerabilities in GDI+
Remote code execution vulnerabilities exist in the way that GDI+ handles:
1) gradient sizes;
2) memory allocation;
3) GIF image parsing;
4) memory allocation for WMF image files; and
5) integer calculations.
The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected
system.
T-004: Cumulative Security Update for Internet Explorer
There are multiple remote code execution and information disclosure vulnerabilities in Internet Explorer which could
allow an attacker to gain access to a browser window in another domain or Internet Explorer zone allowing remote code execution or
information disclosure. The risk is MEDIUM. An attacker could exploit the vulnerability by constructing a specially crafted web page
that could allow remote code execution or information disclosure, depending on the operating system, if a user viewed the Web
page.
S-349: Vulnerabilities in Microsoft Excel
There are multiple remote code execution vulnerabilities in Excel. An attacker could exploit the vulnerability by
opening a specially crafted file which could be hosted on a Web site, or included as an e-mail attachment. The risk is MEDIUM.
Depending on the attack scenario, the vulnerability could lead to remote code execution on a user's local Excel client, or it could
lead to elevation of privilege within a SharePoint Server.
T-007: Vulnerability in Windows Internet Printing Service
A remote code execution vulnerability exists on Windows systems running IIS with the Internet Printing service enabled.
The risk is MEDIUM. This issue could allow a remote, authenticated attacker to execute arbitrary code on an affected system.
T-005: Vulnerability in Active Directory
A remote code execution vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 Server.
This could allow remote code execution. The risk is MEDIUM. The vulnerability is due to incorrect memory allocation when receiving
specially crafted LDAP or LDAPS requests. An attacker who successfully exploited this vulnerability could take complete control of an
affected system.
S-227: Vulnerabilities in Microsoft Excel (MS08-014)
Remote code execution vulnerabilities exist in the way Excel:
1) processes data validation records when loading Excel files into memory;
2) handles data when importing files into Excel;
3) handles Style record data when opening Excel files;
4) handles malformed formulas;
5) handles rich text values when loading application data into memory;
6) handles conditional formatting values; and
7) handles macros when opening specially crafted Excel files. The risk is MEDIUM. An attacker could exploit the vulnerabilities by
sending malformed files which could be hosted on a specially crafted or compromised Web site, or included as an e-mail
attachment.
S-347: Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access
A remote code execution vulnerability exists in the ActiveX control for the Snapshot Viewer for Microsoft Access. An
attacker could exploit the vulnerability by constructing a specially crafted Web page. The risk is MEDIUM. When a user views the
Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain
the same user rights as the logged-on user.
S-175: Vulnerability in Microsoft Word
A remote code execution vulnerability exists in the way that Word handles specially crafted Word files. The risk is
MEDIUM. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed
value. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could
then install programs; view, change, or delete data; or create new accounts with full user rights.
S-253: Vulnerability in Microsoft Project
A remote code execution vulnerability exists in the way Microsoft Project handles specially crafted Project files. The
risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
S-354: Vulnerabilities in Microsoft PowerPoint
Multiple remote code execution vulnerabilities exist in the way that Microsoft Office PowerPoint Viewer 2003 handles
specially crafted PowerPoint files. An attacker could exploit the vulnerabilities by creating a specially crafted PowerPoint file that
could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. The risk is MEDIUM. An attacker
who successfully exploited these vulnerabilities could take complete control of an affected system.
S-353: Vulnerabilities in Event System
Several remote code execution vulnerabilities exist because the Microsoft Windows Event System does not correctly
validate user subscription requests when they are created. The vulnerabilities could allow remote code execution. The risk is MEDIUM. An
attacker who successfully exploited this vulnerability could take complete control of an affected system.
S-178: Vulnerabilities in Microsoft Office Publisher
A remote code execution vulnerability exists in the way Microsoft Office Publisher validates application data when
loading Publisher files to memory and memory index values. The risk is MEDIUM. An attacker could exploit the vulnerability by
constructing a specially crafted Publisher (.pub) file. When a user views the .pub file, the vulnerability could allow remote code
execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker
could then install programs; view, change, or delete data; or create new accounts with full user rights.
S-375: Vulnerability in Microsoft Office
A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted URLs using the
OneNote protocol handler (onenote://). The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote
URL. The risk is MEDIUM. An attacker could then install programs; view, change, or delete data; or create new accounts with full user
rights.
S-255: Vulnerability in VBScript and JScript Scripting Engines
A remote code execution vulnerability exists in the way that the VBScript and JScript scripting engines decode script in
Web pages. This vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that
is running specially crafted script. The risk is MEDIUM. If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of an affected system.