April 2008 - Posts

Things aren't "official" yet, but I wanted to announce the addition of Ron Crumbaker and Anthony Clendenen as authors to the Mastering System Center Configuration Manager 2007 book.  That gives us a total of three SCCM MVPs who are contributing their knowledge to the book.

They will make a great addition to the team, and I am glad to have them aboard!

Well, it's getting close to the end of the day, so I will see everyone who is going at MMS!

 

If you can't keep track of me while I am there, a lot of people on the SMS list are signing up for Twitter so you can go here for updates: https://twitter.com/Mozbe

 Very good point...

Published: 2008-04-25,
Last Updated: 2008-04-25 13:46:06 UTC
by Joel Esler (Version: 1)
One thing to keep in mind about compromised websites
http://isc.sans.org/diary.html?storyid=4334

We've all done it.  Taken some piece of code that machines are being exploited with and plugged it into Google to see how many machines were infected.  You do it, and you say to yourself "OH NOEZ, 10,000 MACHINES!  BIG BIG EXPLOIT RAISE THE RED FLAG!"

(Disclaimer:  Since Google is a verb in today's language, I don't necessarily mean Google, when I say Google.  I mean search engine, but I probably mean Google.  )

Things to keep in mind:

1) When you do that, the exploit method is most likely:

    a) already known

    b) being worked on

    c) already been worked on

    d) cleaned up

2) There aren't that many machines actually infected/exploited.  Google takes a while to index websites, usually about 2 days behind, depending on the popularity of your site.  I am not going to try and explain how the Google search algorithm/PageRank thing works, because number one, I don't know, and number two, if I did, I am sure I could command a lot of money from Google and/or Microsoft to work there.  But anyway, my point is, Google takes a bit to index sites.  Then once the sites are indexed and subsequently cleaned up, Google takes a while to clean the entries back out again (again, by re-indexing).

So, at any given point, the index results in Google for exploit "x" are not correct, the numbers at least.  The websites you see in Google are either currently exploited, or were several days/weeks/whatever ago.  So keep that in mind.

The next time you read something like "OH NOEZ THE EXPLOIT IS TAKING OVER TEH WORLD.  OMG LOL!!11", try not to panic; it's probably not as big as it's claimed to be.

 

--

Joel Esler

http://www.joelesler.net

SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

CNN: Another Target in Information Warfare?

Friday April 25, 2008 at 4:53 am CST
Posted by Di Tian


I was not at all surprised when I first saw the Trojan named anticnn.exe, because I’ve followed recent events between China and the Western media. I am not going to offer any political comments on the conflict between these parties; however, the appearance of this malware well illustrates how information warfare works and further proves that this kind of nonmilitary, nongovernmental battle has become an increasingly common phenomenon.

The Chinese “hacktivists” obviously have no intention of hiding their origins. The file has the flag of the People’s Republic of China as its icon. Upon execution, the red flag is displayed in the lower-right corner of the desktop. After a user clicks the flag, a window with a picture of Mao Zedong pops up with the message “It is a red flag action: using rational action to express your patriotism. That attack target is www.cnn.com.”

The file connects with www.cnn.com and keeps sending HTTP GET requests. The Chinese “hacktivists” seem to believe that as long as there are sufficient participants they will be able to succeed in their attack.

McAfee has detected this malware. I remain concerned, however, that anti-virus detection can prevent only those users who are unaware of the situation from getting involved in this event. Eventually this Trojan could be widely distributed via spam, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. This attack looks like it will be hard to stop if many “infected” users intend to get this tool and run it intentionally.

Just one day later, we came across another tool designed for the same purpose. The difference with this tool is that it does not have a hard-coded target address. Instead, it allows users to manually input a target’s IP address or DNS name, and TCP port. Obviously, the organizers do not wish to name their target too early. In the setup program’s readme file, it says the attacker will inform the target a half-hour before the attack will be launched. Another interesting point: The tool developer states in the readme file that the tool has no backdoor inside. That makes me ask, Should the average user trust the developer’s claims?

Computer Security Research - McAfee Avert Labs Blog

 

Published: 2008-04-24,
Last Updated: 2008-04-24 18:22:15 UTC
by Maarten Van Horenbeeck (Version: 1)
Targeted attacks using malicious PDF files
http://isc.sans.org/diary.html?storyid=4330

Dating back to the end of February, we have been tracking test runs of malicious PDF messages to very specific targets. These PDF files exploit the recent vulnerability CVE-2008-0655.

Ever since the end of March, beginning of April, the amount of samples seen in the wild has significantly increased. Interestingly enough, there is almost no "public, widespread" exploitation. All reports are limited to very specific, targeted attacks. However, due to the wide scope of these attacks, and the number of targets we know of, we feel a diary entry was in order.

At this point in time, we are receiving more PDF samples from targeted attack victims per day than any other common file type (DOC, CHM, PPT). The threat agents, or attackers, are the same. They are just moving from other file types towards PDF, but are generally using the same control servers and similar backdoor families.

The files contain:
- an embedded trojan installer;
- a clean PDF file.

Once the file is opened in a vulnerable Acrobat Reader version, the backdoor installs and the clean PDF file is opened in the user's browser. From the user's point of view, there are two possible ways to notice it:

- If the file is opened in a patched Acrobat Reader, an error will be displayed that the file is corrupted;
- If the file is opened in a vulnerable Acrobat Reader, the user will see Acrobat Reader close and immediately reopen the valid PDF document.

Heuristic anti-virus detection of these samples is usually very low. Below are detection results for a malicious PDF that had not yet been reported to any AV vendor. Note that these results vary per file. We're not listing MD5 hashes or file names due to the sheer number of samples we've seen so far.

AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HTML/Shellcode.Gen
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 Exploit.Shellcode.J
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 -
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26.0 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 -
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 Exploit:Win32/ShellCode.C
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 -
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 Mal/JSShell-B
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 Script.Shellcode.Gen

The embedded dropper is generally written specifically for the occasion:

AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HEUR/Malware
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 -
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan-Spy.Win32.Agent.bzq
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 Trojan-Spy.Win32.Agent.bzq
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 -
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 W32/Agent.FEOU
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 Heuristic.Malware

Acrobat Reader is proving to be an interesting target because users are not very much inclined to upgrade manually. The file format is relatively stable and users of Acrobat Reader 7 may not always feel a need to upgrade.

As such, we strongly recommend that you:

- Ensure your Acrobat Reader installations have been upgraded to version 8.1.2;
- Disable Javascript parsing through Edit>Preferences>Javascript, by disabling the 'Enable Acrobat JavaScript' option.
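As an added example (not code from the diary), the following Python performs the attachment triage a mail gateway or analyst would run given the advice above: it counts the PDF names that matter here, script that runs (the vector disabling Acrobat JavaScript removes), actions that fire on open, and embedded or launched payload, after expanding the #xx name escaping that PDF allows (so /Java#53cript is recognised as /JavaScript). The two PDFs are constructed minimal files, not samples from the diary, and the assumption that these samples relied on PDF JavaScript follows from the detection names and the recommendation, not from the diary text itself.

```python
import re

# PDF name objects may encode any byte as #xx (PDF 1.2+ name escaping), so
# /Java#53cript is the same name as /JavaScript.  Normalise before matching.
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Expand #xx escapes so obfuscated names compare equal to plain ones."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


# Names worth a look in a PDF that arrives as an attachment: script that runs
# (what the 'disable JavaScript' advice cuts off), actions that fire without a
# click, and payload carried inside the document.
TRIGGER_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                 b"/EmbeddedFile", b"/Launch")


def triage_pdf(data: bytes) -> dict:
    """Count trigger names and derive simple flags.  Object streams are not
    decompressed, so a file that hides its objects that way needs a fuller tool."""
    norm = normalise_names(data)
    counts = {}
    for name in TRIGGER_NAMES:
        # A name ends at a delimiter; the lookahead stops /JS matching /JSx.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        counts[name.decode()] = len(re.findall(pattern, norm))
    result = {
        "counts": counts,
        "script": counts["/JavaScript"] + counts["/JS"] > 0,
        "auto_trigger": counts["/OpenAction"] + counts["/AA"] > 0,
        "embedded_payload": counts["/EmbeddedFile"] + counts["/Launch"] > 0,
        # Reader tolerates junk before the header; -1 means no header at all.
        "header_offset": data.find(b"%PDF-"),
    }
    # Script wired to an open-time action, or carried payload, earns a review.
    result["review"] = (result["script"] and result["auto_trigger"]) or result["embedded_payload"]
    return result


# Constructed minimal PDFs (not samples from the diary): one with an open-time
# JavaScript action whose name is #-escaped, one with no actions at all.
SUSPECT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_PDF), ("plain", PLAIN_PDF)):
        print(label, triage_pdf(blob))
```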

Naturally we greatly appreciate any additional information you can provide on attacks you feel may be related to this exploit. Additional samples especially are always welcome.

Cheers,
Maarten

SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Published: 2008-04-24,
Last Updated: 2008-04-24 19:36:50 UTC
by donald smith (Version: 1)
http://isc.sans.org/diary.html?storyid=4331

Hundreds of thousands of SQL injections UPDATE.
It is recommended that you block access to hxxp:/www.nihaorr1.com and the IP it resolves to, 219DOT153DOT46DOT28, at the edge or border of your network.

1.js is the file they are currently injecting; that could change. It has been injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many Windows-based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site, as you are very likely to get infected. Trend Micro named the malware TROJ_AGENT.KAQ; it watches for passwords and passes them back to the controller's IP.

The crew over at Shadowserver has published additional information related to SQL-injected sites. They included the botnet controller's IP address, 61.188.39.214, and a content-based Snort signature for the bot control traffic that is not IP-dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313

They have hit city websites, commercial sites and even government websites. This type of injection pretty much nullifies the concept of a “trusted website” or “safe site”.

The Register covered it, stating their search returned 173k injected results:
http://www.theregister.co.uk/2008/04/24/mass_web_attack/
The number I got doing the same search was 226k. Those are not all unique websites; many sites got hit more than one time.

Lou, a self-described “accidental techie”, has been discussing it, as they have been re-injecting this into his database/website “every other day”. http://www.experts-exchange.com/Database/MySQL/Q_23337211.html
Websense has good information on it here:
http://securitylabs.websense.com/content/Alerts/3070.aspx

We covered the injection tool, the methods to prevent injections and other details here:
http://isc.sans.org/diary.html?storyid=4139
http://isc.sans.org/diary.html?storyid=4294

SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

New Vulnerability Disclosure for an Old Patch

Wednesday April 23, 2008 at 1:12 pm CST
Posted by Kevin Beets


The latest Microsoft ActiveX flaw disclosure looks like a silently patched issue.

The flaw, disclosed by US-CERT, was not part of Microsoft’s MS07-069 Security Bulletin released in December of 2007. The CVE ID (CVE-2007-6255) is not listed in Microsoft’s Bulletin at the time of this writing and is still in the reserved state on MITRE’s CVE Web site.

The vulnerability affects an ActiveX control used to play games on the MSN Games site. When exploited, it would allow code execution with the rights of the victim, because the control improperly processes a crafted “host” parameter.

The workaround for those who have not installed the patch is…

Bingo! Set the kill bit. You’ll want to disable the ActiveX object from loading using this class id: E5D419D6-A846-4514-9FAD-97E826C84822.

This is one of those cases where the moment you hear about the vulnerability, there is a patch available already. This, of course, is better than the alternative. Most of you should have the patch already installed.

I’m not going to get into the “Why weren’t we notified?” issue, I just wanted to call attention to this on the off-chance there is anyone who isn’t patched.

Computer Security Research - McAfee Avert Labs Blog

 

“You won’t know who to trust”

Thursday April 24, 2008 at 5:01 am CST
Posted by Tad Heppner


Commonly in conversation with family or friends I am asked questions that begin with statements such as “Well, I had this computer virus…” Further into these conversations after asking some additional questions of my own, I become more convinced that the person believes they had a virus. From the descriptions provided I am often inclined to suspect classes of malware and potentially unwanted programs that are commonly referred to as FakeAlerts and rogue security software are responsible.

I have come across many of these types of programs disguised as anti-virus or anti-spyware products that generate false warnings of malware that is supposedly present on the system:

Fake alerts are typically trojans that generate false warnings of spyware on the computer. These alerts are most often displayed as a balloon pop-up from the systray. The fake alerts will typically encourage the user to download or install a rogue security software product by “detecting” bogus infections on the system and frightening the user into buying the rogue software in order to clean the fictitious malware that was discovered.

I am continually surprised at the prevalence of these types of applications and how many computer users install and use these so I thought it might be useful to post some tips that may help with identifying traits that are commonly associated with these types of scams.

Use responsible browsing practices:
Trojans typically spread manually, often under the premise that they are beneficial or wanted. To do this, techniques similar to those used in product marketing are often involved. Responsible browsing practices can include recognising when propaganda is used to persuade one into believing something, doing something, or buying something. This is not solely indicative of something malicious in nature; however, being able to tell when these methods are used can sometimes help one know when to ask more questions about the motivation or intentions behind the tactic.

Do some quick research:
If something flags one's attention, it may be worth the effort to do some quick investigation. Use a well-known search engine and enter search terms such as the name of the product you are being asked to purchase, the title of the dialog being displayed, the name of the malware that is being detected, etc. Try to avoid pages that are sponsored by the target of your investigation. Look for third-party opinions or reviews. This may provide some additional counterpoints that help with an objective analysis of the software in question.

Are there any secondary indications of an infection?
Look for the presence of the files being identified by the software as malicious. Often these files will not exist on the system at all. Sometimes however these types of programs will write the fake files to the system so that it can later detect them as malicious.

Check the time and date stamps on the files. Are they similar to that of the time the program was installed or ran a scan?

Submit the file to an online scanning service such as VirusTotal and see if established anti-virus programs detect them.

These are just a few simple examples from the quick and easy do-it-yourself malware research guide!! ;)

Computer Security Research - McAfee Avert Labs Blog

 

ClamAV Multiple Vulnerabilities

Secunia Advisory:
SA29000

Release Date:
2008-04-14

Last Update:
2008-04-22

Critical:

Highly critical

Impact:
Security Bypass
DoS
System access

Where:
From remote

Solution Status:
Vendor Patch

Software:
Clam AntiVirus (clamav) 0.x
ClamWin Free Antivirus 0.x

CVE reference:
CVE-2008-1100
CVE-2008-0314
CVE-2008-1387
CVE-2008-1833
CVE-2008-1835
CVE-2008-1836
CVE-2008-1837

Description:
Some vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to bypass certain security restrictions, to cause a DoS (Denial of Service), or to compromise a vulnerable system.

1) A boundary error exists within the "cli_scanpe()" function in libclamav/pe.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted "Upack" executable.

Successful exploitation allows execution of arbitrary code.

2) A boundary error within the processing of PeSpin packed executables in libclamav/spin.c can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

3) An unspecified error in the processing of ARJ files can be exploited to hang ClamAV.

4) A boundary error within the processing of WWPack packed PE files in libclamav/pe.c can be exploited to cause a heap corruption.

Successful exploitation may allow execution of arbitrary code.

5) An error in the processing of RAR files can be exploited to bypass the scanning mechanism via a RAR file containing an invalid version number.

6) An error exists within the "rfc2231()" function in message.c. This can be exploited to trigger the return of strings that are not NULL terminated and cause a crash.

7) An error in libclamunrar can be exploited to crash the application via specially crafted RAR files.

The vulnerabilities are reported in version 0.92.1. Prior versions may also be affected.


Solution:
Update to version 0.93.

Provided and/or discovered by:
1) Alin Rad Pop, Secunia Research.
2) Damian Put, reported via iDefense.
3) Discovered using the PROTOS Genome Test Suite. Reported by Hanno Böck.
4) Damian Put and Thomas Pollet, reported via iDefense.
5) Reported by Thierry Zoller in a ClamAV bug report.
6) Reported by the vendor.
7) Discovered using the PROTOS Genome Test Suite. Reported by the vendor.

Changelog:
2008-04-15: Added vulnerabilities #2 and #3 to the advisory. Updated "Solution", credits, and "Original Advisory" sections.
2008-04-16: Added vulnerability #4. Updated credits and "Original Advisory" section.
2008-04-17: Added CVE reference.
2008-04-21: Added ClamWin to list of affected products. Added CVE reference. Added link to US-CERT.
2008-04-22: Added vulnerabilities #5, #6, and #7 to the advisory. Updated credits and "Original Advisory" section. Added CVE references.

Original Advisory:
ClamAV:
https://www.clamav.net/bugzilla/show_bug.cgi?id=878
https://www.clamav.net/bugzilla/show_bug.cgi?id=876
https://www.clamav.net/bugzilla/show_bug.cgi?id=897
https://www.clamav.net/bugzilla/show_bug.cgi?id=877
https://www.clamav.net/bugzilla/show_bug.cgi?id=541
https://www.clamav.net/bugzilla/show_bug.cgi?id=881
https://www.clamav.net/bugzilla/show_bug.cgi?id=898

Secunia Research:
http://secunia.com/secunia_research/2008-11/

Hanno Böck:
http://int21.de/cve/CVE-2008-1387-clamav.html

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=686
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=687

Other References:
US-CERT VU#858595:
http://www.kb.cert.org/vuls/id/858595



ClamAV Multiple Vulnerabilities - Advisories - Secunia

 

Mailbot.f (a.k.a “Kraken”) gets stealthier

Wednesday April 23, 2008 at 11:19 am CST
Posted by Ravi Balupari


After the recent interest in the Kraken bot from various communities, Gaurav Dalal, Denys Ma, and I have been observing the network behavior of the bot very closely.  About 2 weeks after the initial analysis from SANS, it seems the bot author seeded the bot with an update via TCP port 447. The updated bot now uses a stealthier command and control (C&C) mechanism that evades previously proposed detections. It no longer uses UDP port 447 with 74 bytes of payload. After the bot updated itself, we observed that it uses UDP packets with random ports and random payload lengths for its C&C communication. All of this C&C communication is encrypted. To our surprise, we also noticed that the updated bot now uses the well-known HTTP protocol on TCP ports 80 and 443 to send and receive encrypted C&C data. More interestingly, the communication on port 443 is encrypted but not SSL. Both the upgrade process and the C&C mechanism itself seem very interesting. We are continuing our research and will update this blog with more technical information soon.

Computer Security Research - McAfee Avert Labs Blog

 

Mass SQL injection
Posted by Patrik @ 03:59 GMT | Comment (1)


There's another round of mass SQL injections going on which has infected hundreds of thousands of websites.
Performing a Google search results in over 510,000 modified pages.


As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.
Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

   DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
   4C00410052004500200040005400200076006100720063006800610072
   00280032003500350029002C0040004300200076006100720063006800
   610072002800320035003500290020004400450043004C004100520045
   0020005400610062006C0065005F0043007500720073006F0072002000
   43005500520053004F005200200046004F0052002000730065006C0065
   0063007400200061002E006E0061006D0065002C0062002E006E006100
   6D0065002000660072006F006D0020007300790073006F0062006A0065
   00630074007300200061002C0073007900730063006F006C0075006D00
   6E00730020006200200077006800650072006500200061002E00690064
   003D0062002E0069006400200061006E006400200061002E0078007400
   7900700065003D00270075002700200061006E0064002000280062002E
   00780074007900700065003D003900390020006F007200200062002E00
   780074007900700065003D003300350020006…

Which when decoded becomes:

   DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
   CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
   where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
   or b…

What happens as a result? It finds every text field in the database and appends a link to malicious JavaScript to each one, so that your website serves the script automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages with any kind of query-string parameter (a dynamic value such as an article ID, product ID, et cetera) and tried to use it to upload their SQL injection code.
So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. A set of files loaded from these sites attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains is inaccessible, but that could change. So if you're a firewall administrator we recommend you block access to them.
So what should you do?
First of all, search your website logs for the code above and see if you've been hit. If so, clean up your database to prevent your website visitors from becoming infected. Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there. Third, block access to the sites above. Fourth, make sure the software you use is patched, F-Secure Health Check is an easy way to do this. Fifth, keep your antivirus solution up-to-date.

Mass SQL injection - F-Secure Weblog : News from the Lab

 

Oracle Products Multiple Vulnerabilities

Secunia Advisory:
SA29829

Release Date:
2008-04-16

Last Update:
2008-04-24

Critical:

Highly critical

Impact:
Unknown
Security Bypass
Manipulation of data
DoS
System access

Where:
From remote

Solution Status:
Vendor Patch

Software:
Oracle Application Server 10g
Oracle Collaboration Suite 10.x
Oracle Database 10.x
Oracle Database 11.x
Oracle E-Business Suite 11i
Oracle E-Business Suite 12.x
Oracle JInitiator 1.x
Oracle PeopleSoft Enterprise Human Capital Management 8.x
Oracle PeopleSoft Enterprise Human Capital Management 9.x
Oracle PeopleSoft Enterprise Tools 8.x
Oracle Siebel SimBuilder 7.x
Oracle9i Database Enterprise Edition
Oracle9i Database Standard Edition

CVE reference:
CVE-2008-1811
CVE-2008-1812
CVE-2008-1813
CVE-2008-1814
CVE-2008-1815
CVE-2008-1816
CVE-2008-1817
CVE-2008-1818
CVE-2008-1819
CVE-2008-1820
CVE-2008-1821
CVE-2008-1822
CVE-2008-1823
CVE-2008-1824
CVE-2008-1825
CVE-2008-1826
CVE-2008-1827
CVE-2008-1828
CVE-2008-1829
CVE-2008-1830
CVE-2008-1831

Oracle Products Multiple Vulnerabilities - Advisories - Secunia

 

DivX Player Subtitle Parsing Buffer Overflow Vulnerabilities

Secunia Advisory:
SA29780

Release Date:
2008-04-16

Last Update:
2008-04-22

Critical:

Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
DivX for Windows 6.x
DivX Player 6.x

CVE reference:
CVE-2008-1912

Description:
Some vulnerabilities have been discovered in DivX Player, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in the processing of subtitle files (*.SRT, *.SUB). These can be exploited to cause stack-based buffer overflows via a specially crafted, overly long subtitle line contained in a malicious SRT or SUB file.

Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted SRT or SUB file.

The vulnerability is confirmed in DivX Player 6.7 (build 6.7.0.22). Other versions may also be affected.

Solution:
Disable the automatic loading of subtitles. Do not open untrusted subtitles.

Provided and/or discovered by:
securfrog

Additional information provided by Secunia Research.

Changelog:
2008-04-17: Updated advisory based on additional information from Secunia Research.
2008-04-22: Added CVE reference.

Original Advisory:
http://milw0rm.com/exploits/5453


DivX Player Subtitle Parsing Buffer Overflow Vulnerabilities - Advisories - Secunia

 

HP OpenView Network Node Manager Multiple Vulnerabilities

Secunia Advisory:
SA29849

Release Date:
2008-04-17

Last Update:
2008-04-18

Critical:

Moderately critical

Impact:
Cross Site Scripting
DoS
System access

Where:
From local network

Solution Status:
Vendor Patch

Software:
HP OpenView Network Node Manager (NNM) 6.x
HP OpenView Network Node Manager (NNM) 7.x

CVE reference:
CVE-2005-3352
CVE-2005-3357
CVE-2006-3747

Description:
HP has acknowledged some vulnerabilities in OpenView Network Node Manager, which can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or compromise a vulnerable system.

For more information:
SA18008
SA18307
SA21197

The vulnerabilities affect versions 6.41, 7.01, and 7.51 running Apache on HP-UX, Solaris, and Linux.

Solution:
Apply patches. Please see the vendor's advisory for details.

Changelog:
2008-04-18: Updated "Description" and "Original Advisory" section. The vendor has removed Windows as affected platform and removed the patches from the vendor advisory.

Original Advisory:
HPSBMA02328 SSRT071293:
http://www12.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01428449

Other References:
SA18008:
http://secunia.com/advisories/18008/

SA18307:
http://secunia.com/advisories/18307/

SA21197:
http://secunia.com/advisories/21197/

HP OpenView Network Node Manager Multiple Vulnerabilities - Advisories - Secunia

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: April 23, 2008

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS08-024 - Critical

* MS08-023 - Critical

* MS08-019 - Important

* MS07-040 - Critical

* MS07-015

Bulletin Information:

=====================

* MS08-024 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx

- Reason for Revision: V2.1 (April 23, 2008): Bulletin updated:

Removed erroneous references to Windows XP Professional x64 Edition Service Pack 3.

- Originally posted: April 8, 2008

- Updated: April 23, 2008

- Bulletin Severity Rating: Critical

- Version: 2.1

* MS08-023 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-023.mspx

- Reason for Revision: Corrected the Registry Key Verification for all supported x64-based editions of Windows Server 2003

- Originally posted: April 8, 2008

- Updated: April 23, 2008

- Bulletin Severity Rating: Critical

- Version: 1.2

* MS08-019 - Important

- http://www.microsoft.com/technet/security/bulletin/ms08-019.mspx

- Reason for Revision: V1.5 (April 23, 2008): Clarified the Update FAQ entry about the last revision, dated April 18. That change was a detection change only that does not affect the files contained in the initial update.

- Originally posted: April 8, 2008

- Updated: April 23, 2008

- Bulletin Severity Rating: Important

- Version: 1.5

* MS07-040 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx

- Reason for Revision: V3.1 (April 23, 2008): Bulletin updated:

Removed erroneous references to Windows XP Professional x64 Edition Service Pack 3.

- Originally posted: July 10, 2007

- Updated: April 23, 2008

- Bulletin Severity Rating: Critical

- Version: 3.1

* MS07-015

- http://www.microsoft.com/technet/security/bulletin/ms07-015.mspx

- Reason for Revision: V1.2 (April 23, 2008) Bulletin updated:

Microsoft Visio 2002 removed from Microsoft Office XP Service Pack 3 section of Affected Software table. Microsoft Visio 2002 Service Pack 2 is listed separately in the Affected Software table.

- Originally posted: February 13, 2007

- Updated: April 23, 2008

- Bulletin Severity Rating: Critical

- Version: 1.2
