Monday, August 25, 2008

SecurityFocus Newsletter #467

SecurityFocus Newsletter #467
----------------------------------------

This issue is sponsored by IronKey: The World's Most Secure Flash Drive

IronKey flash drives lock down your most sensitive data using today's most advanced security technology.
IronKey uses military-grade AES CBC-mode hardware encryption that cannot be disabled by malware or an
intruder and provides rugged and waterproof protection to safeguard your data.
https://www.ironkey.com/forenterprise2

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Get Off My Cloud
2. An Astonishing Collaboration
II. BUGTRAQ SUMMARY
1. Microsoft Excel Credential Caching Vulnerability
2. Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
3. Postfix Local Information Disclosure and Local Privilege Escalation Vulnerabilities
4. Apache Tomcat Accept-Language Cross Site Scripting Vulnerability
5. Microsoft Internet Explorer HTML Component Handling Memory Corruption Vulnerability
6. Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
7. Macrovision InstallShield Update Service 'isusweb.dll' Remote Buffer Overflow Vulnerability
8. Microsoft Windows Media Player Remote Skin Header Code Execution Vulnerability
9. Microsoft Office PICT Filter Parsing Remote Heap Buffer Overflow Vulnerability
10. Aurigma Image Uploader 'ImageUploader4.ocx' ActiveX Control Buffer Overflow Vulnerability
11. Microsoft Office Malformed PICT Filter Remote Code Execution Vulnerability
12. Aurigma Image Uploader Multiple ActiveX Controls Multiple Unspecified Security Vulnerabilities
13. Aurigma Image Uploader ActiveX Control Multiple Remote Stack Buffer Overflow Vulnerabilities
14. Microsoft Internet Explorer HTML Objects Variant Memory Corruption Vulnerability
15. HP Instant Support 'HPISDataManager.dll' ActiveX Control Arbitrary File Download Vulnerability
16. PHP-Nuke Book Catalog Module 'catid' Parameter SQL Injection Vulnerability
17. Microsoft Windows Image Color Management Remote Code Execution Vulnerability
18. HP Instant Support 'HPISDataManager.dll' ActiveX Control Arbitrary File Delete Vulnerability
19. Microsoft Outlook Express And Windows Mail MHTML Handler Information Disclosure Vulnerability
20. Perl 'rmtree()' Function Local Insecure Permissions Vulnerability
21. COWON America jetAudio JetFlExt.dll ActiveX Control Insecure Method Vulnerability
22. Microsoft Windows Event System User Subscription Request Remote Code Execution Vulnerability
23. C6 Messenger Installation URL Downloader ActiveX Control Arbitrary File Download Vulnerability
24. Jonascms Multiple Local File Include Vulnerabilities
25. Microsoft Office Malformed EPS Filter Remote Code Execution Vulnerability
26. Zenturi ProgramChecker ActiveX Control Arbitrary File Deletion/Overwrite Vulnerability
27. Microsoft Excel Record Parsing Remote Code Execution Vulnerability
28. Linux Kernel 'snd_seq_oss_synth_make_info()' Information Disclosure Vulnerability
29. Linux Kernel 'do_change_type()' Local Security Bypass Vulnerability
30. Linux Kernel TTY Operations NULL Pointer Dereference Denial of Service Vulnerabilities
31. Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability
32. Linux Kernel UBIFS Orphan Inode Local Denial of Service Vulnerability
33. Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability
34. Microsoft Excel Index Array Remote Code Execution Vulnerability
35. Microsoft Excel Indexing Validation Remote Code Execution Vulnerability
36. Sun Java Runtime Environment Virtual Machine Privilege Escalation Vulnerability
37. IntelliTamper HTML 'href' Parsing Buffer Overflow Vulnerability
38. Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability
39. OpenSSH ForceCommand Command Execution Weakness
40. rdesktop Multiple Remote Memory Corruption Vulnerabilities
41. Microsoft Internet Explorer HTML Objects Memory Corruption Vulnerability
42. LibTIFF EstimateStripByteCounts() Denial of Service Vulnerability
43. LibTIFF TiffScanLineSize Remote Buffer Overflow Vulnerability
44. xine-lib 'rmff_dump_cont()' Remote Heap Buffer Overflow Vulnerability
45. Microsoft Office WPG Image File Remote Code Execution Vulnerability
46. MPlayer 'demux_audio.c' Remote Stack Based Buffer Overflow Vulnerability
47. Microsoft Windows 'NSlookup.exe' Unspecified Remote Code Execution Vulnerability
48. Microsoft Windows DNS Server Cache Poisoning Vulnerability
49. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability
50. Microsoft Office Malformed BMP Filter Remote Code Execution Vulnerability
51. Harmoni 'Username' Field HTML Injection Vulnerability
52. Perl Unicode '\Q...\E' Quoting Construct Regular Expression Buffer Overflow Vulnerability
53. Orca 'params.php' Remote File Include Vulnerability
54. xine-lib Matroska Demuxer Remote Buffer Overflow Vulnerability
55. xine-lib Multiple Heap Based Remote Buffer Overflow Vulnerabilities
56. Linux Kernel 'sctp_getsockopt_local_addrs_old()' Function Local Buffer Overflow Vulnerability
57. Multiple Vendor BIOS Keyboard Buffer Password Persistence Weakness
58. artegic AG Dana Remote Buffer Overflow Vulnerability
59. Sun Solaris Netscape Portable Runtime API Local Privilege Escalation Vulnerability
60. PHP 5.2.4 and Prior Versions Multiple Vulnerabilities
61. Domain Group Network GooCMS 'index.php' Cross-Site Scripting Vulnerability
62. PHP 5.2.5 and Prior Versions Multiple Vulnerabilities
63. X.Org X Server RENDER Extension 'ProcRenderCreateCursor()' Denial of Service Vulnerability
64. Net-SNMP Remote Authentication Bypass Vulnerability
65. pPIM Multiple Remote Vulnerabilities
66. X.Org X server RENDER Extension Multiple Integer Overflow Vulnerabilities
67. Net-SNMP Perl Module Buffer Overflow Vulnerability
68. LibTIFF tiff2pdf Remote Buffer Overflow Vulnerability
69. Microsoft Internet Explorer CreateTextRange.text Code Execution Vulnerability
70. Vacation Rental Script 'index.php' SQL Injection Vulnerability
71. LibTIFF TiffFetchShortPair Remote Buffer Overflow Vulnerability
72. txtSQL 'startup.php' Remote File Include Vulnerability
73. LibTIFF PixarLog Decoder Remote Heap Buffer Overflow Vulnerability
74. HP Instant Support 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation Vulnerability
75. HP Instant Support 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability
76. LibTIFF Next RLE Decoder Remote Heap Buffer Overflow Vulnerability
77. Retired: DriveCrypt Incorrect BIOS API Usage Security Vulnerability
78. IntelliTamper HTML 'Location' Header Parsing Buffer Overflow Vulnerability
79. HP Instant Support 'HPISDataManager.dll' 'MoveFile' ActiveX Control Buffer Overflow Vulnerability
80. HP Instant Support 'HPISDataManager.dll' 'GetFileTime' ActiveX Control Buffer Overflow Vulnerability
81. PHP cURL 'safe mode' Security Bypass Vulnerability
82. JComSoft 'AniGIF.ocx' ReadGIF and ReadGIF2 Methods ActiveX Buffer Overflow Vulnerabilities
83. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability
84. PowerDVD '.m3u' and '.pls' File Multiple Buffer Overflow Vulnerabilities
85. RMSOFT Downloads Plus Multiple Cross-Site Scripting Vulnerabilities
86. Sun Java Runtime Environment Multiple Weaknesses
87. Yogurt Social Network 'uid' Parameter Multiple Cross-Site Scripting Vulnerabilities
88. Sun Java Runtime Environment Image Parsing Heap Buffer Overflow Vulnerability
89. Sun Java SE Multiple Security Vulnerabilities
90. Yogurt Social Network Scrapbook HTML Injection Vulnerability
91. Vim Insufficient Shell Escaping Multiple Command Execution Vulnerabilities
92. Belkin F5D7230-4 Wireless G Router 'setup_dns.exe' Authentication Vulnerability
93. Sun Java RunTime Environment Read and Write Permission Multiple Privilege Escalation Vulnerabilities
94. RMSOFT MiniShop 'search.php' Multiple Cross-Site Scripting Vulnerabilities
95. Maxthon Browser Content-Type Buffer Overflow Vulnerability
96. Adobe Presenter Multiple Cross Site Scripting Vulnerabilities
97. Ipswitch WS_FTP Server Message Response Buffer Overflow Vulnerability
98. Vortex CMS 'index.php' SQL Injection Vulnerability
99. Red Hat OpenSSH Backdoor Vulnerability
100. Microsoft Windows IPsec Information Disclosure Vulnerability
III. SECURITYFOCUS NEWS
1. Online intruders hit Red Hat, Fedora Project
2. Researchers race to zero in record time
3. Gov't charges alleged TJX credit-card thieves
4. Poisoned DNS servers pop up as ISPs patch
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Senior Software Engineer, Redwood Shores
2. [SJ-JOB] Security Engineer, Chicago
3. [SJ-JOB] Technical Support Engineer, Redwood Shores
4. [SJ-JOB] Security Engineer, Glen Ellyn
5. [SJ-JOB] Security Engineer, Pittsburgh
6. [SJ-JOB] Security Engineer, Arlington
7. [SJ-JOB] Developer, Redwood Shores
8. [SJ-JOB] Quality Assurance, Redwood Shores
9. [SJ-JOB] Developer, Redwood Shores
10. [SJ-JOB] Application Security Engineer, Washington
11. [SJ-JOB] Senior Software Engineer, 21287
12. [SJ-JOB] Security Engineer, Gaithersburg
13. [SJ-JOB] Security Engineer, Albuquerque
14. [SJ-JOB] Sr. Security Engineer, West Des Moines
15. [SJ-JOB] Database Security Engineer, Chicago
V. INCIDENTS LIST SUMMARY
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Version-independent IOS shellcode
2. ToorCon 10 Call For Papers
VII. MICROSOFT FOCUS LIST SUMMARY
1. Identifying Security Metrics in the Windows Enterprise
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Get Off My Cloud
By Mark Rasch
One of the features of Apple's device that appeals to me is the new MobileMe service, where you can "access and manage your email, contacts, calendar, photos, and files at me.com," according to Apple.
More companies, among them Microsoft and Google, already allow people to store information and use common services online -- or "in the cloud" -- leading analysts to refer to the entire trend as "cloud computing."
http://www.securityfocus.com/columnists/478

2. An Astonishing Collaboration
By Dan Kaminsky
Wow. It's out. It's finally, finally out. Sweet!
http://www.securityfocus.com/columnists/477


II. BUGTRAQ SUMMARY
--------------------
1. Microsoft Excel Credential Caching Vulnerability
BugTraq ID: 30641
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30641
Summary:
Microsoft Excel is prone to a vulnerability that allows unauthorized access to remote data source credentials that have been cached in Excel files.

This issue is limited to Microsoft Excel 2007 and Microsoft Office 2008 for Mac.

2. Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 23194
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/23194
Summary:
Microsoft Windows is prone to a stack buffer-overflow vulnerability because of insufficient format validation that occurs when handling malformed ANI cursor or icon files.

An attacker can exploit this issue to execute arbitrary code with the privileges of an unsuspecting user. A successful attack can result in the compromise of affected user accounts and computers.

This issue affects Windows Vista, Windows XP SP2, and Windows Server 2003 SP1 when running Internet Explorer 6 and 7; other versions and client applications may also be affected.

Microsoft has recently disclosed that Outlook 2007 is not vulnerable, that Windows Mail on Vista is vulnerable in replying to or forwarding emails containing malicious ANI files, and that Outlook Express is vulnerable to this issue.

Third-party applications such as browsers that handle ANI files and call the ANI rendering functionality in GDI pose an attack vector for this vulnerability.
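The following is an added illustration, not code from the page and not Microsoft's implementation: a small Python parser for the RIFF-based ANI container that performs the two checks a fixed-size parser needs before trusting an ANI file. Every declared chunk length is bounded by the container that holds it, and every 'anih' chunk (not only the first one met) must be exactly the 36-byte ANIHEADER before it is unpacked. The ANIHEADER field layout used here is the documented format, not something stated in the advisory; the sample files are constructed inline, and the icon frames themselves are counted but not decoded.

```python
import struct

# ANIHEADER is nine little-endian DWORDs: cbSizeof, cFrames, cSteps, cx, cy,
# cBitCount, cPlanes, JifRate, flags. A parser copying an anih chunk into a
# fixed 36-byte structure must accept no other length.
ANIH_SIZE = 36
ANIH_FIELDS = ('cbSizeof', 'cFrames', 'cSteps', 'cx', 'cy',
               'cBitCount', 'cPlanes', 'JifRate', 'flags')


class AniFormatError(ValueError):
    """Any structural claim in the file that a fixed-size parser must not trust."""


def iter_chunks(buf):
    """Yield (fourcc, payload) for each RIFF chunk in buf.

    The declared length of every chunk is checked against the bytes that
    actually remain in the container before the payload is sliced, so no
    chunk can claim more data than its parent holds.
    """
    pos, end = 0, len(buf)
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        (size,) = struct.unpack_from('<I', buf, pos + 4)
        body = pos + 8
        if size > end - body:
            raise AniFormatError('%r chunk declares %d bytes, only %d remain'
                                 % (fourcc, size, end - body))
        yield fourcc, buf[body:body + size]
        pos = body + size + (size & 1)   # RIFF pads odd-length chunks to even


def parse_ani(data):
    """Return (anih header dict, number of icon frames) for a well-formed ANI.

    Every 'anih' chunk, wherever it appears, must be exactly ANIH_SIZE bytes
    before it is unpacked into the fixed-size structure.
    """
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        raise AniFormatError('not a RIFF/ACON file')
    (riff_size,) = struct.unpack_from('<I', data, 4)
    body = data[12:min(8 + riff_size, len(data))]
    header, icons = None, 0

    def visit(buf):
        nonlocal header, icons
        for fourcc, payload in iter_chunks(buf):
            if fourcc == b'anih':
                if len(payload) != ANIH_SIZE:
                    raise AniFormatError('anih chunk is %d bytes, expected %d'
                                         % (len(payload), ANIH_SIZE))
                fields = struct.unpack('<9I', payload)
                if fields[0] != ANIH_SIZE:
                    raise AniFormatError('anih cbSizeof disagrees with chunk size')
                header = dict(zip(ANIH_FIELDS, fields))
            elif fourcc == b'LIST' and len(payload) >= 4:
                # A LIST holds a four-byte list type ('fram' for frames) and
                # then nested chunks; recursing keeps their sizes bounded by
                # the LIST body rather than by the whole file.
                visit(payload[4:])
            elif fourcc == b'icon':
                icons += 1

    visit(body)
    if header is None:
        raise AniFormatError('no anih chunk')
    return header, icons


def is_well_formed(data):
    """True if parse_ani() accepts the file, False if it rejects it."""
    try:
        parse_ani(data)
        return True
    except AniFormatError:
        return False


# --- constructed sample files (built here, not real-world captures) ---
def chunk(fourcc, payload):
    pad = b'\0' if len(payload) & 1 else b''
    return fourcc + struct.pack('<I', len(payload)) + payload + pad


def build_ani(chunks):
    body = b'ACON' + b''.join(chunks)
    return b'RIFF' + struct.pack('<I', len(body)) + body


GOOD_ANIH = struct.pack('<9I', ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
FRAME = chunk(b'LIST', b'fram' + chunk(b'icon', b'\0' * 16))  # frame bytes not parsed

SAMPLE_OK = build_ani([chunk(b'anih', GOOD_ANIH), FRAME])
# A valid first anih followed by an oversized second one.
SAMPLE_OVERSIZED_ANIH = build_ani([chunk(b'anih', GOOD_ANIH),
                                   chunk(b'anih', b'A' * 200), FRAME])
# A frame LIST whose declared length runs past the end of the file.
SAMPLE_TRUNCATED = SAMPLE_OK[:-8]
```

The point of the two size checks is that a chunk's own length field is attacker data: it is only safe to use after it has been compared with the bytes the container actually provides and, for structures copied into fixed storage, with the size of that storage.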

3. Postfix Local Information Disclosure and Local Privilege Escalation Vulnerabilities
BugTraq ID: 30691
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30691
Summary:
Postfix is prone to a local privilege-escalation vulnerability and a local information-disclosure vulnerability.

Local attackers can exploit these issues to read other users' mail or to execute arbitrary commands with superuser privileges.

Versions prior to Postfix 2.5.4 Patchlevel 4 are vulnerable.

4. Apache Tomcat Accept-Language Cross Site Scripting Vulnerability
BugTraq ID: 24524
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/24524
Summary:
Apache Tomcat is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to inject HTML and script code into the browser of an unsuspecting victim. The attacker may then steal cookie-based authentication credentials and launch other attacks.

This issue may have been reported as part of the vulnerabilities described in BID 24058 (Apache Tomcat Documentation Sample Application Multiple Cross-Site Scripting Vulnerabilities). Symantec has not been able to confirm this information. We will update this BID when more information emerges.

5. Microsoft Internet Explorer HTML Component Handling Memory Corruption Vulnerability
BugTraq ID: 30612
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30612
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability that occurs when the application tries to parse a specially crafted web page.

Successfully exploiting this issue would allow an attacker to execute arbitrary code in the context of the currently logged-in user.

6. Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
BugTraq ID: 30611
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30611
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability that occurs when the application tries to parse a specially crafted web page.

Successfully exploiting this issue would allow an attacker to execute arbitrary code in the context of the currently logged-in user.

7. Macrovision InstallShield Update Service 'isusweb.dll' Remote Buffer Overflow Vulnerability
BugTraq ID: 27013
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/27013
Summary:
InstallShield Update Service is prone to a remote buffer-overflow vulnerability because it fails to adequately sanitize user-supplied data.

Successfully exploiting this issue will allow an attacker to execute arbitrary code with the permissions of the user running the application.

This issue affects InstallShield Update Service 5.1.100.47363; other versions may also be affected.

NOTE: Reportedly, this issue differs from those documented in BID 26280 (Macrovision InstallShield Update Service Isusweb.DLL Multiple Remote Code Execution Vulnerabilities).

8. Microsoft Windows Media Player Remote Skin Header Code Execution Vulnerability
BugTraq ID: 25305
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/25305
Summary:
Microsoft Windows Media Player is prone to a remote code-execution vulnerability when handling specially crafted skin files.

Attackers exploit this issue by coercing unsuspecting users to download and open Windows Media Player skin files (WMZ or WMD files). Note that users must attempt to apply the skin files.

Successful exploits allow attackers to execute arbitrary code in the context of the vulnerable application. This facilitates the remote compromise of affected computers.

9. Microsoft Office PICT Filter Parsing Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 30598
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30598
Summary:
Microsoft Office is prone to a remote heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data.

An attacker could exploit this issue by enticing a victim to open a malicious PICT file.

Successfully exploiting this issue would allow the attacker to corrupt memory and execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will result in a denial-of-service condition.

10. Aurigma Image Uploader 'ImageUploader4.ocx' ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 27539
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/27539
Summary:
Aurigma Image Uploader ActiveX control is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Image Uploader 4.5.70.0 is vulnerable; other versions may also be affected.

NOTE: This issue may be related to the issues covered in BID 27533 (MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflow) and BID 27534 (Facebook Photo Uploader 4 'ImageUploader4.1.ocx' ActiveX Control Buffer Overflow Vulnerability).

11. Microsoft Office Malformed PICT Filter Remote Code Execution Vulnerability
BugTraq ID: 30597
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30597
Summary:
Microsoft Office is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to open a malicious PICT file.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

12. Aurigma Image Uploader Multiple ActiveX Controls Multiple Unspecified Security Vulnerabilities
BugTraq ID: 30548
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30548
Summary:
Multiple Aurigma Image Uploader ActiveX controls are prone to multiple unspecified security issues.

Very little information is known about these issues. We will update this BID as soon as more information becomes available.

Aurigma Image Uploader 4.7 and 5.1 are vulnerable; other versions may also be affected.

13. Aurigma Image Uploader ActiveX Control Multiple Remote Stack Buffer Overflow Vulnerabilities
BugTraq ID: 26537
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/26537
Summary:
Aurigma Image Uploader ActiveX control is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Versions prior to Aurigma Image Uploader 4.5.70 are affected.

UPDATE (November 26, 2007): Reports indicate that this issue occurs because of a buffer-overflow issue that affects a Win32API method. This has not been confirmed. We will update this BID as more information emerges.

14. Microsoft Internet Explorer HTML Objects Variant Memory Corruption Vulnerability
BugTraq ID: 30610
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30610
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability that occurs when the application tries to parse a specially crafted web page.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

15. HP Instant Support 'HPISDataManager.dll' ActiveX Control Arbitrary File Download Vulnerability
BugTraq ID: 29530
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29530
Summary:
HP Instant Support ActiveX control in 'HPISDataManager.dll' is prone to a vulnerability that lets attackers download arbitrary files.

Attackers may exploit this issue by enticing victims into visiting a maliciously crafted webpage.

Successful exploits will allow remote attackers to download files from arbitrary locations to the affected computer. The attacker can also specify arbitrary download locations on the target system.

NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.

16. PHP-Nuke Book Catalog Module 'catid' Parameter SQL Injection Vulnerability
BugTraq ID: 30511
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30511
Summary:
The Book Catalog module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
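As an added example (not the module's own code, and not the real PHP-Nuke schema, which is only approximated by the constructed tables below): the vulnerable pattern of concatenating the 'catid' parameter into the statement, shown beside the hardened form that enforces the expected integer type and binds the value as a parameter. Python's sqlite3 module stands in for the PHP/MySQL stack; the table and column names are assumptions for illustration.

```python
import sqlite3


def make_catalog_db():
    """Constructed in-memory stand-in for the catalog tables a 'catid'
    lookup would touch, plus a credential table worth stealing."""
    con = sqlite3.connect(':memory:')
    con.executescript('''
        CREATE TABLE book_categories (catid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE books (id INTEGER PRIMARY KEY, catid INTEGER, title TEXT);
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT);
        INSERT INTO book_categories VALUES (1, 'Security'), (2, 'Networking');
        INSERT INTO books VALUES (1, 1, 'Applied Cryptography'),
                                 (2, 2, 'TCP/IP Illustrated');
        INSERT INTO nuke_authors VALUES ('admin', 'sample-password-hash');
    ''')
    return con


def titles_vulnerable(con, catid):
    """Vulnerable pattern: the request parameter is concatenated into the
    statement, so anything after a valid number is parsed as SQL."""
    sql = "SELECT title FROM books WHERE catid=" + catid
    return [row[0] for row in con.execute(sql)]


def titles_safe(con, catid):
    """Hardened: enforce the expected type, then bind the value as a
    parameter so the database engine never sees it as SQL text."""
    try:
        catid_int = int(catid)
    except (TypeError, ValueError):
        raise ValueError('catid must be an integer, got %r' % (catid,))
    return [row[0] for row in
            con.execute("SELECT title FROM books WHERE catid=?", (catid_int,))]


def safe_accepts(con, catid):
    """True if titles_safe() runs the query, False if it rejects the input."""
    try:
        titles_safe(con, catid)
        return True
    except ValueError:
        return False


# Constructed attack value: a legitimate id followed by a UNION that pulls
# the credential table through the same one-column result set.
PAYLOAD = "1 UNION SELECT aid || ':' || pwd FROM nuke_authors"
```

Note that the type check alone is enough for a numeric parameter, but binding the value is the habit that also protects string parameters, where no such check exists; use both.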

17. Microsoft Windows Image Color Management Remote Code Execution Vulnerability
BugTraq ID: 30594
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30594
Summary:
Microsoft Windows is prone to a remote code-execution vulnerability because of a flaw in the Microsoft Color Management System (MSCMS) module of the Image Color Management System (ICM).

An attacker could exploit this issue by enticing a victim to open a malicious image file.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

18. HP Instant Support 'HPISDataManager.dll' ActiveX Control Arbitrary File Delete Vulnerability
BugTraq ID: 29536
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29536
Summary:
HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a vulnerability that lets attackers delete arbitrary files on the affected computer in the context of the application using the ActiveX control. Successful attacks can result in denial-of-service conditions.

HP Instant Support 1.0.0.22 and earlier versions are affected.

NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.

19. Microsoft Outlook Express And Windows Mail MHTML Handler Information Disclosure Vulnerability
BugTraq ID: 30585
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30585
Summary:
Microsoft Outlook Express and Windows Mail are prone to an information-disclosure vulnerability because of an error in the Windows MHTML protocol handler.

Note that an attacker can exploit this issue via Internet Explorer because the browser internally uses the vulnerable component of Outlook Express and Windows Mail. Successful exploits will allow the attacker to bypass Internet Explorer domain restrictions and to read data from a different Internet Explorer domain or security zone.

20. Perl 'rmtree()' Function Local Insecure Permissions Vulnerability
BugTraq ID: 29902
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29902
Summary:
Perl's 'rmtree()' function, part of the File::Path module, is prone to a local vulnerability because it follows symbolic links when it changes the permissions of entries in the directory tree it is removing.

Local attackers who can plant a symbolic link inside a tree that a more privileged process later removes with 'rmtree()' can leverage this issue to change the permissions of arbitrary files.

Perl 5.10.0 is vulnerable; other versions may also be affected.
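The following is an added illustration of the mechanism in Python, not the File::Path code itself: a naive recursive remover that makes entries writable before deleting them, beside a hardened version that classifies entries with lstat(), removes links as links, and changes modes only through a descriptor opened with O_NOFOLLOW. The scenario (a 0600 secret outside the tree and a planted link to it inside) is constructed in a temporary directory; the example assumes a POSIX system with symlink support.

```python
import os
import stat
import tempfile


def naive_rmtree(path):
    """Insecure pattern: make each entry writable, then remove it.
    chmod(2) and os.path.isdir() both follow symbolic links, so a link
    planted by a local attacker sends the permission change to a file of
    the attacker's choosing (and a link to a directory would be descended)."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isdir(full):
            naive_rmtree(full)
        else:
            os.chmod(full, 0o666)   # applied to the link target, not the link
            os.unlink(full)
    os.rmdir(path)


def safe_rmtree(path):
    """Hardened: classify each entry with lstat(), remove links as links, and
    change modes only via a descriptor opened with O_NOFOLLOW, so an entry
    swapped for a link after lstat() fails with ELOOP instead of being followed."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            os.unlink(full)
        elif stat.S_ISDIR(st.st_mode):
            safe_rmtree(full)
        else:
            fd = os.open(full, os.O_RDONLY | os.O_NOFOLLOW)
            try:
                os.fchmod(fd, 0o666)   # acts on the opened inode only
            finally:
                os.close(fd)
            os.unlink(full)
    os.rmdir(path)


def demo(rm_func):
    """Constructed scenario: a 0600 secret outside the tree and a planted
    link to it inside. Returns (secret's mode bits afterwards, tree removed)."""
    with tempfile.TemporaryDirectory() as base:
        secret = os.path.join(base, 'secret.txt')
        with open(secret, 'w') as f:
            f.write('private\n')
        os.chmod(secret, 0o600)

        tree = os.path.join(base, 'tree')
        os.makedirs(os.path.join(tree, 'sub'))
        with open(os.path.join(tree, 'note.txt'), 'w') as f:
            f.write('scratch\n')
        os.symlink(secret, os.path.join(tree, 'sub', 'planted'))  # the attack

        rm_func(tree)
        return stat.S_IMODE(os.stat(secret).st_mode), not os.path.exists(tree)
```

The lstat() check on its own still leaves a window between the check and the chmod; opening with O_NOFOLLOW and using fchmod() on the descriptor closes it, because the mode change is applied to the inode that was actually opened rather than to a path that may have changed underneath.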

21. COWON America jetAudio JetFlExt.dll ActiveX Control Insecure Method Vulnerability
BugTraq ID: 25723
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/25723
Summary:
jetAudio is prone to a vulnerability that lets attackers overwrite arbitrary files. The problem stems from an insecure method caused by a design error in the affected application.

An attacker can exploit this issue to overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

This issue affects jetAudio 7.0.3 Basic; other versions may also be affected.

22. Microsoft Windows Event System User Subscription Request Remote Code Execution Vulnerability
BugTraq ID: 30584
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30584
Summary:
Microsoft Windows Event System is prone to a remote code-execution vulnerability.

Remote authenticated attackers can exploit this issue to execute arbitrary code with SYSTEM privileges.

A successful attack can result in a full compromise of the affected computer.

23. C6 Messenger Installation URL Downloader ActiveX Control Arbitrary File Download Vulnerability
BugTraq ID: 29519
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29519
Summary:
C6 Messenger Installation URL Downloader ActiveX control is prone to a vulnerability that lets remote attackers download files from arbitrary locations to an affected computer.

Attackers may exploit this issue by enticing victims into visiting a maliciously crafted webpage.

24. Jonascms Multiple Local File Include Vulnerabilities
BugTraq ID: 29950
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29950
Summary:
Jonascms is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities using directory-traversal strings to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

Jonascms 1.2 is vulnerable; other versions may also be affected.
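As an added example (Python standing in for the PHP include logic, and not Jonascms's own code): the vulnerable pattern of joining a request parameter onto the template directory, beside a hardened lookup that allow-lists the page name and then confirms the resolved path is still inside the resolved root. The directory layout, file names and contents are constructed in a temporary directory; the example assumes a POSIX system with symlink support.

```python
import os
import re
import tempfile

# Allow-list for the page name: one path component, no separators or dots.
PAGE_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def read_page_vulnerable(root, page):
    """Vulnerable pattern: the request parameter is joined onto the include
    directory unchecked. '../' walks out of it, and an absolute value makes
    os.path.join discard root entirely."""
    with open(os.path.join(root, page + '.php')) as f:
        return f.read()


def read_page_safe(root, page):
    """Hardened: allow-list the name, then resolve both sides with realpath()
    (which also follows symlinks) and refuse anything outside the root."""
    if not PAGE_NAME.match(page):
        raise PermissionError('rejected page name %r' % (page,))
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, page + '.php'))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError('%r resolves outside %s' % (page, root_real))
    with open(target) as f:
        return f.read()


def demo():
    """Constructed layout: base/templates/home.php (legitimate), base/config.php
    one level up (the target), and a symlink inside templates pointing at it."""
    with tempfile.TemporaryDirectory() as base:
        templates = os.path.join(base, 'templates')
        os.mkdir(templates)
        with open(os.path.join(templates, 'home.php'), 'w') as f:
            f.write('<?php echo "home"; ?>\n')
        with open(os.path.join(base, 'config.php'), 'w') as f:
            f.write('<?php $db_pass = "s3cret"; ?>\n')
        os.symlink(os.path.join(base, 'config.php'),
                   os.path.join(templates, 'evil.php'))

        def attempt(func, page):
            try:
                return func(templates, page)
            except PermissionError:
                return 'blocked'

        return {
            'vuln_home': attempt(read_page_vulnerable, 'home'),
            'vuln_traversal': attempt(read_page_vulnerable, '../config'),
            'vuln_symlink': attempt(read_page_vulnerable, 'evil'),
            'safe_home': attempt(read_page_safe, 'home'),
            'safe_traversal': attempt(read_page_safe, '../config'),
            'safe_symlink': attempt(read_page_safe, 'evil'),
        }
```

Two things the demo shows that a bare '../' filter would miss: an allow-listed name can still reach outside the root through a symlink, which is why the check is on the realpath() result rather than the string, and an appended '.php' suffix is not a control on its own (PHP releases before 5.3.4 truncated paths at an embedded NUL byte, so '../config%00' would have discarded the suffix; Python's open() rejects such paths outright).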

25. Microsoft Office Malformed EPS Filter Remote Code Execution Vulnerability
BugTraq ID: 30595
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30595
Summary:
Microsoft Office is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to open a malicious EPS (Encapsulated PostScript) file.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

26. Zenturi ProgramChecker ActiveX Control Arbitrary File Deletion/Overwrite Vulnerability
BugTraq ID: 24377
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/24377
Summary:
Zenturi ProgramChecker ActiveX control is prone to a vulnerability that could permit an attacker to delete or overwrite arbitrary files.

The attacker can exploit this issue to delete or overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

NOTE: This issue was previously discussed in BID 24217 (Zenturi ProgramChecker SASATL.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities), but has been assigned its own record because it is a different vulnerability.

27. Microsoft Excel Record Parsing Remote Code Execution Vulnerability
BugTraq ID: 30640
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30640
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel file.

Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application.

28. Linux Kernel 'snd_seq_oss_synth_make_info()' Information Disclosure Vulnerability
BugTraq ID: 30559
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30559
Summary:
The Linux kernel is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.

Versions prior to Linux kernel 2.6.27-rc2 are vulnerable.

29. Linux Kernel 'do_change_type()' Local Security Bypass Vulnerability
BugTraq ID: 30126
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30126
Summary:
The Linux kernel is prone to a local security-bypass vulnerability because the 'do_change_type()' routine fails to adequately verify user permissions before performing mountpoint type changes.

Attackers can exploit this issue to bypass security restrictions and change mountpoint types. Attackers could mark private mounts as sharable to gain access to potentially sensitive information. Other attacks are also possible.

Linux kernel 2.6.15-rc1 to 2.6.21 are vulnerable.

30. Linux Kernel TTY Operations NULL Pointer Dereference Denial of Service Vulnerabilities
BugTraq ID: 30076
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30076
Summary:
The Linux kernel is prone to multiple local denial-of-service vulnerabilities.

Attackers can exploit these issues to crash the affected kernel, denying service to legitimate users. Given the nature of these issues, attackers may also be able to execute arbitrary code, but this has not been confirmed.

These issues affect versions prior to Linux kernel 2.6.25.10.

31. Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability
BugTraq ID: 30114
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30114
Summary:
Snapshot Viewer for Microsoft Access is prone to a vulnerability that can cause malicious files to be downloaded and saved to arbitrary locations on an affected computer.

Attackers may exploit this issue to put malicious files in arbitrary locations on a victim's computer. This will facilitate a remote compromise.

UPDATE (August 1, 2008): Symantec has observed in-the-wild attacks leveraging a new vector of attack for this issue. The newly discovered vector greatly increases the severity of the flaw because users who do not have the Snapshot Viewer control on their system can be forced to download the control without interaction and can then be exploited.

32. Linux Kernel UBIFS Orphan Inode Local Denial of Service Vulnerability
BugTraq ID: 30647
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30647
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability affecting the VFS behavior in UBIFS (UBI File System).

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

33. Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 30674
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30674
Summary:
The Microsoft Visual Studio ActiveX control, MaskedEdit, is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of an application using the affected ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

'Msmask32.ocx' 6.0.81.69 is vulnerable; other versions may also be affected.

UPDATE: Testing indicates that 'Msmask32.ocx' 6.0.84.18 is not vulnerable; we are working with Microsoft to confirm our findings and gain further details. We recommend that users update to 6.0.84.18 or a later version.

34. Microsoft Excel Index Array Remote Code Execution Vulnerability
BugTraq ID: 30639
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30639
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel file.

Successful exploits may allow an attacker to execute arbitrary code with the privileges of the user running the application.

35. Microsoft Excel Indexing Validation Remote Code Execution Vulnerability
BugTraq ID: 30638
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30638
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel file.

Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application. This may facilitate a compromise of vulnerable computers.

36. Sun Java Runtime Environment Virtual Machine Privilege Escalation Vulnerability
BugTraq ID: 30141
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30141
Summary:
Sun Java Runtime Environment Virtual Machine is prone to a privilege-escalation vulnerability when running untrusted applications or applets.

Successful exploits may allow attackers to read, write, or execute arbitrary local files in the context of the user running an untrusted application in the affected virtual machine. This may result in a compromise of the underlying system.

This issue affects the following versions:

JDK and JRE 6 Update 6 and earlier
JDK and JRE 5.0 Update 15 and earlier
SDK and JRE 1.4.2_17 and earlier

37. IntelliTamper HTML 'href' Parsing Buffer Overflow Vulnerability
BugTraq ID: 30317
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30317
Summary:
IntelliTamper is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

This issue allows remote attackers to execute arbitrary machine code in the context of the application. Failed exploit attempts will likely crash the application, denying service to legitimate users.

IntelliTamper 2.07 is vulnerable; other versions may also be affected.

38. Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability
BugTraq ID: 30614
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30614
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability that occurs when the application tries to parse a specially crafted web page.

Successfully exploiting this issue would allow an attacker to execute arbitrary code in the context of the currently logged-in user.

39. OpenSSH ForceCommand Command Execution Weakness
BugTraq ID: 28531
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/28531
Summary:
OpenSSH is prone to a weakness that may allow attackers to execute arbitrary commands.

Successful exploits may allow attackers to execute arbitrary commands, contrary to the wishes of administrators and bypassing the intent of the 'ForceCommand' option.

Versions prior to OpenSSH 4.9 are vulnerable.

40. rdesktop Multiple Remote Memory Corruption Vulnerabilities
BugTraq ID: 29097
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29097
Summary:
The 'rdesktop' program is prone to multiple remote memory-corruption vulnerabilities because it fails to properly validate incoming packets.

A remote attacker can exploit these issues to execute arbitrary code in the context of the currently logged-in user.

These issues affect rdesktop 1.5.0; other versions may also be vulnerable.

41. Microsoft Internet Explorer HTML Objects Memory Corruption Vulnerability
BugTraq ID: 30613
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30613
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability that occurs when the application tries to parse a specially crafted web page.

Successfully exploiting this issue would allow an attacker to execute arbitrary code in the context of the currently logged-in user.

42. LibTIFF EstimateStripByteCounts() Denial of Service Vulnerability
BugTraq ID: 19284
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/19284
Summary:
LibTIFF is affected by a denial-of-service vulnerability.

An attacker can exploit this vulnerability to cause a denial of service in applications using the affected library.

43. LibTIFF TiffScanLineSize Remote Buffer Overflow Vulnerability
BugTraq ID: 19288
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/19288
Summary:
LibTIFF is prone to a buffer-overflow vulnerability because the library fails to do proper boundary checks before copying user-supplied data into a finite-sized buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of applications using the affected library. Failed exploit attempts will likely crash the application, denying service to legitimate users.

44. xine-lib 'rmff_dump_cont()' Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 27198
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/27198
Summary:
The xine-lib library is prone to a remote heap-based buffer-overflow vulnerability. This issue occurs because the software fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.

This issue affects xine-lib 1.1.9 and prior versions.

45. Microsoft Office WPG Image File Remote Code Execution Vulnerability
BugTraq ID: 30600
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30600
Summary:
Microsoft Office is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to open a malicious WPG (WordPerfect Graphics) file.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

46. MPlayer 'demux_audio.c' Remote Stack Based Buffer Overflow Vulnerability
BugTraq ID: 27441
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/27441
Summary:
MPlayer is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

MPlayer 1.0 rc2 is vulnerable; other versions may also be affected.

47. Microsoft Windows 'NSlookup.exe' Unspecified Remote Code Execution Vulnerability
BugTraq ID: 30636
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30636
Summary:
Microsoft Windows is prone to a remote code-execution vulnerability caused by an unspecified error in 'NSlookup.exe'.

Successfully exploiting this issue would allow an attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions.

Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

48. Microsoft Windows DNS Server Cache Poisoning Vulnerability
BugTraq ID: 30132
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30132
Summary:
Microsoft Windows DNS servers are prone to a vulnerability that lets attackers poison DNS caches. This occurs because the software fails to properly handle responses containing records for names outside the responding server's authority.

Successfully exploiting this issue allows remote attackers to poison DNS caches, allowing them to redirect network traffic and to launch man-in-the-middle attacks.
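
The check that the summary above describes as missing is the bailiwick rule: a caching resolver may store a record from a response only if the record's name is at or below the zone the responding server is authoritative for. The block below is an added example, not code from SecurityFocus or Microsoft; the zone, the query and the records in the reply are constructed for the illustration. It also shows why the comparison has to be done label by label rather than with a string-suffix test.

```python
"""Bailiwick filtering in a caching resolver (added illustration, not
SecurityFocus or Microsoft code).

Constructed scenario: the resolver sent www.example.com/A to a server it
reached via the example.com delegation.  The reply is well-formed but
smuggles an Additional record for www.bank.example, a name that server has
no authority over.  A resolver that caches every record it receives is
poisoned; one that applies the bailiwick rule keeps only records at or
below the zone it is talking to.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


def labels(name: str) -> tuple:
    """Split a domain name into lowercase labels:
    'www.Example.COM.' -> ('www', 'example', 'com')."""
    return tuple(lbl.lower() for lbl in name.rstrip(".").split(".") if lbl)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it, compared label by label.

    A naive str.endswith() test would accept 'evilexample.com' for the zone
    'example.com'; comparing whole labels avoids that."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(zone: str, answers, authority, additional):
    """Split every record in every section into (kept, dropped): only records
    inside the responding server's bailiwick may enter the cache."""
    kept, dropped = [], []
    for section in (answers, authority, additional):
        for rr in section:
            (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


def poisoned_response_demo():
    """Constructed reply from a server that is authoritative for example.com."""
    zone = "example.com"
    answers = [RR("www.example.com", "A", "192.0.2.10")]
    authority = [RR("example.com", "NS", "ns1.example.com")]
    additional = [
        RR("ns1.example.com", "A", "192.0.2.1"),               # legitimate glue
        RR("www.bank.example", "A", "198.51.100.66", 86400),   # the poison record
    ]
    return filter_response(zone, answers, authority, additional)


if __name__ == "__main__":
    kept, dropped = poisoned_response_demo()
    for rr in kept:
        print("cache  ", rr)
    for rr in dropped:
        print("discard", rr)
```

The filter drops the www.bank.example record and keeps the answer, the NS record and its in-zone glue. Note that a long TTL on the foreign record is exactly what an attacker wants, so the rule must be applied before the TTL is ever looked at.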

49. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability
BugTraq ID: 25628
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/25628
Summary:
OpenSSH is prone to a local authentication-bypass vulnerability because the software fails to properly manage trusted and untrusted X11 cookies.

Successfully exploiting this issue allows local attackers to potentially launch a forwarded X11 session through SSH in an unauthorized manner. Further details are currently unavailable. We will update this BID as more information emerges.

This issue affects OpenSSH 4.6; previous versions may be affected as well.

50. Microsoft Office Malformed BMP Filter Remote Code Execution Vulnerability
BugTraq ID: 30599
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30599
Summary:
Microsoft Office is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to open a malicious BMP file.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

51. Harmoni 'Username' Field HTML Injection Vulnerability
BugTraq ID: 30637
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30637
Summary:
Harmoni is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Versions prior to Harmoni 1.4.7 are vulnerable.

52. Perl Unicode '\Q...\E' Quoting Construct Regular Expression Buffer Overflow Vulnerability
BugTraq ID: 28928
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/28928
Summary:
Perl is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input.

Successfully exploiting this issue may allow attackers to execute arbitrary machine code in the context of Perl applications using regular expressions in a vulnerable manner. This facilitates the remote compromise of affected computers. Failed exploits can cause denial-of-service conditions.

Perl 5.8.8 is vulnerable to this issue; other versions may also be affected.

NOTE: This issue may be related to BID 26350 ('Perl Unicode Regular Expression Buffer Overflow Vulnerability').

53. Orca 'params.php' Remote File Include Vulnerability
BugTraq ID: 29974
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29974
Summary:
Orca is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects Orca 2.0; other versions may also be affected.

54. xine-lib Matroska Demuxer Remote Buffer Overflow Vulnerability
BugTraq ID: 28543
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/28543
Summary:
The 'xine-lib' library is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit this issue to cause denial-of-service conditions and possibly execute arbitrary code in the context of applications that use the library.

Versions prior to xine-lib 1.1.10.1 are vulnerable.

55. xine-lib Multiple Heap Based Remote Buffer Overflow Vulnerabilities
BugTraq ID: 28370
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/28370
Summary:
The 'xine-lib' library is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions.

These issues affect xine-lib 1.1.11; other versions may also be affected.

56. Linux Kernel 'sctp_getsockopt_local_addrs_old()' Local Buffer Overflow Vulnerability
BugTraq ID: 29990
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29990
Summary:
The Linux kernel is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to crash the affected kernel, denying service to legitimate users. Given the nature of the issue, arbitrary code execution may also be possible, but this has not been confirmed.

57. Multiple Vendor BIOS Keyboard Buffer Password Persistence Weakness
BugTraq ID: 15751
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/15751
Summary:
Multiple vendors fail to clear the BIOS (Basic Input-Output System) keyboard buffer after reading the pre-boot authentication password during the system startup process.

Depending on the operating system running on affected computers, the memory region may or may not be available for user-level access. With Linux operating systems, superuser access is required. With Microsoft Windows operating systems, non-privileged users may access the keyboard buffer region.

Attackers that obtain the password used for pre-boot authentication may then utilize it for further attacks.

UPDATE: It was reported that the BIOS API calls and the BIOS keyboard buffer are used by various pre-boot authentication applications to read a password from the keyboard in an insecure manner. These applications are also vulnerable to this issue.

This issue is reported to affect the following software:

- Truecrypt 5.0 for Windows
- DiskCryptor 0.2.6 for Windows and prior
- Secu Star DriveCrypt Plus Pack v3.9 and prior
- Grub Legacy (GNU GRUB 0.97) and prior
- Lilo version 22.6.1 and prior
- Award BIOS Modular 4.50pg
- Insyde BIOS V190
- Intel Corp BIOS PE94510M.86A.0050.2007.0710.1559 (07/10/2007)
- Hewlett-Packard BIOS 68DTT Ver. F.0D (11/22/2005)
- IBM Lenovo BIOS 7CETB5WW v2.05 (10/13/2006)
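
The weakness above is that the BIOS keyboard ring buffer in the BIOS Data Area still holds the pre-boot password after the operating system boots. The block below is an added example, not code from SecurityFocus or from any vendor listed, showing both sides of it: recovering the leftover keystrokes from a snapshot of the BIOS Data Area, and the scrub a bootloader or pre-boot prompt should perform after reading the password. The BDA layout used (head and tail pointers at 0x41A and 0x41C, the default 16-entry buffer at 0x41E..0x43D, ASCII in the low byte of each entry) is the standard legacy-BIOS layout; the snapshot content is constructed, and the optional live read uses /dev/mem on Linux, which as the summary notes requires superuser access.

```python
"""Reading and scrubbing the BIOS keyboard ring buffer (added illustration,
not code from SecurityFocus or any of the vendors listed).

Layout assumed here is the standard BIOS Data Area (BDA) at physical 0x400:
0x41A head pointer, 0x41C tail pointer (both are offsets relative to segment
0x40), 0x41E..0x43D the default 16-entry buffer, each entry ASCII in the low
byte and scan code in the high byte.  A password typed at a pre-boot prompt
that reads via INT 16h stays in these bytes after the OS boots unless
something clears them.
"""
import struct

BDA_BASE = 0x400          # physical address of the BDA
KB_HEAD = 0x1A            # offsets within a snapshot that starts at BDA_BASE
KB_TAIL = 0x1C
KB_BUF_START = 0x1E
KB_BUF_END = 0x3E         # exclusive
ENTRY = 2
SLOTS = (KB_BUF_END - KB_BUF_START) // ENTRY   # 16 keystrokes


def buffer_pointers(bda: bytes):
    """Return (head, tail) as stored in the BDA."""
    return struct.unpack_from("<HH", bda, KB_HEAD)


def extract_keystrokes(bda: bytes) -> str:
    """Recover the printable ASCII left in the ring buffer, oldest first.

    Consuming a key through INT 16h only advances head; the bytes stay.
    Tail is the next write slot, so the oldest surviving entry sits there;
    walk the ring from tail with wrap-around."""
    _, tail = buffer_pointers(bda)
    if not (KB_BUF_START <= tail < KB_BUF_END) or tail % ENTRY:
        tail = KB_BUF_START          # pointer clobbered; scan from the start
    chars, off = [], tail
    for _ in range(SLOTS):
        code = bda[off]              # low byte: ASCII; bda[off + 1] is the scan code
        if 0x20 <= code < 0x7F:
            chars.append(chr(code))
        off = KB_BUF_START if off + ENTRY >= KB_BUF_END else off + ENTRY
    return "".join(chars)


def scrub_keyboard_buffer(bda: bytearray) -> None:
    """The fix a bootloader or pre-boot prompt should apply after reading the
    password: zero every slot and reset head == tail so nothing stale remains."""
    bda[KB_BUF_START:KB_BUF_END] = bytes(KB_BUF_END - KB_BUF_START)
    struct.pack_into("<HH", bda, KB_HEAD, KB_BUF_START, KB_BUF_START)


def constructed_bda(password: str, first_slot: int = 0x36) -> bytearray:
    """Constructed sample: a BDA as a BIOS prompt leaves it after the user
    types `password` and Enter, starting at `first_slot` so the text wraps."""
    bda = bytearray(0x100)
    off = first_slot
    for ch in password + "\r":
        struct.pack_into("<BB", bda, off, ord(ch), 0x00)   # 0x00: placeholder scan code
        off = KB_BUF_START if off + ENTRY >= KB_BUF_END else off + ENTRY
    struct.pack_into("<HH", bda, KB_HEAD, off, off)       # all keys consumed: head == tail
    struct.pack_into("<HH", bda, 0x80, KB_BUF_START, KB_BUF_END)  # 0x480/0x482: buffer bounds
    return bda


def read_live_bda() -> bytes:
    """Snapshot the real BDA through /dev/mem (root required; Linux permits the
    first MiB even with CONFIG_STRICT_DEVMEM).  Meaningful only on legacy-BIOS boots."""
    with open("/dev/mem", "rb", buffering=0) as mem:
        mem.seek(BDA_BASE)
        return mem.read(0x100)


if __name__ == "__main__":
    sample = constructed_bda("s3cret")
    print("constructed sample   :", repr(extract_keystrokes(sample)))
    scrub_keyboard_buffer(sample)
    print("after scrub          :", repr(extract_keystrokes(sample)))
    try:
        print("this machine's buffer:", repr(extract_keystrokes(read_live_bda())))
    except OSError as exc:
        print("live read skipped:", exc)
```

Head equal to tail means "no unread keystrokes", which is why an application that only asks the BIOS for pending keys sees nothing while the password bytes are still in memory; the scrub has to overwrite the slots themselves, not just reset the pointers.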

58. artegic AG Dana Remote Buffer Overflow Vulnerability
BugTraq ID: 29724
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29724
Summary:
Dana is prone to a remote buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

An attacker may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

This issue affects Dana 1.4 and prior versions.

59. Sun Solaris Netscape Portable Runtime API Local Privilege Escalation Vulnerability
BugTraq ID: 20471
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/20471
Summary:
The Netscape Portable Runtime API running on the Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.

A successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer.

Version 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.

60. PHP 5.2.4 and Prior Versions Multiple Vulnerabilities
BugTraq ID: 26403
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/26403
Summary:
PHP 5.2.4 and prior versions are prone to multiple security vulnerabilities. Successful exploits could allow an attacker to bypass security restrictions, cause a denial-of-service condition, and potentially execute code.

61. Domain Group Network GooCMS 'index.php' Cross-Site Scripting Vulnerability
BugTraq ID: 30635
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30635
Summary:
GooCMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

GooCMS 1.02 is vulnerable; other versions may also be affected.

62. PHP 5.2.5 and Prior Versions Multiple Vulnerabilities
BugTraq ID: 29009
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29009
Summary:
PHP 5.2.5 and prior versions are prone to multiple security vulnerabilities.

Successful exploits could allow an attacker to bypass security restrictions, cause a denial-of-service condition, and potentially execute code.

63. X.Org X Server RENDER Extension 'ProcRenderCreateCursor()' Denial of Service Vulnerability
BugTraq ID: 29665
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29665
Summary:
X.Org X Server is prone to a denial-of-service vulnerability because the software fails to properly handle exceptional conditions.

Attackers who can connect to a vulnerable X Server may exploit this issue to crash the targeted server, denying further service to legitimate users.

64. Net-SNMP Remote Authentication Bypass Vulnerability
BugTraq ID: 29623
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29623
Summary:
Net-SNMP is prone to a remote authentication-bypass vulnerability caused by a design error.

Successfully exploiting this issue will allow attackers to gain unauthorized access to the affected application.

Net-SNMP 5.4.1, 5.3.2, 5.2.4, and prior versions are vulnerable.
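
The summary above calls the cause a design error without saying what it is. The block below is an added illustration, not Net-SNMP code and not taken from the BID, of the flaw class this issue is publicly documented as: an SNMPv3 USM receiver that took the HMAC tag length from the incoming packet instead of from the configured authentication protocol. The shared key, the message and the 12-byte tag length (the USM HMAC-SHA1 truncation) are constructed for the example, which puts the weak verifier beside the hardened one and runs the attack against both.

```python
"""Authenticator-length handling in an HMAC check (added illustration; not
Net-SNMP code and not taken from the BID).

Constructed setting: a receiver shares a key with the sender and must verify
a truncated HMAC-SHA1 tag carried in the message, as SNMPv3 USM does with a
12-byte tag.  The weak verifier lets the incoming packet dictate how many
bytes are compared; the hardened one fixes the length from the protocol.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-secret"   # sample key, not from any real deployment
TAG_LEN = 12


def make_tag(key: bytes, data: bytes, tag_len: int = TAG_LEN) -> bytes:
    """Legitimate sender: HMAC-SHA1 truncated to tag_len bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:tag_len]


def verify_weak(key: bytes, data: bytes, tag: bytes) -> bool:
    """Flawed: the comparison length comes from the peer's tag field.
    A one-byte tag succeeds with probability 1/256; a zero-length tag always."""
    expected = hmac.new(key, data, hashlib.sha1).digest()
    return hmac.compare_digest(expected[:len(tag)], tag)


def verify_strong(key: bytes, data: bytes, tag: bytes, tag_len: int = TAG_LEN) -> bool:
    """Hardened: reject any tag whose length differs from the protocol's,
    then compare the full truncated digest in constant time."""
    if len(tag) != tag_len:
        return False
    return hmac.compare_digest(make_tag(key, data, tag_len), tag)


def forge(verify, data: bytes, min_len: int = 0, max_len: int = 1):
    """Attacker without the key: submit every tag of each length in
    [min_len, max_len] to the verifier oracle.  Returns the number of
    attempts until one is accepted, or None if none is."""
    attempts = 0
    for length in range(min_len, max_len + 1):
        for value in range(256 ** length):
            attempts += 1
            if verify(SHARED_KEY, data, value.to_bytes(length, "big")):
                return attempts
    return None


if __name__ == "__main__":
    msg = b"SNMPv3 SET sysContact.0 = attacker"   # constructed payload
    print("weak, empty tag   :", verify_weak(SHARED_KEY, msg, b""))
    print("weak, 1-byte force:", forge(verify_weak, msg, min_len=1), "tries")
    print("strong, <=1 byte  :", forge(verify_strong, msg))
```

Against the weak verifier the empty tag is accepted on the first try and a one-byte tag within 256 tries, with no knowledge of the key; the strong verifier rejects both before any comparison happens. The lesson generalizes beyond SNMP: any length, count or algorithm identifier that selects how an authenticator is checked must come from the receiver's configuration, never from the unauthenticated message.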

65. pPIM Multiple Remote Vulnerabilities
BugTraq ID: 30627
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30627
Summary:
pPIM is prone to multiple vulnerabilities, including two security-bypass issues, a cross-site scripting issue, and a file-upload issue.

Attackers can exploit these issues to:

- execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site
- steal cookie-based authentication credentials
- delete local files within the context of the webserver process
- upload arbitrary PHP scripts and execute them in the context of the webserver
- change user passwords

These issues affect pPIM 1.0 and prior versions.

66. X.Org X server RENDER Extension Multiple Integer Overflow Vulnerabilities
BugTraq ID: 29670
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29670
Summary:
The RENDER component for X Server is prone to multiple integer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.

Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the software. Failed exploit attempts will likely cause denial-of-service conditions.

67. Net-SNMP Perl Module Buffer Overflow Vulnerability
BugTraq ID: 29212
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29212
Summary:
Net-SNMP is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Exploiting this issue may allow attackers to execute arbitrary machine code in the context of applications using the affected Net-SNMP Perl module. Failed exploit attempts will likely cause denial-of-service conditions.

This issue affects Net-SNMP 5.4.1, 5.2.4, and 5.1.4; other versions may also be vulnerable.

68. LibTIFF tiff2pdf Remote Buffer Overflow Vulnerability
BugTraq ID: 18331
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/18331
Summary:
The tiff2pdf utility is prone to a buffer-overflow vulnerability because the application fails to do proper boundary checks before copying user-supplied data into a finite-sized buffer.

Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying service to legitimate users.

69. Microsoft Internet Explorer CreateTextRange.text Code Execution Vulnerability
BugTraq ID: 28295
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/28295
Summary:
Microsoft Internet Explorer is prone to a code-execution vulnerability because the application fails to handle certain JavaScript code.

This issue is triggered when a remote attacker entices a victim to visit a malicious site.

Attackers may exploit this issue to execute arbitrary code in the context of the logged-in user, facilitating the remote compromise of affected computers.

70. Vacation Rental Script 'index.php' SQL Injection Vulnerability
BugTraq ID: 30626
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30626
Summary:
Vacation Rental Script is prone to an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Vacation Rental Script 3.0 is vulnerable; other versions may also be affected.

71. LibTIFF TiffFetchShortPair Remote Buffer Overflow Vulnerability
BugTraq ID: 19283
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/19283
Summary:
LibTIFF is prone to a buffer-overflow vulnerability because the library fails to do proper boundary checks before copying user-supplied data into a finite-sized buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of applications using the affected library. Failed exploit attempts will likely crash the application, denying service to legitimate users.

72. txtSQL 'startup.php' Remote File Include Vulnerability
BugTraq ID: 30625
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30625
Summary:
txtSQL is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

txtSQL 2.2 Final is vulnerable; other versions may be affected as well.

73. LibTIFF PixarLog Decoder Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 19290
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/19290
Summary:
The PixarLog Decoder for libTIFF is prone to a remote heap buffer-overflow vulnerability.

This issue may allow attackers to execute arbitrary machine code within the context of the vulnerable application or to cause a denial of service.

74. HP Instant Support 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation Vulnerability
BugTraq ID: 29535
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29535
Summary:
HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a vulnerability that lets attackers create and overwrite files with arbitrary, attacker-controlled content.

Successful exploits may compromise affected computers and aid in further attacks.

HP Instant Support 1.0.0.22 and earlier versions are affected.

NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.

75. HP Instant Support 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability
BugTraq ID: 29533
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29533
Summary:
HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to an insecure-method vulnerability.

Successfully exploiting this issue allows remote attackers to launch arbitrary applications with the privileges of the application running the ActiveX control (typically Internet Explorer).

Note that if the attacker could place a malicious executable on the system, they would be able to launch it using this vulnerability.

HP Instant Support 1.0.0.22 and earlier versions are affected.

NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.

76. LibTIFF Next RLE Decoder Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 19282
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/19282
Summary:
The Next RLE Decoder for libTIFF is prone to a remote heap buffer-overflow vulnerability.

This issue occurs because the application fails to check boundary conditions on certain RLE decoding operations.

This issue may allow attackers to execute arbitrary machine code within the context of the vulnerable application or to cause a denial of service.

77. Retired: DriveCrypt Incorrect BIOS API Usage Security Vulnerability
BugTraq ID: 30818
Remote: No
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30818
Summary:
DriveCrypt is prone to a security vulnerability that may cause a denial-of-service condition or allow attackers to gain access to plain text passwords.

Local attackers can exploit this issue to gain access to sensitive information or to cause the affected computer to reboot.

DriveCrypt Plus Pack version 3.9 is vulnerable; other versions may also be affected.

Note: This vulnerability is the same issue described in BID 15751 (Multiple Vendor BIOS Keyboard Buffer Password Persistence Weakness); therefore, this BID is being retired.

78. IntelliTamper HTML 'Location' Header Parsing Buffer Overflow Vulnerability
BugTraq ID: 30622
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30622
Summary:
IntelliTamper is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

This issue allows remote attackers to execute arbitrary machine code in the context of the application. Failed exploit attempts will likely crash the application, denying service to legitimate users.

IntelliTamper 2.07 is vulnerable; other versions may also be affected.

79. HP Instant Support 'HPISDataManager.dll' 'MoveFile' ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 29532
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29532
Summary:
HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

HP Instant Support 1.0.0.22 and earlier versions are affected.

NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.

80. HP Instant Support 'HPISDataManager.dll' 'GetFileTime' ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 29531
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29531
Summary:
HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

HP Instant Support 1.0.0.22 and earlier versions are affected.

NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.

81. PHP cURL 'safe mode' Security Bypass Vulnerability
BugTraq ID: 27413
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/27413
Summary:
PHP cURL is prone to a 'safe mode' security-bypass vulnerability.

Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks.

The issue affects PHP 5.2.5 and 5.2.4.

82. JComSoft 'AniGIF.ocx' ReadGIF and ReadGIF2 Methods ActiveX Buffer Overflow Vulnerabilities
BugTraq ID: 30621
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30621
Summary:
JComSoft Animation GIF ActiveX control is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions.

Animation GIF ActiveX 2.47, 1.12a, and 1.12b are vulnerable; other versions may also be affected.

83. OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service Vulnerability
BugTraq ID: 20246
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/20246
Summary:
OpenSSL is prone to a denial-of-service vulnerability.

A malicious server could cause a vulnerable client application to crash, effectively denying service.

84. PowerDVD '.m3u' and '.pls' File Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 30341
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30341
Summary:
PowerDVD is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.

Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.

PowerDVD 8.0 is vulnerable; prior versions may also be affected.

85. RMSOFT Downloads Plus Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 30620
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30620
Summary:
RMSOFT Downloads Plus is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Downloads Plus 1.5 and 1.7 are affected; other versions may also be vulnerable.

86. Sun Java Runtime Environment Multiple Weaknesses
BugTraq ID: 25918
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/25918
Summary:
Sun Java Runtime Environment is prone to multiple weaknesses that may allow JavaScript code or applets to connect to resources other than the one the scripts or applets were downloaded from. One of the weaknesses may allow an attacker to obscure a Java warning about an untrusted applet from the user.

These issues affect the following packages for Windows, Solaris, and Linux:

JDK and JRE 6 Update 2 and earlier
JDK and JRE 5.0 Update 12 and earlier
SDK and JRE 1.4.2_15 and earlier
SDK and JRE 1.3.1_20 and earlier

87. Yogurt Social Network 'uid' Parameter Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 30618
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30618
Summary:
Yogurt Social Network is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Yogurt Social Network 3.2 rc1 is affected; other versions may also be vulnerable.

88. Sun Java Runtime Environment Image Parsing Heap Buffer Overflow Vulnerability
BugTraq ID: 28125
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/28125
Summary:
Sun Java Runtime Environment is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.

This issue affects the following products and versions:

JDK and JRE 6 prior to Update 5
JDK and JRE 5.0 prior to Update 15
SDK and JRE prior to 1.4.2_17
SDK and JRE prior to 1.3.1_22

This vulnerability was previously covered in BID 28083 (Sun Java SE Multiple Security Vulnerabilities), but has been given its own record to better document the issue.

89. Sun Java SE Multiple Security Vulnerabilities
BugTraq ID: 28083
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/28083
Summary:
Sun has released advisories addressing multiple vulnerabilities affecting the following software:

JDK and JRE 6 Update 5
JDK and JRE 5.0 Update 15
SDK and JRE 1.4.2_17
SDK and JRE 1.3.1_22

90. Yogurt Social Network Scrapbook HTML Injection Vulnerability
BugTraq ID: 30619
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30619
Summary:
Yogurt Social Network is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Yogurt Social Network 3.2 rc1 is vulnerable; other versions may also be affected.

91. Vim Insufficient Shell Escaping Multiple Command Execution Vulnerabilities
BugTraq ID: 30795
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30795
Summary:
Vim is prone to multiple command-execution vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Successfully exploiting these issues can allow an attacker to execute arbitrary commands with the privileges of the user running the affected application.

Vim 7.2 is vulnerable; other versions may also be affected.

92. Belkin F5D7230-4 Wireless G Router 'setup_dns.exe' Authentication Vulnerability
BugTraq ID: 28319
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/28319
Summary:
The Belkin F5D7230-4 Wireless G Router is prone to a vulnerability because of a lack of authentication when users access 'cgi-bin/setup_dns.exe'.

Attackers can exploit this issue to perform administrative functions without authorization.

Belkin F5D7230-4 running firmware 9.01.10 is vulnerable; other devices and firmware versions may also be affected.

93. Sun Java Runtime Environment Read and Write Permission Multiple Privilege Escalation Vulnerabilities
BugTraq ID: 27650
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/27650
Summary:
Sun Java Runtime Environment is prone to multiple privilege-escalation vulnerabilities when running untrusted applications or applets.

Successful exploits will compromise arbitrary data and possibly the underlying computer.

These issues affect the following versions:

JDK and JRE 6 Update 1 and earlier
JDK and JRE 5.0 Update 13 and earlier

94. RMSOFT MiniShop 'search.php' Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 30616
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30616
Summary:
RMSOFT MiniShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

MiniShop 1.0 is affected; other versions may also be vulnerable.

95. Maxthon Browser Content-Type Buffer Overflow Vulnerability
BugTraq ID: 30617
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30617
Summary:
Maxthon Browser is prone to a buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to Maxthon Browser 2.0 are vulnerable.

96. Adobe Presenter Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 30615
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30615
Summary:
Adobe Presenter is prone to multiple cross-site scripting vulnerabilities because sites generated with the vulnerable application fail to sufficiently sanitize user-supplied data.

An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

These issues affect Adobe Presenter 6 and 7.

97. Ipswitch WS_FTP Server Message Response Buffer Overflow Vulnerability
BugTraq ID: 30728
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30728
Summary:
Ipswitch WS_FTP is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

98. Vortex CMS 'index.php' SQL Injection Vulnerability
BugTraq ID: 29146
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/29146
Summary:
Vortex CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

99. Red Hat OpenSSH Backdoor Vulnerability
BugTraq ID: 30794
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30794
Summary:
OpenSSH running on Red Hat operating systems is prone to a backdoor vulnerability.

Attackers can exploit this issue by enticing an unsuspecting victim to download and install a malicious OpenSSH package from a compromised Red Hat software repository or from mirrors that replicated the malicious packages. Successfully exploiting this issue will compromise the affected computer.

This issue affects OpenSSH running on the following operating systems:

Red Hat Enterprise Linux 4 i386
Red Hat Enterprise Linux 4 x86_64
Red Hat Enterprise Linux 5 x86_64

100. Microsoft Windows IPsec Information Disclosure Vulnerability
BugTraq ID: 30634
Remote: Yes
Last Updated: 2008-08-25
Relevant URL: http://www.securityfocus.com/bid/30634
Summary:
Microsoft Windows is prone to a vulnerability in the IPsec implementation.

The vulnerability causes IPsec policies that are imported from a Windows Server 2003 domain to a Windows Server 2008 domain to be ignored. This will cause network traffic to be transmitted in clear text instead of being encrypted.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Online intruders hit Red Hat, Fedora Project
By: Robert Lemos
A leading Linux company and its open-source distribution acknowledge that attackers breached several systems, including one that manages the Fedora signing process.
http://www.securityfocus.com/news/11532

2. Researchers race to zero in record time
By: Robert Lemos
On the first day, three teams of security professionals finished the Race to Zero contest, successfully modifying nine well-known viruses and exploits to escape detection by major antivirus engines.
http://www.securityfocus.com/news/11531

3. Gov't charges alleged TJX credit-card thieves
By: Robert Lemos
U.S. prosecutors charge eleven people with taking part in an identity-theft ring that stole millions of credit-card accounts from major retailers, among them TJX Companies.
http://www.securityfocus.com/news/11530

4. Poisoned DNS servers pop up as ISPs patch
By: Robert Lemos
An online attacker poisons at least one domain-name server at a major Internet service provider to send Google lookups to a pay-per-click ad network.
http://www.securityfocus.com/news/11529

IV. SECURITY JOBS LIST SUMMARY
-------------------------------
1. [SJ-JOB] Senior Software Engineer, Redwood Shores
http://www.securityfocus.com/archive/77/495594

2. [SJ-JOB] Security Engineer, Chicago
http://www.securityfocus.com/archive/77/495595

3. [SJ-JOB] Technical Support Engineer, Redwood Shores
http://www.securityfocus.com/archive/77/495598

4. [SJ-JOB] Security Engineer, Glen Ellyn
http://www.securityfocus.com/archive/77/495599

5. [SJ-JOB] Security Engineer, Pittsburgh
http://www.securityfocus.com/archive/77/495601

6. [SJ-JOB] Security Engineer, Arlington
http://www.securityfocus.com/archive/77/495587

7. [SJ-JOB] Developer, Redwood Shores
http://www.securityfocus.com/archive/77/495592

8. [SJ-JOB] Quality Assurance, Redwood Shores
http://www.securityfocus.com/archive/77/495596

9. [SJ-JOB] Developer, Redwood Shores
http://www.securityfocus.com/archive/77/495600

10. [SJ-JOB] Application Security Engineer, Washington
http://www.securityfocus.com/archive/77/495602

11. [SJ-JOB] Senior Software Engineer, 21287
http://www.securityfocus.com/archive/77/495584

12. [SJ-JOB] Security Engineer, Gaithersburg
http://www.securityfocus.com/archive/77/495585

13. [SJ-JOB] Security Engineer, Albuquerque
http://www.securityfocus.com/archive/77/495586

14. [SJ-JOB] Sr. Security Engineer, West Des Moines
http://www.securityfocus.com/archive/77/495593

15. [SJ-JOB] Database Security Engineer, CHICAGO
http://www.securityfocus.com/archive/77/495583

V. INCIDENTS LIST SUMMARY
---------------------------
VI. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Version-independent IOS shellcode
http://www.securityfocus.com/archive/82/495640

2. ToorCon 10 Call For Papers
http://www.securityfocus.com/archive/82/495607

VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Identifying Security Metrics in the Windows Enterprise
http://www.securityfocus.com/archive/88/495617

VIII. SUN FOCUS LIST SUMMARY
----------------------------
IX. LINUX FOCUS LIST SUMMARY
----------------------------
X. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

XI. SPONSOR INFORMATION
------------------------
This issue is sponsored by Ironkey: The World's Most Secure Flash Drive

IronKey flash drives lock down your most sensitive data using today's most advanced security technology.
IronKey uses military-grade AES CBC-mode hardware encryption that cannot be disabled by malware or an
intruder and provides rugged and waterproof protection to safeguard your data.
https://www.ironkey.com/forenterprise2
