CIAC's latest security bulletins. http://www.ciac.org/ciac/index.html Several remote vulnerabilities have been discovered in the Common Unix Printing System (CUPS). The risk is LOW. Could possibly run arbitrary code through crafted HP-GL and GIF files. http://www.ciac.org/ciac/bulletins/s-371.shtml 20 Aug 2008 16:00 GMT New Bulletin It was discovered that afuse, an automounting file system in user-space, did not properly escape meta characters in paths. This allowed a local attacker with read access to the file system to execute commands as the owner of the file system. The risk is LOW. This allows a local attacker with read access to the file system to execute commands as the owner of the file system. http://www.ciac.org/ciac/bulletins/s-370.shtml 20 Aug 2008 16:00 GMT New Bulletin The PDF Distiller service that is provided with BlackBerry Enterprise Server contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The risk is MEDIUM. By convincing a user to open a spsecially-crafted PDF attachment on a BlackBerry smartphone, a remote, unauthenticated attacker may be able to execute arbitrary code on the system that runs the BlackBerry Attachment Service. http://www.ciac.org/ciac/bulletins/s-369.shtml 20 Aug 2008 16:00 GMT New Bulletin RealPlayer contains a buffer overflow vulnerability that may allow an attacker to execute code on a vulnerable system. The risk is MEDIUM. BY convincing a user to visit a website, a remote attacker may be able to execute arbitrary code. http://www.ciac.org/ciac/bulletins/s-368.shtml 20 Aug 2008 16:00 GMT New Bulletin An exploit has been public which may impact the availability, confidentiality or integrity of WebLogic Server applications which use the Apache web server configured with the WebLogic plug-in for Apache. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. The risk is MEDIUM. A remote, authenticated attacker may be able to execute arbitrary code. http://www.ciac.org/ciac/bulletins/s-367.shtml 20 Aug 2008 16:00 GMT New Bulletin It was discovered that Gaim, an multi-protocol instant messaging client, was vulnerable to several integer overflows in its MSN protocol handlers. These could allow a remote attacker to execute arbitrary code. The risk is MEDIUM. These could allow a remote attacker to execute arbitrary code. http://www.ciac.org/ciac/bulletins/s-366.shtml 20 Aug 2008 16:00 GMT New Bulletin Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The risk is MEDIUM. May lead to denial of service or the execution of arbitrary code. http://www.ciac.org/ciac/bulletins/s-365.shtml 20 Aug 2008 16:00 GMT New Bulletin A vulnerability in the ClamAV anti-virus toolkit's parsing of Petite-packed Win32 executables. The weakness leads to an invalid memory access, and could enable an attacker to crash clamav by supplying a maliciously crafted Petite-compressed binary for scanning. The risk is MEDIUM. In some configurations, such as when ClamAV is used in combination with mail servers, this could cause a system to "fail open," facilitating a follow-on viral attack. http://www.ciac.org/ciac/bulletins/s-364.shtml 20 Aug 2008 16:00 GMT New Bulletin It was discovered that a buffer overflow in the RC4 functions of libexslt may lead to the execution of arbitrary code. The risk is MEDIUM. May lead to the execution of arbitrary code. http://www.ciac.org/ciac/bulletins/s-363.shtml 20 Aug 2008 14:00 GMT New Bulletin It was discovered that OpenSC, a library and utilities to handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN. The risk is MEDIUM. With this bug anyone can change a user PIN without having the PIN or PUK or the superusers PIN or PUK. However it can not be used to figure out the PIN. http://www.ciac.org/ciac/bulletins/s-362.shtml 20 Aug 2008 13:00 GMT New Bulletin Oracle has released a critical patch update for multiple security vulnerabilities. The risk is MEDIUM. May be remotely exploitable without authentication, i.e. may be exploited over a network with out the need for a username or password. http://www.ciac.org/ciac/bulletins/s-361.shtml 18 Aug 2008 19:00 GMT New New Bulletin Cross-Site Scripting has become an increasingly prevalent attack vector that can be leveraged to perform a wide range of compromises. These compromises can range from simple popup displays within a user's browser to session and cookie capture that are used for information and identity theft. As these attacks become more mature, as well as obscure, it is imperative that we understand how they happen, how they propagate, and the ways to prevent them. By understanding the different vectors of attack and realizing and implementing simple security measures against them, we can better protect ourselves and our users now, and in the future. http://www.ciac.org/ciac/techbull/CIACTech08-003.shtml 3 Jun 2008 17:00 GMT New Bulletin Windows hash dumping tools are often spotlighted as hacker tools that can somehow magically extract windows hashes and allow an intruder access to a system. In actuality, the hashes are there, in memory, where any admin or system level user can get at them. The tools just grab them and print them out. This paper will describe how Windows hashes are created, how the hash dumpers get at them, and what can be done with the hashes. http://www.ciac.org/ciac/techbull/CIACTech08-002.shtml 21 May 2008 23:00 GMT New Bulletin Many websites use the PHP programming language to build web pages on the fly from individual files and from values obtained from a database. PHP based websites are widely used to create Wikis such as MediaWiki used for Wikipedia. If the PHP programs that generate the web pages are not carefully crafted to check user input before it is used, an intruder could inject code into a page and get it executed. http://www.ciac.org/ciac/techbull/CIACTech08-001.shtml 29 Jan 2008 18:00 GMT New Bulletin A common cyber attack is to send a user an Office document (Word, Excel, PowerPoint) containing malicious code that infects the user's computer and proceeds to do the miscreant's bidding. Targeting of users has gotten so sophisticated that advice such as "don't open files from people you don't know" is no longer effective. MOICE, the Microsoft Office Isolated Conversion Environment opens Office documents before the Office application, converts it to a format that does not "support" malcode and then invokes the application with the newly cleaned document. Properly implemented, this could mitigate attacks using email-borne Office malcode. http://www.ciac.org/ciac/techbull/CIACTech07-001.shtml 22 May 2007 23:00 GMT New Revised Bulletin SQL injection is a real threat that is being used to exploit company systems and data. This threat can be reduced by a combination of good programming practice, application firewalls, and scanning. http://www.ciac.org/ciac/techbull/CIACTech06-001.shtml 6 Sep 2006 21:00 GMT 28 Apr 2008 21:00 GMT Revised Bulletin Many sites have detected large numbers of udp packets directed at the DNS port (53). These packets contain a lot of structure and there is concern that they are exploit or remote control packets. It turns out that they are discovery packets being sent to random IP addresses by the Sinit Calypso worm. They are invalid DNS packets and should be ignored by DNS servers. http://www.ciac.org/ciac/techbull/CIACTech05-001.shtml 15 Nov 2004 20:00 GMT Before systems containing the MyDoom.A worm can be cleaned, they must be detected. As running a scanner on each system can be difficult and time consuming, a method of remote scanning for infected machines is needed. http://www.ciac.org/ciac/techbull/CIACTech04-001.shtml 30 Jan 2004 23:00 GMT New Bulletin A spam engine has been released that uses the Windows Messenger Service (not the MSN Messenger instant messaging program) to send spam messages to users. The Messenger service is active on most Windows platforms. http://www.ciac.org/ciac/techbull/CIACTech03-001.shtml 29 Oct 2002 24:00 GMT New Bulletin Several online articles have worried the problem of file capture using Microsoft Word field codes. The articles have gone so far as suggesting that Word be banned from company computers until this is changed. These articles have created undue worry among computer users about what is a relatively low risk vulnerability. http://www.ciac.org/ciac/techbull/CIACTech02-005.shtml 27 Sep 2002 24:00 GMT New Bulletin Programs are being intentionally packaged with legitimate software to display advertising on your screen, gather information on your browsing habits, and to sell your unused CPU cycles and disk space. Current applications are relatively benign but could easily be used for an invasion of privacy or other malicious purposes. http://www.ciac.org/ciac/techbull/CIACTech02-004.shtml 11 Nov 2002 23:00 GMT New Bulletin Microsoft Office for Macintosh OS X has an antipiracy mechanism that secretly opens network service ports on a Macintosh system and broadcasts version information to other systems on a single subnet. The problem is that open network services provide attack points for intruders and need to be controlled by users. http://www.ciac.org/ciac/techbull/CIACTech02-003.shtml 26 Apr 2002 00:00 GMT New Bulletin Browser Helper Objects (BHO) are Microsoft's way of attaching add-ins to Internet Explorer 4 and later. In addition to legitimate uses, BHOs are used to attach spyware to a user's web browser to secretly send a user's browsing habits to a marketing site and could be used for malicious code. The problems are that there is no simple way to know what BHOs are attached to a system and no simple way to control the attachment of new ones. http://www.ciac.org/ciac/techbull/CIACTech02-002.shtml 2 Apr 2002 23:00 GMT New Bulletin In recent months, many servers running ssh have been compromised using the SSH CRC32 Compensation Attack Detector. Compromised machines have either not been upgraded to SSH protocol 2 or have not disabled drop back to SSH protocol 1. Use of this attack allows a remote user to gain root access on a server. http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml 9 May 2002 19:00 GMT New Bulletin A remote code execution vulnerability exists in the way DirectX handles supported format files. The risk is MEDIUM. This vulnerability could allow remote code execution if a user opened a specially crafted file. http://www.ciac.org/ciac/bulletins/s-312.shtml 12 Jun 2008 14:00 GMT 18 Aug 2008 14:00 GMT Revised Bulletin There are multiple remote code execution vulnerabilities in the Excel. An attacker could exploit the vulnerability by opening a specially crafted file which could be hosted on a Web site, or included as an e-mail attachment. The risk is MEDIUM. Depending on the attack scenario, the vulnerability could lead to remote code execution ona user's local Excel client, or it could lead to elevation of privilage within a SharePoint Server. http://www.ciac.org/ciac/bulletins/s-349.shtml 13 Aug 2008 17:00 GMT 18 Aug 2008 17:00 GMT Revised Bulletin Multiple interger overflows to a heap overflow were discovered in the array- and string-handling code used by Ruby. The risk is MEDIUM. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. http://www.ciac.org/ciac/bulletins/s-344.shtml 28 Jul 2008 19:00 GMT 18 Aug 2008 19:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way that the VBScript and JScript scripting engines decode script in Web pages. This vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running specially crafted script. The risk is MEDIUM. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-255.shtml 9 Apr 2008 20:00 GMT 18 Aug 2008 20:00 GMT Revised Bulletin Multiple remote code execution vulnerabilities exists in the way that Microsoft Office filter handles images. An attacker could exploit the vulneraiblity by constructing a specially crafted Encapsulated PostScript (EPS) file that could allow remote code execution if a user opened the file with a Microsoft Office application. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability. http://www.ciac.org/ciac/bulletins/s-350.shtml 13 Aug 2008 17:00 GMT 18 Aug 2008 17:00 GMT Revised Bulletin An information disclosure vulnerability exists in the manner in which IPsec policies are imported to Windows Server 2008 domains from Windows Server 2003 domains. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text. This, in turn, would potentially disclose information intended to be encrypted on the network. The risk is LOW. An attacker intercepting the traffic on the network would be able to view and possibly modify the contents of the traffic. http://www.ciac.org/ciac/bulletins/s-355.shtml 13 Aug 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin Several vulnerabilties exists in SQL Server that could allow a authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. http://www.ciac.org/ciac/bulletins/s-334.shtml 8 Jul 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin There is a heap-based buffer overflow vulnerability in Mozilla mail code which could potentially allow an attacker to run arbitrary code. The risk is MEDIUM. COuld potentially allow an attacker to run arbitrary code. The vulnerability is caused by allocating a buffer that can be three bytes too small in certain cases when viewing an email message with an external MIME body. http://www.ciac.org/ciac/bulletins/s-207.shtml 27 Feb 2008 19:00 GMT 18 Aug 2008 19:00 GMT Revised Bulletin Several vulnerabilities have been discovered in the interpreter for the Python language which may lead to the execution of arbitrary code. The risk is MEDIUM. May lead to the execution of arbitrary code if a user is tricked into processing malformed images. http://www.ciac.org/ciac/bulletins/s-276.shtml 25 Apr 2008 12:00 GMT 18 Aug 2008 12:00 GMT Revised Bulletin A spoofing vulnerability exists in Windows DNS client and Windows DNS server. This vulnerability could allow a remote unauthenticated attacker to quickly and reliably spoof responses and insert records into the DNS server or client cache, thereby redirecting Internet traffic. The risk is MEDIUM. This vulnerability could allow a remote unauthenticated attacker to quickly and reliably spoof responses and insert records into the DNS server or client cache, thereby redirecting Internet traffic. http://www.ciac.org/ciac/bulletins/s-332.shtml 8 Jul 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin Multiple remote code execution vulnerabilities exists in the way that Microsoft Office PowerPoint Viewer 2003 handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. The risk is MEDIUM. An attacker who successfully exploited this vulnerabilities could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-354.shtml 13 Aug 2008 17:00 GMT 18 Aug 2008 17:00 GMT Revised Bulletin Multiple issues were discovered in the gd GIF image-handling code. The risk is MEDIUM. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. http://www.ciac.org/ciac/bulletins/s-218.shtml 4 Mar 2008 16:00 GMT 18 Aug 2008 16:00 GMT Revised Bulletin Microsoft is investigating active, targeted attacks leveraging a potential vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. The risk is MEDIUM. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. http://www.ciac.org/ciac/bulletins/s-337.shtml 8 Jul 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin There is a vulnerability in Firefox that could crash in Mozilla's block reflow code that could be used by an attacker to crash the browser and run arbitrary code on the victim's computer. The risk is MEDIUM. A remote, unauthenticated attacker may be able to execute arbitrary code or cause a vulnerable browser to crash. http://www.ciac.org/ciac/bulletins/s-335.shtml 8 Jul 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches. The risk is HIGH. Successful exploitation of the vulnerability described in this document may result in invalid hostname-to-IP address mappings in the cache of an affected DNS server. This may lead of this DNS server to contact with wrong provider of network services. http://www.ciac.org/ciac/bulletins/s-341.shtml 28 Jul 2008 19:00 GMT 18 Aug 2008 19:00 GMT Revised Bulletin An information disclosure vulnerability exists in Outlook Express and Windows mail because the MHTML protocol handler incorrectly interprets MHTML URL redirections that could potentially bypass Internet Explorer domain restrictions when running MHTML content. An attacker could exploit the vulneraiblity by constructing a specially crafted Web page. The risk is LOW. An attacker who successfully exploited this vulnerability could read data from another Internet Explorer domain or the local computer. http://www.ciac.org/ciac/bulletins/s-356.shtml 13 Aug 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin There is a cross-site scripting vulnerability in the affected versions of Outlook Web Access (OWA) for Exchange Server. Exploitation of the vulnerability could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. The risk is LOW. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. If the malicious script is executed, the script would run inthe security context of the user's OWA session and could perform any action that user could perform such as reading, sending, and deleting e-mail as the logged-on user. http://www.ciac.org/ciac/bulletins/s-339.shtml 8 Jul 2008 19:00 GMT 30 Jul 2008 19:00 GMT Revised Bulletin A buffer overfun vulnerability exists in the Microsoft Jet Database Engine (JET) that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-290.shtml 13 May 2008 19:00 GMT 29 Jul 2008 19:00 GMT Revised Bulletin There are several vulnerabilities with Microsoft DirectX where a remote code execution vulnerability exists in the way DirectX handles: 1) parsing SAMI Files; and 2) parsing WAV and AVI files. The risk is MEDIUM. This vulnerability could allow code execution if a user opened a specially crafted file. http://www.ciac.org/ciac/bulletins/s-074.shtml 11 Dec 2007 20:00 GMT 29 Jul 2008 20:00 GMT Revised Bulletin A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). This vulnerability could be exploited remotely to execute arbitrary code or to create a Denial of Service (DoS). The risk is MEDIUM. The vulnerability could be exploited remotely execute arbitrary code or to create a Denial of Service (DoS). http://www.ciac.org/ciac/bulletins/s-317.shtml 19 Jun 2008 16:00 GMT 8 Jul 2008 16:00 GMT Revised Bulletin PHP contains a path translation vulnerability that may allow an attacker to execute arbitrary code. The risk is MEDIUM. An attacker may be able to execute arbitrary code in the context of an application that uses the vulnerable function. The scope of the impact depends on how the affected application works. Applications that process filename input from the network, such as public-facing web applications, would be vulnerable to a remote attacker. http://www.ciac.org/ciac/bulletins/s-286.shtml 9 May 2008 15:00 GMT 27 Jun 2008 15:00 GMT Revised Bulletin A remote code execution vulnerability exists in the Bluetooth stack in Microsoft Windows because the Bluetooth stack does not correctly handle a large nubmer of service description requests. The risk is MEDIUM. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulenrability could take complete contorl of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. http://www.ciac.org/ciac/bulletins/s-314.shtml 12 Jun 2008 14:00 GMT 27 Jun 2008 14:00 GMT Revised Bulletin A buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to denial of service and potentially the execution of arbitrary code. The risk is MEDIUM. Could lead to denial of service and potentially the execution of arbitrary code. http://www.ciac.org/ciac/bulletins/s-164.shtml 11 Feb 2008 18:00 GMT 27 Jun 2008 18:00 GMT Revised Bulletin A remote code execution vulnerability exists in Microsoft XML Core Services that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-onuser. The risk is MEDIUM. If the user is logged on with administrative user rights, an attacker could take complete control of the affected system. http://www.ciac.org/ciac/bulletins/r-316.shtml 14 Aug 2007 18:00 GMT 27 Jun 2008 18:00 GMT Revised Bulletin A potential security vulnerability has been identified with HP-UX running HP CIFS Server (Samba). The risk is MEDIUM. This vulnerability could be exploited remotely to execute arbitrary code. http://www.ciac.org/ciac/bulletins/s-232.shtml 27 Mar 2008 14:00 GMT 27 Jun 2008 14:00 GMT Revised Bulletin A heap-based buffer overflow flaw was found in the way Samba clients handle over-sized packets. If a client connected to a malicious Samba server, it was possible to execute arbitrary code as the Samba client user. The risk is MEDIUM. A malicious Samba server could run arbitrary code on a Samba client as the Samba client user. Alternately, a malicious client could run arbitrary code on a Samba server with the permissions of the Samba server. http://www.ciac.org/ciac/bulletins/s-301.shtml 30 May 2008 12:00 GMT 27 Jun 2008 12:00 GMT Revised Bulletin A remote code execution exists in Outlook. The risk is MEDIUM. The vulnerability could allow remote code execution if Outlook is passed a specially crafted malito URI. http://www.ciac.org/ciac/bulletins/s-226.shtml 14 Mar 2008 17:00 GMT 5 Jun 2008 17:00 GMT Revised Bulletin Several flaws werer reported in the way libvorbis processed audio data. The risk is MEDIUM. An attacker could create a carefully crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. http://www.ciac.org/ciac/bulletins/s-294.shtml 15 May 2008 20:00 GMT 5 Jun 2008 20:00 GMT Revised Bulletin Remote code vulnerabilities exist in the way Excel: 1) processes data validation records when loading Excel files into memory; 2) handles data when importing files into Excel; 3) Style record data when opening Excel files; 4) handles malformed formulas; 5) handles rich text values when loading application data into memory; 6) handles conditional formatting values; and 7) handles macros when opening specially crafted Excel files. The risk is MEDIUM. An attacker could exploit the vulnerabilities by sending malformed files which could be hosted on a specially crafted or compromised Web site, or included as an e-mail attachment. http://www.ciac.org/ciac/bulletins/s-227.shtml 14 Mar 2008 17:00 GMT 5 Jun 2008 17:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way Microsoft Publisher validates object header data. An attacker could exploit the vulnerability by sending a specially crafted Publisher file which could be an e-mail attachment, or hosted on a specially crafted or compromised Web site. The risk is MEDIUM. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-289.shtml 13 May 2008 20:00 GMT 5 Jun 2008 19:00 GMT Revised Bulletin