CIAC's latest security bulletins. http://www.ciac.org/ciac/index.html The CA Unicenter DMS ITRM Legends ActiveX control contains an integer overflow vulnerability, which can allow a remote attacker to execute arbitrary code on a vulnerable system. The risk is MEDIUM. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. http://www.ciac.org/ciac/bulletins/s-287.shtml 9 May 2008 19:00 GMT New Bulletin PHP contains a path translation vulnerability that may allow an attacker to execute arbitrary code. The risk is MEDIUM. An attacker may be able to execute arbitrary code in the context of an application that uses the vulnerable function. The scope of the impact depends on how the affected application works. Applications that process filename input from the network, such as public-facing web applications, would be vulnerable to a remote attacker. http://www.ciac.org/ciac/bulletins/s-286.shtml 9 May 2008 15:00 GMT New Bulletin Several security vulnerabilities have been discovered in Directory Server: 1) a shell command injection flaw in the Red Hat Administration Server replication monitor CGI script used by Red Hat Directory Server 8.0; and 2) the Red Hat Administration Server does not properly restrict access to CGI scripts. The risk is MEDIUM. An attacker with access to the replication monitor web page could execute arbitrary shell commands with the privileges of the Administration Server and an unauthenticated remote user with access to the TCP port used by the Administration Server could access information or perform certain tasks that should have been restricted to Directory Server administrative users. http://www.ciac.org/ciac/bulletins/s-285.shtml 8 May 2008 18:00 GMT New Bulletin Boorder Gateway Protocol (BGP) implementations from multiple vendors including Juniper may not properly handle specially crafted BGP UPDATE messages. These vulnerabilities could allow an unauthenticated, remote attacker to cause a denial of service. Disrupting BGP communication could lead to routing instability. The risk is LOW. A remote attacker could cause a denial of servcie by injecting a specially crafted BGP UPDATE message into a legitimate BGP session. An attacker with a configured BGP session could attack targets several BGP hops away, or an attacker could spoof TCP traffic. http://www.ciac.org/ciac/bulletins/s-284.shtml 7 May 2008 16:00 GMT New Bulletin cPanel contains multiple cross-site request forgery (XSRF) vulnerabilities which may allow an attacker to execute arbitrary commands. The risk is MEDIUM. If successfully exploited, these vulnerabilities may allow an attacker to execute arbitrary commands. http://www.ciac.org/ciac/bulletins/s-283.shtml 2 May 2008 19:00 GMT New Bulletin Potential security vulnerabilities have been identified with HP-UX running WBEM Services that could remotely execute arbitrary code or gain extended privileges. The risk is MEDIUM. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. http://www.ciac.org/ciac/bulletins/s-282.shtml 1 May 2008 15:00 GMT 7 May 2008 15:00 GMT Revised Bulletin Multiple vulnerabilities were found in SILC Client, Server, and Toolkit, allowing for Denial of Service and remote execution of arbitrary code. The risk is MEDIUM. A remote attacker could exploit these vulnerabilities to cause a Denial of Service or execute arbitrary code with the privileges of the user running the application. http://www.ciac.org/ciac/bulletins/s-281.shtml 28 Apr 2008 19:00 GMT New Bulletin Microsoft is investigating a new public report of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Servcie Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. The risk is MEDIUM. Could allow elevation of privilege. http://www.ciac.org/ciac/bulletins/s-280.shtml 25 Apr 2008 14:00 GMT New Bulletin A potential vulnerability has been identified with the HPeDiag ActiveX control which is a component of HP Software Update running under Windows. The risk is MEDIUM. This vulnerability could be exploited to allow remote disclosure of information and execution of arbitrary code. http://www.ciac.org/ciac/bulletins/s-279.shtml 25 Apr 2008 12:00 GMT New Bulletin It was discovered that suphp, an Apache module to run PHP scripts with owner permissions handles symlinks insecurely, which may lead to privilege escalation by local users. The risk is LOW. May lead to privilege escalation by local users. http://www.ciac.org/ciac/bulletins/s-278.shtml 25 Apr 2008 12:00 GMT New Bulletin Roundup, an issue tracking system, fails to properly escape HTML input, allowing an attacker to inject client-side code (typically JavaScript) into a document that may be viewed int he victim's browser. The risk is LOW. May allow an attacker to inject client-side code (typically JavaScript) into a document that may be viewed in the victim's browser. http://www.ciac.org/ciac/bulletins/s-277.shtml 25 Apr 2008 12:00 GMT New Bulletin Many websites use the PHP programming language to build web pages on the fly from individual files and from values obtained from a database. PHP based websites are widely used to create Wikis such as MediaWiki used for Wikipedia. If the PHP programs that generate the web pages are not carefully crafted to check user input before it is used, an intruder could inject code into a page and get it executed. http://www.ciac.org/ciac/techbull/CIACTech08-001.shtml 29 Jan 2008 18:00 GMT New Bulletin A common cyber attack is to send a user an Office document (Word, Excel, PowerPoint) containing malicious code that infects the user's computer and proceeds to do the miscreant's bidding. Targeting of users has gotten so sophisticated that advice such as "don't open files from people you don't know" is no longer effective. MOICE, the Microsoft Office Isolated Conversion Environment opens Office documents before the Office application, converts it to a format that does not "support" malcode and then invokes the application with the newly cleaned document. Properly implemented, this could mitigate attacks using email-borne Office malcode. http://www.ciac.org/ciac/techbull/CIACTech07-001.shtml 22 May 2007 23:00 GMT New Revised Bulletin SQL injection is a real threat that is being used to exploit company systems and data. This threat can be reduced by a combination of good programming practice, application firewalls, and scanning. http://www.ciac.org/ciac/techbull/CIACTech06-001.shtml 6 Sep 2006 21:00 GMT 28 Apr 2008 21:00 GMT Revised Bulletin Many sites have detected large numbers of udp packets directed at the DNS port (53). These packets contain a lot of structure and there is concern that they are exploit or remote control packets. It turns out that they are discovery packets being sent to random IP addresses by the Sinit Calypso worm. They are invalid DNS packets and should be ignored by DNS servers. http://www.ciac.org/ciac/techbull/CIACTech05-001.shtml 15 Nov 2004 20:00 GMT Before systems containing the MyDoom.A worm can be cleaned, they must be detected. As running a scanner on each system can be difficult and time consuming, a method of remote scanning for infected machines is needed. http://www.ciac.org/ciac/techbull/CIACTech04-001.shtml 30 Jan 2004 23:00 GMT New Bulletin A spam engine has been released that uses the Windows Messenger Service (not the MSN Messenger instant messaging program) to send spam messages to users. The Messenger service is active on most Windows platforms. http://www.ciac.org/ciac/techbull/CIACTech03-001.shtml 29 Oct 2002 24:00 GMT New Bulletin Several online articles have worried the problem of file capture using Microsoft Word field codes. The articles have gone so far as suggesting that Word be banned from company computers until this is changed. These articles have created undue worry among computer users about what is a relatively low risk vulnerability. http://www.ciac.org/ciac/techbull/CIACTech02-005.shtml 27 Sep 2002 24:00 GMT New Bulletin Programs are being intentionally packaged with legitimate software to display advertising on your screen, gather information on your browsing habits, and to sell your unused CPU cycles and disk space. Current applications are relatively benign but could easily be used for an invasion of privacy or other malicious purposes. http://www.ciac.org/ciac/techbull/CIACTech02-004.shtml 11 Nov 2002 23:00 GMT New Bulletin Microsoft Office for Macintosh OS X has an antipiracy mechanism that secretly opens network service ports on a Macintosh system and broadcasts version information to other systems on a single subnet. The problem is that open network services provide attack points for intruders and need to be controlled by users. http://www.ciac.org/ciac/techbull/CIACTech02-003.shtml 26 Apr 2002 00:00 GMT New Bulletin Browser Helper Objects (BHO) are Microsoft's way of attaching add-ins to Internet Explorer 4 and later. In addition to legitimate uses, BHOs are used to attach spyware to a user's web browser to secretly send a user's browsing habits to a marketing site and could be used for malicious code. The problems are that there is no simple way to know what BHOs are attached to a system and no simple way to control the attachment of new ones. http://www.ciac.org/ciac/techbull/CIACTech02-002.shtml 2 Apr 2002 23:00 GMT New Bulletin In recent months, many servers running ssh have been compromised using the SSH CRC32 Compensation Attack Detector. Compromised machines have either not been upgraded to SSH protocol 2 or have not disabled drop back to SSH protocol 1. Use of this attack allows a remote user to gain root access on a server. http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml 9 May 2002 19:00 GMT New Bulletin There are several security issues in PCRE library which potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions. The risk is LOW. Could potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions. http://www.ciac.org/ciac/bulletins/s-037.shtml 7 Nov 2007 15:00 GMT 8 May 2008 15:00 GMT Revised Bulletin A remote code execution vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user. The risk is HIGH. A remote code execution vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user. http://www.ciac.org/ciac/bulletins/r-295.shtml 10 Jul 2007 20:00 GMT 8 May 2008 20:00 GMT Revised Bulletin There is a flaw in the way kpdf displayed malformed fonts embedded in PDF files which could potentially execute arbitrary code. The risk is MEDIUM. An attacker could create a malicious PDF file that would cause kpdf to crash, or potentially, execute arbitrary code when opened. http://www.ciac.org/ciac/bulletins/s-269.shtml 25 Apr 2008 11:00 GMT 8 May 2008 11:00 GMT Revised Bulletin There are several vulnerabilities in PHP. The risk is MEDIUM. Could possibly execute arbitrary code as the apache user. http://www.ciac.org/ciac/bulletins/r-355.shtml 20 Sep 2007 20:00 GMT 07 May 2008 18:00 GMT Revised Bulletin Several vulnerabilities have been discovered in GNU Tar. The risk is MEDIUM. May lead to arbitrary code execution when processing maliciously crafted archives. http://www.ciac.org/ciac/bulletins/s-100.shtml 3 Jan 2008 22:00 GMT 7 May 2008 22:00 GMT Revised Bulletin A flaw was found in the processing of malformed JavaScript content which could lead to the execution of arbitrary code. The risk is MEDIUM. A web page containing such maliciuos content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. http://www.ciac.org/ciac/bulletins/s-270.shtml 25 Apr 2008 11:00 GMT 2 May 2008 11:00 GMT Revised Bulletin There are remote code execution vulnerabilities that exist in the way Microsoft Office handles specially crafted Excel files and processes malformed Office files. The risk is MEDIUM. An attacker could exploit the vulnerability by creating a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-225.shtml 14 Mar 2008 17:00 GMT 1 May 2008 17:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object. The risk is MEDIUM. Code runs in the context of the user. http://www.ciac.org/ciac/bulletins/r-232.shtml 9 May 2007 12:00 GMT 1 May 2008 12:00 GMT Revised Bulletin Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. The risk is MEDIUM. Could lead to the potential execution of arbitrary code. http://www.ciac.org/ciac/bulletins/s-092.shtml 21 Dec 2007 21:00 GMT 28 Apr 2008 21:00 GMT Revised Bulletin Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets. The risk is LOW. Successful exploitation of these vulnerabilities may result in the reload of the device or memory leaks, leading to a DoS condition. http://www.ciac.org/ciac/bulletins/s-241.shtml 27 Mar 2008 19:00 GMT 28 Apr 2008 19:00 GMT Revised Bulletin Vulnerabilities exist in Microsoft PowerPoint and Excel that could allow remote code execution. The risk is MEDIUM. An intruder who can coerce a user to open a malicious PowerPoint or Excel document can run arbitrary code in the security context of the logged-in user. http://www.ciac.org/ciac/bulletins/r-131.shtml 14 Feb 2007 12:00 GMT 24 Apr 2008 12:00 GMT Revised Bulletin A remote code execution vulnerability exists in the ActiveX control hxvz.dll and an update that includes kill bits that will prevent ActiveX controls from being run in Internet Explorer. The risk is MEDIUM. An attacker who successfully exploited this vulenrability could gain the same user rights as the logged on user. http://www.ciac.org/ciac/bulletins/s-256.shtml 9 Apr 2008 20:00 GMT 24 Apr 2008 20:00 GMT Revised Bulletin Several remote code execution vulnerabilities exists in the way Microsoft Visio validates: 1) object header data in specially crafted file; and 2) memory allocations when loading specially-crafted .DXF files from disk into memory. The risk is MEDIUM. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. http://www.ciac.org/ciac/bulletins/s-252.shtml 9 Apr 2008 19:00 GMT 24 Apr 2008 19:00 GMT Revised Bulletin A remote code execution vulnerability exists in Internet Explorer because of the way that it processes data streams. An attacker could exploit the vulnerability by constructing a specially crafted Web page. The risk is MEDIUM. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. http://www.ciac.org/ciac/bulletins/s-257.shtml 9 Apr 2008 20:00 GMT 24 Apr 2008 20:00 GMT Revised Bulletin A remote code vulnerability exists in Microsoft Works File Converter due to the way that it improperly validates: 1) section length headers with the .wps format; 2) section header index table information with the .wps file format; and 3) various field lengths information with the .wps file format. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. http://www.ciac.org/ciac/bulletins/s-177.shtml 13 Feb 2008 13:00 GMT 17 Apr 2008 13:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way that the VBScript and JScript scripting engines decode script in Web pages. This vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running specially crafted script. The risk is MEDIUM. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-255.shtml 9 Apr 2008 20:00 GMT 17 Apr 2008 20:00 GMT Revised Bulletin Microsoft Office has an execution jump vulnerability which could allow remote code execution if a user opens a specially crafted Microsoft Office document with a malformed object inserted into the document. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. http://www.ciac.org/ciac/bulletins/s-179.shtml 13 Feb 2008 13:00 GMT 17 Apr 2008 13:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way Microsoft Project handles specially crafted Project files. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-253.shtml 9 Apr 2008 19:00 GMT 17 Apr 2008 19:00 GMT Revised Bulletin There are several memory corruption vulnerabilities in Internet Explorer that could allow remote code execution. The risk is MEDIUM. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. http://www.ciac.org/ciac/bulletins/s-176.shtml 12 Feb 2008 21:00 GMT 17 Apr 2008 21:00 GMT Revised Bulletin An elevation of privilege vulnerability exists due to the Windows kernel improperly validating input passed from user mode to the kernel. The vulnerability could allow an attacker to run code with elevated privileges. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-258.shtml 9 Apr 2008 21:00 GMT 17 Apr 2008 21:00 GMT Revised Bulletin A spoofing vulnerability exists in Windows DNS clients. The vulnerability could allow an unauthenticated attacker to send malicious responses to DNS requests made by vulnerable clients, thereby spoofing or redirecting Internet traffic from legitimate locations. The risk is MEDIUM. Could allow an unauthenticated attacker to send malicious responses to DNS requests made by vulnerable clients, thereby spoofing or redirecting Internet traffic from legitimate locations. http://www.ciac.org/ciac/bulletins/s-251.shtml 9 Apr 2008 19:00 GMT 17 Apr 2008 19:00 GMT Revised Bulletin Remote code vulnerabilities exist in the way Excel: 1) processes data validation records when loading Excel files into memory; 2) handles data when importing files into Excel; 3) Style record data when opening Excel files; 4) handles malformed formulas; 5) handles rich text values when loading application data into memory; 6) handles conditional formatting values; and 7) handles macros when opening specially crafted Excel files. The risk is MEDIUM. An attacker could exploit the vulnerabilities by sending malformed files which could be hosted on a specially crafted or compromised Web site, or included as an e-mail attachment. http://www.ciac.org/ciac/bulletins/s-227.shtml 14 Mar 2008 17:00 GMT 17 Apr 2008 17:00 GMT Revised Bulletin A remote code execution exists in Outlook. The risk is MEDIUM. The vulnerability could allow remote code execution if Outlook is passed a specially crafted malito URI. http://www.ciac.org/ciac/bulletins/s-226.shtml 14 Mar 2008 17:00 GMT 17 Apr 2008 17:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way that Word handles specially crafted Word files. The risk is MEDIUM. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed value. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. http://www.ciac.org/ciac/bulletins/s-175.shtml 12 Feb 2008 21:00 GMT 17 Apr 2008 21:00 GMT Revised Bulletin Several remote code execution vulnerabilities exist in the way that GDI handles: 1) integer valculations; and 2) filename parameters in EMF files. The vulnerability could allow remote code execution if a user opens a specially crafted EMF or WMF image file. The risk is HIGH. An attacker who successfully exploited this vulnerability could take complete control of an affected system. This exploit has been seen in the wild. http://www.ciac.org/ciac/bulletins/s-254.shtml 9 Apr 2008 20:00 GMT 17 Apr 2008 20:00 GMT Revised Bulletin An integer overflow flaw was found in the way Cairo processes PNG images. The risk is MEDIUM. It is possible to execute arbitrary code as the user running the application. http://www.ciac.org/ciac/bulletins/s-063.shtml 3 Dec 2007 14:00 GMT 14 Apr 2008 14:00 GMT Revised Bulletin There is a flaw in the way the OpenLDAP slapd daemon handled modified and modrdn request with NOOP control on objects stored in a Berkeley DB (BDB) storage backend. The risk is LOW. An authenticated attacker with permission to perform modify or modrdn operations on such LDAP ojects could cause slapd to crash. http://www.ciac.org/ciac/bulletins/s-199.shtml 25 Feb 2008 21:00 GMT 14 Apr 2008 21:00 GMT Revised Bulletin Several local vulnerabilities have been discovered in Xine, a media player library, allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content. The risk is MEDIUM. Allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code. http://www.ciac.org/ciac/bulletins/s-261.shtml 10 Apr 2008 15:00 GMT 14 Apr 2008 15:00 GMT Revised Bulletin A potential security vulnerability has been identified in HP OpenView Operations (OVO) Agents running Shared Trace Service. The risk is MEDIUM. Could be remotely exploited to execute arbitrary code. http://www.ciac.org/ciac/bulletins/s-111.shtml 11 Jan 2008 19:00 GMT 10 Apr 2008 19:00 GMT Revised Bulletin