November 27, 2006 - Current Activity

Vulnerability in Computer Associates BrightStor ARCServe Backup Tape Engine

US-CERT is aware of a new vulnerability in Computer Associates BrightStor ARCserve Backup Tape Engine. There is a flaw in the way RPC requests are handled by the Tape Engine. By sending a malformed RPC request to port 6502/tcp on a vulnerable system, a remote, unauthenticated attacker could execute arbitrary code with SYSTEM privileges.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#437300 - Computer Associates BrightStor ARCserve Backup Tape Engine fails to properly handle RPC requests

Initial reports indicate that BrightStor ARCserve Backup version 11.5 is affected by the flaw; however other versions may be affected as well. Computer Associates has reported that they are aware of this issue and are currently working on a solution.

Until an official update, patch, or more information becomes available, US-CERT recommends the following action to help mitigate the security risks:

• Block port 6502/tcp at the firewall.

US-CERT will continue to investigate and provide additional information as it becomes available.

Proof-of-Concept Exploit for Unpatched Vulnerability in Mac OS X

US-CERT is aware of a publically available proof-of-concept exploit for an unpatched vulnerability in Mac OS X. The exploit targets a flaw in the way that Mac OS X handles disk image structures (DMG files) resulting in memory corruption, causing a denial of service or possibly arbitrary code execution.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#367424 - Apple Mac OS X fails to properly handle corrupted DMG image structures

Mac users can protect themselves by turning off the default setting that allows "safe" files to automatically open after downloading. We strongly encourage users not to open files from untrusted sources.

Exploit Code Posted for Vulnerability in Microsoft Workstation Service

US-CERT is aware of public exploit code for a buffer overflow vulnerability in Microsoft Workstation Service. There is a flaw in the way Microsoft Workstation Service parses very long network messages. By sending specially crafted network messages to a vulnerable system, a remote, unauthenticated attacker could execute arbitrary code with administrator level privileges or cause a denial-of-service condition.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#778036 - Microsoft Workstation Service fails to properly parse malformed network messages

US-CERT strongly encourages users to take the following actions to mitigate the security risks:

• Apply updates as described in Microsoft Security Bulletin MS06-070 .
• Block ports 139/tcp and 445/tcp at the firewall as recommended in Microsoft Security Bulletin MS06-070.

Multiple ActiveX Vulnerabilities in Sky Software Component Used by WinZip 10

US-CERT is aware of multiple vulnerabilities in the Sky Software FileView ActiveX control used by WinZip 10. The first vulnerability is that the FileView ActiveX control contains several unsafe methods, but is marked as safe for scripting. By persuading a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote attacker may be able to execute arbitrary commands (e.g., copy, delete, execute, or any available command on the vulnerable system) with the privileges of the user. More information about this vulnerability can be found in the following:

• Vulnerability Note VU#512804 - Sky Software FileView ActiveX control allows arbitrary command execution via unsafe methods

The second vulnerability is a stack buffer overflow in the handling of the filepattern property. By persuading a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote attacker may be able to execute arbitrary code or crash Internet Explorer. There is public exploit code that takes advantage of this vulnerability. More information about this vulnerability can be found in the following:

• Vulnerability Note VU#225217 - Sky Software FileView ActiveX control buffer overflow vulnerability

US-CERT recommends the following actions to help mitigate the security risks:

• WinZip 10 users upgrade to WinZip 10.0 Build 7245.
• Disable ActiveX as specified in the Securing Your Web Browser document.
• Disable FileView object in Internet Explorer as described in Vulnerability Note VU#512804.
• Do not follow unsolicited links.
• Review the steps described in Microsoft's document to improve the safety of your browser.

Microsoft Releases November Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows and XML Core Services as part of the Microsoft Security Bulletin Summary for November 2006.

We strongly encourage users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

Additionally, more information about these vulnerabilities can be found in the Vulnerability Notes Database and Technical Cyber Security Alert TA06-318A.

Exploit Released for Broadcom Wireless Device Driver

US-CERT is aware of an exploit released for a vulnerability in the Broadcom BCMWL5.SYS wireless driver used in a various laptops including Dell, eMachines, Gateway, and HP. The flaw is due to a stack-based buffer overflow in the wireless device driver that could be exploited by an attacker to take complete control of a vulnerable system. The overflow is caused by improper handling of 802.11 probe responses containing an overly long SSID (service set identifier) field.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#209376 - Broadcom wireless driver fails to properly process 802.11 probe response frames

US-CERT recommends the following actions to help mitigate the security risks:

• Upgrade your wireless device driver when possible.
• Use wired networking methods until updates can be applied.
• Disable your wireless adapter when not in use.

Update to Microsoft PowerPoint Vulnerability and Proof-of-Concept Code

Microsoft has posted follow-up information for the PowerPoint 2003 proof-of-concept code previously reported in October. The follow up, posted on the Microsoft Security Response Center Blog, states that the vulnerability in PowerPoint 2003 can not be used to execute remote code as earlier stated. It goes on to further state that the flaw could be used to crash PowerPoint, and this flaw will be corrected in the next release of the product.

More information concerning this flaw is available at the Microsoft Security Response Center Blog.

US-CERT recommends the following actions to help protect your system:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Do not open unfamiliar or unexpected email attachments, even if sent by a known and trusted source.
• Save and scan any attachments before opening them.
• Review Cyber Security Tip ST04-010 for more information on working with email attachments.

Microsoft Releases Advance Notification for November Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that their November release cycle will contain six bulletins, some of which have a maximum severity rating of Critical. The notification further states that five of the bulletins are for Windows, and one is for their XML Core Services. The release is scheduled for Tuesday, November 14th.

US-CERT will provide additional information as it becomes available.

Mozilla Releases Security Advisories to Address Multiple Vulnerabilities

The Mozilla Foundation has released three security advisories to address multiple vulnerabilities in Firefox, Thunderbird, and SeaMonkey. The vulnerabilities include flaws in the way JavaScript and RSA signatures are handled. If successfully exploited, these vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code, forge an RSA signature, or cause a denial of service.

Notes:

• JavaScript must be enabled for a remote attacker to execute arbitrary code.
• Forging an RSA signature may allow an attacker to craft a valid certificate and impersonate a trusted website or email system that uses certificates for authentication.

More information about these vulnerabilities can be found in the following:

• Vulnerability Notes
• Technical Cyber Security Alert TA06-312A - Mozilla Updates for Multiple Vulnerabilities
• Mozilla Foundation Security Advisories - November 7, 2006

US-CERT strongly encourages users to take the following actions to help mitigate the security risks:

• Upgrade to the latest release of Firefox, Thunderbird and SeaMonkey .
• Disable JavaScript as specified in the Securing Your Web Browser document.
• Do not follow unsolicited links.

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

US-CERT is investigating reports of a vulnerability found in the XMLHTTP 4.0 ActiveX Control, which is a part of the Microsoft XML Core Services 4.0 on Windows. Microsoft and ISS are reporting limited attacks attempting to use this vulnerability. By persuading a user with Internet Explorer to view a specially crafted HTML document (malicious website), a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system with the privileges of the user.

Note: Microsoft states that users running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#585137 - Microsoft XML Core Services XMLHTTP ActiveX control vulnerability
• Microsoft Security Advisory 927892

Until an official update, patch, or more information becomes available, we recommend the following actions to help mitigate the security risks:

• Disable the XMLHTTP 4.0 object in Internet Explorer as specified in Microsoft Support Document 240797.
• Disable ActiveX as specified in the Securing Your Web Browser document.
• Do not follow unsolicited links.
• Review the steps described in Microsoft's document to improve the safety of your browser.

Exploit Code Posted for Unpatched Vulnerability in Apple AirPort Driver

US-CERT is aware of public exploit code for an unpatched vulnerability in Apple AirPort Wireless Drivers. There is a flaw in the way certain AirPort drivers process 802.11 wireless Ethernet frames. If successfully exploited, this vulnerability may allow a remote, unauthenticated attacker to create a denial-of-service condition on an affected system.

Note: Apple has stated that only AirPort drivers provided with Orinoco-based AirPort cards (1999-2003) are vulnerable.

Until an official update, patch, or more information becomes available, we recommend the following action to help mitigate the security risks:

• Disable the wireless adapter when not in use as specified on the AirPort Help webpage.

Exploit Code Posted for Vulnerability in Microsoft's Visual Studio

US-CERT is aware of publicly available exploit code for a new vulnerability in the Windows Management Instrumentation (WMI) Object Broker ActiveX control. This control is packaged with Microsoft Visual Studio 2005 and can be loaded by a malicious website using Internet Explorer. By persuading a user to view a specially crafted HTML document (e.g., a web page or an HTML email message) with Internet Explorer, a remote attacker may be able to execute arbitrary code on a vulnerable system.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#854856 - WMI Object Broker ActiveX Control bypasses ActiveX security model
• Microsoft Security Advisory 927709

Until an official update, patch, or more information becomes available, we recommend the following actions to help mitigate the security risks:

• Review the workarounds described in Microsoft Security Advisory 927709.
• Disable ActiveX as specified in the Securing Your Web Browser document and the Malicious Web Scripts FAQ.
• Do not follow unsolicited links.
• Review the steps described in Microsoft's document to improve the safety of your browser.