secfeeds_vulnheadlines

Vuln: Pligg CMS 'status' Parameter SQL Injection Vulnerability

Sat, 29 Dec 2012 00:00:00 +0000

Pligg CMS 'status' Parameter SQL Injection Vulnerability

Vuln: WordPress WP-FaceThumb 'pagination_wp_facethum' Parameter Cross Site Scripting Vulnerability

Tue, 15 May 2012 00:00:00 +0000

WordPress WP-FaceThumb 'pagination_wp_facethum' Parameter Cross Site Scripting Vulnerability

Vuln: Serendipity SQL Injection and Cross Site Scripting Vulnerabilities

Tue, 15 May 2012 00:00:00 +0000

Serendipity SQL Injection and Cross Site Scripting Vulnerabilities

Vuln: RETIRED: Serendipity SQL Injection and Cross Site Scripting Vulnerabilities

Tue, 15 May 2012 00:00:00 +0000

RETIRED: Serendipity SQL Injection and Cross Site Scripting Vulnerabilities

MS12-035 - Critical : Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777) - Version: 2.0

Fri, 11 May 2012 07:00:00 +0000

Severity Rating: Critical
Revision Note: V2.0 (May 11, 2012): Added an entry to the update FAQ to communicate that security update KB2656353 addresses the vulnerabilities described in this bulletin for all supported systems running Microsoft .NET Framework 1.1 Service Pack 1, except when installed on Windows Server 2003 Service Pack 2. There were no changes to the security update files. Customers who have successfully installed the update do not need to take any action.
Summary: This security update resolves two privately reported vulnerabilities in the .NET Framework. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS11-100 - Critical : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420) - Version: 1.4

Fri, 11 May 2012 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.4 (May 11, 2012): Added entry to the update FAQ to announce that KB2656353, offered in this bulletin, also addresses CVE-2012-0160 and CVE-2012-0161, which are documented in MS12-035.
Summary: This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

MS12-029 - Critical : Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352) - Version: 1.1

Wed, 09 May 2012 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.1 (May 9, 2012): Corrected update replacement information for Microsoft Office Compatibility Pack Service Pack 2. This is a bulletin change only. There were no changes to detection logic or security update files.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

TA12-129A: Microsoft Updates for Multiple Vulnerabilities

Tue, 08 May 2012 21:01:03 +0000

Original release date: May 08, 2012 | Last revised: -- Systems Affected Microsoft Windows Microsoft .NET Framework Microsoft Office Microsoft Silverlight Overview Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities. Description The Microsoft Security Bulletin Summary for May 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities. Impact A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system. Solution Apply updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates. References Microsoft Security Bulletin Summary for May 2012 - Microsoft Windows Server Update Services - Microsoft Update - Microsoft Update Overview - Turn Automatic Updating On or Off - Revision History May 08, 2012: Initial release

MS12-034 - Critical : Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578) - Version: 1.0

Tue, 08 May 2012 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (May 8, 2012): Bulletin published.
Summary: This security update resolves three publicly disclosed vulnerabilities and seven privately reported vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

MS12-033 - Important : Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533) - Version: 1.0

Tue, 08 May 2012 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (May 8, 2012): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

MS12-032 - Important : Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338) - Version: 1.0

Tue, 08 May 2012 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (May 8, 2012): Bulletin published.
Summary: This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.

MS12-031 - Important : Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981) - Version: 1.0

Tue, 08 May 2012 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (May 8, 2012): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS12-030 - Important : Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830) - Version: 1.0

Tue, 08 May 2012 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (May 8, 2012): Bulletin published.
Summary: This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

VU#520827: PHP-CGI query string parameter vulnerability

US-CERT — Thu, 03 May 2012 19:29:56 +0000

Vulnerability Note VU#520827

PHP-CGI query string parameter vulnerability

Original Release date: 03 May 2012 | Last revised: 08 May 2012

Overview

PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files.

Description

According to PHP's website, "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.

An example of the -s command, allowing an attacker to view the source code of index.php is below:

http://localhost/index.php?-s

Additional information can be found in the vulnerability reporter's blog post.

Impact

A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.

Solution

Apply update

PHP has released version 5.4.3 and 5.3.13 to address this vulnerability. PHP is recommending that users upgrade to the latest version of PHP.

PHP has stated, PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues.

Apply mod_rewrite rule

PHP has stated an alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

RewriteCond %{QUERY_STRING} ^[^=]*$

RewriteCond %{QUERY_STRING} %2d|\- [NC]

RewriteRule .? - [F,L]

Vendor Information

According to PHP's website Apache+mod_php and nginx+php-fpm are not affected.

Vendor	Status	Date Notified	Date Updated
The PHP Group	Affected	23 Feb 2012	08 May 2012

CVSS Metrics (Learn More)

Group	Score	Vector
Base	9.0	AV:N/AC:L/Au:N/C:C/I:P/A:P
Temporal	8.5	E:F/RL:U/RC:C
Environmental	8.7	CDP:L/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to De Eindbazen for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-1823 CVE-2012-2311
Date Public: 03 May 2012
Date First Published: 03 May 2012
Date Last Updated: 08 May 2012
Document Revision: 29

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#359816: Oracle database TNS listener vulnerability

US-CERT — Tue, 01 May 2012 18:43:31 +0000

Vulnerability Note VU#359816

Oracle database TNS listener vulnerability

Original Release date: 01 May 2012 | Last revised: 01 May 2012

Overview

The Oracle database component contains a vulnerability in the TNS listener service that may be exploited to sniff database traffic and run arbitrary database commands.

Description

The Oracle database component contains a vulnerability in the TNS listener service that has been referred to as (TNS Poison) in public discussions. The TNS listener service accepts unauthenticated remote registrations with the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). Joxean Koret's email to the Full Disclosure mailing list contains additional details. Oracle Security Alert for CVE-2012-1675 also contains more information.

Impact

An unauthenticated attacker may be able to register a client using an already registered database's instance name to perform a man-in-the-middle attack that allows the attack to sniff database traffic and inject database commands to the server.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds provided by Oracle.

Using Class of Secure Transport (COST) to Restrict Instance Registration

"To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = (IPC)" is used to restrict instance registration with database listeners. With this COST restriction in place only local instances will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only local instances."

Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC

To demonstrate how the COST parameter "SECURE_REGISTER_

listener_name

= " is used to restrict instance registration with local node and SCAN listeners in an 11.2. RAC environment. With COST restrictions in place only local and authorized instances having appropriate credentials will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only those instances having appropriate credentials."

Additional information may be found at the links above.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Oracle Corporation	Affected	-	01 May 2012

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	5.9	E:POC/RL:OF/RC:C
Environmental	5.9	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was discovered by Joxean Koret.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-1675
Date Public: 27 Apr 2012
Date First Published: 01 May 2012
Date Last Updated: 01 May 2012
Document Revision: 15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

MS12-027 - Critical : Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258) - Version: 2.0

Thu, 26 Apr 2012 07:00:00 +0000

Severity Rating: Critical
Revision Note: V2.0 (April 26, 2012): Added Service Pack 1 versions of SQL Server 2008 R2 to the Affected Software and added an entry to the update FAQ to explain which SQL Server 2000 update to use based on version ranges. These are informational changes only. There were no changes to the security update files or detection logic. For a complete list of changes, see the entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update.
Summary: This security update resolves a privately disclosed vulnerability in Windows common controls. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.

MS12-028 - Important : Vulnerability in Microsoft Office Could Allow Remote Code Execution (2639185) - Version: 1.1

Wed, 25 Apr 2012 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (April 25, 2012): Added an entry to the update FAQ to explain why this update is offered to customers running Microsoft Office 2007 Service Pack 3.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office and Microsoft Works. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

VU#889195: RuggedCom Rugged Operating System (ROS) contains hard-coded user account with predictable password

US-CERT — Tue, 24 Apr 2012 19:43:31 +0000

Vulnerability Note VU#889195

RuggedCom Rugged Operating System (ROS) contains hard-coded user account with predictable password

Original Release date: 24 Apr 2012 | Last revised: 01 May 2012

Overview

RuggedCom Rugged Operating System (ROS) contains a hard-coded user account with a predictable password.

Description

RuggedCom Rugged Operating System (ROS), used in RuggedCom network infrastructure devices, contains a hard-coded user account named "factory" that cannot be disabled. The password for this account is based on the device's MAC address and can be reverse engineered easily (CWE-261: Weak Cryptography for Passwords).

ROS also supports HTTP(S) and ssh services. In ROS 3.3.x, these services do not use the factory account. ROS does not appear to log successful or unsuccessful login attempts for the factory account.

More information is available in "Undocumented Backdoor Access to RuggedCom Devices" and RuggedCom's security bulletin.

Impact

An attacker with knowledge of an ROS device's MAC address may be able to gain complete administrative control of the device. The MAC address is displayed in the pre-authentication banner.

Solution

We are currently unaware of a practical solution to this problem.

According to RuggedCom's security bulletin, "In the next few weeks, RuggedCom will be releasing new versions of ROS firmware that removes the undocumented factory account. RuggedCom plans to have all the above-mentioned upgrades to ROS firmware and RuggedExplorer available through our customer support channel within the next few weeks and will issue another bulletin containing further details at that time."

Workarounds

ROS 3.3.x allows users to disable the rsh service and set the number of allowed telnet connections to 0. ROS 3.2.x does not alllow the rsh or telnet services to be disabled.

Vendor Information

Vendor	Status	Date Notified	Date Updated
RuggedCom	Affected	10 Feb 2012	01 May 2012
Siemens	Affected	-	01 May 2012

CVSS Metrics (Learn More)

Group	Score	Vector
Base	8.5	AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal	7.3	E:POC/RL:W/RC:C
Environmental	1.8	CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Justin W. Clarke, an independent security researcher in San Francisco, California, for reporting this vulnerability.

This document was written by Michael Orlando and Art Manion.

Other Information

CVE IDs: CVE-2012-1803
Date Public: 23 Apr 2012
Date First Published: 24 Apr 2012
Date Last Updated: 01 May 2012
Document Revision: 45

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

MS12-026 - Important : Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860) - Version: 1.1

Wed, 18 Apr 2012 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (April 18, 2012): Corrected the bulletin replacement information for Microsoft Forefront Unified Access Gateway 2010 Service Pack 1. This is a bulletin change only. There were no changes to the detection or security update files.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG). The more severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted query to the UAG server.

MS12-017 - Important : Vulnerability in DNS Server Could Allow Denial of Service (2647170) - Version: 1.1

Wed, 18 Apr 2012 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (April 18, 2012): Added a link to Microsoft Knowledge Base Article 2647170 under Known Issues in the Executive Summary and corrected the bulletin replacement information for Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, and Windows Server 2003 with SP2 for Itanium-based Systems. This is a bulletin change only. There were no changes to the detection.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server.

MS12-025 - Critical : Vulnerability in .NET Framework Could Allow Remote Code Execution (2671605) - Version: 1.1

Fri, 13 Apr 2012 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.1 (April 13, 2012): Added a link to Microsoft Knowledge Base Article 2671605 under Known Issues
Summary: This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

TA12-101B: Adobe Reader and Acrobat Security Updates and Architectural Improvements

Tue, 10 Apr 2012 22:02:05 +0000

Original release date: April 10, 2012 | Last revised: -- Systems Affected Adobe Reader X (10.1.2) and earlier 10.x versions for Windows and Macintosh Adobe Reader 9.5 and earlier 9.x versions for Windows, Macintosh, and UNIX Adobe Acrobat X (10.1.2) and earlier 10.x versions for Windows and Macintosh Adobe Acrobat 9.5 and earlier 9.x versions for Windows and Macintosh Overview Adobe has released Security Bulletin APSB12-08, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat. As part of this update, Adobe Reader and Acrobat 9.x will use the system-wide Flash Player browser plug-in instead of the Authplay component. In addition, Reader and Acrobat now disable the rendering of 3D content by default. Description Adobe Security Bulletin APSB12-08 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Adobe Reader and Acrobat versions 9.x through 9.5, and Reader X and Acrobat X versions prior to 10.1.3. The Adobe ASSET blog provides additional details on new security architecture changes to Adobe Reader and Acrobat. Adobe Reader and Acrobat 9.5.1 will use the Adobe Flash Player plug-in version installed on the user’s system rather than the Authplay component that ships with Adobe Reader and Acrobat. This change helps limit the number of out-of-date, vulnerable Flash runtimes available to an attacker. Adobe Reader and Acrobat 9.5.1 also now disable rendering of 3D content by default because the 3D rendering components have a history of vulnerabilities. US-CERT recommends that Flash users upgrade to the latest version of Adobe Flash Player and turn on automatic updates. An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. This can happen automatically as the result of viewing a webpage. Impact These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file. Solution Update Reader Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB12-08 and update vulnerable versions of Adobe Reader and Acrobat. In addition to updating, please consider the following mitigations. Disable JavaScript in Adobe Reader and Acrobat Disabling JavaScript may prevent some exploits from resulting in code execution. You can disable Acrobat JavaScript using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript). Adobe provides a framework to blacklist specific JavaScipt APIs. If JavaScript must be enabled, this framework may be useful when specific APIs are known to be vulnerable or used in attacks. Prevent Internet Explorer from automatically opening PDF files The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\AcroExch.Document.7] "EditFlags"=hex:00,00,00,00 Disable the display of PDF files in the web browser Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. Applying this workaround may also mitigate future vulnerabilities. To prevent PDF files from automatically being opened in a web browser, do the following: 1. Open Adobe Acrobat Reader. 2. Open the Edit menu. 3. Choose the Preferences option. 4. Choose the Internet section. 5. Uncheck the "Display PDF in browser" checkbox. Do not access PDF files from untrusted sources Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010. References Security update available for Adobe Reader and Acrobat - Adobe Reader and Acrobat JavaScript Blacklist Framework - Background on Security Bulletin APSB12-08 - Adobe Flash Player - Adobe Flash vulnerability affects Flash Player and other Adobe products - Vulnerability Notes with advice to disable 3D rendering - Revision History April 10, 2012: Initial release

TA12-101A: Microsoft Updates for Multiple Vulnerabilities

Tue, 10 Apr 2012 18:37:12 +0000

Original release date: April 10, 2012 | Last revised: -- Systems Affected Microsoft Windows Microsoft Internet Explorer Microsoft .NET Framework Microsoft Office Microsoft Server Software Microsoft SQL Server Microsoft Developer Tools Microsoft Forefront United Access Gateway Overview There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft Server Software, Microsoft SQL Server, Microsoft Developer Tools, and Microsoft Forefront United Access Gateway. Microsoft has released updates to address these vulnerabilities. Description The Microsoft Security Bulletin Summary for April 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities. Impact A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system. Solution Apply updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates. References Microsoft Security Bulletin Summary for April 2012 - Microsoft Windows Server Update Services - Microsoft Update - Microsoft Update Overview - Turn Automatic Updating On or Off - Revision History April 10, 2012: Initial release

VU#400619: Pluck SiteLife software multiple XSS vulnerabilities

US-CERT — Tue, 10 Apr 2012 15:21:12 +0000

Vulnerability Note VU#400619

Pluck SiteLife software multiple XSS vulnerabilities

Original Release date: 10 Apr 2012 | Last revised: 12 Apr 2012

Overview

Pluck SiteLife software contains multiple XSS vulnerabilities.

Description

According to DemandMedia's website Pluck SiteLife software is an integrated community platform architected for brands. Pluck SiteLife software contains multiple cross site scripting (XSS) vulnerabilities.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

http://sitelife.example.host/ver1.0/Direct/Process?referrerURL=x&jsonRequest=

<body%20onload=alert(1)//>

http://sitelife.example.host/ver1.0/Direct/jsonp.htm?r=

<img%20src=x%20onerror=alert(2)//>&cb=<body%20onload=alert(1)//>

http://sitelife.example.host/ver1.0/sys/jsonp.app/.htm?cb=

<img%20src=x%20onerror=alert(1)>&widget_path=pluck%2fuser%2fpersona%wffirstperson%2fprofile.app

It has also has been reported that the cv, jsonRequest, r and ctk parameter could be vulnerable in some instances.

Impact

An attacker with access to the Pluck SiteLife software can conduct a cross site scripting attack, which could be used to result in information leakage, privilege escalation, and/or denial of service.

Solution

Apply an Update

Pluck has stated that all affected customers have already been notified via email in regards to the new release and changelog documentation is available for customers who login to the Pluck Connect portal. Users are advised to upgrade to release 5.0.13 or later.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a Pluck SiteLife software using stolen credentials from a blocked network location.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Pluck	Affected	03 Jan 2012	12 Apr 2012

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.0	AV:N/AC:M/Au:S/C:P/I:P/A:P
Temporal	5.0	E:F/RL:OF/RC:C
Environmental	3.8	CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Phil Purviance for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-0253
Date Public: 10 Apr 2012
Date First Published: 10 Apr 2012
Date Last Updated: 12 Apr 2012
Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

MS12-024 - Critical : Vulnerability in Windows Could Allow Remote Code Execution (2653956) - Version: 1.0

Tue, 10 Apr 2012 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (April 10, 2012): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

MS12-023 - Critical : Cumulative Security Update for Internet Explorer (2675157) - Version: 1.0

Tue, 10 Apr 2012 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (April 10, 2012): Bulletin published.
Summary: This security update resolves five privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

VU#232979: Multiple vulnerabilities in Intuit QuickBooks

US-CERT — Mon, 02 Apr 2012 18:59:56 +0000

Vulnerability Note VU#232979

Multiple vulnerabilities in Intuit QuickBooks

Original Release date: 02 Apr 2012 | Last revised: 08 May 2012

Overview

Intuit QuickBooks 2009 through 2012 have been reported to contain a file disclosure and heap corruption vulnerability.

Description

Derek Soeder's vulnerability report states the following:

Intuit Help System Protocol File Retrieval
The vulnerability described in this document can be exploited by malicious HTML and Javascript to retrieve a file from a ZIP archive to which the user viewing the HTML has local or network file system access. The attacker must know or guess the path and file name of the target ZIP archive and the target file it contains. A further significant limitation is that files in subdirectories inside of ZIP archives have proven inaccessible, based on a sampling of Windows ZIPs, Microsoft Office 2007 documents, JARs, and APKs.

Intuit Help System Protocol URL Heap Corruption and Memory Leak
The vulnerability described in this document can potentially be exploited by malicious HTML and/or Javascript to execute arbitrary code as the user viewing the malicious content.

Additional details may be found in the full advisories linked above.

Impact

An attacker may be able to retrieve sensitive files or run arbitrary code.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workaround.

Disable the Intuit Help System protocol

Delete, rename, or restrict read access to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Classes\PROTOCOLS\Handler\intu-help-qb#

Where '#' is a digit from 1 to 5, or delete, rename, or restrict execute access to the "HelpAsyncPluggableProtocol.dll" file in the QuickBooks installation directory, and then restart Internet Explorer and any application that uses it as an embedded Web browser. Note that disabling the protocol will prevent QuickBooks from displaying help pages.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Intuit, Inc.	Affected	23 Mar 2012	08 May 2012

CVSS Metrics (Learn More)

Group	Score	Vector
Base	5.0	AV:A/AC:--/Au:N/C:C/I:C/A:P
Temporal	3.6	E:U/RL:W/RC:UC
Environmental	3.6	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Derek Soeder for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: Unknown
Date Public: 30 Mar 2012
Date First Published: 02 Apr 2012
Date Last Updated: 08 May 2012
Document Revision: 12

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#928795: Netgear FVS318N router default remote management vulnerability

US-CERT — Mon, 02 Apr 2012 15:42:13 +0000

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#834723: TP-Link 8840T DSL router default remote management vulnerability

US-CERT — Mon, 02 Apr 2012 14:12:13 +0000

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#551715: Quagga contains multiple vulnerabilities

US-CERT — Fri, 23 Mar 2012 12:10:13 +0000

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Zend Server Multiple HTML Injection Vulnerabilities

Fri, 23 Mar 2012 07:08:47 +0000

EJBCA "issuer" Parameter Cross-Site Scripting

Fri, 23 Mar 2012 07:08:32 +0000

OpenLDAP LDAP Search Request Remote Denial of Service

Fri, 23 Mar 2012 07:08:17 +0000

Vegas Movie Studio HD "CFHDDecoder.dll" DLL Loading Arbitrary Code Execution

Fri, 23 Mar 2012 07:08:00 +0000

Microsoft Expression "wintab32.dll" DLL Loading Arbitrary Code Execution

Fri, 23 Mar 2012 07:07:38 +0000

Jenkins Multiple Cross-Site Scripting and Directory Traversal Vulnerabilities

Thu, 22 Mar 2012 13:19:48 +0000

SquirrelMail Autocomplete Plugin Email Addresses Cross-Site Scripting

Thu, 22 Mar 2012 13:19:35 +0000

Google Chrome Remote Code Execution

Thu, 22 Mar 2012 13:19:23 +0000

XnView Multiple Buffer Overflow Vulnerabilities

Thu, 22 Mar 2012 13:19:10 +0000

Microsoft Windows "DirectWrite" API Denial of Service

Thu, 22 Mar 2012 13:18:52 +0000

VU#743555: @Mail Open webmail client contains multiple vulnerabilities

US-CERT — Thu, 22 Mar 2012 12:40:14 +0000

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#523027: LG-Nortel ELO GS24M Switch contains multiple vulnerabilities

US-CERT — Wed, 21 Mar 2012 12:40:14 +0000

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#364363: WebGlimpse command injection vulnerability

US-CERT — Tue, 20 Mar 2012 20:35:13 +0000

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#212651: InspIRCd heap corruption vulnerability

US-CERT — Mon, 19 Mar 2012 20:33:49 +0000

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#913483: Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries web interface and preconfigured password vulnerabilities

US-CERT — Mon, 19 Mar 2012 19:00:12 +0000

Vulnerability Note VU#913483

Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries web interface and preconfigured password vulnerabilities

Original Release date: 19 Mar 2012 | Last revised: 13 Apr 2012

Overview

Cross scripting and preconfigured password vulnerabilities have been reported to exist in the Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries.

Description

Quantum Scalar i500, Dell ML6000 and IBM TS3310 enterprise tape libraries contain multiple web interface and preconfigured account password vulnerabilities.

The Quantum Scalar i500 and Dell ML6000 tape libraries contain the following web interface vulnerabilities.

CWE-552: Files or Directories Accessible to External Parties
The web interface allows an unauthenticated remote user to view any file on the web server, for example http://device/logShow.htm?file=/etc/shadow (CVE-2012-1841).
CWE-200: Information Exposure
A cross-site scripting vulnerability in http://device/checkQKMProg.htm allows compromise of active session ids (CVE-2012-1842).
CWE-352: Cross-Site Request Forgery (CSRF)
A command-injection vulnerability in http://device/saveRestore.htm (via the fileName POST parameter) allows execution of arbitrary commands as the root user, by an authenticated remote web user (CVE-2012-1843).

CWE-259: Use of Hard-coded Password
The Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries also contain preconfigured passwords for certain accounts which are considered to be weak and could be exploited allowing an attacker user access (CVE-2012-1844).

The CVSS metrics below apply to CVE-2012-1844.

Impact

An attacker with access to a local user account or via malicious URL can execute arbitrary code or commands on the vulnerable system. It has been reported to us that customer data residing on the tapes within the libraries are not affected.

Solution

Upgrade firmware

Quantum has released a firmware update i7.0.3 (604G.GS00100) or greater will correct these issues.

Dell firmware update A20-00 (590G.GS00100) or greater will correct these issues.

IBM firmware update R6C (606G.GS001) or greater will correct these issues.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries using stolen credentials from a blocked network location.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Dell Computer Corporation, Inc.	Affected	16 Nov 2011	13 Apr 2012
IBM Corporation	Affected	23 Nov 2011	13 Apr 2012
Quantum	Affected	23 Nov 2011	13 Apr 2012

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal	5.3	E:POC/RL:OF/RC:C
Environmental	5.3	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to NOAA CIRT for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-1844 CVE-2012-1843 CVE-2012-1842 CVE-2012-1841
Date Public: 19 Mar 2012
Date First Published: 19 Mar 2012
Date Last Updated: 13 Apr 2012
Document Revision: 41

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#624051: Microsoft Remote Desktop Protocol (RDP) insecurely deallocates memory

US-CERT — Thu, 15 Mar 2012 19:05:13 +0000

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

VU#339177: Cisco AnyConnect Clientless SSL VPN Portforwarder ActiveX control buffer overflow

US-CERT — Wed, 14 Mar 2012 18:17:27 +0000

Vulnerability Note VU#339177

Cisco AnyConnect Clientless SSL VPN Portforwarder ActiveX control buffer overflow

Overview

The Cisco AnyConnect ActiveX control contains a buffer overflow vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Cisco AnyConnect is an SSL VPN solution that is commonly initiated through use of a web browser. When Internet Explorer is used, the AnyConnect VPN server provides an ActiveX control that downloads and installs the AnyConnect client software. One of the components provided by Cisco AnyConnect for use with Internet Explorer is an ActiveX control called the "CISCO Portforwarder Control." This ActiveX control is provided by the file ciscopf.ocx. The Cisco Portforwarder ActiveX control contains a buffer overflow in its initialization parameters. We have confirmed that version 1.0.1.8 of the Portforwarder control is vulnerable. Previous versions may also be affected.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

III. Solution

Apply an update

This issue is addressed in Cisco Security Advisory cisco-sa-20120314-asaclient. Please note that updating a Cisco ASA device with the fixed software will not protect systems that have already downloaded the vulnerable control. Please also consider the following workarounds:

Disable the Cisco AnyConnect Portforwarder ActiveX control in Internet Explorer

The vulnerable Cisco AnyConnect Portforwarder ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{B8E73359-3422-4384-8D27-4EA1B4C01232}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\

{B8E73359-3422-4384-8D27-4EA1B4C01232}

]

"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\

{B8E73359-3422-4384-8D27-4EA1B4C01232}

]

"Compatibility Flags"=dword:00000400

Vendor Information

Vendor	Status	Date Notified	Date Updated
Cisco Systems, Inc.	Affected	2011-06-16	2012-03-14

References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient
http://www.cisco.com/en/US/products/ps8411/tsd_products_support_series_home.html
http://support.microsoft.com/kb/240797
http://www.us-cert.gov/reading_room/securing_browser/

Credit

This vulnerability was reported by Will Dormann of the CERT/CC

This document was written by Will Dormann.

Other Information

Date Public:	2012-03-14
Date First Published:	2012-03-14
Date Last Updated:	2012-03-14
CERT Advisory:
CVE-ID(s):	CVE-2012-0358
NVD-ID(s):	CVE-2012-0358
US-CERT Technical Alerts:
Severity Metric:	11.03
Document Revision:	18

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

MS12-022 - Important : Vulnerability in Expression Design Could Allow Remote Code Execution (2651018) - Version: 1.1

Wed, 14 Mar 2012 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (March 14, 2012): Removed erroneous installation switch option descriptions from the Security Update Deployment tables for all supported releases. This is an informational change only. There were no changes to the detection logic or the update files.
Summary: This security update resolves one privately reported vulnerability in Microsoft Expression Design. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .xpr or .DESIGN file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Expression Design could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .xpr or .DESIGN file) from this location that is then loaded by a vulnerable application.

TA12-073A: Microsoft Updates for Multiple Vulnerabilities

Tue, 13 Mar 2012 18:34:31 +0000

Original release date: March 13, 2012 Last revised: -- Source: US-CERT Systems Affected Microsoft WindowsMicrosoft Visual StudioMicrosoft Expression Design Overview There are multiple vulnerabilities in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design. Microsoft has released updates to address these vulnerabilities. I. Description The Microsoft Security Bulletin Summary for March 2012 describes multiple vulnerabilities in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design. Microsoft has released updates to address the vulnerabilities. II. Impact A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system. III. Solution Apply updatesMicrosoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates. IV. References Microsoft Security Bulletin Summary for March 2012 - Microsoft Windows Server Update Services - Microsoft Update - Microsoft Update Overview - Turn Automatic Updating On or Off - Feedback can be directed to US-CERT. Produced 2012 by US-CERT, a government organization. Terms of use Revision History March 13, 2012: Initial release

MS12-021 - Important : Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019) - Version: 1.0