netVigilance ScoutNews April 24 2009

2009 Issue #17

ScoutNews
The weekly Security update from
the makers of SecureScout
April 24, 2009

Table of Contents

Product Focus

This Week in Review

Top Security News Stories this Week

New Vulnerabilities Tested in SecureScout

New Vulnerabilities found this Week

Product Focus

Spida Digispid Worm Scanner - The S4 Spida Digispid Worm Scanner is a free utility made by SecureScout that will scan up to 256 IP addresses at once to assess if any are prone any of the Microsoft Java Virtual Machine Vulnerabilities (MS02-069).

Download Here:
http://www.netvigilance.com/productdownloads?productname=spidadigispidwormscanner

This Week in Review

Security vendors: Come together. Privacy versus security - a balance. As protection gets better, hackers get better too. Call for new consumer law.

Enjoy reading & Stay safe.

Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com

Top Security News Stories this Week

• RSA chief calls for 'inventive collaboration' among security vendors

April 21, 2009 (Computerworld) SAN FRANCISCO -- Two years after suggesting that independent security vendors were headed for extinction, Art Coviello, president of RSA, is calling for "inventive collaboration" among vendors for dealing with the expanding range of threats facing business and government.

Coviello's is a sentiment shared by multiple industry representatives at the conference, who said that the threat facing private and government networks called for a more unified response from all cybersecurity stakeholders.

The key to this happening is for vendors to stop viewing their technologies as "piecemeal" products aimed at addressing discrete security problems, Coviello said. Rather the emphasis needs to be on ensuring that each vendor's products works well with others' products to provide better information risk management opportunities, Coviello said.

Computerworld

Full Story :
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9131947&source=rss_topic17

• RSA: The fundamental challenge of security versus privacy

A fundamental tension exists in balancing individual privacy rights and the collective right to security, Gary McGraw, CTO of application security vendor Cigital, said at the RSA Conference on Tuesday.

"When you do something under FISA, you achieve a good balance," Joel said.

SC Magazine

Full Story :
http://www.scmagazineus.com/RSA-The-fundamental-challenge-of-security-versus-privacy/article/131098/

• RSA: Cybercriminals keeping up with banking safeguards

Threats are becoming more sophisticated, and cybercriminals are getting smarter at evading new authentication controls, according to an RSA Conference panel of security practitioners representing three major financial institutions.

Members of the panel, comprising experts at Bank of America, PayPal and JPMorganChase, agreed Wednesday that the burden is on them to secure their systems for customers -- many of whom are being greeted with slick new attempts to take over accounts. Securing systems includes implementing a defense-in-depth approach that offers multifactor authentication on the front end and fraud detection capabilities on the back end, the panelists said.

"The bad guys invested in a spell checker," joked David Shroyer, senior vice president at Bank of America's Online Security and Enrollment division. "I'd love to combat phishing in 2004 versus what we're facing today."

SC Magazine

Full Story :
http://www.scmagazineus.com/RSA-Cybercriminals-keeping-up-with-banking-safeguards/article/131165/

• RSA: National consumer privacy and security law needed

The question of whether the United States needs a national consumer data privacy and security law was met with a resounding "yes" from panelists on Wednesday at the RSA Conference.

The country is operating amid a fundamental paradox -- it has too many privacy and security laws and at the same time, too few, said panelist James Dempsey, policy director at the Center for Democracy and Technology, a nonprofit advocacy group.

Dempsey said the various federal laws securing credit reports, medical data, education records and credit cards are like a "patchwork quilt." He added that having it this way does not serve either consumers or the industry well.

SC Magazine

Full Story :
http://www.scmagazineus.com/RSA-National-consumer-privacy-and-security-law-needed/article/131187/

New Vulnerabilities Tested in SecureScout

• 18342 Internet Explorer Blended Threat Remote Code Execution Vulnerability (MS09-014/963027) (Remote File Checking)

A blended threat remote code execution vulnerability exists in the way that Internet Explorer locates and opens files on the system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MISC:
http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx
* MISC:
http://blogs.zdnet.com/security/?p=1230
* MISC:
http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html
* MISC:
http://www.microsoft.com/technet/security/advisory/953818.mspx
* APPLE: APPLE-SA-2008-06-19
http://lists.apple.com/archives/security-announce/2008//Jun/msg00001.html
* MS: MS09-015
http://www.microsoft.com/technet/security/bulletin/ms09-015.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* BID: 29445
http://www.securityfocus.com/bid/29445
* SECTRACK: 1022047
http://www.securitytracker.com/id?1022047
* VUPEN: ADV-2008-1706
http://www.frsirt.com/english/advisories/2008/1706
* SECTRACK: 1020150
http://securitytracker.com/id?1020150
* SECUNIA: 30467
http://secunia.com/advisories/30467
* VUPEN: ADV-2009-1028
http://www.vupen.com/english/advisories/2009/1028
* VUPEN: ADV-2009-1029
http://www.vupen.com/english/advisories/2009/1029
* XF: apple-safari-windows-code-execution(42765)
http://xforce.iss.net/xforce/xfdb/42765

CVE Reference:

CVE-2008-2540 (cve.mitre.org, nvd.nist.gov)

• 18343 Internet Explorer WinINet Credential Reflection Vulnerability (MS09-014/963027) (Remote File Checking)

A remote code execution vulnerability exists in the way that WinINet handles NTLM credentials when a user connects to an attacker's server by way of the HTTP protocol. This vulnerability allows an attacker to replay the user's credentials back to the attacker and to execute code in the context of the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS09-013
http://www.microsoft.com/technet/security/Bulletin/MS09-013.mspx
* MS: MS09-014
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* OSVDB: 53619
http://osvdb.org/53619
* SECTRACK: 1022041
http://www.securitytracker.com/id?1022041
* SECUNIA: 34677
http://secunia.com/advisories/34677
* SECUNIA: 34678
http://secunia.com/advisories/34678
* VUPEN: ADV-2009-1027
http://www.vupen.com/english/advisories/2009/1027
* VUPEN: ADV-2009-1028
http://www.vupen.com/english/advisories/2009/1028

CVE Reference:

CVE-2009-0550 (cve.mitre.org, nvd.nist.gov)

• 18344 Internet Explorer Page Transition Memory Corruption Vulnerability (MS09-014/963027) (Remote File Checking)

A remote code execution vulnerability exists in the way Internet Explorer handles transition when navigating between Web pages. As a result, system memory may be corrupted in such a way that an attacker could execute arbitrary code if a user visited a specially crafted Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS09-014
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* OSVDB: 53624
http://osvdb.org/53624
* SECTRACK: 1022042
http://www.securitytracker.com/id?1022042
* SECUNIA: 34678
http://secunia.com/advisories/34678
* VUPEN: ADV-2009-1028
http://www.vupen.com/english/advisories/2009/1028

CVE Reference:

CVE-2009-0551 (cve.mitre.org, nvd.nist.gov)

• 18345 Internet Explorer Uninitialized Memory Corruption Vulnerability (CVE-2009-0552) (MS09-014/963027) (Remote File Checking)

A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS09-014
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* OSVDB: 53625
http://osvdb.org/53625
* SECTRACK: 1022042
http://www.securitytracker.com/id?1022042
* SECUNIA: 34678
http://secunia.com/advisories/34678
* VUPEN: ADV-2009-1028
http://www.vupen.com/english/advisories/2009/1028

CVE Reference:

CVE-2009-0552 (cve.mitre.org, nvd.nist.gov)

• 18346 Internet Explorer Uninitialized Memory Corruption Vulnerability (CVE-2009-0553) (MS09-014/963027) (Remote File Checking)

References:

* MS: MS09-014
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* OSVDB: 53626
http://osvdb.org/53626
* SECTRACK: 1022042
http://www.securitytracker.com/id?1022042
* SECUNIA: 34678
http://secunia.com/advisories/34678
* VUPEN: ADV-2009-1028
http://www.vupen.com/english/advisories/2009/1028

CVE Reference:

CVE-2009-0553 (cve.mitre.org, nvd.nist.gov)

• 18347 Internet Explorer Uninitialized Memory Corruption Vulnerability (CVE-2009-0554) (MS09-014/963027) (Remote File Checking)

A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS09-014
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* SECTRACK: 1022042
http://www.securitytracker.com/id?1022042
* SECUNIA: 34678
http://secunia.com/advisories/34678
* VUPEN: ADV-2009-1028
http://www.vupen.com/english/advisories/2009/1028

CVE Reference:

CVE-2009-0554 (cve.mitre.org, nvd.nist.gov)

• 18348 Excel Memory Corruption Vulnerability (CVE-2009-0100) (MS09-009/968557) (Remote File Checking)

A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS09-009
http://www.microsoft.com/technet/security/Bulletin/MS09-009.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* OSVDB: 53665
http://osvdb.org/53665
* SECTRACK: 1022039
http://www.securitytracker.com/id?1022039

CVE Reference:

CVE-2009-0100 (cve.mitre.org, nvd.nist.gov)

• 18349 Excel Memory Corruption Vulnerability (CVE-2009-0238) (MS09-009/968557) (Remote File Checking)

References:

* MISC:
http://blogs.zdnet.com/security/?p=2658
* MISC:
http://isc.sans.org/diary.html?storyid=5923
* MISC:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022310-4202-99
* CONFIRM:
http://www.microsoft.com/technet/security/advisory/968272.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* BID: 33870
http://www.securityfocus.com/bid/33870
* SECTRACK: 1021744
http://securitytracker.com/id?1021744
* XF: ms-excel-unspecified-code-execution(48875)
http://xforce.iss.net/xforce/xfdb/48875
* MS: MS09-009
http://www.microsoft.com/technet/security/Bulletin/MS09-009.mspx

CVE Reference:

CVE-2009-0238 (cve.mitre.org, nvd.nist.gov)

• 18350 Windows HTTP Services Integer Underflow Vulnerability (MS09-013/960803) (Remote File Checking)

A remote code execution vulnerability exists in the way that Windows HTTP Services handle specific values that are returned by a remote Web server. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with the same user rights as the service or application which calls the WinHTTP API to connect to the attacker's Web server.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS09-013
http://www.microsoft.com/technet/security/Bulletin/MS09-013.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* BID: 34435
http://www.securityfocus.com/bid/34435
* OSVDB: 53620
http://osvdb.org/53620
* SECTRACK: 1022041
http://www.securitytracker.com/id?1022041
* SECUNIA: 34677
http://secunia.com/advisories/34677
* VUPEN: ADV-2009-1027
http://www.vupen.com/english/advisories/2009/1027

CVE Reference:

CVE-2009-0086 (cve.mitre.org, nvd.nist.gov)

• 18351 Windows HTTP Services Certificate Name Mismatch Vulnerability (MS09-013/960803) (Remote File Checking)

A spoofing vulnerability exists in Windows HTTP Services as a result of the incomplete validation of the distinguished name in a digital certificate. When combined with specific other attacks, such as DNS spoofing, this may allow an attacker to successfully spoof the digital certificate of a Web site for any application that uses Windows HTTP Services.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: Low

References:

* MS: MS09-013
http://www.microsoft.com/technet/security/Bulletin/MS09-013.mspx
* CERT: TA09-104A
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
* BID: 34437
http://www.securityfocus.com/bid/34437
* SECTRACK: 1022041
http://www.securitytracker.com/id?1022041
* SECUNIA: 34677
http://secunia.com/advisories/34677
* VUPEN: ADV-2009-1027
http://www.vupen.com/english/advisories/2009/1027

CVE Reference:

CVE-2009-0089 (cve.mitre.org, nvd.nist.gov)

New Vulnerabilities found this Week

• CVE-2009-1191 Apache CVSS 2.0 Score = 5.0

mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

BID: http://www.securityfocus.com/bid/34663

CONFIRM: http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff

CONFIRM: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=766938&r2=767089

CONFIRM: https://issues.apache.org/bugzilla/show_bug.cgi?id=46949

XF: http://xforce.iss.net/xforce/xfdb/50059

VUPEN: http://www.vupen.com/english/advisories/2009/1147

UBUNTU: http://www.ubuntu.com/usn/usn-787-1

SECTRACK: http://www.securitytracker.com/id?1022264

MANDRIVA: http://www.mandriva.com/security/advisories?name=MDVSA-2009:102

GENTOO: http://security.gentoo.org/glsa/glsa-200907-04.xml

SECUNIA: http://secunia.com/advisories/35721

SECUNIA: http://secunia.com/advisories/35395

SECUNIA: http://secunia.com/advisories/34827

OSVDB: http://osvdb.org/53921

CVE Reference: CVE-2009-1191

• CVE-2009-0718 HP CVSS 2.0 Score = 10.0

Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 before 5.1.1.1090.15 allows remote attackers to execute arbitrary code via unknown vectors.

Test Case Impact: Vulnerability Impact: Risk: High

References:

VUPEN: http://www.vupen.com/english/advisories/2009/1108

SECTRACK: http://www.securitytracker.com/id?1022087

SECUNIA: http://secunia.com/advisories/34808

HP: http://marc.info/?l=bugtraq&m=124025929213175&w=2

HP: http://marc.info/?l=bugtraq&m=124025929213175&w=2

CVE Reference: CVE-2009-0718

• CVE-2009-0716 HP CVSS 2.0 Score = 7.5

Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 before 5.1.1.1090.15 allows remote attackers to cause a denial of service or obtain "access" via unknown vectors.

Test Case Impact: Vulnerability Impact: Risk: High

References:

VUPEN: http://www.vupen.com/english/advisories/2009/1108

SECTRACK: http://www.securitytracker.com/id?1022085

SECUNIA: http://secunia.com/advisories/34808

HP: http://marc.info/?l=bugtraq&m=124025929213175&w=2

HP: http://marc.info/?l=bugtraq&m=124025929213175&w=2

CVE Reference: CVE-2009-0716

• CVE-2009-0715 HP CVSS 2.0 Score = 6.5

Unspecified vulnerability in Secure NaviCLI in HP Storage Essentials 6.0.2 through 6.0.4 allows remote authenticated users to obtain "access" or "extended privileges" via unknown vectors.

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

VUPEN: http://www.vupen.com/english/advisories/2009/1109

SECTRACK: http://www.securitytracker.com/id?1022084

SECUNIA: http://secunia.com/advisories/34807

OSVDB: http://osvdb.org/53881

HP: http://marc.info/?l=bugtraq&m=124025839111157&w=2

CVE Reference: CVE-2009-0715

• CVE-2009-0717 HP CVSS 2.0 Score = 5.0

Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 before 5.1.1.1090.15 allows remote attackers to cause a denial of service via unknown vectors.

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

VUPEN: http://www.vupen.com/english/advisories/2009/1108

SECTRACK: http://www.securitytracker.com/id?1022086

SECUNIA: http://secunia.com/advisories/34808

HP: http://marc.info/?l=bugtraq&m=124025929213175&w=2

CVE Reference: CVE-2009-0717

• CVE-2009-0064 Symantec CVSS 2.0 Score = 9.0

Multiple unspecified vulnerabilities in the Control Center in Symantec Brightmail Gateway Appliance before 8.0.1 allow remote authenticated users to gain privileges, and possibly obtain sensitive information or hijack sessions of arbitrary users, via vectors involving (1) administrative scripts or (2) console functions.

Test Case Impact: Vulnerability Impact: Risk: High

References:

VUPEN: http://www.vupen.com/english/advisories/2009/1155

CONFIRM: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01

SECTRACK: http://securitytracker.com/id?1022117

XF: http://xforce.iss.net/xforce/xfdb/50075

BID: http://www.securityfocus.com/bid/34639

SECUNIA: http://secunia.com/advisories/34885

OSVDB: http://osvdb.org/53945

CVE Reference: CVE-2009-0064

• CVE-2009-0063 Symantec CVSS 2.0 Score = 4.3

Cross-site scripting (XSS) vulnerability in the Control Center in Symantec Brightmail Gateway Appliance before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

VUPEN: http://www.vupen.com/english/advisories/2009/1155

CONFIRM: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01

SECTRACK: http://securitytracker.com/id?1022116

XF: http://xforce.iss.net/xforce/xfdb/50074

BID: http://www.securityfocus.com/bid/34641

SECUNIA: http://secunia.com/advisories/34885

OSVDB: http://osvdb.org/53944

CVE Reference: CVE-2009-0063

• CVE-2009-1355 IBM CVSS 2.0 Score = 7.2

Stack-based buffer overflow in muxatmd in IBM AIX 5.2, 5.3, and 6.1 allows local users to gain privileges via a long filename.

Test Case Impact: Vulnerability Impact: Risk: High

References:

CVE Reference: CVE-2009-1355

Vulnerability Resource
Check out this compendium of links and up-to-the minute information about network security issues. Their claim to be the 'security portal for information system security professionals' is well founded. http://www.infosyssec.org/infosyssec/

Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com

About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.

For any inquiry about SecureScout by:
Customers in America and Northern Europe contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net