netVigilance - assurance has arrived
2009 Issue #6

ScoutNews
The weekly Security update from
the makers of SecureScout

February 06, 2009



Table of Contents

Product Focus

This Week in Review

Top Security News Stories this Week

New Vulnerabilities Tested in SecureScout

New Vulnerabilities found this Week



Product Focus

WinHoneyd v1.5b - Download the WinHoneyd executable package by filling out our download form. Size: 2404KB

Download Here:
http://www.netvigilance.com/productdownloads?productname=winhoneyd-1.5b.zip



This Week in Review

Costs of data breaches on the rise. Your browser and SSL. Disk encryption and data recovery. Which browser to use - that is the question.

Enjoy reading & Stay safe.

Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com


Top Security News Stories this Week

Costs of a Data Breach: Can You Afford $6.65 Million?

February 4, 2009 (CIO) Affixing a dollar cost to a problem has immense benefit, and The Ponemon Institute goes to great lengths to arrive at the figures for its Annual Cost of a Data Breach Study.

In 2008 the average total cost of a data breach was $6.65 million, up from $6.35 million last year and $4.54 in 2005. In 2008, the per-victim cost of a data breach was $202, up from $197 in 2007, and from $138 when the study was launched in 2005. Breaches involving a third party to which data had been outsourced bore a per-victim cost of $231, whereas self-contained breaches bore a per-victim cost of $179. Breaches that were the result of a malicious act bore a per-victim cost of $225, whereas breaches that were the result of negligence bore a per-victim cost of $199. Breaches that were the result of a lost or stolen laptop computer bore a per-victim cost of $249, whereas breaches that did not involve a lost or stolen laptop computer bore a per-victim cost of $177. If the data breach was a first-time event for the company, the per-victim cost was $243, but if the company had experienced a breach previously, the per-victim cost was $192.

Computerworld

Full Story :
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127376&source=rss_topic17


Browser secrets of secure connections

February 3, 2009 (InfoWorld) Although most users don't know it, their Web browser plays a key part in determining the strength of the ciphers used between their client and an HTTPS-protected Web site. Encryption ciphers used in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) negotiations can range from very strong to weak, and involve asymmetric ciphers, symmetric ciphers, key exchange algorithms and hash functions.


Computerworld

Full Story :
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127249&source=rss_topic17


New disk encryption standards could complicate data recovery

February 2, 2009 (Computerworld) When the world's largest disk-makers joined last week to announce a single standard for encrypting disk drives, the move raised questions among users about how to deal with full-disk encryption once it's native on all laptop or desktop computers.

"Then you have just killed yourself," said Dave Hill, an analyst at research firm Mesabi Group.

Some industry observers believe that within five years, all disk drive manufacturers will be offering drives -- both hard disk and solid-state disk -- that use the specifications for firmware-based encryption.

Computerworld

Full Story :
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127178&source=rss_topic17


IE or Firefox: Which browser is more secure?

February 2, 2009 (CSO) The conventional wisdom in security circles used to be that Microsoft's Internet Explorer was hopelessly attack-prone and that only someone with a cyber death wish would prefer it over such alternatives as Mozilla Firefox, Opera or Apple's Safari browser.

CSOonline.com recently conducted a highly unscientific, very informal poll of security practitioners, asking which browser they consider more secure. Firefox still scores well for many who like the frequent and easy security updates. But IE seems to be gaining more acceptance, especially since Microsoft released version 7 a couple of years ago. As for Google's Chrome, the jury is still out.

Computerworld

Full Story :
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127158&source=rss_topic17


New Vulnerabilities Tested in SecureScout

13679 Oracle Database Server - Oracle Application Express component unspecified Vulnerability (oct-2008/CVE-2008-4005)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle Application Express" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html
* FRSIRT: ADV-2008-2825
http://www.frsirt.com/english/advisories/2008/2825
* SECTRACK: 1021050
http://www.securitytracker.com/id?1021050
* SECUNIA: 32291
http://secunia.com/advisories/32291
* XF: oracle-database-apex-priv-escalation(45907)
http://xforce.iss.net/xforce/xfdb/45907

CVE Reference:

CVE-2008-4005 (cve.mitre.org, nvd.nist.gov)

13680 Oracle Database Server - Core RDBMS component unspecified Vulnerability (oct-2008/CVE-2008-2625)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Core RDBMS" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* BUGTRAQ: 20081019 CVE-2008-2625: Oracle DBMS - Proxy Authentication Vulnerability
http://www.securityfocus.com/archive/1/archive/1/497539/100/0/threaded
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html
* FRSIRT: ADV-2008-2825
http://www.frsirt.com/english/advisories/2008/2825
* SECTRACK: 1021050
http://www.securitytracker.com/id?1021050
* SECUNIA: 32291
http://secunia.com/advisories/32291
* XF: oracle-db-corerdbms-unauth-access(45880)
http://xforce.iss.net/xforce/xfdb/45880

CVE Reference:

CVE-2008-2625 (cve.mitre.org, nvd.nist.gov)

13681 Oracle Database Server - Oracle OLAP component unspecified Vulnerability (oct-2008/CVE-2008-3990)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle OLAP" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html
* FRSIRT: ADV-2008-2825
http://www.frsirt.com/english/advisories/2008/2825
* SECTRACK: 1021050
http://www.securitytracker.com/id?1021050
* SECUNIA: 32291
http://secunia.com/advisories/32291

CVE Reference:

CVE-2008-3990 (cve.mitre.org, nvd.nist.gov)

13682 Oracle Database Server - Oracle OLAP component unspecified Vulnerability (oct-2008/CVE-2008-3991)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle OLAP" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html
* FRSIRT: ADV-2008-2825
http://www.frsirt.com/english/advisories/2008/2825
* SECTRACK: 1021050
http://www.securitytracker.com/id?1021050
* SECUNIA: 32291
http://secunia.com/advisories/32291

CVE Reference:

CVE-2008-3991 (cve.mitre.org, nvd.nist.gov)

16678 Oracle Enterprise Manager - Database Control component unspecified Vulnerability (oct-2007/EM01)

An unspecified vulnerability with unknown impact exists in Oracle Enterprise Manager Database Control component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
* CERT: TA07-290A
http://www.us-cert.gov/cas/techalerts/TA07-290A.html
* FRSIRT: ADV-2007-3524
http://www.frsirt.com/english/advisories/2007/3524
* SECTRACK: 1018823
http://www.securitytracker.com/id?1018823
* SECUNIA: 27251
http://secunia.com/advisories/27251

CVE Reference:

CVE-2007-5530 (cve.mitre.org, nvd.nist.gov)

16679 Oracle Enterprise Manager - Oracle Help for Web component unspecified Vulnerability (oct-2007/EM02)

An unspecified vulnerability with unknown impact exists in Oracle Enterprise Manager Oracle Help for Web component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
* CERT: TA07-290A
http://www.us-cert.gov/cas/techalerts/TA07-290A.html
* FRSIRT: ADV-2007-3524
http://www.frsirt.com/english/advisories/2007/3524
* SECTRACK: 1018823
http://www.securitytracker.com/id?1018823
* SECUNIA: 27251
http://secunia.com/advisories/27251

CVE Reference:

CVE-2007-5531 (cve.mitre.org, nvd.nist.gov)

16686 Oracle Enterprise Manager - Oracle Agent component unspecified Vulnerability (apr-2007/EM01)

An unspecified vulnerability with unknown impact exists in Oracle Enterprise Manager Oracle Agent component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* MISC:
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
* HP: HPSBMA02133
http://www.securityfocus.com/archive/1/archive/1/466329/100/200/threaded
* BID: 23532
http://www.securityfocus.com/bid/23532
* FRSIRT: ADV-2007-1426
http://www.frsirt.com/english/advisories/2007/1426
* SECTRACK: 1017927
http://www.securitytracker.com/id?1017927

CVE Reference:

CVE-2007-2129 (cve.mitre.org, nvd.nist.gov)

16702 Oracle Enterprise Manager - Oracle Agent component unspecified Vulnerability (jan-2007/EM01)

An unspecified vulnerability with unknown impact exists in Oracle Enterprise Manager Oracle Agent component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
* CERT: TA07-017A
http://www.us-cert.gov/cas/techalerts/TA07-017A.html
* SECTRACK: 1017522
http://securitytracker.com/id?1017522
* SECUNIA: 23794
http://secunia.com/advisories/23794
* XF: oracle-cpu-jan2007(31541)
http://xforce.iss.net/xforce/xfdb/31541

CVE Reference:

CVE-2007-0292 (cve.mitre.org, nvd.nist.gov)

16703 Oracle Enterprise Manager - Oracle Agent component unspecified Vulnerability (jan-2007/EM02)

An unspecified vulnerability with unknown impact exists in Oracle Enterprise Manager Oracle Agent component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: High

References:

* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
* CERT: TA07-017A
http://www.us-cert.gov/cas/techalerts/TA07-017A.html
* SECTRACK: 1017522
http://securitytracker.com/id?1017522
* SECUNIA: 23794
http://secunia.com/advisories/23794
* XF: oracle-cpu-jan2007(31541)
http://xforce.iss.net/xforce/xfdb/31541

CVE Reference:

CVE-2007-0292 (cve.mitre.org, nvd.nist.gov)

16704 Oracle Enterprise Manager - Oracle Agent component unspecified Vulnerability (jan-2007/EM03)

An unspecified vulnerability with unknown impact exists in Oracle Enterprise Manager Oracle Agent component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
* CERT: TA07-017A
http://www.us-cert.gov/cas/techalerts/TA07-017A.html
* SECTRACK: 1017522
http://securitytracker.com/id?1017522
* SECUNIA: 23794
http://secunia.com/advisories/23794
* XF: oracle-cpu-jan2007(31541)
http://xforce.iss.net/xforce/xfdb/31541

CVE Reference:

CVE-2007-0293 (cve.mitre.org, nvd.nist.gov)


New Vulnerabilities found this Week

CVE-2009-0419    Microsoft    CVSS 2.0 Score = 5.0

Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033.

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

MISC: https://bugzilla.mozilla.org/show_bug.cgi?id=380418

XF: http://xforce.iss.net/xforce/xfdb/48815

CVE Reference: CVE-2009-0419

CVE-2008-6063    Microsoft    CVSS 2.0 Score = 4.3

Microsoft Word 2007, when the "Save as PDF" add-on is enabled, places an absolute pathname in the Subject field during an "Email as PDF" operation, which allows remote attackers to obtain sensitive information such as the sender's account name and a Temporary Internet Files subdirectory name.

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/486088/100/0/threaded

CVE Reference: CVE-2008-6063

CVE-2008-6065    Oracle    CVSS 2.0 Score = 5.1

Oracle Database Server 10.1, 10.2, and 11g grants directory WRITE permissions for arbitrary pathnames that are aliased in a CREATE OR REPLACE DIRECTORY statement, which allows remote authenticated users with CREATE ANY DIRECTORY privileges to gain SYSDBA privileges by aliasing the pathname of the password directory, and then overwriting the password file through UTL_FILE operations, a related issue to CVE-2006-7141.

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

XF: http://xforce.iss.net/xforce/xfdb/48814

BID: http://www.securityfocus.com/bid/31738

BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/497286/100/0/threaded

MISC: http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/

CVE Reference: CVE-2008-6065

CVE-2009-0418    HP    CVSS 2.0 Score = 9.3

The IPv6 Neighbor Discovery Protocol (NDP) implementation in HP HP-UX B.11.11, B.11.23, and B.11.31 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity), read private network traffic, and possibly execute arbitrary code via a spoofed message that modifies the Forward Information Base (FIB), a related issue to CVE-2008-2476.

Test Case Impact: Vulnerability Impact: Risk: High

References:

SECTRACK: http://www.securitytracker.com/id?1021660

VUPEN: http://www.frsirt.com/english/advisories/2009/0312

SECUNIA: http://secunia.com/advisories/33787

OVAL: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5943

HP: http://marc.info/?l=bugtraq&m=123368621330334&w=2

CVE Reference: CVE-2009-0418

CVE-2008-4419    HP    CVSS 2.0 Score = 7.8

Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI.

Test Case Impact: Vulnerability Impact: Risk: High

References:

BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/500657/100/0/threaded

SECTRACK: http://www.securitytracker.com/id?1021687

BID: http://www.securityfocus.com/bid/33611

VUPEN: http://www.frsirt.com/english/advisories/2009/0341

SECUNIA: http://secunia.com/advisories/33779

HP: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905


CVE Reference: CVE-2008-4419

CVE-2009-0391    IBM    CVSS 2.0 Score = 7.8

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0.1 on z/OS allows attackers to read arbitrary files via unknown vectors.

Test Case Impact: Vulnerability Impact: Risk: High

References:

SECTRACK: http://www.securitytracker.com/id?1021658

BID: http://www.securityfocus.com/bid/33533

VUPEN: http://www.frsirt.com/english/advisories/2009/0423

AIXAPAR: http://www-01.ibm.com/support/docview.wss?uid=swg1PK79232

SECUNIA: http://secunia.com/advisories/33729

OSVDB: http://osvdb.org/51663

CVE Reference: CVE-2009-0391

CVE-2009-0062    Cisco    CVSS 2.0 Score = 9.0

Unspecified vulnerability in the Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.2.173.0 allows remote authenticated users to gain privileges via unknown vectors, as demonstrated by escalation from the (1) Lobby Admin and (2) Local Management User privilege levels.

Test Case Impact: Vulnerability Impact: Risk: High

References:

SECTRACK: http://www.securitytracker.com/id?1021678

BID: http://www.securityfocus.com/bid/33608

CISCO: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a6c1dd.shtml

SECUNIA: http://secunia.com/advisories/33749

CVE Reference: CVE-2009-0062

CVE-2009-0059    Cisco    CVSS 2.0 Score = 7.8

The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.2.x before 5.2.157.0 allow remote attackers to cause a denial of service (device reload) via a web authentication (aka WebAuth) session that includes a malformed POST request to login.html.

Test Case Impact: Vulnerability Impact: Risk: High

References:

SECTRACK: http://www.securitytracker.com/id?1021679

BID: http://www.securityfocus.com/bid/33608

CISCO: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a6c1dd.shtml

SECUNIA: http://secunia.com/advisories/33749

CVE Reference: CVE-2009-0059


Vulnerability Resource
Check out this compendium of links and up-to-the-minute information about network security issues. Their claim to be the 'security portal for information system security professionals' is well founded. http://www.infosyssec.org/infosyssec/

Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com

About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.

For any inquiry about SecureScout by:
Customers in America and Northern Europe contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net