netVigilance - assurance has arrived
2009 Issue #4

ScoutNews
The weekly security update from the makers of SecureScout

January 23, 2009



Table of Contents

Product Focus

This Week in Review

Top Security News Stories this Week

New Vulnerabilities Tested in SecureScout

New Vulnerabilities found this Week



Product Focus

WinArpd v1.0b8 - Download the WinArpd executable by filling in our download form. Size: 55KB

Download Here:
http://www.netvigilance.com/productdownloads?productname=winarpd.exe.zip



This Week in Review

New lists from SANS and Mitre. Risk management in times of recession. Virtual machines directly on hardware more secure. Need for a better CAPTCHA.

Enjoy reading & Stay safe.

Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com


Top Security News Stories this Week

Frankly Speaking: What would really make software more secure

January 19, 2009 (Computerworld) Oh, not again. Last week, the SANS Institute and Mitre released yet another list of the most serious programming errors that break software security. And this time, SANS and Mitre got dozens of other organizations to sign on, including Microsoft, Apple, Oracle, Tata, Symantec, the Department of Homeland Security and the National Security Agency.

Yes, it's a fine list. It includes all our old favorites: overflowing buffers, unchecked input, random numbers that aren't really random, failure to block cross-site scripting and SQL injection. (You can find the complete list at www.sans.org/top25errors.)

SANS and Mitre say this one is better, because this time they tapped dozens of other organizations to help compile the top 25 programming problems. Surely that will convince programmers to see the error of their ways and start coding securely, won't it?

Computerworld

Full Story:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=332461&source=rss_topic17


Security Manager's Journal: Eyeing risks while cutting spending

January 19, 2009 (Computerworld) We're still dealing with fallout from the weakening economy. Besides the massive layoff I wrote about last time, each department has been told to decrease spending by 15%.

First up is intrusion detection. Our 12 sensors are positioned to monitor the DMZs at corporate and remote offices as well as major data centers and some interoffice communications. We're using several offshore analysts to monitor those sensors; they attend to the alerts and, when necessary, escalate things to our analysts here in the U.S. for evaluation and action. But we're definitely monitoring more attack signatures than we need to. Our analysts spend a good part of their days chasing false positives.

Action Plan: Do a thorough risk assessment before making any cuts. Risking a vulnerability in order to save money would be foolhardy -- and, in the long run, expensive.

Computerworld

Full Story:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=332097&source=rss_topic17


Virtual desktops getting security boost

January 22, 2009 (Network World) Businesses looking for safer virtual desktops can cut the risk of attacks if they run their virtual-machine hypervisors directly on computer hardware, eliminating reliance on separate operating systems that can be vulnerable to attack.

Beyond the security implications, client hypervisors offer the additional management benefits of centralizing content, enforcing access control to desktop images, updating and patching desktops and supporting multiple virtual machines on a single device while keeping them isolated from each other.

The Citrix client hypervisor is scheduled to be available around the time that VMware releases its client hypervisor. But the difference is that VMware's runs on top of the host machine's operating system, says Mark Bowker, an analyst with Enterprise Strategy Group.

Computerworld

Full Story:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126671&source=rss_topic17


Building a better spam-blocking CAPTCHA

January 23, 2009 (Computerworld) How do you let people create user accounts or post comments on your Web site without letting spam bots in? Simple -- make your users prove they're human. Many Web sites use CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) technology to try to tell the bots from the people.

(Image: A basic CAPTCHA)

But while no one has yet come up with a computer that can fool people into thinking it's another person, computers are great at fooling other computers. These days, malware makers and spammers regularly trick the CAPTCHA systems at big-name Web sites such as Yahoo Mail, Gmail and Craigslist, and use these sites to automate their attacks.

Computerworld

Full Story:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126378&source=rss_topic17


New Vulnerabilities Tested in SecureScout

13683 Oracle Database Server - Job Queue component unspecified Vulnerability (jan-2009/CVE-2008-5437)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Job Queue" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-5437 (cve.mitre.org, nvd.nist.gov)

13684 Oracle Database Server - Oracle OLAP component unspecified Vulnerability (jan-2009/CVE-2008-5436)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle OLAP" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-5436 (cve.mitre.org, nvd.nist.gov)

13685 Oracle Database Server - Oracle Spatial component unspecified Vulnerability (jan-2009/CVE-2008-3978)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle Spatial" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-3978 (cve.mitre.org, nvd.nist.gov)

13686 Oracle Database Server - Oracle Spatial component unspecified Vulnerability (jan-2009/CVE-2008-3979)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle Spatial" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* BUGTRAQ: 20090113 Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2
http://www.securityfocus.com/archive/1/archive/1/500061/100/0/threaded
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-3979 (cve.mitre.org, nvd.nist.gov)

13687 Oracle Database Server - Oracle Streams component unspecified Vulnerability (jan-2009/CVE-2008-4015)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle Streams" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-4015 (cve.mitre.org, nvd.nist.gov)

13688 Oracle Database Server - Oracle OLAP component unspecified Vulnerability (jan-2009/CVE-2008-3974)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle OLAP" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-3974 (cve.mitre.org, nvd.nist.gov)

13689 Oracle Database Server - Oracle OLAP component unspecified Vulnerability (jan-2009/CVE-2008-3997)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle OLAP" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-3997 (cve.mitre.org, nvd.nist.gov)

13690 Oracle Database Server - Oracle OLAP component unspecified Vulnerability (jan-2009/CVE-2008-3999)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "Oracle OLAP" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-3999 (cve.mitre.org, nvd.nist.gov)

13691 Oracle Database Server - SQL*Plus Windows GUI component unspecified Vulnerability (jan-2009/CVE-2008-5439)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "SQL*Plus Windows GUI" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Medium

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-5439 (cve.mitre.org, nvd.nist.gov)

13692 Oracle Database Server - SQL*Plus Windows GUI component unspecified Vulnerability (jan-2009/CVE-2008-3973)

An unspecified vulnerability with unknown impact exists in Oracle Database Server "SQL*Plus Windows GUI" component.

Test Case Impact: Gather Info; Vulnerability Impact: Attack; Risk: Low

References:

* SECUNIA: 33525
http://secunia.com/advisories/33525/
* SECTRACK: 1021561: Oracle Database Lets Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions
http://securitytracker.com/alerts/2009/Jan/1021561.html
* MISC:
http://blog.red-database-security.com/category/cpujan2009/
* CONFIRM:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
* FRSIRT: ADV-2009-0115
http://www.frsirt.com/english/advisories/2009/0115

CVE Reference:

CVE-2008-3973 (cve.mitre.org, nvd.nist.gov)


New Vulnerabilities found this Week

CVE-2009-0244    Microsoft    CVSS 2.0 Score = 8.5

Directory traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth stack in Windows Mobile 6 Professional, and probably Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, allows remote authenticated users to list arbitrary directories, and create or read arbitrary files, via a .. (dot dot) in a pathname. NOTE: this can be leveraged for code execution by writing to a Startup folder.

Test Case Impact: -; Vulnerability Impact: -; Risk: High

References:

XF: http://xforce.iss.net/xforce/xfdb/48124

MISC: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html

BID: http://www.securityfocus.com/bid/33359

BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/500199/100/0/threaded

SREASON: http://securityreason.com/securityalert/4938

SECUNIA: http://secunia.com/advisories/33598

CVE Reference: CVE-2009-0244

CVE-2009-0243    Microsoft    CVSS 2.0 Score = 7.2

Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code by (1) inserting CD-ROM media, (2) inserting DVD media, (3) connecting a USB device, and (4) connecting a Firewire device; (5) allows user-assisted remote attackers to execute arbitrary code by mapping a network drive; and allows user-assisted attackers to execute arbitrary code by clicking on (6) an icon under My Computer\Devices with Removable Storage and (7) an option in an AutoPlay dialog, related to the Autorun.inf file. NOTE: vectors 1 and 3 on Vista are already covered by CVE-2008-0951.

Test Case Impact: -; Vulnerability Impact: -; Risk: High

References:

CERT: http://www.us-cert.gov/cas/techalerts/TA09-020A.html

SECTRACK: http://www.securitytracker.com/id?1021629

MISC: http://isc.sans.org/diary.html?storyid=5695

CVE Reference: CVE-2009-0243

CVE-2008-5912    Microsoft    CVSS 2.0 Score = 2.1

An unspecified function in the JavaScript implementation in Microsoft Internet Explorer creates and exposes a "temporary footprint" when there is a current login to a web site, which makes it easier for remote attackers to trick a user into acting upon a spoofed pop-up message, aka an "in-session phishing attack." NOTE: as of 20090116, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Test Case Impact: -; Vulnerability Impact: -; Risk: Low

References:

XF: http://xforce.iss.net/xforce/xfdb/48173

MISC: http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf

BID: http://www.securityfocus.com/bid/33276

MISC: http://www.infoworld.com/article/09/01/13/Browser_bug_could_allow_phishing_without_email_1.html

MISC: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212900161

MISC: http://arstechnica.com/news.ars/post/20090113-new-method-of-phishmongering-could-fool-experienced-users.html

CVE Reference: CVE-2008-5912

CVE-2009-0026    Apache    CVSS 2.0 Score = 4.3

Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.

Test Case Impact: -; Vulnerability Impact: -; Risk: Medium

References:

CONFIRM: https://issues.apache.org/jira/browse/JCR-1925

XF: http://xforce.iss.net/xforce/xfdb/48110

BID: http://www.securityfocus.com/bid/33360

BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/500196/100/0/threaded

VUPEN: http://www.frsirt.com/english/advisories/2009/0177

CONFIRM: http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt

SREASON: http://securityreason.com/securityalert/4942

SECUNIA: http://secunia.com/advisories/33576

CVE Reference: CVE-2009-0026

CVE-2008-4388    Symantec    CVSS 2.0 Score = 9.3

The LaunchObj ActiveX control before 5.2.2.865 in launcher.dll in Symantec AppStream Client 5.2.x before 5.2.2 SP3 MP1 does not properly validate downloaded files, which allows remote attackers to execute arbitrary code via the installAppMgr method and unspecified other methods.

Test Case Impact: -; Vulnerability Impact: -; Risk: High

References:

CERT-VN: http://www.kb.cert.org/vuls/id/194505

CONFIRM: http://www.symantec.com/avcenter/security/Content/2009.01.15.html

BID: http://www.securityfocus.com/bid/33247

SECTRACK: http://securitytracker.com/id?1021609

CVE Reference: CVE-2008-4388

CVE-2009-0178    IBM    CVSS 2.0 Score = 10.0

Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 release 3.2.0 SP1 has unknown impact and attack vectors.

Test Case Impact: -; Vulnerability Impact: -; Risk: High

References:

XF: http://xforce.iss.net/xforce/xfdb/48010

CONFIRM: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4521

BID: http://www.securityfocus.com/bid/33293

VUPEN: http://www.frsirt.com/english/advisories/2009/0158

SECUNIA: http://secunia.com/advisories/33518

OSVDB: http://osvdb.org/51432

CVE Reference: CVE-2009-0178

CVE-2008-3820    Cisco    CVSS 2.0 Score = 6.8

Cisco Security Manager 3.1 and 3.2 before 3.2.2, when Cisco IPS Event Viewer (IEV) is used, exposes TCP ports used by the MySQL daemon and IEV server, which allows remote attackers to obtain "root access" to IEV via unspecified use of TCP sessions to these ports.

Test Case Impact: -; Vulnerability Impact: -; Risk: Medium

References:

CISCO: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a6192a.shtml

XF: http://xforce.iss.net/xforce/xfdb/48134

SECTRACK: http://www.securitytracker.com/id?1021619

BID: http://www.securityfocus.com/bid/33381

FRSIRT: http://www.frsirt.com/english/advisories/2009/0214

SECUNIA: http://secunia.com/advisories/33633

CVE Reference: CVE-2008-3820

CVE-2008-5911    RealNetworks    CVSS 2.0 Score = 10.0

Multiple buffer overflows in RealNetworks Helix Server and Helix Mobile Server 11.x before 11.1.8 and 12.x before 12.0.1 allow remote attackers to (1) cause a denial of service via three crafted RTSP SETUP commands, or execute arbitrary code via (2) an NTLM authentication request with malformed base64-encoded data, (3) an RTSP DESCRIBE command, or (4) a DataConvertBuffer request.

Test Case Impact: -; Vulnerability Impact: -; Risk: High

References:

SECTRACK: http://www.securitytracker.com/id?1021501

SECTRACK: http://www.securitytracker.com/id?1021500

SECTRACK: http://www.securitytracker.com/id?1021499

SECTRACK: http://www.securitytracker.com/id?1021498

FRSIRT: http://www.frsirt.com/english/advisories/2008/3521

SECUNIA: http://secunia.com/advisories/33360

CONFIRM: http://docs.real.com/docs/security/SecurityUpdate121508HS.pdf

CVE Reference: CVE-2008-5911


Vulnerability Resource
Check out this compendium of links and up-to-the-minute information about network security issues. Their claim to be the 'security portal for information system security professionals' is well founded. http://www.infosyssec.org/infosyssec/

Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com

About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.

For any inquiry about SecureScout:
Customers in America and Northern Europe contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net