netVigilance ScoutNews April 15 2011

2011 Issue #15

ScoutNews
The weekly Security update from
the makers of SecureScout
April 15, 2011

Table of Contents

Product Focus

This Week in Review

Top Security News Stories this Week

New Vulnerabilities Tested in SecureScout

New Vulnerabilities found this Week

Product Focus

Apache Chunked Vulnerability Scanner - The S4 Apache Chunked Vulnerability Scanner is a free utility made by SecureScout that will scan up to 256 IP addresses at once to assess if any are vulnerable to the Apache Chunked Encoding buffer overflow.

Download Here:
http://www.netvigilance.com/productdownloads?productname=apachechunkedvulnerabilityscanner

This Week in Review

A call for a new security model. Michael Barret on current security events. Security holes that could enable hackers to shop for free found. US officials turning off malware on infected PCs.

Enjoy reading & Stay safe.

Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com

Top Security News Stories this Week

• Security fragmentation needs to end

Network World - A new week, a new rash of attacks against security vendors, email marketers and banks. It would be easy to point fingers and laugh at the irony, especially in the case of security vendors, but that would be both petty and shortsighted.

More on network security problems: 10 of the Worst Moments in Network Security History

The stark reality is that security breaches can, will and do happen to everyone. For every security control and process we put in place, somewhere else there's a vulnerability, a weakness, an untrained employee or a path of least resistance for an attack. All the point solutions in the world are not going to make us any more secure. What we desperately need is a new model for integrating security solutions across vendors, across devices, across operating systems and across the globe. Computerworld

Full Story :
http://www.computerworld.com/s/article/9215802/Security_fragmentation_needs_to_end?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F17+%28Computerworld+Security+News%29

• PayPal security chief on Epsilon breach and more (Q&A)

Michael Barrett, chief information security officer at PayPal

(Credit: PayPal)

CNET got a few minutes on the phone today with Michael Barrett, chief information security officer at online payment processor PayPal, and asked him his opinion on some current events in the world of security. Here are edited excerpts of the interview with the man responsible for making sure the personal and financial data of millions of PayPal customers and thousands of employees is secure. Cnet Security

Full Story :
http://news.cnet.com/8301-27080_3-20052310-245.html?part=rss&subj=news&tag=2547-1_3-0-20

• Could criminals shop for free online?

A group of security researchers say they have found ways to trick online cashier systems into ordering items for free or at a discount.

Researchers from Indiana University and Microsoft Research found security holes in a software development kit from payment hosting provider Amazon Payments, Rui Wang, a Ph.D. student at Indiana University, told CNET in a recent interview. Amazon fixed the problems after being notified by the researchers, and integration bugs found in merchant shopping-cart applications and implementations on several retail sites have also been fixed. Cnet Security

Full Story :
http://news.cnet.com/8301-27080_3-20049044-245.html?part=rss&subj=news&tag=2547-1_3-0-20

• U.S. shutters botnet, can disable malware remotely

By seizing servers and domain names and getting permission to remotely turn off malware on compromised PCs, U.S. officials have disabled a botnet that steals data from infected computers.

The legal actions are part of the "most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet," according to a statement from the Department of Justice. A botnet is a group of computers that have been compromised and are being remotely controlled by attackers, typically to send spam or attack other computers.

It's the first time law enforcement in the U.S. has requested permission from a court to take control of a botnet, according to a request for a temporary restraining order that was granted. Similar action was taken by Dutch officials who downloaded "good" software to computers infected with Bredolab botnet malware, the filing said. Cnet Security

Full Story :
http://news.cnet.com/8301-27080_3-20053708-245.html?part=rss&subj=news&tag=2547-1_3-0-20

New Vulnerabilities Tested in SecureScout

• 19164 SSL renegotiation supported

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

This test case tests if the target's SSL layer accepts SSL renegotiation requests from clients.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: Medium

References:

CVE Reference:

CVE-2009-3555 (cve.mitre.org, nvd.nist.gov)

• 19255 Layouts Handling Memory Corruption Vulnerability (MS11-018/2497640) (Remote File Checking)

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS11-018
http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx
* BID: 47190
http://www.securityfocus.com/bid/47190
* VUPEN: VUPEN/ADV-2011-0937
http://www.vupen.com/english/advisories/2011/0937
* SECTRACK: 1025327
http://www.securitytracker.com/id/1025327

CVE Reference:

CVE-2011-0094 (cve.mitre.org, nvd.nist.gov)

• 19256 MSHTML Memory Corruption Vulnerability (MS11-018/2497640) (Remote File Checking)

References:

* MS: MS11-018
http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx
* BID: 45639
http://www.securityfocus.com/bid/45639
* VUPEN: VUPEN/ADV-2011-0937
http://www.vupen.com/english/advisories/2011/0937
* SECTRACK: 1025327
http://www.securitytracker.com/id/1025327

CVE Reference:

CVE-2011-0346 (cve.mitre.org, nvd.nist.gov)

• 19257 Frame Tag Information Disclosure Vulnerability (MS11-018/2497640) (Remote File Checking)

An information disclosure vulnerability exists in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page disguised as legitimate content. The user's actions on the page could allow information disclosure or clickjacking, whereby the user's clicks perform unwanted actions.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS11-018
http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx
* BID: 47191
http://www.securityfocus.com/bid/47191
* VUPEN: VUPEN/ADV-2011-0937
http://www.vupen.com/english/advisories/2011/0937
* SECTRACK: 1025327
http://www.securitytracker.com/id/1025327

CVE Reference:

CVE-2011-1244 (cve.mitre.org, nvd.nist.gov)

• 19258 Javascript Information Disclosure Vulnerability (MS11-018/2497640) (Remote File Checking)

An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS11-018
http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx
* BID: 47192
http://www.securityfocus.com/bid/47192
* VUPEN: VUPEN/ADV-2011-0937
http://www.vupen.com/english/advisories/2011/0937
* SECTRACK: 1025327
http://www.securitytracker.com/id/1025327

CVE Reference:

CVE-2011-1245 (cve.mitre.org, nvd.nist.gov)

• 19259 Object Management Memory Corruption Vulnerability (MS11-018/2497640) (Remote File Checking)

References:

* MS: MS11-018
http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx
* BID: 46821
http://www.securityfocus.com/bid/46821
* VUPEN: VUPEN/ADV-2011-0937
http://www.vupen.com/english/advisories/2011/0937
* SECTRACK: 1025327
http://www.securitytracker.com/id/1025327

CVE Reference:

CVE-2011-1345 (cve.mitre.org, nvd.nist.gov)

• 19260 Browser Pool Corruption Vulnerability (MS11-019/2511455) (Remote File Checking)

An unauthenticated remote code execution vulnerability exists in the way that the Common Internet File System (CIFS) Browser Protocol implementation parses malformed browser messages. An attempt to exploit the vulnerability would not require authentication. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS11-019
http://www.microsoft.com/technet/security/Bulletin/MS11-019.mspx
* EXPLOIT-DB: 16166
http://www.exploit-db.com/exploits/16166
* FULLDISC: 20110214 MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
http://archives.neohapsis.com/archives/fulldisclosure/current/0284.html
* CONFIRM:
http://blogs.technet.com/b/mmpc/archive/2011/02/16/my-sweet-valentine-the-cifs-browser-protocol-heap-corruption-vulnerability.aspx
* CONFIRM:
http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx
* BID: 46360
http://www.securityfocus.com/bid/46360
* SECUNIA: 43299
http://secunia.com/advisories/43299
* VUPEN: ADV-2011-0394
http://www.vupen.com/english/advisories/2011/0394
* XF: ms-win-server-browser-bo(65376)
http://xforce.iss.net/xforce/xfdb/65376
* SECTRACK: 1025328
http://www.securitytracker.com/id/1025328

CVE Reference:

CVE-2011-0654 (cve.mitre.org, nvd.nist.gov)

• 19261 SMB Client Response Parsing Vulnerability (MS11-019/2511455) (Remote File Checking)

An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block (SMB) client validates specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS11-019
http://www.microsoft.com/technet/security/Bulletin/MS11-019.mspx
* SECTRACK: 1025328
http://www.securitytracker.com/id/1025328
* BID: 47239
http://www.securityfocus.com/bid/47239
* VUPEN: VUPEN/ADV-2011-0938
http://www.vupen.com/english/advisories/2011/0938

CVE Reference:

CVE-2011-0660 (cve.mitre.org, nvd.nist.gov)

• 19262 SMB Transaction Parsing Vulnerability (MS11-020/2508429) (Remote File Checking)

An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB packet to a computer running the Server service. An attacker who successfully exploited this vulnerability could take complete control of the system.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS11-020
http://www.microsoft.com/technet/security/Bulletin/MS11-020.mspx
* SECTRACK: 1025329
http://www.securitytracker.com/id/1025329
* BID: 47198
http://www.securityfocus.com/bid/47198
* VUPEN: VUPEN/ADV-2011-0939
http://www.vupen.com/english/advisories/2011/0939

CVE Reference:

CVE-2011-0661 (cve.mitre.org, nvd.nist.gov)

• 19263 DNS Query Vulnerability (MS11-030/2509553) (Remote File Checking)

A remote code execution vulnerability exists in the way that the DNS client service handles specially crafted LLMNR queries. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the NetworkService account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test Case Impact: Gather Info Vulnerability Impact: Attack Risk: High

References:

* MS: MS11-030
http://www.microsoft.com/technet/security/Bulletin/MS11-030.mspx
* SECTRACK: 1025332
http://www.securitytracker.com/id/1025332
* BID: 47242
http://www.securityfocus.com/bid/47242
* VUPEN: VUPEN/ADV-2011-0948
http://www.vupen.com/english/advisories/2011/0948

CVE Reference:

CVE-2011-0657 (cve.mitre.org, nvd.nist.gov)

New Vulnerabilities found this Week

• CVE-2011-0661 Microsoft CVSS 2.0 Score = 10.0

The SMB Server service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate fields in SMB requests, which allows remote attackers to execute arbitrary code via a malformed request in a (1) SMBv1 or (2) SMBv2 packet, aka "SMB Transaction Parsing Vulnerability."

Test Case Impact: Vulnerability Impact: Risk: High

References:

MS: http://www.microsoft.com/technet/security/Bulletin/MS11-020.mspx

CVE Reference: CVE-2011-0661

• CVE-2011-0657 Microsoft CVSS 2.0 Score = 10.0

DNSAPI.dll in the DNS client in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process DNS queries, which allows remote attackers to execute arbitrary code via (1) a crafted LLMNR broadcast query or (2) a crafted application, aka "DNS Query Vulnerability."

Test Case Impact: Vulnerability Impact: Risk: High

References:

MS: http://www.microsoft.com/technet/security/Bulletin/MS11-030.mspx

CVE Reference: CVE-2011-0657

• CVE-2011-0655 Microsoft CVSS 2.0 Score = 9.3

Microsoft PowerPoint 2007 SP2 and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate TimeColorBehaviorContainer Floating Point records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document containing an invalid record, aka "Floating Point Techno-color Time Bandit RCE Vulnerability."

Test Case Impact: Vulnerability Impact: Risk: High

References:

MS: http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx

CVE Reference: CVE-2011-0655

• CVE-2011-0663 Microsoft CVSS 2.0 Score = 9.3

Multiple integer overflows in the Microsoft (1) JScript 5.6 through 5.8 and (2) VBScript 5.6 through 5.8 scripting engines allow remote attackers to execute arbitrary code via a crafted web page, aka "Scripting Memory Reallocation Vulnerability."

Test Case Impact: Vulnerability Impact: Risk: High

References:

MS: http://www.microsoft.com/technet/security/Bulletin/MS11-031.mspx

CVE Reference: CVE-2011-0663

• CVE-2011-0660 Microsoft CVSS 2.0 Score = 9.3

The SMB client in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote SMB servers to execute arbitrary code via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Response Parsing Vulnerability."

Test Case Impact: Vulnerability Impact: Risk: High

References:

MS: http://www.microsoft.com/technet/security/Bulletin/MS11-019.mspx

CVE Reference: CVE-2011-0660

• CVE-2011-0656 Microsoft CVSS 2.0 Score = 9.3

Microsoft PowerPoint 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate PersistDirectoryEntry records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document containing an invalid record, aka "Persist Directory RCE Vulnerability."

Test Case Impact: Vulnerability Impact: Risk: High

References:

MS: http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx

CVE Reference: CVE-2011-0656

• CVE-2011-0107 Microsoft CVSS 2.0 Score = 9.3

Untrusted search path vulnerability in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability."Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path'

Test Case Impact: Vulnerability Impact: Risk: High

References:

MS: http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx

CVE Reference: CVE-2011-0107

• CVE-2011-0105 Microsoft CVSS 2.0 Score = 9.3

Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac obtain a certain length value from an uninitialized memory location, which allows remote attackers to trigger a buffer overflow and execute arbitrary code via a crafted Excel file, aka "Excel Data Initialization Vulnerability."

Test Case Impact: Vulnerability Impact: Risk: High

References:

MS: http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx

CVE Reference: CVE-2011-0105

Vulnerability Resource
Check out this compendium of links and up-to-the minute information about network security issues. Their claim to be the 'security portal for information system security professionals' is well founded. http://www.infosyssec.org/infosyssec/

Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com

About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.

For any inquiry about SecureScout by:
Customers in America and Northern Europe contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net