2011 Issue #33 | ScoutNews
Table of Contents
Product Focus |
Apache Chunked Vulnerability Scanner - The S4 Apache Chunked Vulnerability Scanner is a free utility made by SecureScout that scans up to 256 IP addresses at once to assess whether any are vulnerable to the Apache Chunked Encoding buffer overflow (CVE-2002-0392).
Download Here:
http://www2.netvigilance.com/productdownloads?productname=apachechunkedvulnerabilityscanner
This Week in Review
netVigilance is pleased to announce the release of 64-bit support for Windows Vista, Windows 7 and Windows Server 2008 / 2008 R2. Follow the download instructions in your (existing) license email to obtain the new installers.
Anonymous strongly opposes BART's cell phone service cut. AT&T sues two men over a scheme to steal customer data. A children's app maker is fined for a privacy violation. A former IT employee pleads guilty to a cyber attack on his ex-employer.
Enjoy reading & Stay safe.
Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com
Top Security News Stories this Week
• Attacks on BART continue as police records dumped
Revenge-seeking hackers have again struck at Bay Area Rapid Transit (BART), this time infiltrating the agency's police association website to steal the personal information belonging to 102 officers.
The private details, which included the names, home and email addresses, and passwords of members of the BART Police Officers' Association, were published on Pastebin. The BART POA site is currently offline.
The action comes in response to BART's decision to cut mobile web and phone service during last Thursday evening's commute at four downtown San Francisco stations. Officials said a demonstration was planned to protest the July killing of a man by a BART police officer, and they wanted to prevent participants from being able to use mobile devices to communicate.
SC Magazine
Full Story :
http://www.scmagazineus.com/attacks-on-bart-continue-as-police-records-dumped/article/209808/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
• AT&T sues two over scheme to steal customer data
AT&T has accused two Utah men of carrying out a data mining scheme, using automatic dialing programs to harvest information from its customer database and costing the company more than $6.5 million.
In a complaint filed late last week in federal court in Dallas, AT&T and its subsidiaries named Phil Iverson and Chris Gose as the masterminds behind the fraud.
AT&T claims that over at least the past five years, the defendants used computerized auto-dialing programs to place hundreds of millions of phone calls to numbers they purchased from AT&T, according to the complaint.
The calls, however, were spoofed to make it appear like the calls were coming from other AT&T customer numbers, which tricked AT&T's systems into delivering caller ID name information stored in its customer database.
SC Magazine
Full Story :
http://www.scmagazineus.com/att-sues-two-over-scheme-to-steal-customer-data/article/209763/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
• FTC fines children's app maker $50K for privacy violation
In its first settlement related to deceptive mobile applications, the Federal Trade Commission has ordered an app maker to pay $50,000 to settle claims that its program illegally collected and disclosed the personal data of tens of thousands of children.
According to the FTC, a number of children's game-playing apps produced by Cupertino, Calif.-based W3 Innovations violated a federal law that requires website operators to state their information-collection policies and obtain parental approval prior to accumulating and disclosing personal data about children ages 12 and under.
Specifically, W3, which does business as Broken Thumbs Apps, violated The Children's Online Privacy Protection Act (COPPA) by collecting and maintaining the email addresses of children, and permitting them to publicly post personal information on message boards from their apps.
SC Magazine
Full Story :
http://www.scmagazineus.com/ftc-fines-childrens-app-maker-50k-for-privacy-violation/article/209707/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
• IT worker pleads guilty to crippling ex-employer's network
A former IT worker pleaded guilty in federal court Tuesday to launching an attack that crippled his ex-employer's computer network and caused the company hundreds of thousands of dollars in damages.
Jason Cornish, 37, of Smyrna, Ga., faces up to 10 years in prison and a $250,000 fine for breaking into the network of Shionogi, the U.S.-based subsidiary of a Japanese pharmaceutical company, and deleting the contents of 15 virtual hosts that housed the equivalent of 88 servers, U.S. prosecutors said in a news release Tuesday.
Cornish, who began working for Shionogi in 2009, but quit the following year after a dispute with a senior manager, carried out the cyber assault after a close friend was fired from the company, prosecutors said.
SC Magazine
Full Story :
http://www.scmagazineus.com/it-worker-pleads-guilty-to-crippling-ex-employers-network/article/209878/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
New Vulnerabilities Tested in SecureScout
• 19421 Window Open Race Condition Vulnerability (MS11-057/2559049) (Remote File Checking)
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that may have been corrupted due to a race condition. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* MS: MS11-057
http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx
* BID: 48994
http://www.securityfocus.com/bid/48994
* SECTRACK: 1025893
http://www.securitytracker.com/id/1025893
CVE Reference:
CVE-2011-1257 (cve.mitre.org, nvd.nist.gov)
• 19422 Event Handlers Information Disclosure Vulnerability (MS11-057/2559049) (Remote File Checking)
An information disclosure vulnerability exists in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page disguised as legitimate content. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.
Test Case Impact: Gather Info | Vulnerability Impact: Gather Info | Risk: Medium
References:
* MS: MS11-057
http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx
* BID: 49023
http://www.securityfocus.com/bid/49023
* SECTRACK: 1025893
http://www.securitytracker.com/id/1025893
CVE Reference:
CVE-2011-1960 (cve.mitre.org, nvd.nist.gov)
• 19423 Telnet Handler Remote Code Execution Vulnerability (MS11-057/2559049) (Remote File Checking)
A remote code execution vulnerability exists in the way that Internet Explorer uses the telnet URI handler. The handler may be used in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* MS: MS11-057
http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx
* BID: 49027
http://www.securityfocus.com/bid/49027
* SECTRACK: 1025893
http://www.securitytracker.com/id/1025893
CVE Reference:
CVE-2011-1961 (cve.mitre.org, nvd.nist.gov)
• 19424 Shift JIS Character Encoding Vulnerability (MS11-057/2559049) (Remote File Checking)
An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by inserting specially crafted strings into a Web site, resulting in information disclosure when a user viewed the Web site. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.
Test Case Impact: Gather Info | Vulnerability Impact: Gather Info | Risk: Medium
References:
* MS: MS11-057
http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx
* BID: 49032
http://www.securityfocus.com/bid/49032
* SECTRACK: 1025893
http://www.securitytracker.com/id/1025893
CVE Reference:
CVE-2011-1962 (cve.mitre.org, nvd.nist.gov)
• 19425 XSLT Memory Corruption Vulnerability (MS11-057/2559049) (Remote File Checking)
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* MS: MS11-057
http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx
* BID: 49037
http://www.securityfocus.com/bid/49037
* SECTRACK: 1025893
http://www.securitytracker.com/id/1025893
CVE Reference:
CVE-2011-1963 (cve.mitre.org, nvd.nist.gov)
• 19426 Style Object Memory Corruption Vulnerability (MS11-057/2559049) (Remote File Checking)
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* MS: MS11-057
http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx
* BID: 49039
http://www.securityfocus.com/bid/49039
* SECTRACK: 1025893
http://www.securitytracker.com/id/1025893
CVE Reference:
CVE-2011-1964 (cve.mitre.org, nvd.nist.gov)
• 19427 Drag and Drop Information Disclosure Vulnerability (MS11-057/2559049) (Remote File Checking)
An information disclosure vulnerability exists in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page and performed a drag-and-drop operation. An attacker who successfully exploited this vulnerability could gain access to cookie files stored on the local machine.
Test Case Impact: Gather Info | Vulnerability Impact: Gather Info | Risk: Medium
References:
* MS: MS11-057
http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx
* BID: 47989
http://www.securityfocus.com/bid/47989
* SECTRACK: 1025893
http://www.securitytracker.com/id/1025893
CVE Reference:
CVE-2011-2383 (cve.mitre.org, nvd.nist.gov)
• 19428 pStream Release RCE Vulnerability (MS11-060/2560978) (Remote File Checking)
A remote code execution vulnerability exists in the way that Microsoft Visio validates objects in memory when parsing specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* MS: MS11-060
http://www.microsoft.com/technet/security/Bulletin/MS11-060.mspx
* BID: 49024
http://www.securityfocus.com/bid/49024
* SECTRACK: 1025896
http://www.securitytracker.com/id/1025896
CVE Reference:
CVE-2011-1972 (cve.mitre.org, nvd.nist.gov)
• 19429 Move Around the Block RCE Vulnerability (MS11-060/2560978) (Remote File Checking)
A remote code execution vulnerability exists in the way that Microsoft Visio validates objects in memory when parsing specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* MS: MS11-060
http://www.microsoft.com/technet/security/Bulletin/MS11-060.mspx
* SECTRACK: 1025896
http://www.securitytracker.com/id/1025896
CVE Reference:
CVE-2011-1979 (cve.mitre.org, nvd.nist.gov)
• 19430 Data Access Components Insecure Library Loading Vulnerability (MS11-059/2560656) (Remote File Checking)
A remote code execution vulnerability exists in the way that the Windows Data Access Tracing component handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* MS: MS11-059
http://www.microsoft.com/technet/security/Bulletin/MS11-059.mspx
* SECTRACK: 1025895
http://www.securitytracker.com/id/1025895
* BID: 49026
http://www.securityfocus.com/bid/49026
CVE Reference:
CVE-2011-1975 (cve.mitre.org, nvd.nist.gov)
New Vulnerabilities found this Week
• CVE-2011-2729    Apache    CVSS 2.0 Score = 5.0
native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
Test Case Impact: | Vulnerability Impact: | Risk: Medium
References:
CONFIRM: https://issues.apache.org/jira/browse/DAEMON-214
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=730400
XF: http://xforce.iss.net/xforce/xfdb/69161
BID: http://www.securityfocus.com/bid/49143
CONFIRM: http://tomcat.apache.org/security-7.html
CONFIRM: http://tomcat.apache.org/security-6.html
CONFIRM: http://tomcat.apache.org/security-5.html
CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1153824
CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1153379
CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1152701
SECTRACK: http://securitytracker.com/id?1025925
CONFIRM: http://people.apache.org/~markt/patches/2011-08-12-cve2011-2729-tc5.patch
MLIST: http://mail-archives.apache.org/mod_mbox/tomcat-announce/201108.mbox/%3C4E45221D.1020306@apache.org%3E
MLIST: http://mail-archives.apache.org/mod_mbox/commons-dev/201108.mbox/%3C4E451B2B.9090108@apache.org%3E
CVE Reference: CVE-2011-2729
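The Tomcat advisory for this issue applies only when jsvc was compiled with libcap and started with -user: jsvc keeps capabilities across its switch to the service account (so the JVM can still bind port 80 or 443) but, because of a bug in that code, never dropped the rest, so the JVM ran as an unprivileged user while still holding CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, which is exactly what lets a web application read files the service user has no permission for. The quickest check on a running system is the CapEff line of /proc/<pid>/status for the Tomcat process. The audit below is an added example, not code from the Tomcat or Commons Daemon projects; the two status excerpts are constructed, the service UID 91 is arbitrary, and the allowed set (CAP_NET_BIND_SERVICE only) is an assumption about what the service legitimately needs.

```python
from __future__ import annotations

import sys
from typing import NamedTuple

# Capability bit numbers from <linux/capability.h>; bits not listed here are reported as CAP_<n>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
}
# Assumption: after switching to its service user, a jsvc-launched Tomcat only needs to bind
# privileged ports. Anything beyond that is unexpected.
ALLOWED_AFTER_SETUID = frozenset({10})
# The two bits behind "bypass read permissions for files": DAC_OVERRIDE ignores rwx bits
# entirely, DAC_READ_SEARCH ignores read and directory-search checks.
FILE_PERMISSION_BYPASS = frozenset({1, 2})


class Finding(NamedTuple):
    name: str
    euid: int
    vulnerable: bool
    unexpected: list


def parse_status(text: str) -> dict:
    """Pull Name, effective UID and CapEff out of /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    uid_cols = fields["Uid"].split()          # real, effective, saved, filesystem
    return {"name": fields.get("Name", "?"), "euid": int(uid_cols[1]),
            "cap_eff": int(fields["CapEff"], 16)}


def decode_caps(mask: int) -> list:
    """Names of the capabilities set in a CapEff/CapPrm bitmask."""
    return [CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if (mask >> bit) & 1]


def audit(status_text: str, allowed: frozenset = ALLOWED_AFTER_SETUID) -> Finding:
    """Flag a process that has dropped root but still holds file-permission-bypass capabilities."""
    info = parse_status(status_text)
    held = {bit for bit in range(64) if (info["cap_eff"] >> bit) & 1}
    unexpected = sorted(held - allowed)
    # A root process holding capabilities is normal; an unprivileged one holding the DAC bits is the bug.
    vulnerable = info["euid"] != 0 and bool(held & FILE_PERMISSION_BYPASS)
    return Finding(info["name"], info["euid"], vulnerable,
                   [CAP_NAMES.get(b, f"CAP_{b}") for b in unexpected])


def audit_pid(pid: int) -> Finding:
    with open(f"/proc/{pid}/status") as fh:
        return audit(fh.read())


# Constructed /proc/<pid>/status excerpts (not captured from a real system). The first is what the
# unfixed jsvc produces: service UID, but a full effective capability set. The second is the healthy state.
VULNERABLE_STATUS = "Name:\tjsvc\nUid:\t91\t91\t91\t91\nGid:\t91\t91\t91\t91\nCapEff:\t000001ffffffffff\n"
FIXED_STATUS = "Name:\tjsvc\nUid:\t91\t91\t91\t91\nGid:\t91\t91\t91\t91\nCapEff:\t0000000000000400\n"

if __name__ == "__main__":
    # Usage: python audit_caps.py <pid> [<pid> ...]; with no arguments the constructed samples are audited.
    pids = [int(a) for a in sys.argv[1:]]
    findings = [audit_pid(p) for p in pids] if pids else [audit(VULNERABLE_STATUS), audit(FIXED_STATUS)]
    for f in findings:
        verdict = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{f.name} euid={f.euid}: {verdict}; unexpected caps: {', '.join(f.unexpected) or 'none'}")
```

Run it against the PID of the JVM that jsvc started (not the jsvc launcher itself, which is expected to stay privileged). The real remedy is to upgrade past the affected versions listed above or apply the linked patch; the audit only tells you whether the running instance still carries the extra capabilities.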
• CVE-2011-2481    Apache    CVSS 2.0 Score = 4.6
Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.
Test Case Impact: | Vulnerability Impact: | Risk: Medium
References:
CONFIRM: http://tomcat.apache.org/security-7.html
CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1138788
CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1137753
CONFIRM: https://issues.apache.org/bugzilla/show_bug.cgi?id=51395
SECTRACK: http://securitytracker.com/id?1025924
CVE Reference: CVE-2011-2481
• CVE-2011-0551    Symantec    CVSS 2.0 Score = 6.8
Cross-site request forgery (CSRF) vulnerability in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.
Test Case Impact: | Vulnerability Impact: | Risk: Medium
References:
CONFIRM: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00
BID: http://www.securityfocus.com/bid/49101
OSVDB: http://www.osvdb.org/74467
SECTRACK: http://securitytracker.com/id?1025919
SECUNIA: http://secunia.com/advisories/43662
CVE Reference: CVE-2011-0551
• CVE-2011-0550    Symantec    CVSS 2.0 Score = 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allow remote attackers to inject arbitrary web script or HTML via (1) the token parameter to portal/Help.jsp or (2) the URI in a console/apps/sepm request.
Test Case Impact: | Vulnerability Impact: | Risk: Medium
References:
XF: http://xforce.iss.net/xforce/xfdb/69136
CONFIRM: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00
BID: http://www.securityfocus.com/bid/48231
OSVDB: http://www.osvdb.org/74466
OSVDB: http://www.osvdb.org/74465
SECTRACK: http://securitytracker.com/id?1025919
SECUNIA: http://secunia.com/advisories/43662
CVE Reference: CVE-2011-0550
• CVE-2011-3140    IBM    CVSS 2.0 Score = 5.0
IBM Web Application Firewall, as used on the G400 IPS-G400-IB-1 and GX4004 IPS-GX4004-IB-2 appliances with update 31.030, does not properly handle query strings with multiple instances of the same parameter, which allows remote attackers to bypass intended intrusion prevention by dividing a dangerous parameter value into substrings, as demonstrated by a SQL statement that is split across multiple iid parameters and then sent to a .aspx file on an IIS web server.
Test Case Impact: | Vulnerability Impact: | Risk: Medium
References:
MISC: https://www.trustwave.com/spiderlabs/advisories/TWSL2011-006.txt
XF: http://xforce.iss.net/xforce/xfdb/67178
BID: http://www.securityfocus.com/bid/48370
BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/518556/100/0/threaded
CONFIRM: http://www.iss.net/security_center/reference/vuln/HTTP_Parameter_Abuse.htm
SECTRACK: http://securitytracker.com/id?1025683
CVE Reference: CVE-2011-3140
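The bypass in this entry is an HTTP parameter pollution trick. ASP.NET's Request.QueryString joins repeated occurrences of a parameter with a comma, so an attacker can spread one SQL statement across several iid values and place /* */ comments so that every inserted comma lands inside a comment; the database then reads the joined string as ordinary SQL. A WAF that judges each occurrence on its own, as the appliance did, sees only harmless fragments. The Python below is an added example, not code from the advisory, IBM or Trustwave: the signatures are deliberately minimal, the payloads are constructed, and the backend merge rules (ASP.NET comma-join, PHP last-wins, servlet first-wins) are the assumption the hardened check is built on.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# Deliberately small SQL-injection signatures, enough to show the bypass. A real WAF rule set is far larger.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I),
    re.compile(r"\bselect\b.+?\bfrom\b", re.I),
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
]
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# How different backends resolve a parameter that appears more than once (assumed behaviours):
# ASP.NET (Request.QueryString) joins all occurrences with ','; PHP keeps the last; Java servlets return the first.
BACKEND_VIEWS = {
    "aspnet": lambda values: ",".join(values),
    "php": lambda values: values[-1],
    "servlet": lambda values: values[0],
}


def normalize_sql(fragment: str) -> str:
    """Collapse /* */ comments to whitespace, which is how the database engine will read them."""
    return re.sub(r"\s+", " ", SQL_COMMENT.sub(" ", fragment)).strip()


def looks_like_sqli(value: str) -> bool:
    normalized = normalize_sql(value)
    return any(p.search(normalized) for p in SQLI_PATTERNS)


def occurrences(query: str) -> dict:
    """Every value of every parameter, in order, duplicates preserved."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def backend_view(query: str, backend: str) -> dict:
    """The single value per parameter that the named backend hands to application code."""
    merge = BACKEND_VIEWS[backend]
    return {name: merge(values) for name, values in occurrences(query).items()}


def naive_waf_blocks(query: str) -> bool:
    """Per-occurrence inspection only: each duplicate value is judged on its own (the bypassed behaviour)."""
    return any(looks_like_sqli(v) for values in occurrences(query).values() for v in values)


def hardened_waf_blocks(query: str, backend: str = "aspnet") -> bool:
    """Inspect each occurrence AND the value the protected backend will actually see."""
    if naive_waf_blocks(query):
        return True
    return any(looks_like_sqli(v) for v in backend_view(query, backend).values())


# Constructed payloads (not taken from the advisory). In SPLIT_PAYLOAD the statement is spread over repeated
# iid parameters, with /* */ comments placed so that the commas ASP.NET inserts fall inside a comment.
SPLIT_PAYLOAD = "iid=1'/*&iid=*/union/*&iid=*/select/*&iid=*/password/*&iid=*/from/*&iid=*/users--"
SINGLE_PAYLOAD = "iid=1'+union+select+password+from+users--"
BENIGN = "iid=42&page=2"

if __name__ == "__main__":
    for label, q in [("single", SINGLE_PAYLOAD), ("split", SPLIT_PAYLOAD), ("benign", BENIGN)]:
        print(f"{label:7} naive={naive_waf_blocks(q)!s:5} hardened(aspnet)={hardened_waf_blocks(q)!s:5} "
              f"hardened(php)={hardened_waf_blocks(q, 'php')!s:5} aspnet sees: {backend_view(q, 'aspnet')}")
```

The same split payload is harmless against a PHP backend, where only the last iid value survives, which is why the hardened check takes the backend type as a parameter: a WAF can only reassemble the request the way the server it protects will, and it has to know which server that is.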
• CVE-2011-0257    Apple    CVSS 2.0 Score = 9.3
Integer signedness error in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PnSize opcode in a PICT file that triggers a stack-based buffer overflow.
Test Case Impact: | Vulnerability Impact: | Risk: High
References:
MISC: http://zerodayinitiative.com/advisories/ZDI-11-252/
CONFIRM: http://support.apple.com/kb/HT4826
CVE Reference: CVE-2011-0257
• CVE-2011-0256    Apple    CVSS 2.0 Score = 9.3
Integer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted track run atoms in a QuickTime movie file.
Test Case Impact: | Vulnerability Impact: | Risk: High
References:
CONFIRM: http://support.apple.com/kb/HT4826
CVE Reference: CVE-2011-0256
• CVE-2011-2424    Adobe    CVSS 2.0 Score = 9.3
Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted SWF file, as demonstrated by "about 400 unique crash signatures."
Test Case Impact: | Vulnerability Impact: | Risk: High
References:
CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-21.html
MISC: http://twitter.com/taviso/statuses/101046396790128640
MISC: http://twitter.com/taviso/statuses/101046246277521409
MISC: http://googleonlinesecurity.blogspot.com/2011/08/fuzzing-at-scale.html
CONFIRM: http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that-number.html
CVE Reference: CVE-2011-2424
Vulnerability Resource
Check out this compendium of links and up-to-the-minute information about network security issues.
Their claim to be the 'security portal for information system security professionals' is well founded.
http://www.infosyssec.org/infosyssec/
Thank You
Thanks for sifting through another great edition of ScoutNews. We hope we captured the flavor of the week and gave you just enough information on newly found vulnerabilities to keep you up to date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com
About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.
For any inquiry about SecureScout:
Customers in America and Northern Europe, contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, the Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net