2012 Issue #1 | ScoutNews
Product Focus
Apache Chunked Vulnerability Scanner - The S4 Apache Chunked Vulnerability Scanner is a free utility made by SecureScout that will scan up to 256 IP addresses at once to assess if any are vulnerable to the Apache Chunked Encoding buffer overflow.
Download Here:
http://www2.netvigilance.com/productdownloads?productname=apachechunkedvulnerabilityscanner
This Week in Review
Cyber gang claims to have stolen Symantec source code. Seven patches on the way from Microsoft. Anonymous hacking California Union. Ramnit stealing Facebook login.
Enjoy reading & Stay safe.
Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com
Top Security News Stories this Week
• Hackers say they have Symantec's Norton AV source code
Hackers, possibly from India, claim they have lifted the source code for Symantec's Norton AntiVirus product, and are planning to post it.
A cyber gang calling itself "The Lords of Dharmaraja" promised to release the entire source code, but first issued what they said was a sneak peek, according to a Pastebin document, which has since been removed. The group said it stole the data by infiltrating servers belonging to an Indian military intelligence agency.
However, a Symantec spokesman said the document didn't include any proprietary programming language.
SC Magazine
Full Story :
http://www.scmagazine.com/hackers-say-they-have-symantecs-norton-av-source-code/article/222003/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
• Microsoft preps seven security patches
Microsoft announced Thursday that it plans to release seven patches next week to address eight security vulnerabilities.
As part of its first monthly security update of the new year, the software giant expects to patch flaws in Windows, as well as in its developer tools software, according to an advance notification. It does not appear that any publicly known issues are being patched.
Just one of the seven bulletins is deemed "critical" in nature, Microsoft's highest severity rating.
SC Magazine
Full Story :
http://www.scmagazine.com/microsoft-preps-seven-security-patches/article/221982/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
• California union latest Anonymous police victim
Anonymous hackers affiliated with the group's "AntiSec" initiative struck again over the New Year's weekend, this time dumping private data they stole by breaking into the website belonging to the California Statewide Law Enforcement Association (CSLEA) union.
The hacktivists were driven by a number of reasons, they said in an online dispatch, including the fatal shooting of Oscar Grant by a Bay Area Rapid Transit (BART) police officer three years earlier and the attempted repression by authorities of the Occupy Wall Street movement.
The intruders made off with 2,519 first and last names, usernames, email addresses and clear-text passwords, according to DataBreaches.net. They also absconded with credit card details -- apparently unencrypted -- belonging to users who made purchases at the site's gift shop.
SC Magazine
Full Story :
http://www.scmagazine.com/california-union-latest-anonymous-police-victim/article/221643/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
• New Ramnit variant steals Facebook logins
The ever-evolving Ramnit worm is back, and this time it has gone after Facebook users, harvesting more than 45,000 login credentials worldwide, primarily from users in the U.K. and France, according to a blog post from Seculert Research Lab, which discovered a command-and-control (C&C) server holding the pilfered data.
Researchers found that the C&C server contained an open directory called "Facebook," with a text file called "Facebook accounts," Aviv Raff, CTO of Seculert, told SCMagazine.com on Thursday. The file contained more than 45,000 unique Facebook usernames and passwords.
"We suspect that the attackers behind Ramnit are using the stolen credentials to expand the malware's reach," Seculert said.
SC Magazine
Full Story :
http://www.scmagazine.com/new-ramnit-variant-steals-facebook-logins/article/221980/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
New Vulnerabilities Tested in SecureScout
• 19712 Mozilla Firefox JSSubScriptLoader vulnerability (CVE-2011-3647)
The JSSubScriptLoader in Mozilla Firefox before 3.6.24 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior.
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-46.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=680880
* BID: 50589
http://www.securityfocus.com/bid/50589
CVE Reference:
CVE-2011-3647 (cve.mitre.org, nvd.nist.gov)
• 19713 Mozilla Firefox Cross-site scripting (XSS) vulnerability (CVE-2011-3648)
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-47.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=690225
* BID: 50593
http://www.securityfocus.com/bid/50593
CVE Reference:
CVE-2011-3648 (cve.mitre.org, nvd.nist.gov)
• 19714 Mozilla Firefox handling JavaScript files vulnerability (CVE-2011-3650)
Mozilla Firefox before 3.6.24 and 4.x through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug.
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-49.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=674776
* BID: 50595
http://www.securityfocus.com/bid/50595
CVE Reference:
CVE-2011-3650 (cve.mitre.org, nvd.nist.gov)
• 19715 Mozilla Firefox multiple unspecified vulnerabilities (CVE-2011-3651)
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 7.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-48.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=646968
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=652054
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=665070
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=671160
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=672892
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=675515
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=676918
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=677847
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=679593
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=686044
CVE Reference:
CVE-2011-3651 (cve.mitre.org, nvd.nist.gov)
• 19716 Mozilla Firefox remote memory corruption vulnerability (CVE-2011-3652)
The browser engine in Mozilla Firefox before 8.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-48.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=682727
* BID: 50600
http://www.securityfocus.com/bid/50600
CVE Reference:
CVE-2011-3652 (cve.mitre.org, nvd.nist.gov)
• 19717 Mozilla Firefox mpath elements remote memory corruption vulnerability (CVE-2011-3654)
The browser engine in Mozilla Firefox before 8.0 does not properly handle links from SVG mpath elements to non-SVG elements, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-48.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=694953
* BID: 50602
http://www.securityfocus.com/bid/50602
CVE Reference:
CVE-2011-3654 (cve.mitre.org, nvd.nist.gov)
• 19718 Microsoft Windows VBScript Stack-based buffer overflow vulnerability (CVE-2010-0917)
Stack-based buffer overflow in VBScript in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, might allow user-assisted remote attackers to execute arbitrary code via a long string in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution when the F1 key is pressed.
Test Case Impact: Gather Info
Vulnerability Impact: DoS
Risk: Medium
References:
* MISC:
http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
* MISC:
http://isec.pl/vulnerabilities10.html
* MISC:
http://www.theregister.co.uk/2010/03/01/ie_code_execution_bug/
* CONFIRM:
http://blogs.technet.com/msrc/archive/2010/03/01/security-advisory-981169-released.aspx
* CONFIRM:
http://www.microsoft.com/technet/security/advisory/981169.mspx
* XF: ms-win-winhlp32-bo(56560)
http://xforce.iss.net/xforce/xfdb/56560
CVE Reference:
CVE-2010-0917 (cve.mitre.org, nvd.nist.gov)
• 19719 Mozilla Firefox denial of service (application crash) vulnerability (CVE-2011-3665)
Mozilla Firefox 4.x through 8.0 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an Ogg VIDEO element that is not properly handled after scaling.
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-58.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=701259
* BID: 51134
http://www.securityfocus.com/bid/51134
CVE Reference:
CVE-2011-3665 (cve.mitre.org, nvd.nist.gov)
• 19720 Mozilla Firefox dangling pointer remote code execution vulnerability (CVE-2011-0073)
Mozilla Firefox before 3.5.19 does not properly use nsTreeRange data structures, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer."
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-13.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=630919
* DEBIAN: DSA-2227
http://www.debian.org/security/2011/dsa-2227
* DEBIAN: DSA-2228
http://www.debian.org/security/2011/dsa-2228
* DEBIAN: DSA-2235
http://www.debian.org/security/2011/dsa-2235
* MANDRIVA: MDVSA-2011:079
http://www.mandriva.com/security/advisories?name=MDVSA-2011:079
* SREASON: 8310
http://securityreason.com/securityalert/8310
CVE Reference:
CVE-2011-0073 (cve.mitre.org, nvd.nist.gov)
• 19721 Mozilla Firefox HTML Iframe tag memory corruption vulnerability (CVE-2011-0075)
Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Test Case Impact: Gather Info
Vulnerability Impact: DoS / Attack
Risk: Medium
References:
* CONFIRM:
http://www.mozilla.org/security/announce/2011/mfsa2011-12.html
* CONFIRM:
https://bugzilla.mozilla.org/show_bug.cgi?id=635977
* DEBIAN: DSA-2227
http://www.debian.org/security/2011/dsa-2227
* DEBIAN: DSA-2228
http://www.debian.org/security/2011/dsa-2228
* DEBIAN: DSA-2235
http://www.debian.org/security/2011/dsa-2235
* MANDRIVA: MDVSA-2011:080
http://www.mandriva.com/security/advisories?name=MDVSA-2011:080
* MANDRIVA: MDVSA-2011:079
http://www.mandriva.com/security/advisories?name=MDVSA-2011:079
CVE Reference:
CVE-2011-0075 (cve.mitre.org, nvd.nist.gov)
New Vulnerabilities found this Week
• CVE-2011-4858    Apache    CVSS 2.0 Score = 5.0
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Test Case Impact:
Vulnerability Impact:
Risk: Medium
References:
CERT-VN: http://www.kb.cert.org/vuls/id/903934
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=750521
MISC: http://www.ocert.org/advisories/ocert-2011-003.html
MISC: http://www.nruns.com/_downloads/advisory28122011.pdf
CONFIRM: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
MLIST: http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3c4EFB9800.5010106@apache.org%3e
CVE Reference: CVE-2011-4858
• CVE-2011-4905    Apache    CVSS 2.0 Score = 5.0
Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests.
Test Case Impact:
Vulnerability Impact:
Risk: Medium
References:
CONFIRM: https://issues.apache.org/jira/browse/AMQ-3294
BID: http://www.securityfocus.com/bid/50904
CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1211844
CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1209700
SECUNIA: http://secunia.com/advisories/47112
MLIST: http://openwall.com/lists/oss-security/2011/12/25/6
MLIST: http://openwall.com/lists/oss-security/2011/12/25/2
CVE Reference: CVE-2011-4905
• CVE-2011-5049    MySQL    CVSS 2.0 Score = 7.8
MySQL 5.5.8, when running on Windows, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted packet to TCP port 3306.
Test Case Impact:
Vulnerability Impact:
Risk: High
References:
XF: http://xforce.iss.net/xforce/xfdb/71965
EXPLOIT-DB: http://www.exploit-db.com/exploits/18269
CVE Reference: CVE-2011-5049
• CVE-2011-1386    IBM    CVSS 2.0 Score = 4.3
IBM Tivoli Federated Identity Manager (TFIM) and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1, 6.2.0, and 6.2.1 do not properly handle signature validations based on SAML 1.0, 1.1, and 2.0, which allows remote attackers to bypass intended authentication or authorization requirements via a non-conforming SAML signature.
Test Case Impact:
Vulnerability Impact:
Risk: Medium
References:
CONFIRM: http://www.ibm.com/support/docview.wss?uid=swg21575309
AIXAPAR: http://www-01.ibm.com/support/docview.wss?uid=swg1IV10793
XF: http://xforce.iss.net/xforce/xfdb/71686
AIXAPAR: http://www-01.ibm.com/support/docview.wss?uid=swg1IV10813
AIXAPAR: http://www-01.ibm.com/support/docview.wss?uid=swg1IV10801
CVE Reference: CVE-2011-1386
• CVE-2011-5048    IBM    CVSS 2.0 Score = 4.3
Multiple cross-site scripting (XSS) vulnerabilities in IBM Web Experience Factory (aka WEF, formerly WebSphere Portlet Factory) 7.0 and 7.0.1 allow remote attackers to inject arbitrary web script or HTML via a (1) text INPUT element or (2) TEXTAREA element, related to an interaction between Smart Refresh and Dojo.
Test Case Impact:
Vulnerability Impact:
Risk: Medium
References:
CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=swg21575083
AIXAPAR: http://www-01.ibm.com/support/docview.wss?uid=swg1LO65985
AIXAPAR: http://www-01.ibm.com/support/docview.wss?uid=swg1LO65984
CVE Reference: CVE-2011-5048
• CVE-2011-1384    IBM    CVSS 2.0 Score = 4.0
The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger inventory scout operations on arbitrary files, via a symlink attack on an unspecified file.
Test Case Impact:
Vulnerability Impact:
Risk: Medium
References:
XF: http://xforce.iss.net/xforce/xfdb/71615
BID: http://www.securityfocus.com/bid/51083
BID: http://www.securityfocus.com/bid/51059
AIXAPAR: http://www-01.ibm.com/support/docview.wss?uid=isg1IV11643
SECUNIA: http://secunia.com/advisories/47222
CONFIRM: http://aix.software.ibm.com/aix/efixes/security/invscout_advisory2.asc
CVE Reference: CVE-2011-1384
• CVE-2011-3669    Mozilla    CVSS 2.0 Score = 6.8
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments.
Test Case Impact:
Vulnerability Impact:
Risk: Medium
References:
CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=703983
CONFIRM: http://www.bugzilla.org/security/3.4.12/
CVE Reference: CVE-2011-3669
• CVE-2011-3668    Mozilla    CVSS 2.0 Score = 6.8
Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports.
Test Case Impact:
Vulnerability Impact:
Risk: Medium
References:
CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=703975
CONFIRM: http://www.bugzilla.org/security/3.4.12/
CVE Reference: CVE-2011-3668
Vulnerability Resource
Check out this compendium of links and up-to-the-minute information about network security issues.
Their claim to be the 'security portal for information system security professionals' is well founded.
http://www.infosyssec.org/infosyssec/
Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com
About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.
For inquiries about SecureScout:
Customers in America and Northern Europe, contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net