Apple has released QuickTime version 7.3.1 to address the RTSP vulnerability we talked about earlier. Coinciding with the release of this latest version, Apple has released information for two addition vulnerabilities. Both of the new vulnerabilities allow for the execution of code, so everyone with Quicktime on their systems should apply the update.
HP-UX DCE Denial of Service
An unspecified issue has been reported in HP-UX programs that run DCE. One such program is Software Distributor (SD). A successful exploit can cause a remote Denial of Service. Additionally, systems running some versions of OpenSSL are also prone to DoS and possibly system compromise.
For more details see: HP Support Document HPSBUX02294 SSRT071451 DCE DoS
HPSBUX02296 SSRT071504 OpenSSL DoS/Code Execution
Solaris 10 NFS Privilege Escalation
Solaris 10 systems running with kernel patches 120011-04 or later for SPARC and 120012-04 or later for x86 may allow unauthorized root access to files served by NFS. To be vulnerable the system must be running an NFS server and have one or more netgroups configured with root privileges. Full details can be found in the Sunsolve document 103162.
Avaya Products Using Samba
Avaya products that use samba may be at risk for system compromise. The affected products are: Intuity Audix LX, Messaging Storage Server and Message Networking. Full details can be found at ASA-2007-520
After reports of squirrelly package checksums the developers have discovered that the distribution for version 1.4.12 was compromised by some third party. The compromised code involves PHP though the effect of the changes has not yet been determined. The development team “strongly recommend everybody that has downloaded the 1.4.12 package after the 8th December, to redownload the package.”
For full details and correct checksums see http://www.squirrelmail.org
WordPress – Another SQL injection vector has been discovered. This time the vulnerability is in the search function. At this time it is known to be exploitable using the character sets Big5 and GBK. Other character sets may that use a backslash as a part of the character may also be exploitable. Successful attacks can reveal the contents of the underlying database or be used in conjunction with other vulnerabilities to gain administrative privileges on the host server.
HP Laptops – Multiple Hewlett-Packard notebooks are vulnerable to a remote code execution via the pre-loaded “HP Info Center” software. An ActiveX control within the software is the cause of the vulnerability. A patch is not yet available for this issue.
SquirrelMail GPG Plugin – Two vulnerabilities have been discovered in this plugin. The first issue can allow a user to delete or modify files that are owned by the web site user. The second issue allows users to modify the html of the displayed message.
A total of seven new Microsoft patches were released yesterday. Three were rated by MS as being Critical with the remaining four being rated as Important. There are exploits available for MS07-065, MS07-067 and MS07-069. Below is a quick summary of the releases. More details can be obtained from the original MS advisories:
http://www.microsoft.com/protect/computer/updates/bulletins/200712.mspx
Rated Critical
MS07-069 Cumulative Security Update for Internet Explorer [Could Allow Remote Code Execution] (942615)
MS07-064 Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
MS07-068 Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
MS07-069 Cumulative Security Update for Internet Explorer (942615)
Rated Important
MS07-063 Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
MS07-065 Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
MS07-066 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)
MS07-067 Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)
The first is a potential remote execution of code on HP-UX systems that are running Apache. HP-UX B.11.11, B.11.23, B.11.31 running Apache v2.0.59.00.0 or earlier are known to be vulnerable. While the HP security bulletin is a vague, it does cite CVE-2007-5135 which details an off-by-one error in the SSL_get_shared_ciphers function of OpenSSL 0.9.7 – 0.9.7l, and 0.9.8 – 0.9.8f. HP’s original security bulletin is HPSBUX02292 SSRT071499 rev.1. Updates are available.
The second is an XSS issue in HP OpenView Network Node Manager. It appears to be remotely exploitable. Affected versions are HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, 7.51 running on HP-UX B.11.00, B.11.11, and B.11.23, Solaris, Windows NT, Windows 2000, Windows XP, and Linux. The original HP security bulletin is HPSBMA02283 SSRT071319 rev.1. Updates are available for this as well.
The latest releases of Firefox (2.0.0.10) and SeaMonkey (1.1.7) address three recently discovered vulnerabilities. The first is a race condition in window.location that can allow Cross-site scripting via referer-spoofing. The second is a memory corruption issue which could lead to the execution of arbitrary code. The third is a jar URI scheme vulnerability that can also allow Cross-site scripting to occur.
You should update if you are using one of these products.
For for the original notifications travel over to Mozilla’s known vulnerabilities site
Two denial of service vulnerabilities were reported in Linux kernels prior to 2.6.23.8 this weekend.
The first is caused by a design flaw in the “wait_task_stopped()” function. It is locally exploitable by manipulating the state of a child process. Kernel version 2.6.24-rc1 is also known to be vulnerable. See CVE-2007-5500 for more details.
The second involves a design flaw in the “write_queue_from” which creates a NULL-pointer issue. This vulnerability is remotely exploitable by sending the system a specially crafted ACK packet. See CVE-2007-5501 for more details.
The original advisory can be viewed at:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.8
A new samba patch was released yesterday to address two buffer overflows. The first allows for the execution of arbitrary code when the WINS support option is enabled. An attacker would send specially crafted WINS requests to take advantage of this vulnerability. The second d can be exploited by sending a specially crafted GETDC mailslot request. For this second exploit to succeed samba must be configured as a Domain Controller. Samba versions 3.0.0-3.0.26a are know to be vulnerable to these issues.
The original advisory and patches are available at:
http://us1.samba.org/samba/history/security.html
Apple has released new security updates for Mac OS X. The updates address a variety of issues including vulnerabilities in the Adobe Flash Player, AppleRAID, BIND, FTP, the kernel and various sub-systems. Successful exploitation of these issues could lead to system access, privilege escalation, Denial of Service issues, etc.
All users are strongly encouraged to update to Mac OS X 10.4.11 or apply Security Update 2007-008.
Full details can be found in the original Apple advisory:
http://docs.info.apple.com/article.html?artnum=307041