Apple has released security update 2007-009. This update contains fixes for several critical vulnerabilities, plus fixes for other issues.  Updates are available for 10.4.11 and 10.5.1. For a complete list of vulnerabilities fixed, please visit http://docs.info.apple.com/article.html?artnum=307179.

There is buffer overflow in HP-UX. The issue lies in a function call to sw_rpc_agent_init within swagentd that if given malformed arguments, could result in a buffer overflow. This could allow attackers to execute arbitrary code. Authentication is not required. Hewlett-Packard has released an update to address this vulnerability, available from HP document ID #SB2294r1.

Trend Micro ServerProtect contains an insecure method exposure in the StRpcSrv.dll. The bug exists in the SpntSvc.exe daemon running on TCP port 5168. An attack against this vector could result in full file system access that could be leveraged to execute arbitrary code. An update to this issue has been release, and more information can be found at http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt.

The perl package Net::DNS is vulnerable to a denial of service. By sending a malformed DNS reply to a server or application running Net::DNS, it is possible to cause the package to crash. This would in turn crash any application running the Net::DNS module.  Net::DNS version 0.60 build 654 is vulnerable. This issue has been assigned CVE-2007-6341.

St. Bernard Open File Manager is vulnerable to a heap-based buffer overflow. This is due to a boundary error in ofmnt.exe, in which an attacker can send a malicious packet to the service and cause the overflow. This could result in the execution of code as a SYSTEM user. Version 9.6 build 602 available to customers addresses this issue. Other vendors using this software may have made updates available as well.

Apple has released QuickTime version 7.3.1 to address the RTSP vulnerability we talked about earlier. Coinciding with the release of this latest version, Apple has released information for two addition vulnerabilities. Both of the new vulnerabilities allow for the execution of code, so everyone with Quicktime on their systems should apply the update.

HP-UX DCE Denial of Service

An unspecified issue has been reported in HP-UX programs that run DCE. One such program is Software Distributor (SD). A successful exploit can cause a remote Denial of Service. Additionally, systems running some versions of OpenSSL are also prone to DoS and possibly system compromise.

For more details see: HP Support Document HPSBUX02294 SSRT071451 DCE DoS

HPSBUX02296 SSRT071504 OpenSSL DoS/Code Execution

Solaris 10 NFS Privilege Escalation
Solaris 10 systems running with kernel patches 120011-04 or later for SPARC and 120012-04 or later for x86 may allow unauthorized root access to files served by NFS. To be vulnerable the system must be running an NFS server and have one or more netgroups configured with root privileges. Full details can be found in the Sunsolve document 103162.

Avaya Products Using Samba
Avaya products that use samba may be at risk for system compromise. The affected products are: Intuity Audix LX, Messaging Storage Server and Message Networking. Full details can be found at ASA-2007-520

After reports of squirrelly package checksums the developers have discovered that the distribution for version 1.4.12 was compromised by some third party. The compromised code involves PHP though the effect of the changes has not yet been determined. The development team “strongly recommend everybody that has downloaded the 1.4.12 package after the 8th December, to redownload the package.”

For full details and correct checksums see http://www.squirrelmail.org

Certain Avaya products are affected by a vulnerability in PCRE (perl compatible regular expressions). This could cause a denial of service on the Avaya system, or lead to compromise using the affected library. The following applications are affected:

* Avaya Communication Manager (CM 3.x and 4.x)
* Avaya CCS/SES (3.1.1, 3.1.2 and 4.0)
* Avaya AES (4.0.1, 4.1)
* Avaya Intuity AUDIX LX (2.0)
* Avaya Message Networking (3.1)
* Avaya Messaging Storage Server (MSS 3.x)

For more information, see the original advisory at http://support.avaya.com/elmodocs2/security/ASA-2007-505.htm.

IBM AIX 5.x contains multiple, unspecified vulnerabilities. There are too many to list here, so if you are a user of AIX 5.x, please visit IBM support and obtain the latest updates for your specific version.

WordPress – Another SQL injection vector has been discovered. This time the vulnerability is in the search function.  At this time it is known to be exploitable using the character sets Big5 and GBK. Other character sets may that use a backslash as a part of the character may also be exploitable. Successful attacks can reveal the contents of the underlying database or be used in conjunction with other vulnerabilities to gain administrative privileges on the host server.

HP Laptops – Multiple Hewlett-Packard notebooks are vulnerable to a remote code execution via the pre-loaded “HP Info Center” software. An ActiveX control within the software is the cause of the vulnerability. A patch is not yet available for this issue.

SquirrelMail GPG Plugin – Two vulnerabilities have been discovered in this plugin. The first issue can allow a user to delete or modify files that are owned by the web site user. The second issue allows users to modify the html of the displayed message.

A total of seven new Microsoft patches were released yesterday. Three were rated by MS as being Critical with the remaining four being rated as Important. There are exploits available for MS07-065, MS07-067 and MS07-069. Below is a quick summary of the releases. More details can be obtained from the original MS advisories:
http://www.microsoft.com/protect/computer/updates/bulletins/200712.mspx

Rated Critical
MS07-069 Cumulative Security Update for Internet Explorer [Could Allow Remote Code Execution] (942615)
MS07-064 Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
MS07-068 Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
MS07-069 Cumulative Security Update for Internet Explorer (942615)

Rated Important
MS07-063 Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
MS07-065 Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
MS07-066 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)
MS07-067 Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)