CIAC's latest security bulletins. http://www.ciac.org/ciac/index.html A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to gain unauthorized access to data. The risk is LOW. The vulnerability could be exploited remotely to gain unauthorized access to data. http://www.ciac.org/ciac/bulletins/s-340.shtml 8 Jul 2008 19:00 GMT New Bulletin There is a cross-site scripting vulnerability in the affected versions of Outlook Web Access (OWA) for Exchange Server. Exploitation of the vulnerability could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. The risk is LOW. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. If the malicious script is executed, the script would run inthe security context of the user's OWA session and could perform any action that user could perform such as reading, sending, and deleting e-mail as the logged-on user. http://www.ciac.org/ciac/bulletins/s-339.shtml 8 Jul 2008 19:00 GMT New Bulletin The Apple Webkit contains a memory corruption vulnerability. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code. The risk is MEDIUM. A remote, unauthenticated attacker may be able to execute arbitrary code. http://www.ciac.org/ciac/bulletins/s-338.shtml 8 Jul 2008 18:00 GMT New Bulletin Microsoft is investigating active, targeted attacks leveraging a potential vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. The risk is MEDIUM. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. http://www.ciac.org/ciac/bulletins/s-337.shtml 8 Jul 2008 18:00 GMT New Bulletin It was discovered that PCRE, the Perl-Compatible Regular Expression library, may encounter a heap overflow condition when compiling certain regular expressions involving in-pattern options and branches, potentially leading to arbitrary code execution. The risk is MEDIUM. May encounter a heap overflow condition when compiling certain regular expressions involving in-pattern options and branches, potentially leading the arbitrary code execution. http://www.ciac.org/ciac/bulletins/s-336.shtml 8 Jul 2008 18:00 GMT New Bulletin There is a vulnerability in Firefox that could crash in Mozilla's block reflow code that could be used by an attacker to crash the browser and run arbitrary code on the victim's computer. The risk is MEDIUM. A remote, unauthenticated attacker may be able to execute arbitrary code or cause a vulnerable browser to crash. http://www.ciac.org/ciac/bulletins/s-335.shtml 8 Jul 2008 18:00 GMT New Bulletin Several vulnerabilties exists in SQL Server that could allow a authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. http://www.ciac.org/ciac/bulletins/s-334.shtml 8 Jul 2008 18:00 GMT New Bulletin A remote code execution vulnerability exists when saving a specially crafted search file within Windows Explorer. This operation causes Windows Explorer to exit and restart in an exploitable manner. The risk is MEDIUM. This operation causes Windows Explorer to exit and restart in an exploitable manner. http://www.ciac.org/ciac/bulletins/s-333.shtml 8 Jul 2008 18:00 GMT New Bulletin A spoofing vulnerability exists in Windows DNS client and Windows DNS server. This vulnerability could allow a remote unauthenticated attacker to quickly and reliably spoof responses and insert records into the DNS server or client cache, thereby redirecting Internet traffic. The risk is MEDIUM. This vulnerability could allow a remote unauthenticated attacker to quickly and reliably spoof responses and insert records into the DNS server or client cache, thereby redirecting Internet traffic. http://www.ciac.org/ciac/bulletins/s-332.shtml 8 Jul 2008 18:00 GMT New Bulletin There are updated kernel packages that fix various security issues and a bug that are available for Red Hat Enterprise Linux 5. The risk is LOW. This could allow a local unprivileged user to cause a heap overflow, gaining privileges for arbitrary code execution. http://www.ciac.org/ciac/bulletins/s-331.shtml 26 Jun 2008 19:00 GMT New Bulletin Cisco Unified Communications Manager (CUCM), formerly Cisco CallManager, contains a denial of service (DoS) vulnerability in the Computer Telephony Integration (CTI) Manager service that may cause an interruption in voice services and an authentication bypass vulnerability inthe Real-Time Information Server (RIS) Data Collector that may expose information that is useful for reconnaissance. The risk is LOW. Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services or disclosure of information useful for reconnaissance. http://www.ciac.org/ciac/bulletins/s-330.shtml 26 Jun 2008 18:00 GMT New Bulletin Cross-Site Scripting has become an increasingly prevalent attack vector that can be leveraged to perform a wide range of compromises. These compromises can range from simple popup displays within a user's browser to session and cookie capture that are used for information and identity theft. As these attacks become more mature, as well as obscure, it is imperative that we understand how they happen, how they propagate, and the ways to prevent them. By understanding the different vectors of attack and realizing and implementing simple security measures against them, we can better protect ourselves and our users now, and in the future. http://www.ciac.org/ciac/techbull/CIACTech08-003.shtml 3 Jun 2008 17:00 GMT New Bulletin Windows hash dumping tools are often spotlighted as hacker tools that can somehow magically extract windows hashes and allow an intruder access to a system. In actuality, the hashes are there, in memory, where any admin or system level user can get at them. The tools just grab them and print them out. This paper will describe how Windows hashes are created, how the hash dumpers get at them, and what can be done with the hashes. http://www.ciac.org/ciac/techbull/CIACTech08-002.shtml 21 May 2008 23:00 GMT New Bulletin Many websites use the PHP programming language to build web pages on the fly from individual files and from values obtained from a database. PHP based websites are widely used to create Wikis such as MediaWiki used for Wikipedia. If the PHP programs that generate the web pages are not carefully crafted to check user input before it is used, an intruder could inject code into a page and get it executed. http://www.ciac.org/ciac/techbull/CIACTech08-001.shtml 29 Jan 2008 18:00 GMT New Bulletin A common cyber attack is to send a user an Office document (Word, Excel, PowerPoint) containing malicious code that infects the user's computer and proceeds to do the miscreant's bidding. Targeting of users has gotten so sophisticated that advice such as "don't open files from people you don't know" is no longer effective. MOICE, the Microsoft Office Isolated Conversion Environment opens Office documents before the Office application, converts it to a format that does not "support" malcode and then invokes the application with the newly cleaned document. Properly implemented, this could mitigate attacks using email-borne Office malcode. http://www.ciac.org/ciac/techbull/CIACTech07-001.shtml 22 May 2007 23:00 GMT New Revised Bulletin SQL injection is a real threat that is being used to exploit company systems and data. This threat can be reduced by a combination of good programming practice, application firewalls, and scanning. http://www.ciac.org/ciac/techbull/CIACTech06-001.shtml 6 Sep 2006 21:00 GMT 28 Apr 2008 21:00 GMT Revised Bulletin Many sites have detected large numbers of udp packets directed at the DNS port (53). These packets contain a lot of structure and there is concern that they are exploit or remote control packets. It turns out that they are discovery packets being sent to random IP addresses by the Sinit Calypso worm. They are invalid DNS packets and should be ignored by DNS servers. http://www.ciac.org/ciac/techbull/CIACTech05-001.shtml 15 Nov 2004 20:00 GMT Before systems containing the MyDoom.A worm can be cleaned, they must be detected. As running a scanner on each system can be difficult and time consuming, a method of remote scanning for infected machines is needed. http://www.ciac.org/ciac/techbull/CIACTech04-001.shtml 30 Jan 2004 23:00 GMT New Bulletin A spam engine has been released that uses the Windows Messenger Service (not the MSN Messenger instant messaging program) to send spam messages to users. The Messenger service is active on most Windows platforms. http://www.ciac.org/ciac/techbull/CIACTech03-001.shtml 29 Oct 2002 24:00 GMT New Bulletin Several online articles have worried the problem of file capture using Microsoft Word field codes. The articles have gone so far as suggesting that Word be banned from company computers until this is changed. These articles have created undue worry among computer users about what is a relatively low risk vulnerability. http://www.ciac.org/ciac/techbull/CIACTech02-005.shtml 27 Sep 2002 24:00 GMT New Bulletin Programs are being intentionally packaged with legitimate software to display advertising on your screen, gather information on your browsing habits, and to sell your unused CPU cycles and disk space. Current applications are relatively benign but could easily be used for an invasion of privacy or other malicious purposes. http://www.ciac.org/ciac/techbull/CIACTech02-004.shtml 11 Nov 2002 23:00 GMT New Bulletin Microsoft Office for Macintosh OS X has an antipiracy mechanism that secretly opens network service ports on a Macintosh system and broadcasts version information to other systems on a single subnet. The problem is that open network services provide attack points for intruders and need to be controlled by users. http://www.ciac.org/ciac/techbull/CIACTech02-003.shtml 26 Apr 2002 00:00 GMT New Bulletin Browser Helper Objects (BHO) are Microsoft's way of attaching add-ins to Internet Explorer 4 and later. In addition to legitimate uses, BHOs are used to attach spyware to a user's web browser to secretly send a user's browsing habits to a marketing site and could be used for malicious code. The problems are that there is no simple way to know what BHOs are attached to a system and no simple way to control the attachment of new ones. http://www.ciac.org/ciac/techbull/CIACTech02-002.shtml 2 Apr 2002 23:00 GMT New Bulletin In recent months, many servers running ssh have been compromised using the SSH CRC32 Compensation Attack Detector. Compromised machines have either not been upgraded to SSH protocol 2 or have not disabled drop back to SSH protocol 1. Use of this attack allows a remote user to gain root access on a server. http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml 9 May 2002 19:00 GMT New Bulletin A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). This vulnerability could be exploited remotely to execute arbitrary code or to create a Denial of Service (DoS). The risk is MEDIUM. The vulnerability could be exploited remotely execute arbitrary code or to create a Denial of Service (DoS). http://www.ciac.org/ciac/bulletins/s-317.shtml 19 Jun 2008 16:00 GMT 8 Jul 2008 16:00 GMT Revised Bulletin A potential security vulnerability has been identified with HP-UX running HP CIFS Server (Samba). The risk is MEDIUM. This vulnerability could be exploited remotely to execute arbitrary code. http://www.ciac.org/ciac/bulletins/s-232.shtml 27 Mar 2008 14:00 GMT 27 Jun 2008 14:00 GMT Revised Bulletin A heap-based buffer overflow flaw was found in the way Samba clients handle over-sized packets. If a client connected to a malicious Samba server, it was possible to execute arbitrary code as the Samba client user. The risk is MEDIUM. A malicious Samba server could run arbitrary code on a Samba client as the Samba client user. Alternately, a malicious client could run arbitrary code on a Samba server with the permissions of the Samba server. http://www.ciac.org/ciac/bulletins/s-301.shtml 30 May 2008 12:00 GMT 27 Jun 2008 12:00 GMT Revised Bulletin A buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to denial of service and potentially the execution of arbitrary code. The risk is MEDIUM. Could lead to denial of service and potentially the execution of arbitrary code. http://www.ciac.org/ciac/bulletins/s-164.shtml 11 Feb 2008 18:00 GMT 27 Jun 2008 18:00 GMT Revised Bulletin PHP contains a path translation vulnerability that may allow an attacker to execute arbitrary code. The risk is MEDIUM. An attacker may be able to execute arbitrary code in the context of an application that uses the vulnerable function. The scope of the impact depends on how the affected application works. Applications that process filename input from the network, such as public-facing web applications, would be vulnerable to a remote attacker. http://www.ciac.org/ciac/bulletins/s-286.shtml 9 May 2008 15:00 GMT 27 Jun 2008 15:00 GMT Revised Bulletin A remote code execution vulnerability exists in the Bluetooth stack in Microsoft Windows because the Bluetooth stack does not correctly handle a large nubmer of service description requests. The risk is MEDIUM. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulenrability could take complete contorl of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. http://www.ciac.org/ciac/bulletins/s-314.shtml 12 Jun 2008 14:00 GMT 27 Jun 2008 14:00 GMT Revised Bulletin A remote code execution vulnerability exists in Microsoft XML Core Services that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-onuser. The risk is MEDIUM. If the user is logged on with administrative user rights, an attacker could take complete control of the affected system. http://www.ciac.org/ciac/bulletins/r-316.shtml 14 Aug 2007 18:00 GMT 27 Jun 2008 18:00 GMT Revised Bulletin A buffer overfun vulnerability exists in the Microsoft Jet Database Engine (JET) that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-290.shtml 13 May 2008 19:00 GMT 5 Jun 2008 19:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way Microsoft Publisher validates object header data. An attacker could exploit the vulnerability by sending a specially crafted Publisher file which could be an e-mail attachment, or hosted on a specially crafted or compromised Web site. The risk is MEDIUM. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-289.shtml 13 May 2008 20:00 GMT 5 Jun 2008 19:00 GMT Revised Bulletin Several flaws werer reported in the way libvorbis processed audio data. The risk is MEDIUM. An attacker could create a carefully crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. http://www.ciac.org/ciac/bulletins/s-294.shtml 15 May 2008 20:00 GMT 5 Jun 2008 20:00 GMT Revised Bulletin A remote code execution exists in Outlook. The risk is MEDIUM. The vulnerability could allow remote code execution if Outlook is passed a specially crafted malito URI. http://www.ciac.org/ciac/bulletins/s-226.shtml 14 Mar 2008 17:00 GMT 5 Jun 2008 17:00 GMT Revised Bulletin Remote code vulnerabilities exist in the way Excel: 1) processes data validation records when loading Excel files into memory; 2) handles data when importing files into Excel; 3) Style record data when opening Excel files; 4) handles malformed formulas; 5) handles rich text values when loading application data into memory; 6) handles conditional formatting values; and 7) handles macros when opening specially crafted Excel files. The risk is MEDIUM. An attacker could exploit the vulnerabilities by sending malformed files which could be hosted on a specially crafted or compromised Web site, or included as an e-mail attachment. http://www.ciac.org/ciac/bulletins/s-227.shtml 14 Mar 2008 17:00 GMT 5 Jun 2008 17:00 GMT Revised Bulletin The libxslt library did not properly process long "transformation match" conditions in the XSL stylesheet files. The risk is MEDIUM. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute and arbitrary code with the privileges of the application using libxslt library to perform XSL transformations. http://www.ciac.org/ciac/bulletins/s-297.shtml 22 May 2008 13:00 GMT 29 May 2008 13:00 GMT Revised Bulletin The Speex library was found to not properly validate input values read from the Speex files headers, which could allow arbitrary code execution. The risk is MEDIUM. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. http://www.ciac.org/ciac/bulletins/s-272.shtml 25 Apr 2008 12:00 GMT 29 May 2008 12:00 GMT Revised Bulletin Several local/remote vulnerabilities have been discovered in the image loading library for the Simple DirectMedia Layer 1.2. The risk is MEDIUM. Could result in denial of service and potentially the execution of arbitary code. http://www.ciac.org/ciac/bulletins/s-163.shtml 11 Feb 2008 18:00 GMT 20 May 2008 18:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way that Microsoft Word handle specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed CSS value. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an attected system. http://www.ciac.org/ciac/bulletins/s-288.shtml 13 May 2008 19:00 GMT 20 May 2008 19:00 GMT Revised Bulletin Remote code execution vulnerabilities exist in the way Microsoft Office Web Components manages memory resources. The risk is MEDIUM. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allos remote code execution. http://www.ciac.org/ciac/bulletins/s-224.shtml 14 Mar 2008 17:00 GMT 15 May 2008 17:00 GMT Revised Bulletin There is a flaw in the way kpdf displayed malformed fonts embedded in PDF files which could potentially execute arbitrary code. The risk is MEDIUM. An attacker could create a malicious PDF file that would cause kpdf to crash, or potentially, execute arbitrary code when opened. http://www.ciac.org/ciac/bulletins/s-269.shtml 25 Apr 2008 11:00 GMT 8 May 2008 11:00 GMT Revised Bulletin A remote code execution vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user. The risk is HIGH. A remote code execution vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user. http://www.ciac.org/ciac/bulletins/r-295.shtml 10 Jul 2007 20:00 GMT 8 May 2008 20:00 GMT Revised Bulletin There are several security issues in PCRE library which potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions. The risk is LOW. Could potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions. http://www.ciac.org/ciac/bulletins/s-037.shtml 7 Nov 2007 15:00 GMT 8 May 2008 15:00 GMT Revised Bulletin Several vulnerabilities have been discovered in GNU Tar. The risk is MEDIUM. May lead to arbitrary code execution when processing maliciously crafted archives. http://www.ciac.org/ciac/bulletins/s-100.shtml 3 Jan 2008 22:00 GMT 7 May 2008 22:00 GMT Revised Bulletin Potential security vulnerabilities have been identified with HP-UX running WBEM Services that could remotely execute arbitrary code or gain extended privileges. The risk is MEDIUM. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. http://www.ciac.org/ciac/bulletins/s-282.shtml 1 May 2008 15:00 GMT 7 May 2008 15:00 GMT Revised Bulletin There are several vulnerabilities in PHP. The risk is MEDIUM. Could possibly execute arbitrary code as the apache user. http://www.ciac.org/ciac/bulletins/r-355.shtml 20 Sep 2007 20:00 GMT 07 May 2008 18:00 GMT Revised Bulletin A flaw was found in the processing of malformed JavaScript content which could lead to the execution of arbitrary code. The risk is MEDIUM. A web page containing such maliciuos content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. http://www.ciac.org/ciac/bulletins/s-270.shtml 25 Apr 2008 11:00 GMT 2 May 2008 11:00 GMT Revised Bulletin There are remote code execution vulnerabilities that exist in the way Microsoft Office handles specially crafted Excel files and processes malformed Office files. The risk is MEDIUM. An attacker could exploit the vulnerability by creating a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-225.shtml 14 Mar 2008 17:00 GMT 1 May 2008 17:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object. The risk is MEDIUM. Code runs in the context of the user. http://www.ciac.org/ciac/bulletins/r-232.shtml 9 May 2007 12:00 GMT 1 May 2008 12:00 GMT Revised Bulletin Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets. The risk is LOW. Successful exploitation of these vulnerabilities may result in the reload of the device or memory leaks, leading to a DoS condition. http://www.ciac.org/ciac/bulletins/s-241.shtml 27 Mar 2008 19:00 GMT 28 Apr 2008 19:00 GMT Revised Bulletin Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. The risk is MEDIUM. Could lead to the potential execution of arbitrary code. http://www.ciac.org/ciac/bulletins/s-092.shtml 21 Dec 2007 21:00 GMT 28 Apr 2008 21:00 GMT Revised Bulletin A remote code execution vulnerability exists in Internet Explorer because of the way that it processes data streams. An attacker could exploit the vulnerability by constructing a specially crafted Web page. The risk is MEDIUM. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. http://www.ciac.org/ciac/bulletins/s-257.shtml 9 Apr 2008 20:00 GMT 24 Apr 2008 20:00 GMT Revised Bulletin Several remote code execution vulnerabilities exists in the way Microsoft Visio validates: 1) object header data in specially crafted file; and 2) memory allocations when loading specially-crafted .DXF files from disk into memory. The risk is MEDIUM. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. http://www.ciac.org/ciac/bulletins/s-252.shtml 9 Apr 2008 19:00 GMT 24 Apr 2008 19:00 GMT Revised Bulletin