
SANS ISC InfoSec Handlers Diary Blog

Microsoft Security Advisory (917077)

Published: 2006-03-23
Last Updated: 2006-03-24 20:29:25 UTC
by Deborah Hale (Version: 2)
Microsoft has just released a Security Advisory for the HTML Objects vulnerability. This is the reason the Internet Storm Center went to yellow this evening.

From the Microsoft advisory:

"Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

Microsoft Suggested Workarounds:

* Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zones.
* Set Internet and Local intranet security zone settings to "high" to prompt before Active Scripting in these zones.

http://www.microsoft.com/technet/security/advisory/917077.mspx

Microsoft says that they are still investigating and will provide more information as it becomes available.  So stay tuned for further updates.
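As an added example (not part of the advisory or of this diary), the script below audits and generates the workaround above: it classifies the per-zone Active Scripting setting as Enable, Prompt or Disable and builds a .reg file that applies "prompt" to the Internet and Local intranet zones. The registry layout it relies on (the per-user Zones key, zone ids 1 and 3, value name 1400 with 0/1/3 meaning enable/prompt/disable) is my own knowledge of how IE stores zone settings, not something stated on the page, so treat it as an assumption and verify it on a test machine first. The sample settings are constructed.

```python
import sys

# Per-user location of IE security zone settings (assumed from IE's known
# registry layout; the advisory itself does not name a key).
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ACTIVE_SCRIPTING = "1400"          # action id for "Active scripting" (assumption)
ENABLE, PROMPT, DISABLE = 0, 1, 3  # DWORD meanings for a zone action (assumption)
LABELS = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
# Zones the advisory tells you to change: 1 = Local intranet, 3 = Internet.
TARGET_ZONES = {1: "Local intranet", 3: "Internet"}


def meets_workaround(setting):
    """The advisory accepts either prompting or disabling Active Scripting."""
    return setting in (PROMPT, DISABLE)


def assess(zone_settings):
    """zone_settings maps zone id -> raw DWORD for action 1400.

    Returns {zone name: (label, compliant)} for the two zones the advisory covers;
    a zone missing from the input is reported as 'Unknown' and non-compliant.
    """
    report = {}
    for zone_id, name in TARGET_ZONES.items():
        if zone_id not in zone_settings:
            report[name] = ("Unknown", False)
            continue
        value = zone_settings[zone_id]
        report[name] = (LABELS.get(value, f"Other({value})"), meets_workaround(value))
    return report


def reg_file(action=PROMPT):
    """Build the body of a .reg file that sets Active Scripting in both target zones."""
    if action not in LABELS:
        raise ValueError("action must be ENABLE, PROMPT or DISABLE")
    lines = ["Windows Registry Editor Version 5.00", ""]
    for zone_id in TARGET_ZONES:
        lines.append(f"[HKEY_CURRENT_USER\\{ZONES_KEY}\\{zone_id}]")
        lines.append(f'"{ACTIVE_SCRIPTING}"=dword:{action:08x}')
        lines.append("")
    return "\n".join(lines)


def read_current():
    """Read the live per-user values on Windows; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    current = {}
    for zone_id in TARGET_ZONES:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{ZONES_KEY}\\{zone_id}") as key:
            current[zone_id] = winreg.QueryValueEx(key, ACTIVE_SCRIPTING)[0]
    return current


if __name__ == "__main__":
    # Constructed sample: both zones still at the default "Enable".
    sample = read_current() or {1: ENABLE, 3: ENABLE}
    for zone, (label, ok) in assess(sample).items():
        print(f"{zone:15s} Active Scripting={label:8s} {'OK' if ok else 'CHANGE'}")
    print(reg_file(PROMPT))
```

The audit half is the useful part for a fleet: collect the 1400 values per zone and flag anything still at 0. One caveat from experience with IE zone policy: when zone settings are enforced through Group Policy, the effective values live under HKEY_LOCAL_MACHINE rather than the per-user key, so a per-user check can report a stale value on managed machines.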


Sendmail vuln

Published: 2006-03-23
Last Updated: 2006-03-24 19:22:24 UTC
by Adrien de Beaupre (Version: 2)
Update:  The best writeup that we've found for this is http://xforce.iss.net/xforce/alerts/id/216.  Also, Sun has released a bulletin here, but they claim that Solaris 8 is unaffected (currently that platform is running sendmail 8.11.7).  From reading the other advisories, I believe that this information may be incorrect and that Solaris 8 may be affected, since the vulnerability applies to all versions prior to 8.13.6.  --Jim Clausing

Update 2: 2006-03-24 19:21 UTC - Sun has updated the advisory and will be providing patches for Solaris 8 as well.  Thank you, Sun.  --JAC


Sendmail has released an advisory for a vulnerability affecting all versions of this popular MTA from sendmail 8 up to, but not including, 8.13.6.  The advisory also covers the commercial products built on sendmail.

http://www.sendmail.com/company/advisory/
The vulnerability has been assigned CVE-2006-0058.

Impact: an attacker could run arbitrary commands.

Mitigation: upgrade to 8.13.6, apply the patch, or set the RunAsUser option in the configuration file.
This one looks bad.

Sendmail.org

Secunia

Update: as more information becomes available this is starting to look worse.
Patch or upgrade NOW!
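Added here as an example for triaging the installed base (it is not from the advisory or from this diary): the script below parses the version out of sendmail's SMTP greeting and flags every 8.x release older than 8.13.6, the threshold the advisory gives. The greetings are constructed samples modelled on the banner format; hostnames and dates are made up. The "8.11.7+Sun" sample mirrors the Solaris 8 case discussed above.

```python
import re

# First fixed release per the sendmail advisory (CVE-2006-0058).
FIXED_VERSION = (8, 13, 6)

# Constructed sample 220 greetings; none are real hosts.
SAMPLE_BANNERS = [
    "220 mail.example.com ESMTP Sendmail 8.13.6/8.13.6; Fri, 24 Mar 2006 10:00:00 -0500",
    "220 sol8.example.com ESMTP Sendmail 8.11.7+Sun/8.11.7; Fri, 24 Mar 2006 10:00:00 -0500",
    "220 old.example.com ESMTP Sendmail 8.12.11/8.12.11; Fri, 24 Mar 2006 10:00:00 -0500",
    "220 mx.example.com ESMTP Postfix",
    "220 v9.example.com ESMTP Sendmail 8.13.6.20060315/8.13.6; Fri, 24 Mar 2006 10:00:00 -0500",
]

# The binary version is the first dotted triple after "Sendmail"; vendor suffixes
# such as "+Sun" and a fourth component (build date) are ignored.
BANNER_RE = re.compile(r"\bSendmail (\d+)\.(\d+)\.(\d+)")
HOST_RE = re.compile(r"^220[ -](\S+)")


def parse_sendmail_version(banner):
    """Return (major, minor, patch) from a 220 greeting, or None if it is not sendmail."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True for any sendmail 8.x release older than 8.13.6.

    Tuple comparison is lexicographic, so (8, 11, 7) < (8, 13, 6) is handled
    correctly where a naive string compare ("8.11.7" > "8.13.6") would not be.
    """
    return version[0] == 8 and version < FIXED_VERSION


def triage_banners(banners):
    """Return [(host, status)] with status in {'not-sendmail', 'affected', 'fixed'}."""
    results = []
    for banner in banners:
        host_match = HOST_RE.match(banner)
        host = host_match.group(1) if host_match else "?"
        version = parse_sendmail_version(banner)
        if version is None:
            status = "not-sendmail"
        elif is_affected(version):
            status = "affected"
        else:
            status = "fixed"
        results.append((host, status))
    return results


if __name__ == "__main__":
    for host, status in triage_banners(SAMPLE_BANNERS):
        print(f"{host:20s} {status}")
```

Two caveats when using the banner this way: a vendor can backport the fix without changing the version string (so an "affected" result means "check with the vendor", not "exploitable"), and administrators sometimes rewrite the greeting, in which case nothing is learned and the host has to be checked locally with something like `sendmail -d0.1 < /dev/null`.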

Cheers,
Adrien


RealPlayer (et al) vulnerabilities & Joomla/Mambo Worm

Published: 2006-03-23
Last Updated: 2006-03-23 13:14:13 UTC
by John Bambenek (Version: 1)
There are three vulnerabilities in RealPlayer and associated products that allow remote code execution, and patches have been released to remediate the problems.  The vulnerabilities are boundary errors triggered by certain SWF or MBC files or by specially crafted web pages, which can lead to buffer overflows.  The latest version of RealPlayer is not affected and users should upgrade immediately.  The advisory can be read here with iDefense's original report being here. The matrix of vulnerable products can be seen here.  While exploiting these bugs would still require some social engineering to get people to look at a malicious file, it is still recommended that users run the latest version, because we all know how popular watching clips on the web is (I like the VW "unpimp my ride" commercials, personally).

A reader wrote in reporting a worm spreading through the latest Mambo/Joomla exploits and establishing an IRC connection.  When I looked, it appeared the botnet was already down, but it is trivial to modify the shellbot code and regenerate the botnet.  Joomla 1.0.8 was released Feb 26th and had 37 (wow) security fixes, so if you aren't running 1.0.8, you have been warned.  It doesn't appear that any new vulnerabilities have been discovered since the release.

--
John Bambenek
bambenek -at- gmail -dot- com