The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 21 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.704 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical ( 17 )
| Adobe.Acrobat.Firefox.Plugin.RCE.Code.Execution Event ID: 17794 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a remote code execution vulnerability in Adobe Acrobat and Reader. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted webpage. It allows a remote attacker to execute arbitrary code. Affected Products: Adobe Reader 8.1.4 Adobe Reader 7.1.0 Reference IDs: |
| Adobe.Acrobat.JS.Collab.Memory.Corruption Event ID: 17774 |
Release Date: Oct 13, 2009 IPS Definitions DB Version: 2.699 |
|
Description: This indicates an attempt to exploit a memory-corruption vulnerability in Adobe Reader and Adobe Acrobat. The vulnerability is caused by an error that occurs when the vulnerable software handles malicious JavaScript. It allows a remote attacker to execute arbitrary code by sending a crafted PDF file. Affected Products: Adobe Reader and Adobe Acrobat 7.1.1 Adobe Reader and Adobe Acrobat 8.1.2 Adobe Reader and Adobe Acrobat 9.1.0 Reference IDs: |
| Adobe.Acrobat.U3D.Line.Set.Heap.Corruption Event ID: 17786 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attack attempt against a heap-corruption vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by an error when the vulnerable software handles a specially crafted PDF file. It allows a remote attacker to execute arbitrary code. Affected Products: Adobe Reader 9.1.3 and earlier versions Adobe Acrobat 9.1.3 and earlier versions Reference IDs: |
| Adobe.JPEG2000.QCC.Memory.Corruption Event ID: 17781 |
Release Date: Oct 13, 2009 IPS Definitions DB Version: 2.699 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted PDF file. Affected Products: Adobe Reader 9.1.3 and earlier versions Adobe Acrobat 9.1.3 and earlier versions Reference IDs: |
| Adobe.Reader.Font.CFF.Index.Memory.Corruption Event ID: 17780 |
Release Date: Oct 13, 2009 IPS Definitions DB Version: 2.699 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted PDF file. Affected Products: Adobe Reader 9.1.3 and earlier versions Adobe Acrobat 9.1.3 and earlier versions Reference IDs: |
| Adobe.Reader.Metadata.XML.Buffer.Overflow Event ID: 17771 |
Release Date: Oct 13, 2009 IPS Definitions DB Version: 2.699 |
|
Description: This indicates an attack attempt against a buffer overflow vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by an error when the vulnerable software handles a specially crafted PDF file. Affected Products: Adobe Reader 9.1.2 and earlier versions Adobe Acrobat 9.1.2 and earlier versions Reference IDs: |
| Adobe.ShockWave.Player.Activex.Buffer.Overflow Event ID: 17743 |
Release Date: Oct 13, 2009 IPS Definitions DB Version: 2.699 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Adobe ShockWave Player. The vulnerability is caused by an error when the vulnerable ActiveX control handles a malformed value for the "PlayerVersion" property. It allows a remote attacker to execute arbitrary code via sending a crafted web page. Affected Products: Adobe ShockWave Player 11.5.1.601 Reference IDs: |
| MS.GDIPlus.Multiple.Run.Length.Zero.Code.Execution Event ID: 17818 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates a possible attempt to exploit a buffer overwrite vulnerability in gdiplus.dll of Microsoft Windows operating system. Affected Products: gdiplus.dll version 5.1.3102.5512 Reference IDs: |
| MS.GDIPlus.TIFF.Code.Execution Event ID: 17816 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates a possible attempt to exploit a TIFF file format parsing vulnerability in gdiplus.dll. Successful attacks could lead to arbitrary code execution. Affected Products: gdiplus.dll version 5.1.3102.2180 Other versions may also be affected Reference IDs: |
| MS.IE.Deflate.Content.Code.Execution Event ID: 17801 |
Release Date: Oct 16, 2009 IPS Definitions DB Version: 2.702 |
|
Description: This indicates an attempt to exploit a remote code execution vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error that occurs when the vulnerable software handles data stream headers in specific situations. It allows a remote attacker to execute arbitrary code. Affected Products: Microsoft Internet Explorer 7 and previous versions. Reference IDs: |
| MS.IE.Table.Layout.Code.Execution Event ID: 17805 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a remote code execution vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error that occurs when the vulnerable software handles an object that has not been correctly initialized or has been deleted. It allows a remote attacker to execute arbitrary code. Affected Products: Microsoft Internet Explorer 8 and previous versions. Reference IDs: |
| MS.Office.Art.Drawing.Remote.Code.Execution Event ID: 17812 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a remote code execution vulnerability in MSO.DLL, which affects Microsoft Office. The vulnerability is caused by an error that occurs when the vulnerable software handles malicious Office Art drawing containers in an Excel/Word file. It allows a remote attacker to execute arbitrary code by sending a crafted Excel/Word file. Affected Products: Microsoft Office 2000 Microsoft Office XP Reference IDs: |
| MS.Windows.GDI+.PNG.Heap.Overflow Event ID: 17819 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a code execution vulnerability in Microsoft Windows. The vulnerability is caused by an error that occurs when Windows GDI+ handles a malformed PNG image file. A remote attacker could exploit this vulnerability to execute arbitrary code by sending a specially crafted PNG file. Affected Products: Microsoft Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Microsoft Office XP Service Pack 3 Microsoft Office 2003 Service Pack 3 2007 Microsoft Office System Service Pack 1 2007 Microsoft Office System Service Pack 2 Microsoft Office Project 2002 Service Pack 1 Microsoft Visio 2002 Service Pack 2 Microsoft Office Word Viewer, Microsoft Word Viewer 2003, Microsoft Word Viewer 2003 Service Pack 3, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3 Microsoft Office Excel Viewer, Microsoft Office PowerPoint Viewer 2007, Microsoft Office PowerPoint Viewer 2007 Service Pack 1 Microsoft Office PowerPoint Viewer 2007 Service Pack 2 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 Microsoft Expression Web and Microsoft Expression Web 2 Microsoft Office Groove 2007 and Microsoft Office Groove 2007 Service Pack 1 Microsoft Works 8.5 SQL Server 2000 Reporting Services Service Pack 2 SQL Server 2005 Service Pack 2 SQL Server 2005 x64 Edition Service Pack 2 SQL Server 2005 for Itanium-based Systems Service Pack 2 SQL Server 2005 Service Pack 3 SQL Server 2005 x64 Edition Service Pack 3 SQL Server 2005 for Itanium-based Systems Service Pack 3 Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package Microsoft Report Viewer 2008 Redistributable Package Microsoft Report Viewer 2008 Redistributable Package Service Pack 1 Microsoft Forefront Client 
Security 1.0 when installed on Microsoft Windows 2000 Service Pack 4 Reference IDs: |
| MS.Windows.GDI+.WMF.Integer.Overflow Event ID: 17811 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a code execution vulnerability in Microsoft Windows. The vulnerability is caused by an error that occurs when Windows GDI+ handles a malformed WMF image file. A remote attacker could exploit this vulnerability to execute arbitrary code by sending a specially crafted WMF file. Affected Products: Microsoft Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Microsoft Office XP Service Pack 3 Microsoft Office 2003 Service Pack 3 2007 Microsoft Office System Service Pack 1 2007 Microsoft Office System Service Pack 2 Microsoft Office Project 2002 Service Pack 1 Microsoft Visio 2002 Service Pack 2 Microsoft Office Word Viewer, Microsoft Word Viewer 2003, Microsoft Word Viewer 2003 Service Pack 3, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3 Microsoft Office Excel Viewer, Microsoft Office PowerPoint Viewer 2007, Microsoft Office PowerPoint Viewer 2007 Service Pack 1 Microsoft Office PowerPoint Viewer 2007 Service Pack 2 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 Microsoft Expression Web and Microsoft Expression Web 2 Microsoft Office Groove 2007 and Microsoft Office Groove 2007 Service Pack 1 Microsoft Works 8.5 SQL Server 2000 Reporting Services Service Pack 2 SQL Server 2005 Service Pack 2 SQL Server 2005 x64 Edition Service Pack 2 SQL Server 2005 for Itanium-based Systems Service Pack 2 SQL Server 2005 Service Pack 3 SQL Server 2005 x64 Edition Service Pack 3 SQL Server 2005 for Itanium-based Systems Service Pack 3 Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package Microsoft Report Viewer 2008 Redistributable Package Microsoft Report Viewer 2008 Redistributable Package Service Pack 1 Microsoft Forefront Client
Security 1.0 when installed on Microsoft Windows 2000 Service Pack 4 Reference IDs: |
| MS.Windows.Media.Player.Code.Execution Event ID: 17806 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates a possible attempt to exploit an ASF file format parsing vulnerability in Windows Media Player which could lead to arbitrary code execution. Affected Products: Windows Media Player 6.4 and older versions. Reference IDs: |
| MS.Windows.Media.Runtime.Voice.Sample.Rate.Code.Execution Event ID: 17803 |
Release Date: Oct 16, 2009 IPS Definitions DB Version: 2.702 |
|
Description: This indicates an attempt to exploit a code execution vulnerability in Windows Media Player. The vulnerability is caused by an error that occurs when the vulnerable software handles a malformed ASF file. A remote attacker could exploit this vulnerability to execute arbitrary code by sending a specially crafted audio file. Affected Products: DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager on Microsoft Windows 2000 Service Pack 4 DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager on Windows XP Service Pack 2 and Windows XP Service Pack 3 DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager on Windows XP Professional x64 Edition Service Pack 2 DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager on Windows Server 2003 Service Pack 2 DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager on Windows Server 2003 x64 Edition Service Pack 2 Windows Media Audio Voice Decoder on Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Media Audio Voice Decoder on Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 Windows Media Audio Voice Decoder on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Media Audio Voice Decoder on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Reference IDs: |
| Waledac.Botnet Event ID: 17741 |
Release Date: Oct 22, 2009 IPS Definitions DB Version: 2.704 |
|
Description: This indicates that the system might be infected by the Waledac trojan. Affected Products: Any unprotected Windows system is vulnerable to the attack. Reference IDs: |
High ( 17 )
| Adobe.Acrobat.COM.Objects.Memory.Corruption Event ID: 17828 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attempt to exploit a memory corruption vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by an error that occurs when the vulnerable software handles specially crafted COM objects. It allows a remote attacker to execute arbitrary code. Affected Products: Adobe Reader version 9.1.3 and previous versions Adobe Reader version 8.1.6 and previous versions Adobe Reader version 7.1.3 and previous versions Adobe Acrobat version 9.1.3 and previous versions Adobe Acrobat version 8.1.6 and previous versions Adobe Acrobat version 7.1.3 and previous versions Reference IDs: |
| Adobe.Reader.U3D.Mesh.Declaration.Memory.Corruption Event ID: 17791 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a memory corruption vulnerability in Adobe Reader. The vulnerability is caused by an error that occurs when the vulnerable software parses a malformed CLOD Mesh Declaration block in a U3D file embedded in a PDF file. It allows a remote attacker to execute arbitrary code by sending a crafted PDF file. Affected Products: Adobe Reader 9.1.3 and older versions Reference IDs: |
| Adobe.Reader.U3D.Progressive.Mesh.Block.Code.Execution Event ID: 17795 |
Release Date: Oct 22, 2009 IPS Definitions DB Version: 2.704 |
|
Description: This indicates an attempt to exploit a memory corruption vulnerability in Adobe Reader. The vulnerability is caused by an error that occurs when the vulnerable software parses a malformed CLOD Progressive Mesh Continuation Block in a U3D file embedded in a PDF file. It allows a remote attacker to execute arbitrary code by sending a crafted PDF file. Affected Products: Adobe Reader 9.1.3 and older versions. Reference IDs: |
| Adobe.Reader.Xobject.Image.Integer.Overflow Event ID: 17772 |
Release Date: Oct 22, 2009 IPS Definitions DB Version: 2.704 |
|
Description: This indicates an attack attempt against an integer overflow vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted PDF file. Affected Products: Adobe Reader 9.1.3 and earlier versions Adobe Acrobat 9.1.3 and earlier versions Reference IDs: |
| Alice.Messenger.ActiveX.Control.Registry.Key.Manipulation Event ID: 17764 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attack attempt against a registry key manipulation vulnerability in Telecom Italy Alice Messenger. The vulnerability is caused by an error when the HPRevolutionRegistryManager ActiveX control in Hp.Revolution.RegistryManager.dll handles a malicious webpage. It allows a remote attacker to create registry keys and values. Affected Products: Telecom Italy Alice Messenger 1 Reference IDs: |
| Bitmap.Header.BiClrUsed.Integer.Overflow Event ID: 17813 |
Release Date: Oct 16, 2009 IPS Definitions DB Version: 2.702 |
|
Description: This indicates an attempt to exploit an integer overflow vulnerability in Microsoft Office. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted .BMP file. It allows a remote attacker to execute arbitrary code. Affected Products: Microsoft Office XP Service Pack 3 Reference IDs: |
| Cisco.Secure.ACS.Management.Interface.Login.Buffer.Overflow Event ID: 17784 |
Release Date: Oct 22, 2009 IPS Definitions DB Version: 2.704 |
|
Description: This indicates an attack attempt against a buffer overflow vulnerability in Cisco Secure ACS. The vulnerability is caused by an error that occurs when the vulnerable software handles malicious login attempts. It allows a remote attacker to execute arbitrary code via sending crafted web requests. Affected Products: Cisco Secure ACS version 3.1.1 and earlier versions Reference IDs: |
| FG-VD-09-019-Adobe Event ID: 17789 |
Release Date: Oct 20, 2009 IPS Definitions DB Version: 2.703 |
|
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively - both prior to, and after an official fix is available from the vendor. Once this official fix is available, further details about our discovery will be made available in an advisory on our FortiGuard Center (http://www.fortiguard.com). This signature and description will also be updated at this point in time. Affected Products: This is a Zero-Day (unpatched) vulnerability that has been discovered by the FortiGuard Global Security Research Team. |
| MS.IE.Event.Object.Code.Execution Event ID: 17804 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a remote code execution vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted webpage. It allows a remote attacker to execute arbitrary code. Affected Products: Microsoft Internet Explorer 8 and previous versions. Reference IDs: |
| MS.Indexing.Service.Memory.Corruption Event ID: 17817 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a memory corruption vulnerability in Microsoft Indexing Service. The vulnerability is caused by an error that occurs when the vulnerable software handles malicious web content. It allows a remote attacker to execute arbitrary code by sending a crafted web page. Affected Products: Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Reference IDs: |
| MS.Office.PowerPoint.Atom.Invalid.Text.Type.Code.Execution Event ID: 17841 |
Release Date: Oct 16, 2009 IPS Definitions DB Version: 2.702 |
|
Description: This indicates an attempt to exploit a code execution vulnerability in Microsoft Office PowerPoint. The vulnerability is caused by an error that occurs when the vulnerable software handles a PowerPoint document with a malformed record. A remote attacker could exploit this vulnerability to execute arbitrary code by sending a specially crafted PowerPoint file. Affected Products: Microsoft PowerPoint v. X for Mac 0 Microsoft PowerPoint 2004 for Mac 0 Microsoft PowerPoint 2003 SP3 Microsoft PowerPoint 2003 SP2 Microsoft PowerPoint 2003 SP1 Microsoft PowerPoint 2003 0 Microsoft PowerPoint 2002 SP3 Microsoft PowerPoint 2002 SP2 Microsoft PowerPoint 2002 SP1 Microsoft PowerPoint 2002 Microsoft PowerPoint 2000 SP3 Microsoft PowerPoint 2000 SR1 Microsoft PowerPoint 2000 SP2 Microsoft PowerPoint 2000 Reference IDs: |
| MS.SMBv2.Infinite.Loop.DoS Event ID: 17799 |
Release Date: Oct 16, 2009 IPS Definitions DB Version: 2.702 |
|
Description: This indicates an attempt to exploit a denial of service vulnerability in Microsoft Server Message Block (SMB). The vulnerability is caused by an error that occurs when Microsoft Server Message Block (SMB) Protocol 2.0 software handles a malformed ioctl request. A remote attacker could exploit this vulnerability to crash the vulnerable system. Affected Products: Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Reference IDs: |
| MS.Windows.X509.OID.Spool Event ID: 17814 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a certificate spoof vulnerability in Microsoft Windows. The vulnerability is caused by an error that occurs when the vulnerable software handles a spoofing certificate. It allows a remote attacker to spoof a certificate without indicator. Affected Products: Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2* Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems* Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| MS.Windows.X509.OID.Spool Event ID: 17814 |
Release Date: Oct 16, 2009 IPS Definitions DB Version: 2.702 |
|
Description: This indicates an attempt to exploit a certificate spoof vulnerability in Microsoft Windows. The vulnerability is caused by an error that occurs when the vulnerable software handles a spoofing certificate. It allows a remote attacker to spoof a certificate without indicator. Affected Products: Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2* Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems* Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| RKD.Software.BarCode.ActiveX.Control.BarCodeAx.DLL.Access Event ID: 17767 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attack attempt against a buffer overflow vulnerability in RKD Software (barcodetools.com) BarCodeAx.dll. The vulnerability is caused by an error when the vulnerable software handles a specially crafted webpage. It allows a remote attacker to execute arbitrary code. Affected Products: RKD Software BarCode ActiveX Control 4.9 and previous versions Reference IDs: |
| TinyWebGallery.Lang.File.Inclusion Event ID: 17719 |
Release Date: Oct 22, 2009 IPS Definitions DB Version: 2.704 |
|
Description: This indicates an attack attempt against a Local File Include vulnerability in TinyWebGallery. The vulnerability exists because the affected software fails to properly sanitize user-supplied input. This could allow remote attackers to execute arbitrary code via sending a crafted web page. Affected Products: TinyWebGallery 1.7.6 is vulnerable; other versions may also be affected. Reference IDs: |
| XLAtunes.Album.Parameter.SQL.Injection Event ID: 17769 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attack attempt to exploit a SQL injection vulnerability in XLAtunes. The vulnerability is a result of the application's failure to properly sanitize user input before using it in a SQL query. As a result, a remote attacker can send a crafted query to execute SQL commands on a vulnerable server. Affected Products: XLAtunes 0.1 and earlier Reference IDs: |
Medium ( 12 )
| Adobe.Acrobat.ActiveX.Control.DoS Event ID: 17787 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates a possible attempt to exploit a memory-corruption vulnerability in Adobe Reader and Adobe Acrobat. The vulnerability is caused by an error that occurs when the vulnerable software handles malicious JavaScript. It allows a remote attacker to execute arbitrary code by sending a crafted PDF file. Affected Products: Adobe Reader and Adobe Acrobat 7.1.1 Adobe Reader and Adobe Acrobat 8.1.2 Adobe Reader and Adobe Acrobat 9.1.0 Reference IDs: |
| Adobe.Acrobat.JS.Collab.DoS Event ID: 17788 |
Release Date: Oct 14, 2009 IPS Definitions DB Version: 2.700 |
|
Description: This indicates an attempt to exploit a memory-corruption vulnerability in Adobe Reader and Adobe Acrobat. The vulnerability is caused by an error that occurs when the vulnerable software handles malicious JavaScript. It allows a remote attacker to execute arbitrary code by sending a crafted PDF file. Affected Products: Adobe Reader and Adobe Acrobat 7.1.1 Adobe Reader and Adobe Acrobat 8.1.2 Adobe Reader and Adobe Acrobat 9.1.0 Reference IDs: |
| Adobe.Acrobat.Stack.Exhaustion.DoS Event ID: 17832 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attempt to exploit a denial of service vulnerability in Adobe Acrobat. The vulnerability is caused by an error that occurs when the vulnerable software handles a malicious PDF file. It allows a remote attacker to cause DoS via sending a crafted PDF file. Affected Products: Adobe Acrobat 9.1.1 Reference IDs: |
| AndoNET.Blog.Comentarios.PHP.SQL.Injection Event ID: 17766 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attack attempt against an SQL injection vulnerability in AndoNET Blog. The vulnerability is caused by an error when the vulnerable software handles a specially crafted URL. It allows a remote attacker to execute arbitrary SQL commands. Affected Products: AndoNET Blog 2004.09.02 Reference IDs: |
| Bwired.NewsID.Parameter.Processing.SQL.Injection Event ID: 17746 |
Release Date: Oct 13, 2009 IPS Definitions DB Version: 2.699 |
|
Description: This indicates an attack attempt against an SQL injection vulnerability in Bwired. The vulnerability is caused by an error when the vulnerable software handles a specially crafted URL. It allows a remote attacker to execute arbitrary SQL commands. Affected Products: Bwired Reference IDs: |
| CMScout.Forums.PHP.SQL.Injection Event ID: 17747 |
Release Date: Oct 13, 2009 IPS Definitions DB Version: 2.699 |
|
Description: This indicates an attack attempt against an SQL injection vulnerability in CMScout. The vulnerability is caused by an error when the vulnerable software handles a specially crafted URL. It allows a remote attacker to execute arbitrary SQL commands. Affected Products: CMScout CMScout 1.23 Reference IDs: |
| Coppermine.Photo.Gallery.XSS Event ID: 17748 |
Release Date: Oct 13, 2009 IPS Definitions DB Version: 2.699 |
|
Description: This indicates an attack attempt against a cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery (CPG). The vulnerability is caused by an error when the vulnerable software handles a specially crafted URL. It allows a remote attacker to inject arbitrary web script or HTML. Affected Products: Coppermine Photo Gallery 1.4.12 Coppermine Photo Gallery 1.4.11 Coppermine Photo Gallery 1.4.10 Coppermine Photo Gallery 1.4.9 Coppermine Photo Gallery 1.4.4 Coppermine Photo Gallery 1.4.2 Coppermine Photo Gallery 1.4 Reference IDs: |
| Cross.Site.Scripting Event ID: 17702 |
Release Date: Oct 22, 2009 IPS Definitions DB Version: 2.704 |
|
Description: This indicates a potential cross-site scripting attack. Cross-site scripting (XSS) is a popular web security issue. If a web application doesn't properly validate input from one user and uses it in the output for other users, attackers can exploit it to send malicious code to other users. Affected Products: All web application environments are susceptible to cross-site scripting. Reference IDs: |
| Cybozu.Garoon.Workflow.SQL.Injection Event ID: 17761 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attack attempt against an SQL injection vulnerability in Cybozu Garoon. The vulnerability is caused by an error when the vulnerable software handles a specially crafted URL. It allows a remote attacker to execute arbitrary SQL commands. Affected Products: Cybozu Garoon 2.1.0 and previous versions Reference IDs: |
| Data.Dynamics.ActiveBar.Actbar3.OCX.Insecure.Method.Access Event ID: 17762 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attack attempt against a Security Bypass vulnerability in the Data Dynamics ActiveBar ActiveX control (actbar3.ocx). The vulnerability is caused by an error when the vulnerable ActiveX control handles a specially crafted full path name. It allows a remote attacker to create or overwrite files. Affected Products: Data Dynamics ActiveBar ActiveX Control 3.2 Data Dynamics ActiveBar ActiveX Control 3.1 Reference IDs: |
| Drupal.Forum.XSS Event ID: 17760 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates an attack attempt against an XSS vulnerability in Drupal Forum. The vulnerability is caused by an error when the vulnerable software handles a malicious request. It allows a remote attacker to cause XSS by sending a crafted web page. Affected Products: Drupal 6.x before 6.13 Reference IDs: |
| MS.Windows.LSASS.NTLM.Authentication.DoS Event ID: 17800 |
Release Date: Oct 22, 2009 IPS Definitions DB Version: 2.704 |
|
Description: This indicates an attempt to exploit a Denial of Service vulnerability in Windows LSASS component. This vulnerability is caused by an error that occurs when the Windows NTLM implementation in LSASS handles specific malformed packets during the authentication process. A specific malformed packet may lead to an integer underflow in the LSASS process. Affected Products: Windows XP Service Pack 2 and Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 Reference IDs: |
Low ( 2 )
| Adobe.Trust.Manager.Restrictions.Bypass Event ID: 17826 |
Release Date: Oct 15, 2009 IPS Definitions DB Version: 2.701 |
|
Description: This indicates a possible attack against a security bypass vulnerability in Adobe Reader and Acrobat, which could be exploited by running certain scripts inside a PDF file. Affected Products: Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh Reference IDs: |
| HTTP.Request.Referer.Overly.Long Event ID: 17556 |
Release Date: Oct 22, 2009 IPS Definitions DB Version: 2.704 |
|
Description: This indicates a possible exploit of a Denial of Service (DoS) vulnerability in the 3Com SuperStack 4400 Switches. A remote authenticated attacker could send a specially crafted packet that causes the device to reset. Affected Products: 3Com SuperStack 3 4400 switches Reference IDs: |
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 12 )
| Event Name | Revision Notes |
|---|---|
| Adobe.Acrobat.Firefox.Plugin.Remote.Code.Execution | Previous name: "Adobe.Acrobat.Firefox.Plugin.RCE.C... |
| Adobe.Acrobat.JS.Collab.AddStateModel.Memory.Corruption | Previous name: "Adobe.Acrobat.JS.Collab.Memory.Cor... |
| Adobe.Reader.Decode.Color.Remote.Code.Execution | Previous name: "Adobe.0day.17776" |
| MS.DirectX.MsVidCtl.ActiveX.Control.Access | Detection Enhanced |
| MS.Excel.Obj.Record.Code.Execution | Default_action updated to 'pass'; Detection Enhanced |
| MS.IE.DHTML.Object.Method.Memory.Corruption | Default_action updated to 'drop' |
| MS.Office.Drawing.Shapes.Memory.Corruption | Default_action updated to 'drop' |
| MS.Office.Excel.BRAI.Record.Code.Execution | Default_action updated to 'drop' |
| MS.Windows.Media.Player.Code.Execution | Detection Enhanced |
| MS.Windows.Media.Runtime.Voice.Sample.Rate.Code.Execution | Detection Enhanced |
| MS.Word.PRCDATA.Code.Execution | Default_action updated to 'drop' |
| MS.Wordpad.Office.Text.Converter.Memory.Corruption | Detection Enhanced |
High ( 10 )
| Event Name | Revision Notes |
|---|---|
| Adobe.Acrobat.Javascript.Heap.Allocation.Memory.Corruption | Previous name: "FG-VD-09-015-Adobe" |
| Adobe.Acrobat.Plugin.XSS | Previous name: "Hacking.Browser.Plugins" |
| Cue.File.Stack.Overflow | Previous name: "Magic.ISO.Maker.Cue.File.Stack.Buf... |
| HP.Openview.NodeManager.DoS | Previous name: "HPOpenview.NodeManager.DoS" |
| HTTP.URI.SQL.Injection | Detection Enhanced |
| InterNetNews.ARTpost.Control.Message.Buffer.Overflow | Default_action updated to 'drop' |
| MS.IE7.CSS.Style.Switching.Memory.Corruption | Default_action updated to 'pass'; Detection Enhanced |
| MS.RPC.NetDDE.Buffer.Overflow | Default_action updated to 'pass'; Detection Enhanced |
| MS.Search.Protocol.Handler.Windows.Explorer.Code.Execution | Default_action updated to 'pass'; Detection Enhanced |
| MS.Works.File.Converter.Stack.Overflow | Default_action updated to 'drop' |
Medium ( 2 )
| Event Name | Revision Notes |
|---|---|
| MS.SQL.Server.Injection.Attempt | Previous name: "Microsoft.SQL.Server.Injection.Att... |
| Rlogind.Service.Froot.Authentication.Bypass | Detection Enhanced |
Low ( 1 )
| Event Name | Revision Notes |
|---|---|
| Apache.IPv6.Buffer.Overflow | Default_action updated to 'pass'; Detection Enhanced |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. Vulnerabilities can be classified as active and given a magnitude level. The magnitude level is the rate of activity across the probes. The value of the magnitude is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical ( 4 of 20 )
High ( 7 of 20 )
Medium ( 4 of 13 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Adobe.Acrobat.ActiveX.Control.DoS | No | n/a |
| Adobe.Acrobat.JS.Collab.DoS | No | n/a |
| Adobe.Acrobat.Stack.Exhaustion.DoS | No | n/a |
| AndoNET.Blog.Comentarios.PHP.SQL.Injection | No | n/a |
| Bwired.NewsID.Parameter.Processing.SQL.Injection | No | n/a |
| CMScout.Forums.PHP.SQL.Injection | No | n/a |
| Coppermine.Photo.Gallery.XSS | Yes | Low |
| Cross.Site.Scripting | Yes | High |
| Cybozu.Garoon.Workflow.SQL.Injection | No | n/a |
| Data.Dynamics.ActiveBar.Actbar3.OCX.Insecure.Method.Access | No | n/a |
| Drupal.Forum.XSS | No | n/a |
| MS.Windows.LSASS.NTLM.Authentication.DoS | Yes | High |
| Rlogind.Service.Froot.Authentication.Bypass | Yes | Low |
Low ( 2 of 3 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Adobe.Trust.Manager.Restrictions.Bypass | No | n/a |
| Apache.IPv6.Buffer.Overflow | Yes | High |
| HTTP.Request.Referer.Overly.Long | Yes | High |
| Revision Date | Version Number | |
|---|---|---|
| Monday, October 26, 2009 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.