The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 16 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.728 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical ( 23 )
| Adobe.Flash.Class.Switch.Memory.Corruption Event ID: 18009 |
Release Date: Dec 08, 2009 IPS Definitions DB Version: 2.723 |
|
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively - both prior to, and after an official fix is available from the vendor. Once this official fix is available, further details about our discovery will be made available in an advisory on our FortiGuard Center (http://www.fortiguard.com). This signature and description will also be updated at this point in time. Affected Products: This is a Zero-Day (unpatched) vulnerability that has been discovered by the FortiGuard Global Security Research Team. Reference IDs: |
| Adobe.Flash.Player.JPEG.Parsing.Heap.Overflow Event ID: 18003 |
Release Date: Dec 08, 2009 IPS Definitions DB Version: 2.723 |
|
Description: This indicates an attack attempt to exploit a remote code execution vulnerability in Adobe Flash Player. The vulnerability is caused by an error when parsing a JPEG file embedded in an SWF file. It can be exploited via a crafted SWF file, leading to remote code execution. Affected Products: Adobe Flash Player version 10.0.32.18 and prior Reference IDs: |
| Adobe.Flash.Player.System.Product.Code.Execution Event ID: 17969 |
Release Date: Dec 08, 2009 IPS Definitions DB Version: 2.723 |
|
Description: This indicates an attack attempt to exploit a remote command execution vulnerability in Adobe Flash Player for Linux. The vulnerability is caused by an error when the shared library libflashplayer.so handles a specially crafted Flash file (SWF). It allows a remote attacker to execute arbitrary code. Affected Products: Adobe Flash Player for Linux 10.0.12.36 and previous versions Adobe Flash Player for Linux 9.0.151.0 and previous versions Reference IDs: |
| Adobe.Reader.Javascript.newplayer.Method.Code.Execution Event ID: 18047 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a zero-day vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by an error when the vulnerable software handles a specially crafted PDF file that could allow remote attackers to execute arbitrary code. Affected Products: Adobe Reader and Acrobat 9.2 Reference IDs: |
| Adobe.U3D.CLOD.Mesh.Declaration.Array.Buffer.Overflow Event ID: 17987 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates a possible attack against a buffer-overflow vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by improper checking of user-supplied input. A remote attacker may exploit this to execute arbitrary code via a specially crafted .pdf file. Affected Products: Adobe Reader 9.1.2 Adobe Reader 8.1.6 Adobe Reader 7.1.3 Adobe Acrobat 7.x before 7.1.4 Adobe Acrobat 8.x before 8.1.7, Adobe Acrobat 9.x before 9.2 Reference IDs: |
| EMC.Captiva.PixTools.Distributed.Imaging.File.Creation Event ID: 17985 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against a vulnerability in EMC Captiva PixTools Distributed Imaging ActiveX Control. The vulnerability is caused by an error when the vulnerable software handles a specially crafted web page. It allows a remote attacker to create or overwrite arbitrary files on a target host and potentially execute malicious code. Affected Products: EMC PDIControl.dll 2.2.3160 0 Reference IDs: |
| Google.Chrome.File.Type.Security.Bypass Event ID: 17996 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against a security bypass vulnerability in Google Chrome. The vulnerability is caused by a design weakness within Chrome's automatic download navigation component. It allows a remote attacker to force the download of certain dangerous files. Affected Products: Google Chrome 3.0.195.24 Google Chrome 3.0.195.121 Google Chrome 3.0 Beta Reference IDs: |
| HP.Operations.Manager.Server.Backdoor.Account.Code.Execution Event ID: 17978 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a code-execution vulnerability in HP Operations Manager. The vulnerability is caused by a hidden account in the vulnerable software that lets malicious users upload packages to the server. Affected Products: HP Operations Manager 8.1 Reference IDs: |
| Hummingbird.STR.Service.Stack.Overflow Event ID: 17892 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a stack-based buffer-overflow vulnerability in EMC Documentum eRoom, OpenText Hummingbird, and OpenText Search Server. The vulnerability is caused by an error when the vulnerable software handles a malicious packet. It allows a remote attacker to execute arbitrary code. Affected Products: EMC Documentum eRoom older than 7.4.2 Reference IDs: |
| IBM.Informix.Client.SDK.NFX.File.Buffer.Overflow Event ID: 17997 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in IBM Informix Client SDK. The vulnerability is caused by an error when the vulnerable software handles a specially crafted ".nfx" file which contains an overly long "HostList" entry. It allows a remote attacker to execute arbitrary code. Affected Products: IBM Informix CSDK 3.50 IBM Informix Connect 3.0 Reference IDs: |
| IBM.Installation.Manager.URI.Argument.Injection Event ID: 17938 |
Release Date: Dec 10, 2009 IPS Definitions DB Version: 2.725 |
|
Description: This indicates an attack attempt against an argument-injection vulnerability in IBM Installation Manager. The vulnerability is caused by an error when the vulnerable software handles a malicious "iim:" URI handler. It allows a remote attacker to load an arbitrary DLL from a UNC share by sending a crafted web page. Affected Products: IBM Installation Manager 1.3.2 and earlier Reference IDs: |
| Mozilla.Firefox.First.Letter.Frame.Memory.Corruption Event ID: 17884 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Mozilla Firefox web browser. The vulnerability is caused by an error when the vulnerable software handles a specially crafted first letter frame. It allows a remote attacker to execute arbitrary code or cause a denial of service. Affected Products: Mozilla Firefox 3.5.3 and previous versions Reference IDs: |
| Mozilla.Firefox.Floating.Point.Number.Memory.Corruption Event ID: 17886 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Mozilla Firefox Browser. The vulnerability is caused by a boundary error when the vulnerable software handles a very long floating point number. It allows a remote attacker to execute arbitrary code. Affected Products: Mozilla Firefox 3.5.3 and previous versions Reference IDs: |
| MS.ADFS.Malformed.HTTP.Header.Code.Execution Event ID: 18016 |
Release Date: Dec 09, 2009 IPS Definitions DB Version: 2.724 |
|
Description: This indicates an attack attempt to exploit a remote code execution vulnerability in Microsoft Windows Active Directory Federation Services (ADFS). The vulnerability is caused by an error when handling a malformed request header passed to an ADFS-enabled Web server. It can be exploited via a crafted HTTP request, leading to remote code execution. Affected Products: Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Reference IDs: |
| MS.IAS.Privilege.Elevation Event ID: 18018 |
Release Date: Dec 09, 2009 IPS Definitions DB Version: 2.724 |
|
Description: This indicates an attack attempt against a privilege elevation vulnerability in EAP-MSCHAPv2 authentication used in VPN tunnel protocols or 802.1x authentication. Affected Products: Microsoft Internet Authentication Service in following systems: Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista and Windows Vista Service Pack 1 Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 Windows Server 2008 for 32-bit Systems Windows Server 2008 for x64-based Systems Windows Server 2008 for Itanium-based Systems Reference IDs: |
| MS.IE.DOM.Operation.Circular.Reference.Memory.Corruption Event ID: 18024 |
Release Date: Dec 09, 2009 IPS Definitions DB Version: 2.724 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles a specially crafted web page. It allows a remote attacker to execute arbitrary code. Affected Products: Microsoft Internet Explorer 8 Reference IDs: |
| MS.IE.DOM.Operation.Memory.Corruption Event ID: 18015 |
Release Date: Dec 09, 2009 IPS Definitions DB Version: 2.724 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles a specially crafted web page. It allows a remote attacker to execute arbitrary code. Affected Products: Microsoft Internet Explorer 8 Reference IDs: |
| Oracle.Database.Server.Network.Authentication.Buffer.Overflow Event ID: 17864 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against a buffer overflow vulnerability in Oracle Database server. The vulnerability is caused by an error when the oracle.exe handles a specially crafted length field of the AUTH_SESSKEY parameter. It allows a remote attacker to execute arbitrary code with the SYSTEM privileges of the oracle.exe process. Affected Products: Oracle Oracle10g Standard Edition 10.1 .5 Oracle Oracle10g Standard Edition 10.2.0.4 Oracle Oracle10g Enterprise Edition 10.1 .5 Oracle Oracle10g Enterprise Edition 10.2.0.4 Reference IDs: |
| Sun.Java.Runtime.AWT.SetBytePixels.Heap.Overflow Event ID: 17975 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Sun Java Runtime. The vulnerability is caused by an error when the vulnerable software handles a malicious parameter. It allows a remote attacker to execute arbitrary code via sending a crafted .class file. Affected Products: JDK and JRE 6 Update 16 and earlier JDK and JRE 5.0 Update 21 and earlier Reference IDs: |
| Sun.Java.Runtime.Environment.JPEGImageReader.Heap.Overflow Event ID: 17976 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against an integer-overflow vulnerability in Sun Java Runtime. The vulnerability is caused by an error when the vulnerable software handles JPEG image dimensions. It allows a remote attacker to execute arbitrary code via sending a crafted .jar file. Affected Products: JDK and JRE 6 Update 16 and earlier JDK and JRE 5.0 Update 21 and earlier Reference IDs: |
| Sun.Java.Web.Start.Arbitrary.Command.Execution Event ID: 17973 |
Release Date: Dec 10, 2009 IPS Definitions DB Version: 2.725 |
|
Description: This indicates an attack attempt against a command execution vulnerability in Sun Java Web Start. The vulnerability is caused by an error when the vulnerable software handles a malicious JNLP file. It allows a remote attacker to execute arbitrary commands by sending a crafted JNLP file. Affected Products: Java Runtime Environment 6u10~6u13; earlier versions are likely to be affected. Reference IDs: |
| Xpdf.Splash.DrawImage.Integer.Overflow Event ID: 18004 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against an integer-overflow vulnerability in Xpdf. The vulnerability is caused by an error when the vulnerable software handles a specially crafted PDF document. It allows a remote attacker to cause a denial of service (application crash) or possibly execute arbitrary code. Affected Products: Xpdf Xpdf 3.0 pl3 and previous versions Reference IDs: |
High ( 18 )
| Apple.QuickTime.AVI.header.Nblockalign.Heap.Corruption Event ID: 17217 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt to exploit a remote code-execution vulnerability in Apple Quicktime. The vulnerability is caused by an error when parsing a malformed AVI file header. It can be exploited via a crafted AVI file, leading to remote code execution. Affected Products: Apple QuickTime Player 7.5.5 Apple QuickTime Player 7.4.5 Apple QuickTime Player 7.4.1 Apple QuickTime Player 7.3.1 .70 Apple QuickTime Player 7.3.1 Apple QuickTime Player 7.1.6 Apple QuickTime Player 7.1.5 Apple QuickTime Player 7.1.4 Apple QuickTime Player 7.1.3 Apple QuickTime Player 7.1.2 Apple QuickTime Player 7.1.1 Apple QuickTime Player 7.0.4 Apple QuickTime Player 7.0.3 Apple QuickTime Player 7.0.2 Apple QuickTime Player 7.0.1 Apple QuickTime Player 7.0 Apple QuickTime Player 6.5.2 Apple QuickTime Player 6.5.1 Apple QuickTime Player 6.5 Apple QuickTime Player 6.1 Apple QuickTime Player 5.0.2 Apple QuickTime Player 7.5 Apple QuickTime Player 7.4 Apple QuickTime Player 7.4 Apple QuickTime Player 7.3 Apple QuickTime Player 7.2 Apple QuickTime Player 7.1 Apple QuickTime Player 6.4 Apple QuickTime Player 6 Reference IDs: |
| Apple.QuickTime.Cinepak.Codec.MDAT.Parsing.Heap.Corruption Event ID: 17218 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt to exploit a remote code-execution vulnerability in Apple Quicktime. The vulnerability is caused by an error when parsing the 'mdat' atom in a MOV file. It can be exploited via a crafted MOV file (.mov), leading to remote code execution. Affected Products: Apple QuickTime Player 7.5.5 Apple QuickTime Player 7.4.5 Apple QuickTime Player 7.4.1 Apple QuickTime Player 7.3.1 .70 Apple QuickTime Player 7.3.1 Apple QuickTime Player 7.1.6 Apple QuickTime Player 7.1.5 Apple QuickTime Player 7.1.4 Apple QuickTime Player 7.1.3 Apple QuickTime Player 7.1.2 Apple QuickTime Player 7.1.1 Apple QuickTime Player 7.0.4 Apple QuickTime Player 7.0.3 Apple QuickTime Player 7.0.2 Apple QuickTime Player 7.0.1 Apple QuickTime Player 7.0 Apple QuickTime Player 6.5.2 Apple QuickTime Player 6.5.1 Apple QuickTime Player 6.5 Apple QuickTime Player 6.1 Apple QuickTime Player 5.0.2 Apple QuickTime Player 7.5 Apple QuickTime Player 7.4 Apple QuickTime Player 7.4 Apple QuickTime Player 7.3 Apple QuickTime Player 7.2 Apple QuickTime Player 7.1 Apple QuickTime Player 6.4 Apple QuickTime Player 6 Reference IDs: |
| Apple.WebKit.Attr.Invalid.Attribute.Memory.Corruption Event ID: 18008 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Apple WebKit. The vulnerability is caused by an error when the vulnerable software handles attr() functions in a CSS content object. It allows a remote attacker to execute arbitrary code via sending a crafted web page. Affected Products: Apple Safari 3.2.3 Apple Safari 3.2.2 Apple Safari 3.1.2 Apple Safari 3.1.1 Apple Safari 3.0.3 Apple Safari 3.0.2 Apple Safari 3.0.1 Apple Safari 2.0.4 Reference IDs: |
| Apple.WebKit.Dir.Attribute.Freeing.Code.Execution Event ID: 17963 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a code-execution vulnerability in Apple WebKit. The vulnerability is caused by an error when the vulnerable software deallocates rendering objects. It allows a remote attacker to execute arbitrary code via sending a crafted web page. Affected Products: Apple Safari 3.2.3 Apple Safari 3.2.2 Apple Safari 3.1.2 Apple Safari 3.1.2 Apple Safari 3.1.1 Apple Safari 2.0.4 Reference IDs: |
| CVSTrac.FileDiff.Parameter.Command.Execution Event ID: 17871 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a remote command-execution vulnerability in CVSTrac. The vulnerability is caused by an error when the vulnerable software handles a malicious "FileDiff" property. It allows a remote attacker to execute arbitrary commands via sending a crafted web request. Affected Products: CVSTrac 1.1.3 CVSTrac 1.1.2 CVSTrac 1.1.1 Reference IDs: |
| Digium.Asterisk.IAX2.Call.Number.DoS Event ID: 17991 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against a resource-exhaustion-based denial-of-service vulnerability in Digium's Asterisk. The vulnerability is caused by a design weakness when the vulnerable software handles a large number of messages. It allows a remote attacker to cause a denial-of-service condition. Affected Products: Asterisk Asterisk Business Edition C.3.1.0 and previous versions Asterisk Asterisk 1.6.1 5 and previous versions Reference IDs: |
| EasyMail.AddAttachment.ActiveX.Buffer.Overflow Event ID: 17998 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in the EasyMail ActiveX control in emsmtp.dll. The vulnerability is caused by an error when the vulnerable software handles a specially crafted argument to the AddAttachment method. It allows a remote attacker to execute arbitrary code. Affected Products: EasyMail 6 is vulnerable; other versions may also be affected. Reference IDs: |
| EMC.Replication.Manager.Client.Control.Service.Code.Execution Event ID: 17654 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a remote code-execution vulnerability in EMC Replication Manager Client. The vulnerability is caused by an error when the vulnerable software handles a malicious "RunProgram" message. It allows a remote attacker to execute arbitrary code via sending a crafted request. Affected Products: EMC Replication Manager Client Reference IDs: |
| FFmpeg.OGV.File.Format.Memory.Corruption Event ID: 17999 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in FFmpeg. The vulnerability is caused by an error when the vulnerable software handles a specially crafted "ogv" file. It allows a remote attacker to execute arbitrary code. Affected Products: FFmpeg 0.5 Reference IDs: |
| FlexBB.Flexbb_lang_id.Cookie.Parameter.SQL.Injection Event ID: 17970 |
Release Date: Dec 08, 2009 IPS Definitions DB Version: 2.723 |
|
Description: This indicates an attack attempt against an SQL injection vulnerability in Flexbb. The vulnerability exists in includes/start.php when it handles a specially crafted flexbb_lang_id COOKIE parameter. It allows a remote attacker to execute arbitrary SQL commands. Affected Products: FlexBB FlexBB 1.0 10005 Beta Release 1 Reference IDs: |
| GeoBlog.Cat.Parameter.SQL.Injection Event ID: 17979 |
Release Date: Dec 08, 2009 IPS Definitions DB Version: 2.723 |
|
Description: This indicates an attack attempt against an SQL injection vulnerability in viewcat.php in BitDamaged geoBlog. The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP request. It allows a remote attacker to execute arbitrary SQL commands. Affected Products: geoBLog geoBlog MOD_1.0 Reference IDs: |
| Google.Apps.Googleapps.Url.Mailto.URI.Argument.Injection Event ID: 17990 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against an argument-injection vulnerability in Google Apps. The vulnerability is caused by an input validation error when the googleapps.exe program handles a specially crafted "googleapps.url.mailto://" URI. It allows a remote attacker to execute arbitrary programs on a vulnerable system. Affected Products: Google Apps 1.1.110 6031 Reference IDs: |
| IBiz.E-Banking.Integrator.ActiveX.Control.Insecure.Method Event ID: 17983 |
Release Date: Dec 10, 2009 IPS Definitions DB Version: 2.725 |
|
Description: This indicates an attack attempt against an insecure method-access vulnerability in IBiz E-Banking Integrator. The vulnerability is caused by an error when the vulnerable software handles a specially crafted web page. It allows a remote attacker to overwrite arbitrary files. Affected Products: IBiz E-Banking Integrator 2.0 Reference IDs: |
| Mozilla.Firefox.Layout.Engine.Memory.Corruption Event ID: 17949 |
Release Date: Dec 08, 2009 IPS Definitions DB Version: 2.723 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Mozilla Firefox. The vulnerability is caused by an error when the vulnerable software handles a specially crafted web page. It allows a remote attacker to cause a denial of service (crash). Affected Products: Mozilla Firefox 2.0.0.2 and previous versions Mozilla Firefox 1.5.0.11 and previous versions Reference IDs: |
| MS.Windows.Indeo.Codec.Memory.Corruption Event ID: 18013 |
Release Date: Dec 09, 2009 IPS Definitions DB Version: 2.724 |
|
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This vulnerability is located in the Indeo codec module that is delivered with affected systems. Microsoft will not release a patch for this vulnerability; instead, it provides some solutions in the Microsoft Security Advisory referenced below, and the vulnerability remains a Zero-Day. This signature should help mitigate the Zero-Day threat proactively, both prior to and after a solution is available from the vendor. Affected Products: Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows Server 2003 Service Pack 2 Reference IDs: |
| MS.Word.Text.Converter.Memory.Corruption Event ID: 18019 |
Release Date: Dec 09, 2009 IPS Definitions DB Version: 2.724 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft WordPad and Office. The vulnerability is caused by an error when the vulnerable software handles a malicious .DOC file. It allows a remote attacker to execute arbitrary code by sending a specially crafted document file. Affected Products: Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Office Software and Components Microsoft Office Word 2002 Service Pack 3 Microsoft Office Word 2003 Service Pack 3 Microsoft Works 8.5 Microsoft Office Converter Pack Reference IDs: |
| NetWin.SurgeMail.Webmail.Server.Page.Parameter.Format.String Event ID: 17947 |
Release Date: Dec 10, 2009 IPS Definitions DB Version: 2.725 |
|
Description: This indicates an attack attempt to exploit a Format String vulnerability in NetWin WebMail and SurgeMail. This is possible because the user input filters fail to properly sanitize the page parameter value that is passed to the real CGI executables. An attacker may execute arbitrary code by sending a crafted http request to the real CGI executables. Affected Products: NetWin WebMail 3.1s NetWin SurgeMail 3.0 c2 NetWin SurgeMail 3.0 a NetWin SurgeMail 2.2 g3 NetWin SurgeMail 2.2 g2 NetWin SurgeMail 2.2 c9 NetWin SurgeMail 2.2 c10 NetWin SurgeMail 2.2 a6 NetWin SurgeMail 2.1 c7 NetWin SurgeMail 2.1 a NetWin SurgeMail 2.0 g2 NetWin SurgeMail 2.0 e NetWin SurgeMail 2.0 c NetWin SurgeMail 2.0 a2 NetWin SurgeMail 1.9 b2 NetWin SurgeMail 1.9 NetWin SurgeMail 1.8 g3 NetWin SurgeMail 1.8 e NetWin SurgeMail 1.8 d NetWin SurgeMail 1.8 b3 NetWin SurgeMail 1.8 a NetWin SurgeMail beta 39a NetWin SurgeMail 3.9a NetWin SurgeMail 3.8k4 NetWin SurgeMail 3.8f3 Reference IDs: |
| Novell.Netware.CALLIT.RPC.Stack.Overflow Event ID: 17773 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in the Novell NetWare NFS Portmapper daemon. The vulnerability is caused by an error when the vulnerable software handles a specially crafted CALLIT RPC call. It allows a remote attacker to execute arbitrary code. Affected Products: Novell Netware 6.5.0 SP8 Reference IDs: |
Medium ( 6 )
| Adobe.Flash.Local.File.Check.Disclosure Event ID: 18005 |
Release Date: Dec 08, 2009 IPS Definitions DB Version: 2.723 |
|
Description: This indicates an attack attempt against a local file information-disclosure vulnerability in Adobe Flash. The vulnerability is caused by an error when the vulnerable software checks the local file state. It allows a remote attacker to obtain information about the existence of local files. Affected Products: Shockwave Player 11 and earlier versions Reference IDs: |
| Benders.Calendar.PHP.SQL.Injection Event ID: 17993 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt to exploit an SQL-injection vulnerability in index.php. The vulnerability is a result of the application's failure to properly sanitize user input before using it in an SQL query. As a result, a remote attacker can send a crafted query to execute SQL commands on a vulnerable server. Affected Products: Benders Calendar Benders Calendar 1.0 Reference IDs: |
| FFmpeg.Vmd_read_header.Integer.Overflow Event ID: 18001 |
Release Date: Dec 17, 2009 IPS Definitions DB Version: 2.728 |
|
Description: This indicates an attack attempt against an integer-overflow vulnerability in FFmpeg. The vulnerability is caused by an error when the vulnerable software handles a specially crafted VMD file. It allows a remote attacker to execute arbitrary code. Affected Products: FFmpeg 0.5 Reference IDs: |
| Mozilla.Firefox.HTTP.302.Redirect.Information.Disclosure Event ID: 14802 |
Release Date: Dec 08, 2009 IPS Definitions DB Version: 2.723 |
|
Description: This indicates an attack attempt against an Information Disclosure vulnerability in Mozilla Firefox. The vulnerability is caused by an error when the vulnerable software handles a specially crafted web page. It allows a remote attacker to obtain sensitive information. Affected Products: Mozilla Firefox 2.0.4 and previous versions Reference IDs: |
| Oracle.Database.Server.CREATE_TABLES.SQL.Injection Event ID: 17995 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt against an SQL-injection vulnerability in Oracle Database server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted function CREATE_TABLES of the package CTXSYS.DRVXTABC. It allows a remote attacker to inject and execute malicious SQL commands on the target server. Affected Products: Oracle Oracle9i Standard Edition 9.2 .8DV Oracle Oracle9i Standard Edition 9.2 .8 Oracle Oracle9i Personal Edition 9.2 .8DV Oracle Oracle9i Personal Edition 9.2 .8 Oracle Oracle9i Enterprise Edition 9.2 .8DV Oracle Oracle9i Enterprise Edition 9.2 .8.0 Oracle Oracle10g Standard Edition 10.1 .0.5 Oracle Oracle10g Standard Edition 10.2.0.4 Oracle Oracle10g Personal Edition 10.1 .5 Oracle Oracle10g Personal Edition 10.2.0.4 Oracle Oracle10g Enterprise Edition 10.1 .5 Oracle Oracle10g Enterprise Edition 10.2.0.4 Reference IDs: |
| S9Y.Serendipity.Index.PHP.SQL.Injection Event ID: 17989 |
Release Date: Dec 15, 2009 IPS Definitions DB Version: 2.726 |
|
Description: This indicates an attack attempt to exploit an SQL-injection vulnerability in S9Y Serendipity. The vulnerability is a result of the application's failure to properly sanitize user input before using it in a SQL query. As a result, a remote attacker can send a crafted query to execute SQL commands on a vulnerable server. Affected Products: S9Y Serendipity 1.1.1 Reference IDs: |
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 28 )
High ( 19 )
Medium ( 6 )
| Event Name | Revision Notes |
|---|---|
| Fullaspsite.Asp.Hosting.SQL.Injection | Detection Enhanced |
| Grandstream.GXV-3000.Phone.Remote.DoS | Detection Enhanced |
| MS.Outlook.Express.MHTML.Parsing.Information.Disclosure | Detection Enhanced |
| MS.RDS.Dataspace.ActiveX.Vuln | Detection Enhanced |
| MS.Windows.GDI.Library.EMF.DoS | Status updated to 'disable |
| PHP.Index.php.TID.Parameter.SQL.Injection | Detection Enhanced |
Low ( 2 )
| Event Name | Revision Notes |
|---|---|
| Cisco.WebEx.Player.atas32.DoS | Previous name: "FG-VD-09-016-Cisco" |
| Cisco.WebEx.Player.atrpui.DoS | Previous name: "FG-VD-09-008-Cisco" |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. Vulnerabilities can be classified as active and given a magnitude level. The magnitude level is the rate of activity across the probes. The value of the magnitude is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical ( 5 of 45 )
High ( 8 of 35 )
Medium ( 2 of 11 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Adobe.Flash.Local.File.Check.Disclosure | Yes | Low |
| Benders.Calendar.PHP.SQL.Injection | No | n/a |
| FFmpeg.Vmd_read_header.Integer.Overflow | No | n/a |
| Fullaspsite.Asp.Hosting.SQL.Injection | No | n/a |
| Grandstream.GXV-3000.Phone.Remote.DoS | No | n/a |
| Mozilla.Firefox.HTTP.302.Redirect.Information.Disclosure | No | n/a |
| MS.Outlook.Express.MHTML.Parsing.Information.Disclosure | No | n/a |
| MS.RDS.Dataspace.ActiveX.Vuln | Yes | Medium |
| Oracle.Database.Server.CREATE_TABLES.SQL.Injection | No | n/a |
| PHP.Index.php.TID.Parameter.SQL.Injection | No | n/a |
| S9Y.Serendipity.Index.PHP.SQL.Injection | No | n/a |
| Revision Date | Version Number | |
|---|---|---|
| Monday, December 21, 2009 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.