The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 20 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.770 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical ( 8 )
| Apple.iTunes.PLS.Processing.Buffer.Overflow Event ID: 17745 |
Release Date: Mar 02, 2010 IPS Definitions DB Version: 2.763 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Apple iTunes. The vulnerability is caused by an error when the vulnerable software handles a malicious .PLS file. It allows a remote attacker to execute arbitrary code via sending a crafted .pls file. Affected Products: Apple iTunes before 9.0.1 Reference IDs: |
| HP.OpenView.NNM.OvWebHelp.Buffer.Overflow Event ID: 18229 |
Release Date: Mar 09, 2010 IPS Definitions DB Version: 2.767 |
|
Description: This indicates an attack attempt against a buffer overflow vulnerability in HP OpenView Network Node Manager (NNM). The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP POST request. It allows a remote attacker to execute arbitrary code. Affected Products: HP OpenView Network Node Manager 7.50 Windows 2000/XP HP OpenView Network Node Manager 7.50 Solaris HP OpenView Network Node Manager 7.50 Linux HP OpenView Network Node Manager 7.50 HP-UX 11.X HP OpenView Network Node Manager 7.50 HP OpenView Network Node Manager 7.53 HP OpenView Network Node Manager 7.51 HP OpenView Network Node Manager 7.50 HP OpenView Network Node Manager 7.01 Reference IDs: |
| MS.Embedded.OpenType.Font.Engine.Memory.Corruption Event ID: 18111 |
Release Date: Mar 09, 2010 IPS Definitions DB Version: 2.767 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Windows. The vulnerability is caused by an error when the LZCOMP Decompressor is handling a malformed ".eot" file. It may allow remote attackers to execute arbitrary code by sending a crafted Embedded OpenType (EOT) file. Affected Products: Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| MS.IE.Userdata.Behavior.Code.Execution Event ID: 18281 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is due to an invalid pointer reference when Internet Explorer handles a web page. It allows a remote attacker to execute arbitrary code via sending a crafted web page. Affected Products: Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Vista x64 Edition , Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition and Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 7 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service 
Pack 2 Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Reference IDs: |
| MS.Office.Excel.DbOrParamQry.Record.Parsing.Code.Execution Event ID: 18277 |
Release Date: Mar 10, 2010 IPS Definitions DB Version: 2.768 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Office Excel. The vulnerability is caused by an error when the vulnerable software is parsing a ".xls" file with malformed DbOrParamQry Record. It may allow remote attackers to execute arbitrary code by sending a crafted XLS file. Affected Products: Microsoft Office 2004 for Mac Microsoft Office 2008 for Mac Open XML File Format Converter for Mac Microsoft Office Excel 2002 Service Pack 3 Reference IDs: |
| MS.Office.Excel.XLSX.File.Parsing.Code.Execution Event ID: 18272 |
Release Date: Mar 10, 2010 IPS Definitions DB Version: 2.768 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Office Excel. The vulnerability is caused by an error when the vulnerable software is parsing a malformed ".xlsx" file. It may allow remote attackers to execute arbitrary code by sending a crafted XLSX file. Affected Products: Microsoft Office Excel 2007 Service Pack 1 and Microsoft Office Excel 2007 Service Pack 2 Microsoft Office 2008 for Mac Open XML File Format Converter for Mac Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2 Microsoft Office Compatibility Pack for Word, Excel, an Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions) and Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions) Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions) and Microsoft Office SharePoint Server 2007 Service Pack 2 (64-bit editions) Reference IDs: |
| OpenOffice.Word.sprmTDefTable.Integer.Overflow Event ID: 18234 |
Release Date: Mar 09, 2010 IPS Definitions DB Version: 2.767 |
|
Description: This indicates an attack attempt against a buffer overflow vulnerability in OpenOffice Word. The vulnerability is caused by an error when the vulnerable software handles a malicious .doc file. It allows a remote attacker to execute arbitrary code via sending a crafted .doc file. Affected Products: OpenOffice.org (OOo) before 3.2 Reference IDs: |
| Sun.Java.Runtime.Environment.JPEGImageReader.Buffer.Overflow Event ID: 18087 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates an attack attempt against a heap-overflow vulnerability in Sun Java Runtime Environment. The vulnerability is caused by an error when the vulnerable software handles specially crafted JPEG image dimensions. It allows a remote attacker to execute arbitrary code. Affected Products: Sun Java JDK and JRE version 6 Update 16 and previous versions Sun Java JDK and JRE version 5.0 Update 21 and previous versions Sun Java SDK and JRE version 1.4.2_23 and previous versions Sun Java SDK and JRE version 1.3.1_26 and previous versions Reference IDs: |
High ( 13 )
| Apache.Tomcat.Shell.JSP.Command.Stager.Detection Event ID: 18233 |
Release Date: Mar 09, 2010 IPS Definitions DB Version: 2.767 |
|
Description: This indicates an attack attempt against a remote command execution vulnerability in Apache Tomcat server. A vulnerability has been reported in Apache Tomcat server that may allow an attacker to execute shell commands on a vulnerable system. This is possible because the user input filters fail to properly sanitize the command passed to the shell.jsp application installed on an Apache Tomcat server. An attacker may include shell commands by supplying a crafted URL. Affected Products: Apache Tomcat server |
| BOOTP.Boot.File.Name.Buffer.Overflow Event ID: 18223 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates an attack attempt against a buffer overflow vulnerability in Bootpd. The vulnerability is caused by an error when the vulnerable software handles a specially crafted filename that is longer than 1024 bytes. It allows a remote attacker to execute arbitrary code. Affected Products: Bootpd 2.4.3 and previous versions Reference IDs: |
| MS.Excel.BRAI.BIFF.Record.Code.Execution Event ID: 18273 |
Release Date: Mar 10, 2010 IPS Definitions DB Version: 2.768 |
|
Description: This indicates an attack attempt against a remote code execution vulnerability in Microsoft Office Excel. The vulnerability is caused by an error when the vulnerable software handles a specially crafted .XLS file. It allows a remote attacker to execute arbitrary code. Affected Products: Microsoft Office Excel 2002 Service Pack 3 Microsoft Office Excel 2003 Service Pack 3 Microsoft Office Excel 2007 Service Pack 1 Microsoft Office Excel 2007 Service Pack 2 Reference IDs: |
| MS.Excel.FnGroupName.Record.Code.Execution Event ID: 18279 |
Release Date: Mar 10, 2010 IPS Definitions DB Version: 2.768 |
|
Description: This indicates an attack attempt against a remote code execution vulnerability in Microsoft Office Excel. The vulnerability is caused by an error when the vulnerable software handles a specially crafted .XLS file. It allows a remote attacker to execute arbitrary code. Affected Products: Microsoft Office Excel 2007 Service Pack 1 Microsoft Office Excel 2007 Service Pack 2 Reference IDs: |
| MS.IE.Mshtml.DLL.Script.Action.Handler.Buffer.Overflow Event ID: 18237 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates an attack attempt against a buffer overflow vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when mshtml.dll handles malicious HTML that includes a large number of script action handlers. It allows a remote attacker to execute arbitrary code via sending a crafted web page. Affected Products: Microsoft Internet Explorer 5.0.1 SP4 Microsoft Internet Explorer 5.0.1 SP3 Microsoft Internet Explorer 5.0.1 SP2 Microsoft Internet Explorer 5.0.1 SP1 Microsoft Internet Explorer 5.0.1 for Windows NT 4.0 Microsoft Internet Explorer 5.0.1 for Windows 98 Microsoft Internet Explorer 5.0.1 for Windows 95 Microsoft Internet Explorer 5.0.1 for Windows 2000 Microsoft Internet Explorer 5.0.1 Microsoft Internet Explorer 7.0 beta2 Microsoft Internet Explorer 7.0 beta1 Microsoft Internet Explorer 6.0 SP2 - do not use Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Reference IDs: |
| MS.IE.VBScript.Malicious.HLP.File.Command.Execution Event ID: 18252 |
Release Date: Mar 03, 2010 IPS Definitions DB Version: 2.764 |
|
Description: This indicates an attack attempt against a command execution vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles malicious VBScript code that tricks the user into pressing the F1 key. It allows a remote attacker to execute arbitrary commands via sending a crafted web page. Affected Products: Microsoft Internet Explorer 7 and 8 on Windows XP Reference IDs:
|
| MS.Office.Excel.EntExU.Memory.Corruption Event ID: 18275 |
Release Date: Mar 10, 2010 IPS Definitions DB Version: 2.768 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Office Excel. The vulnerability is caused by an error when the vulnerable software handles a malicious .xls file. It allows a remote attacker to execute arbitrary code via sending a crafted .xls file. Affected Products: Microsoft Office Excel 2002 Service Pack 3 Reference IDs: |
| MS.Office.Excel.Mdxset.Heap.Overflow Event ID: 18278 |
Release Date: Mar 10, 2010 IPS Definitions DB Version: 2.768 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Office Excel. The vulnerability is caused by an error when the vulnerable software handles a malicious .xls file. It allows a remote attacker to execute arbitrary code via sending a crafted .xls file. Affected Products: Microsoft Office Excel 2007 Service Pack 1 and Microsoft Office Excel 2007 Service Pack 2 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 Reference IDs: |
| MS.Office.Excel.Mdxtuple.Heap.Overflow Event ID: 18276 |
Release Date: Mar 10, 2010 IPS Definitions DB Version: 2.768 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Office Excel. The vulnerability is caused by an error when the vulnerable software handles a malicious .xls file. It allows a remote attacker to execute arbitrary code via sending a crafted .xls file. Affected Products: Microsoft Office Excel 2007 Service Pack 1 and Microsoft Office Excel 2007 Service Pack 2 Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 Reference IDs: |
| MS.Windows.Movie.Maker.Producer.2003.Heap.Overflow Event ID: 18274 |
Release Date: Mar 10, 2010 IPS Definitions DB Version: 2.768 |
|
Description: This indicates an attack attempt against a heap-based buffer overflow vulnerability in Windows Movie Maker and Microsoft Producer 2003, which is caused by an improper size check on a Windows Movie Maker project file (.MSWMM), .MSProducer file, or .MSProducerZ file. Affected Products: Microsoft Movie Maker 2.1 for Windows XP Microsoft Movie Maker 6.0 and 2.6 for Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 Microsoft Movie Maker 2.6 for Windows 7 for 32-bit Systems and x64-based Systems Reference IDs: |
| Trojan.Goolbot Event ID: 18178 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates detection of the backdoor installed by Trojan Goolbot. Goolbot is classified as a trojan. Trojans can handle remote access connections, perform Denial of Service (DoS) or Distributed DoS (DDoS) attacks, capture keyboard input, delete files or objects, or terminate processes. Affected Products: N/A Reference IDs: |
| Twiki.Search.Shell.Metacharacter.Command.Execution Event ID: 18236 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates a possible attack against an arbitrary code execution vulnerability in TWiki which allows remote attackers to inject arbitrary commands via shell metacharacters in a search string. Affected Products: TWiki TWiki 20040901 TWiki TWiki 20030201 TWiki TWiki 01-Feb-2003 TWiki TWiki 01-Dec-2001 TWiki TWiki 01-Dec-2000 Gentoo Linux Conectiva Linux 10.0 Reference IDs: |
| VideoLAN.VLC.Media.Player.SMB.URI.Invalid.Free Event ID: 18244 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates an attack attempt against a memory corruption vulnerability in VideoLAN VLC media player. The vulnerability is caused by an invalid free error when the vulnerable software handles a specially crafted SMB URI. It allows a remote attacker to execute arbitrary code. Affected Products: VideoLAN VLC media player 1.0.1 VideoLAN VLC media player 1.0 VideoLAN VLC media player 0.9.9 |
Medium ( 1 )
| MySQL.YaSSL.CertDecoder.GetName.Buffer.Overflow Event ID: 18153 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates a possible attack against a buffer overflow vulnerability in yaSSL, which could be exploited to cause denial of service or arbitrary code execution due to an error in the processing of SSL certificates. Affected Products: yaSSL prior to 1.9.9 |
Low ( 1 )
| Apache.Mod.Perl.Status.XSS Event ID: 17366 |
Release Date: Mar 11, 2010 IPS Definitions DB Version: 2.769 |
|
Description: This indicates an attack attempt against a cross-site scripting vulnerability in the Apache Perl module. If /perl-status is accessible, malicious attackers could inject web scripts via a malicious HTTP request. Affected Products: Apache Software Foundation mod_perl 2.0.4 and older Reference IDs: |
Info ( 2 )
| Freegate.Searching Event ID: 16771 |
Release Date: Mar 02, 2010 IPS Definitions DB Version: 2.763 |
|
Description: This indicates a connection attempt to a Freegate server made by a Freegate client. Freegate is popular proxy software. Affected Products: Freegate 6.80 and higher Reference IDs:
|
| Ultrasurf.9.6+ Event ID: 18007 |
Release Date: Mar 02, 2010 IPS Definitions DB Version: 2.763 |
|
Description: This indicates an attempt to use the Ultra Surf web proxy to defeat network traffic filtering. Ultra Surf is software that helps defend against traffic filtering. In some cases, company or network policy may restrict the use of Ultra Surf because it allows users to hide prohibited network activities. Affected Products: Ultra Surf 9.6 Ultra Surf 9.7 Ultra Surf 9.8 Ultra Surf 9.9 Ultra Surf 9.91 Ultra Surf 9.92 Reference IDs:
|
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 23 )
High ( 19 )
Medium ( 12 )
| Event Name | Revision Notes |
|---|---|
| 427BB.Showthread.PHP.ForumID.Parameter.SQL.Injection | Default_action updated to 'drop' |
| ADNForum.Index.PHP.FID.Parameter.SQL.Injection | Default_action updated to 'drop' |
| Benders.Calendar.PHP.SQL.Injection | Default_action updated to 'drop' |
| Chimera.Web.Portal.Linkcategory.Id.Parameter.SQL.Injection | Default_action updated to 'drop' |
| Digium.Asterisk.IAX2.POKE.Request.DoS | Default_action updated to 'drop' |
| ExAir.Search.ASP.Access | Detection Enhanced |
| MS.IE.Event.Handling.Cross.Domain.Security.Bypass | Default_action updated to 'drop' |
| MS.IE.NavCancel.HTM.XSS | Status updated to 'disable' Detection Enhanced |
| MS.IE.Temporary.Internet.Folder.Access | Default_action updated to 'drop' |
| MS.IIS.WebDAV.Authentication.Bypass | Status updated to 'disable' Detection Enhanced |
| MS.RDS.Dataspace.ActiveX.Vuln | Detection Enhanced |
| VideoLAN.VLC.Media.Player.MP4_BoxDumpStructure.Buffer.Overflow | Default_action updated to 'drop' |
Low ( 1 )
| Event Name | Revision Notes |
|---|---|
| Apache.IPv6.Buffer.Overflow | Default_action updated to 'drop' |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. Vulnerabilities can be classified as active and given a magnitude level. The magnitude level is the rate of activity across the probes. The value of the magnitude is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical ( 7 of 21 )
High ( 8 of 21 )
Medium ( 4 of 5 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| ExAir.Search.ASP.Access | Yes | Medium |
| MS.IE.NavCancel.HTM.XSS | Yes | Low |
| MS.IIS.WebDAV.Authentication.Bypass | Yes | Low |
| MS.RDS.Dataspace.ActiveX.Vuln | Yes | Low |
| MySQL.YaSSL.CertDecoder.GetName.Buffer.Overflow | No | n/a |
Low ( 1 of 1 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Apache.Mod.Perl.Status.XSS | Yes | Low |
| Revision Date | Version Number | |
|---|---|---|
| Monday, March 15, 2010 | 1 | Initial Documentation. |