The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 18 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.795 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical (13)

Apple.QuickTime.FLI.LinePacket.Code.Execution (Event ID: 20849)
Release Date: Apr 22, 2010. IPS Definitions DB Version: 2.795.
Description: This indicates an attack attempt against a code-execution vulnerability in Apple QuickTime. The vulnerability is caused by an error when the vulnerable software handles a malicious FLI file. It allows a remote attacker to execute arbitrary code by sending a crafted file.
Affected Products: QuickTime in Apple Mac OS X before 10.6.3

Apple.QuickTime.MediaVideo.Compressor.Name.Code.Execution (Event ID: 20847)
Release Date: Apr 22, 2010. IPS Definitions DB Version: 2.795.
Description: This indicates an attack attempt against a code-execution vulnerability in Apple QuickTime. The vulnerability is caused by an error when the vulnerable software handles a malicious MediaVideo file. It allows a remote attacker to execute arbitrary code by sending a crafted video file.
Affected Products: Apple QuickTime before 7.6.6

Apple.QuickTime.QDM2.QDCA.Atom.Code.Execution (Event ID: 20846)
Release Date: Apr 22, 2010. IPS Definitions DB Version: 2.795.
Description: This indicates an attack attempt against a code-execution vulnerability in Apple QuickTime. The vulnerability is caused by an error when the vulnerable software handles a malicious video file containing QDM2-encoded audio. It allows a remote attacker to execute arbitrary code by sending a crafted video file.
Affected Products: Apple QuickTime on Apple Mac OS X before 10.6.3

Mozilla.Products.JavaScript.String.Replace.Buffer.Overflow (Event ID: 20811)
Release Date: Apr 15, 2010. IPS Definitions DB Version: 2.789.
Description: This indicates an attack attempt against a buffer-overflow vulnerability in multiple Mozilla products. The vulnerability is caused by an error when the vulnerable software handles a specially crafted substring passed to the JavaScript string replace operation. It allows a remote attacker to execute arbitrary code.
Affected Products: Mozilla Firefox 3.5.2 and previous versions; Mozilla SeaMonkey 1.1.18 and previous versions; Mozilla Thunderbird 2.0.9 and previous versions

MS.Office.Publisher.File.Conversion.Buffer.Overflow (Event ID: 20890)
Release Date: Apr 14, 2010. IPS Definitions DB Version: 2.788.
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Microsoft Office Publisher. The vulnerability is caused by an error when the vulnerable software handles a malformed Publisher file (.pub). It may allow a remote attacker to execute arbitrary code by sending a crafted Publisher file.
Affected Products: Microsoft Office Publisher 2002 Service Pack 3; Microsoft Office Publisher 2003 Service Pack 3; Microsoft Office Publisher 2007 Service Pack 1; Microsoft Office Publisher 2007 Service Pack 2

MS.SMB.Client.Memory.Allocation.Code.Execution (Event ID: 20900)
Release Date: Apr 19, 2010. IPS Definitions DB Version: 2.792.
Description: This indicates an attack attempt against a code-execution vulnerability in the Microsoft SMB Client. The vulnerability is caused by an error when the vulnerable software handles a malicious SMB response. It allows a remote attacker to execute arbitrary code by sending a crafted SMB response.
Affected Products: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*; Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*; Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2; Windows 7 for 32-bit Systems; Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems*; Windows Server 2008 R2 for Itanium-based Systems

MS.SMB.Client.Response.Parsing.Code.Execution (Event ID: 20906)
Release Date: Apr 16, 2010. IPS Definitions DB Version: 2.790.
Description: This indicates an attack attempt against a code-execution vulnerability in the Microsoft SMB Client. The vulnerability is caused by an error when the vulnerable software handles a malicious SMB response. It allows a remote attacker to execute arbitrary code by sending a crafted SMB response.
Affected Products: Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*; Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*; Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

MS.Windows.Media.Player.Invalid.Pointer.Operation (Event ID: 20888)
Release Date: Apr 14, 2010. IPS Definitions DB Version: 2.788.
Description: This indicates a possible attack against an invalid-pointer-operation vulnerability in Windows Media Player. The vulnerability is caused by an error when the vulnerable software handles an invalid pointer. Successful exploitation may lead to arbitrary code execution or a denial of service.
Affected Products: Windows Media Player 9 Series

MS.Windows.Media.Services.Stack.Buffer.Overflow (Event ID: 20897)
Release Date: Apr 14, 2010. IPS Definitions DB Version: 2.788.
Description: This indicates an attack attempt against a stack-based buffer-overflow vulnerability in Microsoft Media Services. The vulnerability is caused by an error when the vulnerable software handles a malformed MMS client request. It may allow a remote attacker to execute arbitrary code by sending a crafted MMS message.
Affected Products: Microsoft Windows 2000 Server Service Pack 4

MS.Windows.MPEG.Layer3.Audio.Decoder.Stack.Overflow (Event ID: 20903)
Release Date: Apr 14, 2010. IPS Definitions DB Version: 2.788.
Description: This indicates an attack attempt against a stack-based buffer-overflow vulnerability in the Microsoft MPEG Layer-3 codecs. The vulnerability is caused by an error when the vulnerable software handles a malformed AVI file. It may allow a remote attacker to execute arbitrary code by sending a crafted AVI file.
Affected Products: MPEG Layer-3 codecs on Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2; Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

OpenOffice.Microsoft.Word.File.SprmTSetBrc.Buffer.Overflow (Event ID: 20845)
Release Date: Apr 22, 2010. IPS Definitions DB Version: 2.795.
Description: This indicates an attack attempt against a buffer-overflow vulnerability in OpenOffice. The vulnerability is caused by an error when the vulnerable software handles a specially crafted Microsoft Word file. It allows a remote attacker to execute arbitrary code.
Affected Products: OpenOffice.org versions prior to 3.2

SAP.GUI.SAPBExCommonResources.ActiveX.Control.Access (Event ID: 20505)
Release Date: Apr 15, 2010. IPS Definitions DB Version: 2.789.
Description: This indicates an attempt to exploit a buffer-overflow vulnerability in SAP GUI. The vulnerability is caused by an error in the "SAPBExCommonResources" ActiveX control when it processes malicious arguments passed to its "Execute()" method. It allows a remote attacker to execute arbitrary code via a crafted web page.
Affected Products: SAP GUI versions 7.x

Webwail.Audio.Captcha (Event ID: 18246)
Release Date: Apr 19, 2010. IPS Definitions DB Version: 2.792.
Description: This indicates that the system might be infected by the Webwail botnet.
Affected Products: Any unprotected Windows system is vulnerable to the attack.
High (8)

Apache.Mod.Isapi.Dangling.Pointer.Code.Execution (Event ID: 18270)
Release Date: Apr 22, 2010. IPS Definitions DB Version: 2.795.
Description: This indicates an attack attempt against a memory-corruption vulnerability in the Apache HTTP server. The vulnerability is caused by an error when the mod_isapi module handles a malicious POST request followed by a RST packet. It may allow a remote attacker to execute arbitrary code by sending crafted HTTP POST requests.
Affected Products: Slackware Linux x86_64 -current; Slackware Linux 13.0 x86_64; Slackware Linux 13.0; Slackware Linux 12.2; Slackware Linux 12.1; Slackware Linux 12.0; Slackware Linux -current; IBM HTTP Server 6.1.0; Apache Software Foundation Apache 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.63, 2.0.59, 2.0.56-dev, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.41, 2.0.40, 2.0.39, 2.0.38, 2.0.37, 2.2.7-dev, 2.2.6-dev, 2.2.5-dev, 2.2.1, 2.2, 2.0.62-dev, 2.0.61-dev, 2.0.60-dev, 2.0.58, 2.0.57

FeedDemon.OPML.Outline.Tag.Buffer.Overflow (Event ID: 20104)
Release Date: Apr 20, 2010. IPS Definitions DB Version: 2.793.
Description: This indicates an attack attempt against a buffer-overflow vulnerability in FeedDemon. The vulnerability is caused by an error when the vulnerable software handles a malicious OPML file. It allows a remote attacker to execute arbitrary code by sending a crafted OPML file.
Affected Products: FeedDemon version 2.7 and below

IBM.Lotus.Domino.Web.Access.ActiveX.Controls.Buffer.Overflow (Event ID: 20819)
Release Date: Apr 20, 2010. IPS Definitions DB Version: 2.793.
Description: This indicates an attack attempt against a buffer-overflow vulnerability in IBM Domino Web Access. The vulnerability is caused by an error when the vulnerable software handles a specially crafted packet passed to the iNotes Web Access ActiveX controls. It allows a remote attacker to execute arbitrary code.
Affected Products: IBM Domino Web Access 8.0.2 FP4, 8.0.1, 7.0.3, 7.0.1, 6.5.6, 6.5.5, 6.5.4, 6.5.3, 6.5.2, 6.5.1, 6.0.5, 6.0.4, 6.0.3, 6.0.2.2, 6.0.2.1, 6.0.1.3, 6.0.1.2, 6.0.1.1, 6.0.1, 8.0, 7.0, 6.5, 6.0

MIT.Kerberos.KDC.Authentication.DoS (Event ID: 20810)
Release Date: Apr 15, 2010. IPS Definitions DB Version: 2.789.
Description: This indicates an attack attempt against a denial-of-service vulnerability in the MIT Kerberos KDC. The vulnerability is caused by an error when the vulnerable software handles a specially crafted packet. It allows a remote attacker to cause a denial of service.
Affected Products: MIT Kerberos 5 1.7.1; MIT Kerberos 5 1.7

MS.Network.Share.Provider.Unchecked.Buffer.DoS (Event ID: 13707)
Release Date: Apr 19, 2010. IPS Definitions DB Version: 2.792.
Description: Microsoft Windows has a denial-of-service vulnerability. A remote attacker could crash the victim's system with a specially crafted SMB_CON_TRANSACTION packet that requests the NetServerEnum2, NetServerEnum3, or NetShareEnum function.
Affected Products: Microsoft Windows 2000 Advanced Server; Windows 2000 (any version); Windows 2000 Professional; Windows 2000 Server; Windows 2003 (any version); Windows NT 4.0; Windows NT 4.0 TSE; Windows NT (any version); Windows XP Professional

MS.Windows.SMTP.Component.DNS.Mail.Exchanger.DoS (Event ID: 20893)
Release Date: Apr 14, 2010. IPS Definitions DB Version: 2.788.
Description: This indicates an attack attempt against a denial-of-service vulnerability in the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component. The vulnerability is caused by an error when the vulnerable software handles a specially crafted DNS Mail Exchanger (MX) resource record. It allows a remote attacker to cause the SMTP service to stop responding until it is restarted.
Affected Products: Microsoft Windows 2000 Service Pack 4; Microsoft Windows XP Service Pack 2; Microsoft Windows XP Service Pack 3; Microsoft Windows XP Professional x64 Edition Service Pack 2; Microsoft Windows Server 2003 Service Pack 2; Microsoft Windows Server 2003 x64 Edition Service Pack 2; Microsoft Windows Server 2003 with SP2 for Itanium-based Systems; Microsoft Windows Server 2008 for 32-bit Systems; Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2; Microsoft Windows Server 2008 for x64-based Systems; Microsoft Windows Server 2008 for x64-based Systems Service Pack 2; Microsoft Windows Server 2008 R2 for x64-based Systems; Microsoft Exchange Server 2003 Service Pack 2

Oracle.Java.Soundbank.Resource.Name.Buffer.Overflow (Event ID: 20839)
Release Date: Apr 22, 2010. IPS Definitions DB Version: 2.795.
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Oracle Java. The vulnerability is caused by an error when the vulnerable software handles a malicious soundbank file. It allows a remote attacker to execute arbitrary code by sending a crafted .jar file.
Affected Products: Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27

VariCAD.DWB.File.Stack.Overflow (Event ID: 18735)
Release Date: Apr 13, 2010. IPS Definitions DB Version: 2.785.
Description: This indicates an attack attempt against a stack-based buffer-overflow vulnerability in VariCAD and VariCAD Viewer. The vulnerability is caused by an improper boundary check when the vulnerable software processes DWB files.
Affected Products: VariCAD version 2.05 on Windows; VariCAD Viewer version 2.05 on Windows; other versions may also be affected
Medium (2)

PostgreSQL.Bit.Substring.Buffer.Overflow (Event ID: 20818)
Release Date: Apr 20, 2010. IPS Definitions DB Version: 2.793.
Description: This indicates an attack attempt against a buffer-overflow vulnerability in the PostgreSQL database server. The vulnerability is caused by an error when the vulnerable software handles a call to the SQL substring function with specially crafted, malicious input. It allows a remote attacker to cause a denial of service (daemon crash).
Affected Products: PostgreSQL 8.0.23

Squid.Proxy.HTCP.Packet.Processing.DoS (Event ID: 20820)
Release Date: Apr 20, 2010. IPS Definitions DB Version: 2.793.
Description: This indicates an attack attempt against a denial-of-service vulnerability in Squid Proxy. The vulnerability is caused by an error when the vulnerable software handles a specially crafted Hypertext Caching Protocol (HTCP) packet. It allows a remote attacker to cause a denial of service.
Affected Products: Squid Web Proxy Cache 3.0 PRE3 and previous versions
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical (36)
High (27)
Medium (9)
| Event Name | Revision Notes |
|---|---|
| Apple.CUPS.CupsdDoSelect.Remote.Code.Execution | Default_action updated to 'pass' |
| Best.Software.SalesLogix.View.ID.Parameter.SQL.Injection | Default_action updated to 'pass' |
| Mozilla.Firefox.XSL.Parsing.Remote.Memory.Corruption | Default_action updated to 'pass' |
| MS.GdiPlus.Dll.EMF.GpFont.SetData.Stack.Overflow | Default_action updated to 'pass' |
| MS.IE.SSL.Spoofing | Detection Enhanced |
| MS.IE.XMLHttpRequest.Http.Header.Overwritten | Default_action updated to 'pass' |
| MS.Windows.PnP.DoS | Default_action updated to 'drop'; Detection Enhanced |
| Nabopoll.Web.Poll.Package.Blind.SQL.Injection | Default_action updated to 'pass' |
| Oracle.Database.Server.CREATE_TABLES.SQL.Injection | Default_action updated to 'pass' |
Low (1)
| Event Name | Revision Notes |
|---|---|
| Best.Software.SalesLogix.Database.Credentials.Disclosure | Default_action updated to 'pass' |
Info (2)
| Event Name | Revision Notes |
|---|---|
| SMB.Login.Failure | Previous name: "SMB.Logon.Failure"; Severity updated to 'low' |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. A vulnerability can be classified as active and assigned a magnitude level, which reflects the rate of exploit activity observed across the probes. The magnitude is set to low, medium, or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically those with new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical (8 of 27)
High (7 of 23)
Medium (2 of 4)
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| MS.IE.SSL.Spoofing | Yes | Medium |
| MS.Windows.PnP.DoS | Yes | Low |
| PostgreSQL.Bit.Substring.Buffer.Overflow | No | n/a |
| Squid.Proxy.HTCP.Packet.Processing.DoS | No | n/a |
| Revision Date | Version Number | Notes |
|---|---|---|
| Monday, April 26, 2010 | 1 | Initial Documentation. |
About Fortinet (www.fortinet.com)
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.