| Threat Type | Multiple Vulnerabilities |
IPS Definition
DB Versions | 2.832 - 2.835 |
| Coverage Release Date | Jul 06, 2010 - Jul 15, 2010 |
| Published Date | Monday, July 19, 2010 |
| Version # | 1 |
| |
| Severity | Number of
Vulnerabilities | Active
Exploitation |
| Critical | 10 | 2 | | High | 15 | 2 | | Medium | 8 | 2 | | Low | 5 | 2 | | Info | - | n/a | | Total | 38 | 8 |
|
Foreword
The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 8 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Threat Remediation
Fortinet provides coverage for the vulnerabilities described below as of the 2.835 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical ( 5 )
Description:
This indicates an attack attempt against a use-after-free vulnerability in WebKit in Apple Safari.
The vulnerability is caused by an error when the vulnerable software handles a specially crafted web page. It allows a remote attacker to execute arbitrary code.
Affected Products:
Apple Safari 4.0.5
Apple Safari 4.0.4
Apple Safari 4.0.3
Apple Safari 4.0.2
Apple Safari 4.0.1
Apple Safari 4 Beta
Apple Safari 4
Reference IDs:
|
Description:
This indicates an attack attempt against a memory-corruption vulnerability in Apple Webkit.
The vulnerability is caused by an error when the vulnerable software handles a web page with the a malformed "DOCUMENT_POSITION_DISCONNECTED" attribute. It may allow remote attackers to execute arbitrary code by sending a crafted web page.
Affected Products:
Safari 4 (Mac OS X 10.4)
Safari 5 (Windows)
Safari 5 (Mac OS X 10.6)
Safari 5 (Mac OS X 10.5)
Reference IDs:
|
Description:
This indicates an attack attempt against a remote code-execution vulnerability in Apple Safari.
The vulnerability is caused by an error when the Webkit handles a specially crafted web page. It allows a remote attacker to execute arbitrary code.
Affected Products:
Apple Safari 4.0.5
Apple Safari 4.0.4
Apple Safari 4.0.3
Apple Safari 4.0.2
Apple Safari 4.0.1
Apple Safari 4 Beta
Apple Safari 4
Reference IDs:
|
Description:
This indicates an attack attempt against a remote code-execution vulnerability in Microsoft Access.
The vulnerability is due to an error when the vulnerable software instantiates three specific ActiveX controls in a particular order. A remote attacker may exploit this to execute arbitrary code.
Affected Products:
Microsoft Office Access 2003 Service Pack 3
Microsoft Office Access 2007 Service Pack 2
Microsoft Office Access 2007 Service Pack 1
Reference IDs:
|
Description:
This indicates an attack attempt against a code-execution vulnerability in Microsoft Office and Internet Explorer.
The vulnerability is caused by an error when the vulnerable software handles a Microsoft Office document or web page with a misused ActiveX control. It may allow remote attackers to execute arbitrary code by sending a crafted Office file or web page.
Affected Products:
Microsoft Office Access 2003 Service Pack 3
Microsoft Office Access 2007 Service Pack 1 and Microsoft Office Access 2007 Service Pack 2
Reference IDs:
|
High ( 8 )
Description:
This indicates an attack attempt to exploit a buffer-overflow vulnerability in EasyBits Extra Manager.
The vulnerability is located in the ActiveX control through misuse of an unspecified method. It may allow remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely cause the program to crash, resulting in a denial-of-service condition.
Affected Products:
Skype Technologies Skype 4.1.166
EasyBits Software Extras Manager 2.0.0.67
Reference IDs:
|
Description:
This indicates an attack attempt against a remote code-execution vulnerability in JustSystems Ichitaro.
The vulnerability is caused by an error when the vulnerable software processes
malicious character attributes. It allows a remote attacker to execute
arbitrary code via sending a crafted file.
Affected Products:
Justsystem Ichitaro 2009
Justsystem Ichitaro 2008
Justsystem Ichitaro 2007
Justsystem Ichitaro 2006
Justsystem Ichitaro 2005
Justsystem Ichitaro 2004
Reference IDs:
|
Description:
This indicates an attack attempt against an integer-overflow vulnerability in the Windows Canonical Display Driver, which may lead to arbitrary code execution.
Affected Products:
Windows 7 for x64-based Systems
Windows Embedded Standard 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Reference IDs:
|
Description:
This indicates an attack attempt against an attachment-spoofing vulnerability in Microsoft Office Outlook.
The vulnerability is caused by an error when the vulnerable software handles a malicious attachment. It allows a remote attacker to run a malicious file via sending a crafted mail.
Affected Products:
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2
Reference IDs:
|
Description:
This indicates an attack attempt against a buffer-overflow vulnerability in TweakFS Zip.
The vulnerability is caused by an error when the vulnerable software handles a malicious .zip file. It allows a remote attacker to execute arbitrary code via sending a crafted .zip file.
Affected Products:
TweakFS Zip Utility 1.0
Reference IDs:
|
Description:
This indicates an attack attempt against a buffer-overflow vulnerability in Viscom Software Movie Player Pro SDK.
The vulnerability is caused by an error when the vulnerable software handles a malicious "strFontName" parameter. It allows a remote attacker to execute arbitrary code via sending a crafted web page.
Affected Products:
Viscom Software Movie Player Pro SDK ActiveX version 6.8
Reference IDs:
|
Description:
This indicates an attack attempt against a buffer-overflow vulnerability in Winamp.
The vulnerability is caused by an error when the vulnerable software handles a malicious .mp4 file. It allows a remote attacker to execute arbitrary code via sending a crafted mp4 file.
Affected Products:
Winamp version 5.552. Prior versions may also be affected.
Reference IDs:
|
Description:
This indicates that the system might be infected by the Yahoo Messenger Worm.
Affected Products:
Any unprotected Windows system is vulnerable to the attack.
|
Medium ( 4 )
Description:
This indicates an attack attempt against a denial-of-service vulnerability in EMC RepliStor Server.
The vulnerability is caused by an error when the vulnerable software handles a malicious packet. It allows a remote attacker to cause denial of service via sending a crafted packet.
Affected Products:
EMC RepliStor 6.3 SP1 rep_srv.exe version 6.3.1.3. Other versions may also be affected.
Reference IDs:
|
Description:
This indicates an attack attempt to exploit a denial-of-service vulnerability in Microsoft Internet Explorer.
The vulnerability is located in the "HtmlDlgSafeHelper.HtmlDlgSafeHelper" ActiveX control through misuse of the "fonts" property. It may allow remote attackers to crash the application using the affected ActiveX control.
Affected Products:
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Reference IDs:
|
Description:
This indicates an attack attempt against a DNS-spoofing vulnerability in the Microsoft Windows Simple Mail Transfer Protocol (SMTP) Server.
The vulnerability is caused by an error when the vulnerable software handles specially crafted DNS responses. It allows a remote attacker to redirect network traffic and perform man-in-the-middle attacks by spoofing DNS responses.
Affected Products:
Microsoft Windows 2000 (SP4 and previous)
Microsoft Windows XP (SP3, SP2 and previous)
Microsoft Windows 2003 (SP2 and previous)
Microsoft Windows 2008 (SP2 and previous)
Microsoft Windows 2008 R2
Microsoft Exchange Server 2003 (SP3, SP2 and previous)
Microsoft Exchange Server 2007 (SP2, SP1 and previous)
Microsoft Exchange Server 2010
Reference IDs:
|
Description:
This indicates an attack attempt against an SQL-injection vulnerability in print.php in Articles 1.02 and earlier modules for Xoops.
The vulnerability is caused by an error when the vulnerable software handles a specially crafted uri. It allows a remote attacker to execute arbitrary SQL commands.
Affected Products:
Xoops Articles Module 1.02 and previous versions
|
Low ( 3 )
Description:
This indicates TCP packets with the FIN flag only ("TCP Headers With FIN Only"). Normally, TCP FIN packets also have the ACK flag to acknowledge the previous packet received.
"TCP FIN Without ACK" can be used to do FIN scan or evade detection.
Affected Products:
Any Operating System may be affected.
|
Description:
This indicates a possible attack against a directory-traversal vulnerability in TitanFtp Server.
The vulnerability is in the xcrc command which could lead to arbitrary file information disclosure.
Affected Products:
TitanFTP Server Versions 8.10.1125 and previous
Reference IDs:
|
Trojan.Asprox
Event ID: 20185 |
Release Date: Jul 13, 2010
IPS Definitions DB Version: 2.834 |
Description:
The target system appears to have been infected with Trojan.Asprox.
Trojan.Asprox is a Trojan horse that uses the compromised computer as a proxy server. It is designed to create a spam botnet which can be used to send phishing emails.
One or more of the following files/registry keys, associated with the Trojan, have been detected on the system:
%Windir%\system32\aspimgr.exe
%Windir%\s32.txt
%Windir%\db32.txt
%Windir%\g32.txt
%Windir%\gs32.txt
%Windir%\ws386.ini
%Temp%\_check32.bat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft
Affected Products:
|
Top of Section
Enhanced Coverage
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 5 )
High ( 7 )
Medium ( 5 )
Low ( 2 )
Top of Section
Active Exploitation
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. Vulnerabilities can be classified as active and given a magnitude level. The magnitude level is the rate of activity across the probes. The value of the magnitude is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical ( 2 of 9 )
High ( 2 of 14 )
Medium ( 2 of 8 )
Low ( 2 of 5 )
Top of Section
Document History
| Revision Date | Version Number | |
|---|
| Monday, July 19, 2010 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Top of page
