|
|
Foreword
The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 16 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Threat Remediation
Fortinet provides coverage for the vulnerabilities described below as of the 2.848 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical ( 21 )
| Adobe.0day.24004 Event ID: 24004 |
Release Date: Aug 06, 2010 IPS Definitions DB Version: 2.844 |
|
Description: This signature has been released by the FortiGuard Global Security Research Team in order to protect against a Zero-Day vulnerability. This signature should help mitigate the Zero-Day threat proactively - both prior to, and after an official fix is available from the vendor. Once this official fix is available, further details will be made available in our advisory on the FortiGuard Center (http://www.fortiguard.com). This signature and description will also be updated at this point in time. Affected Products: This is a Zero-Day (unpatched) vulnerability that is currently being investigated by the FortiGuard Global Security Research Team. Reference IDs: |
| Adobe.0day.24007 Event ID: 24007 |
Release Date: Aug 06, 2010 IPS Definitions DB Version: 2.844 |
|
Description: This signature has been released by the FortiGuard Global Security Research Team in order to protect against a Zero-Day vulnerability. This signature should help mitigate the Zero-Day threat proactively - both prior to, and after an official fix is available from the vendor. Once this official fix is available, further details will be made available in our advisory on the FortiGuard Center (http://www.fortiguard.com). This signature and description will also be updated at this point in time. Affected Products: This is a Zero-Day (unpatched) vulnerability that is currently being investigated by the FortiGuard Global Security Research Team. Reference IDs: |
| Adobe.0day.24008 Event ID: 24008 |
Release Date: Aug 06, 2010 IPS Definitions DB Version: 2.844 |
|
Description: This indicates an attack attempt against a Zero-Day vulnerability protected by the signature which has been released by Fortinet's FortiGuard Labs. This signature should help mitigate the Zero-Day threat proactively - both prior to, and after an official fix is available from the vendor. Once this official fix is available, further details will be made available in an advisory on our FortiGuard Center (http://www.fortiguard.com). This signature and description will also be updated at this point in time. Affected Products: This is a Zero-Day (unpatched) vulnerability that is currently being investigated by Fortinet's FortiGuard Labs. Reference IDs: |
| Adobe.Reader.Font.Parsing.Integer.Overflow Event ID: 24005 |
Release Date: Aug 13, 2010 IPS Definitions DB Version: 2.848 |
|
Description: This indicates an attack attempt against an integer-overflow vulnerability in Adobe Acrobat and Reader. The vulnerability is caused by an error when the vulnerable software handles PDF files with a malformed value for a certain TrueType Font field. It allows a remote attacker to execute arbitrary code via sending a crafted PDF file. Affected Products: Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3 Reference IDs: |
| HP.OpenView.NNM.Webappmon.EXE.Execvpnc.Code.Execution Event ID: 23917 |
Release Date: Aug 05, 2010 IPS Definitions DB Version: 2.843 |
|
Description: This indicates an attack attempt against a stack-based buffer-overflow vulnerability in HP OpenView. The vulnerability is caused by an error when the vulnerable software handles an overly long "sel" parameter. It allows a remote attacker to execute arbitrary code via sending a crafted HTTP request. Affected Products: HP OpenView Network Node Manager 7.51 Reference IDs: |
| IBM.Informix.Client.SDK.NFX.File.Buffer.Overflow Event ID: 17997 |
Release Date: Aug 12, 2010 IPS Definitions DB Version: 2.847 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in IBM Informix Client SDK. The vulnerability is caused by an error when the vulnerable software handles a specially crafted ".nfx" file which contains an overly long "HostList" entry. It allows a remote attacker to execute arbitrary code. Affected Products: IBM Informix CSDK 3.50 IBM Informix Connect 3.0 Reference IDs: |
| MoreAmp.Maf.Buffer.Overflow Event ID: 23920 |
Release Date: Aug 10, 2010 IPS Definitions DB Version: 2.845 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in MoreAmp. The vulnerability is caused by an error when the vulnerable software handles a malicious .maf playlist. It allows a remote attacker to execute arbitrary code via sending a crafted .maf file. Affected Products: MoreAmp MoreAmp 0.1.25 Reference IDs: |
| MS.Excel.SXVI.iCache.Memory.Corruption Event ID: 24050 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Office Excel. The vulnerability is caused by an error due to lack of validation on the SXVI.iCache value during loading of BIFF 8 files. It allows a remote attacker to execute arbitrary code via sending a malicious .xls file. Affected Products: Microsoft Office Excel 2002 Service Pack 3 Microsoft Office Excel 2003 Service Pack 3 Microsoft Office 2004 for Mac Microsoft Office 2008 for Mac Open XML File Format Converter for Mac Reference IDs: |
| MS.IE.Close.Event.Handling.Memory.Corruption Event ID: 24058 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles an object that is uninitialized or has been deleted. It may allow remote attackers to execute arbitrary code by sending a crafted web page. Affected Products: Internet Explorer 6 for Windows XP Service Pack 3 Internet Explorer 6 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 Service Pack 2 Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 with SP2 for Itanium-based Systems Reference IDs: |
| MS.IE.HTML.Layout.Memory.Corruption Event ID: 24062 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles an object that is uninitialized or has been deleted. It may allow remote attackers to execute arbitrary code by sending a crafted web page. Affected Products: Internet Explorer 6 for Windows XP Service Pack 3 Internet Explorer 6 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 Service Pack 2 Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 7 for Windows XP Service Pack 3 Internet Explorer 7 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 7 for Windows Server 2003 Service Pack 2 Internet Explorer 7 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 7 for Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 7 in Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Internet Explorer 7 in Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 8 for Windows XP Service Pack 3 Internet Explorer 8 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 8 for Windows Server 2003 Service Pack 2 Internet Explorer 8 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 8 in Vista Service Pack 1 and Windows Vista Service Pack 2 Internet Explorer 8 in Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 8 in Windows 7 for 32-bit Systems Internet Explorer 8 in Windows 7 for x64-based Systems Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| MS.IE.Iframe.Uninitialized.Memory.Corruption Event ID: 24047 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles an object that is uninitialized or has been deleted. It may allow remote attackers to execute arbitrary code by sending a crafted web page. Affected Products: Internet Explorer 6 for Windows XP Service Pack 3 Internet Explorer 6 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 Service Pack 2 Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 7 for Windows XP Service Pack 3 Internet Explorer 7 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 7 for Windows Server 2003 Service Pack 2 Internet Explorer 7 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 7 for Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 7 in Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Internet Explorer 7 in Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 8 for Windows XP Service Pack 3 Internet Explorer 8 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 8 for Windows Server 2003 Service Pack 2 Internet Explorer 8 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 8 in Vista Service Pack 1 and Windows Vista Service Pack 2 Internet Explorer 8 in Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 8 in Windows 7 for 32-bit Systems Internet Explorer 8 in Windows 7 for x64-based Systems Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| MS.IE.Stytle.Changing.Memory.Corruption Event ID: 24061 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles an object that is uninitialized or has been deleted. It may allow remote attackers to execute arbitrary code by sending a crafted web page. Affected Products: Internet Explorer 8 for Windows XP Service Pack 3 Internet Explorer 8 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 8 for Windows Server 2003 Service Pack 2 Internet Explorer 8 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 8 in Vista Service Pack 1 and Windows Vista Service Pack 2 Internet Explorer 8 in Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 8 in Windows 7 for 32-bit Systems Internet Explorer 8 in Windows 7 for x64-based Systems Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| MS.Silverlight.Memory.Corruption Event ID: 24064 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Silverlight. The vulnerability is caused by an error when the vulnerable software handles certain pointers. It allows a remote attacker to execute arbitrary code via sending a crafted web page. Affected Products: Microsoft Silverlight 3 when installed on Mac Microsoft Silverlight 3 when installed on all releases of Microsoft Windows clients Microsoft Silverlight 3 when installed on all releases of Microsoft Windows servers (Server Core installation not affected) Reference IDs: |
| MS.SMB.Server.Code.Execution Event ID: 24053 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates a possible attack against an unauthenticated remote code-execution vulnerability in the Microsoft Server Message Block (SMB) Protocol. The vulnerability is due to improper handling of user-supplied input. A remote attacker may exploit this by sending a crafted SMB packet to a vulnerable SMB server. A successful exploit allows execution of arbitrary code. Affected Products: Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| MS.VS.VCMUTL.DLL.Unicode.ActiveX.Control.Access Event ID: 23922 |
Release Date: Aug 12, 2010 IPS Definitions DB Version: 2.847 |
|
Description: This indicates an attack attempt to exploit a buffer-overflow vulnerability in Microsoft Visual Studio. The vulnerability is located in the "VCMUTL.dll" ActiveX control through misuse of the "RegisterApplication" method. It may allow remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely cause the program to crash, resulting in a denial-of-service condition. Affected Products: Microsoft Visual Studio 6.0 Reference IDs: |
| MS.Word.Linked.Objects.Memory.Corruption Event ID: 24069 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates a possible attack against a memory-corruption vulnerability in Microsoft Word. The vulnerability is caused by the vulnerable software's inability to properly handle malformed data in Word documents. An attacker may exploit this to execute arbitrary code. Affected Products: Microsoft Office Word 2002 Service Pack 3 Microsoft Office Word 2003 Service Pack 3 Microsoft Office Word Viewer Reference IDs: |
| MS.Word.RTF.Parsing.Buffer.Overflow Event ID: 24063 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates a possible attack against a buffer-overflow vulnerability in Microsoft Office. The vulnerability is due to the vulnerable software's handling of RTF data. An attacker may exploit this to execute arbitrary code by sending a malicious .rtf file. Affected Products: Microsoft Office XP Service Pack 3 Microsoft Office 2003 Service Pack 3 Microsoft Office System 2007 Service Pack 2 Reference IDs: |
| MS.Word.RTF.Parsing.Engine.Memory.Corruption Event ID: 24060 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Office Word. The vulnerability is caused by an error when the vulnerable software parses a malformed RTF file. It may allow a remote attacker to execute arbitrary code by convincing a victim to open a malicious file in MS Word. Affected Products: Microsoft Office XP Service Pack 3 Microsoft Office 2003 Service Pack 3 Microsoft Office 2007 Service Pack 2 Microsoft Office 2004 for Mac Microsoft Office 2008 for Mac Open XML File Format Converter for Mac Reference IDs: |
| MS.Word.SPRM.Record.Parsing.Arbitrary.Code.Execution Event ID: 24056 |
Release Date: Aug 13, 2010 IPS Definitions DB Version: 2.848 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Office Word. The vulnerability is caused by an error when the vulnerable software parses a malformed Word file. It may allow a remote attacker to execute arbitrary code by convincing a victim to open a malicious file in MS Word. Affected Products: Microsoft Office Word 2002 Service Pack 3 Microsoft Office Word 2003 Service Pack 3 Microsoft Office Word 2007 Service Pack 2 Microsoft Office 2004 for Mac Microsoft Office 2008 for Mac Open XML File Format Converter for Mac Microsoft Office Word Viewer Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 Microsoft Works 9 Reference IDs: |
| Novell.Teaming.ajaxUploadImageFile.Code.Execution Event ID: 23916 |
Release Date: Aug 10, 2010 IPS Definitions DB Version: 2.845 |
|
Description: This indicates an attack attempt to exploit a code-execution vulnerability in Novell Teaming. This issue is caused by an error when the vulnerable software handles an upload_image_file operation with a malicious filename. It may allow remote attackers to execute arbitrary code by sending a crafted file uploading request. Affected Products: Novell Teaming 2.1 Reference IDs: |
| SapGUI.BI.Wadmxhtml.DLL.ActiveX.Control.Access Event ID: 23909 |
Release Date: Aug 05, 2010 IPS Definitions DB Version: 2.843 |
|
Description: This indicates an attack attempt to exploit a heap-corruption vulnerability in SapGUI BI. The vulnerability is located in the "wadmxhtml.dll" ActiveX control through misuse of the "Tags" property. It may allow remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely cause the program to crash, resulting in a denial-of-service condition. Affected Products: SapGUI BI v7100.1.400.8 Reference IDs: |
High ( 10 )
| Backdoor.WordPress.ix.Code.Execution Event ID: 23098 |
Release Date: Aug 10, 2010 IPS Definitions DB Version: 2.845 |
|
Description: This indicates detection of the WordPress backdoor trojan. The WordPress backdoor is classified as a trojan with backdoor properties. Backdoor trojans have the capability to receive remote connections and perform actions against the compromised system. Affected Products: N/A |
| Backdoor.WordPress.iz.Command.Execution Event ID: 23123 |
Release Date: Aug 10, 2010 IPS Definitions DB Version: 2.845 |
|
Description: This indicates detection of the WordPress iz Parameter backdoor trojan. The WordPress backdoor is classified as a trojan with backdoor properties. Backdoor trojans have the capability to receive remote connections and perform actions against the compromised system. Affected Products: N/A |
| EasyFTP.Server.List.Html.Path.Stack.Overflow Event ID: 23945 |
Release Date: Aug 12, 2010 IPS Definitions DB Version: 2.847 |
|
Description: This indicates a possible attack against a buffer-overflow vulnerability in Easy FTP Server. The vulnerability is due to an error when the vulnerable software handles an overly long string to the "path" parameter of the "list.html" script. An attacker may exploit this to execute arbitrary code. Affected Products: Easy FTP Server version 1.7.0.2 Reference IDs: |
| Hyleos.ChemView.ActiveX.Control.Stack.Overflow Event ID: 23923 |
Release Date: Aug 12, 2010 IPS Definitions DB Version: 2.847 |
|
Description: This indicates a possible attack against any of multiple stack-based buffer-overflow vulnerabilities in Hyleos ChemView. The vulnerabilities are in the HyleosChemView.HLChemView ActiveX control. An attacker may exploit this by sending a malicious web page containing a large number of white space characters in the filename argument to the ActiveX Control methods. A successful exploit may allow execution of arbitrary code. Affected Products: Hyleos chemView 1.9.5 1 Hyleos chemView 1.9.4 Hyleos chemView 1.9.3 Hyleos chemView 1.9.2 Hyleos chemView 0.1.8 Hyleos chemView 0.1.7 Hyleos chemView 0.1.6 Hyleos chemView 0.1.5 Hyleos chemView 0.1.4 Reference IDs: |
| Kingsoft.Writer.DOC.Buffer.Overflow Event ID: 23846 |
Release Date: Aug 03, 2010 IPS Definitions DB Version: 2.842 |
|
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Kingsoft Writer. The vulnerability is caused by an error when the vulnerable software handles a malicious .doc file. It allows a remote attacker to execute arbitrary code via sending a crafted .doc file. Affected Products: Kingsoft Writer 2010 (6.6.0.2462). Other versions may also be affected. Reference IDs: |
| MS.Cinepak.Codec.Decompression.Code.Execution Event ID: 24071 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a remote code-execution vulnerability in Microsoft Windows Media Player. The vulnerability is caused by an error when the vulnerable software handles a malicious ".avi" file. A remote attacker may exploit this to execute arbitrary code via a crafted ".avi" file. Affected Products: Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Windows 7 for x64-based Systems Windows 7 for 32-bit Systems Reference IDs: |
| MS.Movie.Maker.Memory.Corruption Event ID: 24070 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a remote code-execution vulnerability in Microsoft Movie Maker. The vulnerability is caused by an error when the vulnerable software handles a malicious ".MSWMM" file. A remote attacker may exploit this to execute arbitrary code via a crafted ".MSWMM" file. Affected Products: Windows Movie Maker 2.1 on Windows XP Service Pack 3 Windows Movie Maker 2.1 on Windows XP Professional x64 Edition Service Pack 2 Windows Movie Maker 6.0 on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Windows Movie Maker 6.0 on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Windows Movie Maker 2.6 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Windows Movie Maker 2.6 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Reference IDs: |
| MS.MPEG.Audio.Decoder.Buffer.Overflow Event ID: 24073 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a remote code-execution vulnerability in Microsoft MPEG Layer-3 Codecs. The vulnerability is caused by an error when the vulnerable software handles a malicious ".ASX" file. A remote attacker may exploit this to execute arbitrary code via a crafted ".ASX" file. Affected Products: Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Reference IDs: |
| MS.XML.Core.Services.Memory.Corruption Event ID: 24072 |
Release Date: Aug 12, 2010 IPS Definitions DB Version: 2.847 |
|
Description: This indicates an attack attempt against a remote code-execution vulnerability in Microsoft XML Core Services. The vulnerability is due to the vulnerable software's inability to properly handle unexpected HTTP response patterns. It allows a remote attacker to execute arbitrary code via sending a crafted web page. Affected Products: Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista Service Pack 1 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 1 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems* Windows Server 2008 for 32-bit Systems Service Pack 2* Windows Server 2008 for x64-based Systems* Windows Server 2008 for x64-based Systems Service Pack 2* Windows Server 2008 for Itanium-based Systems Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems* Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| OpenSSL.CMS.Structure.OriginatorInfo.Memory.Corruption Event ID: 23855 |
Release Date: Aug 03, 2010 IPS Definitions DB Version: 2.842 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in the OpenSSL library. The vulnerability is caused by an error when the vulnerable software handles a specially crafted CMS (Cryptographic Message Syntax) structure. It allows a remote attacker to execute arbitrary code. Affected Products: OpenSSL Project OpenSSL 1.0 Beta2 OpenSSL Project OpenSSL 0.9.8 k OpenSSL Project OpenSSL 0.9.8 j OpenSSL Project OpenSSL 0.9.8 i OpenSSL Project OpenSSL 0.9.8 h OpenSSL Project OpenSSL 0.9.8l Reference IDs: |
Medium ( 5 )
| MS.IE.Frame.FrameBorder.DoS Event ID: 23946 |
Release Date: Aug 12, 2010 IPS Definitions DB Version: 2.847 |
|
Description: This indicates an attack attempt to exploit a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles an HTML page with a malformed value for "frame.frameBorder". It may allow a remote attacker to crash the vulnerable software by sending a crafted web page. Affected Products: Microsoft Internet Explorer 6 and 7 Reference IDs: |
| MS.ISA.Server.Forefront.Threat.Management.Gateway.DoS Event ID: 17394 |
Release Date: Aug 10, 2010 IPS Definitions DB Version: 2.845 |
|
Description: This indicates an attack attempt against a denial of service issue in Microsoft ISA Server and Forefront Threat Management Gateway. The vulnerability is caused by an error when the vulnerable software handles TCP states. It allows a remote attacker to deny legitimate access from customers. Affected Products: Microsoft ISA Server Microsoft Forefront Threat Management Gateway Reference IDs: |
| MS.SMB.Stack.Exhaustion Event ID: 24068 |
Release Date: Aug 12, 2010 IPS Definitions DB Version: 2.847 |
|
Description: This indicates an attack attempt against a remote unauthenticated stack-exhaustion denial-of-service vulnerability in the Microsoft Server Message Block (SMB) Protocol. The vulnerability is caused when the Microsoft Server Message Block (SMB) Protocol software insufficiently handles specially crafted compounded requests. An attacker who exploits this vulnerability may cause the affected system to stop responding until it is manually restarted. Affected Products: Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| MS.SMB.Variable.Validation Event ID: 24067 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against a remote unauthenticated vulnerability in the Microsoft Server Message Block (SMB) Protocol. The vulnerability is caused when the Microsoft Server Message Block (SMB) Protocol software improperly validates an internal variable when parsing specially crafted SMB packets. An attacker who successfully exploited this vulnerability could cause a user's system to stop responding until manually restarted. Affected Products: Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
| SquirrelMail.Mapyp.Command.Injection Event ID: 23908 |
Release Date: Aug 05, 2010 IPS Definitions DB Version: 2.843 |
|
Description: This indicates an attack attempt against a command-injection vulnerability in SquirrelMail. The vulnerability is caused by an error when the vulnerable software handles a malicious GET request. It allows a remote attacker to execute arbitrary code via sending a crafted web page. Affected Products: Versions prior to SquirrelMail 1.4.18 Reference IDs: |
Low ( 1 )
| MS.IE.Event.Handler.Cross.Domain.Information.Disclosure Event ID: 24042 |
Release Date: Aug 11, 2010 IPS Definitions DB Version: 2.846 |
|
Description: This indicates an attack attempt against an information-disclosure vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles a certain DOM operation. It may allow remote attackers to gain sensitive information by sending a crafted web page. Affected Products: Internet Explorer 6 for Windows XP Service Pack 3 Internet Explorer 6 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 Service Pack 2 Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 6 for Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 7 for Windows XP Service Pack 3 Internet Explorer 7 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 7 for Windows Server 2003 Service Pack 2 Internet Explorer 7 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 7 for Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 7 in Windows Vista Service Pack 1 and Windows Vista Service Pack 2 Internet Explorer 7 in Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 8 for Windows XP Service Pack 3 Internet Explorer 8 for Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 8 for Windows Server 2003 Service Pack 2 Internet Explorer 8 for Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 8 in Vista Service Pack 1 and Windows Vista Service Pack 2 Internet Explorer 8 in Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 8 in Windows 7 for 32-bit Systems Internet Explorer 8 in Windows 7 for x64-based Systems Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems Reference IDs: |
Top of Section
Enhanced Coverage
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 22 )
High ( 29 )
Medium ( 14 )
| Event Name | Revision Notes |
|---|---|
| Apple.Safari.File.Stealing | Default_action updated to 'drop' |
| Apple.Safari.XSL.File.Stealing | Default_action updated to 'drop' |
| FCKeditor.CurrentFolder.Arbitrary.File.Upload | Detection Enhanced |
| MS.IE.NavCancel.HTM.XSS | Detection Enhanced |
| MS.Windows.LSASS.NTLM.Authentication.DoS | Default_action updated to 'drop' |
| MS.Windows.Print.Spooler.Information.Disclosure | Default_action updated to 'drop' |
| MySQL.YaSSL.CertDecoder.GetName.Buffer.Overflow | Default_action updated to 'drop' |
| Oracle.Ntlm.Stealer | Default_action updated to 'drop' |
| Oracle.SQL.Injection.DBMS.CDC.IPUBLISH | Default_action updated to 'drop' |
| Oracle.W32.File.Upload | Default_action updated to 'drop' |
| Pixel.Motion.Config.PHP.Command.Execution | Detection Enhanced |
| Samba.Symbolic.Link.Handling.Directory.Traversal | Default_action updated to 'drop' |
| TrackerCam.PHP.Argument.Buffer.Overflow | Detection Enhanced |
| Trend.Micro.OfficeScan.Update.Agent.Directory.Traversal | Default_action updated to 'drop' |
Low ( 1 )
| Event Name | Revision Notes |
|---|---|
| Veritas.Backup.Exec.Agent.Invalid.Error.Status.DoS | Status updated to 'disable' |
Top of Section
Active Exploitation
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. Vulnerabilities can be classified as active and given a magnitude level. The magnitude level is the rate of activity across the probes. The value of the magnitude is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical ( 4 of 24 )
High ( 6 of 18 )
Medium ( 4 of 9 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| FCKeditor.CurrentFolder.Arbitrary.File.Upload | No | n/a |
| MS.IE.Frame.FrameBorder.DoS | Yes | Low |
| MS.IE.NavCancel.HTM.XSS | Yes | Low |
| MS.ISA.Server.Forefront.Threat.Management.Gateway.DoS | No | n/a |
| MS.SMB.Stack.Exhaustion | Yes | High |
| MS.SMB.Variable.Validation | No | n/a |
| Pixel.Motion.Config.PHP.Command.Execution | No | n/a |
| SquirrelMail.Mapyp.Command.Injection | No | n/a |
| TrackerCam.PHP.Argument.Buffer.Overflow | Yes | Low |
Low ( 0 of 1 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| MS.IE.Event.Handler.Cross.Domain.Information.Disclosure | No | n/a |
Top of Section
Document History
| Revision Date | Version Number | |
|---|---|---|
| Monday, August 16, 2010 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Top of page
