FGCenter - Latest Threats, Advisories, Reports and News http://www.fortiguard.com/ en Copyright 2010 Fortinet Inc. All Rights Reserved Tue, 16 Mar 2010 16:30:01 -0800 Fortinet Protects Against Internet Explorer Could Allow Remote Code Execution Vulnerability Summary:

Fortinet's FortiGuard Labs Protects Against a Vulnerability in Internet Explorer.

Impact:

Remote Code Execution

Risk:

Critical

Affected Software:

For a list of Internet Explorer versions affected, please see the references below.

Additional Information:

The vulnerability exists due to an invalid pointer reference of a freed object that could cause remote code execution.

FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

Solutions:

  • FortiGuard Labs released the following signature which covers this specific vulnerability
    • "MS.IE.Userdata.Behavior.Code.Execution" on March 11, 2010

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

]]> http://www.fortiguard.com/advisory/FGA-2010-14.html http://www.fortiguard.com/advisory/FGA-2010-14.html Tue, 09 Mar 2010 00:00:00 -0800 Microsoft Security Bulletin for March 09, 2010
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS10-016Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)ImportantRemote Code ExecutionMicrosoft Windows, Microsoft Office CVE-2010-0265
MS10-017Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)ImportantRemote Code ExecutionMicrosoft Office CVE-2010-0257 CVE-2010-0260 CVE-2010-0261 CVE-2010-0263 CVE-2010-0264 CVE-2010-0258 CVE-2010-0262


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in March 09, 2010.

CVE NumberSignature Name
CVE-2010-0257MS.Office.Excel.EntExU.Memory.Corruption
CVE-2010-0260MS.Office.Excel.Mdxtuple.Heap.Overflow
CVE-2010-0261MS.Office.Excel.Mdxset.Heap.Overflow
CVE-2010-0263MS.Office.Excel.XLSX.File.Parsing.Code.Execution
CVE-2010-0264MS.Office.Excel.DbOrParamQry.Record.Parsing.Code.Execution
CVE-2010-0265MS.Windows.Movie.Maker.Producer.2003.Heap.Overflow
CVE-2010-0258MS.Excel.BRAI.BIFF.Record.Code.Execution
CVE-2010-0262MS.Excel.FnGroupName.Record.Code.Execution

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, March 09 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-13.html http://www.fortiguard.com/advisory/FGA-2010-13.html Tue, 09 Mar 2010 00:00:00 -0800 Fortinet Protects Against VBScript Could Allow Remote Code Execution Vulnerability Summary:

Fortinet's FortiGuard Labs Protects Against a Vulnerability in VBScript.

Impact:

Remote Code Execution

Risk:

High

Affected Software:

For a list of softwares affected, please see the references below.

Additional Information:

The interaction of VBScript with Windows Help files when used with Internet Explorer could cause remote code execution. User interaction is required to a successful exploitation of this vulnerability.

FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

Solutions:

  • FortiGuard Labs released the following signature which covers this specific vulnerability
    • "MS.IE.VBScript.Malicious.HLP.File.Command.Execution" on March 03,2010

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

]]> http://www.fortiguard.com/advisory/FGA-2010-12.html http://www.fortiguard.com/advisory/FGA-2010-12.html Mon, 01 Mar 2010 00:00:00 -0800 Threatscape Report - February 2010 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverityTop 100 Shift
1Gumblar.Botnet26.5Critical-
2MS.DCERPC.NETAPI32.Buffer.Overflow22.8Critical-
3MS.IE.Event.Invalid.Pointer.Memory.Corruption15.3Critical+1
4Waledac.Botnet9.0Critical-1
5Sun.Java.HsbParser.GetSoundBank.Stack.Buffer.Overflow8.0Criticalnew
6FTP.USER.Command.Overflow6.6High+1
7AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation6.0High+3
8Apache.Expect.Header.XSS5.6Medium-
9MS.Content.Management.Server.Code.Execution4.7Critical+3
10RoundCube.Webmail.Pregreplace.Code.Execution4.1High+3



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 117 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 45 were reported to be actively exploited (38.5%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

]]> http://www.fortiguard.com/reports/roundup_february_2010.htmlhttp://www.fortiguard.com/reports/roundup_february_2010.htmlFri, 26 Feb 2010 00:00:00 -0800 Adobe Security Bulletin for February 16, 2010
RankMalware VariantPercentageTop 100 Shift
Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
APSB10-07A vulnerability that could subvert the domain sandbox.CriticalAdobe Reader, Adobe Acrobat CVE-2010-0188 CVE-2010-0186


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in February 16, 2010.

CVE NumberSignature Name
CVE-2010-0188Adobe.Acrobat.Reader.Tiff.Buffer.Overflow

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, February 16 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-11.html http://www.fortiguard.com/advisory/FGA-2010-11.html Tue, 16 Feb 2010 00:00:00 -0800 Adobe Security Bulletin for February 11, 2010
Adobe Vulnerability Identifier Adobe Bulletin DescriptionSeverityAffected SoftwareCVE ID
APSB10-05A vulnerability that could result in disclosure of information when processing XML.ImportantAdobe BlazeDS, Adobe LiveCycle, Adobe LiveCycle Data Services, Adobe Flex Data Services,Adobe ColdFusion CVE-2009-3960
APSB10-06A vulnerability that could subvert the domain sandbox and make unauthorized requests.CriticalAdobe Flash Player, Adobe AIR CVE-2010-0186 CVE-2010-0187


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in February 11, 2010.

CVE NumberSignature Name
CVE-2009-3960Adobe.XML.Entity.Injection
CVE-2009-3960Adobe.XML.Tag.Injection
CVE-2010-0187Adobe.Shockwave.Flash.DoS

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Thursday, February 11 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-10.html http://www.fortiguard.com/advisory/FGA-2010-10.html Thu, 11 Feb 2010 00:00:00 -0800 Microsoft Security Bulletin for February 09, 2010
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS10-003Vulnerability in Microsoft Office (MSO)) Could Allow Remote Code Execution (978214)ImportantRemote Code ExecutionMicrosoft Office CVE-2010-0243
MS10-004Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)ImportantRemote Code ExecutionMicrosoft Office CVE-2010-0029 CVE-2010-0030 CVE-2010-0031 CVE-2010-0032 CVE-2010-0033 CVE-2010-0034
MS10-005Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)ModerateRemote Code ExecutionMicrosoft Windows CVE-2010-0028
MS10-006Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-0016 CVE-2010-0017
MS10-007Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-0027
MS10-008Cumulative Security Update of ActiveX Kill Bits (978262)CriticalRemote Code ExecutionMicrosoft Windows
MS10-009Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-0239 CVE-2010-0240 CVE-2010-0241 CVE-2010-0242
MS10-010Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)ImportantDenial of ServiceMicrosoft Windows CVE-2010-0026
MS10-011Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)ImportantElevation of PrivilegeMicrosoft Windows CVE-2010-0023
MS10-012Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)ImportantRemote Code ExecutionMicrosoft Windows CVE-2010-0020 CVE-2010-0021 CVE-2010-0022 CVE-2010-0231
MS10-013Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-0250
MS10-014Vulnerability in Kerberos Could Allow Denial of Service (977290)ImportantDenial of ServiceMicrosoft Windows CVE-2010-0035
MS10-015Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)ImportantElevation of PrivilegeMicrosoft Windows CVE-2010-0232 CVE-2010-0233


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in February 09, 2010.

]]> http://www.fortiguard.com/advisory/FGA-2010-09.htmlhttp://www.fortiguard.com/advisory/FGA-2010-09.htmlTue, 09 Feb 2010 00:00:00 -0800 Fortinet Protects Against Oracle Privilege Escalation Vulnerability Summary:

Fortinet's FortiGuard Labs Protects Against a Vulnerability in Oracle.

Impact:

Remote Command Execution

Risk:

Critical

Affected Software:

For a list of Oracle versions affected, please see the BugTraq reference below.

Additional Information:

It is possible for a low privileged users to grant themselves arbitrary permissions through an overly permissive PL/SQL package.

FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

Solutions:

  • FortiGuard Labs released the following signature which covers this specific vulnerability
    • "Oracle.Database.JAVA.Packages.Command.Execution" on Feb. 10, 2010

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

]]> http://www.fortiguard.com/advisory/FGA-2010-08.html http://www.fortiguard.com/advisory/FGA-2010-08.html Mon, 08 Feb 2010 00:00:00 -0800 Fortinet Protects Against Microsoft Internet Explorer Vulnerability (980088) Summary:

Fortinet's FortiGuard Labs Protects Against a Vulnerability in Microsoft Internet Explorer.

Impact:

Information Disclosure

Risk:

High

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

Solutions:
  • Follow the workarounds provided by Microsoft (980088).
  • FortiGuard Labs released a signature "MS.IE.Information.Disclosure" on Feb. 05,2010, which covers this specific vulnerability


Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:
]]> http://www.fortiguard.com/advisory/FGA-2010-07.html http://www.fortiguard.com/advisory/FGA-2010-07.html Thu, 04 Feb 2010 00:00:00 -0800 Threatscape Report - January 2010 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



Top 10 attack attempts detected for this period follows, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverityTop 100 Shift
1Gumblar.Botnet31.3Criticalnew
2MS.DCERPC.NETAPI32.Buffer.Overflow24.3Critical-1
3Waledac.Botnet7.6Critical-1
4MS.IE.Event.Invalid.Pointer.Memory.Corruption7.4Criticalnew
5Adobe.Products.SWF.Remote.Code.Execution6.9Critical+6
6MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption6.5Critical-
7FTP.USER.Command.Overflow6.1High-3
8Apache.Expect.Header.XSS6.0Medium-
9Adobe.Reader.Printf.Buffer.Overflow5.8Critical+10
10AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation5.8High-7



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 150 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 34 were reported to be actively exploited (22.7%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

RankMalware VariantPercentageTop 100 Shift
]]> http://www.fortiguard.com/reports/roundup_january_2010.html http://www.fortiguard.com/reports/roundup_january_2010.html Wed, 27 Jan 2010 00:00:00 -0800 Fortinet Discovers Microsoft Internet Explorer Vulnerability (MS10-002) Summary:

Fortinet's FortiGuard Labs has discovered a memory corruption vulnerability in Microsoft's Internet Explorer.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

In order to compromise a system / remotely execute code, an attacker would lure a user to a maliciously crafted website. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Solutions:

Since an attack scenario would require a user to visit a malicious website, it is recommended to have a layered security solution through webfiltering and intrusion prevention for mitigation.
  • Use the solution provided by Microsoft (MS10-002).
  • FortiGuard Labs released the signature "MS.IE.MergeAttributes.Remote.Code.Execution".
    • Advanced zero-day protection has been available since September 3, 2009.
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowledgment:
  • Haifei Li of Fortinet's FortiGuard Labs.
]]> http://www.fortiguard.com/advisory/FGA-2010-05.html http://www.fortiguard.com/advisory/FGA-2010-05.html Thu, 21 Jan 2010 00:00:00 -0800 Microsoft Security Bulletin for January 21, 2010
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS10-002Cumulative Security Update for Internet Explorer (978207)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-4074 CVE-2010-0027 CVE-2010-0244 CVE-2010-0245 CVE-2010-0246 CVE-2010-0247 CVE-2010-0248 CVE-2010-0249


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in January 21, 2010.

CVE NumberSignature Name
CVE-2010-0244MS.IE.Object.Handler.Memory.Corruption
CVE-2010-0245MS.IE.DOM.Operation.Memory.Corruption
CVE-2010-0246MS.IE8.Uninitialized.Memory.Corruption
CVE-2010-0247MS.IE.MergeAttributes.Remote.Code.Execution
CVE-2010-0248MS.IE.HTML.Removed.Table.Reference.Memory.Corruption
CVE-2010-0249MS.IE.Event.Invalid.Pointer.Memory.Corruption

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Thursday, January 21 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-06.html http://www.fortiguard.com/advisory/FGA-2010-06.html Thu, 21 Jan 2010 00:00:00 -0800 Adobe Security Bulletin for January 19, 2010
Adobe Vulnerability Identifier Adobe Bulletin TitleSeverityAffected SoftwareCVE ID
apsb10-03Vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system.CriticalShockwave Player 11.5.2.602 and earlier versions for Windows and Macintosh CVE-2009-4002 CVE-2009-4003


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in January 19, 2010.

CVE NumberSignature Name
CVE-2009-4002Adobe.Shockwave.Player.Dir.File.Parsing.Heap.Overflow
CVE-2009-4003Adobe.Shockwave.Player.Dir.File.Parsing.Integer.Overflow

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Thursday, January 19 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-04.html http://www.fortiguard.com/advisory/FGA-2010-04.html Tue, 19 Jan 2010 00:00:00 -0800 Vulnerability in Internet Explorer Could Allow Remote Code Execution (979352) Summary:

Fortinet's FortiGuard Labs protects against a remote code execution vulnerability in Internet Explorer.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. In order to compromise a system / remotely execute code, an attacker would lure a user to a maliciously crafted website.

Solutions:

Since an attack scenario would require a user to visit a malicious website, it is recommended to have a layered security solution through webfiltering and intrusion prevention for mitigation.

Updated: January 21, 2009
  • Use the solution provided by Microsoft.
  • FortiGuard Labs released the signature "MS.IE.Event.Invalid.Pointer.Memory.Corruption" (CVE-2010-0249).
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:
]]> http://www.fortiguard.com/advisory/FGA-2010-03.html http://www.fortiguard.com/advisory/FGA-2010-03.html Mon, 18 Jan 2010 00:00:00 -0800 Adobe Security Bulletin for January 12, 2010
Adobe Vulnerability Identifier Adobe Bulletin TitleSeverityAffected SoftwareCVE ID
apsb10-02Vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.CriticalAdobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX,Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3956 CVE-2009-3957 CVE-2009-3958 CVE-2009-3959 CVE-2009-4324


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in January 12, 2010.

CVE NumberSignature Name
CVE-2009-3953Adobe.U3D.CLOD.Mesh.Declaration.Array.Buffer.Overflow
CVE-2009-3955Adobe.Reader.JpxDecode.Jp2c.Stream.Memory.Corruption
CVE-2009-3956Adobe.Reader.FDF.Javascript.Execution
CVE-2009-3957Adobe.PDF.Colors.Code.Execution
CVE-2009-3958Adobe.Get.Atlcom.ActiveX.Control.Access
CVE-2009-3959Adobe.Acrobat.Reader.U3D.Content.Integer.Overflow
CVE-2009-4324Adobe.Reader.Javascript.newplayer.Method.Code.Execution

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, January 12 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-02.html http://www.fortiguard.com/advisory/FGA-2010-02.html Tue, 12 Jan 2010 00:00:00 -0800 Microsoft Security Bulletin for January 2010
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS10-001Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-0018


Document History


Revision DateVersion Number
Tuesday, January 12 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-01.html http://www.fortiguard.com/advisory/FGA-2010-01.html Tue, 12 Jan 2010 00:00:00 -0800 Threatscape Report - December 2009 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



Top 10 attack attempts detected for this period follows, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverity
1MS.DCERPC.NETAPI32.Buffer.Overflow55.6Critical
2Waledac.Botnet8.2Critical
3AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation6.1High
4FTP.USER.Command.Overflow4.6High
5MS.Windows.LSASS.Buffer.Overflow4.5High
6MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption3.7Critical
7SMTP.Auth.Buffer.Overflow3.1Critical
8Apache.Expect.Header.XSS2.5Medium
9Apache.MyFaces.Tomahawk.JSF.Framework.XSS2.4Medium
10FTP.Command.REST.Overflow2.3High



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 157 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 46 were reported to be actively exploited (29.3%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

RankMalware VariantPercentageTop 100 Shift
1W32/PackBredolab.C!tr66.5new
2JS/PackRedir.A!tr.dldr6.8+17
3JS/Feebs.A@mm2.2+14
http://www.fortiguard.com/reports/roundup_december_2009.html http://www.fortiguard.com/reports/roundup_december_2009.html Thu, 24 Dec 2009 00:00:00 -0800 Adobe Security Bulletin for December 18, 2009
Adobe Vulnerability Identifier Adobe Bulletin TitleSeverity Affected SoftwareCVE ID
apsb09-18Vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system.CriticalFlash Media Server 3.5.2 and earlier versions CVE-2009-3791 CVE-2009-3792


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in December 2009.

CVE NumberSignature Name
CVE-2009-3791Adobe.Flash.Media.Server.Resource.Exhaustion.DoS
CVE-2009-3792Adobe.Flash.Media.Server.Directory.Traversal

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Friday, December 18 20091Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2009-49.html http://www.fortiguard.com/advisory/FGA-2009-49.html Fri, 18 Dec 2009 00:00:00 -0800 Fortinet Discovers Multiple Cisco WebEx WRF Player Vulnerabilities Summary:

Multiple memory corruption vulnerabilities exist in Cisco WebEx WRF Player which allow a remote attacker to compromise a vulnerable system.

Impact:

Remote code execution / Denial of service.

Risk:

  • Critical

Affected Software:

  • Cisco WebEx WRF Player 3.0 or earlier versions on Linux,Microsoft Windows and Mac OS X

Additional Information:

Six vulnerabilities were discovered in Cisco WebEx WRF Player, each of which is highlighted below:

  • FG-VD-09-008: Cisco WebEx WRF Player Denial Of Service in "atrpui.dll" (CVE-2009-2880)
  • FG-VD-09-010: Cisco WebEx WRF Player Heap Overflow in "atas32.dll" (CVE-2009-2879)
  • FG-VD-09-012: Cisco WebEx WRF Player Heap Overflow in "atas32.dll" (CVE-2009-2876)
  • FG-VD-09-013: Cisco WebEx WRF Player Heap Overflow in "atas32.dll" (CVE-2009-2878)
  • FG-VD-09-014: Cisco WebEx WRF Player Stack Overflow in "ataudio.dll" (CVE-2009-2877)
  • FG-VD-09-016: Cisco WebEx WRF Player Denial of Service in "atas32.dll" (CVE-2009-2875)

Solutions:

Use the solution provided by Cisco:

  • FG-VD-09-008: fixed in WebEx releases T26 and T27
  • FG-VD-09-010: fixed in WebEx releases T26SP49EP32 and T27SP10
  • FG-VD-09-012: fixed in WebEx releases T26SP49EP32 and T27SP10
  • FG-VD-09-013: fixed in WebEx releases T26SP49EP32 and T27SP10
  • FG-VD-09-014: fixed in WebEx releases T26LSp49EP32 and T27SP10
  • FG-VD-09-016: fixed in WebEx release T26SP49EP

FortiGuard Labs released the following signatures to protect against these vulnerabilities

  • "Cisco.WebEx.Player.atas32.Heap.Overflow" (CVE-2009-2879, CVE-2009-2876, CVE-2009-2878)
  • "Cisco.WebEx.Player.ataudio.Buffer.Overflow" (CVE-2009-2877)
  • "Cisco.WebEx.Player.atrpui.DoS" (CVE-2009-2880)
  • "Cisco.WebEx.Player.atas32.DoS" (CVE-2009-2875)

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against these memory corruption vulnerabilities. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by Fortinet's FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowledgment:

  • Zhenhua Liu and XiaoPeng Zhang of Fortinet's FortiGuard Labs
]]> http://www.fortiguard.com/advisory/FGA-2009-48.html http://www.fortiguard.com/advisory/FGA-2009-48.html Wed, 16 Dec 2009 00:00:00 -0800 Adobe Reader / Acrobat Remote Code Execution Vulnerability (APSA09-07) Summary:

Fortinet's FortiGuard Labs investigates a vulnerability in Adobe Acrobat / Adobe Reader that leads to remote code execution.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of product versions affected, please see the Adobe Security Advisory reference below.

Additional Information:

Attacks have been spotted in the wild which exploit this vulnerability through a maliciously crafted PDF file using Javascript functions. When the document is opened, further malicious components are typically downloaded for execution. FortiGuard Labs continues to monitor attacks against this vulnerability.

Solutions:

  • Use the solution provided by Adobe (APSA09-07).
  • FortiGuard Labs released the signature "Adobe.Reader.Javascript.newplayer.Method.Code.Execution" (CVE-2009-4324).


Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by Fortinet's FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

]]> http://www.fortiguard.com/advisory/FGA-2009-47.html http://www.fortiguard.com/advisory/FGA-2009-47.html Tue, 15 Dec 2009 00:00:00 -0800 Adobe Security Bulletin for December 08, 2009
Adobe Vulnerability Identifier Adobe Bulletin TitleSeverity Affected SoftwareCVE ID
APSB09-19Vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.Critical Adobe Flash Player 10.0.32.18 and earlier versions,Adobe AIR 1.5.2 and earlier versions CVE-2009-3794 CVE-2009-3796 CVE-2009-3797 CVE-2009-3798 CVE-2009-3799 CVE-2009-3800 CVE-2009-3951


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in December 2009.

CVE NumberSignature Name
CVE-2009-3794Adobe.Flash.Player.JPEG.Parsing.Heap.Overflow
CVE-2009-3797FG-VD-09-024-Adobe (real name: Adobe.Flash.Getproperty.Memory.Corruption)
CVE-2009-3798FG-VD-09-026-Adobe (real name: Adobe.Flash.Class.Switch.Memory.Corruption)
CVE-2009-3951Adobe.Flash.Local.File.Check.Disclosure

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, December 8, 20091Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2009-46.html http://www.fortiguard.com/advisory/FGA-2009-46.html Tue, 08 Dec 2009 00:00:00 -0800 Fortinet Discovers Adobe Flash Player Vulnerabilities (APSB09-19) Summary:

Fortinet's FortiGuard Labs discovers multiple vulnerabilities in Adobe Flash Player.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of product versions affected, please see the Adobe Security Bulletin reference below.

Additional Information:

Two vulnerabilities were discovered in Adobe Flash, each of which are highlighted below:
  • FG-VD-09-024: Memory corruption vulnerability in "Flash10.ocx" (CVE-2009-3797)
  • FG-VD-09-026: Memory corruption vulnerability in "Flash10.ocx" (CVE-2009-3798)

Solutions:

FortiGuard Labs released the following signatures:
  • "Adobe.Flash.Getproperty.Memory.Corruption" (CVE-2009-3797)
  • "Adobe.Flash.Class.Switch.Memory.Corruption" (CVE-2009-3798)

  • Use the solution provided by Adobe (APSB09-19)
FortiGuard Labs continues to monitor attacks against these vulnerabilities.

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against these vulnerabilities. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowlegement:

Bing Liu of Fortinet's FortiGuard Labs
  • For Discovering: CVE-2009-3797, CVE-2009-3798
]]> http://www.fortiguard.com/advisory/FGA-2009-43.html http://www.fortiguard.com/advisory/FGA-2009-43.html Tue, 08 Dec 2009 00:00:00 -0800 Fortinet Discovers Microsoft Office Project Vulnerability (MS09-074) Summary:

Fortinet's FortiGuard Labs Discovers Memory Corruption Vulnerability in Microsoft Office Project.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of operating system and product versions affected, please see the Microsoft Bulletin reference below.

Additional Information:

The vulnerability lies in "winproj.exe", which is used when processing a Project file. A maliciously crafted document may contain a list structure with a malformed element field, that when processed, will result in memory corruption and allow a remote attacker to arbitrarily execute code on the victims machine.

Solutions:

  • Use the solution provided by Microsoft (MS09-074).
  • FortiGuard Labs released a signature "MS.Project.Props.List.Memory.Corruption", which covers this specific vulnerability.
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowlegement:

  • Bing Liu of Fortinet's FortiGuard Labs
]]> http://www.fortiguard.com/advisory/FGA-2009-44.html http://www.fortiguard.com/advisory/FGA-2009-44.html Tue, 08 Dec 2009 00:00:00 -0800 Fortinet Discovers Vulnerability in Indeo Codec Summary:

Fortinet's FortiGuard Labs Discovers Memory Corruption Vulnerability in Indeo Codec.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of operating system and product versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The Indeo codec on systems running Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow code to run on users systems when opening specially crafted content. There are multiple ways that the Indeo codec may be used and may be required by certain applications. The Indeo codec may be required when visiting legitimate Web sites, and in corporate environment line-of-business applications.

Solutions:

  • Use the solution provided by Microsoft (Microsoft Security Advisory 954157).
  • FortiGuard Labs released a signature "MS.Windows.Indeo.Codec.Memory.Corruption", which covers this specific vulnerability.
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowlegement:

  • Bing Liu of Fortinet's FortiGuard Labs
]]> http://www.fortiguard.com/advisory/FGA-2009-45.html http://www.fortiguard.com/advisory/FGA-2009-45.html Tue, 08 Dec 2009 00:00:00 -0800 Microsoft Security Bulletin for December 2009
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS09-069Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)ImportantDenial of ServiceMicrosoft Windows CVE-2009-3675
MS09-070Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)ImportantRemote Code ExecutionMicrosoft Windows CVE-2009-2508 CVE-2009-2509
MS09-071Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2505 CVE-2009-3677
MS09-072Cumulative Security Update for Internet Explorer (976325)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2493 CVE-2009-3671 CVE-2009-3672 CVE-2009-3673 CVE-2009-3674
MS09-073Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)ImportantRemote Code ExecutionMicrosoft Windows, Microsoft Office CVE-2009-2506
MS09-074Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)CriticalRemote Code ExecutionMicrosoft Office CVE-2009-0102


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in December 2009.

CVE NumberSignature Name
CVE-2009-2509MS.ADFS.Malformed.HTTP.Header.Code.Execution
CVE-2009-3677MS.IAS.Privilege.Elevation
CVE-2009-2493MS.ATL.Object.Type.Mismatch.Code.Execution
CVE-2009-3671MS.IE.DOM.Operation.Memory.Corruption
CVE-2009-3672MS.IE.GetElementsByTagName.CSS.Handling.Code.Execution
CVE-2009-3674MS.IE.DOM.Operation.Circular.Reference.Memory.Corruption
CVE-2009-2506MS.Word.Text.Converter.Memory.Corruption
CVE-2009-0102MS.Project.Props.List.Memory.Corruption

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, December 08 20091Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2009-42.html http://www.fortiguard.com/advisory/FGA-2009-42.html Tue, 08 Dec 2009 00:00:00 -0800 Threatscape Report - November 2009 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



Top 10 exploitation attempts detected for this period follows, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of all cases reported this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Figure 1a below shows the Top 5 regions attacked in comparison to total attack cases reported this period. Critical issues are outlined in bold.
RankVulnerabilityPercentageSeverity
1MS.DCERPC.NETAPI32.Buffer.Overflow31.9Critical
2MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption/td>22.6Critical
3Adobe.Products.SWF.Remote.Code.Execution12.9Critical
4FTP.USER.Command.Overflow9.8High
5Apache.Expect.Header.XSS7.8Medium
6AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation7.8High
7MS.Content.Management.Server.Code.Execution6.4Critical
8MS.DirectX.MsVidCtl.ActiveX.Control.Access6.1Critical
9RoundCube.Webmail.Pregreplace.Code.Execution5.9High
10FTP.Command.REST.Overflow3.2High



Figure 1a: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 115 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 35 were reported to be actively exploited (30.4%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

http://www.fortiguard.com/reports/roundup_november_2009.htmlhttp://www.fortiguard.com/reports/roundup_november_2009.htmlFri, 27 Nov 2009 00:00:00 -0800 Vulnerability in Internet Explorer Could Allow Remote Code Execution Summary:

Fortinet's FortiGuard Labs investigates a remote code execution vulnerability in Internet Explorer.

Impact:

Remote Code Execution

Risk:

Critical.

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The vulnerability results from a JScript execution that may cause memory corruption. This memory space is then accessible to a remote attacker, who is able to crash Internet Explorer and execute arbitrary code.

Solutions:

FortiGuard Labs released the following signature:
  • " MS.IE.GetElementsByTagName.CSS.Handling.Code.Execution"
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

]]> http://www.fortiguard.com/advisory/FGA-2009-41.html http://www.fortiguard.com/advisory/FGA-2009-41.html Wed, 25 Nov 2009 00:00:00 -0800 Microsoft Security Bulletin for November 2009 The table below lists the Microsoft vulnerabilities for November.
RankMalware VariantPercentageTop 100 Shift
1W32/Cutwail.K!tr19.8new
2W32/Cutwail.C!tr.dldr13.7new
3W32/Agent.C659!tr.dldr9.0new
4W32/PackAgent!tr8.3new
5W32/Zbot!tr7.2+10
6W32/FraudLoad.DFN!tr6.4new
7W32/FakeAlert.SYY!tr.dldr6.3-2
8W32/Zbot.P!tr3.3new
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS09-063Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2512
MS09-064Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2523
MS09-065Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-1127 CVE-2009-2513 CVE-2009-2514
MS09-066Vulnerability in Active Directory Could Allow Denial of Service (973309)ImportantDenial of ServiceMicrosoft Windows CVE-2009-1928
MS09-067Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)ImportantRemote Code ExecutionMicrosoft Office CVE-2009-3127 CVE-2009-3128 CVE-2009-3129 CVE-2009-3130 CVE-2009-3131 CVE-2009-3132 CVE-2009-3133 CVE-2009-3134
MS09-068Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)ImportantRemote Code ExecutionMicrosoft Office CVE-2009-3135


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in November 2009.

CVE NumberSignature Name
CVE-2009-2512MS.WSDAPI.Message.Handling.Memory.Corruption
CVE-2009-2523MS.License.Logging.Server.RPC.Code.Execution
CVE-2009-2514MS.Kernel.Font.Parsing.Integer.Overflow
CVE-2009-1928LSASS.LDAP.Stack.Overflow
CVE-2009-3127MS.Office.Excel.SXDB.Record.Type.Code.Execution
CVE-2009-3128MS.Office.Excel.SxView.Record.Code.Execution
CVE-2009-3129MS.Office.Excel.FeatHdr.BIFF.Record.Code.Execution
CVE-2009-3130MS.Office.Excel.Row.Record.Integer.Field.Code.Execution
CVE-2009-3131MS.Office.Excel.Formula.Record.Code.Execution
CVE-2009-3132MS.Office.Excel.Formula.Ptg.Code.Execution
CVE-2009-3134MS.Office.Excel.StartObject.Record.Code.Execution
  • "Adobe.Shockwave.Player.Dir.File.Invalid.Index.Code.Execution" (CVE-2009-3463)
  • "Adobe.Shockwave.Player.Dir.File.Invalid.Pointer.Code.Execution" (CVE-2009-3464)
  • "Adobe.Shockwave.Player.Dir.File.Pointer.Handing.Code.Execution" (CVE-2009-3465)
  • "Adobe.Shockwave.Player.Dir.File.Invalid.String.Length.DoS" (CVE-2009-3466)
    • FortiGuard Labs continues to monitor attacks against these vulnerabilities.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against these vulnerabilities. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
     ]]> http://www.fortiguard.com/advisory/FGA-2009-39.html http://www.fortiguard.com/advisory/FGA-2009-39.html Wed, 04 Nov 2009 00:00:00 -0800 Threatscape Report - October 2009 Edition

    Table of Contents:


    FortiGuard Labs

    Exploits and Intrusion Prevention



    Top 10 Exploitations & Regions



    Top 10 exploitation attempts detected for this period follows, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of all cases reported this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Figure 1a below shows the Top 5 regions attacked in comparison to total attack cases reported this period. Critical issues are outlined in bold.
    RankVulnerabilityPercentageSeverity
    1MS.DCERPC.NETAPI32.Buffer.Overflow29.0Critical
    2FTP.USER.Command.Overflow24.4High
    3MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption21.3Critical
    4Adobe.Products.SWF.Remote.Code.Execution8.4Critical
    5Apache.Expect.Header.XSS8.1Medium
    6AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation7.6High
    7MS.Content.Management.Server.Code.Execution6.7Critical
    8RoundCube.Webmail.Pregreplace.Code.Execution5.3High
    9MS.DirectX.MsVidCtl.ActiveX.Control.Access3.2Critical
    10Apache.MyFaces.Tomahawk.JSF.Framework.XSS3.0Medium



    Figure 1a: Top 5 regions by number of attack cases


    New Vulnerability Coverage



    There were a total of 104 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 29 were reported to be actively exploited (27.9%).

    Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1b: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    RankMalware VariantPercentageTop 100 Shift
    1W32/PackSpam.A!worm20.1new
    2W32/Agent.LGE!tr16.9new
    3W32/Bredolab.X!tr11.4new
    4W32/Bredo.G!tr8.2-2
    5W32/FakeAlert.SYY!tr.dldr7.9new
    6W32/Krap.AD!tr6.6new
    7W32/OnlineGames.BBR!tr3.8-6
    8W32/FraudLoad.WSUT!tr.dldr1.7n ]]> http://www.fortiguard.com/reports/roundup_october_2009.html http://www.fortiguard.com/reports/roundup_october_2009.html Tue, 27 Oct 2009 00:00:00 -0800