FGCenter - Latest Threats, Advisories, Reports and News http://www.fortiguard.com/ en Copyright 2010 Fortinet Inc. All Rights Reserved Tue, 09 Feb 2010 05:20:00 -0800 Fortinet Investigates Oracle Privilege Escalation Vulnerability Summary:

Fortinet's FortiGuard Labs Investigates a Vulnerability in Oracle.

Impact:

Remote Command Execution

Risk:

Critical

Affected Software:

For a list of Oracle versions affected, please see the BugTraq reference below.

Additional Information:

It is possible for a low priviledged users to grant themselves arbitrary permissions through an overly permissive default grant.

FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.


References:
]]> http://www.fortiguard.com/advisory/FGA-2010-08.html http://www.fortiguard.com/advisory/FGA-2010-08.html Mon, 08 Feb 2010 00:00:00 -0800 Fortinet Protects Against Microsoft Internet Explorer Vulnerability (980088) Summary:

Fortinet's FortiGuard Labs Protects Against a Vulnerability in Microsoft Internet Explorer.

Impact:

Information Disclosure

Risk:

High

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

FortiGuard Labs continues to monitor this vulnerability world wide while developing additional mitigation strategies / solutions based off our findings.

Solutions:
  • Follow the workarounds provided by Microsoft (980088).
  • FortiGuard Labs released a signature "MS.0day.18176" on Feb. 05,2010, which covers this specific vulnerability


Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:
]]> http://www.fortiguard.com/advisory/FGA-2010-07.html http://www.fortiguard.com/advisory/FGA-2010-07.html Thu, 04 Feb 2010 00:00:00 -0800 Threatscape Report - January 2010 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



Top 10 attack attempts detected for this period follows, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverityTop 100 Shift
1Gumblar.Botnet31.3Criticalnew
2MS.DCERPC.NETAPI32.Buffer.Overflow24.3Critical-1
3Waledac.Botnet7.6Critical-1
4MS.IE.Event.Invalid.Pointer.Memory.Corruption7.4Criticalnew
5Adobe.Products.SWF.Remote.Code.Execution6.9Critical+6
6MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption6.5Critical-
7FTP.USER.Command.Overflow6.1High-3
8Apache.Expect.Header.XSS6.0Medium-
9Adobe.Reader.Printf.Buffer.Overflow5.8Critical+10
10AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation5.8High-7



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 150 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 34 were reported to be actively exploited (22.7%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

RankMalware VariantPercentageTop 100 Shift
]]> http://www.fortiguard.com/reports/roundup_january_2010.html http://www.fortiguard.com/reports/roundup_january_2010.html Wed, 27 Jan 2010 00:00:00 -0800 Fortinet Discovers Microsoft Internet Explorer Vulnerability (MS10-002) Summary:

Fortinet's FortiGuard Labs has discovered a memory corruption vulnerability in Microsoft's Internet Explorer.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

In order to compromise a system / remotely execute code, an attacker would lure a user to a maliciously crafted website. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Solutions:

Since an attack scenario would require a user to visit a malicious website, it is recommended to have a layered security solution through webfiltering and intrusion prevention for mitigation.
  • Use the solution provided by Microsoft (MS10-002).
  • FortiGuard Labs released the signature "MS.IE.MergeAttributes.Remote.Code.Execution".
    • Advanced zero-day protection has been available since September 3, 2009.
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowledgment:
  • Haifei Li of Fortinet's FortiGuard Labs.
]]> http://www.fortiguard.com/advisory/FGA-2010-05.html http://www.fortiguard.com/advisory/FGA-2010-05.html Thu, 21 Jan 2010 00:00:00 -0800 Microsoft Security Bulletin for January 21, 2010
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS10-002Cumulative Security Update for Internet Explorer (978207)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-4074 CVE-2010-0027 CVE-2010-0244 CVE-2010-0245 CVE-2010-0246 CVE-2010-0247 CVE-2010-0248 CVE-2010-0249


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in January 21, 2010.

CVE NumberSignature Name
CVE-2010-0244MS.IE.Object.Handler.Memory.Corruption
CVE-2010-0245MS.IE.DOM.Operation.Memory.Corruption
CVE-2010-0246MS.IE8.Uninitialized.Memory.Corruption
CVE-2010-0247MS.IE.MergeAttributes.Remote.Code.Execution
CVE-2010-0248MS.IE.HTML.Removed.Table.Reference.Memory.Corruption
CVE-2010-0249MS.IE.Event.Invalid.Pointer.Memory.Corruption

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Thursday, January 21 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-06.html http://www.fortiguard.com/advisory/FGA-2010-06.html Thu, 21 Jan 2010 00:00:00 -0800 Adobe Security Bulletin for January 19, 2010
Adobe Vulnerability Identifier Adobe Bulletin TitleSeverityAffected SoftwareCVE ID
apsb10-03Vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system.CriticalShockwave Player 11.5.2.602 and earlier versions for Windows and Macintosh CVE-2009-4002 CVE-2009-4003


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in January 19, 2010.

CVE NumberSignature Name
CVE-2009-4002Adobe.Shockwave.Player.Dir.File.Parsing.Heap.Overflow
CVE-2009-4003Adobe.Shockwave.Player.Dir.File.Parsing.Integer.Overflow

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Thursday, January 19 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-04.html http://www.fortiguard.com/advisory/FGA-2010-04.html Tue, 19 Jan 2010 00:00:00 -0800 Vulnerability in Internet Explorer Could Allow Remote Code Execution (979352) Summary:

Fortinet's FortiGuard Labs protects against a remote code execution vulnerability in Internet Explorer.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. In order to compromise a system / remotely execute code, an attacker would lure a user to a maliciously crafted website.

Solutions:

Since an attack scenario would require a user to visit a malicious website, it is recommended to have a layered security solution through webfiltering and intrusion prevention for mitigation.

Updated: January 21, 2009
  • Use the solution provided by Microsoft.
  • FortiGuard Labs released the signature "MS.IE.Event.Invalid.Pointer.Memory.Corruption" (CVE-2010-0249).
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:
]]> http://www.fortiguard.com/advisory/FGA-2010-03.html http://www.fortiguard.com/advisory/FGA-2010-03.html Mon, 18 Jan 2010 00:00:00 -0800 Adobe Security Bulletin for January 12, 2010
Adobe Vulnerability Identifier Adobe Bulletin TitleSeverityAffected SoftwareCVE ID
apsb10-02Vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.CriticalAdobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX,Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3956 CVE-2009-3957 CVE-2009-3958 CVE-2009-3959 CVE-2009-4324


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in January 12, 2010.

CVE NumberSignature Name
CVE-2009-3953Adobe.U3D.CLOD.Mesh.Declaration.Array.Buffer.Overflow
CVE-2009-3955Adobe.Reader.JpxDecode.Jp2c.Stream.Memory.Corruption
CVE-2009-3956Adobe.Reader.FDF.Javascript.Execution
CVE-2009-3957Adobe.PDF.Colors.Code.Execution
CVE-2009-3958Adobe.Get.Atlcom.ActiveX.Control.Access
CVE-2009-3959Adobe.Acrobat.Reader.U3D.Content.Integer.Overflow
CVE-2009-4324Adobe.Reader.Javascript.newplayer.Method.Code.Execution

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, January 12 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-02.html http://www.fortiguard.com/advisory/FGA-2010-02.html Tue, 12 Jan 2010 00:00:00 -0800 Microsoft Security Bulletin for January 2010
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS10-001Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)CriticalRemote Code ExecutionMicrosoft Windows CVE-2010-0018


Document History


Revision DateVersion Number
Tuesday, January 12 20101Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2010-01.html http://www.fortiguard.com/advisory/FGA-2010-01.html Tue, 12 Jan 2010 00:00:00 -0800 Threatscape Report - December 2009 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



Top 10 attack attempts detected for this period follows, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverity
1MS.DCERPC.NETAPI32.Buffer.Overflow55.6Critical
2Waledac.Botnet8.2Critical
3AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation6.1High
4FTP.USER.Command.Overflow4.6High
5MS.Windows.LSASS.Buffer.Overflow4.5High
6MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption3.7Critical
7SMTP.Auth.Buffer.Overflow3.1Critical
8Apache.Expect.Header.XSS2.5Medium
9Apache.MyFaces.Tomahawk.JSF.Framework.XSS2.4Medium
10FTP.Command.REST.Overflow2.3High



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 157 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 46 were reported to be actively exploited (29.3%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

RankMalware VariantPercentageTop 100 Shift
1W32/PackBredolab.C!tr66.5new
2JS/PackRedir.A!tr.dldr6.8+17
3JS/Feebs.A@mm2.2+14
http://www.fortiguard.com/reports/roundup_december_2009.html http://www.fortiguard.com/reports/roundup_december_2009.html Thu, 24 Dec 2009 00:00:00 -0800 Adobe Security Bulletin for December 18, 2009
Adobe Vulnerability Identifier Adobe Bulletin TitleSeverity Affected SoftwareCVE ID
apsb09-18Vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system.CriticalFlash Media Server 3.5.2 and earlier versions CVE-2009-3791 CVE-2009-3792


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in December 2009.

CVE NumberSignature Name
CVE-2009-3791Adobe.Flash.Media.Server.Resource.Exhaustion.DoS
CVE-2009-3792Adobe.Flash.Media.Server.Directory.Traversal

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Friday, December 18 20091Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2009-49.html http://www.fortiguard.com/advisory/FGA-2009-49.html Fri, 18 Dec 2009 00:00:00 -0800 Fortinet Discovers Multiple Cisco WebEx WRF Player Vulnerabilities Summary:

Multiple memory corruption vulnerabilities exist in Cisco WebEx WRF Player which allow a remote attacker to compromise a vulnerable system.

Impact:

Remote code execution / Denial of service.

Risk:

  • Critical

Affected Software:

  • Cisco WebEx WRF Player 3.0 or earlier versions on Linux,Microsoft Windows and Mac OS X

Additional Information:

Six vulnerabilities were discovered in Cisco WebEx WRF Player, each of which is highlighted below:

  • FG-VD-09-008: Cisco WebEx WRF Player Denial Of Service in "atrpui.dll" (CVE-2009-2880)
  • FG-VD-09-010: Cisco WebEx WRF Player Heap Overflow in "atas32.dll" (CVE-2009-2879)
  • FG-VD-09-012: Cisco WebEx WRF Player Heap Overflow in "atas32.dll" (CVE-2009-2876)
  • FG-VD-09-013: Cisco WebEx WRF Player Heap Overflow in "atas32.dll" (CVE-2009-2878)
  • FG-VD-09-014: Cisco WebEx WRF Player Stack Overflow in "ataudio.dll" (CVE-2009-2877)
  • FG-VD-09-016: Cisco WebEx WRF Player Denial of Service in "atas32.dll" (CVE-2009-2875)

Solutions:

Use the solution provided by Cisco:

  • FG-VD-09-008: fixed in WebEx releases T26 and T27
  • FG-VD-09-010: fixed in WebEx releases T26SP49EP32 and T27SP10
  • FG-VD-09-012: fixed in WebEx releases T26SP49EP32 and T27SP10
  • FG-VD-09-013: fixed in WebEx releases T26SP49EP32 and T27SP10
  • FG-VD-09-014: fixed in WebEx releases T26LSp49EP32 and T27SP10
  • FG-VD-09-016: fixed in WebEx release T26SP49EP

FortiGuard Labs released the following signatures to protect against these vulnerabilities

  • "Cisco.WebEx.Player.atas32.Heap.Overflow" (CVE-2009-2879, CVE-2009-2876, CVE-2009-2878)
  • "Cisco.WebEx.Player.ataudio.Buffer.Overflow" (CVE-2009-2877)
  • "Cisco.WebEx.Player.atrpui.DoS" (CVE-2009-2880)
  • "Cisco.WebEx.Player.atas32.DoS" (CVE-2009-2875)

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against these memory corruption vulnerabilities. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by Fortinet's FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowledgment:

  • Zhenhua Liu and XiaoPeng Zhang of Fortinet's FortiGuard Labs
]]> http://www.fortiguard.com/advisory/FGA-2009-48.html http://www.fortiguard.com/advisory/FGA-2009-48.html Wed, 16 Dec 2009 00:00:00 -0800 Adobe Reader / Acrobat Remote Code Execution Vulnerability (APSA09-07) Summary:

Fortinet's FortiGuard Labs investigates a vulnerability in Adobe Acrobat / Adobe Reader that leads to remote code execution.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of product versions affected, please see the Adobe Security Advisory reference below.

Additional Information:

Attacks have been spotted in the wild which exploit this vulnerability through a maliciously crafted PDF file using Javascript functions. When the document is opened, further malicious components are typically downloaded for execution. FortiGuard Labs continues to monitor attacks against this vulnerability.

Solutions:

  • Use the solution provided by Adobe (APSA09-07).
  • FortiGuard Labs released the signature "Adobe.Reader.Javascript.newplayer.Method.Code.Execution" (CVE-2009-4324).


Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by Fortinet's FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

]]> http://www.fortiguard.com/advisory/FGA-2009-47.html http://www.fortiguard.com/advisory/FGA-2009-47.html Tue, 15 Dec 2009 00:00:00 -0800 Adobe Security Bulletin for December 08, 2009
Adobe Vulnerability Identifier Adobe Bulletin TitleSeverity Affected SoftwareCVE ID
APSB09-19Vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.Critical Adobe Flash Player 10.0.32.18 and earlier versions,Adobe AIR 1.5.2 and earlier versions CVE-2009-3794 CVE-2009-3796 CVE-2009-3797 CVE-2009-3798 CVE-2009-3799 CVE-2009-3800 CVE-2009-3951


Threat Remediation


Fortinet provides coverage on Adobe vulnerabilities in December 2009.

CVE NumberSignature Name
CVE-2009-3794Adobe.Flash.Player.JPEG.Parsing.Heap.Overflow
CVE-2009-3797FG-VD-09-024-Adobe (real name: Adobe.Flash.Getproperty.Memory.Corruption)
CVE-2009-3798FG-VD-09-026-Adobe (real name: Adobe.Flash.Class.Switch.Memory.Corruption)
CVE-2009-3951Adobe.Flash.Local.File.Check.Disclosure

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, December 8, 20091Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2009-46.html http://www.fortiguard.com/advisory/FGA-2009-46.html Tue, 08 Dec 2009 00:00:00 -0800 Fortinet Discovers Adobe Flash Player Vulnerabilities (APSB09-19) Summary:

Fortinet's FortiGuard Labs discovers multiple vulnerabilities in Adobe Flash Player.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of product versions affected, please see the Adobe Security Bulletin reference below.

Additional Information:

Two vulnerabilities were discovered in Adobe Flash, each of which are highlighted below:
  • FG-VD-09-024: Memory corruption vulnerability in "Flash10.ocx" (CVE-2009-3797)
  • FG-VD-09-026: Memory corruption vulnerability in "Flash10.ocx" (CVE-2009-3798)

Solutions:

FortiGuard Labs released the following signatures:
  • "Adobe.Flash.Getproperty.Memory.Corruption" (CVE-2009-3797)
  • "Adobe.Flash.Class.Switch.Memory.Corruption" (CVE-2009-3798)

  • Use the solution provided by Adobe (APSB09-19)
FortiGuard Labs continues to monitor attacks against these vulnerabilities.

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against these vulnerabilities. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowlegement:

Bing Liu of Fortinet's FortiGuard Labs
  • For Discovering: CVE-2009-3797, CVE-2009-3798
]]> http://www.fortiguard.com/advisory/FGA-2009-43.html http://www.fortiguard.com/advisory/FGA-2009-43.html Tue, 08 Dec 2009 00:00:00 -0800 Fortinet Discovers Microsoft Office Project Vulnerability (MS09-074) Summary:

Fortinet's FortiGuard Labs Discovers Memory Corruption Vulnerability in Microsoft Office Project.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of operating system and product versions affected, please see the Microsoft Bulletin reference below.

Additional Information:

The vulnerability lies in "winproj.exe", which is used when processing a Project file. A maliciously crafted document may contain a list structure with a malformed element field, that when processed, will result in memory corruption and allow a remote attacker to arbitrarily execute code on the victims machine.

Solutions:

  • Use the solution provided by Microsoft (MS09-074).
  • FortiGuard Labs released a signature "MS.Project.Props.List.Memory.Corruption", which covers this specific vulnerability.
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowlegement:

  • Bing Liu of Fortinet's FortiGuard Labs
]]> http://www.fortiguard.com/advisory/FGA-2009-44.html http://www.fortiguard.com/advisory/FGA-2009-44.html Tue, 08 Dec 2009 00:00:00 -0800 Fortinet Discovers Vulnerability in Indeo Codec Summary:

Fortinet's FortiGuard Labs Discovers Memory Corruption Vulnerability in Indeo Codec.

Impact:

Remote Code Execution.

Risk:

Critical.

Affected Software:

For a list of operating system and product versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The Indeo codec on systems running Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow code to run on users systems when opening specially crafted content. There are multiple ways that the Indeo codec may be used and may be required by certain applications. The Indeo codec may be required when visiting legitimate Web sites, and in corporate environment line-of-business applications.

Solutions:

  • Use the solution provided by Microsoft (Microsoft Security Advisory 954157).
  • FortiGuard Labs released a signature "MS.Windows.Indeo.Codec.Memory.Corruption", which covers this specific vulnerability.
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

Acknowlegement:

  • Bing Liu of Fortinet's FortiGuard Labs
]]> http://www.fortiguard.com/advisory/FGA-2009-45.html http://www.fortiguard.com/advisory/FGA-2009-45.html Tue, 08 Dec 2009 00:00:00 -0800 Microsoft Security Bulletin for December 2009
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS09-069Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)ImportantDenial of ServiceMicrosoft Windows CVE-2009-3675
MS09-070Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)ImportantRemote Code ExecutionMicrosoft Windows CVE-2009-2508 CVE-2009-2509
MS09-071Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2505 CVE-2009-3677
MS09-072Cumulative Security Update for Internet Explorer (976325)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2493 CVE-2009-3671 CVE-2009-3672 CVE-2009-3673 CVE-2009-3674
MS09-073Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)ImportantRemote Code ExecutionMicrosoft Windows, Microsoft Office CVE-2009-2506
MS09-074Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)CriticalRemote Code ExecutionMicrosoft Office CVE-2009-0102


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in December 2009.

CVE NumberSignature Name
CVE-2009-2509MS.ADFS.Malformed.HTTP.Header.Code.Execution
CVE-2009-3677MS.IAS.Privilege.Elevation
CVE-2009-2493MS.ATL.Object.Type.Mismatch.Code.Execution
CVE-2009-3671MS.IE.DOM.Operation.Memory.Corruption
CVE-2009-3672MS.IE.GetElementsByTagName.CSS.Handling.Code.Execution
CVE-2009-3674MS.IE.DOM.Operation.Circular.Reference.Memory.Corruption
CVE-2009-2506MS.Word.Text.Converter.Memory.Corruption
CVE-2009-0102MS.Project.Props.List.Memory.Corruption

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


Document History


Revision DateVersion Number
Tuesday, December 08 20091Initial Documentation.


Reference:
]]> http://www.fortiguard.com/advisory/FGA-2009-42.html http://www.fortiguard.com/advisory/FGA-2009-42.html Tue, 08 Dec 2009 00:00:00 -0800 Threatscape Report - November 2009 Edition

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



Top 10 exploitation attempts detected for this period follows, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of all cases reported this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Figure 1a below shows the Top 5 regions attacked in comparison to total attack cases reported this period. Critical issues are outlined in bold.
RankVulnerabilityPercentageSeverity
1MS.DCERPC.NETAPI32.Buffer.Overflow31.9Critical
2MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption/td>22.6Critical
3Adobe.Products.SWF.Remote.Code.Execution12.9Critical
4FTP.USER.Command.Overflow9.8High
5Apache.Expect.Header.XSS7.8Medium
6AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation7.8High
7MS.Content.Management.Server.Code.Execution6.4Critical
8MS.DirectX.MsVidCtl.ActiveX.Control.Access6.1Critical
9RoundCube.Webmail.Pregreplace.Code.Execution5.9High
10FTP.Command.REST.Overflow3.2High



Figure 1a: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 115 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 35 were reported to be actively exploited (30.4%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

http://www.fortiguard.com/reports/roundup_november_2009.htmlhttp://www.fortiguard.com/reports/roundup_november_2009.htmlFri, 27 Nov 2009 00:00:00 -0800 Vulnerability in Internet Explorer Could Allow Remote Code Execution Summary:

Fortinet's FortiGuard Labs investigates a remote code execution vulnerability in Internet Explorer.

Impact:

Remote Code Execution

Risk:

Critical.

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The vulnerability results from a JScript execution that may cause memory corruption. This memory space is then accessible to a remote attacker, who is able to crash Internet Explorer and execute arbitrary code.

Solutions:

FortiGuard Labs released the following signature:
  • " MS.IE.GetElementsByTagName.CSS.Handling.Code.Execution"
FortiGuard Labs continues to monitor attacks against this vulnerability.

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:

]]> http://www.fortiguard.com/advisory/FGA-2009-41.html http://www.fortiguard.com/advisory/FGA-2009-41.html Wed, 25 Nov 2009 00:00:00 -0800 Microsoft Security Bulletin for November 2009 The table below lists the Microsoft vulnerabilities for November.
RankMalware VariantPercentageTop 100 Shift
1W32/Cutwail.K!tr19.8new
2W32/Cutwail.C!tr.dldr13.7new
3W32/Agent.C659!tr.dldr9.0new
4W32/PackAgent!tr8.3new
5W32/Zbot!tr7.2+10
6W32/FraudLoad.DFN!tr6.4new
7W32/FakeAlert.SYY!tr.dldr6.3-2
8W32/Zbot.P!tr3.3new
MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
MS09-063Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2512
MS09-064Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2523
MS09-065Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-1127 CVE-2009-2513 CVE-2009-2514
MS09-066Vulnerability in Active Directory Could Allow Denial of Service (973309)ImportantDenial of ServiceMicrosoft Windows CVE-2009-1928
MS09-067Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)ImportantRemote Code ExecutionMicrosoft Office CVE-2009-3127 CVE-2009-3128 CVE-2009-3129 CVE-2009-3130 CVE-2009-3131 CVE-2009-3132 CVE-2009-3133 CVE-2009-3134
MS09-068Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)ImportantRemote Code ExecutionMicrosoft Office CVE-2009-3135


Threat Remediation


Fortinet provides coverage on Microsoft vulnerabilities in November 2009.

CVE NumberSignature Name
CVE-2009-2512MS.WSDAPI.Message.Handling.Memory.Corruption
CVE-2009-2523MS.License.Logging.Server.RPC.Code.Execution
CVE-2009-2514MS.Kernel.Font.Parsing.Integer.Overflow
CVE-2009-1928LSASS.LDAP.Stack.Overflow
CVE-2009-3127MS.Office.Excel.SXDB.Record.Type.Code.Execution
CVE-2009-3128MS.Office.Excel.SxView.Record.Code.Execution
CVE-2009-3129MS.Office.Excel.FeatHdr.BIFF.Record.Code.Execution
CVE-2009-3130MS.Office.Excel.Row.Record.Integer.Field.Code.Execution
CVE-2009-3131MS.Office.Excel.Formula.Record.Code.Execution
CVE-2009-3132MS.Office.Excel.Formula.Ptg.Code.Execution
CVE-2009-3134MS.Office.Excel.StartObject.Record.Code.Execution
  • "Adobe.Shockwave.Player.Dir.File.Invalid.Index.Code.Execution" (CVE-2009-3463)
  • "Adobe.Shockwave.Player.Dir.File.Invalid.Pointer.Code.Execution" (CVE-2009-3464)
  • "Adobe.Shockwave.Player.Dir.File.Pointer.Handing.Code.Execution" (CVE-2009-3465)
  • "Adobe.Shockwave.Player.Dir.File.Invalid.String.Length.DoS" (CVE-2009-3466)
    • FortiGuard Labs continues to monitor attacks against these vulnerabilities.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against these vulnerabilities. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
     ]]> http://www.fortiguard.com/advisory/FGA-2009-39.html http://www.fortiguard.com/advisory/FGA-2009-39.html Wed, 04 Nov 2009 00:00:00 -0800 Threatscape Report - October 2009 Edition

    Table of Contents:


    FortiGuard Labs

    Exploits and Intrusion Prevention



    Top 10 Exploitations & Regions



    Top 10 exploitation attempts detected for this period follows, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of all cases reported this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Figure 1a below shows the Top 5 regions attacked in comparison to total attack cases reported this period. Critical issues are outlined in bold.
    RankVulnerabilityPercentageSeverity
    1MS.DCERPC.NETAPI32.Buffer.Overflow29.0Critical
    2FTP.USER.Command.Overflow24.4High
    3MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption21.3Critical
    4Adobe.Products.SWF.Remote.Code.Execution8.4Critical
    5Apache.Expect.Header.XSS8.1Medium
    6AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation7.6High
    7MS.Content.Management.Server.Code.Execution6.7Critical
    8RoundCube.Webmail.Pregreplace.Code.Execution5.3High
    9MS.DirectX.MsVidCtl.ActiveX.Control.Access3.2Critical
    10Apache.MyFaces.Tomahawk.JSF.Framework.XSS3.0Medium



    Figure 1a: Top 5 regions by number of attack cases


    New Vulnerability Coverage



    There were a total of 104 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 29 were reported to be actively exploited (27.9%).

    Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1b: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    RankMalware VariantPercentageTop 100 Shift
    1W32/PackSpam.A!worm20.1new
    2W32/Agent.LGE!tr16.9new
    3W32/Bredolab.X!tr11.4new
    4W32/Bredo.G!tr8.2-2
    5W32/FakeAlert.SYY!tr.dldr7.9new
    6W32/Krap.AD!tr6.6new
    7W32/OnlineGames.BBR!tr3.8-6
    8W32/FraudLoad.WSUT!tr.dldr1.7n ]]> http://www.fortiguard.com/reports/roundup_october_2009.html http://www.fortiguard.com/reports/roundup_october_2009.html Tue, 27 Oct 2009 00:00:00 -0800 Adobe Security Bulletin for October 2009 The table below lists the Adobe vulnerabilities for October.
    Adobe Vulnerability Identifier Adobe Bulletin TitleSeverity Affected SoftwareCVE ID
    apsb09-15Vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.Critical Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX, Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh CVE-2009-2979 CVE-2009-2980 CVE-2009-2984 CVE-2009-2985 CVE-2009-2987 CVE-2009-2988 CVE-2009-2989 CVE-2009-2990 CVE-2009-2991 CVE-2009-2992 CVE-2009-2993 CVE-2009-2994 CVE-2009-2995 CVE-2009-2996 CVE-2009-2997 CVE-2009-2998 CVE-2009-3458 CVE-2009-3460 CVE-2009-3459 CVE-2007-0048 CVE-2007-0045 CVE-2009-2564 CVE-2009-2981 CVE-2009-2982 CVE-2009-2983 CVE-2009-2986 CVE-2009-3431 CVE-2009-3461 CVE-2009-3462


    Threat Remediation


    Fortinet provides coverage on Adobe vulnerabilities in October 2009.

    CVE NumberSignature Name
    CVE-2009-2979Adobe.Reader.Metadata.XML.Buffer.Overflow
    CVE-2009-2980Adobe.Reader.Xobject.Image.Integer.Overflow
    CVE-2009-2985Adobe.Reader.Font.CFF.Index.Memory.Corruption
    CVE-2009-2987Adobe.Acrobat.ActiveX.Control.DoS
    CVE-2009-2988Adobe.Acrobat.JS.Collab.DoS
    CVE-2009-2990Adobe.Reader.U3D.Progressive.Mesh.Block.Code.Execution
    CVE-2009-2991Adobe.Acrobat.Firefox.Plugin.RCE.Code.Execution
    CVE-2009-2994Adobe.JPEG2000.QCC.Memory.Corruption
    CVE-2009-2996Adobe.Acrobat.JS.Collab.Memory.Corruption
    CVE-2009-2997Adobe.Acrobat.U3D.Line.Set.Heap.Corruption
    CVE-2009-2998Adobe.Reader.U3D.Mesh.Declaration.Memory.Corruption
    CVE-2009-3458Adobe.Reader.U3D.Progressive.Mesh.Block.Code.Execution
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS09-050Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2526 CVE-2009-2532 CVE-2009-3103
    MS09-051Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-0555 CVE-2009-2525
    MS09-052Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2527
    MS09-053Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)ImportantRemote Code ExecutionMicrosoft Windows CVE-2009-2521 CVE-2009-3023
    MS09-054Cumulative Security Update for Internet Explorer (974455)CriticalRemote Code ExecutionMicrosoft Windows,Internet Explorer CVE-2009-1547 CVE-2009-2529 CVE-2009-2530 CVE-2009-2531
    MS09-055Cumulative Security Update of ActiveX Kill Bits (973525)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2493
    MS09-056Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)ImportantSpoofingMicrosoft Windows CVE-2009-2510 CVE-2009-2511
    MS09-057Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)ImportantRemote Code ExecutionMicrosoft Windows CVE-2009-2507
    MS09-058Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)ImportantElevation of PrivilegeMicrosoft Windows CVE-2009-2515 CVE-2009-2516 CVE-2009-2517
    MS09-059Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)ImportantDenial of ServiceMicrosoft Windows CVE-2009-2524
    MS09-060Vulnerabilities in Microsoft Active Template Library (ATL)) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)CriticalRemote Code ExecutionMicrosoft Office CVE-2009-0901 CVE-2009-2493 CVE-2009-2495
    MS09-061Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)CriticalRemote Code ExecutionMicrosoft Windows, Microsoft .NET Framework, Microsoft Silverlight CVE-2009-0090 CVE-2009-0091 CVE-2009-2497
    MS09-062Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)CriticalRemote Code ExecutionMicrosoft Windows,I ]]> http://www.fortiguard.com/advisory/FGA-2009-36.html http://www.fortiguard.com/advisory/FGA-2009-36.html Tue, 13 Oct 2009 00:00:00 -0800 Multiple Vulnerabilities in Adobe Acrobat / Reader Summary:

    Fortinet discovers multiple vulnerabilities in Adobe Reader / Acrobat which may allow a remote attacker to compromise a system.

    Impact:

    Remote Code Execution / Denial of Service (DoS).

    Risk:

    Critical.

    Affected Software:
    • Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh and UNIX
    • Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh

    Additional Information:

    Four vulnerabilities were discovered in Adobe Reader / Acrobat, each of which are highlighted below:
    • FG-VD-09-015: Memory corruption vulnerability in Javascript implementation (CVE-2009-3460)
    • FG-VD-09-017: Denial of service through an ActiveX control specific to the OS, in "AcroPDF.DLL" (CVE-2009-2987)
    • FG-VD-09-018: Denial of service through an input validation issue in "annots.api" (CVE-2009-2988)
    • FG-VD-09-023: Memory corruption vulnerability in Javascript implementation (CVE-2009-2996)

    Solutions:

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against these vulnerabilities. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgment:
    • Zhenhua Liu and XiaoPeng Zhang of Fortinet's FortiGuard Global Security Research Team
      • For Discovering: CVE-2009-2987, CVE-2009-2988, CVE-2009-2996
    • Haifei Li of Fortinet's FortiGuard Global Security Research Team
      • For Discovering: CVE-2009-3460
    ]]>     http://www.fortiguard.com/advisory/FGA-2009-37.html http://www.fortiguard.com/advisory/FGA-2009-37.html Tue, 13 Oct 2009 00:00:00 -0800     Adobe Reader Remote Code Execution Vulnerability (APSB09-15) Summary:

    Fortinet's FortiGuard Global Security Research Team investigates a vulnerability in Adobe Reader.

    Impact:

    Remote Code Execution.

    Affected Software:

    For a full list of affected software, please refer to the Adobe security advisory below.

    Solutions:
    • The FortiGuard Global Security Research Team released a signature "Adobe.Reader.Decode.Color.Remote.Code", which covers this specific vulnerability.
    • The FortiGuard Global Security Research Team released a signature "W32/Protux.GK!exploit", which covers a malicious PDF exploiting this vulnerability in the wild.
    • The FortiGuard Global Security Research Team released a signature "W32/Protux.GK!tr", which covers a trojan dropped by the malicious PDF.
    The FortiGuard Global Security Research Team continues to monitor attacks against this vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this remote code execution vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:

    ]]>     http://www.fortiguard.com/advisory/FGA-2009-35.html http://www.fortiguard.com/advisory/FGA-2009-35.html Thu, 08 Oct 2009 00:00:00 -0800     Threatscape Report - September 2009 Edition

    Table of Contents:


    FortiGuard Global Threat Research

    Exploits and Intrusion Prevention



    Top 10 Exploitations & Regions



    Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
    RankVulnerabilityPercentageSeverity
    1MS.DCERPC.NETAPI32.Buffer.Overflow13.1Critical
    2HTTP.URI.Overflow11.8Critical
    3MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow5.3High
    4MS.Windows.ASN.1.Bitstring.Overflow4.2High
    5FTP.Bounce.Attack1.7High
    6PNG.Image.Integer.Overflow1.6Critical
    7Trojan.Storm.Worm.HTTP.DoS1.6Low
    8IKE.Exchange.DoS.Version1.4Low
    9NaviCOPA.URI.Buffer.Overflow1.1High
    10MS.Excel.Malformed.OBJECT.Type.File.Code.Execution1.1High



    Figure 1a: Top 5 regions by detected exploit attempts


    New Vulnerability Coverage



    There were a total of 108 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 46 were reported to be actively exploited (42.6%).

    Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1b: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    RankMalware VariantPercentageTop 100 Shift
    1 W32/OnlineGames.BBR!tr29.4-
    2W32/Bredo.G!tr12.8new
    3JS/PackRedir.A!tr.dldr3.7+2
    4HTML/Iframe.DN!tr.dldr3.6+2
    5Adware/AdClicker3.1+2
    6W32/Virut.A2.9-2
    7W32/Netsky!similar2.7+1
    8HTML/Iframe_CID!exploit2.3+1
    9W32/OnlineGames.DRP!tr.pws2.0+3
    10W32/OnlineGames.EEX!tr1.7+12
    MS.SMB2.Negotiation.Handler.Code.Execution", which covers this specific vulnerability.
  • Apply the suggested workaround from Microsoft.

    • The FortiGuard Global Security Research Team continues to monitor attacks against this vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this remote code execution vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:

    ]]> http://www.fortiguard.com/advisory/FGA-2009-34.html http://www.fortiguard.com/advisory/FGA-2009-34.html Wed, 09 Sep 2009 00:00:00 -0800 Microsoft Security Bulletin for September 2009
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS09-045Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-1132
    MS09-046Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2519
    MS09-047Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-2498 CVE-2009-2499
    MS09-048Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)CriticalRemote Code ExecutionMicrosoft Windows CVE-2008-4609 CVE-2009-1925 CVE-2009-1926
    MS09-049Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)CriticalRemote Code ExecutionMicrosoft Windows CVE-2009-1132


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities in September 2009.

    CVE NumberSignature Name
    CVE-2009-1132MS.JScript.Keyword.Override.Code.Execution
    CVE-2009-2519MS.DHTML.Editing.Component.ActiveX.Control.Code.Execution
    CVE-2009-2498MS.Windows.ASF.Invalid.Free.Code.Execution
    CVE-2009-2499MS.Media.MP3.Memory.Corruption
    CVE-2009-1926TCP.Window.Size.Zero.DoS

    For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


    Document History


    Revision DateVersion Number
    Tuesday, September 8, 20091Initial Documentation.


    Reference:
    ]]>     http://www.fortiguard.com/advisory/FGA-2009-33.html http://www.fortiguard.com/advisory/FGA-2009-33.html Tue, 08 Sep 2009 00:00:00 -0800