December, 2008:

Research proves feasibility of collision attacks against MD5 – 12/30/2008

Microsoft Security Advisory (961509): Research proves feasibility of collision attacks against MD5 – 12/30/2008

Revision Note: Advisory published. Advisory Summary: Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method would allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated.

URL: http://www.microsoft.com/technet/security/advisory/961509.mspx

Fortinet protects against the ‘CurseSMS’ Mobile Attack

The FortiGuard Global Security Research Team released a new version of its FortiCleanUp tool to effectively block and disable the remote SMS/MMS Denial of Service attack publicly known as “CurseSMS”.

Fortinet’s FortiCleanUp is a range of free tools running on SymbianOS S60 powered phones, designed to remove and disable specific mobile malware and their related variants.

The “CurseSMS” attack is a remote SMS/MMS denial of service, recently discovered by Tobias Engel and disclosed at CCC. The attack consists of sending a maliciously crafted SMS to the potential target. Upon reception of the malicious SMS, the targeted device may no longer be able to receive any further SMS or MMS messages, its messaging system thereby effectively becoming deaf. Depending on the operating system version, this state may persist until the device is factory reset.

Potentially vulnerable devices are Nokia phones running SymbianOS S60 2nd Edition Feature Pack 2, 2nd Edition Feature Pack 3, 3rd Edition, and 3rd Edition Feature Pack 1. This includes several phones of the “N” series up to the N95 (e.g. N90, N92, N93, etc.) and of the “E” series up to the E90, as well as older models such as the 6680. For a list of potentially vulnerable phones, please see below.

Solutions:

Fortinet’s FortiGuard team provides free licenses of its FortiCleanUp tool for users to protect their mobile devices against the “CurseSMS” attack, and/or to recover from it in case it has already struck; the latter is achieved by automatically removing malicious SMS messages that hamper handset functionality.

Beyond CurseSMS’s case, the FortiGuard team recommends the installation of Fortinet’s FortiClient Mobile on mobile devices, for light-weight, yet complete real-time protection against mobile threats (including but not limited to CurseSMS). FortiClient Mobile is available for SymbianOS S60 and Windows Mobile powered platforms. It provides users with unified security agent features, including SMS antispam, data encryption, call filtering and real time antivirus protection.

Potentially vulnerable handsets, in alphabetical order:

  • Nokia 3250
  • Nokia 5500 Sport
  • Nokia 5700 XpressMusic
  • Nokia 6110 Navigator
  • Nokia 6120 Classic
  • Nokia 6121 Classic
  • Nokia 6124 Classic
  • Nokia 6290
  • Nokia 6630
  • Nokia 6680
  • Nokia 6681
  • Nokia 6682
  • Nokia E50
  • Nokia E51
  • Nokia E60
  • Nokia E61
  • Nokia E62
  • Nokia E63
  • Nokia E65
  • Nokia E66
  • Nokia E70
  • Nokia E71
  • Nokia E90 Communicator
  • Nokia N70
  • Nokia N71
  • Nokia N72
  • Nokia N73
  • Nokia N75
  • Nokia N76
  • Nokia N77
  • Nokia N80
  • Nokia N81
  • Nokia N81 8GB
  • Nokia N82
  • Nokia N90
  • Nokia N91
  • Nokia N91 8GB
  • Nokia N92
  • Nokia N93
  • Nokia N95
  • Nokia N95 8GB

Note that this list may not be exhaustive.

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-31.html

Microsoft SQL Server Memory Corruption Vulnerability

Summary:

A specially crafted stored procedure call can allow a memory write to a controlled location, leading to execution of arbitrary code.

Impact:

Remote code execution.

Risk:

  • Critical

Affected Software:

For a list of SQL Server versions affected, please see the Microsoft Security Advisory reference below.

Additional Information:

The vulnerability lies in the extended stored procedure “sp_replwritetovarbin”, and can be triggered by supplying overly long parameters. The resulting write can potentially allow execution of arbitrary code. By default, the aforementioned stored procedure is accessible to any authenticated user. Alternatively, the vulnerability may be leveraged through SQL injection.

Solutions:

  • The FortiGuard Global Security Research Team created the IPS signature “MS.SQL.Server.Sp_replwritetovarbin.Memory.Overwrite”, which covers this specific vulnerability.

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this invalid pointer reference vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.

References:

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-30.html

Out-of-Band Microsoft Security Bulletin Summary for December 2008

Posted by Microsoft on Dec 17

********************************************************************
Out-of-Band Microsoft Security Bulletin Summary for December 2008
Issued: December 17, 2008
********************************************************************

This bulletin summary lists an out-of-band security bulletin

URL: http://seclists.org/microsoft/2008/q4/0006.html

Vulnerability in Internet Explorer Could Allow Remote Code Execution – 12/17/2008

Microsoft Security Advisory (961051): Vulnerability in Internet Explorer Could Allow Remote Code Execution – 12/17/2008

Revision Note: December 17, 2008: Advisory updated to reflect publication of security bulletin. Advisory Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS08-078 to address this issue. For more information about this issue, including download links for an available security update, please review MS08-078. The vulnerability addressed is the Microsoft XML Core Services Vulnerability – CVE-2008-4844.

URL: http://www.microsoft.com/technet/security/advisory/961051.mspx

Security Update for Internet Explorer (960714)

MS08-078 – Critical: Security Update for Internet Explorer (960714)

Bulletin Severity Rating: Critical – This security update resolves a publicly disclosed vulnerability. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx?pubDate=2008-12-17

Microsoft Internet Explorer Invalid Pointer Reference Vulnerability

Summary:

A specially crafted HTML file can be handled improperly when parsed by Microsoft Internet Explorer, leading to execution of arbitrary code.

Impact:

Remote code execution.

Risk:

  • Critical

Affected Software:

For a list of Internet Explorer versions affected, please see the Microsoft Security Bulletin reference below.

Additional Information:

The vulnerability results from a failure to update an array length after a data-bound object is released by Internet Explorer. This memory space is then accessible to a remote attacker, who is able to crash Internet Explorer and execute arbitrary code.

Solutions:

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this invalid pointer reference vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.

References:

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-29.html

Microsoft Security Bulletin for December 2008

The table below lists the Microsoft vulnerabilities for December 2008.

| MS Bulletin Number | Microsoft Bulletin Title | Severity | Impact of Vulnerability | Affected Software | CVE ID |
|---|---|---|---|---|---|
| MS08-070 | Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349) | Critical | Remote Code Execution | Microsoft Developer Tools and Software, Microsoft Office | CVE-2008-3704, CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256 |
| MS08-071 | Vulnerabilities in GDI Could Allow Remote Code Execution (956802) | Critical | Remote Code Execution | Microsoft Windows | CVE-2008-2249, CVE-2008-3465 |
| MS08-072 | Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173) | Critical | Remote Code Execution | Microsoft Office | CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4028, CVE-2008-4030, CVE-2008-4031, CVE-2008-4837 |
| MS08-073 | Cumulative Security Update for Internet Explorer (958215) | Critical | Remote Code Execution | Microsoft Windows, Internet Explorer | CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, CVE-2008-4261 |
| MS08-074 | Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070) | Critical | Remote Code Execution | Microsoft Office | CVE-2008-4264, CVE-2008-4265, CVE-2008-4266 |
| MS08-075 | Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349) | Critical | Remote Code Execution | Microsoft Windows | CVE-2008-4268, CVE-2008-4269 |
| MS08-076 | Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807) | Important | Remote Code Execution | Microsoft Windows | CVE-2008-3009, CVE-2008-3010 |
| MS08-077 | Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175) | Important | Elevation of Privilege | Microsoft Office, Microsoft Server Software | CVE-2008-4032 |

Threat Remediation

Fortinet provides coverage on Microsoft vulnerabilities in December 2008

| CVE Number | Signature Name |
|---|---|
| CVE-2008-2249 | MS.GDI.WMF.META.DIBBITBLT.Heap.Overflow |
| CVE-2008-3010 | under analysis. |
| CVE-2008-3704 | MS.Visual.Studio.Msmask32.ActiveX.Control.Access |
| CVE-2008-4024 | MS.Word.PlfLfo.Memory.Corruption |
| CVE-2008-4025 | MS.Word.RTF.Parsing.Code.Execution |

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-28.html

Vulnerability in WordPad Text Converter Could Allow Remote Code Execution – 12/15/2008

Microsoft Security Advisory (960906): Vulnerability in WordPad Text Converter Could Allow Remote Code Execution – 12/15/2008

Revision Note: December 15, 2008: Updated the workaround, Disable the WordPad Text Converter for Word 97. Advisory Summary: Microsoft is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are not affected as these operating systems do not contain the vulnerable code.

URL: http://www.microsoft.com/technet/security/advisory/960906.mspx

Microsoft Security Bulletin Summary for December 2008

Posted by Microsoft on Dec 9

********************************************************************
Microsoft Security Bulletin Summary for December 2008
Issued: December 9, 2008
********************************************************************

This bulletin summary lists security bulletins released for
December 2008.

URL: http://seclists.org/microsoft/2008/q4/0004.html

Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)

MS08-077 – Important: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)

Bulletin Severity Rating: Important – This security update resolves a privately reported vulnerability. The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-077.mspx?pubDate=2008-12-09

Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)

MS08-076 – Important: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)

Bulletin Severity Rating: Important – This security update resolves two privately reported vulnerabilities in the following Windows Media components: Windows Media Player, Windows Media Format Runtime, and Windows Media Services. The most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx?pubDate=2008-12-09

Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)

MS08-075 – Critical: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)

Bulletin Severity Rating: Critical – This security update resolves two privately reported vulnerabilities in Windows Search. These vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx?pubDate=2008-12-09

Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)

MS08-074 – Critical: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)

Bulletin Severity Rating: Critical – This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx?pubDate=2008-12-09

Cumulative Security Update for Internet Explorer (958215)

MS08-073 – Critical: Cumulative Security Update for Internet Explorer (958215)

Bulletin Severity Rating: Critical – This security update resolves four privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx?pubDate=2008-12-09