CIAC's latest security bulletins. http://www.ciac.org/ciac/index.html A remote code execution vulnerability exists in the way that Microsoft XML Core Services parses XML content. The vulnerability could allow remote code execution if a user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://doecirc.energy.gov/ciac/bulletins/t-025.shtml 13 Nov 2008 15:00 GMT New Bulletin A remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol handles NTLM credentials when a user connects to an attacker's SMB server. This vulnerability allows an attacker to replay the user's credentials back to them and execute code in the context of the logged-on user. The risk is MEDIUM. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. http://doecirc.energy.gov/ciac/bulletins/t-024.shtml 13 Nov 2008 15:00 GMT New Bulletin Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances: 1) Windows NT domain authentication bypass; 2) IPv6 Denial of Service; and 3) Crypto Accelerator memory leak. NOTE: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. The risk is MEDIUM. A remote intruder could make a VPN connection to a network without needing to authenticate. http://doecirc.energy.gov/ciac/bulletins/t-023.shtml 6 Nov 2008 14:00 GMT New Bulletin Several vulnerabilities have been discovered in the OpenOffice.org office suite, in the WMF file parser and in the EMF file parser that can be triggered by manipulated WMF and EMF files and can lead to heap overflows and arbitrary code execution. The risk is MEDIUM. This can lead to heap overflows and arbitrary code execution. http://doecirc.energy.gov/ciac/bulletins/t-022.shtml 6 Nov 2008 14:00 GMT New Bulletin libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records. An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities. The risk is MEDIUM. This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2. http://doecirc.energy.gov/ciac/bulletins/t-021.shtml 6 Nov 2008 14:00 GMT New Bulletin Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. The risk is MEDIUM. A remote intruder who can get a user to open a malicious pdf file could run code as the logged-in user. http://doecirc.energy.gov/ciac/bulletins/t-020.shtml 6 Nov 2008 14:00 GMT New Bulletin It was discovered that libxml2, the GNOME XML library, didn't correctly handle long entity names. This could allow the execution of arbitrary code via a malicious XML file. The risk is MEDIUM. Coercing a user to open a specially crafted XML file, could allow an intruder to run arbitrary code with the permissions of the user. http://doecirc.energy.gov/ciac/bulletins/t-019.shtml 29 Oct 2008 19:00 GMT New Bulletin A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. The risk is HIGH. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://doecirc.energy.gov/ciac/bulletins/t-018.shtml 23 Oct 2008 17:00 GMT New Bulletin The Gear Software CD DVD Filter driver contains a privilege escalation vulnerability, which can allow an attacker to gain SYSTEM privileges. The risk is MEDIUM. An attacker may be able to execute code with SYSTEM privileges. http://doecirc.energy.gov/ciac/bulletins/t-017.shtml 15 Oct 2008 21:00 GMT New Bulletin The iseemedia LPViewer ActiveX control contains multiple stack buffer overflows, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The risk is MEDIUM. By cinvincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash. http://doecirc.energy.gov/ciac/bulletins/t-016.shtml 15 Oct 2008 21:00 GMT New Bulletin Acresso FLEXnet Connect executes scripts that are insecurely retrieved from a remote web server, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The risk is MEDIUM. By modifying the rule script that is sent to a FLEXnet Connect client, a remote unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. http://doecirc.energy.gov/ciac/bulletins/t-015.shtml 15 Oct 2008 21:00 GMT New Bulletin Cross-Site Scripting has become an increasingly prevalent attack vector that can be leveraged to perform a wide range of compromises. These compromises can range from simple popup displays within a user's browser to session and cookie capture that are used for information and identity theft. As these attacks become more mature, as well as obscure, it is imperative that we understand how they happen, how they propagate, and the ways to prevent them. By understanding the different vectors of attack and realizing and implementing simple security measures against them, we can better protect ourselves and our users now, and in the future. http://www.ciac.org/ciac/techbull/CIACTech08-003.shtml 3 Jun 2008 17:00 GMT New Bulletin Windows hash dumping tools are often spotlighted as hacker tools that can somehow magically extract windows hashes and allow an intruder access to a system. In actuality, the hashes are there, in memory, where any admin or system level user can get at them. The tools just grab them and print them out. This paper will describe how Windows hashes are created, how the hash dumpers get at them, and what can be done with the hashes. http://www.ciac.org/ciac/techbull/CIACTech08-002.shtml 21 May 2008 23:00 GMT New Bulletin Many websites use the PHP programming language to build web pages on the fly from individual files and from values obtained from a database. PHP based websites are widely used to create Wikis such as MediaWiki used for Wikipedia. If the PHP programs that generate the web pages are not carefully crafted to check user input before it is used, an intruder could inject code into a page and get it executed. http://www.ciac.org/ciac/techbull/CIACTech08-001.shtml 29 Jan 2008 18:00 GMT New Bulletin A common cyber attack is to send a user an Office document (Word, Excel, PowerPoint) containing malicious code that infects the user's computer and proceeds to do the miscreant's bidding. Targeting of users has gotten so sophisticated that advice such as "don't open files from people you don't know" is no longer effective. MOICE, the Microsoft Office Isolated Conversion Environment opens Office documents before the Office application, converts it to a format that does not "support" malcode and then invokes the application with the newly cleaned document. Properly implemented, this could mitigate attacks using email-borne Office malcode. http://www.ciac.org/ciac/techbull/CIACTech07-001.shtml 22 May 2007 23:00 GMT New Revised Bulletin SQL injection is a real threat that is being used to exploit company systems and data. This threat can be reduced by a combination of good programming practice, application firewalls, and scanning. http://www.ciac.org/ciac/techbull/CIACTech06-001.shtml 6 Sep 2006 21:00 GMT 28 Apr 2008 21:00 GMT Revised Bulletin Many sites have detected large numbers of udp packets directed at the DNS port (53). These packets contain a lot of structure and there is concern that they are exploit or remote control packets. It turns out that they are discovery packets being sent to random IP addresses by the Sinit Calypso worm. They are invalid DNS packets and should be ignored by DNS servers. http://www.ciac.org/ciac/techbull/CIACTech05-001.shtml 15 Nov 2004 20:00 GMT Before systems containing the MyDoom.A worm can be cleaned, they must be detected. As running a scanner on each system can be difficult and time consuming, a method of remote scanning for infected machines is needed. http://www.ciac.org/ciac/techbull/CIACTech04-001.shtml 30 Jan 2004 23:00 GMT New Bulletin A spam engine has been released that uses the Windows Messenger Service (not the MSN Messenger instant messaging program) to send spam messages to users. The Messenger service is active on most Windows platforms. http://www.ciac.org/ciac/techbull/CIACTech03-001.shtml 29 Oct 2002 24:00 GMT New Bulletin Several online articles have worried the problem of file capture using Microsoft Word field codes. The articles have gone so far as suggesting that Word be banned from company computers until this is changed. These articles have created undue worry among computer users about what is a relatively low risk vulnerability. http://www.ciac.org/ciac/techbull/CIACTech02-005.shtml 27 Sep 2002 24:00 GMT New Bulletin Programs are being intentionally packaged with legitimate software to display advertising on your screen, gather information on your browsing habits, and to sell your unused CPU cycles and disk space. Current applications are relatively benign but could easily be used for an invasion of privacy or other malicious purposes. http://www.ciac.org/ciac/techbull/CIACTech02-004.shtml 11 Nov 2002 23:00 GMT New Bulletin Microsoft Office for Macintosh OS X has an antipiracy mechanism that secretly opens network service ports on a Macintosh system and broadcasts version information to other systems on a single subnet. The problem is that open network services provide attack points for intruders and need to be controlled by users. http://www.ciac.org/ciac/techbull/CIACTech02-003.shtml 26 Apr 2002 00:00 GMT New Bulletin Browser Helper Objects (BHO) are Microsoft's way of attaching add-ins to Internet Explorer 4 and later. In addition to legitimate uses, BHOs are used to attach spyware to a user's web browser to secretly send a user's browsing habits to a marketing site and could be used for malicious code. The problems are that there is no simple way to know what BHOs are attached to a system and no simple way to control the attachment of new ones. http://www.ciac.org/ciac/techbull/CIACTech02-002.shtml 2 Apr 2002 23:00 GMT New Bulletin In recent months, many servers running ssh have been compromised using the SSH CRC32 Compensation Attack Detector. Compromised machines have either not been upgraded to SSH protocol 2 or have not disabled drop back to SSH protocol 1. Use of this attack allows a remote user to gain root access on a server. http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml 9 May 2002 19:00 GMT New Bulletin A remote code execution vulnerability exists in the SNA Remote Procedure Call (RPC) service for Host Integration Server. An attacker could exploit the vulnerability by constructing a specially crafted RPC request. The risk is HIGH. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://doecirc.energy.gov/ciac/bulletins/t-002.shtml 15 Oct 2008 14:00 GMT 30 Oct 2008 14:00 GMT Revised Bulletin Several remote code execution vulnerabilities exist in the way Microsoft Excel: 1) processes a VBA Performance Cache; 2) an improper memory allocationwhenloading Excel objects; and 3) a formula parsing vulnerability when parsing Microsoft Excel documents containing a specially crafted formula embedded inside a cell. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://doecirc.energy.gov/ciac/bulletins/t-003.shtml 15 Oct 2008 14:00 GMT 30 Oct 2008 14:00 GMT Revised Bulletin Remote code execution vulnerabilities exist in the way that GDI+ handles: 1) gradient sizes; 2) memory allocation; 3) parses GIF images; 4) allocates memory for WMF image files; and 5) integer calculations The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-372.shtml 9 Sep 2008 18:00 GMT 30 Oct 2008 18:00 GMT Revised Bulletin There are multiple remote code execution vulnerabilities in the Excel. An attacker could exploit the vulnerability by opening a specially crafted file which could be hosted on a Web site, or included as an e-mail attachment. The risk is MEDIUM. Depending on the attack scenario, the vulnerability could lead to remote code execution ona user's local Excel client, or it could lead to elevation of privilage within a SharePoint Server. http://www.ciac.org/ciac/bulletins/s-349.shtml 13 Aug 2008 17:00 GMT 29 Oct 2008 17:00 GMT Revised Bulletin Remote code vulnerabilities exist in the way Excel: 1) processes data validation records when loading Excel files into memory; 2) handles data when importing files into Excel; 3) Style record data when opening Excel files; 4) handles malformed formulas; 5) handles rich text values when loading application data into memory; 6) handles conditional formatting values; and 7) handles macros when opening specially crafted Excel files. The risk is MEDIUM. An attacker could exploit the vulnerabilities by sending malformed files which could be hosted on a specially crafted or compromised Web site, or included as an e-mail attachment. http://www.ciac.org/ciac/bulletins/s-227.shtml 14 Mar 2008 17:00 GMT 29 Oct 2008 17:00 GMT Revised Bulletin A remote code execution vulnerability exists on Windows systems running IIS with the internet printing service enabled. This issue could allow a remote, authenticated attacker to execute arbitrary code on an affected system. The risk is MEDIUM. This issue could allow a remote, authenticated attacker to execute arbitrary code on an affected system. http://doecirc.energy.gov/ciac/bulletins/t-007.shtml 15 Oct 2008 20:00 GMT 29 Oct 2008 20:00 GMT Revised Bulletin There are multiple remote code execution and information disclosure vulnerabilities in Internet Explorer which could allow an attacker to gain access to a browser window in another domain or Internet Explorer zone allowing remote code execution or information disclosure. The risk is MEDIUM. An attacker could exploit the vulnerability by constructing a specially crafted web page that could allow remote code execution or information disclosure, depending on the operation system, if a user viewed the Web page. http://doecirc.energy.gov/ciac/bulletins/t-004.shtml 15 Oct 2008 14:00 GMT 29 Oct 2008 14:00 GMT Revised Bulletin A remote code execution vulnerability exists inimplementations of Active Directory on Microsoft Windows 2000 Server. This could allow remote code execution. The risk is MEDIUM. The vulnerability is due to incorrect memory allocation when receiving specially crafted LDAP or LDAPS requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://doecirc.energy.gov/ciac/bulletins/t-005.shtml 15 Oct 2008 15:00 GMT 29 Oct 2008 15:00 GMT Revised Bulletin A remote code execution vulnerability exists in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. The risk is MEDIUM. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. http://www.ciac.org/ciac/bulletins/s-347.shtml 13 Aug 2008 17:00 GMT 29 Oct 2008 17:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted URLs using the OneNote protocol handler (onenote://). The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. The risk is MEDIUM. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. http://www.ciac.org/ciac/bulletins/s-375.shtml 9 Sep 2008 19:00 GMT 30 Sep 2008 19:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way that Word handles specially crafted Word files. The risk is MEDIUM. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed value. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. http://www.ciac.org/ciac/bulletins/s-175.shtml 12 Feb 2008 21:00 GMT 30 Sep 2008 21:00 GMT Revised Bulletin Multiple remote code execution vulnerabilities exists in the way that Microsoft Office PowerPoint Viewer 2003 handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. The risk is MEDIUM. An attacker who successfully exploited this vulnerabilities could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-354.shtml 13 Aug 2008 17:00 GMT 30 Sep 2008 17:00 GMT Revised Bulletin Several remote code execution vulnerabilities exists because the Microsoft Windows Event System does not correctly validate user subscriptions requests when created. The vulnerability could allow remote code execution. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-353.shtml 13 Aug 2008 17:00 GMT 30 Sep 2008 17:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way Microsoft Office Publisher validates application data when loading Publisher files to memory and memory index values. The risk is MEDIUM. An attacker could exploit the vulnerability by constructing a specially crafted Publisher (.pub) file. When a user views the .pub file, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. http://www.ciac.org/ciac/bulletins/s-178.shtml 13 Feb 2008 13:00 GMT 30 Sep 2008 13:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way Microsoft Project handles specially crafted Project files. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-253.shtml 9 Apr 2008 19:00 GMT 30 Sep 2008 19:00 GMT Revised Bulletin A buffer overflow vulnerability exists in an ActiveX control used by the WebEx Meeting manager. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the user client machine. The risk is MEDIUM. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the user client machine. http://www.ciac.org/ciac/bulletins/s-359.shtml 18 Aug 2008 18:00 GMT 10 Sep 2008 18:00 GMT Revised Bulletin A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles Advanced Systems Format (ASF) files. The risk is MEDIUM. A remote code execution vulnerability. http://www.ciac.org/ciac/bulletins/s-078.shtml 11 Dec 2007 21:00 GMT 10 Sep 2008 20:00 GMT Revised Bulletin A remote code execution vulnerability exists in the way that the VBScript and JScript scripting engines decode script in Web pages. This vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running specially crafted script. The risk is MEDIUM. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. http://www.ciac.org/ciac/bulletins/s-255.shtml 9 Apr 2008 20:00 GMT 10 Sep 2008 20:00 GMT Revised Bulletin There are updated kernel packages that fix various security issues and a bug that are available for Red Hat Enterprise Linux 5. The risk is LOW. This could allow a local unprivileged user to cause a heap overflow, gaining privileges for arbitrary code execution. http://www.ciac.org/ciac/bulletins/s-331.shtml 26 Jun 2008 19:00 GMT 10 Sep 2008 19:00 GMT Revised Bulletin Multiple remote code execution vulnerabilities exists in Internet Explorer due to attempts to access uninitialized memory incertain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. The risk is MEDIUM. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-in user. http://www.ciac.org/ciac/bulletins/s-351.shtml 13 Aug 2008 17:00 GMT 20 Aug 2008 17:00 GMT Revised Bulletin A spoofing vulnerability exists in Windows DNS client and Windows DNS server. This vulnerability could allow a remote unauthenticated attacker to quickly and reliably spoof responses and insert records into the DNS server or client cache, thereby redirecting Internet traffic. The risk is MEDIUM. This vulnerability could allow a remote unauthenticated attacker to quickly and reliably spoof responses and insert records into the DNS server or client cache, thereby redirecting Internet traffic. http://www.ciac.org/ciac/bulletins/s-332.shtml 8 Jul 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin Multiple issues were discovered in the gd GIF image-handling code. The risk is MEDIUM. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. http://www.ciac.org/ciac/bulletins/s-218.shtml 4 Mar 2008 16:00 GMT 18 Aug 2008 16:00 GMT Revised Bulletin Multiple interger overflows to a heap overflow were discovered in the array- and string-handling code used by Ruby. The risk is MEDIUM. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. http://www.ciac.org/ciac/bulletins/s-344.shtml 28 Jul 2008 19:00 GMT 18 Aug 2008 19:00 GMT Revised Bulletin Microsoft is investigating active, targeted attacks leveraging a potential vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. The risk is MEDIUM. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. http://www.ciac.org/ciac/bulletins/s-337.shtml 8 Jul 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin Multiple remote code execution vulnerabilities exists in the way that Microsoft Office filter handles images. An attacker could exploit the vulneraiblity by constructing a specially crafted Encapsulated PostScript (EPS) file that could allow remote code execution if a user opened the file with a Microsoft Office application. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability. http://www.ciac.org/ciac/bulletins/s-350.shtml 13 Aug 2008 17:00 GMT 18 Aug 2008 17:00 GMT Revised Bulletin There is a vulnerability in Firefox that could crash in Mozilla's block reflow code that could be used by an attacker to crash the browser and run arbitrary code on the victim's computer. The risk is MEDIUM. A remote, unauthenticated attacker may be able to execute arbitrary code or cause a vulnerable browser to crash. http://www.ciac.org/ciac/bulletins/s-335.shtml 8 Jul 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin There is a heap-based buffer overflow vulnerability in Mozilla mail code which could potentially allow an attacker to run arbitrary code. The risk is MEDIUM. COuld potentially allow an attacker to run arbitrary code. The vulnerability is caused by allocating a buffer that can be three bytes too small in certain cases when viewing an email message with an external MIME body. http://www.ciac.org/ciac/bulletins/s-207.shtml 27 Feb 2008 19:00 GMT 18 Aug 2008 19:00 GMT Revised Bulletin Several vulnerabilties exists in SQL Server that could allow a authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. The risk is MEDIUM. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. http://www.ciac.org/ciac/bulletins/s-334.shtml 8 Jul 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin An information disclosure vulnerability exists in the manner in which IPsec policies are imported to Windows Server 2008 domains from Windows Server 2003 domains. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text. This, in turn, would potentially disclose information intended to be encrypted on the network. The risk is LOW. An attacker intercepting the traffic on the network would be able to view and possibly modify the contents of the traffic. http://www.ciac.org/ciac/bulletins/s-355.shtml 13 Aug 2008 18:00 GMT 18 Aug 2008 18:00 GMT Revised Bulletin Several vulnerabilities have been discovered in the interpreter for the Python language which may lead to the execution of arbitrary code. The risk is MEDIUM. May lead to the execution of arbitrary code if a user is tricked into processing malformed images. http://www.ciac.org/ciac/bulletins/s-276.shtml 25 Apr 2008 12:00 GMT 18 Aug 2008 12:00 GMT Revised Bulletin