New Vulnerability Coverage
| Threat Type: | Multiple Vulnerabilities |
| IPS Definition Database Versions: | 2.476 - 2.481 |
| Coverage Release Date: | Mar 06, 2008 - Mar 18, 2008 |
| Published Date: | Wednesday, March 19, 2008 |
| Version #: | 1 |
| Severity | Number of Vulnerabilities | Active Exploitation |
| Critical | 23 | 8 |
| High | 20 | 8 |
| Medium | 14 | 5 |
| Low | 3 | 1 |
| Info | 4 | n/a |
| Total | 64 | 22 |
Foreword
The FortiGuard Global Threat Research Team has released new security content to cover
multiple vulnerabilities. The FortiGuard Team has observed
22 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at
www.fortiguardcenter.com.
Threat Remediation
Fortinet provides coverage for the vulnerabilities described below as of the
2.481 IPS Definitions database update.
A brief description of each vulnerability is provided as follows, in order of severity.
Critical ( 9 )
Description:
This indicates an attempt to exploit one of several buffer overflow vulnerabilities in Aurigma Image Uploader.
There are multiple stack-based buffer overflow vulnerabilities in an Aurigma Image Uploader ActiveX control, ImageUploader4.ocx, which is used by Facebook PhotoUploader. The vulnerabilities allow remote attackers to execute arbitrary code via overly long property values.
Affected Products:
Aurigma ImageUploader4 4.5.70.0 and 4.5.126.0
Aurigma ImageUploader4 4.6.17.0
Aurigma ImageUploader5 5.0.10.0
Facebook PhotoUploader 4.5.57.0
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in the Lianzong ActiveX control, part of a Chinese gaming platform.
The ActiveX control (CLSID:61F5C358-60FB-4A23-A312-D2B556620F20) is vulnerable to a buffer overflow attack through the "hgs_startgame()" and "hgs_startnotify()" functions. By passing an overly long string, a remote attacker can execute arbitrary code on vulnerable computers.
Affected Products:
GLWORLD.2.8.1.2.beta.
Reference IDs:
|
Description:
This indicates an attempt to exploit one of several integer overflow vulnerabilities in libFLAC.
LibFLAC is used by numerous media applications to decode Free Lossless Audio Codec (FLAC) files. There are numerous buffer overflow vulnerabilities in libFLAC. They result from the library's failure to bounds-check user-supplied information before placing it in memory. Successful exploitation may allow a remote attacker to execute arbitrary code on the victim system or cause a denial of service.
Affected Products:
Multiple Products
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in Lycos File Upload ActiveX control.
The vulnerability is caused by an input validation error when handling the "HandwriterFilename" property in the "FileUploader.FUploadCtl.1" ActiveX control in FileUploader.dll. It allows remote attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page.
Affected Products:
Lycos FileUploader.dll 2.0 2
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in the MySpace Uploader ActiveX Control.
The software is vulnerable to a buffer overflow when an attacker passes an overly long string to the 'Action' property. This can lead to arbitrary code execution on the target computer.
Affected Products:
MySpaceUploader.ocx version 1.0.0.4
MySpaceUploader.ocx version 1.0.0.5
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in GlobalLink's 'GLChat.ocx' ActiveX control.
The buffer overflow occurs when a long argument is passed to the 'ChatRoom' variable. An attacker can exploit this issue to execute arbitrary code on a target host or cause a denial of service by crashing the victim's web browser.
Affected Products:
GlobalLink 'GLChat.ocx' ActiveX control.
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in Persits Software's XUpload.
There is a buffer overflow vulnerability in the "AddFolder()" method of the XUpload control. It allows a remote attacker to execute arbitrary code via a crafted web page.
Affected Products:
Persits XUpload 2.1 1
HP LoadRunner 9.0 0
HP LoadRunner 8.1 0
Groove Networks Virtual Office 3.1.1 2390
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in Winamp versions before 5.52.
Winamp contains a vulnerability that can be exploited to cause a stack-based buffer overflow via overly long "" and "" tag values. The problem is in "in_mp3.dll" and occurs when constructing stream titles while parsing Ultravox streaming metadata.
Affected Products:
Winamp 5.21, 5.22, 5.23, 5.5, and 5.51.
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in WinCom LPD Total.
WinCom LPD Total is vulnerable to multiple buffer overflow exploits. By sending an overly long authentication packet to the remote administration service, an attacker may be able to execute arbitrary code.
Affected Products:
WinComLPD 3.0.2 and earlier.
Reference IDs:
|
High ( 13 )
Description:
This indicates an attempt to exploit an arbitrary command execution vulnerability in Comodo Antivirus.
The vulnerability is caused by an input validation error in the "Cavutil.Utility.1" ActiveX control, in the "ExecuteStr()" method. It allows remote attackers to execute arbitrary commands by tricking a user into visiting a specially crafted web page.
Affected Products:
Comodo AntiVirus 2.0
Reference IDs:
|
Description:
This indicates an attempt to exploit one of several remote command execution vulnerabilities in Coppermine Photo Gallery.
The vulnerabilities are caused by an error that occurs when the vulnerable software handles a malformed request. It allows a remote attacker to execute arbitrary code by sending a crafted request.
Affected Products:
Coppermine Photo Gallery version 1.4.4 and prior.
Reference IDs:
|
Description:
This indicates an attempt by the Finjan ActiveX control to create an arbitrary file on a vulnerable system.
The Finjan ActiveX control is used to demonstrate ActiveX vulnerabilities and test the security settings of a proprietary security product.
Affected Products:
Finjan ActiveX control 1.0.0.1
Reference IDs:
|
Description:
This indicates an attempt to exploit a memory corruption vulnerability in Firebird SQL.
There is a vulnerability in Firebird SQL that may allow remote attackers to trigger memory corruption. It can be exploited via crafted (1) op_receive, (2) op_start, (3) op_start_and_receive, (4) op_send, (5) op_start_and_send, or (6) op_start_send_and_receive XDR requests.
Affected Products:
Firebird SQL 1.0.3 and before. Firebird SQL 1.5.5 and before. Firebird SQL 2.0.3 and before. Firebird SQL 2.1.0 Beta 2 and before.
Reference IDs:
|
Description:
This indicates an attempt to exploit a code injection vulnerability in the Joomla! Search component.
The vulnerability is caused by the application's failure to validate the "searchword" parameter in the "components/com_search/views/search/tmpl/default_results.php" and "templates/beez/html/com_search/search/default_results.php" scripts. It allows remote attackers to execute arbitrary PHP code by sending a malicious request.
Affected Products:
Joomla version 1.5 beta 2 and prior.
Reference IDs:
|
Description:
This indicates a possible attempt to exploit one of several vulnerabilities in Mozilla Firefox and SeaMonkey.
The vulnerabilities are a result of memory corruption in the Layout Component. They may allow a remote attacker to crash the application, causing a Denial of Service.
Affected Products:
Mozilla Firefox before 2.0.0.10
SeaMonkey before 1.1.7.
Reference IDs:
|
Description:
This indicates a possible attempt to exploit a buffer overflow vulnerability in Mozilla Firefox, Thunderbird and SeaMonkey.
These Mozilla products fail to validate input passed to the 'stroke-width' variable in the '_cairo_pen_init' function, resulting in a heap overflow. With a specially crafted .svg file, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Affected Products:
Multiple Products
Reference IDs:
|
Description:
This indicates a possible attempt to exploit a remote code execution vulnerability in Internet Explorer.
A vulnerability in Microsoft Internet Explorer may make it possible for remote attackers to execute arbitrary code on vulnerable computer systems.
Affected Products:
Microsoft Internet Explorer.
|
Description:
This indicates an attempt to exploit a Denial of Service vulnerability in the DHCP service in Windows Vista.
An attacker can exploit the vulnerability by creating a specially crafted DHCP server that assigns the same broadcast IP address to multiple hosts. This will corrupt the network structure of the host, causing a crash.
Affected Products:
Windows Vista
Windows Vista x64 Edition
Reference IDs:
|
Description:
This indicates an attempt to exploit a local file inclusion vulnerability in PunBB.
PunBB has a local file inclusion vulnerability. It may allow a remote attacker to execute arbitrary scripts on a web server, with the privileges of the server. This can be accomplished via a specially crafted URL request to the 'register.php' script, using the 'language' parameter to specify a malicious PHP file from a remote system.
Affected Products:
PunBB version 1.2.13 and prior.
Reference IDs:
|
Description:
This indicates an attempt to exploit a PHP code injection vulnerability in TikiWiki.
The vulnerability is caused by failure to check user input in "tiki-graph_formula.php". It allows remote attackers to execute arbitrary PHP code via the "f" array parameter.
Affected Products:
TikiWiki Project, TikiWiki 1.9.8
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in Yahoo! Music Jukebox 2.2.
The vulnerability is caused by an error that occurs when the software handles a malicious "AddImage" method. It allows a remote attacker to execute arbitrary code via a crafted web page.
Affected Products:
Yahoo! Music Jukebox 2.2
Reference IDs:
|
Description:
This indicates an attempt to exploit a buffer overflow vulnerability in Yahoo! Music Jukebox 2.2.
The vulnerability is caused by an error that occurs when the software handles a malicious "AddBitmap" method. It allows a remote attacker to execute arbitrary code via a crafted web page.
Affected Products:
Yahoo! Music Jukebox 2.2
Reference IDs:
|
Medium ( 4 )
Description:
This indicates an attempt to exploit a denial of service vulnerability in Apple iPhone Mobile Safari.
Apple iPhone Mobile Safari is vulnerable to a memory exhaustion exploit, due to a design error in the way memory is allocated from JavaScript code. An attacker can lure a user into visiting a malicious web site to disrupt normal use of the targeted device.
Affected Products:
Apple iPhone 1.1.2 and older.
Reference IDs:
|
Description:
This indicates an attempt to exploit a denial of service vulnerability in the GDI functions in Microsoft Windows.
The vulnerability is caused by an error that occurs when the vulnerable software handles a malicious WMF file. It allows a remote attacker to cause a denial of service.
Affected Products:
Microsoft Windows
Reference IDs:
|
Description:
This indicates an attempt to exploit an arbitrary Java code execution vulnerability in OpenOffice.org (OOo).
The vulnerability is caused by an error that occurs when the vulnerable software handles malicious database documents. It allows a remote attacker to execute arbitrary Java code via crafted database documents.
Affected Products:
OpenOffice.org versions prior to 2.3.1
Reference IDs:
|
Description:
This indicates an attempt to exploit one of several remote file inclusion vulnerabilities in phpBG.
The vulnerabilities can be exploited via a specially crafted URL request to 'intern/admin/other/backup.php', 'intern/admin/', 'intern/clan/member_add.php', 'intern/config/key_2.php' or 'intern/config/forum.php'. The request must have the 'set_depth' parameter set to specify a malicious PHP file from a remote system. As a result, a remote attacker can execute arbitrary script code on the web server with the privileges of the server.
Affected Products:
phpBG version 0.9.1
Reference IDs:
|
Low ( 1 )
MS.IE.MHTMLFile.DoS
Event ID: 15453
Release Date: Mar 11, 2008
IPS Definitions Database Version: 2.478
Description:
This indicates an attempt to exploit a Denial of Service vulnerability in Microsoft Internet Explorer.
The vulnerability is due to a NULL pointer dereference error in the "mhtmlfile" object that can occur when setting a "location" or "URL" property. This can be exploited by attackers to crash a vulnerable browser, by tricking a user into visiting a malicious web page.
Affected Products:
Internet Explorer 6 SP2
Reference IDs:
|
Enhanced Coverage
The FortiGuard Threat Research team updates security content as new
vectors of exploitation are discovered. The table below details the
security content enhanced with this release.
Critical ( 14 )
High ( 7 )
Medium ( 10 )
Low ( 2 )
Info ( 4 )
Active Exploitation
The FortiGuard Threat Research team uses globally distributed probes
to monitor exploit activity. Vulnerabilities can be classified as
active and given a magnitude level. The magnitude level is the rate
of activity across the probes. The value of the magnitude is set to
low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin
and their corresponding exploit activity magnitude. The data below is
as of this writing.
Critical ( 8 of 22 )
High ( 8 of 20 )
Medium ( 5 of 13 )
Low ( 1 of 3 )
Document History
| Revision Date | Version Number | |
| Wednesday, March 19, 2008 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.