FGCenter - Latest Threats, Advisories, Reports and News http://www.fortiguardcenter.com/ en Copyright 2009 Fortinet Inc. All Rights Reserved Fri, 03 Jul 2009 11:29:54 -0800 Threatscape Report - June 2009 Edition

Table of Contents:


FortiGuard Global Threat Research

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
RankVulnerabilityPercentageSeverity
1MS.Windows.MSDTC.Heap.Overflow13.3Medium
2MS.SQL.Server.Empty.Passwor10.0High
3MS.DCERPC.NETAPI32.Buffer.Overflow6.9Critical
4SSLv3.SessionID.Overflow5.5High
5HTTP.URI.Overflow4.7Critical
6MS.Windows.NAT.Helper.DNS.Query.DoS4.5High
7MS.Exchange.Mail.Calender.Buffer.Overflow3.5High
8MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow2.6High
9MS.Windows.Messenger.Service.Buffer.Overflow1.4High
10FTP_bounce_attack1.2High



Figure 1a: Top 5 regions by detected exploit attempts


New Vulnerability Coverage



There were a total of 108 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 62 were reported to be actively exploited (57.4%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

RankMalware VariantPercentageTop 100 Shift
1 W32/OnlineGames.BBR!tr14.3new
2W32/Zbot.M!tr.pws11.4+55
3W32/Zbot.V!tr.pws7.5new
4W32/Virut.A7.5-2
5JS/PackRedir.A!tr.dldr4.2+36
6HTML/Iframe.DN!tr.dldr3.2-3
7Adware/AdClicker2.9-2
8W32/FraudLoad.EPB!tr2.8new
9W32/Dloadr.CMV!tr2.6new
10W32/Dropper.PTD!tr2.6-9
APSB09-07).
  • # The FortiGuard Global Security Research Team released the IPS signature "Adobe.Reader.Acrobat.TrueType.Font.Handling.Memory.Corruption", which covers this specific vulnerability.

    • Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgment:
    • Haifei Li of Fortinet's FortiGuard Global Security Research Team
    ]]> http://www.fortiguardcenter.com/advisory/FGA-2009-25.html http://www.fortiguardcenter.com/advisory/FGA-2009-25.html Wed, 10 Jun 2009 00:00:00 -0800 Memory Corruption Vulnerability in Apple Safari Summary:

    A memory corruption vulnerability exists in Apple Safari which allows a remote attacker to execute arbitrary code through a malicious webpage.

    Impact:

    Remote Code Execution.

    Risk:

    Critical.

    Affected Software:

    For a list of product versions affected, please see the Apple Security Update reference below.

    Additional Information:

    The memory corruption vulnerability occurs when handling HTML table elements. A remote attacker may craft a malicious webpage and lure an unsuspecting user. When the page is viewed and these elements are processed, arbitrary code execution may occur resulting in the victims machine being compromised.

    Solutions:
    • Apple security updates are available via their Software Update mechanism
    • Apple security updates are available for manual download here.
    • The FortiGuard Global Security Research Team released a signature "DHTML.Malicious.Table.Elements", which covers this specific vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgment:
    • Haifei Li of Fortinet's FortiGuard Global Security Research Team
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-23.html http://www.fortiguardcenter.com/advisory/FGA-2009-23.html Tue, 09 Jun 2009 00:00:00 -0800     Memory Corruption Vulnerability in Microsoft's Internet Explorer Summary:

    A memory corruption vulnerability exists in the DHTML handling of Microsoft's Internet Explorer which allows a remote attacker to compromise a system through a malicious site.

    Impact:

    Remote Code Execution.

    Risk:

    Critical.

    Affected Software:

    For a list of operating system and product versions affected, please see the Microsoft Bulletin reference below.

    Additional Information:

    The vulnerability occurs when Internet Explorer processes special DHTML functions. A crash may happen when destroying a window after making a sequence of calls on the "tr" element. These calls are linked to the insertion, deletion and attributes of a table cell. The crash may then allow the arbitrary execution of code on the browsers machine.

    Solutions:
    • Use the solution provided by Microsoft (MS09-019).
    • The FortiGuard Global Security Research Team released a signature "MS.IE.DHTML.Function.Remote.Code.Execution", which covers this specific vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgment:
    • Haifei Li of Fortinet's FortiGuard Global Security Research Team
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-22.html http://www.fortiguardcenter.com/advisory/FGA-2009-22.html Tue, 09 Jun 2009 00:00:00 -0800     Microsoft Security Bulletin for June 2009
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS09-018Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)CriticalRemote Code ExecutionMicrosoft Windows 2009-1138 2009-1139
    MS09-022Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)CriticalRemote Code ExecutionMicrosoft Windows 2009-0228 2009-0229 2009-0230
    MS09-019Cumulative Security Update for Internet Explorer (969897)CriticalRemote Code ExecutionMicrosoft Windows, Internet Explorer 2007-3091 2009-1140 2009-1141 2009-1528 2009-1529 2009-1530 2009-1531 2009-1532
    MS09-027Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)CriticalRemote Code ExecutionMicrosoft Office 2009-0563 2009-0565
    MS09-021Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)CriticalRemote Code ExecutionMicrosoft Office 2009-0549 2009-0557 2009-0558 2009-0559 2009-0560 2009-0561 2009-1134
    MS09-024Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)CriticalRemote Code ExecutionMicrosoft Office 2009-1533
    MS09-026Vulnerability in RPC Could Allow Elevation of Privilege (970238)ImportantElevation of PrivilegeMicrosoft Windows 2009-0568
    MS09-025Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)ImportantElevation of PrivilegeMicrosoft Windows 2009-1123 2009-1124 2009-1125 2009-1126
    MS09-020Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)ImportantElevation of PrivilegeMicrosoft Windows 2009-1122 2009-1535
    MS09-023Vulnerability in Windows Search Could Allow Information Disclosure (963093)ModerateInformation DisclosureMicrosoft Windows 2009-0239


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities in June 2009.

    CVE NumberSignature Name
    CVE-2007-3091MS.IE.Javascript.Cross.Domain.Information.Disclosure
    CVE-2009-0228MS.Windows.Print.Spooler.Buffer.Overflow
    http://www.fortiguardcenter.com/advisory/FGA-2009-24.html http://www.fortiguardcenter.com/advisory/FGA-2009-24.html Tue, 09 Jun 2009 00:00:00 -0800 Multiple Memory Corruption Vulnerabilities in Microsoft Office Excel Summary:

    Three memory corruption vulnerabilities exist in Microsoft Office Excel which allows a remote attacker to compromise a system through a malicious document.

    Impact:

    Remote Code Execution.

    Risk:

    Critical.

    Affected Software:

    For a list of operating system and product versions affected, please see the Microsoft Bulletin reference below.

    Additional Information:

    All the three vulnerabilities lies in "excel.exe", which is used when processing an Excel file. A maliciously crafted document may contain a malformed 1) BRAI(0x1051) record or 2)Object (0x5d) record or 3)Formula record (0x06) that when processed, will result in memory corruption and allow a remote attacker to arbitrarily execute code on the victims machine.

    Solutions:
    • Use the solution provided by Microsoft (MS09-021).
    • The FortiGuard Global Security Research Team released signatures "MS.Excel.Record.Pointer.Code.Execution" and "MS.Excel.Field.Sanitization.Memory.Corruption, which cover the specific vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgment:
    • Bing Liu of Fortinet's FortiGuard Global Security Research Team
    ]]> http://www.fortiguardcenter.com/advisory/FGA-2009-21.html http://www.fortiguardcenter.com/advisory/FGA-2009-21.html Tue, 09 Jun 2009 00:00:00 -0800 Microsoft DirectShow Remote Code Execution Vulnerability Summary:

    Fortinet's FortiGuard Global Security Research Team investigates a vulnerability in Microsoft DirectX (DirectShow) through a specially crafted QuickTime media file.

    Impact:

    Remote Code Execution.

    Affected Software:
    • DirectX 7.0 on Microsoft Windows 2000 Service Pack 4
    • DirectX 8.1 on Microsoft Windows 2000 Service Pack 4
    • DirectX 9.0 on Microsoft Windows 2000 Service Pack 4
    • DirectX 9.0 on Windows XP Service Pack 2 and Windows XP Service Pack 3
    • DirectX 9.0 on Windows XP Professional x64 Edition Service Pack 2
    • DirectX 9.0 on Windows Server 2003 Service Pack 2
    • DirectX 9.0 on Windows Server 2003 x64 Edition Service Pack 2
    • DirectX 9.0 on Windows Server 2003 with SP2 for Itanium-based Systems

    Solutions:
    • The FortiGuard Global Security Research Team released a signature "MS.DirectShow.NULL.Byte.Overwrite", which covers this specific vulnerability.

    The FortiGuard Global Security Research Team continues to monitor attacks against this vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this remote code execution vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-20.html http://www.fortiguardcenter.com/advisory/FGA-2009-20.html Fri, 29 May 2009 00:00:00 -0800     Threatscape Report - May 2009 Edition

    Table of Contents:


    FortiGuard Global Threat Research

    Exploits and Intrusion Prevention



    Top 10 Exploitations & Regions



    Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
    RankVulnerabilityPercentageSeverity
    1MS.DCERPC.NETAPI32.Buffer.Overflow8.2Critical
    2SSLv3.SessionID.Overflow6.8High
    3MS.Windows.NAT.Helper.DNS.Query.DoS5.9High
    4MS.Windows.MSDTC.Heap.Overflow5.9Medium
    5MS.Exchange.Mail.Calender.Buffer.Overflow4.2High
    6MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow3.7High
    7MS.SQL.Server.Empty.Password3.0High
    8MS.IE.HTML.Attribute.Buffer.Overflow2.1High
    9Multiple.Vendor.ICMP.Remote.DoS1.7Low
    10MS.Windows.ASN.1.Bitstring.Overflow1.6High



    Figure 1a: Top 5 regions by detected exploit attempts


    New Vulnerability Coverage



    There were a total of 140 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 65 were reported to be actively exploited (46.4%).

    Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1b: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    RankMalware VariantPercentageTop 100 Shift
    1W32/Dropper.PTD!tr34.5+1
    2W32/Virut.A7.7-1
    3HTML/Iframe.DN!tr.dldr4.2+3
    4W32/Netsky!similar3.2+3
    5Adware/AdClicker3.2+4
    6HTML/Iframe_CID!exploit3.0+2
    7W32/PackWaledac.B2.8new
    8W32/MyTob.fam@mm1.7+2
    9W32/Delf.AYO!tr1.2+6
    10W32/Virut.E1.1+27
    MS.IIS.WebDAV.Authentication.Bypass", which covers this specific vulnerability.
    The FortiGuard Global Security Research Team continues to monitor attacks against this vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this elevation of privilege vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    ]]> http://www.fortiguardcenter.com/advisory/FGA-2009-19.html http://www.fortiguardcenter.com/advisory/FGA-2009-19.html Tue, 19 May 2009 00:00:00 -0800 Microsoft Security Bulletin for May 2009
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS09-017Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)CriticalRemote Code ExecutionMicrosoft Office 2009-0220 2009-0221 2009-0222 2009-0223 2009-0224 2009-0225 2009-0226 2009-0227 2009-0556 2009-1128 2009-1129 2009-1130 2009-1131 2009-1137


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities in May 2009.

    CVE NumberSignature Name
    CVE-2009-0220MS.PowerPoint.PP4X322.DLL.Code.Execution
    CVE-2009-0221MS.PowerPoint.Atom.Integer.Overflow
    CVE-2009-0222MS.PowerPoint.PP4X322.DLL.PackedData.Buffer.Overflow
    CVE-2009-0223MS.Powerpoint.Converter.Code.Execution
    CVE-2009-0224MS.Powerpoint.Objects.Size.Heap.Overflow
    CVE-2009-0225MS.Powerpoint.Old.File.Format.Parsing.Code.Execution
    CVE-2009-0226MS.PowerPoint.File.Format.Converter.Code.Execution
    CVE-2009-0227MS.PowerPoint.File.Stack.Buffer.Overrun
    CVE-2009-0556MS.PowerPoint.OutlineTextRefAtom.Memory.Corruption
    CVE-2009-1128MS.PowerPoint.PSTSoundEntity.Code.Execution
    CVE-2009-1129MS.PowerPoint.PSTExEmbed.Code.Execution
    CVE-2009-1130MS.PowerPoint.HashCode10.Code.Execution
    CVE-2009-1131MS.PowerPoint.CurrentUserAtom.Remote.Code.Execution

    For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.


    Document History


    Revision DateVersion Number
    Tuesday, May 12, 20091Initial Documentation.


    Reference:
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-18.html http://www.fortiguardcenter.com/advisory/FGA-2009-18.html Tue, 12 May 2009 00:00:00 -0800     Threatscape Report - April 2009 Edition

    Table of Contents:


    FortiGuard Global Threat Research

    Exploits and Intrusion Prevention



    Top 10 Exploitations & Regions



    Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
    RankVulnerabilityPercentageSeverity
    1SSLv3.SessionID.Overflow9.3High
    2SMS.SQL.Server.Empty.Password8.4High
    3MS.DCERPC.NETAPI32.Buffer.Overflow5.5Critical
    4MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow4.6High
    5MS.IE.HTML.Attribute.Buffer.Overflow4.0High
    6MS.Windows.NAT.Helper.DNS.Query.DoS3.7High
    7MS.Windows.ASN.1.Bitstring.Overflow1.4High
    8FTP.Bounce.Attack1.2High
    9LPD.Command.Buffer.Overflow1.0High
    10Oracle.sys.pbsde.init.Buffer.Overflow0.9Medium



    Figure 1a: Top 5 regions by detected exploit attempts


    New Vulnerability Coverage



    There were a total of 96 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 30 were reported to be actively exploited (31.3%).

    Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1b: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    RankMalware VariantPercentageTop 100 Shift
    1W32/Virut.A8.2-
    2W32/Dropper.PTD!tr6.2new
    3W32/OnlineGames.MIG!tr.pws5.7new
    4Spy/OnLineGames5.6+1
    5W32/Agent.JNR!tr4.8new
    6HTML/Iframe.DN!tr.dldr4.8-3
    7W32/Netsky!similar4.2-5
    8HTML/Iframe_CID!exploit3.8-4
    9Adware/AdClicker3.0new
    10W32/MyTob.fam@mm2.8-3
    provided by HP.
  • The FortiGuard Global Security Research Team released the signature "HP.StorageWorks.Storage.Mirroring.Auto.Discovery.Heap.Overflow".

    • Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this buffer overflow vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgement:
    • Zhenhua Liu, Junfeng Jia, and Xiaopeng Zhang of Fortinet's FortiGuard Global Security Research Team
    ]]> http://www.fortiguardcenter.com/advisory/FGA-2009-17.html http://www.fortiguardcenter.com/advisory/FGA-2009-17.html Tue, 21 Apr 2009 00:00:00 -0800 Microsoft Office Excel Memory Corruption Vulnerability Summary:

    Fortinet's FortiGuard Global Security Research Team Discovers Memory Corruption Vulnerability in Microsoft Office Excel.

    Impact:

    Remote code execution.

    Risk:
    • Critical

    Affected Software:

    For a list of operating system and product versions affected, please see the Microsoft Bulletin reference below.

    Additional Information:

    The vulnerability lies in "excel.exe", which is used when processing an Excel file. A maliciously crafted document will cause Excel to crash when processing. The crash occurs while calculating memory using an offset and a two-byte value contained in the document. If the two-byte value is set to a high value, an overflow condition will occur during memory calculation. A remote attacker can potentially control the memory referenced as a result of the overflow to alter program flow, and execute arbitrary code on a victims machine.

    Solutions:
    • Use the solution provided by Microsoft (MS09-009).
    • The FortiGuard Global Security Research Team released a signature "MS.Excel.OBJ.Subrecord.Code.Execution", which covers this specific vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgement:
    • Haifei Li of Fortinet's FortiGuard Global Security Research Team
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-16.html http://www.fortiguardcenter.com/advisory/FGA-2009-16.html Tue, 14 Apr 2009 00:00:00 -0800     Microsoft Security Bulletin for April 2009
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS09-009 Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557) Critical Remote Code Execution Microsoft Office CVE-2009-0100
    MS09-010 Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477) Critical Remote Code Execution Microsoft Windows, Microsoft Office CVE-2008-4841 CVE-2009-0087 CVE-2009-0088 CVE-2009-0235
    MS09-011 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373) Critical Remote Code Execution Microsoft Windows CVE-2009-0084
    MS09-012 Vulnerabilities in Windows Could Allow Elevation of Privilege (959454) Important Elevation of Privilege Microsoft Windows CVE-2008-1436 CVE-2009-0078 CVE-2009-0079 CVE-2009-0080
    MS09-013 Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803) Critical Remote Code Execution Microsoft Windows CVE-2009-0086 CVE-2009-0089 CVE-2009-0550
    MS09-014 Cumulative Security Update for Internet Explorer (963027) Critical Remote Code Execution Microsoft Windows, Internet Explorer CVE-2008-2540 CVE-2009-0550 CVE-2009-0551 CVE-2009-0552 CVE-2009-0553 CVE-2009-0554
    MS09-015 Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426) Moderate Elevation of Privilege Microsoft Windows CVE-2008-2540
    MS09-016 Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759) Important Denial of Service Microsoft Forefront Edge Security CVE-2009-0077 CVE-2009-0237


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities in April 2009.

    CVE NumberSignature Name
    CVE-2008-1436 ASPXSpy.Detection
    CVE-2008-2540 Apple.Safari.Windows.Platform.Arbitrary.File.Download
    CVE-2008-4841 MS.Windows.WordPad.Converter.Code.Execution
    CVE-2009-0077 MS.ISA.Server.Forefront.Threat.Management.Gateway.DoS
    CVE-2009-0078 ASPXSpy.Detection
    CVE-2009-0079 ASPXSpy.Detection

    Solutions:

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgement:
    • Fortinet's FortiGuard Global Security Research Team
    ]]> http://www.fortiguardcenter.com/advisory/FGA-2009-15.html http://www.fortiguardcenter.com/advisory/FGA-2009-15.html Tue, 14 Apr 2009 00:00:00 -0800 EMC RepliStor Buffer Overflow Vulnerability Summary:

    Fortinet's FortiGuard Global Security Research Team has discovered a buffer overflow vulnerability in EMC RepliStor.

    Impact:

    Remote code execution.

    Risk:
    • Critical
    Affected Software:
    • EMC RepliStor 6.2 SP4 and earlier
    • EMC RepliStor 6.3 SP1 and earlier
    Additional Information:

    A remote, unauthenticated user may connect over TCP to the "ctrlservice.exe" or "rep_srv.exe" process and send a specially-crafted message to cause a heap based buffer overflow, which can result in arbitrary code execution.

    Solutions:
    • The FortiGuard Global Security Research Team released the signature "EMC.RepliStor.Integer.Overflow"
    • Users should use EMC's Powerlink solution to upgrade to the following EMC RepliStor products:
      • RepliStor 6.2 SP5: Navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads P-R >RepliStor 6.2 SP5
      • RepliStor 6.3 SP2: Navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads P-R >RepliStor 6.3 SP2
    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this buffer overflow vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    Acknowledgment:
    • Xiaopeng Zhang and Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-13.html http://www.fortiguardcenter.com/advisory/FGA-2009-13.html Wed, 08 Apr 2009 00:00:00 -0800     Microsoft PowerPoint Invalid Object Remote Code Execution Vulnerability (969136) Summary:

    A maliciously crafted Microsoft PowerPoint file may lead to execution of arbitrary code when opened by a potential victim.

    Impact:

    Remote code execution.

    Risk:
    • Critical

    Affected Software:

    • Microsoft Office PowerPoint 2000 Service Pack 3
    • Microsoft Office PowerPoint 2002 Service Pack 3
    • Microsoft Office PowerPoint 2003 Service Pack 3
    • Microsoft Office 2004 for Mac

    Solutions:
    • The FortiGuard Global Security Research Team released the IPS signature "MS.PowerPoint.OutlineTextRefAtom.Memory.Corruption", which covers this specific vulnerability.

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this invalid object vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-12.html http://www.fortiguardcenter.com/advisory/FGA-2009-12.html Fri, 03 Apr 2009 00:00:00 -0800     Threatscape Report - March 2009 Edition

    Table of Contents:


    FortiGuard Global Threat Research

    Exploits and Intrusion Prevention



    Top 10 Exploitations & Regions



    Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
    RankVulnerabilityPercentageSeverity
    1Trojan.Storm.Worm.Krackin.Detection62.6High
    2SSLv3.SessionID.Overflow 3.1High
    3Oracle.sys.pbsde.init.Buffer.Overflow2.2Medium
    4MS.DCERPC.NETAPI32.Buffer.Overflow2.0Critical
    5MS.IIS.Web.Application.SourceCode.Disclosure2.0Medium
    6MS.Exchange.Mail.Calender.Buffer.Overflow1.6High
    7MS.IE.HTML.Attribute.Buffer.Overflow1.3High
    8MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow1.3High
    9MS.Windows.NAT.Helper.DNS.Query.DoS 1.0High
    10MS.CMM.ICC.Profile.Buffer.Overflow0.8High



    Figure 1a: Top 5 regions by detected exploit attempts


    New Vulnerability Coverage



    There were a total of 85 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 14 were reported to be actively exploited (16.5%).

    Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1b: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    RankMalware VariantPercentageTop 100 Shift
    1W32/Virut.A9.2+1
    2W32/Netsky!similar8.3-1
    3HTML/Iframe.DN!tr.dldr7.9+1
    4 HTML/Iframe_CID!exploit7.5-1
    5Spy/OnLineGames 6.6-
    6W32/MyTob.FR@mm3.1+7
    7W32/MyTob.fam@mm2.6-1
    8W32/Delf.AYO!tr2.5+8
    9Adware/Bdsearch1.9+10
    10W32/Basine.C!tr.dldr1.6-1
    http://support.apple.com/kb/HT3487
  • Apple Security Updates: http://support.apple.com/kb/ht1222
  • CVE ID: CVE-2009-0016

    • Acknowledgement:
    • Xiaopeng Zhang, Zhenhua Liu, and Junfeng Jia of Fortinet's FortiGuard Global Security Research Team
    ]]> http://www.fortiguardcenter.com/advisory/FGA-2009-11.html http://www.fortiguardcenter.com/advisory/FGA-2009-11.html Thu, 12 Mar 2009 00:00:00 -0800 Microsoft Security Bulletin for March 2009
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS09-006Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)CriticalRemote Code ExecutionMicrosoft WindowsCVE-2009-0081 CVE-2009-0082 CVE-2009-0083
    MS09-007Vulnerability in SChannel Could Allow Spoofing (960225)ImportantSpoofingMicrosoft WindowsCVE-2009-0085
    MS09-008Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)ImportantSpoofingMicrosoft WindowsCVE-2009-0093 CVE-2009-0094 CVE-2009-0233CVE-2009-0234


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities in March 2009.

    CVE NumberSignature Name
    CVE-2009-0081MS.Kernel.GDI32.POLYLINE.Code.Execution
    CVE-2009-0082local vulnerability
    CVE-2009-0083local vulnerability
    CVE-2009-0093MS.Windows.DNS.Server.WPAD.Registration.Spoofing
    CVE-2009-0094MS.Windows.WINS.Server.WPAD.Registration.Spoofing
    CVE-2009-0233covered by tuning the threshold of udp_dst_session in DoS sensor
    CVE-2009-0234covered by tuning the threshold of udp_dst_session in DoS sensor

    For more information on new and enhanced signatures, visit theIPS Service Update History.If you require more information, contact the FortiGuard Team using ourContact Us web page.


    Document History


    Revision DateVersion Number
    Tuesday, March 10, 20091Initial Documentation.


    Reference:
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-10.html http://www.fortiguardcenter.com/advisory/FGA-2009-10.html Tue, 10 Mar 2009 00:00:00 -0800     Adobe Reader / Acrobat Memory Corruption Vulnerability Summary:

    Fortinet's FortiGuard Global Security Research Team protects against a memory corruption vulnerability in Adobe Reader / Acrobat.

    Impact:

    Remote code execution.

    Risk:
    • Critical

    Affected Software:

    • Adobe Reader 9 and earlier versions
    • Adobe Acrobat Standard, Pro, and Pro Extended 9 and earlier versions

    Solutions:

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-09.html http://www.fortiguardcenter.com/advisory/FGA-2009-09.html Fri, 27 Feb 2009 00:00:00 -0800     Threatscape Report - February 2009 Edition

    Table of Contents:


    FortiGuard Global Threat Research

    Exploits and Intrusion Prevention



    Top 10 Exploitations & Regions



    Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
    RankVulnerabilityPercentageSeverity
    1Trojan.Storm.Worm.Krackin.Detection62.7High
    2MS.IIS.Web.Application.SourceCode.Disclosure3.0Medium
    3SSLv3.SessionID.Overflow2.2High
    4MS.DCERPC.NETAPI32.Buffer.Overflow2.0Critical
    5MS.Exchange.Mail.Calender.Buffer.Overflow1.5High
    6SSH.Client.Buffer.Overflow1.2High
    7MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow1.2High
    8MS.IE.HTML.Attribute.Buffer.Overflow 1.1High
    9MS.Windows.NAT.Helper.DNS.Query.DoS0.9High
    10Squid.NTLM.Authentication.Buffer.Overflow0.5Critical



    Figure 1a: Top 5 regions by detected exploit attempts


    New Vulnerability Coverage



    There were a total of 117 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 30 were reported to be actively exploited (25.6%).

    Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1b: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    RankMalware VariantPercentageTop 100 Shift
    1W32/Netsky!similar9.3+1
    2W32/Virut.A7.8+1
    3HTML/Iframe_CID!exploit7.8+2
    4HTML/Iframe.DN!tr.dldr6.3-
    5Spy/OnLineGames 6.0-4
    6W32/MyTob.fam@mm3.5+5
    7W32/MyTob.BH.fam@mm2.5-
    8W32/PWS.Y!tr 2.2+29
    9W32/Basine.C!tr.dldr2.1+1
    10W32/MyTob.AQ@mm2.0-1
    http://www.fortiguardcenter.com/reports/roundup_feb_2009.html http://www.fortiguardcenter.com/reports/roundup_feb_2009.html Fri, 27 Feb 2009 00:00:00 -0800 Microsoft Excel Invalid Object Remote Code Execution Vulnerability Summary:

    Fortinet's FortiGuard Global Security Research Team protects against an invalid object error in Microsoft Excel.

    Impact:

    Remote code execution.

    Risk:
    • Critical

    Affected Software:

    • Microsoft Office Excel 2000 Service Pack 3
    • Microsoft Office Excel 2002 Service Pack 3
    • Microsoft Office Excel 2003 Service Pack 3
    • Microsoft Office Excel 2007 Service Pack 1
    • Microsoft Office Excel Viewer 2003
    • Microsoft Office Excel Viewer 2003 Service Pack 3
    • Microsoft Office Excel Viewer
    • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
    • Microsoft Office 2004 for Mac
    • Microsoft Office 2008 for Mac
    • Open XML File Format Converter for Mac

    Solutions:

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this invalid object vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:
    ]]> http://www.fortiguardcenter.com/advisory/FGA-2009-08.html http://www.fortiguardcenter.com/advisory/FGA-2009-08.html Thu, 26 Feb 2009 00:00:00 -0800 Fortinet Investigates a New SMS Mobile Worm: Yxes.A
    This new worm, deemed SymbOS/Yxes.A!worm (also known as "Sexy View"), is targeting mobile devices running SymbianOS S60 3rd Edition (eg: Nokia 3250), but may run on a wider range of devices, as it has been reported to function on phones operating SymbianOS S60 3rd edition FP 1 (eg: Nokia N73). It bears a valid certificate signed by Symbian, and installs as a valid application on factory mobile devices running S60 3rd Edition.

    It gathers phone numbers from the infected device's file system, and repeatedly attempts to send SMS messages to those. The messages feature a malicious Web address (URL); upon "clicking" on the address in the received message, the recipients will download a copy of the worm (provided their phones/subscriptions allow for internet browsing).

    Beyond propagating to as many users as possible via the strategy mentioned above, the worm's aim is to gather intelligence on the infected victim (such as serial number of the phone, subscription number) and post it to a remote server likely controlled by cyber criminals. Whatever the latter may do with such information is unknown as of writing.

    It must be noted that due to its propagation strategy relying on the worm copy being hosted on a web server, the worm can mutate easily. According to Guillaume Lovet, senior manager of Fortinet's Threat Research Team, "As far as our analysis goes, the worm currently does not take commands from the remote servers it contacts. However, since the copies hosted on the malicious servers are controlled by the cyber criminals, they may update them whenever they want, thereby effectively mutating the worm, adding or removing functionality. We're really at the edge of a mobile botnet here."

    The Yxes mobile worm is reported to be currently spreading in the wild. It is recommended for mobile users to have a valid security solution in place, such as Fortinet's FortiClient Mobile, to protect against threats. Caution should always be taken when opening attachments and following URL's received through messages (SMS/MMS). In the case of an infection, please contact your service provider.

    Update:

    Our investigation confirms that the worm executes on Nokia 3250 handsets, but again is likely not limited to this. Once installed, no program icon or related information could be found in the system menu. On launch, the worm executes as the process "EConServer.exe", which is likely meant to camouflage alongside the existing legitimate system process "EComServer.exe". The worm will also automatically run every time the device is rebooted / power cycled. Further, it bears a destructive nature and will kill certain processes such as the application manager (AppMgr). The following is a list of processes sought to destroy: AppMgr, TaskSpy, Y-Tasks, ActiveFile and TaskMan.

    Fortinet's FortiGuard Global Security Research Team protects against additional variants of SymbOS/Yxes.A, namely B, C, and D. Subscribers to Fortinet's FortiClient Mobile should be protected against these variants.

    Action:
    • Fortinet's FortiGuard Antivirus Definitions protecting against Yxes have been available since February 8, 2009
    • Fortinet's FortiGuard Global Security Research Team collaborates with carriers to provide additional protection against mobile threats
    • Symbian's SDN has been notified
    • Registrars of domains hosting copies of the worm have been notified
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-07.html http://www.fortiguardcenter.com/advisory/FGA-2009-07.html Wed, 18 Feb 2009 00:00:00 -0800     Microsoft Security Bulletin for February 2009
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS09-002Cumulative Security Update for Internet Explorer (961260)CriticalRemote Code ExecutionMicrosoft Windows, Internet ExplorerCVE-2009-0075 CVE-2009-0076
    MS09-003Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)CriticalRemote Code ExecutionMicrosoft Exchange ServerCVE-2009-0098 CVE-2009-0099
    MS09-004Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)ImportantRemote Code ExecutionMicrosoft SQL ServerCVE-2008-5416
    MS09-005Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution (957634)ImportantRemote Code ExecutionMicrosoft OfficeCVE-2009-0095 CVE-2009-0096 CVE-2009-0097


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities in February 2009.

    CVE NumberSignature Name
    CVE-2009-0075MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption
    CVE-2009-0076MS.IE7.CSS.Style.Swithcing.Memory.Corruption
    CVE-2009-0098MS.Exchange.Server.TNEF.Code.Execution
    CVE-2009-0099MS.Exchange.Server.Attendant.DoS
    CVE-2008-5416MS.SQL.Server.Sp_replwritetovarbin.Memory.Overwrite

    For more information on new and enhanced signatures, visit theIPS Service Update History.If you require more information, contact the FortiGuard Team using ourContact Us web page.


    Document History


    Revision DateVersion Number
    Tuesday, February 10, 20091Initial Documentation.


    Reference:
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-05.html http://www.fortiguardcenter.com/advisory/FGA-2009-05.html Tue, 10 Feb 2009 00:00:00 -0800     Multiple vulnerabilities in Microsoft Office Visio Summary:

    Three memory corruption vulnerabilities lie in Microsoft Office Visio 2003, which allow a remote attacker to compromise a system through a malicious document.

    Impact:

    Remote code execution.

    Risk:
    • Critical

    Affected Software:

    For a list of operating systems and product versions affected, please see the Microsoft Security Bulletin reference below.

    Solutions:
    • Use the solution provided by Microsoft (MS09-005).

    References:

    Acknowledgement:
    • Bing Liu of Fortinet's FortiGuard Global Security Research Team
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-06.html http://www.fortiguardcenter.com/advisory/FGA-2009-06.html Tue, 10 Feb 2009 00:00:00 -0800     Fortinet discovers multiple vulnerabilities in RealNetworks' RealPlayer Summary:

    Fortinet's FortiGuard Global Security Research Team has discovered two vulnerabilities in RealPlayer, which allow a remote attacker to compromise a system through a malicious media clip.

    Impact:

    Remote code execution.

    Risk:
    • Critical

    Affected Software:
    • RealNetworks RealPlayer 11

    Additional Information:

    Internet Video Recording (IVR) files contain media content that is played and recorded by RealPlayer. A remote attacker could craft a malicious IVR file, that when sent to an unsuspecting user, may allow the execution of arbitrary code when viewed, using one of two vulnerabilities during RealPlayer's IVR processing routine:
    • A heap corruption vulnerability that occurs when altering a field that determines the length of a structure
    • A vulnerability that allows an attacker to write one null byte to an arbitrary memory address by using an overly long file name length value
    It should be noted that the victim does not necessarily have to open the malicious file for exploitation to occur: the vulnerabilities lie in a DLL that is also used as a plugin for the Windows Explorer shell. A successful attack could take place by merely previewing the IVR file through Windows Explorer.

    Solutions:

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against these two vulnerabilities. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:

    Acknowledgement:
    • Haifei Li of Fortinet's FortiGuard Global Security Research Team
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-04.html http://www.fortiguardcenter.com/advisory/FGA-2009-04.html Thu, 05 Feb 2009 00:00:00 -0800     Threatscape Report - January 2009 Edition

    Table of Contents:


    FortiGuard Global Threat Research

    Exploits and Intrusion Prevention



    Top 10 Exploitations



    Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
    RankVulnerabilityPercentageSeverity
    1Trojan.Storm.Worm.Krackin.Detection44.1High
    2Danmec.Asprox.SQL.Injection 5.3High
    3MS.SQL.Server.Insert.Statements.Privilege.Elevation3.8High
    4MS.Network.Share.Provider.Unchecked.Buffer.DoS 3.6High
    5MS.IIS.Web.Application.SourceCode.Disclosure2.9Medium
    6TCP.PORT02.7Low
    7SSLv3.SessionID.Overflow2.4High
    8HTTP.Server.Localhost.Request.Source.Code.Disclosure1.5High
    9MS.DCERPC.NETAPI32.Buffer.Overflow1.3Critical
    10MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow1.0High

    New Vulnerability Coverage



    There were a total of 43 vulnerabilities added to FortiGuard IPS coverage this period.
    Of these added vulnerabilities, 13 were reported to be actively exploited (30.2%).

    Figure 1 breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

    For more information, observe the detailed reports for this period at:

    Figure 1: New vulnerability coverage for this edition, categorized by severity

    Malware Today



    Top 10 Variants



    Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

    RankMalware VariantPercentageTop 100 Shift
    1Spy/OnLineGames8.8+2
    2W32/Netsky!similar8.2-
    3W32/Virut.A7.4+3
    4HTML/Iframe.DN!tr.dldr7.1+1
    5HTML/Iframe_CID!exploit6.9-1
    6W32/Dropper.VEM!tr5.4+94
    7W32/MyTob.BH.fam@mm3.7+3
    8W32/Small.AACQ!tr.dldr2.6-1
    9W32/MyTob.AQ@mm2.1+6
    10W32/Basine.C!tr.dldr1.9-2

    Figure 2: Activity curve for top five malware variants


    Regions & Volume



    Top 5 regions for this period, ranked by disti ]]>     http://www.fortiguardcenter.com/reports/roundup_jan_2009.html http://www.fortiguardcenter.com/reports/roundup_jan_2009.html Thu, 29 Jan 2009 00:00:00 -0800     Microsoft Security Bulletin for January 2009
    MS Bulletin Number Microsoft Bulletin TitleSeverityImpact of VulnerabilityAffected SoftwareCVE ID
    MS09-001Vulnerabilities in SMB Could Allow Remote Code Execution (958687)CriticalRemote Code ExecutionMicrosoft WindowsCVE-2008-4114 CVE-2008-4834 CVE-2008-4835


    Threat Remediation


    Fortinet provides coverage on Microsoft vulnerabilities in January 2009.

    CVE NumberSignature Name
    CVE-2008-4114SMB.Malformed.DataOffset
    CVE-2008-4834MS.SMB.Trans.Request.NT.Create.Memory.Corruption
    CVE-2008-4835MS.SMB.Trans2.Request.Memory.Corruption

    For more information on new and enhanced signatures, visit theIPS Service Update History.If you require more information, contact the FortiGuard Team using ourContact Us web page.


    Document History


    Revision DateVersion Number
    Tuesday, January 13, 20091Initial Documentation.
    Tuesday, January 16, 20092Signatures have been released on IPS Definition 2.587 previously in beta state..


    Reference:
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-03.html http://www.fortiguardcenter.com/advisory/FGA-2009-03.html Fri, 16 Jan 2009 00:00:00 -0800     Fortinet discovers multiple vulnerabilities in Oracle Secure Backup Summary:

    Fortinet's FortiGuard Global Security Research Team has discovered five vulnerabilities in Oracle Secure Backup.

    Impact:

    Remote code execution and denial of service.

    Risk:
    • Critical

    Affected Software:

    Please refer to the Oracle Critical Patch Update Advisory for affected versions of Oracle Secure Backup.

    Additional Information:

    By default, Oracle Secure Backup listens and receives NDMP protocol data on TCP port 10,000. The following four vulnerabilities pertain to the handling of this received NDMP data by process "obndmp.exe".

    One buffer overflow vulnerability that can lead to remote code execution was discovered through Oracle Secure Backup:
    • Sending a malformed NDMP client authentication packet will cause a overflow a buffer overflow due to invalid bounds checking

    Three denial of service vulnerabilities were discovered through Oracle Secure Backup by sending malformed data to various ports:
    • Sending a malformed NDMP connect open packet will cause a crash
    • Sending a malformed NDMP connect close packet will cause a crash
    • Sending a malformed NDMP mover get state packet will cause a crash

    By default, Oracle Secure Backup listens and receives private protocol data on TCP port 400. The following vulnerability pertains to the handling of this received data by process "observiced.exe".

    One denial of service vulnerability was discovered through Oracle Secure Backup:
    • Sending some malformed private data will cause a null pointer dereference, leading to a crash

    Solutions:

    Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this buffer overflow vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

    References:

    Acknowledgement:
    • Xiaopeng Zhang and Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team
    ]]>     http://www.fortiguardcenter.com/advisory/FGA-2009-02.html http://www.fortiguardcenter.com/advisory/FGA-2009-02.html Tue, 13 Jan 2009 00:00:00 -0800