US Lacks Staff to Support Networks - posted 6/30/10
NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL
INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY
(posted 6/24/10)
CSCIC ADVISORY NUMBER:
2010-049
DATE(S) ISSUED:
6/23/2010
SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow
Remote Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in the
Mozilla Firefox, Mozilla Thunderbird and Mozilla
SeaMonkey applications which could allow remote code
execution. Mozilla Firefox is a web browser used to
access the Internet. Mozilla Thunderbird is an email
client. Mozilla SeaMonkey is a cross platform Internet
suite of tools ranging from a web browser to an email
client.
These vulnerabilities may be exploited if a user visits,
or is redirected to, a web page or opens a malicious
file specifically crafted to take advantage of these
vulnerabilities. Successful exploitation of these
vulnerabilities could result in either an attacker
gaining the same privileges as the logged on user, or
gaining session authentication credentials. Depending on
the privileges associated with the user, an attacker
could install programs; view, change, or delete data; or
create new accounts with full user rights. Failed
exploit attempts may result in a denial-of-service
condition.
SYSTEMS AFFECTED:
- Mozilla Firefox 3.5.9 and earlier
- Mozilla Firefox 3.6.3 and earlier
- Mozilla SeaMonkey 2.0.4 and earlier
- Mozilla Thunderbird 3.0.4 and earlier
DESCRIPTION:
Eight vulnerabilities have been discovered in Mozilla
Firefox, Mozilla Thunderbird and Mozilla SeaMonkey.
Details of these vulnerabilities are as follows:
Multiple memory corruption vulnerabilities (MFSA2010-26)
Multiple memory corruption vulnerabilities affecting the
browser and JavaScript engine can allow remote attackers
to crash the browser or execute arbitrary code in the
context of the application. Depending on the privileges
associated with the user, an attacker could install
programs; view, change, or delete data; or create new
accounts with full user rights.
A use-after-free error can allow for the execution of
arbitrary code (MFSA2010-27)
A use-after-free error affects the
'nsCycleCollector::MarkRoots()' function, which can
allow attackers to execute arbitrary code. Depending on
the privileges associated with the user, an attacker
could install programs; view, change, or delete data; or
create new accounts with full user rights.
Multiple plugin instances may share references resulting
in arbitrary code execution (MFSA2010-28)
Multiple plugin instances may share references, which
may result in the execution of arbitrary code.
Depending on the privileges associated with the user, an
attacker could install programs; view, change, or delete
data; or create new accounts with full user rights.
A heap-based buffer overflow may result in the execution
of arbitrary code (MFSA2010-29)
A heap-based buffer overflow affects the
'nsGenericDOMDataNode::SetTextInternal()' function. The
issue can be triggered when overly long strings are used
to set the text value for certain DOM nodes. Attackers
can exploit this issue to run arbitrary code. Depending
on the privileges associated with the user, an attacker
could install programs; view, change, or delete data; or
create new accounts with full user rights.
An integer-overflow issue may result in the execution of
arbitrary code (MFSA2010-30)
An integer-overflow issue affects XSLT node sorting.
Attackers can exploit this issue to run arbitrary code.
Depending on the privileges associated with the user, an
attacker could install programs; view, change, or delete
data; or create new accounts with full user rights.
focus() behavior can be used to inject or steal
keystrokes (MFSA2010-31)
A flaw in focus() handling allows an attacker to move
keyboard focus while the user is typing, so that
keystrokes can be injected into, or captured from, a
field the user did not intend to type into. This could
allow the attacker to obtain sensitive information such
as passwords.
A security-bypass issue may allow for cross-site
scripting (MFSA2010-32)
A security-bypass issue affects attachments served with
a 'Content-Disposition: attachment' HTTP header. The
header is ignored when a 'Content-Type: multipart' header
is also present, so the file is rendered inline instead
of being downloaded. Attackers can leverage this issue to
mount cross-site scripting attacks against web sites that
allow users to upload arbitrary files and rely on the
'Content-Disposition' header to keep those files from
being rendered in the site's origin.
User tracking across sites using Math.random()
(MFSA2010-33)
A vulnerability issue in Math.random() can be used to
identify and track users across different web sites.
This could aid attackers in certain phishing attack
scenarios.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Upgrade to Mozilla Firefox version 3.6.4 or 3.5.10,
Thunderbird 3.0.5, or SeaMonkey 2.0.5 as needed
immediately after appropriate testing.
- Run all software as a non-privileged user (one without
administrative privileges) to diminish the effects of a
successful attack.
- Remind users not to visit un-trusted web sites or follow
links provided by unknown or un-trusted sources.
- Remind users not to download or open files from
un-trusted web sites.
NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL
INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted
6/11/10
CSCIC ADVISORY NUMBER:
2010-042
SUBJECT:
Vulnerabilities in Media Decompression Could Allow Remote
Code Execution (MS10-033)
OVERVIEW:
Two vulnerabilities have been discovered in Microsoft
Windows that could allow a
remote attacker to take complete control of an affected
system. The vulnerabilities exist in the way Microsoft
Windows handles media files. Exploitation can occur if a
user visits a malicious web page or opens a malicious media
file. Successful exploitation could allow an attacker to
gain the same privileges as the logged on user. Depending on
the privileges associated with the user, an attacker could
then install programs; view, change, or delete data; or
create new accounts with full user rights.
SYSTEMS AFFECTED:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
DESCRIPTION:
Two vulnerabilities have been discovered in Microsoft
Windows that could allow a remote attacker to take complete
control of an affected system. Exploitation can occur when
Windows processes a media file with specially crafted
compression data. Any Windows system running client
applications that use either the 'Asycfilt.dll' or the
'Quartz.dll' library is vulnerable, and systems that
process MJPEG files are also at risk of being exploited.
Successful exploitation could allow an attacker to gain the
same privileges as the logged on user. Depending on the
privileges associated with the user, an attacker could then
install programs; view, change, or delete data; or create
new accounts with full user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to
vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without
administrative privileges) to diminish the effects of a
successful attack.
- Remind users not to visit un-trusted websites or follow
links provided by unknown or un-trusted sources.
- Remind users not to download or open files from un-trusted
websites.
- Remind users not to open email attachments from unknown or
un-trusted sources.
NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL
INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted
6/11/10
CSCIC ADVISORY NUMBER:
2010-045
SUBJECT:
Vulnerability in COM Validation in Microsoft Office Could
Allow Remote Code Execution (MS10-036)
OVERVIEW:
A vulnerability has been identified in Microsoft Office,
Microsoft's business application suite. This vulnerability
could allow remote code execution if a user opens a specially
crafted Office document. The document may be received as an
email attachment, or downloaded via the web. Successful
exploitation could result in an attacker gaining the same
privileges as the logged on user. Depending on the privileges
associated with the user, an attacker could then install
programs; view, change, or delete data; or create new accounts
with full user rights.
DESCRIPTION:
A vulnerability has been identified in Microsoft Office
that could allow an attacker to take complete control of an
affected system. This vulnerability can be triggered by
opening a specially crafted Excel, PowerPoint, Publisher,
Visio, or Word document and can be exploited via email or
through the web.
In the email based scenario, the user would have to open the
specially crafted document as an email attachment. In the web
based scenario, a user would have to open the specially
crafted document that is hosted on a website. Successful
exploitation could result in an attacker gaining the same
privileges as the logged on user. Depending on the privileges
associated with the user, an attacker could then install
programs; view, change, or delete data; or create new accounts
with full user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable
systems immediately after appropriate testing.
- Remind users not to download or open files from un-trusted
websites.
- Remind users not to open e-mail attachments from unknown users
or suspicious e-mails from trusted sources.
- Run all software as a non-privileged user (one without
administrative privileges) to diminish the effects of a
successful attack.
NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL
INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted
6/11/10
CSCIC ADVISORY NUMBER:
2010-044
SUBJECT:
Vulnerabilities in Microsoft Office Excel Could Allow
Remote Code Execution (MS10-038)
OVERVIEW:
Multiple vulnerabilities have been identified in Microsoft
Office Excel, a spreadsheet application. These vulnerabilities
could allow remote code execution if a user opens a specially
crafted Excel file. The file may be received as an email
attachment, or downloaded via the web. Successful exploitation
could result in an attacker gaining the same privileges as the
logged on user. Depending on the privileges associated with
the user, an attacker could then install programs; view,
change, or delete data; or create new accounts with full user
rights.
SYSTEMS AFFECTED:
- Microsoft Office XP
- Microsoft Office 2003
- 2007 Microsoft Office System
- Microsoft Office for Mac
- Microsoft Office 2004 for Mac
- Microsoft Office 2008 for Mac
- Open XML File Format Converter for Mac
- Microsoft Office Excel Viewer
- Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats
DESCRIPTION:
Fourteen vulnerabilities have been identified in Microsoft
Office Excel that could allow an attacker to take complete
control of an affected system. These vulnerabilities can be
triggered by opening a specially crafted Excel file (.XLS) and
can be exploited via email or through the web. In the email
based scenario, the user would have to open the specially
crafted Excel file as an email attachment. In the web based
scenario, a user would have to open the specially crafted
Excel file that is hosted on a website. When the user opens
the Excel file, the attacker's supplied code will execute.
Thirteen of these vulnerabilities exist because of the way
Microsoft Office Excel parses the Excel file format when
processing Excel files. The last vulnerability exists because
incorrect ACLs are applied to the '/Applications' folder
on Mac OS X systems. Successful exploitation of any of these
vulnerabilities could result in an attacker gaining the same
privileges as the logged on user. Depending on the privileges
associated with the user, an attacker could then install
programs; view, change, or delete data; or create new accounts
with full user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable
systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without
administrative privileges) to diminish the effects of a
successful attack.
- Remind users not to open email attachments from unknown or
un-trusted sources.
- Remind users not to visit un-trusted websites or follow links
provided by unknown or un-trusted sources.
- Consider using the Microsoft Office Isolated Conversion
Environment (MOICE - http://support.microsoft.com/kb/935865 ) to
mitigate some of the vulnerabilities identified in this
advisory.
NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL
INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted
6/11/10
CSCIC ADVISORY NUMBER:
2010-043
SUBJECT:
Cumulative Security Update of ActiveX Kill Bits (MS10-034)
OVERVIEW:
Microsoft has released a security update which addresses
vulnerabilities discovered in multiple ActiveX controls.
ActiveX controls are small programs or animations that are
downloaded or embedded in web pages which will typically
enhance functionality and user experience. Many web design
and development tools have built ActiveX support into their
products, allowing developers to both create and make use of
ActiveX controls in their programs. There are more than
1,000 existing ActiveX controls available for use today.
When vulnerabilities are discovered in ActiveX controls,
attackers may use specially crafted web pages to exploit
these vulnerabilities. Successful exploitation will result
in an attacker gaining the same user privileges as the
logged on user. Depending on the privileges associated with
this user, an attacker could then install programs; view,
change, or delete data; or create new accounts.
SYSTEMS AFFECTED:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
DESCRIPTION:
Microsoft Internet Explorer includes a security feature,
controlled through registry settings, that prevents a
specific ActiveX control from being loaded. This is commonly
referred to as setting the 'kill bit' of an ActiveX
component. Once the kill bit is set, Internet Explorer will
not load the control even if it remains installed on the
system.
These vulnerabilities could allow an attacker to take
complete control of an affected system, and could be
exploited if a user visits a specifically crafted web page.
Successful exploitation could allow an attacker to gain the
same privileges as the logged on user. Depending on the
privileges associated with the user, an attacker could then
install programs; view, change, or delete data; or create
new accounts with full user rights.
This update sets the kill bits for the following Class
Identifiers (CLSIDs):
Office Excel ActiveX control for Data Analysis
(max3activex.dll)
CLSID - 14FD1463-1F3F-4357-9C03-2080B442F503
CLSID - E9CB13DB-20AB-43C5-B283-977C58FB5754
The Microsoft Data Analyzer ActiveX control is not installed
by default and requires manual installation by a user.
Microsoft Internet Explorer 8 Developer Tools (iedvtool.dll)
CLSID - 8fe85d00-4647-40b9-87e4-5eb8a52f4759
Microsoft Internet Explorer 8 Developer Tools are installed
and enabled by default for Internet Explorer 8. This
vulnerability does not affect hosts running Internet
Explorer 6 or Internet Explorer 7 that have Developer Tools
installed on them.
Additionally, this update sets the kill bits for the
following third-party CLSIDs:
Danske eSec ActiveX control
CLSID - F6A56D95-A3A3-11D2-AC26-400000058481
CLSID - 56393399-041A-4650-94C7-13DFCB1F4665
Ofoto Upload Manager / Kodak Gallery Easy Upload Manager
ActiveX Control
CLSID - 6f750200-1362-4815-a476-88533de61d0c
CLSID - 6f750201-1362-4815-a476-88533de61d0c
CallPilot Unified Messaging ActiveX Control
CLSID - 7F14A9EE-6989-11D5-8152-00C04F191FCA
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate update provided by Microsoft to vulnerable
systems immediately after appropriate testing.
- Remind users not to visit un-trusted websites or follow
links provided by unknown or un-trusted sources.
- Configure Internet Explorer to prompt before running ActiveX
Controls or disable ActiveX controls in the Internet Zone.
NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL
INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY (posted
6/9/10)
CSCIC ADVISORY NUMBER:
2010-040
SUBJECT:
Multiple Adobe Products are Prone to a Remote Code Execution
Vulnerability
OVERVIEW:
A vulnerability has been discovered in the Adobe Acrobat, Adobe
Reader and Adobe Flash Player applications that could allow
attackers to execute arbitrary code on affected systems. Adobe
Reader allows users to view Portable Document Format (PDF)
files. Adobe Acrobat offers users additional features such as
the ability to create PDF files.
Adobe Flash Player is a multimedia and application player used
to enhance the user experience when visiting web pages or other
media which incorporate Flash (.swf) files.
Exploitation can occur if a user visits or is redirected to a
malicious webpage or if a user opens a malicious file designed
to take advantage of this vulnerability, including opening a
malicious attachment. Successful exploitation could result in an
attacker gaining the same privileges as the logged on user.
Depending on the privileges associated with the user, an
attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights. Failed
exploit attempts may result in a denial-of-service condition.
Adobe has indicated that this vulnerability is actively being
exploited and there is no patch available at this time. Adobe
has, however, provided mitigation advice. Please see the
Recommendations section below.
SYSTEMS AFFECTED:
- Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and
9.0.x versions.
- Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions.
DESCRIPTION:
A memory corruption vulnerability has been identified in
multiple Adobe products that could allow for remote code
execution when opening maliciously crafted Flash content. The
vulnerability is triggered by opening a specially crafted
Flash (.swf) file or by opening a .pdf file with embedded
malicious Flash content. Adobe Reader 9.x and Adobe Acrobat
9.x products are vulnerable via 'authplay.dll', the component
that lets those products render Flash content within PDF
files. Successful exploitation may result in an attacker
gaining the same privileges as the logged on user. Depending
on the privileges associated with the user, an attacker could
then install programs; view, change, or delete data; or create
new accounts with full user rights. Failed exploitation could
result in denial-of-service conditions.
Adobe has indicated that this vulnerability is being actively
exploited over the Internet.
Adobe is reporting that Flash Player 10.1.53.64 RC7, released
on June 2, 2010, does not appear to be vulnerable. Note that
Adobe Flash Player 10.1.x versions have all been beta
releases.
Adobe Reader 8.x and Adobe Acrobat 8.x products are not
vulnerable.
Adobe has not released a patch for this vulnerability at this
time, and is currently recommending users delete, rename or
remove access to the 'authplay.dll' that ships with Adobe Reader
and Adobe Acrobat 9.x products to mitigate the threat for those
products.
To disable Flash support in Adobe Reader 9 on Microsoft
Windows, delete or rename this file:
"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
To disable Flash support in Adobe Acrobat 9 on Microsoft
Windows, delete or rename this file:
"%ProgramFiles%\Adobe\Acrobat 9.0\Acrobat\authplay.dll"
The above mitigation steps will result in reduced functionality
within Adobe Acrobat and Adobe Reader applications. The file
locations listed above may vary due to customized installations.
Antivirus Vendors have released signatures that will protect
against the currently released exploit.
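The rename mitigation above as a script, added here as an example; it is not code from Adobe or CSCIC. It searches both Program Files trees (32-bit Reader and Acrobat live under %ProgramFiles(x86)% on 64-bit Windows) and recurses beneath the Adobe folder so customized install paths are still found, refuses to run while Reader or Acrobat is open (the rename would fail with a sharing violation), and reports whether each rename took effect. Because it matches on file name alone, preview with -WhatIf and exclude any copy that belongs to an 8.x product, which the advisory says is not affected.

```powershell
# Disable Flash rendering in Adobe Reader/Acrobat 9.x by renaming authplay.dll.
# Added example for CSCIC advisory 2010-040; not Adobe's or CSCIC's code.
# Run elevated. Restore by renaming authplay.dll.disabled back once a patch ships.

function Get-AuthplayPaths {
    param([string[]]$SearchRoot)
    foreach ($root in $SearchRoot) {
        $adobe = Join-Path $root 'Adobe'
        if (-not (Test-Path $adobe)) { continue }
        # Recurse under <root>\Adobe so customized install folders are still found.
        Get-ChildItem -Path $adobe -Filter 'authplay.dll' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $_.FullName }
    }
}

function Disable-Authplay {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        # Both Program Files trees; the (x86) variable is empty on 32-bit Windows.
        [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $roots = $SearchRoot | Where-Object { $_ -and (Test-Path $_) }

    # A loaded DLL cannot be renamed, so insist that the products are closed.
    $open = Get-Process -Name AcroRd32, Acrobat -ErrorAction SilentlyContinue
    if ($open) { throw "Close Adobe Reader/Acrobat first (running: $($open.Name -join ', '))" }

    $paths = @(Get-AuthplayPaths -SearchRoot $roots)
    if ($paths.Count -eq 0) { Write-Warning 'authplay.dll not found under the search roots'; return }

    foreach ($dll in $paths) {
        $disabled = "$dll.disabled"
        if ($PSCmdlet.ShouldProcess($dll, "rename to $disabled")) {
            Rename-Item -Path $dll -NewName (Split-Path $disabled -Leaf) -ErrorAction Stop
            # Report the post-condition rather than trusting the cmdlet silently.
            New-Object PSObject -Property @{
                Original = $dll
                Disabled = (-not (Test-Path $dll)) -and (Test-Path $disabled)
            }
        }
    }
}

# Usage: preview first, then apply.
Disable-Authplay -WhatIf
Disable-Authplay | Format-Table Original, Disabled -AutoSize
```

Renaming rather than deleting keeps the rollback trivial, and the returned objects give you an audit line per host if the script is pushed through your management tooling.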
RECOMMENDATIONS:
We recommend the following actions be taken:
- Ensure that all antivirus software is up to date with the latest
signatures.
- Deploy network intrusion detection systems to monitor network
traffic for malicious activity.
- If you believe you have been affected by attacks exploiting this
vulnerability, please follow your organization's policies for
incident reporting.
- Run all software as a non-privileged user (one without
administrative privileges) to diminish the effects of a
successful attack.
NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL
INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted
5/25/10
CSCIC ADVISORY NUMBER:
2010-027 (Updated)
SUBJECT:
Multiple Vulnerabilities in the JRE Java Platform Could Allow
Remote Code Execution
ORIGINAL OVERVIEW:
Multiple vulnerabilities have been discovered in the Oracle Java
(formerly known as Sun Java) Runtime Environment (JRE) that
could allow attackers to take complete control of a vulnerable
system. The Java Runtime Environment is used to enhance the user
experience when visiting web sites and is installed on most
desktops and servers. These vulnerabilities may be exploited if
a user visits or is redirected to a specifically crafted web
page, or opens a specially crafted file. Successful exploitation
could result in an attacker gaining the same privileges as the
logged on user. Depending on the privileges associated with the
user, an attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights.
Failed exploit attempts may result in a denial-of-service
condition.
Proof of concept code for this vulnerability has been published
and is publicly available. This code has been verified in our
lab in a Windows environment and confirmed to cause remote code
execution. Due to the ease in which this vulnerability can be
exploited, we believe it is likely that this attack will be seen
in the wild.
April 15 UPDATED OVERVIEW:
Oracle has indicated that Java Runtime Environment 1.6.0_20 (JRE
6 Update 20) has resolved this vulnerability. We have tested
the JRE 6 Update 20 in our lab environment to confirm that it
does resolve this issue.
Please note that we have received reports of this vulnerability
being used to actively compromise systems on the Internet.
Apple has released patches for the vulnerabilities described in
this advisory.
ORIGINAL SYSTEMS AFFECTED:
UPDATED SYSTEMS AFFECTED:
· Large and medium government entities: High
· Small government entities: High
· Large and medium business entities: High
· Small business entities: High
ORIGINAL DESCRIPTION:
Multiple vulnerabilities have been discovered in the Java
Runtime Environment (JRE) applications that could allow
attackers to execute remote code on a system. The JRE allows a
user to run Java applications, including web programs called
applets, which are used on many websites.
These remote code execution vulnerabilities are due to
insufficient validation of user-supplied input passed to the
'launch' function of the Java Deployment Toolkit plugins and the
'docbase' and 'launchjnlp' parameters of the Java Platform SE
plugins. After the input is passed to the plugins, an attacker
can exploit these issues to pass arbitrary arguments to the
'javaws.exe' command. This vulnerability can be further
leveraged to execute arbitrary JAR or DLL files through the use
of the '-J', '-XXaltjvm' and '-J-XXaltjvm' parameters. These
vulnerabilities may be exploited if a user visits or is
redirected to a specifically crafted web page, or opens a
specially crafted file. Successful exploitation could result in
an attacker gaining the same privileges as the logged on user.
Depending on the privileges associated with the user, an
attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights. Failed
exploit attempts may result in a denial-of-service condition.
The following plugins are affected and installed by default in
the JRE:
- A Java Deployment Toolkit plugin for Internet Explorer
implemented as an ActiveX control identified by CLSID
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
- npdeploytk.dll: a Java Deployment Toolkit plugin for Mozilla
Firefox implemented as a Netscape Plugin Application
Programming Interface (NPAPI) plugin
- npjp2.dll: a Java Platform SE plugin for Mozilla Firefox and
Google Chrome
- jp2iexp.dll: a Java Platform SE plugin for Internet Explorer
implemented as an ActiveX control identified by CLSID
{8AD9C840-044E-11D1-B3E9-00805F499D93}
Please note: At this time, Oracle has not provided a patch.
Proof of concept code for this vulnerability has been published
and is publicly available. This code has been verified in our
lab in a Windows environment and confirmed to cause remote code
execution. Due to the trivial nature of this exploit, we believe
it is likely that this attack will be seen in the wild.
April 15 - UPDATED DESCRIPTION:
Oracle has indicated that Java Runtime Environment 1.6.0_20 (JRE
6 Update 20) has resolved this vulnerability. We have tested
the JRE 6 Update 20 in our lab environment to confirm that it
does resolve this issue.
Please note that we have received reports of this vulnerability
being used to actively compromise systems on the Internet.
May 19 UPDATED DESCRIPTION:
Apple has released patches for the vulnerabilities described in
this advisory. These patches fix the JRE implementation in
Apple’s OS X operating
system.
ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:
- Set the kill bit on the Class Identifier (CLSID)
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}; further instructions on
how to set the kill bit can be found at the following location
( http://support.microsoft.com/kb/240797 )
- Mozilla Firefox and other NPAPI based browser users can be
protected using File System ACLs to prevent access to
npdeploytk.dll. These ACLs can also be managed via Group Policy
Objects.
- Run all software as a non-privileged user (one without
administrative privileges) to diminish the effects of a
successful attack.
- Remind users not to download or open files from un-trusted
websites.
- Remind users not to visit un-trusted websites or follow links
provided by unknown or un-trusted sources.
- Apply appropriate patches provided by Oracle to vulnerable
systems as soon as they become available.
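The kill-bit and file-ACL mitigations in a runnable, verifiable form. This is an added example, not code from CSCIC, Microsoft or Oracle, and it serves two passages on this page: the MS10-034 advisory (2010-043) above, whose update sets kill bits for the CLSIDs it lists, and the recommendations of this advisory, which ask you to set the kill bit on the Java Deployment Toolkit CLSID yourself and to restrict npdeploytk.dll with file-system ACLs. It audits the 'Compatibility Flags' value under the ActiveX Compatibility key (the KB 240797 mechanism) for every CLSID from both advisories, sets the bit where it is missing, and applies a deny ACL to the DLL. The path used for npdeploytk.dll is an assumption, since the advisory names only the file; adjust it to your JRE installation.

```powershell
# Added example for the MS10-034 and CSCIC 2010-027 advisories above; not code
# from CSCIC, Microsoft or Oracle. Run from an elevated 64-bit PowerShell session.
# Per KB 240797, IE refuses to load a control whose "Compatibility Flags" value
# under ...\ActiveX Compatibility\{CLSID} has bit 0x400 set.

$KillBitFlag = 0x400

# CLSIDs copied from the two advisories; the labels are only for the report.
$Clsids = @{
    '{14FD1463-1F3F-4357-9C03-2080B442F503}' = 'MS10-034 Data Analyzer (max3activex.dll)'
    '{E9CB13DB-20AB-43C5-B283-977C58FB5754}' = 'MS10-034 Data Analyzer (max3activex.dll)'
    '{8FE85D00-4647-40B9-87E4-5EB8A52F4759}' = 'MS10-034 IE8 Developer Tools (iedvtool.dll)'
    '{F6A56D95-A3A3-11D2-AC26-400000058481}' = 'MS10-034 Danske eSec'
    '{56393399-041A-4650-94C7-13DFCB1F4665}' = 'MS10-034 Danske eSec'
    '{6F750200-1362-4815-A476-88533DE61D0C}' = 'MS10-034 Ofoto/Kodak Easy Upload Manager'
    '{6F750201-1362-4815-A476-88533DE61D0C}' = 'MS10-034 Ofoto/Kodak Easy Upload Manager'
    '{7F14A9EE-6989-11D5-8152-00C04F191FCA}' = 'MS10-034 CallPilot Unified Messaging'
    '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}' = 'CSCIC 2010-027 Java Deployment Toolkit'
}

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both views are handled;
# the Wow6432Node key does not exist on 32-bit Windows and is filtered out.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

function Get-CompatFlags([string]$Key) {
    # Current "Compatibility Flags" DWORD, or 0 when the key or value is absent.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.'Compatibility Flags') { return 0 }
    return [int64]$props.'Compatibility Flags'
}

function Test-KillBit([string]$Clsid, [string]$Root) {
    return ((Get-CompatFlags (Join-Path $Root $Clsid)) -band $KillBitFlag) -ne 0
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Clsid,
          [Parameter(Mandatory=$true)][string]$Root)
    $key = Join-Path $Root $Clsid
    if ($PSCmdlet.ShouldProcess($key, 'set kill bit in Compatibility Flags')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so that flags already present on the control are preserved.
        $flags = (Get-CompatFlags $key) -bor $KillBitFlag
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-KillBitReport {
    foreach ($root in $Roots) {
        $view = if ($root -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
        foreach ($clsid in $Clsids.Keys) {
            New-Object PSObject -Property @{
                Control = $Clsids[$clsid]
                Clsid   = $clsid
                View    = $view
                Root    = $root
                KillBit = Test-KillBit $clsid $root
            }
        }
    }
}

function Deny-FileAccess {
    # File-system ACL mitigation from advisory 2010-027 for NPAPI browsers: deny
    # Everyone read/execute on the DLL so Firefox cannot load it.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path $Path)) { Write-Warning "Not present: $Path"; return }
    if ($PSCmdlet.ShouldProcess($Path, 'deny Everyone ReadAndExecute')) {
        $acl  = Get-Acl -Path $Path
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList 'Everyone', 'ReadAndExecute', 'Deny'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Usage: audit, then set only what is missing (append -WhatIf to preview changes).
Get-KillBitReport | Format-Table Control, Clsid, View, KillBit -AutoSize
Get-KillBitReport | Where-Object { -not $_.KillBit } |
    ForEach-Object { Set-KillBit -Clsid $_.Clsid -Root $_.Root }

# npdeploytk.dll location is an assumption (the advisory names only the file);
# 32-bit Windows has no (x86) folder, so fall back to %ProgramFiles%.
$pf = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
Deny-FileAccess -Path (Join-Path $pf 'Java\jre6\bin\npdeploytk.dll')
```

For the MS10-034 CLSIDs the report is a verification step, since the update writes those bits itself; the Java Deployment Toolkit CLSID is the one you set by hand. Checking both registry views matters because a kill bit written only to the 64-bit view leaves 32-bit Internet Explorer, the one most users run, unprotected. The deny ACL is an interim control: remove the rule before installing JRE 6 Update 20 so the installer can replace the file.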
May 19 - UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:
April 15 - UPDATED REFERENCES:
May 19 - UPDATED REFERENCES: