netVigilance - assurance has arrived
2009 Issue #21

ScoutNews
The weekly Security update from
the makers of SecureScout

May 22, 2009



Table of Contents

Product Focus

This Week in Review

Top Security News Stories this Week

New Vulnerabilities Tested in SecureScout

New Vulnerabilities found this Week



Product Focus

Request Tracker for Windows (WinRT) by SecureScout v3.0.16 alpha - Download Free WinRT v3.0.16 alpha installer by filling our download form. Size: 33MB

Download Here:
http://www.netvigilance.com/productdownloads?productname=winrt_setup_3_0_16



This Week in Review

New study looks at website risks. New group to advise PCI Security Council. New group formed to fight malware.

Enjoy reading & Stay safe.

Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or


Top Security News Stories this Week

Website risks highlighted in two new studies

Two reports released this week confirmed the tidal shift in the type of websites into which cybercriminals are injecting malware.

WhiteHat Security, in the seventh installment of its Website Security Statistics Report, to be released on Tuesday, found that 82 percent of websites studied over the past year have had a "high," "critical," or "urgent" issue during their lifetime, with cross-site scripting continuing to top the list.

WhiteHat's report is no more alarming than in the past two years, Jeremiah Grossman, founder and CTO of the company, told SCMagazineUS.com on Monday. But this time, most of the more than 1,000 compromised websites reviewed in the report belong to well-known brands.

SC Magazine

Full Story :
http://www.scmagazineus.com/Website-risks-highlighted-in-two-new-studies/article/137005/


PCI appoints new board of advisers

A roster of new organizations will make up the second Payment Card Industry Security Standards Council (PCI SSC) board of advisers, including Bank of America, Wal-Mart and PayPal, the industry standards body announced Monday.

The advisers will replace the inaugural board, which served a two-year term beginning in 2007. The purpose of the board is to provide strategic and technical guidance to the PCI SSC, which manages the Payment Card Industry Data Security Standard (PCI DSS).

The new board's first task will be reviewing the results of an emerging technology study that was commissioned by the council, according to a PCI news release.

SC Magazine

Full Story :
http://www.scmagazineus.com/PCI-appoints-new-board-of-advisers/article/137025/


"Chain of Trust" initiative launched to fight malware

A group of cybersecurity advocacy organizations have teamed up to fight malware on the web.

The Anti-Spyware Coalition (ASC), National Cyber Security Alliance (NCSA), and StopBadware.org announced their collaboration, known as the Chain of Trust Initiative, Tuesday at the ASC workshop in Washington.

The goal of the partnership is to map the threats by identifying attack vectors and appropriate solutions, Ari Schwartz, ASC coordinator and vice president of the Center for Democracy and Technology (CDT), a nonprofit public interest group, told SCMagazineUS.com Tuesday. The effort has involved security companies, independent researchers, webmasters, registrars, hosting companies, network providers, and enforcement agencies, the organizations said in a news release.

SC Magazine

Full Story :
http://www.scmagazineus.com/Chain-of-Trust-initiative-launched-to-fight-malware/article/137079/


New Vulnerabilities Tested in SecureScout

18378 Microsoft Office PowerPoint Integer Overflow Vulnerability (CVE-2009-0221) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34835
http://www.securityfocus.com/bid/34835
* OSVDB: 54394
http://osvdb.org/54394
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-0221 (cve.mitre.org, nvd.nist.gov)

18379 Microsoft Office PowerPoint Legacy File Format Vulnerability (CVE-2009-0222) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* MISC:
http://www.vupen.com/exploits/Microsoft_PowerPoint_Memory_Corruption_Code_Execution_Exploit_MS09_017_1290124.php
* MISC:
http://www.vupen.com/exploits/Microsoft_PowerPoint_Pointer_Overwrite_Code_Execution_Exploit_MS09_017_1290123.php
* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34831
http://www.securityfocus.com/bid/34831
* OSVDB: 54382
http://osvdb.org/54382
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-0222 (cve.mitre.org, nvd.nist.gov)

18380 Microsoft Office PowerPoint Legacy File Format Vulnerability (CVE-2009-0223) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34834
http://www.securityfocus.com/bid/34834
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-0223 (cve.mitre.org, nvd.nist.gov)

18381 Microsoft Office PowerPoint Memory Corruption Vulnerability (CVE-2009-0224) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34879
http://www.securityfocus.com/bid/34879
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-0224 (cve.mitre.org, nvd.nist.gov)

18382 Microsoft Office PowerPoint PP7 Memory Corruption Vulnerability (CVE-2009-0225) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* MISC:
http://www.vupen.com/exploits/Microsoft_PowerPoint_Array_Indexing_Code_Execution_Exploit_MS09_017_1290125.php
* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34880
http://www.securityfocus.com/bid/34880
* OSVDB: 54388
http://osvdb.org/54388
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-0225 (cve.mitre.org, nvd.nist.gov)

18383 Microsoft Office PowerPoint Legacy File Format Vulnerability (CVE-2009-0226) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* IDEFENSE: 20090512 Microsoft PowerPoint 4.2 Conversion Filter Stack Overflow
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=789
* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34881
http://www.securityfocus.com/bid/34881
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-0226 (cve.mitre.org, nvd.nist.gov)

18384 Microsoft Office PowerPoint Legacy File Format Vulnerability (CVE-2009-0227) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* IDEFENSE: 20090512 Microsoft PowerPoint 4.2 Conversion Filter Stack Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=787
* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34882
http://www.securityfocus.com/bid/34882
* OSVDB: 54384
http://osvdb.org/54384
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-0227 (cve.mitre.org, nvd.nist.gov)

18385 Microsoft Office PowerPoint Memory Corruption Vulnerability (CVE-2009-0556) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* CONFIRM:
http://blogs.technet.com/mmpc/archive/2009/04/02/new-0-day-exploits-using-powerpoint-files.aspx
* CONFIRM:
http://blogs.technet.com/msrc/archive/2009/04/02/microsoft-security-advisory-969136.aspx
* CONFIRM:
http://blogs.technet.com/srd/archive/2009/04/02/investigating-the-new-powerpoint-issue.aspx
* CONFIRM:
http://www.microsoft.com/technet/security/advisory/969136.mspx
* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* CERT-VN: VU#627331
http://www.kb.cert.org/vuls/id/627331
* BID: 34351
http://www.securityfocus.com/bid/34351
* OSVDB: 53182
http://osvdb.org/53182
* SECTRACK: 1021967
http://www.securitytracker.com/id?1021967
* SECUNIA: 34572
http://secunia.com/advisories/34572
* VUPEN: ADV-2009-0915
http://www.vupen.com/english/advisories/2009/0915
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290
* XF: powerpoint-unspecified-code-execution(49632)
http://xforce.iss.net/xforce/xfdb/49632

CVE Reference:

CVE-2009-0556 (cve.mitre.org, nvd.nist.gov)

18386 Microsoft Office PowerPoint PP7 Memory Corruption Vulnerability (CVE-2009-1128) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34837
http://www.securityfocus.com/bid/34837
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-1128 (cve.mitre.org, nvd.nist.gov)

18387 Microsoft Office PowerPoint PP7 Memory Corruption Vulnerability (CVE-2009-1129) (MS09-017/967340) (Remote File Checking)

A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* IDEFENSE: 20090512 Microsoft PowerPoint PPT95 Import Multiple Stack Buffer Overflow Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=791
* MS: MS09-017
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
* CERT: TA09-132A
http://www.us-cert.gov/cas/techalerts/TA09-132A.html
* BID: 34839
http://www.securityfocus.com/bid/34839
* OSVDB: 54387
http://osvdb.org/54387
* SECTRACK: 1022205
http://www.securitytracker.com/id?1022205
* SECUNIA: 32428
http://secunia.com/advisories/32428
* VUPEN: ADV-2009-1290
http://www.vupen.com/english/advisories/2009/1290

CVE Reference:

CVE-2009-1129 (cve.mitre.org, nvd.nist.gov)


New Vulnerabilities found this Week

CVE-2009-0721    HP    CVSS 2.0 Score = 10.0

Unspecified vulnerability in Easy Login in the Sender module in HP Remote Graphics Software (RGS) 4.0.0 through 5.2.4 allows remote attackers to execute arbitrary code via unknown vectors.

Test Case Impact: Vulnerability Impact: Risk: High

References:

VUPEN: http://www.vupen.com/english/advisories/2009/1323

SECTRACK: http://securitytracker.com/id?1022221

BID: http://www.securityfocus.com/bid/34980

HP: http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01731970

SECUNIA: http://secunia.com/advisories/35089

SECUNIA: http://secunia.com/advisories/35087

CVE Reference: CVE-2009-0721

CVE-2009-1418    HP    CVSS 2.0 Score = 4.3

Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 3.0.1.73 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Per http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01745065: "SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP System Management Homepage (SMH) before v3.0.1.73 running on Linux and Windows Server 2003, 2008."

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

SECTRACK: http://securitytracker.com/id?1022242

HP: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01745065

XF: http://xforce.iss.net/xforce/xfdb/50633

BID: http://www.securityfocus.com/bid/35031

SECUNIA: http://secunia.com/advisories/35108

JVNDB: http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000029.html

JVN: http://jvn.jp/en/jp/JVN02331156/index.html

CVE Reference: CVE-2009-1418

CVE-2009-0897    IBM    CVSS 2.0 Score = 4.0

IBM WebSphere Partner Gateway (WPG) 6.1.0 before 6.1.0.1 and 6.1.1 before 6.1.1.1 allows remote authenticated users to obtain sensitive information via vectors related to the "schema DB2 instance id" and the bcgarchive (aka the archiver script).

Test Case Impact: Vulnerability Impact: Risk: Medium

References:

AIXAPAR: http://www-01.ibm.com/support/docview.wss?uid=swg21366016

XF: http://xforce.iss.net/xforce/xfdb/50643

BID: http://www.securityfocus.com/bid/35136

CVE Reference: CVE-2009-0897

CVE-2009-1161    Cisco    CVSS 2.0 Score = 10.0

Directory traversal vulnerability in the TFTP service in Cisco CiscoWorks Common Services (CWCS) 3.0.x through 3.2.x on Windows, as used in Cisco Unified Service Monitor, Security Manager, TelePresence Readiness Assessment Manager, Unified Operations Manager, Unified Provisioning Manager, and other products, allows remote attackers to access arbitrary files via unspecified vectors.

Test Case Impact: Vulnerability Impact: Risk: High

References:

CISCO: http://www.cisco.com/en/US/products/products_security_advisory09186a0080ab7b56.shtml

VUPEN: http://www.vupen.com/english/advisories/2009/1390

BID: http://www.securityfocus.com/bid/35040

SECTRACK: http://securitytracker.com/id?1022263

SECUNIA: http://secunia.com/advisories/35179

OSVDB: http://osvdb.org/54616

JVNDB: http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000032.html

JVN: http://jvn.jp/en/jp/JVN62527913/index.html

CVE Reference: CVE-2009-1161

CVE-2009-1783    F-Prot    CVSS 2.0 Score = 10.0

Multiple FRISK Software F-Prot anti-virus products, including Antivirus for Exchange, Linux on IBM zSeries, Linux x86 File Servers, Linux x86 Mail Servers, Linux x86 Workstations, Solaris Mail Servers, Antivirus for Windows, and others, allow remote attackers to bypass malware detection via a crafted CAB archive.

Test Case Impact: Vulnerability Impact: Risk: High

References:

XF: http://xforce.iss.net/xforce/xfdb/50427

BID: http://www.securityfocus.com/bid/34896

BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/503393/100/0/threaded

MISC: http://blog.zoller.lu/2009/04/advisory-f-prot-frisk-cab-bypass.html

CVE Reference: CVE-2009-1783

CVE-2009-1671    Sun    CVSS 2.0 Score = 9.3

Multiple buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll 6.0.130.3 in Sun Java SE Runtime Environment (aka JRE) 6 Update 13 allow remote attackers to execute arbitrary code via a long string argument to the (1) setInstallerType, (2) setAdditionalPackages, (3) compareVersion, (4) getStaticCLSID, or (5) launch method.

Test Case Impact: Vulnerability Impact: Risk: High

References:

MISC: http://www.shinnai.net/xplits/TXT_mhxRKrtrPLyAHRFNm7QR.html

BID: http://www.securityfocus.com/bid/34931

MILW0RM: http://www.milw0rm.com/exploits/8665

CVE Reference: CVE-2009-1671

CVE-2009-1672    Sun    CVSS 2.0 Score = 9.3

The Deployment Toolkit ActiveX control in deploytk.dll 6.0.130.3 in Sun Java SE Runtime Environment (aka JRE) 6 Update 13 allows remote attackers to (1) execute arbitrary code via a .jnlp URL in the argument to the launch method, and might allow remote attackers to launch JRE installation processes via the (2) installLatestJRE or (3) installJRE method.

Test Case Impact: Vulnerability Impact: Risk: High

References:

XF: http://xforce.iss.net/xforce/xfdb/50629

MISC: http://www.shinnai.net/xplits/TXT_mhxRKrtrPLyAHRFNm7QR.html

BID: http://www.securityfocus.com/bid/34931

MILW0RM: http://www.milw0rm.com/exploits/8665

CVE Reference: CVE-2009-1672

CVE-2009-1763    Sun    CVSS 2.0 Score = 7.2

Unspecified vulnerability in the Solaris Secure Digital slot driver (aka sdhost) in Sun OpenSolaris snv_105 through snv_108 on the x86 platform allows local users to gain privileges or cause a denial of service (filesystem or memory corruption) via unknown vectors.

Test Case Impact: Vulnerability Impact: Risk: High

References:

XF: http://xforce.iss.net/xforce/xfdb/50687

VUPEN: http://www.vupen.com/english/advisories/2009/1410

SECTRACK: http://www.securitytracker.com/id?1022271

BID: http://www.securityfocus.com/bid/35069

SUNALERT: http://sunsolve.sun.com/search/document.do?assetkey=1-66-259408-1

CVE Reference: CVE-2009-1763


Vulnerability Resource
Check out this compendium of links and up-to-the-minute information about network security issues. Their claim to be the 'security portal for information system security professionals' is well founded. http://www.infosyssec.org/infosyssec/

Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at

About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.

For any inquiry about SecureScout by:
Customers in America and Northern Europe contact us at
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at