Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)", this bulletin affects users of Microsoft Office 2000 through 2007, plus Office 2004 for Mac, and addresses the vulnerabilities detailed in CVE-2007-0215, CVE-2007-1203, and CVE-2007-0214. Successful exploitation could lead to remote code execution.
Entitled "Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)", this bulletin affects users of Microsoft Office 2000 through 2003, plus Office 2004 for Mac, but does not affect Office 2007, and addresses the vulnerabilities detailed in CVE-2007-0035, CVE-2007-0870, and CVE-2007-1202. Successful exploitation could lead to remote code execution.
Entitled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)", this bulletin affects users of Microsoft Office 2000 through 2003, plus Office 2004 for Mac, but does not affect Office 2007, and addresses the vulnerability detailed in CVE-2007-1747. Successful exploitation could lead to remote code execution.
Entitled "Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)", this bulletin affects users of Windows Exchange 2000, Exchange Server 2003, and Exchange Server 2007, and addresses the vulnerabilities detailed in CVE-2007-0220, CVE-2007-0039, CVE-2007-1213, and CVE-2007-0221. Successful exploitation could lead to remote code execution.
Entitled "Cumulative Security Update for Internet Explorer (931768)", this bulletin affects users of Windows 2000 through Vista running Internet Explorer versions 5.01 through 7, and addresses the vulnerabilities detailed in CVE-2007-0942, CVE-2007-0944, CVE-2007-0945, CVE-2007-0946, CVE-2007-0947, and CVE-2007-2221. Successful exploitation could lead to remote code execution.
Entitled "Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)", this bulletin affects users of CAPICOM and BizTalk Server 2004, but does not affect BizTalk Server 2000, 2002, and 2006, and addresses the vulnerability detailed in CVE-2007-0940. Successful exploitation could lead to remote code execution.
Entitled "Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)", this bulletin affects users of Windows Server 2000 and 2003, but does not affect Windows 2000, Windows XP (SP2), and Windows Vista, and addresses the vulnerability detailed in CVE-2007-1748. Successful exploitation could lead to remote code execution.
According to Ken Dunham of iDefense, this new worm variant includes anti-security measures to hinder analysis and sends out copies of itself inside a password-protected ZIP file to evade anti-virus detection. To further evade detection, each e-mail sent is randomized, with a different filename, a different password, and a different binary inside the ZIP file.
According to one source, the subject lines include:
- "Worm Alert!"
- "Worm Detected"
- "Virus Alert"
- "ATTN!"
- "Trojan Detected!"
- "Worm Activity Detected!"
- "Spyware Detected!"
- "Virus Activity Detected!"
According to SANS Internet Storm Center, the zip files appear to be named:
- "patch-(random 4 or 5 digit number).zip"
- "bugfix-(random 4 or 5 digit number).zip"
- "hotfix-(random 4 or 5 digit number).zip"
- "removal-(random 4 or 5 digit number).zip"
Once executed, the new variant installs a rootkit on the infected system and communicates over a private peer-to-peer (P2P) network to update itself. This latest variation may be laying the groundwork for further attacks in the near future, launched from the machines already infected.
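As an added illustration, not part of the original roundup or of any vendor's code, the Python below turns the reported lure subjects and attachment names into a mail-gateway triage check. The subject list and the filename pattern are taken from the indicators above; the sample messages and the two ZIP header stubs are constructed here. Whether an attachment is a password-protected ZIP is read from the encryption flag bit in the archive's first local file header, so the gateway never has to open or extract the archive.

```python
import re
import struct
from typing import Dict, List

# Lure subject lines reported for this variant (lower-cased for comparison).
SUSPECT_SUBJECTS = {
    "worm alert!", "worm detected", "virus alert", "attn!",
    "trojan detected!", "worm activity detected!", "spyware detected!",
    "virus activity detected!",
}

# Attachment names reported by the SANS Internet Storm Center:
# patch-/bugfix-/hotfix-/removal- followed by a 4- or 5-digit number.
LURE_ATTACHMENT_RE = re.compile(
    r"^(patch|bugfix|hotfix|removal)-\d{4,5}\.zip$", re.IGNORECASE)

ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first local file header of a ZIP has the 'encrypted'
    general-purpose flag (bit 0) set. The 30-byte header is parsed by hand
    so the archive never has to be opened or extracted on the gateway."""
    if len(data) < 30 or not data.startswith(ZIP_LOCAL_HEADER_SIG):
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def triage_message(subject: str, attachments: Dict[str, bytes]) -> List[str]:
    """Return the list of reasons a message matches the reported indicators."""
    reasons: List[str] = []
    if subject.strip().lower() in SUSPECT_SUBJECTS:
        reasons.append("subject matches a reported lure line")
    for name, data in attachments.items():
        if LURE_ATTACHMENT_RE.match(name):
            reasons.append(f"attachment name matches lure pattern: {name}")
        if name.lower().endswith(".zip") and zip_is_encrypted(data):
            reasons.append(f"password-protected ZIP attachment: {name}")
    return reasons


def should_quarantine(reasons: List[str]) -> bool:
    """A lure subject alone is weak evidence (legitimate AV notices use
    similar wording); quarantine when an attachment indicator is present
    or when more than one indicator fires."""
    attachment_hit = any(r.startswith(("attachment", "password")) for r in reasons)
    return attachment_hit or len(reasons) >= 2


# Constructed sample data: a minimal 30-byte local file header with the
# encryption flag set, and one without it. Neither is a complete archive.
ENCRYPTED_ZIP_STUB = ZIP_LOCAL_HEADER_SIG + b"\x14\x00" + b"\x01\x00" + b"\x00" * 22
PLAIN_ZIP_STUB = ZIP_LOCAL_HEADER_SIG + b"\x14\x00" + b"\x00\x00" + b"\x00" * 22

if __name__ == "__main__":
    samples = [
        ("Worm Alert!", {"patch-12345.zip": ENCRYPTED_ZIP_STUB}),
        ("Quarterly report", {"report.zip": PLAIN_ZIP_STUB}),
    ]
    for subj, atts in samples:
        hits = triage_message(subj, atts)
        verdict = "QUARANTINE" if should_quarantine(hits) else "deliver"
        print(f"{subj!r} -> {verdict} {hits}")
```

The subject match is deliberately treated as weak on its own, since a real anti-virus notification can carry the same words; the attachment name pattern and the encrypted-ZIP flag are what distinguish this lure from ordinary mail.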
Additional Resources:
- Trend Micro: Nuwar.AOO
- Mitre.org Common Malware Enumeration: CME-711
Additional Resources:
- MILW0RM: Advisory 3544
Additional Resources:
- Microsoft: Advisory 934864
- FRsirt: 1115
- CNET News.com: Windows weakness can lead to network traffic hijacks
Successful exploitation can result in memory corruption when processing cursors, animated cursors, and icons. According to Arbor Networks, the malicious code served by compromised Web sites exploiting this flaw appears to originate from the following sites, which you may want to block:
- wsfgfdgrtyhgfd.net
- 85.255.113.4
- uniq-soft.com
- fdghewrtewrtyrew.biz
- newasp.com.cn
To become infected, users must be running Internet Explorer 6 or 7; no click is needed, as simply visiting a site that hosts the exploit is enough. The flaw does not affect the Firefox or Opera browsers. Microsoft released a patch in its security bulletin MS07-017.
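As an added example, not from the original roundup or from any of the vendors cited, the Python below walks the RIFF chunk structure of an animated-cursor (.ANI) file and reports structural anomalies that a mail or Web gateway could reject before the file reaches a browser: an anih header chunk whose declared length is not the 36 bytes of the fixed ANIHEADER structure, or any chunk that claims more bytes than the file contains. The 36-byte expectation is the documented size of that structure; the check is applied to every anih chunk in the file, including those inside LIST sub-chunks, not only the first. The sample files are constructed inline and contain no cursor frames.

```python
import struct
from typing import List

ANIH_SIZE = 36  # size of the fixed ANIHEADER structure carried by an "anih" chunk


def _walk_chunks(data: bytes, start: int, end: int, findings: List[str]) -> None:
    """Walk RIFF sub-chunks in data[start:end], descending into LIST chunks."""
    pos = start
    while pos + 8 <= end:
        chunk_id = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > end:
            findings.append(
                f"chunk {chunk_id!r} at offset {pos} declares {size} bytes "
                f"but only {end - body} remain")
            return
        if chunk_id == b"LIST":
            # A LIST carries a 4-byte list type, then its own sub-chunks.
            _walk_chunks(data, body + 4, body + size, findings)
        elif chunk_id == b"anih" and size != ANIH_SIZE:
            findings.append(
                f"anih chunk at offset {pos} declares {size} bytes, expected {ANIH_SIZE}")
        pos = body + size + (size & 1)  # chunk bodies are padded to an even length


def check_ani(data: bytes) -> List[str]:
    """Return a list of structural findings; an empty list means the file
    looks like a well-formed animated cursor."""
    findings: List[str] = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        findings.append("not a RIFF/ACON animated cursor")
        return findings
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(8 + riff_size, len(data))  # never trust the declared size past EOF
    _walk_chunks(data, 12, end, findings)
    return findings


# --- Constructed sample files (chunk structure only, no real cursor data) ---

def _chunk(chunk_id: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) & 1 else b""
    return chunk_id + struct.pack("<I", len(payload)) + payload + pad


def _riff_acon(chunks: List[bytes]) -> bytes:
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# A header chunk of the correct size: cbSizeOf = 36 followed by eight zeroed DWORDs.
_GOOD_ANIH = _chunk(b"anih", struct.pack("<I", ANIH_SIZE) + b"\x00" * 32)

WELL_FORMED_ANI = _riff_acon([_GOOD_ANIH, _chunk(b"rate", struct.pack("<I", 10))])
# The same file with a second anih chunk of the wrong length appended.
OVERSIZED_ANIH_ANI = _riff_acon([_GOOD_ANIH, _chunk(b"anih", b"\x00" * 64)])
# A file whose header claims more data than is present.
TRUNCATED_ANI = OVERSIZED_ANIH_ANI[:40]

if __name__ == "__main__":
    for label, sample in [("well-formed", WELL_FORMED_ANI),
                          ("oversized anih", OVERSIZED_ANIH_ANI),
                          ("truncated", TRUNCATED_ANI)]:
        print(label, "->", check_ani(sample) or "ok")
```

Rejecting files at the gateway is a complement to the MS07-017 patch, not a substitute: a .ANI file can be served under another extension or content type, so the check should key on the RIFF/ACON signature rather than on the filename.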
Additional Resources:
- Microsoft: MS07-017
- Zeroday Emergency Response Team (ZERT): Unofficial patch
- NIST: CVE-2007-0038
- Arbor Networks: Any Ani file could infect you
- Websense: Alert
- F-Secure: Blog post
There's a vulnerability in Microsoft Internet Explorer 6, running on a fully patched Windows XP SP2 system, that allows remote attackers to cause a denial of service (crash). The flaw is due to an integer overflow in the Common Controls library "comctl32.dll" when the "setSlice()" method of a "WebViewFolderIcon" object is called with specially crafted arguments. Specifically, passing 0x7fffffff as an argument to the setSlice method of a WebViewFolderIcon ActiveX object may lead to an invalid memory copy, which can be exploited by attackers. Successful exploitation, however, requires that the victim visit a specially crafted Web page.
Additional Resources:
- Microsoft: Advisory 926043
- US-CERT Technical Alert: TA06-270A
- US-CERT Vulnerability Note: VU#753044
- BrowserFun: #18
This vulnerability may cause a denial of service (crash) in Microsoft Internet Explorer 6. By accessing the object references of a FolderItem ActiveX object (specifically, by triggering a NULL pointer dereference when accessing a "FolderItem" object), attackers may crash the Microsoft browser. Successful exploitation, however, requires a victim to visit a malicious Web page.
Additional Resources:
- French Security Incident Response Team: ADV-2006-2814
- BrowserFun: #15
- National Institute of Standards and Technology: CVE-2006-3458
In a conference paper titled "Subverting Ajax," security researchers Stefano Di Paola and Giorgio Fedon identified multiple cross-site scripting (XSS) vulnerabilities. One flaw in particular, the open-parameters vulnerability, is quite easy to trigger on vulnerable versions of Adobe Reader. An attack is carried out by referencing any Web-hosted PDF file and supplying potentially malicious JavaScript code as an open parameter in the URL fragment, for example:
http://www.(domain name).com/file.pdf#whatever_name_you_want=javascript:your_code_here
The researchers contacted Adobe in October with their findings and only recently made their work public. Adobe has since released version 8 of Adobe Reader, which no longer allows JavaScript appended to a PDF's URL in this way. However, many users continue to use older versions of the Adobe Reader plug-in and should update as soon as possible.
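The fragment-based attack described above, as an added example that is not part of the original article or of Adobe's own code: a Python parser that splits a PDF URL's open-parameter fragment into name/value pairs and flags any value that resolves to a javascript: scheme after URL-decoding and after stripping the whitespace and control characters that URL handlers ignore in front of a scheme. The URLs below are constructed inputs; they use an example.com host and the same your_code_here placeholder as the example above.

```python
from typing import List, Tuple
from urllib.parse import unquote, urlsplit


def parse_open_parameters(url: str) -> List[Tuple[str, str]]:
    """Split the '#name=value&name2=value2' fragment of a PDF URL into
    (name, value) pairs, URL-decoding each part."""
    fragment = urlsplit(url).fragment
    params: List[Tuple[str, str]] = []
    for piece in fragment.split("&"):
        if not piece:
            continue
        name, _, value = piece.partition("=")
        params.append((unquote(name), unquote(value)))
    return params


def _normalise_scheme_text(value: str) -> str:
    """Drop whitespace and control characters and lower-case the text, so
    that a leading tab or mixed case such as 'JavaScript:' still compares
    equal to the plain scheme."""
    return "".join(ch for ch in value if ord(ch) > 0x20).lower()


def unsafe_open_parameters(url: str) -> List[Tuple[str, str]]:
    """Return the open parameters whose value would be executed as script."""
    return [
        (name, value)
        for name, value in parse_open_parameters(url)
        if _normalise_scheme_text(value).startswith("javascript:")
    ]


def is_safe_pdf_url(url: str) -> bool:
    return not unsafe_open_parameters(url)


# Constructed test URLs; the javascript: value is the placeholder from the article.
SAMPLE_URLS = [
    "http://www.example.com/file.pdf#page=3&zoom=100",
    "http://www.example.com/file.pdf#whatever_name_you_want=javascript:your_code_here",
    "http://www.example.com/file.pdf#x=%09JavaScript:your_code_here",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print("safe  " if is_safe_pdf_url(u) else "UNSAFE", u)
```

Because a URL fragment is never sent to the Web server, this check cannot run in server logs or in a server-side filter; it is useful where the full link is visible, such as a mail filter or a proxy that inspects page bodies. The dependable fix remains the Reader 8 upgrade the article describes.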
Additional Resources:
- Vendor Patch Information: Adobe Reader 8
- Wise Security: Adobe Acrobat Reader Plugin - Multiple Vulnerabilities
- Gnucitizen: Danger, Danger, Danger
There's a buffer overflow in the Real Time Streaming Protocol (RTSP) handling of Apple QuickTime 7.1.3, affecting both the Windows and Mac versions. The flaw allows remote attackers to execute arbitrary code on a compromised machine: if a user clicks a very long, specially crafted QuickTime video URL, an attacker could load malicious code onto a Microsoft Windows or Apple Mac OS X machine.
At this time, there is no patch available from Apple. Users should avoid clicking URLs that begin with "rtsp://". One workaround within QuickTime is to disable the rtsp:// URL handler. To do so, Mac users should open QuickTime, go to Preferences, click the Advanced tab, and select MIME Settings; once there, uncheck the box next to Streaming - Streaming Movies. Windows users should click Edit, then Preferences, and then QuickTime Preferences, and select File Types from the pull-down menu or tab options. On the File Types page, click Streaming - Streaming Movies to display additional options and uncheck the box next to RTSP stream descriptor if necessary.
Additional Resources:
- NIST: CVE-2007-0015
- MOAB: MOAB-01-01-2007
- Milworm.com: 3064
