DIR Security Protecting Information Resources for Texas 

Alerts and Bulletins Archive 

This page includes alerts posted before February 15, 2007. For the most current Alerts and Bulletins, see the Current Alerts page.

Security incidents that are critical in nature shall be reported to the DIR within twenty-four hours (TAC 202.26(a) and TAC 202.76(a)). Instructions for reporting an incident.

The emergency number for the Security Office is 512-350-3282.

To immediately report an incident, please contact:
Noel Garcia at 512-463-7542 (office); 512-762-2743 (cell)


 

February 14, 2007
MS-ISAC ADVISORY NUMBER: 2006-013 - UPDATED

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER ADVISORY

Date(s) Issued

  • 7/17/2006
  • 8/8/2006 - Updated
  • 2/14/2007 - Updated

Subject

New Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution

Original Overview

A new vulnerability has been discovered in Microsoft Office PowerPoint that could allow a remote attacker to run and execute commands on the local system. This vulnerability can be exploited if a user opens a malicious PowerPoint file that has been specially crafted to exploit it.

August 8 Updated Information

Microsoft has released a new security bulletin (MS06-048) that supplies a patch to the Microsoft Office Library file 'mso.dll'. In addition to the patch, a new vulnerability in Microsoft Office PowerPoint has been found that would allow a remote attacker to run and execute commands on the local system.

February 14, 2007 Updated Overview

Microsoft has released a new security bulletin (MS07-015) that replaces previous security bulletins and supplies a new patch to resolve two vulnerabilities in Microsoft Office that would allow a remote attacker to run and execute commands on the local system. Please see the systems affected and description sections below for additional details.

Original Systems Affected:

  • Microsoft PowerPoint 2003
  • Microsoft Office 2003
  • Microsoft PowerPoint 2003 SP1
  • Microsoft Office 2003 SP1
  • Microsoft PowerPoint 2003 SP2
  • Microsoft Office 2003 SP2

February 14 Updated Systems Affected:

  • Microsoft Office 2000 SP 3
  • Microsoft Access 2000
  • Microsoft Excel 2000
  • Microsoft FrontPage 2000
  • Microsoft Outlook 2000
  • Microsoft PowerPoint 2000
  • Microsoft Publisher 2000
  • Microsoft Word 2000
  • Microsoft Office XP SP3
  • Microsoft Access 2002
  • Microsoft Excel 2002
  • Microsoft FrontPage 2002
  • Microsoft Outlook 2002
  • Microsoft PowerPoint 2002
  • Microsoft Publisher 2002
  • Microsoft Visio 2002
  • Microsoft Word 2002
  • Microsoft Office 2003 SP2
  • Microsoft Access 2003
  • Microsoft Excel 2003
  • Microsoft Excel 2003 Viewer
  • Microsoft FrontPage 2003
  • Microsoft InfoPath 2003
  • Microsoft OneNote 2003
  • Microsoft Outlook 2003
  • Microsoft PowerPoint 2003
  • Microsoft Project 2003
  • Microsoft Publisher 2003
  • Microsoft Visio 2003
  • Microsoft Word 2003
  • Microsoft Word 2003 Viewer
  • Microsoft Project 2000 Service Release 1
  • Microsoft Project 2002 SP1
  • Microsoft Visio 2002 SP2
  • Microsoft Office 2004 for Mac

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users:

  • High

Original Description

A new vulnerability has been discovered in Microsoft Office PowerPoint that could allow a remote attacker to run and execute commands on the local system. The vulnerability exists because of a flaw in the shared Microsoft Office Library file 'mso.dll'. This vulnerability can be exploited if a user opens a malicious PowerPoint file that has been specially crafted to exploit it. Proof-of-concept PowerPoint files that exploit this vulnerability are publicly available on the Internet.

After successful exploitation, an attacker could take complete control of a vulnerable system and perform actions such as installing programs; viewing, changing, and deleting data; and creating user accounts.

August 8 Updated Description

Microsoft has released details of a new vulnerability that could be exploited when a file containing a malformed record is parsed by PowerPoint. Such a file could be found on a malicious website or be included as an e-mail attachment.

February 14 Updated Description

Microsoft discovered the previous update was not effective in removing the vulnerability from an affected system. This update addresses the flaw in the Microsoft Office Library file 'mso.dll'.  At this time there is no known exploit code available for this PowerPoint vulnerability.

In addition, this bulletin describes two new vulnerabilities which could be exploited when a file containing a malformed record is opened by Excel or PowerPoint. These files can be hosted on a malicious website or included in an email attachment. Currently, there is a proof-of-concept Excel file for the Excel vulnerability publicly available on the Internet. We are not aware of any proof-of-concept code publicly available for the PowerPoint vulnerability.

Recommendations

We recommend the following actions be taken:

  • Apply all of the appropriate patches provided by the software vendor to vulnerable systems as soon as possible after appropriate testing.
  • Do not visit unknown or un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Do not open email attachments from un-trusted sources.
  • Ensure that all anti-virus software is up to date with the latest signatures.

References

Microsoft:
http://blogs.technet.com/msrc/archive/2006/07/14/441893.aspx

SecurityFocus:
http://www.securityfocus.com/bid/18993/

SANS:
http://www.incidents.org/diary.php?storyid=1484&isc=016c32f0ee8ed1d28ca2c0c67c298840

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3590

August 8 Updated References

Microsoft: 
http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx

February 14 Updated References

Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS07-015.mspx

SecurityFocus:
http://www.securityfocus.com/bid/20325/references

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3877
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0671

February 14, 2007
MS-ISAC ADVISORY NUMBER: 2007-007

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER ADVISORY

Subject

Multiple Remote Code Execution Vulnerabilities Exploitable through Internet Explorer

Overview

Three vulnerabilities have been found in Microsoft Internet Explorer that would allow an attacker to obtain complete control of the affected system. These vulnerabilities can be exploited if a user visits a malicious web site or a legitimate web site that may contain advertisements that have had malicious code inserted into them. Two of the three vulnerabilities have public exploit code available. Microsoft has released three security bulletins, one addressing each of the vulnerabilities. We are including the three security bulletins in one advisory because they share common exploit mechanisms, workarounds, and risk potential, and to emphasize that they should all be applied together to effectively protect users.

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based systems
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Data Access Components 2.5 Service Pack 3 on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 Service Pack 1 on Microsoft Windows XP Service Pack 2
  • Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003
  • Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003 for Itanium-based Systems
  • Microsoft Data Access Components 2.7 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 for Windows XP Service Pack 2
  • Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition
  • Microsoft Internet Explorer 6 for Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Internet Explorer 6 for Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition
  • Windows Internet Explorer 7 for Windows XP Service Pack 2
  • Windows Internet Explorer 7 for Windows XP Professional x64 Edition
  • Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1
  • Windows Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Internet Explorer 7 for Windows Server 2003 x64 Edition

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users:

  • High

Description

Three new vulnerabilities have been found to be exploitable through Microsoft Internet Explorer that would allow arbitrary code execution on Microsoft systems. 

The first vulnerability (MS07-008) is due to a flaw in the HTML Help ActiveX control. Exploitation of this vulnerability could occur if a user visits a Web site that contains malicious content, and could lead to the execution of arbitrary code. The code would be executed with the privileges of the user that is running Internet Explorer.

The second vulnerability (MS07-009) exists in the ADODB.Connection ActiveX control that is included in Internet Explorer as part of Microsoft Data Access Components (MDAC). A Web site that hosts malicious code can pass unexpected data to this ActiveX control, which could cause Internet Explorer to fail in a way that would allow code execution.

The third vulnerability (MS07-016) exists in the way Internet Explorer instantiates certain COM objects as ActiveX controls. If a malicious COM object is read by Internet Explorer, it may corrupt the system state in a way that lets an attacker execute arbitrary code. This COM object could be placed either on a Web site that hosts user-posted content or on a site that contains malicious content.

Note:  By default, Server 2003 runs Internet Explorer in a restricted mode that sets the security level to high. This prevents users from going to sites that have not been added to the trusted zone. Internet Explorer 7, by default, does not include COM Objects in the allow-list for ActiveX controls. However, if the user had upgraded from a previous version of Internet Explorer that had allowed these COM Objects, the COM Objects will still be allowed in Internet Explorer 7. In this case the user would have to disable the COM Objects for their ActiveX controls.

An attacker who successfully exploited a system with any of the three vulnerabilities mentioned could take complete control of an affected system. If the user running Internet Explorer is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

Recommendations

We recommend the following actions be taken:

  • Apply the appropriate patches provided by Microsoft to vulnerable systems as soon as possible after appropriate testing.
  • Do not visit unknown or un-trusted Web sites or follow links provided by unknown or un-trusted sources.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX controls in the Internet Zone.


February 6, 2007

Daylight Saving Time

This information bulletin discusses the changes in the federal law regarding Daylight Saving Time. The purpose of this bulletin is to inform the community of possible issues and to provide recommendations to minimize problems.

Bulletin

The Energy Policy Act of 2005 amends the Uniform Time Act of 1966 by changing the start and end dates of daylight saving time beginning in 2007. Originally, clocks were set ahead one hour on the first Sunday of April and set back on the last Sunday of October. Under the amendment, clocks are set ahead one hour on the second Sunday of March and set back on the first Sunday of November. This change could cause complications for services that rely on time-stamped data, such as databases, mail servers, NTP servers, firewalls, switches, backup and storage systems, printers, PBX systems, fax machines, voice mail systems, interactive voice response (IVR) systems, automated call distributor (ACD) systems, copiers, cell phones and PDA devices. Issues may also arise for client/server computer systems, such as authentication services, and for other technology services that rely on time-stamped information.

There could also be complications in applications that use time-stamped data. We are aware of patches for the Sun Java Runtime Environment (JRE); these should be applied, and any other applications or application environments should be checked to make sure that they will correctly handle the new daylight saving time rules.

Windows 2000 has passed the end of Mainstream Support and will not be receiving an update without Extended Hotfix Support.  Windows XP SP 1 is no longer supported and will not be receiving an update for this issue.  Patches are available for Windows XP SP2, Windows Server 2003, and Windows Server SP1.  Please confirm with your vendors the needed steps to assure that device times are kept accurate.

Recommendations

  • Identify all time dependent applications.
  • Update and apply all appropriate patches to applicable systems after appropriate testing.
  • Ensure that your users are aware of the change and pay particular attention to calendar entries during the new daylight saving time periods.
  • Validate that all critical systems have the correct time after each rotation of DST to mitigate any possible issues on those hosts.
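
The validation step above can be scripted. The following is an added example, not part of the original bulletin: it derives the 2007 dates on which hosts using the old and new rules disagree, and classifies a host's reported wall-clock time against a trusted UTC reference. The host names, the readings, the US Central standard offset (UTC-6) and the two-minute tolerance are constructed assumptions.

```python
from datetime import date, datetime, time, timedelta

def nth_sunday(year, month, n):
    """Date of the n-th Sunday (1-based) in the given month."""
    first = date(year, month, 1)
    to_sunday = (6 - first.weekday()) % 7      # weekday(): Monday=0 .. Sunday=6
    return first + timedelta(days=to_sunday + 7 * (n - 1))

def last_sunday(year, month):
    """Date of the last Sunday in the given month."""
    last = date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def old_rule(year):
    """Rule before the amendment: first Sunday of April to last Sunday of October."""
    return nth_sunday(year, 4, 1), last_sunday(year, 10)

def new_rule(year):
    """Amended rule: second Sunday of March to first Sunday of November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)

def mismatch_windows(year):
    """Date ranges in which an unpatched host runs one hour behind."""
    (old_start, old_end), (new_start, new_end) = old_rule(year), new_rule(year)
    return [(new_start, old_start), (old_end, new_end)]

def local_time(utc, std_offset_hours, rule):
    """Wall-clock time a host shows for a naive UTC instant under a DST rule."""
    std = utc + timedelta(hours=std_offset_hours)
    start, end = rule(std.year)
    # DST begins at 02:00 standard time and ends at 02:00 daylight
    # time, which is 01:00 on the standard clock.
    dst = datetime.combine(start, time(2)) <= std < datetime.combine(end, time(1))
    return std + timedelta(hours=1 if dst else 0)

def classify(utc, reported_local, std_offset_hours, tolerance=timedelta(minutes=2)):
    """'ok', 'old-rules' (host still uses the old dates) or 'clock-error'."""
    def near(rule):
        expected = local_time(utc, std_offset_hours, rule)
        return abs(reported_local - expected) <= tolerance
    if near(new_rule):
        return "ok"
    if near(old_rule):
        return "old-rules"
    return "clock-error"

# Constructed readings: (host, trusted UTC reference, time the host reported).
READINGS = [
    ("db01",   datetime(2007, 3, 20, 18, 0),  datetime(2007, 3, 20, 13, 0)),
    ("pbx01",  datetime(2007, 3, 20, 18, 0),  datetime(2007, 3, 20, 12, 1)),
    ("fw01",   datetime(2007, 10, 30, 18, 0), datetime(2007, 10, 30, 12, 0)),
    ("mail01", datetime(2007, 7, 1, 18, 0),   datetime(2007, 7, 1, 13, 0)),
    ("ivr01",  datetime(2007, 3, 20, 18, 0),  datetime(2007, 3, 20, 14, 30)),
]

def audit(readings, std_offset_hours=-6):
    """Classify every reading; -6 is US Central standard time (assumption)."""
    return [(host, classify(utc, local, std_offset_hours))
            for host, utc, local in readings]

if __name__ == "__main__":
    for start, end in mismatch_windows(2007):
        print("unpatched hosts are one hour behind from", start, "to", end)
    for host, status in audit(READINGS):
        print(host, status)
```

Outside the two windows both rule sets agree, so a host that reads "ok" in July can still be unpatched; run the check inside a window.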

References

 

Cisco:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00807ca437.shtml

Oracle:
http://blogs.oracle.com/schan/2006/11/29#a988

Microsoft:
http://www.microsoft.com/windows/timezone/dst2007.mspx

Sun Solaris:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102775-1

Sun Java:
http://java.sun.com/developer/technicalArticles/Intl/USDST/

IBM:
http://www.ibm.com/support/alerts/us/en/daylightsavingstimealert.html

Novell:
http://www.novell.com/support/search.do?cmd=displayKC&sliceId=SAL_Public&externalId=3397648

Apple:
http://docs.info.apple.com/article.html?artnum=303411

RedHat:
http://rhn.redhat.com/errata/RHEA-2005-656.html

Juniper:
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=02520301412e75010ed2ca5414006fc5

MySQL:
http://dev.mysql.com/doc/refman/5.0/en/time-zone-support.html

United States Code (Energy Policy Act of 2005):
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_public_laws&docid=f:publ058.109

Incidents.org:
http://www.incidents.org/diary.html?storyid=2142&dshield=2174350af985659f79babe046f9d6238

Symantec:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2007011911191539?Open&src=w


January 25, 2007

MS-ISAC Advisory - Multiple Vulnerabilities in Cisco IOS

MS-ISAC ADVISORY NUMBER: 2007-004

Risk: High Importance: High

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER ADVISORY

Subject

Multiple Vulnerabilities in Cisco IOS

Overview

Multiple vulnerabilities have been found in several versions of Cisco network devices including their switches and routers which could allow an attacker to cause a Denial of Service or execute commands by sending specially-formatted network traffic to an affected device.

At this time, there are no known successful compromises or public attack tools for these vulnerabilities. In addition, it is important to note that Cisco PIX firewalls are not affected.

Systems Affected

  • Cisco IOS software versions 9.x, 10.x, 11.x and 12.x
  • Cisco IOS XR software versions 2.0.X, 3.0.X, and 3.2.X.

Risk

Government:

  • Large and medium government entities: High

  • Small government entities: High

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

Home users:

  • Not applicable

Description

The first vulnerability exists in the Cisco IOS listener. An attacker can exploit this vulnerability by sending a specially crafted malicious TCP packet to a Cisco device running an affected IOS. Traffic passing through the Cisco device to another host does not pose a risk. If the attack is successful, it may result in a denial of service condition by causing memory leaks, potentially causing memory exhaustion over time. This vulnerability only affects devices currently running the Internet Protocol version 4 (IPv4). An attacker is not required to complete a full 3-way TCP handshake to carry out this attack.

The second vulnerability exists in IOS's failure to properly process specially-crafted IP options data in certain types of IPv4 packets. Specifically, Internet Control Message Protocol (ICMP), Protocol Independent Multicast version 2 (PIMv2), Pragmatic General Multicast (PGM), or URL Rendezvous Directory (URD) packets can be used to exploit this vulnerability. An attacker who exploits this vulnerability may be able to cause a Denial of Service or execute code on a vulnerable device.

Cisco also announced a vulnerability that can be exploited by malformed IPv6 packets. An attacker can exploit this vulnerability by sending specially crafted IPv6 Type 0 Routing headers, which are used for source routing. As IPv6 is not enabled by default in Cisco IOS and IPv6 is not widely deployed in most businesses and government organizations, we are considering this vulnerability to be a lower risk than the other two at this time.

At this time, there are no known successful compromises or attack tools for these vulnerabilities.
CVE: CVE numbers have not yet been assigned to these vulnerabilities.
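
For monitoring until devices are upgraded, the packet classes named in the second vulnerability can be picked out of captured traffic. The following is an added example, not part of the original advisory or of Cisco's guidance: it flags IPv4 packets that carry IP options and belong to ICMP, PIMv2, PGM or URD. The protocol numbers (ICMP 1, PIM 103, PGM 113) and the URD TCP port (465) are taken from the IANA registries as assumptions, not from this page, and the sample packets are constructed.

```python
import struct

WATCHED_PROTOCOLS = {1: "ICMP", 103: "PIMv2", 113: "PGM"}   # IANA numbers (assumption)
URD_TCP_PORT = 465                                          # IANA "urd" port (assumption)

def parse_ipv4(packet):
    """Return (protocol, option_bytes, payload) for a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    header_len = ihl * 4
    if version != 4 or ihl < 5 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    # Anything between byte 20 and the end of the header is IP options.
    return packet[9], packet[20:header_len], packet[header_len:]

def option_types(options):
    """Walk the option list with bounds checks; return the option type numbers."""
    types, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation, single byte
            types.append(kind)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option truncated before its length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length runs outside the header")
        types.append(kind)
        i += length
    return types

def flag(packet):
    """None if not of interest, else (protocol_name, option_types, well_formed)."""
    protocol, options, payload = parse_ipv4(packet)
    if not options:
        return None
    name = WATCHED_PROTOCOLS.get(protocol)
    if protocol == 6 and len(payload) >= 4:            # TCP: check destination port
        if struct.unpack("!H", payload[2:4])[0] == URD_TCP_PORT:
            name = "URD"
    if name is None:
        return None
    try:
        return name, option_types(options), True
    except ValueError:
        return name, [], False                         # options present but malformed

def build(protocol, options=b"", payload=b""):
    """Constructed test packet; checksum left at 0, documentation addresses."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         20 + len(options) + len(payload), 0, 0, 64, protocol, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + payload

TCP_TO_URD = struct.pack("!HH", 40000, URD_TCP_PORT) + bytes(16)
SAMPLES = {
    "icmp-router-alert": build(1, bytes([148, 4, 0, 0]), bytes(8)),
    "icmp-no-options":   build(1, b"", bytes(8)),
    "udp-with-options":  build(17, bytes([1, 1, 1, 0]), bytes(8)),
    "urd-with-nops":     build(6, bytes([1, 1, 1, 0]), TCP_TO_URD),
    "pgm-bad-length":    build(113, bytes([148, 9, 0, 0]), bytes(8)),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, flag(packet))
```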

Recommendations

We recommend that all of the following actions be taken:

  • Consider upgrading to a version of IOS that is not affected by these vulnerabilities.

  • Software upgrades can be obtained from Cisco for free by all affected customers. If applying the patches is not an option at this time, consider implementing the workarounds described in the Cisco advisories.



January 5, 2007

Adobe Acrobat Reader Plugin is Prone to Cross-Site Scripting Attacks

Source: Multi-State Information Sharing and Analysis Center Cyber Advisory

MS-ISAC ADVISORY NUMBER: 2007-001

Overview

A vulnerability has been found in multiple versions of the Adobe Acrobat Reader Plugin, which allows users to view Portable Document Format (PDF) files via a web browser such as Internet Explorer or Firefox. The Adobe Acrobat Reader installs the plugin by default. Please note that only the Adobe Acrobat Reader Plugin is vulnerable to this attack. This vulnerability can be exploited if an attacker can convince a user to click on a maliciously crafted link (URL) to open a PDF document. The vulnerability does not exist in the PDF document but in the parameters passed to the plugin. An attacker may be able to use this vulnerability to steal sensitive information from a user’s computer or force the user’s computer to visit arbitrary Web sites.

Systems Affected

  • Adobe Acrobat Reader 6.0.1
  • Adobe Acrobat Reader 6.0.2
  • Adobe Acrobat Reader 6.0.3
  • Adobe Acrobat Reader 6.0.4
  • Adobe Acrobat Reader 7.0.0
  • Adobe Acrobat Reader 7.0.1
  • Adobe Acrobat Reader 7.0.2
  • Adobe Acrobat Reader 7.0.3
  • Adobe Acrobat Reader 7.0.4
  • Adobe Acrobat Reader 7.0.5
  • Adobe Acrobat Reader 7.0.6
  • Adobe Acrobat Reader 7.0.
  • Adobe Acrobat Standard, Professional and Elements 7.0.8 and earlier
  • Adobe Acrobat 3D

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home Users: High

Description

Adobe Reader Plugin is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user input. Cross-site scripting is a vulnerability found in Web applications that unintentionally allows for code injection into the Web pages being viewed by other users. Attackers can inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application and force this code to execute on a user’s machine. The results of a successful XSS attack include the execution of code on a user’s computer, forcing the user’s computer to visit arbitrary Web sites, and theft of cookie data. Stealing cookie data may permit the attacker to impersonate the user and hijack Web applications that use cookies for session management.

The Adobe Reader plugin has a feature called “Open Parameters” that may be used through a URI to specify certain parameters when viewing a PDF. These parameters are not properly sanitized for malicious content. An attacker can craft malicious URI parameters to allow for the execution of arbitrary JavaScript in vulnerable web browsers in the context of a site hosting a PDF file. As a result, an attacker might be able to use the PDF vulnerability to steal cookie based authentication credentials or exploit other client-side vulnerabilities.

Based on information provided by Adobe and other vendors, Adobe’s Acrobat Reader version 8.0.0, and Internet Explorer running Windows XP SP 2 with Acrobat Reader 5.0 or higher are not affected by this vulnerability. We have tested these configurations and confirmed this information.

Proof of concept code has been made available to the public.

Recommendations

We recommend the following actions be taken:

  • Upgrade Adobe Reader to version 8.0.0 as soon as possible. The latest version can be found at: http://www.adobe.com/products/reader/
  • Do not visit unknown or un-trusted Web sites, or follow links provided by unknown or un-trusted email messages, Web sites, and other sources.
  • Only browse the Internet as a non-privileged user (one without administrative privilege) to diminish the effects of a successful attack.
  • Consider configuring Web browsers so they do not use this plugin to open PDF files.
  • Consider configuring Web browsers to disable the execution of JavaScript and other active content. Please note that this may break the functionality of some Web sites and applications.




Click on the link to view alerts posted from 2002-2006 - PDF

This site is a reference site. The links provide information security professionals and business continuity planners with a comprehensive listing of references to find answers, learn, and stay abreast of the newest information. Some of the information provided on these sites is from commercial vendors; its inclusion is not an endorsement of any kind. It is used for informational purposes only.

For more information, please contact the DIR Security Division.