@RISK: The Consensus Security Vulnerability Alert
Week 11 2012



This is a weekly newsletter that provides in-depth analysis of
the latest vulnerabilities with straightforward remediation advice. Qualys
supplies a large part of the newly-discovered vulnerability content used in
this newsletter.


Summary of Updates and Vulnerabilities in this Consensus
Platform                        Number of Updates and Vulnerabilities

Windows                                    4 (#2)
Other Microsoft Products                   2
Third Party Windows Apps                   4 (#1,#3)
Cross Platform                             7
Web Application - Cross Site Scripting     4
Web Application - SQL Injection            1
Web Application                            4

Part I -- Critical Vulnerabilities from HP TippingPoint (dvlabs.tippingpoint.com)
Widely Deployed Software
(1) HIGH: Google Chrome Sandbox Escapes
(2) HIGH: Microsoft Remote Desktop Protocol Vulnerability
(3) HIGH: Mozilla Firefox Use-After-Free Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys
(www.qualys.com)
-- Windows
12.11.1  - Microsoft Remote Desktop Protocol Multiple Vulnerabilities
12.11.2  - Microsoft Windows DNS Server Remote Denial of Service
12.11.3  - Microsoft Windows Kernel "Win32k.sys" Local Privilege Escalation
12.11.4  - Microsoft Windows "DirectWrite" API Denial of Service
-- Other Microsoft Products
12.11.5  - Microsoft Expression "wintab32.dll" DLL Loading Arbitrary Code Execution
12.11.6  - Microsoft Visual Studio Add-In Local Privilege Escalation
-- Third Party Windows Apps
12.11.7  - DAEMON Tools "IOCTL" Handling Local Privilege Escalation
12.11.8  - VMware vCenter Chargeback Manager Information Disclosure and Denial of Service Vulnerabilities
12.11.9  - XnView Multiple Buffer Overflow Vulnerabilities
12.11.10 - Vegas Movie Studio HD "CFHDDecoder.dll" DLL Loading Arbitrary Code Execution
-- Cross Platform
12.11.11 - IBM DB2 Multiple Security Vulnerabilities
12.11.12 - IBM Maximo Asset Management Multiple Security Vulnerabilities
12.11.13 - Expat XML Parsing Multiple Remote Denial of Service
12.11.14 - Google Chrome Remote Code Execution
12.11.15 - OpenLDAP LDAP Search Request Remote Denial of Service
12.11.16 - Apple Safari International Domain Name URI Spoofing
12.11.17 - Mozilla Firefox/Thunderbird/SeaMonkey "shlwapi.dll" Use-After-Free Memory Corruption
-- Web Application - Cross Site Scripting
12.11.18 - Splunk Unspecified Cross-Site Scripting
12.11.19 - SquirrelMail Autocomplete Plugin Email Addresses Cross-Site Scripting
12.11.20 - EJBCA "issuer" Parameter Cross-Site Scripting
12.11.21 - Synology Photo Station "photo_one.php" Script Cross-Site Scripting
-- Web Application - SQL Injection
12.11.22 - Aurora WebOPAC "txtEmailAliasBarcode" Parameter SQL Injection
-- Web Application
12.11.23 - LotusCMS Multiple PHP Code Execution Vulnerabilities
12.11.24 - Jenkins Multiple Cross-Site Scripting and Directory Traversal Vulnerabilities
12.11.25 - Zend Server Multiple HTML Injection Vulnerabilities
12.11.26 - Invision Power Board Unspecified HTML Injection

PART I Critical Vulnerabilities
Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process

(1) HIGH: Google Chrome Sandbox Escapes
Affected
Google Chrome Prior to 17.0.963.79
Description Google has released an update for its Chrome web browser
that addresses two flaws reported in Google's recent Pwnium contest. The
undisclosed vulnerabilities can be used by attackers to bypass the
Chrome sandbox. Browser sandboxes like Chrome's are used to mitigate the
damage done by code execution vulnerabilities. Just like user accounts
restrict the way users can access operating system objects, browser
sandboxes can restrict access to memory, the filesystem, and other
resources that could be used to cause trouble. By enticing a target to
view a malicious page, an attacker can exploit this vulnerability in
order to execute arbitrary code on the target's machine with the
permissions of the logged-in user.
Status vendor confirmed, updates available
References
Vendor Site
http://www.google.com
Google Stable Channel Update
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.html
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-update.html
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/52369
http://www.securityfocus.com/bid/52395

(2) HIGH: Microsoft Remote Desktop Protocol Vulnerability
Affected
Windows 7
Windows Server 2003
Windows Server 2008
Windows Vista
Windows XP
Description As part of its Patch Tuesday program, Microsoft has
released patches for a memory corruption vulnerability affecting its
Remote Desktop Protocol, which is disabled by default on Windows
machines. By sending a malicious request, an attacker can exploit this
vulnerability in order to execute arbitrary code on the target's
machine.
Status vendor confirmed, updates available
References
Vendor Site
http://www.microsoft.com
Microsoft Security Bulletin
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/52353

(3) HIGH: Mozilla Firefox Use-After-Free Vulnerability
Affected
Firefox prior to 11.0
Description Mozilla has released a patch for its Firefox web browser.
The vulnerability is due to memory on the heap being used after being
freed, and it can be triggered when a new parent window causes a child
window using the file open dialog box to close. By enticing a target to
view a malicious page, it is possible that an attacker could exploit
this vulnerability in order to execute arbitrary code on the target's
machine.
Status vendor confirmed, updates available
References
Vendor Site
http://www.mozilla.org
Mozilla Security Advisory
http://www.mozilla.org/security/announce/2012/mfsa2012-12.html
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/52455

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys
(www.qualys.com)
This list is compiled by Qualys (www.qualys.com) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 13467 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

12.11.1 CVE CVE-2012-0002,CVE-2012-0152
Platform Windows
Title Microsoft Remote Desktop Protocol Multiple Vulnerabilities
Description Microsoft Remote Desktop Protocol is a protocol that
allows users to connect to remote desktops. The protocol is exposed to
multiple issues. See reference for detailed information.
All supported releases of Microsoft Windows are affected.
Ref http://technet.microsoft.com/en-us/security/bulletin/MS12-020

12.11.2 CVE CVE-2012-0006
Platform Windows
Title Microsoft Windows DNS Server Remote Denial of Service
Description The Microsoft Windows DNS Server is exposed to a remote
denial of service issue. This issue occurs because the application
fails to properly handle uninitialized objects when looking up a
resource record for a domain that does not exist. The issue
can be exploited by sending a specially crafted DNS query to the
affected server. All supported editions of Windows Server 2003 32-bit
and x64-based editions of Windows Server 2008 and x64-based editions
of Windows Server 2008 R2 are affected.
Ref http://technet.microsoft.com/en-us/security/bulletin/MS12-017

12.11.3 CVE CVE-2012-0157
Platform Windows
Title Microsoft Windows Kernel "Win32k.sys" Local Privilege
Escalation
Description The "Win32k.sys" kernel-mode device driver provides
various functions such as the window manager, collection of user
input, screen output and Graphics Device Interface. It also
serves as a wrapper for DirectX support. Microsoft Windows is exposed
to a local privilege escalation issue that occurs in the Windows
kernel "Win32k.sys" kernel-mode device driver. See reference for
detailed information. All supported releases of Microsoft Windows are
affected.
Ref http://technet.microsoft.com/en-us/security/bulletin/MS12-018

12.11.4 CVE CVE-2012-0156
Platform Windows
Title Microsoft Windows "DirectWrite" API Denial of Service
Description Microsoft Windows is exposed to a remote denial of
service issue because the "DirectWrite" API incorrectly renders a
specially crafted sequence of Unicode characters in memory. See
reference for detailed information. All supported editions of Windows
Vista, Windows Server 2008 (except Windows Server 2008 for
Itanium-based Systems), Windows 7 and Windows Server 2008 R2 are
affected.
Ref http://technet.microsoft.com/en-us/security/bulletin/MS12-019

12.11.5 CVE CVE-2012-0016
Platform Other Microsoft Products
Title Microsoft Expression "wintab32.dll" DLL Loading Arbitrary Code
Execution
Description Microsoft Expression Web is a web design tool for
creating standards-based Web sites. The application is exposed to an
issue that lets attackers execute arbitrary code. The issue arises
because the application searches for the "wintab32.dll" Dynamic Link
Library file in the current working directory. See reference for
detailed information. All supported releases of Microsoft Expression
Design are affected.
Ref http://technet.microsoft.com/en-us/security/bulletin/ms12-022

12.11.6 CVE CVE-2012-0008
Platform Other Microsoft Products
Title Microsoft Visual Studio Add-In Local Privilege Escalation
Description Microsoft Visual Studio is an application development
environment for Microsoft Windows. The application is exposed to a
local privilege escalation issue. Specifically the issue occurs
because Visual Studio loads add-ins from insecure file locations. See
reference for detailed information. All supported editions of
Microsoft Visual Studio 2008 and Microsoft Visual Studio 2010 are
affected.
Ref http://technet.microsoft.com/en-us/security/bulletin/MS12-021

12.11.7 CVE Not Available
Platform Third Party Windows Apps
Title DAEMON Tools "IOCTL" Handling Local Privilege Escalation
Description DAEMON Tools is an optical media emulation application
for Microsoft Windows. The application is exposed to a local privilege
escalation issue due to an indexing error when processing the
0x00222850 "IOCTL" in dtsoftbus01.sys. DAEMON Tools Lite 4.41.3.0173
and DAEMON Tools Pro Standard/Advanced 4.41.0315.0262 are affected.
Ref http://www.securityfocus.com/bid/52417/discuss

12.11.8 CVE CVE-2012-1472
Platform Third Party Windows Apps
Title VMware vCenter Chargeback Manager Information Disclosure and
Denial of Service Vulnerabilities
Description VMware vCenter Server is used to manage VMware vSphere,
which provides the unified management of all server hosts. The application
is exposed to an information disclosure issue and a denial of service
issue. Specifically, the issue is triggered when handling a specially
crafted XML API request. vCenter Chargeback Manager versions prior to
2.0.1 are vulnerable.
Ref
https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html#aboutrelease
http://www.securityfocus.com/bid/52376/discuss

12.11.9 CVE Not Available
Platform Third Party Windows Apps
Title XnView Multiple Buffer Overflow Vulnerabilities
Description XnView is a graphics application available for Microsoft
Windows. The application is exposed to multiple buffer overflow
issues. A heap-based buffer overflow issue affects the application
when processing a specially crafted "FPX" file. Specifically, the
issue affects the "Xfpx.dll" library due to a signedness error. A
stack-based buffer overflow issue occurs due to a boundary error when
parsing a directory name while browsing folders. A heap-based
buffer overflow issue affects the application when processing a
specially crafted "PCX" file. XnView 1.98.5 is vulnerable and other
versions may also be affected.
Ref http://www.securityfocus.com/bid/52405/discuss

12.11.10 CVE Not Available
Platform Third Party Windows Apps
Title Vegas Movie Studio HD "CFHDDecoder.dll" DLL Loading Arbitrary
Code Execution
Description Vegas Movie Studio HD is video editing software. The
application is exposed to an issue that lets attackers execute
arbitrary code. The issue arises because the application searches for
the "CFHDDecoder.dll" Dynamic Link Library file in the current working
directory. The issue can be exploited by placing both a specially
crafted library file and a file associated with the vulnerable
application in an attacker controlled location. Using the application
to open the associated file will cause the malicious library file to
be executed. Reportedly, the issue arises when the application opens
the following file types: Project (".VF") and Perfect Clarity Audio
(".PCA"). Vegas Movie Studio HD version 11.0 Build 37, Vegas Movie
Studio HD Platinum version 11.0 Build 283 are affected.
Ref http://www.securityfocus.com/bid/52410/references
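
The two DLL-loading entries above (12.11.5 and 12.11.10) are the same class of bug: the loader walks a fixed search order and the application's directory does not contain the library, so the lookup falls through to the current working directory, which is set by the document the user opened. The following Python model of that search order is an added example, not code from Sony, Microsoft or the newsletter; the directory layout, file names and paths in `example_env` are constructed for illustration, and the model assumes SafeDllSearchMode (the default on supported Windows releases), where the current directory is searched after the system directories but before PATH.

```python
"""Model of the Windows DLL search order, used to spot library loads that
would resolve from a directory an attacker can influence.
Added example; not the vendor's code. Directory contents below are
constructed, not read from a real host."""
from dataclasses import dataclass

# Order the loader uses when SafeDllSearchMode is enabled: application dir,
# System32, 16-bit system dir, Windows dir, current working directory, PATH.
SAFE_SEARCH_ORDER = ("app", "system32", "system", "windows", "cwd", "path")

# Roles whose directory is commonly writable by a non-admin user: the CWD is
# the folder of the opened document; PATH entries are frequently user-writable.
UNTRUSTED_ROLES = {"cwd", "path"}


@dataclass
class SearchEnv:
    """Which role maps to which directory, and what each directory holds."""
    dirs: dict        # role -> directory path; role "path" -> list of dirs
    contents: dict    # directory path -> set of lower-cased file names

    def candidates(self):
        """Yield (role, directory) pairs in loader search order."""
        for role in SAFE_SEARCH_ORDER:
            if role == "path":
                for d in self.dirs.get("path", []):
                    yield role, d
            elif role in self.dirs:
                yield role, self.dirs[role]

    def resolve(self, dll_name):
        """Return the (role, directory) the loader would pick, or None."""
        name = dll_name.lower()
        for role, d in self.candidates():
            if name in self.contents.get(d, set()):
                return role, d
        return None


def hijackable(env, dll_name):
    """True if the DLL resolves from a directory an attacker can influence."""
    hit = env.resolve(dll_name)
    return hit is not None and hit[0] in UNTRUSTED_ROLES


def example_env(dll_in_app_dir):
    """Constructed layout (hypothetical paths): the application's install
    directory, the Windows system directories, and a CWD standing in for the
    folder of a double-clicked .VF project file."""
    app = r"C:\Program Files\Sony\Vegas Movie Studio HD 11.0"
    cwd = r"C:\Users\public\Downloads"
    contents = {
        app: {"vegasmoviestudio.exe"},
        r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
        cwd: {"project.vf", "cfhddecoder.dll"},   # planted library beside the file
    }
    if dll_in_app_dir:
        contents[app].add("cfhddecoder.dll")       # vendor ships it in the app dir
    return SearchEnv(
        dirs={"app": app, "system32": r"C:\Windows\System32",
              "windows": r"C:\Windows", "cwd": cwd, "path": [r"C:\Tools"]},
        contents=contents,
    )


if __name__ == "__main__":
    for shipped in (False, True):
        env = example_env(shipped)
        print("dll in app dir:", shipped,
              "resolves from:", env.resolve("CFHDDecoder.dll"),
              "hijackable:", hijackable(env, "CFHDDecoder.dll"))
```

Run stand-alone it prints that the library resolves from the CWD when the application directory lacks it and from the application directory once the vendor ships it there. The fix belongs to the vendor (load optional libraries by absolute path or restrict the search with `SetDllDirectory`), but administrators can remove the current directory from the search order system-wide with the `CWDIllegalInDllSearch` registry value Microsoft documents in KB2264107, and the model above is a convenient way to reason about which loads that change affects.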

12.11.11 CVE Not Available
Platform Cross Platform
Title IBM DB2 Multiple Security Vulnerabilities
Description IBM DB2 is a database application available for multiple
platforms. The application is exposed to multiple security issues.  See
reference for further details. IBM DB2 versions prior to 9.5 Fix Pack 9
are vulnerable.
Ref http://www.securityfocus.com/bid/52326/references
http://www-01.ibm.com/support/docview.wss?uid=swg21586193

12.11.12 CVE
CVE-2012-0195,CVE-2011-4819,CVE-2011-4818,CVE-2011-4817,CVE-2011-4816,CVE-2011-1397,CVE-2011-1396,CVE-2011-1395,CVE-2011-1394
Platform Cross Platform
Title IBM Maximo Asset Management Multiple Security Vulnerabilities
Description IBM Maximo Asset Management unifies asset life cycle and
maintenance management on a single platform. The application is
exposed to multiple security issues. See reference for further
information. Maximo Asset Management V7.5, V7.1 and V6.2, Maximo Asset
Management Essentials V7.5, V7.1 and V6.2, Tivoli Asset Management for
IT V7.1, V7.2, V6.2, Tivoli Service Request Manager V7.1, V7.2, Maximo
Service Desk 6.2, Change and Configuration Management Database V7.1,
V7.2, V6.2 are affected.
Ref http://www-01.ibm.com/support/docview.wss?uid=swg21584666

12.11.13 CVE CVE-2012-0876,CVE-2012-1148,CVE-2012-1147
Platform Cross Platform
Title Expat XML Parsing Multiple Remote Denial of Service
Description Expat is a C library used for parsing XML documents. The
library is exposed to multiple issues because it fails to properly handle
specially crafted XML data. One denial of service issue is due to a
resource leak in the "readfilemap.c" file. Another is due to a memory
leak in "poolGrow". A third is related to hash table collisions. Expat
versions prior to 2.1.0 are vulnerable.
Ref http://www.securityfocus.com/bid/52379/references
http://sourceforge.net/projects/expat/files/expat/2.1.0/
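
The hash-table-collision entry above is the "hash flooding" pattern: when a parser's string hash is predictable, an input can be written so that every name lands in the same bucket and each lookup degrades to a linear scan. The following Python example, added here and not Expat's code, illustrates the effect and the usual mitigation (a per-process random salt mixed into the hash). The additive `weak_hash` is a deliberately weak stand-in, not Expat's hash function, and the colliding key set is constructed.

```python
"""Hash-flooding illustration: a predictable hash lets an input choose keys
that all share a bucket; a secret salt removes the predictability.
Added example, not Expat's code. weak_hash is a deliberately weak stand-in."""
import hashlib
import itertools
import secrets
from collections import defaultdict

N_BUCKETS = 256


def weak_hash(key: bytes) -> int:
    """Order-insensitive hash: any permutation of the same bytes collides."""
    return sum(key) % N_BUCKETS


def salted_hash(key: bytes, salt: bytes) -> int:
    """Keyed hash: the bucket depends on a secret the input cannot know."""
    digest = hashlib.blake2b(key, key=salt, digest_size=4).digest()
    return int.from_bytes(digest, "big") % N_BUCKETS


def max_chain_length(keys, hash_fn) -> int:
    """Longest bucket chain, i.e. the worst-case lookup cost for this key set."""
    buckets = defaultdict(int)
    for k in keys:
        buckets[hash_fn(k)] += 1
    return max(buckets.values()) if buckets else 0


def crafted_keys():
    """Constructed input: 720 distinct names that all collide under weak_hash
    (every permutation of the same six bytes has the same byte sum)."""
    return [bytes(p) for p in itertools.permutations(b"abcdef")]


def compare(salt=None):
    """Worst-case chain length for the same keys under both hashes.
    A fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    keys = crafted_keys()
    return {
        "keys": len(keys),
        "weak_max_chain": max_chain_length(keys, weak_hash),
        "salted_max_chain": max_chain_length(keys, lambda k: salted_hash(k, salt)),
    }


if __name__ == "__main__":
    print(compare())
```

With the weak hash all 720 keys sit in one chain; with the salted hash they spread over the 256 buckets in the usual way. The salt must be unpredictable per process (here `secrets.token_bytes`), because a fixed salt just becomes part of the hash an attacker can precompute against. A collision-resistant hash alone is not enough either: what matters is that the bucket mapping is not knowable in advance.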

12.11.14 CVE CVE-2011-3047
Platform Cross Platform
Title Google Chrome Remote Code Execution
Description Google Chrome is a web browser for multiple platforms.
The application is exposed to a remote code execution issue.
Specifically, the issue exists in the GPU process and occurs due to a
memory corruption flaw in the plug-in loading mechanism. Google Chrome
versions prior to 17.0.963.79 are vulnerable.
Ref http://www.securityfocus.com/bid/52395/references

12.11.15 CVE Not Available
Platform Cross Platform
Title OpenLDAP LDAP Search Request Remote Denial of Service
Description OpenLDAP is an implementation of the Lightweight
Directory Access Protocol. The implementation is exposed to a
remote denial of service issue. Specifically, the issue occurs when
processing a crafted LDAP search request with "attrsOnly" set to true.
OpenLDAP versions prior to 2.4.30 are affected.
Ref http://www.securityfocus.com/bid/52404/references
http://www.openldap.org/software/release/changes.html

12.11.16 CVE CVE-2012-0584
Platform Cross Platform
Title Apple Safari International Domain Name URI Spoofing
Description Apple Safari is a web browser available for Mac OS X and
Microsoft Windows. The application is affected by a URI spoofing issue
because it fails to adequately handle unspecified characters in IDN
domains. Versions prior to Apple Safari 5.1.4 on Windows systems are
vulnerable.
Ref
http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html
http://www.securityfocus.com/bid/52419/discuss
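
The IDN spoofing entry above is about look-alike hostnames: a label whose characters come from more than one script (a Cyrillic "а" among Latin letters, for instance) renders identically to a legitimate name. The following Python check, an added example and not Apple's code, decodes punycode with the standard-library `idna` codec and flags any label that mixes scripts. It uses only the standard library; the sample hostnames in the test are constructed.

```python
"""Flag hostnames whose labels mix Unicode scripts, one cheap way to surface
look-alike IDNs before they are shown to a user.
Added example, not Apple's code. Standard library only."""
import unicodedata

# Characters treated as script-neutral inside a label (allowed in any label).
NEUTRAL = set("0123456789-")


def decode_host(host: str) -> str:
    """Return the Unicode form of a host given as punycode (xn--) or Unicode."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def script_of(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label: str) -> set:
    """Set of scripts used by the non-neutral characters of one label."""
    return {script_of(c) for c in label if c not in NEUTRAL}


def is_mixed_script(host: str) -> bool:
    """True if any label of the host combines more than one script."""
    return any(len(label_scripts(lbl)) > 1 for lbl in decode_host(host).split("."))


def report(host: str) -> dict:
    """Per-label breakdown, useful when logging a rejected or flagged host."""
    decoded = decode_host(host)
    return {
        "input": host,
        "decoded": decoded,
        "labels": {lbl: sorted(label_scripts(lbl)) for lbl in decoded.split(".")},
        "mixed_script": is_mixed_script(host),
    }


if __name__ == "__main__":
    # Constructed sample: "apple.com" with a Cyrillic first letter (U+0430).
    lookalike = "\u0430pple.com"
    print(report(lookalike))
    print(report(lookalike.encode("idna").decode("ascii")))
```

Mixed-script detection is only the first line: a label written entirely in one non-Latin script can still be a whole-script confusable of a Latin name (every letter a look-alike), which this check deliberately does not flag; catching those needs the Unicode confusables table, which browsers apply on top of the mixed-script rule. Anything flagged should be displayed in its punycode form rather than blocked outright, which is what the mainstream browsers do.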

12.11.17 CVE CVE-2012-0454
Platform Cross Platform
Title Mozilla Firefox/Thunderbird/SeaMonkey "shlwapi.dll"
Use-After-Free Memory Corruption
Description Firefox is a browser. SeaMonkey is a suite of
applications that includes a browser and an email client. Thunderbird
is an email client. The applications are exposed to a memory
corruption issue in the "shlwapi.dll" file that may allow remote code
execution. Specifically, a use-after-free condition occurs when a
parent window spawns and closes a child window that uses the file open
dialog. Firefox versions prior to 11.0, Firefox ESR versions prior to
10.0.3, Thunderbird versions prior to 11.0, Thunderbird ESR versions
prior to 10.0.3 and SeaMonkey versions prior to 2.8 are affected.
Ref https://www.mozilla.org/security/announce/2012/mfsa2012-12.html

12.11.18 CVE Not Available
Platform Web Application - Cross Site Scripting
Title Splunk Unspecified Cross-Site Scripting
Description Splunk is an IT infrastructure monitoring system. The
application is exposed to an unspecified cross-site scripting issue
because it fails to sufficiently sanitize user-supplied input. Splunk
versions 4.0 through 4.3 are vulnerable.
Ref http://www.splunk.com/view/SP-CAAAGTK
http://www.securityfocus.com/bid/52320/discuss

12.11.19 CVE CVE-2012-0323
Platform Web Application - Cross Site Scripting
Title SquirrelMail Autocomplete Plugin Email Addresses Cross-Site
Scripting
Description Autocomplete is a plugin for the SquirrelMail webmail
application. The application is exposed to a cross-site scripting
issue when searching for registered email addresses in user contacts.
Autocomplete versions prior to 3.0 are vulnerable.
Ref http://jvn.jp/en/jp/JVN56653852/index.html
http://www.securityfocus.com/bid/52387/references

12.11.20 CVE Not Available
Platform Web Application - Cross Site Scripting
Title EJBCA "issuer" Parameter Cross-Site Scripting
Description EJBCA is an enterprise PKI certification authority and
management system. The application is exposed to a cross-site
scripting issue because it fails to sufficiently sanitize
user-supplied input submitted to the "issuer" parameter of the
"certdist" script. EJBCA 4.0.7 is vulnerable and other versions may
also be affected.
Ref
http://primekey.se/News/All+Releases/Release+detail/EJBCA_4.0.8_release_Feb_2012.cid3129
http://www.securityfocus.com/bid/52400/references

12.11.21 CVE CVE-2012-1556
Platform Web Application - Cross Site Scripting
Title Synology Photo Station "photo_one.php" Script Cross-Site
Scripting
Description Synology Photo Station is an application for sharing your
photos, videos and blog over the Internet. The application is exposed
to a cross-site scripting issue because it fails to sanitize
user-supplied input submitted to the "gallery" parameter of the
"index.php" script. Photo Station 5 DSM 3.2 (1955) is vulnerable and
other versions may also be affected.
Ref http://www.securityfocus.com/archive/1/521933

12.11.22 CVE Not Available
Platform Web Application - SQL Injection
Title Aurora WebOPAC "txtEmailAliasBarcode" Parameter SQL Injection
Description Aurora WebOPAC is an online library system. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data submitted to the
"txtEmailAliasBarcode" parameter of the "MemberDetailsRecovery.aspx"
script before using it in an SQL query. Aurora WebOPAC version 3.5.0e,
3.4.6a, 3.5.3, 3.5.0i, 3.4.7b, 3.5.2.2 and 3.4.7b are affected and
other versions may also be affected.
Ref http://www.securityfocus.com/archive/1/521940
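
The cross-site scripting entries (12.11.18 through 12.11.21) and the SQL injection entry above share one root cause the descriptions keep repeating: a request parameter is used without being treated as data. The following Python example, added here and not code from any of the affected vendors, shows the two standard fixes side by side: HTML-escaping a reflected parameter (the "gallery"/"issuer" class of bug) and binding a parameter in the SQL statement instead of splicing it in (the "txtEmailAliasBarcode" class of bug). The table, rows and parameter values are constructed, and the function names are hypothetical.

```python
"""Reflected parameter and SQL parameter, each in an unsafe and a safe form.
Added example, not any vendor's code; table contents are constructed."""
import html
import sqlite3

# --- a request parameter echoed into HTML -----------------------------------

def render_gallery_unsafe(gallery: str) -> str:
    """Echoes the parameter verbatim: markup in the value becomes markup."""
    return f"<h1>Gallery: {gallery}</h1>"


def render_gallery_safe(gallery: str) -> str:
    """Escapes <, >, &, and quotes so the value is displayed, not interpreted.
    This is the encoding for HTML text content; attribute, URL and JavaScript
    contexts each need their own encoder."""
    return f"<h1>Gallery: {html.escape(gallery, quote=True)}</h1>"


# --- a request parameter used in a SQL query --------------------------------

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a library member list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (barcode TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", [
        ("1000001", "alice@example.invalid"),
        ("1000002", "bob@example.invalid"),
    ])
    return conn


def recover_email_unsafe(conn, barcode: str):
    """String-built WHERE clause: the input can alter the query's logic."""
    rows = conn.execute(
        f"SELECT email FROM members WHERE barcode = '{barcode}'").fetchall()
    return [r[0] for r in rows]


def recover_email_safe(conn, barcode: str):
    """Bound parameter: the driver sends the input purely as a value, so it is
    only ever compared against the column, never parsed as SQL."""
    rows = conn.execute(
        "SELECT email FROM members WHERE barcode = ?", (barcode,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(render_gallery_unsafe("<b>summer</b>"))
    print(render_gallery_safe("<b>summer</b>"))
    conn = demo_db()
    print(recover_email_safe(conn, "1000001"))
```

Escaping and parameter binding are complementary, not interchangeable: the HTML encoder protects the browser that renders the response, the bound parameter protects the database that runs the query, and a value that passes through both layers needs both. Input validation (for example, requiring a barcode to be all digits) is a useful extra that reduces attack surface but is not a substitute for either.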

12.11.23 CVE Not Available
Platform Web Application
Title LotusCMS Multiple PHP Code Execution Vulnerabilities
Description LotusCMS is a web application implemented in PHP. The
application is exposed to multiple PHP code execution issues. A PHP code
execution issue affects the application because it fails to sanitize
user-supplied input to the "req" parameter of the "index.php" script.
A PHP code execution issue affects the application because it fails to
sanitize user-supplied input to the "page" parameter of the "index.php"
script in the "Router()" function. LotusCMS 3.0.3 and 3.0.5 are
vulnerable.
Ref http://secunia.com/secunia_research/2011-21/
http://www.securityfocus.com/bid/52349/references

12.11.24 CVE CVE-2012-0325,CVE-2012-0324
Platform Web Application
Title Jenkins Multiple Cross-Site Scripting and Directory Traversal
Vulnerabilities
Description Jenkins is a web server application. The application is
exposed to an unspecified cross-site scripting issue and an
unspecified directory traversal issue because it fails to sanitize
user-supplied input. Jenkins versions 1.452 and earlier, Jenkins
Enterprise by CloudBees 1.424.3 and earlier, Jenkins Enterprise by
CloudBees 1.400.0.12 and earlier are affected.
Ref http://www.securityfocus.com/bid/52384/references
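
The directory traversal half of the Jenkins entry is the absence of one check: a user-supplied relative path must be proven to stay inside the directory the application means to serve from. The following Python helper is an added example, not Jenkins' code; it works on path strings only (so it runs without touching a filesystem) and the base directory and inputs used in the test are constructed.

```python
"""Confine a user-supplied relative path to a base directory.
Added example, not Jenkins' code. String-only, POSIX path semantics."""
import posixpath


class PathEscapesBase(ValueError):
    """Raised when the joined path would leave the base directory."""


def safe_join(base: str, user_path: str) -> str:
    """Join `user_path` under `base`, refusing anything that would escape it.

    Rejects absolute inputs and NUL bytes, normalises '.', '..' and doubled
    slashes, then checks with commonpath that the result still lies below
    `base`. commonpath is used rather than a string-prefix test so that a
    sibling such as base + '2' is not mistaken for a descendant of base.
    """
    base = posixpath.normpath(base)
    if posixpath.isabs(user_path):
        raise PathEscapesBase(f"absolute path rejected: {user_path!r}")
    if "\x00" in user_path:
        raise PathEscapesBase("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, candidate]) != base:
        raise PathEscapesBase(f"{user_path!r} escapes {base!r}")
    return candidate


def is_safe(base: str, user_path: str) -> bool:
    """Boolean wrapper for callers that prefer a decision to an exception."""
    try:
        safe_join(base, user_path)
        return True
    except PathEscapesBase:
        return False


if __name__ == "__main__":
    # Constructed base directory, hypothetical path.
    base = "/var/jenkins/workspace"
    for p in ("job1/build.log", "job1/../job2/x", "../../etc/passwd",
              "../workspace2/secret", "/etc/passwd"):
        print(f"{p!r:24} -> {is_safe(base, p)}")
```

Two caveats a deployment needs on top of this: on a real filesystem resolve the candidate with `os.path.realpath` before the `commonpath` check, because a symlink inside the base directory can point outside it, and on Windows also normalise backslashes and drive letters before applying the same rule. URL-decode the input exactly once, before the check, never after it.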

12.11.25 CVE Not Available
Platform Web Application
Title Zend Server Multiple HTML Injection Vulnerabilities
Description Zend Server is a web application server implemented in
PHP. The application is exposed to multiple HTML injection issues
because it fails to properly sanitize user-supplied input. Zend Server
5.6.0 is vulnerable and other versions may also be affected.
Ref http://www.securityfocus.com/bid/52397/references

12.11.26 CVE Not Available
Platform Web Application
Title Invision Power Board Unspecified HTML Injection
Description Invision Power Board is a web-based forum application
implemented in PHP. The application is exposed to an unspecified HTML
injection issue when editing another member's post. This issue occurs
because the application fails to sufficiently sanitize user-supplied
input. Invision Power Board 3.2.0, 3.2.1, 3.2.2 and 3.2.3 are vulnerable
and other versions may also be affected.
Ref http://www.securityfocus.com/bid/52406/discuss
http://community.invisionpower.com/topic/358403-ipboard-32x-security-update/