Aggregator

小野寺です。 突然ですが、日本は安全な国なんでしょうか？ もちろん IT 的な意味でです。 感覚的には「絶対に安

小野寺です。 6 月のワンポイントセキュリティを公開しました。 Video: Security Updates This Month - June 2008 soapbox 版ではない、フルサイズ版

小野寺です 今月は、事前通知でお伝えしていたとおり 計 7 件 (緊急 3 件, 重要 3 件、警告 1 件)を公開しました

小野寺です。 6 月のワンポイントセキュリティを公開しました。 Video: Security Updates This Month - June 2008 soapbox 版ではない、フルサイズ版

小野寺です 今月は、事前通知でお伝えしていたとおり 計 7 件 (緊急 3 件, 重要 3 件、警告 1 件)を公開しました

小野寺です。 今月は、計 4 件 (緊急 3 件, 警告 1 件) の公開を予定しています。 リリース日は、週明け水曜日 (05/14)

小野寺です。 今月は、計 4 件 (緊急 3 件, 警告 1 件) の公開を予定しています。 リリース日は、週明け水曜日 (05/14)

小野寺です。 3 月頃から SQL インジェクションが原因となる Web サイトの改ざんが報告されているのは皆さまご存じ

小野寺です。 3 月頃から SQL インジェクションが原因となる Web サイトの改ざんが報告されているのは皆さまご存じ

小野寺です。 イギリスの Virus Bulletin Ltd で定期的に VB100 と呼ばれるマルウェア対策ソフトの検出能力テストが行われていま

小野寺です。 イギリスの Virus Bulletin Ltd で定期的に VB100 と呼ばれるマルウェア対策ソフトの検出能力テストが行われていま

Systems Affected

This vulnerability affects the following
Microsoft Windows operating systems by default:

• Microsoft Windows XP and Microsoft Windows XP Service Pack 1
• Microsoft Windows XP 64-Bit Edition Service Pack 1
• Microsoft Windows XP 64-Bit Edition Version 2003
• Microsoft Windows Server 2003
• Microsoft Windows Server 2003 64-Bit Edition

Other Microsoft Windows operating systems, including systems running
Microsoft Windows XP Service Pack 2, are not affected by default. However,
this vulnerability may affect all versions of the Microsoft Windows
operating systems if an application or update installs a vulnerable
version of the gdiplus.dll file onto the system.

Please note that this vulnerability affects any software that uses the
Microsoft Windows operating system or Microsoft's GDI+ library to render
JPEG graphics. Please see the Systems Affected
section of the vulnerability note to determine if third-party software
is affected. A list of affected Microsoft products is available in Appendix B, or for the complete list of affected and
non-affected Microsoft products, please see Microsoft Security
Bulletin MS04-028.

Overview

Microsoft's Graphic Device Interface Plus (GDI+) contains a
vulnerability in the processing of JPEG images. This vulnerability may
allow attackers to remotely execute arbitrary code on the affected
system. Exploitation may occur as the result of viewing a malicious web
site, reading an HTML-rendered email message, or opening a crafted JPEG
image in any vulnerable application. The privileges gained by a remote
attacker depend on the software component being attacked.

Description

Microsoft Security Bulletin MS04-028
describes a remotely exploitable buffer overflow vulnerability in
Microsoft's Graphic Device Interface Plus (GDI+) JPEG processing
component. Attackers can exploit this vulnerability by convincing a victim user to
visit a malicious web site, read an HTML-rendered email message, or
otherwise view a crafted JPEG image with a vulnerable application. No user
intervention is required beyond viewing an attacker-supplied JPEG
image.

Any applications (Microsoft or third-party) that use the GDI+ library
to render JPEG images may present additional attack vectors for this
vulnerability. While some applications use the Windows operating system
version of the GDI+ library, other applications may install and use
another version, which may also be vulnerable. Microsoft has created a
GDI+ Detection Tool to help detect products that may contain a vulnerable
version of the JPEG parsing component. Microsoft Knowledge Base
Article 873374 provides instructions on how to download and use this
tool.

In addition to running Microsoft's detection utility, we recommend
searching your system for "gdiplus.dll" to help determine what
third-party applications may be affected by this vulnerability. Also note
that applications may re-install a vulnerable version of the
GDI+ library if re-installed after a patch has been applied.

We are tracking this vulnerability in Vulnerability
Note VU#297462. This reference number corresponds to CVE candidate CAN-2004-0200.

Impact

Remote attackers exploiting the vulnerability described above may
execute arbitrary code with the privileges of the user running the
software components being attacked.

Solution Apply patches from Microsoft

Apply the appropriate patches as specified in Microsoft Security
Bulletin MS04-028.
Please note that this bulletin provides several updates to the operating
system and various applications that rely on GDI+ to render JPEG images.
Depending on your system's configuration, you may need to install multiple
patches.

In addition to releasing some patches on Windows Update, Microsoft
has released some patches on Office Update, and
developer tool patches are available from MS04-028.

Apply patches from third-party vendors

Third-party software that relies on GDI+ to render JPEG images may
also need to be updated. Apply the appropriate patches specified by
your vendor. Please see your vendor's site and the Systems Affected
section of the vulnerability note for more information. Depending on
your system's configuration, you may need to install multiple patches.

Follow Microsoft recommendations for workarounds

Microsoft provides several workarounds for this vulnerability.
Note that these workarounds do not remove the vulnerability from the
system, and they will limit functionality. Please consult the "Workarounds
for JPEG Vulnerability - CAN-2004-0200" section of Microsoft Security
Bulletin MS04-028.

Appendix A. References

• Microsoft Security Bulletin MS04-028 - http://microsoft.com/technet/security/bulletin/MS04-028.asp
• Microsoft End User Security Bulletin for MS04-028 - http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
• US-CERT Vulnerability Note VU#297462 - http://www.kb.cert.org/vuls/id/297462
• Microsoft KB Article 873374 - http://support.microsoft.com/?id=873374
• CVE CAN-2004-0200 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0200

Appendix B. Affected Microsoft Products

The following Microsoft Products are affected:

• Microsoft Office XP Service Pack 3
• Microsoft Office XP Service Pack 2
• Microsoft Office XP Software:
  • Outlook 2002
  • Word 2002
  • Excel 2002
  • PowerPoint 2002
  • FrontPage 2002
  • Publisher 2002
• Microsoft Office 2003
• Microsoft Office 2003 Software:
  • Outlook 2003
  • Word 2003
  • Excel 2003
  • PowerPoint 2003
  • FrontPage 2003
  • Publisher 2003
  • InfoPath 2003
  • OneNote 2003
• Microsoft Project 2002 Service Pack 1 (all versions)
• Microsoft Project 2003 (all versions)
• Microsoft Visio 2002 Service Pack 2 (all versions)
• Microsoft Visio 2003 (all versions)
• Microsoft Visual Studio .NET 2002
• Microsoft Visual Studio .NET 2002 Software:
  • Visual Basic .NET Standard 2002
  • Visual C# .NET Standard 2002
  • Visual C++ .NET Standard 2002
• Microsoft Visual Studio .NET 2003
• Microsoft Visual Studio .NET 2003 Software:
  • Visual Basic .NET Standard 2003
  • Visual C# .NET Standard 2003
  • Visual C++ .NET Standard 2003
  • Visual J# .NET Standard 2003
• The Microsoft .NET Framework version 1.0 SDK Service Pack 2
• Microsoft Picture It! 2002 (all versions)
• Microsoft Greetings 2002
• Microsoft Picture It! version 7.0 (all versions)
• Microsoft Digital Image Pro version 7.0
• Microsoft Picture It! version 9 (all versions, including Picture It!
  Library)
• Microsoft Digital Image Pro version 9
• Microsoft Digital Image Suite version 9
• Microsoft Producer for Microsoft Office PowerPoint (all versions)
• Microsoft Platform SDK Redistributable: GDI+
• Internet Explorer 6 Service Pack 1
• The Microsoft .NET Framework version 1.0 Service Pack 2
• The Microsoft .NET Framework version 1.1

Feedback can be directed to the US-CERT
Technical Staff.

Revision History

• Sept 16, 2004: Initial release
  

  Last updated

Systems Affected

• Applications that process JPEG images on Microsoft Windows, including
  but not limited to
• Internet Explorer
• Microsoft Office
• Microsoft Visual Studio
• Picture It!
• Applications from other vendors besides Microsoft

Overview

An attacker may be able to gain control of your computer by taking
advantage of the way some programs process the JPEG image format.

Solution Apply a patch

Microsoft has issued updates to address the problem. Obtain the
appropriate update from Windows Update and from Office Update.

Note: You may need to install multiple patches depending what
software you have on your computer.

Use caution with email attachments

Never open unexpected email attachments. Before opening an attachment,
save it to a disk and scan it with anti-virus software. Make sure to
turn off the option to automatically download attachments.

View email messages in plain text

Email programs like Outlook and Outlook Express interpret HTML code
the same way that Internet Explorer does. Attackers may be able to
take advantage of that by sending malicious HTML-formatted email
messages.

Maintain updated anti-virus software

It is important that you use anti-virus software and keep it up to
date. Most anti-virus software vendors frequently release updated
information, tools, or virus databases to help detect and recover from
virus infections. Many anti-virus packages support automatic updates
of virus definitions. US-CERT recommends using these automatic updates
when possible.

Description

Microsoft Windows Graphics Device Interface (GDI+) is used to display information on screens
and printers, including JPEG image files. An attacker could execute arbitrary code on a vulnerable system if the user opens a malicious JPEG file via applications such as a web browser, email program, internet chat program, or
via email attachment. Any application that uses GDI+ to process JPEG image files is vulnerable to this type of attack. This vulnerability also affects products from
companies
other than Microsoft.

References

• September 2004 Security Update for JPEG Processing (GDI+) - <http://www.microsoft.com/security/bulletins/200409_jpeg.mspx>
• US-CERT Vulnerability Note VU#297462 - <http://www.kb.cert.org/vuls/id/297462>

Author: Mindi McDowell. Feedback
can be directed to US-CERT -->.

Copyright 2004 Carnegie Mellon University.
Terms of use

Revision History

• September 14, 2004: Initial release
  

Last updated

Systems Affected

• MIT Kerberos 5 versions prior to krb5-1.3.5
• Applications that use versions of MIT Kerberos 5 libraries prior to krb5-1.3.5
• Applications that contain code derived from MIT Kerberos 5

Updated vendor information is available in the systems affected section of the individual vulnerability notes.

Overview

The MIT Kerberos 5 implementation contains several vulnerabilities, the most severe of which could allow an unauthenticated, remote attacker to execute arbitrary code on a Kerberos Distribution Center (KDC). This could result in the compromise of an entire Kerberos realm.

Description

There are several vulnerabilities in the MIT implementation of the Kerberos 5 protocol. With one exception (VU#550464), all of the vulnerabilities involve insecure deallocation of heap memory (double-free vulnerabilities) during error handling and Abstract Syntax Notation One (ASN.1) decoding. For further details, please see the following vulnerability notes:

VU#795632 - MIT Kerberos 5 ASN.1 decoding functions insecurely deallocate memory (double-free)

The MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.


(Other resources: MITKRB5-SA-2004-002, CAN-2004-0642)

VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free)

The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an application that calls krb5_rd_cred(). This includes Kerberos application servers and other applications that process Kerberos authentication via the MIT Kerberos 5 library, Generic Security Services Application Programming Interface (GSSAPI), and other libraries.


(Other resources: MITKRB5-SA-2004-002, CAN-2004-0643)

VU#350792 - MIT Kerberos krb524d insecurely deallocates memory (double-free)

The MIT Kerberos krb524d daemon does not securely deallocate heap memory when handling an error condition, resulting in a double-free vulnerability. An unauthenticated, remote attacker could execute arbitrary code on a system running krb524d, which in many cases is also a KDC. The compromise of a KDC system can lead to the compromise of an entire Kerberos realm. An attacker may also be able to cause a denial of service on a system running krb524d.


(Other resources: MITKRB5-SA-2004-002, CAN-2004-0772)

VU#550464 - MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop

The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a KDC, application server, or Kerberos client.


(Other resources: MITKRB5-SA-2004-003, CAN-2004-0644)

Impact

The impacts of these vulnerabilities vary, but an attacker may be able to execute arbitrary code on KDCs, systems running krb524d (typically also KDCs), application servers, applications that use Kerberos libraries directly or via GSSAPI, and Kerberos clients. An attacker could also cause a denial of service on any of these systems.

The most severe vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on a KDC system. This could result in the compromise of both the KDC and an entire Kerberos realm.

Solution Apply a patch or upgrade

Check with your vendor(s) for patches or updates. For information about a specific vendor, please see the systems affected sections in the individual vulnerability notes or contact your vendor directly.

Alternatively, apply the appropriate source code patch(es) referenced in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and recompile.

These vulnerabilities will be addressed in krb5-1.3.5.

Appendix A. References

• Vulnerability Note VU#795632 - http://www.kb.cert.org/vuls/id/795632
• Vulnerability Note VU#866472 - http://www.kb.cert.org/vuls/id/866472
• Vulnerability Note VU#350792 - http://www.kb.cert.org/vuls/id/350792
• Vulnerability Note VU#550464 - http://www.kb.cert.org/vuls/id/550464
• MIT krb5 Security Advisory 2004-002 - http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
• MIT krb5 Security Advisory 2004-003 - http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
• Kerberos: The Network Authentication Protocol - http://web.mit.edu/kerberos/www/

Thanks to Tom Yu and the MIT Kerberos Development team for addressing these vulnerabilities and coordinating with vendors. MIT credits the following people: Will Fiveash, Joseph Galbraith, John Hawkinson, Marc Horowitz, and Nico Williams.

Revision History

• September 3, 2004: Initial release
  

  Last updated

Systems Affected

The following Oracle applications are affected:

• Oracle Database 10g Release 1, version 10.1.0.2
• Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
• Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
• Oracle8i Database Server Release 3, version 8.1.7.4
• Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
• Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
• Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
• Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
• Oracle9i Application Server Release 1, version 1.0.2.2

Oracle's Collaboration Suite and E-Business Suite 11i contain some of the
vulnerable components and are also affected.

According to Oracle, the following product releases and versions, and
all future releases and versions are not affected:

• Oracle Database 10g Release 1, version 10.1.0.3
• Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not yet
  available)
• Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet
  available)

Overview

Several vulnerabilities exist in the Oracle Database Server, Application
Server, and Enterprise Manager software. The most serious vulnerabilities
could allow a remote attacker to execute arbitrary code on an affected
system. Oracle's Collaboration Suite and E-Business Suite 11i contain the
vulnerable software and are affected as well.

Description

Several vulnerabilities have been reported in Oracle's Database Server,
Application Server, and Enterprise Manager software. According to reports,
several buffer overflow, format string, SQL injection and other types of
vulnerabilities were discovered and reported to Oracle.

Oracle has released Oracle
Security Alert #68 (pdf) to address these vulnerabilities.

We are tracking them as follows:

VU#170830 -
Oracle Enterprise Manager contains several vulnerabilities

VU#316206 -
Oracle Database Server contains several vulnerabilities

VU#435974 -
Oracle Application Server contains several vulnerabilities

As more information becomes available, we will update these
vulnerability notes as appropriate.

Impact

The impacts of the vulnerabilities described above are unclear.

According to credible reports, the impacts of these vulnerabilities
range from the remote, unauthenticated execution of arbitrary code to data
corruption or leakage.

Solution Apply a patch or upgrade

Apply the appropriate patch or upgrade as specified in the Oracle
Security Alert #68 (pdf).

Organizations that use Oracle's Collaboration Suite or E-Business Suite
11i should see Oracle
Security Alert #68 (pdf) for remediation instructions.

Appendix A. References

• Oracle Security Alert #68 (pdf) - http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
• US-CERT Vulnerability Note VU#316206 - http://www.kb.cert.org/vuls/id/316206
• US-CERT Vulnerability Note VU#435974 - http://www.kb.cert.org/vuls/id/435974
• US-CERT Vulnerability Note VU#170830 - http://www.kb.cert.org/vuls/id/170830

US-CERT thanks all the parties involved in researching and reporting these
vulnerabilities. Specifically, Oracle credits the people for discovering
these issues: Cesar Cerrudo, Pete Finnigan, Jonathan Gennick, Alexander
Kornbrust of Red Database Security, Stephen Kost of Integrigy, David
Litchfield of NGSS Limited, Matt Moore of PenTest Limited, Aaron Newman of
Application Security Inc., Andy Rees of QinetiQ, Christian Schaller of
Siemens CERT.

Feedback can be directed to the author:
Jason
A. Rafail.

Revision History

• Sep 1, 2004: Initial release
  

  Sep 3, 2004: Updated Credits
  

  Last updated

Systems Affected

• Microsoft Windows XP

Overview

Microsoft Windows XP Service Pack 2 (SP2) significantly improves your computer's defenses against attacks and vulnerabilities.

Recommendation

To help protect your Windows XP computer from attacks and vulnerabilities, install Service Pack 2 using Windows Update or Automatic Updates.

Note: Service Pack 2 makes significant changes to improve the security of Windows XP, and these changes may have negative effects on some programs and Windows functionality. Before you install Service Pack 2, back up your important data and consult your computer manufacturer's web site for information about Service Pack 2.

Description

Windows XP Service Pack 2 is a major operating system update that contains a number of new security updates and features. Like other Microsoft Service Packs, Windows XP Service Pack 2 also includes previously released security fixes and other operating system updates. Following is a summary of the new security updates and features in Service Pack 2:

• Windows Firewall
  
  Windows Firewall is enabled in almost all configurations, blocking network traffic coming into your computer. Blocking this traffic helps to protect you from worms and other malicious code that spread via the Internet.




• Internet Explorer Local Machine Zone Lockdown
  
  New settings for Internet Explorer disable the execution of ActiveX controls and Active scripting in the Local Machine Zone. This protects you from attacks and vulnerabilties such as Download.Ject.




• Additional Internet Explorer Security Changes
  
  Internet Explorer now includes a pop-up blocker, additional window restrictions, and changes in MIME type handling that better defend against social engineering and "phishing" attacks. A browser add-on management interface provides a way to identify and disable programs that run as part of Internet Explorer. Enhanced protection against security zone elevation and object caching vulnerabilities helps defend against malicious web scripts.




• Email Handling Technologies
  
  Outlook Express now supports the ability to read and compose messages in plain text and to block external HTML content such as "web bugs." Security checks are now performed in a more consistent way to help prevent the execution of malicious attachments.




• Security Center
  
  The Security Center "...provides a central location for changing security settings, learning more about security, and ensuring that [your] computer is up to date, with the essential security settings that are recommended by Microsoft."




• Automatic Updates
  
  The update services and automatic update feature of Windows XP have been improved. US-CERT highly recommends that you enable Automatic Updates.




• Data Execution Prevention
  
  Memory protection helps prevent attackers from executing code on your computer.

References

• Windows XP Service Pack 2 - <http://www.microsoft.com/windowsxp/sp2/>
• What to Know Before You Download and Install Windows XP Service Pack 2 - <http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx>
• Get the Latest Updates and Information from Your PC Manufacturer Before Installing Windows XP Service Pack 2 - <http://www.microsoft.com/windowsxp/sp2/oemlinks.mspx>
• Backing up your computer files - <http://www.microsoft.com/athome/security/update/backup.mspx>
• Programs that are known to experience a loss of functionality when they run on a Windows XP Service Pack 2-based computer - <http://support.microsoft.com/?id=884130>

Authors: Art Manion and Mindi McDowell. Feedback can be directed to the US-CERT Technical Staff

.

Copyright 2004 Carnegie Mellon University.
Terms of use

Revision History

• August 30, 2004: Initial release
  
  January 10, 2005: Updated IE links
  

Last updated

Systems Affected

Applications and systems that use the libpng library.

Overview

Several vulnerabilities exist in the libpng library, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

Description

The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng is a popular reference library available for application developers to support the PNG image format.

Several vulnerabilities have been reported in the libpng library. Any application or system that uses this library may be affected. More detailed information is available in the individual vulnerability notes:

VU#388984 - libpng fails to properly check length of transparency chunk (tRNS) data

A buffer overflow vulnerability has been discovered in the way that libpng processes PNG images. This vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable system by introducing a specially crafted PNG image.

(Other references: CAN-2004-0597)

VU#236656 - libpng png_handle_iCCP() NULL pointer dereference

Under some circumstances, a null pointer may be dereferenced during a memory allocation in the png_handle_iCCP() function. As a result, a PNG image with particular characteristics could cause the affected application to crash. Similar errors are reported to exist in other locations within libpng.

(Other references: CAN-2004-0598)

VU#160448 - libpng integer overflow in image height processing

An integer overflow error exists in the handling of PNG image height within the png_read_png() function. As a result, a PNG image with excessive height may cause an integer overflow during a memory allocation operation, which could cause the affected application to crash.

(Other references: CAN-2004-0599)

VU#477512 - libpng png_handle_sPLT() integer overflow

A potential integer overflow error exists during a memory allocation operation within the png_handle_sPLT() function. It is unclear what practical impact this error might have on applications using libpng.

(Other references: CAN-2004-0599)

VU#817368 - libpng png_handle_sBIT() performs insufficient bounds checking

A potentially insufficient bounds check exists within the png_handle_sBIT() function. A similar error exists in the png_handle_hIST() function. While the code that contains these errors could potentially permit a buffer overflow to occur during a subsequent png_crc_read() operation, it is unclear what practical vulnerabilities it might present in applications using libpng.

(Other references: CAN-2004-0597)

VU#286464 - libpng contains integer overflows in progressive display image reading

The libpng library provides the ability to display interlaced, or progressive display, PNG images. A number of potential integer overflow errors exist in libpng's handling of such progressive display images. While the code that contains these errors introduces dangerous conditions, it is unclear what practical vulnerabilities it might present in applications using libpng.

(Other references: CAN-2004-0599)

Impact

In the case of VU#388984, an attacker with the ability to introduce a malformed PNG image to a vulnerable application could cause the application to crash or could potentially execute arbitrary code with the privileges of the user running the affected application.

In the case of VU#236656 and VU#160448, an attacker with the ability to introduce a malformed PNG image to a vulnerable application could cause the application to crash.

The impacts of the other vulnerabilities described above are unclear.

A remote attacker could cause an application to crash or potentially execute arbitrary code by convincing a victim user to visit a malicious web site or view an email message containing a malformed image.

Solution Apply a patch or upgrade

Apply the appropriate patch or upgrade as specified by your vendor. For
vendor-specific responses, please see your vendor's web site or the individual vulnerability
notes.

For individuals who rely on the original source of libpng, these issues
have been resolved in libpng version 1.2.6rc1 (release
candidate 1).

Appendix A. References

• Chris Evans Security Advisory 2004.1 - http://scary.beasts.org/security/CESA-2004-001.txt
• libpng Homepage - http://libpng.sourceforge.net
• Portable Network Graphics (PNG) Homepage - http://www.libpng.org/pub/png
• US-CERT Vulnerability Note VU#388984 - http://www.kb.cert.org/vuls/id/388984
• US-CERT Vulnerability Note VU#817368 - http://www.kb.cert.org/vuls/id/817368
• US-CERT Vulnerability Note VU#286464 - http://www.kb.cert.org/vuls/id/286484
• US-CERT Vulnerability Note VU#477512 - http://www.kb.cert.org/vuls/id/477512
• US-CERT Vulnerability Note VU#160448 - http://www.kb.cert.org/vuls/id/160448
• US-CERT Vulnerability Note VU#236656 - http://www.kb.cert.org/vuls/id/236656
• CVE CAN-2004-0597 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
• CVE CAN-2004-0598 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
• CVE CAN-2004-0599 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

US-CERT thanks Chris Evans for researching and reporting these vulnerabilities.

Feedback can be directed to the US-CERT Technical Staff.

Revision History

• Aug 4, 2004: Initial release
  

  Last updated

Systems Affected  

• Microsoft Windows systems; specifically, some versions of the following programs:
  • Microsoft Windows NT
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003
  • Microsoft Windows 98
  • Microsoft Windows Millennium Edition
  • Microsoft Internet Explorer 5
  • Microsoft Internet Explorer 6

  Overview  

Microsoft has reported two vulnerabilities in the way Internet Explorer processes certain types of images. Attackers may be able to gain control of your machine if you view a malicious image, visit a web page, or open an email message that contains these images.

Microsoft has also published an update to address the cross-domain vulnerability discussed in SA04-163A. This vulnerability may allow an attacker to alter a web site to point to a different location. If the attacker can convince you to visit the site, they may be able to gain control of your machine.

Solution Apply a patch

Microsoft has issued updates that resolve this problem. Obtain the appropriate update from Windows Update

Use caution with email attachments

Never open unexpected email attachments. Before opening an attachment, save it to a disk and scan it with anti-virus software. Make sure to turn off the option to automatically download attachments.

View email messages in plain text

Email programs like Outlook and Outlook Express interpret HTML code the same way that Internet Explorer does. Attackers may be able to take advantage of that by sending malicious HTML-formatted email messages.

Maintain updated anti-virus software

It is important that you use anti-virus software and keep it up to date. Most anti-virus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many anti-virus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.

  Description  

In Microsoft Security Bulletin MS04-025, Microsoft describes a critical vulnerability in the way Internet Explorer processes .GIF and .BMP images. An attacker can use malicious images on a web page or in HTML-formatted email messages. If the attacker can convince a user to visit the web page, open the message, or otherwise view the image, the attacker may be able to gain control of the user's machine.

There is also a vulnerability in the way Internet Explorer processes scripts. An attacker may be able to take advantage of frames to redirect users to a malicious web site.

More technical information about this issue is available in TA04-212A and Microsoft Security Bulletin MS04-025.

 

References

• Windows Security Updates for July 2004 - <http://www.microsoft.com/security/bulletins/200407_windows.mspx>
• Multiple Remote Code Execution Vulnerabilities in Microsoft Internet Explorer - <http://www.us-cert.gov/cas/techalerts/TA04-212A.html>
• Microsoft Security Bulletin MS04-025 - <http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx>
• US-CERT Computer Virus Resources - <http://www.us-cert.gov/other_sources/viruses.html>
• Understanding Anti-Virus Software - <http://www.us-cert.gov/cas/tips/ST04-005.html>
• Using Caution with Email Attachments - <http://www.us-cert.gov/cas/tips/ST04-010.html>
• Home Network Security - <http://www.cert.org/tech_tips/home_networks.html>
• Home Computer Security - <http://www.cert.org/homeusers/HomeComputerSecurity/

 

Author: Mindi McDowell. Feedback can be directed to the US-CERT Technical Staff.

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• July 30, 2004: Initial release
   

Last updated 

Systems Affected

These vulnerabilities affect the following versions of Microsoft
Internet Explorer:

• Microsoft Internet Explorer 5.01 Service Pack 2
• Microsoft Internet Explorer 5.01 Service Pack 3
• Microsoft Internet Explorer 5.01 Service Pack 4
• Microsoft Internet Explorer 5.5 Service Pack 2
• Microsoft Internet Explorer 6
• Microsoft Internet Explorer 6 Service Pack 1
• Microsoft Internet Explorer 6 Service Pack 1 (64-Bit Edition)
• Microsoft Internet Explorer 6 for Windows Server 2003
• Microsoft Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)

These vulnerabilities affect the following versions of the
Microsoft Windows operating system:

• Microsoft Windows NT Workstation 4.0 Service Pack 6a
• Microsoft Windows NT Server 4.0 Service Pack 6a
• Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
• Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP and Microsoft Windows XP Service Pack 1
• Microsoft Windows XP 64-Bit Edition Service Pack 1
• Microsoft Windows XP 64-Bit Edition Version 2003
• Microsoft Windows Server 2003
• Microsoft Windows Server 2003 64-Bit Edition
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)

Please note that these vulnerabilities my affect any software that
uses the Microsoft Windows operating system to render HTML or
graphics.

Overview

Microsoft Internet Explorer contains three vulnerabilities that may
allow arbitrary code to be executed. The privileges gained by a remote
attacker depend on the software component being attacked. For example,
a user browsing to an unsafe web page using Internet Explorer could
have code executed with the same privilege as the user. These
vulnerabilities have been reported to be relatively straightforward to
exploit; even vigilant users visiting a malicious website, viewing a
malformed image, or reading an HTML-rendered email message may be
affected.

Description

Microsoft Security Bulletin MS04-025
describes three vulnerabilities in Internet Explorer; more detailed
information is available in the individual vulnerability
notes. Note that in addition to Internet Explorer, any applications
that use the Internet Explorer HTML rendering engine to interpret HTML
documents may present additional attack vectors for these
vulnerabilities.

VU#266926 -
Microsoft Internet Explorer contains an integer overflow in the processing
of bitmap files

An integer overflow vulnerability has been discovered in the way that
Internet Explorer processes bitmap image files. This vulnerability could
allow a remote attacker to execute arbitrary code on a vulnerable system
by introducing a specially crafted bitmap file.

(Other resources: CAN-2004-0566)

VU#685364 -
Microsoft Internet Explorer contains a double-free vulnerability in the
processing of GIF files

A double-free vulnerability has been discovered in the way that
Internet Explorer processes GIF image files. When processing GIF image
files, the routine responsible for freeing memory may attempt to free the
same memory reference more than once. Deallocating the already freed
memory can lead to memory corruption, which could cause a
denial-of-service condition or potentially be leveraged by an attacker to
execute arbitrary code.

(Other resources: CAN-2003-1048)

VU#713878 -
Microsoft Internet Explorer does not properly validate source of
redirected frame Microsoft Internet Explorer does not properly display
URLs

As previously discussed in TA-163A,
Microsoft Internet Explorer does not adequately validate the security
context of a frame that has been redirected by a web server. An
attacker could exploit this vulnerability to evaluate script in
different security domains. By causing script to be evaluated in the
Local Machine Zone, the attacker could execute arbitrary code with the
privileges of the user running Internet Explorer. For a detailed
technical analysis of this vulnerability, please see VU#713878.

(Other resources: CAN-2004-0549)

Impact

Remote attackers exploiting the vulnerabilities described above may
execute arbitrary code with the privileges of the user running the
software components being attacked (e.g., Internet
Explorer). Attackers can exploit these vulnerabilities by convincing a
victim user to visit a malicious website, view a malformed image, or
read an HTML-rendered email message. No user intervention is required
beyond viewing an attacker-supplied HTML document or image. For
further details, please see the individual vulnerability
notes.

Solution Apply a patch from Microsoft

Apply the appropriate patch as specified by Microsoft Security
Bulletin MS04-025.
Please note that this bulletin provides a cumulative update that
replaces all previously released updates for Internet Explorer,
including those provided in MS04-004. However,
users who have applied hotfixes released after MS04-004
will need to install MS04-025. Please
see the FAQ section of Microsoft's advisory for more details.

Follow Microsoft recommendations for workarounds

Microsoft provides several workarounds for each of these vulnerabilities.
Please consult the appropriate section(s) of Microsoft Security Bulletin
MS04-025.

Appendix A. Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to US-CERT, we will update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

Microsoft

Please see Microsoft Security Bulletin MS04-025.

Appendix B. References

• US-CERT Technical Cyber Security Alert TA04-163A - http://www.us-cert.gov/cas/techalerts/TA04-163A.html
• US-CERT Cyber Security Alert TA04-212A - http://www.us-cert.gov/cas/alerts/SA04-212A.html
• US-CERT Vulnerability Note VU#266926 - http://www.kb.cert.org/vuls/id/266926
• US-CERT Vulnerability Note VU#685364 - http://www.kb.cert.org/vuls/id/685364
• US-CERT Vulnerability Note VU#713878 - http://www.kb.cert.org/vuls/id/713878
• Microsoft Security Bulletin MS04-025 - http://microsoft.com/technet/security/bulletin/MS04-025.asp
• Microsoft KB Article 867801 - http://support.microsoft.com/?id=867801
• Microsoft KB Article 871260 - http://support.microsoft.com/?id=871260
• Microsoft KB Article 875345 - http://support.microsoft.com/?id=875345
• CVE CAN-2004-0566 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0566
• CVE CAN-2003-1048 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1048
• CVE CAN-2004-0549 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549

Feedback can be directed to the US-CERT
Technical Staff.

Revision History

• Jul 30, 2004: Initial release
  

  Last updated

Systems Affected  

• Microsoft Windows Systems

  Overview  

A new variant of the MyDoom virus is spreading through email. In addition to infecting your computer and emailing itself to other machines, the virus may open a backdoor that could make your machine vulnerable to future attacks.

Solution Avoid opening email attachments

Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. Many viruses spread precisely because they originate from a familiar email address.

Maintain updated anti-virus software

It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.

  Description  

This variant of MyDoom (known as MyDoom.M or MyDoom.O) is significant because it seems to be conducting searches on addresses it harvests from infected computers. Therefore, not only is email activity affected, response times in many popular search engines may be dramatically slower.

 

References

• MyDoom.B Virus - <http://www.us-cert.gov/cas/alerts/SA04-028A.html>
• US-CERT Computer Virus Resources - <http://www.us-cert.gov/other_sources/viruses.html>
• Understanding Anti-Virus Software - <http://www.us-cert.gov/cas/tips/ST04-005.html>
• Using Caution with Email Attachments - <http://www.us-cert.gov/cas/tips/ST04-010.html>
• Home Network Security - <http://www.cert.org/tech_tips/home_networks.html>
• Home Computer Security - <http://www.cert.org/homeusers/HomeComputerSecurity/

 

Author: Mindi McDowell. Feedback can be directed to US-CERT -->.

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• July 26, 2004: Initial release
   

Last updated