Topic: Multiple AV vendor vulns / updates / issues  (Read 47575 times)
« Reply #120 on: June 27, 2012, 06:53:43 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7313



FYI...

Symantec message filter - multiple vulns
- https://secunia.com/advisories/49727/
Release Date: 2012-06-27
Impact: Hijacking, Cross Site Scripting, Exposure of sensitive information
Where: From remote...
CVE Reference(s): CVE-2012-0300, CVE-2012-0301, CVE-2012-0302, CVE-2012-0303
Original Advisory:
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120626_00

Symantec Message Filter version 6.3.0 Patch 231
* http://www.symantec.com/business/support/index?page=content&id=TECH191487
Updated: 2012-06-27


This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #121 on: July 13, 2012, 09:19:10 »
AplusWebMaster Offline

FYI...

Symantec/XP users Blue Screen ...
- http://www.symantec.com/docs/TECH192811
Updated: 2012-07-16 - "Problem: On July 11th, 2012 at approximately 22:30 PST, Symantec started receiving reports of customers experiencing blue screens after applying Proactive Threat Protection definition version July 11, 2012 rev 11. Machines may continue to blue screen after they reboot. This problem appears to occur only on Windows XP machines running SEP 12.1.
Error: Blue screen (BSOD) with code 0x000000CB after installing July 11, 2012 rev. 11 definitions.
Environment: SEP 12.1 Systems on Windows XP 32 bit and 64 bit
Cause: Symantec has reproduced the problem and is now trying to identify the root cause.  We have posted updated signatures which resolve the issue to the public LiveUpdate production servers.
Solution: Symantec has posted updated signatures which resolve the issue to the public LiveUpdate production servers. To work around the issue please follow these steps on the impacted machines. For Enterprise customers, make sure you have updated to the latest virus definitions on the Symantec Endpoint Protection Manager(SEPM)..."
(More detail at the Symantec URL above.)

Hat tip to Heise:
- http://h-online.com/-1641046
13 July 2012

« Last Edit: July 17, 2012, 05:25:30 by AplusWebMaster »

« Reply #122 on: August 20, 2012, 08:11:13 »
AplusWebMaster Offline

FYI...

McAfee Security for MS SharePoint / MS Exchange Outside-In vulns
- https://secunia.com/advisories/50275/
Release Date: 2012-08-20
Criticality level: Highly critical
Impact: System access
Where: From remote ...
CVE Reference(s): CVE-2012-1766, CVE-2012-1767, CVE-2012-1768, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, CVE-2012-3109, CVE-2012-3110
... vulnerabilities are caused due to the software bundling a vulnerable Outside In library.
For more information see vulnerabilities #1 through #13 in: https://secunia.com/SA49936/
Solution: Apply Patch 1 and Hotfix HF788523.
Original Advisory: McAfee:
https://kc.mcafee.com/corporate/index?page=content&id=KB75998 ...

« Reply #123 on: August 24, 2012, 06:17:32 »
AplusWebMaster Offline

FYI...

DAT 6807/6808 causing issues...
- https://kc.mcafee.com/corporate/index?page=content&id=KB76004
Last Modified: August 23, 2012
- https://kc.mcafee.com/corporate/index?page=content&id=KB76048
Last Modified: August 24, 2012

McAfee DAT versions 6807 or 6808 ...
- http://www.theregister.co.uk/2012/08/23/mcafee_net_cutoff_bug/
23rd August 2012 16:29 GMT

> http://service.mcafee.com/faq/TS101446.htm

> https://btbusiness.custhelp.com/app/service_status_consumer/ss_cat/2468,2470
"... some of our customers have lost access to the internet after recent updates by McAfee. If you right-click on your McAfee icon and then select About, you will be able to see the "DAT version". If this is 6807 or 6808, you are likely to be affected. This issue has only affected certain Operating Systems but can be fixed by re-installing your security software.
Affected Operating Systems:
Windows XP
Windows Vista
Windows 7 ...
>> http://www.mcaf.ee/s3b79
Document ID: TS101446

? reinstall... see TS100342.
> http://service.mcafee.com/faq/TS100342.htm

« Last Edit: August 24, 2012, 07:16:56 by AplusWebMaster »

« Reply #124 on: September 19, 2012, 15:03:48 »
AplusWebMaster Offline

FYI...

Sophos - False positives ...
- http://www.sophos.com/en-us/support/knowledgebase/118311.aspx
Updated: 25 Sep 2012
"Issue: Numerous binaries are falsely detected as ssh/updater-B.
Cause: An identity released by SophosLabs for use with our Live Protection system is causing False Positives against many binaries that have updating functionality.
What To Do: Customer should ensure that endpoints are up to date with the latest IDE files. This issue is resolved with javab-jd.ide which was released at Wed, 19 Sep 2012 18:48:35 +0000... (more info at the URL above.)
If you need more information or guidance, then please contact technical support*."
* http://www.sophos.com/en-us/support/contact-support.aspx

- http://www.sophos.com/en-us/support/knowledgebase/118322.aspx
Updated: 25 Sep 2012

- http://www.sophos.com/en-us/support/knowledgebase/118323.aspx
Updated: 25 Sep 2012

- http://www.sophos.com/en-us/support/knowledgebase/118315.aspx
Updated: 25 Sep 2012
___

- http://h-online.com/-1713840
20 Sep 2012

« Last Edit: September 25, 2012, 09:12:55 by AplusWebMaster »

« Reply #125 on: October 01, 2012, 03:08:24 »
AplusWebMaster Offline

FYI...

Symantec Enterprise Outside In Filters vulns - update available
- https://secunia.com/advisories/50824/
Release Date: 2012-10-01
Criticality level: Highly critical
Impact: DoS, System access
Where: From remote...
Software: Symantec Enterprise Vault 10.x
CVE Reference(s): CVE-2012-1744, CVE-2012-1766, CVE-2012-1767, CVE-2012-1768, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, CVE-2012-3109, CVE-2012-3110
... more information: https://secunia.com/SA49936/
... vulnerabilities are reported in versions prior to 10.0.2.
Solution: Update to version 10.0.2.
Original Advisory: Symantec (SYM12-015):
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120928_00
... Reference:
- http://www.kb.cert.org/vuls/id/118913
Last revised: 29 Sep 2012

« Reply #126 on: October 02, 2012, 02:57:33 »
AplusWebMaster Offline

FYI...

Trend Micro Control Manager SQL injection vuln - updates available
- http://h-online.com/-1721385
01 Oct 2012 - "... Trend Micro's platform for centralised security management is vulnerable to SQL injection attacks. According to US-CERT*, versions 5.5 and 6.0 of the Trend Micro Control Manager are vulnerable. The company has provided patches** for both affected versions. The vulnerability in question concerns a blind SQL injection attack which means the web frontend does not divulge any information from the database. According to a report by security consulting firm Spentera which includes a proof-of-concept, the vulnerable system can be made to leak information like password hashes by analysing the timing of SQL queries."
* http://www.kb.cert.org/vuls/id/950795
Last revised: 27 Sep 2012

** http://esupport.trendmicro.com/solution/en-us/1061043.aspx
"... Critical patches for this vulnerability are now available..."

- http://www.securitytracker.com/id/1027584
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2998 - 7.5 (HIGH)
Sep 28 2012
Impact: Disclosure of system information, Disclosure of user information, User access via network...
... vendor's advisory is available at:
- http://esupport.trendmicro.com/solution/en-us/1061043.aspx

« Last Edit: October 02, 2012, 07:11:00 by AplusWebMaster »

« Reply #127 on: November 07, 2012, 02:48:00 »
AplusWebMaster Offline

FYI....

Sophos - critical security vulnerabilities
- http://h-online.com/-1744777
6 Nov 2012 - "... critical security vulnerabilities in Sophos anti-virus software. This includes the publication of a proof of concept (PoC) for a root exploit for Sophos 8.0.6 for Mac OS X, which utilises a stack buffer overflow when searching through PDF files. The vulnerability is also likely to affect Linux and Windows versions. Ormandy has published a full analysis on the SecLists.org security mailing list newsletter. A module for the Metasploit penetration testing software is now also available... the anti-virus company is not aware of any of the vulnerabilities having been exploited in the wild..."
* http://www.sophos.com/en-us/support/knowledgebase/118424.aspx
Updated: 07 Nov 2012 - "... roll-out of fixes to Sophos customers will begin on November 28th 2012..."
___

- https://secunia.com/advisories/51156/
Release Date: 2012-11-07
Criticality level: Highly critical
Impact: Cross Site Scripting, Privilege escalation, System access
Where: From remote...
Original Advisory: Sophos:
http://www.sophos.com/en-us/support/knowledgebase/118424.aspx

« Reply #128 on: November 20, 2012, 06:24:39 »
AplusWebMaster Offline

FYI...

Sophos v9.004 released
- https://secunia.com/advisories/51339/
Release Date: 2012-11-19
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote
Operating System: Sophos UTM 9.x
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5671 - 6.8
Solution: Update to version 9.004.
Original Advisory: http://www.astaro.com/blog/up2date/UTM9004
    Support for UTM100 licenses
    Fix: issues with Endpoint Protection on HA/Cluster systems
    Fix: WebAdmin login problems when using French as language
     System will be rebooted
    Configuration will be upgraded...

- http://securitytracker.com/id/1027788
Nov 20 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes  Vendor Confirmed: Yes 
Version(s): prior to 9.004 ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Sophos UTM web interface, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (9.004)...
> https://www.astaro.com/blog/up2date/UTM9004

« Reply #129 on: December 11, 2012, 04:35:03 »
AplusWebMaster Offline

FYI...

SYM12-019 - Symantec Endpoint - multiple issues
- https://secunia.com/advisories/51527/
Release Date: 2012-12-11
Criticality level: Moderately critical
Impact: System access
Where: From local network
... vulnerabilities are reported in the following versions:
* Symantec Endpoint Protection version 11.0
* Symantec Endpoint Protection version 12.0
* Symantec Endpoint Protection version 12.1
Solution: Update to a fixed version.
CVE Reference(s): CVE-2012-4348, CVE-2012-4349
Original Advisory: Symantec (SYM12-019):
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121210_00
"... SEP 12.0 Small Business Edition... Updates are available through customers’ normal support/download locations..."

« Reply #130 on: December 14, 2012, 08:36:13 »
AplusWebMaster Offline

FYI...

SYM12-020 Symantec Enterprise Security ...
- http://www.securitytracker.com/id/1027874
CVE Reference: CVE-2012-4350
Dec 13 2012
Impact: Root access via local system, User access via local system
Version(s): 10.x and prior ...
Solution: The vendor has issued a fix (Security Update SU44, or 11.0).
The vendor's advisory is available at:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121213_00

« Reply #131 on: December 28, 2012, 02:19:12 »
AplusWebMaster Offline

FYI...

MS AV def. performance issues...
Update signature definitions to resolve performance issues in definitions starting with 1.141.2400.0
- https://blogs.technet.com/b/mmpc/archive/2012/12/27/update-signature-definitions-to-resolve-performance-issues-in-definitions-starting-with-1-141-2400-0.aspx?Redirected=true
27 Dec 2012 - "Some users of Microsoft antimalware products have reported a performance issue with signature definition versions starting with 1.141.2400.0 (12/21/2012 1920 UTC). The current definition files, since 1.141.2639.0 (12/27/2012 0625 UTC), resolve this issue. If you have a signature set in the affected range, please update to the current definition files*."
* http://www.microsoft.com/security/portal/definitions/adl.aspx

« Reply #132 on: January 24, 2013, 09:49:33 »
AplusWebMaster Offline

FYI...

MSE Update problems
- http://h-online.com/-1791005
24 Jan 2013 - "On Saturday, Microsoft Security Essentials (MSE), Microsoft's free anti-virus software package, stopped automatically updating its malware signatures on some systems. Users are also reporting that clicking on the "Update" button on the program window likewise fails to deliver the anticipated results. The problem appears to have been present on affected systems since 19 January. Microsoft has -not- officially commented on the issue. The problem can apparently be resolved by downloading the malware signatures from Microsoft's Malware Protection Center*. The signatures consist of a 70 MB program which must be run with administrator privileges. When downloading, users need to make sure they get the right executable – different packages are required for the 32- and 64-bit versions of MSE. In addition, users should also install updated network access control rules, available separately from Microsoft**."
* https://www.microsoft.com/security/portal/definitions/adl.aspx?wa=wsignin1.0

** https://www.microsoft.com/security/portal/definitions/howtomse.aspx

« Reply #133 on: February 07, 2013, 06:08:47 »
AplusWebMaster Offline

FYI...

Kaspersky update hoses Internet access for XP users
- http://news.cnet.com/8301-1009_3-57567711-83/kaspersky-update-hoses-internet-access-for-windows-xp-users/
Feb 5, 2013 - "Windows XP users who run certain Kaspersky antivirus software may find themselves offline after downloading a new update... the update causes Windows XP computers to lose their connection to the Internet. IT administrators who use Kaspersky Endpoint Security at their organizations chimed into the Kaspersky forum yesterday and today complaining of connectivity problems. One person who manages around 12,000 computers with KES installed noted a slew of calls to the help desk from users knocked offline. Some IT admins said they were able to restore Internet access by shutting down the monitoring of certain ports or disabling the product's Web Anti-Virus component. But those were deemed temporary solutions at best. Kaspersky did eventually acknowledge the problem, announcing a fix* to the buggy update and offering a resolution..."
* "... Kaspersky Lab has fixed the issue that was causing the Web Anti-Virus component in some products to block Internet access. The error was caused by a database update that was released on Monday, February 4th, at 11:52 a.m., EST. At 5:31 p.m. the same day, the problem was fixed by a database update being uploaded to public servers..."

- http://forum.kaspersky.com/index.php?s=&showtopic=255508&view=findpost&p=1978848

- http://h-online.com/-1799641
7 Feb 2013

« Last Edit: February 07, 2013, 07:41:15 by AplusWebMaster »

« Reply #134 on: March 14, 2013, 19:00:04 »
AplusWebMaster Offline

FYI...

AVG false positive on XP System32\wintrust.dll
- http://h-online.com/-1823171
14 March 2013 - "On Thursday morning, the protection programs of AVG incorrectly identified the Windows system file wintrust.dll as a trojan of type "Generic32.FJU". Under certain circumstances, the virus hunting software has also labelled programs as malware if they attempted to access the supposed trojan DLL. The solution is a virus signature update. Only Windows XP systems were affected by the problem. Users who deleted the file from their system could not boot their computers any more. In this case, to help restore the system, boot it with the Rescue CD and take wintrust.dll from a still functioning system and copy that to C:\Windows\System32\. At least, according to AVG, the anti-virus software did not automatically delete or quarantine the wintrust.dll file, though other files will have to be moved back into place. The company says it fixed the problem by 12:45 on the same day with updates to virus database number 567 for AVG 9 and 2012 editions and virus database number 6174 for the current 2013 edition."
___

Kaspersky fixes IPv6 problem...
- http://h-online.com/-1822839
14 March 2013 - "Security researcher Marc Heuse discovered that the firewall in Kaspersky Internet Security 2013 has a problem with certain IPv6 packets. The researcher said that he publicly disclosed the details of the problem because Kaspersky didn't respond when he reported it. Shortly after his disclosure, Kaspersky did release a fix. A single packet is all that's required to completely cripple a Windows PC. When running tests with his IPv6 tool suite, Heuse discovered that KIS responds inappropriately to fragmented IPv6 packets that contain an overly long extension header. IPv6 support has been enabled by default since Windows Vista, therefore users would be vulnerable even without one of the still sparsely used IPv6 internet connections – for example on public Wi-Fi networks. Kaspersky has now confirmed the problem for Kaspersky Internet Security 2013, Kaspersky Pure 3.0 and Kaspersky Endpoint Security 10 for Windows. "A non-public patch [for Kaspersky Internet Security 2013] is already available from our support department on request, and an autopatch that will fix the problem automatically will be released in the near future"..."

« Last Edit: March 14, 2013, 19:09:47 by AplusWebMaster »