2008-JAN-15 MCAFEE FOUNDSTONE FSL UPDATE

To better protect your environment, McAfee has created this FSL check update for the Foundstone Product Suite. The following is a detailed summary of the new and updated checks included with this release.

NEW CHECKS

38103 - Apple QuickTime RTSP Buffer Overflow
Category: SSH Module -> NonIntrusive -> Mac OS X Patches and Hotfixes
Risk Level: High
CVE: CVE-2008-0234
Description: A vulnerability in Apple QuickTime may allow for code execution attacks.
Observation: QuickTime is a movie player that runs on the Windows and Mac OS X platforms. It is developed by Apple Computers. A vulnerability in Apple QuickTime may allow for code execution attacks. The vulnerability lies in improper processing of Real Time Streaming Protocol (RTSP) responses.

5662 - SAP MaxDB Remote Code Execution
Category: SSH Module -> NonIntrusive -> SSH Miscellaneous
Risk Level: High
CVE: CVE-2008-0243
Description: A vulnerability is present in SAP MaxDB Server that may allow for arbitrary code execution.
Observation: SAP DB is an open source based database server. A vulnerability exists in SAP MaxDB that may allow for arbitrary code execution. The flaw lies in improper sanitization of database commands, which are executed with system-level privileges.

5666 - AOL Radio Buffer Overflow
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: High
CVE: CVE-2007-6250
Description: A vulnerability in AOL Radio may allow for remote arbitrary code execution.
Observation: AOL Radio plays streaming audio content. AOL Radio contains a vulnerability that may allow for arbitrary code execution. The flaw resides in the AOL AmpX ActiveX control. An attacker would need to convince the victim to visit a malicious Web site or access a malicious HTML document for an attack to occur.

5645 - Adobe Flash Player JPG Processing
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: High
CVE: CVE-2007-6242
DISA IAVA: 2008-B-0001
BID: 26951
Description: A vulnerability in Adobe Flash Player may allow for remote code execution attacks. A user would have to open malicious content for an attack to occur.
Observation: Adobe Flash Player is a multimedia player for Web browsers and operating systems. A vulnerability in Adobe Flash Player may allow for remote code execution attacks. The vulnerability lies in a lack of proper input validation of multimedia content. A user would have to open malicious content for an attack to occur.

5667 - Apple QuickTime RTSP Buffer Overflow
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: High
CVE: CVE-2008-0234
Description: A vulnerability in Apple QuickTime may allow for code execution attacks.
Observation: QuickTime is a movie player that runs on the Windows and Mac OS X platforms. It is developed by Apple Computers. A vulnerability in Apple QuickTime may allow for code execution attacks. The vulnerability lies in improper processing of Real Time Streaming Protocol (RTSP) responses.

5661 - SAP MaxDB Remote Code Execution
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: High
CVE: CVE-2008-0243
Description: A vulnerability is present in SAP MaxDB Server that may allow for arbitrary code execution.
Observation: SAP DB is an open source based database server. A vulnerability exists in SAP MaxDB that may allow for arbitrary code execution. The flaw lies in improper sanitization of database commands, which are executed with system-level privileges.

5658 - McAfee e-Business Server Vulnerability
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: Medium
CVE: CVE-2008-0127
Description: A vulnerability is present in McAfee e-Business Server that may allow for arbitrary command execution or denial of service attacks.
Observation: McAfee e-Business Server automatically safeguards sensitive corporate data with industry-standard PGP 128-bit encryption and authentication. A vulnerability exists in McAfee e-Business Server that may allow for arbitrary command execution or a denial of service. The vulnerability is exhibited when processing maliciously crafted network traffic. Successful exploitation can disrupt the service functionality or allow for command execution with the same rights as the service.

5671 - Microsoft Visual InterDev .sln Vulnerability
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: Medium
CVE: CVE-2008-0250
Description: Microsoft Visual InterDev has a vulnerability that may allow for arbitrary code execution.
Observation: Microsoft Visual InterDev allows for Web application development. Microsoft Visual InterDev has a vulnerability that may allow for arbitrary code execution. The flaw lies in the processing of specially crafted .sln files. Exploitation would rely on the victim processing such a file.

5656 - RealNetworks RealPlayer Unspecified Buffer Overflow
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: Medium
CVE: CVE-2008-0098
BID: 27091
Description: A vulnerability is present in RealNetworks RealPlayer that may allow for arbitrary code execution.
Observation: RealNetworks RealPlayer is a multimedia viewing application. A buffer overflow vulnerability exists in RealNetworks RealPlayer that may allow for arbitrary code execution. Successful exploitation would occur at the rights level of the victim when visiting a malicious Web site.

5655 - PWS-Onlinegames.e!c5e557dd
Category: Windows Host Assessment -> Trojans, Backdoors, Viruses, and Malware (CATEGORY REQUIRES CREDENTIALS)
Risk Level: Medium
Description: PWS-OnlineGames.e!c5e557dd is a password stealing trojan for online games.
Observation: The risk assessment of this threat was updated to Low-Profiled due to media attention.
PWS-OnlineGames.e!c5e557dd is a password stealing trojan for online games including:
* Lord of the Rings Online
* World of Warcraft

This trojan was recently found installed via MS06-014, Exploit-RealPlay.c or Exploit-RealPlay web exploits when the following URL is accessed:
http://n.uc8010.com/[removed].htm

The following file is downloaded to:
%TEMP%\commomds.exe

This file will drop a DLL and inject it into Explorer.exe:
%WINDOWS%\System32\kb1111p.dll

(where %TEMP% is the user temporary directory, e.g. C:\Documents and Settings\USERNAME\Local Settings\Temp, and %WINDOWS% is the Windows directory, e.g. C:\Windows)

5659 - W32/Fujacks.s - Virus
Category: Windows Host Assessment -> Trojans, Backdoors, Viruses, and Malware (CATEGORY REQUIRES CREDENTIALS)
Risk Level: Low
Description: W32/Fujacks.s attempts to infect files on the victim's system and tries to download additional trojans from a remote website.
Observation: W32/Fujacks.s attempts to infect files on the victim's system and tries to download additional trojans from a remote website. Upon execution, the worm drops a copy of itself in the %SYSTEM%\drivers folder as spoclsv.exe and executes from there.

Creates the following files in all drives:
* setup.exe
* autorun.inf

Creates Desktop__.ini in all folders.

Adds the following value to the registry to auto-start itself when Windows starts:
Software\Microsoft\Windows\CurrentVersion\Run
"nvscv32" = "%SYSTEM%\drivers\ncscv32.exe"

Terminates processes whose names contain the strings:
* VirusScan
* Symantec AntiVirus
* System Safety Monitor
* System Repair Engineer
* Wrapped gift Killer

Terminates the following processes:
* CCenter.exe
* FrogAgent.exe
* KRegEx.exe
* KVCenter.kxp
* KvMonXP.kxp
* KVSrvXP.exe
* KVXP.kxp
* Logo1_.exe
* Logo_1.exe
* Mcshield.exe
* msconfig.exe
* naPrdMgr.exe
* nvscv32.exe
* Rav.exe
* Ravmon.exe
* RavmonD.exe
* RavStub.exe
* RavTask.exe
* regedit.exe
* Rundl132.exe
* scan32.exe
* spo0lsv.exe
* spoclsv.exe
* sppoolsv.exe
* SREng.EXE
* taskmgr.exe
* TBMon.exe
* TrojDie.kxp
* UIHost.exe
* UpdaterUI.exe
* VsTskMgr.exe

Terminates the following services:
* ccEvtMgr
* ccProxy
* ccSetMgr
* FireSvc
* KPfwSvc
* KVSrvXP
* McAfeeFramework
* McShield
* McTaskManager
* MskService
* navapsvc
* NPFMntor
* RsCCenter
* RsRavMon
* Schedule
* sharedaccess
* SNDSrvc
* SPBBCSvc
* Symantec Core LC
* wscsvc

Deletes the following registry entries:
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Disables the "show hidden files" option in Folder Options using the following registry value:
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"

It tries to copy itself to network shares using the following passwords:
admin$ 0 000000 007 1 110111111 111 1111 11111111 12 121212 123 123123 1234 12345 123456 1234567 12345678 123456789 1234qwer 123abc 123asd 1313fish 2002 2003 2112 2600 5150 520 5201314 54321 654321 6969 7777 88888888 901100 a aaa abc abc123 abcd admin admin123 Administrator alpha asdf baseball ccc computer database enable fuck fuckyou god godblessyou golf Guest harley home ihavenopass letmein login love mustang mypass mypass123 mypc mypc123 owner pass passwd password patrickpat pc pussy pw pw123 pwd qq520 qwer qwerty Root root server sex shadow super sybase123qwe temp temp123 test test123 win xp xxx yxcv zxcv

Infects all EXE, SCR, PIF, COM, htm, html, asp, php, jsp and aspx files. We detect the infected files as W32/Fujacks!htm and W32/Fujacks.s.

5668 - StealthMBR Trojan
Category: Windows Host Assessment -> Trojans, Backdoors, Viruses, and Malware (CATEGORY REQUIRES CREDENTIALS)
Risk Level: Low
Description: StealthMBR is a Master Boot Record (MBR) infecting trojan. It infects the Master Boot Record on the system hard disk. StealthMBR also exhibits characteristics of rootkit stealth-like behavior in that it hooks the system before Windows loads, giving it the ability to hide from Windows and other applications running within Windows.
Observation: StealthMBR is a Master Boot Record (MBR) infecting trojan. It infects the Master Boot Record on the system hard disk. StealthMBR also exhibits characteristics of rootkit stealth-like behavior in that it hooks the system before Windows loads, giving it the ability to hide from Windows and other applications running within Windows.

The trojan attempts communication on TCP port 80 to:
Http:\\ogercnt.info\[removed]

The trojan also creates the following files:
* %TEMP%\cln5.tmp
* %WINDIR%\Temp\00000219.tmp
* %WINDIR%\Temp\ldo6.dll
* %WINDIR%\Temp\ldo6.tmp
(Exact filenames may vary.)

ENHANCED CHECKS

The following checks have been updated. Enhancements may include optimizations, changes that reflect new information on a vulnerability and anything else that improves upon an existing FSL check.
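As an added example (not part of this McAfee notice and not the FSL check itself), the following read-only PowerShell script sweeps a Windows host for the W32/Fujacks.s and StealthMBR indicators listed under NEW CHECKS above. It assumes that %SYSTEM% in the notice means %SystemRoot%\System32 and, because the notice does not name the hive for the Run value, looks in both HKLM and HKCU.

```powershell
# Added example, not the FSL check: read-only sweep for the W32/Fujacks.s and
# StealthMBR indicators described in this notice. Reports only; modifies nothing.
# Assumption: %SYSTEM% in the notice is %SystemRoot%\System32; the Run value is
# looked up in both HKLM and HKCU because the notice does not name the hive.
$sys = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# Dropped worm copy, its autorun target, and the StealthMBR temp files
foreach ($f in @("$sys\drivers\spoclsv.exe", "$sys\drivers\ncscv32.exe",
                 "$env:TEMP\cln5.tmp", "$env:SystemRoot\Temp\ldo6.dll")) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# Persistence: Run value "nvscv32" pointing into %SYSTEM%\drivers
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['nvscv32']) {
        $findings.Add("$hive Run value nvscv32 = $($run.nvscv32)")
    }
}

# Drive-root autorun pair the worm writes to every drive
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($n in 'setup.exe', 'autorun.inf') {
        $p = Join-Path $d.Root $n
        if (Test-Path -LiteralPath $p) { $findings.Add("Drive-root file: $p") }
    }
}

# Hidden-file display tampering: SHOWALL CheckedValue forced to 0
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) { $findings.Add('SHOWALL CheckedValue is 0 (hidden files suppressed)') }

# Security services the worm stops: flag any that exist but are not running
foreach ($s in 'McShield', 'McTaskManager', 'McAfeeFramework', 'ccEvtMgr', 'navapsvc', 'wscsvc', 'sharedaccess') {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { $findings.Add("Service not running: $s ($($svc.Status))") }
}

if ($findings.Count -eq 0) { 'No Fujacks.s / StealthMBR indicators found' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any single item is only a lead (a stopped service or a missing SHOWALL key has benign causes); the file and Run-value findings together are the ones that match the notice's description.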
5652 - (MS08-001) Microsoft Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability (941644)
Category: Windows Host Assessment -> Patches and Hotfixes (CATEGORY REQUIRES CREDENTIALS)
Risk Level: High
CVE: CVE-2007-0069
Microsoft ID: MS08-001

3825 - RealPlayer Multiple Vulnerabilities
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: High
Check Version: 1.3193
CVE: CVE-2005-2055

3478 - RealPlayer RealText Parsing Heap Overflow Vulnerability
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: High
Check Version: 1.3193
CVE: CVE-2005-1766

31462 - 119254-45 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: Medium
Check Version: 1.4864

31487 - 119255-45 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: Medium
Check Version: 1.4864

32074 - 122793-14 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: Medium
Check Version: 1.4489

32075 - 122794-14 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: Medium
Check Version: 1.4489

3180 - RealPlayer RealMedia ".rm" Security Bypass Vulnerability
Category: Windows Host Assessment -> Miscellaneous (CATEGORY REQUIRES CREDENTIALS)
Risk Level: Medium
Check Version: 1.3193

31635 - 127111-03 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: Low
Check Version: 1.4739

31638 - 127112-03 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: Low
Check Version: 1.4739

30171 - 109896-35 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: Low
Check Version: 1.4512

5582 - Generic Dropper.p
Category: Windows Host Assessment -> Trojans, Backdoors, Viruses, and Malware (CATEGORY REQUIRES CREDENTIALS)
Risk Level: Low
Check Version: 1.4686

70014 - netbios-helpers.fasl3.inc
Category: General Vulnerability Assessment -> NonIntrusive -> Invalid Category
Risk Level: Informational
Check Version: 1.4997

70057 - sapdb-webdbm.fasl3.inc
Category: General Vulnerability Assessment -> NonIntrusive -> Invalid Category
Risk Level: Informational
Check Version: 1.3593

45001 - ShellInitialize.fasl3
Category: General Vulnerability Assessment -> NonIntrusive -> Invalid Category
Risk Level: Informational
Check Version: 1.4395

70064 - ssh-misc-lib.fasl3.inc
Category: General Vulnerability Assessment -> NonIntrusive -> Invalid Category
Risk Level: Informational
Check Version: 1.5007

70019 - version.fasl3.inc
Category: General Vulnerability Assessment -> NonIntrusive -> Invalid Category
Risk Level: Informational
Check Version: 1.2170

DELETED CHECKS

30054 - 113146-08 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: High

30832 - 114145-07 update is not installed
Category: SSH Module -> NonIntrusive -> Solaris Patches and Hotfixes
Risk Level: High

HOW TO UPDATE

FS1000 APPLIANCE customers should follow the instructions for Enterprise/Professional customers, below. In addition, we strongly urge all appliance customers to authorize and install any Windows Update critical patches. The appliance will auto-download any critical updates but will wait for your explicit authorization before installing.

FOUNDSTONE ENTERPRISE and PROFESSIONAL customers may obtain these new scripts using the FSUpdate Utility by selecting "FoundScan Update" on the Help menu. Make sure that you have a valid FSUpdate username and password. The new vulnerability scripts will be automatically included in your scans if you have selected that option by right-clicking the selected vulnerability category and checking the "Run New Checks" checkbox.

MANAGED SERVICE CUSTOMERS already have the newest update applied to their environment. The new vulnerability scripts will be automatically included when your scans are next scheduled, provided the Run New Scripts option has been turned on.

MCAFEE TECHNICAL SUPPORT
PrimeSupport ServicePortal: http://www.mcafeesecurity.com/us/contact/home.htm

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.

Copyright 2004-2008 McAfee, Inc. McAfee is a registered trademark of McAfee, Inc. and/or its affiliates.