MA-194.092009: MyCERT Alert - Critical Vulnerability in Microsoft Server Message Block (SMB) v2

  • 30 Sep 2009
  • Alert
1.0 Introduction

A critical vulnerability has been identified in the Microsoft Server Message Block (SMB) v2 implementation. Exploiting it would cause the application to crash and could potentially allow an attacker to take control of the affected system.

MyCERT is aware that a '0-day' exploit is available in the wild and is actively being used by attackers.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Microsoft Server Message Block (SMB) v2 and gain the same privileges as the user.

3.0 Affected Products

The Microsoft Windows operating systems listed below are affected by this vulnerability:

  • Windows Vista Service Pack 0, Service Pack 1 and Service Pack 2
  • Windows Vista x64 Edition Service Pack 0, Service Pack 1 and Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 0 and Service Pack 2
  • Windows Server 2008 for x64-based Systems, Service Pack 0 and Service Pack 2
  • Windows Server 2008 for Itanium-based, Service Pack 0 and Service Pack 2

4.0 Recommendation

At the time of this writing, Microsoft has not released any patches to address this vulnerability. However, users are advised to disable SMB v2 on affected systems as a workaround.

To apply the workaround that disables Microsoft Server Message Block (SMB) v2 automatically, download the Microsoft Fix it tool from http://go.microsoft.com/?linkid=9683379 and follow the steps in the wizard.

If you are unable to download it or prefer the manual method, the steps to disable Microsoft Server Message Block (SMB) v2 are:

  • Open Registry Editor
  • Locate and then click on the following registry subkey
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  • Click LanmanServer
  • Click Parameters
  • Double-click smb2, and change the Value data field to 0
  • Exit
  • Restart the "Server" service by performing one of the following:
    • Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.
    • From a command prompt and with administrator privileges, type net stop server and then net start server
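
The manual steps above, scripted with a verification pass. This is an added example, not code from MyCERT or Microsoft; it assumes an elevated PowerShell 2.0 prompt on an affected host, and that an absent smb2 value should be created as a REG_DWORD.

```powershell
# Added example: apply and verify the SMB v2 workaround from the steps above.
# Assumption: run as administrator on Windows Vista / Server 2008.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'smb2'

# Read the current setting. The value may be absent, in which case
# Get-ItemProperty returns nothing and $current is $null.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $shown = '<not set>' } else { $shown = $current }
Write-Output "Previous smb2 value: $shown"   # keep this for change records

if ($current -ne 0) {
    # Set smb2 = 0 as a DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force |
        Out-Null

    # The change only takes effect after the "Server" service
    # (service name LanmanServer) restarts. -Force also restarts
    # services that depend on it.
    Restart-Service -Name LanmanServer -Force
}

# Verify both halves of the workaround: registry value and service state.
$after = (Get-ItemProperty -Path $key -Name $name).$name
$svc   = Get-Service -Name LanmanServer
if ($after -eq 0 -and $svc.Status -eq 'Running') {
    Write-Output 'smb2 = 0 and the Server service is running.'
} else {
    Write-Warning "Workaround incomplete: smb2=$after, Server service is $($svc.Status)."
}
```

If smb2 was already 0 but the Server service has not been restarted since the change, restart it manually; the script only restarts the service when it changes the value.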

Users are also advised to block TCP ports 139 and 445 at the firewall.

MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor. MyCERT can be reached through the following channels:

E-mail : [email protected]
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : https://www.mycert.org.my

MA-193.092009: MyCERT Alert - Critical Vulnerability in iPhone and iPod Touch Operating System

  • 25 Sep 2009
  • Alert
1.0 Introduction

A critical vulnerability has been identified in the iPhone and iPod Touch operating systems. The ACTransformerCodec::AppendInputData() function of the AudioCodecs library in both operating systems contains a heap buffer overflow vulnerability that is triggered while parsing maliciously crafted AAC or MP3 files. The vulnerability may be exploited by an attacker to execute arbitrary code in the context of an application using the vulnerable library. One attack vector is iPhone ringtones with malformed sample size table entries.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code, cause the application to crash, or potentially take control of the affected system.

3.0 Affected Products

The products listed below are affected by this vulnerability:

  • iPhone OS version 1.0 through 3.0.1
  • iPhone OS for iPod touch version 1.1 through 3.0

4.0 Recommendation

MyCERT recommends that users of iPhone OS version 3.0.1 and earlier upgrade to version 3.1, and that users of iPhone OS for iPod touch version 3.0 and earlier upgrade to version 3.1.1.

The update can be performed in these 4 steps:

  • Make sure you are using the latest version of iTunes. iTunes can be downloaded from the following URL: http://www.apple.com/itunes/download/
  • Connect your iPhone or iPod Touch to your computer
  • Run iTunes, select your iPhone or iPod under "Devices" in the "Source List" on the left
  • Click on "Check for Update" on the summary pane

MyCERT advises users of this product to keep themselves updated with the latest security announcements by the vendor. Members of the public who receive suspicious MP3 or AAC files and require further analysis can reach MyCERT through the contact channels listed under MA-194.092009 above.

MA-192.092009: MyCERT Alert - Multiple Vulnerabilities in PostgreSQL

  • 15 Sep 2009
  • Alert
1.0 Introduction

Multiple critical vulnerabilities have been identified in PostgreSQL. These vulnerabilities include a denial-of-service issue, a privilege-escalation issue and an authentication-bypass issue.

2.0 Impact

An attacker who has successfully exploited these vulnerabilities can shut down affected servers, perform certain actions with elevated privileges and bypass authentication mechanisms to perform unauthorized actions. Other attacks may also be possible.

3.0 Affected Products

  • PostgreSQL 8.4
  • PostgreSQL 8.3.7
  • PostgreSQL 8.2.13
  • PostgreSQL 8.1.17
  • PostgreSQL 8.0.21
  • PostgreSQL 7.4.25

4.0 Recommendation

Users are advised to upgrade to the latest update released for the specific version in use. Versions that are not affected by these vulnerabilities are:

  • PostgreSQL 8.4.1
  • PostgreSQL 8.3.8
  • PostgreSQL 8.2.14
  • PostgreSQL 8.1.18
  • PostgreSQL 8.0.22
  • PostgreSQL 7.4.26

Users can obtain the update from the following URL: http://www.postgresql.org/download/

MyCERT advises users of this product to keep up to date with the latest security announcements from the vendor.

MyCERT can be reached through the contact channels listed under MA-194.092009 above.

MA-191.092009: MyCERT Alert - Critical Vulnerability in Microsoft Internet Information Server (IIS) FTP Server

  • 03 Sep 2009
  • Alert
1.0 Introduction

A critical vulnerability has been identified in Microsoft Internet Information Server (IIS) FTP server. The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

MyCERT is aware that a '0-day' exploit is available in the wild and is actively being used by attackers.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Microsoft Internet Information Server FTP. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.

3.0 Affected Products

The Microsoft Windows operating systems and components listed below are affected by this vulnerability:

  • Microsoft Windows 2000 Service Pack 4
    • Microsoft Internet Information Services 5.0
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
    • Microsoft Internet Information Services 5.1
  • Windows XP x64 Edition Service Pack 2
    • Microsoft Internet Information Services 6.0
  • Windows Server 2003 Service Pack 2
    • Microsoft Internet Information Services 6.0
  • Windows Server 2003 x64 Edition Service Pack 2
    • Microsoft Internet Information Services 6.0
  • Windows Server 2003 with SP2 for Itanium-based Systems
    • Microsoft Internet Information Services 6.0

4.0 Recommendation

At the time of this writing, Microsoft has not released any patches to address this vulnerability. However, users are advised to:

  • Modify NTFS file system permissions to disallow directory creation by FTP users

An administrator can modify NTFS file system permissions on the root directories of FTP sites hosted on a server to disallow creation of directories by FTP users. This modification still allows FTP users to upload files to existing directories.

As administrator, perform the following steps to remove directory creation privileges from the Users group. If you have a configured FTP user or custom group to manage your FTP users, replace the Users group in Step 5 below with these custom identities.

    1. Browse to the root directory of your FTP site. By default this is in %systemroot%\inetpub\ftproot.
    2. Right-click on the directory and select Properties.
    3. Click the Security tab and click Advanced.
    4. Click Change Permissions.
    5. Select the Users group and click Edit.
    6. Deselect Create Folders/Append Data.

Impact of Workaround: FTP users will not be able to create directories through the FTP service. FTP users will still be able to upload files to existing directories through the FTP service.
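
To confirm that the permission change above took effect, the ACL on the FTP root can be audited for the Create Folders/Append Data right. This is an added example, not code from MyCERT or Microsoft; it assumes PowerShell 2.0 is installed on the server, and the $FtpRoot and $Identity parameters are names chosen for this illustration.

```powershell
# Added example: list Allow entries that still grant directory creation
# on an FTP root. Parameter names are hypothetical, chosen for this sketch.
param(
    # Path to the FTP site root, e.g. the default named in the advisory.
    [Parameter(Mandatory = $true)][string]$FtpRoot,
    # Group or user the FTP accounts map to; replace with a custom
    # FTP user or group where one is configured.
    [string]$Identity = 'BUILTIN\Users'
)

# "Create Folders/Append Data" in the GUI is one access bit; .NET exposes
# it as CreateDirectories (same value as AppendData).
$createDir = [System.Security.AccessControl.FileSystemRights]::CreateDirectories

$findings = (Get-Acl -Path $FtpRoot).Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $createDir) -ne 0
}

if ($findings) {
    foreach ($ace in $findings) {
        # IsInherited = True means the entry comes from a parent folder
        # and has to be changed there or inheritance has to be broken.
        Write-Warning ("{0} may still create folders: rights={1}, inherited={2}" -f
            $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
    }
} else {
    Write-Output "No Allow entry grants $Identity folder creation on $FtpRoot."
}
```

The check covers only entries for the named identity; other groups the FTP accounts belong to need the same audit.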

  • Do not allow FTP write access to untrusted anonymous users

Anonymous users are not granted FTP write access by default. If anonymous write access has been granted on an FTP server, the administrator can modify IIS permissions to prevent anonymous write access. Untrusted users cannot exploit the vulnerability without FTP write access.

To modify IIS permissions to prevent FTP write access to anonymous users, perform the following steps:

    • Launch IIS Manager.
    • Right-click Default FTP Site and point to Properties.
    • Click the Home Directory tab.
    • Ensure that Write is deselected.

Impact of Workaround: Users will not be able to transfer files using FTP, but can do so using WebDAV.

  • Disable the FTP service

    Note: See http://support.microsoft.com/kb/975191 to use the automated Microsoft Fix it solution to apply this workaround.

    Impact of Workaround: FTP service will be disabled.

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor. MyCERT can be reached through the contact channels listed under MA-194.092009 above.
