MCAFEE FOUNDSTONE FSL UPDATE 2012-JUN-13 To better protect your environment McAfee has created this FSL check update for the Foundstone Product Suite. The following is a detailed summary of the new and updated checks included with this release. NEW CHECKS 13718 - HP System Health Application And Command Line Utilities For Linux Unspecified Vulnerabilities Category: SSH Module -> NonIntrusive -> SSH Miscellaneous CVE: CVE-2012-2000 Multiple unspecified vulnerabilities are present in some versions of HP System Health Application and Command Line Utilities for Linux. The HP System Health Application and Command Line Utilities is collection of applications and tools which enables monitoring of fans, power supplies, temperature sensors, and other management events. Multiple unspecified vulnerabilities are present in some versions of HP System Health Application and Command Line Utilities for Linux. The flaw is caused by an unspecified error. No further information is currently available. Successful exploitation could allow an attacker to execute arbitrary code via unknown vectors. 13738 - (HPSBUX02784) HP-UX Java Multiple Vulnerabilities Category: SSH Module -> NonIntrusive -> HP-UX Patches and Hotfixes CVE: CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0504, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507 Multiple vulnerabilities are present in some versions of HP-UX Java JRE and JDK. HP-UX Java Runtime Environment (JRE) and Java Developer Kit (JDK) are an Oracle Java technology implementation for HP-UX systems. Multiple vulnerabilities are present in some versions of HP-UX Java JRE and JDK. The flaws are present in multiple components of Java. Successful exploitation could allow a remote attacker to cause denial of service, information disclosure and gain unauthorized access to the vulnerable system. 13743 - IBM DB2 Accessories Suite Outside In Technology Multiple Vulnerabilities Category: Windows Host Assessment -> Miscellaneous CVE: CVE-2011-2264, CVE-2011-0794, CVE-2011-0808
Multiple vulnerabilities is present in some versions of IBM DB2. IBM DB2 is a popular relational database management server. Multiple vulnerabilities is present in some versions of IBM DB2. The falws are present in CorelDRAW file parser, File ID SDK and file filters in Oracle Outside In Technology component. Successful exploitation could allow remote attacker to execute arbitrary code. 13750 - (MS12-038) Microsoft.NET Framework Clipboard Unsafe Memory Access Remote Code Execution (2706726) CVE: CVE-2012-1855 Microsoft ID: MS12-038 Microsoft KB: 2706726 A remote code execution vulnerability is present in some versions of Microsoft.NET Framework. A remote code execution vulnerability is present in some versions of Microsoft.NET Framework. The flaw lies in the improper execution of function pointers. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website or open a malicious file. 13753 - (MS12-036) Microsoft Windows Remote Desktop Protocol Remote Code Execution (2685939) CVE: CVE-2012-0173 Microsoft ID: MS12-036 Microsoft KB: 2685939 A remote code execution vulnerability is present in some versions of Microsoft Windows. A remote code execution vulnerability is present in some versions of Microsoft Windows. The flaw lies in the improper handling of objects in memory. Successful exploitation could allow an attacker to execute remote code. 13754 - (MS12-036) Vulnerability In Remote Desktop Could Allow Remote Code Execution (2685939) Category: Windows Host Assessment -> Patches Only
CVE: CVE-2012-0173 Microsoft ID: MS12-036 A remote code execution vulnerability is present in some versions of Microsoft Windows. A remote code execution vulnerability is present in some versions of Microsoft Windows. The flaw lies in the improper handling of memory by RDP components. Successful exploitation could allow an attacker to execute remote code. Microsoft has provided MS12-036 to address this issue. The host appears to be missing this patch. 13756 - (MS12-037) Microsoft Internet Explorer OnRowsInserted Event Remote Code Execution (2699988) CVE: CVE-2012-1881 The flaw lies in the access to deleted elements. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website. 13757 - (MS12-037) Microsoft Internet Explorer InsertRow Remote Code Execution (2699988) CVE: CVE-2012-1880 The flaw lies in the access to deleted elements. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website.
13758 - (MS12-037) Microsoft Internet Explorer InsertAdjacentText Remote Code Execution (2699988) CVE: CVE-2012-1879 The flaw lies in the access to deleted elements. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website. 13759 - (MS12-037) Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution (2699988) CVE: CVE-2012-1878 The flaw lies in the access to deleted elements. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website. 13760 - (MS12-037) Microsoft Internet Explorer Developer Toolbar Remote Code Execution (2699988) CVE: CVE-2012-1874
The flaw lies in the handling of previously deleted elements. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website. 13761 - (MS12-037) Microsoft Internet Explorer Col Element Remote Code Execution (2699988) CVE: CVE-2012-1876 The flaw lies in the access to Col elements that do not exist. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website. 13764 - (MS12-037) Microsoft Internet Explorer Center Element Remote Code Execution (2699988) CVE: CVE-2012-1523 The flaw lies in an error handling a Center Element previously deleted. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website. 13766 - (MS12-037) Microsoft Internet Explorer Title Element Change Remote Code Execution (2699988) CVE: CVE-2012-1877
The flaw is specific to an invalid access condition within Title elements. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website. 13767 - (MS12-037) Cumulative Security Update For Internet Explorer (2699988) Category: Windows Host Assessment -> Patches Only CVE: CVE-2012-1523, CVE-2012-1876, CVE-2012-1874, CVE-2012-1872, CVE-2012-1858, CVE-2012-1879, CVE-2012-1880, CVE-2012-1873, CVE-2012-1878, CVE-2012-1881, CVE-2012-1875, CVE-2012-1882, CVE-2012-1877 Multiple remote code execution vulnerabilities are present in some versions of Microsoft Internet Explorer. Multiple remote code execution vulnerabilities are present in some versions of Microsoft Internet Explorer. Multiple components of Microsoft Internet Explorer are affected. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website. Microsoft has provided MS12-037 to address these issues. The host appears to be missing this patch. 13768 - (MS12-038) Vulnerability in.net Framework Could Allow Remote Code Execution (2706726) Category: Windows Host Assessment -> Patches Only CVE: CVE-2012-1855 Microsoft ID: MS12-038 A vulnerability exists in some versions of Microsoft.NET Framework. The Microsoft.NET framework is a runtime and software framework for the Windows operating system. A vulnerability exists in some versions of Microsoft.NET Framework. The flaw lies in the improper execution of function pointers. Successful exploitation could allow an attacker to execute remote code. Microsoft has provided MS12-038 to address this issue. The host appears to be missing this patch. 13771 - Microsoft Windows XML Core Services Could Allow Remote Code Execution (2719615) CVE: CVE-2012-1889 Microsoft KB: KB2719615
A remote code execution exists in some versions of Microsoft XML Core Services, as implemented in Microsoft Windows and Microsoft Office. A remote code execution exists in some versions of Microsoft XML Core Services, as implemented in Microsoft Windows and Microsoft Office. The flaw is specific to a function in MSXML and may lead to remote code execution or a denial of service (crash) condition. In particular conditions the problematic function attempts to access objects in memory which have not been properly or fully initialized. This ultimately lead to memory corruption. Exploitation can occur via a maliciously-crafted website or rich content document. Current intelligence indicates that active an functional attacks are targeting this flaw, leveraging objxml.definition called via JavaScript. 13782 - (MS12-039) Microsoft Lync Insecure Library Loading Remote Code Execution (2707956) CVE: CVE-2012-1849 Microsoft ID: MS12-039 Microsoft KB: 2707956 A remote code execution vulnerability is present in some versions of Microsoft Lync. A remote code execution vulnerability is present in some versions of Microsoft Lync. The flaw lies in the loading of DLL files. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to download and open a malicious.ocsmeet file. 13784 - (MS12-039) Microsoft Windows TrueType Font Parsing II Remote Code Execution (2707956) CVE: CVE-2012-0159 Microsoft ID: MS12-039 Microsoft KB: 2707956 A remote code execution vulnerability is present in some versions of Microsoft Lync. A remote code execution vulnerability is present in some versions of Microsoft Lync. The flaw lies in the TrueType font parsing engine. Successful exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a malicious website.
13786 - (MS12-039) Microsoft Windows TrueType Font Parsing Remote Code Execution (2707956) CVE: CVE-2011-3402 Microsoft ID: MS12-039 Microsoft KB: 2707956 A remote code execution vulnerability exists in some versions of Microsoft Lync and related products. A remote code execution vulnerability exists in some versions of Microsoft Lync and related products. A vulnerability in some versions of Microsoft Lync could lead to remote code execution. The flaw lies in the W32k TrueType fontparsing engine. Successful exploitation could allow an attacker to execute commands in kernel mode. This flaw is exploited in the wild as part of the "Duqu" attacks. The victim must open a maliciously crafted Word document that contains the associated exploit code. 13790 - Microsoft IIS 7.5 Classic ASP Authentication Bypass Remote Code Execution Category: Windows Host Assessment -> Miscellaneous A remote code execution vulnerability is present in some versions of Microsoft IIS. A remote code execution vulnerability is present in some versions of Microsoft IIS. The flaw allows an attacker to bypass password protected directories. Successful exploitation by a remote attacker could result in the execution of arbitrary code. 13791 - Microsoft IIS 6.0 PHP Authentication Bypass Remote Code Execution Category: Windows Host Assessment -> Miscellaneous A remote code execution vulnerability is present in some versions of Microsoft IIS. A remote code execution vulnerability is present in some versions of Microsoft IIS. The flaw allows an attacker to bypass password protected directories. Successful exploitation by a remote attacker could result in the execution of arbitrary code. 13792 - Microsoft IIS 7.5.NET Authentication Bypass Remote Code Execution
Category: Windows Host Assessment -> Miscellaneous A remote code execution vulnerability is present in some versions of Microsoft IIS. A remote code execution vulnerability is present in some versions of Microsoft IIS. The flaw allows an attacker to bypass password protected directories. Successful exploitation by a remote attacker could result in the execution of arbitrary code. 13736 - Skywiper Category: Windows Host Assessment -> Trojans, Backdoors, Viruses, and Malware Skywiper coverage malware dessicated with a long-standing, high-evolved, information theft and monitoring campaign, targeted at specific entities in the Middle East and Europe. Skywiper coverage malware dessicated with a long-standing, high-evolved, information theft and monitoring campaign, targeted at specific entities in the Middle East and Europe. McAfee Labs has observed publicly available reports from anti-spyware companies, and log files in public help forums, which could indicate infections of early variants of SkyWiper in Europe and Iran several years ago (for example: March 2010). The threat propagates via its' own native mechanisms, as well as leveraging vulnerabilities described in (MS10-061) and (MS10-046). Skywiper is a modular, extendable and updateable threat. It is capable, but not limited to the following key espionage functions: - Scanning network resources - Stealing information as specified - Communicate to C&C Servers over SSH and HTTPS protocols - Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc) - Both kernel and user mode logic is used - Complex internal functionality utilizing Windows APC calls and and threads start manipulation, and code injections to key processes - It loads as part of Winlogon.exe then injects to Explorer and Services - Conceals its present as ~ named temp files, just like Stuxnet and Duqu - Capable of attacking new systems over USB Flash Memory and local network (slowly spreads) - Creates screen captures - Records voice conversations - Runs on Windows XP, Windows Vista and Windows 7 systems - Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet - Uses SQLite Database to store collected information - Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware) - Often located on nearby systems: a local network for both C&C and target infection cases - Utilizes PE encrypted resources 13751 - (MS12-041) Microsoft Windows Clipboard Format Atom Name Handling Privilege Escalation (2709162)
CVE: CVE-2012-1866 Microsoft ID: MS12-041 Microsoft KB: 2709162 The flaw lies in the handling of kernel-mode driver objects. Successful exploitation could allow an attacker to obtain elevated privileges. The exploit requires the user to have valid credentials to the vulnerable system. 13755 - (MS12-037) Microsoft Internet Explorer Scrolling Events Information Disclosure (2699988) CVE: CVE-2012-1882 An information disclosure vulnerability is present in some versions of Microsoft Internet Explorer. An information disclosure vulnerability is present in some versions of Microsoft Internet Explorer. The flaw lies in the en error in the Scrolling event. Successful exploitation could allow an attacker to obtain sensitive information. The exploit requires the user to visit a malicious website. 13762 - (MS12-037) Microsoft Internet Explorer Null Byte Information Disclosure (2699988) CVE: CVE-2012-1873 An information disclosure vulnerability is present in some versions of Microsoft Internet Explorer. An information disclosure vulnerability is present in some versions of Microsoft Internet Explorer. The flaw lies in the handling of null bytes. Successful exploitation could allow an attacker ot obtain sensitive information. The exploit requires the user to visit a malicious website.
13763 - (MS12-037) Microsoft Internet Explorer EUC-JP Character Encoding Information Disclosure (2699988) CVE: CVE-2012-1872 An information disclosure vulnerability is present in some versions of Microsoft Internet Explorer. An information disclosure vulnerability is present in some versions of Microsoft Internet Explorer. The flaw lies in the handling of special encoding characters. Successful exploitation could allow an attacker to obtain sensitive information. The exploit requires the user to visit a malicious website. 13765 - (MS12-037) Microsoft Internet Explorer HTML Sanitization Information Disclosure (2699988) CVE: CVE-2012-1858 An information disclosure vulnerability is present in some versions of Microsoft Internet Explorer. An information disclosure vulnerability is present in some versions of Microsoft Internet Explorer. The flaw lies in the sanitization of HTML elements. Successful exploitation could allow an attacker to obtain sensitive information. The exploit requires the user to visit a malicious website. 13769 - (MS12-040) Microsoft Dynamic AX Cross Site Scripting Privilege Escalation (2709100) CVE: CVE-2012-1857 Microsoft ID: MS12-040 Microsoft KB: 2709100 A privilege escalation vulnerability is present in some versions of Microsoft Dynamic AX.
A privilege escalation vulnerability is present in some versions of Microsoft Dynamic AX. The flaw lies in the handling of JavaScript code that can cause a cross site scripting error. Successful exploitation could allow an attacker to obtain elevated privileges. The exploit requires the victim to visit a Dynamic AX website using a malicious URL. 13770 - (MS12-040) Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100) Category: Windows Host Assessment -> Patches Only CVE: CVE-2012-1857 Microsoft ID: MS12-040 A vulnerability exists in some versions of Microsoft Dynamic AX. Microsoft Dynamic AX is an enterprise resource planning (ERP) software. A vulnerability exists in some versions of Microsoft Dynamic AX. The flaw lies in the way that Dynamix AX handles JavaScript code, that could cause a cross site scripting error. Successful exploitation could allow an attacker to obtain elevated privileges. Microsoft has provided MS12-040 to address this issue. The host appears to be missing this patch. 13776 - (MS12-041) Microsoft Windows Font Resource Refcount Interger Overflow Privilege Escalation (2709162) CVE: CVE-2012-1867 Microsoft ID: MS12-041 Microsoft KB: 2709162 The flaw lies in the memory allocation for handling fonts. Successful exploitation could allow an attacker to obtain elevated privileges. The exploit requires the user to have valid credentials to the vulnerable system. 13777 - (MS12-041) Microsoft Windows String Atom Class Name Handling Privilege Escalation I (2709162) CVE: CVE-2012-1864 Microsoft ID: MS12-041 Microsoft KB: 2709162
The flaw lies in the handling of kernel-mode driver objects. Successful exploitation could allow an attacker to obtain elevated privileges. The exploit requires the attacker to have valid credentials to the vulnerable system. 13778 - (MS12-041) Microsoft Windows String Atom Class Name Handling Privilege Escalation II (2709162) CVE: CVE-2012-1865 Microsoft ID: MS12-041 Microsoft KB: 2709162 The flaw lies in the handling of kernel-mode driver objects. Successful exploitation could allow an attacker to obtain elevated privileges. The exploit requires the user to have valid credentials to the vulnerable system. 13779 - (MS12-041) Microsoft Windows Win32k.sys Race Condition Privilege Escalation (2709162) CVE: CVE-2012-1868 Microsoft ID: MS12-041 Microsoft KB: 2709162 The flaw lies in the attempts to create specific threads. Successful exploitation could allow an attacker to obtain elevated privileges. The exploit requires the user to have valid credentials to the vulnerable system. 13780 - (MS12-042) Microsoft Windows BIOS ROM Corruption Privilege Escalation (2711167) CVE: CVE-2012-1515
Microsoft ID: MS12-042 Microsoft KB: 2711167 The flaw lies in the handling of BIOS memory. Successful exploitation could allow an attacker to obtain elevated privileges. the exploit requires the attacker to have valid credentials to the vulnerable system. 13781 - (MS12-042) Microsoft Windows User Mode Scheduler Memory Corruption Privilege Escalation (2711167) CVE: CVE-2012-0217 Microsoft ID: MS12-042 Microsoft KB: 2711167 The flaw lies in the handling of system requests by the User Mode Scheduler. Successful exploitation could allow an attacker to obtain elevated privileges. The exploit requires the user to have valid credentials to the vulnerable system. 13783 - (MS12-039) Microsoft Windows HTML Sanitization Information Disclosure (2707956) CVE: CVE-2012-1858 Microsoft ID: MS12-039 Microsoft KB: 2707956 An information disclosure vulnerability is present in some versions of Microsoft Windows. An information disclosure vulnerability is present in some versions of Microsoft Windows. The flaw lies in the filtering of HTML code. Successful exploitation could allow an attacker to obtain sensitive information. 13785 - (MS12-041) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162) Category: Windows Host Assessment -> Patches Only
Risk Level: Informational CVE: CVE-2012-1864, CVE-2012-1865, CVE-2012-1866, CVE-2012-1867, CVE-2012-1868 Microsoft ID: MS12-041 Multiple vulnerabilities are present in Windows kernel-mode drivers. Multiple vulnerabilities are present in Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. Microsoft has provided MS12-041 to address these issues. The host appears to be missing this patch. 13787 - (MS12-042) Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167) Category: Windows Host Assessment -> Patches Only Risk Level: Informational CVE: CVE-2012-0217, CVE-2012-1515 Microsoft ID: MS12-042 Multiple vulnerabilities are present in the Windows kernel. Multiple vulnerabilities are present in the Windows kernel. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. Microsoft has provided MS12-042 to address these issues. The host appears to be missing this patch. 13788 - (MS12-039) Vulnerabilities in Lync Could Allow Remote Code Execution (2707956) Category: Windows Host Assessment -> Patches Only Risk Level: Informational CVE: CVE-2011-3402, CVE-2012-0159, CVE-2012-1849, CVE-2012-1858 Microsoft ID: MS12-039 Multiple vulnerabilities are present in Microsoft Lync. Multiple vulnerabilities are present in Microsoft Lync. The vulnerabilities could allow remote code execution if a user views shared content that contains specially crafted TrueType fonts. The vulnerabilities are a result of how specially crafted True Type Font files are handled, the manner in which Microsoft
Lync loads external libraries, and the way that SafeHTML function sanitizes HTML content. Microsoft has provided MS12-039 to address these issues. The host appears to be missing this patch. ENHANCED CHECKS The following checks have been updated. Enhancements may include optimizations, changes that reflect new information on a vulnerability and anything else that improves upon an existing FSL check. 13631 - (MS12-034) Microsoft Windows TrueType Font Parsing II (2681578) CVE: CVE-2012-0159 DISA IAVA: 2012-A-0079 Microsoft ID: MS12-034 Microsoft KB: 2681578 Update Details is updated. is updated. 13632 - (MS12-034) Microsoft Windows TrueType Font Parsing (2681578) CVE: CVE-2011-3402 DISA IAVA: 2012-A-0079,2011-A-0170 Microsoft ID: MS11-087 Microsoft KB: 2639658 BID: 50462 Update Details is updated. is updated. 13733 - Tftpd32 DNS Server Denial Of Service Vulnerability Category: Windows Host Assessment -> Miscellaneous BID: 53704 Update Details Recommendation is updated.
13739 - (MS12-037) Microsoft Internet Explorer Same ID Property Remote Code Execution (2699988) CVE: CVE-2012-1875 Update Details Name is updated. is updated. is updated. Recommendation is updated. CVE is updated. FASLScript is updated. 6830 - Sun Java Web Console Help JSP File Cross-Site Scripting Vulnerability Category: General Vulnerability Assessment -> NonIntrusive -> Web Server CVE: CVE-2009-2283 Update Details Recommendation is updated. 13489 - McAfee Web Gateway Multiple File Processing Vulnerabilities Category: SSH Module -> NonIntrusive -> SSH Miscellaneous CVE: CVE-2012-1443, CVE-2012-1446, CVE-2012-1459, CVE-2012-1457, CVE-2012-1461, CVE-2012-1456, CVE-2012-1454, CVE-2012-1453, CVE-2012-1442, CVE-2012-1431, CVE-2012-1430, CVE-2012-1429, CVE-2012-1425 Update Details Recommendation is updated. 70014 - netbios-helpers.fasl3.inc Category: General Vulnerability Assessment -> NonIntrusive -> Invalid Category Risk Level: Informational Update Details FASLScript is updated. HOW TO UPDATE FS1000 APPLIANCE customers should follow the instructions for Enterprise/Professional customers, below. In addition, we strongly urge all appliance customers to authorize and install any Windows Update critical patches. The appliance will auto-download any critical updates but will wait for your explicit authorization before installing.
FOUNDSTONE ENTERPRISE and PROFESSIONAL customers may obtain these new scripts using the FSUpdate Utility by selecting "FoundScan Update" on the help menu. Make sure that you have a valid FSUpdate username and password. The new vulnerability scripts will be automatically included in your scans if you have selected that option by right-clicking the selected vulnerability category and checking the "Run New Checks" checkbox. MANAGED SERVICE CUSTOMERS already have the newest update applied to their environment. The new vulnerability scripts will be automatically included when your scans are next scheduled, provided the Run New Scripts option has been turned on. MCAFEE TECHNICAL SUPPORT ServicePortal: https://mysupport.mcafee.com/ Multi-National Phone Support available here: http://www.mcafee.com/us/about/contact/index.html Non-US customers - Select your country from the list of Worldwide Offices. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient please contact the sender and delete all copies. Copyright 2010 McAfee, Inc. McAfee is a registered trademark of McAfee, Inc. and/or its affiliates