May 2, 2005
Principal Investigator: Rohit Dhamankar
Co-investigators: Gerhard Eschelbeck, Marcus Sachs, Johannes Ullrich
The SANS Top20 Internet Security Vulnerabilities (www.sans.org/top20) is an annual consensus effort of leading information security organizations around the world. In 2004, the United Kingdom's NISCC hosted the announcement of the 2004 Top20 with the direct support of the US White House and Public Safety and Emergency Preparedness Canada.
Thousands of organizations rely on the Top20 to help set priorities for what needs to be fixed first. However, since new Internet threats are discovered daily, user organizations that rely on the Top20 as a list of high priority threats have been asking for more frequent updates.
On May 2, 2005, the sponsors of the Top20 project released the first installment in a new program of quarterly updates to the Top20. It updates the annual Top20 and provides an additional roadmap to the new vulnerabilities that must be eliminated in any Internet-connected organization.
The list below summarizes the most critical new vulnerabilities discovered during the first quarter of 2005 by vendor.
Following the brief list, the critical new vulnerabilities are grouped by the vulnerability categories employed in the 2004 Top20 announcement, and summarized with a brief assessment of the impact of exploiting the vulnerabilities and pointers to more detailed information.
Top New Vulnerabilities in Q1, 2005 (Summary List)
Microsoft Products
DNS Cache Poisoning Vulnerability
Multiple Antivirus Products Buffer Overflow Vulnerabilities
Oracle Critical Patch Update
Multiple Media Player Buffer Overflows (RealPlayer, Winamp and iTunes)
***********************************************************
Top New Vulnerabilities in Windows Systems Q1, 2005
Top20 Category: W3 Windows Remote Access Services
***********************************************************
Windows License Logging Service Overflow (MS05-010)
Patches:
MS05-010 available.
Affected:
Windows NT/2000/2003 Servers
Risk:
An attacker can execute code with "SYSTEM" privileges.
Exploits:
Exploit code has been published in the Immunitysec CANVAS and CORE Impact tools.
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=11#exploit1
http://www.microsoft.com/technet/security/bulletin/ms05-010.mspx
CVE:
CAN-2005-0050
*******************************************************************
Microsoft Server Message Block (SMB) Vulnerability (MS05-011)
Patches:
MS05-011 available.
Affected:
Microsoft Windows 2000, XP and Windows Server 2003
Risk:
An attacker can execute code with "SYSTEM" privileges.
Exploits:
The technical details have been posted.
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely6
http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx
CVE:
CAN-2005-0045
************************************************************************************
Top20 Category: W6 Web Browsers
Internet Explorer Vulnerabilities (MS05-014 and MS05-008)
Patches:
MS05-014, MS05-008 available.
Affected:
Internet Explorer versions 5.01, 5.5, 6.0
Risk:
An attacker can compromise a client system.
Exploits:
Multiple exploits are available. The flaws are being exploited in the wild to install spyware/adware applications.
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely2
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx
CVE:
*******************************************************************
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=2#widely1
http://www.sans.org/newsletters/risk/display.php?v=3&i=51#widely1
http://www.sans.org/newsletters/risk/display.php?v=3&i=52#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=4#widely5
http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx
CVE:
CAN-2004-1043
*******************************************************************
Microsoft DHTML Edit ActiveX Remote Code Execution (MS05-013)
Patches:
MS05-013 available.
Affected:
Windows 98/ME/SE/2000/XP/2003
Risk:
An attacker can compromise a client system.
Exploits:
Multiple exploits are available. The flaws are being exploited in the wild.
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely3
http://www.microsoft.com/technet/security/bulletin/ms05-013.mspx
CVE:
CAN-2004-1319
**************************************************************************************
Microsoft Cursor and Icon Handling Overflow (MS05-002)
Patches:
MS05-002 available.
Affected:
Windows NT/2000/XP SP0 and SP1/2003
Risk:
An attacker can compromise a client system.
Exploits:
Exploit code is available. The flaws are being exploited in the wild to install spyware/adware applications.
References:
http://www.sans.org/newsletters/risk/display.php?v=3&i=51#widely2
http://www.sans.org/newsletters/risk/display.php?v=4&i=2#widely2
http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
CVE:
CAN-2004-1049
*******************************************************************
Top20 Category: W10 Instant Messaging
Microsoft PNG File Processing Vulnerabilities (MS05-009)
Patches:
MS05-009 available.
Affected:
Windows Media Player 9 series
Windows Messenger version 5.0
MSN Messenger version 6.1 and 6.2
Windows 98/ME/SE
Risk:
An attacker can compromise a client system.
Exploits:
Multiple exploits are available.
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely3
http://www.microsoft.com/technet/security/bulletin/ms05-009.mspx
CVE:
CAN-2004-1244, CAN-2004-0597
*******************************************************************
Top New Vulnerabilities in Cross Platform Applications (A new category for the Top20-2005 Study)
*******************************************************************
Computer Associates License Manager Buffer Overflows
Patches:
Available at
http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp
http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp
Affected:
CA License Package versions 1.53 through 1.61.8
All CA products that use the vulnerable CA License Package on AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows and Apple Mac OSs are affected.
Exploits:
Multiple exploits are available.
Risk:
An attacker can execute code with "SYSTEM/root" privileges on systems running any of the vulnerable products.
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=9#widely1
CVE:
CAN-2005-0581, CAN-2005-0582, CAN-2005-0583
*******************************************************************
Multiple Antivirus Products Buffer Overflow Vulnerabilities
Patches:
Available
Symantec patch site: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005020911112648
Affected:
Multiple products from Symantec, F-Secure, Trend Micro, McAfee
Risk:
An attacker can execute code with "SYSTEM/root" privileges on systems running any of the vulnerable products.
Exploits:
Technical details of the flaws are available in all cases.
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6 (Symantec)
http://www.sans.org/newsletters/risk/display.php?v=4&i=6 (F-Secure)
http://www.sans.org/newsletters/risk/display.php?v=4&i=8#widely2 (Trend Micro)
http://www.sans.org/newsletters/risk/display.php?v=4&i=12#widely1 (McAfee)
CVE:
CAN-2005-0249, CAN-2005-0350, CAN-2005-0644
*********************************************************************************
DNS Cache Poisoning Vulnerability
Patches and Workarounds:
Available (See the referenced links for details):
Symantec Gateway Security 5400 Series version 2.x
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html
Symantec Gateway Security 5300 Series 1.0
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_52005300/files.html
Symantec Enterprise Firewall version 7.0.x and 8.0 (Windows and Solaris)
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8/files.html
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8_sol/files.html
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_firewall_704_nt/files.html
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_firewall_704_solaris/files.html
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_firewall_7_nt/files.html
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_firewall_7_solaris/files.html
Symantec VelociRaptor Model 1100/1200/1300 version 1.5
http://www.symantec.com/techsupp/enterprise/products/sym_velociraptor/sym_vr_15_1310/files.html
http://www.symantec.com/techsupp/enterprise/products/sym_velociraptor/sym_vr_15_1200_1300/files.html
http://www.symantec.com/techsupp/enterprise/products/sym_velociraptor/sym_vr_15_other_models/files.html
Affected:
Symantec Gateway Security 5400 Series version 2.x
Symantec Gateway Security 5300 Series version 1.0
Symantec Enterprise Firewall version 7.0.x and 8.0 (Windows and Solaris)
Symantec VelociRaptor Model 1100/1200/1300 version 1.5
Windows NT and Windows 2000 (prior to SP3) DNS servers in the default configuration
The following configurations are also reportedly vulnerable:
http://www.sans.org/newsletters/risk/display.php?v=4&i=14#widely1
http://isc.sans.org/presentations/dnspoisoning.php
*******************************************************************
Oracle Critical Patch Update
Patches:
Oracle CPU issued on Jan 18, 2005
Affected:
Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3 and 10.1.0.3.1
Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5 and 9.2.0.6
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4 (9.0.1.5 FIPS)
Oracle8i Database Server Release 3, version 8.1.7.4
Oracle8 Database Release 8.0.6, version 8.0.6.3
Oracle Application Server 10g Release 2 (10.1.2)
Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle Collaboration Suite Release 2, version 9.0.4.2
Oracle E-Business Suite and Applications Release 11i (11.5)
Oracle E-Business Suite and Applications Release 11.0
Risk:
An attacker can potentially compromise an Oracle server.
Exploits:
Technical details have been posted for many of the flaws.
References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=3#widely1
CVE:
CAN-2005-0298
*******************************************************************
Multiple Media Player Buffer Overflows
Patches:
Available.
Affected:
RealPlayer
==========
For Windows:
RealPlayer version 10.5 Builds 6.0.12.1040-1056
RealPlayer version 10
RealOne Player v2 Builds 6.0.11.853 - 872
RealOne Player v2 Builds 6.0.11.818 - 840
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise
For Mac OS:
Mac RealPlayer 10 Builds 10.0.0.305 - 325
Mac RealOne Player
For Linux:
Linux RealPlayer 10
Helix Player
iTunes
=======
iTunes versions prior to 4.7.1
Winamp
========
Winamp versions 5.x prior to 5.08c
Risk:
An attacker can compromise a client system.
Exploits:
Multiple exploits are available. The flaws are being exploited in the wild.
References:
RealPlayer
http://www.sans.org/newsletters/risk/display.php?v=4&i=9#widely2
http://www.sans.org/newsletters/risk/display.php?v=4&i=10#exploit1
iTunes
http://www.sans.org/newsletters/risk/display.php?v=4&i=2#widely3
http://www.sans.org/newsletters/risk/display.php?v=4&i=3#exploit1
Winamp
http://www.sans.org/newsletters/risk/display.php?v=4&i=5#widely1
CVE:
CAN-2005-0455, CAN-2005-0611, CAN-2005-0043
*******************************************************************
Hackers are using popular programs written for cross platform use to access previously relatively secure operating systems.