SecurityFocus Microsoft Newsletter #312
----------------------------------------
This Issue is Sponsored by: SPI Dynamics
ALERT: "How A Hacker Launches A Cross-Site Scripting Attack" - White Paper
Cross-site scripting vulnerabilities in web apps allow hackers to compromise
confidential information, steal cookies and create requests that can be
mistaken
https://download.spidynamics.com/1/ad/xss.asp?Campaign_ID=70160000000Cc5Y
------------------------------------------------------------------
I. FRONT AND CENTER
1. Hacking Web 2.0 Applications with Firefox
II. MICROSOFT VULNERABILITY SUMMARY
1. Novell BorderManager IPSec/IKE Remote Denial Of Service Vulnerability
2. OpenSSH-Portable Existing Password Remote Information Disclosure
Weakness
3. SHTTPD Remote Buffer Overflow Vulnerability
4. Microsoft Word Mac Remote Code Execution Vulnerability
5. Microsoft Office Malformed Record Remote Code Execution Vulnerability
6. Microsoft Office Malformed Chart Record Remote Code Execution
Vulnerability
7. Microsoft Office Improper Memory Access Remote Code Execution
Vulnerability
8. Microsoft Windows SMB Rename Remote Denial of Service Vulnerability
9. CA Multiple Products Discovery Service Remote Buffer Overflow
Vulnerability
10. Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability
11. Microsoft Word Mail Merge Remote Code Execution Vulnerability
12. Microsoft October Advance Notification Multiple Vulnerabilities
13. Microsoft Excel Lotus 1-2-3 File Handling Remote Code Execution
Vulnerability
14. Microsoft Word Malformed String Remote Code Execution Vulnerability
15. Microsoft XML Core Services Information Disclosure Vulnerability
16. Microsoft Windows XML Core Services XSLT Buffer Overrun
Vulnerability
17. Microsoft ASP.NET AutoPostBack Variable Cross-Site Scripting
Vulnerability
18. Invision Gallery Index.PHP Directory Traversal Vulnerability
19. Invision Gallery Index.PHP SQL Injection Vulnerability
20. Microsoft PowerPoint Record Improper Memory Access Remote Code
Execution Vulnerability
21. Microsoft PowerPoint Data Record Remote Code Execution Vulnerability
22. Microsoft Office Smart Tag Remote Code Execution Vulnerability
23. Microsoft Windows Object Packager Remote Code Execution
Vulnerability
24. Microsoft PowerPoint Object Pointer Remote Code Execution
Vulnerability
25. Sunbelt Kerio Personal Firewall Multiple Local Denial of Service
Vulnerabilities
26. ProRat Remote Login Authentication Bypass Vulnerability
27. MailEnable SMTP NTLM Authentication Multiple Vulnerabilities
28. Trend Micro OfficeScan ATXCONSOLE.OCX ActiveX Control Format String
Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. security implications of disabling WMI service
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION
I. FRONT AND CENTER
---------------------
1. Hacking Web 2.0 Applications with Firefox
By Shreeraj Shah
This article looks at some of the methods, tools and tricks to dissect web 2.0
applications (including Ajax) and discover security holes using Firefox and its
plugins.
http://www.securityfocus.com/infocus/1879
II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Novell BorderManager IPSec/IKE Remote Denial Of Service Vulnerability
BugTraq ID: 20428
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20428
Summary:
Novell BorderManager is affected by a remote denial-of-service vulnerability
because the application fails to properly handle user-supplied input.
Exploiting this issue will allow an attacker to cause the affected client
computer to hang, denying service to legitimate users.
Novell BorderManager version 3.8 is vulnerable.
2. OpenSSH-Portable Existing Password Remote Information Disclosure Weakness
BugTraq ID: 20418
Remote: Yes
Date Published: 2006-10-09
Relevant URL: http://www.securityfocus.com/bid/20418
Summary:
It is reported that OpenSSH contains an information disclosure weakness. This
issue exists in the portable version of OpenSSH. The portable version is the
version that is distributed for operating systems other than its native OpenBSD
platform.
This issue has been confirmed as not deriving from either the Pluggable
Authentication Module (PAM) issue disclosed in BID 11781 in 2004, or the more
recent Generic Security Services Application Programming Interface (GSSAPI)
based information leak outlined in BID 20245. It is reported that it is
possible to verify access credentials for users with an existing system
password by measuring SSH authentication timing differences.
This weakness allows remote users to test for the existence of valid usernames
with a password set. Knowledge of system users with established passwords may
aid in further attacks.
3. SHTTPD Remote Buffer Overflow Vulnerability
BugTraq ID: 20393
Remote: Yes
Date Published: 2006-10-06
Relevant URL: http://www.securityfocus.com/bid/20393
Summary:
SHTTPD is prone to a remote buffer-overflow vulnerability.
Specifically, the issue presents itself as an error in the handling of HTTP
POST requests.
SHTTPD 1.34 is reported vulnerable; other versions may be affected as well.
4. Microsoft Word Mac Remote Code Execution Vulnerability
BugTraq ID: 20387
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20387
Summary:
Microsoft Word for Mac is prone to a remote code-execution vulnerability when
parsing Word files. Exploiting this vulnerability may allow an attacker to
execute arbitrary machine code in the context of the user who opened the file.
An attacker could leverage this issue to gain the permissions of an
unsuspecting user. A successful exploit could result in the remote compromise
of the affected system.
5. Microsoft Office Malformed Record Remote Code Execution Vulnerability
BugTraq ID: 20384
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20384
Summary:
Microsoft Office is prone to a remote code-execution vulnerability. This issue
occurs when Office attempts to process malformed files.
An attacker could exploit this issue by enticing a victim to load a malicious
Office file. If the vulnerability is successfully exploited, this could result
in the execution of arbitrary code in the context of the currently logged-in
user.
6. Microsoft Office Malformed Chart Record Remote Code Execution Vulnerability
BugTraq ID: 20383
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20383
Summary:
Microsoft Office is prone to a remote code-execution vulnerability. This issue
occurs when Office attempts to process malformed files.
An attacker could exploit this issue by enticing a victim to load a malicious
Office file. If the vulnerability is successfully exploited, this could result
in the execution of arbitrary code in the context of the currently logged-in
user.
7. Microsoft Office Improper Memory Access Remote Code Execution Vulnerability
BugTraq ID: 20382
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20382
Summary:
Microsoft Office is prone to a remote code-execution vulnerability. This issue
occurs when Office attempts to process malformed files.
An attacker could exploit this issue by enticing a victim to load a malicious
Office file. If the vulnerability is successfully exploited, this could result
in the execution of arbitrary code in the context of the currently logged-in
user.
8. Microsoft Windows SMB Rename Remote Denial of Service Vulnerability
BugTraq ID: 20373
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20373
Summary:
Microsoft Windows is prone to a remote denial-of-service vulnerability because
the Server service fails to properly handle network messages.
Exploiting this issue may cause affected computers to crash, denying service to
legitimate users.
To exploit this issue, an attacker must have valid logon credentials.
9. CA Multiple Products Discovery Service Remote Buffer Overflow Vulnerability
BugTraq ID: 20364
Remote: Yes
Date Published: 2006-10-02
Relevant URL: http://www.securityfocus.com/bid/20364
Summary:
Multiple Computer Associates products are prone to a remote stack-based
buffer-overflow vulnerability.
This issue arises because these applications fail to perform boundary checks
before copying user-supplied data into insufficiently sized buffers.
A successful attack may result in arbitrary code execution with the privileges
of the affected application.
This issue affects client and server versions of the affected products.
10. Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability
BugTraq ID: 20360
Remote: No
Date Published: 2006-10-05
Relevant URL: http://www.securityfocus.com/bid/20360
Summary:
Symantec AntiVirus is prone to a privilege-escalation vulnerability.
Local attackers can exploit this issue to corrupt memory and execute arbitrary
code with kernel-level privileges. Successful exploits may facilitate a
complete system compromise.
This issue affects only Symantec and Norton antivirus products running on
Microsoft Windows NT, Windows 2000, and Windows XP.
11. Microsoft Word Mail Merge Remote Code Execution Vulnerability
BugTraq ID: 20358
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20358
Summary:
Microsoft Word is prone to a remote code-execution vulnerability.
An attacker could exploit this issue by enticing a victim to load a malicious
Word file. If the vulnerability is successfully exploited, this could result in
the execution of arbitrary code in the context of the currently logged-in user.
12. Microsoft October Advance Notification Multiple Vulnerabilities
BugTraq ID: 20357
Remote: Yes
Date Published: 2006-10-05
Relevant URL: http://www.securityfocus.com/bid/20357
Summary:
Microsoft has released advance notification that the vendor will be releasing
11 security bulletins for Windows, Office, and .NET Framework on October 10,
2006. The highest severity rating for these issues is 'Critical'.
Further details about these issues are not currently available. Individual BIDs
will be created for each issue and this record will be removed when the
security bulletins are released.
13. Microsoft Excel Lotus 1-2-3 File Handling Remote Code Execution
Vulnerability
BugTraq ID: 20345
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20345
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.
A remote attacker may exploit this issue to execute arbitrary machine code in
the context of the user running the application.
This issue was originally described in BID 18989 and has now been assigned its
own BID.
14. Microsoft Word Malformed String Remote Code Execution Vulnerability
BugTraq ID: 20341
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20341
Summary:
Microsoft Word is prone to a remote code-execution vulnerability.
An attacker could exploit this issue by enticing a victim to load a malicious
Word file. If the vulnerability is successfully exploited, this could result in
the execution of arbitrary code in the context of the currently logged-in user.
15. Microsoft XML Core Services Information Disclosure Vulnerability
BugTraq ID: 20339
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20339
Summary:
Microsoft XML Core Services is prone to an information disclosure
vulnerability. This vulnerability is caused by an error in how server
re-directs are handled by the affected component.
This vulnerability could be exploited by enticing a victim user into visiting a
malicious web page.
16. Microsoft Windows XML Core Services XSLT Buffer Overrun Vulnerability
BugTraq ID: 20338
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20338
Summary:
Microsoft Windows is prone to a remotely exploitable buffer-overrun condition
in the XSLT implementation of XML core services.
An attacker can exploit this issue to execute arbitrary code on an unsuspecting
victim's computer. This may facilitate a remote compromise.
17. Microsoft ASP.NET AutoPostBack Variable Cross-Site Scripting Vulnerability
BugTraq ID: 20337
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20337
Summary:
Microsoft ASP.NET is prone to a cross-site scripting vulnerability. This issue
is due to a failure in the application to properly sanitize user-supplied input
before it is rendered in the browser of an unsuspecting user in the context of
the affected site.
An attacker may leverage this issue to have arbitrary script code executed in
the browser of an unsuspecting user, with the privileges of the victim user's
account. This may help the attacker steal cookie-based authentication
credentials, disclose sensitive information, and launch other attacks.
18. Invision Gallery Index.PHP Directory Traversal Vulnerability
BugTraq ID: 20328
Remote: Yes
Date Published: 2006-10-03
Relevant URL: http://www.securityfocus.com/bid/20328
Summary:
Invision Gallery is prone to a directory-traversal vulnerability because the
application fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the
vulnerable system in the context of the affected application. Information
obtained may aid attackers in further attacks.
19. Invision Gallery Index.PHP SQL Injection Vulnerability
BugTraq ID: 20327
Remote: Yes
Date Published: 2006-10-03
Relevant URL: http://www.securityfocus.com/bid/20327
Summary:
Invision Gallery is prone to an SQL-injection vulnerability because the
application fails to properly sanitize user-supplied input before using it in
an SQL query.
A successful exploit could allow an attacker to compromise the application,
access or modify data, or exploit vulnerabilities in the underlying database
implementation.
20. Microsoft PowerPoint Record Improper Memory Access Remote Code Execution
Vulnerability
BugTraq ID: 20325
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20325
Summary:
Microsoft PowerPoint is prone to a remote code-execution vulnerability.
Exploiting this issue can allow remote attackers to execute arbitrary code on a
vulnerable computer by supplying a malicious PowerPoint (.ppt) document to a
user.
21. Microsoft PowerPoint Data Record Remote Code Execution Vulnerability
BugTraq ID: 20322
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20322
Summary:
Microsoft PowerPoint is prone to a remote code-execution vulnerability.
Exploiting this issue can allow remote attackers to execute arbitrary code on a
vulnerable computer by supplying a malicious PowerPoint (.ppt) document to a
user.
22. Microsoft Office Smart Tag Remote Code Execution Vulnerability
BugTraq ID: 20320
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20320
Summary:
Microsoft Office is prone to a remote code-execution vulnerability. This issue
occurs when Office attempts to process malformed files.
An attacker could exploit this issue by enticing a victim to load a malicious
Office file. If the vulnerability is successfully exploited, this could result
in the execution of arbitrary code in the context of the currently logged-in
user.
23. Microsoft Windows Object Packager Remote Code Execution Vulnerability
BugTraq ID: 20318
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20318
Summary:
The Microsoft Windows Object Packager is prone to a remote code-execution
vulnerability. This issue is due to how the affected component handles file
extensions.
This vulnerability could let an attacker spoof dialogues, enticing a victim
into installing a file that has been misrepresented. A successful attack that
exploits this vulnerability could result in execution of arbitrary code. An
exploit could completely compromise the affected computer.
24. Microsoft PowerPoint Object Pointer Remote Code Execution Vulnerability
BugTraq ID: 20304
Remote: Yes
Date Published: 2006-10-10
Relevant URL: http://www.securityfocus.com/bid/20304
Summary:
Microsoft PowerPoint is prone to a remote code-execution vulnerability.
Exploiting this issue can allow remote attackers to execute arbitrary code on a
vulnerable computer by supplying a malicious PowerPoint (.ppt) document to a
user.
25. Sunbelt Kerio Personal Firewall Multiple Local Denial of Service
Vulnerabilities
BugTraq ID: 20299
Remote: No
Date Published: 2006-10-02
Relevant URL: http://www.securityfocus.com/bid/20299
Summary:
Sunbelt Kerio Personal Firewall is prone to multiple local denial-of-service
vulnerabilities because the application fails to properly sanitize
user-supplied input.
These vulnerabilities allow local attackers to crash affected systems,
facilitating a denial-of-service condition on the local computer. Code
execution may also be possible, but this has not been confirmed.
26. ProRat Remote Login Authentication Bypass Vulnerability
BugTraq ID: 20293
Remote: Yes
Date Published: 2006-10-02
Relevant URL: http://www.securityfocus.com/bid/20293
Summary:
ProRat is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to gain remote access to computers running
this application. A successful exploit will lead to the complete compromise of
affected computers.
27. MailEnable SMTP NTLM Authentication Multiple Vulnerabilities
BugTraq ID: 20290
Remote: Yes
Date Published: 2006-10-02
Relevant URL: http://www.securityfocus.com/bid/20290
Summary:
MailEnable is prone to multiple remote vulnerabilities.
These issues arise in the SMTP server during NTLM authentication and may
facilitate arbitrary code execution or denial-of-service conditions.
MailEnable Professional 2.0 and MailEnable Enterprise 2.0 are reported
vulnerable to these issues.
28. Trend Micro OfficeScan ATXCONSOLE.OCX ActiveX Control Format String
Vulnerability
BugTraq ID: 20284
Remote: Yes
Date Published: 2006-10-01
Relevant URL: http://www.securityfocus.com/bid/20284
Summary:
Trend Micro OfficeScan is prone to a remote format-string vulnerability. This
vulnerability requires a certain amount of user interaction for an attack to
occur, such as visiting a malicious website. A successful exploit would let a
remote attacker execute code with the privileges of the currently logged-in
user.
Trend Micro OfficeScan Corporate Edition 7.3 is reported vulnerable. Other
versions may be affected as well.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. security implications of disabling WMI service
http://www.securityfocus.com/archive/88/448141
IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to
[EMAIL PROTECTED] from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
the website.
If your email address has changed email [EMAIL PROTECTED] and ask to
be manually removed.
V. SPONSOR INFORMATION
------------------------