SecurityFocus Microsoft Newsletter #317
----------------------------------------
This Issue is Sponsored by: eEye
Too Many Security Agents Cluttering Your System?
Replace your Firewall, IPS, Anti-Spyware and more with Blink® Professional for
less than what you are currently paying in renewals.
Learn more on how you can experience the simplicity of one. One agent. One
console. One Policy. One Solution.
Introducing eEye Digital Security's Blink® Professional, the first all-in-one
security agent.
http://www.eeye.com/ctrack.asp?ref=SFBlink20061031
------------------------------------------------------------------
I. FRONT AND CENTER
1. Using Nepenthes Honeypots to Detect Common Malware
II. MICROSOFT VULNERABILITY SUMMARY
1. AlTools ALFTP Authentication Bypass And Information Disclosure
Vulnerabilities
2. ASP Portal Default1.ASP SQL Injection Vulnerability
3. Microsoft Agent ActiveX Control Remote Code Execution Vulnerability
4. D-Link DWL-G132 ASAGU.SYS Wireless Device Driver Stack Buffer
Overflow Vulnerability
5. AVG Anti-Virus Multiple Remote Code Execution Vulnerabilities
6. Microsoft Windows Client Service For Netware Remote Code Execution
Vulnerability
7. Microsoft Internet Explorer HTML Rendering Remote Code Execution
Vulnerability
8. Novell BorderManager ISAKMP Predictable Cookie Vulnerability
9. Marshal MailMarshal UNARJ Extraction Remote Directory Traversal
Vulnerability
10. Microsoft November Advance Notification Multiple Vulnerabilities
11. Citrix Presentation Server IMA Service Multiple Remote
Vulnerabilities
12. Microsoft Windows Workstation Service NetpManageIPCConnect Remote
Code Execution Vulnerability
13. Microsoft Client Service for Netware Denial of Service Vulnerability
14. War FTP Daemon CWD Command Remote Denial Of Service Vulnerability
15. IBM Lotus Notes User.ID File Key Information Disclosure
Vulnerability
16. WarFTPD Multiple Format String Vulnerabilities
17. Microsoft Windows GDI Kernel Local Privilege Escalation
Vulnerability
18. America Online ICQ ActiveX Control Remote Code Execution
Vulnerability
19. Essentia Web Server GET And HEAD Requests Remote Buffer Overflow
Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. outlook sending email messages to mapped drives randomly
2. DNS recursive
3. SecurityFocus Microsoft Newsletter #316
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION
I. FRONT AND CENTER
---------------------
1. Using Nepenthes Honeypots to Detect Common Malware
By Jamie Riden
This article describes the use of Nepenthes, a low-interaction honeypot, as an
additional layer of network defense. Nepenthes can be used to capture malware,
alert an administrator about a network compromise, and assist in containing and
removing the infection.
http://www.securityfocus.com/infocus/1880
II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. AlTools ALFTP Authentication Bypass And Information Disclosure
Vulnerabilities
BugTraq ID: 21058
Remote: Yes
Date Published: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21058
Summary:
The AlTools ALFTP server is prone to authentication bypass and information
disclosure vulnerabilities. These issues occur when specific commands are
submitted by a user.
These issues could allow an attacker to gain sensitive directory information or
to create directories in unauthorized locations. This could aid in further
attacks.
Version 4.1 BETA1 is vulnerable; other versions may also be affected.
2. ASP Portal Default1.ASP SQL Injection Vulnerability
BugTraq ID: 21039
Remote: Yes
Date Published: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/21039
Summary:
ASP Portal is prone to an SQL injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input before
using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application,
access or modify data, or exploit latent vulnerabilities in the underlying
database implementation.
ASP Portal versions 4.0.0 and prior are vulnerable.
3. Microsoft Agent ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 21034
Remote: Yes
Date Published: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21034
Summary:
The Microsoft Agent ActiveX control is prone to remote code execution.
An attacker could exploit this issue to execute code in the context of the user
visiting a malicious web page.
4. D-Link DWL-G132 ASAGU.SYS Wireless Device Driver Stack Buffer Overflow
Vulnerability
BugTraq ID: 21032
Remote: Yes
Date Published: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/21032
Summary:
The D-Link Wireless Device Driver for DWL-G132 devices is prone to a
stack-based buffer-overflow vulnerability because the driver fails to properly
bounds-check user-supplied data before copying it into an insufficiently sized
memory buffer.
Exploiting this issue allows attackers to execute arbitrary machine code in the
context of the kernel hosting the vulnerable driver. Failed attempts will
likely crash the kernel, resulting in denial-of-service conditions.
The ASAGU.SYS driver is primarily used on the Microsoft Windows operating
system. It should be noted, however, that Linux and BSD machines using the
'ndiswrapper' tool should determine if they are using a vulnerable instance of
the driver.
It should also be noted that this vulnerability can only be exploited by an
attacker within 802.11 radio range of the vulnerable wireless interface.
Version 1.0.1.41 of the ASAGU.SYS driver is reported vulnerable; other versions
may also be affected.
5. AVG Anti-Virus Multiple Remote Code Execution Vulnerabilities
BugTraq ID: 21029
Remote: Yes
Date Published: 2006-11-13
Relevant URL: http://www.securityfocus.com/bid/21029
Summary:
AVG Anti-Virus is prone to multiple remote code-execution vulnerabilities.
These issues are due to flaws in the file-parsing engine of the software.
Successfully exploiting these issues allows for remote code-execution with
elevated privileges, facilitating the complete compromise of affected
computers.
AVG Anti-Virus versions prior to 7.1.407 are vulnerable to these issues.
6. Microsoft Windows Client Service For Netware Remote Code Execution
Vulnerability
BugTraq ID: 21023
Remote: Yes
Date Published: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21023
Summary:
Microsoft Client Service for Netware is prone to a remote code-execution
vulnerability.
A remote attacker can exploit this vulnerability to execute arbitrary code in
the context of the user running the affected service.
Note that the Client Service for Netware is not installed by default on any
affected operating system.
7. Microsoft Internet Explorer HTML Rendering Remote Code Execution
Vulnerability
BugTraq ID: 21020
Remote: Yes
Date Published: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/21020
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability.
This vulnerability is related to how the browser renders HTML with certain
layout combinations. An attacker could exploit this issue to execute arbitrary
code in the context of the affected web browser.
This issue affects Internet Explorer on Windows 2000, Windows XP, and Windows
Server 2003.
8. Novell BorderManager ISAKMP Predictable Cookie Vulnerability
BugTraq ID: 21014
Remote: Yes
Date Published: 2006-11-10
Relevant URL: http://www.securityfocus.com/bid/21014
Summary:
Novell BorderManager is prone to a vulnerability that results in creating
predictable ISAKMP cookies.
This vulnerability may lead to various attacks including denial-of-service
condition and replay attacks that allow attackers to gain unauthorized access
to sessions. Other attacks may be possible as well.
Novell BorderManager 3.8 Support Pack 4 is reported to be vulnerable. Prior
versions may also be affected.
This issue may be related to BID 20428 (Novell BorderManager IPSec/IKE Remote
Denial Of Service Vulnerability). If further analysis reveals that these
issues are identical, this BID will be retired.
9. Marshal MailMarshal UNARJ Extraction Remote Directory Traversal
Vulnerability
BugTraq ID: 20999
Remote: Yes
Date Published: 2006-11-10
Relevant URL: http://www.securityfocus.com/bid/20999
Summary:
Marshal MailMarshal is affected by a remote directory-traversal vulnerability
because the application fails to properly sanitize or validate filenames prior
to decompression.
Exploiting this issue may allow an attacker to arbitrarily overwrite files with
a user's privileges when a malicious compressed file is decompressed with the
affected application.
MailMarshal SMTP 5.x, MailMarshal SMTP 6.x, MailMarshal SMTP 2006, and
MailMarshal for Exchange 5.x are vulnerable; other versions may also be
affected.
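The filename check that the summary above says MailMarshal's UNARJ extraction lacks, as an added example that is not the vendor's code: a member-name validator for an archive extractor, together with the join to the extraction root. The function names, the extraction root and the sample member names are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical archive-member name check (not MailMarshal or UNARJ code).
 * 'declared_len' is the length the archive header claims for the name; an
 * archive that embeds a NUL ("evil.txt\0.jpg") to fool a naive extension
 * filter is caught by comparing it with what C string functions see.
 * Returns 1 if the name may be joined to the extraction directory, 0 if not.
 */
int member_path_is_safe(const char *name, size_t declared_len)
{
    size_t len = strlen(name);
    if (len == 0 || len != declared_len) return 0;   /* empty or embedded NUL */

    /* Absolute paths, UNC names and DOS drive letters escape the root outright. */
    if (name[0] == '/' || name[0] == '\\') return 0;
    if (len >= 2 && name[1] == ':') return 0;

    /* Walk the components, treating '\' like '/' (ARJ archives carry DOS-style
     * separators), and track depth so that "a/../../b" is rejected even though
     * it never starts with "..". */
    int depth = 0;
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\') end++;
        size_t clen = (size_t)(end - p);
        if (clen == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 0;                /* climbed above the root */
        } else if (clen > 0 && !(clen == 1 && p[0] == '.')) {
            depth++;                                  /* ordinary component */
        }
        p = *end ? end + 1 : end;
    }
    return depth > 0;   /* "." or "a/.." resolve to the root itself: nothing to write */
}

/* Join a validated member name to the extraction root, normalising DOS
 * separators. Returns 0 on success, -1 if the name was rejected or too long. */
int build_output_path(const char *root, const char *name, size_t declared_len,
                      char *out, size_t outsz)
{
    if (!member_path_is_safe(name, declared_len)) return -1;
    int n = snprintf(out, outsz, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outsz) return -1;
    for (char *q = out; *q; q++)
        if (*q == '\\') *q = '/';
    return 0;
}

static char out_path[4096];   /* output buffer used by the stand-alone demo */

/* Stand-alone demo over constructed member names (not real archive contents). */
int main(void)
{
    const char *samples[] = { "docs/report.txt", "../../Windows/system32/evil.dll",
                              "C:\\boot.ini", "a/../../b", "a/b/../c" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_output_path("/var/quarantine", samples[i],
                                   strlen(samples[i]), out_path, sizeof out_path);
        printf("%-36s -> %s\n", samples[i], rc == 0 ? out_path : "REJECTED");
    }
    return 0;
}
```

The depth counter is what matters: rejecting names that merely begin with ".." misses "a/../../b". The check is necessary but not sufficient on its own; an archive can also create a symbolic link inside the extraction directory and then write a later member through it, so an extractor should additionally refuse link members or open output files with O_NOFOLLOW (or the platform equivalent) and confirm the final path with realpath().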
10. Microsoft November Advance Notification Multiple Vulnerabilities
BugTraq ID: 20991
Remote: Yes
Date Published: 2006-11-09
Relevant URL: http://www.securityfocus.com/bid/20991
Summary:
Microsoft has released advance notification that the vendor will be releasing
six security bulletins for Windows and Microsoft XML Core Services on November
14, 2006. The highest severity rating for these issues is 'Critical'.
Further details about these issues are not currently available. Individual BIDs
will be created for each issue; this record will be removed when the security
bulletins are released.
11. Citrix Presentation Server IMA Service Multiple Remote Vulnerabilities
BugTraq ID: 20986
Remote: Yes
Date Published: 2006-11-09
Relevant URL: http://www.securityfocus.com/bid/20986
Summary:
Citrix Presentation Server's IMA service is prone to multiple remote
vulnerabilities. These issues include a buffer-overflow vulnerability and a
denial-of-service vulnerability.
These issues may allow an attacker to execute arbitrary code on the affected
computer or to cause denial-of-service conditions.
12. Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code
Execution Vulnerability
BugTraq ID: 20985
Remote: Yes
Date Published: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20985
Summary:
Microsoft Windows Workstation service is prone to a remote code-execution
vulnerability.
This issue allows remote, anonymous attackers to execute arbitrary machine code
on affected computers with SYSTEM-level privileges. This facilitates the
complete compromise of affected computers.
Attackers require administrative privileges to exploit this issue on Windows XP
SP2 computers. Anonymous attackers may exploit this issue on Windows 2000
computers.
13. Microsoft Client Service for Netware Denial of Service Vulnerability
BugTraq ID: 20984
Remote: Yes
Date Published: 2006-11-14
Relevant URL: http://www.securityfocus.com/bid/20984
Summary:
Microsoft Client Service for Netware is prone to a denial-of-service
vulnerability.
Exploiting this issue would cause the affected computer to crash, denying
service to legitimate users.
14. War FTP Daemon CWD Command Remote Denial Of Service Vulnerability
BugTraq ID: 20973
Remote: Yes
Date Published: 2006-11-08
Relevant URL: http://www.securityfocus.com/bid/20973
Summary:
War FTP Daemon is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying
service to legitimate users.
War FTP Daemon 1.82.00-RC11 is reported vulnerable to this issue; other
versions may also be affected.
This issue may be related to the issue described in BID 12384 (War FTP Daemon
Remote Denial Of Service Vulnerability).
15. IBM Lotus Notes User.ID File Key Information Disclosure Vulnerability
BugTraq ID: 20960
Remote: Yes
Date Published: 2006-11-08
Relevant URL: http://www.securityfocus.com/bid/20960
Summary:
IBM Lotus Notes is prone to a local information-disclosure vulnerability
because it fails to protect sensitive information from unprivileged users.
A local attacker may exploit this issue to obtain encryption key data from an
unencrypted file that is used by the application. The attacker may then use
this information to retrieve further information or to launch other attacks.
IBM Lotus Notes versions prior to 6.5.5 FP2 and 7.0.2 are vulnerable; other
versions may also be affected.
16. WarFTPD Multiple Format String Vulnerabilities
BugTraq ID: 20944
Remote: Yes
Date Published: 2006-11-07
Relevant URL: http://www.securityfocus.com/bid/20944
Summary:
WarFTPd is prone to multiple remote format-string vulnerabilities because the
application fails to sanitize user-supplied input before passing it to a
formatted-output function.
An attacker can exploit these issues to crash the server and possibly to
execute arbitrary code within the context of the server, but this has not been
confirmed.
WarFTPd 1.82.00-RC11 is reported vulnerable; prior versions may be vulnerable
as well.
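The defect class described above, as an added example that is not WarFTPd code: a hypothetical server-side log helper that hands client-supplied text to a formatted-output function as the format string, beside the corrected call that keeps the format constant, plus a whitelist check for the rare case where a configurable format is genuinely needed. The function names and the accepted-directive list are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical FTP-server log helper (not WarFTPd code). 'untrusted' comes
 * straight from the client, e.g. the argument of a USER or CWD command.
 */

/* Calling snprintf through a pointer hides the defect below from the
 * compiler's -Wformat-security diagnostic; that is the only reason it is
 * used here, and it mirrors how such bugs survive in real code (wrappers,
 * indirection, formats stored in variables). */
static int (*const fmt_unchecked)(char *, size_t, const char *, ...) = snprintf;

/* Vulnerable: the client-controlled string *is* the format string.
 * A client sending "%x %x %x" makes the call walk variadic arguments that
 * were never passed and dump register/stack contents; "%n" turns it into a
 * write primitive. Never call this with anything containing '%'. */
int log_unsafe(const char *untrusted, char *out, size_t outsz)
{
    return fmt_unchecked(out, outsz, untrusted);
}

/* Hardened: the format is a constant and the untrusted data is only ever an
 * argument for "%s", so any '%' in it is copied literally. */
int log_safe(const char *untrusted, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* For a format that really must come from configuration: allow only bare
 * %s and %d, reject %n and every width/flag variant. Returns 1 if acceptable. */
int format_is_acceptable(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '\0') return 0;               /* dangling '%' at end */
        if (*p == '%') continue;                /* literal percent sign */
        if (*p == 'n') return 0;                /* memory-write directive */
        if (*p != 's' && *p != 'd') return 0;   /* anything else is rejected */
    }
    return 1;
}

static char scratch[128];   /* shared output buffer for the stand-alone demo */

/* Stand-alone demo over constructed inputs (not captured FTP traffic). */
int main(void)
{
    log_safe("%x %x %n", scratch, sizeof scratch);
    printf("safe   : %s\n", scratch);           /* directives stay literal */
    log_unsafe("anonymous", scratch, sizeof scratch);
    printf("unsafe : %s (benign input only)\n", scratch);
    printf("\"user %%s (%%d)\" acceptable: %d\n", format_is_acceptable("user %s (%d)"));
    printf("\"%%n\" acceptable: %d\n", format_is_acceptable("%n"));
    return 0;
}
```

The fix is always the same: a literal format string and the untrusted data as an argument. When auditing, build with -Wformat -Wformat-security and treat every call where the format is not a literal as a finding, including calls reached through pointers or wrappers, which the compiler cannot see.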
17. Microsoft Windows GDI Kernel Local Privilege Escalation Vulnerability
BugTraq ID: 20940
Remote: No
Date Published: 2006-11-06
Relevant URL: http://www.securityfocus.com/bid/20940
Summary:
Microsoft Windows is prone to a local privilege-escalation vulnerability
because data structures mapped by the GDI Kernel can be re-mapped as read-write
by other processes.
An attacker could exploit this issue to execute arbitrary machine code with
SYSTEM-level privileges. A successful exploit could result in the complete
compromise of the affected computer. Failed attempts could cause
denial-of-service conditions.
18. America Online ICQ ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 20930
Remote: Yes
Date Published: 2006-11-06
Relevant URL: http://www.securityfocus.com/bid/20930
Summary:
The America Online ICQ ActiveX Control is prone to a remote code-execution
vulnerability.
An attacker could exploit this issue simply by sending a message to a victim
ICQ user.
Exploiting this issue could allow an attacker to execute arbitrary code.
The ICQPhone.SipxPhoneManager ActiveX control with a CLSID of
54BDE6EC-F42F-4500-AC46-905177444300 is affected.
19. Essentia Web Server GET And HEAD Requests Remote Buffer Overflow
Vulnerability
BugTraq ID: 20910
Remote: Yes
Date Published: 2006-11-07
Relevant URL: http://www.securityfocus.com/bid/20910
Summary:
Essentia Web Server is prone to a stack-based buffer-overflow vulnerability
because the application fails to bounds-check user-supplied data before copying
it into an insufficiently sized buffer.
An attacker can exploit this issue to execute arbitrary code within the context
of the webserver. Failed exploit attempts will result in a denial-of-service
condition.
This issue affects version 2.15; other versions may also be affected.
This issue may be related to the one described in BID 4159 (Essentia Web
Server Long URL Buffer Overflow Vulnerability).
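The unchecked copy described for the Essentia request handler above and for the ASAGU.SYS driver under item 4 is the same bug class: data of attacker-chosen length copied into a fixed-size stack buffer. The following added example (not Essentia or D-Link code; all names, the request format and the 256-byte limit are assumptions) shows a request-line URL copy with no destination bound beside one that fails closed when the token would not fit.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical request-line parser for a small web server (not Essentia code):
 * extracts the URL token from "GET /path HTTP/1.0" into a fixed buffer. */

#define URL_MAX 256

/* Vulnerable pattern: copy up to the next space with no bound on the
 * destination. A URL longer than URL_MAX-1 bytes overruns the caller's stack
 * buffer, and with an attacker-chosen URL that overwrites the saved return
 * address. It is shown for contrast only; never feed it untrusted input. */
void copy_url_unsafe(const char *req, char *url)
{
    const char *p = strchr(req, ' ');   /* skip the method */
    if (!p) { url[0] = '\0'; return; }
    p++;
    while (*p && *p != ' ')
        *url++ = *p++;                  /* no check against URL_MAX */
    *url = '\0';
}

/* Hardened: the destination size is part of the contract, the token length is
 * measured before anything is copied, and an over-long URL is rejected rather
 * than silently truncated (truncation can change meaning, e.g. drop a query
 * string, and would still let a hostile client probe the limit). */
int copy_url_safe(const char *req, char *url, size_t urlsz)
{
    const char *p = strchr(req, ' ');
    if (!p) return -1;
    p++;
    size_t n = strcspn(p, " \r\n");     /* length of the URL token */
    if (n == 0 || n >= urlsz) return -1; /* must leave room for the NUL */
    memcpy(url, p, n);
    url[n] = '\0';
    return (int)n;
}

/* Builds "GET /AAA... HTTP/1.0" with a URL of exactly 'len' bytes and reports
 * what copy_url_safe returns for a URL_MAX-byte destination. */
int safe_result_for_url_len(size_t len)
{
    char req[URL_MAX + 600];
    char url[URL_MAX];
    if (len == 0 || len + 16 > sizeof req) return -2;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', len - 1);
    memcpy(req + 4 + len, " HTTP/1.0\r\n", 12);   /* 11 chars plus NUL */
    return copy_url_safe(req, url, sizeof url);
}

static char demo_url[URL_MAX];   /* output buffer used by the stand-alone demo */

/* Stand-alone demo over constructed requests (not captured traffic). */
int main(void)
{
    copy_url_unsafe("GET /index.html HTTP/1.0\r\n", demo_url);
    printf("unsafe, short URL : %s\n", demo_url);
    printf("safe, 10 bytes    : %d\n", safe_result_for_url_len(10));
    printf("safe, 255 bytes   : %d\n", safe_result_for_url_len(255));
    printf("safe, 256 bytes   : %d (rejected)\n", safe_result_for_url_len(256));
    printf("safe, 2000 bytes  : %d (rejected)\n", safe_result_for_url_len(800));
    return 0;
}
```

The same rule applies to the wireless driver case, where the "request" is an 802.11 management frame and the fixed buffer lives on the kernel stack: measure the length field or token first, compare it with the destination size, and drop the frame on mismatch. A rejected frame costs nothing; an accepted over-long one runs with kernel privileges.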
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. outlook sending email messages to mapped drives randomly
http://www.securityfocus.com/archive/88/451487
2. DNS recursive
http://www.securityfocus.com/archive/88/451486
3. SecurityFocus Microsoft Newsletter #316
http://www.securityfocus.com/archive/88/450867
IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to
[EMAIL PROTECTED] from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
the website.
If your email address has changed email [EMAIL PROTECTED] and ask to
be manually removed.
V. SPONSOR INFORMATION
------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------