SecurityFocus Microsoft Newsletter #320
----------------------------------------

This Issue is Sponsored by: Watchfire

Watchfire announces AppScan 7.0! The industry's only web application security scanner with new features that include Privilege Escalation Testing, Validation Highlighting and Reasoning and Complex Authentication Support to automate even more scanning and provide greater visibility and control for security professionals, penetration testers and QA staff. See for yourself. Download an evaluation copy of AppScan now!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTx

------------------------------------------------------------------

I. FRONT AND CENTER
1. Christmas Shopping: Vista Over XP?
2. Vulnerability Scanning Web 2.0 Client-Side Components
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft Internet Explorer Frame Src Denial Of Service Vulnerability
2. JustSystems Multiple Products Unspecified Buffer Overflow Vulnerability
3. SMF Image File HTML Injection Vulnerability
4. Microsoft Windows Print Spooler GetPrinterData Denial of Service Vulnerability
5. BlazeVideo HDTV PLF Stack Buffer Overflow Vulnerability
6. CoolPlayer Multiple Buffer Overflow Vulnerabilities
7. Outpost Firewall PRO Security Bypass Weakness
8. Invision Gallery Index.PHP IMG Parameter SQL Injection Vulnerability
9. Palm Desktop Application Directory Local Insecure Permissions Vulnerability
10. AtomixMP3 M3U File Path Buffer Overflow Vulnerability
11. Xerox WorkCentre and WorkCentre Pro Multiple Vulnerabilities
12. VUPlayer M3U UNC Name Buffer Overflow Vulnerability
13. MailEnable IMAP Service Multiple Buffer Overflow Vulnerabilities
14. Business Objects Crystal Reports Predictable Session Identifiers Session Hijacking Vulnerability
15. Songbird Media Player Denial of Service Vulnerability
16. Telnet-FTP Server Remote Denial of Service Vulnerability
17. Telnet-FTP Server Directory Traversal Vulnerability
18. BlazeVideo BlazeDVD Playlist Files Remote Memory Corruption Vulnerability
19. Quinnware Quintessential Player Playlist Files Remote Memory Corruption Vulnerability
20. MailEnable WebAdmin Unauthorized Access Vulnerability
21. WarHound General Shopping Cart Item.ASP SQL Injection Vulnerability
22. 3Com 3CTftpSvc Filename Remote Buffer Overflow Vulnerability
23. Allied Telesyn AT-TFTP Server Filename Remote Buffer Overflow Vulnerability
24. 3Com TFTP Transporting Mode Remote Buffer Overflow Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #319
2. DNS recursive
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Christmas Shopping: Vista Over XP?
By Federico Biancuzzi

Microsoft has announced Vista's release dates. From a security standpoint, what choice should consumers make during this Christmas shopping season? Most will be faced with Windows XP only or Windows XP with Microsoft's Express Upgrade option to Vista. Federico Biancuzzi interviewed a wide range of security researchers and anti-virus folks to get some consensus on the security of Vista over Windows XP for consumers, with some advice for corporate users as well.

http://www.securityfocus.com/columnists/425

2. Vulnerability Scanning Web 2.0 Client-Side Components
By Shreeraj Shah

This article discusses the challenges faced when vulnerability scanning Web 2.0 applications, and then provides a methodology to detect vulnerabilities in Web 2.0 client-side application components.

http://www.securityfocus.com/infocus/1881

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Microsoft Internet Explorer Frame Src Denial Of Service Vulnerability
BugTraq ID: 21447
Remote: Yes
Date Published: 2006-12-05
Relevant URL: http://www.securityfocus.com/bid/21447
Summary:
Microsoft Internet Explorer is prone to a denial-of-service vulnerability because the application fails to handle exceptional conditions. This issue is triggered when an attacker entices a victim user to visit a malicious website.

Remote attackers may exploit this issue to crash Internet Explorer, effectively denying service to legitimate users.

2. JustSystems Multiple Products Unspecified Buffer Overflow Vulnerability
BugTraq ID: 21445
Remote: Yes
Date Published: 2006-12-05
Relevant URL: http://www.securityfocus.com/bid/21445
Summary:
Multiple JustSystems products are prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data.

A successful attack may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed attack attempts may cause denial-of-service conditions.

http://secunia.com/product/12805/

3. SMF Image File HTML Injection Vulnerability
BugTraq ID: 21431
Remote: Yes
Date Published: 2006-12-04
Relevant URL: http://www.securityfocus.com/bid/21431
Summary:
SMF is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

Note that this vulnerability may be triggered only in the Internet Explorer browser.

SMF version 1.1 is vulnerable to this issue.

4. Microsoft Windows Print Spooler GetPrinterData Denial of Service Vulnerability
BugTraq ID: 21401
Remote: Yes
Date Published: 2006-12-02
Relevant URL: http://www.securityfocus.com/bid/21401
Summary:
Microsoft Windows Print Spooler service is prone to a denial-of-service vulnerability.

A remote attacker can exploit this issue to crash the affected service, denying service to legitimate users.

Reports indicate that this issue affects Print Spooler on Microsoft Windows 2000 SP4; other versions may also be vulnerable.

5. BlazeVideo HDTV PLF Stack Buffer Overflow Vulnerability
BugTraq ID: 21399
Remote: Yes
Date Published: 2006-12-01
Relevant URL: http://www.securityfocus.com/bid/21399
Summary:
BlazeVideo HDTV is prone to a stack-based buffer-overflow vulnerability because the application fails to handle malformed playlist files.

An attacker can exploit this issue to execute arbitrary code within the context of the application or to trigger a denial-of-service condition.

BlazeVideo HDTV 2.1 and prior versions are vulnerable to this issue.

6. CoolPlayer Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 21396
Remote: Yes
Date Published: 2006-12-01
Relevant URL: http://www.securityfocus.com/bid/21396
Summary:
CoolPlayer is prone to multiple buffer-overflow vulnerabilities because the application fails to check the size of the data before copying it into a finite-sized internal memory buffer.

An attacker can exploit these issues to execute arbitrary code within the context of the application or to cause a denial-of-service condition.

CoolPlayer 215 and prior versions are vulnerable to this issue; other versions may also be affected.

7. Outpost Firewall PRO Security Bypass Weakness
BugTraq ID: 21390
Remote: No
Date Published: 2006-12-01
Relevant URL: http://www.securityfocus.com/bid/21390
Summary:
Outpost Firewall PRO is prone to a weakness that may allow local privileged attackers to bypass security restrictions.

Successful exploits may allow local privileged attackers to bypass security restrictions to crash the affected application and potentially execute malicious code in the context of the vulnerable application.

Outpost Firewall PRO version 4.0 is affected by this issue; other versions may also be affected.

8. Invision Gallery Index.PHP IMG Parameter SQL Injection Vulnerability
BugTraq ID: 21388
Remote: Yes
Date Published: 2006-12-01
Relevant URL: http://www.securityfocus.com/bid/21388
Summary:
Invision Gallery is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

9. Palm Desktop Application Directory Local Insecure Permissions Vulnerability
BugTraq ID: 21382
Remote: No
Date Published: 2006-12-01
Relevant URL: http://www.securityfocus.com/bid/21382
Summary:
Palm Desktop is prone to an insecure-permissions vulnerability.

A local attacker could exploit this issue to gain access to sensitive data. Information obtained may aid in further attacks.

Version 4.1.4 is vulnerable; other versions may also be affected.

10. AtomixMP3 M3U File Path Buffer Overflow Vulnerability
BugTraq ID: 21380
Remote: Yes
Date Published: 2006-12-01
Relevant URL: http://www.securityfocus.com/bid/21380
Summary:
AtomixMP3 is prone to a buffer-overflow vulnerability because the application fails to properly verify the size of user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the user running the affected application. Failed exploit attempts will likely crash applications, denying service to legitimate users.

This issue affects AtomixMP3 2.3 and prior versions.

11. Xerox WorkCentre and WorkCentre Pro Multiple Vulnerabilities
BugTraq ID: 21365
Remote: Yes
Date Published: 2006-11-30
Relevant URL: http://www.securityfocus.com/bid/21365
Summary:
Xerox WorkCentre and WorkCentre Pro are prone to multiple vulnerabilities.

The issues affect the ESS/Network controller firmware and the MicroServer Web Server application on the vulnerable devices.

Successful exploits may allow an attacker to gain unauthorized access to affected devices, make unauthorized changes to system configuration, and bypass security restrictions or anonymously retrieve secure files. Note that the attacker may not be able to obtain password or user information.

WorkCentre version 12.060.17.000, WorkCentre Pro version 13.060.17.000, and WorkCentre with PostScript option version 14.060.17.000 are vulnerable.

12. VUPlayer M3U UNC Name Buffer Overflow Vulnerability
BugTraq ID: 21363
Remote: Yes
Date Published: 2006-11-30
Relevant URL: http://www.securityfocus.com/bid/21363
Summary:
VUPlayer is prone to a buffer-overflow vulnerability because the application fails to properly verify the size of user-supplied data before copying it into an insufficiently sized process buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of the user running the affected application. Failed exploit attempts will likely crash applications, denying service to legitimate users.

This issue affects version 2.44; earlier versions may also be vulnerable.

13. MailEnable IMAP Service Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 21362
Remote: Yes
Date Published: 2006-11-30
Relevant URL: http://www.securityfocus.com/bid/21362
Summary:
MailEnable is prone to multiple buffer-overflow vulnerabilities in the IMAP service because the application fails to properly bounds-check various types of user-supplied data.

An attacker may leverage these issues to execute arbitrary code in the context of the running application or to crash the application, causing a denial of service.

These issues are reported to affect the following MailEnable versions, but other versions may also be vulnerable:

1.6-1.86 Professional Edition
1.1-1.40 Enterprise Edition
2.0-2.33 Professional Edition
2.0-2.33 Enterprise Edition

14. Business Objects Crystal Reports Predictable Session Identifiers Session Hijacking Vulnerability
BugTraq ID: 21350
Remote: Yes
Date Published: 2006-11-29
Relevant URL: http://www.securityfocus.com/bid/21350
Summary:
Crystal Reports is prone to a session-hijacking vulnerability.

An attacker can exploit this issue to gain access to the affected application.

Crystal Reports Enterprise versions 9 and 10 are vulnerable to this issue.

15. Songbird Media Player Denial of Service Vulnerability
BugTraq ID: 21343
Remote: Yes
Date Published: 2006-11-29
Relevant URL: http://www.securityfocus.com/bid/21343
Summary:
Songbird Media Player is prone to a denial-of-service vulnerability.

An attacker may exploit this issue to cause applications that use the vulnerable library to consume excessive CPU and memory resources and crash, denying further service to legitimate users. Remote code execution may also be possible.

Songbird Media Player 0.2 and prior versions are vulnerable.

16. Telnet-FTP Server Remote Denial of Service Vulnerability
BugTraq ID: 21340
Remote: Yes
Date Published: 2006-11-29
Relevant URL: http://www.securityfocus.com/bid/21340
Summary:
Telnet-Ftp Server is prone to a remote denial-of-service vulnerability because it fails to properly handle user-supplied input.

Exploiting this issue allows remote attackers to crash the affected server, denying service to legitimate users.

Telnet-Ftp Server 1.0 build 1.250 is confirmed vulnerable; other versions may be affected as well.

17. Telnet-FTP Server Directory Traversal Vulnerability
BugTraq ID: 21339
Remote: Yes
Date Published: 2006-11-29
Relevant URL: http://www.securityfocus.com/bid/21339
Summary:
Telnet-FTP Server is prone to a directory-traversal vulnerability.

A remote attacker can exploit this issue to gain access to files in the context of the affected FTP server.

Telnet-FTP Server 1.0 is vulnerable; other versions may also be affected.

18. BlazeVideo BlazeDVD Playlist Files Remote Memory Corruption Vulnerability
BugTraq ID: 21337
Remote: Yes
Date Published: 2006-11-29
Relevant URL: http://www.securityfocus.com/bid/21337
Summary:
BlazeDVD is prone to a remote memory-corruption vulnerability because the application fails to handle malformed playlist files.

An attacker can exploit this issue to execute arbitrary code within the context of the application or trigger a denial-of-service condition.

BlazeDVD 5.0 Professional and Standard versions are vulnerable to this issue.

19. Quinnware Quintessential Player Playlist Files Remote Memory Corruption Vulnerability
BugTraq ID: 21331
Remote: Yes
Date Published: 2006-11-28
Relevant URL: http://www.securityfocus.com/bid/21331
Summary:
Quinnware Quintessential Player is prone to a remote memory-corruption vulnerability because the application fails to handle malformed playlist files.

An attacker can exploit this issue to execute arbitrary code within the context of the application or trigger a denial-of-service condition.

Quintessential Player version 4.50.1.82 is vulnerable to this issue; other versions may also be affected.

20. MailEnable WebAdmin Unauthorized Access Vulnerability
BugTraq ID: 21325
Remote: Yes
Date Published: 2006-11-27
Relevant URL: http://www.securityfocus.com/bid/21325
Summary:
MailEnable is prone to a vulnerability that can allow remote attackers to gain unauthorized access to the application's web-administration console.

MailEnable Professional Edition 2.32 and Enterprise Edition 2.32 are reported affected; other versions may be vulnerable as well.

21. WarHound General Shopping Cart Item.ASP SQL Injection Vulnerability
BugTraq ID: 21324
Remote: Yes
Date Published: 2006-11-27
Relevant URL: http://www.securityfocus.com/bid/21324
Summary:
WarHound General Shopping Cart is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

22. 3Com 3CTftpSvc Filename Remote Buffer Overflow Vulnerability
BugTraq ID: 21322
Remote: Yes
Date Published: 2006-11-27
Relevant URL: http://www.securityfocus.com/bid/21322
Summary:
3CTftpSvc is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before storing it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code and gain unauthorized remote access to a vulnerable computer. A denial-of-service condition may arise as well.

3CTftpSvc 2.0.1 and prior versions are reported to be vulnerable. Other versions may be affected as well.

23. Allied Telesyn AT-TFTP Server Filename Remote Buffer Overflow Vulnerability
BugTraq ID: 21320
Remote: Yes
Date Published: 2006-11-27
Relevant URL: http://www.securityfocus.com/bid/21320
Summary:
AT-TFTP is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before storing it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code and gain unauthorized remote access to a vulnerable computer. A denial-of-service condition may arise as well.

AT-TFTP 1.9 is reported vulnerable; other versions may be affected as well.

24. 3Com TFTP Transporting Mode Remote Buffer Overflow Vulnerability
BugTraq ID: 21301
Remote: Yes
Date Published: 2006-11-27
Relevant URL: http://www.securityfocus.com/bid/21301
Summary:
3Com TFTP is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before storing it in a finite-sized buffer.

An attacker can exploit this issue to cause the application to crash, denying further service to legitimate users. Due to the nature of this issue, the attacker may presumably be able to exploit it for remote code execution.

Version 2.0.1 is vulnerable; other versions may also be affected.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #319
http://www.securityfocus.com/archive/88/452936

2. DNS recursive
http://www.securityfocus.com/archive/88/451486

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively, you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email [EMAIL PROTECTED] and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: Watchfire

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTx

---------------------------------------------------------------------------
