SecurityFocus Microsoft Newsletter #325
----------------------------------------

This Issue is Sponsored by: Black Hat

Black Hat Europe, March 27-30 in Amsterdam, is Europe's premier technical event 
for ICT security experts.
Featuring 10 hands-on training courses and 30 Briefings presentations with lots 
of new content - the best of Black Hat focused on Europe's infosec challenges.
Network with 400 delegates from 25 nations, and see solutions from major 
sponsors.

http://www.blackhat.com

------------------------------------------------------------------
I.   FRONT AND CENTER
       1. Interview with Bill Cheswick
       2. Wireless Forensics: Tapping the Air - Part Two
II.  MICROSOFT VULNERABILITY SUMMARY
       1. Outpost Firewall PRO Local Privilege Escalation Vulnerability
       2. Remedy Action Request System Username Enumeration Vulnerability
       3. Ipswitch WS_FTP 2007 Professional WSFTPURL.EXE Local Memory Corruption Vulnerability
       4. Kaspersky Labs Anti-Virus Local Privilege Escalation Vulnerability
       5. KarjaSoft Sami FTP Server Multiple Buffer Overflow Vulnerabilities
       6. BolinTech Dream FTP Server USER Remote Buffer Overflow Vulnerability
       7. Total Commander Arbitrary File Deletion Vulnerability
       8. WinZip Command Line Remote Buffer Overflow Vulnerability
       9. Computer Associates BrightStor ARCserve Backup MediaSVR.EXE Variant Buffer Overflow Vulnerability
       10. Computer Associates BrightStor ARCserve Backup MediaSVR.EXE Remote Buffer Overflow Vulnerability
       11. CA BrightStor ARCserve Backup Tape Engine TCP 6502 Remote Buffer Overflow Vulnerability
       12. CA BrightStor ARCserve Backup Message Engine/Tape Engine Remote Buffer Overflow Vulnerability
       13. Snort GRE Packet Decoding Integer Underflow Vulnerability
       14. EIQ Networks Security Analyzer Null Pointer Dereference Client Denial of Service Vulnerability
       15. Microsoft Windows Explorer WMF File Denial of Service Vulnerability
       16. Snort Backtracking Denial of Service Vulnerability
       17. EF Commander ISO File Remote Buffer Overflow Vulnerability
       18. Microsoft Excel Opcode Handling Unspecified Remote Code Execution Vulnerability
       19. Microsoft Office Brazilian Portuguese Grammar Checker Remote Code Execution Vulnerability
       20. Camouflage Security Password Bypass Vulnerability
       21. SecureKit Steganography Carrier File Password Security Bypass Vulnerability
       22. Microsoft Outlook Malformed Email Header Remote Denial of Service Vulnerability
       23. Microsoft Outlook Advanced Find Remote Code Execution Vulnerability
       24. CenterICQ IJHook.CC Remote Buffer Overflow Vulnerability
       25. Microsoft Outlook VEVENT Record Remote Code Execution Vulnerability
       26. Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
       27. Microsoft Excel Malformed Column Record Remote Code Execution Vulnerability
       28. Microsoft Excel Malformed Palette Record Remote Code Execution Vulnerability
       29. Microsoft Excel Malformed String Remote Code Execution Vulnerability
       30. Microsoft Excel IMDATA Record Remote Code Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
       1. SoX & Share Permissions?
       2. EFS - new recovery agent
       3. SecurityFocus Microsoft Newsletter #324
IV.  UNSUBSCRIBE INSTRUCTIONS
V.   SPONSOR INFORMATION

I.   FRONT AND CENTER
---------------------
1. Interview with Bill Cheswick
By Federico Biancuzzi
Many people have seen Internet maps on walls and in various publications over 
the years. Federico Biancuzzi interviewed Bill Cheswick, who started the 
Internet Mapping Project that grew into software to map corporate and 
government networks. They discussed firewalling, logging, NIDS and IPS, how to 
fight DDoS, and the future of BGP and DNS.
http://www.securityfocus.com/columnists/429

2. Wireless Forensics: Tapping the Air - Part Two
By Raul Siles, GSE
This two-part series looks at the issues associated with collecting and 
analyzing network traffic from wireless networks in an accurate and 
comprehensive way, a discipline known as wireless forensics. Part two focuses 
on the technical challenges for wireless traffic analysis, advanced 
anti-forensic techniques that could thwart a forensic investigation, and some 
legal considerations for both the U.S. and Europe.
http://www.securityfocus.com/infocus/1885


II.  MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Outpost Firewall PRO Local Privilege Escalation Vulnerability
BugTraq ID: 22069
Remote: No
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22069
Summary:
Outpost Firewall PRO is prone to a local privilege-escalation vulnerability 
because it fails to perform adequate SSDT (System Service Descriptor Table) 
hooking on files in its installation directory.

A local attacker can exploit this issue to elevate their privileges, which can 
lead to the complete compromise of an affected computer.

Outpost Firewall PRO 4.0 is vulnerable; other versions may also be affected.

2. Remedy Action Request System Username Enumeration Vulnerability
BugTraq ID: 22066
Remote: Yes
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22066
Summary:
Remedy Action Request System is prone to a username-enumeration vulnerability 
because of a design error in the application when verifying user-supplied input.

Attackers may exploit this vulnerability to discern valid usernames. This may 
aid them in brute-force password cracking or other attacks.

Version 5.01.02 is vulnerable; other versions may also be affected.

3. Ipswitch WS_FTP 2007 Professional WSFTPURL.EXE Local Memory Corruption 
Vulnerability
BugTraq ID: 22062
Remote: No
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22062
Summary:
Ipswitch WS_FTP 2007 Professional is prone to a local memory-corruption 
vulnerability. This issue occurs when the 'wsbho2k0.dll' library fails to 
handle specially crafted arguments.

Due to the nature of this issue, an attacker may be able to execute arbitrary 
machine code in the context of the affected kernel, but this has not been 
confirmed. Failed exploit attempts result in kernel panics, denying service to 
legitimate users.

Ipswitch WS_FTP 2007 Professional is vulnerable to this issue; other versions 
may also be affected.

4. Kaspersky Labs Anti-Virus Local Privilege Escalation Vulnerability
BugTraq ID: 22061
Remote: No
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22061
Summary:
Kaspersky Labs Anti-Virus is prone to a local privilege-escalation 
vulnerability.

A local attacker can exploit this issue to execute arbitrary code with 
SYSTEM-level privileges. This may facilitate a complete compromise of the 
affected computer.

5. KarjaSoft Sami FTP Server Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 22045
Remote: Yes
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22045
Summary:
Sami FTP Server is prone to multiple stack-overflow vulnerabilities.

A successful exploit may lead to remote arbitrary code execution with the 
privileges of the server, facilitating remote compromise of affected computers.

Sami FTP Server version 2.0.2 is vulnerable to these issues; other versions may 
also be affected.

6. BolinTech Dream FTP Server USER Remote Buffer Overflow Vulnerability
BugTraq ID: 22044
Remote: Yes
Date Published: 2007-01-14
Relevant URL: http://www.securityfocus.com/bid/22044
Summary:
A remote buffer-overflow vulnerability is reported in BolinTech Dream FTP 
Server. This issue occurs because the application fails to properly validate 
the length of user-supplied strings prior to copying them into finite process 
buffers.

An attacker can exploit this issue to cause the affected server to crash and 
may be able to execute arbitrary code in the context of the process.

7. Total Commander Arbitrary File Deletion Vulnerability
BugTraq ID: 22033
Remote: Yes
Date Published: 2007-01-12
Relevant URL: http://www.securityfocus.com/bid/22033
Summary:
Total Commander is affected by an arbitrary file-deletion vulnerability because 
of input-validation errors that allow an attacker to delete arbitrary files and 
corrupt the filesystem on the affected computer.

An attacker can exploit these issues to cause a denial-of-service condition.

Total Commander versions prior to 6.5.6 are affected by this issue.

8. WinZip Command Line Remote Buffer Overflow Vulnerability
BugTraq ID: 22020
Remote: Yes
Date Published: 2007-01-12
Relevant URL: http://www.securityfocus.com/bid/22020
Summary:
WinZip is prone to a remote buffer-overflow vulnerability because it fails to 
adequately bounds-check user-supplied input before copying it into an 
insufficiently sized buffer.

An attacker may exploit this issue to cause denial-of-service conditions and 
possibly to execute arbitrary code within the context of the affected 
application, but this has not been confirmed.

This issue affects version 9.0 SR1; other versions may also be vulnerable.

9. Computer Associates BrightStor ARCserve Backup MediaSVR.EXE Variant Buffer 
Overflow Vulnerability
BugTraq ID: 22016
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22016
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote 
stack-based buffer-overflow vulnerability because the application fails to 
perform proper bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a 
vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause 
denial-of-service conditions.

NOTE: User interaction is not required to exploit this vulnerability.

Although this BID closely resembles BID 22015, it is a separate vulnerability.

10. Computer Associates BrightStor ARCserve Backup MediaSVR.EXE Remote Buffer 
Overflow Vulnerability
BugTraq ID: 22015
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22015
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote 
stack-based buffer-overflow vulnerability because the application fails to 
perform proper bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a 
vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause 
denial-of-service conditions.

NOTE: User interaction is not required to exploit this vulnerability.

11. CA BrightStor ARCserve Backup Tape Engine TCP 6502 Remote Buffer Overflow 
Vulnerability
BugTraq ID: 22006
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22006
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote 
buffer-overflow vulnerability because the application fails to perform proper 
bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a 
vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause 
denial-of-service conditions.

12. CA BrightStor ARCserve Backup Message Engine/Tape Engine Remote Buffer 
Overflow Vulnerability
BugTraq ID: 22005
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22005
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote 
buffer-overflow vulnerability because the application fails to perform proper 
bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a 
vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause 
denial-of-service conditions. Successful exploits can lead to a complete 
compromise of affected computers.

This issue affects multiple BrightStor ARCserve Backup application agents and 
the base product.

13. Snort GRE Packet Decoding Integer Underflow Vulnerability
BugTraq ID: 22004
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22004
Summary:
Snort is prone to a denial-of-service vulnerability because the network 
intrusion detection (NID) system fails to handle specially crafted network 
packets.

An attacker can exploit this issue to corrupt the application's log files and 
possibly to crash the application (depending on its memory layout).

14. EIQ Networks Security Analyzer Null Pointer Dereference Client Denial of 
Service Vulnerability
BugTraq ID: 21994
Remote: Yes
Date Published: 2007-01-10
Relevant URL: http://www.securityfocus.com/bid/21994
Summary:
EIQ Networks Security Analyzer is prone to a denial-of-service vulnerability.

A malicious server could cause a vulnerable client application to crash, 
effectively denying service.

15. Microsoft Windows Explorer WMF File Denial of Service Vulnerability
BugTraq ID: 21992
Remote: Yes
Date Published: 2007-01-10
Relevant URL: http://www.securityfocus.com/bid/21992
Summary:
Microsoft Windows Explorer is prone to a denial-of-service vulnerability.

A remote attacker may exploit this vulnerability by presenting a malicious file 
to a victim user and enticing them to open it with the vulnerable application. 
Users that simply browse folders containing the malicious file will also 
trigger this issue.

A successful exploit will crash the vulnerable application, effectively 
denying service.

This issue may be related to BID 19365: Microsoft Windows GDI32.DLL WMF Remote 
Denial of Service Vulnerability.

16. Snort Backtracking Denial of Service Vulnerability
BugTraq ID: 21991
Remote: Yes
Date Published: 2007-01-10
Relevant URL: http://www.securityfocus.com/bid/21991
Summary:
Snort is prone to a denial-of-service vulnerability because the network 
intrusion detection (NID) system fails to handle specially crafted network 
packets.

An attacker can exploit this issue to cause the affected NID system to consume 
100% CPU resources, allowing malicious network traffic to avoid detection.

This issue affects versions prior to 2.6.1.

17. EF Commander ISO File Remote Buffer Overflow Vulnerability
BugTraq ID: 21969
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21969
Summary:
EF Commander is prone to a remote buffer-overflow vulnerability because it 
fails to properly bounds-check user-supplied data prior to using it in a 
finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context 
of the user running the affected application.

This issue affects version 5.75; other versions may also be vulnerable.

18. Microsoft Excel Opcode Handling Unspecified Remote Code Execution 
Vulnerability
BugTraq ID: 21952
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21952
Summary:
Microsoft Excel is reportedly prone to an unspecified remote code-execution 
vulnerability.

Successfully exploiting this issue allows attackers to execute arbitrary code 
in the context of targeted users.

Note that Microsoft Office applications include functionality to embed Office 
files as objects contained in other Office files. As an example, Microsoft Word 
files may contain embedded malicious Microsoft Excel files, making Word and 
other Office documents another possible attack vector.

Insufficient details are currently available to elaborate further.

19. Microsoft Office Brazilian Portuguese Grammar Checker Remote Code Execution 
Vulnerability
BugTraq ID: 21942
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21942
Summary:
Microsoft Office is prone to a remote code-execution vulnerability. This issue 
occurs when the application processes certain Office files.

Note that this issue may not be exploited automatically through email. For an 
attack to succeed, a victim must manually open an attachment sent by email or 
obtained through other means.

An attacker may exploit this issue to execute arbitrary code in the context of 
the currently logged-in user.

This issue affects the Microsoft Office 2003 Brazilian Grammar Checker 
application used in various Microsoft applications that have Brazilian 
Portuguese language support.

20. Camouflage Security Password Bypass Vulnerability
BugTraq ID: 21939
Remote: Yes
Date Published: 2007-01-08
Relevant URL: http://www.securityfocus.com/bid/21939
Summary:
Camouflage is prone to a security-bypass vulnerability due to a design error.

An attacker can exploit this issue to gain access to data 'hidden' by the 
application. Information gained could aid in further attacks.

Version 1.2.1 is vulnerable; other versions may also be affected.

21. SecureKit Steganography Carrier File Password Security Bypass Vulnerability
BugTraq ID: 21938
Remote: No
Date Published: 2007-01-08
Relevant URL: http://www.securityfocus.com/bid/21938
Summary:
SecureKit Steganography is prone to a security-bypass vulnerability because of 
a design flaw when encrypting sensitive information.

Successful exploits allow local attackers to bypass the security restriction to 
obtain sensitive information that may lead to other attacks.

This issue affects versions 1.8 and 1.71; other versions may also be affected.

22. Microsoft Outlook Malformed Email Header Remote Denial of Service 
Vulnerability
BugTraq ID: 21937
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21937
Summary:
Microsoft Outlook is prone to a remote denial-of-service vulnerability because 
the application fails to properly handle malformed email messages.

A remote attacker can exploit this issue to crash affected email clients. This 
issue will persist as long as the email message resides on the mail server, 
creating a prolonged denial-of-service condition.

23. Microsoft Outlook Advanced Find Remote Code Execution Vulnerability
BugTraq ID: 21936
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21936
Summary:
Microsoft Outlook is prone to a remote code-execution vulnerability because the 
application fails to properly handle malformed saved search files.

A remote attacker can exploit this issue to execute arbitrary code with the 
privileges of unsuspecting users. A successful exploit may aid in the remote 
compromise of the underlying computer.

24. CenterICQ IJHook.CC Remote Buffer Overflow Vulnerability
BugTraq ID: 21932
Remote: Yes
Date Published: 2007-01-08
Relevant URL: http://www.securityfocus.com/bid/21932
Summary:
CenterICQ is prone to a remote buffer-overflow vulnerability because the 
application fails to properly bounds-check user-supplied input before copying 
it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code within the context 
of the affected application. Failed exploit attempts will result in a denial of 
service.

This issue affects versions 4.9.11 up to 4.21.0.

25. Microsoft Outlook VEVENT Record Remote Code Execution Vulnerability
BugTraq ID: 21931
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21931
Summary:
Microsoft Outlook is prone to a remote code-execution vulnerability because the 
application fails to properly handle malformed iCal requests.

A remote attacker can exploit this issue to execute arbitrary code with the 
privileges of unsuspecting users. A successful exploit may aid in the remote 
compromise of the underlying computer.

26. Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
BugTraq ID: 21930
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21930
Summary:
Microsoft Windows is prone to a buffer-overrun vulnerability that arises 
because of an error in the processing of Vector Markup Language documents.

An attacker can exploit this issue to execute arbitrary code within the context 
of the affected application.

27. Microsoft Excel Malformed Column Record Remote Code Execution Vulnerability
BugTraq ID: 21925
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21925
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

An attacker could exploit this issue to execute arbitrary code with the 
privileges of the user running the application. The attacker could leverage the 
issue to compromise affected computers.

28. Microsoft Excel Malformed Palette Record Remote Code Execution Vulnerability
BugTraq ID: 21922
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21922
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code with the 
privileges of the user running the affected application, which can result in 
the compromise of affected computers.

29. Microsoft Excel Malformed String Remote Code Execution Vulnerability
BugTraq ID: 21877
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21877
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code with the privileges 
of the user running the affected application, which could result in the 
compromise of affected computers.

30. Microsoft Excel IMDATA Record Remote Code Execution Vulnerability
BugTraq ID: 21856
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21856
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code with the privileges 
of the user running the application, which can result in the compromise of 
affected computers.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SoX & Share Permissions?
http://www.securityfocus.com/archive/88/456972

2. EFS - new recovery agent
http://www.securityfocus.com/archive/88/456961

3. SecurityFocus Microsoft Newsletter #324
http://www.securityfocus.com/archive/88/456552

IV.  UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed 
address. The contents of the subject or message body do not matter. You will 
receive a confirmation request message to which you will have to answer. 
Alternatively you can also visit http://www.securityfocus.com/newsletters and 
unsubscribe via the website.

If your email address has changed, email [EMAIL PROTECTED] and ask to be 
manually removed.

V.   SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: Black Hat

Black Hat Europe, March 27-30 in Amsterdam, is Europe's premier technical event 
for ICT security experts.
Featuring 10 hands-on training courses and 30 Briefings presentations with lots 
of new content - the best of Black Hat focused on Europe's infosec challenges.
Network with 400 delegates from 25 nations, and see solutions from major 
sponsors.

http://www.blackhat.com

