SecurityFocus Microsoft Newsletter #330
----------------------------------------

This Issue is Sponsored by: Black Hat

Black Hat Europe, March 27-30 in Amsterdam, is Europe's premier technical event for ICT security experts. Featuring 10 hands-on training courses and 30 Briefings presentations with lots of new content - the best of Black Hat focused on Europe's infosec challenges. Network with 400 delegates from 25 nations, and see solutions from major sponsors.

http://www.blackhat.com

SecurityFocus is proud to introduce the new *Focus On: Vista* section. Offering Vista-related news, columns and vulnerabilities, SecurityFocus is your source for Vista-related security. *Visit http://www.securityfocus.com/vista to see for yourself.*

------------------------------------------------------------------
I. FRONT AND CENTER
     1. Laptop Losses and Phishing Fruit Salad
     2. Vista Review: Bugs and Confusion
II. MICROSOFT VULNERABILITY SUMMARY
     1. FTP Voyager CWD Parameter Stack Buffer Overflow Vulnerability
     2. Microsoft Internet Explorer Local File Access Weakness
     3. Multiple Newsreader Applications .NZB File Remote Heap Overflow Vulnerability
     4. Grabit Field Handling Denial of Service Vulnerability
     5. News Rover Subject Line Stack Buffer Overflow Vulnerability
     6. News File Grabber Subject Line Stack Buffer Overflow Vulnerability
     7. Snort/Sourcefire DCE/RPC Packet Reassembly Stack Buffer Overflow Vulnerability
     8. Apple iTunes XML Parsing Remote Memory Corruption Vulnerability
     9. VicFTPS Remote Buffer Overflow Vulnerability
     10. Microsoft Word 2000/2002 Remote Code Execution Vulnerability
     11. MailEnable SMTP NTLM Authentication Unspecified Denial of Service Vulnerability
     12. Microsoft Excel Remote Denial Of Service Vulnerability
     13. MailEnable Web Mail Client Multiple HTML Injection and Cross-Site Scripting Vulnerabilities
     14. iTinySoft Studio Total Video Player M3U Playlist Buffer Overflow Vulnerability
     15. Adobe JRun Administrator Console Cross-Site Scripting Vulnerability
     16. Microsoft Internet Explorer JavaScript Key Filtering Variant Vulnerability
     17. uTorrent Torrent File Handling Remote Buffer Overflow Vulnerability
     18. Microsoft Internet Explorer COM Object Instantiation Variant Memory Corruption Vulnerability
     19. Microsoft Windows Image Acquisition Service Privilege Escalation Vulnerability
     20. Microsoft Internet Explorer WinINet.DLL FTP Server Response Parsing Memory Corruption Vulnerability
     21. Microsoft Internet Explorer IMJPCKSI COM Object Instantiation Memory Corruption Vulnerability
     22. Microsoft Step-by-Step Interactive Training Buffer Overflow Vulnerability
     23. Microsoft Windows OLE Dialog Remote Code Execution Vulnerability
     24. Microsoft Word Malformed Drawing Object Arbitrary Code Execution Vulnerability
     25. Microsoft Windows Shell Hardware Detection Service Privilege Escalation Vulnerability
     26. Microsoft Antivirus Engine Integer Overflow Vulnerability
     27. Microsoft HTML Help ActiveX Control Remote Code Execution Vulnerability
     28. Microsoft Word Macro Permissions Bypass Arbitrary Code Execution Vulnerability
     29. Microsoft MFC Embedded OLE Object Remote Code Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. SecurityFocus Microsoft Newsletter #329
     2. Time Zone change and Kerberos Auth
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Laptop Losses and Phishing Fruit Salad
By Dr. Neal Krawetz

Dr. Neal Krawetz takes a look at the numbers behind reports of laptop thefts and phishing attacks, showing inconsistent metrics and the difficulty in using numbers to determine the real level of threat.

http://www.securityfocus.com/columnists/435

2. Vista Review: Bugs and Confusion
By Thomas C. Greene

The Register's Thomas C. Greene offers an entertaining review of Windows Vista, noting price differences in Europe, driver compatibility issues, and security and user interface issues that affect the Vista experience.

http://www.securityfocus.com/columnists/436

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. FTP Voyager CWD Parameter Stack Buffer Overflow Vulnerability
BugTraq ID: 22637
Remote: Yes
Date Published: 2007-02-20
Relevant URL: http://www.securityfocus.com/bid/22637
Summary:
FTP Voyager is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

This issue affects version 14.0.0.3; other versions may also be affected.

2. Microsoft Internet Explorer Local File Access Weakness
BugTraq ID: 22621
Remote: Yes
Date Published: 2007-02-20
Relevant URL: http://www.securityfocus.com/bid/22621
Summary:
Microsoft Internet Explorer is reportedly prone to multiple local file access weaknesses because the application fails to properly handle HTML tags. These issues are triggered when an attacker entices a victim user to visit a malicious website.

It was initially reported that remote attackers may exploit these issues to gain access to local system files via Internet Explorer. This would aid attackers in the theft of confidential information and in launching further attacks. This attack would occur in the context of the user visiting the malicious site.

New conflicting reports indicate that these issues only result in verifying the existence of files on a vulnerable system.

These issues affect Internet Explorer version 6 on a fully patched Windows XP SP2 system; previous versions and operating systems may also be vulnerable.

3. Multiple Newsreader Applications .NZB File Remote Heap Overflow Vulnerability
BugTraq ID: 22620
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22620
Summary:
NewsReactor and NewsBin Pro are prone to a remote heap-based buffer-overflow vulnerability because they fail to perform sufficient boundary checks on user-supplied data before copying it to a buffer.

An attacker could leverage this issue to have arbitrary code execute with administrative privileges. A successful exploit could result in the complete compromise of the affected system.

4. Grabit Field Handling Denial of Service Vulnerability
BugTraq ID: 22619
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22619
Summary:
Grabit is prone to a denial-of-service vulnerability. This issue occurs because the application fails to handle exceptional conditions.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

This issue affects version 4.1.0.1; other versions may also be affected.

5. News Rover Subject Line Stack Buffer Overflow Vulnerability
BugTraq ID: 22618
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22618
Summary:
News Rover is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application.

This issue affects version 4.1.0.1; other versions may also be affected.

6. News File Grabber Subject Line Stack Buffer Overflow Vulnerability
BugTraq ID: 22617
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22617
Summary:
News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application.

This issue affects version 4.1.0.1; other versions may also be affected.

7. Snort/Sourcefire DCE/RPC Packet Reassembly Stack Buffer Overflow Vulnerability
BugTraq ID: 22616
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22616
Summary:
Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer-overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially crafted 'DCE' and 'RPC' network packets.

An attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash.

8. Apple iTunes XML Parsing Remote Memory Corruption Vulnerability
BugTraq ID: 22615
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22615
Summary:
Apple iTunes is prone to a remote memory-corruption vulnerability because the application fails to handle malformed XML playlist files.

An attacker can exploit this issue to corrupt memory and may be able to execute arbitrary code within the context of the application. Failed exploit attempts will likely trigger a denial-of-service condition.

Apple iTunes version 7.0.2 for Intel and PowerPC is vulnerable to this issue; other versions may also be affected.

9. VicFTPS Remote Buffer Overflow Vulnerability
BugTraq ID: 22608
Remote: Yes
Date Published: 2007-02-18
Relevant URL: http://www.securityfocus.com/bid/22608
Summary:
A remote buffer-overflow vulnerability is reported in VicFTPS. This issue occurs because the application fails to properly validate the length of user-supplied strings prior to copying them into finite-sized process buffers.

An attacker can exploit this issue to cause the affected server to crash and may be able to execute arbitrary code in the context of the server process.

VicFTPS versions prior to 5.0 are vulnerable to this issue.

10. Microsoft Word 2000/2002 Remote Code Execution Vulnerability
BugTraq ID: 22567
Remote: Yes
Date Published: 2007-02-14
Relevant URL: http://www.securityfocus.com/bid/22567
Summary:
Microsoft Word is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to open a malicious Word file. If the attack is successful, the attacker may be able to execute arbitrary code in the context of the currently logged-in user.

Note that this issue is distinct from previous issues described in Word.

This issue has been assigned CVE ID CVE-2007-0870.

11. MailEnable SMTP NTLM Authentication Unspecified Denial of Service Vulnerability
BugTraq ID: 22565
Remote: Yes
Date Published: 2007-02-14
Relevant URL: http://www.securityfocus.com/bid/22565
Summary:
MailEnable is prone to a remote denial-of-service vulnerability. This issue arises in the SMTP server during NTLM authentication and may result in a crash of the affected service.

Arbitrary code execution may also be possible; this has not been confirmed.

This issue was originally discussed in BID 20290 (MailEnable SMTP NTLM Authentication Multiple Vulnerabilities), but further reports and analysis show it is a separate vulnerability and has been assigned its own BID.

12. Microsoft Excel Remote Denial Of Service Vulnerability
BugTraq ID: 22555
Remote: Yes
Date Published: 2007-02-14
Relevant URL: http://www.securityfocus.com/bid/22555
Summary:
Microsoft Excel is reportedly prone to a denial-of-service vulnerability. This issue occurs when the application handles a specially crafted file. This issue stems from a NULL-pointer dereference.

Exploitation could cause the application to crash, resulting in a denial of service.

13. MailEnable Web Mail Client Multiple HTML Injection and Cross-Site Scripting Vulnerabilities
BugTraq ID: 22554
Remote: Yes
Date Published: 2007-02-14
Relevant URL: http://www.securityfocus.com/bid/22554
Summary:
MailEnable Web Mail Client is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.

These issues affect MailEnable Professional version 2.351; other versions may also be vulnerable.

14. iTinySoft Studio Total Video Player M3U Playlist Buffer Overflow Vulnerability
BugTraq ID: 22553
Remote: Yes
Date Published: 2007-02-14
Relevant URL: http://www.securityfocus.com/bid/22553
Summary:
Total Video Player is prone to a buffer-overflow vulnerability because the application fails to properly verify the size of user-supplied data before copying it into an insufficiently sized process buffer.

Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the user running the affected application. Failed exploit attempts will likely crash the application, denying service to legitimate users.

This issue affects version 1.03; other versions may also be vulnerable.

15. Adobe JRun Administrator Console Cross-Site Scripting Vulnerability
BugTraq ID: 22547
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22547
Summary:
Adobe JRun is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

16. Microsoft Internet Explorer JavaScript Key Filtering Variant Vulnerability
BugTraq ID: 22531
Remote: Yes
Date Published: 2007-02-12
Relevant URL: http://www.securityfocus.com/bid/22531
Summary:
Microsoft Internet Explorer is prone to a JavaScript key-filtering vulnerability because the browser fails to securely handle keystroke input from users.

Exploiting this issue requires that users manually type the full path of files that attackers wish to download. This may require substantial typing from targeted users, so attackers will likely use keyboard-based games, blogs, or other similar pages to entice users to enter the required keyboard input to exploit this issue.

This issue is similar to the one described in BID 22524 (Mozilla Firefox JavaScript Key Filtering Variant Vulnerability), and is a variant of the one described in BID 18308 (Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability).

17. uTorrent Torrent File Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 22530
Remote: Yes
Date Published: 2007-02-12
Relevant URL: http://www.securityfocus.com/bid/22530
Summary:
uTorrent is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of the application.

This issue affects version 1.6; other versions may also be affected.

18. Microsoft Internet Explorer COM Object Instantiation Variant Memory Corruption Vulnerability
BugTraq ID: 22504
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22504
Summary:
Microsoft Internet Explorer is prone to a memory-corruption vulnerability when instantiating certain COM objects.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected application. This facilitates the remote compromise of affected computers.

Internet Explorer 7 on Microsoft Vista is not affected by this issue; Internet Explorer 7 on other Windows versions is affected only if COM objects have been enabled by the ActiveX opt-in feature.

This issue is similar to the ones described in previous COM object instantiation records, but it affects a different set of COM objects.

19. Microsoft Windows Image Acquisition Service Privilege Escalation Vulnerability
BugTraq ID: 22499
Remote: No
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22499
Summary:
Microsoft Windows Image Acquisition (WIA) service is prone to a local privilege-escalation vulnerability.

A local attacker can exploit this issue to elevate user privileges. Successful exploits will result in the complete compromise of vulnerable computers.

NOTE: The affected service is available only on Windows XP.

20. Microsoft Internet Explorer WinINet.DLL FTP Server Response Parsing Memory Corruption Vulnerability
BugTraq ID: 22489
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22489
Summary:
Microsoft Internet Explorer is prone to a memory-corruption vulnerability when parsing certain FTP server responses.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected application. This facilitates the remote compromise of affected computers.

21. Microsoft Internet Explorer IMJPCKSI COM Object Instantiation Memory Corruption Vulnerability
BugTraq ID: 22486
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22486
Summary:
Microsoft Internet Explorer is prone to a memory-corruption vulnerability when instantiating certain COM objects.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected application. This facilitates the remote compromise of affected computers.

Internet Explorer 7 on Microsoft Vista is not affected by this issue; Internet Explorer 7 on other Windows versions is affected only if COM objects have been enabled by the ActiveX opt-in feature.

This BID is similar to the one described in BID 15827 (Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability), but it affects a different set of COM objects.

22. Microsoft Step-by-Step Interactive Training Buffer Overflow Vulnerability
BugTraq ID: 22484
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22484
Summary:
Microsoft Step-by-Step Interactive Training is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker could exploit this issue by enticing a victim to load a bookmark link file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

23. Microsoft Windows OLE Dialog Remote Code Execution Vulnerability
BugTraq ID: 22483
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22483
Summary:
Microsoft Windows is prone to a remote code-execution vulnerability that occurs when the application attempts to parse malformed Rich Text Files (RTF).

An attacker could exploit this issue by enticing a victim to load a malicious RTF file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

24. Microsoft Word Malformed Drawing Object Arbitrary Code Execution Vulnerability
BugTraq ID: 22482
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22482
Summary:
Microsoft Word is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to open a malicious Word file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

25. Microsoft Windows Shell Hardware Detection Service Privilege Escalation Vulnerability
BugTraq ID: 22481
Remote: No
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22481
Summary:
Microsoft Windows is prone to a local privilege-escalation vulnerability due to a lack of proper input validation.

A local attacker can exploit this issue to elevate user privileges. Successful exploits will result in the complete compromise of vulnerable computers.

26. Microsoft Antivirus Engine Integer Overflow Vulnerability
BugTraq ID: 22479
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22479
Summary:
Microsoft Antivirus Engine is prone to an integer-overflow vulnerability when the application processes maliciously crafted files.

This issue is currently being exploited via Portable Document Files (PDF), but other Microsoft applications are also reported vulnerable.

An attacker could exploit this issue by enticing a victim into receiving or opening a malicious Office file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

27. Microsoft HTML Help ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 22478
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22478
Summary:
The Microsoft HTML Help ActiveX control is prone to a remote code-execution vulnerability.

An attacker could exploit this issue to execute code in the context of the user visiting a malicious web page.

28. Microsoft Word Macro Permissions Bypass Arbitrary Code Execution Vulnerability
BugTraq ID: 22477
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22477
Summary:
Microsoft Word is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to open a malicious Word file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

29. Microsoft MFC Embedded OLE Object Remote Code Execution Vulnerability
BugTraq ID: 22476
Remote: Yes
Date Published: 2007-02-13
Relevant URL: http://www.securityfocus.com/bid/22476
Summary:
The Microsoft MFC component for Microsoft Windows and Microsoft Visual Studio .NET is prone to a remote code-execution vulnerability. This issue occurs when the application using the component attempts to parse malformed Rich Text Files (RTF).

An attacker could exploit this issue by enticing a victim to load a malicious RTF file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #329
http://www.securityfocus.com/archive/88/460056

2. Time Zone change and Kerberos Auth
http://www.securityfocus.com/archive/88/459446

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: Black Hat

http://www.blackhat.com
