SecurityFocus Microsoft Newsletter #331
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

While Ajax can greatly improve the usability of a Web application, it can also create several opportunities for possible attack if the application is not designed with security in mind. Download this SPI Dynamics white paper.
https://download.spidynamics.com/1/ad/AJAX.asp?Campaign_ID=70160000000Cj51

SecurityFocus is proud to introduce the new *Focus On: Vista* section. Offering Vista related news, columns and vulnerabilities, SecurityFocus is your source for Vista-related security. *Visit http://www.securityfocus.com/vista to see for yourself.*

------------------------------------------------------------------

I. FRONT AND CENTER
    1. Building Secure Applications: Consistent Logging
    2. Vista Review: Bugs and Confusion
II. MICROSOFT VULNERABILITY SUMMARY
    1. Nullsoft Shoutcast Logfile HTML Injection Vulnerability
    2. NetProxy Security Restriction Bypass Vulnerability
    3. Secunia Software Inspector Security Update Verification Weakness
    4. Microsoft Office Publisher Remote Denial of Service Vulnerability
    5. Microsoft Excel NULL Pointer Dereference Denial Of Service Vulnerability
    6. Microsoft Office 2003 Denial of Service Vulnerability
    7. Microsoft Windows Explorer WMF File Handling Denial of Service Vulnerability
    8. Windows Shell User Logon ActiveX Control Create Method Unauthorized User Creation Vulnerability
    9. Microsoft Office Publisher Unspecified Remote Code Execution Vulnerability
    10. Multiple Web Browser UTF-7 Cross-Domain Character-Set-Inheritance Vulnerability
    11. Microsoft Internet Explorer OnUnload Javascript Browser Entrapment Vulnerability
    12. Mozilla Firefox OnUnload Memory Corruption Vulnerability
    13. Microsoft Internet Explorer OnUnload Null Pointer Dereference Vulnerability
    14. IBM DB2 Universal Database Multiple Local Privilege Escalation Vulnerabilities
    15. RETIRED: VeriSign ConfigCHK ActiveX Control VerCompare Buffer Overflow Vulnerability
    16. VeriSign Configuration Checker ActiveX Control Remote Buffer Overflow Vulnerability
    17. Microsoft Windows ReadDirectoryChangesW Information Disclosure Vulnerability
    18. Trend Micro ServerProtect Session ID Authentication Bypass Vulnerability
    19. NewsBin Pro NBI File Remote Buffer Overflow Vulnerabilities
    20. BrowseDialog ActiveX Control CCRPBDS6.DLL Multiple Buffer Overflow Vulnerabilities
    21. FTP Explorer PWD Parameter Denial Of Service Vulnerability
    22. FTP Voyager CWD Parameter Stack Buffer Overflow Vulnerability
    23. Microsoft Internet Explorer Local File Access Weakness
    24. Multiple Newsreader Applications .NZB File Remote Heap Overflow Vulnerability
    25. Grabit Field Handling Denial of Service Vulnerability
    26. News Rover Subject Line Stack Buffer Overflow Vulnerability
    27. News File Grabber Subject Line Stack Buffer Overflow Vulnerability
    28. Snort/Sourcefire DCE/RPC Packet Reassembly Stack Buffer Overflow Vulnerability
    29. Apple iTunes XML Parsing Remote Memory Corruption Vulnerability
    30. VicFTPS Remote Buffer Overflow Vulnerability
    31. SupportSoft ActiveX Controls Remote Buffer Overflow Vulnerabilities
III. MICROSOFT FOCUS LIST SUMMARY
    1. IIS 5
    2. AD Global Security group with an email address behavior.
    3. Vista "complaints"
    4. App FW for isa2K4 2K6
    5. Prevent users/admin from installing softwares.
    6. SecurityFocus Microsoft Newsletter #330
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Building Secure Applications: Consistent Logging
By Rohit Sethi and Nish Bhalla
This article focuses on developers and discusses how to use consistent application-layer logging along with Log4J or Log4net for the real-time detection of attacks.
http://www.securityfocus.com/infocus/1888

2. Vista Review: Bugs and Confusion
By Thomas C. Greene
The Register's Thomas C. Greene offers an entertaining review of Windows Vista, noting price differences in Europe, driver compatibility issues, and security and user interface issues that affect the Vista experience.
http://www.securityfocus.com/columnists/436

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Nullsoft Shoutcast Logfile HTML Injection Vulnerability
BugTraq ID: 22742
Remote: Yes
Date Published: 2007-02-27
Relevant URL: http://www.securityfocus.com/bid/22742
Summary:
Nullsoft SHOUTcast is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be executed in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. This issue affects version 1.9.7 for Microsoft Windows; other versions may also be vulnerable.

2. NetProxy Security Restriction Bypass Vulnerability
BugTraq ID: 22741
Remote: Yes
Date Published: 2007-02-27
Relevant URL: http://www.securityfocus.com/bid/22741
Summary:
NetProxy is prone to a security-restriction-bypass vulnerability because the software fails to properly sanitize user-supplied input. Attackers can exploit this issue to bypass the security restrictions and gain unauthorized access to restricted sites. This may allow attackers to bypass the security restrictions enforced by the application. NetProxy version 4.03 is vulnerable; other versions may also be affected.

3. Secunia Software Inspector Security Update Verification Weakness
BugTraq ID: 22736
Remote: Yes
Date Published: 2007-02-26
Relevant URL: http://www.securityfocus.com/bid/22736
Summary:
Secunia Software Inspector is prone to a weakness that provides a false sense of security to users. Users rely on this application to provide assurance of security updates for their computers.
However, this issue may cause users to be unaware of available patches for known vulnerabilities.

4. Microsoft Office Publisher Remote Denial of Service Vulnerability
BugTraq ID: 22724
Remote: Yes
Date Published: 2007-02-26
Relevant URL: http://www.securityfocus.com/bid/22724
Summary:
Microsoft Office Publisher is prone to a remote denial-of-service vulnerability because the application fails to properly handle malformed files. Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users. Microsoft Office Publisher 2007 is vulnerable; other versions may also be affected.

5. Microsoft Excel NULL Pointer Dereference Denial Of Service Vulnerability
BugTraq ID: 22717
Remote: Yes
Date Published: 2007-02-26
Relevant URL: http://www.securityfocus.com/bid/22717
Summary:
Microsoft Excel is reportedly prone to a denial-of-service vulnerability. This issue occurs when the application handles a specially crafted file. This issue stems from a NULL-pointer dereference. Initial reports indicate that this issue is distinct from that outlined in BID 22555 Microsoft Excel Remote Denial Of Service Vulnerability. Exploitation could cause the application to crash, resulting in a denial of service.

6. Microsoft Office 2003 Denial of Service Vulnerability
BugTraq ID: 22716
Remote: Yes
Date Published: 2007-02-25
Relevant URL: http://www.securityfocus.com/bid/22716
Summary:
Microsoft Office is prone to a denial-of-service condition when the malformed WMF file is viewed in an Office application. Exploiting this issue allows remote attackers to crash applications, denying service to legitimate users. Microsoft Office 2003 is vulnerable to this issue; other versions may also be affected. Note: IrfanView version 3.99 is also vulnerable to this issue.

7. Microsoft Windows Explorer WMF File Handling Denial of Service Vulnerability
BugTraq ID: 22715
Remote: Yes
Date Published: 2007-02-25
Relevant URL: http://www.securityfocus.com/bid/22715
Summary:
Microsoft Windows Explorer is prone to a denial-of-service vulnerability. A remote attacker may exploit this vulnerability by presenting a malicious file to a victim user. Users do not have to open the file -- simply browsing a folder containing the malicious file is sufficient to trigger this issue. A successful exploit will crash the vulnerable application, effectively denying service. This issue may be related to BID 19365 (Microsoft Windows GDI32.DLL WMF Remote Denial of Service Vulnerability) or BID 21992 (Microsoft Windows Explorer WMF File Denial of Service Vulnerability).

8. Windows Shell User Logon ActiveX Control Create Method Unauthorized User Creation Vulnerability
BugTraq ID: 22710
Remote: Yes
Date Published: 2007-02-24
Relevant URL: http://www.securityfocus.com/bid/22710
Summary:
The Windows Shell User Logon ActiveX control is prone to a vulnerability that allows attackers to create user accounts on victim computers. Exploiting this issue can aid in further attacks and may result in the compromise of affected computers. Version 6.0.2900.2180 is vulnerable; other versions may also be affected.

9. Microsoft Office Publisher Unspecified Remote Code Execution Vulnerability
BugTraq ID: 22702
Remote: Yes
Date Published: 2007-02-23
Relevant URL: http://www.securityfocus.com/bid/22702
Summary:
Microsoft Office Publisher is prone to an unspecified remote code-execution vulnerability. An attacker could exploit this issue by enticing an unsuspecting victim to open a malicious file. A successful exploit will allow arbitrary code to run in the context of the currently logged-in user. Currently, little is known about this issue. This BID will be updated as more information becomes available.

10. Multiple Web Browser UTF-7 Cross-Domain Character-Set-Inheritance Vulnerability
BugTraq ID: 22701
Remote: Yes
Date Published: 2007-02-23
Relevant URL: http://www.securityfocus.com/bid/22701
Summary:
Opera Web Browser and Microsoft Internet Explorer are prone to a cross-domain character-set-inheritance vulnerability. Exploiting this issue can allow attackers to perform cross-site scripting attacks on unsuspecting users. If successful, attackers can steal cookie-based authentication credentials. Opera Web Browser 9 series and Microsoft Internet Explorer 7 series are affected.

11. Microsoft Internet Explorer OnUnload Javascript Browser Entrapment Vulnerability
BugTraq ID: 22680
Remote: Yes
Date Published: 2007-02-22
Relevant URL: http://www.securityfocus.com/bid/22680
Summary:
Microsoft Internet Explorer is prone to a vulnerability that allows attackers to trap users at a particular webpage and spoof page transitions. Attackers may exploit this via a malicious page to spoof the contents and origin of a page that the victim may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing. Note that Mozilla Firefox is likely susceptible to a variation of this vulnerability. This BID will be updated as more information emerges. Internet Explorer 6 and 7 are confirmed vulnerable to this issue.

12. Mozilla Firefox OnUnload Memory Corruption Vulnerability
BugTraq ID: 22679
Remote: Yes
Date Published: 2007-02-23
Relevant URL: http://www.securityfocus.com/bid/22679
Summary:
Mozilla Firefox is prone to a remote memory-corruption vulnerability. Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. This could facilitate the remote compromise of affected computers. Mozilla Firefox version 2.0.0.1 is vulnerable to this issue; other versions are also likely affected.

13. Microsoft Internet Explorer OnUnload Null Pointer Dereference Vulnerability
BugTraq ID: 22678
Remote: Yes
Date Published: 2007-02-22
Relevant URL: http://www.securityfocus.com/bid/22678
Summary:
Microsoft Internet Explorer is prone to a race condition that causes a denial of service. The source of the crash is reportedly a NULL-pointer dereference. This vulnerability is similar to the one being tracked as Bugzilla ID 371321 and BID 22679 (Mozilla Firefox OnUnload Memory Corruption Vulnerability). Microsoft Internet Explorer 6 and 7 are vulnerable to this issue.

14. IBM DB2 Universal Database Multiple Local Privilege Escalation Vulnerabilities
BugTraq ID: 22677
Remote: No
Date Published: 2007-02-22
Relevant URL: http://www.securityfocus.com/bid/22677
Summary:
IBM DB2 is prone to multiple local privilege escalation vulnerabilities. These issues can allow an attacker to completely compromise a vulnerable computer. These issues affect DB2 version 9.1 and 8x running on all supported platforms.

15. RETIRED: VeriSign ConfigCHK ActiveX Control VerCompare Buffer Overflow Vulnerability
BugTraq ID: 22676
Remote: Yes
Date Published: 2007-02-22
Relevant URL: http://www.securityfocus.com/bid/22676
Summary:
The VeriSign ConfigChk ActiveX control is prone to a buffer-overflow vulnerability because the software fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. A remote attacker may exploit this vulnerability by presenting a malicious file to a victim user and enticing them to open it with the vulnerable application. Successful attacks can cause denial-of-service conditions in a browser or other applications that use the vulnerable application. Arbitrary code execution may also be possible, but this has not been confirmed. Version 2.0.0.2 is vulnerable; other versions may also be affected.
RETIRED: This BID is being retired because it's a duplicate of the issue discussed in BID 22671 (VeriSign Configuration Checker ActiveX Control Remote Buffer Overflow Vulnerability).

16. VeriSign Configuration Checker ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 22671
Remote: Yes
Date Published: 2007-02-22
Relevant URL: http://www.securityfocus.com/bid/22671
Summary:
VeriSign Managed PKI Configuration Checker ActiveX control is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input prior to copying it to insufficiently sized memory buffers. Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of applications that employ the vulnerable controls (typically Microsoft Internet Explorer).

17. Microsoft Windows ReadDirectoryChangesW Information Disclosure Vulnerability
BugTraq ID: 22664
Remote: No
Date Published: 2007-02-22
Relevant URL: http://www.securityfocus.com/bid/22664
Summary:
Microsoft Windows is prone to a local information-disclosure vulnerability. A local attacker may leverage this issue to gain access to potentially sensitive information about user permissions and accessed files. Information gained may aid in further attacks against the affected computer.

18. Trend Micro ServerProtect Session ID Authentication Bypass Vulnerability
BugTraq ID: 22662
Remote: Yes
Date Published: 2007-02-21
Relevant URL: http://www.securityfocus.com/bid/22662
Summary:
Trend Micro ServerProtect is prone to an authentication-bypass vulnerability. A successful attack can allow an unauthorized attacker to bypass authentication routines and access the application as any logged-in user. The attacker may then carry out other attacks against the vulnerable computer or database. Note that this vulnerability is not present in any of the Microsoft Windows versions of Trend Micro ServerProtect.

19. NewsBin Pro NBI File Remote Buffer Overflow Vulnerabilities
BugTraq ID: 22652
Remote: Yes
Date Published: 2007-02-21
Relevant URL: http://www.securityfocus.com/bid/22652
Summary:
NewsBin Pro is prone to two remote buffer-overflow vulnerabilities because the application fails to properly sanitize user-supplied input prior to copying it to insufficiently sized memory buffers. A remote attacker may exploit these vulnerabilities to execute arbitrary code. Failed exploit attempts will crash the affected application, denying service to legitimate users.

20. BrowseDialog ActiveX Control CCRPBDS6.DLL Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 22645
Remote: Yes
Date Published: 2007-02-21
Relevant URL: http://www.securityfocus.com/bid/22645
Summary:
The BrowseDialog ActiveX control is prone to multiple buffer-overflow vulnerabilities because the software fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. A remote attacker may exploit these vulnerabilities by presenting a malicious file to a victim user and enticing them to open it with the vulnerable application. Successful attacks can cause denial-of-service conditions in Internet Explorer or other applications that use the vulnerable ActiveX control. Arbitrary code execution may also be possible, but this has not been confirmed.

21. FTP Explorer PWD Parameter Denial Of Service Vulnerability
BugTraq ID: 22640
Remote: Yes
Date Published: 2007-02-20
Relevant URL: http://www.securityfocus.com/bid/22640
Summary:
FTP Explorer is prone to a denial-of-service vulnerability because the application fails to properly handle overly long PWD responses. Exploiting this issue will cause 100% CPU exhaustion, resulting in a denial-of-service condition. Due to the nature of this vulnerability, attackers may be able to execute arbitrary machine code in the context of the affected application. This issue affects version 1.0.1 Build 047; other versions may also be affected.

22. FTP Voyager CWD Parameter Stack Buffer Overflow Vulnerability
BugTraq ID: 22637
Remote: Yes
Date Published: 2007-02-20
Relevant URL: http://www.securityfocus.com/bid/22637
Summary:
FTP Voyager is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition. This issue affects version 14.0.0.3; other versions may also be affected.

23. Microsoft Internet Explorer Local File Access Weakness
BugTraq ID: 22621
Remote: Yes
Date Published: 2007-02-20
Relevant URL: http://www.securityfocus.com/bid/22621
Summary:
Microsoft Internet Explorer is reportedly prone to multiple local file access weaknesses because the application fails to properly handle HTML tags. These issues are triggered when an attacker entices a victim user to visit a malicious website. It was initially reported that remote attackers may exploit these issues to gain access to local system files via Internet Explorer. This would aid attackers in the theft of confidential information and in launching further attacks. This attack would occur in the context of the user visiting the malicious site. New conflicting reports indicate that these issues only result in verifying the existence of files on a vulnerable system. These issues affect Internet Explorer version 6 on a fully patched Windows XP SP2 system; previous versions and operating systems may also be vulnerable.

24. Multiple Newsreader Applications .NZB File Remote Heap Overflow Vulnerability
BugTraq ID: 22620
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22620
Summary:
NewsReactor and NewsBin Pro are prone to a remote heap-based buffer-overflow because they fail to perform sufficient boundary checks on user-supplied data before copying it to a buffer. An attacker could leverage this issue to execute arbitrary code with administrative privileges. A successful exploit could result in the complete compromise of the affected system.

25. Grabit Field Handling Denial of Service Vulnerability
BugTraq ID: 22619
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22619
Summary:
Grabit is prone to a denial-of-service vulnerability because the application fails to handle exceptional conditions. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. This issue affects version 4.1.0.1; other versions may also be affected.

26. News Rover Subject Line Stack Buffer Overflow Vulnerability
BugTraq ID: 22618
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22618
Summary:
News Rover is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application. This issue affects version 4.1.0.1; other versions may also be affected.

27. News File Grabber Subject Line Stack Buffer Overflow Vulnerability
BugTraq ID: 22617
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22617
Summary:
News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application. This issue affects version 4.1.0.1; other versions may also be affected.

28. Snort/Sourcefire DCE/RPC Packet Reassembly Stack Buffer Overflow Vulnerability
BugTraq ID: 22616
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22616
Summary:
Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer-overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially crafted 'DCE' and 'RPC' network packets. An attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash.

29. Apple iTunes XML Parsing Remote Memory Corruption Vulnerability
BugTraq ID: 22615
Remote: Yes
Date Published: 2007-02-19
Relevant URL: http://www.securityfocus.com/bid/22615
Summary:
Apple iTunes is prone to a remote memory-corruption vulnerability because the application fails to handle malformed XML playlist files. An attacker can exploit this issue to corrupt memory and may be able to execute arbitrary code within the context of the application. Failed exploit attempts will likely trigger a denial-of-service condition. Apple iTunes version 7.0.2 for Intel and PowerPC is vulnerable to this issue; other versions may also be affected.

30. VicFTPS Remote Buffer Overflow Vulnerability
BugTraq ID: 22608
Remote: Yes
Date Published: 2007-02-18
Relevant URL: http://www.securityfocus.com/bid/22608
Summary:
A remote buffer-overflow vulnerability is reported in VicFTPS. This issue occurs because the application fails to properly validate the length of user-supplied strings prior to copying them into finite-sized process buffers. An attacker can exploit this issue to cause the affected server to crash and may be able to execute arbitrary code in the context of the server process. VicFTPS versions prior to 5.0 are vulnerable to this issue.

31. SupportSoft ActiveX Controls Remote Buffer Overflow Vulnerabilities
BugTraq ID: 22564
Remote: Yes
Date Published: 2007-02-22
Relevant URL: http://www.securityfocus.com/bid/22564
Summary:
SupportSoft ActiveX controls are prone to multiple remote buffer-overflow vulnerabilities because the software fails to properly bounds-check user-supplied input prior to copying it to insufficiently sized memory buffers. Exploiting these issues allows remote attackers to execute arbitrary machine code in the context of applications that employ the vulnerable controls (typically Microsoft Internet Explorer). The affected software component is included in several third-party applications.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. IIS 5
http://www.securityfocus.com/archive/88/461417

2. AD Global Security group with an email address behavior.
http://www.securityfocus.com/archive/88/461303

3. Vista "complaints"
http://www.securityfocus.com/archive/88/461046

4. App FW for isa2K4 2K6
http://www.securityfocus.com/archive/88/460880

5. Prevent users/admin from installing softwares.
http://www.securityfocus.com/archive/88/460879

6. SecurityFocus Microsoft Newsletter #330
http://www.securityfocus.com/archive/88/460755

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address.
The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: SPI Dynamics

While Ajax can greatly improve the usability of a Web application, it can also create several opportunities for possible attack if the application is not designed with security in mind. Download this SPI Dynamics white paper.
https://download.spidynamics.com/1/ad/AJAX.asp?Campaign_ID=70160000000Cj51
