SecurityFocus Microsoft Newsletter #351
----------------------------------------

This Issue is Sponsored by: Black Hat

Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting.
http://www.blackhat.com

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I.   FRONT AND CENTER
       1. Security conferences versus practical knowledge
       2. Achtung! New German Laws on Cybercrime
II.  MICROSOFT VULNERABILITY SUMMARY
       1. Data Dynamics ActiveBar Actbar3.OCX ActiveX Control Multiple Insecure Methods Vulnerabilities
       2. QuickerSite Default.ASP Cross-Site Scripting Vulnerability
       3. Marshal MailMarshal SMTP Spam Quarantine Interface User Password Change Vulnerability
       4. Trend Micro OfficeScan Management Console Authentication Bypass Vulnerability
       5. InterActual Player IAMCE and IAKey Remote Buffer Overflow Vulnerabilities
       6. Microsoft Internet Explorer OnBeforeUnload Javascript Browser Entrapment Vulnerability
       7. Zenturi ProgramChecker SASATL.DLL ActiveX Control DebugMsgLog Method Buffer Overflow Vulnerability
       8. EldoS SecureBlackbox PGPBBox.dll ActiveX Control Arbitrary File Overwrite Vulnerability
       9. Apple QuickTime Information Disclosure and Multiple Code Execution Vulnerabilities
       10. QuarkXPress Word Document Text-Import Font Handling Stack Buffer Overflow Vulnerability
       11. AVG Anti-Virus Local Privilege Escalation Vulnerability
       12. Multiple Vendors RAR Handling Remote Null Pointer Dereference Vulnerability
       13. Adobe Flash Player SWF File Handling Remote Code Execution Vulnerability
       14. CenterICQ Multiple Remote Buffer Overflow Vulnerabilities
       15. Sun Java System Server XSLT Processing Remote Java Method Execution Vulnerability
       16. Microsoft Excel Unspecified Security Vulnerability
       17. Microsoft Internet Explorer Multiple Browser URI Handler Command Injection Vulnerability
       18. Innovasys DockStudioXP InnovaDSXP2.OCX ActiveX Control Denial of Service Vulnerability
       19. Media Player Classic .FLV Remote Denial Of Service Vulnerability
       20. Eltima Software Virtual Serial Port VSPort.DLL ActiveX Control Denial of Service Vulnerabilities
       21. Symantec Norton Ghost FileBackup.DLL Multiple Denial of Service Vulnerabilities
       22. Symantec Norton Ghost RemoteCommand.DLL Buffer Overflow Vulnerability
       23. Microsoft Windows Vista Kernel Unspecified Remote Denial Of Service Vulnerability
       24. Microsoft .NET Framework JIT Compiler Remote Buffer Overflow Vulnerability
       25. Symantec AntiVirus Corporate Edition Local Privilege Escalation Vulnerability
       26. Microsoft Windows Active Directory LDAP Request Validation Remote Code Execution Vulnerability
       27. Microsoft Windows Active Directory LDAP Request Validation Remote Denial Of Service Vulnerability
       28. Microsoft Windows Vista Teredo Interface Firewall Bypass Vulnerability
       29. Microsoft .NET Framework PE Loader Remote Buffer Overflow Vulnerability
       30. Symantec AntiVirus Malformed CAB and RAR Compression Remote Vulnerabilities
       31. Symantec Veritas Backup Exec for Windows Server RPC Heap Buffer Overflow Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
       1. Sync Domain Account password and Local Account password
       2. Restrict access
IV.  UNSUBSCRIBE INSTRUCTIONS
V.   SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Security conferences versus practical knowledge
By Don Parker
While the training industry as a whole has evolved rather well to suit the needs of their clients, the computer conference - specifically the computer security conference - has declined in relevance to the everyday sys-admin and network security practitioners.
http://www.securityfocus.com/columnists/449

2. Achtung! New German Laws on Cybercrime
By Federico Biancuzzi
Germany is passing some new laws regarding cybercrime that might affect security professionals. Federico Biancuzzi interviewed Marco Gercke, one of the experts that was invited to the parliamentary hearing, to learn more about this delicate subject. They discussed what is covered by the new laws, which areas remain in the dark, and how they might affect vulnerability disclosure and the use of common tools, such as nmap.
http://www.securityfocus.com/columnists/448

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Data Dynamics ActiveBar Actbar3.OCX ActiveX Control Multiple Insecure Methods Vulnerabilities
BugTraq ID: 24959
Remote: Yes
Date Published: 2007-07-18
Relevant URL: http://www.securityfocus.com/bid/24959
Summary:
Data Dynamics ActiveBar ActiveX control is prone to multiple vulnerabilities caused by insecure methods. The problem stems from a design error in the affected application.
An attacker can exploit this issue to overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in a denial-of-service condition.
These issues affect version 3.1; other versions may also be affected.

2. QuickerSite Default.ASP Cross-Site Scripting Vulnerability
BugTraq ID: 24948
Remote: Yes
Date Published: 2007-07-18
Relevant URL: http://www.securityfocus.com/bid/24948
Summary:
QuickerSite is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.

3. Marshal MailMarshal SMTP Spam Quarantine Interface User Password Change Vulnerability
BugTraq ID: 24936
Remote: Yes
Date Published: 2007-07-17
Relevant URL: http://www.securityfocus.com/bid/24936
Summary:
Marshal MailMarshal SMTP is prone to a vulnerability that may permit attackers to change arbitrary passwords.
Exploiting this issue may allow an attacker to change an arbitrary user's password, bypass the authentication mechanism, and gain unauthorized access to the affected application. This may lead to other attacks.
Versions prior to MailMarshal SMTP 6.2.1 are vulnerable.

4. Trend Micro OfficeScan Management Console Authentication Bypass Vulnerability
BugTraq ID: 24935
Remote: Yes
Date Published: 2007-07-17
Relevant URL: http://www.securityfocus.com/bid/24935
Summary:
Trend Micro OfficeScan is prone to an authentication-bypass vulnerability because it fails to adequately handle user-supplied input.
Attackers can exploit this issue to gain unauthorized access to the application's web-based management console. Successful attacks will compromise the application.
OfficeScan 7.3 is vulnerable; other versions may also be affected.

5. InterActual Player IAMCE and IAKey Remote Buffer Overflow Vulnerabilities
BugTraq ID: 24919
Remote: Yes
Date Published: 2007-07-16
Relevant URL: http://www.securityfocus.com/bid/24919
Summary:
InterActual Player contains multiple ActiveX controls that are prone to buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied input before copying it to insufficiently sized memory buffers.
An attacker could exploit these issues by creating a malicious web page that would initialize the affected ActiveX controls and execute arbitrary code within the context of the user. Exploiting this issue could allow an attacker to execute arbitrary code.
These issues affect InterActual Player 2.60.12.0717; other versions may be vulnerable as well.

6. Microsoft Internet Explorer OnBeforeUnload Javascript Browser Entrapment Vulnerability
BugTraq ID: 24911
Remote: Yes
Date Published: 2007-07-14
Relevant URL: http://www.securityfocus.com/bid/24911
Summary:
Microsoft Internet Explorer is prone to a vulnerability that allows attackers to trap users at a particular webpage and spoof page transitions.
Attackers may exploit this via a malicious page to spoof the contents and origin of a page that the victim may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing.
Internet Explorer 7 is vulnerable to this issue; other versions may also be affected.

7. Zenturi ProgramChecker SASATL.DLL ActiveX Control DebugMsgLog Method Buffer Overflow Vulnerability
BugTraq ID: 24883
Remote: Yes
Date Published: 2007-07-12
Relevant URL: http://www.securityfocus.com/bid/24883
Summary:
The Zenturi ProgramChecker 'sasatl.dll' ActiveX control is prone to a buffer-overflow vulnerability because it fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

8. EldoS SecureBlackbox PGPBBox.dll ActiveX Control Arbitrary File Overwrite Vulnerability
BugTraq ID: 24882
Remote: Yes
Date Published: 2007-07-12
Relevant URL: http://www.securityfocus.com/bid/24882
Summary:
SecureBlackbox ActiveX control is prone to a vulnerability that could permit an attacker to overwrite arbitrary files.
The attacker can exploit this issue to overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer). This may cause denial-of-service conditions and may also allow the attacker to execute arbitrary code on the victim's computer, which may facilitate a remote compromise.

9. Apple QuickTime Information Disclosure and Multiple Code Execution Vulnerabilities
BugTraq ID: 24873
Remote: Yes
Date Published: 2007-07-11
Relevant URL: http://www.securityfocus.com/bid/24873
Summary:
Apple QuickTime is prone to an information-disclosure and multiple remote code-execution vulnerabilities.
Remote attackers may exploit these issues by enticing victims into opening maliciously crafted files or visiting maliciously crafted websites.
Successful exploits may allow attackers to execute arbitrary code in the context of a user running the vulnerable application or to obtain sensitive information. Failed exploit attempts of remote code-execution issues may result in denial-of-service conditions. Successful exploits of the information-disclosure issue may lead to further attacks.

10. QuarkXPress Word Document Text-Import Font Handling Stack Buffer Overflow Vulnerability
BugTraq ID: 24872
Remote: Yes
Date Published: 2007-07-11
Relevant URL: http://www.securityfocus.com/bid/24872
Summary:
QuarkXPress is prone to a remote stack-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Remote attackers may exploit this issue by enticing victims into opening maliciously crafted Word (.doc) files.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.
This issue affects QuarkXPress 7.2 for Microsoft Windows. Other versions may also be affected.

11. AVG Anti-Virus Local Privilege Escalation Vulnerability
BugTraq ID: 24870
Remote: No
Date Published: 2007-07-11
Relevant URL: http://www.securityfocus.com/bid/24870
Summary:
AVG Anti-Virus is prone to a local privilege-escalation vulnerability because the application fails to properly limit unprivileged users from functionality that allows them to write arbitrary data to arbitrary kernel memory.
Successfully exploiting this issue allows local attackers to gain SYSTEM-level privileges, facilitating the complete compromise of affected computers.
AVG Anti-Virus Free Edition 7.5.446 and AVG Anti-Virus 7.5.438 are vulnerable; other versions may also be affected.

12. Multiple Vendors RAR Handling Remote Null Pointer Dereference Vulnerability
BugTraq ID: 24866
Remote: Yes
Date Published: 2007-07-11
Relevant URL: http://www.securityfocus.com/bid/24866
Summary:
Multiple applications using RAR are prone to a NULL-pointer dereference vulnerability.
A successful attack will result in denial-of-service conditions. Attackers may also be able to exploit this issue to execute arbitrary code, but this has not been confirmed.
This issue affects the following:
- ClamAV prior to 0.91
- 'UnRAR' 3.70; other versions may also be vulnerable.
Other applications using the vulnerable 'UnRAR' utility are affected by this issue. We will update this BID as more information emerges.

13. Adobe Flash Player SWF File Handling Remote Code Execution Vulnerability
BugTraq ID: 24856
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24856
Summary:
Adobe Flash Player is prone to a remote code-execution vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the victim running the vulnerable application.
Adobe Flash Player 9.0.45.0 and earlier, 8.0.34.0 and earlier, and 7.0.69.0 and earlier are affected.

14. CenterICQ Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 24854
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24854
Summary:
Centericq is prone to multiple remote buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

15. Sun Java System Server XSLT Processing Remote Java Method Execution Vulnerability
BugTraq ID: 24850
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24850
Summary:
Sun Java System Web Servers and Application Servers are prone to a vulnerability that lets attackers execute arbitrary Java methods. This issue occurs because the application fails to securely process XSLT stylesheets.
Successfully exploiting this issue may allow remote attackers to execute arbitrary Java methods, aiding them in further attacks.
Sun Java System Web Server 7.0 for the following operating systems is affected:
- Sun Solaris SPARC and x86 platforms
- Linux
- Microsoft Windows
- HP-UX
Sun Java System Application Server Platform and Enterprise Editions 8.2 and Platform Edition 9.0 for the following operating systems are also affected:
- Sun Solaris SPARC and x86 platforms
- Linux
- Microsoft Windows

16. Microsoft Excel Unspecified Security Vulnerability
BugTraq ID: 24843
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24843
Summary:
Microsoft Excel is prone to an unspecified security vulnerability.
Very little information is currently available regarding this issue. We will update this BID as more information emerges.

17. Microsoft Internet Explorer Multiple Browser URI Handler Command Injection Vulnerability
BugTraq ID: 24837
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24837
Summary:
Microsoft Internet Explorer is prone to a vulnerability that lets attackers inject commands through the 'firefoxurl' and 'navigatorurl' protocol handlers.
Exploiting these issues allows remote attackers to pass and execute arbitrary commands and arguments through the 'firefox.exe' and 'navigator.exe' processes by employing the 'firefoxurl' and 'navigatorurl' handlers.
An attacker can also employ these issues to carry out cross-browser scripting attacks by using the '-chrome' argument. This can allow the attacker to run JavaScript code with the privileges of trusted Chrome context and gain full access to Firefox and Netscape Navigator's resources.
Exploiting these issues would permit remote attackers to influence command options that can be called through the 'firefoxurl' and 'navigatorurl' handlers and therefore execute commands and script code with the privileges of a user running the applications. Successful attacks may result in a variety of consequences, including remote unauthorized access.

18. Innovasys DockStudioXP InnovaDSXP2.OCX ActiveX Control Denial of Service Vulnerability
BugTraq ID: 24834
Remote: Yes
Date Published: 2007-07-09
Relevant URL: http://www.securityfocus.com/bid/24834
Summary:
Innovasys DockStudioXP ActiveX control is prone to a denial-of-service vulnerability.
An attacker may exploit this issue by enticing victims into opening a malicious webpage or HTML email that invokes the affected control.
The attacker can exploit this issue to cause denial-of-service conditions in Internet Explorer or other applications that use the vulnerable ActiveX control.

19. Media Player Classic .FLV Remote Denial Of Service Vulnerability
BugTraq ID: 24830
Remote: Yes
Date Published: 2007-07-09
Relevant URL: http://www.securityfocus.com/bid/24830
Summary:
Media Player Classic is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the application. Reports indicate that remote code execution may also be possible, but this has not been confirmed.
Media Player Classic 6.4.9.0 is vulnerable; other versions may also be affected.

20. Eltima Software Virtual Serial Port VSPort.DLL ActiveX Control Denial of Service Vulnerabilities
BugTraq ID: 24827
Remote: Yes
Date Published: 2007-07-09
Relevant URL: http://www.securityfocus.com/bid/24827
Summary:
Eltima Software Virtual Serial Port ActiveX control is prone to multiple denial-of-service vulnerabilities.
Exploiting these issues allows remote attackers to crash applications that employ the vulnerable control (typically Microsoft Internet Explorer).
Virtual Serial Port 5.0 is vulnerable; other versions may also be affected.

21. Symantec Norton Ghost FileBackup.DLL Multiple Denial of Service Vulnerabilities
BugTraq ID: 24826
Remote: Yes
Date Published: 2007-07-09
Relevant URL: http://www.securityfocus.com/bid/24826
Summary:
Norton Ghost is prone to multiple denial-of-service vulnerabilities.
Successful exploits may allow an attacker to cause denial-of-service conditions.

22. Symantec Norton Ghost RemoteCommand.DLL Buffer Overflow Vulnerability
BugTraq ID: 24825
Remote: Yes
Date Published: 2007-07-09
Relevant URL: http://www.securityfocus.com/bid/24825
Summary:
Symantec Norton Ghost is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Symantec Ghost 12.0; other versions may also be affected.

23. Microsoft Windows Vista Kernel Unspecified Remote Denial Of Service Vulnerability
BugTraq ID: 24816
Remote: Yes
Date Published: 2007-07-09
Relevant URL: http://www.securityfocus.com/bid/24816
Summary:
Microsoft Windows Vista is prone to an unspecified remote denial-of-service vulnerability.
Attackers may exploit this issue to crash the affected operating system, denying further service to legitimate users. Remote code-execution may be possible, but this has not been confirmed.

24. Microsoft .NET Framework JIT Compiler Remote Buffer Overflow Vulnerability
BugTraq ID: 24811
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24811
Summary:
Microsoft .NET Framework is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Successful exploits can result in the complete compromise of affected computers. Failed attacks will likely result in denial-of-service conditions.

25. Symantec AntiVirus Corporate Edition Local Privilege Escalation Vulnerability
BugTraq ID: 24810
Remote: No
Date Published: 2007-07-11
Relevant URL: http://www.securityfocus.com/bid/24810
Summary:
Symantec AntiVirus Corporate Edition is prone to a local privilege-escalation vulnerability because the application fails to properly drop privileges.
A local attacker can exploit this issue to elevate privileges to the SYSTEM level. This could facilitate a complete compromise of the affected computer.

26. Microsoft Windows Active Directory LDAP Request Validation Remote Code Execution Vulnerability
BugTraq ID: 24800
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24800
Summary:
Microsoft Windows is prone to a remote code-execution vulnerability because Microsoft Active Directory fails to handle specially crafted user-supplied Lightweight Directory Access Protocol (LDAP) requests.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

27. Microsoft Windows Active Directory LDAP Request Validation Remote Denial Of Service Vulnerability
BugTraq ID: 24796
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24796
Summary:
Microsoft Windows is prone to a remote denial-of-service vulnerability because Microsoft Active Directory fails to handle specially crafted Lightweight Directory Access Protocol (LDAP) requests.
An attacker can exploit this issue to cause the affected application to stop responding, denying further service to legitimate users.

28. Microsoft Windows Vista Teredo Interface Firewall Bypass Vulnerability
BugTraq ID: 24779
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24779
Summary:
Windows Firewall for Windows Vista is prone to a vulnerability that may permit a bypass of existing firewall rules.
An attacker may trigger this vulnerability by sending malicious network data through the Teredo network transport system to obtain sensitive information; other attacks are also possible.
Note that Windows Vista systems configured with a 'Public' network profile are not vulnerable to this issue.

29. Microsoft .NET Framework PE Loader Remote Buffer Overflow Vulnerability
BugTraq ID: 24778
Remote: Yes
Date Published: 2007-07-10
Relevant URL: http://www.securityfocus.com/bid/24778
Summary:
Microsoft .NET Framework is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Successful exploits can result in the complete compromise of affected computers. Failed attacks will likely result in denial-of-service conditions.

30. Symantec AntiVirus Malformed CAB and RAR Compression Remote Vulnerabilities
BugTraq ID: 24282
Remote: Yes
Date Published: 2007-07-11
Relevant URL: http://www.securityfocus.com/bid/24282
Summary:
Symantec AntiVirus products that include the Symantec Decomposer are prone to multiple remote vulnerabilities related to the handling of CAB and RAR archives. These issues include a denial-of-service vulnerability and a buffer-overflow vulnerability.
Successfully exploiting these issues allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges or to cause the affected application to enter an infinite loop, resulting in a denial-of-service condition.

31. Symantec Veritas Backup Exec for Windows Server RPC Heap Buffer Overflow Vulnerability
BugTraq ID: 23897
Remote: Yes
Date Published: 2007-07-11
Relevant URL: http://www.securityfocus.com/bid/23897
Summary:
Symantec Veritas Backup Exec for Windows Server is prone to a heap-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Sync Domain Account password and Local Account password
http://www.securityfocus.com/archive/88/473988

2. Restrict access
http://www.securityfocus.com/archive/88/473787

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: Black Hat

Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting.
http://www.blackhat.com
