SecurityFocus Microsoft Newsletter #371
----------------------------------------

This issue is Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks

Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701700000009400

SECURITY BLOGS

SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.

http://www.securityfocus.com/blogs

------------------------------------------------------------------

I. FRONT AND CENTER
     1. The Man in the Machine
     2. Aye, Robot, or Can Computers Contract?
II. MICROSOFT VULNERABILITY SUMMARY
     1. avast! Home/Professional TAR File Handling Unspecified Vulnerability
     2. Microsoft Optical Desktop Wireless Keyboard Weak Encryption Information Disclosure Vulnerability
     3. Microsoft Web Proxy Auto-Discovery Proxy Spoofing Vulnerability
     4. Apple QuickTime Unspecified Remote Vulnerability
     5. Microsoft Windows Media Player AIFF Parsing Divide-By-Zero Denial of Service Vulnerability
     6. Tencent QQ LaunchP2PShare Multiple Stack Buffer Overflow Vulnerabilities
     7. VanDyke VShell Unspecified Denial Of Service Vulnerability
     8. Samhain Labs Samhain Insecure Random Number Generator Information Disclosure Weakness
     9. Skype Technologies Skype Voicemail URI Handler Remote Denial of Service Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. SecurityFocus Microsoft Newsletter #370
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------

1. The Man in the Machine
By Federico Biancuzzi

In April 2007, when two security researchers demonstrated a flaw in the next-generation IPv6 routing scheme that would allow attackers to significantly amplify any denial-of-service attack by a factor of at least 80, networking expert Jun-ichiro "Itojun" Hagino worked to get Internet engineers to take the threat seriously.

http://www.securityfocus.com/columnists/459

2. Aye, Robot, or Can Computers Contract?
By Mark Rasch

A contract is usually described as a "meeting of the minds." One person makes an offer for goods or services; another person sees the offer and negotiates terms; the parties enter into an agreement of the offer; and some form of consideration is given in return for the provision of something of value. At least that's what I remember from first year law school contracts class.

http://www.securityfocus.com/columnists/458

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------

1. avast! Home/Professional TAR File Handling Unspecified Vulnerability
BugTraq ID: 26702
Remote: Yes
Date Published: 2007-12-04
Relevant URL: http://www.securityfocus.com/bid/26702
Summary:
avast! is prone to an unspecified vulnerability. This issue occurs when the application handles a TAR file.

Versions of avast! Home and Professional prior to 4.7.1098 are affected.

2. Microsoft Optical Desktop Wireless Keyboard Weak Encryption Information Disclosure Vulnerability
BugTraq ID: 26693
Remote: Yes
Date Published: 2007-12-04
Relevant URL: http://www.securityfocus.com/bid/26693
Summary:
Microsoft Optical Desktop is prone to an information-disclosure vulnerability.

Successfully exploiting this issue will allow an attacker to obtain sensitive information that may lead to other attacks.

This issue affects Microsoft Optical Desktop 1000 and 2000; other versions may also be affected.

3. Microsoft Web Proxy Auto-Discovery Proxy Spoofing Vulnerability
BugTraq ID: 26686
Remote: Yes
Date Published: 2007-12-03
Relevant URL: http://www.securityfocus.com/bid/26686
Summary:
Microsoft Web Proxy Auto-Discovery is prone to a vulnerability that may allow attackers to obtain sensitive information that may lead to further attacks.

4. Apple QuickTime Unspecified Remote Vulnerability
BugTraq ID: 26682
Remote: Yes
Date Published: 2007-12-03
Relevant URL: http://www.securityfocus.com/bid/26682
Summary:
Apple QuickTime is prone to an unspecified remote vulnerability.

Very few technical details are currently available. We will update this BID as more information emerges.

This issue affects Apple QuickTime 7.2 for Microsoft Windows XP; other versions may also be affected.

5. Microsoft Windows Media Player AIFF Parsing Divide-By-Zero Denial of Service Vulnerability
BugTraq ID: 26648
Remote: Yes
Date Published: 2007-11-30
Relevant URL: http://www.securityfocus.com/bid/26648
Summary:
Microsoft Windows Media Player is prone to a denial-of-service vulnerability when processing a malformed AIFF file.

A remote attacker can exploit this issue to crash the affected application, denying service to legitimate users.

This issue affects Microsoft Windows Media Player 11; other versions may also be affected.

6. Tencent QQ LaunchP2PShare Multiple Stack Buffer Overflow Vulnerabilities
BugTraq ID: 26613
Remote: Yes
Date Published: 2007-11-27
Relevant URL: http://www.securityfocus.com/bid/26613
Summary:
Tencent QQ is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

These issues affect Tencent QQ 2006 and prior versions.

7. VanDyke VShell Unspecified Denial Of Service Vulnerability
BugTraq ID: 26602
Remote: Yes
Date Published: 2007-11-27
Relevant URL: http://www.securityfocus.com/bid/26602
Summary:
VanDyke VShell is prone to a denial-of-service vulnerability.

Very few technical details are currently available. We will update this BID as more information emerges.

An attacker can exploit this issue to deny access to legitimate users.

VShell 3.0.1 is vulnerable; other versions may also be affected.

8. Samhain Labs Samhain Insecure Random Number Generator Information Disclosure Weakness
BugTraq ID: 26597
Remote: Yes
Date Published: 2007-11-26
Relevant URL: http://www.securityfocus.com/bid/26597
Summary:
Samhain Labs Samhain is prone to an information-disclosure weakness because of an error in the use of the random number generator.

An attacker can exploit this issue to weaken encryption and other security-related algorithms, which may aid in further attacks.

The issue affects Samhain 2.4.0 and 2.4.0a. Note that versions prior to 2.4.0 are not vulnerable to this issue.

9. Skype Technologies Skype Voicemail URI Handler Remote Denial of Service Vulnerability
BugTraq ID: 26588
Remote: Yes
Date Published: 2007-11-26
Relevant URL: http://www.securityfocus.com/bid/26588
Summary:
Skype is prone to a remote denial-of-service vulnerability because of a NULL-pointer dereference flaw.

Successfully exploiting this issue allows remote attackers to crash the application, denying service to legitimate users.

Skype 3.6.0.216 for Microsoft Windows is vulnerable to this issue; other versions may also be affected.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------

1. SecurityFocus Microsoft Newsletter #370
http://www.securityfocus.com/archive/88/484378

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------

To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter.
You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------

This issue is Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks

https://www.watchfire.com/securearea/whitepapers.aspx?id=701700000009400
