SecurityFocus Microsoft Newsletter #422
----------------------------------------

This issue is Sponsored by Verisign

Learn how to protect your online customers with SSL technology that not only keeps their information safe, but also lets them know your site is secure - Extended Validation (EV) SSL. This new technology turns the address bar green in high security browsers.
http://ad.doubleclick.net/clk;208565397;30663982;v

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
     1. Standing on Other's Shoulders
     2. Just Encase It's Not a Search
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft December 2008 Advance Notification Multiple Vulnerabilities
     2. RadASM '.rap' Project File Buffer Overflow Vulnerability
     3. Apple iTunes/QuickTime Malformed '.mov' File Buffer Overflow Vulnerability
     4. MemeCode Software i.Scribe Remote Format String Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. SecurityFocus Microsoft Newsletter #421
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Standing on Other's Shoulders
By Chris Wysopal
"If I have seen a little further it is by standing on the shoulders of Giants," Isaac Newton once wrote to describe how he felt that his scientific work was an extension of the work of those who went before him. In the scientific realm it is dishonorable not to credit those upon whose work you build.
http://www.securityfocus.com/columnists/486

2. Just Encase It's Not a Search
By Mark Rasch
When is a search not really a search? If it's done by computer, according to U.S. government lawyers.
http://www.securityfocus.com/columnists/485

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Microsoft December 2008 Advance Notification Multiple Vulnerabilities
BugTraq ID: 32632
Remote: Yes
Date Published: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32632
Summary:
Microsoft has released advance notification that the vendor will be releasing eight security bulletins on December 9, 2008. The highest severity rating for these issues is 'Critical'. Successfully exploiting these issues may allow remote or local attackers to compromise affected computers. Individual records will be created for the issues when the bulletins are released.

2. RadASM '.rap' Project File Buffer Overflow Vulnerability
BugTraq ID: 32617
Remote: Yes
Date Published: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32617
Summary:
RadASM is prone to a buffer-overflow vulnerability because it fails to perform adequate checks on user-supplied input. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. RadASM 2.2.1.4 is vulnerable; other versions may also be affected.

3. Apple iTunes/QuickTime Malformed '.mov' File Buffer Overflow Vulnerability
BugTraq ID: 32540
Remote: Yes
Date Published: 2008-11-30
Relevant URL: http://www.securityfocus.com/bid/32540
Summary:
Apple iTunes and QuickTime are prone to a buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects the following:
iTunes 8.0.2.20
QuickTime 7.5.5

4. MemeCode Software i.Scribe Remote Format String Vulnerability
BugTraq ID: 32497
Remote: Yes
Date Published: 2008-11-27
Relevant URL: http://www.securityfocus.com/bid/32497
Summary:
MemeCode Software i.Scribe is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition. i.Scribe 1.88 and 2.00 beta are vulnerable; other versions may also be affected.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #421
http://www.securityfocus.com/archive/88/498758

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This issue is Sponsored by Verisign (see the sponsor message at the top of this issue).
