SecurityFocus Microsoft Newsletter #89

From: Marc Fossi (mfossi@securityfocus.com)
Date: 06/03/02


Date: Mon, 3 Jun 2002 14:53:29 -0600 (MDT)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #89
--------------------------------------

This issue sponsored by: Aladdin's eSafe.

Introducing eSafe Mail 3.1, the industry's first triple protection for
your Exchange Server:

-Inspects and cleans MAPI, VSAPI, and SMTP traffic
-Cleans internal mail messages and mailboxes
-Content inspection and quarantine: anti-spam, anti-virus, and anti-relay
-Advanced heuristics: Prevent the NEXT Klez, Nimda, Melissa?

Buy eSafe Mail for Exchange 3.1 and get eSafe Mail for SMTP absolutely
FREE (for a limited time only)

Visit us at: http://www.ealaddin.com/esafe/mail/index.asp?cf=tl
eSafe.us@eAladdin.com
1-800-562-2543

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Securing Privacy Part Four: Internet Issues
     2. Black Hat Briefings
     3. Secure i-World
II. MICROSOFT VULNERABILITY SUMMARY
     1. Ethereal DNS Dissector Infinite Loop Denial of Service...
     2. Ethereal GIOP Dissector Memory Exhaustion Vulnerability
     3. SSH Communications Secure Shell Server AllowedAuthentications...
     4. Ethereal Server Message Block Dissector Malformed Packet...
     5. ViewCVS Cross-Site Scripting Vulnerability
     6. OpenBB BBCode Cross Agent HTML Injection Vulnerability
     7. OpenBB Unauthorized Moderator Access Vulnerability
     8. Microsoft MSN Messenger Malformed Invite Request Denial of Service
     9. CVS Daemon RCS Off By One Local Buffer Overflow Vulnerability
     10. Microsoft Active Directory Zero Page Length Query Vulnerability
     11. OpenBB Cross-Site Scripting Vulnerability
     12. BlueFace Falcon Web Server File Disclosure Vulnerability
     13. Trend Micro Interscan Viruswall SMTP Header Removal Vulnerability
     14. Microsoft Active Data Objects Buffer Overflow Vulnerability
     15. LocalWEB2000 File Disclosure Vulnerability
     16. Microsoft Excel 2002 XML Stylesheet Arbitrary Code Execution...
     17. NetScreen ScreenOS Remote Reboot Vulnerability
     18. Microsoft IIS 5.0 Denial Of Service Vulnerability
     19. Ipswitch WS_FTP Pro Buffer Overflow Vulnerability
     20. Microsoft Windows 2000 Remote Access Service Buffer Overflow...
     21. Microsoft IIS HTR ISAPI Extension Heap Overflow Vulnerability
     22. PHPBB2 Image Tag HTML Injection Vulnerability
     23. Microsoft SQL Server 2000 Multiple Vulnerabilities
     24. Microsoft Commerce Server 2000 Remote Buffer Overflow...
     25. Microsoft Windows HTML Help ActiveX Control Multiple...
     26. DataWizard FtpXQ Buffer Overflow Vulnerability
     27. Macromedia JRun Host Header Field Buffer Overflow Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Help with XP Hotfixes and Patches (Thread)
     2. Need free app for viewing metadata in Word documents (Thread)
     3. restrict software installation (Thread)
     4. Permissions on files (Thread)
     5. Wingate Replacement (Thread)
     6. SecurityFocus Microsoft Newsletter #88 (Thread)
     7. Dial up access problem - not a (solution) (Thread)
     8. How to disable WebDAV (Thread)
     9. Problem - Using IPSec to secure Windows Messenger Traffic (Thread)
     10. MS-SQL Blank Password Enumeration (Thread)
     11. Dial up access problem solution (Thread)
     12. About ping request? (Thread)
     13. Why does XP establish HTTP connection when browsing network shares? (Thread)
     14. Dialup access controls (Thread)
     15. Why does XP establish HTTP connection: ADDITIONALLY, (Thread)
     16. Question Regarding Securing Critical Executables (Thread)
     17. Reinstallation of Hotfixes (Thread)
IV. MICROSOFT PRODUCTS
     1. KillDisk
     2. InTether Desktop
     3. PoliVec Builder
V. MICROSOFT TOOLS
     1. DreamSys Server Monitor v3.1
     2. EGADS v0.9
     3. DSCMD - DataSAFE Command Line Encryptor v2.0
     4. Bouncer v1.0.RC6
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Securing Privacy Part Four: Internet Issues
By Scott Granneman

This is the fourth and final installment in a series devoted to protecting
users' privacy on the Internet. In this article, we will look more
generally at our usage of the Internet. The Internet offers all of us
unparalleled access to information, but it also brings with it unique
threats to our privacy. This article will examine some of the ways you can
protect yourself.

http://online.securityfocus.com/infocus/1585

2. Black Hat Briefings

Attend Black Hat Briefings & Training, July 29 - August 1, Las Vegas, the
world's premier technical security event! 8 tracks, 12 training sessions,
Richard Clarke keynote, 500 delegates from 30 nations, with a near cult
following of both CSOs and "underground" security experts. See for
yourself what the buzz is all about.

http://www.blackhat.com

3. Secure i-World
August 19-21, 2002, San Diego, CA
Optional Workshops August 17, 18, 21, & 22
Vendor Expo August 19 & 20

WebSec 2002, Online Privacy Conference, Secure i-World Expo…two innovative
conferences and one outstanding expo, all in one blockbuster event.

http://www.secureiworld.com/06/sw02nl18inf.html

II. BUGTRAQ SUMMARY
-------------------
1. Ethereal DNS Dissector Infinite Loop Denial of Service Vulnerability
BugTraq ID: 4807
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4807
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The Ethereal DNS dissector is a mechanism for decoding the DNS protocol.
A condition exists where the DNS dissector routine may enter an infinite
loop while processing a request. This may be triggered by a maliciously
constructed DNS query transmitted across the network. A remote attacker
may exploit this vulnerability to prevent Ethereal from functioning.

Successful exploitation may result in data loss and evasion of detection
by Ethereal.

2. Ethereal GIOP Dissector Memory Exhaustion Vulnerability
BugTraq ID: 4808
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4808
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The Ethereal GIOP dissector is a mechanism for decoding the General
Inter-ORB Protocol (GIOP). A condition exists that may result in
exhaustion of available memory. A specially constructed packet may cause
allocation of a large amount of memory. Attackers may exploit this
vulnerability to cause an exhaustion of available memory.

Successful exploitation may result in Ethereal failing or crashing.

3. SSH Communications Secure Shell Server AllowedAuthentications Configuration Overriding Vulnerability
BugTraq ID: 4810
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4810
Summary:

Secure Shell is the commercial SSH implementation distributed and
maintained by SSH Communications. It is available for the Unix, Linux,
and Microsoft Windows platforms.

A problem with some SSH servers may allow remote users to authenticate
using arbitrary methods. The problem is in the handling of authentication
types specified via configuration.

SSH Servers allow an administrator to specify modes of authentication via
the server configuration file. Through the "AllowedAuthentications"
parameter, an administrator may limit the means of authentication used by
remote users.

Under some circumstances, it may be possible for a remote user to bypass
the "AllowedAuthentications" specified in the server configuration. This
could allow a user to authenticate using a different or weaker means, such
as a password. In a situation where stronger authentication protocols are
in place but system user accounts have been secured with weak passwords,
an attacker may be able to gain access to the system using the weak
password rather than the strong authentication scheme.

This problem makes it possible for remote users to circumvent
authentication mechanisms and, potentially, use a weaker method of
authentication.

4. Ethereal Server Message Block Dissector Malformed Packet Denial Of Service Vulnerability
BugTraq ID: 4806
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4806
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The Ethereal Server Message Block (SMB) dissector is a mechanism for
decoding the Microsoft SMB protocol. A problem with this portion of
Ethereal could make it possible for a remote attacker to deny service to
an Ethereal user.

Two conditions exist that may result in attempts to dereference NULL
pointers. The conditions may be triggered by a specially constructed SMB
packet transmitted across the network by the attacker. By transmitting
such a packet while a session of Ethereal is running, Ethereal could be
made to dereference a NULL pointer, resulting in a crash of the
application.

Successful exploitation may result in Ethereal crashing due to an access
violation, resulting in a denial of service.

5. ViewCVS Cross-Site Scripting Vulnerability
BugTraq ID: 4818
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4818
Summary:

ViewCVS is an open-source web interface for CVS. It is available for most
Unix and Linux variants as well as Microsoft Windows operating systems.

ViewCVS does not filter HTML tags from certain URL parameters, making it
prone to cross-site scripting attacks.

An attacker may exploit this by constructing a malicious link with script
code to a site running ViewCVS and sending it to a legitimate user of the
site. When the legitimate user follows the link, the attacker's script
code is executed in their web client in the security context of the
website running ViewCVS.

The attacker may be able to steal cookie-based authentication credentials
or hijack web content as a result of this vulnerability.

6. OpenBB BBCode Cross Agent HTML Injection Vulnerability
BugTraq ID: 4819
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4819
Summary:

OpenBB is web forum software written in PHP. It will run on most Linux and
Unix variants, in addition to Microsoft Windows operating systems.

This vulnerability is similar to the issue discussed in BugTraq ID 4171.
The vulnerability discussed in BugTraq ID 4171 was fixed in OpenBB 1.0.0
RC3, however this issue bypasses the fix provided in 1.0.0 RC3.

OpenBB version 1.0.0 RC3 is reportedly vulnerable to HTML injection
attacks. The vulnerability occurs in the file lib/codeparse.php which
replaces HTML code with BBCodes.

OpenBB uses 'BBCodes' in the place of HTML code to include images, links
etc. This is meant to provide HTML functionality without being susceptible
to malicious users. However, HTML tags are not adequately replaced with
BBCodes. It is possible to inject arbitrary HTML code into forum messages.
As a result, OpenBB is prone to cross-agent scripting attacks. Script code
will be executed in the browser of the user viewing the forum message and
may allow an attacker to steal cookie-based authentication credentials.

7. OpenBB Unauthorized Moderator Access Vulnerability
BugTraq ID: 4823
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4823
Summary:

OpenBB is web forum software written in PHP. It will run on most Linux and
Unix variants, in addition to Microsoft Windows operating systems.

OpenBB is reported to be vulnerable to a condition that will allow an
unauthorized user to gain moderator or administrative access to forums.

The attacker can only change a few options as follows:

- Open or close a forum
- Toggle the sticky mode status of a forum
- Toggle the significant mode status of a forum

This will allow an attacker to effectively cause significant, if not all,
parts of the forum to be closed.

8. Microsoft MSN Messenger Malformed Invite Request Denial of Service
BugTraq ID: 4827
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4827
Summary:

MSN Messenger is an instant messaging client for Microsoft Windows
systems, based on the Passport system.

A vulnerability has been reported in some versions of MSN Messenger. Under
some circumstances, it may be possible to crash a target client when it
receives a malformed invite request. By including a number of
HTML-encoded space characters (%20) in the Invitation-Cookie field, and
sending the header to a remote user, it is reportedly possible to crash a
remote user's client.

Exploitation of this vulnerability may result in a denial of MSN service.
The possibility of other consequences, such as code execution, has not yet
been ruled out. This record will be updated as more information becomes
available.

9. CVS Daemon RCS Off By One Local Buffer Overflow Vulnerability
BugTraq ID: 4829
Remote: No
Date Published: May 25 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4829
Summary:

CVS is the concurrent versioning system. CVS is a freely available, open
source software development package for the Unix, Linux, and Microsoft
Windows platforms.

A problem with the software could make it possible for an attacker to gain
elevated privileges.

Due to a boundary condition error, it may be possible for a local attacker
to execute arbitrary code. The rcs.c file contains an off-by-one error
that could result in an attacker overwriting portions of stack memory, and
executing arbitrary code.

This problem could result in an attacker gaining access to the CVS
archives with the privileges of the CVS user. This could allow an
attacker to alter source code within the CVS archive, and potentially
backdoor source code.

10. Microsoft Active Directory Zero Page Length Query Vulnerability
BugTraq ID: 4804
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4804
Summary:

Microsoft Active Directory is reportedly vulnerable to a query that will
cause Active Directory to stop responding.

The vulnerability has been reported for querying Active Directory servers
using Kerberos V authentication via GSS-API (Generic Security Service
Application Programming Interface).

Active Directory servers, by default, return as many entries as possible
when responding to requests. An LDAP client is able to specify the number
of entries to be retrieved by setting the page length to a smaller number.
The reported vulnerability occurs when the page length value is set to
zero and the client makes a large request. This will cause the vulnerable
Active Directory server to hang causing a denial of service to occur.

11. OpenBB Cross-Site Scripting Vulnerability
BugTraq ID: 4824
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4824
Summary:

OpenBB is web forum software written in PHP. It will run on most Linux and
Unix variants, in addition to Microsoft Windows operating systems.

It has been reported that OpenBB is vulnerable to a cross-site scripting
attack.

The vulnerability is present in the 'myhome.php' script. OpenBB does not
properly sanitize the client-supplied values of certain parameters prior
to output. Attackers are able to circumvent existing measures to protect
against cross-site scripting attacks with the use of '<form>' tags
followed by arbitrary HTML.

Attackers may exploit this vulnerability by constructing a link to one of
these scripts containing malicious script code. If the link is sent to an
OpenBB user and clicked on, the attacker-supplied script code will run in
the context of the user's OpenBB session. The script code may obtain
cookie values or perform unauthorized actions as the victim user.

12. BlueFace Falcon Web Server File Disclosure Vulnerability
BugTraq ID: 4833
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4833
Summary:

Falcon Web Server is a small web server that runs on several Microsoft
Windows platforms. It is mainly intended for small to medium sized
businesses.

Password protected files residing on the Falcon Web Server may be
disclosed to unauthorized users. The user would have to know the name of
the file in order to access it.

The file could be accessed simply by requesting a URL in the following
format from the web server: http://host/protectedfolder./

13. Trend Micro Interscan Viruswall SMTP Header Removal Vulnerability
BugTraq ID: 4830
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4830
Summary:

Interscan Viruswall is a mail gateway solution distributed and maintained
by Trend Micro. This problem affects versions running on the Microsoft
Windows platform.

A flaw in Viruswall may make it possible to hide the origins of email.
The problem is in the editing of headers by the product.

When a mail is sent to a site using Interscan Viruswall, it is passed
first through the Viruswall software. After processing by the Viruswall
package, if it clears the check it is passed on to the mail transport
agent (MTA) on the system, typically running on a different port.

Viruswall does not preserve headers from email when email is passed to the
MTA running on the system. This problem makes it possible for outside
users to obscure the origins of mail sent to the server. An attacker
could take advantage of this vulnerability to spam the host without the
risk of being traced. This vulnerability could also be exploited to send
misinformation through the host, appearing to come from a local user of
the mail system.

It should be noted that the origins of email are logged by Interscan
Viruswall only when a virus is discovered.

14. Microsoft Active Data Objects Buffer Overflow Vulnerability
BugTraq ID: 4849
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4849
Summary:

A reliable source has reported an exploitable buffer overflow condition in
Microsoft Active Data Objects (ADO).

Microsoft ADO is an ActiveX object that handles data from the server to
the web client. Microsoft ADO supports any ODBC database. ADO ships as a
part of MDAC (Microsoft Data Access Components).

This vulnerability may pose a risk for users of Microsoft Internet
Explorer, but is not present in the default configuration of the web
browser. This issue is only present if the browser is configured to allow
access to datasources across domains.

Under some circumstances, there also may be a risk for Microsoft IIS
servers, in the case that the server is being used to host content which
may come from an untrusted source. The attacker must be able to upload an
ASP page and execute it to exploit this issue in Microsoft IIS servers.
If the attacker has the ability to do this, then many other avenues of
attack exist.

15. LocalWEB2000 File Disclosure Vulnerability
BugTraq ID: 4820
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4820
Summary:

LocalWEB2000 is a web server for Microsoft Windows operating systems.

A vulnerability exists in LocalWEB2000 related to content password
protection. It is possible to have LocalWEB2000 treat files as
unprotected by requesting them as files within the '.' (current)
directory. If the file http://server/file.txt is set to be password
protected, the protection will be bypassed if a request is made for
http://server/./file.txt. This is likely due to a design error in the
protection component.

This vulnerability was reported for LocalWEB2000 Standard Version 2.1.0.
Other versions (such as the Professional Edition) may also be affected by
this issue.
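The Falcon Web Server (item 12) and LocalWEB2000 (item 15) reports above describe the same class of defect: the protection check is applied to the request path as written, before it is reduced to the name the filesystem will actually open. The following is an added example, not code from either product, showing a raw-path check beside one that canonicalises first; the protected-path list and the sample request targets are constructed for illustration.

```python
"""Canonicalise a request target before deciding whether it is protected.

Added example (not LocalWEB2000 or Falcon Web Server code). It models the
two bypasses from the advisories: a '/./' segment in the path and a
trailing '.' on a folder name, which Windows filesystems ignore.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed rules: an exact file and a folder prefix that need a password.
PROTECTED = ("/file.txt", "/protectedfolder/")


def canonicalize(raw_target: str) -> str:
    """Reduce a request target to one canonical absolute path.

    Steps: drop query/fragment, percent-decode, collapse '.', '..' and
    repeated slashes, then strip trailing dots and spaces from every
    segment so that 'protectedfolder./' and 'protectedfolder/' compare equal.
    """
    path = unquote(urlsplit(raw_target).path)
    if not path.startswith("/"):
        path = "/" + path
    wants_dir = path.endswith("/")
    path = posixpath.normpath(path)  # '/./x' -> '/x', '/a/../b' -> '/b'
    segments = [seg.rstrip(". ") for seg in path.split("/")]
    segments = [seg for seg in segments if seg]  # drop empty / all-dot names
    path = "/" + "/".join(segments)
    if wants_dir and not path.endswith("/"):
        path += "/"
    return path


def _matches(path: str) -> bool:
    """Compare case-insensitively: the target filesystems are case-insensitive."""
    p = path.lower()
    for rule in PROTECTED:
        if rule.endswith("/"):
            if p == rule.rstrip("/") or p.startswith(rule):
                return True
        elif p == rule:
            return True
    return False


def naive_is_protected(raw_target: str) -> bool:
    """The flawed design: the raw request path is compared literally."""
    return _matches(raw_target)


def is_protected(raw_target: str) -> bool:
    """The corrected check: canonicalise, then compare."""
    return _matches(canonicalize(raw_target))


def evaluate(targets):
    """Return {target: (naive verdict, canonical verdict)} for a list of targets."""
    return {t: (naive_is_protected(t), is_protected(t)) for t in targets}


if __name__ == "__main__":
    # Constructed request targets, including the two forms from the advisories.
    for target, verdicts in evaluate(
        ["/file.txt", "/./file.txt", "/%2e/file.txt",
         "/protectedfolder/", "/protectedfolder./", "/public/index.htm"]
    ).items():
        print(f"{target:24} naive={verdicts[0]!s:5} canonical={verdicts[1]}")
```

Any request whose naive and canonical verdicts differ is one the raw-path check would have served without a password.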

16. Microsoft Excel 2002 XML Stylesheet Arbitrary Code Execution Vulnerability
BugTraq ID: 4821
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4821
Summary:

A vulnerability exists in the handling of XML stylesheets in Microsoft
Excel documents. This vulnerability may result in script contained in an
XML stylesheet to execute on a user's system.

With Microsoft Excel 2002, it is possible to include XML stylesheets with
XML documents. When such a document is loaded, the user is given the
choice to load the associated stylesheet or not. If the XML stylesheet
contains script (ie.Javascript & VBscript modules), and the user chooses
to apply the stylesheet when viewing the .xls file, the script will run.
There is no indication to the user that embedded script will execute. By
default, the XML stylesheet is not loaded.

Successful exploitation of this vulnerability could lead to the execution
of malicious code on a user's system.

17. NetScreen ScreenOS Remote Reboot Vulnerability
BugTraq ID: 4842
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4842
Summary:

NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.

It is possible for remote attackers to cause the device to reboot by
sending an overly long username to the web interface. An attacker may
create a prolonged denial of service condition by repeatedly causing the
device to reboot.

This condition may be the result of an unchecked buffer, which may
potentially allow the attacker to execute arbitrary code. This
possibility has not been confirmed.

18. Microsoft IIS 5.0 Denial Of Service Vulnerability
BugTraq ID: 4846
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4846
Summary:

A remotely exploitable denial of service condition in Microsoft IIS 5.0
has been reported by a reliable source.

The denial of service is caused by resource exhaustion.

Additional technical details will be added to this vulnerability record
when they become available.

19. Ipswitch WS_FTP Pro Buffer Overflow Vulnerability
BugTraq ID: 4850
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4850
Summary:

Ipswitch WS_FTP Pro is an FTP client for Microsoft Windows systems. A
buffer overflow condition has been reported in WS_FTP Pro. Precise
details are not currently available; however, it is believed that it may
be exploitable by a malicious server.

Successful exploitation of this vulnerability may result in remote
attackers gaining access to vulnerable client hosts.

This record will be updated as more information becomes available.

20. Microsoft Windows 2000 Remote Access Service Buffer Overflow Vulnerability
BugTraq ID: 4852
Remote: No
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4852
Summary:

Remote Access Service (RAS) is a service included in Microsoft Windows
2000 to allow users to connect to a corporate intranet or the Internet
from a remote computer.

It has been reported that the RAS service included in Windows 2000 is
vulnerable to a buffer overflow condition. Details of this vulnerability
are scarce, however, successful exploitation could result in a denial of
service or possibly execution of arbitrary code.

This record will be updated as more information becomes available.

21. Microsoft IIS HTR ISAPI Extension Heap Overflow Vulnerability
BugTraq ID: 4855
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4855
Summary:

It has been reported that the HTR ISAPI extension for Microsoft IIS is
vulnerable to a heap overflow condition.

HTR is a scripting technology for IIS that has been largely superseded by
ASP (Active Server Pages). A condition exists in the HTR ISAPI extension
that may allow a remote attacker to overwrite locations in memory with
attacker-supplied data.

This condition affects IIS 5.0 and may be effectively mitigated by
disabling the extension.

Exploitation of this vulnerability may result in a denial of service or
allow for a remote attacker to execute arbitrary instructions on the
victim host.

22. PHPBB2 Image Tag HTML Injection Vulnerability
BugTraq ID: 4858
Remote: Yes
Date Published: May 26 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4858
Summary:

phpBB2 is free, open-source web forum software that is written in PHP and
backed by MySQL. It will run on most Unix and Linux variants, as well as
Microsoft Windows operating systems.

BBCode is a feature which allows users to include HTML-style formatting
elements in their forum messages.

It is possible to inject arbitrary HTML into phpBB2 forum messages via the
use of BBCode image tags. A similar issue is described in Bugtraq ID 4379
"PHPBB Image Tag User-Embedded Scripting Vulnerability". However, phpBB2
was found to not be vulnerable to this previous issue.

When the image tag is translated into HTML, the following code is used:

<img src="$user_provided" border="0" />

phpBB2 checks to ensure that the user-provided image source is prepended
with "http://", which restricts the user from injecting arbitrary HTML as
the image source. However, it has been reported that this measure may be
circumvented by using a double-quotation (") character to close the image
source tag. The attacker may then include arbitrary HTML after the
double-quotation.

The attacker may exploit this issue to inject script code into forum
messages. When such messages are displayed by a web user, the attacker's
script code will execute in their browser in the context of the website.
If the web user is an authenticated user of the phpBB2 forum, then the
attacker may exploit this condition to steal cookie-based authentication
credentials from the user.

phpBB versions prior to the phpBB2 series may also be affected by this
vulnerability.
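Both BBCode reports in this issue (OpenBB, item 6, and phpBB2, item 22) come down to a user-supplied value being dropped into generated HTML after a check that does not cover the characters that matter. The following is an added example, not phpBB2's or OpenBB's own code; vulnerable_img_tag() mirrors the behaviour the phpBB2 report describes (an "http://" prefix check followed by literal interpolation), and safe_img_tag() is one hardened form. The sample inputs are constructed.

```python
"""BBCode [img] translation: the prefix-only check beside a hardened form.

Added example, not phpBB2 or OpenBB code. The vulnerable function models the
translation described in the advisory; the safe one validates the URL
strictly and HTML-escapes the attribute value regardless.
"""
import html
import re
from typing import Optional

# Characters a plain http(s) URL may contain once it is going into an
# attribute: unreserved and sub-delimiter characters, no quotes, spaces,
# '<' or '>' (constructed allowlist, deliberately conservative).
_URL_CHARS = re.compile(r"[A-Za-z0-9._~%!$&()*+,;=:@/?\-]+")
_SCHEME_HOST = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/|$)")


def vulnerable_img_tag(user_provided: str) -> str:
    """Models the flawed translation: only the 'http://' prefix is checked,
    then the value is placed into the src attribute verbatim, so a '"' in
    the value closes the attribute and whatever follows becomes markup."""
    if not user_provided.startswith("http://"):
        return html.escape(user_provided)  # not treated as an image at all
    return f'<img src="{user_provided}" border="0" />'


def safe_img_tag(user_provided: str) -> Optional[str]:
    """Hardened translation. Returns None when the value is not a plain
    http(s) URL; otherwise escapes it so no character can end the attribute."""
    if not _SCHEME_HOST.match(user_provided):
        return None                      # wrong scheme or no host
    if not _URL_CHARS.fullmatch(user_provided):
        return None                      # quote, space, '<', '>' or similar
    # Escape anyway: defence in depth if the allowlist is ever loosened.
    return f'<img src="{html.escape(user_provided, quote=True)}" border="0" />'


def attribute_count(tag: str) -> int:
    """Number of name="..." attributes in a rendered tag; the vulnerable
    translation should only ever produce two (src and border)."""
    return len(re.findall(r'\b[\w-]+="', tag))


if __name__ == "__main__":
    # Constructed inputs: a benign URL and one carrying a closing quote.
    for value in ("http://example.invalid/a.png",
                  'http://example.invalid/a.png" injected="1'):
        print("vulnerable:", vulnerable_img_tag(value))
        print("safe      :", safe_img_tag(value))
```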

23. Microsoft SQL Server 2000 Multiple Vulnerabilities
BugTraq ID: 4847
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4847
Summary:

SQL Server 2000 is a commercially available enterprise level database
product from Microsoft.

Microsoft SQL Server 2000 has been reported to contain multiple
vulnerabilities. These include heap and stack buffer overflows and
service/network denial of services attacks.

Details of this vulnerability are currently scarce; this record will be
updated as more information becomes available.

24. Microsoft Commerce Server 2000 Remote Buffer Overflow Vulnerabilities
BugTraq ID: 4853
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4853
Summary:

A reliable source has reported that a number of remotely exploitable
buffer overflows exist in Microsoft Commerce Server 2000. These
conditions may be exploited to execute arbitrary attacker-supplied
instructions with the privileges of the Microsoft Commerce Server 2000
process.

Additional technical details will be added to this vulnerability record
when they become available.

25. Microsoft Windows HTML Help ActiveX Control Multiple Vulnerabilities
BugTraq ID: 4857
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4857
Summary:

HTML Help ActiveX control (Hhctrl.ocx) ships as part of Microsoft HTML
Help, and is designed to work with Internet Explorer to provide
functionality for help systems.

The HTML Help ActiveX control can be used to exploit stack and heap based
overflow attacks. It may be possible for remote users to execute arbitrary
code on a user's system.

This problem may allow an attacker to overwrite stack and heap variables
including the return address, possibly to execute arbitrary code. The
attacker may also crash the service by sending excessive amounts of data
that has not specifically been designed to cause code execution.

Details of this vulnerability are currently unavailable; this record will
be updated as more information becomes available.

It should be noted that Windows ships with HTML Help.

26. DataWizard FtpXQ Buffer Overflow Vulnerability
BugTraq ID: 4862
Remote: Yes
Date Published: May 27 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4862
Summary:

FtpXQ is an FTP daemon designed to provide FTP services for Microsoft
operating systems. The software package has been written for Microsoft
Windows 95/98/NT/2000. It is maintained and distributed by Datawizard
Technologies.

FtpXQ contains a buffer overflow which can result in a denial of service
if exploited. Creating a directory with a name longer than 254 characters
will cause the server to crash.

It is also believed that attackers can cause arbitrary code to be executed
on target servers; however, this is not confirmed.

27. Macromedia JRun Host Header Field Buffer Overflow Vulnerability
BugTraq ID: 4873
Remote: Yes
Date Published: May 29 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4873
Summary:

Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application
server for use with IIS (Internet Information Server) 4/5 on the Microsoft
Windows operating systems.

A vulnerability has been reported in Macromedia JRun version 3.1. It is
reportedly possible to cause a buffer overflow condition in JRun if an
excessively long HTTP host header field is transmitted by the client.

JRun server will install itself as an ISAPI (Internet Server Application
Programming Interface) filter/application in the '/scripts' virtual
directory of the webserver. When a '.jsp' page is requested, the JRun
filter is invoked. The overflow will occur if a client makes a request
for a .jsp file with an overly long HTTP host header field.

This condition may be exploited by attackers to execute arbitrary code on
the vulnerable system in the security context of IIS.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Help with XP Hotfixes and Patches (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/002d01c2077f$b3a03fe0$fdfea8c0@dellydoo

2. Need free app for viewing metadata in Word documents (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/20020529174935.91347.qmail@web20501.mail.yahoo.com

3. restrict software installation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/OE33JAr3XdE6FZHAgSY00003d54@hotmail.com

4. Permissions on files (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/000b01c206da$431bd590$3200a8c0@laptop

5. Wingate Replacement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/9D884881F5E1F24FB845967851720FC3045FF0B4@red-msg-12.redmond.corp.microsoft.com

6. SecurityFocus Microsoft Newsletter #88 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/Pine.LNX.4.43.0205281307360.22057-100000@mail.securityfocus.com

7. Dial up access problem - not a (solution) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/001301c2065d$9bdca8d0$0101a8c0@brucenew

8. How to disable WebDAV (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/F87C6154AA439B459A220AD2CDF93DA3D5E3@hermes.matrix.net

9. Problem - Using IPSec to secure Windows Messenger Traffic (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/000701c20648$d8720c00$7b04a8c0@internet.netsec.gov.tr

10. MS-SQL Blank Password Enumeration (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/1961728C54D822408201A22F84D170032FF5D2@USAPGHEVS01.fmkt.freemarkets.com

11. Dial up access problem solution (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/0E01AD27.4779A0BC.00A1734E@netscape.net

12. About ping request? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/20020527215756.GM10171@wilshire.com

13. Why does XP establish HTTP connection when browsing network shares? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/2335F28384FC3241BCB30ADECBD2D490592706@cheeseball.external.osr.com

14. Dialup access controls (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/0E32C50E5E204A46A3905C92F9BA7A2869768C@mail.internal.mba-cpa.com

15. Why does XP establish HTTP connection: ADDITIONALLY, (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/p04330100b917fcad6b80@[144.96.241.96]

16. Question Regarding Securing Critical Executables (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/20020527062219.58268.qmail@web20501.mail.yahoo.com

17. Reinstallation of Hotfixes (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/F11zQIyS6uqo4kPlpvz00009504@hotmail.com

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. KillDisk
by LSoft Technologies Inc.
Platforms: DOS, Linux, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL:
http://www.killdisk.com/eraser.htm
Summary:

Active@ Kill Disk is disk eraser software for securely formatting hard
drives with no possibility of subsequent data recovery. The DOS application
can be run from a floppy boot disk. The eraser accesses the drive's data at
the physical level via the BIOS, bypassing the logical drive structure, so
it wipes the disk independently of the operating systems and file systems
installed on the PC. DoD 5220.22-M compatible.

2. InTether Desktop
by Infraworks, Corp.
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.infraworks.com/p2p.html
Summary:

Infraworks' InTether technology safeguards digital property from
unauthorized use and redistribution by preventing copying, printing,
saving, screen capturing and forwarding. The InTether Desktop product is a
desktop application that allows the owner or sender of digital information
to control the recipient's use of the file. InTether Desktop allows you to
control exactly who has access to a file, how long they have to view it,
and when the file will self-destruct. It is simple to use and works with
virtually any file type. For the first time, you have complete control over
what happens to digital information after you send it to someone else.

3. PoliVec Builder
by PoliVec Inc.
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.polivec.com/polivecbuilder.html
Summary:

PoliVec Builder gives IT professionals the ability to design, develop, and
implement a comprehensive IT security policy. It also generates operating
system-specific implementation standards that provide the IT staff with
step-by-step instructions to ensure systems are configured in compliance
with the policy. A "best practice" policy template, complete with
rationale text, is provided to guide users through the policy development
process.

V. MICROSOFT TOOLS
-------------------
1. DreamSys Server Monitor v3.1
by DreamSys Software
Relevant URL:
http://www.mikersoft.com/servermonitor/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

Monitor servers over a network or the Internet. Runs Connect, Receive, or
Send & Receive tests on TCP connections, as well as simple Ping tests. Tests
services on remote machines and restarts them if necessary. Quick and easy
to use Windows interface. Host lists can be saved and loaded as separate
documents.

2. EGADS v0.9
by Secure Software Solutions
Relevant URL:
http://www.securesw.com/egads/
Platforms: UNIX, Windows 2000
Summary:

EGADS is a system service and library for providing secure random numbers.
It contains an implementation of the Tiny pseudo-random number generator
and the Tiny entropy gateway. Tiny is an evolution of Yarrow, and was
designed by John Kelsey (an original designer of Yarrow) and John Viega.
We are currently preparing a white paper on the Tiny algorithm.

EGADS provides the same kind of functionality as /dev/random and
/dev/urandom on Linux systems, but works on Windows, and as a portable
Unix program.

EGADS is available as a portable user-level daemon for Unix systems, and
as a service for Windows 2000 machines. An XP-compatible version will be
available shortly.

3. DSCMD - DataSAFE Command Line Encryptor v2.0
by Regnoc Software
Relevant URL:
http://www.regnoc.com
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

DSCMD allows you to encrypt source files for secure storage, transmission
via the Internet, and e-mail attachments. Only someone who knows the
eight-character locking combination can recover the contents of the
encrypted file. DSCMD is completely command-line driven, and simple to
integrate into your programs and scripts on both Windows NT and Linux
servers.

4. Bouncer v1.0.RC6
by Chris Mason chris@r00t3d.org.uk
Relevant URL:
http://www.r00t3d.org.uk/bin/
Platforms: FreeBSD, Linux, OpenBSD, Solaris, Windows 2000, Windows NT
Summary:

Bouncer is a network tool which allows you to bypass proxy restrictions
and obtain outside connections from an internal LAN. It uses SSL
tunneling, which allows you to obtain a constant streaming connection out
of a proxy. If you are restricted behind a proxy and can access secure
online ordering sites, then you can get out to whatever host on whatever
port you want. It also supports a lot of other features including socks 5,
basic authentication, access control lists, and Web-based administration,
and will run on Windows, Linux, and FreeBSD.

VI. SPONSORSHIP INFORMATION
---------------------------

-------------------------------------------------------------------------------