SecurityFocus Microsoft Newsletter #148
From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 08/04/03
Date: Mon, 4 Aug 2003 14:31:29 -0600 (MDT) To: Focus-MS <focus-ms@securityfocus.com>
SecurityFocus Microsoft Newsletter #148
---------------------------------------
This Issue is Sponsored by: SPI Dynamics
NEW ALERT:
"How a Hacker Launches a LDAP Injection Attack Step-by-Step"
It's as simple as placing additional LDAP query commands into a
Web form input box giving hackers complete access to all your
backend systems! Firewalls and IDS will not stop such attacks
because LDAP Injections are seen as valid data.
Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection!
http://www.securityfocus.com/SPIDynamics-ms-secnews7
--------------------------------------------------------------------------
I. FRONT AND CENTER
1. Maintaining System Integrity During Forensics
2. Firewall Evolution - Deep Packet Inspection
3. Betting on Malware
II. MICROSOFT VULNERABILITY SUMMARY
1. Gallery Search Engine Cross-Site Scripting Vulnerability
2. Microsoft Outlook Express Script Execution Weakness
3. EFSoftware EF Commander FTP Banner Buffer Overflow Vulnerability
4. NetScreen ScreenOS TCP Window Size Remote Denial Of Service...
III. MICROSOFT FOCUS LIST SUMMARY
1. DCOM RPC exploit as a virus/trojan? (Thread)
2. change NT passwords Kerberos (Thread)
3. How to silently deploy DirectX9b? (Thread)
4. Windows XP "write attributes" permission for Users (Thread)
5. IAS as a RADIUS server (Thread)
6. HTASploit (Thread)
7. ISA Server and Win2k3 standard OS (Thread)
8. SecurityFocus Microsoft Newsletter #147 (Thread)
9. monitor folders (Thread)
10. Tracking down a user in a large AD network (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. iomart NetIntelligence
2. N2H2 Sentian
3. Realtime-Spy
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Nikto v1.30
2. SaveMyModem v1.0pre4
3. LibTomCrypt v0.87
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Maintaining System Integrity During Forensics
By Jamie Morris
This article discusses best practices for maintaining system integrity
during forensic examinations.
http://www.securityfocus.com/infocus/1717
2. Firewall Evolution - Deep Packet Inspection
By Ido Dubrawsky
Deep Packet Inspection can be seen as the integration of Intrusion
Detection (IDS) and Intrusion Prevention (IPS) capabilities with
traditional stateful firewall technology.
http://www.securityfocus.com/infocus/1716
3. Betting on Malware
By George Smith
DARPA's plan to create a futures market for terrorist activities is dead,
but the concept is a natural for predicting viruses and worms.
http://www.securityfocus.com/columnists/176
II. BUGTRAQ SUMMARY
-------------------
1. Gallery Search Engine Cross-Site Scripting Vulnerability
BugTraq ID: 8288
Remote: Yes
Date Published: Jul 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8288
Summary:
Gallery is a web-based photo album. It is written in PHP and is available
for Linux and Unix variants as well as Microsoft Windows operating
systems.
Gallery is prone to a cross-site scripting vulnerability. This issue is
present in the search engine (search.php) facility provided by the
software. Input supplied to the search engine via URI parameters is not
sufficiently sanitized of HTML or script code before being echoed back to
users, allowing for cross-site scripting attacks.
An attacker could exploit this issue by constructing a malicious link to
the search engine that contains hostile HTML and script code.
Attacker-supplied code could be rendered in the browser of a user who
follows such a link. This would occur in the security context of the site
hosting the vulnerable software.
2. Microsoft Outlook Express Script Execution Weakness
BugTraq ID: 8281
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8281
Summary:
It has been reported that a weakness may have been re-introduced into
Microsoft Outlook Express. According to the source, the issue described
in Bugtraq ID 3334 had been fixed by Microsoft but appears to have
resurfaced.
The original report (BID 3334) described behavior where script code
included in a message set as type "text/plain" in its content-type header
field would be parsed and executed. A reliable source has indicated that
this condition appears to have returned after being fixed.
This is unsafe behavior as the client should treat all messages of this
type as plain text and not execute any script or render any HTML.
Furthermore, these messages may bypass filters designed to block messages
that contain HTML/script code based on the content-type field.
It should be noted that Symantec has no record of the original issue being
fixed. This record will be updated as more information becomes available.
3. EFSoftware EF Commander FTP Banner Buffer Overflow Vulnerability
BugTraq ID: 8285
Remote: Yes
Date Published: Jul 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8285
Summary:
EF Commander is a commercially available FTP client distributed by
EFSoftware. It is available for the Microsoft Windows platform.
A problem with EF Commander could result in the execution of arbitrary
code.
It has been reported that a memory corruption bug exists in EF Commander.
Under some circumstances, when an FTP client connects to a malicious FTP
server it may be possible for the server to exploit a boundary condition
error.
The problem is in the handling of FTP banners in EF Commander. When EF
Commander receives an FTP banner of excessive length, it becomes unstable.
It has been reported that this vulnerability can be reproduced by sending
an FTP banner of 520 or more bytes to a vulnerable client. It is possible
that this vulnerability is an exploitable buffer overflow, and could
result in the execution of attacker-supplied code. Any code executed would
be with the permissions of the EF Commander client user.
4. NetScreen ScreenOS TCP Window Size Remote Denial Of Service Vulnerability
BugTraq ID: 8302
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8302
Summary:
NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.
NetScreen ScreenOS has been reported prone to a vulnerability that may
allow a remote user to trigger a denial of service condition in an
affected appliance.
It has been reported that by modifying system configuration values that
control the TCP window size, an attacker may trigger a denial of service
in a remote appliance, by connecting to the target appliance.
It has been reported that the issue only affects NetScreen appliances that
are configured to use management services, for example HTTP, SSH or
Telnet.
This issue only affects some ScreenOS 4.0.1rx and 4.0.3rx releases.
NetScreen IDP, NetScreen Firewall/VPN products running ScreenOS 3.x and
earlier, 4.0.0, and 4.0.2 are not vulnerable. The vendor has supplied
upgrades for affected versions.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. DCOM RPC exploit as a virus/trojan? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331422
2. change NT passwords Kerberos (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331421
3. How to silently deploy DirectX9b? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331419
4. Windows XP "write attributes" permission for Users (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331275
5. IAS as a RADIUS server (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331114
6. HTASploit (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331021
7. ISA Server and Win2k3 standard OS (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330884
8. SecurityFocus Microsoft Newsletter #147 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330740
9. monitor folders (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330728
10. Tracking down a user in a large AD network (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330724
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. iomart NetIntelligence
by iomart
Platforms: AIX, Linux, Netware, Solaris, Windows 2000, Windows 95/98,
Windows NT, Windows XP
Relevant URL:
http://www.netintelligence.com/
Summary:
The NetIntelligence product consists of a main reports interface which is
supported by easy to use administration tools. NetIntelligence has a
deployment application which is purpose built for straightforward rollout
of the product. Thereafter the main technical interface is via the
administration console which allows the administrator to establish
policies, user and machine groups, and delegate reporting authority to
specified users within the organisation. Custom content allows bespoke
fingerprinting as required. Web-blocking gives policy control over
Internet Usage.
2. N2H2 Sentian
by N2H2
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.n2h2.com/products/sentian_home.php
Summary:
Sentian filtering software works with a wide variety of implementations to
meet the needs of organizations both large and small. Whichever device you
prefer, every Sentian product uses the categorized filtering database
recognized as the most effective available.
3. Realtime-Spy
by SpyTech
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.realtime-spy.com/
Summary:
Realtime-Spy is the latest in high-tech surveillance software that allows
you to remotely install the monitoring system and access the activity logs
from anywhere via your own personal Realtime-Spy Webspace.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. Nikto v1.30
by CIRT.net
Relevant URL:
http://www.cirt.net/code/nikto.shtml
Platforms: Perl (any system supporting perl), UNIX, Windows 2000, Windows
95/98, Windows NT, Windows XP
Summary:
Nikto is a PERL, open source web server scanner which supports SSL. Based
on LibWhisker, it has features which Whisker 1.4 lacks, including proxy
support, host authentication, and SSL. Nikto checks for (and if possible
attempts to exploit) remote web server vulnerabilities and
misconfigurations. It also looks for outdated software and modules, warns
of any version specific problems, supports scans through proxies (with
authentication), host Basic authentication and more. Data is kept in CSV
format databases for easy maintenance, and supports the ability to
automatically update local databases with current versions on the Nikto
web site.
2. SaveMyModem v1.0pre4
by gareuselesinge
Relevant URL:
http://savemymodem.sourceforge.net
Platforms: POSIX, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
SaveMyModem is an anti-spam, mail-shaping, and delete-on-server mail tool.
It is designed for users with slow dialup connections, who are tired of
downloading large amounts of spam and worm and virus attachments.
3. LibTomCrypt v0.87
by Tom St Denis tomstdenis@iahu.ca
Relevant URL:
http://www.libtomcrypt.org
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
LibTomCrypt is a comprehensive, modular, and portable cryptographic
toolkit that provides developers with a vast array of well known published
block ciphers, one-way hash functions, chaining modes, pseudo-random
number generators, public key cryptography, and a plethora of other
routines. It has been designed from the ground up to be very simple to
use. It has a modular and standard API that allows new ciphers, hashes,
and PRNGs to be added or removed without change to the overall end
application. It features easy to use functions and a complete user manual
which has many source snippet examples.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: SPI Dynamics
---------------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation - resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications": http://www.securityfocus.com/Kavado-focus-ms
---------------------------------------------------------------------------