SecurityFocus Microsoft Newsletter #175

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 02/09/04

    Date: Mon, 9 Feb 2004 15:50:17 -0700 (MST)
    To: Focus-MS <focus-ms@securityfocus.com>

    SecurityFocus Microsoft Newsletter #175
    ----------------------------------------

    This issue sponsored by: Astaro

    Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

    Protect your network with the comprehensive security solution that
    integrates six applications for ease of use and lower TCO. - Firewall -
    Virus protection - Spam protection - URL blocking - VPN - Wireless
    security.

    Download 30-day evaluation at:
    http://www.securityfocus.com/sponsor/Astaro_ms-secnews_040209
    ------------------------------------------------------------------------

    I. FRONT AND CENTER
         1. Nessus, Part 3: Analysing Reports
         2. We are pleased to announce a new search engine on SecurityFocus.
    II. MICROSOFT VULNERABILITY SUMMARY
         1. MiniHTTPServer WebForums Forum HTML Injection Vulnerability
         2. Open Text Corporation FirstClass Malicious File Execution Vu...
         3. Microsoft Internet Explorer NavigateAndFind() Cross-Zone Pol...
         4. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
         5. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
         6. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
         7. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
         8. XLight FTP Server Long Directory Request Remote Denial Of Se...
    III. MICROSOFT FOCUS LIST SUMMARY
         1. Looking for SQL security details (Thread)
         2. Tightening up security for quarantine script (Thread)
         3. Encrypt data - SQL Server 2000 (Thread)
         4. Need free app for viewing metadata in Word documents (Thread)
         5. MS 2000 DUN Connection Name issue (Thread)
         6. Controlling Admin Access (Thread)
         7. SecurityFocus Microsoft Newsletter #174 (Thread)
         8. SMTP Service in private DMZ OK? (Thread)
         9. Article Announcement: Faith No More (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. Proactive Windows Security Explorer
         2. Outpost Personal Firewall Pro 2.0
         3. Dekart Logon
         4. AppSentry
         5. AppDefend
         6. Airscanner Mobile AntiVirus Pro
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. Enigmail v0.83.2
         2. cosign v1.5
         3. Jacksum v1.4.0
         4. MUTE File Sharing v0.2.2
         5. Airscanner Mobile AntiVirus Pro v1.4
         6. WinRelay v2.0
    VI. UNSUBSCRIBE INSTRUCTIONS
    VII. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Nessus, Part 3: Analysing Reports
    By Harry Anderson

    This article, the last in the series about Nessus, will endeavor to
    explain a Nessus report and how to analyze it. Nessus is a vulnerability
    scanner, a program that looks for security bugs in software.

    http://www.securityfocus.com/infocus/1759

    2. We are pleased to announce a new search engine on SecurityFocus,
    offering faster and more intuitive results. Features include site wide or
    section specific searching by author, headline or entire document and
    sorting by date, headline or URL. We have also added "email a friend"
    functionality to allow users to share content that they feel is relevant
    to others.

    II. MICROSOFT VULNERABILITY SUMMARY
    -----------------------------------
    1. MiniHTTPServer WebForums Forum HTML Injection Vulnerability
    BugTraq ID: 9545
    Remote: Yes
    Date Published: Feb 02 2004
    Relevant URL: http://www.securityfocus.com/bid/9545
    Summary:
    MiniHTTPServer WebForums Server is a commercially-available HTTP server.
    It is available for the Microsoft Windows platform.

    MiniHTTPServer WebForums Forum has been reported prone to an HTML injection
    vulnerability. A remote attacker may use the "File Description:" field when
    posting a file to the forum to inject arbitrary HTML into dynamically
    generated content. This issue is due to insufficient sanitization of the
    affected form field.

    An attacker may exploit this vulnerability to execute arbitrary HTML and
    script code in the browser of an unsuspecting user who views the malicious
    forum post. Code execution will occur in the context of the vulnerable
    site. This issue may be exploited to steal cookie-based credentials; other
    attacks are also possible. It has been reported that this issue can be
    successfully exploited to gain access to the login/password and session
    IDs of any user.

    MiniHTTPServer WebForums Forum versions 1.6 and prior have been reported
    to be affected by this issue.

    2. Open Text Corporation FirstClass Malicious File Execution Vu...
    BugTraq ID: 9551
    Remote: Yes
    Date Published: Feb 02 2004
    Relevant URL: http://www.securityfocus.com/bid/9551
    Summary:
    FirstClass is a mail user agent distributed and maintained by the Open
    Text Corporation. It is available for the Microsoft Windows platform.

    A vulnerability has been reported to exist in the software that may allow
    an attacker to execute arbitrary applications on a vulnerable system. The
    FirstClass client displays a warning prompt before a file is executed. It
    has been reported that, due to improper sanitization of user-supplied file
    names, malicious files with specially crafted names may be executed
    without a warning prompt being displayed. This issue may be exploited by
    placing special characters such as <>\/?*" at the end of the file
    extension, for example:

    test.exe<

    Reportedly, the file is then downloaded and executed on the vulnerable
    system. This issue may allow an attacker to execute arbitrary files on a
    vulnerable system in the context of the user.

    FirstClass version 7.1 has been reported to be prone to this issue.
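    The defensive lesson of the FirstClass report is that an extension policy
    must be applied to the name the operating system will actually store, not
    to the raw string the sender supplied. The following Python is an added
    illustration and is not FirstClass code; the illegal-character set, the
    canonicalization rules and the executable-extension list are assumptions
    made for the example.

```python
import os

# Characters Win32 does not allow in file names. The report lists <>\/?*" as
# the ones abused; | and : are the remaining reserved characters (assumption:
# the client drops such characters when it saves the download).
WINDOWS_ILLEGAL_CHARS = set('<>\\/?*"|:')

# Extensions the (hypothetical) client policy should always warn about.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}


def naive_needs_warning(filename: str) -> bool:
    """Flawed check: tests the extension exactly as the sender supplied it.

    For "test.exe<" the literal extension is ".exe<", which is not in the
    list, so no prompt is shown even though the file will run as test.exe.
    """
    _, ext = os.path.splitext(filename)
    return ext.lower() in EXECUTABLE_EXTENSIONS


def canonical_filename(filename: str) -> str:
    """Approximate the name Windows will store for the supplied string.

    Illegal characters are dropped, and trailing dots and spaces are removed,
    which Win32 itself does when creating a file.
    """
    cleaned = "".join(ch for ch in filename if ch not in WINDOWS_ILLEGAL_CHARS)
    return cleaned.rstrip(". ")


def hardened_needs_warning(filename: str) -> bool:
    """Warn on the canonical name, and on any name that cannot be legitimate.

    A name containing reserved characters cannot have been produced by a
    normal Windows client, so it is treated as suspicious regardless of its
    extension; otherwise the policy is applied to the canonical form.
    """
    if any(ch in WINDOWS_ILLEGAL_CHARS for ch in filename):
        return True
    _, ext = os.path.splitext(canonical_filename(filename))
    return ext.lower() in EXECUTABLE_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample names, including the one quoted in the report.
    for name in ["test.exe", "test.exe<", 'test.exe<>?*"', "test.exe. ", "report.txt"]:
        print(f"{name!r:20} naive={naive_needs_warning(name)!s:5} "
              f"hardened={hardened_needs_warning(name)}")
```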

    3. Microsoft Internet Explorer NavigateAndFind() Cross-Zone Pol...
    BugTraq ID: 9568
    Remote: Yes
    Date Published: Feb 03 2004
    Relevant URL: http://www.securityfocus.com/bid/9568
    Summary:
    A vulnerability has been reported in Microsoft Internet Explorer. Because
    of this, an attacker may be able to violate cross-zone policy.

    It has been reported that the issue presents itself due to a failure by
    Internet Explorer to remove JavaScript URIs from the browser history list
    in some circumstances.

    It has been demonstrated that a JavaScript URI consisting of the following
    method can be embedded in the Browser history list:
    external.NavigateAndFind('res:','','')

    (where the "res:" URI is a redirect to the Local Machine security zone)

    This could be further employed by an attacker to have malicious Active
    Content executed in the context of the Local Machine security zone. Code
    execution will occur if the "Back Button" on the affected browser is
    selected.

    This issue is similar in nature to the vulnerability described in BID
    9109.

    4. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
    BugTraq ID: 9579
    Remote: Yes
    Date Published: Feb 04 2004
    Relevant URL: http://www.securityfocus.com/bid/9579
    Summary:
    RealPlayer/RealOne Player are media players that are available for various
    operating systems, including Microsoft Windows and Mac OS.

    It has been reported that various RealPlayer/RealOne Player releases are
    prone to multiple exploitable stack and heap overrun vulnerabilities.
    This is due to insufficient bounds checking when handling malformed files
    of various supported file types (.RP, .RT, .RAM, .RPM and .SMIL). When
    the player loads such a file, stack or heap memory may be corrupted with
    embedded data in the file, possibly allowing for sensitive variables in
    memory to be overwritten. In this manner, it would be possible to execute
    arbitrary code on the client system in the context of the user invoking
    the vulnerable player.

    This issue could be exploited by forcing a user to visit a malicious
    website that is hosting the file, causing it to be automatically invoked.
    File attachments also provide an attack vector, but would require the user
    to interactively open the malformed file (with the exception of .RPM
    files, which may open automatically).

    5. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
    BugTraq ID: 9580
    Remote: Yes
    Date Published: Feb 04 2004
    Relevant URL: http://www.securityfocus.com/bid/9580
    Summary:
    RealPlayer/RealOne Player are media players that are available for various
    operating systems, including Microsoft Windows and Mac OS.

    RealPlayer/RealOne Players have been reported prone to an unspecified code
    execution vulnerability. The issue occurs within the RMP file processing
    routines of affected versions of the player.

    Although unconfirmed, it has been conjectured that arbitrary code execution
    may occur when a malicious RMP file is processed. This will reportedly
    cause malicious code to be downloaded and executed. Code execution would
    occur in the context of the user who is running the affected player.

    This BID will be updated as further details regarding this vulnerability
    are disclosed.

    6. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
    BugTraq ID: 9581
    Remote: Yes
    Date Published: Feb 05 2004
    Relevant URL: http://www.securityfocus.com/bid/9581
    Summary:
    Firewall-1 is a commercially available enterprise firewall software
    package. It is distributed by Check Point, and available for the Unix,
    Linux, and Microsoft Windows platforms.

    Problems in the handling of some types of HTTP requests from remote users
    have been identified in Check Point Firewall-1 HTTP Application
    Intelligence and HTTP Security Server. Because of this, it is possible
    for a remote attacker to gain unauthorized access to a vulnerable system
    with administrative privileges.

    It has been reported that several occurrences of format string
    vulnerabilities exist in the HTTP Application Intelligence and HTTP
    Security Server components of Firewall-1. One disclosed example cites
    placing an invalid scheme in a URI and submitting it to the vulnerable
    component, resulting in an attacker passing an arbitrary format string to
    an sprintf() call.

    Other format string issues may result in heap corruption attacks. Since
    the Firewall-1 software is most often executed as the administrative user
    on systems, this issue has the potential to result in complete compromise
    of an affected host.

    7. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
    BugTraq ID: 9582
    Remote: Yes
    Date Published: Feb 05 2004
    Relevant URL: http://www.securityfocus.com/bid/9582
    Summary:
    VPN-1, SecuRemote, and SecureClient are secure remote access components
    distributed and maintained by Check Point Software. They are available
    for the Unix, Linux, and Microsoft Windows platforms.

    A problem has been identified in the handling of large Certificate Request
    payload exchanges in Check Point VPN-1, SecuRemote, and SecureClient.
    Because of this, it is possible for a remote attacker to gain unauthorized
    access to vulnerable systems.

    During the establishing of an ISAKMP session, it is possible for one
    system to send to another a Certificate Request payload to solicit
    credentials. However, bounds checking is not adequately performed on
    received Certificate Request payload packets by clients or servers in the
    Check Point implementations.

    An attacker could take advantage of this issue to exploit a buffer
    overflow in the client and server implementations, resulting in the
    execution of attacker-supplied code with the privileges of the software,
    which runs as the administrative user in typical configurations.

    8. XLight FTP Server Long Directory Request Remote Denial Of Se...
    BugTraq ID: 9585
    Remote: Yes
    Date Published: Feb 05 2004
    Relevant URL: http://www.securityfocus.com/bid/9585
    Summary:
    XLight FTP Server is a commercially available FTP server. It is available
    for the Microsoft Windows platform.

    A problem in the handling of large requests has been reported to result in
    service instability in XLight FTP Server under some circumstances.
    Because of this, it may be possible for a remote attacker to deny service
    to legitimate users of the software.

    The problem is in the handling of requests by authenticated users that are
    of excessive length. When the "Enable Log To Screen" option is enabled on
    a vulnerable server (not the default configuration), and a server
    administrator attempts to look at an FTP log in the main FTP server
    window, the server crashes.

    It is conjectured that this could be a boundary condition error with the
    potential for exploitation. However, no conclusive proof exists.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Looking for SQL security details (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/353139

    2. Tightening up security for quarantine script (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/353138

    3. Encrypt data - SQL Server 2000 (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/353137

    4. Need free app for viewing metadata in Word documents (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/353136

    5. MS 2000 DUN Connection Name issue (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/352885

    6. Controlling Admin Access (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/352834

    7. SecurityFocus Microsoft Newsletter #174 (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/352808

    8. SMTP Service in private DMZ OK? (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/352581

    9. Article Announcement: Faith No More (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/352240

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. Proactive Windows Security Explorer
    By: Elcomsoft Co. Ltd.
    Platforms: Windows 2000, Windows NT, Windows XP
    Relevant URL: http://www.elcomsoft.com/pwsex.html#
    Summary:

    Proactive Windows Security Explorer (PWSEX) is a password security test
    tool that's designed to allow Windows NT, Windows 2000, and Windows
    XP-based systems administrators to identify and close security holes in
    their networks. Proactive Windows Security Explorer helps secure networks
    by executing an audit of account passwords, and exposing insecure account
    passwords. If it is possible to recover the password within a reasonable
    time, the password is considered insecure.

    An administrator can also use it to recover any lost password and access a
    user's Windows account. Proactive Windows Security Explorer works by
    analyzing user password hashes and recovering plain-text passwords.

    2. Outpost Personal Firewall Pro 2.0
    By: Agnitum
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.outpost.uk.com
    Summary:

    New Outpost Personal Firewall Pro 2.0 outdistances the award-winning
    Outpost Personal Firewall Pro 1.0 on multiple levels, from enhanced
    privacy features to ease-of-use. As the foremost security application for
    personal computers, Outpost Personal Firewall Pro 2.0 gives you the latest
    in personal firewall technology, making version 2.0 the clear security
    choice for your system.

    3. Dekart Logon
    By:
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.dekart.com/products/authentication_access/logon/
    Summary:

    Dekart Logon is a solution designed to provide an additional level of
    security for the Microsoft Windows operating system. Access to the Windows
    environment can only be gained after inserting a USB key or smart card
    into the appropriate slot and by entering the correct PIN code.

    Dekart Logon offers a number of security options: you can select to have
    Windows access blocked once the key is removed, during a screen saver
    timeout or other user assigned prompts. This flexibility automatically
    reduces the possibility of human error by maintaining predefined security
    levels even if the user leaves their PC unattended.

    4. AppSentry
    By: Integrigy
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.integrigy.com/appsentry.htm
    Summary:

    AppSentry is a new generation of security scanner and vulnerability
    assessment tool. Unlike other security scanners, AppSentry knows the
    application it is validating - its technology and data model. The security
    audits and checks are written specifically for the application being
    tested. Hackers and mischievous employees often exploit security issues at
    different layers of the technology stack, thus only a complete and
    comprehensive security validation will uncover all risks in a multi-tiered
    environment.

    The advantage of AppSentry is that you no longer need separate tools for
    the operating system, web server, and database. AppSentry is a single tool
    that can validate and audit the security of the entire application
    technology stack from operating system to application layer.

    AppSentry is available for the following applications -

    Oracle E-Business Suite (11i)
    Oracle Database (8.x, 8i, 9i, 10g)
    Oracle Application Server (9iAS, 10g)
    SAP
    PeopleSoft
    Microsoft SQL Server

    5. AppDefend
    By: Integrigy
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.integrigy.com/appdefend.htm
    Summary:

    AppDefend is a new concept in Intrusion Prevention - direct application
    protection. AppDefend protects the application from attacks and intrusions
    by blocking attacks before they reach the application.

    AppDefend is designed specifically for the application it is protecting.
    Thus, when implementing for the Oracle E-Business Suite, there is no
    analysis or other configuration required to provide maximum protection for
    the application. Integrigy has already performed all this work for you --
    all modules, all versions.

    AppDefend is designed to be simple to install and easy to maintain. A
    straight-forward, yet robust, implementation takes only 15 minutes. No
    complex configuration or analysis of the application is required.

    6. Airscanner Mobile AntiVirus Pro
    By: Airscanner Corp.
    Platforms: Windows CE
    Relevant URL: http://airscanner.com/downloads/av/av.html
    Summary:

    Airscanner Mobile AntiVirus Pro will quarantine or eradicate embedded
    viruses and malware, has fast, optimized scanning speed based on patent
    pending technology, has automatic, online updates of virus signatures and
    scanning engine as well as support for PocketPC 2003/Windows Mobile 2003
    and easy online updates.

    In addition to an accurate virus scanner, Airscanner Mobile AntiVirus
    includes these powerful tools for debugging Trojan horses:
     - Intercept memory resident viruses with an advanced process discovery
       tool.
     - Debug Trojan hacks with an easy-to-use registry viewer.
     - Uncover denial of service attacks with a rapid system analyzer.
     - Enter your own custom virus signatures (for experts).
     - Perform fast, recursive, and flexibly multithreaded filesystem
       scanning.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    ------------------------------------
    1. Enigmail v0.83.2
    By: Patrick
    Relevant URL: http://enigmail.mozdev.org/thunderbird.html
    Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
    95/98, Windows CE, Windows NT, Windows XP
    Summary:

    Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x
    which allows users to access the authentication and encryption features
    provided by the popular GnuPG software. Enigmail can encrypt/sign mail
    when sending, and can decrypt/authenticate received mail. It can also
    import/export public keys. Enigmail supports both the inline PGP format
    and the PGP/MIME format, which can be used to encrypt attachments.
    Enigmail is cross-platform, although binaries are supplied only for a
    limited number of platforms. Enigmail uses inter-process communication to
    execute GPG to carry out encryption/authentication.

    2. cosign v1.5
    By: UMich Web Team
    Relevant URL: http://weblogin.org/
    Platforms: UNIX, Windows 2000, Windows NT
    Summary:

    cosign is a Web single sign on system that allows users to authenticate
    once per session and access any protected Web resources at the
    institution. If used, passwords are sent only to a single, central URL.
    Sessions have both idle and hard timeouts, and users can logout of all
    protected services by visiting a single URL. The use of public key
    cryptography ensures that a compromise of a protected Web server has no
    impact on the security of other participating servers.

    3. Jacksum v1.4.0
    By: jonelo
    Relevant URL: http://www.jonelo.de/java/jacksum/index.html
    Platforms: Linux, MacOS, Os Independent, OS/2, POSIX, Solaris, SunOS,
    UNIX, Windows 2000, Windows 95/98, Windows NT
    Summary:

    Jacksum is a free checksum utility entirely written in Java. It supports
    most common checksum algorithms (Adler32, BSD sum, POSIX cksum, CRC-16,
    CRC-32, MD2, MD5, SHA, and Unix System V sum).

    4. MUTE File Sharing v0.2.2
    By: Jason Rohrer
    Relevant URL: http://mute-net.sourceforge.net/
    Platforms: Linux, MacOS, Os Independent, Windows 2000, Windows 95/98
    Summary:

    MUTE File Sharing is an anonymous, decentralized search-and-download file
    sharing system. Several people have described MUTE as the "third
    generation file sharing network" (from Napster to Gnutella to MUTE, with
    each generation getting less centralized and more anonymous). MUTE uses
    algorithms inspired by ant behavior to route all messages, including file
    transfers, through a mesh network of neighbor connections.

    5. Airscanner Mobile AntiVirus Pro v1.4
    By: Airscanner Corp
    Relevant URL: http://airscanner.com/downloads/av/av.html
    Platforms: Windows CE
    Summary:

    Airscanner Corporation is the most trusted name in helping to defend your
    mobile device from "airborne" computer viruses. From the company that
    wrote the best-selling technical book Maximum Wireless Security comes a
    professional strength virus scanner for the Pocket PC.

    With the increased wireless connectivity of PDAs and Smartphones comes an
    increased threat from virus attacks. Save money, time, and data by
    protecting your valuable Pocket PC now with Airscanner Mobile AntiVirus
    Pro.

    6. WinRelay v2.0
    By: Arne Vidstrom <arne.vidstrom@ntsecurity.nu>
    Relevant URL: http://www.ntsecurity.nu/toolbox/winrelay/
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Summary:

    WinRelay is a TCP/UDP forwarder/redirector. You can choose the port and IP
    it will listen on, the source port and IP that it will connect from, and
    the port and IP that it will connect to.

    VI. UNSUBSCRIBE INSTRUCTIONS
    ----------------------------
    To unsubscribe send an e-mail message to
    ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
    contents of the subject or message body do not matter. You will receive a
    confirmation request message to which you will have to answer.
    Alternatively you can also visit http://www.securityfocus.com/newsletters
    and unsubscribe via the website.

    If your email address has changed email listadmin@securityfocus.com and
    ask to be manually removed.

    VII. SPONSOR INFORMATION
    -----------------------
    This issue sponsored by: Astaro

    Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

    Protect your network with the comprehensive security solution that
    integrates six applications for ease of use and lower TCO. - Firewall -
    Virus protection - Spam protection - URL blocking - VPN - Wireless
    security.

    Download 30-day evaluation at:
    http://www.securityfocus.com/sponsor/Astaro_ms-secnews_040209
    ------------------------------------------------------------------------
