SecurityFocus Microsoft Newsletter #190

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 05/26/04

    Date: Wed, 26 May 2004 09:49:11 -0600 (MDT)
    To: Focus-MS <focus-ms@securityfocus.com>
    
    This Issue is Sponsored By: SecurityFocus

    Want to keep up on the latest security vulnerabilities? Don't have time to
    visit a myriad of mailing lists and websites to read the news? Just add
    the new SecurityFocus RSS feeds to your freeware RSS reader, and see all
    the latest posts for Bugtraq and the SF Vulnerability database in one
    convenient place. Or, pull in the latest news, columnists and feature
    articles in the SecurityFocus aggregated news feed, and stay on top of
    what's happening in the community!

    http://www.securityfocus.com/rss/index.shtml

    ------------------------------------------------------------------------
    I. FRONT AND CENTER
         1. Malware Analysis for Administrators
         2. Protecting Road Warriors: Managing Security for Mobile Users (Part Two)
         3. Weighing Profits against Peril
    II. MICROSOFT VULNERABILITY SUMMARY
         1. NetChat Web Server Remote Buffer Overflow Vulnerability
         2. VBulletin Index.PHP Remote File Include Vulnerability
         3. Microsoft Windows XP Self-Executing Folder Vulnerability
         4. PHP-Nuke Modpath Parameter Potential File Include Vulnerabil...
         5. Alt-N MDaemon Remote Status Command Buffer Overflow Vulnerab...
         6. PHP-Nuke Multiple Input Validation Vulnerabilities
         7. Microsoft Outlook 2003 Media File Script Execution Vulnerabi...
         8. Omnicron OmniHTTPD Get Request Buffer Overflow Vulnerability
         9. Zen Cart Login.PHP SQL Injection Vulnerability
         10. DSM Light Explorer.EXE Directory Traversal Vulnerability
         11. Microsoft Internet Explorer CSS Style Sheet Memory Corruptio...
         12. CVS Malformed Entry Modified and Unchanged Flag Insertion He...
         13. Subversion Date Parsing Function Buffer Overflow Vulnerabili...
         14. Netscape Navigator Embedded Image URI Obfuscation Weakness
         15. Hummingbird Exceed Xconfig Access Validation Vulnerability
    III. MICROSOFT FOCUS LIST SUMMARY
         1. Workstation service deletes itself?? (Thread)
         2. Search NTFS share permissions (Thread)
         3. Article Announcement: Busted (Thread)
         4. SV: Search NTFS share permissions (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. SP I-NET
         2. East-Tec Eraser 2004
         3. secure2trust
         4. N-Stealth Security Scanner
         5. Softros LAN Messenger
         6. Network Time System
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. Ettercap v0.7.0 pre2
         2. Syhunt TS Security Scanner 6.7 Build 96
         3. yaSSL 0.1.0
         4. Password Spyer 2k 2.4
         5. FTimes v3.4.0
         6. Socks via HTTP v1.0.1
    VI. UNSUBSCRIBE INSTRUCTIONS
    VII. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Malware Analysis for Administrators
    By S. G. Masood

    The purpose of this article is to help administrators and power users use
    behavioral analysis to determine if a binary is harmful malware, by
    analyzing it in a lab environment without the use of anti-virus software,
    debuggers, or code disassembly.

    http://www.securityfocus.com/infocus/1780

    2. Protecting Road Warriors: Managing Security for Mobile Users (Part Two)
    By Bob Rudis

    This is the second of a two-part series that focuses on the centralized
    management of security for mobile users. Part two completes the
    discussion by presenting additional layers of defence to help protect
    valuable, mobile data.

    http://www.securityfocus.com/infocus/1781

    3. Weighing Profits against Peril
    By Mark Rasch

    Denying XP pirates the SP2 upgrade would hurt the Internet to protect
    Microsoft's bottom line.

    http://www.securityfocus.com/columnists/243

    II. MICROSOFT VULNERABILITY SUMMARY
    -----------------------------------
    1. NetChat Web Server Remote Buffer Overflow Vulnerability
    BugTraq ID: 10353
    Remote: Yes
    Date Published: May 15 2004
    Relevant URL: http://www.securityfocus.com/bid/10353
    Summary:
    The NetChat web server implementation is affected by a stack-based buffer overflow vulnerability. This issue is due to a failure of the application to properly validate the size of network-based user input when transferring it to process memory.

    This issue could be leveraged to manipulate process memory, allowing an attacker to execute arbitrary code in the security context of the affected process and resulting in a user level compromise.

    2. VBulletin Index.PHP Remote File Include Vulnerability
    BugTraq ID: 10362
    Remote: Yes
    Date Published: May 17 2004
    Relevant URL: http://www.securityfocus.com/bid/10362
    Summary:
    A vulnerability has been reported to exist in the software that may allow an attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. The issue exists due to improper validation of user-supplied data. The problem exists in the 'loc' parameter of the 'index.php' script.

    3. Microsoft Windows XP Self-Executing Folder Vulnerability
    BugTraq ID: 10363
    Remote: Yes
    Date Published: May 17 2004
    Relevant URL: http://www.securityfocus.com/bid/10363
    Summary:
    A vulnerability has been reported in Microsoft Windows XP that may result in execution of malicious code in the context of the currently logged in user. The flaw exists in Windows Explorer and may allow for executable content that is referenced from inside of a folder to be executed automatically when the folder is accessed.

    This vulnerability poses a security risk since it is assumed that opening a folder is a safe action and that executable content cannot be run when a folder is accessed. Additionally, it has been reported that this issue may be exploitable remotely if the malicious folder is accessed from an SMB share.

    A proof of concept exploit has been provided that executes NetMeeting and installs a keylogger on a vulnerable system.

    4. PHP-Nuke Modpath Parameter Potential File Include Vulnerabil...
    BugTraq ID: 10365
    Remote: Yes
    Date Published: May 17 2004
    Relevant URL: http://www.securityfocus.com/bid/10365
    Summary:
    PHP-Nuke is prone to a potential file include vulnerability. This issue could allow a remote attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. This issue can be exploited via the 'modpath' parameter.

    If successful, the malicious script supplied by the attacker will be executed in the context of the web server hosting the vulnerable software.

    5. Alt-N MDaemon Remote Status Command Buffer Overflow Vulnerab...
    BugTraq ID: 10366
    Remote: Yes
    Date Published: May 17 2004
    Relevant URL: http://www.securityfocus.com/bid/10366
    Summary:
    Alt-N MDaemon is reportedly prone to a remote stack-based buffer overflow vulnerability. This vulnerability is due to a failure of the application to properly validate buffer sizes when processing input.

    It should be noted that this issue can only be exploited by clients authenticated to the affected IMAP server; any user with an email account can leverage this issue.

    This issue can be leveraged to cause the affected process to crash, denying service to legitimate users. It has been reported that this issue can also be leveraged to execute arbitrary code with the privileges of the user running the server on an affected computer.

    6. PHP-Nuke Multiple Input Validation Vulnerabilities
    BugTraq ID: 10367
    Remote: Yes
    Date Published: May 17 2004
    Relevant URL: http://www.securityfocus.com/bid/10367
    Summary:
    PHP-Nuke is prone to multiple vulnerabilities. The issues result from insufficient sanitization of user-supplied data. An attacker can carry out cross-site scripting and path disclosure attacks.

    7. Microsoft Outlook 2003 Media File Script Execution Vulnerabi...
    BugTraq ID: 10369
    Remote: Yes
    Date Published: May 17 2004
    Relevant URL: http://www.securityfocus.com/bid/10369
    Summary:
    Microsoft Outlook is reportedly prone to a media file script execution vulnerability. This issue is due to a design error that would allow for the execution of scripts located in media files regardless of security settings.

    This issue might allow an attacker to execute arbitrary files on the affected computer. Leveraging other issues, such as the Microsoft Outlook 2003 Predictable File Location Weakness (BID 10307), it might be possible for an attacker to execute arbitrary, attacker-supplied code.

    8. Omnicron OmniHTTPD Get Request Buffer Overflow Vulnerability
    BugTraq ID: 10376
    Remote: Yes
    Date Published: May 18 2004
    Relevant URL: http://www.securityfocus.com/bid/10376
    Summary:
    Reportedly, OmniHTTPD is affected by a GET request buffer overflow vulnerability. This issue is due to a failure of the application to properly validate string sizes when processing user input.

    This issue could allow an attacker to execute arbitrary code with the privileges of the affected web server.

    9. Zen Cart Login.PHP SQL Injection Vulnerability
    BugTraq ID: 10378
    Remote: Yes
    Date Published: May 18 2004
    Relevant URL: http://www.securityfocus.com/bid/10378
    Summary:
    Zen Cart has been reported prone to an SQL injection vulnerability. This is due to an input validation error that fails to validate user input before using it in SQL queries.

    This issue may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

    10. DSM Light Explorer.EXE Directory Traversal Vulnerability
    BugTraq ID: 10381
    Remote: Yes
    Date Published: May 18 2004
    Relevant URL: http://www.securityfocus.com/bid/10381
    Summary:
    DSM Light has been reported to be prone to a directory traversal vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input.

    This issue would allow an attacker to view arbitrary, web-readable files on the affected computer. This may aid an attacker in conducting further attacks against the vulnerable computer.

    11. Microsoft Internet Explorer CSS Style Sheet Memory Corruptio...
    BugTraq ID: 10382
    Remote: Yes
    Date Published: May 18 2004
    Relevant URL: http://www.securityfocus.com/bid/10382
    Summary:
    A vulnerability identified in Internet Explorer may allow an attacker to cause the application to crash. The issue presents itself when the browser attempts to process an HTML page containing a table and loads a CSS style sheet from a file.

    This issue could be exploited by a remote attacker to cause a denial of service condition in the browser.

    12. CVS Malformed Entry Modified and Unchanged Flag Insertion He...
    BugTraq ID: 10384
    Remote: Yes
    Date Published: May 19 2004
    Relevant URL: http://www.securityfocus.com/bid/10384
    Summary:
    CVS is prone to a remote heap overflow vulnerability. This issue presents itself during the handling of user-supplied input for entry lines with 'modified' and 'unchanged' flags. This vulnerability can allow an attacker to overflow a vulnerable buffer on the heap, possibly leading to arbitrary code execution.

    CVS versions 1.11.15 and prior and CVS feature versions 1.12.7 and prior are prone to this issue.

    13. Subversion Date Parsing Function Buffer Overflow Vulnerabili...
    BugTraq ID: 10386
    Remote: Yes
    Date Published: May 19 2004
    Relevant URL: http://www.securityfocus.com/bid/10386
    Summary:
    Subversion is prone to a buffer overflow vulnerability. This issue exists in one of the data parsing functions of the application. Specifically, Subversion calls an sscanf() function when converting data strings to different formats. This causes user-supplied data to be copied into an unspecified buffer without proper boundary checks performed by the application.

    Subversion versions 1.0.2 and prior are prone to this issue.

    14. Netscape Navigator Embedded Image URI Obfuscation Weakness
    BugTraq ID: 10389
    Remote: Yes
    Date Published: May 19 2004
    Relevant URL: http://www.securityfocus.com/bid/10389
    Summary:
    It is reported that Netscape Navigator is prone to a URI obfuscation weakness that may hide the true contents of a URI link. The issue occurs when an image is contained within a properly formatted HREF tag.

    This weakness could be employed to trick a user into following a malicious link.

    An attacker can exploit this issue by supplying a malicious image that appears to be a URI link pointing to a page designed to mimic that of a trusted site. If an unsuspecting victim mouses over the link in an attempt to verify the authenticity of where it references, they may be deceived into believing that the link references the actual trusted site.

    15. Hummingbird Exceed Xconfig Access Validation Vulnerability
    BugTraq ID: 10393
    Remote: No
    Date Published: May 21 2004
    Relevant URL: http://www.securityfocus.com/bid/10393
    Summary:
    Exceed is prone to a vulnerability that can allow a local attacker to bypass certain access restrictions and edit various configuration settings. The issue occurs as an attacker can bypass restrictions on the 'xconfig.exe' program.

    A successful attack may allow an attacker to modify configuration settings that can lead to further attacks against the application or the computer.

    This issue presents itself in the 'xconfig' application supplied with Exceed 9.0.0.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Workstation service deletes itself?? (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/364134

    2. Search NTFS share permissions (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/364128

    3. Article Announcement: Busted (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/363868

    4. SV: Search NTFS share permissions (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/363811

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. SP I-NET
    By: Unisys
    Platforms: Windows 95/98, Windows NT
    Relevant URL: http://www.unisys.com/sp-security
    Summary:

    Designed for business-to-business communications requiring trusted relationships, SP I-NET ensures confidentiality of data, authenticates the identity of the involved parties, and ensures the privacy of their communication.

    2. East-Tec Eraser 2004
    By: EAST Technologies
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.east-tec.com/eraser/index.htm
    Summary:

    East-Tec Eraser ("Eraser" in short) is an advanced security application for Windows 95/98/Me/NT/2000/XP designed to help you completely eliminate sensitive data from your computer and protect your computer and Internet privacy.

    Eraser introduces a new meaning for the verb TO ERASE. Erasing a file now means wiping its contents beyond recovery, scrambling its name and dates and finally removing it from disk. When you want to get rid of sensitive files or folders beyond recovery, add them to the Eraser list of doomed files and ask Eraser to do the job. Eraser offers tight integration with the Windows shell, so you can drag files and folders from Explorer and drop them in Eraser, or you can erase them directly from Explorer by selecting Erase beyond recovery from the context menu.

    3. secure2trust
    By: Avoco Secure
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.avocosecure.com/html_pages/products_service.html
    Summary:

    secure2trust gives you the power to create documents that remain under your corporate control throughout their entire existence. Even if you allow another party to have a copy of your original document you can be sure that the copy will always have your original controls as part of its properties. The digital rights options which will control printing, copying, viewing, etc give you persistent and secure digital asset protection and intellectual property control. Digital rights mechanisms are the only way to ensure document integrity in a persistent way for both inter and intra company communications.

    4. N-Stealth Security Scanner
    By: N-Stalker
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.nstalker.com/products/nstealth/
    Summary:

    N-Stealth is a vulnerability-assessment product that scans web servers to identify security problems and weaknesses that might allow an attacker to gain privileged access. The software comes with an extensive database of over 30,000 vulnerabilities and exploits. N-Stealth® is more actively maintained than the network security scanners and consequently has a larger database of vulnerabilities.

    5. Softros LAN Messenger
    By: Softros Systems Inc.
    Platforms: Windows 2000, Windows NT, Windows XP
    Relevant URL: http://messenger.softros.com
    Summary:

    Softros Messenger is a secure network messaging software application for corporate LANs (local area networks). It does not require a server and is very easy to install and use. Softros Messenger comes with a variety of handy features, like message notification alarms, personal or group messaging, and intuitive interface. Softros Messenger offers strong encryption options for all incoming and outgoing messages, guaranteeing no unauthorized person ever reads personal correspondence. The program is very stable when running under any Windows operating system and in any TCP/IP network, regardless of its size. Also Softros Messenger correctly identifies and works under Windows NT/2000/XP limited user accounts (without administrative privileges).

    6. Network Time System
    By: Softros Systems Inc.
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://nts.softros.com/
    Summary:

    Network Time System - Secure, fast and accurate time sync software across entire network.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    ------------------------------------
    1. Ettercap v0.7.0 pre2
    By: ALoR <alor@users.sourceforge.net>
    Relevant URL: http://ettercap.sourceforge.net/
    Platforms: FreeBSD, Linux, MacOS, NetBSD, Windows 2000, Windows NT, Windows XP
    Summary:

    Ettercap is a network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

    2. Syhunt TS Security Scanner 6.7 Build 96
    By: Syhunt
    Relevant URL: http://www.syhunt.com/section.php?id=scanner
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Summary:

    Syhunt TS Security Scanner is able to find the unfindable, not only known vulnerabilities, but also potential new ones. The new version can identify and exploit vulnerabilities in a matter of minutes and is a key tool for security professionals and administrators.

    3. yaSSL 0.1.0
    By: tao51
    Relevant URL: http://freshmeat.net/projects/yassl/?branch_id=48050&release_id=160245
    Platforms: Linux, POSIX, Windows 2000, Windows NT, Windows XP
    Summary:

    The yaSSL software package is a fast, dual-licensed implementation of SSL. It includes SSL client libraries and an SSL server implementation. It supports multiple APIs, including those defined by SSL and TLS. It also supports an OpenSSL compatibility interface.

    4. Password Spyer 2k 2.4
    By: Maro's Tools
    Relevant URL: http://www.maros-tools.com/products/spyer/
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Summary:

    Password Spyer 2k is a password recovery tool for Windows. Password Spyer 2k reveals passwords hidden by asterisks (***) in all Windows versions (including 2000 and XP). You can use it to recover lost or forgotten passwords in most Windows applications such as Outlook, Cute FTP, WS FTP, ICQ and others. You can also use it to reveal saved web passwords. Password Spyer 2k supports two methods for revealing passwords for better password retrieval.

    5. FTimes v3.4.0
    By: Klayton Monroe
    Relevant URL: http://ftimes.sourceforge.net/FTimes/
    Platforms: AIX, FreeBSD, Linux, MacOS, POSIX, Solaris, SunOS, Windows 2000, Windows NT
    Summary:

    FTimes is a system baselining and evidence collection tool. Its primary purpose is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis. It was designed to support the following initiatives: content integrity monitoring, incident response, intrusion analysis, and computer forensics.

    6. Socks via HTTP v1.0.1
    By: Florent Cueto
    Relevant URL: http://cqs.dyndns.org/socks/
    Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
    Summary:

    Socks via HTTP is a program to tunnel socks via HTTP. It is entirely written in Java.

    VI. UNSUBSCRIBE INSTRUCTIONS
    ----------------------------
    To unsubscribe send an e-mail message to ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

    If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

    VII. SPONSOR INFORMATION
    -----------------------

    This Issue is Sponsored By: SecurityFocus

    Want to keep up on the latest security vulnerabilities? Don't have time to
    visit a myriad of mailing lists and websites to read the news? Just add
    the new SecurityFocus RSS feeds to your freeware RSS reader, and see all
    the latest posts for Bugtraq and the SF Vulnerability database in one
    convenient place. Or, pull in the latest news, columnists and feature
    articles in the SecurityFocus aggregated news feed, and stay on top of
    what's happening in the community!

    http://www.securityfocus.com/rss/index.shtml
