SecurityFocus Microsoft Newsletter #218

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 12/07/04

    Date: Tue, 7 Dec 2004 15:09:49 -0700 (MST)
    To: Focus-MS <focus-ms@securityfocus.com>

    SecurityFocus Microsoft Newsletter #218
    ----------------------------------------

    Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
    is a free service that gives you the ability to track and manage attacks.
    Analyzer automatically correlates attacks from various Firewall and network
    based Intrusion Detection Systems, giving you a comprehensive view of your
    computer or general network. Sign up today!

    http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

    ------------------------------------------------------------------------
    I. FRONT AND CENTER
         1. Detecting Complex Viruses
         2. Lycos Goes Straight
    II. MICROSOFT VULNERABILITY SUMMARY
         1. Microsoft Internet Explorer Drag and Drop Vulnerability
         2. Ipswitch WS_FTP Multiple Remote Buffer Overflow Vulnerabilit...
         3. 21-6 Productions Orbz Remote Buffer Overflow Vulnerability
         4. Mercury Mail Multiple Remote IMAP Stack Buffer Overflow Vuln...
         5. GlobalScape CuteFTP Multiple Command Response Buffer Overflo...
         6. FreeImage Interleaved Bitmap Image Buffer Overflow Vulnerabi...
         7. JanaServer 2 Multiple Remote Denial Of Service Vulnerabiliti...
         8. OpenSSH-portable PAM Authentication Remote Information Discl...
         9. Mercury Mail Multiple Remote IMAP Buffer Overflow Vulnerabil...
         10. S9Y Serendipity Remote Cross-Site Scripting Vulnerability
         11. Cisco CNS Network Registrar DNS and DHCP Server Remote Denia...
         12. PHProjekt Unspecified Authentication Bypass Vulnerability
    III. MICROSOFT FOCUS LIST SUMMARY
         1. Disable Network ID and Change button (Thread)
         2. XP SP2 & GPO controlled firewall gets activated for ... (Thread)
         3. SecurityFocus Microsoft Newsletter #217 (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. CoreGuard Core Security System
         2. KeyCaptor Keylogger
         3. SpyBuster
         4. FreezeX
         5. NeoExec for Active Directory
         6. Secrets Protector v2.03
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. IDS Policy Manager v1.5
         2. PatchLink Update 6.01.78
         3. Dekart Private Disk 2.03
         4. Remote Process Watcher 1.0
         5. Rkdscan 1.0
         6. Spybot-S&D 1.3
    VI. UNSUBSCRIBE INSTRUCTIONS
    VII. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Detecting Complex Viruses
    By Peter Ferrie and Frederic Perriot

    The purpose of this paper is to examine the difficulties of detecting
    complex viruses, including polymorphic, metamorphic and entry-point
    obscuring viruses. Whether or not an anti-virus (AV) technology can detect
    these viruses can be a useful metric to consider when evaluating AV products.

    http://www.securityfocus.com/infocus/1813

    2. Lycos Goes Straight
    By Mark Rasch

    After a week of well-deserved criticism, Lycos is abandoning its scheme to
    launch denial-of-service attacks against spammy websites. Did the company
    reform in time to avoid criminal prosecution?

    http://www.securityfocus.com/columnists/282

    II. MICROSOFT VULNERABILITY SUMMARY
    -----------------------------------
    1. Microsoft Internet Explorer Drag and Drop Vulnerability
    BugTraq ID: 11770
    Remote: Yes
    Date Published: Nov 28 2004
    Relevant URL: http://www.securityfocus.com/bid/11770
    Summary:
    A security researcher has reported a simpler variant of the vulnerability described in BID 11466. In that vulnerability, it was theoretically possible for external, untrusted HTML or script code to be executed if a maliciously constructed file were "dragged and dropped" and then clicked on. That process required the victim user to manually click the file to open it. The author of this report states that the new variant removes the step of manually clicking the file. This may allow for automatic compromise if the user drags and drops a malicious file.

    2. Ipswitch WS_FTP Multiple Remote Buffer Overflow Vulnerabilit...
    BugTraq ID: 11772
    Remote: Yes
    Date Published: Nov 29 2004
    Relevant URL: http://www.securityfocus.com/bid/11772
    Summary:
    Multiple remote buffer overflow vulnerabilities are reported in the Ipswitch WS_FTP server. These issues are due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite process buffers.

    An attacker may exploit these issues to cause the affected server to crash. It is likely that execution of arbitrary code with the privileges of the user who activated the vulnerable application is also possible.

    3. 21-6 Productions Orbz Remote Buffer Overflow Vulnerability
    BugTraq ID: 11774
    Remote: Yes
    Date Published: Nov 29 2004
    Relevant URL: http://www.securityfocus.com/bid/11774
    Summary:
    A remote buffer overflow vulnerability has been reported in 21-6 Productions Orbz. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite process buffers.

    An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

    4. Mercury Mail Multiple Remote IMAP Stack Buffer Overflow Vuln...
    BugTraq ID: 11775
    Remote: Yes
    Date Published: Nov 29 2004
    Relevant URL: http://www.securityfocus.com/bid/11775
    Summary:
    Mercury Mail is reported susceptible to multiple stack-based buffer overflow vulnerabilities in its IMAP server implementation. These issues are due to a failure of the application to properly bounds check user-supplied input prior to copying it to a finite-sized memory buffer.

    These vulnerabilities allow authenticated, remote attackers to execute arbitrary machine code in the context of the affected server process.

    Versions of Mercury Mail prior to 4.01a are reportedly affected by these vulnerabilities. Other versions may also be affected.

    Note: BID 11788 has been consolidated with this BID. It has been determined that they represent the same issues.

    5. GlobalScape CuteFTP Multiple Command Response Buffer Overflo...
    BugTraq ID: 11776
    Remote: Yes
    Date Published: Nov 30 2004
    Relevant URL: http://www.securityfocus.com/bid/11776
    Summary:
    Multiple remote buffer overflow vulnerabilities reportedly affect the command response functionality of GlobalScape CuteFTP. These issues are due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite process buffers.

    A remote attacker may leverage these issues to cause the affected client to crash; code execution may also be possible. Any code execution would take place with the privileges of the user that activated the vulnerable application.

    6. FreeImage Interleaved Bitmap Image Buffer Overflow Vulnerabi...
    BugTraq ID: 11778
    Remote: Yes
    Date Published: Nov 26 2004
    Relevant URL: http://www.securityfocus.com/bid/11778
    Summary:
    A buffer overflow vulnerability exists in FreeImage. This issue is due to a boundary condition error that occurs when the library handles malformed Interleaved Bitmap (ILBM) images.

    This issue could potentially be exploited to execute arbitrary code in the context of an application that uses the library.

    7. JanaServer 2 Multiple Remote Denial Of Service Vulnerabiliti...
    BugTraq ID: 11780
    Remote: Yes
    Date Published: Nov 30 2004
    Relevant URL: http://www.securityfocus.com/bid/11780
    Summary:
    JanaServer 2 is a commercially available proxy server designed for the Microsoft Windows platform. It contains support for services such as HTTP, FTP, email, and RealPlayer streaming.

    Multiple remote denial of service vulnerabilities affect JanaServer 2. These issues are due to a failure of the application to handle malformed network communications.

    The first issue presents itself when malformed HTTP requests are made to the affected application. The second issue presents itself when the application attempts to process malformed RealPlayer streaming data.

    An attacker may leverage these issues to cause the affected proxy server to hang, effectively denying service to legitimate users.

    8. OpenSSH-portable PAM Authentication Remote Information Discl...
    BugTraq ID: 11781
    Remote: Yes
    Date Published: Nov 30 2004
    Relevant URL: http://www.securityfocus.com/bid/11781
    Summary:
    It is reported that OpenSSH contains an information disclosure vulnerability. This issue exists in the portable version of OpenSSH. The portable version is the version that is distributed for operating systems other than its native OpenBSD platform.

    This issue is related to BID 7467. It is reported that the previous fix for BID 7476 was insufficient to completely fix the issue. It is not confirmed at this time, but this current issue may involve differing code paths in PAM, resulting in a new vulnerability.

    This vulnerability allows remote users to test for the existence of valid usernames. Knowledge of usernames may aid them in further attacks.

    9. Mercury Mail Multiple Remote IMAP Buffer Overflow Vulnerabil...
    BugTraq ID: 11788
    Remote: Yes
    Date Published: Dec 01 2004
    Relevant URL: http://www.securityfocus.com/bid/11788
    Summary:
    Mercury Mail is reported susceptible to multiple buffer overflow vulnerabilities in its IMAP server implementation. These issues are due to a failure of the application to properly bounds check user-supplied input prior to copying it to a finite-sized memory buffer.

    These vulnerabilities allow authenticated, remote attackers to deny service to legitimate users. It is also conjectured that they may be able to execute arbitrary machine code in the context of the affected server process.

    Version 4.01 of Mercury Mail is reportedly affected by these vulnerabilities. Other versions may also be affected.

    Note: This BID has been consolidated to BID 11775, as it has been determined that this BID is a duplicate. This BID will be retired shortly.

    10. S9Y Serendipity Remote Cross-Site Scripting Vulnerability
    BugTraq ID: 11790
    Remote: Yes
    Date Published: Dec 02 2004
    Relevant URL: http://www.securityfocus.com/bid/11790
    Summary:
    A cross-site scripting vulnerability affects S9Y Serendipity. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.

    An attacker may leverage this issue to have arbitrary HTML and script code rendered and executed in the browser of an unsuspecting user. This may facilitate theft of cookie-based authentication credentials as well as other attacks.

    11. Cisco CNS Network Registrar DNS and DHCP Server Remote Denia...
    BugTraq ID: 11793
    Remote: Yes
    Date Published: Dec 02 2004
    Relevant URL: http://www.securityfocus.com/bid/11793
    Summary:
    Cisco CNS Network Registrar is a DNS/DHCP server offered by Cisco. It is available for Microsoft Windows, UNIX, and Linux platforms.

    Cisco CNS Network Registrar is reported prone to multiple remote denial of service vulnerabilities. These issues affect the Domain Name Service and Dynamic Host Configuration Protocol server components of the CNS Network Registrar. It is reported that an attacker may cause a crash by sending a specially crafted packet sequence to an affected server.

    These vulnerabilities only affect Cisco CNS Network Registrar for the Microsoft Windows platform. The first issue affects CNS Network Registrar versions 6.0 up to and including 6.1.1.3, and the second issue affects all versions up to and including 6.1.1.3.

    12. PHProjekt Unspecified Authentication Bypass Vulnerability
    BugTraq ID: 11797
    Remote: Yes
    Date Published: Dec 02 2004
    Relevant URL: http://www.securityfocus.com/bid/11797
    Summary:
    PHProjekt is reported prone to an unspecified authentication bypass vulnerability. Reports indicate that the vulnerability is present in the 'setup.php' source file and may be exploited by a remote attacker to gain access to the 'setup.php' file without requiring authentication.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Disable Network ID and Change button (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/383559

    2. XP SP2 & GPO controlled firewall gets activated for ... (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/383417

    3. SecurityFocus Microsoft Newsletter #217 (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/382844

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. CoreGuard Core Security System
    By: Vormetric
    Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
    Relevant URL: http://www.vormetric.com/products/#overview
    Summary:

    CoreGuard System profile

    The CoreGuard System is the industry's first solution that enforces
    acceptable use policy for sensitive digital information assets and
    protects personal data privacy across an enterprise IT environment.
    CoreGuard's innovative architecture and completeness of technology
    provide a comprehensive, extensible solution that tightly integrates all
    the elements required to protect information across a widespread,
    heterogeneous enterprise network, while enforcing separation of duties
    between security and IT administration. At the same time, CoreGuard is
    transparent to users, applications and storage infrastructures for ease
    of deployment and system management.

    CoreGuard enables customers to:
    * Protect customer personal data privacy and digital information assets
    * Protect data at rest from unauthorized viewing by external attackers
    and unauthorized insiders
    * Enforce segregation of duties between IT administrators and security
    administration
    * Ensure host & application integrity
    * Block malicious code, including zero-day exploits

    2. KeyCaptor Keylogger
    By: Keylogger Software
    Platforms: MacOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.keylogger-software.com/keylogger/keylogger.htm
    Summary:

    KeyCaptor is your solution for recording ALL keystrokes of ALL users on your computer! Now you have the power to record emails, websites, documents, chats, instant messages, usernames, passwords, and MUCH MORE!

    With our advanced stealth technology, KeyCaptor will not show in your processes list and cannot be stopped from running unless you say so!

    3. SpyBuster
    By: Remove Spyware
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.remove-spyware.com/spybuster.htm
    Summary:

    Our award winning spyware / adware scanner and removal software, SpyBuster will scan your computer for over 4,000 known spyware and adware applications. SpyBuster protects your computer from data stealing programs that can expose your personal information.

    SpyBuster scanning technology allows for a quick and easy sweep, so you can resume your work in minutes.

    4. FreezeX
    By: Faronics Technologies USA Inc
    Platforms: Windows 2000, Windows 95/98, Windows XP
    Relevant URL: http://www.faronics.com/html/Freezex.asp
    Summary:

    FreezeX prevents all unauthorized programs, including viruses, keyloggers and spyware, from executing. Powerful and secure, FreezeX ensures that any new executable, program, or application that is downloaded, or introduced via removable media or the network, will never install.

    5. NeoExec for Active Directory
    By: NeoValens
    Platforms: Windows 2000, Windows XP
    Relevant URL: http://www.neovalens.com
    Summary:

    NeoExec® is an operating system extension for Windows 2000/XP that allows the setting of privileges at the application level rather than at the user level.

    NeoExec® is the ideal solution for applications that require elevated privileges to run as the privileges are granted to the application, not the user.

    NeoExec® is the only solution on the market capable of modifying at runtime the processes' security context -- without requiring a second account as with RunAs and RunAs-derived products.

    6. Secrets Protector v2.03
    By: E-CRONIS
    Platforms: Windows 2000, Windows XP
    Relevant URL: http://www.e-cronis.com/download/sp.exe
    Summary:

    It's the end of your worries about the top-secret data of your company, your confidential files or the pictures from the last party. All of these will be hidden beyond the reach of ANY intruder, and you will be the only one able to handle them. And what you want to delete will be DELETED. It is the ultimate security tool to protect your sensitive information on a PC, addressing the three most important security properties: Integrity, Confidentiality and Availability. This product gives you the features of a "folder locker" and a "secure eraser".

    Your secret information is available only through this software, and there is no other means to access it. The information is protected at the file system level and cannot be accidentally deleted or overwritten, neither in Safe Mode nor from another operating system. This program doesn't make your operating system unstable as other related products do, and it protects your information from being seen, altered or deleted by an unauthorized user, whether intentionally or not. The program allows you to permanently erase your sensitive data using secure wiping methods, leaving no trace of your information. Depending on the selected wiping method, your data is unrecoverable using software or even hardware recovery techniques.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    ------------------------------------
    1. IDS Policy Manager v1.5
    By: ActiveWorx
    Relevant URL: http://www.activeworx.org
    Platforms: Windows 2000, Windows NT, Windows XP
    Summary:

    IDS Policy Manager was designed to manage Snort IDS sensors in a distributed environment. This is done by taking the text configuration and rule files and allowing you to modify them with an easy-to-use graphical interface. With the added ability to merge new rule sets, manage preprocessors, control output modules and scp rules to sensors, this tool makes managing Snort easy for most security professionals.

    2. PatchLink Update 6.01.78
    By: PatchLink Corporation
    Relevant URL: http://www.patchlink.com/products_services/plu_evaluationrequest.html
    Platforms: AIX, DG-UX, Digital UNIX/Alpha, DOS, HP-UX, Java, Linux, MacOS, Net, NetBSD, Netware, OpenVMS, PalmOS, POSIX, SecureBSD, SINIX, Solaris, SunOS, True64 UN, True64 UNIX, Ultrix, UNICOS, UNIX, Unixware, Windows 2000, Windows 95/98, Windows CE, Windows NT, Windows XP
    Summary:

    With PATCHLINK UPDATE, patch management is the secure, proactive, and preventative process it should be. PATCHLINK UPDATE scans networks for security holes and closes them with the click of a mouse, no matter the operating system, the vendor applications, the mix, or the size of the environment. From 5K nodes to 20+K nodes, PATCHLINK UPDATE works quickly, accurately and safely to ensure desktops and servers are patched correctly and completely the first time around.

    3. Dekart Private Disk 2.03
    By: Dekart
    Relevant URL: http://www.private-disk.net/
    Platforms: Windows XP
    Summary:

    Private Disk is an easy-to-use, reliable, user-friendly and smart program that lets you create encrypted disk partitions (drive letters) to keep your private and confidential data secure. It uses 256-bit AES encryption.

    4. Remote Process Watcher 1.0
    By: Fitsec Tmi
    Relevant URL: http://www.fitsec.com/downloads
    Platforms: Windows 2000, Windows NT, Windows XP
    Summary:

    Java-based software that watches processes running on the computers inside a domain. It gives out warnings when it spots a process that it doesn't recognize or processes that have been placed on the warning list. It is also able to automatically kill processes marked as critical.

    5. Rkdscan 1.0
    By: Andres Tarasco - www.sia.es
    Relevant URL: http://cyruxnet.org/download/rkdscan.rar
    Platforms: Windows 2000
    Summary:

    Rkdscan is able to remotely detect whether NT-based computers are compromised with the "Hacker Defender" rootkit.

    6. Spybot-S&D 1.3
    By: Patrick M. Kolla
    Relevant URL: http://www.spybot.info/en/index.html
    Platforms: Windows XP
    Summary:

    Spybot - Search & Destroy can detect and remove spyware of different kinds
    from your computer. Spyware is a relatively new kind of threat that
    common anti-virus applications do not yet cover. If you see new toolbars in
    your Internet Explorer that you didn't intentionally install, if your browser
    crashes, or if your browser start page has changed without your knowledge, you
    most probably have spyware. But even if you don't see anything, you may be
    infected.

    VI. UNSUBSCRIBE INSTRUCTIONS
    ----------------------------
    To unsubscribe send an e-mail message to ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

    If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

    VII. SPONSOR INFORMATION
    -----------------------

    Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
    is a free service that gives you the ability to track and manage attacks.
    Analyzer automatically correlates attacks from various Firewall and network
    based Intrusion Detection Systems, giving you a comprehensive view of your
    computer or general network. Sign up today!

    http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

    ------------------------------------------------------------------------
