SecurityFocus Microsoft Newsletter #224

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 01/19/05

Date: Wed, 19 Jan 2005 08:30:01 -0700 (MST)
To: Focus-MS <focus-ms@securityfocus.com>


    SecurityFocus Microsoft Newsletter #224
    ----------------------------------------

    Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
    is a free service that gives you the ability to track and manage attacks.
    Analyzer automatically correlates attacks from various Firewall and
    network-based Intrusion Detection Systems, giving you a comprehensive view
    of your computer or general network. Sign up today!

    http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

    ------------------------------------------------------------------------
    I. FRONT AND CENTER
         1. A New Tool In The Spam War
         2. The Perils of Deep Packet Inspection
    II. MICROSOFT VULNERABILITY SUMMARY
         1. JohnyTech Encrypted Messenger Plug-In Remote Denial Of Servi...
         2. RhinoSoft Serv-U FTP Server Resource Exhaustion Denial Of Se...
         3. Microsoft Office Encrypted Documents RC4 Initialization Vect...
         4. Microsoft Windows Indexing Service Buffer Overflow Vulnerabi...
         5. Microsoft Windows User32.DLL ANI File Header Handling Stack-...
         6. Apple ITunes Playlist Buffer Overflow Vulnerability
         7. Nullsoft Winamp Multiple Unspecified Vulnerabilities
         8. IlohaMail Insecure Default Installation Information Disclosu...
         9. Vim TCLTags and VimSpell.sh Scripts Insecure Temporary File ...
         10. Brat Designs Breed Remote Denial of Service Vulnerability
         11. Microsoft Internet Explorer Dynamic IFRAME File Download Sec...
         12. MPM Guestbook Header Input Validation Vulnerability
         13. Multiple Vendor Anti-Virus Gateway Failure To Decode Base64 ...
    III. MICROSOFT FOCUS LIST SUMMARY
         1. local admin vs group policy and apps... (Thread)
         2. IIS6 on W2k3 DCs (Thread)
         3. PGP and Outlook (Thread)
         4. Automatic Updates and Users/Power Users (Thread)
         5. Anti-spyware Beta from Microsoft available (Thread)
         6. NTFS Security (Thread)
         7. XP SP2 Blind install (Thread)
         8. SecurityFocus Microsoft Newsletter #223 (Thread)
         9. suggestions for proxy server to run on w2003 box.. (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. CoreGuard Core Security System
         2. KeyCaptor Keylogger
         3. SpyBuster
         4. FreezeX
         5. NeoExec for Active Directory
         6. Secrets Protector v2.03
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. Network Equipment Performance Monitor 2.2
         2. Etherchange v1.0
         3. IPFront 1.0
         4. Azure Web Log 1.5
         5. Interface Traffic Indicator 1.2.3
         6. Colasoft Capsa 4.05
    VI. UNSUBSCRIBE INSTRUCTIONS
    VII. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. A New Tool In The Spam War

    Arbitration is part of the next wave of security measures, and can be
    effective against spammers who illegally harvest email addresses from a
    honeypot on your website.

    http://www.securityfocus.com/columnists/291

    2. The Perils of Deep Packet Inspection
    By Dr. Thomas Porter

    This paper looks at the evolution of firewall technology towards Deep
    Packet Inspection, and then discusses some of the security issues with
    this evolving technology.

    http://www.securityfocus.com/infocus/1817

    II. MICROSOFT VULNERABILITY SUMMARY
    -----------------------------------
    1. JohnyTech Encrypted Messenger Plug-In Remote Denial Of Servi...
    BugTraq ID: 12211
    Remote: Yes
    Date Published: Jan 10 2005
    Relevant URL: http://www.securityfocus.com/bid/12211
    Summary:
    JohnyTech Encrypted Messenger Plug-in is reported prone to a remote denial
    of service vulnerability. The vulnerability presents itself when certain
    strings are processed by the vulnerable library.

    A remote attacker may exploit this condition to deny service to legitimate
    users.

    2. RhinoSoft Serv-U FTP Server Resource Exhaustion Denial Of Se...
    BugTraq ID: 12213
    Remote: Yes
    Date Published: Jan 10 2005
    Relevant URL: http://www.securityfocus.com/bid/12213
    Summary:
    Serv-U FTP Server is reported prone to a remote denial of service
    vulnerability. This issue may allow remote attackers to crash an affected
    server.

    It is reported that the vulnerable service does not properly handle
    multiple connection attempts. Successful exploitation can deny service to
    legitimate users.

    Serv-U FTP 2.5 is reported prone to this vulnerability.

    3. Microsoft Office Encrypted Documents RC4 Initialization Vect...
    BugTraq ID: 12223
    Remote: Yes
    Date Published: Jan 11 2005
    Relevant URL: http://www.securityfocus.com/bid/12223
    Summary:
    Microsoft Office Word and Excel applications are reported prone to a
    security vulnerability. It is reported that the functionality that
    provides for password protecting confidential documents is flawed;
    specifically the RC4 stream cipher that is employed to obfuscate protected
    documents is implemented incorrectly.

    An attacker that can retrieve an original encrypted document and
    subsequent encrypted modifications of said document may employ
    cryptanalysis techniques to potentially reveal portions of the target
    document.

    Information gathered by exploiting this vulnerability may be used to aid
    in further attacks launched against a target victim.

    4. Microsoft Windows Indexing Service Buffer Overflow Vulnerabi...
    BugTraq ID: 12228
    Remote: Yes
    Date Published: Jan 11 2005
    Relevant URL: http://www.securityfocus.com/bid/12228
    Summary:
    Microsoft Indexing Service is reported prone to a buffer overflow
    vulnerability. This issue results from insufficient boundary checks
    performed by the application when copying user-supplied data into
    sensitive process buffers. A remote or local attacker may execute
    arbitrary code on a vulnerable computer, which could ultimately allow the
    attacker to gain unauthorized access to the computer or gain elevated
    privileges.

    This issue can be exploited by sending a malformed query to the Indexing
    Service. It is reported that this issue may be locally and remotely
    exploited if Indexing Service is enabled on a vulnerable computer.

    5. Microsoft Windows User32.DLL ANI File Header Handling Stack-...
    BugTraq ID: 12233
    Remote: Yes
    Date Published: Jan 11 2005
    Relevant URL: http://www.securityfocus.com/bid/12233
    Summary:
    A stack-based buffer overflow vulnerability is reported to affect the ANI
    (animated cursor files) handler on Microsoft Windows operating systems.

    The vulnerability exists in the ANI file header handling routines
    contained in the 'user32.dll' library.

    Ultimately the issue may be leveraged to force the execution of
    attacker-supplied instructions. It has been reported that this
    vulnerability affects any application that employs the vulnerable Internet
    Explorer component, for example: Microsoft Internet Explorer, Word, Excel,
    PowerPoint, Outlook, Outlook Express and the Windows Shell. Other
    applications are also affected.

    6. Apple ITunes Playlist Buffer Overflow Vulnerability
    BugTraq ID: 12238
    Remote: Yes
    Date Published: Jan 11 2005
    Relevant URL: http://www.securityfocus.com/bid/12238
    Summary:
    Apple iTunes is prone to a buffer overflow vulnerability. This issue is
    exposed when the application parses 'm3u' and 'pls' playlist files. As
    these files may originate from an external source, this issue is
    considered remotely exploitable.

    If the vulnerability is successfully exploited, it will result in
    execution of arbitrary code in the context of the user running the
    application.

    7. Nullsoft Winamp Multiple Unspecified Vulnerabilities
    BugTraq ID: 12245
    Remote: Yes
    Date Published: Jan 12 2005
    Relevant URL: http://www.securityfocus.com/bid/12245
    Summary:
    Winamp is a freely available media player from Nullsoft. It is available
    for the Microsoft Windows platform.

    Multiple unspecified vulnerabilities affect Nullsoft's Winamp. The
    underlying causes of most of these issues are unknown, however one of the
    issues is due to a buffer overflow.

    Further information surrounding these issues is not available. This BID
    will be updated immediately upon the release of more details.

    It is likely that a remote attacker may leverage these issues by
    distributing malicious files and enticing unsuspecting users to process
    them. This may facilitate privilege escalation and unauthorized access.

    8. IlohaMail Insecure Default Installation Information Disclosu...
    BugTraq ID: 12252
    Remote: Yes
    Date Published: Jan 13 2005
    Relevant URL: http://www.securityfocus.com/bid/12252
    Summary:
    An insecure default installation information disclosure issue affects
    IlohaMail. This issue is due to a failure of the application to install
    sensitive files securely.

    An attacker may leverage this issue to gain access to sensitive
    information, potentially including user names and passwords. Sensitive
    information disclosed in this way may lead to a compromise of email
    accounts and other attacks.

    9. Vim TCLTags and VimSpell.sh Scripts Insecure Temporary File ...
    BugTraq ID: 12253
    Remote: No
    Date Published: Jan 13 2005
    Relevant URL: http://www.securityfocus.com/bid/12253
    Summary:
    Multiple Vim scripts are reported prone to an insecure temporary file
    creation vulnerability. It is reported that the Vim 'tcltags' and
    'vimspell.sh' scripts create temporary files in an insecure manner.

    An attacker that has local interactive access to a system may exploit this
    issue to corrupt arbitrary files with the privileges of the user that is
    invoking the vulnerable application.

    10. Brat Designs Breed Remote Denial of Service Vulnerability
    BugTraq ID: 12262
    Remote: Yes
    Date Published: Jan 13 2005
    Relevant URL: http://www.securityfocus.com/bid/12262
    Summary:
    Breed is reported prone to a remote denial of service vulnerability.

    It is reported that a game server may be crashed by sending an empty UDP
    packet.

    All versions up to and including Breed patch 1 are reported prone to this
    issue.

    11. Microsoft Internet Explorer Dynamic IFRAME File Download Sec...
    BugTraq ID: 12264
    Remote: Yes
    Date Published: Jan 13 2005
    Relevant URL: http://www.securityfocus.com/bid/12264
    Summary:
    Microsoft Internet Explorer is reported prone to a file download security
    warning bypass weakness. This issue may be exploited to download a
    malicious file to the client system.

    It is reported that this security warning can be bypassed by creating a
    document containing a specially crafted HTML BODY tag and a dynamic
    IFRAME.

    By enticing a user to visit a site, the attacker can potentially plant
    malicious files on vulnerable systems in order to execute malicious code.
    It should be noted that although no security warning appears, the standard
    download confirmation window still appears and requires the user to
    confirm the download prior to any files being placed on the unsuspecting
    user's computer.

    This vulnerability may be combined with other issues in the browser or the
    affected computer to aid in various attacks.

    It should also be noted that Symantec has been unable to replicate this
    issue. Furthermore, Microsoft has stated that this is not a vulnerability.
    This BID will be updated when further information becomes available.

    Internet Explorer 6.0 running on Microsoft Windows XP SP2 is reported to
    be affected by this vulnerability. It is conjectured that other versions
    of Internet Explorer are vulnerable as well. This BID will be updated
    when more information about affected packages is available.

    12. MPM Guestbook Header Input Validation Vulnerability
    BugTraq ID: 12266
    Remote: Yes
    Date Published: Jan 14 2005
    Relevant URL: http://www.securityfocus.com/bid/12266
    Summary:
    MPM Guestbook is reported prone to an input validation vulnerability that
    may lead to remote command execution or arbitrary file content disclosure.
    The issue is due to a lack of sufficient sanitization performed on
    user-supplied 'header' URI parameter data.

    An attacker may leverage this issue to execute arbitrary PHP code in the
    context of the web server process or disclose the contents of web server
    readable files.

    It should be noted that although this vulnerability is reported to affect
    MPM Guestbook version 1.05, other versions might also be affected.

    13. Multiple Vendor Anti-Virus Gateway Failure To Decode Base64 ...
    BugTraq ID: 12269
    Remote: Yes
    Date Published: Jan 14 2005
    Relevant URL: http://www.securityfocus.com/bid/12269
    Summary:
    Multiple vendor anti-virus gateway products are reported prone to a
    security weakness that could lead to a false sense of security. It is
    reported that the affected anti-virus gateways do not decode
    base64-encoded images that are contained in 'data' URIs.

    A malicious image that is obfuscated in this manner will bypass the
    affected anti-virus scanner; the image will be rendered in the browser of
    a target user when the malicious page is viewed. It is reported that
    because Microsoft Internet Explorer does not support the 'data' URI,
    Internet Explorer cannot be used as an attack vector to exploit this
    weakness.

    This weakness may lead to a false sense of security where a network
    administrator believes that the affected product will detect malicious
    images designed to trigger a target vulnerability. In reality, the images
    may be obfuscated by an attacker and may not be detected.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. local admin vs group policy and apps... (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/387497

    2. IIS6 on W2k3 DCs (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/387495

    3. PGP and Outlook (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/387494

    4. Automatic Updates and Users/Power Users (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/387224

    5. Anti-spyware Beta from Microsoft available (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/387014

    6. NTFS Security (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/387013

    7. XP SP2 Blind install (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/386949

    8. SecurityFocus Microsoft Newsletter #223 (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/386891

    9. suggestions for proxy server to run on w2003 box.. (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/386882

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. CoreGuard Core Security System
    By: Vormetric
    Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
    Relevant URL: http://www.vormetric.com/products/#overview
    Summary:

    CoreGuard System profile

    The CoreGuard System is the industry's first solution that enforces
    acceptable use policy for sensitive digital information assets and
    protects personal data privacy across an enterprise IT environment.
    CoreGuard's innovative architecture and completeness of technology
    provide a comprehensive, extensible solution that tightly integrates all
    the elements required to protect information across a widespread,
    heterogeneous enterprise network, while enforcing separation of duties
    between security and IT administration. At the same time, CoreGuard is
    transparent to users, applications and storage infrastructures for ease
    of deployment and system management.

    CoreGuard enables customers to:
    * Protect customer personal data privacy and digital information assets
    * Protect data at rest from unauthorized viewing by external attackers
      and unauthorized insiders
    * Enforce segregation of duties between IT administrators and security
      administration
    * Ensure host & application integrity
    * Block malicious code, including zero-day exploits

    2. KeyCaptor Keylogger
    By: Keylogger Software
    Platforms: MacOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.keylogger-software.com/keylogger/keylogger.htm
    Summary:

    KeyCaptor is your solution for recording ALL keystrokes of ALL users on
    your computer! Now you have the power to record emails, websites,
    documents, chats, instant messages, usernames, passwords, and MUCH MORE!

    With our advanced stealth technology, KeyCaptor will not show in your
    processes list and cannot be stopped from running unless you say so!

    3. SpyBuster
    By: Remove Spyware
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.remove-spyware.com/spybuster.htm
    Summary:

    Our award winning spyware / adware scanner and removal software, SpyBuster
    will scan your computer for over 4,000 known spyware and adware
    applications. SpyBuster protects your computer from data stealing programs
    that can expose your personal information.

    SpyBuster scanning technology allows for a quick and easy sweep, so you
    can resume your work in minutes.

    4. FreezeX
    By: Faronics Technologies USA Inc
    Platforms: Windows 2000, Windows 95/98, Windows XP
    Relevant URL: http://www.faronics.com/html/Freezex.asp
    Summary:

    FreezeX prevents all unauthorized programs, including viruses, keyloggers
    and spyware, from executing. Powerful and secure, FreezeX ensures that any
    new executable, program, or application that is downloaded, introduced via
    removable media or the network will never install.

    5. NeoExec for Active Directory
    By: NeoValens
    Platforms: Windows 2000, Windows XP
    Relevant URL: http://www.neovalens.com
    Summary:

    NeoExec® is an operating system extension for Windows 2000/XP that allows
    the setting of privileges at the application level rather than at the user
    level.

    NeoExec® is the ideal solution for applications that require elevated
    privileges to run as the privileges are granted to the application, not
    the user.

    NeoExec® is the only solution on the market capable of modifying at
    runtime the processes' security context -- without requiring a second
    account as with RunAs and RunAs-derived products.

    6. Secrets Protector v2.03
    By: E-CRONIS
    Platforms: Windows 2000, Windows XP
    Relevant URL: http://www.e-cronis.com/download/sp.exe
    Summary:

    It's the end of your worries about top-secret data of your company, your
    confidential files or the pictures from the last party. All these will be
    hidden beyond the reach of ANY intruder and you will be the only one able
    to handle them. And what you want to delete will be DELETED. It is the
    ultimate security tool to protect your sensitive information on PC,
    meeting the three most important security issues: Integrity,
    Confidentiality and Availability. This product gives you the features of a
    "folder locker" and a "secure eraser".

    Your secret information is available only through this software and there
    is no other means to access it. The information is protected at file
    system level and it cannot be accidentally deleted or overwritten, either
    in Safe mode or in another operating system. This program doesn't make your
    operating system unstable as other related products do, and it protects
    your information from being seen, altered or deleted by an unauthorized
    user, with or without his wish. The program allows you to permanently erase
    your sensitive data using secure wiping methods, leaving no trace of your
    information. Depending on the selected wiping method, your data is
    unrecoverable using software or even hardware recovery techniques.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    ------------------------------------
    1. Network Equipment Performance Monitor 2.2
    By: Nova Software, Inc.
    Relevant URL: http://www.nepm.net/
    Platforms: AIX, FreeBSD, HP-UX, Linux, Solaris, Tru64 UNIX, UNIX, Windows
    2000, Windows NT, Windows XP
    Summary:

    NEPM is a very general, highly configurable, two part software system that
    monitors any type of logged data from IP networked equipment and reports
    it via E-mail and web pages. Current conditions and history from systems
    based on Windows NT/2000 and UNIX can be tracked and reported. Most major
    server, switch and router systems can be monitored, without running agents
    on the target systems.

    2. Etherchange v1.0
    By: Arne Vidstrom
    Relevant URL: http://www.ntsecurity.nu/toolbox/etherchange/
    Platforms: Windows 2000, Windows XP
    Summary:

    EtherChange can change the Ethernet address of the network adapters in
    Windows 2000 / XP.

    3. IPFront 1.0
    By: Hernán M. Racciatti
    Relevant URL: http://www.hernanracciatti.com.ar/ipfront/
    Platforms: Windows 2000
    Summary:

    IPFront is a small tool which enables users to generate IPSec rules
    easily. It really speeds up the process of hardening Windows 2000/2003 in
    a Bastion Host environment.

    Additionally, it allows you to set up IPSec exceptions, and enables a
    couple of TCP/IP stack protections against DoS attacks.

    So, IPFront is nothing more than a small frontend/GUI that writes small
    scripts that one can later execute from within IPFront, or externally, as
    simple script files, on other servers.

    4. Azure Web Log 1.5
    By: Azure Desktop
    Relevant URL: http://www.azuredesktop.com/download/awlog.zip
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Summary:

    This log analyzer tells you all you want to know about your web site: What
    are the most popular pages and files on your site? How many visitors are
    there and where are they from? What browsers and OS do they use? What is
    your site's traffic? Special features: statistics for a year; separate
    statistics for every page or file (daily hits for the last two months,
    monthly hits for a year, referring site for a particular page or file);
    multiple site statistics support.

    5. Interface Traffic Indicator 1.2.3
    By: Carsten Schmidt
    Relevant URL: http://software.ccschmidt.de/#inftraffic
    Platforms: Windows 2000, Windows NT, Windows XP
    Summary:

    Interface Traffic Indicator is a graph utility to measure incoming and
    outgoing traffic on an interface in bits/sec, bytes/sec or utilization. It
    works on all SNMP-capable devices (computers, NICs, switches, routers,
    etc.) with an adjustable poll interval down to three seconds. You can use
    this program in a professional network environment to monitor selected
    network interfaces (even backplane ports if the device provides the
    information) or you can monitor your home network or

    6. Colasoft Capsa 4.05
    By: Roy Luo
    Relevant URL: http://www.colasoft.com/
    Platforms: Windows 2000, Windows 95/98, Windows XP
    Summary:

    Capsa is a powerful but easy to use network monitor and analyzer designed
    for packet decoding and network diagnosis. With the abilities of real time
    monitoring and data analyzing, you can capture and decode network traffic
    transmitted over local host and local network. Capsa has Packet Analysis
    Module and three advanced analysis modules: Email Analysis Module, Web
    Analysis Module and Transaction Analysis Module.

    VI. UNSUBSCRIBE INSTRUCTIONS
    ----------------------------
    To unsubscribe send an e-mail message to
    ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
    contents of the subject or message body do not matter. You will receive a
    confirmation request message to which you will have to answer.
    Alternatively you can also visit http://www.securityfocus.com/newsletters
    and unsubscribe via the website.

    If your email address has changed email listadmin@securityfocus.com and
    ask to be manually removed.

    VII. SPONSOR INFORMATION
    -----------------------

    Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
    is a free service that gives you the ability to track and manage attacks.
    Analyzer automatically correlates attacks from various Firewall and
    network-based Intrusion Detection Systems, giving you a comprehensive view
    of your computer or general network. Sign up today!

    http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

    ------------------------------------------------------------------------