SecurityFocus Microsoft Newsletter #245

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 06/21/05

    Date: Tue, 21 Jun 2005 14:39:47 -0600 (MDT)
    To: Focus-MS <focus-ms@securityfocus.com>
    
    

    SecurityFocus Microsoft Newsletter #245
    ----------------------------------------

    This Issue is Sponsored By: Black Hat

    Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 29 hands-on training courses and 10 conference tracks, networking opportunities with over 2,000 delegates from 30+ nations.

    http://www.securityfocus.com/sponsor/BlackHat_sf-news_050621

    ------------------------------------------------------------------
    I. FRONT AND CENTER
           1. Interview with Marcus Ranum
           2. Your fingerprints are everywhere
           3. Software Firewalls: Made of Straw? Part 2 of 2
    II. MICROSOFT VULNERABILITY SUMMARY
           1. Multiple Vendor Telnet Client Remote Information Disclosure Vulnerability
           2. Microsoft Internet Explorer PNG Image Rendering Buffer Overflow Vulnerability
           3. Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability
           4. Microsoft Internet Explorer XML Redirect Information Disclosure Vulnerability
           5. Microsoft Step-By-Step Interactive Training Bookmark Link Buffer Overflow Vulnerability
           6. Microsoft Internet Explorer Unspecified DigWebX ActiveX Control Vulnerability
           7. Microsoft Internet Explorer Unspecified GIF And BMP Denial Of Service Vulnerability
           8. Microsoft Agent Trusted Content Spoofing Vulnerability
           9. Microsoft Windows Web Client Service Remote Code Execution Vulnerability
           10. Microsoft Outlook Express NNTP Response Parsing Buffer Overflow Vulnerability
           11. Microsoft Exchange Server Outlook Web Access HTML Injection Vulnerability
           12. Microsoft Windows HTML Help Remote Code Execution Vulnerability
           13. Microsoft ISA Server NetBIOS Predefined Filter Policy Bypass Vulnerability
           14. Microsoft ISA Server HTTP/HTTPS Service Basic Auth Information Disclosure Vulnerability
           15. Microsoft ISA Server HTTP Request Smuggling Vulnerability
           16. Sun Java Runtime Environment Unspecified Privilege Escalation Vulnerability
           17. Finjan SurfinGate ASCII File Extension File Filter Circumvention Vulnerability
           18. Adobe Acrobat/Adobe Reader File Existence Disclosure Vulnerability
           19. Mambo Open Source Com_Contents SQL Injection Vulnerability
           20. PAFileDB Multiple Input Validation Vulnerabilities
           21. Opera Web Browser Cross-Site Scripting Local File Disclosure Vulnerability
           22. Opera Web Browser XMLHttpRequest Object Cross-Domain Access Vulnerability
           23. JBoss Malformed HTTP Request Remote Information Disclosure Vulnerability
    III. MICROSOFT FOCUS LIST SUMMARY
           1. Imaging question for MS OS.
           2. Disclaimer on Active/active clustered exchange servers
           3. WSUS/Reboot
           4. IE in Kiosk mode
           5. Windows Server 2K Lockdown Baseline
           6. SecurityFocus Microsoft Newsletter #244
    IV. UNSUBSCRIBE INSTRUCTIONS
    V. SPONSOR INFORMATION

    I. FRONT AND CENTER
    ---------------------
    1. Interview with Marcus Ranum
    By Federico Biancuzzi
    Could you introduce yourself?
    http://www.securityfocus.com/columnists/334

    2. Your fingerprints are everywhere
    By Scott Granneman
    How much do you trust your government? That's a question that all of us have to ask, perhaps the more often the better.
    http://www.securityfocus.com/columnists/333

    3. Software Firewalls: Made of Straw? Part 2 of 2
    By Israel G. Lugo, Don Parker
    In part two we look at how easily the firewall's operation can be circumvented by inserting a malicious Trojan into the network stack itself.
    http://www.securityfocus.com/infocus/1840

    II. MICROSOFT VULNERABILITY SUMMARY
    ------------------------------------
    1. Multiple Vendor Telnet Client Remote Information Disclosure Vulnerability
    BugTraq ID: 13940
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13940
    Summary:
    Telnet clients provided by multiple vendors are susceptible to a remote information disclosure vulnerability.

    Any information stored in the environment of a client using an affected telnet application can be retrieved by a malicious telnet server that the client connects to. The contents of environment variables may be sensitive in nature, allowing attackers to gain information that may aid them in further system compromise.
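    The mechanism by which a telnet server asks a client for environment variables is the NEW-ENVIRON option (RFC 1572): the server sends a SEND subnegotiation, and the client answers with an IS subnegotiation carrying name/value pairs. The following is an added example, not code from the newsletter or from any vendor's telnet client; it models the unsafe client behaviour (export whatever the server names, or everything for an empty SEND) beside an allow-listed client. SAMPLE_ENV and SAFE_VARIABLES are constructed for the demo.

```python
# Added example (not from the newsletter or any vendor's telnet client):
# the Telnet NEW-ENVIRON option (RFC 1572) is how a telnet server asks a
# client for environment variables. The client below shows the unsafe
# behaviour (answer whatever the server asks for) next to an allow-list.
# SAMPLE_ENV and SAFE_VARIABLES are constructed for the demo.

IAC, SB, SE = 255, 250, 240          # telnet command bytes
NEW_ENVIRON = 39                     # option code (RFC 1572)
IS, SEND = 0, 1                      # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

SAMPLE_ENV = {                       # constructed client environment
    "USER": "jdoe",
    "DISPLAY": "ws1:0",
    "HOMEPATH": "\\Documents and Settings\\jdoe",
    "SESSION_TOKEN": "abc123",       # something a server should never see
}
SAFE_VARIABLES = {"USER", "DISPLAY"}  # what a hardened client will export

# Wire form of the server's request (an empty SEND means "send everything"):
SEND_EVERYTHING = bytes([IAC, SB, NEW_ENVIRON, SEND, IAC, SE])


def parse_send(msg):
    """Decode a SEND subnegotiation into [(VAR|USERVAR, name), ...].
    An empty list means the server asked for every variable."""
    head = bytes([IAC, SB, NEW_ENVIRON, SEND])
    tail = bytes([IAC, SE])
    if not (msg.startswith(head) and msg.endswith(tail)):
        raise ValueError("not a NEW-ENVIRON SEND subnegotiation")
    body = msg[len(head):-len(tail)]
    requests, i = [], 0
    while i < len(body):
        kind = body[i]
        if kind not in (VAR, USERVAR):
            raise ValueError("unexpected byte %d in SEND" % kind)
        i += 1
        name = bytearray()
        while i < len(body) and body[i] not in (VAR, USERVAR):
            if body[i] == ESC and i + 1 < len(body):   # ESC quotes the next byte
                i += 1
            name.append(body[i])
            i += 1
        requests.append((kind, bytes(name)))
    return requests


def _escape(data):
    """Quote bytes that collide with the VAR/VALUE/ESC/USERVAR codes."""
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)
        out.append(b)
    return bytes(out)


def build_is(env, requested, allowed=None):
    """Build the client's IS reply. allowed=None reproduces the unsafe
    behaviour (export anything the server names, or everything for an
    empty SEND); an allow-list restricts what can ever leave the client."""
    names = list(env) if not requested else [n.decode() for _, n in requested]
    out = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for name in names:
        if name not in env or (allowed is not None and name not in allowed):
            continue
        out += bytes([VAR]) + _escape(name.encode())
        out += bytes([VALUE]) + _escape(env[name].encode())
    out += bytes([IAC, SE])
    return bytes(out)


def disclosed_variables(is_msg):
    """Decode an IS reply into a dict: what the server actually learned."""
    head = bytes([IAC, SB, NEW_ENVIRON, IS])
    if not is_msg.startswith(head):
        raise ValueError("not a NEW-ENVIRON IS subnegotiation")
    body, result, i = is_msg[len(head):-2], {}, 0
    while i < len(body):
        if body[i] not in (VAR, USERVAR):
            raise ValueError("malformed IS reply")
        i += 1
        name, value = bytearray(), bytearray()
        current = name
        while i < len(body) and body[i] not in (VAR, USERVAR):
            b = body[i]
            if b == VALUE:
                current = value
            elif b == ESC and i + 1 < len(body):
                i += 1
                current.append(body[i])
            else:
                current.append(b)
            i += 1
        result[name.decode()] = value.decode()
    return result


if __name__ == "__main__":
    req = parse_send(SEND_EVERYTHING)
    print("unsafe client discloses:", disclosed_variables(build_is(SAMPLE_ENV, req)))
    print("hardened client discloses:",
          disclosed_variables(build_is(SAMPLE_ENV, req, SAFE_VARIABLES)))
```

    The point of the allow-list is that the server, not the user, chooses which names appear in SEND; a client that honours arbitrary requests will hand over anything that happens to be in its environment.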

    2. Microsoft Internet Explorer PNG Image Rendering Buffer Overflow Vulnerability
    BugTraq ID: 13941
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13941
    Summary:
    Microsoft Internet Explorer is prone to a buffer overflow vulnerability. This issue exists in the PNG image rendering library used by the browser.

    Successful exploitation will result in execution of arbitrary code in the context of the currently logged in user.

    This issue is present in the PNG image rendering library, so it is possible that other applications that use the library are affected. This is not confirmed and Symantec is not aware of any such applications.

    3. Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability
    BugTraq ID: 13942
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13942
    Summary:
    Microsoft SMB is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure to properly bounds check user-supplied data in incoming SMB packets before copying it into an insufficiently sized memory buffer.

    Remote attackers may exploit this vulnerability to execute arbitrary machine code in kernel context. Microsoft has stated that other attack vectors may exist, in the form of passing malicious parameters to the affected component, either locally or remotely.

    Failed exploit attempts will likely crash the affected computer, denying service to legitimate users.

    4. Microsoft Internet Explorer XML Redirect Information Disclosure Vulnerability
    BugTraq ID: 13943
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13943
    Summary:
    Microsoft Internet Explorer is prone to an information disclosure vulnerability. Specifically, it may be possible for remote users to read XML data from an affected computer via a malicious Web page.

    This issue is a variant of BID 5560. This variant was not addressed with the release of MS02-047. Microsoft has released a new security bulletin to provide fixes for this variant. Microsoft has stated that Windows Server 2003 with the Enhanced Security Configuration enabled is not affected.

    5. Microsoft Step-By-Step Interactive Training Bookmark Link Buffer Overflow Vulnerability
    BugTraq ID: 13944
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13944
    Summary:
    Microsoft Step-By-Step Interactive Training is prone to a buffer overflow vulnerability. This is due to a boundary condition error related to validation of data in bookmark link files. As bookmark link files may originate from an external source, this issue may be remotely exploitable.

    Successful exploitation will result in execution of arbitrary code in the context of the currently logged in user.

    A number of third-party providers may supply the Step-by-Step Interactive training program as a part of their products. There is not a conclusive list of products that may have installed this software.

    6. Microsoft Internet Explorer Unspecified DigWebX ActiveX Control Vulnerability
    BugTraq ID: 13946
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13946
    Summary:
    Microsoft Internet Explorer is prone to an unspecified vulnerability in the DigWebX ActiveX control.

    The vendor has not released any further information about this vulnerability other than to state the "kill bit" has been set on unsupported versions of the control.

    7. Microsoft Internet Explorer Unspecified GIF And BMP Denial Of Service Vulnerability
    BugTraq ID: 13947
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13947
    Summary:
    Microsoft Internet Explorer is prone to a denial of service vulnerability when rendering malformed GIF and BMP images. Malformed images for other file formats may also cause a similar condition, though the vendor has not provided any further information.

    The vendor has not released any further information about this issue other than to state that it is addressed by the Cumulative Security Update For Internet Explorer.

    8. Microsoft Agent Trusted Content Spoofing Vulnerability
    BugTraq ID: 13948
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13948
    Summary:
    Microsoft Agent is prone to a vulnerability that could allow a malicious Web site to spoof trusted content. This could result in a user downloading and executing malicious files thinking they are safe.

    9. Microsoft Windows Web Client Service Remote Code Execution Vulnerability
    BugTraq ID: 13950
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13950
    Summary:
    Microsoft Windows Web Client Service is affected by a remote code execution vulnerability. This is due to a buffer overflow in the affected component.

    A remote authenticated attacker can exploit this issue by sending a malformed message to the Web Client Service. This can lead to arbitrary code execution resulting in privilege escalation.

    An attacker may also exploit this issue through another application that passes data to the vulnerable component.

    Web Client Service is disabled on Windows Server 2003 by default.

    10. Microsoft Outlook Express NNTP Response Parsing Buffer Overflow Vulnerability
    BugTraq ID: 13951
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13951
    Summary:
    Microsoft Outlook Express is prone to a buffer overflow when parsing NNTP responses. Successful exploitation could allow arbitrary code execution in the context of the user running the application.

    11. Microsoft Exchange Server Outlook Web Access HTML Injection Vulnerability
    BugTraq ID: 13952
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13952
    Summary:
    Outlook Web Access is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

    An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user, in the context of the Outlook Web Access site and that user's session.

    This issue is reported to affect Outlook Web Access for Exchange Server 5.5.

    12. Microsoft Windows HTML Help Remote Code Execution Vulnerability
    BugTraq ID: 13953
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13953
    Summary:
    Microsoft Windows HTML Help is affected by a remote code execution vulnerability.

    The vulnerability is triggered when the component handles malformed data supplied through the InfoTech protocol handlers (ms-its:, its:, mk:@msitstore:).

    An attacker may exploit this issue from a malicious Web page or through HTML email to execute arbitrary code with the privileges of the currently logged in user.

    This vulnerability affects any application that uses the HTML Help component, of which Internet Explorer is the most exposed.
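    Because the malformed data reaches HTML Help through those protocol prefixes, the practical control at a mail gateway or proxy is to flag any inbound HTML that references them. The following is an added detection example, not code from the newsletter or from Microsoft; SAMPLE_MESSAGE is a constructed HTML e-mail body, and the domains in it are placeholders.

```python
import re

# Added detection example, not from the newsletter or from Microsoft: it flags
# links and embedded objects whose URL uses one of the InfoTech protocol
# prefixes named above. SAMPLE_MESSAGE is a constructed HTML e-mail body.

# The prefix must start an attribute value or stand alone, so "bits:" or
# "https:" never match; the target runs to the next quote, whitespace or '>'.
_INFOTECH_URL = re.compile(
    r"""(?:^|[\s"'=(])(?P<scheme>ms-its|its|mk:@msitstore):(?P<target>[^\s"'>)]+)""",
    re.IGNORECASE,
)

SAMPLE_MESSAGE = r"""<html><body>
<p>Your account statement is attached, see the help file for details.</p>
<a href="ms-its:http://evil.example/guide.chm::/start.htm">Open the guide</a>
<iframe src='mk:@MSITStore:C:\temp\help.chm::/index.htm' width=0 height=0></iframe>
<object data=its:statement.chm::/view.htm></object>
<img src="https://www.example.test/logo.png">
</body></html>"""


def find_infotech_urls(content):
    """Return [(scheme, target), ...] for every InfoTech-style URL found."""
    return [(m.group("scheme").lower(), m.group("target"))
            for m in _INFOTECH_URL.finditer(content)]


def is_suspicious(content):
    """Mail-gateway style verdict: any InfoTech URL in inbound HTML is enough
    to quarantine, because HTML Help content has no business arriving by e-mail."""
    return bool(find_infotech_urls(content))


if __name__ == "__main__":
    for scheme, target in find_infotech_urls(SAMPLE_MESSAGE):
        print("%-14s %s" % (scheme, target))
```

    The scheme match is case-insensitive and keyed on what precedes it, so the check survives attribute quoting tricks such as unquoted values, but it is a string scan: content that is base64-encoded or assembled by script has to be decoded or rendered before this check is meaningful.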

    13. Microsoft ISA Server NetBIOS Predefined Filter Policy Bypass Vulnerability
    BugTraq ID: 13954
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13954
    Summary:
    Microsoft Internet Security and Acceleration (ISA) server is prone to a policy bypass vulnerability. Reports indicate that the issue manifests when a Microsoft ISA server is utilizing the 'NetBIOS (all)' predefined filter.

    A remote attacker may leverage this vulnerability to successfully make NetBIOS connections to NetBIOS based services that exist on a target ISA server.

    14. Microsoft ISA Server HTTP/HTTPS Service Basic Auth Information Disclosure Vulnerability
    BugTraq ID: 13955
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13955
    Summary:
    Microsoft Internet Security and Acceleration (ISA) server is prone to an information disclosure vulnerability. Reports indicate that the issue manifests when an ISA server is publishing a Web service that has Basic authentication enabled, but the Web publishing rules that process the request are configured as 'SSL required'.

    An attacker that has the ability to intercept network communications between the ISA server and a client may leverage this issue to obtain Web site authentication credentials.

    15. Microsoft ISA Server HTTP Request Smuggling Vulnerability
    BugTraq ID: 13956
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13956
    Summary:
    Microsoft Internet Security and Acceleration (ISA) server is reported prone to an HTTP request smuggling attack.

    The vendor reports that Microsoft ISA server fails to correctly handle an invalid HTTP request whose headers contain multiple 'Content-Length' values.

    A remote attacker may exploit this issue to launch cache poisoning or content-restriction bypass attacks against the affected server.
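    Request smuggling works because two hops in the path resolve the duplicate header differently and therefore disagree about where the first request ends; the bytes one hop treats as body, the other treats as a second request. The following is an added example, not ISA Server code: two lenient parsers (first value wins, last value wins) beside the strict check that refuses conflicting values. SMUGGLED is a constructed request buffer and www.example.test a placeholder host.

```python
# Added example, not ISA Server code: two lenient parsers that resolve duplicate
# Content-Length headers differently disagree about where the first request
# ends, so bytes one side treats as body the other treats as a second request.
# strict_parse() is the check a proxy should apply. SMUGGLED is constructed.

def _split_headers(raw):
    """Split a raw request buffer into (request line, [(name, value)], rest)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode(), value.strip().decode()))
    return lines[0].decode(), headers, rest


def lenient_parse(raw, policy):
    """Split a buffer into requests, taking the 'first' or 'last'
    Content-Length when several are present (both behaviours are seen in
    real servers and proxies, which is what makes smuggling possible)."""
    requests, rest = [], raw
    while rest:
        request_line, headers, rest = _split_headers(rest)
        lengths = [int(v) for n, v in headers if n == "content-length"]
        length = 0 if not lengths else (lengths[0] if policy == "first" else lengths[-1])
        requests.append((request_line, rest[:length]))
        rest = rest[length:]
    return requests


def strict_parse(raw):
    """Accept one request only if all Content-Length values agree
    (RFC 7230 section 3.3.2); otherwise refuse it outright."""
    request_line, headers, rest = _split_headers(raw)
    lengths = {v for n, v in headers if n == "content-length"}
    if len(lengths) > 1:
        raise ValueError("conflicting Content-Length values: %s" % sorted(lengths))
    length = int(lengths.pop()) if lengths else 0
    return request_line, rest[:length]


def strict_rejects(raw):
    """True when the strict parser refuses the buffer."""
    try:
        strict_parse(raw)
    except ValueError:
        return True
    return False


# Constructed attack buffer: the short length covers only FIRST_BODY; the long
# one also swallows HIDDEN, a second request the attacker wants one hop to
# forward (or cache) while the other hop never sees it as a request at all.
FIRST_BODY = b"x=1&y="
HIDDEN = b"GET /admin HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SMUGGLED = b"".join([
    b"POST /search HTTP/1.1\r\n",
    b"Host: www.example.test\r\n",
    b"Content-Length: %d\r\n" % len(FIRST_BODY),
    b"Content-Length: %d\r\n" % (len(FIRST_BODY) + len(HIDDEN)),
    b"\r\n",
    FIRST_BODY,
    HIDDEN,
])


if __name__ == "__main__":
    print("first-wins sees:", [r[0] for r in lenient_parse(SMUGGLED, "first")])
    print("last-wins sees: ", [r[0] for r in lenient_parse(SMUGGLED, "last")])
    print("strict parser rejects:", strict_rejects(SMUGGLED))
```

    A first-wins hop sees two requests (the POST and a GET for /admin) while a last-wins hop sees one POST whose body happens to contain the GET; whichever side applies access rules or populates a cache can be made to act on a request the other side never evaluated. The strict parser still accepts repeated but identical values, which is the one duplicate form the RFC permits.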

    16. Sun Java Runtime Environment Unspecified Privilege Escalation Vulnerability
    BugTraq ID: 13958
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13958
    Summary:
    Sun Java Runtime Environment is susceptible to an unspecified privilege escalation vulnerability.

    This vulnerability allows remote, untrusted Java applications to gain elevated privileges. This allows them to read or write local files, or to execute arbitrary local applications. These actions are normally forbidden for untrusted applications running in the Java virtual machine.

    Further details are not available at this time. This BID will be updated as further information is disclosed.

    17. Finjan SurfinGate ASCII File Extension File Filter Circumvention Vulnerability
    BugTraq ID: 13959
    Remote: Yes
    Date Published: 2005-06-14
    Relevant URL: http://www.securityfocus.com/bid/13959
    Summary:
    SurfinGate may allow an attacker to circumvent file filters.

    It has been reported that an attacker may bypass SurfinGate file filtering rules by using ASCII encoding in the file name.

    SurfinGate version 7.0 SP2 and 7.0 SP3 are reportedly vulnerable. Other versions may be affected as well.

    18. Adobe Acrobat/Adobe Reader File Existence Disclosure Vulnerability
    BugTraq ID: 13962
    Remote: Yes
    Date Published: 2005-06-15
    Relevant URL: http://www.securityfocus.com/bid/13962
    Summary:
    Adobe Acrobat and Adobe Reader may allow remote attackers to determine the existence of files on a vulnerable computer.

    Information gathered through the exploitation of this vulnerability may aid in other attacks.

    19. Mambo Open Source Com_Contents SQL Injection Vulnerability
    BugTraq ID: 13966
    Remote: Yes
    Date Published: 2005-06-15
    Relevant URL: http://www.securityfocus.com/bid/13966
    Summary:
    Mambo 'com_contents' component is prone to an SQL injection vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input.

    An attacker may use this to influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. In particular, it may be possible to disclose the administrator password hash by exploiting this issue.

    20. PAFileDB Multiple Input Validation Vulnerabilities
    BugTraq ID: 13967
    Remote: Yes
    Date Published: 2005-06-15
    Relevant URL: http://www.securityfocus.com/bid/13967
    Summary:
    paFileDB is prone to multiple input validation vulnerabilities. The following issues are reported:

    Multiple SQL injection issues exist in paFileDB.

    The impact of these issues will vary depending on features supported by the database implementation but may be limited due to the nature of affected queries.

    Multiple cross-site scripting issues are also reported when passing user-supplied arguments to the 'sortby', 'filelist', and 'pages' parameters of the 'pafiledb.php' script.

    Exploitation of these issues may allow for compromise of the software, session hijacking, or attacks against the underlying database.

    Finally, paFileDB is prone to a file disclosure vulnerability. The 'action' parameter of the 'pafiledb.php' script is affected by the vulnerability.
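    Both the Mambo and the paFileDB entries above describe the same root cause: a URI parameter spliced into a SQL string. The following is an added example, not Mambo or paFileDB code, written against an in-memory SQLite database: a content lookup that concatenates the 'id' parameter, the UNION payload that turns it into a dump of the users table (the administrator hash disclosure mentioned above), and the parameterised, type-checked replacement. The schema, rows, password hash and query string are all constructed for the demo.

```python
import sqlite3
from urllib.parse import parse_qs

# Added example, not Mambo or paFileDB code: a content lookup that splices the
# 'id' URI parameter into SQL, the UNION payload that turns it into a dump of
# the users table, and the parameterised, type-checked replacement. The schema,
# rows and password hash are constructed for the demo.

def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, introtext TEXT);
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO content VALUES (1, 'Welcome', 'Hello world');
        INSERT INTO content VALUES (2, 'News', 'Second item');
        INSERT INTO users   VALUES (62, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def id_from_query(query_string):
    """Pull the 'id' parameter out of a URI query string, as a CMS would."""
    return parse_qs(query_string).get("id", [""])[0]


def vulnerable_lookup(conn, id_param):
    """String concatenation: whatever is in id_param becomes part of the SQL."""
    sql = "SELECT title, introtext FROM content WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param):
    """Reject anything that is not an integer, then bind the value as a
    parameter so it can never be parsed as SQL."""
    try:
        article_id = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT title, introtext FROM content WHERE id = ?", (article_id,)
    ).fetchall()


# Constructed query string an attacker might send: the id selects nothing,
# and the UNION appends the users table to the result set.
ATTACK_QUERY = "task=view&id=0+UNION+SELECT+username,+password+FROM+users"

if __name__ == "__main__":
    db = make_demo_db()
    payload = id_from_query(ATTACK_QUERY)
    print("vulnerable:", vulnerable_lookup(db, payload))
    print("safe:      ", safe_lookup(db, payload))
```

    The UNION needs only the column count to line up with the original SELECT, which is why a two-column content query is enough to lift a username/hash pair. The integer check alone would stop this payload, but the bound parameter is what stops the next one.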

    21. Opera Web Browser Cross-Site Scripting Local File Disclosure Vulnerability
    BugTraq ID: 13969
    Remote: Yes
    Date Published: 2005-06-16
    Relevant URL: http://www.securityfocus.com/bid/13969
    Summary:
    Opera Web Browser is affected by a cross-site scripting vulnerability that can also be leveraged to disclose local files.

    Attackers may steal cookie-based authentication credentials, disclose local files in the context of the browser and carry out other attacks.

    Opera Web Browser version 8.0 is prone to this issue.

    22. Opera Web Browser XMLHttpRequest Object Cross-Domain Access Vulnerability
    BugTraq ID: 13970
    Remote: Yes
    Date Published: 2005-06-16
    Relevant URL: http://www.securityfocus.com/bid/13970
    Summary:
    Opera Web Browser is prone to an issue that allows a violation of the cross-domain security model.

    This issue arises due to an access validation error affecting the 'XMLHttpRequest' object.

    Successful exploitation may result in cookie theft, content manipulation, information disclosure or other attacks.

    Opera Web Browser version 8.0 is prone to this issue.

    23. JBoss Malformed HTTP Request Remote Information Disclosure Vulnerability
    BugTraq ID: 13985
    Remote: Yes
    Date Published: 2005-06-17
    Relevant URL: http://www.securityfocus.com/bid/13985
    Summary:
    JBoss is prone to a remote information disclosure vulnerability. The issue exists in the 'org.jboss.web.WebServer' class and is due to a lack of sufficient sanitization of user-supplied request data.

    Information that is harvested through leveraging of this issue may be used to aid in further attacks that are launched against the affected service.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Imaging question for MS OS.
    http://www.securityfocus.com/archive/88/402892

    2. Disclaimer on Active/active clustered exchange servers
    http://www.securityfocus.com/archive/88/402785

    3. WSUS/Reboot
    http://www.securityfocus.com/archive/88/402572

    4. IE in Kiosk mode
    http://www.securityfocus.com/archive/88/402477

    5. Windows Server 2K Lockdown Baseline
    http://www.securityfocus.com/archive/88/402321

    6. SecurityFocus Microsoft Newsletter #244
    http://www.securityfocus.com/archive/88/402299

    IV. UNSUBSCRIBE INSTRUCTIONS
    -----------------------------
    To unsubscribe send an e-mail message to focus-ms-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

    If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

    V. SPONSOR INFORMATION
    ------------------------
    This Issue is Sponsored By: Black Hat

    Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 29 hands-on training courses and 10 conference tracks, networking opportunities with over 2,000 delegates from 30+ nations.

    http://www.securityfocus.com/sponsor/BlackHat_sf-news_050621

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


