SecurityFocus Microsoft Newsletter #260

• Previous message: Bart Seresia: "Authentication History Windows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 12 Oct 2005 07:28:56 -0600 (MDT)
To: Focus-MS <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #260
----------------------------------------

This Issue is Sponsored By: Qualys

Test your Network Security with QualysGuard
Testing and improving your network security has never been easier. Requiring NO
software, QualysGuard will safely and accurately audit your network and provide
you with the necessary fixes to proactively guard your network. Try QualysGuard
Risk Free with No Obligation.

http://altfarm.mediaplex.com/ad/ck/6148-32572-6929-1

------------------------------------------------------------------
I. FRONT AND CENTER
       1. Can writing software be a crime?
       2. Reducing browser privileges
II. MICROSOFT VULNERABILITY SUMMARY
       1. Bugzilla config.cgi Information Disclosure Vulnerability
       2. Bugzilla User-Matching Information Disclosure Vulnerability
       3. Symantec AntiVirus Scan Engine Web Service Administrative Interface
Buffer Overflow Vulnerability
       4. MailEnable W3C Logging Buffer Overflow Vulnerability
       5. Microsoft Windows Wireless Zero Configuration Service Information
Disclosure Vulnerability
       6. ALTools ALZip Multiple Archive Formats File Name Buffer Overflow
Vulnerability
       7. Sun ONE Directory Server Unspecified Remote Vulnerability
       8. Webroot Software Desktop Firewall Multiple Local Vulnerabilities
       9. Microsoft October Advance Notification Unspecified Security
Vulnerabilities
       10. MediaWiki HTML Inline Style Attributes Unspecified Cross-Site
Scripting Vulnerability
       11. Multiple Vendor Antivirus Products Malformed Archives Scan Evasion
Vulnerability
       12. PHPMyAdmin Local File Include Vulnerability
       13. Kaspersky Anti-Virus Engine CHM File Parser Remote Buffer Overflow
Vulnerability
       14. Microsoft Windows MSDTC Memory Corruption Vulnerability
       15. Microsoft MSDTC COM+ Remote Code Execution Vulnerability
       16. Microsoft MSDTC TIP Denial Of Service Vulnerability
       17. Microsoft MSDTC TIP Distributed Denial Of Service Vulnerability
       18. Microsoft Internet Explorer COM Object Instantiation Variant
Vulnerability
       19. RARLAB WinRAR Multiple Remote Vulnerabilities
       20. Microsoft DirectX DirectShow AVI Processing Buffer Overflow
Vulnerability
       21. Microsoft Windows Explorer Web View Script Injection Vulnerability
       22. Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer
Overflow Vulnerability
       23. Microsoft Windows Client Service For Netware Buffer Overflow
Vulnerability
       24. Microsoft Collaboration Data Objects Remote Buffer Overflow
Vulnerability
       25. Microsoft Windows Malicious Shortcut Handling Remote Code Execution
Vulnerability
       26. Microsoft Windows Malicious Shortcut Handling Remote Code Execution
Variant Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
       1. SecurityFocus Microsoft Newsletter #259
       2. windows secure copy
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Can writing software be a crime?
By Mark Rasch
Can writing software be a crime? A recent indictment in San Diego, California
indicates that the answer to that question may be yes.
http://www.securityfocus.com/columnists/360

2. Reducing browser privileges
By Mark Squire
Security companies and researchers have made careers out of identifying the
latest bugs in Internet Explorer.
http://www.securityfocus.com/infocus/1848

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Bugzilla config.cgi Information Disclosure Vulnerability
BugTraq ID: 14995
Remote: Yes
Date Published: 2005-10-01
Relevant URL: http://www.securityfocus.com/bid/14995
Summary:
Bugzilla is prone to an information disclosure issue exposed through
config.cgi. This may allow an unauthorized user to access product names that
are supposed to be confidential.

Bugzilla versions 2.18rc1 to 2.18.3, 2.19 to 2.20rc2, and 2.21 are affected.

2. Bugzilla User-Matching Information Disclosure Vulnerability
BugTraq ID: 14996
Remote: Yes
Date Published: 2005-10-01
Relevant URL: http://www.securityfocus.com/bid/14996
Summary:
Bugzilla is prone to an information disclosure vulnerability when user-matching
is turned on. This could allow an attacker to enumerate usernames on the
system.

Bugzilla 2.19.1 to 2.20rc2 and 2.21 are prone to this vulnerability.

3. Symantec AntiVirus Scan Engine Web Service Administrative Interface Buffer
Overflow Vulnerability
BugTraq ID: 15001
Remote: Yes
Date Published: 2005-10-03
Relevant URL: http://www.securityfocus.com/bid/15001
Summary:
A buffer overflow vulnerability exists in the Web-based administrative
interface of the Symantec Antivirus Scan Engine. This issue is due to improper
bound checking of user-supplied data prior to copying it into an insufficiently
sized memory buffer.

This vulnerability allows attackers to execute arbitrary machine code in the
context of the affected application. This allows remote attackers to gain
privileged remote access to computers running the affected application.

4. MailEnable W3C Logging Buffer Overflow Vulnerability
BugTraq ID: 15006
Remote: Yes
Date Published: 2005-10-03
Relevant URL: http://www.securityfocus.com/bid/15006
Summary:
MailEnable is prone to a buffer overflow vulnerability.

This issue arises when the application processes W3C logging and may allow an
attacker to execute arbitrary code on a vulnerable computer with SYSTEM
privileges.

MailEnable Professional version 1.6 and prior and MailEnable Enterprise version
1.1 and prior are affected.

5. Microsoft Windows Wireless Zero Configuration Service Information Disclosure
Vulnerability
BugTraq ID: 15008
Remote: Unknown
Date Published: 2005-10-04
Relevant URL: http://www.securityfocus.com/bid/15008
Summary:
WZCSVC is affected by an information disclosure vulnerability.
Reportedly, the Pairwise Master Key (PMK) of the Wi-Fi Protected Access (WPA)
preshared key authentication and the WEP keys of the interface may be obtained
by a local unauthorized attacker.

A successful attack can allow an attacker to obtain the keys and subsequently
gain unauthorized access to a device. This attack would likely present itself
in a multi-user environment with restricted or temporary wireless access such
as an Internet cafe, where an attacker could return at a later time and gain
unauthorized access.

Microsoft Windows XP SP2 was reported to be vulnerable, however, it is possible
that other versions are affected as well.

6. ALTools ALZip Multiple Archive Formats File Name Buffer Overflow
Vulnerability
BugTraq ID: 15010
Remote: Yes
Date Published: 2005-10-05
Relevant URL: http://www.securityfocus.com/bid/15010
Summary:
ALZip is prone to a buffer overflow when handling various archive formats.

Long file names can be copied into a finite stack-based buffer without adequate
limitations on the size of the source data resulting in corruption of adjacent
regions of stack-based memory.
This issue could be exploited to execute arbitrary code facilitating a remote
compromise.

7. Sun ONE Directory Server Unspecified Remote Vulnerability
BugTraq ID: 15013
Remote: Yes
Date Published: 2005-10-06
Relevant URL: http://www.securityfocus.com/bid/15013
Summary:
Sun ONE Directory Server is prone to an unspecified remote vulnerability.

The cause of this issue was not specified, however, it was reported that this
issue can allow attackers to remotely compromise a vulnerable computer.

Sun ONE Directory Server 5.2 patch 3 and prior versions are affected by this
issue. It is possible that Sun Java System Directory Server is vulnerable as
well.

Due to a lack of details, further information is not available at the moment.
This BID will be updated when more details become available.

8. Webroot Software Desktop Firewall Multiple Local Vulnerabilities
BugTraq ID: 15016
Remote: No
Date Published: 2005-10-06
Relevant URL: http://www.securityfocus.com/bid/15016
Summary:
Webroot Software Desktop Firewall is susceptible to multiple local
vulnerabilities.

The first issue is a buffer overflow vulnerability, due to a failure of the
application to properly bounds check user-supplied data prior to copying it to
an insufficiently sized memory buffer.

Local attackers may exploit this first issue to execute arbitrary machine code
with SYSTEM privileges. Attackers require the ability to modify the firewall's
list of allowed applications.

The second issue is an authentication bypass vulnerability. This issue is due
to a failure of the firewall to properly enforce built-in password protection,
allowing local attackers to disable the firewall.

Local attackers may exploit the second issue to disable the firewall, aiding
them in further attacks.

These issues may only be exploited by local attackers with privileges allowing
them to utilize 'DeviceIoControl()' to send commands to the firewall driver.

These issues are reported to exist in version 1.3.0.43. Other versions may also
be affected.

9. Microsoft October Advance Notification Unspecified Security Vulnerabilities
BugTraq ID: 15020
Remote: Unknown
Date Published: 2005-10-06
Relevant URL: http://www.securityfocus.com/bid/15020
Summary:
Microsoft has released advanced notification for nine security bulletins that
will be released on October 11, 2005.

Eight of these security bulletins affect Microsoft Windows and one affects
Microsoft Exchange and Microsoft Windows.

10. MediaWiki HTML Inline Style Attributes Unspecified Cross-Site Scripting
Vulnerability
BugTraq ID: 15024
Remote: Yes
Date Published: 2005-10-06
Relevant URL: http://www.securityfocus.com/bid/15024
Summary:
MediaWiki is prone to a cross-site scripting vulnerability. This issue is due
to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in
the browser of an unsuspecting user in the context of the affected site. This
may facilitate the theft of cookie-based authentication credentials as well as
other attacks.

11. Multiple Vendor Antivirus Products Malformed Archives Scan Evasion
Vulnerability
BugTraq ID: 15046
Remote: Yes
Date Published: 2005-10-08
Relevant URL: http://www.securityfocus.com/bid/15046
Summary:
Multiple antivirus products from various vendors are reported prone to a
vulnerability that may allow malformed archive files to bypass detection.

This issue arises when an affected application processes a specially altered
archive file that contains a fake, misleading MS-DOS executable MZ header.

This issue could result in malicious archives bypassing detection and allowing
the contents to be opened by a recipient.

It should be noted that specific information regarding affected packages and
versions is currently unavailable. The reporter of this issue used the EICAR
test message stored in multiple different malformed archives. It may be
possible that some of the reportedly affected packages may actually be immune
to this issue.

This BID will be updated as further information is disclosed.

12. PHPMyAdmin Local File Include Vulnerability
BugTraq ID: 15053
Remote: Yes
Date Published: 2005-10-10
Relevant URL: http://www.securityfocus.com/bid/15053
Summary:
phpMyAdmin is prone to a local file include vulnerability.

An attacker may leverage this issue to execute arbitrary server-side script
code that resides on an affected computer with the privileges of the Web server
process. This may potentially facilitate unauthorized access.
phpMyAdmin 2.6.4-pl1 is reported to be vulnerable. Other versions may be
affected as well.

13. Kaspersky Anti-Virus Engine CHM File Parser Remote Buffer Overflow
Vulnerability
BugTraq ID: 15054
Remote: Yes
Date Published: 2005-10-10
Relevant URL: http://www.securityfocus.com/bid/15054
Summary:
Kaspersky Anti-Virus Engine is prone to a remote buffer overflow vulnerability.

This issue presents itself when an attacker sends a maliciously crafted CHM
file to an affected computer and this file is processed by Kaspersky's CHM file
parser.

This vulnerability allows attackers to execute arbitrary machine code in the
context of the affected application. Attackers may gain privileged remote
access to computers running the affected application.

14. Microsoft Windows MSDTC Memory Corruption Vulnerability
BugTraq ID: 15056
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15056
Summary:
The Microsoft Windows MSDTC (Microsoft Distribution Transaction Coordinator)
service is prone to a memory corruption vulnerability. This issue could allow
for execution of arbitrary code in the context of the service. The
vulnerability may be remotely exploitable in some circumstances, but will also
permit local privilege escalation.

This issue is remotely exploitable on Windows 2000 platforms, since the Network
DTC is enabled by default on this platform. On Windows XP, this issue may be
remotely exploitable if a local user has started the service. On Windows
Server 2003, this vulnerability is limited to local privilege escalation unless
Network DTC has been explicitly enabled by an administrator. This issue is not
present on Windows XP SP2 and Windows Server 2003 SP1.

15. Microsoft MSDTC COM+ Remote Code Execution Vulnerability
BugTraq ID: 15057
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15057
Summary:
Microsoft Windows is prone to a vulnerability in the COM+ (Component Object
Model) functionality of the MSDTC (Microsoft Distribution Transaction
Coordinator) service. This issue may permit remote and local attackers to
execute arbitrary code in the context of the service.

This issue may be exploited by remote anonymous attackers on Windows 2000
platforms. On Windows XP versions up to and including SP1, the attacker must
authenticate as the Guest or another account prior to exploitation. On Windows
XP SP2 and all Windows Server 2003 operating systems, this issue is limited to
local privilege escalation.

16. Microsoft MSDTC TIP Denial Of Service Vulnerability
BugTraq ID: 15058
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15058
Summary:
The Microsoft Windows MSDTC (Microsoft Distribution Transaction Coordinator)
service is prone to a denial of service vulnerability.
The vulnerability exists in the TIP (Transaction Internet Protocol)
functionality that is provided by MSDTC. This vulnerability may be exploited
by a remote attacker to deny the availability of services that depend on MSDTC.

This issue only exists on operating systems that have support for the TIP
protocol enabled. This vulnerability is remotely exploitable on default
configurations on Windows 2000. TIP is not enabled by default on Windows XP
and Windows Server 2003 even if the MSDTC service is running.

17. Microsoft MSDTC TIP Distributed Denial Of Service Vulnerability
BugTraq ID: 15059
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15059
Summary:
The Microsoft MSDTC (Microsoft Distribution Transaction Coordinator) service is
prone to a vulnerability that may permit denial of service attacks against the
service or facilitate distributed denial of service attacks against other
computers.

The vulnerability exists in the TIP (Transaction Internet Protocol)
functionality that is provided by MSDTC.
This issue only exists on operating systems that have support for the TIP
protocol enabled. This vulnerability is remotely exploitable on default
configurations on Windows 2000. TIP is not enabled by default on Windows XP
and Windows Server 2003 even if the MSDTC service is running.

18. Microsoft Internet Explorer COM Object Instantiation Variant Vulnerability
BugTraq ID: 15061
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15061
Summary:
Microsoft Internet Explorer is prone to a buffer overflow vulnerability that is
related to instantiation of COM objects.

Successful exploitation could let remote attackers execute arbitrary code in
the context of the currently logged in user on the affected computer.

This is a variant of the vulnerability described in BID 14511 Microsoft
Internet Explorer COM Object Instantiation Buffer Overflow Vulnerability. The
difference between this issue and BID 14511 is that a different set of COM
objects are affected that were not addressed in the previous BID.

19. RARLAB WinRAR Multiple Remote Vulnerabilities
BugTraq ID: 15062
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15062
Summary:
WinRAR is prone to multiple remote vulnerabilities. These issues include a
format string and a buffer overflow vulnerability. Successful exploitation may
allow an attacker to execute arbitrary code on a vulnerable computer.

WinRAR 3.50 and prior versions are vulnerable to these issues.

20. Microsoft DirectX DirectShow AVI Processing Buffer Overflow Vulnerability
BugTraq ID: 15063
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15063
Summary:
A buffer overflow vulnerability exists in the Microsoft Windows DirectX
component. This issue is related to processing of .AVI (Audio Visual
Interleave) media files. The specific vulnerability exists in DirectShow and
could be exposed through applications that employ DirectShow to process .AVI
files.

Successful exploitation will permit execution of arbitrary code in the context
of the user who opens a malicious .AVI file.

This issue could be exploited through any means that will allow the attacker to
deliver a malicious .AVI file to a victim user. In Web-based attack scenarios,
exploitation could occur automatically if the malicious Web page can cause the
.AVI file to be loaded automatically by Windows Media Player. Other attack
vectors such as email or instant messaging may require the victim user to
manually open the malicious .AVI.

It is not known if third-party applications rely on DirectShow to process .AVI
files. If so, these applications could also present an attack vector.

21. Microsoft Windows Explorer Web View Script Injection Vulnerability
BugTraq ID: 15064
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15064
Summary:
Microsoft Windows Explorer Web View is affected by an arbitrary script
injection vulnerability.
An attacker can exploit this issue by crafting a malicious file and placing it
on a Web site or sending it to a user through email followed by enticing them
to preview it in Windows Explorer.

A successful attack can result in a remote compromise in the context of the
vulnerable user.

22. Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow
Vulnerability
BugTraq ID: 15065
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15065
Summary:
Microsoft Windows Plug and Play is prone to a buffer overflow vulnerability.
This issue is due to a failure of the service to properly bounds check
user-supplied data prior to copying it to an insufficiently sized memory
buffer.

This issue takes place when the PnP service handles malformed messages
containing excessive data.
This vulnerability facilitates local privilege escalation and unauthorized
remote access depending on the underlying operating system. A successful attack
may result in arbitrary code execution resulting in an attacker gaining SYSTEM
privileges.

This issue is unrelated to the one documented in BID 14513, "Microsoft Windows
Plug and Play Buffer Overflow Vulnerability", but they both have similar attack
scenarios and affects.

23. Microsoft Windows Client Service For Netware Buffer Overflow Vulnerability
BugTraq ID: 15066
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15066
Summary:
Microsoft Client Service for Netware is prone to a buffer overflow
vulnerability that could permit the execution of arbitrary remote code.

A remote attacker can exploit this vulnerability to execute arbitrary code and
completely compromise the computer. This issue could also be exploited by
local attackers to gain elevated privileges.

It should be noted that the Client Service for Netware is not installed by
default on any affected operating system. Microsoft Windows XP Home is not
affected by this vulnerability at all.

24. Microsoft Collaboration Data Objects Remote Buffer Overflow Vulnerability
BugTraq ID: 15067
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15067
Summary:
Microsoft CDO is susceptible to a remote buffer overflow vulnerability. This
issue is due to a failure of the library to properly bounds check user-supplied
data prior to copying it to an insufficiently sized memory buffer.

This issue presents itself when an attacker sends a specifically crafted email
message to an email server utilizing the affected library.

Further details are not currently available. This BID will be updated as more
information is disclosed.

This issue allows remote attackers to execute arbitrary machine code in the
context of the application utilizing the library.

25. Microsoft Windows Malicious Shortcut Handling Remote Code Execution
Vulnerability
BugTraq ID: 15069
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15069
Summary:
Microsoft Windows is prone to a remote code execution vulnerability when
handling a malicious shortcut (.lnk) file.
An attacker can exploit this issue by crafting a malicious file and placing it
on a Web site or sending it to a user through email followed by enticing them
to open it and view the file's properties.
This issue also poses a local threat as a local unprivileged attacker could
exploit this issue without user interaction to gain elevated privileges.

This vulnerability can facilitate arbitrary code execution with SYSTEM
privileges.

This BID is related to the issue described in BID 15070 (Microsoft Windows
Malicious Shortcut Handling Remote Code Execution Variant Vulnerability).

26. Microsoft Windows Malicious Shortcut Handling Remote Code Execution Variant
Vulnerability
BugTraq ID: 15070
Remote: Yes
Date Published: 2005-10-11
Relevant URL: http://www.securityfocus.com/bid/15070
Summary:
Microsoft Windows is prone to a remote code execution vulnerability when
handling a malicious shortcut (.lnk) file.
An attacker can exploit this issue by crafting a malicious file and placing it
on a Web site or sending it to a user through email followed by enticing them
to open it and view the file's properties.
This issue also poses a local threat as a local unprivileged attacker could
exploit this issue without user interaction to gain elevated privileges.

This vulnerability can facilitate arbitrary code execution with SYSTEM
privileges.

This BID is related to the issue described in BID 15069 (Microsoft Windows
Malicious Shortcut Handling Remote Code Execution Vulnerability).

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #259
http://www.securityfocus.com/archive/88/412498

2. windows secure copy
http://www.securityfocus.com/archive/88/412368

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to
ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
the website.

If your email address has changed email listadmin@securityfocus.com and ask to
be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: Qualys

Test your Network Security with QualysGuard
Testing and improving your network security has never been easier. Requiring NO
software, QualysGuard will safely and accurately audit your network and provide
you with the necessary fixes to proactively guard your network. Try QualysGuard
Risk Free with No Obligation.

http://altfarm.mediaplex.com/ad/ck/6148-32572-6929-1

---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: Bart Seresia: "Authentication History Windows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]