SecurityFocus Microsoft Newsletter #265

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 11/16/05

    Date: Tue, 15 Nov 2005 20:52:41 -0700 (MST)
    To: Focus-MS <focus-ms@securityfocus.com>


    SecurityFocus Microsoft Newsletter #265
    ----------------------------------------

    Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
    is a free service that gives you the ability to track and manage attacks.
    Analyzer automatically correlates attacks from various Firewall and network
    based Intrusion Detection Systems, giving you a comprehensive view of your
    computer or general network. Sign up today!

    http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

    ------------------------------------------------------------------
    I. FRONT AND CENTER
           1. Sony's legal issues
    II. MICROSOFT VULNERABILITY SUMMARY
           1. Macromedia Flash Array Index Memory Access Vulnerability
           2. Macromedia Flash ActionDefineFunction Memory Access Vulnerability
           3. Jed Wing CHM Lib LZX Decompression Method Buffer Overflow
    Vulnerability
           4. Zone Labs Zone Alarm Advance Program Control Bypass Weakness
           5. PHPList Multiple Input Validation Vulnerabilities
           6. Microsoft Windows Graphics Rendering Engine WMF/EMF Format Code
    Execution Vulnerability
           7. Microsoft Windows Graphics Rendering Engine WMF Format Code Execution
    Vulnerability
           8. YaBB Image Upload HTML Injection Vulnerability
           9. Google Talk Email Notification Denial Of Service Vulnerability
           10. IBM DB2 Content Manager Multiple Denial of Service Vulnerabilities
           11. RealNetworks RealOne Player/RealPlayer RM File Remote Stack Based
    Buffer Overflow Vulnerability
           12. RealNetworks RealPlayer DUNZIP32.DLL Heap Overflow Vulnerability
           13. Kerio WinRoute Firewall RTSP Stream Denial of Service Vulnerability
           14. Kerio WinRoute Firewall Disabled Account Bypass Vulnerability
           15. Lynx URI Handlers Arbitrary Command Execution Vulnerability
           16. RealNetworks RealPlayer Unspecified Malformed Image Skin File Buffer
    Overflow Vulnerability
           17. PHPMyAdmin Header_HTTP_Inc.PHP HTTP Response Splitting Vulnerability
           18. Multiple Vendor Antivirus Products Obscured File Name Scan Evasion
    Vulnerability
    III. MICROSOFT FOCUS LIST SUMMARY
           1. Renaming Administrator account
           2. ISA Server or Firewall Appliance?
           3. break in?
           4. On the topic of Windows Hardening
           5. Deny Logon by Domain Admin account to specific PC's or deny to all BUT
    specific PC's
           6. What server hardening are you doing these days?
           7. SecurityFocus Microsoft Newsletter #264
           8. Setup MD5 Checksum for FTP downloads on Win2000 Server OS
    IV. UNSUBSCRIBE INSTRUCTIONS
    V. SPONSOR INFORMATION

    I. FRONT AND CENTER
    ---------------------
    1. Sony's legal issues
    By Mark Rasch
    Sony is in the spotlight over the rootkit they distribute on some of their
    music CDs, and it brings up interesting legal issues relating to EULAs and
    enforcement by the FTC.
    http://www.securityfocus.com/columnists/369

    II. MICROSOFT VULNERABILITY SUMMARY
    ------------------------------------
    1. Macromedia Flash Array Index Memory Access Vulnerability
    BugTraq ID: 15332
    Remote: Yes
    Date Published: 2005-11-05
    Relevant URL: http://www.securityfocus.com/bid/15332
    Summary:
    The Flash plug-in fails to validate a critical array index value. The
    resulting memory access error can be reliably exploited to execute arbitrary
    code.
    An attacker can exploit this vulnerability to execute arbitrary code. The most
    likely vector of attack is a malicious SWF file, placed on a Web site, that is
    designed to trigger the vulnerability.

    Macromedia Flash 6 and 7 are reported affected.

    2. Macromedia Flash ActionDefineFunction Memory Access Vulnerability
    BugTraq ID: 15334
    Remote: Yes
    Date Published: 2005-11-07
    Relevant URL: http://www.securityfocus.com/bid/15334
    Summary:
    The Macromedia Flash plug-in fails to validate a critical array index value
    in its ActionDefineFunction handling. The resulting memory access error may be
    exploited to execute arbitrary code or to carry out a denial of service
    attack.
    An attacker can exploit this vulnerability to execute arbitrary code. The most
    likely vector of attack is a malicious SWF file, placed on a Web site, that is
    designed to trigger the vulnerability.

    Macromedia Flash 6 and 7 are reported affected.

    It should be noted that this issue is similar to the vulnerability described in
    BID 15332 (Macromedia Flash Array Index Memory Access Vulnerability); however,
    this issue affects a different function.

    3. Jed Wing CHM Lib LZX Decompression Method Buffer Overflow Vulnerability
    BugTraq ID: 15338
    Remote: Yes
    Date Published: 2005-11-07
    Relevant URL: http://www.securityfocus.com/bid/15338
    Summary:
    CHM lib is susceptible to a buffer overflow vulnerability.

    Reports indicate that this issue affects the LZX decompression method. It is
    conjectured that the vulnerability is remote in nature and allows attackers to
    execute arbitrary machine code in the context of the application that utilizes
    the CHM lib library.
    Further details are not available at the moment. This BID will be updated when
    more information becomes available.

    4. Zone Labs Zone Alarm Advance Program Control Bypass Weakness
    BugTraq ID: 15347
    Remote: No
    Date Published: 2005-11-07
    Relevant URL: http://www.securityfocus.com/bid/15347
    Summary:
    Zone Labs Zone Alarm is prone to a weakness that permits the bypassing of the
    Advanced Program Control protection.

    Reports indicate that applications can create a modal dialog box displaying
    HTML, which can then be redirected to a remote site.

    This would allow a malicious program to bypass Advanced Program Control
    protection and send data to a remote attacker from a compromised computer.

    It should be noted that this issue only presents itself if the Advanced Program
    Control setting has been enabled and the browser has been authorized to access
    the Internet.

    5. PHPList Multiple Input Validation Vulnerabilities
    BugTraq ID: 15350
    Remote: Yes
    Date Published: 2005-11-07
    Relevant URL: http://www.securityfocus.com/bid/15350
    Summary:
    PHPList is prone to multiple input validation vulnerabilities. These issues
    are due to a failure in the application to properly sanitize user-supplied
    input.

    The application is prone to multiple cross-site scripting, HTTP injection, SQL
    injection and directory traversal vulnerabilities.

    6. Microsoft Windows Graphics Rendering Engine WMF/EMF Format Code Execution
    Vulnerability
    BugTraq ID: 15352
    Remote: Yes
    Date Published: 2005-11-08
    Relevant URL: http://www.securityfocus.com/bid/15352
    Summary:
    Microsoft Windows WMF/EMF graphics rendering engine is affected by a remote
    code execution vulnerability.

    The problem presents itself when a user views a malicious WMF or EMF formatted
    file causing the affected engine to attempt to parse it. Exploitation of this
    issue can trigger an integer overflow that may facilitate heap memory
    corruption and arbitrary code execution.

    Any code execution that occurs will be with SYSTEM privileges due to the nature
    of the affected engine. Successful exploitation can facilitate a remote
    compromise or local privilege escalation.

    7. Microsoft Windows Graphics Rendering Engine WMF Format Code Execution
    Vulnerability
    BugTraq ID: 15356
    Remote: Yes
    Date Published: 2005-11-08
    Relevant URL: http://www.securityfocus.com/bid/15356
    Summary:
    Microsoft Windows WMF graphics rendering engine is affected by a remote code
    execution vulnerability.

    The problem presents itself when a user views a malicious WMF formatted file,
    triggering the vulnerability when the engine attempts to parse the file. A
    malicious file can cause an integer overflow that may facilitate heap memory
    corruption and arbitrary code execution.

    Any code execution that occurs will be with SYSTEM privileges due to the nature
    of the affected engine. Successful exploitation can facilitate a remote
    compromise or local privilege escalation.
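    The two WMF/EMF entries above (BIDs 15352 and 15356) describe the same
    pattern: a length field read from the file feeds an integer computation that
    wraps, so the heap buffer sized from the result is far smaller than the data
    the rest of the parser goes on to handle. The following C program is an added
    example written for this newsletter; it is not Microsoft's graphics engine
    code and does not reproduce the specific flaw. It assumes a simplified
    WMF-style record layout (a 32-bit size counted in 16-bit WORDs that includes
    the record header, then a 16-bit function code, then parameters) and shows
    the wrapping 32-bit length computation next to a checked one, run over a
    small constructed record stream.

```c
/* Added example for SecurityFocus Microsoft Newsletter #265, not Microsoft
   code.  Assumption: a record is a 32-bit size in 16-bit WORDs (header
   included), a 16-bit function code, then (size - 3) WORDs of parameters. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WMF_HDR_WORDS 3u   /* 4-byte size + 2-byte function code */

/* Vulnerable length computation: the 32-bit multiply wraps modulo 2^32.
   size_words = 0x80000001 yields 2 bytes, so a heap buffer sized from this
   value is tiny while later code still trusts the original word count. */
uint32_t record_bytes_vulnerable(uint32_t size_words)
{
    return size_words * 2u;                  /* wraps for >= 0x80000000 */
}

/* Hardened computation: reject sizes too small to hold the header (which
   would underflow size - 3), sizes whose byte count would wrap, and sizes
   larger than the bytes actually remaining in the file. */
int record_bytes_checked(uint32_t size_words, size_t remaining, size_t *out)
{
    if (size_words < WMF_HDR_WORDS)
        return -1;                           /* header does not fit */
    if (size_words > UINT32_MAX / 2u)
        return -1;                           /* size_words * 2 would wrap */
    uint32_t bytes = size_words * 2u;
    if (bytes > remaining)
        return -1;                           /* file lies about its length */
    *out = bytes;
    return 0;
}

/* 1 if the record validates with the given bytes left and its computed
   byte length equals expect, else 0. */
int record_valid_with_len(uint32_t size_words, size_t remaining, size_t expect)
{
    size_t b = 0;
    return record_bytes_checked(size_words, remaining, &b) == 0 && b == expect;
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a little-endian record stream with the checked computation.
   Returns the number of records parsed, or -1 at the first bad record. */
int parse_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < WMF_HDR_WORDS * 2u)
            return -1;                       /* truncated header */
        uint32_t size_words = rd32(buf + off);
        size_t bytes;
        if (record_bytes_checked(size_words, len - off, &bytes) != 0)
            return -1;
        /* function code at buf[off+4..off+5] would be dispatched here */
        off += bytes;
        n++;
    }
    return n;
}

/* Constructed sample input: two well-formed records (3 WORDs, then 4). */
static const uint8_t good_stream[] = {
    0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
    0x04, 0x00, 0x00, 0x00, 0x03, 0x04, 0xAA, 0xBB,
};

/* Constructed malicious input: size field 0x80000001 WORDs in an 8-byte file. */
static const uint8_t evil_stream[] = {
    0x01, 0x00, 0x00, 0x80, 0x01, 0x02, 0x00, 0x00,
};

int main(void)
{
    printf("vulnerable byte count for 0x80000001 WORDs: %u\n",
           record_bytes_vulnerable(0x80000001u));
    printf("good stream: %d records\n",
           parse_records(good_stream, sizeof good_stream));
    printf("evil stream: %d (rejected)\n",
           parse_records(evil_stream, sizeof evil_stream));
    return 0;
}
```

    The order of the three checks matters: the wrap test must run before the
    multiply, and the comparison against the bytes remaining must use the
    already-validated product, otherwise a wrapped value sails through the
    bounds check as a small, plausible length.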

    8. YaBB Image Upload HTML Injection Vulnerability
    BugTraq ID: 15368
    Remote: Yes
    Date Published: 2005-11-09
    Relevant URL: http://www.securityfocus.com/bid/15368
    Summary:
    YaBB is prone to an HTML injection vulnerability. This is due to a lack of
    proper sanitization of user-supplied input before using it in dynamically
    generated content.
    Attacker-supplied HTML and script code would be executed in the context of the
    affected Web site, potentially allowing for theft of cookie-based
    authentication credentials. An attacker could also exploit this issue to
    control how the site is rendered to the user; other attacks are also possible.

    This issue is only present when using the Microsoft Internet Explorer Web
    browser.

    9. Google Talk Email Notification Denial Of Service Vulnerability
    BugTraq ID: 15369
    Remote: Yes
    Date Published: 2005-11-09
    Relevant URL: http://www.securityfocus.com/bid/15369
    Summary:
    Google Talk is prone to a denial of service vulnerability. This is due to a
    programming error in which exceptional conditions generate multiple error
    popup windows that the victim must interact with and close.

    Specially crafted email messages may be repeatedly sent by an attacker to deny
    service to the client application user.

    10. IBM DB2 Content Manager Multiple Denial of Service Vulnerabilities
    BugTraq ID: 15376
    Remote: Yes
    Date Published: 2005-11-10
    Relevant URL: http://www.securityfocus.com/bid/15376
    Summary:
    IBM DB2 Content Manager is prone to multiple vulnerabilities. These issues may
    allow attackers to carry out denial of service attacks.

    The vulnerabilities affect versions prior to Content Manager Version 8.2 Fix
    Pack 10.

    11. RealNetworks RealOne Player/RealPlayer RM File Remote Stack Based Buffer
    Overflow Vulnerability
    BugTraq ID: 15381
    Remote: Yes
    Date Published: 2005-11-10
    Relevant URL: http://www.securityfocus.com/bid/15381
    Summary:
    RealNetworks RealPlayer and RealOne Player are reported prone to a remote stack
    based buffer overflow vulnerability. The issue exists due to a lack of
    boundary checks performed by the application when parsing RM (Real Media)
    files. A remote attacker may execute arbitrary code on a vulnerable computer
    to gain unauthorized access.

    This vulnerability is reported to exist in RealNetworks products for Microsoft
    Windows, Linux, and Apple Mac platforms.

    12. RealNetworks RealPlayer DUNZIP32.DLL Heap Overflow Vulnerability
    BugTraq ID: 15382
    Remote: Yes
    Date Published: 2005-11-10
    Relevant URL: http://www.securityfocus.com/bid/15382
    Summary:
    A heap overflow vulnerability exists in RealPlayer on Windows platforms.

    The issue arises when 'DUNZIP32.DLL' is called to handle a malformed file.

    A successful attack can allow the attacker to gain unauthorized access to a
    vulnerable computer.

    13. Kerio WinRoute Firewall RTSP Stream Denial of Service Vulnerability
    BugTraq ID: 15387
    Remote: Yes
    Date Published: 2005-11-11
    Relevant URL: http://www.securityfocus.com/bid/15387
    Summary:
    Kerio WinRoute Firewall is prone to a remote denial of service vulnerability.

    A remote attacker can exploit this vulnerability to crash the affected service,
    effectively disabling the firewall. This may aid in further attacks.

    14. Kerio WinRoute Firewall Disabled Account Bypass Vulnerability
    BugTraq ID: 15388
    Remote: Yes
    Date Published: 2005-11-11
    Relevant URL: http://www.securityfocus.com/bid/15388
    Summary:
    Kerio WinRoute Firewall is prone to a vulnerability that could permit access
    to disabled accounts. This issue is most likely due to an authentication error
    within the application.

    Due to an unspecified error, disabled accounts can still authenticate to a
    vulnerable system. This may lead to a false sense of security.

    15. Lynx URI Handlers Arbitrary Command Execution Vulnerability
    BugTraq ID: 15395
    Remote: Yes
    Date Published: 2005-11-11
    Relevant URL: http://www.securityfocus.com/bid/15395
    Summary:
    Lynx is prone to an arbitrary command execution vulnerability. This issue is
    due to a failure in the application to properly sanitize user-supplied input.

    A remote attacker can exploit this vulnerability by tricking a victim user to
    follow a malicious link, thus enabling the attacker to execute arbitrary
    commands in the context of the victim user.

    16. RealNetworks RealPlayer Unspecified Malformed Image Skin File Buffer
    Overflow Vulnerability
    BugTraq ID: 15398
    Remote: Yes
    Date Published: 2005-11-12
    Relevant URL: http://www.securityfocus.com/bid/15398
    Summary:
    RealNetworks RealPlayer is prone to an unspecified vulnerability that may let
    remote attackers execute arbitrary code.
    This issue may be triggered by a malformed image in a skin file. The cause of
    the issue is reportedly a stack-based buffer overflow. It is possible to
    exploit this issue by enticing a victim user to open a malicious skin file
    containing a malformed image.

    This affects some RealPlayer 10/10.5 releases on Windows platforms.

    17. PHPMyAdmin Header_HTTP_Inc.PHP HTTP Response Splitting Vulnerability
    BugTraq ID: 15422
    Remote: Yes
    Date Published: 2005-11-09
    Relevant URL: http://www.securityfocus.com/bid/15422
    Summary:
    phpMyAdmin is prone to an HTTP response splitting vulnerability. This issue is
    due to a failure in the application to properly sanitize user-supplied input.

    A remote attacker may exploit this vulnerability to influence or misrepresent
    how Web content is served, cached or interpreted. This could aid in various
    attacks that attempt to entice client users into a false sense of trust.

    This issue is reported to affect phpMyAdmin version 2.7.0-beta1; other versions
    may also be vulnerable.

    18. Multiple Vendor Antivirus Products Obscured File Name Scan Evasion
    Vulnerability
    BugTraq ID: 15423
    Remote: Yes
    Date Published: 2005-11-15
    Relevant URL: http://www.securityfocus.com/bid/15423
    Summary:
    Multiple antivirus products from various vendors are reported prone to a
    vulnerability that may allow malicious files to bypass detection.

    This issue arises when an affected application processes a file with an
    obscured file name.

    This issue could result in malicious files bypassing detection and allowing
    them to be opened by a recipient.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Renaming Administrator account
    http://www.securityfocus.com/archive/88/416718

    2. ISA Server or Firewall Appliance?
    http://www.securityfocus.com/archive/88/416700

    3. break in?
    http://www.securityfocus.com/archive/88/416473

    4. On the topic of Windows Hardening
    http://www.securityfocus.com/archive/88/416471

    5. Deny Logon by Domain Admin account to specific PC's or deny to all BUT
    specific PC's
    http://www.securityfocus.com/archive/88/416327

    6. What server hardening are you doing these days?
    http://www.securityfocus.com/archive/88/416232

    7. SecurityFocus Microsoft Newsletter #264
    http://www.securityfocus.com/archive/88/416122

    8. Setup MD5 Checksum for FTP downloads on Win2000 Server OS
    http://www.securityfocus.com/archive/88/416121

    IV. UNSUBSCRIBE INSTRUCTIONS
    -----------------------------
    To unsubscribe send an e-mail message to
    ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
    contents of the subject or message body do not matter. You will receive a
    confirmation request message to which you will have to answer. Alternatively
    you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
    the website.

    If your email address has changed email listadmin@securityfocus.com and ask to
    be manually removed.

    V. SPONSOR INFORMATION
    ------------------------
    Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
    is a free service that gives you the ability to track and manage attacks.
    Analyzer automatically correlates attacks from various Firewall and network
    based Intrusion Detection Systems, giving you a comprehensive view of your
    computer or general network. Sign up today!

    http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

