SecurityFocus Microsoft Newsletter #286
----------------------------------------

This Issue is Sponsored By: SPI Dynamics

ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step!" - White Paper. Blind SQL Injection can deliver total control of your server to a hacker, giving them the ability to read, write and manipulate all data stored in your backend systems! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=70130000000CGKl

------------------------------------------------------------------
I. FRONT AND CENTER
1. This Means Warcraft!
2. Two attacks against VoIP
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft Internet Explorer HTML Tag Memory Corruption Vulnerability
2. Microsoft Windows Shell COM Object Remote Code Execution Vulnerability
3. Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability
4. Microsoft Internet Explorer Persistent Window Content Address Bar Spoofing Vulnerability
5. Microsoft Outlook Express Windows Address Book File Parsing Buffer Overflow Vulnerability
6. Microsoft Internet Explorer Popup Cross-Domain Information Disclosure Vulnerability
7. Microsoft Internet Explorer Erroneous IOleClientSite Data Zone Bypass Vulnerability
8. Microsoft Internet Explorer Double Byte Character Memory Corruption Vulnerability
9. Microsoft Internet Explorer COM Object Instantiation Code Execution Vulnerability
10. Microsoft FrontPage Server Extensions Cross-Site Scripting Vulnerability
11. Microsoft Internet Explorer Invalid HTML Parsing Code Execution Vulnerability
12. TUGZip Remote Directory Traversal Vulnerability
13. PHPList Index.PHP Local File Include Vulnerability
14. TalentSoft Web+ Shop Deptname Parameter Cross-Site Scripting Vulnerability
15. Microsoft Internet Explorer Address Bar Spoofing Vulnerability
16. GlobalSCAPE Secure FTP Server Remote Denial of Service Vulnerability
17. Microsoft April Advance Notification Multiple Vulnerabilities
18. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
19. Clam AntiVirus ClamAV Multiple Vulnerabilities
20. Eset Software NOD32 Antivirus Local Arbitrary File Creation Vulnerability
21. HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability
22. PHP PHPInfo Large Input Cross-Site Scripting Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Adding Users via Web Interface
2. SecurityFocus Microsoft Newsletter #285
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. This Means Warcraft!
By Mark Rasch
A recent World of Warcraft case involved a WoW book by Brian Knopp that was being sold on eBay. It resulted in automated takedown notices by "lawyerbots" and shows how the legal process today can end up silencing legitimate uses of trademarks and copyrights.
http://www.securityfocus.com/columnists/396

2. Two attacks against VoIP
By Peter Thermos
The purpose of this article is to discuss two of the most well-known attacks that can be carried out against current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP subscription and subsequent communications. The second attack looks at the ability to eavesdrop on VoIP communications.
http://www.securityfocus.com/infocus/1862


SecurityFocus is looking for the best technical articles from the community. In addition to becoming instantly famous, publication of your research, technical work, installation guide or security HOWTO will benefit the community as a whole. Interested parties should consult the submission guidelines below and review some recent Infocus articles. Start with an idea and a one-page outline. Submit your article idea now!
http://www.securityfocus.com/static/submissions.html


II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Microsoft Internet Explorer HTML Tag Memory Corruption Vulnerability
BugTraq ID: 17468
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17468
Summary:
Microsoft Internet Explorer is prone to a memory corruption vulnerability. This is related to the handling of certain HTML tags.

This issue could be exploited by a malicious web page to execute arbitrary code in the context of the currently logged in user. The issue could also be exploited through HTML email.

2. Microsoft Windows Shell COM Object Remote Code Execution Vulnerability
BugTraq ID: 17464
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17464
Summary:
Microsoft Windows Shell is susceptible to a remote code execution vulnerability. This issue is due to a flaw in its handling of remote COM objects.

This issue may be exploited by remote attackers to execute arbitrary machine code in the context of the targeted user. This may facilitate the remote compromise of affected computers.

This issue is described as a variant of the one described in BID 10363 (Microsoft Windows XP Self-Executing Folder Vulnerability).

3. Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability
BugTraq ID: 17462
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17462
Summary:
The Microsoft MDAC RDS.Dataspace ActiveX control is vulnerable to remote code execution. An attacker could exploit this issue to execute code in the context of the user visiting a malicious web page.

4. Microsoft Internet Explorer Persistent Window Content Address Bar Spoofing Vulnerability
BugTraq ID: 17460
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17460
Summary:
Microsoft Internet Explorer is prone to an address bar spoofing vulnerability.

This issue may be exploited by a malicious web page to spoof the contents of a page that the victim of the attack may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing.

5. Microsoft Outlook Express Windows Address Book File Parsing Buffer Overflow Vulnerability
BugTraq ID: 17459
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17459
Summary:
Microsoft Outlook Express is prone to a remote buffer-overflow vulnerability.

This vulnerability presents itself when the application processes a specially crafted Windows Address Book (.wab) file.

An attacker may exploit this issue to execute arbitrary code in the context of a user running the vulnerable application. This may result in a remote compromise.

6. Microsoft Internet Explorer Popup Cross-Domain Information Disclosure Vulnerability
BugTraq ID: 17457
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17457
Summary:
Microsoft Internet Explorer is prone to a cross-domain information disclosure vulnerability.

This vulnerability may let a malicious web site access properties of a site in an arbitrary external domain. This could be exploited to gain access to sensitive information that is associated with the external domain, such as cookies associated with a user's session on the external web site.

7. Microsoft Internet Explorer Erroneous IOleClientSite Data Zone Bypass Vulnerability
BugTraq ID: 17455
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17455
Summary:
Microsoft Internet Explorer is prone to a zone bypass vulnerability. This issue is due to the browser returning an erroneous IOleClientSite when dynamically creating an embedded object. This could cause malicious script code to be executed in a security zone with fewer restrictions than the zone from which the content originates.

This issue may be exploited to execute arbitrary code in the context of the currently logged in user on the affected computer. It may also be possible to execute malicious script code in the context of a site that exists in another domain. The issue could be exploited through a malicious web page.

8. Microsoft Internet Explorer Double Byte Character Memory Corruption Vulnerability
BugTraq ID: 17454
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17454
Summary:
Microsoft Internet Explorer is prone to a memory corruption vulnerability. This is related to an error in how double byte character set (DBCS) characters are handled in IP addresses from rendered HTML content.

This issue could be exploited by a malicious web page to execute arbitrary code in the context of the currently logged in user. The issue could also be exploited through HTML email.

Microsoft has stated that this issue is not applicable to Internet Explorer 6.0 on Windows Server 2003 SP1.

9. Microsoft Internet Explorer COM Object Instantiation Code Execution Vulnerability
BugTraq ID: 17453
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17453
Summary:
Microsoft Internet Explorer is prone to a memory corruption vulnerability that is related to the instantiation of COM objects. This issue results from a design error.

The vulnerability arises because of the way Internet Explorer attempts to instantiate certain COM objects as ActiveX controls, resulting in arbitrary code execution. The affected objects are not intended to be instantiated through Internet Explorer.

This BID is related to the issues described in BID 14511 (Microsoft Internet Explorer COM Object Instantiation Buffer Overflow Vulnerability) and BID 15061 (Microsoft Internet Explorer COM Object Instantiation Variant Vulnerability); however, a different set of COM objects is affected that was not addressed in the previous BIDs.

10. Microsoft FrontPage Server Extensions Cross-Site Scripting Vulnerability
BugTraq ID: 17452
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17452
Summary:
Microsoft FrontPage Server Extensions are prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before it is rendered to other users.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user, with the privileges of the victim user's account. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

11. Microsoft Internet Explorer Invalid HTML Parsing Code Execution Vulnerability
BugTraq ID: 17450
Remote: Yes
Date Published: 2006-04-11
Relevant URL: http://www.securityfocus.com/bid/17450
Summary:
Microsoft Internet Explorer is prone to a vulnerability that may permit remote attackers to execute arbitrary code. This vulnerability occurs when the browser parses invalid HTML.

This vulnerability could be exploited through a malicious web page or HTML email.

12. TUGZip Remote Directory Traversal Vulnerability
BugTraq ID: 17432
Remote: Yes
Date Published: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/17432
Summary:
Reportedly, an attacker can carry out attacks similar to directory traversals. These issues present themselves when the application processes malicious archives.

A successful attack can allow the attacker to place potentially malicious files and overwrite files on a computer in the context of the user running the affected application. Successful exploitation may aid in further attacks.

13. PHPList Index.PHP Local File Include Vulnerability
BugTraq ID: 17429
Remote: Yes
Date Published: 2006-04-10
Relevant URL: http://www.securityfocus.com/bid/17429
Summary:
PHPList is prone to a local file-include vulnerability. This may facilitate the unauthorized viewing of files and unauthorized execution of local scripts.

Attackers may exploit this issue to execute arbitrary code by manipulating log files.

14. TalentSoft Web+ Shop Deptname Parameter Cross-Site Scripting Vulnerability
BugTraq ID: 17418
Remote: Yes
Date Published: 2006-04-07
Relevant URL: http://www.securityfocus.com/bid/17418
Summary:
Web+ Shop is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

15. Microsoft Internet Explorer Address Bar Spoofing Vulnerability
BugTraq ID: 17404
Remote: Yes
Date Published: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17404
Summary:
Internet Explorer is prone to address-bar spoofing.

An attacker can exploit this issue to display the URI of a trusted and known site in the address bar, while running an attacker-supplied Macromedia Flash application. This may aid in phishing-style attacks and possibly allow access to properties of the trusted domain.

16. GlobalSCAPE Secure FTP Server Remote Denial of Service Vulnerability
BugTraq ID: 17398
Remote: Yes
Date Published: 2006-04-06
Relevant URL: http://www.securityfocus.com/bid/17398
Summary:
GlobalSCAPE Secure FTP Server is susceptible to a remote denial-of-service vulnerability. This issue is due to the application's failure to properly handle unexpected input.

This vulnerability allows remote attackers to crash affected servers, denying service to legitimate users.

Versions of Secure FTP Server prior to 3.1.4 Build 01.10.2006 are affected by this issue.

17. Microsoft April Advance Notification Multiple Vulnerabilities
BugTraq ID: 17397
Remote: Yes
Date Published: 2006-04-06
Relevant URL: http://www.securityfocus.com/bid/17397
Summary:
Microsoft has released advance notification that it will release five security bulletins for Windows on April 11, 2006. The highest severity rating for these issues is Critical.

Further details about these issues are not currently available. Individual BIDs will be created and this record will be removed when the security bulletins are released.

18. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 17390
Remote: Yes
Date Published: 2006-04-06
Relevant URL: http://www.securityfocus.com/bid/17390
Summary:
phpMyAdmin is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues may be related to BID 17142 (PHPMyAdmin Set_Theme Cross-Site Scripting Vulnerability).

19. Clam AntiVirus ClamAV Multiple Vulnerabilities
BugTraq ID: 17388
Remote: Yes
Date Published: 2006-04-05
Relevant URL: http://www.securityfocus.com/bid/17388
Summary:
ClamAV is prone to multiple vulnerabilities:

- An integer-overflow vulnerability.
- A format-string vulnerability.
- A denial-of-service vulnerability.

The first two issues may permit attackers to execute arbitrary code, which can facilitate a compromise of an affected computer.

If an attacker can successfully exploit the denial-of-service issue, this may crash the affected application, which may aid an attacker in further attacks if the antivirus software no longer works.

20. Eset Software NOD32 Antivirus Local Arbitrary File Creation Vulnerability
BugTraq ID: 17374
Remote: No
Date Published: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17374
Summary:
NOD32 Antivirus is affected by a local arbitrary file-creation vulnerability. This issue is due to the application's failure to properly drop SYSTEM privileges when performing operations on behalf of a local user. Attackers cannot overwrite already-existing files by exploiting this issue.

This issue allows local attackers to create files in arbitrary locations with SYSTEM-level privileges. This may allow them to execute arbitrary code with elevated privileges, facilitating the compromise of affected computers.

Versions prior to 2.51.26 are affected by this issue.

21. HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability
BugTraq ID: 17367
Remote: Yes
Date Published: 2006-04-04
Relevant URL: http://www.securityfocus.com/bid/17367
Summary:
The HP Color LaserJet 2500/4600 Toolbox is prone to a directory-traversal vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid attackers in further attacks.

22. PHP PHPInfo Large Input Cross-Site Scripting Vulnerability
BugTraq ID: 17362
Remote: Yes
Date Published: 2006-04-03
Relevant URL: http://www.securityfocus.com/bid/17362
Summary:
PHP is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Adding Users via Web Interface
http://www.securityfocus.com/archive/88/430662

2. SecurityFocus Microsoft Newsletter #285
http://www.securityfocus.com/archive/88/430424

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@xxxxxxxxxxxxxxxxx from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@xxxxxxxxxxxxxxxxx and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: SPI Dynamics

ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step!" - White Paper. Blind SQL Injection can deliver total control of your server to a hacker, giving them the ability to read, write and manipulate all data stored in your backend systems! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=70130000000CGKl


