SecurityFocus Microsoft Newsletter #325
----------------------------------------

This Issue is Sponsored by: Black Hat

Black Hat Europe, March 27-30 in Amsterdam, is Europe's premier technical event for ICT security experts.
Featuring 10 hands-on training courses and 30 Briefings presentations with lots of new content: the best of Black Hat focused on Europe's infosec challenges.
Network with 400 delegates from 25 nations, and see solutions from major sponsors.

http://www.blackhat.com

------------------------------------------------------------------
I. FRONT AND CENTER
1. Interview with Bill Cheswick
2. Wireless Forensics: Tapping the Air - Part Two
II. MICROSOFT VULNERABILITY SUMMARY
1. Outpost Firewall PRO Local Privilege Escalation Vulnerability
2. Remedy Action Request System Username Enumeration Vulnerability
3. Ipswitch WS_FTP 2007 Professional WSFTPURL.EXE Local Memory Corruption Vulnerability
4. Kaspersky Labs Anti-Virus Local Privilege Escalation Vulnerability
5. KarjaSoft Sami FTP Server Multiple Buffer Overflow Vulnerabilities
6. BolinTech Dream FTP Server USER Remote Buffer Overflow Vulnerability
7. Total Commander Arbitrary File Deletion Vulnerability
8. WinZip Command Line Remote Buffer Overflow Vulnerability
9. Computer Associates BrightStor ARCserve Backup MediaSVR.EXE Variant Buffer Overflow Vulnerability
10. Computer Associates BrightStor ARCserve Backup MediaSVR.EXE Remote Buffer Overflow Vulnerability
11. CA BrightStor ARCserve Backup Tape Engine TCP 6502 Remote Buffer Overflow Vulnerability
12. CA BrightStor ARCserve Backup Message Engine/Tape Engine Remote Buffer Overflow Vulnerability
13. Snort GRE Packet Decoding Integer Underflow Vulnerability
14. EIQ Networks Security Analyzer Null Pointer Dereference Client Denial of Service Vulnerability
15. Microsoft Windows Explorer WMF File Denial of Service Vulnerability
16. Snort Backtracking Denial of Service Vulnerability
17. EF Commander ISO File Remote Buffer Overflow Vulnerability
18. Microsoft Excel Opcode Handling Unspecified Remote Code Execution Vulnerability
19. Microsoft Office Brazilian Portuguese Grammar Checker Remote Code Execution Vulnerability
20. Camouflage Security Password Bypass Vulnerability
21. SecureKit Steganography Carrier File Password Security Bypass Vulnerability
22. Microsoft Outlook Malformed Email Header Remote Denial of Service Vulnerability
23. Microsoft Outlook Advanced Find Remote Code Execution Vulnerability
24. CenterICQ IJHook.CC Remote Buffer Overflow Vulnerability
25. Microsoft Outlook VEVENT Record Remote Code Execution Vulnerability
26. Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
27. Microsoft Excel Malformed Column Record Remote Code Execution Vulnerability
28. Microsoft Excel Malformed Palette Record Remote Code Execution Vulnerability
29. Microsoft Excel Malformed String Remote Code Execution Vulnerability
30. Microsoft Excel IMDATA Record Remote Code Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. SoX & Share Permissions?
2. EFS - new recovery agent
3. SecurityFocus Microsoft Newsletter #324
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Interview with Bill Cheswick
By Federico Biancuzzi
Many people have seen Internet maps on walls and in various publications over the years. Federico Biancuzzi interviewed Bill Cheswick, who started the Internet Mapping Project that grew into software to map corporate and government networks. They discussed firewalling, logging, NIDS and IPS, how to fight DDoS, and the future of BGP and DNS.
http://www.securityfocus.com/columnists/429

2. Wireless Forensics: Tapping the Air - Part Two
By Raul Siles, GSE
This two-part series looks at the issues associated with collecting and analyzing network traffic from wireless networks in an accurate and comprehensive way; a discipline known as wireless forensics. Part two focuses on the technical challenges for wireless traffic analysis, advanced anti-forensic techniques that could thwart a forensic investigation, and some legal considerations for both the U.S. and Europe.
http://www.securityfocus.com/infocus/1885


II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Outpost Firewall PRO Local Privilege Escalation Vulnerability
BugTraq ID: 22069
Remote: No
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22069
Summary:
Outpost Firewall PRO is prone to a local privilege-escalation vulnerability because it fails to perform adequate SSDT (System Service Descriptor Table) hooking on files in its installation directory.

A local attacker can exploit this issue to elevate their privileges, which can lead to the complete compromise of an affected computer.

Outpost Firewall PRO 4.0 is vulnerable; other versions may also be affected.

2. Remedy Action Request System Username Enumeration Vulnerability
BugTraq ID: 22066
Remote: Yes
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22066
Summary:
Remedy Action Request System is prone to a username-enumeration vulnerability because of a design error in the application when verifying user-supplied input.

Attackers may exploit this vulnerability to discern valid usernames. This may aid them in brute-force password cracking or other attacks.

Version 5.01.02 is vulnerable; other versions may also be affected.

3. Ipswitch WS_FTP 2007 Professional WSFTPURL.EXE Local Memory Corruption Vulnerability
BugTraq ID: 22062
Remote: No
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22062
Summary:
Ipswitch WS_FTP 2007 Professional is prone to a local memory-corruption vulnerability. This issue occurs when the 'wsbho2k0.dll' library fails to handle specially crafted arguments.

Due to the nature of this issue, an attacker may be able to execute arbitrary machine code in the context of the affected kernel, but this has not been confirmed. Failed exploit attempts result in kernel panics, denying service to legitimate users.

Ipswitch WS_FTP 2007 Professional is vulnerable to this issue; other versions may also be affected.

4. Kaspersky Labs Anti-Virus Local Privilege Escalation Vulnerability
BugTraq ID: 22061
Remote: No
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22061
Summary:
Kaspersky Labs Anti-Virus is prone to a local privilege-escalation vulnerability.

A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. This may facilitate a complete compromise of the affected computer.

5. KarjaSoft Sami FTP Server Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 22045
Remote: Yes
Date Published: 2007-01-15
Relevant URL: http://www.securityfocus.com/bid/22045
Summary:
Sami FTP Server is prone to multiple stack-overflow vulnerabilities.

A successful exploit may lead to remote arbitrary code execution with the privileges of the server, facilitating remote compromise of affected computers.

Sami FTP Server version 2.0.2 is vulnerable to these issues; other versions may also be affected.

6. BolinTech Dream FTP Server USER Remote Buffer Overflow Vulnerability
BugTraq ID: 22044
Remote: Yes
Date Published: 2007-01-14
Relevant URL: http://www.securityfocus.com/bid/22044
Summary:
A remote buffer-overflow vulnerability is reported in BolinTech Dream FTP Server. This issue occurs because the application fails to properly validate the length of user-supplied strings prior to copying them into finite process buffers.

An attacker can exploit this issue to cause the affected server to crash and may be able to execute arbitrary code in the context of the process.

7. Total Commander Arbitrary File Deletion Vulnerability
BugTraq ID: 22033
Remote: Yes
Date Published: 2007-01-12
Relevant URL: http://www.securityfocus.com/bid/22033
Summary:
Total Commander is affected by an arbitrary file-deletion vulnerability because of input-validation errors that allow an attacker to delete arbitrary files and corrupt the filesystem on the affected computer.

An attacker can exploit this issue to cause a denial-of-service condition.

Total Commander versions prior to 6.5.6 are affected by this issue.

8. WinZip Command Line Remote Buffer Overflow Vulnerability
BugTraq ID: 22020
Remote: Yes
Date Published: 2007-01-12
Relevant URL: http://www.securityfocus.com/bid/22020
Summary:
WinZip is prone to a remote buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it into an insufficiently sized buffer.

An attacker may exploit this issue to cause denial-of-service conditions and possibly to execute arbitrary code within the context of the affected application, but this has not been confirmed.

This issue affects version 9.0 SR1; other versions may also be vulnerable.

9. Computer Associates BrightStor ARCserve Backup MediaSVR.EXE Variant Buffer Overflow Vulnerability
BugTraq ID: 22016
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22016
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote stack-based buffer-overflow vulnerability because the application fails to perform proper bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause denial-of-service conditions.

NOTE: User interaction is not required to exploit this vulnerability.

Although this BID closely resembles BID 22015, it is a separate vulnerability.

10. Computer Associates BrightStor ARCserve Backup MediaSVR.EXE Remote Buffer Overflow Vulnerability
BugTraq ID: 22015
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22015
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote stack-based buffer-overflow vulnerability because the application fails to perform proper bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause denial-of-service conditions.

NOTE: User interaction is not required to exploit this vulnerability.

11. CA BrightStor ARCserve Backup Tape Engine TCP 6502 Remote Buffer Overflow Vulnerability
BugTraq ID: 22006
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22006
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote buffer-overflow vulnerability because the application fails to perform proper bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause denial-of-service conditions.

12. CA BrightStor ARCserve Backup Message Engine/Tape Engine Remote Buffer Overflow Vulnerability
BugTraq ID: 22005
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22005
Summary:
Computer Associates BrightStor ARCserve Backup is affected by a remote buffer-overflow vulnerability because the application fails to perform proper bounds-checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause denial-of-service conditions. Successful exploits can lead to a complete compromise of affected computers.

This issue affects multiple BrightStor ARCserve Backup application agents and the base product.

13. Snort GRE Packet Decoding Integer Underflow Vulnerability
BugTraq ID: 22004
Remote: Yes
Date Published: 2007-01-11
Relevant URL: http://www.securityfocus.com/bid/22004
Summary:
Snort is prone to a denial-of-service vulnerability because the network intrusion detection (NID) system fails to handle specially crafted network packets.

An attacker can exploit this issue to corrupt the application's log files and possibly to crash the application (depending on its memory layout).

14. EIQ Networks Security Analyzer Null Pointer Dereference Client Denial of Service Vulnerability
BugTraq ID: 21994
Remote: Yes
Date Published: 2007-01-10
Relevant URL: http://www.securityfocus.com/bid/21994
Summary:
EIQ Networks Security Analyzer is prone to a denial-of-service vulnerability.

A malicious server could cause a vulnerable client application to crash, effectively denying service.

15. Microsoft Windows Explorer WMF File Denial of Service Vulnerability
BugTraq ID: 21992
Remote: Yes
Date Published: 2007-01-10
Relevant URL: http://www.securityfocus.com/bid/21992
Summary:
Microsoft Windows Explorer is prone to a denial-of-service vulnerability.

A remote attacker may exploit this vulnerability by presenting a malicious file to a victim user and enticing them to open it with the vulnerable application. Users that simply browse folders containing the malicious file will also trigger this issue.

A successful exploit will crash the vulnerable application, effectively denying service.

This issue may be related to BID 19365: Microsoft Windows GDI32.DLL WMF Remote Denial of Service Vulnerability.

16. Snort Backtracking Denial of Service Vulnerability
BugTraq ID: 21991
Remote: Yes
Date Published: 2007-01-10
Relevant URL: http://www.securityfocus.com/bid/21991
Summary:
Snort is prone to a denial-of-service vulnerability because the network intrusion detection (NID) system fails to handle specially crafted network packets.

An attacker can exploit this issue to cause the affected NID system to consume 100% CPU resources, allowing malicious network traffic to avoid detection.

This issue affects versions prior to 2.6.1.

17. EF Commander ISO File Remote Buffer Overflow Vulnerability
BugTraq ID: 21969
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21969
Summary:
EF Commander is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data prior to using it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the user running the affected application.

This issue affects version 5.75; other versions may also be vulnerable.

18. Microsoft Excel Opcode Handling Unspecified Remote Code Execution Vulnerability
BugTraq ID: 21952
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21952
Summary:
Microsoft Excel is reportedly prone to an unspecified remote code-execution vulnerability.

Successfully exploiting this issue allows attackers to execute arbitrary code in the context of targeted users.

Note that Microsoft Office applications include functionality to embed Office files as objects contained in other Office files. As an example, Microsoft Word files may contain embedded malicious Microsoft Excel files, making Word and other Office documents another possible attack vector.

Insufficient details are currently available to elaborate further.

19. Microsoft Office Brazilian Portuguese Grammar Checker Remote Code Execution Vulnerability
BugTraq ID: 21942
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21942
Summary:
Microsoft Office is prone to a remote code-execution vulnerability. This issue occurs when the application processes certain Office files.

Note that this issue may not be exploited automatically through email. For an attack to succeed, a victim must manually open an attachment sent by email or obtained through other means.

An attacker may exploit this issue to execute arbitrary code in the context of the currently logged-in user.

This issue affects the Microsoft Office 2003 Brazilian Grammar Checker application used in various Microsoft applications that have Brazilian Portuguese language support.

20. Camouflage Security Password Bypass Vulnerability
BugTraq ID: 21939
Remote: Yes
Date Published: 2007-01-08
Relevant URL: http://www.securityfocus.com/bid/21939
Summary:
Camouflage is prone to a security-bypass vulnerability due to a design error.

An attacker can exploit this issue to gain access to data 'hidden' by the application. Information gained could aid in further attacks.

Version 1.2.1 is vulnerable; other versions may also be affected.

21. SecureKit Steganography Carrier File Password Security Bypass Vulnerability
BugTraq ID: 21938
Remote: No
Date Published: 2007-01-08
Relevant URL: http://www.securityfocus.com/bid/21938
Summary:
SecureKit Steganography is prone to a security-bypass vulnerability because of a design flaw when encrypting sensitive information.

Successful exploits allow local attackers to bypass the security restriction to obtain sensitive information that may lead to other attacks.

This issue affects versions 1.8 and 1.71; other versions may also be affected.

22. Microsoft Outlook Malformed Email Header Remote Denial of Service Vulnerability
BugTraq ID: 21937
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21937
Summary:
Microsoft Outlook is prone to a remote denial-of-service vulnerability because the application fails to properly handle malformed email messages.

A remote attacker can exploit this issue to crash affected email clients. This issue will persist as long as the email message resides on the mail server, creating a prolonged denial-of-service condition.

23. Microsoft Outlook Advanced Find Remote Code Execution Vulnerability
BugTraq ID: 21936
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21936
Summary:
Microsoft Outlook is prone to a remote code-execution vulnerability because the application fails to properly handle malformed saved search files.

A remote attacker can exploit this issue to execute arbitrary code with the privileges of unsuspecting users. A successful exploit may aid in the remote compromise of the underlying computer.

24. CenterICQ IJHook.CC Remote Buffer Overflow Vulnerability
BugTraq ID: 21932
Remote: Yes
Date Published: 2007-01-08
Relevant URL: http://www.securityfocus.com/bid/21932
Summary:
CenterICQ is prone to a remote buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

This issue affects versions 4.9.11 up to 4.21.0.

25. Microsoft Outlook VEVENT Record Remote Code Execution Vulnerability
BugTraq ID: 21931
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21931
Summary:
Microsoft Outlook is prone to a remote code-execution vulnerability because the application fails to properly handle malformed iCal requests.

A remote attacker can exploit this issue to execute arbitrary code with the privileges of unsuspecting users. A successful exploit may aid in the remote compromise of the underlying computer.

26. Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
BugTraq ID: 21930
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21930
Summary:
Microsoft Windows is prone to a buffer-overrun vulnerability that arises because of an error in the processing of Vector Markup Language documents.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application.

27. Microsoft Excel Malformed Column Record Remote Code Execution Vulnerability
BugTraq ID: 21925
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21925
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

An attacker could exploit this issue to execute arbitrary code with the privileges of the user running the application. The attacker could leverage the issue to compromise affected computers.

28. Microsoft Excel Malformed Palette Record Remote Code Execution Vulnerability
BugTraq ID: 21922
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21922
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application, which can result in the compromise of affected computers.

29. Microsoft Excel Malformed String Remote Code Execution Vulnerability
BugTraq ID: 21877
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21877
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the affected application, which could result in the compromise of affected computers.

30. Microsoft Excel IMDATA Record Remote Code Execution Vulnerability
BugTraq ID: 21856
Remote: Yes
Date Published: 2007-01-09
Relevant URL: http://www.securityfocus.com/bid/21856
Summary:
Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application, which can result in the compromise of affected computers.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SoX & Share Permissions?
http://www.securityfocus.com/archive/88/456972

2. EFS - new recovery agent
http://www.securityfocus.com/archive/88/456961

3. SecurityFocus Microsoft Newsletter #324
http://www.securityfocus.com/archive/88/456552

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@xxxxxxxxxxxxxxxxx from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@xxxxxxxxxxxxxxxxx and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: Black Hat

Black Hat Europe, March 27-30 in Amsterdam, is Europe's premier technical event for ICT security experts.
Featuring 10 hands-on training courses and 30 Briefings presentations with lots of new content: the best of Black Hat focused on Europe's infosec challenges.
Network with 400 delegates from 25 nations, and see solutions from major sponsors.

http://www.blackhat.com
