SecurityFocus Microsoft Newsletter #347




SecurityFocus Microsoft Newsletter #347
----------------------------------------

This Issue is Sponsored by: VeriSign

Increase customer confidence at transaction time with the latest breakthrough in online security - Extended Validation SSL from VeriSign. Extended Validation triggers a green address bar in Microsoft IE7, which proves site identity. Learn more at:

http://clk.atdmt.com/SFI/go/srv0890000047sfi/direct/01/


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Embedded Problems
2. Security Analogies
II. MICROSOFT VULNERABILITY SUMMARY
1. Avaya 4602SW SIP Phone Security Bypass Vulnerability
2. Avaya One-X Desktop Edition SIP Header Denial Of Service Vulnerability
3. Avaya 4602SW SIP Phone Cnonce Parameter Authentication Spoofing Vulnerability
4. Nortel Networks PC Client Soft Phone SIP Message Parsing Module Denial of Service Vulnerability
5. RealNetworks GameHouse GHDLCTL.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities
6. AOL Instant Messenger SIP Invite Message Denial of Service Vulnerability
7. Nortel Networks PC Client Soft Phone Message Parsing Module Buffer Overflow Vulnerability
8. Avaya One-X Desktop Edition Phone SIP Remote Buffer Overflow Vulnerability
9. Cerulean Studios Trillian Word Wrapping UTF-8 Encoded String Heap Buffer Overflow Vulnerability
10. Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities
11. Microsoft Office MSODataSourceControl ActiveX Control Buffer Overflow Vulnerability
12. OpenOffice RTF File Parser Buffer Overflow Vulnerability
13. RETIRED: Microsoft Internet Explorer Navigation Cancel Webpage Spoofing Vulnerability
14. Apple Safari for Windows Unspecified SVG Parse Engine Multiple Unspecified Vulnerabilities
15. Microsoft Windows CE .NET Compact Framework Components Multiple Vulnerabilities
16. TEC-IT TBarCode OCX ActiveX Control Arbitrary File Overwrite Vulnerability
17. Microsoft Internet Explorer Language Pack Installation Remote Code Execution Vulnerability
18. Microsoft Windows CE MSXML Multiple Vulnerabilities
19. Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerabilities
20. Microsoft Internet Explorer CSS Tag Memory Corruption Vulnerability
21. Microsoft Internet Explorer Prototype Variable Uninitialized Memory Corruption Vulnerability
22. Microsoft Windows SChannel Security Remote Code Execution Vulnerability
23. Microsoft Windows Vista Permissive User Information Store ACLs Information Disclosure Vulnerability
24. Microsoft Outlook Express Content Disposition Parsing Information Disclosure Vulnerability
25. Microsoft Outlook Express MHTML URL Parsing Information Disclosure Vulnerability
26. Microsoft Visio Packed Objects Remote Code Execution Vulnerability
27. Microsoft Internet Explorer URLMON.DLL COM Object Instantiation Remote Code Execution Vulnerability
28. Microsoft Visio Version Number Remote Code Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #346
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Embedded Problems
By Federico Biancuzzi
Federico Biancuzzi interviews Barnaby Jack to discuss the vector rewrite attack, which architectures are vulnerable, how to defend the integrity of the exception vector table, some firmware extraction methods, and what bad things you can do on a cheap SOHO router.
http://www.securityfocus.com/columnists/446

2. Security Analogies
By Scott Granneman
Scott Granneman discusses security analogies and their function in educating the masses on security concepts.
http://www.securityfocus.com/columnists/445


II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Avaya 4602SW SIP Phone Security Bypass Vulnerability
BugTraq ID: 24544
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24544
Summary:
The Avaya 4602SW SIP Phone is prone to a security-bypass vulnerability because it accepts SIP requests from random source IP addresses.

An attacker can exploit this issue to bypass security restrictions. The attacker may then be able to transmit malicious messages to the device.

This issue affects The Avaya 4602 SW IP Phone (Model 4602D02A).

2. Avaya One-X Desktop Edition SIP Header Denial Of Service Vulnerability
BugTraq ID: 24541
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24541
Summary:
Avaya one-X Desktop Edition phone is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to crash the phone, denying service to legitimate users.

Versions 2.1.0.70 and prior are vulnerable.

3. Avaya 4602SW SIP Phone Cnonce Parameter Authentication Spoofing Vulnerability
BugTraq ID: 24539
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24539
Summary:
The Avaya 4602SW SIP Phone and SIP call server is prone to an authentication spoofing vulnerability.

This allows an attacker to impersonate a SIP call server, compromising the confidentiality of a victim's phone conversations.

4. Nortel Networks PC Client Soft Phone SIP Message Parsing Module Denial of Service Vulnerability
BugTraq ID: 24536
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24536
Summary:
Nortel Networks PC Client Soft Phone is prone to a remote denial-of-service vulnerability, because the application fails to properly handle malformed data.

Successful exploits can allow remote attackers to crash the affected application, denying further service to legitimate users.

5. RealNetworks GameHouse GHDLCTL.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 24534
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24534
Summary:
The RealNetworks GameHouse dldisplay ActiveX Control is prone to multiple buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the Gamehouse application. Failed exploit attempts will likely result in denial-of-service conditions.

An attacker may exploit these issues by enticing victims into visiting a maliciously crafted web page.

6. AOL Instant Messenger SIP Invite Message Denial of Service Vulnerability
BugTraq ID: 24533
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24533
Summary:
AOL Instant Messenger is prone to a denial-of-service vulnerability because the application fails to handle specially crafted SIP messages.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

This issue affects AOL Instant Messenger 6.1.32.1; prior versions may also be affected.

7. Nortel Networks PC Client Soft Phone Message Parsing Module Buffer Overflow Vulnerability
BugTraq ID: 24531
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24531
Summary:
Nortel Networks PC Client soft phone is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

Successful exploits can allow remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

8. Avaya One-X Desktop Edition Phone SIP Remote Buffer Overflow Vulnerability
BugTraq ID: 24530
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24530
Summary:
Avaya One-X Desktop Edition phone is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An attacker can exploit this issue to disable the call receiving functionality of affected phones.

Versions 2.1.0.70 and prior are vulnerable.

9. Cerulean Studios Trillian Word Wrapping UTF-8 Encoded String Heap Buffer Overflow Vulnerability
BugTraq ID: 24523
Remote: Yes
Date Published: 2007-06-18
Relevant URL: http://www.securityfocus.com/bid/24523
Summary:
Trillian is prone to a heap-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with the privileges of the currently logged-in user. Failed exploit attempts will result in a denial of service.

This issue affects Trillian 3.1.5.1; prior versions may also be affected.

10. Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities
BugTraq ID: 24491
Remote: No
Date Published: 2007-06-15
Relevant URL: http://www.securityfocus.com/bid/24491
Summary:
Kaspersky Internet Security 6 is prone to multiple local vulnerabilities.

Exploiting these vulnerabilities allows local attackers to crash affected computers, denying service to legitimate users. Attackers might also be able to gain elevated privileges by executing arbitrary machine code in the context of the kernel, but this has not been confirmed.

Kaspersky Internet Security 6.0.2.614 and 6.0.2.621 are vulnerable; other versions may also be affected.

NOTE: These issues may be related to BID 23326 (Kaspersky Internet Security Suite Klif.SYS Drive Local Heap Overflow Vulnerability), but this has not been confirmed. If we find that this BID is a duplicate, we will retire it and merge its information into BID 23326.

11. Microsoft Office MSODataSourceControl ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 24462
Remote: Yes
Date Published: 2007-06-13
Relevant URL: http://www.securityfocus.com/bid/24462
Summary:
Microsoft Office MSODataSourceControl ActiveX Control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions.

12. OpenOffice RTF File Parser Buffer Overflow Vulnerability
BugTraq ID: 24450
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24450
Summary:
OpenOffice is prone to a remote heap-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Remote attackers may exploit this issue by enticing victims into opening maliciously crafted RTF files.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

13. RETIRED: Microsoft Internet Explorer Navigation Cancel Webpage Spoofing Vulnerability
BugTraq ID: 24448
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24448
Summary:
Microsoft Internet Explorer is prone to a webpage-spoofing vulnerability.

Attackers may exploit this vulnerability via a malicious webpage to spoof the contents of the Navigation canceled page. This may assist in phishing or other attacks that rely on content spoofing.

NOTE: This BID is being retired because this issue was previously reported in BID 22966: Microsoft Internet Explorer NavCancel.HTM Cross-Site Scripting Vulnerability.

14. Apple Safari for Windows Unspecified SVG Parse Engine Multiple Unspecified Vulnerabilities
BugTraq ID: 24446
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24446
Summary:
Apple Safari for Microsoft Windows is prone to multiple unspecified vulnerabilities.

Few technical details are currently available. We will update this BID as more information emerges.

Safari 3 public beta for Windows is reported vulnerable.

15. Microsoft Windows CE .NET Compact Framework Components Multiple Vulnerabilities
BugTraq ID: 24444
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24444
Summary:
Components of the .NET Compact Framework for Microsoft Windows CE are prone to multiple vulnerabilities.

Exploiting these issues may allow remote attackers to cause denial-of-service conditions, corrupt memory, or execute arbitrary machine code in the context of the affected application. This facilitates the remote compromise of affected computers. Other attacks are also possible.

16. TEC-IT TBarCode OCX ActiveX Control Arbitrary File Overwrite Vulnerability
BugTraq ID: 24440
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24440
Summary:
TBarCode ActiveX control is prone to a vulnerability that could permit an attacker to overwrite arbitrary files.

The attacker can exploit this issue to overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

17. Microsoft Internet Explorer Language Pack Installation Remote Code Execution Vulnerability
BugTraq ID: 24429
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24429
Summary:
Microsoft Internet Explorer is prone to remote code-execution vulnerability because of a race-condition in its language-pack installation support.

A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the vulnerable application.

18. Microsoft Windows CE MSXML Multiple Vulnerabilities
BugTraq ID: 24428
Remote: Yes
Date Published: 2007-06-11
Relevant URL: http://www.securityfocus.com/bid/24428
Summary:
Microsoft Windows CE is prone to multiple denial-of-service vulnerabilities and a cross-site scripting vulnerability.

An attacker can exploit these issues to cause infinite-loop conditions and denial-of-service conditions or to run arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

19. Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerabilities
BugTraq ID: 24426
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24426
Summary:
Microsoft Internet Explorer is prone to multiple buffer-overflow vulnerabilities when instantiating certain COM objects.

An attacker may exploit these issues by enticing victims into opening a maliciously crafted webpage.

Successfully exploiting these issues allows remote attackers to execute arbitrary machine code in the context of the affected application, facilitating the remote compromise of affected computers.

20. Microsoft Internet Explorer CSS Tag Memory Corruption Vulnerability
BugTraq ID: 24423
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24423
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability because the application fails to properly handle certain CSS data.

A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the vulnerable application.

21. Microsoft Internet Explorer Prototype Variable Uninitialized Memory Corruption Vulnerability
BugTraq ID: 24418
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24418
Summary:
Microsoft Internet Explorer is prone to a memory-corruption vulnerability when accessing objects that are improperly instantiated or deleted.

An attacker may exploit this issue by enticing victims into opening a maliciously crafted webpage.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected application, facilitating the remote compromise of affected computers.

22. Microsoft Windows SChannel Security Remote Code Execution Vulnerability
BugTraq ID: 24416
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24416
Summary:
The Microsoft Windows Schannel security package is prone to a remote code-execution vulnerability.

This vulnerability occurs when processing and validating server-sent digital signatures by the client application.

A remote attacker could exploit this issue by convincing a victim to visit a malicious website. Remote code execution is possible, but may be extremely difficult. In most cases, denial-of-service conditions will occur.

23. Microsoft Windows Vista Permissive User Information Store ACLs Information Disclosure Vulnerability
BugTraq ID: 24411
Remote: No
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24411
Summary:
Microsoft Windows Vista is prone to a local information-disclosure vulnerability.

Local attackers can exploit this issue to obtain sensitive information that may allow them to gain unauthorized access to the affected computer.

24. Microsoft Outlook Express Content Disposition Parsing Information Disclosure Vulnerability
BugTraq ID: 24410
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24410
Summary:
Outlook Express is prone to a cross-domain information-disclosure vulnerability.

This vulnerability may let a malicious website access properties of a site in an arbitrary external domain in the context of the victim's browser. Attackers could exploit this issue to access sensitive information (such as cookies or passwords) that is associated with the external domain.

25. Microsoft Outlook Express MHTML URL Parsing Information Disclosure Vulnerability
BugTraq ID: 24392
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24392
Summary:
Outlook Express is prone to a cross-domain information-disclosure vulnerability.

This vulnerability may let a malicious website access properties of a site in an arbitrary external domain in the context of the victim user's browser. Attackers could exploit this issue to gain access to sensitive information (such as cookies or passwords) that is associated with the external domain.

26. Microsoft Visio Packed Objects Remote Code Execution Vulnerability
BugTraq ID: 24384
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24384
Summary:
Microsoft Visio is prone to a remote code-execution vulnerability because it fails to adequately handle user-supplied data.

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Failed exploit attempts will result in a denial-of-service condition.

27. Microsoft Internet Explorer URLMON.DLL COM Object Instantiation Remote Code Execution Vulnerability
BugTraq ID: 24372
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24372
Summary:
Microsoft Internet Explorer is prone to remote code-execution vulnerability.

A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the vulnerable application.

28. Microsoft Visio Version Number Remote Code Execution Vulnerability
BugTraq ID: 24349
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24349
Summary:
Microsoft Visio is prone to a remote code-execution vulnerability because it fails to adequately validate user-supplied data.

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Failed attempts will result in denial-of-service conditions.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #346
http://www.securityfocus.com/archive/88/471449

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@xxxxxxxxxxxxxxxxx from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@xxxxxxxxxxxxxxxxx and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: VeriSign

Increase customer confidence at transaction time with the latest breakthrough in online security - Extended Validation SSL from VeriSign. Extended Validation triggers a green address bar in Microsoft IE7, which proves site identity. Learn more at:

http://clk.atdmt.com/SFI/go/srv0890000047sfi/direct/01/



Relevant Pages

  • SecurityFocus Microsoft Newsletter #146
    ... - automatically set positive security policies for real-time protection, ... MICROSOFT VULNERABILITY SUMMARY ... Multiple Trend Micro HouseCall ActiveX Control Remote Buffer... ... PHPForum Mainfile.PHP Remote File Include Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #171
    ... Better Management for Network Security ... GoodTech Telnet Server Remote Denial Of Service Vulnerabilit... ... ASPApp PortalAPP Remote User Database Access Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #131
    ... MICROSOFT VULNERABILITY SUMMARY ... Advanced Poll Remote Information Disclosure Vulnerability ... PHPNuke News Module Article.PHP SQL Injection Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #242
    ... MICROSOFT VULNERABILITY SUMMARY ... PostNuke Blocks Module Directory Traversal Vulnerability ... Groove Networks Groove Virtual Office COM Object Security By... ... The Microsoft Windows IPV6 TCP/IP stack is prone to a "loopback" condition initiated by sending a TCP packet with the "SYN" flag set and the source address and port spoofed to equal the destination source and port. ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #211
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows Kernel Local Denial of Service Vulnerabili... ... OCPortal Content Management System Remote File Include Vulne... ...
    (Focus-Microsoft)