SecurityFocus Microsoft Newsletter #357
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

XPath Injection Attacks - Web Hackers' New Trick: White Paper
One particular form of injection attack, XPath Injection, is rapidly gaining in popularity due to the spread of AJAX applications and their inherent use of XML to store data.
XPath Injection can be just as dangerous as SQL Injection, and can be even easier to exploit. Learn how to identify XPath Injection vulnerabilities and which countermeasures prevent them. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/XP.asp?Campaign_ID=70160000000D1rX
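As an added illustration (not part of the sponsor's white paper or of this newsletter's original text), the Python below shows the bug the blurb describes beside its fix: a lookup that pastes user input into an XPath expression, and the same lookup with the input encoded as an XPath string literal. The user store and the attacker's input are constructed for the example; xml.etree.ElementTree from the standard library evaluates the XPath subset needed here (predicates, '..' and '//'). A full XPath 1.0 engine also accepts boolean operators, so the SQL-style payload ' or '1'='1 works against the vulnerable form there as well.

```python
"""XPath injection: a query built by string concatenation beside one that
encodes the value as an XPath string literal.

Added example, not code from the SPI Dynamics white paper. Standard library
only: xml.etree.ElementTree evaluates the XPath subset used here.
"""
import xml.etree.ElementTree as ET

# Constructed sample user store (hypothetical data).
USERS_XML = """
<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
  <user name="o'brien" role="user"/>
</users>
"""
ROOT = ET.fromstring(USERS_XML)


def build_query_vulnerable(name):
    # Attacker-controlled text is pasted straight into the query, so it can
    # close the string, close the predicate and add path steps of its own.
    return "user[@name='" + name + "']"


def xpath_literal(value):
    """Encode a Python string as an XPath 1.0 string literal. XPath has no
    escape character inside a literal, so use the quote kind the value does
    not contain; if it contains both, stitch the pieces with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in parts) + ")"


def build_query_safe(name):
    # The whole input is one string literal and is compared as data only.
    return "user[@name=" + xpath_literal(name) + "]"


def lookup(query):
    """Evaluate the query against the store and return matched user names.
    A SyntaxError (the application's 500 page, in practice) becomes None."""
    try:
        return [u.get("name") for u in ROOT.findall(query)]
    except SyntaxError:
        return None


# Constructed attacker input: asks for "bob" but appends steps that walk back
# up to the document and select the admin's record instead.
PAYLOAD = "bob']/..//user[@role='admin"

if __name__ == "__main__":
    print("vulnerable query :", build_query_vulnerable(PAYLOAD))
    print("vulnerable result:", lookup(build_query_vulnerable(PAYLOAD)))
    print("safe query       :", build_query_safe(PAYLOAD))
    print("safe result      :", lookup(build_query_safe(PAYLOAD)))
    print("legit o'brien, vulnerable:", lookup(build_query_vulnerable("o'brien")))
    print("legit o'brien, safe      :", lookup(build_query_safe("o'brien")))
```

The hardened form works because the literal encoding is the only thing XPath 1.0 offers in place of escaping: pick the quote kind the value does not contain, or split the value with concat(). Note that the vulnerable form also breaks on honest input (the user o'brien gets an error instead of a result), which is usually how such a flaw is first noticed. Where the engine supports XPath variables, as lxml's xpath() does, binding the value to a variable is simpler still.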


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Virtualized rootkits - Part 2
2. Virtualized rootkits - Part 1
II. MICROSOFT VULNERABILITY SUMMARY
1. Oracle JInitiator ActiveX Control Multiple Buffer Overflow Vulnerabilities
2. Entrust ESP Certificate Path Verification Vulnerability
3. Subversion for Windows Remote Directory Traversal Vulnerability
4. Microsoft MSN Messenger Video Conversation Buffer Overflow Vulnerability
5. Motorola Timbuktu Pro for Windows Multiple Remote Buffer Overflow Vulnerabilities
6. Motorola Timbuktu Pro Directory Traversal Vulnerability
7. BufferZone Redlight.SYS Driver Buffer Overflow Vulnerability
8. Media Player Classic FLI File Remote Buffer Overflow Vulnerability
9. Soldat Multiple Remote Denial of Service Vulnerabilities
10. Bugzilla Multiple Remote Vulnerabilities
11. Skulltag Huffman Packet Decompression Remote Heap Based Buffer Overflow Vulnerability
12. Unreal Commander Malformed Archives Multiple Remote Vulnerabilities
13. IBM Lotus Notes NTMulti.EXE Local Privilege Escalation Vulnerability
14. Clam AntiVirus ClamAV Multiple Remote Denial of Service Vulnerabilities
15. Trend Micro Anti-Spyware And PC-cillin SSAPI Engine Local Stack Buffer Overflow Vulnerability
16. Check Point Zone Labs Multiple Products Local Privilege Escalation Vulnerabilities
III. MICROSOFT FOCUS LIST SUMMARY
1. Software smart-card emulation
2. SecurityFocus Microsoft Newsletter #356
3. NTFS default special permissions
4. Password complexity - improvement
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Virtualized rootkits - Part 2
By Federico Biancuzzi
There has been a lot of buzz around the topic of virtualized rootkits. Joanna Rutkowska has been working on a new version of Blue-Pill, her proof-of-concept "invisible" rootkit, while a team of three prominent security experts (Thomas Ptacek, Nate Lawson, Peter Ferrie) countered that there is no such thing as an invisible rootkit and announced that they would present various techniques for detecting Blue-Pill at the BlackHat conference. Federico Biancuzzi interviewed both sides to learn more. Part 2 of 2
http://www.securityfocus.com/columnists/452


2. Virtualized rootkits - Part 1
By Federico Biancuzzi
There has been a lot of buzz around the topic of virtualized rootkits. Joanna Rutkowska has been working on a new version of Blue-Pill, her proof-of-concept "invisible" rootkit, while a team of three prominent security experts (Thomas Ptacek, Nate Lawson, Peter Ferrie) countered that there is no such thing as an invisible rootkit and announced that they would present various techniques for detecting Blue-Pill at the BlackHat conference. Federico Biancuzzi interviewed both sides to learn more. Part 1 of 2
http://www.securityfocus.com/columnists/451


II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Oracle JInitiator ActiveX Control Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 25473
Remote: Yes
Date Published: 2007-08-28
Relevant URL: http://www.securityfocus.com/bid/25473
Summary:
Oracle JInitiator is prone to multiple remote buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.

These issues affect Oracle JInitiator version 1.1.8.16; other versions may also be affected.

2. Entrust ESP Certificate Path Verification Vulnerability
BugTraq ID: 25471
Remote: Yes
Date Published: 2007-08-28
Relevant URL: http://www.securityfocus.com/bid/25471
Summary:
Entrust ESP is prone to a certificate-path-verification vulnerability because the application fails to properly validate certificate chains.

Successfully exploiting this issue may allow attackers to use invalid certificates that should have failed validation, possibly aiding in further attacks.

Entrust Entelligence Security Provider 8 is vulnerable to this issue. Other versions may also be affected.

3. Subversion for Windows Remote Directory Traversal Vulnerability
BugTraq ID: 25468
Remote: Yes
Date Published: 2007-08-28
Relevant URL: http://www.securityfocus.com/bid/25468
Summary:
Subversion is prone to a remote directory-traversal vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input.

Successfully exploiting this issue allows attackers to write arbitrary data to arbitrary locations on unsuspecting users' computers.

This issue affects Subversion running on Microsoft Windows, and on any other platform where '\' or some character other than '/' is a directory separator.

Subversion versions prior to 1.4.5 are vulnerable to this issue.
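The last two paragraphs carry the whole lesson: a traversal check written for '/' alone is no check at all on a platform that also treats '\' as a separator. The Python below is an added example, not Subversion's code or its 1.4.5 fix. It puts a POSIX-minded check beside one that normalises with the target platform's own path rules; ntpath and posixpath are used explicitly so the behaviour is the same wherever the script runs, and the sample paths are constructed.

```python
"""Path-containment check that is wrong on Windows beside one that is right.

Added example, not Subversion's code. It shows why a check that recognises
only '/' as the separator accepts '..\\..\\x' on a platform where '\\' is a
separator too.
"""
import ntpath
import posixpath


def naive_is_contained(relpath):
    """POSIX-minded check: rejects rooted paths and '..' segments split on
    '/', so a path written with backslashes passes through untouched."""
    if relpath.startswith("/"):
        return False
    return ".." not in relpath.split("/")


def is_contained(relpath, pathmod=ntpath):
    """Return True only if relpath stays inside the directory it will be
    joined to, under the rules of pathmod (ntpath or posixpath).

    normpath folds '/' into '\\' on Windows and resolves '.' and '..', so any
    '..' that survives is a leading one, which means the path escapes."""
    if not relpath or "\x00" in relpath:
        return False
    norm = pathmod.normpath(relpath)
    if norm.startswith(pathmod.sep):        # rooted: '\\x' or '\\\\srv\\share'
        return False
    drive, tail = pathmod.splitdrive(norm)  # 'C:x' or a UNC prefix
    if drive:
        return False
    if pathmod is ntpath and ":" in tail:   # alternate data stream 'x:y'
        return False
    return norm.split(pathmod.sep)[0] != ".."


# Constructed sample paths an untrusted source (a repository, an archive, a
# remote peer) might hand to a client that writes files under a base dir.
SAMPLES = [
    "docs/readme.txt",
    "../x",
    "..\\..\\Windows\\system32\\evil.dll",
    "trunk/../../etc",
    "trunk\\..\\lib/..\\x",
    "C:\\Windows\\x",
    "\\\\server\\share\\x",
    "/etc/passwd",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:40} naive={naive_is_contained(p)!s:5} "
              f"windows={is_contained(p, ntpath)!s:5} "
              f"posix={is_contained(p, posixpath)!s:5}")
```

Run the same input through both modules to see the point of the advisory: '..\..\x' is two levels of traversal on Windows but an ordinary, if odd, file name on POSIX, which is exactly why a check that hard-codes one convention breaks when the code is ported. The Windows variant also refuses drive-qualified, UNC and rooted paths and alternate-data-stream names, none of which the naive check considers.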

4. Microsoft MSN Messenger Video Conversation Buffer Overflow Vulnerability
BugTraq ID: 25461
Remote: Yes
Date Published: 2007-08-28
Relevant URL: http://www.securityfocus.com/bid/25461
Summary:
Microsoft MSN Messenger is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will likely result in denial of service conditions.

Microsoft MSN Messenger version 7 is considered vulnerable; other versions may also be prone to this issue.

5. Motorola Timbuktu Pro for Windows Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 25454
Remote: Yes
Date Published: 2007-08-27
Relevant URL: http://www.securityfocus.com/bid/25454
Summary:
Motorola Timbuktu Pro is prone to multiple remote buffer-overflow vulnerabilities. These issues are due to a failure of the software to properly bounds-check user-supplied input.

Successfully exploiting these issues allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges. This facilitates the complete remote compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

Timbuktu Pro version 8.6.3.1367 for Microsoft Windows is vulnerable to these issues. Other versions and platforms may also be affected.

6. Motorola Timbuktu Pro Directory Traversal Vulnerability
BugTraq ID: 25453
Remote: Yes
Date Published: 2007-08-27
Relevant URL: http://www.securityfocus.com/bid/25453
Summary:
Motorola Timbuktu Pro is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to delete or create arbitrary files with SYSTEM-level privileges. This could completely compromise affected computers.

Timbuktu Pro for Windows version 8.6.3.1367 is vulnerable; other versions and platforms may also be affected.

7. BufferZone Redlight.SYS Driver Buffer Overflow Vulnerability
BugTraq ID: 25442
Remote: No
Date Published: 2007-08-25
Relevant URL: http://www.securityfocus.com/bid/25442
Summary:
BufferZone is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

This issue affects BufferZone version 2.5; prior versions may also be affected.

8. Media Player Classic FLI File Remote Buffer Overflow Vulnerability
BugTraq ID: 25437
Remote: Yes
Date Published: 2007-08-24
Relevant URL: http://www.securityfocus.com/bid/25437
Summary:
Media Player Classic is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data.

Attackers may attempt to exploit this issue by enticing users to open malicious FLI files.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the user running the affected application. This facilitates the remote compromise of affected computers.

Media Player Classic version 6.4.9.0 is vulnerable; other versions may also be affected.

9. Soldat Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 25426
Remote: Yes
Date Published: 2007-08-23
Relevant URL: http://www.securityfocus.com/bid/25426
Summary:
Soldat is prone to multiple remote denial-of-service vulnerabilities. These issues are due to failures of the game software when handling unexpected input.

Successfully exploiting these issues allows remote attackers to crash game servers and clients, or to block arbitrary IP addresses from connecting to game servers.

Soldat version 1.4.2 and Soldat dedicated server version 2.6.2 are vulnerable to these issues; other versions may also be affected.

10. Bugzilla Multiple Remote Vulnerabilities
BugTraq ID: 25425
Remote: Yes
Date Published: 2007-08-23
Relevant URL: http://www.securityfocus.com/bid/25425
Summary:
Bugzilla is prone to multiple remote vulnerabilities: an HTML-injection vulnerability, a remote command-injection vulnerability and an information-disclosure vulnerability.

An attacker can exploit these issues to execute arbitrary code and commands with the privileges of the webserver process, steal cookie-based authentication credentials and disclose sensitive information.

These issues affect Bugzilla 2.20.4, 2.22.2, 3.0 and 3.1; prior versions of the 2.20 and 2.22 branches are also affected.

11. Skulltag Huffman Packet Decompression Remote Heap Based Buffer Overflow Vulnerability
BugTraq ID: 25423
Remote: Yes
Date Published: 2007-08-23
Relevant URL: http://www.securityfocus.com/bid/25423
Summary:
Skulltag is prone to a remote heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Successful exploits may compromise affected computers. Failed attacks will likely cause denial-of-service conditions.

Skulltag version 0.97d-beta4.1 is vulnerable; other versions may also be affected.

12. Unreal Commander Malformed Archives Multiple Remote Vulnerabilities
BugTraq ID: 25419
Remote: Yes
Date Published: 2007-08-23
Relevant URL: http://www.securityfocus.com/bid/25419
Summary:
Unreal Commander is prone to multiple remote vulnerabilities when handling malformed ZIP and RAR archives. These vulnerabilities include a directory-traversal vulnerability, an information-disclosure vulnerability and a file-name spoofing vulnerability.

An attacker can exploit these issues to compromise the affected computer, overwrite arbitrary files and disclose sensitive information. These issues may lead to other attacks.

Unreal Commander version 0.92 (build 565) and version 0.92 (build 573) are vulnerable; prior versions may also be affected.

13. IBM Lotus Notes NTMulti.EXE Local Privilege Escalation Vulnerability
BugTraq ID: 25401
Remote: No
Date Published: 2007-08-22
Relevant URL: http://www.securityfocus.com/bid/25401
Summary:
IBM Lotus Notes is prone to a local privilege-escalation vulnerability because it fails to assign proper file permissions during installation.

Attackers can exploit this issue to run arbitrary applications with SYSTEM-level privileges. Successful attacks will completely compromise affected computers.

NOTE: This issue may be related to the one covered under BID 20612. This has not been confirmed. This BID will be updated as further information becomes available.
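The weakness here is one an administrator can check for without waiting on a vendor patch: a file that is executed with SYSTEM privileges but that low-privilege users are allowed to modify. The Python below is an added example, not IBM's code and not the detail behind this BID (the summary does not give the path or permissions involved, so the paths used are hypothetical). It parses the per-file output of icacls.exe, whose format prints each ACE as principal:(flags)(rights), and reports write-class grants to principals every local user belongs to. The two outputs are constructed samples, not captured from a Lotus Notes installation.

```python
"""Flag a binary whose DACL lets low-privilege principals modify it.

Added example, not IBM's code. Parses the text `icacls <file>` prints and
reports ACEs that grant write-class rights to principals any local or
authenticated user is a member of.
"""
import re

# Principals every local (or every authenticated) user belongs to.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "builtin\\guests",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights (F, M, W, D) and specific rights that let the holder
# change the file or its security descriptor; WDAC/WO let the holder grant
# themselves F, so they count as write-class too.
WRITE_CLASS_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "WDAC", "WO", "DE"}

# Inheritance/deny markers icacls prints in the same parenthesised list.
FLAG_CODES = {"I", "OI", "CI", "IO", "NP", "DENY"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<body>(?:\([^)]*\))+)\s*$")
PAREN_RE = re.compile(r"\(([^)]*)\)")


def parse_icacls_output(path, text):
    """Return [(principal, flags, rights)] for the ACEs printed by
    `icacls <path>`. The first line begins with the queried path; later ACE
    lines are indented; the summary lines at the end are ignored."""
    aces = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Successfully processed",
                                                "Failed processing")):
            continue
        if line.startswith(path):
            stripped = line[len(path):].strip()
        m = ACE_RE.match(stripped)
        if not m:
            continue
        groups = PAREN_RE.findall(m.group("body"))
        flags = {g for g in groups if g in FLAG_CODES}
        rights = set()
        for g in groups:
            if g not in FLAG_CODES:
                rights.update(r.strip() for r in g.split(","))
        aces.append((m.group("principal").strip(), flags, rights))
    return aces


def weak_grants(path, text):
    """ACEs giving a low-privilege principal write-class access to the file
    itself. Inherit-only ACEs (IO) do not apply to the object and deny ACEs
    grant nothing, so both are skipped."""
    findings = []
    for principal, flags, rights in parse_icacls_output(path, text):
        if "IO" in flags or "DENY" in flags:
            continue
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        hit = sorted(rights & WRITE_CLASS_RIGHTS)
        if hit:
            findings.append((principal, hit))
    return findings


# Constructed sample: a correctly installed binary (hypothetical path).
GOOD_PATH = r"C:\Program Files\Vendor\svc.exe"
GOOD_OUT = r"""C:\Program Files\Vendor\svc.exe NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: the installer left the binary modifiable by everyone.
BAD_PATH = r"C:\Program Files\Vendor\helper.exe"
BAD_OUT = r"""C:\Program Files\Vendor\helper.exe Everyone:(M)
                                   BUILTIN\Users:(I)(RX)
                                   NT AUTHORITY\Authenticated Users:(DENY)(WDAC)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print("svc.exe   :", weak_grants(GOOD_PATH, GOOD_OUT))
    print("helper.exe:", weak_grants(BAD_PATH, BAD_OUT))
```

To check a real file, feed it the output of subprocess.run(["icacls", path], capture_output=True, text=True).stdout. Two caveats a practitioner will want: the check does not expand group membership, so a custom group that happens to contain all users is not flagged, and it reads only the file's own DACL; if the containing directory grants users the right to delete and create files, the binary can still be replaced even when its own ACL is sound.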

14. Clam AntiVirus ClamAV Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 25398
Remote: Yes
Date Published: 2007-08-21
Relevant URL: http://www.securityfocus.com/bid/25398
Summary:
ClamAV is prone to multiple denial-of-service vulnerabilities.

A successful attack may allow an attacker to crash the application and deny service to users.

ClamAV versions prior to 0.91.2 are vulnerable to these issues.

15. Trend Micro Anti-Spyware And PC-cillin SSAPI Engine Local Stack Buffer Overflow Vulnerability
BugTraq ID: 25388
Remote: No
Date Published: 2007-08-21
Relevant URL: http://www.securityfocus.com/bid/25388
Summary:
Trend Micro Anti-Spyware and PC-cillin Internet Security are prone to a local stack-based buffer-overflow vulnerability because the SSAPI engine fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

This issue affects a library in Trend Micro's SSAPI Engine.

Successful exploits may allow a local attacker to execute arbitrary code with SYSTEM-level privileges, facilitating a complete compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

Trend Micro Anti-Spyware for Consumer version 3.5 and PC-cillin Internet Security 2007 are vulnerable.

16. Check Point Zone Labs Multiple Products Local Privilege Escalation Vulnerabilities
BugTraq ID: 25365
Remote: No
Date Published: 2007-08-20
Relevant URL: http://www.securityfocus.com/bid/25365
Summary:
Multiple Check Point ZoneLabs products are prone to multiple local privilege-escalation vulnerabilities.

Successfully exploiting these issues allows local attackers to execute arbitrary code with elevated privileges, facilitating the complete compromise of affected computers.

ZoneAlarm versions prior to 7.0.362 are vulnerable, as well as ZoneLabs products that include 'vsdatant.sys' version 6.5.737.0.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Software smart-card emulation
http://www.securityfocus.com/archive/88/478049

2. SecurityFocus Microsoft Newsletter #356
http://www.securityfocus.com/archive/88/477495

3. NTFS default special permissions
http://www.securityfocus.com/archive/88/477517

4. Password complexity - improvement
http://www.securityfocus.com/archive/88/476610

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@xxxxxxxxxxxxxxxxx from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you must reply. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@xxxxxxxxxxxxxxxxx and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: SPI Dynamics

XPath Injection Attacks - Web Hackers' New Trick: White Paper
One particular form of injection attack, XPath Injection, is rapidly gaining in popularity due to the spread of AJAX applications and their inherent use of XML to store data.
XPath Injection can be just as dangerous as SQL Injection, and can be even easier to exploit. Learn how to identify XPath Injection vulnerabilities and which countermeasures prevent them. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/XP.asp?Campaign_ID=70160000000D1rX


