SecurityFocus Microsoft Newsletter #102

From: John Boletta (jboletta@securityfocus.com)
Date: 09/04/02


Date: Wed, 4 Sep 2002 08:55:53 -0600 (MDT)
From: John Boletta <jboletta@securityfocus.com>
To: ms-secnews@securityfocus.com



This Issue Is Sponsored By: SpiDynamics

Aberdeen Alert! FREE Research Report on Web App Attacks. Using ports 80 and
443 as expressways through network firewalls, hackers are free to probe
and breach web applications! 75% of today's successful system hacks
involve Web Application vulnerabilities, not network security flaws.

Download this FREE Aberdeen Research Report!

http://www.spidynamics.com/mktg/aberdeen21/
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Justifying the Expense of IDS, Part Two: Calculating ROI for IDS
     2. When Feds are the Crackers
     3. SecurityFocus DPP Program
     4. InfowarCon 2002
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft Windows Media Player File Attachment Script Execution...
     2. Abyss Web Server Administrative Console Unauthorized Access...
     3. Microsoft TSAC ActiveX Control Buffer Overflow Vulnerability
     4. Microsoft Network Share Provider SMB Request Buffer Overflow...
     5. Multiple Microsoft Internet Explorer Vulnerabilities
     6. Abyss Web Server Malicious HTTP Request Information Disclosure...
     7. Microsoft Internet Explorer Legacy Text Formatting ActiveX...
     8. Microsoft Internet Explorer Download Dialogue File Source...
     9. Microsoft Internet Explorer XML Redirect File Disclosure...
     10. PHPReactor Style Attribute HTML Injection Vulnerability
     11. Kerio Personal Firewall Multiple SYN Packet Denial...
     12. Abyss Web Server Encoded Backslash Directory Traversal...
     13. Blazix Special Character Handling Server Side Script...
     14. Blazix Password Protected Directory Information Disclosure...
     15. OmniHTTPD Sample Scripts Cross Site Scripting Vulnerabilities
     16. OmniHTTPD Sample Application URL Encoded Newline HTML...
     17. mIRC Scripting ASCTime Buffer Overflow Vulnerability
     18. Ultimate PHP Board Second 'admin' Account Vulnerability
     19. Yahoo Instant Messenger Signed Content Weakness
     20. Microsoft Word INCLUDETEXT Document Sharing File Disclosure...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Windows 2000 Application log corruption (Thread)
     2. IIS and Frontpage Extensions Vulnerability. (Thread)
     3. SecureIIS (Thread)
     4. Internet Explore lock up software! (Thread)
     5. MS02-042 Patch on win2k pro kills capability to map to defaul...
     6. Password Change Utility (Thread)
     7. MS02-042 Patch on win2k pro kills capability to map to default...
     8. SecurityFocus Microsoft Newsletter #101 (Thread)
     9. MS02-042 Patch on win2k pro kills capability to map to...
IV. MICROSOFT PRODUCTS
     1. Sygate® Personal Firewall
     2. Tumbleweed Secure Archive
     3. VirusMD Personal Firewall
V. MICROSOFT TOOLS
     1. l0stat v1.1
     2. Absolute Log Analyzer v1.1
     3. Security Filter v1.0-b3
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Justifying the Expense of IDS, Part Two: Calculating ROI for IDS
by David Kinn and Kevin Timm

This article is the second of a two-part series exploring ways to justify
the financial investment in IDS protection. In part one of this series we
discussed general IDS types and expanded on the impact that the logical
location of a company's critical networked assets could have on the risk
equations. To this end we introduced the Cascading Threat Multiplier (CTM)
to expand on the Single Loss Expectancy (SLE) equation. We also reviewed
implementation and management costs based on various support profiles and
reviewed the commonly accepted risk equations. Finally, we left off with
the basic formula for calculating ROI for security, otherwise commonly
known as Return on Security Investment (ROSI).

http://online.securityfocus.com/infocus/1621

2. When Feds are the Crackers
By Mark Rasch

In medieval times, attackers would use a bell-shaped metal grenade or
"petard" to break enemy defenses. These unreliable devices frequently went
off unexpectedly, destroying not only the enemy, but the attacker. As
Shakespeare noted, "'tis the sport to have the enginer Hoist with his owne
petar."

http://online.securityfocus.com/columnists/105

3. SecurityFocus DPP Program

Attention Non-profit Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

4. InfowarCon 2002

InfowarCon 2002: Homeland Defense and Cyber-Terrorism, Washington, DC
September 4-5, 2002, optional workshops September 3 & 6. Presented by MIS
Training Institute and Interpact, Inc. Proven strategies for protecting
against threats to critical infrastructures and government systems.

Visit us at:
http://www.misti.com/08/iw02nl26inf.html

II. BUGTRAQ SUMMARY
-------------------
1. Microsoft Windows Media Player File Attachment Script Execution Vulnerability
BugTraq ID: 5543
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5543
Summary:

Microsoft Windows Media Player is distributed with multiple versions of
the Microsoft Windows Operating System.

Reportedly, Microsoft Windows Media Player may allow malicious file
attachments to execute arbitrary code in the context of the local system.
Specifically, the vulnerability is due to incorrect validation of WMD
(*.wmd) files. WMD (Windows Media Download) packages are used by Media
Player to store files in a user's known Virtual Music directory.

When downloaded, WMD packages will create a folder with the same name as
the downloaded package and store it in the default "Virtual Music" folder.
This folder typically resides in My Documents\My Music\Virtual Albums\.

It is possible for an attacker to compose a malicious WMD file consisting
of a malicious .ASX and .ASF file and have Media Player extract these
files into a known location. The ASX enables a user to play streaming
media residing on an intranet or external site.

Windows Media Player runs in the security context of the user currently
logged on, therefore arbitrary code would be run at the privilege level of
that particular user.

2. Abyss Web Server Administrative Console Unauthorized Access Vulnerability
BugTraq ID: 5548
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5548
Summary:

Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.

A vulnerability has been reported for Abyss Web Server for both the Linux
and Microsoft Windows operating environments. Reportedly, it is possible
for an attacker to obtain access to Abyss Web Server's administrative
console without any need for authentication.

An attacker can exploit this vulnerability to change any, and all,
configuration parameters of Abyss Web Server, including the administrative
password. It will also enable the remote attacker to stop and restart the
Web server.

3. Microsoft TSAC ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 5554
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5554
Summary:

Microsoft offers Terminal Services client functionality over the web
through the Terminal Services Advanced Client (TSAC) ActiveX control. It
is an optional component that can be installed by end-users.

A buffer overflow vulnerability has been reported in the TSAC control.
The condition occurs when the invoking parameters are of excessive length.
This may be exploited by remote attackers to execute arbitrary
instructions on the affected client host. In particular, this issue has
been reported in the server name field accepted by the vulnerable control.

As ActiveX objects are invoked through HTML, exploitation may occur if
victims visit malicious websites. Attacks through malicious HTML e-mail
may also be possible if the victim is using versions of Outlook and
Outlook Express prior to 2002 and 6.0 respectively, without having added
the Outlook Email Security Update.

The TSAC control is not shipped with Windows or MSIE by default. It is an
optional component that may be added if a client connects to a webserver
with Terminal Services. To determine if the control is present,
users/administrators should open MSIE and perform the following
operations:

- Select the "Tools" menu-bar option.
- Select "Internet Options".
- Click on the "General" tab.
- Click on "Settings".
- Click on "View Objects".
- Check the list for the following program files:
  "Microsoft Terminal Services Client Control"
  "Microsoft RDP Client Control"
  If they are not present, the control is not installed. If they are
  present, right-click on them and view their properties. If the
  following IDs are listed, a vulnerable version of the TSAC control is
  installed:

  {1fb464c8-09bb-4017-a2f5-eb742f04392f}
  {791fa017-2de3-492e-acc5-53c67a2b94d0}

Servers hosting the TSAC control should install the patch to ensure that
vulnerable versions are not installed by users.

4. Microsoft Network Share Provider SMB Request Buffer Overflow Vulnerability
BugTraq ID: 5556
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5556
Summary:

Microsoft Windows operating systems use the Server Message Block (SMB)
protocol to support services such as file and printer sharing. A buffer
overflow vulnerability has been reported in the handling of some
malformed SMB requests.

A remote attacker able to connect to a vulnerable system may send a
specially constructed SMB request packet in order to exploit this
vulnerability. Maliciously formatted packets requesting the
NetServerEnum2, NetServerEnum3 or NetShareEnum transaction may corrupt
heap memory, causing the system to crash. A reboot is required in order to
regain normal functionality.

This problem occurs when messages are received with the fields 'Max Param
Count' or 'Max Data Count' set to zero. In both cases, insufficient heap
memory is allocated to store some data from the packet. This error leads
to the eventual corruption of control data used for adjacent blocks of
heap memory. In turn, heap manipulation functions will be led to access
invalid memory locations, causing the system to crash.

Due to the nature of this vulnerability, it is possible that careful
exploitation could lead to the execution of arbitrary code. In this case,
an attacker may gain local access to the vulnerable system, possibly with
privileges. However, the ability to execute arbitrary code through
exploitation of this issue has not yet been confirmed.

This vulnerability may be exploited both as an authenticated user, and
with anonymous access to the service. Reportedly, anonymous access is
enabled by default on some systems.

It has been reported, by "Fabio Pietrosanti (naif)" <naif@blackhats.it>,
that disabling the NetBIOS Null Session will prevent exploitation of this
vulnerability.

5. Multiple Microsoft Internet Explorer Vulnerabilities
BugTraq ID: 5557
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5557
Summary:

Microsoft has released a security bulletin describing multiple
vulnerabilities in Internet Explorer 5.01, 5.5 and 6.0.

The first issue is a buffer overflow in the Gopher protocol handler.
This vulnerability was previously alerted on and is described in further
detail in Bugtraq ID 4930 "Multiple Microsoft Product Gopher Client Buffer
Overflow Vulnerability". Exploitation will allow arbitrary code to be
executed with the privileges that the affected product is run with.

The second issue is described to be a buffer overflow in an ActiveX
component used to display specially formatted text. This issue in the
Legacy Text Formatting component may enable a remote attacker to execute
code on a client system with the privileges of the user running the
affected client. The vulnerable component is reportedly not installed by
default in current versions of Internet Explorer and was removed from the
Microsoft website when the vendor first learned of the issue.

The third issue reportedly allows a remote attacker to exploit the browser
to read XML data that is located in a known location. The source of the
issue is apparently due to how Internet Explorer handles HTTP redirects.
An attacker may exploit this issue via a malicious webpage that redirects
the browser to access resources on the local filesystem of the client
machine.

The fourth issue is in how Internet Explorer displays download dialogues
to users. It is possible to exploit this condition to misrepresent the
source of a file being downloaded to appear as though it is coming from a
trusted source, when in fact it originates from an untrusted source. The
user must still interactively execute the file that was misrepresented via
the download dialogue.

The fifth issue appears to be an issue that was previously alerted on.
Further details can be found in the vulnerability record Bugtraq ID 5196
"Microsoft Internet Explorer OBJECT Tag Same Origin Policy Violation
Vulnerability". This may allow remote attackers to gain unauthorized
access to local resources on client systems and perform actions such as
the execution of local binaries. The attacker would not be able to pass
parameters to local executables invoked in this manner. The attacker must
know the name and location of the local resource to exploit this issue.

The sixth issue is a variant of the issue described in Microsoft Security
Bulletin MS02-023 and Bugtraq ID 4754 Microsoft Internet Explorer Cookie
Content Disclosure Vulnerability. It may potentially allow an attacker to
cause malicious script code and HTML to execute with the relaxed
restrictions associated with the Local Computer Zone.

** At the earliest possible convenience, this record will be divided up
into new vulnerability records where it is appropriate. Existing records
will also be updated to reflect the information contained in the Microsoft
Security Bulletin.

6. Abyss Web Server Malicious HTTP Request Information Disclosure Vulnerability
BugTraq ID: 5549
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5549
Summary:

Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.

Reportedly, it is possible for attackers to obtain the contents of files
by appending a special character to HTTP requests to Abyss Web Server.

An attacker can exploit this vulnerability to obtain access to contents of
potentially sensitive files. Reportedly, by appending the '+' character,
Abyss Web Server will disclose the contents of some files to remote
attackers.

It has been reported possible to exploit this vulnerability to view the
contents of '.chl' files used for remote administration of the server. It
may be possible to view the contents of other executable files intended to
serve CGI requests. This has not, however, been confirmed.

This vulnerability has been reported for Abyss Web Server 1.0.3. It is not
known whether other versions are affected.

7. Microsoft Internet Explorer Legacy Text Formatting ActiveX Component Buffer Overflow Vulnerability
BugTraq ID: 5558
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5558
Summary:

A buffer overflow vulnerability has been reported in Microsoft Internet
Explorer's Legacy Text Formatting ActiveX control. This issue affects
Microsoft Internet Explorer 5.0.1 to 6.0.

The Legacy Text Formatting ActiveX control is used by Internet Explorer to
display specially formatted text. Reportedly, the ActiveX control is
vulnerable to a buffer overflow condition.

Microsoft has reported that the specific ActiveX control is not installed
by default as part of Internet Explorer. The control, however, will be
downloaded as it is needed from a Microsoft Web Site. The control was
retained by Microsoft for backward compatibility and has since been
removed from the Web site.

An attacker can exploit this vulnerability by creating a Web site that
will call the ActiveX control with some specially crafted arguments. An
overly long argument to the 'Caption' parameter when calling the ActiveX
control will create the buffer overflow condition. This will cause the
ActiveX control to overwrite a saved return address stored on the stack
allowing an attacker to gain control of Internet Explorer's path of
execution. Thus an attacker is able to cause Internet Explorer to execute
malicious attacker-supplied code. The malicious code will execute with the
privileges of the user running the vulnerable client.

This issue was originally described in BID 5557, Multiple Microsoft
Internet Explorer Vulnerabilities, and is now being assigned its own
BugTraq ID.

8. Microsoft Internet Explorer Download Dialogue File Source Obfuscation Vulnerability
BugTraq ID: 5559
Remote: Yes
Date Published: Aug 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5559
Summary:

A vulnerability has been reported for Microsoft Internet Explorer in how
download dialogues are displayed to users. This issue affects Microsoft
Internet Explorer 5.0.1 to 6.0.

Reportedly, Internet Explorer may misrepresent the origin of a file in the
File Download Dialogue box. An attacker can exploit this flaw to trick
unsuspecting users into downloading a file from a supposedly trusted
source when, in fact, it may originate from an attacker controlled source.

The vulnerability is the result of Internet Explorer failing to process
malformed URL links when displaying information in a File Download
Dialogue box. If the Internet Explorer File Download dialogue encounters
certain special characters, it will not be able to display the proper
download location.

An attacker exploiting this flaw may create a false sense of trust which
results in the victim user downloading and installing files that originate
from an untrustworthy source. The user must still interactively download
and execute the misrepresented file.

This issue was originally described in BID 5557, Multiple Microsoft
Internet Explorer Vulnerabilities, and is now being assigned its own
BugTraq ID.

9. Microsoft Internet Explorer XML Redirect File Disclosure Vulnerability
BugTraq ID: 5560
Remote: Yes
Date Published: Aug 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5560
Summary:

A flaw in Microsoft Internet Explorer may reveal the entire contents of
XML files and partial contents of other files to attackers. This issue
affects Microsoft Internet Explorer 5.0.1 to 6.0.

This vulnerability allows an attacker to read the entire contents of XML
files, and fragments of other files, existing in a known location, from a
victim user's system.

This vulnerability is due to Internet Explorer improperly handling an HTML
directive to display XML data. The directive is not correctly checked to
ensure that a referenced XML data source is not redirected to a data
source in a different domain. A <script> tag whose "src" attribute points
to a URL that redirects the HTTP request to a local or remote location
will result in the XML engine processing and displaying the contents of
that location.

This vulnerability can be exploited via a malicious webpage or via
malicious HTML e-mail. Other applications that use the Internet Explorer
engine are affected as well (Outlook, MSN Explorer, etc.).

This issue was originally described in BID 5557, Multiple Microsoft
Internet Explorer Vulnerabilities, and is now being assigned its own
BugTraq ID.

10. PHPReactor Style Attribute HTML Injection Vulnerability
BugTraq ID: 5569
Remote: Yes
Date Published: Aug 24 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5569
Summary:

php(Reactor) is an integrated system of web applications designed for
website maintenance. It will run on most Linux and Unix variants, in
addition to Microsoft Windows operating systems.

php(Reactor) does not sufficiently sanitize HTML from various fields (such
as in the body of a message or in profile fields). It is possible to
inject arbitrary HTML and script code into these fields. In particular,
the "STYLE" attribute in an arbitrary HTML tag is not properly sanitized.
Arbitrary HTML and script code injected in this manner will be displayed
to other users who visit the vulnerable website.

An attacker may potentially exploit this situation to cause arbitrary HTML
and script code to execute in the web client of a user of a vulnerable
website. The attacker-supplied code will execute in the context of the
vulnerable website.
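The defensive counterpart to the php(Reactor) issue is an allowlist sanitizer that re-serializes user-supplied HTML keeping only known tags and attributes, so a STYLE attribute (or an on* handler, or a javascript: link) never reaches other users' browsers. The following is an added example written for this newsletter, not php(Reactor)'s code; the tag and attribute allowlist is a constructed one.

```python
"""Allowlist HTML sanitizer: keeps only known tags/attributes, drops STYLE.

Added example (not php(Reactor) code). The allowlist below is constructed.
"""
import html
from html.parser import HTMLParser

# Tags a message body may contain, and the attributes each may carry.
# "style" appears nowhere, so a STYLE attribute on any tag is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "a": {"href", "title"},
}
DROP_WITH_CONTENT = {"script", "style"}   # drop the element and its text
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Re-serialize a fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output pieces
        self.open_tags = []    # stack of allowlisted tags already emitted
        self.suppress = 0      # > 0 while inside <script> or <style>

    @staticmethod
    def _attr_ok(tag, name, value):
        if name not in ALLOWED_TAGS[tag] or value is None:
            return False
        if name == "href":
            # Allowlist schemes; javascript:, data:, vbscript: never pass.
            return value.strip().lower().startswith(SAFE_URL_SCHEMES)
        return True

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.suppress += 1
            return
        if tag not in ALLOWED_TAGS or self.suppress:
            return              # unknown tag: drop the tag, keep its text
        kept = "".join(
            ' %s="%s"' % (name, html.escape(value, quote=True))
            for name, value in attrs if self._attr_ok(tag, name, value)
        )
        self.out.append("<%s%s>" % (tag, kept))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.suppress = max(0, self.suppress - 1)
            return
        if tag in self.open_tags:
            # Close intervening tags as well so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.suppress:
            # Text is re-escaped, so literal '<' and '&' cannot form markup.
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # close anything the author left open
            self.out.append("</%s>" % self.open_tags.pop())


def sanitize(fragment):
    """Return a safe re-serialization of an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs of the kind described above.
    for sample in ('<p style="x:expression(alert(1))">hi</p>',
                   '<b onmouseover="evil()">ok</b>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<script>alert(1)</script>after'):
        print(repr(sample), "->", repr(sanitize(sample)))
```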

11. Kerio Personal Firewall Multiple SYN Packet Denial Of Service Vulnerability
BugTraq ID: 5570
Remote: Yes
Date Published: Aug 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5570
Summary:

Kerio Personal Firewall (KPF) is a personal firewall product for the
Microsoft Windows operating system.

A denial of service vulnerability has been reported in some versions of
KPF. When a large number of SYN packets are received from a single source,
the firewall process will consume all available CPU time, and eventually
hang the vulnerable system. A reboot may be required in order to regain
normal functionality.

Reportedly, this attack is possible regardless of the configured behavior
of the firewall. It has been reported that between 300 and 500 SYN packets
are sufficient to exploit this condition in laboratory conditions.
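Since the reported trigger is a burst of a few hundred SYNs from one source, the condition can be detected upstream of the host by counting SYNs per source over a sliding window. The following is an added example for this newsletter, not Kerio code; the log line format and the sample traffic are constructed, and the default threshold of 300 reflects the lower bound quoted above.

```python
"""Sliding-window SYN-per-source detector over constructed firewall logs.

Added example (not Kerio Personal Firewall code). The log format below is
constructed: "<timestamp> <flags> src:port -> dst:port".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<flags>\S+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def detect_syn_bursts(lines, threshold=300, window=timedelta(seconds=10)):
    """Return one (source_ip, window_start, count) alert per source whose
    SYN count within `window` reaches `threshold`.

    The alert fires on the packet that crosses the threshold, so the
    reported count equals `threshold`; later SYNs from that source do not
    re-alert.
    """
    recent = defaultdict(deque)   # src -> timestamps of SYNs still in window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "SYN":
            continue              # skip unparsable lines and non-SYN packets
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        src = m.group("src")
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire SYNs that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (src, q[0], len(q))
    return list(alerts.values())


def sample_log():
    """Constructed sample: 10.0.0.5 sends 450 SYNs in under a second, while
    10.0.0.9 makes 50 ordinary connections (SYN then ACK) over a minute."""
    base = datetime(2002, 8, 26, 10, 0, 0)
    lines = []
    for i in range(450):
        ts = base + timedelta(milliseconds=2 * i)
        lines.append("%s SYN 10.0.0.5:%d -> 192.168.1.2:80"
                     % (ts.strftime(TS_FMT), 1024 + i))
    for i in range(50):
        ts = base + timedelta(seconds=1.2 * i)
        lines.append("%s SYN 10.0.0.9:%d -> 192.168.1.2:80"
                     % (ts.strftime(TS_FMT), 2000 + i))
        ack = ts + timedelta(milliseconds=5)
        lines.append("%s ACK 10.0.0.9:%d -> 192.168.1.2:80"
                     % (ack.strftime(TS_FMT), 2000 + i))
    return sorted(lines)          # this timestamp format sorts lexically


if __name__ == "__main__":
    for src, start, count in detect_syn_bursts(sample_log()):
        print("SYN burst from %s: %d SYNs from %s" % (src, count, start))
```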

12. Abyss Web Server Encoded Backslash Directory Traversal Vulnerability
BugTraq ID: 5547
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5547
Summary:

Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.

A directory traversal vulnerability has been reported for Abyss Web
Server. The issue is related to the failure to properly process the
backslash character ('\', URL-encoded as '%5c'), which may be used as a
directory delimiter on the affected platforms. By using the URL encoded
sequence '%2e%2e%5c', the web root may be escaped.

Exploitation can result in arbitrary system files being sent to a remote
attacker. This information may be of value in attempting further attacks
against the vulnerable system.

The directory traversal vulnerability was reported for Abyss Web Server
for both the Microsoft Windows and Linux operating environment. In a Linux
environment, it is only possible to escape immediately out of the web root
directory and into the Abyss folder; it is not possible for an attacker to
view files residing outside of the Abyss installation folder. However, in
a Windows environment the attacker is able to traverse outside of the
webroot and into all areas of the filesystem.

13. Blazix Special Character Handling Server Side Script Information Disclosure Vulnerability
BugTraq ID: 5566
Remote: Yes
Date Published: Aug 24 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5566
Summary:

Blazix is a freely available, open source web server written in Java. It
is available for Linux and Microsoft Windows operating systems.

A problem with Blazix may make it possible for a remote user to gain
access to sensitive information.

Blazix does not properly handle some special characters when appended to
requests. By passing a special character with a request to the web
server, it is possible for a user to gain access to the source of
server-side scripts. This could result in information disclosure, and
could potentially be used to gain intelligence in launching an attack
against a system.

When a user passes a request to the web server that ends in either a plus
(+) or backslash (\), the web server may react unpredictably. This type
of character appended to the name of a .jsp file has been reported to
reveal the contents of the .jsp file.

14. Blazix Password Protected Directory Information Disclosure Vulnerability
BugTraq ID: 5567
Remote: Yes
Date Published: Aug 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5567
Summary:

Blazix is a freely available, open source web server written in Java. It
is available for Linux and Microsoft Windows operating systems.

A problem with Blazix may make it possible for a remote user to gain
access to sensitive information.

Blazix does not properly handle some special characters when appended to
requests. By passing a special character with a request to the web
server, it is possible for a user to gain access to a listing of a
password protected directory. This could result in information
disclosure, and could potentially be used to gain intelligence in
launching an attack against a system.

When a user passes a request to the web server that ends in either a plus
(+) or backslash (\), the web server may react unpredictably. This type
of character appended to the name of a password-protected directory has
been reported to reveal the contents of the directory.

15. OmniHTTPD Sample Scripts Cross Site Scripting Vulnerabilities
BugTraq ID: 5568
Remote: Yes
Date Published: Aug 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5568
Summary:

OmniHTTPD is a webserver for Microsoft Windows operating systems.
OmniHTTPD supports a number of extensions which provide dynamic content,
including server side includes (SSI) and PHP CGI scripts.

Cross site scripting vulnerabilities have been reported in multiple sample
scripts included with OmniHTTPD. In particular, test.shtml and test.php
contain errors.

An attacker may exploit this vulnerability by causing a victim user to
follow a malicious link to one of the vulnerable scripts.
Attacker-supplied code may execute within the context of the site hosting
the vulnerable software when the malicious link is visited.

This type of vulnerability may be used to steal cookies or perform other
web-based attacks.

16. OmniHTTPD Sample Application URL Encoded Newline HTML Injection Vulnerability
BugTraq ID: 5572
Remote: Yes
Date Published: Aug 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5572
Summary:

OmniHTTPD is a webserver for Microsoft Windows operating systems.
OmniHTTPD supports a number of CGI extensions which provide dynamic
content.

Cross site scripting vulnerabilities have been reported in the
'/cgi-bin/redir.exe' sample CGI included with OmniHTTPD. Reportedly, it is
possible for an attacker to URL encode the newline character (%0D) and
insert malicious HTML code. A vulnerable server receiving a malformed
request will return a 302 redirect HTTP response containing the malicious
attacker-supplied code.

An attacker may exploit this vulnerability by causing a victim user to
follow a malicious link to the vulnerable CGI. Attacker-supplied code may
execute within the context of the site hosting the vulnerable software
when the malicious link is visited.

This type of vulnerability may be used to steal cookies or perform other
web-based attacks.
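The Abyss, Blazix and OmniHTTPD items above (BIDs 5547, 5549, 5566, 5567 and 5572) share one root cause: the server maps a request onto the filesystem or into a response header before the request has been decoded and canonicalized. The following is an added example for this newsletter, not code from any of those servers; it shows the decode-then-validate order a server should apply, treating %5c as a separator, refusing the trailing '+' and '\' that trigger source disclosure, and refusing CR/LF in a redirect target. The segment allowlist and the sample requests are constructed.

```python
"""Decode-then-canonicalize checks for request paths and redirect targets.

Added example (not Abyss, Blazix or OmniHTTPD code). The segment allowlist
is constructed: a name must start alphanumeric, so dotfiles, '..', '+' and
'\\' never survive as part of a file name.
"""
import re
from urllib.parse import unquote

SEGMENT_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")
AMBIGUOUS_TRAILERS = ("+", "\\", ".", " ")


class RejectedRequest(ValueError):
    """Raised for any request target that cannot be mapped unambiguously."""


def canonical_path(raw_target):
    """Map a request-line target to a canonical web-root-relative path,
    e.g. "/docs/index.html"; raise RejectedRequest for anything else."""
    path = raw_target.split("?", 1)[0]           # the query string is not a path
    # Decode twice so double encoding (%255c -> %5c -> \) is also caught.
    path = unquote(unquote(path))
    if any(c in path for c in "\x00\r\n"):
        raise RejectedRequest("control character in path")
    # 'page.jsp+' or 'dir\' must not be mapped onto 'page.jsp' or 'dir':
    # this is the Abyss/Blazix disclosure. Reject rather than strip.
    if path.endswith(AMBIGUOUS_TRAILERS):
        raise RejectedRequest("ambiguous trailing character")
    # Treat backslash exactly as the Windows filesystem does, as a
    # separator; a check for '../' alone would miss '..%5c'.
    path = path.replace("\\", "/")
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:                        # would climb above web root
                raise RejectedRequest("traversal above web root")
            stack.pop()
            continue
        if not SEGMENT_RE.fullmatch(segment):
            raise RejectedRequest("illegal path segment %r" % segment)
        stack.append(segment)
    return "/" + "/".join(stack)


def location_header(target):
    """Build the 'Location:' header line for a redirect CGI, refusing any
    target whose decoded form would end the header line (%0D/%0A)."""
    decoded = unquote(target)
    if "\r" in decoded or "\n" in decoded:
        raise RejectedRequest("line break in redirect target")
    return "Location: %s" % target


def rejects(check, target):
    """True if check(target) raises RejectedRequest (demo/test helper)."""
    try:
        check(target)
        return False
    except RejectedRequest:
        return True


if __name__ == "__main__":
    # Constructed sample requests, benign and hostile.
    for target in ("/docs/index.html?id=1", "/a/b/%2e%2e/c.html",
                   "/%2e%2e%5cabyss.conf", "/images/..%255c..%255cboot.ini",
                   "/login.jsp+", "/private%5c", "/index.html%00.jpg"):
        try:
            print("%-36s -> %s" % (target, canonical_path(target)))
        except RejectedRequest as err:
            print("%-36s -> rejected: %s" % (target, err))
    for target in ("/cgi-bin/page.html", "/ok%0D%0AX-Injected:%201"):
        print(target, "->", "rejected" if rejects(location_header, target)
              else location_header(target))
```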

17. mIRC Scripting ASCTime Buffer Overflow Vulnerability
BugTraq ID: 5576
Remote: Yes
Date Published: Aug 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5576
Summary:

mIRC is a chat client for the IRC protocol, designed for Microsoft Windows
based operating systems. mIRC includes support for a scripting language.

A buffer overflow vulnerability has been reported in the $asctime
identifier, a function in the mIRC scripting language. If an oversized
format specifier is passed to this function, process memory will be
corrupted. It has been reported possible to exploit this vulnerability to
execute arbitrary code with the privileges of the user running mIRC.

Exploitation will rely on a script passing untrusted output to the
vulnerable function. Reportedly, default scripts included with mIRC do not
use the $asctime function in a manner which allows exploitation. It is
possible, however, that third party scripts may provide possibilities for
attackers.

18. Ultimate PHP Board Second 'admin' Account Vulnerability
BugTraq ID: 5580
Remote: Yes
Date Published: Aug 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5580
Summary:

Ultimate PHP Board is a freely available, open source PHP bulletin board.
It is available for Unix, Linux, and Microsoft Operating Systems.

Ultimate PHP Board does not prevent the registration of names that could
be potentially confusing to users.

Under some circumstances, it may be possible to register an account that
could be confused with the 'Admin' user of the board. Ultimate PHP Board
does not prevent the registration of the 'admin' account. While the
'admin' account is a regular board member account, and the 'Admin' account
is that of the board administrator, it may be possible for a user to use
the account in a social engineering scenario to impersonate the
administrative user.

19. Yahoo Instant Messenger Signed Content Weakness
BugTraq ID: 5579
Remote: Yes
Date Published: Aug 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5579
Summary:

Yahoo Instant Messenger is an instant messenger client distributed by
Yahoo. It is available for Microsoft Windows systems.

A weakness has been reported in the Yahoo Instant Messenger installer
where an attacker may use the installer to install malicious software on
the vulnerable system. The Yahoo Instant Messenger Installer uses HTTP,
and though it uses signed content for the installer, does not verify the
signature of packages downloaded from Yahoo.

In order to exploit this weakness, the attacker must control the machine
located at a19.g.a.yimg.com, from the perspective of the vulnerable
client. It may be possible to create this condition through some known
techniques, including DNS cache poisoning and DNS spoofing.

20. Microsoft Word INCLUDETEXT Document Sharing File Disclosure Vulnerability
BugTraq ID: 5586
Remote: Yes
Date Published: Aug 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5586
Summary:

Microsoft Word has a feature entitled Field Codes which enables other
documents and resources on the local system to be referenced inside of a
Word document. The INCLUDETEXT Field Code may be used to insert an
arbitrary local file into a document. The INCLUDETEXT Field Code is
reported to, under some circumstances, present a security threat.

If the INCLUDETEXT Field Code is included in a document and references a
file on the local system of the recipient, then the file will also be
included when the document is sent out. It is possible for an attacker to
abuse this functionality in a situation where documents are constantly
being shared and updated.

Under normal circumstances, the recipient of a document with Field Codes
must manually update the fields for the file to be imported to the
document with INCLUDETEXT. However, it has been reported that Microsoft
Word automatically updates the fields if a DATE field is included in the
INCLUDETEXT statement and it is the last DATE field in the document.
Furthermore, it is possible to obfuscate the INCLUDETEXT Field Code so
that the recipient of the document may not be aware that it is attempting
to import sensitive local files to the document.

The recipient of the malicious document must still pass along the updated
version of the document for the attacker to receive the imported local
file.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Windows 2000 Application log corruption (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289938

2. IIS and Frontpage Extensions Vulnerability. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289937

3. SecureIIS (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289657

4. Internet Explore lock up software! (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289440

5. MS02-042 Patch on win2k pro kills capability to map to default shares (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289333

6. Password Change Utility (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289334

7. MS02-042 Patch on win2k pro kills capability to map to default shares (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289242

8. SecurityFocus Microsoft Newsletter #101 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289246

9. MS02-042 Patch on win2k pro kills capability to map to default shares (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289172

IV. MICROSOFT PRODUCTS
----------------------
1. Sygate Personal Firewall
by Sygate Technologies, Inc.
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.sygate.com/products/shield_ov.htm
Summary:

Sygate Personal Firewall delivers unobtrusive configurable security by
constantly operating in the background of your PC or server. Whether
you're working, banking, gaming or chatting, Sygate Personal Firewall is
protecting your computer by actively looking for hostile intruders and
Trojan Horse applications. If an intrusion attempt is detected, Sygate
Personal Firewall immediately notifies you and, with your approval,
adjusts your Internet connection to prohibit further attacks. Likewise, if
an unauthorized application on your system attempts to access the
Internet, Sygate Personal Firewall advises you of the situation and waits
for your approval before proceeding further.

2. Tumbleweed Secure Archive
by Tumbleweed Communications
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.tumbleweed.com/en/products/solutions/protect_enterprise/archive.html
Summary:

Tumbleweed Secure Archive provides organizations with a comprehensive set
of archiving, monitoring and reporting capabilities that help them meet
corporate, government and regulatory guidelines. It provides an indexed
database for quick retrieval of messages and its browser-based interface
and tiered reviewer structure allow supervisors, compliance officers and
auditors to review and act on email messages.

3. VirusMD Personal Firewall
by VirusMD
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.virusmd.com/softintro.htm
Summary:

VirusMD Personal Firewall is the tool of choice to protect home users from
hackers. When combined with an updated virus scanner, VirusMD Personal
Firewall will help keep you and your family safe from intrusion. VirusMD
Personal Firewall is the world's easiest-to-use personal firewall, and it
comes with the world's most polite and expert customer service. Also
available for download for a free 30 day trial period.

V. MICROSOFT TOOLS
-------------------
1. l0stat v1.1
by DLC Sistemas
Relevant URL:
http://www.dlcsistemas.com/html/l0stat.html
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:

L0stat generates a statistical report on the strength of NT accounts and
passwords.

This utility reads the L0phtCrack result files or the LC3 exported text
results file and processes the data to give the NT or security
administrator a global view of the security of their SAM database.

As a way to discover NT passwords, L0phtCrack and LC3 are great tools.

But if you do not want to know the passwords themselves, only a global
view of password quality, you need to go one step further. For example,
how can you evaluate the security level of an NT enterprise's database
with 1000 accounts?

That is where L0stat comes in. L0stat does not replace L0phtCrack. L0stat
is a reporting tool for data retrieved with L0phtCrack or LC3.

2. Absolute Log Analyzer v1.1
by BitStrike Software
Relevant URL:
http://www.bitstrike.com/analyzer/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

Absolute Log Analyzer is an easy-to-use, powerful, database-driven log
analysis solution for single-server web sites. It can download your log
files and collect all data into the database, so you will not need to
process already parsed log files again. With Absolute Log Analyzer you
will be able to get complete information about site visitors, referrers,
bandwidth, search engines, spiders and much more.

3. Security Filter v1.0-b3
by Max Cooper
Relevant URL:
http://securityfilter.sourceforge.net/
Platforms: OS Independent
Summary:

SecurityFilter is intended for use by Java Web application developers. It
provides robust security and automatic authentication services for Web
applications. It mimics the behavior and configuration format of
container-managed security, but has several important advantages that make
it an ideal solution for single-context, public Web sites, or when it is
necessary or simply desirable to avoid the server configuration hassles
and portability issues associated with container-managed security.

VI. SPONSORSHIP INFORMATION
---------------------------
This Issue Is Sponsored By: SpiDynamics