SecurityFocus Microsoft Newsletter #162
----------------------------------------
This Issue is Sponsored by: SpiDynamics
ALERT! "Outsmart Web Application Hackers"-FREE Product Trial
------------------------------------------------------------
Test your Web Applications for over 4000 vulnerabilities! FREE Web App
Security Test via our 15 Day Product Trial that delivers a comprehensive
vulnerability report. Secure your critical assets today!
http://www.securityfocus.com/sponsor/SPIDynamics_ms-secnews_031110
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Wireless Intrusion Detection Systems
II. MICROSOFT VULNERABILITY SUMMARY
1. Citrix Metaframe XP Cross-site Scripting Vulnerability
2. Plug and Play Web Server Remote Denial of Service Vulnerabil...
3. BRS WebWeaver httpd `User-Agent` Remote Denial of Service Vu...
4. HTTP Commander Directory Traversal Vulnerability
5. Bugzilla Multiple Vulnerabilities
6. Nullsoft SHOUTcast icy-name/icy-url Memory Corruption Vulner...
7. Synthetic Reality SymPoll Cross-Site Scripting Vulnerability
8. MPM Guestbook Cross-Site Scripting Vulnerability
9. PHPKit Include.PHP Cross-Site Scripting Vulnerability
10. PHPRecipeBook Unspecified Cross-Site Scripting/HTML Injectio...
11. IA WebMail Server Long GET Request Buffer Overrun Vulnerabil...
12. NIPrint LPD-LPR Print Server Remote Buffer Overrun Vulnerabi...
13. Network Instruments NIPrint LDP-LPR Privilege Escalation Vul...
14. OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
15. Perception LiteServe Server Log Buffer Overflow Vulnerabilit...
16. Microsoft Internet Explorer Double Slash Cache Zone Bypass V...
17. Microsoft Internet Explorer Self Executing HTML Arbitrary Co...
III. MICROSOFT FOCUS LIST SUMMARY
1. IIS 6 features (Thread)
2. IIS 6 features- loooong response (Thread)
3. Event Log messages for failed logon attempts (Thread)
4. Notable "Windows Postulates" from Linux Gurus (Thread)
5. ICF Firewall - How can I do it? (Thread)
6. SecurityFocus Microsoft Newsletter #161 (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. EnCase Enterprise Edition
2. SafeGuard PDA
3. The CyberAngel Security Software
4. Cyber-Ark Inter-Business Vault
5. EnCase Forensic Edition
6. OverflowGuard
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Glub Tech Secure FTP v2.0.11
2. Enigmail v0.82.0
3. GPA (GNU Privacy Assistant) v0.7.0
4. Anti-Spam SMTP Proxy v1.0.6
5. PipeACL tools v1.0
6. Libnids 1.18
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Wireless Intrusion Detection Systems
By Jamil Farshchi
This paper will describe the need for wireless intrusion detection,
provide an explanation of wireless intrusion detection systems, and
identify the benefits and drawbacks of a wireless intrusion detection
solution.
http://www.securityfocus.com/infocus/1742
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Citrix Metaframe XP Cross-site Scripting Vulnerability
BugTraq ID: 8939
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8939
Summary:
Metaframe is a remote desktop software package distributed by Citrix. This
issue affects Metaframe on the Microsoft Windows platform. The application
can be configured to require authentication credentials before granting
desktop access to a user.
A vulnerability has been discovered in Citrix Metaframe XP, specifically
during the authentication phase. When invalid authentication credentials
are supplied to the application, an error message is returned to the user.
The contents of this message are included within the URI. As a result, it
would be possible to include malicious script code within the page
contents location of the URI, specifically within the NFuse_Message URI
parameter.
This vulnerability occurs due to the Metaframe application failing to
carry out sufficient sanitization of URI parameters. An attacker could
potentially exploit this condition to execute arbitrary script code within
the context of a victim's browser. Ultimately, this could lead to the theft
of cookie-based authentication credentials or other attacks.
2. Plug and Play Web Server Remote Denial of Service Vulnerabil...
BugTraq ID: 8941
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8941
Summary:
Plug and Play Web Server is a Microsoft Windows based application package
that provides users with the ability to create and maintain dynamic
websites. The software also supports SSL.
A vulnerability has been reported in the software that may allow a remote
attacker to cause a denial of service condition in the server. The issue
presents itself when an attacker sends a malformed HTTP GET request to the
server for: "GET /asdf.? HTTP/1.0". The problem leads to a halt of the
proxy service followed by this error message: "Runtime Error 12001 -
Parameter 1 of the method used is invalid or not appropriate".
Successful exploitation of this issue may allow an attacker to cause the
software to act in an unstable manner leading to a crash or hang.
Plug and Play version 1.0002c has been reported to be prone to this issue,
however other versions may be vulnerable as well.
3. BRS WebWeaver httpd `User-Agent` Remote Denial of Service Vu...
BugTraq ID: 8947
Remote: Yes
Date Published: Nov 01 2003
Relevant URL: http://www.securityfocus.com/bid/8947
Summary:
BRS WebWeaver is a small personal web server available for the Microsoft
Windows operating systems.
A denial of service vulnerability has been discovered in BRS WebWeaver. The
problem occurs when a request is made containing a large string value for
the `User-Agent` parameter. This issue may cause the software to behave
in an unstable manner leading to a crash.
Successful exploitation of this issue may allow an attacker to cause the
software to crash or hang.
BRS WebWeaver versions 1.06 and prior have been reported to be prone to
this issue.
4. HTTP Commander Directory Traversal Vulnerability
BugTraq ID: 8948
Remote: Yes
Date Published: Nov 01 2003
Relevant URL: http://www.securityfocus.com/bid/8948
Summary:
HTTP Commander is a web based file management system used for Microsoft
IIS web server. HTTP Commander is written in ASP.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to access information outside the server root directory.
The problem exists due to insufficient sanitization of user-supplied data.
The issue may allow a remote attacker to traverse outside the server root
directory by using '../' character sequences.
Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.
HTTP Commander version 4.0 is reported to be prone to this issue, however
other versions may be affected as well.
5. Bugzilla Multiple Vulnerabilities
BugTraq ID: 8953
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8953
Summary:
Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Windows operating systems.
Multiple vulnerabilities have been reported to exist in the software. The
issues include SQL injection, unauthorized privileges, and information
disclosure.
A SQL injection issue has been reported to be present in the nightly
statistics cron job called collectstats.pl. A user with 'editproducts'
privileges, which are usually granted to administrators, may be able to
carry out SQL injection attacks. This issue affects Bugzilla versions
2.16.3 and earlier.
Another SQL injection vulnerability has been reported that may be
exploited by a user with 'editkeywords' privileges, which are usually
granted to administrators. Such an attacker may be able to inject
arbitrary SQL code into the underlying database through the URL used to
edit an existing keyword.
This issue affects Bugzilla versions 2.16.3 and earlier and 2.17.1 through
2.17.4.
A vulnerability has been reported that may allow users to retain
privileges that were previously granted. This issue may occur when
products are being deleted. If the 'usebuggroups' parameter was selected,
users may still be able to add others to the group that is being deleted.
If another group is created that reuses the group id from the group being
deleted, they may automatically inherit privileges granted to the group.
This vulnerability only allows users that had those privileges before to
retain them. This issue affects Bugzilla versions 2.16.3 and earlier.
An information disclosure issue has been reported that may allow an
attacker to view restricted bugs stored in the database. It has been
reported that if an attacker knows the e-mail address of a user who has
voted on a secure or restricted bug they may be able to view the summary
of the bug without having sufficient permissions. This issue affects
Bugzilla versions 2.16.3 and earlier and 2.17.1 through 2.17.4.
Another information disclosure issue has been reported that may allow an
attacker to disclose component descriptions for a product without proper
authorization. This issue affects Bugzilla versions 2.17.3 and 2.17.4.
6. Nullsoft SHOUTcast icy-name/icy-url Memory Corruption Vulner...
BugTraq ID: 8954
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8954
Summary:
Nullsoft SHOUTCast Server is used to broadcast Shoutcast music. It is
available for Unix and Linux operating systems, as well as Microsoft
Windows.
Nullsoft SHOUTcast Server is prone to a memory corruption vulnerability
that may lead to denial of service attacks or code execution.
Insufficient bounds checking of the icy-name and icy-url server commands
may allow a remote authenticated user to corrupt memory. It has been
reported that the attacker must issue overly long arguments for both these
commands during a connection to the server. Doing so will cause adjacent
regions of memory to be corrupted, which will most likely result in a
denial of service but could potentially be exploited to execute arbitrary
code.
This issue was reported in SHOUTcast 1.9.2 on Windows platforms. Other
versions and platforms may also be affected.
7. Synthetic Reality SymPoll Cross-Site Scripting Vulnerability
BugTraq ID: 8956
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8956
Summary:
Sympoll is web-based voting booth software. It is implemented in PHP and
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.
A cross-site scripting vulnerability has been reported in the software.
The problem is reported to exist due to improper handling of user-supplied
data through the 'vo' parameter. HTML and script code will be rendered in
a user's browser, therefore making it possible for an attacker to
construct a malicious link containing HTML or script code that may be
rendered in a user's browser upon visiting that link. This attack would
occur in the security context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
Sympoll version 1.5 is reported to be prone to this issue, however other
versions may be affected as well.
8. MPM Guestbook Cross-Site Scripting Vulnerability
BugTraq ID: 8958
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8958
Summary:
MPM Guestbook is a freely available web application. It is implemented in
PHP and available for Unix/Linux variants as well as Microsoft Windows
platforms.
MPM Guestbook is reported to be prone to a cross-site scripting
vulnerability. This is due to insufficient sanitization of HTML from URI
parameters, which will be displayed in web pages that are dynamically
generated by the software. In particular, the 'lng' URI parameter is not
filtered.
An attacker could exploit this issue by enticing a victim user to follow a
malicious link that includes HTML and script code as a value for the
vulnerable URI parameter. The attacker-supplied code could be rendered in
the victim's browser in the context of the site hosting the software.
This could theoretically allow for theft of cookie-based authentication
credentials. The attacker may also influence how the guestbook is
rendered to the user following the link, allowing for a variety of other
attacks.
9. PHPKit Include.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 8960
Remote: Yes
Date Published: Nov 02 2003
Relevant URL: http://www.securityfocus.com/bid/8960
Summary:
PHPKIT is content management software. It is implemented in PHP and
available for Unix/Linux variants as well as Microsoft Windows.
PHPKIT is reported to be prone to a cross-site scripting vulnerability.
This is due to insufficient sanitization of HTML from URI parameters,
which will be displayed in web pages that are dynamically generated by the
software. The issue exists in the 'include.php' script and is specific to
the 'contact_email' URI parameter.
An attacker could exploit this issue by enticing a victim user to follow a
malicious link that includes HTML and script code as a value for the
vulnerable URI parameter. The attacker-supplied code could be rendered in
the victim's browser in the context of the site hosting the software.
This could theoretically allow for theft of cookie-based authentication
credentials. The attacker may also influence how the site is rendered to
the user following the link, allowing for a variety of other attacks.
10. PHPRecipeBook Unspecified Cross-Site Scripting/HTML Injectio...
BugTraq ID: 8963
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8963
Summary:
PHPRecipeBook is a web application for managing recipes. It is
implemented in PHP and available for Unix/Linux and Microsoft Windows.
PHPRecipeBook 2.18 has been released to address an unspecified cross-site
scripting vulnerability. This issue is likely due to insufficient
sanitization of HTML from URI parameters, which will be displayed in web
pages that are dynamically generated by the software.
An attacker could exploit this issue by enticing a user to follow a
malicious link. This could theoretically allow for theft of cookie-based
authentication credentials or other attacks.
An attacker could possibly exploit this issue by enticing a victim user to
follow a malicious link that includes HTML and script code as a value for
the vulnerable URI parameter. The attacker-supplied code could be
rendered in the victim's browser in the context of the site hosting the
software. This could theoretically allow for theft of cookie-based
authentication credentials. The attacker may also influence how the site
is rendered to the user following the link, allowing for a variety of
other attacks.
It should also be noted that the vendor has reported that HTML and script
code will now be sanitized (as of version 2.18) before being included in
recipes as a measure to mitigate against potential HTML injection attacks.
The HTML injection issue could allow users to inject hostile HTML into a
PHPRecipeBook site if successfully exploited.
11. IA WebMail Server Long GET Request Buffer Overrun Vulnerabil...
BugTraq ID: 8965
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8965
Summary:
IA WebMail Server is a web server available for the Microsoft Windows
operating system.
It has been reported that IA WebMail is prone to a buffer overrun
vulnerability. The problem occurs due to insufficient bounds checking when
handling GET requests. Specifically, making a GET request including
approximately 1044 bytes of data will effectively overrun the bounds of
the internal memory buffer used for its storage.
As a result, an attacker may be capable of corrupting sensitive data such
as a return address, and effectively control the execution flow of the
program. This would ultimately allow for the execution of arbitrary code.
This vulnerability is said to affect all versions of IA WebMail Server up
to 3.1.
12. NIPrint LPD-LPR Print Server Remote Buffer Overrun Vulnerabi...
BugTraq ID: 8968
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8968
Summary:
NIPrint LPD-LPR Print Server is a product for the Microsoft Windows
operating system designed to allow bi-directional LPD/LPR services using
Winsock. The application is developed and maintained by Network
Instruments.
It has been reported that NIPrint LPD-LPR Print Server is prone to a
remotely exploitable buffer overrun condition. The problem occurs due to
insufficient bounds checking when handling data received over the printer
port (515). Specifically, transmitting approximately 60 bytes of data to
the service is said to overrun the allocated storage buffer. As a result,
a remote attacker may be capable of corrupting process memory in such a
way that arbitrary code may be executed.
This vulnerability is said to affect all versions of NIPrint LPD-LPR Print
Server.
13. Network Instruments NIPrint LDP-LPR Privilege Escalation Vul...
BugTraq ID: 8969
Remote: No
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8969
Summary:
NIPrint LPD-LPR Print Server is a product for the Microsoft Windows
operating system designed to allow bi-directional LPD/LPR services using
Winsock. The application is developed and maintained by Network
Instruments. It has been reported that a flaw in NIPrint can be exploited
by malicious local users to gain administrative privileges on affected
servers.
NIPrint runs as a service, with SYSTEM privileges, by default. It is
accessible to all users locally through an icon in the taskbar. According
to the report, the "help" system used by NIPrint can invoke Explorer as
SYSTEM. An attacker can, in turn, use Explorer to run commands with
administrative privileges.
This vulnerability may be an instance of the general issue described in
BID 8884.
14. OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
BugTraq ID: 8970
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8970
Summary:
OpenSSL is a freely available, open source implementation of Secure Socket
Layer tools. It is available for the Unix, Linux, and Microsoft
platforms.
A problem has been identified in OpenSSL when handling specific types of
ASN.1 requests. This may result in remote attackers creating a denial of
service condition.
The problem is in the handling of specific types of requests when handling
ASN.1 data that causes large recursion. Though specifics of how this
occurs are not available, it has been reported that this can result in a
crash of OpenSSL. This could potentially lead to an attacker crashing a
service that uses an implementation of the vulnerable software.
This issue is also known to affect numerous Cisco products. It is
possible that other vendors will also be acknowledging this issue and
providing fixes.
15. Perception LiteServe Server Log Buffer Overflow Vulnerabilit...
BugTraq ID: 8971
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8971
Summary:
Perception LiteServe provides web, email, and ftp server functionality. It
is available for the Microsoft Windows operating system.
A vulnerability has been reported to exist in the software due to
insufficient boundary checking. This problem may allow a remote attacker
to execute arbitrary code on a vulnerable host in order to gain
unauthorized access. The vulnerability occurs when the web server
attempts to process malformed GET requests, specifically overly long GET
requests consisting of character sequences between 1000 and 3000 in
length. A buffer overflow will occur when a user encounters the GET
request in a server log and clicks on it using the LiteServe Interface.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing the
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in order to gain unauthorized access to a vulnerable system.
LiteServe versions 2.2 and prior have been reported to be prone to this
issue.
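The HTTP-borne issues summarized above (BIDs 8939, 8947, 8948, 8956, 8958, 8960, 8965 and 8971) leave recognisable traces in web server access logs. The following is an added example, not part of the original newsletter or any vendor's code, that flags those traces in Combined Log Format lines. The log lines, script paths and the 512-character User-Agent threshold are constructed assumptions, and the repeated percent-decoding goes beyond the literal '../' case described in the text.

```python
import re
from urllib.parse import parse_qsl, unquote

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
# Quoted fields tolerate backslash-escaped quotes, as some servers log them.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# URI parameter names named in the advisories (BIDs 8939, 8956, 8958, 8960).
XSS_PARAMS = {"nfuse_message", "vo", "lng", "contact_email"}
MARKUP_RE = re.compile(r'[<>"]|javascript:', re.IGNORECASE)
LONG_REQUEST = 1000  # lower bound cited for LiteServe; IA WebMail cites ~1044 bytes
LONG_AGENT = 512     # assumption: the WebWeaver advisory gives no length


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return the list of findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]  # a line that does not parse deserves a manual look
    findings = []
    parts = m["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    if len(target) >= LONG_REQUEST:
        findings.append("long-request")
    if len(m["agent"]) >= LONG_AGENT:
        findings.append("long-user-agent")
    decoded_target = fully_unquote(target).replace("\\", "/")
    if "../" in decoded_target or decoded_target.endswith("/.."):
        findings.append("traversal")
    _, _, query = target.partition("?")
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in XSS_PARAMS and MARKUP_RE.search(fully_unquote(value)):
            findings.append("markup-in-" + name.lower())
    return findings


def scan(lines):
    """Map line index -> findings, for lines with at least one finding."""
    results = {}
    for index, line in enumerate(lines):
        findings = classify(line)
        if findings:
            results[index] = findings
    return results


# Constructed sample log lines (hypothetical hosts and paths).
_T = "[03/Nov/2003:10:00:00 +0000]"
SAMPLE_LOG = [
    '192.0.2.10 - - %s "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"' % _T,
    '192.0.2.11 - - %s "GET /guestbook/index.php?lng=%%3Cscript%%3Ealert(1)%%3C/script%%3E'
    ' HTTP/1.0" 200 733 "-" "Mozilla/4.0"' % _T,
    '192.0.2.12 - - %s "GET /files/%%2e%%2e/%%2e%%2e/secret.txt HTTP/1.0" 404 0 "-" "Mozilla/4.0"' % _T,
    '192.0.2.13 - - %s "GET /%s HTTP/1.0" 500 0 "-" "Mozilla/4.0"' % (_T, "A" * 1100),
    '192.0.2.14 - - %s "GET / HTTP/1.0" 200 512 "-" "%s"' % (_T, "B" * 600),
    '192.0.2.15 - - %s "GET /poll.php?vo=3&lng=en HTTP/1.0" 200 900 "-" "Mozilla/4.0"' % _T,
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, findings)
```
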
16. Microsoft Internet Explorer Double Slash Cache Zone Bypass V...
BugTraq ID: 8980
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8980
Summary:
A vulnerability has been reported in Internet Explorer that may allow
cached Internet content to be rendered in the My Computer zone. Normally,
cached content should be limited to the Internet Zone, where the default
security restrictions on the content are much stricter and the effects of
malicious script code should be limited. However, due to this
vulnerability, it is possible to cause this content to be treated as
though it were in the My Computer Zone. It is possible to exploit this
issue by including an extra slash when referencing cached content from
within a web page, for example:
[SysDrive]:\\Documents and Settings\[user_name]\Local Settings\Temporary Internet Files\Content.IE5
The extra slash prior to "Documents and Settings" will cause the
referenced content to be handled in the context of the My Computer zone.
Combined with other vulnerabilities, this issue could lead to execution of
arbitrary code on the client system. A proof-of-concept has been released
to demonstrate this issue may be exploited with other issues to cause
execution of arbitrary code in the context of the client user. Analysis
of the proof-of-concept is currently underway to determine which
vulnerabilities are exploited. When analysis is complete, the appropriate
BIDs will be updated with information about the proof-of-concept.
17. Microsoft Internet Explorer Self Executing HTML Arbitrary Co...
BugTraq ID: 8984
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8984
Summary:
Microsoft Internet Explorer has been reported prone to an arbitrary code
execution vulnerability.
The issue presents itself when Internet Explorer is rendering malicious
self-executing HTML pages that contain executables that are embedded in a
specific manner. It has been demonstrated that an attacker may exploit
this vulnerability to execute arbitrary code by crafting a malicious web
page that contains Visual Basic script designed to point to and invoke an
executable that is embedded as a string array in the same malicious web
page. When this page is rendered the script is interpreted and the
embedded executable is crafted and invoked with the privileges of the user
running the vulnerable web browser.
It should be noted that while this issue has been reported to affect
Internet Explorer versions 5.5 and 6.0, other versions might also be
affected.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. IIS 6 features (Thread)
Relevant URL:
4. Notable "Windows Postulates" from Linux Gurus (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/343758
5. ICF Firewall - How can I do it? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/343660
6. SecurityFocus Microsoft Newsletter #161 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/343315
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. EnCase Enterprise Edition
By: Guidance Software Inc.
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.guidancesoftware.com/frame_encase.html
Summary:
EnCase, a computer forensic tool, is Windows-based and fully integrated.
It allows an investigator to conduct a complete, non-invasive
forensic investigation from start to finish. This tool is used by law
enforcement and has been accepted and authenticated in hundreds of court
cases.
2. SafeGuard PDA
By: Utimaco
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.utimaco.com/content_products/sg_pda.html
Summary:
SafeGuard PDA is a powerful solution to protect your Personal Digital
Assistant and the data stored on it against unauthorized access. Whether
the Pocket PC is for private use or a part of the company network, it
requires at least the same degree of protection as notebooks and
workstations. Since overall security is only as strong as the weakest
link, SafeGuard PDA is the next logical step towards securing your mobile
work force. Innovative authentication mechanisms such as biometric
signature recognition or Symbol PIN offer optimal user convenience, the
strong encryption protects your data while stored or in transit over the
Internet, the centrally enforceable security policy keeps your environment
consistently protected.
3. The CyberAngel Security Software
By: CyberAngel Security Solutions, Inc.
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.thecyberangel.com/ca-secure.html
Summary:
The CyberAngel Security Software is a comprehensive approach to providing
security for your laptop or desktop computer.
The CyberAngel Security Software utilizes our patented technology to
Alert, Lock and Locate in the event of an unauthorized access of a
computer.
4. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.
5. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.
The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
6. OverflowGuard
By: DATA Security Software
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.datasecuritysoftware.com/index.html
Summary:
OverflowGuard provides stack and heap buffer overflow protection for
services running under Windows NT4, 2000, XP and 2003.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Glub Tech Secure FTP v2.0.11
By: glub
Relevant URL: http://secureftp.glub.com
Platforms: MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
Glub Tech Secure FTP is a command-line utility that allows FTP connections
to be made using SSL.
2. Enigmail v0.82.0
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:
Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.
3. GPA (GNU Privacy Assistant) v0.7.0
By: Bernhard Reiter
Relevant URL: http://www.gnupg.org/(en)/related_software/gpa/index.html
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
The GNU Privacy Assistant is a graphical frontend to GnuPG and may be used
to manage the keys and encrypt/decrypt/sign/check files. It is much like
Seahorse.
4. Anti-Spam SMTP Proxy v1.0.6
By: John Hanna
Relevant URL: http://assp.sourceforge.net/
Platforms: BSDI, Linux, MacOS, Os Independent, OS/2, Perl (any system
supporting perl), POSIX, Windows 2000, Windows NT
Summary:
The Anti-Spam SMTP Proxy (ASSP) Server project aims to create an open
source platform independent SMTP Proxy server which implements whitelists
and Bayesian filtering to help stop unsolicited commercial email (UCE).
Anti-spam tools should be adaptive to new spam and customized for each
site's email patterns. This easy to use tool works with any mail transport
and achieves these goals requiring no operator intervention after the
initial setup phase.
5. PipeACL tools v1.0
By: Bindview <info (at) razor.bindview (dot) com>
Relevant URL:
http://razor.bindview.com/tools/desc/pipeacltools1.0-readme.html
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
The PipeACL tools package contains two separate tools for viewing and
configuring Win32 named pipe ACLs (Access Control Lists). The pipeacl
utility allows you to dump various settings of a named pipe, including
the Owner, Group, Sacls (System access control lists), and Dacls
(Discretionary access control lists). The pipeaclui utility allows you to
view and apply permissions to a specified named pipe. These changes are
made in the Dacls of the named pipe itself.
6. Libnids 1.18
By: Rafal Wojtczuk, nergal (at) avet.com (dot) pl
Relevant URL: http://www.packetfactory.net/Projects/Libnids/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, Windows 2000, Windows NT
Summary:
Libnids is an implementation of an E-component of Network Intrusion
Detection Systems. It emulates the IP stack of Linux 2.0.x. Libnids offers
IP defragmentation, TCP stream reassembly, and TCP port scan detection.
The most valuable feature of libnids is reliability. A number of tests
were conducted which proved that libnids predicts behaviour of protected
Linux hosts as closely as possible. Libnids is highly configurable in
run-time and offers a convenient interface. Currently it compiles on Linux
glibc systems and *BSD. Using libnids, one has convenient access to data
carried by a TCP stream, no matter how artfully obscured by an attack.
Added support to capture packets on all interfaces, including loopback,
added ability to refrain from setting promisc flag, added ability to
disable tcp processing, libc5 support, alpha platform support, and bug
fixes.
VI. SPONSOR INFORMATION
-----------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
------------------------------------------------------------------------