Focus on Microsoft
SecurityFocus Microsoft Newsletter #234 Mar 29 2005 07:53PM
Marc Fossi (mfossi securityfocus com)
SecurityFocus Microsoft Newsletter #234
----------------------------------------

This Issue is Sponsored By: Wireless Security Conference

WIRELESS SECURITY CONFERENCE & EXPO is the nation's leading event for
corporate wireless security strategies and solutions. Learn everything you
need to help your company secure your corporate wireless networks and
mobile devices. Includes hands-on workshops, live hacking sessions, top
keynotes and more. Join hundreds of your colleagues, over 25 of the world's
top wireless security experts and our technology solutions expo. Expo pass
is free or use priority code WSCSFC to save $100 off conference rates.
April 19-21, 2005, Hyatt Regency Cambridge, Cambridge, MA. Conference
website is: www.wireless-security-conference.com

http://www.securityfocus.com/sponsor/WirelessSecurityConference_ms-secnews_050329

------------------------------------------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------

I. FRONT AND CENTER
1. Owning A New Phone
2. Practical Certifications
II. MICROSOFT VULNERABILITY SUMMARY
1. Icecast XSL Parser Multiple Vulnerabilities
2. OllyDbg Library Module Name Denial Of Service Vulnerability
3. Proview Disassembler Long File Name Handling Denial of Servi...
4. Code Ocean Ocean FTP Server Remote Denial of Service Vulnera...
5. FileZilla FTP Server Multiple Remote Denial Of Service Vulne...
6. NetWin SurgeMail Multiple Remote HTML Injection and File Upl...
7. Phorum HTTP Response Splitting Vulnerability
8. Microsoft Windows Local Denial Of Service Vulnerability
9. Nortel Contivity VPN Client Local Password Disclosure Weakne...
10. ImageMagick SGI Parser Heap Overflow Vulnerability
11. ImageMagick TIFF Image File Unspecified Denial Of Service Vu...
12. ImageMagick TIFF Image Tag Denial Of Service Vulnerability
13. Imagemagick Photoshop Document Parsing Unspecified Denial of...
14. Invision Power Board HTML Injection Vulnerability
15. Microsoft Windows XP TSShutdn.exe Remote Denial of Service V...
16. Cerulean Studios Trillian Multiple Remote HTTP Response Buff...
17. CDRTools CDRecord Local Insecure File Creation Vulnerability
18. Maxthon Web Browser Search Bar Information Disclosure Vulner...
III. MICROSOFT FOCUS LIST SUMMARY
1. quarantine vpn clients (Thread)
2. New Malware Approach - Any Experience With / Opinion... (Thread)
3. Citrix vs Terminal Services? (Thread)
4. Windows firewall scopes for notebook users ex office... (Thread)
5. SecurityFocus Microsoft Newsletter #233 (Thread)
6. RADIUS authentication from GINA Windows logon? (Thread)
7. SQLRecon released by Special Ops Labs!!! (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. CoreGuard Core Security System
2. KeyCaptor Keylogger
3. SpyBuster
4. FreezeX
5. NeoExec for Active Directory
6. Secrets Protector v2.03
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. TextKeeper 5.0
2. DeSPAM Tunnel 3.0.0
3. Mac Makeup 1.71d
4. Healthmonitor 2.1
5. Kr4ck3r 1.0.0
6. WinArpSpoofer 0.5.3
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Owning A New Phone
By Scott Granneman
Recent mobile phone and Bluetooth hacks, and the public's response to them,
show us how the average person really looks at security.
http://www.securityfocus.com/columnists/310

2. Practical Certifications
By Don Parker
Recent changes to the GIAC make one question the value of certification
for the security industry.
http://www.securityfocus.com/columnists/311

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Icecast XSL Parser Multiple Vulnerabilities
BugTraq ID: 12849
Remote: Yes
Date Published: Mar 18 2005
Relevant URL: http://www.securityfocus.com/bid/12849
Summary:
Icecast is reported prone to multiple vulnerabilities. The following individual issues are reported:

Icecast XSL parser is reported to be prone to a buffer overflow vulnerability. This issue exists due to a lack of sufficient boundary checks performed on certain XSL tag values before copying these values into a finite buffer in process memory. It is reported that the vulnerability manifests when a malicious XSL file is parsed by the affected software.

This issue may potentially be exploited to deny service for legitimate users or potentially execute arbitrary code in the context of the user that is running the affected software. This is not confirmed.

It is reported that the Icecast XSL parser is prone to an information disclosure vulnerability. It is reported that the parser fails to parse XSL files when a request for such a file is appended with a dot '.' character.

A remote attacker may exploit this vulnerability to disclose the contents of XSL files that can be requested publicly.

These vulnerabilities are reported to affect Icecast version 2.20; other versions might also be affected.

2. OllyDbg Library Module Name Denial Of Service Vulnerability
BugTraq ID: 12850
Remote: Yes
Date Published: Mar 19 2005
Relevant URL: http://www.securityfocus.com/bid/12850
Summary:
OllyDbg is reported prone to a denial of service vulnerability. It is reported that the issue manifests when a target process that is being debugged attempts to load a library module that has a superfluous filename.

An attacker may exploit this vulnerability to deny service to OllyDbg users.

This vulnerability is reported to affect OllyDbg version 1.10 (final version) and prior versions.

3. Proview Disassembler Long File Name Handling Denial of Servi...
BugTraq ID: 12856
Remote: Yes
Date Published: Mar 21 2005
Relevant URL: http://www.securityfocus.com/bid/12856
Summary:
Proview Disassembler (PVDasm) is reported prone to a remote denial of service vulnerability.

The issue presents itself when the application handles a file with a long name.

Reportedly, this can cause PVDasm to crash resulting in a denial of service condition.

It is not known whether this vulnerability can be leveraged to execute arbitrary code. This BID will be updated when more information becomes available.

PVDasm 1.6b Beta and prior versions are affected by this issue.

4. Code Ocean Ocean FTP Server Remote Denial of Service Vulnera...
BugTraq ID: 12859
Remote: Yes
Date Published: Mar 21 2005
Relevant URL: http://www.securityfocus.com/bid/12859
Summary:
Ocean FTP Server is reported prone to a remote denial of service vulnerability.

It is reported that an attacker may cause the server to crash by establishing an excessive number of simultaneous connections. This may result in a crash or hang due to resource exhaustion.

Ocean FTP Server 1.0 is reported vulnerable. It is possible that other versions are affected as well.

5. FileZilla FTP Server Multiple Remote Denial Of Service Vulne...
BugTraq ID: 12865
Remote: Yes
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12865
Summary:
The FileZilla FTP server is reported prone to multiple remote denial of service vulnerabilities. The following individual issues are reported:

It is reported that FileZilla fails to gracefully handle FTP requests that contain reserved MS-DOS device names. A remote authenticated attacker may exploit this vulnerability to deny service for legitimate users.

Finally, it is reported that the FileZilla FTP server may be influenced into entering an infinite loop. A remote authenticated attacker may exploit this vulnerability to deny service for legitimate users.

6. NetWin SurgeMail Multiple Remote HTML Injection and File Upl...
BugTraq ID: 12866
Remote: Yes
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12866
Summary:
Multiple remote file upload and HTML injection vulnerabilities affect NetWin SurgeMail. The underlying causes of these issues are a failure to sanitize user-supplied input and a failure to securely handle the file upload functionality.

These issues may be leveraged to upload arbitrary files into arbitrary locations writable to the affected application and carry out HTML injection attacks against the SurgeMail administrator. This may facilitate theft of credentials and potentially compromise of the email server.

7. Phorum HTTP Response Splitting Vulnerability
BugTraq ID: 12869
Remote: Yes
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12869
Summary:
A remote HTTP response splitting vulnerability reportedly affects Phorum. This issue is due to a failure of the application to properly sanitize user-supplied input.

A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached or interpreted.

This issue was reported to affect Phorum version 5.0.14a; other versions might also be affected.

8. Microsoft Windows Local Denial Of Service Vulnerability
BugTraq ID: 12870
Remote: No
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12870
Summary:
It is reported that Microsoft Windows XP Service Pack 1 is prone to a local denial of service vulnerability.

The issue is reported to manifest when a raw IP over IP socket is created and data is transferred over the newly created socket.

It is reported that this operation causes the kernel of the Windows computer to crash, resulting in the computer rebooting. If this issue can be triggered reliably, a local attacker may exploit the issue to deny service for legitimate users.

Further investigation into this issue is ongoing; this BID will be updated as soon as more details are available.

9. Nortel Contivity VPN Client Local Password Disclosure Weakne...
BugTraq ID: 12871
Remote: No
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12871
Summary:
Nortel Contivity VPN Client for Microsoft Windows platforms is reported prone to a local pre-shared key (password) disclosure weakness. It is reported that the VPN user and group password is stored in the memory image of the process in plain-text format.

Credentials that are harvested through the exploitation of this weakness may then be used to aid in further attacks.

This weakness is reported to affect Nortel Contivity VPN Client version 5.01 for Microsoft Windows; versions for the Linux platform are not reported to be vulnerable. Other versions might also be affected.

10. ImageMagick SGI Parser Heap Overflow Vulnerability
BugTraq ID: 12873
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12873
Summary:
ImageMagick is prone to a heap-based buffer overflow vulnerability. This vulnerability exists in the SGI image file parser.

Successful exploitation may result in execution of arbitrary code. This issue may potentially be exploited through the ImageMagick application or in other applications that import the SGI image file parser component.

It is noted that the SGI codec is enabled by default in ImageMagick.

11. ImageMagick TIFF Image File Unspecified Denial Of Service Vu...
BugTraq ID: 12874
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12874
Summary:
A remote, client-side denial of service vulnerability affects ImageMagick. This issue is likely due to a failure of the application to handle malformed TIFF image files.

A remote attacker may leverage this issue to cause the affected application to crash, potentially causing a loss of data, and denying service to legitimate users.

12. ImageMagick TIFF Image Tag Denial Of Service Vulnerability
BugTraq ID: 12875
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12875
Summary:
A remote, client-side denial of service vulnerability affects ImageMagick. This issue is likely due to a failure of the application to handle malformed TIFF image files.

A remote attacker may leverage this issue to cause the affected application to crash, potentially causing a loss of data, and denying service to legitimate users.

13. Imagemagick Photoshop Document Parsing Unspecified Denial of...
BugTraq ID: 12876
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12876
Summary:
A remote, client-side denial of service vulnerability affects ImageMagick. This issue is likely due to a failure of the application to handle malformed PSD files.

A remote attacker may leverage this issue to cause the affected application to crash, potentially causing a loss of data, and denying service to legitimate users.

14. Invision Power Board HTML Injection Vulnerability
BugTraq ID: 12888
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12888
Summary:
Invision Power Board is reported prone to an HTML injection vulnerability. This issue arises due to insufficient sanitization of user-supplied data.

It is reported that due to a lack of filtering of HTML tags, an attacker can inject an IFRAME through an HTTP POST request.

All versions of Invision Power Board are considered vulnerable at the moment.

This BID will be updated when more information is available.

15. Microsoft Windows XP TSShutdn.exe Remote Denial of Service V...
BugTraq ID: 12889
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12889
Summary:
Microsoft Windows XP is prone to a remote denial of service vulnerability. This issue can allow a remote unauthorized user to shut down an affected computer.

A remote attacker uses the TSShutdn.exe command to restart or shut down a computer.

It should be noted that the exploitation of this vulnerability may require the attacker to be part of the same domain. This BID will be updated when more information is available.

Microsoft Windows XP Service Pack 1 is affected by this issue.

16. Cerulean Studios Trillian Multiple Remote HTTP Response Buff...
BugTraq ID: 12890
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12890
Summary:
It is reported that Trillian is susceptible to multiple remote HTTP response buffer overflow vulnerabilities. These issues are due to a failure of the application to properly bounds check user-supplied data prior to copying it into fixed-sized memory buffers.

It is reported that multiple Trillian modules likely share the same code for making HTTP requests, and therefore multiple modules are vulnerable to the same attack.

Remote attackers may exploit these vulnerabilities to execute arbitrary machine code in the context of vulnerable Trillian clients.

Several of these vulnerabilities are reportedly fixed in version 3.0 of Trillian. Versions 3.0 and 3.1 remain affected by multiple issues in its Yahoo! component. Versions 2.0 up to, but not including 3.0 are reported to be affected in multiple components.

17. CDRTools CDRecord Local Insecure File Creation Vulnerability
BugTraq ID: 12891
Remote: No
Date Published: Mar 24 2005
Relevant URL: http://www.securityfocus.com/bid/12891
Summary:
A local insecure file creation vulnerability affects cdrtools cdrecord. This issue is due to a failure of the application to securely create and write to various files.

An attacker may leverage this issue to corrupt arbitrary files with the privileges of an unsuspecting user that activates the application.

18. Maxthon Web Browser Search Bar Information Disclosure Vulner...
BugTraq ID: 12898
Remote: Yes
Date Published: Mar 25 2005
Relevant URL: http://www.securityfocus.com/bid/12898
Summary:
Maxthon Web Browser is reported prone to an information disclosure vulnerability. This issue may allow an attacker to disclose search bar contents from an affected browser.

Information disclosed through the exploitation of this vulnerability may aid an attacker in carrying out other attacks against a vulnerable computer.

Maxthon Web Browser 1.2.0 is reported to be vulnerable to this issue. Prior versions may be affected as well.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. quarantine vpn clients (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/394402

2. New Malware Approach - Any Experience With / Opinion... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/394346

3. Citrix vs Terminal Services? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/394345

4. Windows firewall scopes for notebook users ex office... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/394343

5. SecurityFocus Microsoft Newsletter #233 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/394041

6. RADIUS authentication from GINA Windows logon? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/394039

7. SQLRecon released by Special Ops Labs!!! (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/393911

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including
zero-day exploits

2. KeyCaptor Keylogger
By: Keylogger Software
Platforms: MacOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keylogger-software.com/keylogger/keylogger.htm
Summary:

KeyCaptor is your solution for recording ALL keystrokes of ALL users on your computer! Now you have the power to record emails, websites, documents, chats, instant messages, usernames, passwords, and MUCH MORE!

With our advanced stealth technology, KeyCaptor will not show in your processes list and cannot be stopped from running unless you say so!

3. SpyBuster
By: Remove Spyware
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.remove-spyware.com/spybuster.htm
Summary:

Our award-winning spyware / adware scanner and removal software, SpyBuster, will scan your computer for over 4,000 known spyware and adware applications. SpyBuster protects your computer from data stealing programs that can expose your personal information.

SpyBuster scanning technology allows for a quick and easy sweep, so you can resume your work in minutes.

4. FreezeX
By: Faronics Technologies USA Inc
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL: http://www.faronics.com/html/Freezex.asp
Summary:

FreezeX prevents all unauthorized programs, including viruses, keyloggers and spyware from executing. Powerful and secure, FreezeX ensures that any new executable, program, or application that is downloaded, introduced via removable media or the network will never install

5. NeoExec for Active Directory
By: NeoValens
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.neovalens.com
Summary:

NeoExec® is an operating system extension for Windows 2000/XP that allows the setting of privileges at the application level rather than at the user level.

NeoExec® is the ideal solution for applications that require elevated privileges to run as the privileges are granted to the application, not the user.

NeoExec® is the only solution on the market capable of modifying at runtime the processes' security context -- without requiring a second account as with RunAs and RunAs-derived products.

6. Secrets Protector v2.03
By: E-CRONIS
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.e-cronis.com/download/sp.exe
Summary:

It's the end of your worries about top-secret data of your company, your confidential files or the pictures from the last party. All these will be hidden beyond the reach of ANY intruder and you will be the only one able to handle them. And what you want to delete will be DELETED. It is the ultimate security tool to protect your sensitive information on PC, meeting the three most important security issues: Integrity, Confidentiality and Availability. This product gives you the features of a "folder locker" and a "secure eraser".

Your secret information is available only through this software and there is no other means to access it. The information is protected at file system level and it cannot be accidentally deleted or overwritten either in Safe mode or in another operating system. This program doesn't make your operating system unstable as other related products do and protects your information from being seen, altered or deleted by an unauthorized user with or without his wish. The program allows you to permanently erase your sensitive data using secure wiping methods leaving no trace of your information. Depending on the selected wiping method your data is unrecoverable using software or even hardware recovery techniques.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. TextKeeper 5.0
By: HardwareCrasher
Relevant URL: http://members.lycos.co.uk/textkeeper/tkup.zip
Platforms: Windows 2000, Windows 95/98, Windows XP
Summary:

Encrypts text using numeric combinations and two algorithms. One of the algorithms uses 5 different numeric combinations.

2. DeSPAM Tunnel 3.0.0
By: The German Computer Freaks (Du-Nu)
Relevant URL: http://www.gcf.de/projects/despam.zip
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

This program is a tunnel for pop3 connections and filters spam during the pop3-download of emails automatically. To determine whether an email is UCE it evaluates the content of each email that passes the tunnel statistically. Its intelligent wordparsing filter "backMatch" even matches buzzwords that contain characters which have been replaced by similar looking special chars to avoid being filtered.

3. Mac Makeup 1.71d
By: Marcello Gorlani
Relevant URL: http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
Platforms: Windows 2000, Windows XP
Summary:

Did you ever get bored with your old MAC address? If you did, this is the solution! Mac MakeUp lets you change the MAC address of any of the interfaces present on your Windows 2000/XP/2003 box.
Sometimes this is referred to as MAC address spoofing.

4. Healthmonitor 2.1
By: Vittorio Pavesi
Relevant URL: http://healthmonitor.sourceforge.net
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

HealthMonitor is a free, powerful and featureful monitoring tool for Windows.
It works as a Windows Service, checks system status (event viewer, disk free space, services status, performance....) and notifies the administration by E-Mail, SMS and by NET SEND; a database logging feature is also available. It is under constant development, and releases are usually frequent. The latest news regarding HealthMonitor can be found on Sourceforge.

5. Kr4ck3r 1.0.0
By: Black List Software
Relevant URL: http://hackinoutthebox.com/sub4.index.php
Platforms: Windows XP
Summary:

This is the ultimate MD5 cracker having both a built-in brute-force and dictionary attack functionality.

6. WinArpSpoofer 0.5.3
By: Gordon Ahn
Relevant URL: http://www.nextsecurity.net/downloads/winarpspoof/WinArpSpoof.zip
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

Windows ARP Spoofer (WinArpSpoof) is a program that can scan the computers, including network devices, on a local area network, spoof their ARP tables, and act as a router while pulling all packets on the LAN. In addition, traffic information through this program is measured.

VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe, send an e-mail message to ms-secnews-unsubscribe (at) securityfocus (dot) com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin (at) securityfocus (dot) com and ask to be manually removed.

VII. SPONSOR INFORMATION
-----------------------

This Issue is Sponsored By: Wireless Security Conference

WIRELESS SECURITY CONFERENCE & EXPO is the nation's leading event for
corporate wireless security strategies and solutions. Learn everything you
need to help your company secure your corporate wireless networks and
mobile devices. Includes hands-on workshops, live hacking sessions, top
keynotes and more. Join hundreds of your colleagues, over 25 of the world's
top wireless security experts and our technology solutions expo. Expo pass
is free or use priority code WSCSFC to save $100 off conference rates.
April 19-21, 2005, Hyatt Regency Cambridge, Cambridge, MA. Conference
website is: www.wireless-security-conference.com

http://www.securityfocus.com/sponsor/WirelessSecurityConference_ms-secnews_050329

------------------------------------------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
