Focus on Microsoft
SecurityFocus Microsoft Newsletter #422 Dec 05 2008 04:08PM
rkeith securityfocus com

SecurityFocus Microsoft Newsletter #422
----------------------------------------

This issue is Sponsored by Verisign

Learn how to protect your online customers with SSL technology that not only keeps their information safe, but also lets them know your site is secure - Extended Validation (EV) SSL.
This new technology turns the address bar green in high security browsers.
http://ad.doubleclick.net/clk;208565397;30663982;v

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Standing on Other's Shoulders
2. Just Encase It's Not a Search
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft December 2008 Advance Notification Multiple Vulnerabilities
2. RadASM '.rap' Project File Buffer Overflow Vulnerability
3. Apple iTunes/QuickTime Malformed '.mov' File Buffer Overflow Vulnerability
4. MemeCode Software i.Scribe Remote Format String Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #421
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1.Standing on Other's Shoulders
By Chris Wysopal
"If I have seen a little further it is by standing on the shoulders of Giants," Issac Netwon once wrote to describe how he felt that his scientific work was an extension of the work of those who went before him. In the scientific realm it is dishonorable not to credit those upon whose work you build.
http://www.securityfocus.com/columnists/486

2.Just Encase It's Not a Search
By Mark Rasch
When is a search not really a search? If it's done by computer, according to U.S. government lawyers.
http://www.securityfocus.com/columnists/485

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Microsoft December 2008 Advance Notification Multiple Vulnerabilities
BugTraq ID: 32632
Remote: Yes
Date Published: 2008-12-04
Relevant URL: http://www.securityfocus.com/bid/32632
Summary:
Microsoft has released advance notification that the vendor will be releasing eight security bulletins on December 9, 2008. The highest severity rating for these issues is 'Critical'.

Successfully exploiting these issues may allow remote or local attackers to compromise affected computers.

Individual records will be created for the issues when the bulletins are released.

2. RadASM '.rap' Project File Buffer Overflow Vulnerability
BugTraq ID: 32617
Remote: Yes
Date Published: 2008-12-03
Relevant URL: http://www.securityfocus.com/bid/32617
Summary:
RadASM is prone to a buffer-overflow vulnerability because it fails to perform adequate checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

RadASM 2.2.1.4 is vulnerable; other versions may also be affected.

3. Apple iTunes/QuickTime Malformed '.mov' File Buffer Overflow Vulnerability
BugTraq ID: 32540
Remote: Yes
Date Published: 2008-11-30
Relevant URL: http://www.securityfocus.com/bid/32540
Summary:
Apple iTunes and QuickTime are prone to a buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

This issue affects the following:

iTunes 8.0.2.20
QuickTime 7.5.5

4. MemeCode Software i.Scribe Remote Format String Vulnerability
BugTraq ID: 32497
Remote: Yes
Date Published: 2008-11-27
Relevant URL: http://www.securityfocus.com/bid/32497
Summary:
MemeCode Software i.Scribe is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.

An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.

i.Scribe 1.88 and 2.00 beta are vulnerable; other versions may also be affected.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #421
http://www.securityfocus.com/archive/88/498758

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe (at) securityfocus (dot) com [email concealed] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin (at) securityfocus (dot) com [email concealed] and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This issue is Sponsored by Verisign

Learn how to protect your online customers with SSL technology that not only keeps their information safe, but also lets them know your site is secure - Extended Validation (EV) SSL.
This new technology turns the address bar green in high security browsers.
http://ad.doubleclick.net/clk;208565397;30663982;v

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus