Security Alert Consensus #36
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Sep 11 2003 - 17:37:06 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 036 (03.36)
Thursday, September 11, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue is sponsored by Mercury Interactive.
Join Network Computing for a FREE on-demand TechWebCast
on the impact Business Technology Optimization can
have on IT infrastructure and application management.
BTO is Revolutionizing IT Business Practices. REGISTER NOW.
http://www.techweb.com/tecwebcasts/bto0803nwc
************************** End Advertisement *************************
Just when we've finally gotten on top of the Microsoft DCOM bug, another
one surfaces! Actually, a few more surfaced. And they are just as easily
exploitable as the first one. Given the similarity to the previous bug,
we should be prepared to see a worm on very short notice. The official
bulletin is reported in item {03.36.019} in the Windows category.
While on the subject of Microsoft, the company last week released
patches for essentially every version of Word/Office. If you run
Microsoft desktop products, you will want to update. Don't forget:
Office updates are not handled by windowsupdate.microsoft.com. You will
need to go to the separate Office update site to get your patches. More
information is available in items {03.36.004}, {03.36.005}, {03.36.009}
and {03.36.012} in the Windows category.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.36.002} Win - ISS Server Sensor IIS/SSL DoS
{03.36.003} Win - MS03-034: NetBIOS name service info disclosure
{03.36.004} Win - MS03-035: Word macros may run automatically
{03.36.005} Win - MS03-037: VBA document properties buffer overflow
{03.36.006} Win - FTP Desktop server response overflows
{03.36.008} Win - RogerWilco multiple vulnerabilities
{03.36.009} Win - MS03-036: WordPerfect convertor buffer overflow
{03.36.010} Win - Winamp MIDI track size overflow
{03.36.011} Win - FoxWeb CGI long request overflow
{03.36.012} Win - MS03-038: MS Access Snapshot Viewer parameter overflow
{03.36.013} Win - Go2Call malformed packet DoS
{03.36.019} Win - MS03-039: RPCSS DCOM buffer overflow
{03.36.021} Win - ws_ftp server QUOTE command overflow
{03.36.022} Win - fetchnews/leafnode blocking read DoS
{03.36.001} Linux - Updated patches for previous vulnerabilities
{03.36.016} Linux - Asterisk SIP protocol integer overflow
{03.36.017} HP-UX - Updated patches for previous vulnerabilities
{03.36.007} Cross - Apache::Gallery insecure temp file handling
{03.36.015} Cross - mah-jong server overflow and DoS
{03.36.018} Cross - IkonBoard CGI file include command exec
{03.36.020} Cross - gtkhtml null dereference DoS
{03.36.023} Cross - Stunnel file descriptor leak
{03.36.014} Tru64 - Updated patches for previous vulnerabilities
- --- Windows News -------------------------------------------------------
*** {03.36.002} Win - ISS Server Sensor IIS/SSL DoS
ISS Server Sensor version 7.0 shuts down the Microsoft IIS service when
a particular Unicode-based request is received over SSL.
This vulnerability is confirmed and fixed in xpu 20.19.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0082.html
*** {03.36.003} Win - MS03-034: NetBIOS name service info disclosure
Microsoft released MS03-034 ("NetBIOS name service info disclosure").
The NetBIOS Name Service discloses the contents of random memory in the
data stream, possibly revealing sensitive information.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-034.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0018.html
*** {03.36.004} Win - MS03-035: Word macros may run automatically
Microsoft released MS03-035 ("Word macros may run automatically"). Most
versions of Word are vulnerable to a flaw that lets a malicious document
circumvent the macro security model and automatically execute macros
upon document opening.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0020.html
*** {03.36.005} Win - MS03-037: VBA document properties buffer overflow
Microsoft released MS03-037 ("VBA document properties buffer overflow").
The Visual Basic for Applications engine, included with many Microsoft
desktop applications, contains a buffer overflow in the handling of
document properties that allows a malicious document to execute
arbitrary code on the system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0017.html
*** {03.36.006} Win - FTP Desktop server response overflows
FTP Desktop version 3.5 contains multiple buffer overflows in the
handling of FTP server responses, thereby allowing a malicious FTP
server to execute arbitrary code on the system.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0113.html
*** {03.36.008} Win - RogerWilco multiple vulnerabilities
The RogerWilco communication suite reportedly contains multiple remotely
exploitable buffer overflows in the handling of malformed client data,
potentially allowing the execution of arbitrary code.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0109.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0119.html
*** {03.36.009} Win - MS03-036: WordPerfect convertor buffer overflow
Microsoft released MS03-036 ("WordPerfect convertor buffer overflow").
A malicious WordPerfect document could trigger a buffer overflow during
the conversion process, leading to the execution of arbitrary code.
Various versions of Microsoft Word, Office, FrontPage, Works and
Publisher are affected.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0021.html
*** {03.36.010} Win - Winamp MIDI track size overflow
Winamp versions 2.x and 3.x reportedly contain a buffer overflow in the
literal handling of the track size header value in a malicious MIDI
file, thereby allowing the file to execute arbitrary code on the local
system.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0117.html
*** {03.36.011} Win - FoxWeb CGI long request overflow
FoxWeb CGI suite version 2.5 contains a buffer overflow in the handling
of large HTTP requests, potentially allowing the execution of arbitrary
code.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0096.html
*** {03.36.012} Win - MS03-038: MS Access Snapshot Viewer parameter overflow
Microsoft released MS03-038 ("MS Access Snapshot Viewer parameter
overflow"). The MS Access Snapshot Viewer ActiveX control does not
properly handle large parameters, thereby leading to a buffer overflow
vulnerability.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0019.html
*** {03.36.013} Win - Go2Call malformed packet DoS
The Go2Call application crashes when it receives a particularly large
malformed packet on UDP port 5000, thereby leading to a denial of
service vulnerability.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0023.html
*** {03.36.019} Win - MS03-039: RPCSS DCOM buffer overflow
Microsoft released MS03-039 ("RPCSS DCOM buffer overflow"). The RPCSS
service contains multiple buffer overflows in the DCOM activation code,
thereby allowing a remote attacker to execute arbitrary code.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0022.html
*** {03.36.021} Win - ws_ftp server QUOTE command overflow
ws_ftp server version 4.3 reportedly crashes when a remote attacker
submits a large QUOTE command.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0090.html
*** {03.36.022} Win - fetchnews/leafnode blocking read DoS
The fetchnews application included with leafnode versions prior to
1.9.42 waits for incoming data, essentially causing the service to hang,
thus leading to a denial of service.
This vulnerability is confirmed and fixed in version 1.9.42.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0094.html
- --- Linux News ---------------------------------------------------------
*** {03.36.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- Red Hat:
RHSA-2003:240-01: httpd
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0031.html
- --- Conectiva:
CLA-2003:734: pam_smb
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0037.html
CLA-2003:735: exim
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0038.html
CLA-2003:736: stunnel
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0039.html
- --- Debian:
DSA-376-2: exim
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0470.html
DSA-377-1: wu-ftpd
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0449.html
- --- SuSE:
SuSE-SA:2003:036: pam_smb
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0637.html
- --- Mandrake:
MDKSA-2003:088: pam_ldap
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0134.html
Source: Red Hat, Conectiva, Debian, SuSE, Mandrake
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0031.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0037.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0038.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0039.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0470.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0449.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0637.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0134.html
*** {03.36.016} Linux - Asterisk SIP protocol integer overflow
The Asterisk PBX suite contains an integer overflow in the handling of
certain SIP packets that allows a remote attacker to execute arbitrary
code on the target system.
This vulnerability is confirmed and fixed in CVS.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0095.html
- --- HP-UX News ---------------------------------------------------------
*** {03.36.017} HP-UX - Updated patches for previous vulnerabilities
The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
HPSBUX0309-277: wu-ftpd
http://archives.neohapsis.com/archives/hp/2003-q3/0047.html
HPSBUX0309-276: DCE
http://archives.neohapsis.com/archives/hp/2003-q3/0047.html
HPSBUX0212-233: BIND
http://archives.neohapsis.com/archives/hp/2003-q3/0047.html
HPSBUX0307-269: apache
http://archives.neohapsis.com/archives/hp/2003-q3/0048.html
HPSBUX0304-255: openssl
http://archives.neohapsis.com/archives/hp/2003-q3/0048.html
HPSBUX0309-278: apache
http://archives.neohapsis.com/archives/hp/2003-q3/0049.html
HPSBUX0309-279: apache
http://archives.neohapsis.com/archives/hp/2003-q3/0053.html
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q3/0047.html
http://archives.neohapsis.com/archives/hp/2003-q3/0048.html
http://archives.neohapsis.com/archives/hp/2003-q3/0049.html
http://archives.neohapsis.com/archives/hp/2003-q3/0053.html
- --- Cross-Platform News ------------------------------------------------
*** {03.36.007} Cross - Apache::Gallery insecure temp file handling
The Apache::Gallery CGI suite insecurely uses temporary directories,
thereby allowing a local attacker to potentially substitute arbitrary
code libraries that will be executed under the privileges of the Web
server.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0099.html
*** {03.36.015} Cross - mah-jong server overflow and DoS
The mah-jong network game contains two vulnerabilities in the game
server: a buffer overflow that allows the remote execution of arbitrary
code and a denial of service attack that causes the service to become
unresponsive.
Debian confirmed these vulnerabilities and released updated DEBs,
located at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0473.html
*** {03.36.018} Cross - IkonBoard CGI file include command exec
IkonBoard version 3.1.2a reportedly does not properly filter the 'lang'
cookie before using it in a file open operation, thereby allowing a
remote attacker to execute arbitrary command-line commands under the
privileges of the Web server.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0102.html
*** {03.36.020} Cross - gtkhtml null dereference DoS
Applications using the gtkhtml library can be caused to crash by forcing
a null pointer dereference, thereby leading to a denial of service.
This vulnerability is confirmed. Red Hat released updated RPMs, listed
at the reference URL below.
Source: Red Hat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-09/0127.html
*** {03.36.023} Cross - Stunnel file descriptor leak
Stunnel versions prior to 3.26 and 4.04 leak the incoming socket file
descriptor to child processes, potentially allowing an attacker to
hijack incoming service connections.
This vulnerability is confirmed and fixed in versions 3.26 and 4.04.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0029.html
- --- Tru64 News ---------------------------------------------------------
*** {03.36.014} Tru64 - Updated patches for previous vulnerabilities
The following is a list of Tru64 vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
SSRT360: wu-ftpd
http://archives.neohapsis.com/archives/compaq/2003-q3/0009.html
Source: Compaq/HP
http://archives.neohapsis.com/archives/compaq/2003-q3/0009.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/YOGV+LUG5KFpTkYRAh2mAJ97hZbrhGUeoLR7f5ItRERDPjF1wQCfdlY8
igJe1VFgq8G1xgd4bcTlaJg=
=qtvL
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).