From: Bill Mote (bill.motemem.com)
Date: Fri Jan 04 2002 - 12:40:28 CST


    <snipped from www.the-ctrl-alt-del.com>

    Microsoft's Security Patch Opens New Vulnerability

    Did you patch your Internet Explorer 5.5 or 6.0 to fix the last security
    vulnerability? Good... kinda. That patch you installed opened up a new hole
    in IE. This browser needs more patches than a nicotine addict trying to quit
    smoking.

    "This bug is in the Microsoft GetObject JScript function, and could allow a
    hacker to read local files on an affected user's computer, according to
    Guninski. By placing specially crafted script into a Web page or e-mail, a
    malicious user could then execute arbitrary programmes on the compromised
    system, said Guninski.
    I'm also sorry to say that Microsoft has not commented about the security
    hole, although they have been notified 3 weeks ago. There is not even a
    security bulletin, unfortunately meaning there is also no updated patch
    available at this time.

    Read the details at ZDNet news here.

    Posted by no carrier on Friday, January 04 18:39:47 CET

    -----Original Message-----
    From: Marc Fossi [mailto:mfossisecurityfocus.com]
    Sent: Thursday, January 03, 2002 11:11 AM
    To: Focus-MS
    Subject: SecurityFocus Microsoft Newsletter #67

    SecurityFocus Microsoft Newsletter #67
    --------------------------------------

    This Issue is sponsored by: Surfcontrol, Inc.

    WHAT'S THE BIGGEST SECURITY PROBLEM FOR IT MANAGERS?

    "Users opening up infected email attachments." Unfortunately, anti-virus
    software alone is only half the solution. SuperScout Email Filter allows
    you to set up rules to effectively block the "Goners" and "BadTrans" of
    the cyber world. FREE 30-Day Trial: http://www.surfcontrol.com/offer/zsfms1231

    -------------------------------------------------------------------------------

    I. FRONT AND CENTER
    1. Advertising Information
    2. Chasing the Wind, Episode Thirteen: Cabbages and Kings
    II. MICROSOFT VULNERABILITY SUMMARY
    1. Microsoft UPnP NOTIFY Buffer Overflow Vulnerability
    2. Microsoft Internet Explorer Refresh Denial of Service...
    3. Microsoft IE for Solaris X Server Denial of Service Vulnerability
    4. Microsoft SQL-Server Buffer Overflow Vulnerability
    5. Microsoft Universal Plug and Play Simple Service Discovery...
    6. Microsoft Windows C Runtime Library Format String Vulnerability
    III. MICROSOFT FOCUS LIST SUMMARY
    1. Taking control of ones machine (Thread)
    2. sshd configuration on windows (Thread)
    3. Recent Mac/Win interop threads (Thread)
    4. domain authentication (Thread)
    5. SecurityFocus Microsoft Newsletter #66 (Thread)
    6. Re : Microsoft IIS False Content-Length Field DoS Vulnerability...
    7. IE headers w patch level (Thread)
    8. Posting sensitive info, was => Re: Taking control of one...
    9. Microsoft MS01-059, Universal Plug-n-Play vulnerability...
    10. NTLM v2 implementation (Thread)
    11. mac client password changes (Thread)
    12. Pocket PC based password safes (Thread)
    13. question regarding SAM file / l0phtcrack / pwdump2 (Thread)
    14. Windows XP Update possible BUG [ Was: RE: RE: MS01-058...
    15. MS01-058 patch (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    1. Transcend Secure VPN Manager
    2. Security Analyzer
    3. ActiveSentry
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    1. Stunnel v3.22
    2. Big Brother 1.8d2
    3. Anubis v1.1.0
    4. NTLM Authorization Proxy Server v0.9.7
    VI. SPONSORSHIP INFORMATION

    I. FRONT AND CENTER
    -------------------

    1. Advertising Information

    Reach the LARGEST audience of security professionals with SecurityFocus direct e-marketing NOW!

    SecurityFocus is the Web's most successful security intelligence site, with more than 200,000 unique monthly visitors (September 2001), and growing rapidly each week. Leverage the security portal of unrivaled credibility and influence in your next direct marketing campaign.

    To find out how SecurityFocus Web marketing and opt-in email newsletter sponsorships can drive your company's success, contact us at adsalessecurityfocus.com, or download the Advertising Kit at http://www.securityfocus.com/about/press/adverts.shtml. To speak directly with a customer service representative, please call +1(650) 655-6350.

    2. Episode Thirteen: Cabbages and Kings by Robert G. Ferrell

    Jake sat at the incarcerated Merv's terminal and scratched his head. The military security people had told him that this box was sending bursts of (presumed) classified data to an undisclosed location in another country. Okay, except that this segment of the network had no physical attachment to the secured net. In fact, the segment into which this box was plugged wasn't even on his network map. That was a little disturbing, but not entirely surprising, since the data telecomm documentation he'd inherited from his predecessor was a little on the skimpy side.

    http://www.securityfocus.com/infocus/1529

    II. BUGTRAQ SUMMARY
    -------------------

    1. Microsoft UPnP NOTIFY Buffer Overflow Vulnerability
    BugTraq ID: 3723
    Remote: Yes
    Date Published: Dec 20 2001 12:00A
    Relevant URL: http://www.securityfocus.com/bid/3723
    Summary:

    Universal Plug and Play, or UPnP, is a service that allows for hosts to locate and use devices on the local network. UPnP support ships with Windows XP and ME. For Windows 98 and 98SE, it is available with Windows XP's Internet Connection Sharing client.

    When a new device is installed, it will broadcast a UDP NOTIFY packet to all devices on the UPnP network specifying the address and port for all other devices to download its description from. This information is stored in the location field, one of several comprising the NOTIFY message.

    When processing the location field in a NOTIFY directive, UPnP server process memory can be overwritten by data that originated in the packet. If the IP address, port and filename components are of excessive length, access violations will occur when the server attempts to dereference pointers overwritten with data from the packet.

    This condition may be exploitable in a number of different ways, depending on what is overwritten by attackers. An attacker may be able to overwrite a function pointer with a pointer to shellcode also supplied in the request. An attacker may also be able to replace a pointer that is written to, and the value that is written. This could allow for code execution through replacement of return addresses, function pointers, etc.

    It should be noted that the service listens on broadcast and multicast interfaces. This could permit an attacker to exploit a number of systems without knowing their individual IP addresses.

    The UPnP service runs in the SYSTEM security context. An attacker who successfully exploits this vulnerability could gain control over the target host.

    2. Microsoft Internet Explorer Refresh Denial of Service Vulnerability
    BugTraq ID: 3730
    Remote: Yes
    Date Published: Dec 20 2001 12:00A
    Relevant URL: http://www.securityfocus.com/bid/3730
    Summary:

    A malicious web site operator could design a web page that, when visited by an IE user, will cause IE to crash.

    If a webpage containing Javascript designed to cause a continuous refresh via 'self.location = self.location' is viewed, IE will crash.

    A restart of the application is required in order to gain normal functionality.

    3. Microsoft IE for Solaris X Server Denial of Service Vulnerability
    BugTraq ID: 3729
    Remote: No
    Date Published: Dec 20 2001 12:00A
    Relevant URL: http://www.securityfocus.com/bid/3729
    Summary:

    It has been reported that in some situations, Internet Explorer 5.0 SP1 for Solaris is able to crash the X server. In particular, this has been reported with Chinese versions of the software.

    If a Chinese language web page is displayed, and the IE window is rapidly scrolled up and down, it is possible to end the user session, returning the CDE session to dtlogin. This may also happen if the IE window is maximized.

    If this procedure is repeated several times, the X server may crash altogether. At this point, the local user is simply presented with a text login prompt, and the following message:

    can not start x server

    This problem can result in a denial of service to all X users.

    4. Microsoft SQL-Server Buffer Overflow Vulnerability
    BugTraq ID: 3733
    Remote: Yes
    Date Published: Dec 20 2001 12:00A
    Relevant URL: http://www.securityfocus.com/bid/3733
    Summary:

    Microsoft SQL Server contains buffer overflows in several built-in text formatting and printing functions. Two of the affected functions are 'raiserror()' and 'xp_sprintf()', both vulnerable to overflows due to inadequate bounds checking of externally supplied data prior to memory copy operations. If the amount of data supplied exceeds the size of the buffer where it is to be copied, the excessive data will overwrite neighbouring memory. If critical data such as the function return address on the stack is overwritten, the flow of program execution can be altered.

    If an attacker can invoke the affected procedures with custom arguments, or insert/modify arguments for legitimate invocations, arbitrary code can be executed. This can be accomplished by replacing the affected function return address with a pointer to supplied shellcode.

    It may be possible for malicious users to exploit this vulnerability through applications that interact with the database, such as CGI scripts or Java programs. Public domain CGI scripts are notoriously ridden with input validation vulnerabilities that may allow for attacker insertion of exploit code into SQL queries.

    This vulnerability makes it possible for an attacker to execute arbitrary code in the security context of the server process. An attacker can also exploit this vulnerability to crash the server.

    5. Microsoft Universal Plug and Play Simple Service Discovery Protocol Denial of Service Vulnerability
    BugTraq ID: 3724
    Remote: Yes
    Date Published: Dec 20 2001 12:00A
    Relevant URL: http://www.securityfocus.com/bid/3724
    Summary:

    Universal Plug and Play, or UPnP, is a service that allows for hosts to locate and use devices on the local network. UPnP support ships with Windows XP and ME. For Windows 98 and 98SE, it is available with Windows XP's Internet Connection Sharing client.

    The Simple Service Discovery Protocol (SSDP) is a component of UPnP that allows a system to enumerate the resources of a newly installed network device on a UPnP network. When a new device is installed, it will broadcast a UDP NOTIFY packet to all devices on the UPnP network specifying the address and port for all other devices to download its description from.

    It is possible to construct a UDP NOTIFY packet that will direct UPnP devices to download the description from a port on a system which echoes the requests; the requesting UPnP systems could then enter an endless download cycle. The system could be manually restarted to exit this condition.


    It could also be possible to use this technique to initiate a distributed denial of service attack on a third party. By constructing a NOTIFY packet which directs a large number of UPnP devices to the address of a third party server, the responding UPnP devices could flood the server with requests.

    For both scenarios, the NOTIFY packet could be directed to a broadcast or multicast domain which would affect all the UPnP systems within earshot with a single packet.

    6. Microsoft Windows C Runtime Library Format String Vulnerability
    BugTraq ID: 3732
    Remote: Unknown
    Date Published: Dec 20 2001 12:00A
    Relevant URL: http://www.securityfocus.com/bid/3732
    Summary:

    The Windows C Runtime Library is a shared library containing instructions for the standard C library functions. It is used by almost all Windows programs compiled from C or C++ source code.

    There exists a format string vulnerability in the Windows C Runtime Library that may be exploitable through programs that use the affected functions.

    Format string vulnerabilities typically occur in applications that pass user input to library functions supporting *printf string formatting as the format string argument. When users can control the format string, special format specifiers such as '%n' can be used to write almost arbitrary values to attacker-supplied locations in memory.

    In existing format string vulnerabilities, the problem is that the application fails to properly sanitize data before passing it to the *printf function. This vulnerability is different, and lies in the library code rather than in a specific application.

    It is reportedly possible for attackers who can pass data to the affected functions in programs using them to exploit this vulnerability.

    It has been confirmed that this vulnerability is exploitable through SQL Server, however the only possible consequence of a successful attack is a denial of service (code execution is reportedly not possible).

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------

    1. Taking control of ones machine (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000b01c18f3e$9baa5420$fdfea8c0dellydoo&threads=1

    2. sshd configuration on windows (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=243C47087E9A9E4A86A2650B4E454EC1990Dglobalsis1.globalsis.com.ar&threads=1

    3. Recent Mac/Win interop threads (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=3C2B862C.4050709yahoo.com&threads=1

    4. domain authentication (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=E00ECDED326C0B4288A0B4F7F02DE2DD276Bmickey&threads=1

    5. SecurityFocus Microsoft Newsletter #66 (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.GSO.4.30.0112261746430.26047-100000mail.securityfocus.com&threads=1

    6. Re : Microsoft IIS False Content-Length Field DoS Vulnerability (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=421320D23C15B749B12A0A54CC203C04080139df-toto.dogfood&threads=1

    7. IE headers w patch level (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAWCgHqRA%2b%2f0S4RTIdGDuMgcKAAAAQAAAA8vQIg5tIt0mNUvESGlq2hgEAAAAAsotagus.pt&threads=1

    8. Posting sensitive info, was => Re: Taking control of ones machine (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=3C240E2A.F5C9246Cmor-lan-d.com&threads=1

    9. Microsoft MS01-059, Universal Plug-n-Play vulnerability. (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=3C23C05B.6020208yahoo.com&threads=1

    10. NTLM v2 implementation (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=028501c18a41$75a10a00$488cea9elbe462&threads=1

    11. mac client password changes (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=OF5524A90E.2A1D4398-ON85256B29.0076144Dfrb.gov&threads=1

    12. Pocket PC based password safes (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=51F912F2A6CDD111810A00600811BA42024D82A8TEA05&threads=1

    13. question regarding SAM file / l0phtcrack / pwdump2 (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=E0390A21F9C3D41191FC00A0C95FF4B982B5CCtitan.asizip.com&threads=1

    14. Windows XP Update possible BUG [ Was: RE: RE: MS01-058 patch ] (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAWCgHqRA%2b%2f0S4RTIdGDuMgcKAAAAQAAAA2trUlNlNY0WKp92W6lOD7wEAAAAAsotagus.pt&threads=1

    15. MS01-058 patch (Thread)
    Relevant URL:
    http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=7400546A8E39414EB4AA7A8193047E840834AAMOC2.midnightoil.local&threads=1

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------

    1. Transcend Secure VPN Manager by 3com
    Platforms: Windows NT
    Relevant URL: http://www.3com.com/products/dsheets/400506.html
    Summary:

    Designed for simple, real-time VPN monitoring, Transcend Secure VPN Manager software Version 2.2 for Windows NT software provides a Web-based client-server system with an easy-to-read graphical interface. This robust monitoring and diagnostic tool lets you collect and display information on tunnel and session utilization, as well as security associations and violations on VPN tunnels terminated by 3Com VPN devices such as NETBuilder® routers or PathBuilder™ tunnel switches. Monitoring capabilities include industry-standard Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).

    2. Security Analyzer by NetIQ
    Platforms: Linux, Solaris, Windows 95/98, Windows NT, Windows 2000
    Relevant URL: http://www.netiq.com/products/sa/default.asp
    Summary:

    NetIQ's Security Analyzer helps you secure your corporate systems and networks by automatically detecting the latest known security vulnerabilities and providing extensive reports and guidance on how to address them.

    3. ActiveSentry by Intranode
    Platforms: N/A
    Relevant URL: https://activesentry.intranode.com/
    Summary:

    ActiveSentry, published by Intranode, is an extremely powerful proactive Internet security management solution based on automatic recurrent security audits launched from a remote platform. Each audit generates an exhaustive executive analysis report specifying the vulnerabilities detected and the counter measures to implement.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    ------------------------------------

    1. Stunnel v3.22 by Michal Trojnara, Michal.Trojnaracentertel.pl
    Relevant URL: http://stunnel.mirt.net/
    Platforms: FreeBSD, Linux, Windows 2000, Windows 95/98, Windows NT
    Summary:

    The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries. It calls the underlying crypto libraries, so stunnel supports whatever cryptographic algorithms you compiled into your crypto package. This release includes a timeout for the transfer() function, and a fix for a coredump on exit with active threads.

    2. Big Brother 1.8d2 by Sean MacGuire, seaniti.qc.ca
    Relevant URL: http://bb4.com/download.html
    Platforms: AIX, BSDI, DG-UX, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD, Netware, SCO, SINIX, Solaris, SunOS, True64 UNIX, Ultrix, UNICOS, UNIX, Unixware, Windows NT
    Summary:

    Big Brother is a combination of monitoring methods. Unlike SNMP where information is just collected and devices polled, Big Brother is designed in such a way that each local system broadcasts its own information to a central location. Simultaneously, Big Brother also polls all networked systems from a central location. This creates a highly efficient and redundant method for proactive network monitoring.

    3. Anubis v1.1.0 by The Anubis Team ghostfacelodz.pdi.net
    Relevant URL: http://anubis.sourceforge.net/
    Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
    Summary:

    Anubis is an anonymous email sender for Unix, BeOS, Win32, and AmigaOS. It supports WinGates, encrypted TLS/SSL connections, remailers, anonymous news posting, and more.

    4. NTLM Authorization Proxy Server v0.9.7 by Dmitry Rozmanov
    Relevant URL: http://www.geocities.com/rozmanov/ntlm/
    Platforms: Windows 95/98, Windows NT
    Summary:

    'NTLM Authorization Proxy Server' is a proxy software that allows you to authenticate via an MS Proxy Server using the proprietary NTLM protocol. It can change arbitrary values in your client's request header so that those requests will look like they were created by MS IE. It is written in Python v1.5.2 language.

    VI. SPONSORSHIP INFORMATION
    ---------------------------

    This Issue is sponsored by: Surfcontrol, Inc.

    WHAT'S THE BIGGEST SECURITY PROBLEM FOR IT MANAGERS?

    "Users opening up infected email attachments." Unfortunately, anti-virus software alone is only half the solution. SuperScout Email Filter allows you to set up rules to effectively block the "Goners" and "BadTrans" of the cyber world. FREE 30-Day Trial: http://www.surfcontrol.com/offer/zsfms1231

    -------------------------------------------------------------------------------
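The NOTIFY/LOCATION handling described in the two UPnP items above (BID 3723 and BID 3724), turned into a defensive screening check, as an added example that is not part of the newsletter or of any Microsoft code: it parses an SSDP NOTIFY message, bounds the LOCATION components, and refuses locations that point off the local segment or at echo-style ports. The subnet, the length limits, the port set and the sample messages are assumptions constructed for this example.

```python
"""Screen SSDP NOTIFY messages before a UPnP host fetches the LOCATION URL.
Constructed example following the BID 3723 / BID 3724 summaries: an oversized
LOCATION component, or one that sends every listener to an echo port or a
third-party host, is refused. All limits, addresses and samples are assumed."""
import ipaddress
from urllib.parse import urlsplit

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local UPnP segment
MAX_HOST_LEN = 64          # assumed bound on the host component
MAX_PATH_LEN = 256         # assumed bound on the description file path
REFLECTOR_PORTS = {7, 19}  # echo/chargen: a description fetch from here never ends

def parse_notify(raw: bytes) -> dict:
    """Split an SSDP NOTIFY (HTTP-style, CRLF-delimited) into lower-cased headers."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].startswith("NOTIFY * HTTP/1.1"):
        raise ValueError("not an SSDP NOTIFY")
    headers = {}
    for line in lines[1:]:
        if not line:               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_location(location: str) -> list:
    """Return the reasons a LOCATION must not be fetched (empty list = accept)."""
    reasons = []
    url = urlsplit(location)
    if url.scheme != "http":
        reasons.append("scheme")
    host = url.hostname or ""
    if len(host) > MAX_HOST_LEN:
        reasons.append("host too long")      # BID 3723: oversized component
    if len(url.path) > MAX_PATH_LEN:
        reasons.append("path too long")      # BID 3723: oversized component
    try:
        addr = ipaddress.ip_address(host)
        port = url.port or 80                # raises on a non-numeric port
    except ValueError:
        reasons.append("host or port not parseable")
        return reasons
    if addr not in LOCAL_NET:
        reasons.append("off-segment host")   # BID 3724: third-party flood
    if port in REFLECTOR_PORTS:
        reasons.append("reflector port")     # BID 3724: endless download cycle
    return reasons

def screen_notify(raw: bytes) -> list:
    """Parse a NOTIFY and return the list of reasons to drop it."""
    headers = parse_notify(raw)
    if "location" not in headers:
        return ["no LOCATION"]
    return check_location(headers["location"])

# Constructed samples: benign, oversized description path, off-segment echo port
GOOD = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
        b"NTS: ssdp:alive\r\nLOCATION: http://192.168.1.20:5000/desc.xml\r\n\r\n")
LONG = (b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\nLOCATION: http://192.168.1.20:80/"
        + b"A" * 300 + b"\r\n\r\n")
REFLECT = b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\nLOCATION: http://203.0.113.9:7/x\r\n\r\n"
```

A listener that only ever fetches descriptions from screened, on-segment locations is not protected against the overflow itself, which lives in the platform's UPnP service, but it stops acting on the broadcast NOTIFY that both items rely on.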