SecurityFocus Microsoft Newsletter #270
----------------------------------------

This Issue is Sponsored By: SpiDynamics

ALERT: Learn to Think Like a Hacker - Simulate a Hacker Breaking into Your Web Apps
The speed with which Web applications are developed makes them prime targets for attackers; often these applications were developed so quickly that they are not coded properly or subjected to any security testing. Hackers know this and use it as their weapon. Download this *FREE* test guide from SPI Dynamics to check for Web application vulnerabilities.

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003P6V

------------------------------------------------------------------
I.   FRONT AND CENTER
      1. OpenSSH cutting edge
      2. Demystifying Denial-Of-Service attacks, part one
II.  MICROSOFT VULNERABILITY SUMMARY
      1. My Album Online Unspecified Directory Traversal Vulnerability
      2. LogiSphere Multiple Directory Traversal Vulnerabilities
      3. Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow Vulnerability
      4. Opera Web Browser Long Title Element Bookmark Denial of Service Vulnerability
      5. Microsoft Internet Explorer Dialog Manipulation Vulnerability
      6. Microsoft Internet Explorer HTTPS Proxy Information Disclosure Vulnerability
      7. Microsoft Windows Asynchronous Procedure Call Local Privilege Escalation Vulnerability
      8. Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
      9. Opera Web Browser Download Dialog Manipulation File Execution Vulnerability
      10. AppServ Open Project Remote Denial of Service Vulnerability
      11. Trend Micro ServerProtect ISANVWRequest Heap Overflow Vulnerability
      12. Trend Micro ServerProtect Relay Heap Overflow Vulnerability
      13. Trend Micro ServerProtect EarthAgent Daemon Denial of Service Vulnerability
      14. Trend Micro PC-Cillin Internet Security Local Insecure Permissions Vulnerability
      15. Watchfire AppScan QA Remote Buffer Overflow Vulnerability
      16. Soft4e ECW-Cart Multiple Cross-Site Scripting Vulnerabilities
      17. SSH Tectia Server Host Authentication Authorization Bypass Vulnerability
      18. Macromedia Cold Fusion MX Multiple Vulnerabilities
      19. Macromedia JRun Multiple Vulnerabilities
      20. Microsoft Internet Information Server 5.1 DLL Request Denial of Service Vulnerability
      21. Microsoft Excel Unspecified Memory Corruption Vulnerabilities
      22. Acuity CMS ASP Search Module Cross-Site Scripting Vulnerability
      23. Allinta CMS Multiple Cross-Site Scripting Vulnerabilities
      24. Symantec Antivirus Library RAR Decompression Heap Overflow Vulnerabilities
      25. Pegasus Mail Multiple Remote Code Execution Vulnerabilities
      26. Extensis Portfolio Netpublish Server Server.NP Directory Traversal Vulnerability
      27. Qualcomm WorldMail IMAPD Buffer Overflow Vulnerability
      28. Blender BlenLoader File Processing Integer Overflow Vulnerability
      29. McAfee VirusScan Security Center ActiveX Control Arbitrary File Overwrite Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
      1. sober resurfacing
      2. SecurityFocus Microsoft Newsletter #269
IV.  UNSUBSCRIBE INSTRUCTIONS
V.   SPONSOR INFORMATION

I.   FRONT AND CENTER
---------------------
1. OpenSSH cutting edge
By Federico Biancuzzi
Federico Biancuzzi interviews OpenSSH developer Damien Miller to discuss features included in the upcoming version 4.3, public key crypto protocols details, timing based attacks and anti-worm measures.
http://www.securityfocus.com/columnists/375

2. Demystifying Denial-Of-Service attacks, part one
By Abhishek Singh, CISSP
This paper provides an introduction to Denial of Service (DoS) attacks, their methodologies, common prevention techniques, and how they differ from Distributed Denial of Service (DDoS) Attacks. This article is intended to be a broad overview for the beginner or intermediate-level administrator on the different types of DoS attacks.
http://www.securityfocus.com/infocus/1853


II.  MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. My Album Online Unspecified Directory Traversal Vulnerability
BugTraq ID: 15800
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15800
Summary:
My Album Online is prone to an unspecified directory traversal vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the Web server process. Information obtained may aid in further attacks; other attacks are also possible.

2. LogiSphere Multiple Directory Traversal Vulnerabilities
BugTraq ID: 15807
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15807
Summary:
LogiSphere is prone to multiple directory traversal vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to retrieve arbitrary files from the vulnerable system in the context of the Web server process. Information obtained may aid in further attacks; other attacks are also possible.

3. Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow Vulnerability
BugTraq ID: 15809
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15809
Summary:
Sights 'n Sounds Streaming Media Server is prone to a buffer overflow vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

Successful exploitation will likely result in a crash of the 'SWS.exe' application, denying service to legitimate users. Arbitrary code execution may also be possible; this may facilitate privilege escalation to SYSTEM level.

Sights 'n Sounds Streaming Media Server version 2.0.3.b is affected.


4. Opera Web Browser Long Title Element Bookmark Denial of Service Vulnerability
BugTraq ID: 15813
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15813
Summary:
Opera Web browser is prone to a denial of service vulnerability when a Web page with a long title element is bookmarked. If this occurs, the browser will not be able to restart after it is closed.

This issue affects Opera running on Windows and Mac OS X. It also affects Japanese users and any users utilizing IME for text input.


5. Microsoft Internet Explorer Dialog Manipulation Vulnerability
BugTraq ID: 15823
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15823
Summary:
Internet Explorer is prone to a remote code execution vulnerability through manipulation of custom dialog boxes. Keystrokes entered while one of these dialogs is displayed may be buffered and passed to a download dialog, allowing attacker-supplied code to be executed.

6. Microsoft Internet Explorer HTTPS Proxy Information Disclosure Vulnerability
BugTraq ID: 15825
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15825
Summary:
Microsoft Internet Explorer is prone to an information disclosure vulnerability when using an authenticating proxy server for HTTPS communications. Exploitation of this issue could result in an attacker gaining a user's authentication credentials.

This issue only exists when the authenticating proxy uses Basic Authentication.


7. Microsoft Windows Asynchronous Procedure Call Local Privilege Escalation Vulnerability
BugTraq ID: 15826
Remote: No
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15826
Summary:
Microsoft Windows is susceptible to a local privilege escalation vulnerability. This issue is due to a flaw in the Asynchronous Procedure Calls implementation in Microsoft Windows.

This issue allows local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.

8. Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
BugTraq ID: 15827
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15827
Summary:
Microsoft Internet Explorer is prone to a memory corruption vulnerability that is related to the instantiation of COM objects. COM objects may corrupt system memory and facilitate arbitrary code execution in the context of the currently logged in user on the affected computer.


9. Opera Web Browser Download Dialog Manipulation File Execution Vulnerability
BugTraq ID: 15835
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15835
Summary:
Opera Web Browser is prone to a remote code execution vulnerability through manipulation of dialog boxes.

An attacker can hide a 'File Download' dialog box underneath a new browser window and entice a user into double clicking a specific area in the window.

This may result in the execution of arbitrary files.

10. AppServ Open Project Remote Denial of Service Vulnerability
BugTraq ID: 15851
Remote: Yes
Date Published: 2005-12-14
Relevant URL: http://www.securityfocus.com/bid/15851
Summary:
AppServ Open Project is reportedly affected by a remote denial of service vulnerability.

AppServ 2.5.3 running on Microsoft Windows platforms was reported to be vulnerable. Other versions may be affected as well.

11. Trend Micro ServerProtect ISANVWRequest Heap Overflow Vulnerability
BugTraq ID: 15865
Remote: Yes
Date Published: 2005-12-14
Relevant URL: http://www.securityfocus.com/bid/15865
Summary:
A remotely exploitable heap-based buffer overflow vulnerability is present in the Trend Micro ServerProtect 'isaNVWRequest.dll' ISAPI component of the Management Console.

An attacker could exploit this issue to execute arbitrary code in the context of the underlying Web server.

This issue is reported to affect ServerProtect 5.58 for Windows running with Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup Server 1.1. Other versions and platforms may be affected as well. It is also possible that other Trend Micro products such as InterScan eManager, InterScan Web Protect, OfficeScan, and Control Manager could be impacted as well.

It is noted that the vulnerability may actually be present in the MFC (Microsoft Foundation Class) ISAPI libraries. This issue may be related to BID 9963 "Microsoft Visual C++ MFC ISAPI Extension Denial Of Service Vulnerability".


12. Trend Micro ServerProtect Relay Heap Overflow Vulnerability
BugTraq ID: 15866
Remote: Yes
Date Published: 2005-12-14
Relevant URL: http://www.securityfocus.com/bid/15866
Summary:
A remotely exploitable heap-based buffer overflow vulnerability is present in the Trend Micro ServerProtect 'relay.dll' component in the Management Console.

An attacker could exploit this issue to execute arbitrary code in the context of the underlying Web server.

This issue is reported to affect ServerProtect 5.58 for Windows running with Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup Server 1.1. Other versions and platforms may be affected as well. It is also possible that other Trend Micro products such as InterScan eManager, InterScan Web Protect, OfficeScan, and Control Manager could be impacted as well.

It is noted that the vulnerability may actually be present in the MFC (Microsoft Foundation Class) ISAPI libraries. This issue may be related to BID 9963 "Microsoft Visual C++ MFC ISAPI Extension Denial Of Service Vulnerability".


13. Trend Micro ServerProtect EarthAgent Daemon Denial of Service Vulnerability
BugTraq ID: 15868
Remote: Yes
Date Published: 2005-12-14
Relevant URL: http://www.securityfocus.com/bid/15868
Summary:
Trend Micro ServerProtect is prone to a remote denial of service vulnerability when the EarthAgent Daemon processes a malicious packet. This causes the process to consume a large amount of CPU and memory resources, potentially causing the underlying operating system to fail.

This issue affects Trend Micro ServerProtect version 5.58; however, earlier versions may also be affected.


14. Trend Micro PC-Cillin Internet Security Local Insecure Permissions Vulnerability
BugTraq ID: 15872
Remote: No
Date Published: 2005-12-14
Relevant URL: http://www.securityfocus.com/bid/15872
Summary:
Trend Micro PC-Cillin Internet Security is a commercial antivirus and network security package for Microsoft Windows operating systems.

Trend Micro PC-Cillin Internet Security is susceptible to a local insecure permissions vulnerability. This issue is due to a failure of the application to ensure that secure permissions are applied to its application and data files.

This issue allows local unprivileged attackers to disable the security features of the affected application, aiding them in further attacks. They may also overwrite arbitrary binaries that will subsequently be executed with SYSTEM level privileges, facilitating the complete compromise of affected computers.

Trend Micro PC-Cillin Internet Security 2005 version 12.00 build 1244 is vulnerable to this issue. Other versions may also be affected.

15. Watchfire AppScan QA Remote Buffer Overflow Vulnerability
BugTraq ID: 15873
Remote: Yes
Date Published: 2005-12-15
Relevant URL: http://www.securityfocus.com/bid/15873
Summary:
AppScan QA is prone to a buffer overflow vulnerability.

The vulnerability presents itself when the application handles a malformed HTTP 401 (Unauthorized) response.

A successful attack may facilitate arbitrary code execution. Exploitation of this vulnerability may allow an attacker to gain unauthorized access to the computer in the context of the application. AppScan QA 5.0.609 Subscription 7 and 5.0.134 were reported to be vulnerable. Other versions may be affected as well.

16. Soft4e ECW-Cart Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 15890
Remote: Yes
Date Published: 2005-12-15
Relevant URL: http://www.securityfocus.com/bid/15890
Summary:
ECW-Cart is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

17. SSH Tectia Server Host Authentication Authorization Bypass Vulnerability
BugTraq ID: 15903
Remote: Yes
Date Published: 2005-12-15
Relevant URL: http://www.securityfocus.com/bid/15903
Summary:
SSH Tectia Server is susceptible to an authorization bypass vulnerability. This issue is due to a failure of the application to properly validate login credentials when using host-based authentication. Successful host-based authentication is required to exploit this issue, limiting the sources of attack to computers already configured to connect to the server. Host-based authentication is disabled by default in vulnerable servers.

This issue allows remote attackers to log on to computers running the vulnerable application with illegitimate credentials. Privilege escalation and unauthorized access may be possible.

18. Macromedia Cold Fusion MX Multiple Vulnerabilities
BugTraq ID: 15904
Remote: Yes
Date Published: 2005-12-15
Relevant URL: http://www.securityfocus.com/bid/15904
Summary:
Macromedia ColdFusion MX is affected by multiple vulnerabilities.

The following four issues were reported:

- A security vulnerability related to the JRun clustered sandbox. This issue affects Macromedia ColdFusion MX 6.0, 6.1, 6.1 with JRun, and 7.0.

- An input validation vulnerability related to the CFMAIL tag. This issue affects Macromedia ColdFusion MX 6.0, 6.1, 6.1 with JRun, and 7.0.

- A security vulnerability related to the CFOBJECT/CreateObject sandbox security setting. This issue affects ColdFusion MX 7.0.

- A security vulnerability that could expose the ColdFusion Administrator password hash to unauthorized parties. This issue affects ColdFusion MX 7.0.

19. Macromedia JRun Multiple Vulnerabilities
BugTraq ID: 15905
Remote: Yes
Date Published: 2005-12-15
Relevant URL: http://www.securityfocus.com/bid/15905
Summary:
Macromedia JRun is affected by multiple security vulnerabilities. The following issues were reported:

- Multiple vulnerabilities that let remote users gain unauthorized access to Web application source code.

- A denial of service vulnerability in the JRun Web Server component.

20. Microsoft Internet Information Server 5.1 DLL Request Denial of Service Vulnerability
BugTraq ID: 15921
Remote: Yes
Date Published: 2005-12-17
Relevant URL: http://www.securityfocus.com/bid/15921
Summary:
It has been reported that a remotely exploitable denial of service vulnerability exists in Microsoft Internet Information Server 5.1. According to the author, versions 5.0 and 6.0 are not affected.

21. Microsoft Excel Unspecified Memory Corruption Vulnerabilities
BugTraq ID: 15926
Remote: Yes
Date Published: 2005-12-19
Relevant URL: http://www.securityfocus.com/bid/15926
Summary:
Microsoft Excel is susceptible to two unspecified memory corruption vulnerabilities. The issues present themselves when Microsoft Excel attempts to process malformed or corrupted XLS files.

Attackers may exploit these issues to crash the affected application. The possibility to execute arbitrary machine code through these issues has not currently been ruled out.

This BID will be updated, and potentially split into separate records as further information is disclosed.

22. Acuity CMS ASP Search Module Cross-Site Scripting Vulnerability
BugTraq ID: 15934
Remote: Yes
Date Published: 2005-12-19
Relevant URL: http://www.securityfocus.com/bid/15934
Summary:
Acuity CMS ASP is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

Acuity CMS ASP 2.6.2 is affected by this issue. Other versions may also be vulnerable.


23. Allinta CMS Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 15935
Remote: Yes
Date Published: 2005-12-19
Relevant URL: http://www.securityfocus.com/bid/15935
Summary:
Allinta CMS is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

Allinta versions 2.3.2 and earlier are reportedly affected by this vulnerability.


24. Symantec Antivirus Library RAR Decompression Heap Overflow Vulnerabilities
BugTraq ID: 15971
Remote: Yes
Date Published: 2005-12-20
Relevant URL: http://www.securityfocus.com/bid/15971
Summary:
The Symantec antivirus library is prone to multiple heap-based buffer overflow vulnerabilities.

These vulnerabilities could be exploited to compromise computers running applications that utilize the affected library. The issues exist in the RAR archive decompression routines. They may affect all platforms running applications that include the library, including Microsoft Windows and Mac OS X releases of the applications.

Symantec is currently investigating this issue. A conclusive list of affected products is not available at this time. This BID will be updated upon further investigation. It is noted that the issue could affect third-party applications that include the library.

25. Pegasus Mail Multiple Remote Code Execution Vulnerabilities
BugTraq ID: 15973
Remote: Yes
Date Published: 2005-12-20
Relevant URL: http://www.securityfocus.com/bid/15973
Summary:
Pegasus Mail is prone to multiple remote code execution vulnerabilities. The following specific vulnerabilities were identified:

A buffer overflow vulnerability arises when the application handles a malformed POP3 reply from a server.

An off-by-one buffer overflow vulnerability arises when the application handles a malicious email message.

Pegasus Mail 4.21c and 4.30PB1 are reportedly vulnerable. Other versions may be affected as well.

26. Extensis Portfolio Netpublish Server Server.NP Directory Traversal Vulnerability
BugTraq ID: 15974
Remote: Yes
Date Published: 2005-12-20
Relevant URL: http://www.securityfocus.com/bid/15974
Summary:
Portfolio Netpublish Server is prone to a directory traversal vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to retrieve arbitrary files in the context of the affected application. Information obtained may aid in further attacks against the underlying system; other attacks are also possible.

Netpublish Server 7 is vulnerable; other versions may also be affected.


27. Qualcomm WorldMail IMAPD Buffer Overflow Vulnerability
BugTraq ID: 15980
Remote: Yes
Date Published: 2005-12-20
Relevant URL: http://www.securityfocus.com/bid/15980
Summary:
The WorldMail IMAPd service is prone to a remote buffer overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before copying it into fixed-size buffers.

An attacker can exploit this issue to crash the server resulting in a denial of service to legitimate users. Arbitrary code execution may also be possible; this may facilitate a compromise of the underlying system.

This issue is reported to affect IMAPd service version 6.1.19.0 of WorldMail 3.0; other versions may also be vulnerable.

28. Blender BlenLoader File Processing Integer Overflow Vulnerability
BugTraq ID: 15981
Remote: Yes
Date Published: 2005-12-20
Relevant URL: http://www.securityfocus.com/bid/15981
Summary:
Blender is susceptible to an integer overflow vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input prior to using it in a memory allocation and copy operation.

This issue allows attackers to execute arbitrary machine code in the context of the user running the affected application.

29. McAfee VirusScan Security Center ActiveX Control Arbitrary File Overwrite Vulnerability
BugTraq ID: 15986
Remote: Yes
Date Published: 2005-12-20
Relevant URL: http://www.securityfocus.com/bid/15986
Summary:
McAfee VirusScan Security Center is prone to an arbitrary file overwrite vulnerability. Attackers are able to create and modify arbitrary files.

Successful exploitation can lead to various attacks including potential arbitrary code execution and remote unauthorized access.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. sober resurfacing
http://www.securityfocus.com/archive/88/419567

2. SecurityFocus Microsoft Newsletter #269
http://www.securityfocus.com/archive/88/419434

IV.  UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed.

V.   SPONSOR INFORMATION
------------------------