SecurityFocus Microsoft Newsletter #336 ----------------------------------------
This Issue is Sponsored by: SPI Dynamics ALERT: "How a Hacker Launches a SQL Injection Attack!"- SPI Dynamics White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CkvN SECURITY BLOGS SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks. http://www.securityfocus.com/blogs ------------------------------------------------------------------ I. FRONT AND CENTER 1. Metasploit 3.0 day 2. Blanket Discovery for Stolen Laptops II. MICROSOFT VULNERABILITY SUMMARY 1. Microsoft April 2007 Advance Notification Multiple Vulnerabilities 2. Microsoft Windows Unspecified Remote Code Execution Vulnerability 3. Kaspersky Internet Security Suite Klif.SYS Driver Local Heap Overflow Vulnerability 4. Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File Exfiltration Vulnerability 5. VMware Unspecified Double Free Memory Corruption Vulnerability 6. Microsoft Windows Explorer BMP Image Denial of Service Vulnerability 7. IrfanView Multiple BMP Denial of Service Vulnerabilities 8. ACDSee 9.0 Photo Manager Multiple BMP Denial of Service Vulnerabilities 9. FastStone Image Viewer Multiple BMP Denial of Service Vulnerabilities 10. Microsoft Windows Vista Teredo UDP Nonce Spoofing Weakness 11. ImageMagick XGetPixel/XInitImage Multiple Integer Overflow Vulnerabilities 12. Microsoft Windows Vista Neighbor Discovery Spoofing Vulnerability 13. Microsoft Vista Spoof On Bridge HELLO Packet Security Restriction Bypass Vulnerability 14. Microsoft Vista Spoofed LLTD HELLO Packet Security Restriction Bypass Vulnerability 15. Microsoft Windows Graphics Rendering Engine EMF File Privilege Escalation Vulnerability 16. Microsoft Windows GDI Invalid Window Size Local Privilege Escalation Vulnerability 17. Microsoft Windows Graphics Device Interface Font Rasterizer Local Privilege Escalation Vulnerability 18. Microsoft Windows GDI WMF Remote Denial of Service Vulnerability 19. Microsoft Windows Graphics Rendering Engine GDI Local Privilege Escalation Vulnerability 20. Microsoft Windows Vista LLTD Mapper EMIT Packet Remote Denial Of Service Vulnerability 21. Microsoft Windows Vista Teredo Protocol Insecure Connection Weakness 22. Microsoft Windows Vista ARP table Entries Denial of Service Vulnerability 23. Microsoft Windows Vista LLTD Responder Discovery Packet Spoofing Vulnerability 24. Ipswitch WS_FTP Long Site Command Buffer Overflow Vulnerability 25. RETIRED: Microsoft Windows SVCHost.EXE Remote Buffer Overflow Vulnerability 26. ImageMagic Multiple Integer Overflow Vulnerabilities 27. FastStone Image Viewer Unspecified Buffer Overflow Vulnerability 28. Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability 29. NaviCopa Web Server GET Request Buffer Overflow Vulnerability 30. Microsoft Internet Explorer HTML Denial of Service Vulnerability 31. Corel WordPerfect Office PRS Stack Buffer Overflow Vulnerability 32. IBM Lotus Domino Web Access Email Message HTML Injection Vulnerability 33. SignKorea SKCommAX ActiveX Control Remote Buffer Overflow Vulnerability III. MICROSOFT FOCUS LIST SUMMARY 1. Discovering Active Direcory users with blank passwords 2. SecurityFocus Microsoft Newsletter #335 (fwd) IV. UNSUBSCRIBE INSTRUCTIONS V. SPONSOR INFORMATION I. FRONT AND CENTER --------------------- 1. Metasploit 3.0 day By Federico Biancuzzi The Metasploit Framework is a development platform for creating security tools and exploits. Federico Biancuzzi interviewed H D Moore to discuss what's new in release 3.0, the new license of the framework, plans for features and exploits development, and the links among the bad guys and Metasploit and the law. http://www.securityfocus.com/columnists/439 2. Blanket Discovery for Stolen Laptops By Mark Rasch Mark Rasch discusses the legal issues behind the discovery and recovery of stolen laptops that use LoJack-style homing devices to announce their location, and the location of the thieves, anywhere in the world. http://www.securityfocus.com/columnists/438 II. MICROSOFT VULNERABILITY SUMMARY ------------------------------------ 1. Microsoft April 2007 Advance Notification Multiple Vulnerabilities BugTraq ID: 23335 Remote: Yes Date Published: 2007-04-05 Relevant URL: http://www.securityfocus.com/bid/23335 Summary: Microsoft has released advance notification that the vendor will be releasing five security bulletins on April 10, 2007. The highest severity rating for these issues is 'Critical'. Further details about these issues are not currently available. Individual BIDs will be created for each issue; this record will be removed when the security bulletins are released. 2. Microsoft Windows Unspecified Remote Code Execution Vulnerability BugTraq ID: 23332 Remote: Yes Date Published: 2007-04-05 Relevant URL: http://www.securityfocus.com/bid/23332 Summary: Microsoft Windows is prone to an unspecified remote code-execution vulnerability. Exploiting this issue reportedly requires minimal user interaction. Successfully exploiting this issue allows attackers to execute arbitrary code, facilitating the remote compromise of affected computers. Currently, little is known about this issue. This BID will be updated as more information becomes available. 3. Kaspersky Internet Security Suite Klif.SYS Driver Local Heap Overflow Vulnerability BugTraq ID: 23326 Remote: No Date Published: 2007-04-04 Relevant URL: http://www.securityfocus.com/bid/23326 Summary: Kaspersky Internet Security Suite is prone to a heap-overflow vulnerability because it fails to perform sufficient boundary checks on user-supplied data before copying it to a buffer. An attacker could leverage this issue to have arbitrary code execute with kernel level privileges. A successful exploit could result in the complete compromise of the affected system. Kaspersky Internet Security Suite version 6.0.1.411 for Microsoft Windows is reported vulnerable; previous versions may be vulnerable as well. 4. Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File Exfiltration Vulnerability BugTraq ID: 23325 Remote: Yes Date Published: 2007-04-05 Relevant URL: http://www.securityfocus.com/bid/23325 Summary: Kaspersky AntiVirus is prone to an arbitrary file exfiltration vulnerability. An attacker can exploit this issue to steal files from a victim machine. This issue affects Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0. 5. VMware Unspecified Double Free Memory Corruption Vulnerability BugTraq ID: 23323 Remote: Yes Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23323 Summary: VMware is prone to a double-free memory-corruption vulnerability. An attacker can exploit this issue to access potentially sensitive information or to cause denial-of-service conditions. Presumably, this issue can be leveraged to execute arbitrary code, but this has not been confirmed. 6. Microsoft Windows Explorer BMP Image Denial of Service Vulnerability BugTraq ID: 23321 Remote: Yes Date Published: 2007-04-04 Relevant URL: http://www.securityfocus.com/bid/23321 Summary: Windows explorer is prone to a denial-of-service vulnerability. There are very few details regarding this issue. This BID will be updated as further information becomes available. An attacker could exploit this issue to cause denial-of-service conditions on a victim computer. It is conjectured that this issue may be the result of a buffer-overflow, however, this has not been confirmed. This issue affects Windows XP SP1; other operating systems and versions may be affected. 7. IrfanView Multiple BMP Denial of Service Vulnerabilities BugTraq ID: 23318 Remote: Yes Date Published: 2007-04-04 Relevant URL: http://www.securityfocus.com/bid/23318 Summary: IrfanView is prone to multiple denial-of-service vulnerabilities. These issues are due to a failure of the application to properly handle malformed BMP image files. Successfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed. Version 3.99 of the application is affected, other versions may also be vulnerable. 8. ACDSee 9.0 Photo Manager Multiple BMP Denial of Service Vulnerabilities BugTraq ID: 23317 Remote: Yes Date Published: 2007-04-04 Relevant URL: http://www.securityfocus.com/bid/23317 Summary: ACDSee 9.0 Photo Manager is prone to multiple denial-of-service vulnerabilities because the application fails to properly handle malformed BMP image files. Successfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed. Version 9.0 of the application is affected; other versions may also be vulnerable. 9. FastStone Image Viewer Multiple BMP Denial of Service Vulnerabilities BugTraq ID: 23312 Remote: Yes Date Published: 2007-04-04 Relevant URL: http://www.securityfocus.com/bid/23312 Summary: FastStone Image Viewer is prone to multiple denial-of-service vulnerabilities because the application fails to properly handle malformed BMP image files. Successfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed. Version 2.9 of the application is affected; other versions may also be vulnerable. 10. Microsoft Windows Vista Teredo UDP Nonce Spoofing Weakness BugTraq ID: 23301 Remote: Yes Date Published: 2007-04-04 Relevant URL: http://www.securityfocus.com/bid/23301 Summary: Windows Vistsa Teredo server is prone to a nonce-spoofing weakness due to its use of a nonce during the lifetime of certain connections. This weakness can aid in attempts to spoof a Teredo server. 11. ImageMagick XGetPixel/XInitImage Multiple Integer Overflow Vulnerabilities BugTraq ID: 23300 Remote: Yes Date Published: 2007-04-04 Relevant URL: http://www.securityfocus.com/bid/23300 Summary: ImageMagick is prone to multiple integer-overflow vulnerabilities because it fails to properly validate user-supplied data. An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions. 12. Microsoft Windows Vista Neighbor Discovery Spoofing Vulnerability BugTraq ID: 23293 Remote: Yes Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23293 Summary: Microsoft Windows Vista is prone to a discovery-spoofing vulnerability. An attacker can exploit this issue to conduct redirect attacks on another host on the network. This may lead to further attacks. Note that to exploit this issue, the attacker must have access to the local network segment of a target computer. 13. Microsoft Vista Spoof On Bridge HELLO Packet Security Restriction Bypass Vulnerability BugTraq ID: 23280 Remote: Yes Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23280 Summary: The Microsoft Vista operating system is prone to a security-restriction-bypass vulnerability because the software fails to properly sanitize user-supplied packet-level data. Attackers can exploit this issue to bypass the security restrictions and gain unauthorized access to restricted sites. This may allow attackers to bypass the security restrictions enforced by the Microsoft Vista operating system. 14. Microsoft Vista Spoofed LLTD HELLO Packet Security Restriction Bypass Vulnerability BugTraq ID: 23279 Remote: Yes Date Published: 2007-04-02 Relevant URL: http://www.securityfocus.com/bid/23279 Summary: The Microsoft Windows Vista operating system is prone to a security-restriction-bypass vulnerability because the software fails to properly sanitize user-supplied packet-level data. Attackers can exploit this issue to bypass the security restrictions and gain unauthorized access to restricted sites. This may allow attackers to bypass the security restrictions enforced by the Vista operating system. 15. Microsoft Windows Graphics Rendering Engine EMF File Privilege Escalation Vulnerability BugTraq ID: 23278 Remote: No Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23278 Summary: Microsoft Windows Graphics Rendering Engine is prone to a local privilege-escalation vulnerability when rendering malformed EMF image files. An attacker may exploit this issue to execute arbitrary code with SYSTEM-level privileges, facilitating the complete compromise of affected computers. 16. Microsoft Windows GDI Invalid Window Size Local Privilege Escalation Vulnerability BugTraq ID: 23277 Remote: No Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23277 Summary: Microsoft Windows is prone to a local privilege-escalation vulnerability. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. 17. Microsoft Windows Graphics Device Interface Font Rasterizer Local Privilege Escalation Vulnerability BugTraq ID: 23276 Remote: No Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23276 Summary: Microsoft Windows GDI Font Rasterizer is prone to a local privilege-escalation vulnerability. An attacker can exploit this issue to gain complete control of an affected computer. Failed attempts will likely cause the operating system to crash, resulting in denial-of-service conditions. 18. Microsoft Windows GDI WMF Remote Denial of Service Vulnerability BugTraq ID: 23275 Remote: Yes Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23275 Summary: Microsoft Windows is prone to a remote denial-of-service vulnerability. This issue occurs because the application fails to handle malicious WMF files. This issue may cause Microsoft Windows to crash, denying service to legitimate users. 19. Microsoft Windows Graphics Rendering Engine GDI Local Privilege Escalation Vulnerability BugTraq ID: 23273 Remote: No Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23273 Summary: Microsoft Windows Graphics Rendering Engine is prone to local privilege-escalation vulnerability. Successful exploits may result in a complete compromise of affected computers. 20. Microsoft Windows Vista LLTD Mapper EMIT Packet Remote Denial Of Service Vulnerability BugTraq ID: 23271 Remote: Yes Date Published: 2007-04-03 Relevant URL: http://www.securityfocus.com/bid/23271 Summary: Microsoft Windows Vista is prone to a remote denial-of-service vulnerability because the software fails to handle exceptional conditions. An attacker can exploit this issue to cause a mapping failure, denying further service to legitimate users. 21. Microsoft Windows Vista Teredo Protocol Insecure Connection Weakness BugTraq ID: 23267 Remote: No Date Published: 2007-04-02 Relevant URL: http://www.securityfocus.com/bid/23267 Summary: Microsoft Windows Vista is prone to a weakness that may result in a false sense of security. Teredo protocol can become activated without user interaction, which is contradictory to the documentation. As a result, an affected computer can become vulnerable to attacks that leverage latent Teredo protocol vulnerabilities. 22. Microsoft Windows Vista ARP table Entries Denial of Service Vulnerability BugTraq ID: 23266 Remote: Yes Date Published: 2007-04-02 Relevant URL: http://www.securityfocus.com/bid/23266 Summary: Microsoft Windows Vista is prone to a denial-of-service vulnerability. Remote attackers may exploit this issue by submitting malicious ARP requests to the vulnerable computer. To exploit this issue the attacker must have access to the local network segment of a target computer. A remote attacker can exploit this issue to cause the network interface to stop responding, denying further service to legitimate users. 23. Microsoft Windows Vista LLTD Responder Discovery Packet Spoofing Vulnerability BugTraq ID: 23263 Remote: Yes Date Published: 2007-04-02 Relevant URL: http://www.securityfocus.com/bid/23263 Summary: Microsoft Windows Vista is prone to a vulnerability that permits an attacker to spoof arbitrary hosts through a network-based race condition. An attacker can exploit this issue to impersonate another host on the network. This may lead to further attacks. 24. Ipswitch WS_FTP Long Site Command Buffer Overflow Vulnerability BugTraq ID: 23260 Remote: No Date Published: 2007-04-02 Relevant URL: http://www.securityfocus.com/bid/23260 Summary: Ipswitch WS_FTP is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker may exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service. This issue affects version 5.05; other versions may also be affected. 25. RETIRED: Microsoft Windows SVCHost.EXE Remote Buffer Overflow Vulnerability BugTraq ID: 23255 Remote: Yes Date Published: 2007-04-02 Relevant URL: http://www.securityfocus.com/bid/23255 Summary: Microsoft Windows is prone to a remote buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer. A successful attack will result in denial-of-service conditions. Arbitrary code execution may also be possible, but this has not yet been confirmed. NOTE: This BID is being retired because the reporter has admitted that the issue is a hoax. 26. ImageMagic Multiple Integer Overflow Vulnerabilities BugTraq ID: 23252 Remote: Yes Date Published: 2007-04-02 Relevant URL: http://www.securityfocus.com/bid/23252 Summary: ImageMagic is prone to an integer-overflow vulnerability because it fails to properly validate user-supplied data. An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions. 27. FastStone Image Viewer Unspecified Buffer Overflow Vulnerability BugTraq ID: 23196 Remote: Yes Date Published: 2007-03-29 Relevant URL: http://www.securityfocus.com/bid/23196 Summary: FastStone Image Viewer is prone to an unspecified buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will result in a denial of service. Currently, few details are available regarding this issue. This BID will be updated as more information emerges. This issue affects FastStone Image Viewer 2.8; other versions may also be affected. 28. Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability BugTraq ID: 23194 Remote: Yes Date Published: 2007-03-29 Relevant URL: http://www.securityfocus.com/bid/23194 Summary: Microsoft Windows is prone to a stack buffer-overflow vulnerability because of insufficient format validation that occurs when handling malformed ANI cursor or icon files. An attacker can exploit this issue to execute arbitrary code with the privileges of an unsuspecting user. A successful attack can result in the compromise of affected user accounts and computers. This issue affects Windows Vista, Windows XP SP2, and Windows Server 2003 SP1 when running Internet Explorer 6 and 7; other versions and client applications may also be affected. Microsoft has recently disclosed that Outlook 2007 is not vulnerable, that Windows Mail on Vista is vulnerable in replying to or forwarding emails containing malicious ANI files, and that Outlook Express is vulnerable to this issue. Third-party applications such as browsers that handle ANI files and call the ANI rendering functionality in GDI pose an attack vector for this vulnerability. 29. NaviCopa Web Server GET Request Buffer Overflow Vulnerability BugTraq ID: 23179 Remote: Yes Date Published: 2007-03-28 Relevant URL: http://www.securityfocus.com/bid/23179 Summary: NaviCOPA Web Server is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer. Attackers can exploit this issue to execute arbitrary code with the privileges of the application. Successful attacks will result in the compromise of the application. Failed attempts will likely cause denial-of-service conditions. Version 2.01 is vulnerable; prior versions may also be affected. 30. Microsoft Internet Explorer HTML Denial of Service Vulnerability BugTraq ID: 23178 Remote: Yes Date Published: 2007-03-28 Relevant URL: http://www.securityfocus.com/bid/23178 Summary: Microsoft Internet Explorer is prone to a denial-of-service vulnerability because the application fails to handle exceptional conditions. This issue is triggered when an attacker entices a victim user to visit a malicious website. Remote attackers may exploit this issue to crash Internet Explorer, effectively denying service to legitimate users. This issue affects Internet Explorer version 7. 31. Corel WordPerfect Office PRS Stack Buffer Overflow Vulnerability BugTraq ID: 23177 Remote: Yes Date Published: 2007-03-28 Relevant URL: http://www.securityfocus.com/bid/23177 Summary: Corel WordPerfect Office is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application. A successful attack can result in the compromise of the application. Failed attempts will likely result in denial-of-service conditions. WordPerfect X3 version 13.0.0.565 is vulnerable to this issue; other versions may also be affected. 32. IBM Lotus Domino Web Access Email Message HTML Injection Vulnerability BugTraq ID: 23173 Remote: Yes Date Published: 2007-03-28 Relevant URL: http://www.securityfocus.com/bid/23173 Summary: IBM Lotus Domino Web Access is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker could exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 33. SignKorea SKCommAX ActiveX Control Remote Buffer Overflow Vulnerability BugTraq ID: 23149 Remote: Yes Date Published: 2007-03-26 Relevant URL: http://www.securityfocus.com/bid/23149 Summary: SignKorea SKCommAX ActiveX control is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to insufficiently sized memory buffers. Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of applications that employ the vulnerable controls (typically Microsoft Internet Explorer). SignKorea SKCommAX ActiveX Control 7.2.0.2 and 6.6.0.1 are vulnerable to this issue; other versions may also be vulnerable. III. MICROSOFT FOCUS LIST SUMMARY --------------------------------- 1. Discovering Active Direcory users with blank passwords http://www.securityfocus.com/archive/88/464483 2. SecurityFocus Microsoft Newsletter #335 (fwd) http://www.securityfocus.com/archive/88/464201 IV. UNSUBSCRIBE INSTRUCTIONS ----------------------------- To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website. If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed. V. SPONSOR INFORMATION ------------------------ This Issue is Sponsored by: SPI Dynamics ALERT: "How a Hacker Launches a SQL Injection Attack!"- SPI Dynamics White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CkvN
