SecurityFocus Microsoft Newsletter #341 ----------------------------------------
This Issue is Sponsored by: SPI Dynamics ALERT: Ajax Security Dangers- How Hackers are attacking Ajax Web Apps While Ajax can greatly improve the usability of a Web application, it can also create several opportunities for possible attack if the application is not designed with security in mind. Download this SPI Dynamics white paper. https://download.spidynamics.com/1/ad/AJAX.asp?Campaign_ID=70160000000CoNe SECURITY BLOGS SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks. http://www.securityfocus.com/blogs ------------------------------------------------------------------ I. FRONT AND CENTER 1. Time for a new certification 2. 0wning Vista from the boot II. MICROSOFT VULNERABILITY SUMMARY 1. Microsoft Windows Terminal Services Remote Security Restriction Bypass Vulnerability 2. IBM DB2 Universal Database JDBC Applet Server Unspecified Code Execution Vulnerability 3. Microsoft Word RTF Parsing Remote Code Execution Vulnerability 4. Microsoft SharePoint Server Cross-Site Scripting Vulnerability 5. Microsoft Windows Media Server MDSAuth.DLL ActiveX Control Remote Code Execution Vulnerability 6. Microsoft Office Malformed Drawing Object Remote Code Execution Vulnerability 7. Office OCX OA.OCX Office Viewer ActiveX Denial of Service Vulnerabilities 8. Microsoft Exchange IMAP Command Processing Remote Denial of Service Vulnerability 9. Microsoft Exchange Base64 MIME Message Remote Code Execution Vulnerability 10. Microsoft Exchange iCal Request Remote Denial of Service Vulnerability 11. Microsoft Outlook Web Access Remote Script Injection Vulnerability 12. Microsoft Word Array Remote Code Execution Vulnerability 13. RETIRED: Microsoft May 2007 Advance Notification Multiple Vulnerabilities 14. Office OCX WordViewer.OCX Word Viewer ActiveX Denial of Service Vulnerabilities 15. Microsoft Capicom ActiveX Control Remote Code Execution Vulnerability 16. Cerulean Studios Trillian Pro Rendezvous XMPP HTML Decoding Heap Buffer Overflow Vulnerability 17. Microsoft Excel Filter Records Remote Code Execution Vulnerability 18. Microsoft Excel Set Font Remote Code Execution Vulnerability 19. Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability 20. Microsoft Internet Explorer Object Handling Remote Code Execution Vulnerability 21. Microsoft Internet Explorer HTML Objects Script Errors Variant Remote Code Execution Vulnerability 22. Microsoft Internet Explorer Property Method Remote Code Execution Vulnerability 23. Intervations MailCOPA Subject Parameter Remote Buffer Overflow Vulnerability 24. Microsoft Excel BIFF Record Remote Code Execution Vulnerability 25. EScan Product Agent Service MWAGENT.EXE Security Bypass Vulnerability 26. Atomix MP3 Malformed MP3 File Buffer Overflow Vulnerability 27. Office OCX ExcelViewer.OCX Excel Viewer ActiveX Denial of Service Vulnerabilities 28. ZoneAlarm VSdatant Driver Denial of Service Vulnerability 29. VMware Multiple Denial Of Service Vulnerabilities 30. Cerulean Studios Trillian Multiple IRC Module UTF-8 Vulnerabilities 31. Winamp MP4 File Parsing Buffer Overflow Vulnerability 32. Research In Motion Blackberry TeamOn Import Object ActiveX Control Buffer Overflow Vulnerability III. MICROSOFT FOCUS LIST SUMMARY IV. UNSUBSCRIBE INSTRUCTIONS V. SPONSOR INFORMATION I. FRONT AND CENTER --------------------- 1. Time for a new certification By Don Parker I wrote a column for Securityfocus some time ago that aired my concerns over GIAC dropping the practical portion of their certification process. That column resulted in a lot of feedback, with most agreeing about how GIAC bungled what was up till then, the best certification around. http://www.securityfocus.com/columnists/443 2. 0wning Vista from the boot By Federico Biancuzzi Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the "features" of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1500 bytes), and the chance to use it to bypass Vista's product activation or avoid DRM. http://www.securityfocus.com/columnists/442 II. MICROSOFT VULNERABILITY SUMMARY ------------------------------------ 1. Microsoft Windows Terminal Services Remote Security Restriction Bypass Vulnerability BugTraq ID: 23899 Remote: Yes Date Published: 2007-05-09 Relevant URL: http://www.securityfocus.com/bid/23899 Summary: Microsoft Windows Terminal Services is prone to a remote security-restriction bypass vulnerability. This issue is due to a failure of the server software to properly enforce encryption requirements. This issue allows users to connect to affected servers without utilizing encryption, bypassing security requirements configured by administrators. This may allow attackers to perform man-in-the-middle attacks, or to eavesdrop on RDP sessions. This issue affects Terminal Services installed on Windows 2003 Server; other versions may also be affected. 2. IBM DB2 Universal Database JDBC Applet Server Unspecified Code Execution Vulnerability BugTraq ID: 23890 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23890 Summary: IBM DB2 Universal Database is prone to an unspecified remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the application. Successful attacks can result in the compromise of the application or can cause denial-of-service conditions. Few technical details are currently available. We will update this BID as more information emerges. 3. Microsoft Word RTF Parsing Remote Code Execution Vulnerability BugTraq ID: 23836 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23836 Summary: Microsoft Word is prone to a remote code-execution vulnerability. An attacker could exploit this issue by enticing a victim to open a malicious Word file. Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user. 4. Microsoft SharePoint Server Cross-Site Scripting Vulnerability BugTraq ID: 23832 Remote: Yes Date Published: 2007-05-04 Relevant URL: http://www.securityfocus.com/bid/23832 Summary: Microsoft SharePoint Server is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Note: Symantec has not confirmed that the issue is not specific to the Microsoft SharePoint test server. The most recent version is believed to be affected. This BID will be updated as more information emeges. 5. Microsoft Windows Media Server MDSAuth.DLL ActiveX Control Remote Code Execution Vulnerability BugTraq ID: 23827 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23827 Summary: The Microsoft Windows Media Server ActiveX control is prone to a remote code-execution vulnerability. An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document. Successful exploits will allow attackers to overwrite certain files to execute arbitrary code. This will result in a complete compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions. 6. Microsoft Office Malformed Drawing Object Remote Code Execution Vulnerability BugTraq ID: 23826 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23826 Summary: Microsoft Office is prone to a remote code-execution vulnerability. An attacker may exploit this issue by enticing a victim into opening a malicious Office file. Successful exploits will allow attackers to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions. 7. Office OCX OA.OCX Office Viewer ActiveX Denial of Service Vulnerabilities BugTraq ID: 23811 Remote: Yes Date Published: 2007-05-04 Relevant URL: http://www.securityfocus.com/bid/23811 Summary: Office Viewer ActiveX control is prone to multiple denial-of-service vulnerabilities. Exploiting these issues allows remote attackers to crash applications that employ the vulnerable control (typically Microsoft Internet Explorer). Office Viewer ActiveX Control 3.2.0.5 is reported vulnerable to these issues; other versions may also be affected. 8. Microsoft Exchange IMAP Command Processing Remote Denial of Service Vulnerability BugTraq ID: 23810 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23810 Summary: Microsoft Exchange is prone to a remote denial-of-service vulnerability because it fails to properly handle specially crafted IMAP commands. Successfully exploiting this issue allows remote attackers to cause targeted Exchange servers' mail service to stop responding, thus denying further email service for legitimate users. To recover from the denial-of-service condition, administrators must restart the IIS Admin Service service. 9. Microsoft Exchange Base64 MIME Message Remote Code Execution Vulnerability BugTraq ID: 23809 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23809 Summary: Microsoft Exchange is prone to a remote code-execution vulnerability because the application fails to properly decode specially crafted email messages. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the vulnerable application, which may lead to a complete compromise of affected computers. 10. Microsoft Exchange iCal Request Remote Denial of Service Vulnerability BugTraq ID: 23808 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23808 Summary: Microsoft Exchange is prone to a remote denial-of-service vulnerability because it fails to properly handle unexpected iCal message content. Successfully exploiting this issue allows remote attackers to cause targeted Exchange servers to stop responding to further requests for sending, receiving, or accessing email. As a result, denial-of-service conditions occur for legitimate users of affected servers. A denial-of-service condition will persist until an administrator restarts the Microsoft Exchange Information Store service. 11. Microsoft Outlook Web Access Remote Script Injection Vulnerability BugTraq ID: 23806 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23806 Summary: Microsoft Outlook Web Access is prone to a script-injection vulnerability because the application fails to properly handle specially crafted email attachments. To exploit this issue, attackers must send specially crafted files through email messages to users of the affected application. When users open the file, attacker-supplied script code will be executed in the context of the affected website. Successful exploits allow attackers to access Outlook Web Access sessions with the privileges of the targeted user. As a result, attackers may be able to obtain sensitive information and send, modify, or delete email; other attacks are also possible. 12. Microsoft Word Array Remote Code Execution Vulnerability BugTraq ID: 23804 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23804 Summary: Microsoft Word is prone to a remote code-execution vulnerability. An attacker could exploit this issue by enticing a victim to open a malicious Word file. Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user. 13. RETIRED: Microsoft May 2007 Advance Notification Multiple Vulnerabilities BugTraq ID: 23800 Remote: Yes Date Published: 2007-05-03 Relevant URL: http://www.securityfocus.com/bid/23800 Summary: Microsoft has released advance notification that the vendor will be releasing seven security bulletins on May 8, 2007. The highest severity rating for these issues is 'Critical'. Further details about these issues are not currently available. Individual BIDs will be created for each issue; this record will be removed when the security bulletins are released. These vulnerabilities have been assigned to the following BIDs: 23810 Microsoft Exchange IMAP Command Processing Remote Denial of Service Vulnerability 23780 Microsoft Excel Filter Records Remote Code Execution Vulnerability 23809 Microsoft Exchange Base64 MIME Message Remote Code Execution Vulnerability 23808 Microsoft Exchange iCal Request Remote Denial of Service Vulnerability 23806 Microsoft Outlook Web Access Remote Script Injection Vulnerability 23804 Microsoft Word Array Remote Code Execution Vulnerability 23779 Microsoft Excel Set Font Remote Code Execution Vulnerability 23760 Microsoft Excel BIFF Record Remote Code Execution Vulnerability 23771 Microsoft Internet Explorer Object Handling Remote Code Execution Vulnerability 23836 Microsoft Word RTF Parsing Remote Code Execution Vulnerability 23826 Microsoft Office Malformed Drawing Object Remote Code Execution Vulnerability 23827 Microsoft Windows Media Server MDSAuth.DLL ActiveX Control Remote Code Execution Vulnerability 23782 Microsoft Capicom ActiveX Control Remote Code Execution Vulnerability 23772 Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability 23770 Microsoft Internet Explorer HTML Objects Script Errors Variant Remote Code Execution Vulnerability 23769 Microsoft Internet Explorer Property Method Remote Code Execution Vulnerability 23470 Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability 22567 Microsoft Word 2000/2002 Document Stream Remote Code Execution Vulnerability 19529 Microsoft Internet Explorer CHTSKDIC.DLL Arbitrary Code Execution Vulnerability 21207 Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability 23331 Research In Motion Blackberry TeamOn Import Object ActiveX Control Buffer Overflow Vulnerability 14. Office OCX WordViewer.OCX Word Viewer ActiveX Denial of Service Vulnerabilities BugTraq ID: 23784 Remote: Yes Date Published: 2007-05-03 Relevant URL: http://www.securityfocus.com/bid/23784 Summary: Word Viewer ActiveX control is prone to multiple denial-of-service vulnerabilities. Exploiting these issues allows remote attackers to crash applications that employ the vulnerable control (typically Microsoft Internet Explorer). Word Viewer ActiveX Control 3.2.0.5 is reported vulnerable to these issues; other versions may also be affected. 15. Microsoft Capicom ActiveX Control Remote Code Execution Vulnerability BugTraq ID: 23782 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23782 Summary: The Microsoft CAPICOM ActiveX control is prone to a remote code-execution vulnerability. An attacker could exploit this issue to execute code in the context of the user visiting a malicious web page. 16. Cerulean Studios Trillian Pro Rendezvous XMPP HTML Decoding Heap Buffer Overflow Vulnerability BugTraq ID: 23781 Remote: Yes Date Published: 2007-05-02 Relevant URL: http://www.securityfocus.com/bid/23781 Summary: Trillian is prone to a heap-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service. This issue affects Trillian Pro 3.1 build 121 and prior versions. 17. Microsoft Excel Filter Records Remote Code Execution Vulnerability BugTraq ID: 23780 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23780 Summary: Microsoft Excel is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of a victim user running the application. A successful exploit will result in the compromise of the application and may aid in further attacks. 18. Microsoft Excel Set Font Remote Code Execution Vulnerability BugTraq ID: 23779 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23779 Summary: Microsoft Excel is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of a victim user running the application. A successful exploit will result in the compromise of the application and may aid in further attacks. 19. Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability BugTraq ID: 23772 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23772 Summary: Microsoft Internet Explorer is prone to a remote code-execution vulnerability. This vulnerability is related to how the browser handles script errors in certain situations. An attacker could exploit this issue to execute arbitrary code in the context of the user running the affected browser. This issue affects Internet Explorer 7 running on Windows XP SP2, Windows Server 2003 SP1 and SP2, and on Windows Vista. 20. Microsoft Internet Explorer Object Handling Remote Code Execution Vulnerability BugTraq ID: 23771 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23771 Summary: Microsoft Internet Explorer is prone to a remote code-execution vulnerability. This vulnerability is related to how the browser handles uninitialized or deleted objects. An attacker could exploit this issue to execute arbitrary code in the context of the user running the affected browser. 21. Microsoft Internet Explorer HTML Objects Script Errors Variant Remote Code Execution Vulnerability BugTraq ID: 23770 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23770 Summary: Microsoft Internet Explorer is prone to a remote code-execution vulnerability. This vulnerability is related to how the browser handles script errors in certain situations. An attacker could exploit this issue to execute arbitrary code in the context of the user running the affected browser. This issue affects Internet Explorer 7 running on Windows XP SP2, Windows Server 2003 SP1 and SP2, and on Windows Vista. Microsoft states that this vulnerability is a variant of the issue discussed in BID 23772 (Microsoft Internet Explorer HTML Objects Script Errors Remote Code Execution Vulnerability). 22. Microsoft Internet Explorer Property Method Remote Code Execution Vulnerability BugTraq ID: 23769 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23769 Summary: Microsoft Internet Explorer is prone to remote code-execution vulnerability. A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the vulnerable application. 23. Intervations MailCOPA Subject Parameter Remote Buffer Overflow Vulnerability BugTraq ID: 23767 Remote: Yes Date Published: 2007-05-02 Relevant URL: http://www.securityfocus.com/bid/23767 Summary: MailCOPA is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. An attacker may exploit this issue by enticing victims into opening a malicious email link. Successful exploits may allow attackers to execute arbitrary code in the context of the application. Failed attempts may cause denial-of-service conditions. 24. Microsoft Excel BIFF Record Remote Code Execution Vulnerability BugTraq ID: 23760 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23760 Summary: Microsoft Excel is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of a victim user running the application. A successful exploit will result in the compromise of the application and may aid in further attacks. 25. EScan Product Agent Service MWAGENT.EXE Security Bypass Vulnerability BugTraq ID: 23759 Remote: Yes Date Published: 2007-05-02 Relevant URL: http://www.securityfocus.com/bid/23759 Summary: eScan is prone to a security-bypass vulnerability.. An attacker can exploit this issue to gain access to sensitive information and modify certain configurations in the affected application via arbitrary commands. An attacker with local access to the affected computer can exploit this issue to execute arbitrary commands with SYSTEM-level privileges. A successful local exploit of this issue would result in the complete compromise of affected computers. This issue affects eScan 8.0.671.1 and 9.0.714.1; other versions may also be affected. 26. Atomix MP3 Malformed MP3 File Buffer Overflow Vulnerability BugTraq ID: 23756 Remote: Yes Date Published: 2007-05-02 Relevant URL: http://www.securityfocus.com/bid/23756 Summary: Atomix MP3 is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker could exploit this issue by enticing a victim to load a malicious MP3 file. If successful, the attacker can execute arbitrary code in the context of the affected application. 27. Office OCX ExcelViewer.OCX Excel Viewer ActiveX Denial of Service Vulnerabilities BugTraq ID: 23755 Remote: Yes Date Published: 2007-05-02 Relevant URL: http://www.securityfocus.com/bid/23755 Summary: Excel Viewer ActiveX control is prone to multiple denial-of-service vulnerabilities. Exploiting these issues allows remote attackers to crash applications that employ the vulnerable control (typically Microsoft Internet Explorer). Excel Viewer ActiveX Control 3.1 is reported vulnerable to these issues; other versions may also be affected. 28. ZoneAlarm VSdatant Driver Denial of Service Vulnerability BugTraq ID: 23734 Remote: No Date Published: 2007-05-01 Relevant URL: http://www.securityfocus.com/bid/23734 Summary: ZoneAlarm is prone to a local denial-of-service vulnerability because the application fails to validate its input buffer. An attacker may exploit this issue to crash affected computers, denying service to legitimate users. Arbitrary code execution may be possible, this has not been confirmed. ZoneAlarm Pro 6.5.737.000 and 6.1.744.001 are prone to this issue; other versions may be affected as well. 29. VMware Multiple Denial Of Service Vulnerabilities BugTraq ID: 23732 Remote: Yes Date Published: 2007-05-01 Relevant URL: http://www.securityfocus.com/bid/23732 Summary: VMware is prone to multiple denial-of-service vulnerabilities. An attacker can exploit these issues to cause denial-of-service conditions. Versions prior to 5.5.4 Build 44386 are vulnerable to these issues. 30. Cerulean Studios Trillian Multiple IRC Module UTF-8 Vulnerabilities BugTraq ID: 23730 Remote: Yes Date Published: 2007-05-01 Relevant URL: http://www.securityfocus.com/bid/23730 Summary: Trillian is prone to multiple buffer-overflow issues and an information leak in its IRC module. These issues occur because the application fails to properly bounds-check user-supplied data before copying it into fixed-sized memory buffers and fails to respond properly to exceptional conditions. Remote attackers may exploit these vulnerabilities to execute arbitrary machine code in the context of vulnerable Trillian clients or to steal the contents of client-server communications. Trillian 3.1 is affected. Further reports suggest these issues also affect the MSN and ICQ modules; other modules may also be affected. This BID will be updated pending further investigation. 31. Winamp MP4 File Parsing Buffer Overflow Vulnerability BugTraq ID: 23723 Remote: Yes Date Published: 2007-04-30 Relevant URL: http://www.securityfocus.com/bid/23723 Summary: Winamp is prone to a buffer-overflow vulnerability when it attempts to process certain files. This issue occurs because the application fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized memory buffer. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions. This issue affects Winamp 5.02 through 5.34. UPDATE: The vendor states that this issue will be addressed in Winamp 5.35. 32. Research In Motion Blackberry TeamOn Import Object ActiveX Control Buffer Overflow Vulnerability BugTraq ID: 23331 Remote: Yes Date Published: 2007-05-08 Relevant URL: http://www.securityfocus.com/bid/23331 Summary: The Blackberry TeamOn Import Object ActiveX control is prone to a buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before using it in an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary machine-code on a vulnerable computer in the context of the victim running the affected application. III. MICROSOFT FOCUS LIST SUMMARY --------------------------------- IV. UNSUBSCRIBE INSTRUCTIONS ----------------------------- To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website. If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed. V. SPONSOR INFORMATION ------------------------ This Issue is Sponsored by: SPI Dynamics ALERT: Ajax Security Dangers- How Hackers are attacking Ajax Web Apps While Ajax can greatly improve the usability of a Web application, it can also create several opportunities for possible attack if the application is not designed with security in mind. Download this SPI Dynamics white paper. https://download.spidynamics.com/1/ad/AJAX.asp?Campaign_ID=70160000000CoNe
