SecurityFocus Microsoft Newsletter #347
----------------------------------------

This Issue is Sponsored by: VeriSign

Increase customer confidence at transaction time with the latest breakthrough 
in online security - Extended Validation SSL from VeriSign. Extended Validation 
triggers a green address bar in Microsoft IE7, which proves site identity.  
Learn more at:

http://clk.atdmt.com/SFI/go/srv0890000047sfi/direct/01/


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying 
topics of interest for our community. We are proud to offer content from 
Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I.   FRONT AND CENTER
       1. Embedded Problems
       2. Security Analogies
II.  MICROSOFT VULNERABILITY SUMMARY
       1. Avaya 4602SW SIP Phone Security Bypass Vulnerability
       2. Avaya One-X Desktop Edition SIP Header Denial Of Service Vulnerability
       3. Avaya 4602SW SIP Phone Cnonce Parameter Authentication Spoofing Vulnerability
       4. Nortel Networks PC Client Soft Phone SIP Message Parsing Module Denial of Service Vulnerability
       5. RealNetworks GameHouse GHDLCTL.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities
       6. AOL Instant Messenger SIP Invite Message Denial of Service Vulnerability
       7. Nortel Networks PC Client Soft Phone Message Parsing Module Buffer Overflow Vulnerability
       8. Avaya One-X Desktop Edition Phone SIP Remote Buffer Overflow Vulnerability
       9. Cerulean Studios Trillian Word Wrapping UTF-8 Encoded String Heap Buffer Overflow Vulnerability
       10. Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities
       11. Microsoft Office MSODataSourceControl ActiveX Control Buffer Overflow Vulnerability
       12. OpenOffice RTF File Parser Buffer Overflow Vulnerability
       13. RETIRED: Microsoft Internet Explorer Navigation Cancel Webpage Spoofing Vulnerability
       14. Apple Safari for Windows Unspecified SVG Parse Engine Multiple Unspecified Vulnerabilities
       15. Microsoft Windows CE .NET Compact Framework Components Multiple Vulnerabilities
       16. TEC-IT TBarCode OCX ActiveX Control Arbitrary File Overwrite Vulnerability
       17. Microsoft Internet Explorer Language Pack Installation Remote Code Execution Vulnerability
       18. Microsoft Windows CE MSXML Multiple Vulnerabilities
       19. Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerabilities
       20. Microsoft Internet Explorer CSS Tag Memory Corruption Vulnerability
       21. Microsoft Internet Explorer Prototype Variable Uninitialized Memory Corruption Vulnerability
       22. Microsoft Windows SChannel Security Remote Code Execution Vulnerability
       23. Microsoft Windows Vista Permissive User Information Store ACLs Information Disclosure Vulnerability
       24. Microsoft Outlook Express Content Disposition Parsing Information Disclosure Vulnerability
       25. Microsoft Outlook Express MHTML URL Parsing Information Disclosure Vulnerability
       26. Microsoft Visio Packed Objects Remote Code Execution Vulnerability
       27. Microsoft Internet Explorer URLMON.DLL COM Object Instantiation Remote Code Execution Vulnerability
       28. Microsoft Visio Version Number Remote Code Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
       1. SecurityFocus Microsoft Newsletter #346
IV.  UNSUBSCRIBE INSTRUCTIONS
V.   SPONSOR INFORMATION

I.   FRONT AND CENTER
---------------------
1. Embedded Problems
By Federico Biancuzzi
Federico Biancuzzi interviews Barnaby Jack to discuss the vector rewrite 
attack, which architectures are vulnerable, how to defend the integrity of the 
exception vector table, some firmware extraction methods, and what bad things 
you can do on a cheap SOHO router.
http://www.securityfocus.com/columnists/446

2. Security Analogies
By Scott Granneman
Scott Granneman discusses security analogies and their function in educating 
the masses on security concepts.
http://www.securityfocus.com/columnists/445


II.  MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Avaya 4602SW SIP Phone Security Bypass Vulnerability
BugTraq ID: 24544
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24544
Summary:
The Avaya 4602SW SIP Phone is prone to a security-bypass vulnerability because 
it accepts SIP requests from random source IP addresses.

An attacker can exploit this issue to bypass security restrictions. The 
attacker may then be able to transmit malicious messages to the device.

This issue affects the Avaya 4602 SW IP Phone (Model 4602D02A).

2. Avaya One-X Desktop Edition SIP Header Denial Of Service Vulnerability
BugTraq ID: 24541
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24541
Summary:
Avaya one-X Desktop Edition phone is prone to a remote denial-of-service 
vulnerability.

An attacker can exploit this issue to crash the phone, denying service to 
legitimate users.

Versions 2.1.0.70 and prior are vulnerable.

3. Avaya 4602SW SIP Phone Cnonce Parameter Authentication Spoofing Vulnerability
BugTraq ID: 24539
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24539
Summary:
The Avaya 4602SW SIP Phone and SIP call server are prone to an 
authentication-spoofing vulnerability.

This allows an attacker to impersonate a SIP call server, compromising the 
confidentiality of a victim's phone conversations.

4. Nortel Networks PC Client Soft Phone SIP Message Parsing Module Denial of 
Service Vulnerability
BugTraq ID: 24536
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24536
Summary:
Nortel Networks PC Client Soft Phone is prone to a remote denial-of-service 
vulnerability, because the application fails to properly handle malformed data.

Successful exploits can allow remote attackers to crash the affected 
application, denying further service to legitimate users.

5. RealNetworks GameHouse GHDLCTL.DLL ActiveX Control Multiple Buffer Overflow 
Vulnerabilities
BugTraq ID: 24534
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24534
Summary:
The RealNetworks GameHouse dldisplay ActiveX Control is prone to multiple 
buffer-overflow vulnerabilities because the application fails to bounds-check 
user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting these issues allows remote attackers to execute 
arbitrary code in the context of the application using the GameHouse 
application. Failed exploit attempts will likely result in denial-of-service 
conditions.

An attacker may exploit these issues by enticing victims into visiting a 
maliciously crafted web page.

6. AOL Instant Messenger SIP Invite Message Denial of Service Vulnerability
BugTraq ID: 24533
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24533
Summary:
AOL Instant Messenger is prone to a denial-of-service vulnerability because the 
application fails to handle specially crafted SIP messages.

An attacker can exploit this issue to crash the affected application, denying 
service to legitimate users.

This issue affects AOL Instant Messenger 6.1.32.1; prior versions may also be 
affected.

7. Nortel Networks PC Client Soft Phone Message Parsing Module Buffer Overflow 
Vulnerability
BugTraq ID: 24531
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24531
Summary:
Nortel Networks PC Client soft phone is prone to a buffer-overflow 
vulnerability because the application fails to properly bounds-check 
user-supplied data before copying it to an insufficiently sized memory buffer.

Successful exploits can allow remote attackers to execute arbitrary machine 
code in the context of the affected application. Failed exploit attempts will 
likely result in denial-of-service conditions.

8. Avaya One-X Desktop Edition Phone SIP Remote Buffer Overflow Vulnerability
BugTraq ID: 24530
Remote: Yes
Date Published: 2007-06-19
Relevant URL: http://www.securityfocus.com/bid/24530
Summary:
Avaya One-X Desktop Edition phone is prone to a remote buffer-overflow 
vulnerability because it fails to perform adequate boundary checks on 
user-supplied input.

An attacker can exploit this issue to disable the call receiving functionality 
of affected phones.

Versions 2.1.0.70 and prior are vulnerable.

9. Cerulean Studios Trillian Word Wrapping UTF-8 Encoded String Heap Buffer 
Overflow Vulnerability
BugTraq ID: 24523
Remote: Yes
Date Published: 2007-06-18
Relevant URL: http://www.securityfocus.com/bid/24523
Summary:
Trillian is prone to a heap-based buffer-overflow vulnerability because the 
application fails to bounds-check user-supplied data before copying it into an 
insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with the 
privileges of the currently logged-in user. Failed exploit attempts will result 
in a denial of service.

This issue affects Trillian 3.1.5.1; prior versions may also be affected.

10. Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities
BugTraq ID: 24491
Remote: No
Date Published: 2007-06-15
Relevant URL: http://www.securityfocus.com/bid/24491
Summary:
Kaspersky Internet Security 6 is prone to multiple local vulnerabilities.

Exploiting these vulnerabilities allows local attackers to crash affected 
computers, denying service to legitimate users. Attackers might also be able to 
gain elevated privileges by executing arbitrary machine code in the context of 
the kernel, but this has not been confirmed.

Kaspersky Internet Security 6.0.2.614 and 6.0.2.621 are vulnerable; other 
versions may also be affected.

NOTE: These issues may be related to BID 23326 (Kaspersky Internet Security 
Suite Klif.SYS Drive Local Heap Overflow Vulnerability), but this has not been 
confirmed. If we find that this BID is a duplicate, we will retire it and merge 
its information into BID 23326.

11. Microsoft Office MSODataSourceControl ActiveX Control Buffer Overflow 
Vulnerability
BugTraq ID: 24462
Remote: Yes
Date Published: 2007-06-13
Relevant URL: http://www.securityfocus.com/bid/24462
Summary:
Microsoft Office MSODataSourceControl ActiveX Control is prone to a 
buffer-overflow vulnerability because the application fails to bounds-check 
user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary 
code in the context of the application using the ActiveX control (typically 
Internet Explorer). Failed exploit attempts will likely result in 
denial-of-service conditions.

12. OpenOffice RTF File Parser Buffer Overflow Vulnerability
BugTraq ID: 24450
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24450
Summary:
OpenOffice is prone to a remote heap-based buffer-overflow vulnerability 
because the application fails to bounds-check user-supplied data before copying 
it into an insufficiently sized buffer.

Remote attackers may exploit this issue by enticing victims into opening 
maliciously crafted RTF files.

An attacker can exploit this issue to execute arbitrary code within the context 
of the affected application. Failed exploit attempts will result in a denial of 
service.

13. RETIRED: Microsoft Internet Explorer Navigation Cancel Webpage Spoofing 
Vulnerability
BugTraq ID: 24448
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24448
Summary:
Microsoft Internet Explorer is prone to a webpage-spoofing vulnerability.

Attackers may exploit this vulnerability via a malicious webpage to spoof the 
contents of the Navigation canceled page. This may assist in phishing or other 
attacks that rely on content spoofing.

NOTE: This BID is being retired because this issue was previously reported in 
BID 22966: Microsoft Internet Explorer NavCancel.HTM Cross-Site Scripting 
Vulnerability.

14. Apple Safari for Windows Unspecified SVG Parse Engine Multiple Unspecified 
Vulnerabilities
BugTraq ID: 24446
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24446
Summary:
Apple Safari for Microsoft Windows is prone to multiple unspecified 
vulnerabilities.

Few technical details are currently available. We will update this BID as more 
information emerges.

Safari 3 public beta for Windows is reported vulnerable.

15. Microsoft Windows CE .NET Compact Framework Components Multiple 
Vulnerabilities
BugTraq ID: 24444
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24444
Summary:
Components of the .NET Compact Framework for Microsoft Windows CE are prone to 
multiple vulnerabilities.

Exploiting these issues may allow remote attackers to cause denial-of-service 
conditions, corrupt memory, or execute arbitrary machine code in the context of 
the affected application. This facilitates the remote compromise of affected 
computers. Other attacks are also possible.

16. TEC-IT TBarCode OCX ActiveX Control Arbitrary File Overwrite Vulnerability
BugTraq ID: 24440
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24440
Summary:
TBarCode ActiveX control is prone to a vulnerability that could permit an 
attacker to overwrite arbitrary files.

The attacker can exploit this issue to overwrite arbitrary files on the 
victim's computer in the context of the vulnerable application using the 
ActiveX control (typically Internet Explorer).

17. Microsoft Internet Explorer Language Pack Installation Remote Code 
Execution Vulnerability
BugTraq ID: 24429
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24429
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability 
because of a race condition in its language-pack installation support.

A remote attacker can exploit this issue to execute arbitrary code in the 
context of the user running the vulnerable application.

18. Microsoft Windows CE MSXML Multiple Vulnerabilities
BugTraq ID: 24428
Remote: Yes
Date Published: 2007-06-11
Relevant URL: http://www.securityfocus.com/bid/24428
Summary:
Microsoft Windows CE is prone to multiple denial-of-service vulnerabilities and 
a cross-site scripting vulnerability.

An attacker can exploit these issues to cause infinite-loop conditions and 
denial-of-service conditions or to run arbitrary script code in the browser of 
an unsuspecting user in the context of the affected site. This may help the 
attacker steal cookie-based authentication credentials and launch other attacks.

19. Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer 
Overflow Vulnerabilities
BugTraq ID: 24426
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24426
Summary:
Microsoft Internet Explorer is prone to multiple buffer-overflow 
vulnerabilities when instantiating certain COM objects.

An attacker may exploit these issues by enticing victims into opening a 
maliciously crafted webpage.

Successfully exploiting these issues allows remote attackers to execute 
arbitrary machine code in the context of the affected application, facilitating 
the remote compromise of affected computers.

20. Microsoft Internet Explorer CSS Tag Memory Corruption Vulnerability
BugTraq ID: 24423
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24423
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability 
because the application fails to properly handle certain CSS data.

A remote attacker can exploit this issue to execute arbitrary code in the 
context of the user running the vulnerable application.

21. Microsoft Internet Explorer Prototype Variable Uninitialized Memory 
Corruption Vulnerability
BugTraq ID: 24418
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24418
Summary:
Microsoft Internet Explorer is prone to a memory-corruption vulnerability when 
accessing objects that are improperly instantiated or deleted.

An attacker may exploit this issue by enticing victims into opening a 
maliciously crafted webpage.

Successfully exploiting this issue allows remote attackers to execute 
arbitrary machine code in the context of the affected application, facilitating 
the remote compromise of affected computers.

22. Microsoft Windows SChannel Security Remote Code Execution Vulnerability
BugTraq ID: 24416
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24416
Summary:
The Microsoft Windows Schannel security package is prone to a remote 
code-execution vulnerability.

This vulnerability occurs when the client application processes and validates 
server-sent digital signatures.

A remote attacker could exploit this issue by convincing a victim to visit a 
malicious website. Remote code execution is possible, but may be extremely 
difficult. In most cases, denial-of-service conditions will occur.

23. Microsoft Windows Vista Permissive User Information Store ACLs Information 
Disclosure Vulnerability
BugTraq ID: 24411
Remote: No
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24411
Summary:
Microsoft Windows Vista is prone to a local information-disclosure 
vulnerability.

Local attackers can exploit this issue to obtain sensitive information that may 
allow them to gain unauthorized access to the affected computer.

24. Microsoft Outlook Express Content Disposition Parsing Information 
Disclosure Vulnerability
BugTraq ID: 24410
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24410
Summary:
Outlook Express is prone to a cross-domain information-disclosure vulnerability.

This vulnerability may let a malicious website access properties of a site in 
an arbitrary external domain in the context of the victim's browser. Attackers 
could exploit this issue to access sensitive information (such as cookies or 
passwords) that is associated with the external domain.

25. Microsoft Outlook Express MHTML URL Parsing Information Disclosure 
Vulnerability
BugTraq ID: 24392
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24392
Summary:
Outlook Express is prone to a cross-domain information-disclosure vulnerability.

This vulnerability may let a malicious website access properties of a site in 
an arbitrary external domain in the context of the victim user's browser. 
Attackers could exploit this issue to gain access to sensitive information 
(such as cookies or passwords) that is associated with the external domain.

26. Microsoft Visio Packed Objects Remote Code Execution Vulnerability
BugTraq ID: 24384
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24384
Summary:
Microsoft Visio is prone to a remote code-execution vulnerability because it 
fails to adequately handle user-supplied data.

Attackers can exploit this issue to execute arbitrary code in the context of 
the user running the application. Failed exploit attempts will result in a 
denial-of-service condition.

27. Microsoft Internet Explorer URLMON.DLL COM Object Instantiation Remote Code 
Execution Vulnerability
BugTraq ID: 24372
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24372
Summary:
Microsoft Internet Explorer is prone to a remote code-execution vulnerability.

A remote attacker can exploit this issue to execute arbitrary code in the 
context of the user running the vulnerable application.

28. Microsoft Visio Version Number Remote Code Execution Vulnerability
BugTraq ID: 24349
Remote: Yes
Date Published: 2007-06-12
Relevant URL: http://www.securityfocus.com/bid/24349
Summary:
Microsoft Visio is prone to a remote code-execution vulnerability because it 
fails to adequately validate user-supplied data.

Attackers can exploit this issue to execute arbitrary code in the context of 
the user running the application. Failed attempts will result in 
denial-of-service conditions.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #346
http://www.securityfocus.com/archive/88/471449

IV.  UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to [EMAIL PROTECTED] from the subscribed 
address. The contents of the subject or message body do not matter. You will 
receive a confirmation request message, to which you will have to reply. 
Alternatively, you can visit http://www.securityfocus.com/newsletters and 
unsubscribe via the website.

If your email address has changed, email [EMAIL PROTECTED] and ask to be 
manually removed.
