SecurityFocus Microsoft Newsletter #356 ----------------------------------------
This Issue is Sponsored by: EMC Register for live VMWare Management Webcast by EMC Learn best practices for leveraging and optimizing a VMware infrastructure with EMC ControlCenter. http://newsletter.industrybrains.com/c?fe;1;6dfcc;1a084;3c3;0;da4 SECURITY BLOGS SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks. http://www.securityfocus.com/blogs ------------------------------------------------------------------ I. FRONT AND CENTER 1. Virtualized rootkits - Part 1 2. Delete This! II. MICROSOFT VULNERABILITY SUMMARY 1. IBM Lotus Notes NTMulti.EXE Local Privilege Escalation Vulnerability 2. Clam AntiVirus ClamAV Multiple Remote Denial of Service Vulnerabilities 3. Trend Micro Anti-Spyware And PC-cillin SSAPI Engine Local Stack Buffer Overflow Vulnerability 4. Check Point Zone Labs Multiple Products Local Privilege Escalation Vulnerabilities 5. Toribash Multiple Vulnerabilities 6. rFactor Multiple Vulnerabilities 7. Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow Vulnerability 8. Lhaz Unspecified Remote Code Execution Vulnerability 9. EDraw Office Viewer Component ActiveX Control Arbitrary File Overwrite Vulnerability 10. IBM DB2 Universal Database Multiple Unspecified Vulnerabilities 11. Symantec Enterprise Firewall Username Enumeration Weakness 12. Cisco VPN Client for Windows Multiple Local Privilege Escalation Vulnerabilities 13. RndLabs Babo Violent 2 Multiple Vulnerabilities 14. EFS Software Easy Chat Server Authentication Request Handling Remote Denial Of Service Vulnerability 15. Live For Speed Multiple Vulnerabilities 16. Zoidcom Malformed Packet Denial of Service Vulnerability 17. Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities 18. Diskeeper DKService.EXE Remote Information Disclosure Vulnerability 19. Microsoft Internet Explorer Vector Markup Language VGX.DLL Remote Buffer Overflow Vulnerability 20. Microsoft Windows Media Player Remote Skin Decompression Code Execution Vulnerability 21. Windows Vista Weather Gadget Remote Code Execution Vulnerability 22. Microsoft Windows Media Player Remote Skin Header Code Execution Vulnerability 23. Windows Vista Contacts Gadget Remote Code Execution Vulnerability 24. Qbik WinGate SMTP Service Command Format String Vulnerability 25. Microsoft Windows GDI Metafiles AttemptWrite Remote Code Execution Vulnerability 26. Microsoft XML Core Services SubstringData Integer Overflow Vulnerability 27. WengoPhone SIP Soft Phone Malformed Packet Denial of Service Vulnerability 28. CounterPath X-Lite SIP Soft Phone Malformed Packet Denial of Service Vulnerability 29. Microsoft Virtual PC and Virtual Server Heap Overflow Vulnerability 30. MS Visual Basic 6 Package and Deployment Wizard ActiveX Control Remote Code Execution Vulnerability 31. Microsoft Internet Explorer CSS Strings Memory Corruption Vulnerability 32. Windows Vista Feed Headlines Gadget Remote Code Execution Vulnerability 33. Microsoft OLE Automation SubstringData Function Integer Overflow Vulnerability 34. Microsoft Excel Worksheet Index Value Remote Code Execution Vulnerability 35. Symantec Altiris Deployment Solution Local Privilege Escalation Vulnerability III. MICROSOFT FOCUS LIST SUMMARY 1. SecurityFocus Microsoft Newsletter #355 2. Password complexity - improvement IV. UNSUBSCRIBE INSTRUCTIONS V. SPONSOR INFORMATION I. FRONT AND CENTER --------------------- 1. Virtualized rootkits - Part 1 By Federico Biancuzzi There has been a lot of buzz around the topic of virtualized rootkits. Joanna Rutkowska has been working on a new version of Blue-Pill, her proof of concept invisible rootkit, while a team made by three prominent security experts (Thomas Ptacek, Nate Lawson, Peter Ferrie) challenged her that there is not an "invisible" rootkit, and that they were going to present at BlackHat conference various techniques to detect Blue-Pill. Federico Biancuzzi interviewed both sides to learn more. Part 1 of 2 http://www.securityfocus.com/columnists/451 2. Delete This! By Mark Rasch A series of legal events means that companies that have no business reason to retain documents or records may be compelled to create and retain such records just so they can become available for discovery. http://www.securityfocus.com/columnists/450 II. MICROSOFT VULNERABILITY SUMMARY ------------------------------------ 1. IBM Lotus Notes NTMulti.EXE Local Privilege Escalation Vulnerability BugTraq ID: 25401 Remote: No Date Published: 2007-08-22 Relevant URL: http://www.securityfocus.com/bid/25401 Summary: IBM Lotus Notes is prone to a local privilege-escalation vulnerability because it fails to assigned proper file permissions during installation. Attackers can exploit this issue to run arbitrary applications with SYSTEM-level privileges. Successful attacks will completely compromise affected computers. NOTE: This issue may be related to the one covered under BID 20612. This has not been confirmed. This BID will be updated as further information becomes available. 2. Clam AntiVirus ClamAV Multiple Remote Denial of Service Vulnerabilities BugTraq ID: 25398 Remote: Yes Date Published: 2007-08-21 Relevant URL: http://www.securityfocus.com/bid/25398 Summary: ClamAV is prone to multiple denial-of-service vulnerabilities. A successful attack may allow an attacker to crash the application and deny service to users. ClamAV versions prior to 0.91.2 are vulnerable to these issues. 3. Trend Micro Anti-Spyware And PC-cillin SSAPI Engine Local Stack Buffer Overflow Vulnerability BugTraq ID: 25388 Remote: No Date Published: 2007-08-21 Relevant URL: http://www.securityfocus.com/bid/25388 Summary: Trend Micro Anti-Spyware and PC-cillin Internet Security are prone to a local stack buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. This issue affects a library in Trend Micro's SSAPI Engine. Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. This may facilitate a complete compromise of vulnerable servers. Failed exploit attempts will likely result in denial-of-service conditions. Trend Micro Anti-Spyware for Consumer version 3.5 and PC-cillin Internet Security 2007 are vulnerable. 4. Check Point Zone Labs Multiple Products Local Privilege Escalation Vulnerabilities BugTraq ID: 25365 Remote: No Date Published: 2007-08-20 Relevant URL: http://www.securityfocus.com/bid/25365 Summary: Multiple Check Point ZoneLabs products are prone to multiple local privilege-escalation vulnerabilities. Successfully exploiting these issues allows local attackers to execute arbitrary code with elevated privileges, facilitating the complete compromise of affected computers. ZoneAlarm versions prior to 7.0.362 are vulnerable, as well as ZoneLabs products that include 'vsdatant.sys' version 6.5.737.0. 5. Toribash Multiple Vulnerabilities BugTraq ID: 25359 Remote: Yes Date Published: 2007-08-18 Relevant URL: http://www.securityfocus.com/bid/25359 Summary: Toribash is prone to multiple remote code execution and denial of service vulnerabilities that affect game servers and clients. A total of seven vulnerabilties were reported. These vulnerabilities may be exploited to execute arbitrary code in the content of the game server and game client or deny service to both servers and clients. 6. rFactor Multiple Vulnerabilities BugTraq ID: 25358 Remote: Yes Date Published: 2007-08-18 Relevant URL: http://www.securityfocus.com/bid/25358 Summary: rFactor is prone to multiple code execution and denial of service vulnerabilities. Four vulnerabilities were reported. This vulnerabilities may be triggered by malicious client requests. Successful exploits could crash the game server or let remote attackers execute arbitrary code on the computer hosting the affected software. 7. Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow Vulnerability BugTraq ID: 25357 Remote: Yes Date Published: 2007-08-18 Relevant URL: http://www.securityfocus.com/bid/25357 Summary: Mercury Mail Transport System is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on when handling AUTH CRAM-MD5 requests. Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Successful exploits will compromise the computer. Failed exploit attempts will result in a denial of service. Versions prior to Mercury/32 v4.52 and Mercury/NLM v1.49 are vulnerable. 8. Lhaz Unspecified Remote Code Execution Vulnerability BugTraq ID: 25351 Remote: Yes Date Published: 2007-08-17 Relevant URL: http://www.securityfocus.com/bid/25351 Summary: Lhaz is prone to an unspecified remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. This issue affects Lhaz version 1.33; other versions may also be affected. 9. EDraw Office Viewer Component ActiveX Control Arbitrary File Overwrite Vulnerability BugTraq ID: 25344 Remote: Yes Date Published: 2007-08-16 Relevant URL: http://www.securityfocus.com/bid/25344 Summary: The EDraw Office Viewer Component ActiveX Control is prone to an arbitrary file-overwrite vulnerability. An attacker can exploit this issue to overwrite files with arbitrary, attacker-controlled content. This will aid in further attacks. Version 5.1 of the control is vulnerable to this issue; other versions may also be affected. 10. IBM DB2 Universal Database Multiple Unspecified Vulnerabilities BugTraq ID: 25339 Remote: Yes Date Published: 2007-08-16 Relevant URL: http://www.securityfocus.com/bid/25339 Summary: IBM DB2 is prone to multiple vulnerabilities that may allow an attacker to carry out a variety of attacks. It is possible that some of these issues may permit an attacker to completely compromise a vulnerable computer. These issues affect DB2 9.1 and 8 running on all supported platforms. 11. Symantec Enterprise Firewall Username Enumeration Weakness BugTraq ID: 25338 Remote: Yes Date Published: 2007-08-16 Relevant URL: http://www.securityfocus.com/bid/25338 Summary: Symantec Enterprise Firewall is prone to a username-enumeration weakness. An attacker can exploit this issue to enumerate valid user names. This may aid in further attacks. 12. Cisco VPN Client for Windows Multiple Local Privilege Escalation Vulnerabilities BugTraq ID: 25332 Remote: No Date Published: 2007-08-15 Relevant URL: http://www.securityfocus.com/bid/25332 Summary: Cisco VPN Client for Windows is prone to multiple local privilege-escalation vulnerabilities. Successfully exploiting these issues allows attackers with local, interactive access to affected computers to gain SYSTEM-level privileges. This facilitates the complete compromise of affected computers. Versions prior to 4.8.02.0010 and 5.0.01.0600 of Cisco VPN Client for the Microsoft Windows platform are vulnerable to these issues. These issues are tracked as Cisco Bug IDs CSCse89550 and CSCsj00785. 13. RndLabs Babo Violent 2 Multiple Vulnerabilities BugTraq ID: 25329 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25329 Summary: Babo Violent 2 is prone to four vulnerabilities. These vulnerabilities include a format-string and three denial-of-service issues. Successful attacks could result in execution of arbitrary code or could crash game servers. 14. EFS Software Easy Chat Server Authentication Request Handling Remote Denial Of Service Vulnerability BugTraq ID: 25328 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25328 Summary: Easy Chat Server is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to crash the server, denying access to legitimate users. Easy Chat Server 2.2 is reported to be vulnerable; other versions may also be affected. 15. Live For Speed Multiple Vulnerabilities BugTraq ID: 25327 Remote: No Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25327 Summary: Live For Speed is prone to four vulnerabilities. These vulnerabilities include buffer overflows and denial of service issues. Successful exploits could result in execution of arbitrary code or could crash game servers. 16. Zoidcom Malformed Packet Denial of Service Vulnerability BugTraq ID: 25326 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25326 Summary: The Zoidcom network library is prone to a denial of service vulnerability when handling malformed packets. An attacker could exploit this to crash a network service that is implemented with the library. 17. Drupal Content Construction Kit Nodereference Module Multiple HTML-injection Vulnerabilities BugTraq ID: 25321 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25321 Summary: Drupal Content Construction Kit is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before displaying it in dynamically generated content. An attacker could exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 18. Diskeeper DKService.EXE Remote Information Disclosure Vulnerability BugTraq ID: 25320 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25320 Summary: Diskeeper is prone to an information-disclosure vulnerability because it fails to restrict access to a certain RPC function. This issue can be exploited to gain access to potentially sensitive information stored at arbitrary attacker-supplied memory addresses. Information gained could aid in further attacks. Supplying a bad memory address will cause denial-of-service conditions. Diskeeper 9 Professional, Diskeeper 10 Professional and Diskeeper 2007 Pro Premier are vulnerable; other versions may also be affected. 19. Microsoft Internet Explorer Vector Markup Language VGX.DLL Remote Buffer Overflow Vulnerability BugTraq ID: 25310 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25310 Summary: Microsoft Internet Explorer is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when rendering VML (Vector Markup Language) graphics. Attackers can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Successful attacks may facilitate the remote compromise of affected computers. Failed attacks will likely cause denial-of-service conditions. 20. Microsoft Windows Media Player Remote Skin Decompression Code Execution Vulnerability BugTraq ID: 25307 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25307 Summary: Microsoft Windows Media Player is prone to a remote code-execution vulnerability when handling specially crafted compressed skin files. Attackers exploit this issue by coercing unsuspecting users to download and open Windows Media Player skin files (WMZ or WMD files). Successful exploits allow attackers to execute arbitrary code in the context of the vulnerable application. This facilitates the remote compromise of affected computers. 21. Windows Vista Weather Gadget Remote Code Execution Vulnerability BugTraq ID: 25306 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25306 Summary: Windows Vista is prone to a remote code-execution vulnerability because it fails to adequately validate certain HTML attributes. Attackers can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Successful attacks may facilitate the remote compromise of affected computers. 22. Microsoft Windows Media Player Remote Skin Header Code Execution Vulnerability BugTraq ID: 25305 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25305 Summary: Microsoft Windows Media Player is prone to a remote code-execution vulnerability when handling specially crafted skin files. Attackers exploit this issue by coercing unsuspecting users to download and open Windows Media Player skin files (WMZ or WMD files). Note that users must attempt to apply the skin files. Successful exploits allow attackers to execute arbitrary code in the context of the vulnerable application. This facilitates the remote compromise of affected computers. 23. Windows Vista Contacts Gadget Remote Code Execution Vulnerability BugTraq ID: 25304 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25304 Summary: Windows Vista is prone to a remote code-execution vulnerability because it fails to adequately sanitize user-supplied data. Attackers exploit this issue by coercing unsuspecting users to add or import malicious contact files. Attackers can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Successful attacks may facilitate the remote compromise of affected computers. 24. Qbik WinGate SMTP Service Command Format String Vulnerability BugTraq ID: 25303 Remote: Yes Date Published: 2007-08-13 Relevant URL: http://www.securityfocus.com/bid/25303 Summary: Qbik WinGate is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function. A remote attacker may execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial of service. This issue affects Qbik WinGate 6.2.1; other versions may also be affected. 25. Microsoft Windows GDI Metafiles AttemptWrite Remote Code Execution Vulnerability BugTraq ID: 25302 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25302 Summary: Microsoft Windows is prone to a remote code-execution vulnerability because it fails to properly bounds-check user-supplied metafile data. Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of users viewing malicious files. This facilitates the remote compromise of affected computers. 26. Microsoft XML Core Services SubstringData Integer Overflow Vulnerability BugTraq ID: 25301 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25301 Summary: Microsoft XML Core Services is prone to an integer-overflow vulnerability. This issue occursw because the application fails to ensure that integer values are not overrun. Attackers can exploit this issue by enticing unsuspecting users to view malicious web content. Specially crafted scripts could issue requests to MSXML that trigger memory corruption. Successfully exploiting this issue allows remote attackers to corrupt heap-memory and execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. 27. WengoPhone SIP Soft Phone Malformed Packet Denial of Service Vulnerability BugTraq ID: 25300 Remote: Yes Date Published: 2007-08-13 Relevant URL: http://www.securityfocus.com/bid/25300 Summary: WengoPhone is prone to a denial-of-service vulnerability because the application fails to properly handle malformed data. Successful exploits can allow remote attackers to crash the application, resulting in denial-of-service conditions. This issue affects WengoPhone 2.1; other versions may also be affected. 28. CounterPath X-Lite SIP Soft Phone Malformed Packet Denial of Service Vulnerability BugTraq ID: 25299 Remote: Yes Date Published: 2007-08-13 Relevant URL: http://www.securityfocus.com/bid/25299 Summary: CounterPath X-Lite is prone to a denial-of-service vulnerability because the application fails to properly handle malformed data. Successful exploits can allow remote attackers to crash the application, resulting in denial-of-service conditions. This issue affects X-Lite 3.0; other versions may also be affected. 29. Microsoft Virtual PC and Virtual Server Heap Overflow Vulnerability BugTraq ID: 25298 Remote: No Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25298 Summary: Microsoft Virtual PC and Virtual Server are prone to a local heap-overflow vulnerability. To exploit this issue, attackers must have administrative privileges for the guest operating system. Attackers may exploit this issue to execute arbitrary code in the context of the host operating system or another guest operating system. Successful exploits can result in a compromise of vulnerable computers. 30. MS Visual Basic 6 Package and Deployment Wizard ActiveX Control Remote Code Execution Vulnerability BugTraq ID: 25295 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25295 Summary: The Microsoft Visual Basic 6 Package and Deployment Wizard ActiveX control is prone to a remote code-execution vulnerability. An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions. 31. Microsoft Internet Explorer CSS Strings Memory Corruption Vulnerability BugTraq ID: 25288 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25288 Summary: Microsoft Internet Explorer is prone to a remote code-execution vulnerability because the application fails to properly handle certain CSS data. An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the vulnerable application. This issue affects Internet Explorer 5.01 SP4 running on Microsoft Windows 2000 SP4. 32. Windows Vista Feed Headlines Gadget Remote Code Execution Vulnerability BugTraq ID: 25287 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25287 Summary: Windows Vista is prone to a remote code-execution vulnerability because it fails to adequately sanitize user-supplied data. Attackers exploit this issue by coercing unsuspecting users to subscribe to a malicious RSS feed using the affected gadget. Attackers can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Successful attacks may facilitate the remote compromise of affected computers. 33. Microsoft OLE Automation SubstringData Function Integer Overflow Vulnerability BugTraq ID: 25282 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25282 Summary: Microsoft OLE Automation is prone to an integer-overflow vulnerability. this issue occurs because the application fails to ensure that integer values are not overrun. Successfully exploiting this issue allows remote attackers to corrupt heap memory and execute arbitrary in the context of the affeced application. Failed exploit attempts will result in a denial-of-service condition. 34. Microsoft Excel Worksheet Index Value Remote Code Execution Vulnerability BugTraq ID: 25280 Remote: Yes Date Published: 2007-08-14 Relevant URL: http://www.securityfocus.com/bid/25280 Summary: Microsoft Excel is prone to a remote code-execution vulnerability. Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel file (.xls). Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application. This may facilitate a compromise of vulnerable computers. 35. Symantec Altiris Deployment Solution Local Privilege Escalation Vulnerability BugTraq ID: 25232 Remote: No Date Published: 2007-08-13 Relevant URL: http://www.securityfocus.com/bid/25232 Summary: Symantec Altiris Deployment Solution is prone to a local privilege-escalation vulnerability. An attacker can exploit this issue to execute arbitrary commands with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. III. MICROSOFT FOCUS LIST SUMMARY --------------------------------- 1. SecurityFocus Microsoft Newsletter #355 http://www.securityfocus.com/archive/88/477096 2. Password complexity - improvement http://www.securityfocus.com/archive/88/476610 IV. UNSUBSCRIBE INSTRUCTIONS ----------------------------- To unsubscribe send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website. If your email address has changed email [EMAIL PROTECTED] and ask to be manually removed. V. SPONSOR INFORMATION ------------------------ This Issue is Sponsored by: EMC Register for live VMWare Management Webcast by EMC Learn best practices for leveraging and optimizing a VMware infrastructure with EMC ControlCenter. http://newsletter.industrybrains.com/c?fe;1;6dfcc;1a084;3c3;0;da4
