SecurityFocus Microsoft Newsletter #357
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

XPATH Injection Attacks - Web Hackers' New Trick: White Paper

One particular form of injection attack, XPath Injection, is rapidly gaining in popularity due to the spread of AJAX applications and their inherent use of XML to store data. XPath Injection can be just as dangerous as SQL Injection, and can be even easier to exploit. Learn how to identify XPath Injection vulnerabilities and which methods of recourse to take to prevent them. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/XP.asp?Campaign_ID=70160000000D1rX

SECURITY BLOGS

SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.

http://www.securityfocus.com/blogs

------------------------------------------------------------------

I. FRONT AND CENTER
     1. Virtualized rootkits - Part 2
     2. Virtualized rootkits - Part 1
II. MICROSOFT VULNERABILITY SUMMARY
     1. Oracle JInitiator ActiveX Control Multiple Buffer Overflow Vulnerabilities
     2. Entrust ESP Certificate Path Verification Vulnerability
     3. Subversion for Windows Remote Directory Traversal Vulnerability
     4. Microsoft MSN Messenger Video Conversation Buffer Overflow Vulnerability
     5. Motorola Timbuktu Pro for Windows Multiple Remote Buffer Overflow Vulnerabilities
     6. Motorola Timbuktu Pro Directory Traversal Vulnerability
     7. BufferZone Redlight.SYS Driver Buffer Overflow Vulnerability
     8. Media Player Classic FLI File Remote Buffer Overflow Vulnerability
     9. Soldat Multiple Remote Denial of Service Vulnerabilities
     10. Bugzilla Multiple Remote Vulnerabilities
     11. Skulltag Huffman Packet Decompression Remote Heap Based Buffer Overflow Vulnerability
     12. Unreal Commander Malformed Archives Multiple Remote Vulnerabilities
     13. IBM Lotus Notes NTMulti.EXE Local Privilege Escalation Vulnerability
     14. Clam AntiVirus ClamAV Multiple Remote Denial of Service Vulnerabilities
     15. Trend Micro Anti-Spyware And PC-cillin SSAPI Engine Local Stack Buffer Overflow Vulnerability
     16. Check Point Zone Labs Multiple Products Local Privilege Escalation Vulnerabilities
III. MICROSOFT FOCUS LIST SUMMARY
     1. Software smart-card emulation
     2. SecurityFocus Microsoft Newsletter #356
     3. NTFS default special permissions
     4. Password complexity - improvement
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Virtualized rootkits - Part 2
By Federico Biancuzzi

There has been a lot of buzz around the topic of virtualized rootkits. Joanna Rutkowska has been working on a new version of Blue-Pill, her proof-of-concept invisible rootkit, while a team of three prominent security experts (Thomas Ptacek, Nate Lawson, Peter Ferrie) countered that there is no such thing as an "invisible" rootkit, and that they were going to present various techniques to detect Blue-Pill at the BlackHat conference. Federico Biancuzzi interviewed both sides to learn more. Part 2 of 2

http://www.securityfocus.com/columnists/452

2. Virtualized rootkits - Part 1
By Federico Biancuzzi

There has been a lot of buzz around the topic of virtualized rootkits. Joanna Rutkowska has been working on a new version of Blue-Pill, her proof-of-concept invisible rootkit, while a team of three prominent security experts (Thomas Ptacek, Nate Lawson, Peter Ferrie) countered that there is no such thing as an "invisible" rootkit, and that they were going to present various techniques to detect Blue-Pill at the BlackHat conference. Federico Biancuzzi interviewed both sides to learn more. Part 1 of 2

http://www.securityfocus.com/columnists/451

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Oracle JInitiator ActiveX Control Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 25473
Remote: Yes
Date Published: 2007-08-28
Relevant URL: http://www.securityfocus.com/bid/25473
Summary:
Oracle JInitiator is prone to multiple remote buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.

These issues affect Oracle JInitiator version 1.1.8.16; other versions may also be affected.

2. Entrust ESP Certificate Path Verification Vulnerability
BugTraq ID: 25471
Remote: Yes
Date Published: 2007-08-28
Relevant URL: http://www.securityfocus.com/bid/25471
Summary:
Entrust ESP is prone to a certificate path verification vulnerability. This issue is due to a failure of the application to properly validate certificate chains.

Successfully exploiting this issue may allow attackers to utilize invalid security certificates, possibly aiding in further attacks.

Entrust Entelligence Security Provider 8 is vulnerable to this issue. Other versions may also be affected.

3. Subversion for Windows Remote Directory Traversal Vulnerability
BugTraq ID: 25468
Remote: Yes
Date Published: 2007-08-28
Relevant URL: http://www.securityfocus.com/bid/25468
Summary:
Subversion is prone to a remote directory-traversal vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input.

Successfully exploiting this issue allows attackers to write arbitrary data to arbitrary locations on unsuspecting users' computers.

This issue affects Subversion running on the Microsoft Windows platforms, and on any other platform where directory separator characters are '\' or characters other than '/'.

Subversion versions prior to 1.4.5 are vulnerable to this issue.

4. Microsoft MSN Messenger Video Conversation Buffer Overflow Vulnerability
BugTraq ID: 25461
Remote: Yes
Date Published: 2007-08-28
Relevant URL: http://www.securityfocus.com/bid/25461
Summary:
Microsoft MSN Messenger is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will likely result in denial-of-service conditions.

Microsoft MSN Messenger version 7 is considered vulnerable; other versions may also be prone to this issue.

5. Motorola Timbuktu Pro for Windows Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 25454
Remote: Yes
Date Published: 2007-08-27
Relevant URL: http://www.securityfocus.com/bid/25454
Summary:
Motorola Timbuktu Pro is prone to multiple remote buffer-overflow vulnerabilities. These issues are due to a failure of the software to properly bounds-check user-supplied input.

Successfully exploiting these issues allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges. This facilitates the complete remote compromise of affected computers. Failed exploit attempts likely result in denial-of-service conditions.

Timbuktu Pro version 8.6.3.1367 for Microsoft Windows is vulnerable to these issues. Other versions and platforms may also be affected.

6. Motorola Timbuktu Pro Directory Traversal Vulnerability
BugTraq ID: 25453
Remote: Yes
Date Published: 2007-08-27
Relevant URL: http://www.securityfocus.com/bid/25453
Summary:
Motorola Timbuktu Pro is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to delete or create arbitrary files with SYSTEM-level privileges. This could completely compromise affected computers.

Timbuktu Pro for Windows version 8.6.3.1367 is vulnerable; other versions and platforms may also be affected.

7. BufferZone Redlight.SYS Driver Buffer Overflow Vulnerability
BugTraq ID: 25442
Remote: No
Date Published: 2007-08-25
Relevant URL: http://www.securityfocus.com/bid/25442
Summary:
BufferZone is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

This issue affects BufferZone version 2.5; prior versions may also be affected.

8. Media Player Classic FLI File Remote Buffer Overflow Vulnerability
BugTraq ID: 25437
Remote: Yes
Date Published: 2007-08-24
Relevant URL: http://www.securityfocus.com/bid/25437
Summary:
Media Player Classic is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data.

Attackers may attempt to exploit this issue by coercing users to access malicious FLI files. Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the user running the affected application. This facilitates the remote compromise of affected computers.

Media Player Classic version 6.4.9.0 is vulnerable; other versions may also be affected.

9. Soldat Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 25426
Remote: Yes
Date Published: 2007-08-23
Relevant URL: http://www.securityfocus.com/bid/25426
Summary:
Soldat is prone to multiple remote denial-of-service vulnerabilities. These issues are due to failures of the game software when handling unexpected input.

Successfully exploiting these issues allows remote attackers to crash game servers and clients, or to block arbitrary IP addresses from connecting to game servers.

Soldat version 1.4.2 and Soldat dedicated server version 2.6.2 are vulnerable to these issues; other versions may also be affected.

10. Bugzilla Multiple Remote Vulnerabilities
BugTraq ID: 25425
Remote: Yes
Date Published: 2007-08-23
Relevant URL: http://www.securityfocus.com/bid/25425
Summary:
Bugzilla is prone to multiple remote vulnerabilities. These issues include an HTML-injection vulnerability, a remote command-injection vulnerability and an information-disclosure vulnerability.

An attacker can exploit these issues to execute arbitrary code and commands with the privileges of the webserver process, steal cookie-based authentication credentials and disclose sensitive information.

These issues affect Bugzilla 2.20.4, 2.22.2, 3.0 and 3.1; prior versions of the 2.20 and 2.22 branches are also affected.

11. Skulltag Huffman Packet Decompression Remote Heap Based Buffer Overflow Vulnerability
BugTraq ID: 25423
Remote: Yes
Date Published: 2007-08-23
Relevant URL: http://www.securityfocus.com/bid/25423
Summary:
Skulltag is prone to a remote heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Successful exploits may compromise affected computers. Failed attacks will likely cause denial-of-service conditions.

Skulltag version 0.97d-beta4.1 is vulnerable; other versions may also be affected.

12. Unreal Commander Malformed Archives Multiple Remote Vulnerabilities
BugTraq ID: 25419
Remote: Yes
Date Published: 2007-08-23
Relevant URL: http://www.securityfocus.com/bid/25419
Summary:
Unreal Commander is prone to multiple remote vulnerabilities when handling malformed ZIP and RAR archives. These vulnerabilities include a directory-traversal vulnerability, an information-disclosure vulnerability and a file-name spoofing vulnerability.

An attacker can exploit these issues to compromise the affected computer, overwrite arbitrary files and disclose sensitive information. These issues may lead to other attacks.

Unreal Commander version 0.92 (build 565) and version 0.92 (build 573) are vulnerable; prior versions may also be affected.

13. IBM Lotus Notes NTMulti.EXE Local Privilege Escalation Vulnerability
BugTraq ID: 25401
Remote: No
Date Published: 2007-08-22
Relevant URL: http://www.securityfocus.com/bid/25401
Summary:
IBM Lotus Notes is prone to a local privilege-escalation vulnerability because it fails to assign proper file permissions during installation.

Attackers can exploit this issue to run arbitrary applications with SYSTEM-level privileges. Successful attacks will completely compromise affected computers.

NOTE: This issue may be related to the one covered under BID 20612. This has not been confirmed. This BID will be updated as further information becomes available.

14. Clam AntiVirus ClamAV Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 25398
Remote: Yes
Date Published: 2007-08-21
Relevant URL: http://www.securityfocus.com/bid/25398
Summary:
ClamAV is prone to multiple denial-of-service vulnerabilities.

A successful attack may allow an attacker to crash the application and deny service to users.

ClamAV versions prior to 0.91.2 are vulnerable to these issues.

15. Trend Micro Anti-Spyware And PC-cillin SSAPI Engine Local Stack Buffer Overflow Vulnerability
BugTraq ID: 25388
Remote: No
Date Published: 2007-08-21
Relevant URL: http://www.securityfocus.com/bid/25388
Summary:
Trend Micro Anti-Spyware and PC-cillin Internet Security are prone to a local stack buffer-overflow vulnerability because they fail to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. This issue affects a library in Trend Micro's SSAPI Engine.

Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. This may facilitate a complete compromise of vulnerable servers. Failed exploit attempts will likely result in denial-of-service conditions.

Trend Micro Anti-Spyware for Consumer version 3.5 and PC-cillin Internet Security 2007 are vulnerable.

16. Check Point Zone Labs Multiple Products Local Privilege Escalation Vulnerabilities
BugTraq ID: 25365
Remote: No
Date Published: 2007-08-20
Relevant URL: http://www.securityfocus.com/bid/25365
Summary:
Multiple Check Point ZoneLabs products are prone to multiple local privilege-escalation vulnerabilities.

Successfully exploiting these issues allows local attackers to execute arbitrary code with elevated privileges, facilitating the complete compromise of affected computers.

ZoneAlarm versions prior to 7.0.362 are vulnerable, as well as ZoneLabs products that include 'vsdatant.sys' version 6.5.737.0.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Software smart-card emulation
http://www.securityfocus.com/archive/88/478049

2. SecurityFocus Microsoft Newsletter #356
http://www.securityfocus.com/archive/88/477495

3. NTFS default special permissions
http://www.securityfocus.com/archive/88/477517

4. Password complexity - improvement
http://www.securityfocus.com/archive/88/476610

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively, you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email [EMAIL PROTECTED] and ask to be manually removed.

V.
SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: SPI Dynamics

https://download.spidynamics.com/1/ad/XP.asp?Campaign_ID=70160000000D1rX
