SecurityFocus Microsoft Newsletter #373
----------------------------------------

This issue is Sponsored by: The Computer Forensics Show

Imagine the ability to view anything that ever appeared on almost any computer. The Computer Forensics Show is the "DON'T MISS" event of the year for IT professionals.

The Computer Forensics Show
February 4-6, 2008
Washington Convention Center
Washington D.C.
www.computerforensicshow.com

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
    1. Copyrights and Wrongs
    2. The Man in the Machine
II. MICROSOFT VULNERABILITY SUMMARY
    1. Adobe Flash Player ActiveX Control 'navigateToURL' API Cross Domain Scripting Vulnerability
    2. Adobe Flash Player 'asfunction' Cross Site Scripting Vulnerability
    3. WFTPD Explorer Remote Buffer Overflow Vulnerability
    4. Adobe Flash Player DNS Rebinding Vulnerability
    5. Adobe Flash Player Multiple Security Vulnerabilities
    6. ClamAV 'libclamav/pe.c' MEW Packed PE File Integer Overflow Vulnerability
    7. iMesh 'IMWebControl' ActiveX Control Code Execution Vulnerability
    8. Apple Safari Subframe Same Origin Policy Violation Vulnerability
    9. RaidenHTTPD 'workspace.php' Directory Traversal Vulnerability
    10. SurgeMail Malformed Host Header Denial of Service Vulnerability
    11. Apple QuickTime QTL File Handling Remote Heap Buffer Overflow Vulnerability
    12. Apple QuickTime Flash Media Player Multiple Unspecified Vulnerabilities
    13. Microsoft Office Hyperlink Signing Weakness
    14. QK SMTP Server Malformed Commands Multiple Remote Denial of Service Vulnerabilities
    15. JustSystems Ichitaro JSGCI.DLL Unspecified Stack Buffer Overflow Vulnerability
    16. Symantec Backup Exec for Windows Unspecified Remote Vulnerability
    17. Microsoft Office Insecure Document Signing Weakness
    18. BitDefender Antivirus 2008 bdelev.dll ActiveX Control Double Free Vulnerability
    19. BitDefender Antivirus bdevel.dll ActiveX Control Multiple Arbitrary Code Execution Vulnerabilities
    20. Intuit QuickBooks Online Edition ActiveX Controls Multiple Unspecified Vulnerabilities
    21. Microsoft Internet Explorer Element Tags Remote Memory Corruption Vulnerability
    22. Microsoft Internet Explorer cloneNode() and nodeValue() Remote Memory Corruption Vulnerability
    23. Perforce P4Web Content-Length Header Remote Denial Of Service Vulnerability
    24. Microsoft DirectX WAV and AVI File Parsing Remote Code Execution Vulnerability
    25. Microsoft Message Queuing Service Stack Buffer Overflow Vulnerability
    26. Microsoft DirectX SAMI File Parsing Stack Buffer Overflow Vulnerability
    27. Microsoft Windows SMBv2 Code Signing Remote Code Execution Vulnerability
    28. Microsoft Windows Media Format Runtime ASF File Remote Code Execution Vulnerability
    29. Microsoft Windows Vista Kernel ALPC Local Privilege Escalation Vulnerability
    30. Microsoft Internet Explorer mshtml.dll Remote Memory Corruption Vulnerability
    31. Microsoft Internet Explorer DHTML Object Memory Corruption Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Copyrights and Wrongs
By Mark Rasch
On October 1, 2007, Jammie Thomas -- a single mother living in Brainerd, Minnesota -- was sued in civil court for copyright infringement by the Recording Industry Association of America. Three days later, the jury returned the verdict; Ms. Thomas was liable for willfully infringing the copyrights on 24 songs. The fine: $222,000.
http://www.securityfocus.com/columnists/460

2. The Man in the Machine
By Federico Biancuzzi
In April 2007, when two security researchers demonstrated a flaw in the next-generation IPv6 routing scheme that would allow attackers to significantly amplify any denial-of-service attack by a factor of at least 80, networking expert Jun-ichiro "Itojun" Hagino worked to get Internet engineers to take the threat seriously.
http://www.securityfocus.com/columnists/459

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Adobe Flash Player ActiveX Control 'navigateToURL' API Cross Domain Scripting Vulnerability
BugTraq ID: 26960
Remote: Yes
Date Published: 2007-12-18
Relevant URL: http://www.securityfocus.com/bid/26960
Summary:
The Adobe Flash Player ActiveX control is prone to a cross-domain scripting vulnerability. An attacker may leverage this issue to execute arbitrary JavaScript in the context of another domain. This issue affects Adobe Flash Player 9.0.48.0, 8.0.35.0, 7.0.70.0 and prior.

Note: This issue was previously disclosed in BID 26929 (Adobe Flash Player Multiple Security Vulnerabilities). However, new technical details are available; therefore the issue has been assigned to this BID.

2. Adobe Flash Player 'asfunction' Cross Site Scripting Vulnerability
BugTraq ID: 26949
Remote: Yes
Date Published: 2007-12-18
Relevant URL: http://www.securityfocus.com/bid/26949
Summary:
Adobe Flash Player is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

3. WFTPD Explorer Remote Buffer Overflow Vulnerability
BugTraq ID: 26935
Remote: Yes
Date Published: 2007-12-18
Relevant URL: http://www.securityfocus.com/bid/26935
Summary:
WFTPD Explorer is prone to a remote heap-based buffer-overflow vulnerability. The issue arises when the client handles excessive string data. By exploiting this issue, a remote attacker may gain unauthorized access in the context of the user running the application. WFTPD Explorer 1.0 is reported vulnerable; other versions may be affected as well.

4. Adobe Flash Player DNS Rebinding Vulnerability
BugTraq ID: 26930
Remote: Yes
Date Published: 2007-12-18
Relevant URL: http://www.securityfocus.com/bid/26930
Summary:
Adobe Flash Player is prone to a DNS rebinding vulnerability that allows remote attackers to establish arbitrary TCP sessions. An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious SWF file. Successfully exploiting this issue allows the attacker to bypass the application's same-origin policy and set up connections to services on arbitrary computers. This may lead to other attacks.

5. Adobe Flash Player Multiple Security Vulnerabilities
BugTraq ID: 26929
Remote: Yes
Date Published: 2007-12-18
Relevant URL: http://www.securityfocus.com/bid/26929
Summary:
Adobe Flash Player is prone to multiple security vulnerabilities, including:
- A privilege-escalation issue
- A cross-domain security-bypass issue
- An HTTP request-splitting issue

Attackers can exploit these vulnerabilities to compromise affected computers, execute arbitrary code and misrepresent how web content is served, cached, or interpreted. Other attacks are also possible. These issues affect Adobe Flash Player 9.0.48.0, 8.0.35.0, and 7.0.70.0 and prior.

Notes:
- The issues described in CVE-2007-6244 have been reassigned to BID 26949 and BID 26960.
- The issue described in CVE-2007-6242 has been reassigned to BID 26951.

6. ClamAV 'libclamav/pe.c' MEW Packed PE File Integer Overflow Vulnerability
BugTraq ID: 26927
Remote: Yes
Date Published: 2007-12-18
Relevant URL: http://www.securityfocus.com/bid/26927
Summary:
ClamAV is prone to an integer-overflow vulnerability because it fails to properly verify user-supplied data. Successful exploits of this vulnerability can allow remote attackers to execute arbitrary machine code in the context of applications using the 'libclamav' library. Failed exploits may crash the application. ClamAV 0.91.2 is vulnerable to this issue; other versions may also be affected.

7. iMesh 'IMWebControl' ActiveX Control Code Execution Vulnerability
BugTraq ID: 26916
Remote: Yes
Date Published: 2007-12-17
Relevant URL: http://www.securityfocus.com/bid/26916
Summary:
iMesh is prone to a code-execution vulnerability because the application fails to sanitize user-supplied data, which can lead to memory corruption. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using an affected ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions. iMesh 7.1.0.37263 and prior versions are reported affected by this issue.

8. Apple Safari Subframe Same Origin Policy Violation Vulnerability
BugTraq ID: 26911
Remote: Yes
Date Published: 2007-12-17
Relevant URL: http://www.securityfocus.com/bid/26911
Summary:
Apple Safari is prone to a vulnerability that allows attackers to violate the same-origin policy. This issue occurs because the application fails to properly enforce the same-origin policy for subframe access. An attacker may create a malicious webpage that can access the properties of another domain. This may allow the attacker to obtain sensitive information or launch other attacks against a user of the browser. Safari 3 for both Microsoft Windows and Apple Mac OS X platforms is vulnerable to this issue.

9. RaidenHTTPD 'workspace.php' Directory Traversal Vulnerability
BugTraq ID: 26903
Remote: Yes
Date Published: 2007-12-17
Relevant URL: http://www.securityfocus.com/bid/26903
Summary:
RaidenHTTPD is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks. RaidenHTTPD 2.0.19 is vulnerable; other versions may also be affected.

10. SurgeMail Malformed Host Header Denial of Service Vulnerability
BugTraq ID: 26901
Remote: Yes
Date Published: 2007-12-17
Relevant URL: http://www.securityfocus.com/bid/26901
Summary:
SurgeMail is prone to a remote denial-of-service vulnerability because the application fails to handle specially crafted HTTP POST requests. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. SurgeMail 38k4 for Microsoft Windows is vulnerable; other versions running on different platforms may also be affected.

11. Apple QuickTime QTL File Handling Remote Heap Buffer Overflow Vulnerability
BugTraq ID: 26868
Remote: Yes
Date Published: 2007-12-13
Relevant URL: http://www.securityfocus.com/bid/26868
Summary:
Apple QuickTime is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted QTL file. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions. This issue affects Apple QuickTime running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X.

12. Apple QuickTime Flash Media Player Multiple Unspecified Vulnerabilities
BugTraq ID: 26866
Remote: Yes
Date Published: 2007-12-13
Relevant URL: http://www.securityfocus.com/bid/26866
Summary:
Apple QuickTime is prone to multiple unspecified vulnerabilities. The most serious issue will allow remote attackers to execute code. The remote-code execution issues involve processing '.swf' files. The 'Quicktime.qts' module uses the 'BitMapFormat' attribute of the 'Parser' object without validating its contents. An attacker can exploit some of these issues to execute arbitrary code with the privileges of the user running the affected application. The impact of the other issues has not been specified.

These issues affect versions prior to QuickTime 7.3.1 for these platforms:
- Mac OS X v10.3.9
- Mac OS X v10.4.9 or later
- Mac OS X v10.5 or later
- Microsoft Windows Vista
- Microsoft Windows XP SP2

13. Microsoft Office Hyperlink Signing Weakness
BugTraq ID: 26857
Remote: Yes
Date Published: 2007-12-13
Relevant URL: http://www.securityfocus.com/bid/26857
Summary:
Microsoft Office fails to securely sign Office documents. Attackers can leverage this weakness to manipulate signed documents in a manner such that the signature remains intact. The weakness will result in a false sense of security and could help attackers exploit other latent vulnerabilities. Microsoft Office 2007 is vulnerable; other versions may also be affected.

14. QK SMTP Server Malformed Commands Multiple Remote Denial of Service Vulnerabilities
BugTraq ID: 26856
Remote: Yes
Date Published: 2007-12-13
Relevant URL: http://www.securityfocus.com/bid/26856
Summary:
QK SMTP Server is prone to multiple remote denial-of-service vulnerabilities that occur when handling malformed SMTP commands. An attacker can exploit these issues to crash the affected application, denying service to legitimate users. These issues affect QK SMTP Server 3; other versions may also be affected.

15. JustSystems Ichitaro JSGCI.DLL Unspecified Stack Buffer Overflow Vulnerability
BugTraq ID: 26846
Remote: Yes
Date Published: 2007-12-13
Relevant URL: http://www.securityfocus.com/bid/26846
Summary:
Ichitaro is prone to an unspecified stack-based buffer-overflow vulnerability. Successful exploits may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed attempts will likely cause denial-of-service conditions. The issue affects Ichitaro 2005, 2006 and 2007; other versions may also be vulnerable. This issue is being exploited in the wild by Trojan.Tarodrop.F. Few details are available regarding this issue. We will update this BID as more information emerges.

16. Symantec Backup Exec for Windows Unspecified Remote Vulnerability
BugTraq ID: 26837
Remote: Yes
Date Published: 2007-12-12
Relevant URL: http://www.securityfocus.com/bid/26837
Summary:
Symantec Backup Exec for Windows is prone to an unspecified remote vulnerability. Very few technical details are currently available. We will update this BID as more information emerges. This issue affects Backup Exec 11d for Windows Servers.

17. Microsoft Office Insecure Document Signing Weakness
BugTraq ID: 26833
Remote: Yes
Date Published: 2007-12-12
Relevant URL: http://www.securityfocus.com/bid/26833
Summary:
Microsoft Office fails to securely sign XML-based documents. Attackers can leverage this weakness to manipulate signed documents to contain malicious data in a manner such that the signature remains intact. This weakness results in a false sense of security and could help the attacker exploit latent vulnerabilities. Microsoft Office 2007 is vulnerable; other versions may also be affected.

18. BitDefender Antivirus 2008 bdelev.dll ActiveX Control Double Free Vulnerability
BugTraq ID: 26824
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26824
Summary:
A BitDefender Antivirus 2008 ActiveX control is prone to a double-free vulnerability because of a flaw in the way that the 'bdelev.dll' library handles certain object data prior to returning it. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

19. BitDefender Antivirus bdevel.dll ActiveX Control Multiple Arbitrary Code Execution Vulnerabilities
BugTraq ID: 26820
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26820
Summary:
A BitDefender Antivirus 2008 ActiveX control is prone to multiple vulnerabilities that allow remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

20. Intuit QuickBooks Online Edition ActiveX Controls Multiple Unspecified Vulnerabilities
BugTraq ID: 26819
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26819
Summary:
Multiple Intuit QuickBooks Online Edition ActiveX controls are prone to multiple unspecified vulnerabilities. Very few technical details are currently available. We will update this BID as more information emerges. Versions prior to QuickBooks Online Edition 10 are vulnerable.

21. Microsoft Internet Explorer Element Tags Remote Memory Corruption Vulnerability
BugTraq ID: 26817
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26817
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

22. Microsoft Internet Explorer cloneNode() and nodeValue() Remote Memory Corruption Vulnerability
BugTraq ID: 26816
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26816
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the user's account and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

23. Perforce P4Web Content-Length Header Remote Denial Of Service Vulnerability
BugTraq ID: 26806
Remote: Yes
Date Published: 2007-12-19
Relevant URL: http://www.securityfocus.com/bid/26806
Summary:
Perforce P4Web is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted HTTP requests. An attacker can exploit this issue to cause the application to consume excessive CPU and memory resources. Successful attacks will deny service to legitimate users. P4Web 2006.2 and prior versions running on Windows are affected.

24. Microsoft DirectX WAV and AVI File Parsing Remote Code Execution Vulnerability
BugTraq ID: 26804
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26804
Summary:
Microsoft DirectX is prone to a remote code-execution vulnerability. An attacker could exploit this issue to execute arbitrary code with the privileges of the currently logged-in user. Failed exploit attempts may crash the application.

25. Microsoft Message Queuing Service Stack Buffer Overflow Vulnerability
BugTraq ID: 26797
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26797
Summary:
Microsoft Message Queuing (MSMQ) is prone to a stack-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges, facilitating the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. This issue is remotely exploitable on all Windows 2000 systems, and locally exploitable on Windows XP, provided the affected component is installed.

26. Microsoft DirectX SAMI File Parsing Stack Buffer Overflow Vulnerability
BugTraq ID: 26789
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26789
Summary:
DirectX is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker could exploit this issue to execute arbitrary code with the privileges of the currently logged-in user. Failed exploit attempts may crash the application.

Note: Windows Media Player 6.4 on Windows 2000 was previously stated as not being an attack vector. The vendor has updated this information to state it is a possible attack vector.

27. Microsoft Windows SMBv2 Code Signing Remote Code Execution Vulnerability
BugTraq ID: 26777
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26777
Summary:
Microsoft Windows is prone to a remote code-execution vulnerability because it fails to properly validate digital signatures. Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of logged-in users. This facilitates the remote compromise of affected computers.

28. Microsoft Windows Media Format Runtime ASF File Remote Code Execution Vulnerability
BugTraq ID: 26776
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26776
Summary:
Windows Media Player is prone to a remote code-execution vulnerability because it fails to properly handle malformed media files. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.

29. Microsoft Windows Vista Kernel ALPC Local Privilege Escalation Vulnerability
BugTraq ID: 26757
Remote: No
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26757
Summary:
Microsoft Windows Vista is prone to a local privilege-escalation vulnerability. The vulnerability resides in the Windows Kernel. A locally logged-in user can exploit this issue to gain kernel-level access to the operating system.

30. Microsoft Internet Explorer mshtml.dll Remote Memory Corruption Vulnerability
BugTraq ID: 26506
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26506
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the user's account and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

31. Microsoft Internet Explorer DHTML Object Memory Corruption Vulnerability
BugTraq ID: 26427
Remote: Yes
Date Published: 2007-12-11
Relevant URL: http://www.securityfocus.com/bid/26427
Summary:
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability because it fails to adequately handle user-supplied input to certain DHTML object methods. Attackers can exploit this issue to execute arbitrary code in the context of a user running the application.
Successful attacks would compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe, send an e-mail message to [EMAIL PROTECTED] from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively, you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email [EMAIL PROTECTED] and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This issue is Sponsored by: The Computer Forensics Show

Imagine the ability to view anything that ever appeared on almost any computer. The Computer Forensics Show is the "DON'T MISS" event of the year for IT professionals.

The Computer Forensics Show
February 4-6, 2008
Washington Convention Center
Washington D.C.
www.computerforensicshow.com
