
SecurityFocus Microsoft Newsletter #219

Subject: SecurityFocus Microsoft Newsletter #219
Date: Wed, 15 Dec 2004 14:54:30 -0700 (MST)
SecurityFocus Microsoft Newsletter #219
----------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Online Extortion Works
     2. WEP:Dead Again, Part 1
II. MICROSOFT VULNERABILITY SUMMARY
     1. IBM WebSphere Commerce Default User Information Disclosure V...
     2. Microsoft Windows 2000 Resource Kit W3Who.DLL Multiple Remot...
     3. Hosting Controller FilePath Parameter File Disclosure Vulner...
     4. Microsoft Internet Explorer FTP URI Arbitrary FTP Server Com...
     5. Microsoft Internet Explorer Sysimage Protocol Handler Local ...
     6. Headlight Software GetRight DUNZIP32.dll Remote Buffer Overf...
     7. Microsoft Internet Explorer Search Pane URI Obfuscation Vuln...
     8. Microsoft Internet Explorer Remote Window Hijacking Vulnerab...
     9. Kerio Personal Firewall Local Denial Of Service Vulnerabilit...
     10. Microsoft Windows Multiple Unspecified Vulnerabilities
     11. Kerio WinRoute Firewall Multiple Unspecified Remote Vulnerab...
     12. Microsoft Office SharePoint Portal Server Local Information ...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Secondary Storage Device Policy (Thread)
     2. iisadmpwd/UPN (Thread)
     3. Group policy help needed!!! (Thread)
     4. services running in windows domain (winXP clients) (Thread)
     5. Modifying default behaviour of MS VPN client (Thread)
     6. SecurityFocus Microsoft Newsletter #218 (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. CoreGuard Core Security System
     2. KeyCaptor Keylogger
     3. SpyBuster
     4. FreezeX
     5. NeoExec for Active Directory
     6. Secrets Protector v2.03
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. IDS Policy Manager v1.5
     2. PatchLink Update 6.01.78
     3. Dekart Private Disk 2.03
     4. Remote Process Watcher 1.0
     5. Rkdscan 1.0
     6. Spybot-S&D 1.3
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Online Extortion Works
By Scott Granneman

Online extortion is quietly affecting thousands of businesses, for a very
simple reason: it works. The big question then becomes, how will you and
your company decide to respond?

http://www.securityfocus.com/columnists/283


2. WEP:Dead Again, Part 1
By Michael Ossmann

This article is the first of a two-part series that looks at the new
generation of WEP cracking tools for WiFi networks, which offer
dramatically faster speeds for penetration testers over the previous
generation of tools. In many cases, a WEP key can be determined in seconds
or minutes.

http://www.securityfocus.com/infocus/1814

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. IBM WebSphere Commerce Default User Information Disclosure V...
BugTraq ID: 11816
Remote: Yes
Date Published: Dec 03 2004
Relevant URL: http://www.securityfocus.com/bid/11816
Summary:
It is reported that WebSphere Commerce is susceptible to an information 
disclosure vulnerability.

This vulnerability may result in potentially sensitive customer data being 
available to the default user, possibly allowing unintended users to gain 
access to it.

This vulnerability is reported to affect versions 5.1, 5.4, 5.5, and 5.6.

2. Microsoft Windows 2000 Resource Kit W3Who.DLL Multiple Remot...
BugTraq ID: 11820
Remote: Yes
Date Published: Dec 06 2004
Relevant URL: http://www.securityfocus.com/bid/11820
Summary:
The Microsoft Windows 2000 Resource Kit supports many utilities designed for 
diagnostic administration of the Windows platform.  The w3who.dll library is a 
utility designed to provide auditing of server configuration remotely through a 
Web browser.

Multiple remote vulnerabilities affect the w3who.dll library of Microsoft's 
Windows Resource Kit.  These issues are due to a failure of the library to 
properly sanitize and perform proper bounds checking on user-supplied input.

The first two issues are cross-site scripting vulnerabilities. The final issue 
is a buffer overflow vulnerability.

These issues may be exploited to conduct cross-site scripting attacks and 
execute arbitrary code with the privileges of the affected Web server. This may 
facilitate theft of cookie-based authentication credentials, unauthorized 
access, privilege escalation, and other attacks.

3. Hosting Controller FilePath Parameter File Disclosure Vulner...
BugTraq ID: 11822
Remote: Yes
Date Published: Dec 06 2004
Relevant URL: http://www.securityfocus.com/bid/11822
Summary:
Multiple scripts of Hosting Controller are prone to an issue which may allow a 
remote attacker to view the contents of arbitrary files and directories on the 
local drive.

It is reported that a successful attack allows an attacker to view any file or 
directory on the affected computer through a 'FilePath' parameter.

Hosting Controller version 6.1 Hotfix 1.4 and prior may be affected by this 
issue.

4. Microsoft Internet Explorer FTP URI Arbitrary FTP Server Com...
BugTraq ID: 11826
Remote: Yes
Date Published: Dec 06 2004
Relevant URL: http://www.securityfocus.com/bid/11826
Summary:
Microsoft Internet Explorer is reported prone to an arbitrary FTP server 
command execution vulnerability. This issue is due to a failure of the 
application to properly sanitize user-supplied URI input prior to utilizing it 
to execute FTP commands on remote servers.

This vulnerability allows attackers to embed arbitrary FTP server commands in 
malicious URIs. Upon following this malicious URI, the victim user's Web browser 
will reportedly connect to the attacker-specified FTP server, and the malicious 
commands will be sent to the server. This may allow malicious files to be 
downloaded to the victim's computer without their knowledge. Other attacks are 
also likely possible.

5. Microsoft Internet Explorer Sysimage Protocol Handler Local ...
BugTraq ID: 11834
Remote: Yes
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11834
Summary:
Microsoft Internet Explorer is reported prone to a vulnerability that may allow 
a remote site to detect files on the local computer.

A remote attacker can exploit this issue through the 'sysimage://' protocol 
handler to detect the existence of a file on the local computer of the Web 
client viewing a malicious page.  This could lead to a disclosure of sensitive 
information to remote attackers.

6. Headlight Software GetRight DUNZIP32.dll Remote Buffer Overf...
BugTraq ID: 11836
Remote: Yes
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11836
Summary:
GetRight is reported prone to a remote buffer overflow vulnerability when 
handling specially crafted skin files.  This issue presents itself due to 
insufficient boundary checks performed by the application.  It is reported that 
this vulnerability occurs in the DUNZIP32.dll compression library.

It is conjectured that this issue results in a denial of service condition and 
may be leveraged to execute arbitrary code on a vulnerable computer.

7. Microsoft Internet Explorer Search Pane URI Obfuscation Vuln...
BugTraq ID: 11851
Remote: Yes
Date Published: Dec 08 2004
Relevant URL: http://www.securityfocus.com/bid/11851
Summary:
A remote URI obfuscation vulnerability has been found in Internet Explorer's 
search pane functionality.  This issue is due to a failure of the application 
to present the URI address of HTML and script code loaded into the search pane.

This issue may be leveraged by an attacker to display misleading information in 
the address bar of the browser to an unsuspecting user while loading a third 
party Web site in the search pane. This may allow an attacker to present web 
pages to users that seem to originate from a trusted location. This may 
facilitate phishing style attacks; other attacks may also be possible.

8. Microsoft Internet Explorer Remote Window Hijacking Vulnerab...
BugTraq ID: 11855
Remote: Yes
Date Published: Dec 08 2004
Relevant URL: http://www.securityfocus.com/bid/11855
Summary:
Microsoft Internet Explorer is reported prone to a vulnerability that may allow 
a Web site to hijack the contents of a trusted window.  This issue may allow a 
remote attacker to carry out phishing style attacks.

This issue arises as a user visits a malicious site and follows a link to a 
trusted site.  Once the link to the trusted site is followed, the victim must 
open a pop up window from the trusted site that can be influenced by the 
attacker's site.

If successful, the contents of the target site's window can be spoofed 
resulting in phishing style attacks.

9. Kerio Personal Firewall Local Denial Of Service Vulnerabilit...
BugTraq ID: 11859
Remote: No
Date Published: Dec 08 2004
Relevant URL: http://www.securityfocus.com/bid/11859
Summary:
It is reported that the Kerio Personal Firewall (KPF) driver does not 
sufficiently sanitize API parameters that are received from APIs that are 
hooked by KPF. When the KPF API hook handles certain parameter data it will 
fail. Reports indicate that this exception is not expected and as a result, the 
Windows kernel crashes, triggering a system-wide denial of service.

A local attacker may exploit this vulnerability to deny service to legitimate 
users.

10. Microsoft Windows Multiple Unspecified Vulnerabilities
BugTraq ID: 11867
Remote: Unknown
Date Published: Dec 09 2004
Relevant URL: http://www.securityfocus.com/bid/11867
Summary:
Microsoft has released advance notification that they will be releasing five 
security bulletins for Windows on December 14th, 2004.

No further information regarding the vulnerabilities addressed by these 
security bulletins has been released at this time.

11. Kerio WinRoute Firewall Multiple Unspecified Remote Vulnerab...
BugTraq ID: 11870
Remote: Yes
Date Published: Dec 10 2004
Relevant URL: http://www.securityfocus.com/bid/11870
Summary:
Multiple unspecified remote vulnerabilities reportedly affect Kerio's WinRoute 
Firewall.  These issues are likely due to design errors and a failure of the 
application to properly handle malformed network data, although this is not 
verified.

The first issue is a remote denial of service that may cause the affected 
computer to crash or hang.  The second issue is a DNS cache poisoning 
vulnerability. The final issue is an information disclosure vulnerability.

An attacker may exploit these issues to gain access to otherwise restricted 
information and manipulate the DNS cache of the affected firewall, potentially 
facilitating further attacks against the affected network. Also an attacker may 
leverage these issues to cause the affected computer to crash or hang, 
facilitating a denial of service condition.

12. Microsoft Office SharePoint Portal Server Local Information ...
BugTraq ID: 11878
Remote: No
Date Published: Dec 10 2004
Relevant URL: http://www.securityfocus.com/bid/11878
Summary:
Microsoft Office SharePoint Portal Server is reported prone to a local 
information disclosure weakness. The vulnerability presents itself when 
SharePoint Portal Server components are being installed by a user account that 
employs a password credential containing a prefixed '-' character.

Under these circumstances the SharePoint Portal Server component installation 
will fail and the password for the user account used to install the software 
will be logged to the following file:
'%WinDir%\temp\STSADM.log-setup_{date} {time}.log'.

A local attacker may peruse the aforementioned log files in the hopes that they 
contain the password of a target user.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Secondary Storage Device Policy (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/384405

2. iisadmpwd/UPN (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/384402

3. Group policy help needed!!! (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/384401

4. services running in windows domain (winXP clients) (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/384397

5. Modifying default behaviour of MS VPN client (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/383892

6. SecurityFocus Microsoft Newsletter #218 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/383606

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. KeyCaptor Keylogger
By: Keylogger Software
Platforms: MacOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keylogger-software.com/keylogger/keylogger.htm
Summary:

KeyCaptor is your solution for recording ALL keystrokes of ALL users on your 
computer!  Now you have the power to record emails, websites, documents, chats, 
instant messages, usernames, passwords, and MUCH MORE!

With our advanced stealth technology, KeyCaptor will not show in your processes 
list and cannot be stopped from running unless you say so!

3. SpyBuster
By: Remove Spyware
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.remove-spyware.com/spybuster.htm
Summary:

Our award winning spyware / adware scanner and removal software, SpyBuster will 
scan your computer for over 4,000 known spyware and adware applications. 
SpyBuster protects your computer from data stealing programs that can expose 
your personal information.

SpyBuster scanning technology allows for a quick and easy sweep, so you can 
resume your work in minutes.

4. FreezeX
By: Faronics Technologies USA Inc
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL: http://www.faronics.com/html/Freezex.asp
Summary:

FreezeX prevents all unauthorized programs, including viruses, keyloggers and 
spyware from executing. Powerful and secure, FreezeX ensures that any new 
executable, program, or application that is downloaded, introduced via 
removable media or the network will never install.

5. NeoExec for Active Directory
By: NeoValens
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.neovalens.com
Summary:

NeoExec® is an operating system extension for Windows 2000/XP that allows the 
setting of privileges at the application level rather than at the user level.

NeoExec® is the ideal solution for applications that require elevated 
privileges to run as the privileges are granted to the application, not the 
user.

NeoExec® is the only solution on the market capable of modifying at runtime the 
processes' security context -- without requiring a second account as with RunAs 
and RunAs-derived products.

6. Secrets Protector v2.03
By: E-CRONIS
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.e-cronis.com/download/sp.exe
Summary:

It's the end of your worries about top-secret data of your company, your 
confidential files or the pictures from the last party. All these will be 
hidden beyond the reach of ANY intruder and you will be the only one able to 
handle them. And what you want to delete will be DELETED. It is the ultimate 
security tool to protect your sensitive information on PC, meeting the three 
most important security issues: Integrity, Confidentiality and Availability. 
This product gives you the features of a "folder locker" and a "secure eraser".

Your secret information is available only through this software and there is no 
other means to access it. The information is protected at file system level and 
it cannot be accidentally deleted or overwritten, neither in Safe mode nor in 
another operating system. This program doesn't make your operating system 
unstable as other related products do and protects your information from being 
seen, altered or deleted by an unauthorized user with or without his wish. The 
program allows you to permanently erase your sensitive data using secure wiping 
methods leaving no trace of your information. Depending on the selected wiping 
method your data is unrecoverable using software or even hardware recovery 
techniques.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. IDS Policy Manager v1.5
By: ActiveWorx
Relevant URL: http://www.activeworx.org
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

IDS Policy Manager was designed to manage Snort IDS sensors in a distributed 
environment. This is done by having the ability to take the text configuration 
and rule files and allow you to modify them with an easy to use graphical 
interface. With the added ability to merge new rule sets, manage preprocessors, 
control output modules and scp rules to sensors, this tool makes managing snort 
easy for most security professionals.

2. PatchLink Update 6.01.78
By: PatchLink Corporation
Relevant URL: 
http://www.patchlink.com/products_services/plu_evaluationrequest.html
Platforms: AIX, DG-UX, Digital UNIX/Alpha, DOS, HP-UX, Java, Linux, MacOS, Net, 
NetBSD, Netware, OpenVMS, PalmOS, POSIX, SecureBSD, SINIX, Solaris, SunOS, 
True64 UN, True64 UNIX, Ultrix, UNICOS, UNIX, Unixware, Windows 2000, Windows 
95/98, Windows CE, Windows NT, Windows XP
Summary:

With PATCHLINK UPDATE, patch management is the secure, proactive, and 
preventative process it should be. PATCHLINK UPDATE scans networks for security 
holes and closes them with the click of a mouse, no matter the operating 
system, the vendor applications, the mix, or the size of the environment. From 
5K nodes to 20+K nodes, PATCHLINK UPDATE works quickly, accurately and safely 
to ensure desktops and servers are patched correctly and completely the first 
time around.

3. Dekart Private Disk 2.03
By: Dekart
Relevant URL: http://www.private-disk.net/
Platforms: Windows XP
Summary:

Private Disk - is an easy-to-use, reliable, user-friendly and smart program 
that lets you create encrypted disk partitions (drive letters) to keep your 
private and confidential data secure. Uses 256-bit AES encryption.

4. Remote Process Watcher 1.0
By: Fitsec Tmi
Relevant URL: http://www.fitsec.com/downloads
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

A Java based software that watches processes running on the computers inside a 
domain. Gives out warnings when it spots a process that it doesn't recognize or 
processes that have been marked on the warning list. It is also able to 
autokill processes marked as critical.

5. Rkdscan 1.0
By: Andres Tarasco - www.sia.es
Relevant URL: http://cyruxnet.org/download/rkdscan.rar
Platforms: Windows 2000
Summary:

Rkdscan is able to remotely detect if NT based computers are compromised with 
the "Hacker Defender" rootkit.

6. Spybot-S&D 1.3
By: Patrick M. Kolla
Relevant URL: http://www.spybot.info/en/index.html
Platforms: Windows XP
Summary:

Spybot - Search & Destroy can detect and remove spyware of different kinds
from your computer. Spyware is a relatively new kind of threat that
common anti-virus applications do not yet cover. If you see new toolbars in
your Internet Explorer that you didn't intentionally install, if your browser
crashes, or if your browser start page has changed without your knowing, you
most probably have spyware. But even if you don't see anything, you may be
infected.

VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to 
ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The 
contents of the subject or message body do not matter. You will receive a 
confirmation request message to which you will have to answer. Alternatively 
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via 
the website.

If your email address has changed email listadmin@securityfocus.com and ask to 
be manually removed.

VII. SPONSOR INFORMATION
-----------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
