SecurityFocus Microsoft Newsletter #226
----------------------------------------
This Issue is Sponsored By: CrossTec
FREE Download - The Future in Desktop Firewalls is Available Now
NEW NetOp Desktop Firewall, the world's first driver-centric
firewall software - protecting your laptops and corporate PCs at
ring-zero! NetOp features sophisticated process & application
control, centralized management and multiple network user profiles -
NetOp is able to increase security when mobile users plug back
into your network. Step into a more secure future - Try it FREE
http://www.securityfocus.com/sponsor/CrossTec_ms-secnews_050201
------------------------------------------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Mobile Viruses
2. Microsoft's Velvet Glove
II. MICROSOFT VULNERABILITY SUMMARY
1. Golden FTP Server Remote Buffer Overflow Vulnerability
2. Help Desk Reloaded Unspecified Remote Vulnerability
3. RinetD select() Bit-Array Remote Buffer Overflow Vulnerabili...
4. NEC Socks5 select() Bit-Array Remote Buffer Overflow Vulnera...
5. PEiD Malformed PE File Remote Buffer Overflow Vulnerability
6. Bribble Unspecified Remote Authentication Bypass Vulnerabili...
7. Comersus Cart Multiple Vulnerabilities
8. PHPEventCalendar Multiple Remote HTML Injection Vulnerabilit...
9. Nullsoft Winamp Variant IN_CDDA.dll Remote Buffer Overflow V...
10. War FTP Daemon Remote Denial Of Service Vulnerability
11. SnugServer FTP Service Directory Traversal Vulnerability
12. Magic Winmail Server Multiple Vulnerabilities
13. University Of Washington IMAP Server CRAM-MD5 Remote Authent...
14. VooDoo CIRCLE NET_SEND Unspecified Vulnerability
15. IceWarp Web Mail Multiple Remote Vulnerabilities
III. MICROSOFT FOCUS LIST SUMMARY
1. Domain logon without network connection + group poli... (Thread)
2. Preventing multiple logins in 2003 (Thread)
3. RESPONSE: Users "bypassing" Group Policy restriction... (Thread)
4. Users "bypassing" Group Policy restrictions (Thread)
5. Dhcp security (Thread)
6. DSQuery on active directory (Thread)
7. ISA server logs (Thread)
8. SecurityFocus Microsoft Newsletter #225 (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. CoreGuard Core Security System
2. KeyCaptor Keylogger
3. SpyBuster
4. FreezeX
5. NeoExec for Active Directory
6. Secrets Protector v2.03
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. PE Explorer 1.96
2. Network Equipment Performance Monitor 2.2
3. Etherchange v1.0
4. IPFront 1.0
5. Azure Web Log 1.5
6. Interface Traffic Indicator 1.2.3
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Mobile Viruses
By Kelly Martin
Mobile viruses that spread through mobile phones are starting to appear,
but the big mobile virus epidemic is still a long ways off.
http://www.securityfocus.com/columnists/294
2. Microsoft's Velvet Glove
By Mark Burnett
Redmond's plan to make you install Windows authentication software before
downloading vital security patches is a reasonable and gentle effort to
limit piracy.
http://www.securityfocus.com/columnists/295
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Golden FTP Server Remote Buffer Overflow Vulnerability
BugTraq ID: 12333
Remote: Yes
Date Published: Jan 22 2005
Relevant URL: http://www.securityfocus.com/bid/12333
Summary:
Golden FTP Server is reported susceptible to a remote buffer overflow
vulnerability. This issue is due to a failure of the application to properly
bounds check user-supplied input data prior to copying it to an insufficiently
sized memory buffer.
This vulnerability allows remote attackers to execute arbitrary machine code in
the context of the vulnerable server application.
Versions prior to 2.05b are reportedly affected by this vulnerability.
2. Help Desk Reloaded Unspecified Remote Vulnerability
BugTraq ID: 12339
Remote: Yes
Date Published: Jan 24 2005
Relevant URL: http://www.securityfocus.com/bid/12339
Summary:
A remote unspecified vulnerability affects Help Desk Reloaded. Although the
underlying issue causing this vulnerability is unknown, due to the nature of
the affected software it is likely due to input validation failure. It may
facilitate cross-site scripting, HTML injection, remote file include, or SQL
injection attacks. It should be noted that this is not confirmed.
This BID will be updated as more details are released.
3. RinetD select() Bit-Array Remote Buffer Overflow Vulnerabili...
BugTraq ID: 12345
Remote: Yes
Date Published: Jan 24 2005
Relevant URL: http://www.securityfocus.com/bid/12345
Summary:
rinetd is prone to a remote buffer overflow due to implementation of the
'select()' system call. This issue could be exploited to cause a denial of
service or potentially execute arbitrary code.
4. NEC Socks5 select() Bit-Array Remote Buffer Overflow Vulnera...
BugTraq ID: 12350
Remote: Yes
Date Published: Jan 24 2005
Relevant URL: http://www.securityfocus.com/bid/12350
Summary:
NEC Socks5 is prone to a remote buffer overflow due to implementation of the
'select()' system call. This issue could be exploited to cause a denial of
service or potentially execute arbitrary code.
5. PEiD Malformed PE File Remote Buffer Overflow Vulnerability
BugTraq ID: 12355
Remote: Yes
Date Published: Jan 25 2005
Relevant URL: http://www.securityfocus.com/bid/12355
Summary:
A remote buffer overflow vulnerability reportedly affects PEiD. This issue is
due to a failure of the application to properly validate the length of
user-supplied strings prior to copying them into static process buffers.
An attacker who entices an unsuspecting user to load a maliciously crafted
Portable Executable (PE) file with the affected utility may exploit this issue.
An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This may
facilitate unauthorized access or privilege escalation.
6. Bribble Unspecified Remote Authentication Bypass Vulnerabili...
BugTraq ID: 12361
Remote: Yes
Date Published: Jan 25 2005
Relevant URL: http://www.securityfocus.com/bid/12361
Summary:
An unspecified remote authentication bypass vulnerability affects Bribble. The
underlying issue is currently unknown, however it is likely due to a design
error triggered during the authentication process.
An attacker can leverage this issue to gain administrator access to the
affected chat server.
7. Comersus Cart Multiple Vulnerabilities
BugTraq ID: 12362
Remote: Yes
Date Published: Jan 25 2005
Relevant URL: http://www.securityfocus.com/bid/12362
Summary:
Comersus Cart is reportedly affected by multiple vulnerabilities. There is a
possiblity of gaining administrator access due to a failure of the application
to remove an installation script after install. There is the possiblity of SQL
injection by passing a malicious HTTP referer header. There are also some
possible cross-site scripting issues.
The vendor has addressed these issues in Comersus Cart version 6.0.2; earlier
version are reportedly vulnerable.
8. PHPEventCalendar Multiple Remote HTML Injection Vulnerabilit...
BugTraq ID: 12363
Remote: Yes
Date Published: Jan 25 2005
Relevant URL: http://www.securityfocus.com/bid/12363
Summary:
Multiple remote HTML injection vulnerabilities affect phpEventCalendar. These
issues are due to a failure of the application to sanitize user supplied input
prior to including it in dynamically generated Web content.
An attacker may leverage these issues to execute arbitrary HTML and script code
in the browser of an unsuspecting user. This may facilitate the theft of
cookie-based authentication credentials as well as other attacks.
9. Nullsoft Winamp Variant IN_CDDA.dll Remote Buffer Overflow V...
BugTraq ID: 12381
Remote: Yes
Date Published: Jan 27 2005
Relevant URL: http://www.securityfocus.com/bid/12381
Summary:
A remote buffer overflow vulnerability affects the IN_CDDA.dll library of
Nullsoft's Winamp. This issue is due to a failure of the application to
properly validate the length of user-supplied strings prior to copying them
into finite process buffers. It should be noted that this issue is not related
to the issue outlined in BID 11730 (Nullsoft Winamp IN_CDDA.dll Remote Buffer
Overflow Vulnerability).
This issue will facilitate remote exploitation as an attacker may distribute
malicious play-list files and entice unsuspecting users to process them with
the affected application.
It should be noted that this issue was originally reported in BID 12245
(Nullsoft Winamp Multiple Unspecified Vulnerabilities). It has been assigned a
new BID due to the release of more information.
An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application.
10. War FTP Daemon Remote Denial Of Service Vulnerability
BugTraq ID: 12384
Remote: Yes
Date Published: Jan 27 2005
Relevant URL: http://www.securityfocus.com/bid/12384
Summary:
War FTP Daemon is reported prone to a remote denial of service vulnerability.
This issue arises because the application fails to handle exceptional
conditions in a proper manner.
War FTP Daemon 1.82.00-RC9 is reported prone to this issue. It is likely that
previous versions are vulnerable as well.
11. SnugServer FTP Service Directory Traversal Vulnerability
BugTraq ID: 12387
Remote: Yes
Date Published: Jan 27 2005
Relevant URL: http://www.securityfocus.com/bid/12387
Summary:
It is reported that the SnugServer FTP Service is susceptible to a directory
traversal vulnerability.
It is conjectured that this vulnerability allows a remote attacker to read and
write files outside of the FTP document root directory. An attacker may read
and write files with the privileges of the FTP server process.
12. Magic Winmail Server Multiple Vulnerabilities
BugTraq ID: 12388
Remote: Yes
Date Published: Jan 27 2005
Relevant URL: http://www.securityfocus.com/bid/12388
Summary:
Magic Winmail Server is reportedly affected by multiple vulnerabilities.
There are two distinct directory traversal vulnerabilities in the Webmail
interface allowing both arbitrary file downloads and uploads. There is also a
HTML injection vulnerability in the Webmail interface that could lead to the
theft of the administrator's session cookie.
There are several directory traversal vulnerabilities in the IMAP service
commands which could permit a malicious user to read arbitrary emails, create
or delete arbitrary files on the server and possibly retrieve arbitrary files
from the server.
Magic Winmail Server's FTP service also reportedly fails to properly verify the
IP address supplied by a user in a PORT command.
Magic Winmail Server version 4.0 (Build 1112) is reportedly affected by these
issues; earlier versions may also be vulnerable.
13. University Of Washington IMAP Server CRAM-MD5 Remote Authent...
BugTraq ID: 12391
Remote: Yes
Date Published: Jan 28 2005
Relevant URL: http://www.securityfocus.com/bid/12391
Summary:
A remote authentication bypass vulnerability affects the CRAM-MD5
authentication functionality of the University of Washington IMAP server. This
issue is due to a logic error that fails to properly validate authentication
attempts.
It should be noted that this issue only affects servers with CRAM-MD5
authentication enabled, which is not the case by default.
A remote attacker may leverage this issue to authenticate to the affected
server as any user.
14. VooDoo CIRCLE NET_SEND Unspecified Vulnerability
BugTraq ID: 12393
Remote: Yes
Date Published: Jan 28 2005
Relevant URL: http://www.securityfocus.com/bid/12393
Summary:
An unspecified vulnerability affects the NET_SEND command of VooDoo cIRCle.
The underlying issue causing this vulnerability is currently unknown.
The details available surrounding this issue are insufficient to provide a
detailed technical description. Furthermore the impact of this issue is also
unknown. This BID will be updated when more information is released.
15. IceWarp Web Mail Multiple Remote Vulnerabilities
BugTraq ID: 12396
Remote: Yes
Date Published: Jan 28 2005
Relevant URL: http://www.securityfocus.com/bid/12396
Summary:
Multiple remote vulnerabilities reportedly affect IceWarp Web Mail. The
underlying issues are due to input and access validation errors.
Multiple cross-site scripting and HTML injection vulnerabilities affect the
vulnerable software. The product is also vulnerable to a file creation with
arbitrary data vulnerability. Finally it is possible for an authenticated
attacker to move and read arbitrary files on an affected computer with the
privileges of the affected application.
An attacker may leverage these issues to move arbitrary files with the
privileges of the affected server, to carry out cross-site scripting and HTML
injection attacks and to create a file with arbitrary content. These issues
may lead to system wide denial of service as well as other attacks.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Domain logon without network connection + group poli... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/389106
2. Preventing multiple logins in 2003 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/389010
3. RESPONSE: Users "bypassing" Group Policy restriction... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/389009
4. Users "bypassing" Group Policy restrictions (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/388879
5. Dhcp security (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/388871
6. DSQuery on active directory (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/388832
7. ISA server logs (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/388627
8. SecurityFocus Microsoft Newsletter #225 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/388596
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity * Block malicious code, including
zero-day exploits
2. KeyCaptor Keylogger
By: Keylogger Software
Platforms: MacOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keylogger-software.com/keylogger/keylogger.htm
Summary:
KeyCaptor is your solution for recording ALL keystrokes of ALL users on your
computer! Now you have the power to record emails, websites, documents, chats,
instant messages, usernames, passwords, and MUCH MORE!
With our advanced stealth technology, KeyCaptor will not show in your processes
list and cannot be stopped from running unless you say so!
3. SpyBuster
By: Remove Spyware
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.remove-spyware.com/spybuster.htm
Summary:
Our award winning spyware / adware scanner and removal software, SpyBuster will
scan your computer for over 4,000 known spyware and adware applications.
SpyBuster protects your computer from data stealing programs that can expose
your personal information.
SpyBuster scanning technology allows for a quick and easy sweep, so you can
resume your work in minutes.
4. FreezeX
By: Faronics Technologies USA Inc
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL: http://www.faronics.com/html/Freezex.asp
Summary:
FreezeX prevents all unauthorized programs, including viruses, keyloggers and
spy ware from executing. Powerful and secure, FreezeX ensures that any new
executable, program, or application that is downloaded, introduced via
removable media or the network will never install
5. NeoExec for Active Directory
By: NeoValens
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.neovalens.com
Summary:
NeoExec® is an operating system extension for Windows 2000/XP that allows the
setting of privileges at the application level rather than at the user level.
NeoExec® is the ideal solution for applications that require elevated
privileges to run as the privileges are granted to the application, not the
user.
NeoExec® is the only solution on the market capable of modifying at runtime the
processes' security context -- without requiring a second account as with RunAs
and RunAs-derived products.
6. Secrets Protector v2.03
By: E-CRONIS
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.e-cronis.com/download/sp.exe
Summary:
It's the end of your worries about top-secret data of your company, your
confidential files or the pictures from the last party. All these will be
hidden beyond the reach of ANY intruder and you will be the only one able to
handle them. And what you want to delete will be DELETED. It is the ultimate
security tool to protect your sensitive information on PC, meeting the three
most important security issues: Integrity, Confidentiality and Availability.
This product gives you the features of a "folder locker" and a "secure eraser".
Your secret information is available only trough this software and there is no
other mean to access it. The information is protected at file system level and
it cannot be accidentally deleted or overwritten neither in Safe mode nor in
other operating system. This program doesn't make your operating system
unstable as other related product do and protects your information from being
seen, altered or deleted by an unauthorized user with or without his wish. The
program allows you to permanently erase your sensitive data using secure wiping
methods leaving no trace of your information. Depending on the selected wiping
method your data is unrecoverable using software or even hardware recovery
techniques.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. PE Explorer 1.96
By: Heaventools Software
Relevant URL: http://www.heaventools.com/overview.htm
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
PE Explorer is a tool for inspecting and editing the inner workings of Windows
32-bit executable files. It offers a look at PE file structure and all of the
resources in the file, and reports multiple details about a PE file (EXE, DLL,
ActiveX controls, and several other Windows executable formats). Once inside,
file structure can be analyzed and optimized, hostile code detected, spyware
tracked down, problems diagnosed, changes made and resources repaired.
2. Network Equipment Performance Monitor 2.2
By: Nova Software, Inc.
Relevant URL: http://www.nepm.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, Solaris, True64 UNIX, UNIX, Windows
2000, Windows NT, Windows XP
Summary:
NEPM is a very general, highly configurable, two part software system that
monitors any type of logged data from IP networked equipment and reports it via
E-mail and web pages. Current conditions and history from systems based on
Windows NT/2000 and UNIX can be tracked and reported. Most major server, switch
and router systems can be monitored, without running agents on the target
systems.
3. Etherchange v1.0
By: Arne Vidstrom
Relevant URL: http://www.ntsecurity.nu/toolbox/etherchange/
Platforms: Windows 2000, Windows XP
Summary:
EtherChange can change the Ethernet address of the network adapters in Windows
2000 / XP.
4. IPFront 1.0
By: Hernán M. Racciatti
Relevant URL: http://www.hernanracciatti.com.ar/ipfront/
Platforms: Windows 2000
Summary:
IPFront is a small tool named which enables users to generate IPSec rules
easily. It really speeds-up the process of hardening Windows 2000/2003 in
Bastion Host Environment.
Additionally, it allows to set-up IPSec exceptions, and enables a couple of
TCP/IP Stack protections against DoSes.
So, IPFront is nothing more than a small Frontend/GUI that writes small scripts
that one can later execute from within IPFront, or externally, as simple script
files, in other servers,
5. Azure Web Log 1.5
By: Azure Desktop
Relevant URL: http://www.azuredesktop.com/download/awlog.zip
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Log analyzer tells you all you want about your web site: What are the most
popular pages and files on your site? How many visitors are there and where are
they from? What browsers and OS they use? What is your sites traffic? Special
features:Statistics for a year. Separate statistics for every page or file -
daily hits for two last months, monthly hits for a year, referring site for
particular page or file. Multiple site statistics support.
6. Interface Traffic Indicator 1.2.3
By: Carsten Schmidt
Relevant URL: http://software.ccschmidt.de/#inftraffic
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
Interface Traffic Indicator, a graph utility to measure incoming and outgoing
traffic on an interface in bits/sec, bytes/sec or utilization. Works on all
SNMP-capable devices (computers, NICs, switches, routers, etc.) with adjustable
poll intervall down to three seconds. You can use this programm in a
professional network environment to monitor selected network interfaces (even
backplane ports if the device provides the information) or you can monitor your
home network or
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
the website.
If your email address has changed email listadmin@securityfocus.com and ask to
be manually removed.
VII. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: CrossTec
FREE Download - The Future in Desktop Firewalls is Available Now
NEW NetOp Desktop Firewall, the world's first driver-centric
firewall software - protecting your laptops and corporate PCs at
ring-zero! NetOp features sophisticated process & application
control, centralized management and multiple network user profiles -
NetOp is able to increase security when mobile users plug back
into your network. Step into a more secure future - Try it FREE
http://www.securityfocus.com/sponsor/CrossTec_ms-secnews_050201
------------------------------------------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
