SecurityFocus Microsoft Newsletter #234
----------------------------------------
This Issue is Sponsored By: Wireless Security Conference
WIRELESS SECURITY CONFERENCE & EXPO is the nation's leading event for
corporate wireless security strategies and solutions. Learn everything you
need to help your company secure your corporate wireless networks and
mobile devices. Includes hands-on workshops, live hacking sessions, top
keynotes and more. Join hundreds of your colleagues, over 25 of the world's
top wireless security experts and our technology solutions expo. Expo pass
is free or use priority code WSCSFC to save $100 off conference rates.
April 19-21, 2005, Hyatt Regency Cambridge, Cambridge, MA. Conference
website is: www.wireless-security-conference.com
http://www.securityfocus.com/sponsor/WirelessSecurityConference_ms-secnews_050329
------------------------------------------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Owning A New Phone
2. Practical Certifications
II. MICROSOFT VULNERABILITY SUMMARY
1. Icecast XSL Parser Multiple Vulnerabilities
2. OllyDbg Library Module Name Denial Of Service Vulnerability
3. Proview Disassembler Long File Name Handling Denial of Servi...
4. Code Ocean Ocean FTP Server Remote Denial of Service Vulnera...
5. FileZilla FTP Server Multiple Remote Denial Of Service Vulne...
6. NetWin SurgeMail Multiple Remote HTML Injection and File Upl...
7. Phorum HTTP Response Splitting Vulnerability
8. Microsoft Windows Local Denial Of Service Vulnerability
9. Nortel Contivity VPN Client Local Password Disclosure Weakne...
10. ImageMagick SGI Parser Heap Overflow Vulnerability
11. ImageMagick TIFF Image File Unspecified Denial Of Service Vu...
12. ImageMagick TIFF Image Tag Denial Of Service Vulnerability
13. Imagemagick Photoshop Document Parsing Unspecified Denial of...
14. Invision Power Board HTML Injection Vulnerability
15. Microsoft Windows XP TSShutdn.exe Remote Denial of Service V...
16. Cerulean Studios Trillian Multiple Remote HTTP Response Buff...
17. CDRTools CDRecord Local Insecure File Creation Vulnerability
18. Maxthon Web Browser Search Bar Information Disclosure Vulner...
III. MICROSOFT FOCUS LIST SUMMARY
1. quarantine vpn clients (Thread)
2. New Malware Approach - Any Experience With / Opinion... (Thread)
3. Citrix vs Terminal Services? (Thread)
4. Windows firewall scopes for notebook users ex office... (Thread)
5. SecurityFocus Microsoft Newsletter #233 (Thread)
6. RADIUS authentication from GINA Windows logon? (Thread)
7. SQLRecon released by Special Ops Labs!!! (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. CoreGuard Core Security System
2. KeyCaptor Keylogger
3. SpyBuster
4. FreezeX
5. NeoExec for Active Directory
6. Secrets Protector v2.03
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. TextKeeper 5.0
2. DeSPAM Tunnel 3.0.0
3. Mac Makeup 1.71d
4. Healthmonitor 2.1
5. Kr4ck3r 1.0.0
6. WinArpSpoofer 0.5.3
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Owning A New Phone
By Scott Granneman
Recent mobile phone and Bluetooth hacks, and the public's response to them,
show us how the average person really looks at security.
http://www.securityfocus.com/columnists/310
2. Practical Certifications
By Don Parker
Recent changes to the GIAC makes one question the value of certification
for the security industry.
http://www.securityfocus.com/columnists/311
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Icecast XSL Parser Multiple Vulnerabilities
BugTraq ID: 12849
Remote: Yes
Date Published: Mar 18 2005
Relevant URL: http://www.securityfocus.com/bid/12849
Summary:
Icecast is reported prone to multiple vulnerabilities. The following individual
issues are reported:
Icecast XSL parser is reported to be prone to a buffer overflow vulnerability.
This issue exists due to a lack of sufficient boundary checks performed on
certain XSL tag values before copying these values into a finite buffer in
process memory. It is reported that the vulnerability manifests when a
malicious XSL file is parsed by the affected software.
This issue may potentially be exploited to deny service for legitimate users or
potentially execute arbitrary code in the context of the user that is running
the affected software. This is not confirmed.
It is reported that the Icecast XSL parser is prone to an information
disclosure vulnerability. It is reported that the parser fails to parse XSL
files when a request for such a file is appended with a dot '.' character.
A remote attacker may exploit this vulnerability to disclose the contents of
XSL files that can be requested publicly.
These vulnerabilities are reported to affect Icecast version 2.20, other
versions might also be affected.
2. OllyDbg Library Module Name Denial Of Service Vulnerability
BugTraq ID: 12850
Remote: Yes
Date Published: Mar 19 2005
Relevant URL: http://www.securityfocus.com/bid/12850
Summary:
OllyDbg is reported prone to a denial of service vulnerability. It is reported
that the issue manifests when a target process that is being debugged attempts
to load a library module that has a superfluous filename.
An attacker may exploit this vulnerability to deny service to OllyDbg users.
This vulnerability is reported to affect OllyDbg version 1.10 (final version)
and prior versions.
3. Proview Disassembler Long File Name Handling Denial of Servi...
BugTraq ID: 12856
Remote: Yes
Date Published: Mar 21 2005
Relevant URL: http://www.securityfocus.com/bid/12856
Summary:
Proview Disassembler (PVDasm) is reported prone to a remote denial of service
vulnerability.
The issue presents itself when the application handles a file with a long name.
Reportedly, this can cause PVDasm to crash resulting in a denial of service
condition.
It is not known whether this vulnerability can be leveraged to execute
arbitrary code. This BID will be updated when more information becomes
available.
PVDasm 1.6b Beta and prior versions are affected by this issue.
4. Code Ocean Ocean FTP Server Remote Denial of Service Vulnera...
BugTraq ID: 12859
Remote: Yes
Date Published: Mar 21 2005
Relevant URL: http://www.securityfocus.com/bid/12859
Summary:
Ocean FTP Server is reported prone to a remote denial of service vulnerability.
It is reported that an attacker may cause the server to crash by establishing
an excessive number of simultaneous connections. This may result in a crash or
hang due to resource exhaustion.
Ocean FTP Server 1.0 is reported vulnerable. It is possible that other
versions are affected as well.
5. FileZilla FTP Server Multiple Remote Denial Of Service Vulne...
BugTraq ID: 12865
Remote: Yes
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12865
Summary:
The FileZilla FTP server is reported prone to multiple remote denial of service
vulnerabilities. The following individual issues are reported:
It is reported that FileZilla fails to gracefully handle FTP requests that
contain reserved MS-DOS device names. A remote authenticated attacker may
exploit this vulnerability to deny service for legitimate users.
Finally, it is reported that the FileZilla FTP server may be influenced into
entering an infinite loop. A remote authenticated attacker may exploit this
vulnerability to deny service for legitimate users.
6. NetWin SurgeMail Multiple Remote HTML Injection and File Upl...
BugTraq ID: 12866
Remote: Yes
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12866
Summary:
Multiple remote file upload and HTML injection vulnerabilities affect NetWin
SurgeMail. The underlying causes of these issues are a failure ot sanitize
user-supplied input and a failure to securely handle the file upload
functionality.
These issues may be leverage to upload arbitrary files into arbitrary locations
writable to the affected application and carry out HTML injection attacks
against the SurgeMail administrator. This may facilitate theft of credentials
and potentially compromise of the email server.
7. Phorum HTTP Response Splitting Vulnerability
BugTraq ID: 12869
Remote: Yes
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12869
Summary:
A remote HTTP response splitting vulnerability reportedly affects Phorum. This
issue is due to a failure of the application to properly sanitize user-supplied
input.
A remote attacker may exploit this vulnerability to influence or misrepresent
how web content is served, cached or interpreted.
This issue was reported to affect Phorum version 5.0.14a; other versions might
also be affected.
8. Microsoft Windows Local Denial Of Service Vulnerability
BugTraq ID: 12870
Remote: No
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12870
Summary:
It is reported that Microsoft Windows XP Service Pack 1 is prone to a local
denial of service vulnerability.
The issue is reported to manifest when a raw IP over IP socket is created and
data is transferred over the newly created socket.
It is reported that this operation causes the kernel of the Windows computer to
crash, resulting in the computer rebooting. If this issue can be triggered
reliably, a local attacker may exploit the issue to deny service for legitimate
users.
Further investigation into this issue is ongoing; this BID will be updated as
soon as more details are available.
9. Nortel Contivity VPN Client Local Password Disclosure Weakne...
BugTraq ID: 12871
Remote: No
Date Published: Mar 22 2005
Relevant URL: http://www.securityfocus.com/bid/12871
Summary:
Nortel Contivity VPN Client for Microsoft Windows platforms is reported prone
to a local pre-shared key (password) disclosure weakness. It is reported that
the VPN user and group password is stored in the memory image of the process in
plain-text format.
Credentials that are harvested through the exploitation of this weakness may
then be used to aid in further attacks.
This weakness is reported to affect Nortel Contivity VPN Client version 5.01
for Microsoft Windows, versions for the Linux platform are not reported to be
vulnerable. Other versions might also be affected.
10. ImageMagick SGI Parser Heap Overflow Vulnerability
BugTraq ID: 12873
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12873
Summary:
ImageMagick is prone to a heap-based buffer overflow vulnerability. This
vulnerability exists in the SGI image file parser.
Successful exploitation may result in execution of arbitrary code. This issue
may potentially be exploited through the ImageMagick application or in other
applications that import the SGI image file parser component.
It is noted that the SGI codec is enabled by default in ImageMagick.
11. ImageMagick TIFF Image File Unspecified Denial Of Service Vu...
BugTraq ID: 12874
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12874
Summary:
A remote, client-side denial of service vulnerability affects ImageMagick.
This issue is likely due to a failure of the application to handle malformed
TIFF image files.
A remote attacker may leverage this issue to cause the affected application to
crash, potentially causing a loss of data denying service to legitimate users.
12. ImageMagick TIFF Image Tag Denial Of Service Vulnerability
BugTraq ID: 12875
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12875
Summary:
A remote, client-side denial of service vulnerability affects ImageMagick.
This issue is likely due to a failure of the application to handle malformed
TIFF image files.
A remote attacker may leverage this issue to cause the affected application to
crash, potentially causing a loss of data, and denying service to legitimate
users.
13. Imagemagick Photoshop Document Parsing Unspecified Denial of...
BugTraq ID: 12876
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12876
Summary:
A remote, client-side denial of service vulnerability affects ImageMagick.
This issue is likely due to a failure of the application to handle malformed
PSD files.
A remote attacker may leverage this issue to cause the affected application to
crash, potentially causing a loss of data denying service to legitimate users.
14. Invision Power Board HTML Injection Vulnerability
BugTraq ID: 12888
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12888
Summary:
Invision Power Board is reported prone to an HTML injection vulnerability.
This issue arises due to insufficient sanitization of user-supplied data.
It is reported that due to a lack of filtering of HTML tags, an attacker can
inject an IFRAME through an HTTP POST request.
All version of Invision Power Board are considered vulnerable at the moment.
This BID will be updated when more information is available.
15. Microsoft Windows XP TSShutdn.exe Remote Denial of Service V...
BugTraq ID: 12889
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12889
Summary:
Microsoft Windows XP is prone to a remote denial of service vulnerability.
This issue can allow a remote unauthorized user to shutdown an affected
computer.
A remote attacker uses the TSShutdn.exe command to restart or shutdown a
computer.
It should be noted that the exploitation of this vulnerability may require the
attacker to be part of the same domain. This BID will be updated when more
information is available.
Microsoft Windows XP Service Pack 1 is affected by this issue.
16. Cerulean Studios Trillian Multiple Remote HTTP Response Buff...
BugTraq ID: 12890
Remote: Yes
Date Published: Mar 23 2005
Relevant URL: http://www.securityfocus.com/bid/12890
Summary:
It is reported that Trillian is susceptible to multiple remote HTTP response
buffer overflow vulnerabilities. These issues are due to a failure of the
application to properly bounds check user-supplied data prior to copying it
into fixed-sized memory buffers.
It is reported that multiple Trillian modules likely share the same code for
making HTTP requests, and therefore multiple modules are vulnerable to the same
attack.
Remote attackers may exploit these vulnerabilities to execute arbitrary machine
code in the context of vulnerable Trillian clients.
Several of these vulnerabilities are reportedly fixed in version 3.0 of
Trillian. Versions 3.0 and 3.1 remain affected by multiple issues in its Yahoo!
component. Versions 2.0 up to, but not including 3.0 are reported to be
affected in multiple components.
17. CDRTools CDRecord Local Insecure File Creation Vulnerability
BugTraq ID: 12891
Remote: No
Date Published: Mar 24 2005
Relevant URL: http://www.securityfocus.com/bid/12891
Summary:
A local insecure file creation vulnerability affects cdrtools cdrecord. This
issue is due to a failure of the application to securely create and write to
various files.
An attacker may leverage this issue to corrupt arbitrary files with the
privileges of an unsuspecting user that activates the application.
18. Maxthon Web Browser Search Bar Information Disclosure Vulner...
BugTraq ID: 12898
Remote: Yes
Date Published: Mar 25 2005
Relevant URL: http://www.securityfocus.com/bid/12898
Summary:
Maxthon Web Browser is reported prone to an information disclosure
vulnerability. This issue may allow an attacker to disclose search bar
contents from an affected browser.
Information disclosed through the exploitation of this vulnerability may aid an
attacker in carrying out other attacks against a vulnerable computer.
Maxthon Web Browser 1.2.0 is reported to be vulnerable to this issue. Prior
versions may be affected as well.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. quarantine vpn clients (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/394402
2. New Malware Approach - Any Experience With / Opinion... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/394346
3. Citrix vs Terminal Services? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/394345
4. Windows firewall scopes for notebook users ex office... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/394343
5. SecurityFocus Microsoft Newsletter #233 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/394041
6. RADIUS authentication from GINA Windows logon? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/394039
7. SQLRecon released by Special Ops Labs!!! (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/393911
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity * Block malicious code, including
zero-day exploits
2. KeyCaptor Keylogger
By: Keylogger Software
Platforms: MacOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keylogger-software.com/keylogger/keylogger.htm
Summary:
KeyCaptor is your solution for recording ALL keystrokes of ALL users on your
computer! Now you have the power to record emails, websites, documents, chats,
instant messages, usernames, passwords, and MUCH MORE!
With our advanced stealth technology, KeyCaptor will not show in your processes
list and cannot be stopped from running unless you say so!
3. SpyBuster
By: Remove Spyware
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.remove-spyware.com/spybuster.htm
Summary:
Our award winning spyware / adware scanner and removal software, SpyBuster will
scan your computer for over 4,000 known spyware and adware applications.
SpyBuster protects your computer from data stealing programs that can expose
your personal information.
SpyBuster scanning technology allows for a quick and easy sweep, so you can
resume your work in minutes.
4. FreezeX
By: Faronics Technologies USA Inc
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL: http://www.faronics.com/html/Freezex.asp
Summary:
FreezeX prevents all unauthorized programs, including viruses, keyloggers and
spy ware from executing. Powerful and secure, FreezeX ensures that any new
executable, program, or application that is downloaded, introduced via
removable media or the network will never install
5. NeoExec for Active Directory
By: NeoValens
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.neovalens.com
Summary:
NeoExec® is an operating system extension for Windows 2000/XP that allows the
setting of privileges at the application level rather than at the user level.
NeoExec® is the ideal solution for applications that require elevated
privileges to run as the privileges are granted to the application, not the
user.
NeoExec® is the only solution on the market capable of modifying at runtime the
processes' security context -- without requiring a second account as with RunAs
and RunAs-derived products.
6. Secrets Protector v2.03
By: E-CRONIS
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.e-cronis.com/download/sp.exe
Summary:
It's the end of your worries about top-secret data of your company, your
confidential files or the pictures from the last party. All these will be
hidden beyond the reach of ANY intruder and you will be the only one able to
handle them. And what you want to delete will be DELETED. It is the ultimate
security tool to protect your sensitive information on PC, meeting the three
most important security issues: Integrity, Confidentiality and Availability.
This product gives you the features of a "folder locker" and a "secure eraser".
Your secret information is available only trough this software and there is no
other mean to access it. The information is protected at file system level and
it cannot be accidentally deleted or overwritten neither in Safe mode nor in
other operating system. This program doesn't make your operating system
unstable as other related product do and protects your information from being
seen, altered or deleted by an unauthorized user with or without his wish. The
program allows you to permanently erase your sensitive data using secure wiping
methods leaving no trace of your information. Depending on the selected wiping
method your data is unrecoverable using software or even hardware recovery
techniques.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. TextKeeper 5.0
By: HardwareCrasher
Relevant URL: http://members.lycos.co.uk/textkeeper/tkup.zip
Platforms: Windows 2000, Windows 95/98, Windows XP
Summary:
Encrypts text using numeric combinations and two algorithms, One of the
algorithms uses 5 different numeric combinations.
2. DeSPAM Tunnel 3.0.0
By: The German Computer Freaks (Du-Nu)
Relevant URL: http://www.gcf.de/projects/despam.zip
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
This program is a tunnel for pop3 connections and filters spam during the
pop3-download of emails automatically. To determine whether an email is UCE it
evaluates the content of each email that passes the tunnel statistically. Its
intelligent wordparsing filter "backMatch" even matches buzzwords that contain
characters which have been replaced by similar looking special chars to avoid
being filtered.
3. Mac Makeup 1.71d
By: Marcello Gorlani
Relevant URL: http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
Platforms: Windows 2000, Windows XP
Summary:
Did you ever get bored with your old MAC address? If you did, this is the
solution! Mac MakeUp let?s you change the MAC address of any of the interfaces
present on your Windows 2000/XP/2003 box.
Sometimes this is referred as MAC address spoofing.
4. Healthmonitor 2.1
By: Vittorio Pavesi
Relevant URL: http://healthmonitor.sourceforge.net
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
HealthMonitor is a free powerful and featureful monitoring tool for Windows.
It works as a Windows Service and check system status (event viewer, disk free
space, services status, performance....) and notify the administration by
E-Mail, SMS and by NET SEND; a database logging feature is also available. It
is under constant development, and releases are usually frequent. The latest
news regarding HealthMonitor can be found on Sourceforge.
5. Kr4ck3r 1.0.0
By: Black List Software
Relevant URL: http://hackinoutthebox.com/sub4.index.php
Platforms: Windows XP
Summary:
This is the ultimate MD5 cracker having both a built-in brute-force and
dictionary attack functionality.
6. WinArpSpoofer 0.5.3
By: Gordon Ahn
Relevant URL: http://www.nextsecurity.net/downloads/winarpspoof/WinArpSpoof.zip
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
Windows ARP Spoofer (WinArpSpoof) is a program that can scan the computers
including network devices and can spoof their ARP tables on local area network
and can act as a router while pulling all packets on LAN. In addition, traffic
information through this program is measured.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
the website.
If your email address has changed email listadmin@securityfocus.com and ask to
be manually removed.
VII. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: Wireless Security Conference
WIRELESS SECURITY CONFERENCE & EXPO is the nation's leading event for
corporate wireless security strategies and solutions. Learn everything you
need to help your company secure your corporate wireless networks and
mobile devices. Includes hands-on workshops, live hacking sessions, top
keynotes and more. Join hundreds of your colleagues, over 25 of the world's
top wireless security experts and our technology solutions expo. Expo pass
is free or use priority code WSCSFC to save $100 off conference rates.
April 19-21, 2005, Hyatt Regency Cambridge, Cambridge, MA. Conference
website is: www.wireless-security-conference.com
http://www.securityfocus.com/sponsor/WirelessSecurityConference_ms-secnews_050329
------------------------------------------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
