SecurityFocus Microsoft Newsletter #242
----------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Is Deleting Spyware A Crime?
II. MICROSOFT VULNERABILITY SUMMARY
1. PostNuke Blocks Module Directory Traversal Vulnerability
2. MetaCart E-Shop ProductsByCategory.ASP Cross-Site Scripting ...
3. Mozilla Suite And Firefox Multiple Script Manager Security B...
4. Mozilla Suite And Firefox DOM Property Overrides Code Execut...
5. War Times Remote Game Server Denial Of Service Vulnerability
6. Fastream NETFile FTP/Web Server FTP Bounce Vulnerability
7. IgnitionServer Entry Deletion Access Validation Checking Vul...
8. IgnitionServer Locked Channel Protected Operator Lockout Vul...
9. Microsoft IPV6 TCPIP Loopback LAND Denial of Service Vulnera...
10. MySQL mysql_install_db Insecure Temporary File Creation Vuln...
11. Microsoft HTML Help Workshop HHC.EXE HHA.DLL HHC Path Memory...
12. Avast! Antivirus Unspecified Scan Evasion Vulnerability
13. Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service ...
14. Microsoft Outlook HTML Email URI Spoofing Vulnerability
15. Groove Networks Groove Virtual Office File Extension Obfusca...
16. Groove Networks Groove Virtual Office SharePoint Lists Arbit...
17. Groove Networks Groove Virtual Office COM Object Security By...
18. Microsoft Word MCW File Handler Buffer Overflow Vulnerabilit...
19. Groove Networks Groove Mobile Workspace SharePoint Lists Arb...
20. NetWin SurgeMail Multiple Unspecified Input Validation Vulne...
21. ImageMagick And GraphicsMagick XWD Decoder Denial Of Service...
III. MICROSOFT FOCUS LIST SUMMARY
1. Encrypting remote files with EFS (Thread)
2. SecurityFocus Microsoft Newsletter #241 (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. CoreGuard Core Security System
2. KeyCaptor Keylogger
3. SpyBuster
4. FreezeX
5. NeoExec for Active Directory
6. Secrets Protector v2.03
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. tcpdump for Windows 1.0 beta
2. Assimilator 1.0.0
3. Cenzic Hailstorm 2.0
4. VForce 2.1.008
5. Multiple Interface Watcher 1.0
6. LC 5 5
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Is Deleting Spyware A Crime?
By Mark Rasch
The murky waters that sustain the spyware companies may have a few
unpleasant surprises just beneath the surface.
http://www.securityfocus.com/columnists/329
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. PostNuke Blocks Module Directory Traversal Vulnerability
BugTraq ID: 13636
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13636
Summary:
PostNuke Blocks module is affected by a directory traversal vulnerability.
The problem presents itself when an attacker passes a name for a target file,
along with directory traversal sequences, to the affected application.
An attacker may leverage this issue to disclose arbitrary files on an affected
computer. It was also reported that an attacker can supply NULL bytes with a
target file name. This may aid in other attacks such as crashing the server.
2. MetaCart E-Shop ProductsByCategory.ASP Cross-Site Scripting ...
BugTraq ID: 13639
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13639
Summary:
MetaCart e-Shop is prone to a cross-site scripting vulnerability. This issue
is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in
the browser of an unsuspecting user. This may facilitate the theft of
cookie-based authentication credentials as well as other attacks.
3. Mozilla Suite And Firefox Multiple Script Manager Security B...
BugTraq ID: 13641
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13641
Summary:
Multiple issues exist in Mozilla Suite and Firefox. These issues allow
attackers to bypass security checks in the script security manager.
Security checks in the script security manager are designed to prevent script
injection vulnerabilities.
An attacker sending certain undisclosed JavaScript in 'view-source:', and
'jar:' pseudo protocol URIs, may bypass these security checks.
An undisclosed, nested URI, as well as a variant of BID 13216 are reportedly
also able to bypass security checks.
These vulnerabilities allow remote attackers to execute script code with
elevated privileges, leading to the installation and execution of malicious
applications on an affected computer. Cross-site scripting, and other attacks
are also likely possible.
The vendor has not provided enough information to determine how many specific
instances of the issue were addressed, and has not clarified whether or not
they have addressed a single general vulnerability or multiple specific
vulnerabilities. This BID may be split into its separate issues as further
information is disclosed.
Further details are scheduled to be released in the future. This BID will be
updated at that time.
4. Mozilla Suite And Firefox DOM Property Overrides Code Execut...
BugTraq ID: 13645
Remote: Yes
Date Published: May 16 2005
Relevant URL: http://www.securityfocus.com/bid/13645
Summary:
Mozilla Suite and Mozilla Firefox are affected by a code execution
vulnerability. This issue is due to a failure in the application to properly
verify Document Object Model (DOM) property values.
An attacker may leverage this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable Web browser, ultimately
facilitating a compromise of the affected computer.
This issue is reportedly a variant of BID 13233. Further details are scheduled
to be released in the future, and this BID will be updated accordingly.
5. War Times Remote Game Server Denial Of Service Vulnerability
BugTraq ID: 13652
Remote: Yes
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13652
Summary:
War Times is susceptible to a remote denial of service vulnerability. This
issue is due to a failure of the application to properly bounds check
user-supplied network data prior to copying it into a fixed-size memory buffer.
This vulnerability allows remote attackers to crash the game server, denying
service to legitimate users.
Version 1.03, and prior are affected by this issue.
6. Fastream NETFile FTP/Web Server FTP Bounce Vulnerability
BugTraq ID: 13653
Remote: Yes
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13653
Summary:
NETFile FTP/Web Server is affected by an FTP Bounce issue that can allow remote
attackers to connect between the FTP server and an arbitrary port on another
computer.
This could result in the proxying of arbitrary requests by a user through the
system using the vulnerable FTP software.
This issue can allow attackers to bypass access controls and firewalls.
7. IgnitionServer Entry Deletion Access Validation Checking Vul...
BugTraq ID: 13654
Remote: Yes
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13654
Summary:
ignitionServer is prone to an issue that allows hosts to delete access entries
created by owners. This occurs because access validation is never performed
when the host deletes the entry.
This issue was addressed in ignitionServer 0.3.6-P1.
8. IgnitionServer Locked Channel Protected Operator Lockout Vul...
BugTraq ID: 13656
Remote: Yes
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13656
Summary:
ignitionServer is prone to an issue that can allow a user to lock a protected
operator out of an IRC channel. This issue occurs because a validation check
that should allow the protected operator to access the locked channel was not
included in the application.
This issue was addressed in ignitionServer 0.3.6-P1.
9. Microsoft IPV6 TCPIP Loopback LAND Denial of Service Vulnera...
BugTraq ID: 13658
Remote: Yes
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13658
Summary:
The Microsoft Windows IPV6 TCP/IP stack is prone to a "loopback" condition
initiated by sending a TCP packet with the "SYN" flag set and the source
address and port spoofed to equal the destination source and port.
When a packet of this type is handled, an infinite loop is initiated and the
affected system halts.
A remote attacker may exploit this issue to deny service for legitimate users.
This issue is reported to affect Microsoft Windows XP Service Pack 2, Windows
2003 Server Service Pack 1.
10. MySQL mysql_install_db Insecure Temporary File Creation Vuln...
BugTraq ID: 13660
Remote: No
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13660
Summary:
MySQL is reportedly affected by a vulnerability that can allow local attackers
to gain unauthorized access to the database or gain elevated privileges. This
issue results from a design error due to the creation of temporary files in an
insecure manner.
The vulnerability affects the 'mysql_install_db' script.
Due to the nature of the script it may be possible to create database accounts
or gain elevated privileges.
MySQL versions prior to 4.0.12 and MySQL 5.x releases 5.0.4 and prior versions
are reported to be affected.
11. Microsoft HTML Help Workshop HHC.EXE HHA.DLL HHC Path Memory...
BugTraq ID: 13668
Remote: Yes
Date Published: May 17 2005
Relevant URL: http://www.securityfocus.com/bid/13668
Summary:
The Microsoft HTML Help Workshop compiler tool, 'hhc.exe', is prone to a memory
corruption vulnerability.
Immediate consequences of exploitation of this issue result in an application
crash; this would not be considered a vulnerability. However, it may be
possible to subtly manipulate the contents of the affected registers so that an
exploitable code path is reached. This has not been confirmed.
This BID will be updated or retired when further investigation of this issue is
completed.
12. Avast! Antivirus Unspecified Scan Evasion Vulnerability
BugTraq ID: 13671
Remote: Yes
Date Published: May 18 2005
Relevant URL: http://www.securityfocus.com/bid/13671
Summary:
Avast! Antivirus is prone to an unspecified scan evasion vulnerability. Reports
indicate that the issue manifests because the software fails to properly handle
certain unspecified types of files.
This issue could result in a malicious executable file bypassing detection and
being executed, based on a false sense of trust, by a recipient.
No further details are available in regard to this issue. However, this BID
will be updated as soon as further information is made public.
13. Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service ...
BugTraq ID: 13676
Remote: Yes
Date Published: May 18 2005
Relevant URL: http://www.securityfocus.com/bid/13676
Summary:
A denial of service vulnerability exists for the TCP RFC 1323. The issue exists
in the Protection Against Wrapped Sequence Numbers (PAWS) technique that was
included to increase overall TCP performance.
When TCP 'timestamps' are enabled, both hosts at the endpoints of a TCP
connection employ internal clocks to mark TCP headers with a 'time stamp' value.
When TCP PAWS is configured to employ timestamp values, this functionality
exposes TCP PAWS implementations to a denial of service vulnerability.
The issue manifests if an attacker transmits a sufficient TCP PAWS packet to a
vulnerable computer. A large value is set by the attacker as the packet
timestamp. When the target computer processes this packet, the internal timer
is updated to the large attacker supplied value. This causes all other valid
packets that are received subsequent to an attack to be dropped as they are
deemed to be too old, or invalid. This type of attack will effectively deny
service for a target connection.
14. Microsoft Outlook HTML Email URI Spoofing Vulnerability
BugTraq ID: 13677
Remote: Yes
Date Published: May 18 2005
Relevant URL: http://www.securityfocus.com/bid/13677
Summary:
Microsoft Outlook is reportedly affected by a URI spoofing vulnerability. This
issue allows a URI in an email message to be misrepresented.
An attacker can trick users into following links to untursted sites, which can
lead to various attacks.
All versions of Microsoft Outlook are reportedly vulnerable to this issue.
It appeared that this issue allowed for address bar spoofing in Microsoft
Outlook, however, further analysis has revealed that this is not correct. This
functionality is included in HTML. This BID is being retired.
15. Groove Networks Groove Virtual Office File Extension Obfusca...
BugTraq ID: 13682
Remote: Yes
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13682
Summary:
Groove Virtual Office is affected by a vulnerability that allows remote
attackers to obfuscate file extensions of potentially malicious files.
The file extension of a specially crafted file may be obfuscated in a manner
that creates a false sense of security for a user.
The user may be inclined to open a malicious file that could lead to arbitrary
code execution. This may allow an attacker to gain unauthorized access to a
computer in the context of the vulnerable user.
16. Groove Networks Groove Virtual Office SharePoint Lists Arbit...
BugTraq ID: 13684
Remote: Yes
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13684
Summary:
Groove Virtual Office is affected by an arbitrary script injection
vulnerability.
User-supplied data is not properly sanitized from SharePoint lists and is
copied into Groove Mobile Workspace. This can allow an attacker to inject and
execute script code in the context of the application, which can lead to
various attacks.
17. Groove Networks Groove Virtual Office COM Object Security By...
BugTraq ID: 13685
Remote: Yes
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13685
Summary:
Groove Virtual Office is prone to a security bypass vulnerability with regards
to COM objects. Due to a failure in the application an attacker may be able to
bypass the security restrictions on COM objects and execute arbitrary code.
This issue has been addressed in Groove Virtual Office 3.1 build 2338, 3.1a
build 2364, and Groove Workspace Version 2.5n build 1871.
18. Microsoft Word MCW File Handler Buffer Overflow Vulnerabilit...
BugTraq ID: 13687
Remote: Yes
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13687
Summary:
Microsoft Word is prone to a buffer overflow vulnerability. The issue manifests
when a '.mcw' (MacWrite II/MS Word for Macintosh) file is processed.
It is conjectured that this issue may be exploited to execute arbitrary code in
the context of a user that processes a malicious file with the affected
software.
19. Groove Networks Groove Mobile Workspace SharePoint Lists Arb...
BugTraq ID: 13688
Remote: Yes
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13688
Summary:
Groove Virtual Office is affected by an arbitrary script injection
vulnerability.
User-supplied data is not properly sanitized from SharePoint lists and is
copied into Groove Mobile Workspace. This can allow an attacker to inject and
execute script code in the context of the application, which can lead to
various attacks.
20. NetWin SurgeMail Multiple Unspecified Input Validation Vulne...
BugTraq ID: 13689
Remote: Yes
Date Published: May 19 2005
Relevant URL: http://www.securityfocus.com/bid/13689
Summary:
Multiple unspecified vulnerabilities affect SurgeMail. Reportedly, these issues
are due to a failure of the application to properly sanitize user-supplied
input prior to employing it in critical locations including dynamic content. A
successful attack may allow attackers to execute arbitrary HTML and script code
in a user's browser.
SurgeMail 3.0c2 is reported to be affected by these issues. Other versions may
be vulnerable as well.
Due to a lack of details, further information cannot be provided at the moment.
This BID will be updated when more details are available.
21. ImageMagick And GraphicsMagick XWD Decoder Denial Of Service...
BugTraq ID: 13705
Remote: Yes
Date Published: May 21 2005
Relevant URL: http://www.securityfocus.com/bid/13705
Summary:
A remote, client-side denial of service vulnerability affects ImageMagick and
GraphicsMagick. This issue is due to a failure of the application to handle
malformed XWD image files.
A remote attacker may leverage this issue to cause the affected application to
enter into an infinite loop condition, consuming CPU resources on the affected
computer, denying service to legitimate users.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Encrypting remote files with EFS (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/398846
2. SecurityFocus Microsoft Newsletter #241 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/398515
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity * Block malicious code, including
zero-day exploits
2. KeyCaptor Keylogger
By: Keylogger Software
Platforms: MacOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keylogger-software.com/keylogger/keylogger.htm
Summary:
KeyCaptor is your solution for recording ALL keystrokes of ALL users on your
computer! Now you have the power to record emails, websites, documents, chats,
instant messages, usernames, passwords, and MUCH MORE!
With our advanced stealth technology, KeyCaptor will not show in your processes
list and cannot be stopped from running unless you say so!
3. SpyBuster
By: Remove Spyware
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.remove-spyware.com/spybuster.htm
Summary:
Our award winning spyware / adware scanner and removal software, SpyBuster will
scan your computer for over 4,000 known spyware and adware applications.
SpyBuster protects your computer from data stealing programs that can expose
your personal information.
SpyBuster scanning technology allows for a quick and easy sweep, so you can
resume your work in minutes.
4. FreezeX
By: Faronics Technologies USA Inc
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL: http://www.faronics.com/html/Freezex.asp
Summary:
FreezeX prevents all unauthorized programs, including viruses, keyloggers and
spy ware from executing. Powerful and secure, FreezeX ensures that any new
executable, program, or application that is downloaded, introduced via
removable media or the network will never install
5. NeoExec for Active Directory
By: NeoValens
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.neovalens.com
Summary:
NeoExec® is an operating system extension for Windows 2000/XP that allows the
setting of privileges at the application level rather than at the user level.
NeoExec® is the ideal solution for applications that require elevated
privileges to run as the privileges are granted to the application, not the
user.
NeoExec® is the only solution on the market capable of modifying at runtime the
processes' security context -- without requiring a second account as with RunAs
and RunAs-derived products.
6. Secrets Protector v2.03
By: E-CRONIS
Platforms: Windows 2000, Windows XP
Relevant URL: http://www.e-cronis.com/download/sp.exe
Summary:
It's the end of your worries about top-secret data of your company, your
confidential files or the pictures from the last party. All these will be
hidden beyond the reach of ANY intruder and you will be the only one able to
handle them. And what you want to delete will be DELETED. It is the ultimate
security tool to protect your sensitive information on PC, meeting the three
most important security issues: Integrity, Confidentiality and Availability.
This product gives you the features of a "folder locker" and a "secure eraser".
Your secret information is available only trough this software and there is no
other mean to access it. The information is protected at file system level and
it cannot be accidentally deleted or overwritten neither in Safe mode nor in
other operating system. This program doesn't make your operating system
unstable as other related product do and protects your information from being
seen, altered or deleted by an unauthorized user with or without his wish. The
program allows you to permanently erase your sensitive data using secure wiping
methods leaving no trace of your information. Depending on the selected wiping
method your data is unrecoverable using software or even hardware recovery
techniques.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. tcpdump for Windows 1.0 beta
By: microOLAP Technologies
Relevant URL: http://microolap.com/products/network/tcpdump/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
MicroOLAP TCPDUMP for Windows accurately reproduces all features of
the original tcpdump by LBNL's Network Research Group , developed for the UNIX
systems. Since MicroOLAP TCPDUMP for Windows is compiled with the Packet
Sniffer SDK,
it has the following advantages:
- does not require any third-party preinstalled drivers;
- works from the single 300K .EXE file;
- supports 1Gbit networks.
2. Assimilator 1.0.0
By: Black List Software
Relevant URL: http://hackinoutthebox.com/sub5.index.php
Platforms: Windows XP
Summary:
Assimilation is the result of assimilating something which is dissimilated. In
other words, assimilation is the result of making two dissimilar things
similar. Assimilation can be based on a baseline. A baseline is a standard or
protocol which is in place for the sake of governing events. In the case of
Assimilator v1.0.0, our baseline is a replication of the good processes which
run locally on our computers.
3. Cenzic Hailstorm 2.0
By: Cenzic, Inc.
Relevant URL: http://www.cenzic.com/prod_application_security.html
Platforms: Windows XP
Summary:
Cenzic Hailstorm automates penetration testing for your web applications.
Cenzic Hailstorm provides various groups ? Information Security, QA, and
Developers ? throughout the enterprise an ability to test applications for
security vulnerabilities, for enforcement of internal security policies, and
for regulatory compliancecrafted policy library to address new and unique
vulnerabilities.
4. VForce 2.1.008
By: Virtual Forge
Relevant URL: http://solutions.virtualforge.net/sol_download_en.php
Platforms: Windows NT, Windows XP
Summary:
V-Force is an instrument with whose help attacks on web server or applications
can be simulated and the results logged and analyzed.
5. Multiple Interface Watcher 1.0
By: Carsten Schmidt
Relevant URL: http://software.ccschmidt.de/#MIW
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
Multiple Interface Watcher is a graph utility that shows the utilisation of up
to 10 different interfaces. The data is requested from the devices using SNMP.
MIW is an advanced development of Interface Traffic Indicator that focuses more
on the utilization overview of many interfaces than on much information of one
interface.
6. LC 5 5
By: @stake
Relevant URL: http://www.atstake.com/products/lc/
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:
LC 5 is the latest version of L0phtCrack, the award-winning password auditing
and recovery application used by thousands of companies worldwide.
Using multiple assessment methods, LC 5 reduces security risk by helping
administrators to:
* Identify and remediate security vulnerabilities that result from the use
of weak or easily guessed passwords
* Recover Windows and Unix account passwords to access user and
administrator accounts whose passwords are lost or to streamline migration of
users to another authentication system
* Rapidly process accounts using pre-computed password tables* that contain
trillions of passwords
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
the website.
If your email address has changed email listadmin@securityfocus.com and ask to
be manually removed.
VII. SPONSOR INFORMATION
-----------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
