Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Microsoft releases patches for 18 separate flaws

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Microsoft releases patches for 18 separate flaws
Date: Wed, 13 Apr 2005 05:16:42 -0500 (CDT) 
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,101033,00.html

By Jaikumar Vijayan 
APRIL 12, 2005 
COMPUTERWORLD

After a rare lull in March, Microsoft Corp. today released eight
security bulletins detailing fixes for 18 separate vulnerabilities
affecting a wide range of its software products.

Five of the patches released today under Microsoft's monthly patch
release program were for critical flaws, while the rest addressed less
serious issues in Microsoft's Windows, Internet Explorer, Exchange,
Messenger and Office products.

Among the more serious holes are those affecting Microsoft's IE Web
browser software, said Michael Sutton, director of vulnerability
research at iDefense Inc. a Reston, Va.-based security intelligence
firm that discovered two of the critical vulnerabilities disclosed
today.

One of the Internet Explorer flaws, described in Microsoft Security
Bulletin MS05-020 [1], results from the way in which IE handles
certain dynamic HTML objects, Sutton said. The flaw allows attackers
to construct a malicious Web page that could then be used to infect
the systems of those who visit the site.

"It is a condition that could result in the execution of arbitrary
code on a compromised system," Sutton said.

The other critical IE vulnerability, also detailed in Security
Bulletin MS05-020, results from the way Internet Explorer handles
certain URLs with very long host names. Host names over 250 characters
long can be used to trigger "input validation" errors that could allow
malicious hackers to take control of compromised systems. To exploit
this vulnerability, an attacker would need to either host a Web site
that contains a malicious Web page or compromise someone else's Web
site and have it display malicious content, according to Microsoft's
description of the flaw.

Though neither flaw is especially easy to exploit, iDefense has
developed proof-of-concept code in both instances, Sutton said.

Another of the critical vulnerabilities announced today affects
Microsoft's Exchange Server software, according to Security Bulletin
MS05-021 [2].

According to Microsoft, the flaw allows an attacker to connect to the
SMTP port on an Exchange server and issue a specially-crafted command
that could result in a denial-of-service attack or allow an attacker
to run malicious programs on the compromised system.

"The Exchange Server flaw is reasonably trivial to exploit," said Neel
Mehta, team lead for advanced research at Internet Security Systems
Inc.'s X-Force vulnerability research group in Atlanta.

"We are fairly concerned that an [exploit] could become available
soon" that takes advantage of the flaw, Mehta said.

Another vulnerability in MSN Messenger that could lead to remote code
execution was also rated as critical by Microsoft in Security Bulletin
MS05-022 [3].

[1] http://www.microsoft.com/technet/security/bulletin/MS05-020.mspx
[2] http://www.microsoft.com/technet/security/bulletin/MS05-021.mspx
[3] http://www.microsoft.com/technet/security/bulletin/MS05-022.mspx



_________________________________________
Network Security - http://www.auditmypc.com
Free vulnerability test - How secure is your computer?
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Microsoft releases patches for 18 separate flaws, InfoSec News <=
Previous by Date:  Re: [ISN] Linux report stirs hornets nest, InfoSec News
Next by Date:  [ISN] Clique and Dagger, InfoSec News
Previous by Thread:  [ISN] Security websites taken down by unhappy hackers, InfoSec News
Next by Thread:  [ISN] Clique and Dagger, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]