News

Thursday, April 05, 2007

SecurityFocus Microsoft Newsletter #336

SecurityFocus Microsoft Newsletter #336
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!"- SPI Dynamics White Paper
It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CkvN


SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1. Metasploit 3.0 day
2. Blanket Discovery for Stolen Laptops
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft April 2007 Advance Notification Multiple Vulnerabilities
2. Microsoft Windows Unspecified Remote Code Execution Vulnerability
3. Kaspersky Internet Security Suite Klif.SYS Driver Local Heap Overflow Vulnerability
4. Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File Exfiltration Vulnerability
5. VMware Unspecified Double Free Memory Corruption Vulnerability
6. Microsoft Windows Explorer BMP Image Denial of Service Vulnerability
7. IrfanView Multiple BMP Denial of Service Vulnerabilities
8. ACDSee 9.0 Photo Manager Multiple BMP Denial of Service Vulnerabilities
9. FastStone Image Viewer Multiple BMP Denial of Service Vulnerabilities
10. Microsoft Windows Vista Teredo UDP Nonce Spoofing Weakness
11. ImageMagick XGetPixel/XInitImage Multiple Integer Overflow Vulnerabilities
12. Microsoft Windows Vista Neighbor Discovery Spoofing Vulnerability
13. Microsoft Vista Spoof On Bridge HELLO Packet Security Restriction Bypass Vulnerability
14. Microsoft Vista Spoofed LLTD HELLO Packet Security Restriction Bypass Vulnerability
15. Microsoft Windows Graphics Rendering Engine EMF File Privilege Escalation Vulnerability
16. Microsoft Windows GDI Invalid Window Size Local Privilege Escalation Vulnerability
17. Microsoft Windows Graphics Device Interface Font Rasterizer Local Privilege Escalation Vulnerability
18. Microsoft Windows GDI WMF Remote Denial of Service Vulnerability
19. Microsoft Windows Graphics Rendering Engine GDI Local Privilege Escalation Vulnerability
20. Microsoft Windows Vista LLTD Mapper EMIT Packet Remote Denial Of Service Vulnerability
21. Microsoft Windows Vista Teredo Protocol Insecure Connection Weakness
22. Microsoft Windows Vista ARP table Entries Denial of Service Vulnerability
23. Microsoft Windows Vista LLTD Responder Discovery Packet Spoofing Vulnerability
24. Ipswitch WS_FTP Long Site Command Buffer Overflow Vulnerability
25. RETIRED: Microsoft Windows SVCHost.EXE Remote Buffer Overflow Vulnerability
26. ImageMagic Multiple Integer Overflow Vulnerabilities
27. FastStone Image Viewer Unspecified Buffer Overflow Vulnerability
28. Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
29. NaviCopa Web Server GET Request Buffer Overflow Vulnerability
30. Microsoft Internet Explorer HTML Denial of Service Vulnerability
31. Corel WordPerfect Office PRS Stack Buffer Overflow Vulnerability
32. IBM Lotus Domino Web Access Email Message HTML Injection Vulnerability
33. SignKorea SKCommAX ActiveX Control Remote Buffer Overflow Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Discovering Active Direcory users with blank passwords
2. SecurityFocus Microsoft Newsletter #335 (fwd)
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Metasploit 3.0 day
By Federico Biancuzzi
The Metasploit Framework is a development platform for creating security tools and exploits. Federico Biancuzzi interviewed H D Moore to discuss what's new in release 3.0, the new license of the framework, plans for features and exploits development, and the links among the bad guys and Metasploit and the law.
http://www.securityfocus.com/columnists/439

2. Blanket Discovery for Stolen Laptops
By Mark Rasch
Mark Rasch discusses the legal issues behind the discovery and recovery of stolen laptops that use LoJack-style homing devices to announce their location, and the location of the thieves, anywhere in the world.
http://www.securityfocus.com/columnists/438


II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Microsoft April 2007 Advance Notification Multiple Vulnerabilities
BugTraq ID: 23335
Remote: Yes
Date Published: 2007-04-05
Relevant URL: http://www.securityfocus.com/bid/23335
Summary:
Microsoft has released advance notification that the vendor will be releasing five security bulletins on April 10, 2007. The highest severity rating for these issues is 'Critical'.

Further details about these issues are not currently available. Individual BIDs will be created for each issue; this record will be removed when the security bulletins are released.

2. Microsoft Windows Unspecified Remote Code Execution Vulnerability
BugTraq ID: 23332
Remote: Yes
Date Published: 2007-04-05
Relevant URL: http://www.securityfocus.com/bid/23332
Summary:
Microsoft Windows is prone to an unspecified remote code-execution vulnerability. Exploiting this issue reportedly requires minimal user interaction.

Successfully exploiting this issue allows attackers to execute arbitrary code, facilitating the remote compromise of affected computers.

Currently, little is known about this issue. This BID will be updated as more information becomes available.

3. Kaspersky Internet Security Suite Klif.SYS Driver Local Heap Overflow Vulnerability
BugTraq ID: 23326
Remote: No
Date Published: 2007-04-04
Relevant URL: http://www.securityfocus.com/bid/23326
Summary:
Kaspersky Internet Security Suite is prone to a heap-overflow vulnerability because it fails to perform sufficient boundary checks on user-supplied data before copying it to a buffer.

An attacker could leverage this issue to have arbitrary code execute with kernel level privileges. A successful exploit could result in the complete compromise of the affected system.

Kaspersky Internet Security Suite version 6.0.1.411 for Microsoft Windows is reported vulnerable; previous versions may be vulnerable as well.

4. Kaspersky AntiVirus SysInfo ActiveX Control Arbitrary File Exfiltration Vulnerability
BugTraq ID: 23325
Remote: Yes
Date Published: 2007-04-05
Relevant URL: http://www.securityfocus.com/bid/23325
Summary:
Kaspersky AntiVirus is prone to an arbitrary file exfiltration vulnerability.

An attacker can exploit this issue to steal files from a victim machine.

This issue affects Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0.

5. VMware Unspecified Double Free Memory Corruption Vulnerability
BugTraq ID: 23323
Remote: Yes
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23323
Summary:
VMware is prone to a double-free memory-corruption vulnerability.

An attacker can exploit this issue to access potentially sensitive information or to cause denial-of-service conditions. Presumably, this issue can be leveraged to execute arbitrary code, but this has not been confirmed.

6. Microsoft Windows Explorer BMP Image Denial of Service Vulnerability
BugTraq ID: 23321
Remote: Yes
Date Published: 2007-04-04
Relevant URL: http://www.securityfocus.com/bid/23321
Summary:
Windows explorer is prone to a denial-of-service vulnerability.

There are very few details regarding this issue. This BID will be updated as further information becomes available.

An attacker could exploit this issue to cause denial-of-service conditions on a victim computer. It is conjectured that this issue may be the result of a buffer-overflow, however, this has not been confirmed.

This issue affects Windows XP SP1; other operating systems and versions may be affected.

7. IrfanView Multiple BMP Denial of Service Vulnerabilities
BugTraq ID: 23318
Remote: Yes
Date Published: 2007-04-04
Relevant URL: http://www.securityfocus.com/bid/23318
Summary:
IrfanView is prone to multiple denial-of-service vulnerabilities. These issues are due to a failure of the application to properly handle malformed BMP image files.

Successfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

Version 3.99 of the application is affected, other versions may also be vulnerable.

8. ACDSee 9.0 Photo Manager Multiple BMP Denial of Service Vulnerabilities
BugTraq ID: 23317
Remote: Yes
Date Published: 2007-04-04
Relevant URL: http://www.securityfocus.com/bid/23317
Summary:
ACDSee 9.0 Photo Manager is prone to multiple denial-of-service vulnerabilities because the application fails to properly handle malformed BMP image files.

Successfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

Version 9.0 of the application is affected; other versions may also be vulnerable.

9. FastStone Image Viewer Multiple BMP Denial of Service Vulnerabilities
BugTraq ID: 23312
Remote: Yes
Date Published: 2007-04-04
Relevant URL: http://www.securityfocus.com/bid/23312
Summary:
FastStone Image Viewer is prone to multiple denial-of-service vulnerabilities because the application fails to properly handle malformed BMP image files.

Successfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.

Version 2.9 of the application is affected; other versions may also be vulnerable.

10. Microsoft Windows Vista Teredo UDP Nonce Spoofing Weakness
BugTraq ID: 23301
Remote: Yes
Date Published: 2007-04-04
Relevant URL: http://www.securityfocus.com/bid/23301
Summary:
Windows Vistsa Teredo server is prone to a nonce-spoofing weakness due to its use of a nonce during the lifetime of certain connections.

This weakness can aid in attempts to spoof a Teredo server.

11. ImageMagick XGetPixel/XInitImage Multiple Integer Overflow Vulnerabilities
BugTraq ID: 23300
Remote: Yes
Date Published: 2007-04-04
Relevant URL: http://www.securityfocus.com/bid/23300
Summary:
ImageMagick is prone to multiple integer-overflow vulnerabilities because it fails to properly validate user-supplied data.

An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.

12. Microsoft Windows Vista Neighbor Discovery Spoofing Vulnerability
BugTraq ID: 23293
Remote: Yes
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23293
Summary:
Microsoft Windows Vista is prone to a discovery-spoofing vulnerability.

An attacker can exploit this issue to conduct redirect attacks on another host on the network. This may lead to further attacks.

Note that to exploit this issue, the attacker must have access to the local network segment of a target computer.

13. Microsoft Vista Spoof On Bridge HELLO Packet Security Restriction Bypass Vulnerability
BugTraq ID: 23280
Remote: Yes
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23280
Summary:
The Microsoft Vista operating system is prone to a security-restriction-bypass vulnerability because the software fails to properly sanitize user-supplied packet-level data.

Attackers can exploit this issue to bypass the security restrictions and gain unauthorized access to restricted sites. This may allow attackers to bypass the security restrictions enforced by the Microsoft Vista operating system.

14. Microsoft Vista Spoofed LLTD HELLO Packet Security Restriction Bypass Vulnerability
BugTraq ID: 23279
Remote: Yes
Date Published: 2007-04-02
Relevant URL: http://www.securityfocus.com/bid/23279
Summary:
The Microsoft Windows Vista operating system is prone to a security-restriction-bypass vulnerability because the software fails to properly sanitize user-supplied packet-level data.

Attackers can exploit this issue to bypass the security restrictions and gain unauthorized access to restricted sites. This may allow attackers to bypass the security restrictions enforced by the Vista operating system.

15. Microsoft Windows Graphics Rendering Engine EMF File Privilege Escalation Vulnerability
BugTraq ID: 23278
Remote: No
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23278
Summary:
Microsoft Windows Graphics Rendering Engine is prone to a local privilege-escalation vulnerability when rendering malformed EMF image files.

An attacker may exploit this issue to execute arbitrary code with SYSTEM-level privileges, facilitating the complete compromise of affected computers.

16. Microsoft Windows GDI Invalid Window Size Local Privilege Escalation Vulnerability
BugTraq ID: 23277
Remote: No
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23277
Summary:
Microsoft Windows is prone to a local privilege-escalation vulnerability.

An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

17. Microsoft Windows Graphics Device Interface Font Rasterizer Local Privilege Escalation Vulnerability
BugTraq ID: 23276
Remote: No
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23276
Summary:
Microsoft Windows GDI Font Rasterizer is prone to a local privilege-escalation vulnerability.

An attacker can exploit this issue to gain complete control of an affected computer. Failed attempts will likely cause the operating system to crash, resulting in denial-of-service conditions.

18. Microsoft Windows GDI WMF Remote Denial of Service Vulnerability
BugTraq ID: 23275
Remote: Yes
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23275
Summary:
Microsoft Windows is prone to a remote denial-of-service vulnerability. This issue occurs because the application fails to handle malicious WMF files.

This issue may cause Microsoft Windows to crash, denying service to legitimate users.

19. Microsoft Windows Graphics Rendering Engine GDI Local Privilege Escalation Vulnerability
BugTraq ID: 23273
Remote: No
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23273
Summary:
Microsoft Windows Graphics Rendering Engine is prone to local privilege-escalation vulnerability.

Successful exploits may result in a complete compromise of affected computers.

20. Microsoft Windows Vista LLTD Mapper EMIT Packet Remote Denial Of Service Vulnerability
BugTraq ID: 23271
Remote: Yes
Date Published: 2007-04-03
Relevant URL: http://www.securityfocus.com/bid/23271
Summary:
Microsoft Windows Vista is prone to a remote denial-of-service vulnerability because the software fails to handle exceptional conditions.

An attacker can exploit this issue to cause a mapping failure, denying further service to legitimate users.

21. Microsoft Windows Vista Teredo Protocol Insecure Connection Weakness
BugTraq ID: 23267
Remote: No
Date Published: 2007-04-02
Relevant URL: http://www.securityfocus.com/bid/23267
Summary:
Microsoft Windows Vista is prone to a weakness that may result in a false sense of security.

Teredo protocol can become activated without user interaction, which is contradictory to the documentation.

As a result, an affected computer can become vulnerable to attacks that leverage latent Teredo protocol vulnerabilities.

22. Microsoft Windows Vista ARP table Entries Denial of Service Vulnerability
BugTraq ID: 23266
Remote: Yes
Date Published: 2007-04-02
Relevant URL: http://www.securityfocus.com/bid/23266
Summary:
Microsoft Windows Vista is prone to a denial-of-service vulnerability.

Remote attackers may exploit this issue by submitting malicious ARP requests to the vulnerable computer.
To exploit this issue the attacker must have access to the local network segment of a target computer.

A remote attacker can exploit this issue to cause the network interface to stop responding, denying further service to legitimate users.

23. Microsoft Windows Vista LLTD Responder Discovery Packet Spoofing Vulnerability
BugTraq ID: 23263
Remote: Yes
Date Published: 2007-04-02
Relevant URL: http://www.securityfocus.com/bid/23263
Summary:
Microsoft Windows Vista is prone to a vulnerability that permits an attacker to spoof arbitrary hosts through a network-based race condition.

An attacker can exploit this issue to impersonate another host on the network. This may lead to further attacks.

24. Ipswitch WS_FTP Long Site Command Buffer Overflow Vulnerability
BugTraq ID: 23260
Remote: No
Date Published: 2007-04-02
Relevant URL: http://www.securityfocus.com/bid/23260
Summary:
Ipswitch WS_FTP is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker may exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.

This issue affects version 5.05; other versions may also be affected.

25. RETIRED: Microsoft Windows SVCHost.EXE Remote Buffer Overflow Vulnerability
BugTraq ID: 23255
Remote: Yes
Date Published: 2007-04-02
Relevant URL: http://www.securityfocus.com/bid/23255
Summary:
Microsoft Windows is prone to a remote buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer.

A successful attack will result in denial-of-service conditions. Arbitrary code execution may also be possible, but this has not yet been confirmed.

NOTE: This BID is being retired because the reporter has admitted that the issue is a hoax.

26. ImageMagic Multiple Integer Overflow Vulnerabilities
BugTraq ID: 23252
Remote: Yes
Date Published: 2007-04-02
Relevant URL: http://www.securityfocus.com/bid/23252
Summary:
ImageMagic is prone to an integer-overflow vulnerability because it fails to properly validate user-supplied data.

An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.

27. FastStone Image Viewer Unspecified Buffer Overflow Vulnerability
BugTraq ID: 23196
Remote: Yes
Date Published: 2007-03-29
Relevant URL: http://www.securityfocus.com/bid/23196
Summary:
FastStone Image Viewer is prone to an unspecified buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will result in a denial of service.

Currently, few details are available regarding this issue. This BID will be updated as more information emerges.

This issue affects FastStone Image Viewer 2.8; other versions may also be affected.

28. Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
BugTraq ID: 23194
Remote: Yes
Date Published: 2007-03-29
Relevant URL: http://www.securityfocus.com/bid/23194
Summary:
Microsoft Windows is prone to a stack buffer-overflow vulnerability because of insufficient format validation that occurs when handling malformed ANI cursor or icon files.

An attacker can exploit this issue to execute arbitrary code with the privileges of an unsuspecting user. A successful attack can result in the compromise of affected user accounts and computers.

This issue affects Windows Vista, Windows XP SP2, and Windows Server 2003 SP1 when running Internet Explorer 6 and 7; other versions and client applications may also be affected.

Microsoft has recently disclosed that Outlook 2007 is not vulnerable, that Windows Mail on Vista is vulnerable in replying to or forwarding emails containing malicious ANI files, and that Outlook Express is vulnerable to this issue.

Third-party applications such as browsers that handle ANI files and call the ANI rendering functionality in GDI pose an attack vector for this vulnerability.

29. NaviCopa Web Server GET Request Buffer Overflow Vulnerability
BugTraq ID: 23179
Remote: Yes
Date Published: 2007-03-28
Relevant URL: http://www.securityfocus.com/bid/23179
Summary:
NaviCOPA Web Server is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code with the privileges of the application. Successful attacks will result in the compromise of the application. Failed attempts will likely cause denial-of-service conditions.

Version 2.01 is vulnerable; prior versions may also be affected.

30. Microsoft Internet Explorer HTML Denial of Service Vulnerability
BugTraq ID: 23178
Remote: Yes
Date Published: 2007-03-28
Relevant URL: http://www.securityfocus.com/bid/23178
Summary:
Microsoft Internet Explorer is prone to a denial-of-service vulnerability because the application fails to handle exceptional conditions.

This issue is triggered when an attacker entices a victim user to visit a malicious website.

Remote attackers may exploit this issue to crash Internet Explorer, effectively denying service to legitimate users.

This issue affects Internet Explorer version 7.

31. Corel WordPerfect Office PRS Stack Buffer Overflow Vulnerability
BugTraq ID: 23177
Remote: Yes
Date Published: 2007-03-28
Relevant URL: http://www.securityfocus.com/bid/23177
Summary:
Corel WordPerfect Office is prone to a stack-based buffer-overflow vulnerability because the software fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application. A successful attack can result in the compromise of the application. Failed attempts will likely result in denial-of-service conditions.

WordPerfect X3 version 13.0.0.565 is vulnerable to this issue; other versions may also be affected.

32. IBM Lotus Domino Web Access Email Message HTML Injection Vulnerability
BugTraq ID: 23173
Remote: Yes
Date Published: 2007-03-28
Relevant URL: http://www.securityfocus.com/bid/23173
Summary:
IBM Lotus Domino Web Access is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker could exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

33. SignKorea SKCommAX ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 23149
Remote: Yes
Date Published: 2007-03-26
Relevant URL: http://www.securityfocus.com/bid/23149
Summary:
SignKorea SKCommAX ActiveX control is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to insufficiently sized memory buffers.

Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of applications that employ the vulnerable controls (typically Microsoft Internet Explorer).

SignKorea SKCommAX ActiveX Control 7.2.0.2 and 6.6.0.1 are vulnerable to this issue; other versions may also be vulnerable.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Discovering Active Direcory users with blank passwords
http://www.securityfocus.com/archive/88/464483

2. SecurityFocus Microsoft Newsletter #335 (fwd)
http://www.securityfocus.com/archive/88/464201

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!"- SPI Dynamics White Paper
It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CkvN

No comments:

Blog Archive