rkeith | 2 May 15:25 2007

SecurityFocus Microsoft Newsletter #340


SecurityFocus Microsoft Newsletter #340
----------------------------------------

This Issue is Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of sensitive data - including
personal, medical and financial information - are exchanged, and stored. This paper examines a few
vulnerability detection methods - specifically comparing and contrasting manual penetration testing
with automated scanning tools. Download Watchfire's "Web Application Security: Automated Scanning or
Manual Penetration Testing?" whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008uPd

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our
community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I.   FRONT AND CENTER
        1. Time for a new certification
        2. 0wning Vista from the boot
II.  MICROSOFT VULNERABILITY SUMMARY
        1. ZoneAlarm VSdatant Driver Denial of Service Vulnerability
        2. VMware Multiple Denial Of Service Vulnerabilities
        3. Cerulean Studios Trillian Multiple IRC Module UTF-8 Vulnerabilities
        4. Winamp MP4 File Parsing Buffer Overflow Vulnerability
        5. IncrediMail IMMenuShellExt ActiveX Control Remote Buffer Overflow Vulnerability
        6. Multiple Web Browsers Digest Authentication HTTP Response Splitting Vulnerability
(Continue reading)

rkeith | 10 May 15:24 2007

SecurityFocus Microsoft Newsletter #341


SecurityFocus Microsoft Newsletter #341
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT: Ajax Security Dangers- How Hackers are attacking Ajax Web Apps
While Ajax can greatly improve the usability of a Web application, it can also create several
opportunities for possible attack if the application is not designed with security in mind. Download
this SPI Dynamics white paper.

https://download.spidynamics.com/1/ad/AJAX.asp?Campaign_ID=70160000000CoNe

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our
community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I.   FRONT AND CENTER
        1. Time for a new certification
        2. 0wning Vista from the boot
II.  MICROSOFT VULNERABILITY SUMMARY
        1. Microsoft Windows Terminal Services Remote Security Restriction Bypass Vulnerability
        2. IBM DB2 Universal Database JDBC Applet Server Unspecified Code Execution Vulnerability
        3. Microsoft Word RTF Parsing Remote Code Execution Vulnerability
        4. Microsoft SharePoint Server Cross-Site Scripting Vulnerability
        5. Microsoft Windows Media Server MDSAuth.DLL ActiveX Control Remote Code Execution Vulnerability
        6. Microsoft Office Malformed Drawing Object Remote Code Execution Vulnerability
        7. Office OCX OA.OCX Office Viewer ActiveX Denial of Service Vulnerabilities
(Continue reading)

rkeith | 16 May 17:01 2007

SecurityFocus Microsoft Newsletter #342


SecurityFocus Microsoft Newsletter #342
----------------------------------------

This Issue is Sponsored by: VeriSign

Increase customer confidence at transaction time with the latest breakthrough in online security -
Extended Validation SSL from VeriSign.
Extended Validation triggers a green address bar in Microsoft IE7, which proves site identity.
Learn more at:

http://clk.atdmt.com/SFI/go/srv0890000048sfi/direct/01/

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our
community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I.   FRONT AND CENTER
        1. Time for a new certification
        2. 0wning Vista from the boot
II.  MICROSOFT VULNERABILITY SUMMARY
        1. BitsCast PubDate Element Remote Denial Of Service Vulnerability
        2. Media Player Classic .MPA Div-By-Zero Denial of Service Vulnerability
        3. DeWizardX ActiveX Control Arbitrary File Overwrite Vulnerability
        4. Caucho Resin Multiple Information Disclosure Vulnerabilities
        5. PrecisionID Barcode PrecisionID_DataMatrix.DLL ActiveX Control Denial of Service Vulnerability
        6. ID Automation Linear Barcode IDAutomationLinear6.DLL ActiveX Control Denial of Service Vulnerability
        7. CommuniGate Pro Web Mail HTML Injection Vulnerability
(Continue reading)

James D. Stallard | 22 May 23:10 2007

Compromising the Windows Service or Driver failure event sink

Hey all

Back in December 2006 Harlan C, Thor HoG and I had an interesting
conversation about the possible use of a buffer overflow attack against the
explorer process that scans a new drive and processes the content of AutoRun
and .ICO files. I said at the time that I don't have the skills necessary to
write the exploit code, but I was pretty sure someone would.

For those interested, the subject line was "RE: U3 TEchnology was RE:
strange new virus"; for reasons that will become apparent to the reader :)

Sure enough, at the end of March 2007, someone thinking along the same lines
worked out "Microsoft Windows Cursor And Icon ANI Format Handling Remote
Code Execution Vulnerability", BugTraq ID: 23194. I'm hoping that the same
will happen again here...

If a Windows service or driver set to start at boot (i.e. "Automatic") fails
to start for whatever reason, a message is displayed at the console. The
message also appears on top of the logon prompt, and is therefore running in
the system context. The "service or driver failed to start" message is a
generic event sink for a variety of failures (including, oddly enough "file
not found").

It occurs to me that this event sink could probably be compromised, such
that it would drop your exploit code out to executable RAM, and in the
system context. System context under Windows 2003 is even more dangerous
than it was under NT/2000, as under certain circumstances it allows access
to the Active Directory Domain as well.

Thoughts?
(Continue reading)

James D. Stallard | 24 May 07:58 2007

RE: Compromising the Windows Service or Driver failure event sink

Harlan, et al

Indeed, it requires some access to the machine to start with, but I don't
think you'd need too much in the way of initial rights.

I compare it with the other well known way of compromising the logon prompt,
the "rename CMD.EXE for LOGON.SCR and wait around for 10 minutes for a LOCAL
SYSTEM context command line to appear". It struck me that since WFP arrived,
it might be easier to cause a service/driver to fail in any one of a variety
of ways and hit the event sink instead.

This isn't one of those "media darling" type attacks where some spotty oik
can own you in 4 seconds from his remote location, this is more your
escalation of rights by an in-house script kiddie or downloaded trojan - aka
"boring, but important".

If this was done by an automated trojan, then it could hide the MSGINA and
display its own logon prompt then pop up a "wrong password" message, exit
and display the real MSGINA while storing your username, password and domain
for later use or transmission. You think you typed your password in wrong
and are none the wiser.

Another good reason for looking at the event sink as a weak point is that
the sink has been around since the early days of NT, and as a non-primary
bit of code is less likely to have gone through the 2002 Trustworthy
Computing Initiative that delayed Windows 2003 by 6 months - and more likely
to be insecure.

Cheers

(Continue reading)

rkeith | 24 May 21:00 2007

SecurityFocus Microsoft Newsletter #343


SecurityFocus Microsoft Newsletter #343
----------------------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Cross-Site Scripting Attack"- White Paper
Cross-site scripting vulnerabilities in web apps allow hackers to compromise confidential
information, steal cookies and create requests that can be mistaken for those of a valid user!! Download
this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/xss.asp?Campaign_ID=70160000000CqBQ

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our
community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I.   FRONT AND CENTER
        1. Your Space, My Space, Everybody's Space
II.  MICROSOFT VULNERABILITY SUMMARY
        1. Microsoft VDT Database Designer VDT70.DLL ActiveX Control Denial Of Service Vulnerability
        2. Microsoft Office 2000 UA OUACTRL.OCX ActiveX Control Buffer Overflow Vulnerability
        3. EScan Agent Service MWAGENT.EXE Remote Buffer Overflow Vulnerability
        4. Microsoft Internet Information Server Hit Highlighting Authentication Bypass Vulnerability
        5. Dart ZipLite Compression DartZipLite.DLL ActiveX Control Buffer Overflow Vulnerability
        6. NOD32 Multiple Buffer Overflow Vulnerabilities
        7. GD Graphics Library PNG File Processing Denial of Service Vulnerability
        8. Opera Web Browser Torrent File Handling Buffer Overflow Vulnerability
(Continue reading)

Mario D | 29 May 04:05 2007

Reconstruction of MS terminal services sessions

All,

Let's say I have a full capture (both sides) of a
terminal services session and breaking the encryption
is not an issue.  Is there a tool out there that can
reconstruct and allow "play back" of the session?

Thanks,
phunt


Ali, Saqib | 29 May 16:09 2007

Re: Reconstruction of MS terminal services sessions

depends on what you mean by play back? See:
http://www.colasoft.com/products/

saqib
http://www.full-disk-encryption.net

On 5/28/07, Mario D <phisher_hunter <at> yahoo.com> wrote:
> All,
>
> Let's say I have a full capture (both sides) of a
> terminal services session and breaking the encryption
> is not an issue.  Is there a tool out there that can
> reconstruct and allow "play back" of the session?
>
> Thanks,
> phunt

-- 
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
(Continue reading)

rkeith | 31 May 17:04 2007

SecurityFocus Microsoft Newsletter #344


SecurityFocus Microsoft Newsletter #344
----------------------------------------

This Issue is Sponsored by: ByteCrusher

"Please come in and trash the place - I'll be back in 8 hours"
Fact: It can take up to 8 hours for anti-virus companies to fix a new security hole. WindowZones by
ByteCrusher protects your computer in that critical 8 hour period when your Anti-Virus is "out to lunch".
Learn More.

http://landing.bytecrusher.com/windowzones/sflanding1.aspx?Referrer=sf-A21sfMicro-wz1&cm_mmc=Security%20Focus-_-USA-_-Newsletter-_-Newsletter%3A%20Other%3A%20A21%3A%20sfMicro%3A%20wz1

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our
community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I.   FRONT AND CENTER
        1. Security Analogies
        2. Your Space, My Space, Everybody's Space
II.  MICROSOFT VULNERABILITY SUMMARY
        1. Avira Antivir Tar Archive Handling Remote Denial Of Service Vulnerability
        2. F-Secure Multiple Products Real-time Scanning Component Local Privilege Escalation Vulnerability
        3. F-Secure Anti-Virus LHA Processing Buffer Overflow Vulnerability
        4. EDraw Office Viewer Component ActiveX Control Arbitrary File Delete Vulnerability
        5. EDraw Office Viewer Component EDrawOfficeViewer.OCX ActiveX Control Buffer Overflow Vulnerability
        6. Zenturi ProgramChecker SASATL.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities
        7. Microsoft DirectX Media DXTMSFT.DLL ActiveX Control Denial of Service Vulnerability
(Continue reading)
