Grimes, Roger | 1 Aug 2002 01:14

Re: IE ActiveX Protection

On a related side note, one of the annoying ActiveX security problems is
that although ActiveX controls often exist outside of IE (download and
run Microsoft's OLE Viewer to see the true scope of controls on your
PC), most ActiveX security options are controlled by IE and IE-related
settings (configured in IEAK, registry settings, GPOs, etc.).

For example, if I set the "kill bit" on the Adobe Acrobat Reader control
(i.e. HKLM\Software\Microsoft\Internet Explorer\ActiveX
Compatibility\{CLASSID}\Compatibility Flag=400) so that it should not
launch, the kill bit only applies to PDF files executed
directly/remotely through the browser.  If you click on a locally stored
PDF file, Acrobat Reader will open up fine.  This used to not be a
problem, but so many exploits now routinely cross IE's Internet/local
security zone barrier that it is a problem.

All of this is to say that I can still launch many restricted controls
even if you restrict them in IE...and even launch them inside of IE.
I'm not sure how my message specifically applies to this particular
situation, but I'm fairly positive it has a direct bearing on where the
security is being set.  Like most security solutions, don't assume
blocking/restricting always works.  It doesn't, and it should be part
of a multi-level defense plan...with the security administrator knowing
that they haven't blocked everything.

Roger A. Grimes

************************************************************************
*Roger A. Grimes, VP of IT for GK/PHR Holding Company
*Gold Key Resorts and Professional Hospitality Resources
*email:  rogerg <at> goldkeyresorts.com
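An added audit script, not part of Grimes's post, that makes his point checkable on a machine: it lists every CLSID IE has been told to kill-bit (the "Compatibility Flags" DWORD with bit 0x400 set under the key quoted above) and reports whether the COM server behind it is still registered under HKCR\CLSID, i.e. still loadable by hosts that never consult the kill bit. It assumes the standard 32-bit kill-bit key location and does not handle the Wow6432Node copy on 64-bit Windows.

```powershell
# Added example (not from the original post): which kill-bitted ActiveX
# controls are still creatable outside of IE?
# Assumptions: standard kill-bit key under HKLM; DWORD "Compatibility Flags",
# bit 0x400 = kill bit. The Wow6432Node copy on 64-bit Windows is not read.
function Get-KillBitExposure {
    $killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $KILL_BIT    = 0x400

    Get-ChildItem -Path $killBitRoot -ErrorAction Stop | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $flags = [int]$props.'Compatibility Flags'
        if (($flags -band $KILL_BIT) -eq 0) { return }   # not kill-bitted

        # The kill bit only stops IE from instantiating the control. If the
        # server is still registered under HKCR\CLSID, any COM host that does
        # not consult the kill bit (Explorer, scripts, other applications)
        # can still load it.
        $server = $null
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\$sub"
            if (Test-Path -Path $key) {
                $server = (Get-ItemProperty -Path $key).'(default)'
                break
            }
        }

        [pscustomobject]@{
            CLSID          = $clsid
            KillBitSet     = $true
            ServerPath     = $server
            StillCreatable = [bool]$server   # $true: blocked in IE only
        }
    }
}

# Usage: show only the controls that are kill-bitted yet still registered.
Get-KillBitExposure | Where-Object StillCreatable | Format-Table -AutoSize
```

Read the ServerPath column against the unregistered/removed state you actually want; an entry that is kill-bitted but still registered is exactly the "restricted in IE, launchable elsewhere" case described above.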

Andrew Wilson | 1 Aug 2002 05:17

List of fixes - Win2000 sp3

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320853

Grzegorz Tworek | 1 Aug 2002 10:00

Bug fixed in SP3

Some months ago I informed MS about a bug in Windows NT and Windows 2000.
They promised me to correct this bug in SP3, and they did.

The bug is not very dangerous because it needs admin rights.
An error in buffer size while sending on a socket causes a BSOD immediately.

If you want to review the CPP sources (1KB) or download the compiled version (40KB),
you can visit http://gt-apps.w.interia.pl/bsod.htm

Note that NT 4.0 is still vulnerable. MS promised me an appropriate patch, but
they never sent it.

Regards,
Grzegorz Tworek
- - - - - - - - - - - - - - - - - - - - - -
Orion Instruments Polska
System Engineer, MCP, MCP+I, MCSE
http://www.orion.pl

Steve | 2 Aug 2002 02:35

VulnWatch.Org Release

Las Vegas, August 1, 2002 - At the Black Hat and Defcon security
conferences, security community volunteers announce two important new
services for the security community and a new partnership for
community-based security information sources.
The first is the VulnDiscuss mailing list, a new full disclosure forum
that complements the existing VulnWatch announcement list. VulnDiscuss is
meant to foster the discussion of security issues and vulnerabilities by
providing a forum for recent security announcements to be discussed.
VulnDiscuss will be under moderator control to keep it topical, and access
is open to anyone who wishes to participate or observe.

The second is the Open Source Vulnerability Database (OSVDB), a
database built and maintained for the community, by the community. The
goal of the Open Source Vulnerability Database is to provide accurate,
technical, up-to-date, unbiased, and reliable vulnerability information to
the community for free.

The redundant time, effort and money that individual people and companies
put into maintaining proprietary databases will be cut by exorbitant
amounts by participating in a community that is working toward a common
goal. The database will have no commercial licensing restrictions,
allowing corporations, businesses, and individuals alike to use this
information in any way they wish without having to pay a dime.

The OSVDB project will be debuting with thousands of vulnerability entries
provided by databases donated by Digital Defense, Inc., and SensePost.
This will provide a strong base to start from, allowing OSVDB to
immediately track new vulnerabilities and provide quality data from the
start. The continued help of Farm9, NMRC, Neohapsis, Packetstorm,
VulnWatch, and many other industry experts is invaluable to this project.

Microsoft SQL Server 2000,7 OpenRowSet Buffer Overflow vulnerability (#NISR02072002)

NGSSoftware Insight Security Research Advisory

Name: OpenRowSet Buffer Overflows
Systems: Microsoft SQL Server 2000 and 7, all Service Packs
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david <at> ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-ors.txt
Date: 2nd July 2002
Advisory number: #NISR02072002
VNA reference : http://www.ngssoftware.com/vna/ms-sql.txt

This advisory covers the solution to one of the problems mentioned in the
above VNA URL.

Description
***********
Microsoft's database servers SQL Server 2000 and 7 have a remotely
exploitable buffer overrun vulnerability in the OpenRowSet function.
OpenRowSet allows users to run ad hoc queries on the server.

Details
*******
By passing overly long parameters to certain Providers using the OpenRowSet
function, an attacker can overwrite program control data, such as saved
return addresses on the stack. This allows an attacker to gain control over
the SQL Server process and run arbitrary code. Any code provided by an
attacker will execute in the security context of the account used to run SQL
Server. Often this is the powerful local SYSTEM account and in this case an

qwerty qwerty | 3 Aug 2002 15:05

Free Hackers Manifest

|=-----------------------------=[ Judgment Day ]=-----------------------------=|
|=----------------------------------------------------------------------------=|
|=-------------------------=[ Free Hackers Manifest ]=------------------------=|

               Free Hackers versus "Ethical-Corporate-Hackers"

In respect with the spirit of the manifest, the Authors will remain forever
anonymous. The manifest is offered to the community under the Free
Documentation License (FDL) [http://www.gnu.org/copyleft/fdl.html].

--[ Contents

 0 - Facts

 1 - Accused, to whom the crime profits

   1.1 - Software Vendors
   1.2 - Security Service Firms
   1.3 - Fallacious "hackers"

 2 - Defendants, the rights at stake

   2.1 - User Land, hear my cry
   2.2 - Hacker Space, free as in freedom

 3 - Indictment

 4 - Verdict

 5 - Reference

Tiina Havana | 5 Aug 2002 16:53

Software vulnerability reporting survey

Dear NTBugtraqers,

The software vulnerability reporting process is a topic that is vividly
debated. Now you have an opportunity to share your experiences and express
your worries on the issue anonymously - by taking part in the OUSPG
research on vulnerability reporting. I am doing a survey that is targeted
at vendors who receive bug reports, at coordinators of the reporting
process (e.g. mailing list moderators and national CERTs), and at reporters
of software vulnerabilities. So, if you do any of these, you are the right
person to answer. Even if someone from your organization has already
answered or is going to answer this survey, I would still appreciate
getting to know your personal opinions as well.

More information and the links to the questionnaires can be found at:
https://www.ee.oulu.fi/research/ouspg/reporting/q-form/

All answers are anonymous.

The results of the survey will be published on the OUSPG's WWW-pages by the
end of this year.

I cannot do this without your help! ;)

/Tiina Havana - OUSPG

PS: We maintain a link list about discussions on vulnerability reporting:
http://www.ee.oulu.fi/research/ouspg/sage/disclosure-tracking/

3APA3A | 5 Aug 2002 17:52

SECURITY.NNOV: Windows 2000 system partition weak default permissions

Title:                  Windows 2000 system partition weak default
                        permissions
Affected:               Windows 2000
Vendor:                 Microsoft
Author:                 ZARAZA <3APA3A <at> security.nnov.ru>
Date:                   August, 03 2002
Risk:                   High
Exploitable:            Yes
Remote:                 No
Vendor notified:        May, 17, 2002
SECURITY.NNOV URL:      http://www.security.nnov.ru
Advanced info:          http://www.security.nnov.ru/search/news.asp?binid=2205

I. Introduction:

To protect system files located in the root of the system partition
(boot.ini, ntdetect.com, ntldr, autoexec.bat etc.) Windows 2000 applies
a security template with NTFS permissions to only allow administrators and
advanced users to access these files.

II. Vulnerability:

The system partition itself has Everyone/Full Control access permission.
Microsoft (and NIST draft) documents also recommend Everyone/Full
Control or Authenticated Users/Full Control permissions.

III. Details:

For POSIX compatibility, a user with Full Control NTFS permission for a
folder may delete any file from this folder regardless of file

DONALD.MULLER | 6 Aug 2002 04:54

VMware GSX Server 2.0.1 Release and Security Alert

VMware has released a patch for buffer overflow conditions and other bug
fixes and improvements for their GSX Server version 2.0.0.

Dear VMware GSX Server Customer,

VMware has released VMware GSX Server 2.0.1 build 2129 for both
Windows and Linux platforms.  This release incorporates critical
security fixes.  We strongly urge all users of GSX Server 2.0 to
download and install the 2.0.1 update.

What is new in VMware GSX Server 2.0.1?
---------------------------------------

VMware GSX Server 2.0.1 includes:

 - A fix for the VMware Authorization Server buffer overflow
   vulnerability published to the BugTraq mailing list on July 24,
   2002 (see http://online.securityfocus.com/archive/1/284020).
   This vulnerability exists only in GSX Server 2.0.0 (for Windows)
   build 2050.  The vmware-authd.exe patch posted to our Web site on
   July 25, 2002 is incorporated into this release.
 - An updated version of OpenSSL with fixes for the buffer
   overflow vulnerabilities reported in CERT Advisory CA-2002-23
   (http://www.cert.org/advisories/CA-2002-23.html).  This
   vulnerability exists in the Windows and Linux versions of GSX
   Server 2.0.0 build 2050.
 - Improved VMware Scripting API sample scripts in the VmCOM and
   VmPerl API packages.
 - Corrections for issues with the vmware-cmd utility.
 - Fixes for a VMware Remote Console memory leak on exit that could

Askgaard, Kim | 6 Aug 2002 10:07

Re: SECURITY.NNOV: Windows 2000 system partition weak default permissions

Re: System partition itself has Everyone/Full Control access permission.

This may be true if the Windows installation is upgraded from a previous
operating system like WinNT. If the system disks on Windows systems are
re-formatted during Windows 2000 setup (i.e. clean-installed
workstations and servers) NTFS permissions will be hardened for the
system partition.

- Kim
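Because the two posts above disagree on whether the system partition root carries Everyone/Full Control (upgraded versus clean-installed systems), an added audit script, written for this page and not taken from either post, reports which broad identities hold delete or create rights on the drive root. It assumes the system partition is $env:SystemDrive (normally C:\) and changes nothing.

```powershell
# Added example (not from the original posts): report broad delete/create
# rights on the root of the system partition.
# Assumption: the system partition is $env:SystemDrive. Read-only audit.
function Get-SystemRootBroadAccess {
    param([string]$Path = "$env:SystemDrive\")

    # Identities that cover every (or nearly every) local user.
    $broadIdentities = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    # Rights that let such a user add or remove files at the root. FullControl
    # and Modify include all of these, so those ACEs are flagged as well.
    $fsr   = [System.Security.AccessControl.FileSystemRights]
    $risky = ($fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
              $fsr::CreateFiles -bor $fsr::CreateDirectories)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $risky) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

$findings = @(Get-SystemRootBroadAccess)
if ($findings.Count -eq 0) {
    "No broad delete/create rights found on $env:SystemDrive\"
} else {
    $findings | Format-Table -AutoSize
}
```

ACEs whose Rights column prints as a raw number carry generic rights (GENERIC_ALL and friends) rather than named file-system rights and should be reviewed by hand.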
