Russ | 1 Nov 19:08 2004

Re: New URL spoofing bug in Microsoft Internet Explorer

Well, code that is improperly formed may well cause user agents to try and figure out for themselves what
they should do. Code that isn't permitted, however, should IMO be handled differently.

For example, an A Element implicitly denies the inclusion of a Button or Form Element, and a Button Element
explicitly denies the inclusion of an A Element.

The following examples all work, regardless of where you put your mouse. They all show microsoft.com in the
status bar, but when the text is clicked they all go to google.com. I contend they shouldn't. The fact that the
A Element is being allowed to function is what makes any/all of these potentially harmful. If stricter
interpretation rules applied to the A Element, a great deal of phishing might be avoided. Ken Grohs feels
this is all a moot point; he points out that you can do this by using onmouseover and onmouseout. I agree, but
he has to use script.

IMO, A Elements should be perfectly formed or not work as links, display in the status bar, or render as links
do (e.g. visited link color, etc...)

Credit to http-equiv for making the button disappear.

<form action="http://www.google.com" method="get">
<a href="http://www.microsoft.com/">
<button title="http://www.microsoft.com" type=submit style="BORDER: 0pt; CURSOR: hand; COLOR:
blue; BACKGROUND-COLOR: transparent; ">
http://www.microsoft.com
</button>
</a>
</form>

<form action="http://www.google.com" method="get">
<a href="http://www.microsoft.com/">
<button title="http://www.microsoft.com" type=submit style="BORDER: 0pt; CURSOR: hand; COLOR:
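
A defender-side check for the nesting described in this message, as an added example that is not part of the original post: it parses HTML (for instance at a mail or web content filter) and reports submit controls that sit inside both an A element and a FORM whose action host differs from the anchor's href host. The class and function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class NestedLinkAuditor(HTMLParser):
    """Flags submit controls nested in an <a> whose host differs from the form's."""
    def __init__(self):
        super().__init__()
        self.forms = []     # stack of open <form> action URLs
        self.anchors = []   # stack of open <a> href values ("" when absent)
        self.findings = []  # (line, host shown by the link, host the form submits to)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "a":
            self.anchors.append(a.get("href") or "")
        elif tag in ("button", "input") and self.forms and self.anchors:
            # Per the HTML spec <button> defaults to submit; <input> defaults to text.
            kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
            if kind in ("submit", "image"):
                shown = urlparse(self.anchors[-1]).hostname
                actual = urlparse(self.forms[-1]).hostname
                # Relative URLs have no hostname and are skipped (base URL unknown here).
                if shown and actual and shown != actual:
                    self.findings.append((self.getpos()[0], shown, actual))

    def handle_endtag(self, tag):
        if tag == "form" and self.forms:
            self.forms.pop()
        elif tag == "a" and self.anchors:
            self.anchors.pop()

def audit(html):
    parser = NestedLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: first form mirrors the nesting in the post, the rest is benign.
SAMPLE = """
<form action="http://actual.example/search" method="get">
<a href="http://shown.example/">
<button type=submit style="border:0">http://shown.example</button>
</a>
</form>
<form action="http://shop.example/cart"><a href="http://shop.example/help"><button>Help</button></a></form>
<a href="http://shown.example/">plain link</a>
"""

if __name__ == "__main__":
    for line, shown, actual in audit(SAMPLE):
        print(f"line {line}: link shows {shown}, click submits to {actual}")
```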

http-equiv@excite.com | 1 Nov 03:56 2004

p h i s h i n g p h o r p h u n p h o r p h u q u e s a k e


"bitlance winter's" magic dns is still yielding some interesting 
possibilities, some aspects were capped but still not enough:

[see: http://www.securityfocus.com/bid/10554 ]

http://www.malware.com/malwaresoft.html

--

-- 
http://www.malware.com

Mark Adler | 1 Nov 22:43 2004

zlib 1.2.2 released

Security guardians,

zlib 1.2.2 has been released, which remedies a vulnerability to a 
denial-of-service attack ( ).  You can get the latest release here:

     http://www.zlib.net/

Note that the "canonical" zlib site at http://www.zlib.org/ has yet to 
be updated by the owner, Jean-loup Gailly, and still shows zlib 1.2.1.  
You should go to the above site for the latest release.  My gpg 
signature on the zlib-1.2.2.tar.gz is attached below.

Mark Adler


Mark Adler | 2 Nov 05:32 2004

zlib 1.2.2 released

(List moderators -- in the previous version of this email I sent you, I 
forgot to include a link to the vulnerability, corrected below.)

Security guardians,

zlib 1.2.2 has been released, which remedies a vulnerability to a 
denial-of-service attack ( http://www.kb.cert.org/vuls/id/238678 ).  
You can get the latest release here:

     http://www.zlib.net/

Note that the "canonical" zlib site at http://www.zlib.org/ has yet to 
be updated by the owner, Jean-loup Gailly, and still shows zlib 1.2.1.  
You should go to the above site for the latest release.  My gpg 
signature on the zlib-1.2.2.tar.gz is attached below.

Mark Adler


offtopic | 5 Nov 07:34 2004

Re: Cross-Site-Scripting Vulnerability in Microsoft.com

Hmmm. Another one:

https://mocl.one.microsoft.com/cwdl/CW_Auth.asp?PartnerAction=pick&strErrorString=<script>alert()</script>

Vulnerability reported to the MS in September.
Published under RFPolicy. 

(c)oded by offtopic <at> mail.ru

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Turker Ugur Sokullu | 5 Nov 21:28 2004

Microsoft Security Bulletin Advance Notification

Starting this month, Microsoft is publishing a Security Bulletin Advance
Notification in Technet Security web site:

http://www.microsoft.com/technet/security/bulletin/advance.mspx

Turker Sokullu

--
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is
going to result in the message coming to the list, not to the individual who sent the message. This was done
to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to
the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--

Scott Lockington | 1 Nov 21:55 2004

Desktop.ini file ignored by Windows Encryption...

Hello All, 

In working with Windows EFS (i.e. 2000 sp4 and XP sp2), any file named
"desktop.ini" is ignored when encrypting the containing directory with EFS.
The contents of this file are not verified to be that of a valid desktop.ini
file, instead it can contain anything. Any file dropped named desktop.ini
could avoid requiring decryption at a later date. Abuses of such an exclusion
are left as an exercise for the reader.

Thank you

J. Scott Lockington
Security Administrator
slockington <at> vical.com


Russ Cooper | 9 Nov 18:53 2004

Alert: Microsoft Security Bulletin MS04-039 - Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)

Microsoft Security Bulletin MS04-039:
Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)

Bulletin URL:
<http://www.microsoft.com/technet/security/bulletin/MS04-039.mspx>

Version Number: 1.0
Issued Date: Tuesday, November 09, 2004
Impact of Vulnerability: Spoofing
Maximum Severity Rating: Important
Patch(es) Replaced: None
Caveats: None

Tested Software:
Affected Software:
------------------
* Microsoft Proxy Server 2.0 Service Pack 1
<http://tinyurl.com/65vb5>
* Microsoft Internet Security and Acceleration Server 2000 Service Pack 1 and Microsoft Internet
Security and Acceleration Server 2000 Service Pack 2
<http://tinyurl.com/59pf4>

Note: The following software programs include Microsoft Internet Security and Acceleration Server 2000
(ISA Server 2000). Customers using these software programs should install the provided ISA Server 2000
security update.
- Microsoft Small Business Server 2000
- Microsoft Small Business Server 2003 Premium Edition

Technical Description:
----------------------
* Spoofing Vulnerability - CAN-2004-0892: This is a spoofing vulnerability that exists in the affected
products and that could enable an attacker to spoof trusted Internet content. Users could believe they

Marc Maiffret | 9 Nov 19:38 2004

EEYE: Kerio Personal Firewall Multiple IP Options Denial of Service

Kerio Personal Firewall Multiple IP Options Denial of Service

Release Date:
November 9, 2004

Date Reported:
October 30, 2004

Severity:
High (Remote Denial of Service)

Vendor:
Kerio

Systems Affected:
Kerio Personal Firewall 4.1.1 and prior

Overview:
eEye Digital Security has discovered a severe denial of service
vulnerability in the Kerio Personal Firewall product for Windows. The
vulnerability allows a remote attacker to reliably render a system
inoperative with one single packet. Physical access is required in order
to bring an affected system out of this "frozen" state. This specific
flaw exists within the component that performs low level processing of
TCP, UDP, and ICMP packets. 

Technical Details:
The vulnerability exists in FWDRV.SYS when trying to parse through the
IP Options in a TCP, UDP, or ICMP packet. When an attacker supplies a
single TCP, UDP, or ICMP packet with an IP Option followed by a length

Jeffrey Thomas | 9 Nov 16:28 2004

New MyDoom variants exploiting unpatched IFRAME exploit

Symantec writeups here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai <at> mm.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ah <at> mm.html

Maybe a patch today from Redmond?  This could become a mess fast.  Many of the AV folks are playing catchup on
signature updates to detect these.

JT
