Our Security Alert Page 2001
Here you will find recent security alerts indexed by date. For specific alerts on operating systems choose a button from above. For recent security alerts & risks scroll down...

July 18, 2001
Denial of Service Condition in IBM DB2 Universal Database Server

July 18, 2001
Denial of Service in Cisco IOS PPTP

July 18, 2001
Unsafe functionality exposure in MS Outlook

July 14, 2001
Multiple Vulnerabilities in Cisco 5420 Storage Router

July 14, 2001
McAfee ASaP Directory Traversal

July 6, 2001
Backdoor in R.I. Soft Systems 4th of July Screensaver
A back door exists in the 4th of July Fireworks demo screensaver from Rhode Island Soft Systems. By pressing the space bar on the keyboard, it's possible to circumvent the screensaver's lock workstation function. A malicious user can make the default Web browser appear with the Rhode Island Soft Systems Web site by using the security context of the currently logged-on user. From there, the attacker can run explorer.exe in the browser's address window to get the desktop and to run any other program under this context. A malicious user can also exploit this vulnerability remotely through Windows 2000 Terminal Services Advanced Client (formerly known as Terminal Services Web Client).
Affected Software:
- Rhode Island Soft Systems' 4th of July Fireworks demo screensaver for Windows 2000, Windows NT, and Windows 9x
Rhode Island Soft Systems was notified about this vulnerability, but doesn't intend to release a fix for this issue. To work around this problem, a user can uninstall the demo screensaver software.

July 6, 2001
SMTP Vulnerability in Windows 2000
A vulnerability exists in the default SMTP server that is installed with these four versions of Win2K. An attacker can use a vulnerability in the SMTP authentication process to successfully authenticate to the SMTP service using incorrect credentials. An attacker exploiting this vulnerability can gain user-level privileges on the SMTP service and use the service to perform SMTP mail relaying. This vulnerability affects only standalone machines, not DCs or Microsoft Exchange mail servers running Win2K.
Affected Software:
Microsoft has released security bulletin MS01-037 for this vulnerability, and recommends that Win2K users immediately apply the patch mentioned in the bulletin. Patches for Win2K Datacenter are hardware specific, and are available only through the original equipment manufacturer.

July 5, 2001
Backdoor in Rhode Island Soft Systems Living Waterfalls Screensaver
A back door exists in the Living Waterfalls demo screensaver from Rhode Island (RI) Soft Systems. By pressing the space bar on the keyboard, it's possible to circumvent the screensaver's lock workstation function. A malicious user can make the default Web browser appear with the RI Soft Systems Web site by using the security context of the currently logged-on user. From there, the attacker can run explorer.exe in the browser's address window to get the desktop and to run any other program under this context. A malicious user can also exploit this vulnerability remotely through Windows 2000 Terminal Services Advanced Client (formerly known as Terminal Services Web Client).
Affected Software:
- Rhode Island Soft Systems' Living Waterfalls demo screensaver for Windows 2000, Windows NT, and Windows 9x
Rhode Island Soft Systems was notified and doesn't intend to release a fix for this issue. To work around this vulnerability, a user can uninstall the screensaver software.

June 27, 2001
Windows 2000 LDAP over SSL Password Change Vulnerability
A vulnerability exists involving a Lightweight Directory Access Protocol (LDAP) function that is available only if the LDAP server has been configured to support LDAP over Secure Sockets Layer (SSL) sessions. The purpose of this function is to let users change the data attributes of directory principals. By design, the function should check the user's authorizations before completing the request. However, the function contains an error that manifests itself only when the directory principal is a domain user and the data attribute is the domain password. In this case, the function fails to check the requester's permissions, resulting in the possibility that a malicious user can change any other user's domain logon password. By design, any user who can connect to the LDAP server can also call the affected function, including users who connect through anonymous sessions. As a result, any user who can establish a connection with an affected server can exploit the vulnerability.
Affected Software:
Microsoft has released security bulletin MS01-036 for this vulnerability, and the company recommends that Win2K Server and Win2K AS users immediately apply the patch mentioned in the bulletin. Patches for Win2K Datacenter are hardware specific, and are available only through the original equipment manufacturer.

June 22, 2001
Malformed Word Document May Enable Macro to Run Automatically
A vulnerability exists in Microsoft Word that lets an attacker modify a Word document in a way that prevents the security scanner from recognizing an embedded macro while still letting the macro execute. This vulnerability lets an attacker run a macro automatically when a user opens the document. Such a macro can take any action that the user can take, including disabling the user's Word security settings so that the user can no longer check subsequently opened Word documents for macros.
Affected Software:
- Microsoft Word 2002
- Microsoft Word 2000
- Microsoft Word 97
- Microsoft Word 98 (J)
- Microsoft Word 2001 for Macintosh
- Microsoft Word 98 for Macintosh
Microsoft has acknowledged this vulnerability and recommends that users immediately apply the applicable patch contained in Security Bulletin MS01-034.

June 22, 2001
Microsoft Visual Studio RAD Support in FrontPage Server Extensions
A buffer overflow condition exists in the optional sub-component of the FrontPage Server Extensions called Visual Studio RAD (Remote Application Deployment) Support. This sub-component contains an unchecked buffer in a section that processes input information. An attacker can exploit this vulnerability by sending a specially malformed packet to this component and can execute code under the IUSR_machinename security context. Under the right circumstances, the attacker can also run the code under the system's security context, letting the attacker take any desired action on the server, including assuming full control of the server. This optional component of the FrontPage Server Extensions is not part of the default installation.
Microsoft has released security bulletin MS01-035 for this vulnerability and recommends that users of this optional component immediately apply the patch mentioned in the bulletin.

June 20, 2001
NSA RELEASES WIN2K SECURITY RECOMMENDATION GUIDELINES
The US National Security Agency (NSA) has released a set of guidelines and templates to help you secure Windows 2000 systems. The materials contain 5 templates to use with Microsoft's Security Configuration Editor, 17 guides to secure various aspects of the OS, and 3 supporting documents with in-depth defense coverage and details about various popular software packages.
Regarding the security of other OSs, the NSA announced in January 2001 that it had begun developing a more secure version of Linux that it calls Security-Enhanced Linux. NSA has made the prototype and source code available to the public at the NSA/CSS INFOSEC Web site.

June 20, 2001
IIS BUFFER OVERFLOW CONDITION IN INDEX SERVER COMPONENT
eEye Digital Security has discovered that a vulnerability in Microsoft Index Server can let an attacker execute code under the system security context and take any action on the server, including assuming full control of the server. This vulnerability stems from an unchecked buffer in the Index Server Internet Server API (ISAPI) extension, idq.dll, which supports administration scripts. The buffer overrun condition occurs before any indexing is requested; therefore, the server remains vulnerable even if the Index Service isn't running. If you have the script mappings for the .ida and .idq extensions in place, and users can establish Web sessions to the server, you have a vulnerable server.
Microsoft has released security bulletin MS01-033 for this vulnerability and recommends that users immediately apply the patch specified in the bulletin. The company further recommends that you remove the script mappings for the .ida and .idq extensions under IIS if you're not using them, as mentioned in the security checklists for IIS 4.0 and IIS 5.0.

June 20, 2001
SQL SERVER CACHED CREDENTIALS VULNERABILITY
A vulnerability in Microsoft SQL Server 2000 and SQL Server 7.0 can let an attacker execute SQL queries using the systems administrator security context. When a user terminates a client connection to a SQL Server, the connection remains cached for a period of time for performance reasons. One SQL query method contains this cache vulnerability, and an attacker can use the query to reuse a cached connection that once belonged to the systems administrator account. An attacker can then take actions on the database (e.g., running code), and under the right conditions, can assume full control of the server.
Microsoft has released security bulletin MS01-032 for this vulnerability, and recommends that users immediately apply the patch mentioned in Microsoft article "Query Method Used to Access Data May Allow Rights that the Login Might Not Normally Have."

June 13, 2001
SCRIPT EXECUTION VULNERABILITY IN MICROSOFT EXCHANGE OWA
Joao Gouveia discovered a flaw in the interaction between Microsoft Exchange Server Outlook Web Access (OWA) and Microsoft Internet Explorer (IE) for message attachments. If an attachment contains HTML code that includes script, the script will execute when the user opens the attachment, regardless of the attachment type.
Microsoft has acknowledged this vulnerability and recommends that users immediately apply the patch mentioned in Security Bulletin MS01-030.

June 13, 2001
MULTIPLE VULNERABILITIES IN MICROSOFT WINDOWS 2000 TELNET
Seven different vulnerabilities exist in the version of Telnet that Microsoft ships with Windows 2000. Two of these vulnerabilities relate to the way that Telnet handles the sessions that a user creates, and escalate the user's privilege. Four of these vulnerabilities let an attacker create Denial of Service (DoS) attacks, and the seventh vulnerability involves information disclosure that lets an attacker enumerate Guest accounts exposed by using the Telnet server. Guardent, Peter Grundl, Richard Reiner, and BindView's Razor team discovered the problems.
Microsoft acknowledges these vulnerabilities and recommends that users immediately apply the patch mentioned in Security Bulletin MS01-031. For Windows 2000 Datacenter Server users, the patches are hardware specific, and users should contact the original equipment manufacturer.

June 6, 2001
CISCO WEBNS MANAGEMENT SOFTWARE ALLOWS UNAUTHENTICATED ACCESS
If users bookmark the URL that the Web management interface directs users to after first authentication, users can access that URL anytime in the future without having to reauthenticate.
Cisco has issued an advisory regarding this vulnerability. Cisco recommends that users running the affected WebNS management software versions upgrade to versions 4.01B29s or 4.10B17s, available through regular support channels. As a workaround, Cisco recommends either disabling the Web management interface on the switch or applying access control as specified in the following documents:
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm
and
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm

June 6, 2001
SCANNING SOFTWARE VULNERABILITY CAN TRIGGER RELOAD OF CISCO IOS CONFIGURATION
A vulnerability exists in Cisco's Internetwork Operating System (IOS) that can cause a configuration reload. Security scanning software making a TCP connection to ports 3100-3999, 5100-5999, 7100-7999, and 10100-10999 causes the router to unexpectedly reload at the next issuance of the commands "show running-config" or "write memory" or during the next access of the configuration file. It isn't possible to configure Cisco IOS software to support any services that might listen at these port addresses or accept connections on those ports. However, connection attempts to these ports in the affected version can cause memory corruption, leading to an unexpected reload.
Cisco has issued a notice regarding this vulnerability.

June 6, 2001
FTP VULNERABILITY IN CISCO ARROWPOINT SWITCHES
A user account that doesn't have administrative privileges can open an FTP connection to a Cisco CSS 11000 series switch and use the GET and PUT FTP commands with no user-level restrictions enforced.
Cisco has issued an advisory regarding this vulnerability. Cisco recommends that users running the affected WebNS software versions upgrade to versions 4.01B29s or 4.10B17s, available through regular support channels. As a workaround, Cisco recommends that users do not configure non-privileged users on the switch, as the software does not create any by default. Cisco also recommends using the RESTRICT command to disable FTP access to the switch and applying access control to FTP users as specified in the following documents:
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm
and
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm

June 6, 2001
DENIAL OF SERVICE IN PI-SOFT SPOONFTP SERVER
A Denial of Service (DoS) condition in Pi-Soft SpoonFTP 1.0.0.12 can let an attacker execute arbitrary code on the server. By establishing an FTP connection to a vulnerable server and issuing the LIST or CWD command, followed by 531 bytes of data or more, an attacker can cause the server process to crash. In most cases, the computer kills the process before passing any data to the stack, but the possibility still exists for an attacker to overwrite the instruction pointer (EIP) and execute the code.
The vendor, Pi-Soft Consulting, has released version 1.0.0.13 to fix this vulnerability.

May 29, 2001
By embedding a macro in a template and providing another user with a Rich Text Format (RTF) document that links to the template, an attacker can cause macros to run automatically when the user opens the RTF document. Microsoft has released an FAQ and a patch to remedy this vulnerability.
Microsoft has acknowledged this vulnerability and recommends that users immediately apply the patch contained in Security Bulletin MS01-028.

May 29, 2001
An unchecked buffer vulnerability in the method Windows Media Player (WMP) uses to process Active Stream Redirector (.asx) files can result in a buffer overflow. An attacker can use the vulnerability to run code on the vulnerable computer under the user's security context.
Microsoft has acknowledged this vulnerability and recommends that users of WMP 6.4 immediately apply the patch contained in Security Bulletin MS01-029. For users of WMP 7.0, Microsoft recommends an upgrade to version 7.1.

May 29, 2001
Multiple vulnerabilities exist in eEye's SecureIIS 1.0.2. The first vulnerability involves the keyword-checking feature: SecureIIS fails to decode escaped characters in a request's query, which can lead to information disclosure. The second involves a directory traversal vulnerability that lets an attacker break out of the Web root directory. The third vulnerability involves a buffer overrun condition caused by the way SecureIIS processes HTTP header and large-character requests.
The vendor, eEye Digital Security, recommends that users upgrade to version 1.0.5, which addresses these vulnerabilities.

May 23, 2001
IE ALLOWS SPOOFING OF TRUSTED WEB SITES
Two newly discovered vulnerabilities in Microsoft Internet Explorer (IE) 5.01 and 5.5 let an attacker spoof trusted Web sites. The first vulnerability involves how IE validates digital certificates sent from Web servers. The second vulnerability can let a Web page display the URL from a different Web site in the IE address bar. Microsoft has released a patch and FAQ and will make article Q295106 available online soon.
The vendor, Microsoft, has acknowledged these vulnerabilities and recommends that users immediately apply the patch contained in Security Bulletin MS01-027.

May 23, 2001
NETSCAPE ENTERPRISE SERVER ALLOWS REMOTE COMMAND EXECUTION
A vulnerability in the Netscape Enterprise Server 4.1 for Windows NT Web Publisher can give an attacker system-level shell access on the server. By sending a large buffer containing executable code and a new instruction pointer, an attacker can gain remote system-level shell access to the vulnerable server.
The vendor, iPlanet, acknowledges this vulnerability and has released an NSAPI patch to correct it. iPlanet further recommends that users apply Service Pack 8 (SP8) when iPlanet makes SP8 available.

May 23, 2001
IIS MIGHT ALLOW REMOTE COMMAND EXECUTION
Nsfocus discovered three vulnerabilities in Microsoft's IIS 4.0 and 5.0 that can lead to a Denial of Service (DoS) attack, remote code execution, and information disclosure. The DoS vulnerability is in the function that processes wild-card service requests for the FTP service. The remote code execution vulnerability lets a potential attacker run scripts on the server by using the security context of IUSR_machinename, which by default appears in the Everyone group. The information disclosure vulnerability lets an attacker find guest accounts that FTP inadvertently exposed. You can find more detailed information about these vulnerabilities on Microsoft's Web site. Microsoft has released an FAQ, patch, and articles Q293826, Q295534, Q294370, and Q288855 to address these matters.
The vendor, Microsoft, has acknowledged these vulnerabilities and recommends that users immediately apply the patch contained in Security Bulletin MS01-026.

May 23, 2001
CARELLO E-COMMERCE SERVER ALLOWS REMOTE COMMAND EXECUTION
Peter Grundl discovered that a vulnerability in Carello E-Commerce Server 1.2.1 for Windows NT lets an attacker use the System security context to run programs located on the server. The carello.dll uses full physical paths to execute its scripts instead of paths relative to the Web root.
The vendor, Carello, acknowledges this vulnerability and has released version 1.3 to correct it.

May 16, 2001
NEW WORM CAUSES SOLARIS TO ATTACK WINDOWS
The Computer Emergency Response Team (CERT) issued an advisory today detailing a new worm that causes a Sun Microsystems Solaris system to attack a Windows system. The worm exploits a vulnerability under Solaris to install a worm that attempts to seek out and attack IIS-based systems. According to the advisory, the problem stems from a 2-year-old buffer overflow condition in the Solstice sadmind program and a 7-month-old directory traversal vulnerability common to unpatched IIS 4.0 and 5.0 systems.
Sun issued Security Bulletin #00191 in response to the sadmind buffer problem in December 1999, and Microsoft issued Security Bulletin MS00-078 in response to the IIS directory traversal problem in October 2000. CERT maintains its own bulletins regarding the two problems with Solaris and IIS and advises all Windows 2000, Windows NT, and Solaris users to patch their systems against these long-known issues.

May 16, 2001
CRUSH FTP RELATIVE PATH VULNERABILITY
Joe Testa discovered that a vulnerability in CrushFTP lets an attacker break out of the FTP root. For example, by connecting to a vulnerable host and issuing the change directory (CD) command, an attacker can access the root directory where the FTP server is running. An attacker can also download files outside of the FTP root by using relative paths. Version 2.17 is now available and isn't vulnerable to this problem.
The program author, Ben Spink, has released version 2.1.7, which is not subject to this vulnerability.

May 16, 2001
DOS IN WFTPD FTP SERVER
Joe Testa discovered a Denial of Service (DoS) condition in Texas Imperial Software's WFTPD program. If a potential attacker connects to the FTP server and issues a change directory (CD) command targeted at the 3.5" drive of the FTP server, the server processes this request.
Texas Imperial Software will correct this vulnerability in a future release, version 3.1. Meanwhile, to work around the vulnerability, use the FTP server's BIOS settings to disable the floppy drive.

May 16, 2001
DOS IN WINDOWS 2000 KERBEROS SERVICE
Defcom Labs discovered that a Denial of Service (DoS) condition in the Windows 2000 Kerberos and Kerberos password services can let an intruder disrupt those services on a network.
Microsoft acknowledges this vulnerability and recommends that users apply the patch contained in Security Bulletin MS01-024. Users can also disallow access to Kerberos-related TCP ports 88 and 464 from untrusted networks.

May 16, 2001
IIS MIGHT ALLOW REMOTE COMMAND EXECUTION
Three vulnerabilities were recently discovered in Microsoft's IIS 4.0 and 5.0 that can lead to a Denial of Service (DoS), remote code execution, and information disclosure. The DoS vulnerability is in the function that processes wild-card service requests for the FTP service. The remote code execution vulnerability lets a potential attacker run scripts on the server by using the security context of IUSR_machinename, which by default appears in the Everyone group. The information disclosure vulnerability lets an attacker find guest accounts that FTP inadvertently exposed.
Microsoft has acknowledged these vulnerabilities and recommends that users immediately apply the patch contained in Security Bulletin MS01-026.

May 16, 2001
Another security product is an intrusion-detection system (IDS) called Snort, which is provided free to everyone under the GNU General Public License (as published by the Free Software Foundation). Snort was originally designed by Martin Roesch to run on UNIX systems; however, Michael Davis has graciously ported Snort to the Win32 platform, so now it runs on Windows.
Like other IDS systems, Snort works by comparing network traffic to a database of known attack types and traffic patterns. Snort is very flexible; users can write their own rules using fairly simple syntax, or they can download any of several predefined attack signature databases (called rules) for use within the product. The ability to define your own attack signatures means that you don't have to wait for your IDS vendor to produce them for you; you can protect yourself as soon as you discover a new risk by writing your own rules.
Snort is easy to use, good at detecting attacks, runs on a variety of OSs, and comes with a plethora of snap-ins and add-ons that further extend its abilities. If you thought you couldn't afford a good IDS system for your network, Snort is just what you need--and it's free! You can thank the open-source community for that fact. You can get Snort and the required WinPcap packet driver at the following URLs:
http://www.snort.org
http://netgroup-serv.polito.it/winpcap

May 16, 2001
Are you interested in biometric security? BioLogon is a fingerprint logon mechanism for Windows 2000, Windows NT, and Windows 9x systems that eliminates the need for passwords. The unit comes as a PC card finger scanner. The product integrates into the Windows security subsystem, and you can configure it in a variety of ways, including fingerprint-only logons, where passwords aren't allowed--no matter how the system is booted, a person can't log on without the correct fingerprint. When combined with disk encryption, BioLogon offers strong security, especially for mobile users who are more susceptible to stolen or lost computer equipment. You can use BioLogon as standalone security for one system, or you can integrate the tool across a network with Identix's BioServer software. If you're looking for fingerprint-based security technology, give BioLogon a close look:
http://www.identix.com/itsecurity/products/biologonclient.html

May 10, 2001
Defcom Labs discovered that a Denial of Service (DoS) condition exists in the Windows 2000 Kerberos and Kerberos password services that could let an intruder disrupt those services on a network. Microsoft has released an FAQ and a patch to remedy this vulnerability.
Microsoft acknowledges this vulnerability and recommends that users apply the patch contained in Security Bulletin MS01-024. Users can also disallow access to Kerberos-related TCP ports 88 and 464 from untrusted networks.

May 9, 2001
Securing Exchange Server

May 9, 2001
IIS FLAW DOGS MICROSOFT
A security flaw in the Microsoft IIS Web server for Windows 2000 lets hackers use the software to gain control of those systems, Microsoft admitted this week. Microsoft's disclosure of what it refers to as an "extremely serious flaw" stands in stark contrast to the silence that greeted earlier security problems.
For more information and the free download, visit the Microsoft Web site.

May 9, 2001
UNCHECKED BUFFER IN IIS 5.0
eEye Digital Security discovered a buffer overflow condition in IIS 5.0 that can let an attacker choose code to run under the system's security context. This vulnerability stems from an unchecked buffer in the Internet Server API (ISAPI) .printer extension that handles the input parameters to support the Internet Printing Protocol (IPP). The overflow condition occurs when a user sends approximately 420 bytes within the HTTP Host: header for a .printer ISAPI request.
Microsoft has issued security bulletin MS01-023 to address this vulnerability, and has also issued a hotfix that fixes the unchecked buffer in the ISAPI extension that handles the input parameters. Users who are unable to apply this hotfix should remove the mapping for the Internet printing ISAPI extension. Microsoft's Secure Internet Information Services 5 Checklist provides more information on this procedure.

May 9, 2001
WEBXQ WEB SERVER RELATIVE PATH VULNERABILITY
Joe Testa discovered that a vulnerability in WebXQ lets an attacker break out of the Web root to traverse other directories by using relative paths.
The vendor, DataWizard Technologies, has released Version 2.1.205 to correct this vulnerability.

May 9, 2001
ALEX FTP SERVER RELATIVE PATH VULNERABILITY
Joe Testa discovered a vulnerability in Alex FTP Server 0.7 that lets an attacker break out of an FTP root. For example, an attacker can access the root directory where the FTP server is running by connecting to a vulnerable host and issuing the command "cd..". An attacker can also use relative paths to download files outside of an FTP root.
The vendor, Alex Linde, has been notified; however, no workaround or fix is currently available.

May 9, 2001
BRS WEBWEAVER WEB SERVER RELATIVE PATH VULNERABILITY
Joe Testa discovered a vulnerability in BRS WebWeaver 0.63 that lets an attacker use relative paths to break out of an FTP root using particular commands. In addition, an attacker can cause the Web server to disclose the physical path of the FTP root. Visit our Web page for workaround details and a demonstration of the problem.
No solution exists for the FTP root disclosure vulnerability. However, you can prevent the Web server root traversal vulnerability by removing all user-defined aliases (e.g., syshelp and sysimages) as well as the Internet Server API (ISAPI)/Common Gateway Interface (CGI) alias (e.g., scripts). The vendor, Blaine R. Southam, has been notified, but has not yet provided a fix.

May 2, 2001
A war between two nations' hackers?
Ramifications from the fallout over the China-US spy plane incident have made themselves known.
Last Monday, the Chinese hacking group Honkers Union of China ("honker" is Chinese slang for "hacker") hacked and defaced more than 80 sites. Among the US sites hacked were the National Institutes of Health, the U.S. Navy, the California Department of Energy, and the U.S. Department of Labor. On the other side of the coin, pro-American hackers have defaced at least 100 Chinese sites.
The Chinese are extremely upset over the political standoff and have promised to go on an all-out attack between April 30th and May 7th. These days are significant to the Chinese people because of two major holidays: Youth Day and International Workers Day. Additionally, the US bombed the Chinese embassy in Belgrade a few years ago on May 7th. Furthermore, since the Chinese use the Linux system to a greater degree than the U.S., they have reportedly created the Adore worm, which infiltrates Linux systems and sends the info back to China.
Sources:
http://news.cnet.com/news/0-1003-200-5773288.html
http://www.wired.com/news/politics/0,1283,42982,00.html
http://www.attrition.org/security/commentary/cn-us-war.html

May 2, 2001
BUFFER OVERFLOW CONDITION IN IPSWITCH IMAIL 6
eEye Digital Security discovered that a vulnerability exists in the IPSwitch IMail 6.06 mail server that can let a remote attacker gain system-level access to servers running the SMTP daemon. This vulnerability exists because the IMail SMTP daemon doesn't perform proper bounds checking on the input data that passes to the IMail Mailing List handler code.
The vendor, IPSwitch, has released a patch to correct this vulnerability.

| May 2, 2001 |
|
ROBTEX VIKING WEB/PROXY SERVER RELATIVE PATH VULNERABILITY
A vulnerability exists in the RobTex Viking Web/Proxy Server that lets an attacker break out of the Web root by using relative paths. For example, an attacker can gain access to files outside of the Web root directory by connecting to a vulnerable host and issuing the command http://<vulnerablehost>/\...\<file outside of Web root>.
The vendor, RobTex, has released build 378 that corrects this issue.

April 30, 2001
DIRECTORY TRAVERSAL VULNERABILITIES IN BRS WEBWEAVER, ALEX'S FTP SERVER, AND WEBXQ
A person using the alias "Joe Testa" discovered directory traversal vulnerabilities in three software packages. A vulnerability exists in BRS WebWeaver 0.63 that lets an attacker use relative paths to break out of an FTP root using particular commands. In addition, an attacker can cause the Web server to disclose the physical path of the FTP root. No solution exists for the FTP root disclosure vulnerability. However, you can use a workaround while the vendor works on a fix for the problem. Visit our Web page for workaround details as well as a demonstration of the problem. You can prevent the Web server root traversal vulnerability by removing all user-defined aliases (e.g., syshelp and sysimages) as well as the Internet Server API (ISAPI)/Common Gateway Interface (CGI) alias (e.g., scripts). The vendor, Blaine R. Southam, has been notified, but has not yet provided a fix.
A vulnerability exists in Alex's FTP Server 0.7 that lets an attacker break out of an FTP root. For example, an attacker can access the root directory where the FTP server is running by connecting to a vulnerable host and issuing the command "cd". An attacker can also use relative paths to download files outside of an FTP root. The vendor, Alex Linde, has been notified. However, no workaround or fix is currently available.
A vulnerability exists in WebXQ that lets an attacker break out of the Web root to traverse other directories by using relative paths. The vendor, DataWizard Technologies, has released Version 2.1.205 to correct this vulnerability.

April 25, 2001
IMPLEMENTATION FLAW WITH MICROSOFT WEBDAV
Microsoft reported a flaw in its WWW Distributed Authoring and Versioning (WebDAV) implementation that runs a script under the user's security context. WebDAV should distinguish between a user's request and the script that a Web browser runs, but Microsoft WebDAV doesn't differentiate the two. An attacker can use this flaw to browse the user's intranet or access Web-based email if the attacker knows certain variables, such as server names, folder structures, and specific user and network information.
Microsoft has issued security bulletin MS01-022 to address this vulnerability, and has also issued a hotfix that changes the WebDAV implementation to correctly process these scripts.
DENIAL OF SERVICE CONDITION IN MICROSOFT ISA SERVER
SecureXpert Labs discovered that when you use Microsoft Internet Security and Acceleration (ISA) Server 2000 Web Publishing to bridge HTTP traffic to a Web server, a malicious attacker can use an invalid Web request containing a certain malformed argument to cause an access violation in the Web proxy service, denying service for legitimate traffic. Microsoft disables this service by default.
Microsoft has issued security bulletin MS01-021 to address this vulnerability and has also issued a hotfix that enables ISA's Web proxy service to correctly treat this request as invalid.

April 18, 2001
WINDOWS PGP ASCII ARMOR PARSER VULNERABILITY
@Stake reported that by using Pretty Good Privacy (PGP) versions 5.0 to 7.0.3 (on Windows 2000, Windows NT, Windows Me, and Windows 9x), a malicious attacker can wrap a specially formed ASCII armored file around a file with an arbitrary name and contents. After parsing the armored file using PGP, the attacker can extract the binary file. Because of how Windows OSs load .dll files, if the extracted file is a .dll file, the intruder can trick several applications into loading the .dll files and executing potentially malicious code.
The vendor, Network Associates, Inc. (NAI), has released several patches to correct this vulnerability.
DENIAL OF SERVICE CONDITION IN LOTUS DOMINO WEB SERVER R5
Defcom Labs reports that an HTTP header-activated Denial of Service (DoS) condition exists in Lotus Domino Web Server R5 versions earlier than 5.0.7. An attacker can repeatedly request the document root (/) with various accept fields (accept: a, accept: aa, accept: aaa, and so on) that can cause the server to run out of physical memory. The server might continue to run but won't accept any new requests, or the server process can crash, requiring a server restart.
The vendor, Lotus Development Corporation, has acknowledged this vulnerability and recommends that users upgrade to version 5.0.7. Users can obtain a copy of this upgrade from the Notes.net Web site.
DENIAL OF SERVICE CONDITION IN COMPAQ PRESARIO PCS
Compaq provides customer support features through its Knowledge Center and Back Web components for its Presario PCs running Windows Me and Windows 98. Some of Presario's custom support features are implemented with ActiveX controls. By using the ActiveX control function LogDataListToFile, a malicious attacker can use a Web page to write a specified file to the system's hard disk, creating a potential Denial of Service (DoS) condition. The intruder can't modify the file's content but can access the hardware and software configuration information.
The vendor, Compaq Computer Corporation, has released Softpaq 16629 to correct this vulnerability.

April 17, 2001
DENIAL OF SERVICE CONDITION IN MICROSOFT ISA SERVER 2000
SecureXpert Labs reported a Denial of Service (DoS) condition in Microsoft Internet Security and Acceleration (ISA) Server 2000. When you use Web publishing to bridge HTTP traffic to a Web server, a malicious attacker can use an invalid Web request containing a certain malformed argument to cause an access violation in the Web proxy service, denying service for legitimate traffic. Microsoft disables this service by default.
Microsoft has issued a hotfix, FAQ, and security bulletin MS01-021 to address this vulnerability.

April 11, 2001
DOS CONDITION IN NAVISION'S FINANCIALS SERVER 2.50 AND 2.60
Defcom Labs discovered a Denial of Service (DoS) condition in Navision Financials Server versions 2.50 and 2.60 for Windows 2000 and Windows NT that lets a remote attacker crash the server service. By sending a null character followed by 30,000 bytes of the character "A" to TCP port 2047, the attacker can cause a buffer overflow that terminates the process server.exe.
The vendor, Navision, recommends disallowing access to port 2047 from untrusted systems. Contact Navision-Damgaard Support to obtain a patch for this issue.
CAN YOU BREAK WINDOWS XP SECURITY?
Microsoft quietly put a new test site online March 31 to let hackers attempt to breach Windows XP's security. Microsoft placed a version of Windows XP Home Edition online in a configuration that resembles a typical user's home setup. The Web site will help Microsoft determine configuration settings that it can recommend to the new OS's potential users. Windows XP test site
THREE MORE SECURITY RISKS FOUND IN WEP PROTOCOL
Researchers at the University of Maryland's Computer Science Department have discovered three new security risks in the Wired Equivalent Privacy (WEP) technology used in the 802.11 standard. According to a report by William A. Arbaugh, Narendar Shankar, and Y.C. Justin Wan, published March 30, the three risks involve vulnerabilities in two access control mechanisms currently used in Orinoco and in Lucent Technology's Wavelan PCMCIA cards. In addition, the researchers identified an eavesdropping attack that an intruder can leverage against WEP's shared-key authentication mechanisms.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20577

April 11, 2001
INCORRECT MIME HEADER CAN CAUSE IE TO EXECUTE EMAIL
Juan Carlos Cuartango reported that a malicious user can alter the MIME type header of an email message to make Internet Explorer (IE) automatically launch file attachments. Microsoft has issued a patch, FAQ, and security bulletin MS01-020 to address this vulnerability.
* WINDOWS ME AND WINDOWS PLUS! 98 PASSWORDS FOR COMPRESSED FOLDERS ARE RECOVERABLE
Microsoft reported that the Compressed Folders option in Windows Me and Windows Plus! 98 is flawed. Passwords for compressed folders are stored in a file on the system where they could become available to intruders. Microsoft has issued security bulletin MS01-019 to address this vulnerability. Microsoft has also provided patches that you can download for Windows 98 and Windows Me.
* PATCH AVAILABLE FOR BOGUS VERISIGN CERTIFICATES
Microsoft has also released patches for all supported Windows OSs that eliminate the vulnerability caused by two erroneous VeriSign-issued digital certificates. The problem is described in security bulletin MS01-017.

March 28, 2001
* ERRONEOUS VERISIGN-ISSUED DIGITAL CERTIFICATES
On January 29 and 30, 2001, VeriSign erroneously issued two Class 3 code-signing certificates to someone claiming to be a Microsoft employee. These certificates enable signing of macros, programs, ActiveX controls, and executable content. A software update for this vulnerability will be available soon from Microsoft. Meanwhile, the company recommends that users perform the workaround steps in the following article.
* GORDANO'S NT MAIL VULNERABLE TO DOS ATTACK
Defcom Labs reported that Gordano NTMail 6.0.3c for Windows 2000 and Windows NT is subject to a Denial of Service (DoS) condition. By sending a URL request greater than 255 characters to the server, a malicious attacker can crash the server listening on ports 8000, 8025, 8080, 8888, and 9000.
The vendor, Gordano, has issued a patch to correct this vulnerability. You can download it from the Gordano Web site.
CZECH CRYPTOLOGISTS DISCOVER SERIOUS VULNERABILITY IN OPENPGP
Researchers at the Czech company ICZ have uncovered a serious vulnerability in OpenPGP. According to the company's findings, an attacker can make a slight modification to the user's private key file to discover a user's private keys.