Monday, July 30, 2007

Cisco Multiple Products Wireless ARP Requests Denial of Service

Secunia Advisory: SA26161
Release Date: 2007-07-25
Last Update: 2007-07-27


Critical: Moderately critical
Impact: DoS
Where: From local network
Solution Status: Partial Fix


OS: Cisco 4400 Series Wireless LAN Controller
Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers


Software: Cisco Catalyst 6500 Series Wireless Service Module (WiSM)


CVE reference: CVE-2007-4011
CVE-2007-4012

Description:
Some vulnerabilities have been reported in multiple Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) Certain Cisco Wireless LAN Controllers (WLCs) do not correctly handle unicast ARP requests from MAC addresses that are unknown to the Layer-2 infrastructure, causing a second WLC to incorrectly re-forward the ARP request back into the network.

Successful exploitation causes a DoS due to heavy network traffic, but requires that two WLCs be attached to the same set of Layer-2 VLANs and that each has a context for the wireless client, e.g. if a guest WLAN (auto-anchor) is used or after a Layer-3 (cross-subnet) roam.

2) Broadcast ARP packets for the IP address of a known client context are not correctly handled and re-forwarded into the network.

Successful exploitation causes a DoS due to heavy network traffic, but requires that more than one WLC is installed for the corresponding network and that the arpunicast feature is enabled.

Note: This affects version 4.1 only.

3) In certain Layer-3 (L3) roaming scenarios (e.g. when wireless clients move from one controller to another and the wireless LAN interfaces are configured on different controllers which are on different IP subnets), a foreign controller may send a unicast ARP request out to a local VLAN.

The vulnerabilities are reported in software versions 4.1, 4.0, 3.2, and prior for the following products:
* Cisco 4100 Series Wireless LAN Controllers
* Cisco 4400 Series Wireless LAN Controllers
* Cisco Airespace 4000 Series Wireless LAN Controller
* Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
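The failure mode in items 1 to 3 is a controller re-forwarding the same ARP request until the network is flooded. The added example below (not from the Cisco or Secunia advisory) parses Ethernet/ARP request frames and reports the highest repeat count for one (sender MAC, target IP) pair, which is how such a loop shows up in a capture; the frame layout is the standard RFC 826 one and all frames and addresses are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN   14
#define ARP_PLEN   28
#define FRAME_LEN  (ETH_HLEN + ARP_PLEN)
#define MAX_TRACK  64

/* One tracked (sender MAC, target IP) pair and how often it was seen. */
typedef struct {
    uint8_t  sha[6];
    uint8_t  tpa[4];
    unsigned count;
} arp_track;

/* Parse an Ethernet frame carrying an ARP request (RFC 826 layout).
   Returns 1 and fills sha/tpa for an IPv4-over-Ethernet ARP request, 0 otherwise. */
int parse_arp_request(const uint8_t *f, size_t len, uint8_t sha[6], uint8_t tpa[4])
{
    if (len < FRAME_LEN) return 0;
    if (f[12] != 0x08 || f[13] != 0x06) return 0;   /* EtherType 0x0806 = ARP */
    const uint8_t *a = f + ETH_HLEN;
    if (a[0] != 0x00 || a[1] != 0x01) return 0;     /* HTYPE 1 = Ethernet */
    if (a[2] != 0x08 || a[3] != 0x00) return 0;     /* PTYPE 0x0800 = IPv4 */
    if (a[4] != 6 || a[5] != 4) return 0;           /* HLEN 6, PLEN 4 */
    if (a[6] != 0x00 || a[7] != 0x01) return 0;     /* OPER 1 = request */
    memcpy(sha, a + 8, 6);                          /* sender hardware address */
    memcpy(tpa, a + 24, 4);                         /* target protocol address */
    return 1;
}

/* Walk a batch of fixed-size frames and count identical requests.
   Returns the largest repeat count for any (sender MAC, target IP) pair;
   a controller loop that keeps re-forwarding one request shows up as a high count. */
unsigned max_arp_repeat(const uint8_t *frames, size_t nframes)
{
    arp_track tbl[MAX_TRACK];
    size_t ntrack = 0;
    unsigned worst = 0;
    for (size_t i = 0; i < nframes; i++) {
        uint8_t sha[6], tpa[4];
        if (!parse_arp_request(frames + i * FRAME_LEN, FRAME_LEN, sha, tpa)) continue;
        size_t k;
        for (k = 0; k < ntrack; k++)
            if (!memcmp(tbl[k].sha, sha, 6) && !memcmp(tbl[k].tpa, tpa, 4)) break;
        if (k == ntrack) {
            if (ntrack == MAX_TRACK) continue;      /* table full: skip rather than overflow it */
            memcpy(tbl[k].sha, sha, 6);
            memcpy(tbl[k].tpa, tpa, 4);
            tbl[k].count = 0;
            ntrack++;
        }
        if (++tbl[k].count > worst) worst = tbl[k].count;
    }
    return worst;
}

/* Build a constructed ARP request frame (broadcast destination) for the demo. */
void build_arp_request(uint8_t out[FRAME_LEN], const uint8_t sha[6],
                       const uint8_t spa[4], const uint8_t tpa[4])
{
    static const uint8_t hdr[8] = {0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x01};
    memset(out, 0xff, 6);                 /* dst = broadcast */
    memcpy(out + 6, sha, 6);              /* src = sender MAC */
    out[12] = 0x08; out[13] = 0x06;       /* EtherType ARP */
    uint8_t *a = out + ETH_HLEN;
    memcpy(a, hdr, 8);                    /* HTYPE, PTYPE, HLEN, PLEN, OPER=request */
    memcpy(a + 8, sha, 6);
    memcpy(a + 14, spa, 4);
    memset(a + 18, 0, 6);                 /* THA is unknown in a request */
    memcpy(a + 24, tpa, 4);
}

/* Self-check: a built frame parses back to the same sender MAC / target IP,
   and a non-ARP EtherType is rejected. Returns 1 on success. */
int demo_parse_roundtrip(void)
{
    const uint8_t sha[6] = {1, 2, 3, 4, 5, 6}, spa[4] = {10, 0, 0, 2}, tpa[4] = {10, 0, 0, 1};
    uint8_t f[FRAME_LEN], osha[6], otpa[4];
    build_arp_request(f, sha, spa, tpa);
    if (!parse_arp_request(f, FRAME_LEN, osha, otpa)) return 0;
    if (memcmp(osha, sha, 6) || memcmp(otpa, tpa, 4)) return 0;
    f[13] = 0x00;                         /* EtherType 0x0800: IPv4, not ARP */
    return parse_arp_request(f, FRAME_LEN, osha, otpa) == 0;
}

/* Demo (constructed): five copies of one client's request, as a re-forwarding loop
   would produce, mixed with three distinct ordinary requests. Returns the worst count. */
unsigned demo_reforward_storm(void)
{
    static const uint8_t client_mac[6] = {0x02, 0x00, 0x00, 0xaa, 0xbb, 0xcc};
    static const uint8_t client_ip[4]  = {10, 1, 1, 50};
    static const uint8_t gw_ip[4]      = {10, 1, 1, 1};
    uint8_t frames[8 * FRAME_LEN];
    for (int i = 0; i < 5; i++)
        build_arp_request(frames + i * FRAME_LEN, client_mac, client_ip, gw_ip);
    for (int i = 5; i < 8; i++) {
        uint8_t mac[6] = {0x02, 0, 0, 0, 0, (uint8_t)i};
        uint8_t ip[4]  = {10, 1, 1, (uint8_t)(100 + i)};
        build_arp_request(frames + i * FRAME_LEN, mac, ip, gw_ip);
    }
    return max_arp_repeat(frames, 8);
}
```

On a real capture the same counting would be run per time window; a count that keeps climbing for one pair while the target never answers is the signature of the loop rather than of a busy but healthy client.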

Solution:
Version 3.2:
Reportedly, an update will be available 27-July-2007.

Version 4.0:
Reportedly, an update will be available 27-July-2007.

Version 4.1:
Update to version 4.1.181.0.

Provided and/or discovered by:
Reported to the vendor by customers.

Changelog:
2007-07-27: Added CVE reference.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20070724-arp.shtml


Panda Software AdminSecure Agent Heap Overflow Vulnerability

CVE ID:
CVE-2007-3026

Affected Vendor:
Panda Software

Affected Products:
Panda AdminSecure 2006


Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Panda AdminSecure. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the AdminSecure agent, which binds by default to TCP port 19226 or 19227. When processing traffic on the listening port, the agent trusts a user-supplied length value for a memory allocation. Specific size values can result in an integer overflow and subsequently an insufficient allocation size. This results in a heap-based buffer overflow that can be leveraged to execute arbitrary code.

Vendor Response:
Panda Software has issued an update to correct this vulnerability. More details can be found at:

http://www.pandasoftware.com/Download/tree/

Disclosure Timeline:
2006.11.15 - Vulnerability reported to vendor
2007.07.24 - Coordinated public release of advisory


Credit:
This vulnerability was discovered by Tenable Network Security.


Friday, June 29, 2007

Intel Core 2 Security concerns

Theo de Raadt posts some concerns about Core 2 processors. Interesting quotes include:

"Various developers are busy implimenting (sic) workarounds for serious bugs
in Intel's Core 2 cpu.

These processors are buggy as hell, and some of these bugs don't just
cause development/debugging problems, but will *ASSUREDLY* be
exploitable from userland code."


and:

"Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare
the hell out of us. Some of these are things that cannot be fixed in
running code, and some are things that every operating system will do
until about mid-2008.."


and:

"At this time, I cannot recommend purchase of any machines based on the
Intel Core 2 until these issues are dealt with (which I suspect will
take more than a year). Intel must be come more transparent.

(While here, I would like to say that AMD is becoming less helpful day
by day towards open source operating systems too, perhaps because
their serious errata lists are growing rapidly too)."


A good, easy-to-understand summary for non-specialists is here: http://www.geek.com/images/geeknews/2006Jan/core_duo_errata__2006_01_21__full.gif

Only one bug is listed due to be fixed by Intel. All others are to be fixed by BIOS or OS producers.


Thursday, May 17, 2007

Norton Personal Firewall ISAlertDataCOM ActiveX Control Buffer Overflow

Secunia Advisory: SA25290
Release Date: 2007-05-17


Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch


Software: Symantec Norton Internet Security 2004
Symantec Norton Internet Security 2004 Professional
Symantec Norton Personal Firewall 2004


CVE reference: CVE-2007-1689

Description:
Will Dormann has reported a vulnerability in Norton Personal Firewall, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the ISAlertDataCOM ActiveX control (ISLAlert.dll) when handling the "Set()" and "Get()" methods. This can be exploited to cause a stack-based buffer overflow via an overly long argument.

Successful exploitation allows execution of arbitrary code.

Solution:
Product updates to correct the problem are available through LiveUpdate.

Provided and/or discovered by:
Will Dormann, CERT/CC.

Original Advisory:
Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html

US-CERT VU#983953: http://www.kb.cert.org/vuls/id/983953


Sunday, April 22, 2007

Nortel VPN Router - Unauthorized Remote Access

http://secunia.com/advisories/24962/

Description:
A vulnerability and a security issue have been reported in Nortel VPN Routers, which can be exploited by malicious people to bypass certain security restrictions or manipulate certain data.

1) Two default user accounts ("FIPSecryptedtest1219" and "FIPSunecryptedtest1219") are configured on the VPN Router, which are not readily visible to the system manager. These can be exploited to gain unauthorized access to the private network.

2) Missing authentication checks within two template files of the web management tool can be exploited to e.g. modify certain router configurations.

An issue regarding the same DES keys being used to encrypt users' passwords has also been reported, which can facilitate brute-force attacks on users' passwords if an attacker were to gain access to the LDAP store.

The vulnerability and security issue reportedly affect the following products:
* Contivity 1000 VPN Switch
* Contivity 2000 VPN Switch
* Contivity 4000 VPN Switch
* VPN Router 5000
* VPN Router Portfolio

Solution:
Update to versions 6_05.140, 5_05.304, or 5_05.149.

Provided and/or discovered by:
The vendor credits Detack GmbH.


Friday, April 20, 2007

Internet Explorer Drag and Drop Redeux [CVE-2005-3240] Race Condition

[Full-disclosure] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)


From: Matthew Murphy (mattmurphy AT kc.rr.com)
Date: Mon Feb 13 2006 - 18:46:38 CST


My apologies to those who are receiving this late or are otherwise
inconvenienced by the staggered release. I had unexpected, last-minute
travel issues that interfered somewhat with today's release.

Of note since the initial drafting of the advisory is that Microsoft has
released a blog post on the MSRC blog about the vulnerability report,
which can be read here:

http://blogs.technet.com/msrc/archive/2006/02/13/419439.aspx

The technical/strategic points about the exploit that are raised in the
post are indeed accurate (though it references MS05-014, when I believe
the correct reference is MS05-008/MS05-013). The exploit has a greater
dependence on timing than previous, related attacks. As such,
Microsoft's decision not to include this issue in a standalone patch is
seemingly justified at this point. However, the point of disagreement
with Microsoft remains the choice of release *timeline*.

I released the information about this issue to a trusted colleague (Gadi
Evron) for publication today, after what I felt was a reasonable time,
in light of my difficulties obtaining internet access.

Though there are disagreements between myself and Microsoft about the
nature of this vulnerability, I would like to thank Brian Schafer of the
MSRC for adhering to a high level of professionalism and technical
accuracy in that post and for continuing to work with me once it was
made clear that the issue would imminently become public.

Also of note is that there was a typo in the information I provided
originally to SecuriTeam. The proper candidate is CVE-2005-3240, not
*3840* as was originally reported by me. SecurityFocus has also
informed me that my original BID reservation was a casualty of a data
migration and that the proper BID associated with this vulnerability is
now BID 16352, which is public in full detail as of this writing.

There have also been some incorrect reports made to SecuriTeam that this
issue does not affect Windows XP Service Pack 2. These reports are not
correct -- my testing during this investigation was done exclusively on
current installations of Windows 2000 and Windows XP. These systems had
all service packs applied and all updates installed when tests were
performed.

Thanks to Gadi Evron for doing some of my bidding today and taking some
of the heat for my fat-fingers.

The final advisory, corrected with the now-accurate references is
attached with an armored-format PGP signature inline.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

-- Michael Holstein



Microsoft Internet Explorer Drag-and-Drop Redeux

I. SYNOPSIS

Affected Systems:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
- Windows 98
- Windows 98 Second Edition
- Windows Millennium Edition
- Windows 2000
- Windows XP
- Windows Server 2003

Risk: Medium
Impact: Potential remote code execution with some user interaction
Status: Uncoordinated Release
Author: Matthew Murphy (mattmurphy AT kc.rr.com)

II. VULNERABILITY OVERVIEW

Microsoft Internet Explorer suffers from a vulnerability in its handling of certain drag-and-drop events. As a result, it is possible for a malicious web site to predict and exploit the timing of a drag-and-drop operation such that any drag operation (including using scroll-bars) could potentially lead to the installation of arbitrary files in sensitive locations that may enable further system compromise.

III. TECHNICAL DESCRIPTION

As a result of recent updates to its drag-and-drop functionality, Internet Explorer now imposes a rigid set of restrictions on most drag-and-drop sources:

* Input to the browser from other applications is not permitted.
* Dragging an object from inside a frame is not permitted.
* Dragging an HTML element from a top-level window will produce a security warning.

However, certain objects not derived from an HTML document (specifically, file objects within a folder view) remain draggable. This gives rise to a potential race condition in the handling of user input. If an attacker can persuade a user to drag any object within the top-level window that his/her site is contained in, malicious script can redirect these inputs to other top-level windows, potentially resulting in an unintended consequence such as file installation.

Proof-of-concept code has been developed that utilizes a pop-under window pointing to a malicious file share. This window can be created using window.open() or other stealthier methods that are known to evade Internet Explorer's built-in pop-up blocking. Focus is then returned to the opening window, where the user is encouraged to drag an object (image, link, etc.) in a seemingly "safe" fashion.

Immediately prior to this object being dragged, a mouseOver event is triggered that enables the attacker to (with a varying degree of success) predict the imminent drag attempt. The pop-under can then be returned to focus by way of a window.blur() executed in the current window. If the timing of the transition is accurate to a margin of error within a user's reaction time threshold, the user will unwittingly initiate a drag of a file from the pop-under instead of the object originally used as a lure by the attacker.

As soon as it transfers focus, the window with the original interactive content may set a timer (via window.setTimeout()) that returns focus to the window with a simple window.focus() call. After a split-second delay, focus is returned to the interactive window. At this point, on-demand alteration of CSS attributes can be used to display previously-hidden objects (such as inline frames). These objects serve as "drop target" windows and will initiate the copying of the file dropped from the (presumably malicious) pop-under window.

While Internet Explorer blocks hiding or resizing of certain "suspect" objects (IFRAMEs, for instance), so-called container objects (DIV, SPAN, etc.) suffer no such restrictions, even when they contain one of the objects in the former category. The proof-of-concept code as developed simply stores a full-screen inline frame in a container initially marked with the "hidden" visibility style.

The pop-under window, in this instance, would be a folder on a malicious server. This could be accessed via SMB (\\HOSTILESERVER\SHARE), FTP (ftp://hostileserver/somedirectory) or even HTTP (web folders) using certain link behaviors in combination with the click() method of a hyperlink object. In the third case, the pop-under would be targeted to an HTML document initially, which would then open the web folder containing hostile content.

The path to the drop target (the hidden frame in the original window) requires a little more creativity. Particularly in Windows XP Service Pack 2, Microsoft has done a fairly good job of locking down access to local resources. The most interesting vector for the purposes of this attack is via the network redirector. By using the IP address or machine name of the local system (typically obtainable via any number of means), such as:

\\MACHINENAME\share

It becomes possible to access resources offered by the network redirector on the local system. Of most interest is the "Scheduled Tasks" folder:

\\MACHINENAME\Scheduled Tasks

Items dropped into this folder execute automatically at a system-determined time (3 AM local time in tests on Windows XP Professional Service Pack 2) each day as the user dropping the file. Also of interest are common shares such as the administrative shares (C$, D$, etc.) and typical share names like "SharedDocs" on Windows XP. In most cases, this is at least a partial functional equivalent to local file system access and is not subject to zone restrictions, even on Windows XP Service Pack 2.

IV. IMPACT

A malicious web site, with a minimum of social engineering, may be able to compromise user systems by triggering an unintended installation of malicious software. Typical defense-in-depth measures may mitigate this issue. For those who run Internet Explorer with administrative privileges, the impact of any successful exploitation is complete control of the affected system. A malicious web site could install software that would add or delete privileged user accounts, alter, destroy or disclose the content of personal or otherwise sensitive files, record personal information or any number of other activities.

Users who do not browse with such high levels of privilege would be at a significantly reduced risk from exploitation of this vulnerability. In the case of a user with limited privileges, this vulnerability could only be exploited by an attacker to install software that executes with the privileges of that user.

V. WORKAROUNDS

The following workarounds are believed at the time of this writing to be effective against the exploitation of this vulnerability in some form:

1. Set a Kill Bit on the Shell.Explorer Control
-----------------------------------------------

Setting a kill bit on this control will prevent Internet Explorer from displaying the rich folder view interface that gives rise to this attack. For more information about setting kill bits, please see Microsoft Knowledge Base Article 240797:

http://support.microsoft.com/kb/240797

The CLSID of this component as deployed on Windows XP is:

{8856F961-340A-11D0-A96B-00C04FD705A2}

Tools to automate the process of setting this kill bit have been provided at:

http://student.missouristate.edu/m/matthew007/tools/shellkill.zip
PGP signature: http://student.missouristate.edu/m/matthew007/tools/shellkill.zip.asc

Included in this archive are an Administrative Template (.adm) and a VBScript file (.vbs) which implement this setting. The Administrative Template also allows an administrator to work around a specific case of functionality loss caused by the implementation of this workaround. Instructions on using both files are contained within the readme file in the archive.

IMPACT: This workaround will cause Internet Explorer to no longer render folder views for local directories, network file shares, FTP directories and web folders by default. The ability to browse FTP directories in Internet Explorer can be restored by clearing the "Enable Folder View for FTP Sites" option in Internet Explorer's "Advanced" options. However, this countermeasure is known to expose another security vulnerability that does not appear to have been fixed as of this writing:

http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005321.html

For ordinary browsing purposes, the Windows Explorer tool is unaffected by this change. This defensive measure has been successfully implemented in at least one commercial software product and tested on a significant scale prior to the release of this advisory. Therefore, it is the belief of the author that potential loss of functionality *should* be minimal. As with all measures, you are encouraged to test the impact of this workaround prior to making any decision about deployment.

2. Prevent Automatic Navigation to Local Intranet Zone (Windows XP SP2, Windows Server 2003 SP1)
------------------------------------------------------------------------------------------------

This workaround will prevent internet content in Internet Explorer from automatically navigating to URLs within the Local Intranet Zone. This effectively prevents the introduction of malicious code to the local system via the network redirector. To implement this workaround, follow these steps:

1. In Internet Explorer's Tools menu, choose "Internet Options..."

2. Select the "Security" tab and choose "Local Intranet"

3. Click the "Custom Level" button

4. Set the "Web sites in less privileged content zone can navigate into this zone" setting to "Disable" or "Prompt".

5. Click OK to close any dialogs and optionally, close Internet Explorer.

IMPACT: This workaround will block or prompt before allowing any navigation to LAN resources from the Internet Zone. Direct access to LAN resources continues to function normally. As a result of this workaround, attempts to access local intranet content (for instance, web applications on corporate intranets) from web sites outside of the LAN will fail or produce prompts, depending upon the chosen setting.

3. Disable Active Scripting
---------------------------

This workaround will prevent internet content from executing script that could potentially cause the exploitation of this vulnerability. To implement this workaround, follow these steps:

1. In Internet Explorer's Tools menu, choose "Internet Options..."

2. Select the "Security" tab and choose "Internet"

3. Click the "Custom Level" button

4. Set the "Active scripting" option to "Prompt" or "Disable".

IMPACT: This workaround will block or prompt before allowing web sites to execute any script statement. Scripting in more-privileged zones (Local Intranet, Trusted Sites) continues to function normally. Setting this option to "Prompt" may cause a significant increase in the number of security prompts received while browsing and may be ineffective in closing this vulnerability for users not capable of making an assessment of a web site's relative trustworthiness.

VI. MITIGATION RECOMMENDATIONS

1. Limit Viewing to Trusted Web Sites
-------------------------------------

In some situations, browsing can be successfully limited to only trustworthy sites without significant loss of productivity. Users should be extremely cautious while browsing unknown or untrusted web sites, as such web sites are often able to introduce hostile code.

2. Run Exposed Applications With Reduced Privilege
--------------------------------------------------

Users who log on interactively without the privileges of powerful groups such as the "Administrators" or "Power Users" groups are at a much lower risk of damage from successful exploitation of software vulnerabilities in client applications. This mitigation step greatly reduces the likelihood of a successful malware installation if this vulnerability is exploited.

VII. VENDOR RESPONSE

Microsoft was informed of this vulnerability on August 3, 2005. Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.

Microsoft's internal risk-assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft. In particular, the drag-and-drop vulnerability patched by MS05-013 received an "Important" rating.

I disagree with the technical conclusion behind Microsoft's decision and I further find the timeframe of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude. I find the harm this decision could potentially inflict upon down-level users (most importantly, users of Windows 2000) to be unjustified by the technical concern Microsoft has raised to me. Microsoft also rejected a request that it consider the issue for inclusion in a later security update as a "Moderate" risk issue.

Due to Microsoft's noncommittal and generally unimpressive response to the issue, this advisory is being issued to inform users of this vulnerability such that defensive action may be taken as desired.

VIII. REFERENCES/STANDARDS

* CVE

The MITRE Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-3840 to this issue. Status information and related references for this candidate may be found at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3840

* OSVDB

The Open Source Vulnerability Database (OSVDB) project has assigned OSVDB vulnerability ID #2707 to this issue. Information will be available shortly after the publication of this advisory at the following URL:

http://www.osvdb.org/displayvuln.php?osvdb_id=2707

* SecurityTracker

SecurityTracker has pre-assigned an alert number in its internal database to reference this issue. Information will be available shortly after the publication of this advisory at the following URL:

http://www.securitytracker.com/id?1015049

* SecurityFocus

SecurityFocus has pre-assigned BugTraq ID #15089 to reference this issue. Information will be available shortly after the publication of this advisory at the following URL:

http://www.securityfocus.com/bid/15089

IX. ACKNOWLEDGEMENTS

* The Administrative Template file supplied in the workaround ZIP was authored by Steven Platt.

X. CONTACT

The author may be contacted via e-mail at mattmurphy AT kc.rr.com

XI. LEGAL

This document is believed accurate based upon information available at the time it was written. However, the information offered is offered in an AS-IS condition, without warranty. By acting upon this information in any way you accept all responsibility for damage that may occur as a result.

This document may be reproduced in whole without limitation and in part provided that a full copy of the original document is readily accessible and the author of the document is duly acknowledged.


Thursday, April 12, 2007

Microsoft Agent URL Parsing Memory Corruption Vulnerability - agentdpv.dll

Secunia Advisory: SA22896
Release Date: 2007-04-10
Last Update: 2007-04-11


Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch


OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional




CVE reference: CVE-2007-1205

Description:
Secunia Research has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in Microsoft Agent (agentdpv.dll) when processing specially crafted URLs passed as arguments to certain methods.

Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website with Internet Explorer.

Solution:
Apply patches.

Windows XP (requires SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=e16ededa-6e8c-40d6-a3c0-d61362411acc

Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=23909036-898f-41af-a3de-4a899a15d25d


Credits: discovered by JJ Reyes and Carsten Eiram, Secunia Research.

Changelog:
2007-04-11: Added link to US-CERT.

Original Advisory:
MS07-020 (KB932168):
http://www.microsoft.com/technet/security/Bulletin/MS07-020.mspx

Secunia Research:
http://secunia.com/secunia_research/2006-74/

Other References:
US-CERT VU#728057:
http://www.kb.cert.org/vuls/id/728057


Sunday, April 8, 2007

Symantec Enterprise Security Manager Remote Upgrade Missing Authentication

Secunia Advisory: SA24767
Release Date: 2007-04-06


Critical: Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch


Software: Symantec Enterprise Security Manager 5.x, Symantec Enterprise Security Manager 6.x

Description:
A vulnerability has been reported in Symantec Enterprise Security Manager (ESM), which can be exploited by malicious people to compromise a vulnerable system.

The problem is that the ESM agent remote upgrade interface does not authenticate the source of remote upgrade requests. This can be exploited to e.g. deploy a malicious program to a vulnerable system via a specially crafted ESM remote upgrade request.

All versions of ESM are reportedly affected, with the exception of ESM agents running on the following platforms since they do not support remote upgrade:
* NetWare 6.0
* NetWare 6.5
* OS/400 V5R2
* OS/400 V5R3
* OpenVMS AXP 7.2
* OpenVMS AXP 7.3

Solution:
Apply patches.
http://securityresponse.symantec.com/avcenter/security/Content/2007.04.05b.html

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2007.04.05d.html


Kaspersky AntiVirus Engine ARJ Archive Parsing Heap Overflow Vulnerability

April 5, 2007

CVE ID:
CVE-2007-0445

Affected Vendor:
Kaspersky

Affected Products:
Anti-Virus 6.0
Internet Security 6.0
Anti-Virus for Workstation
File Server version 6.0

Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Kaspersky Anti-Virus Engine. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the engine's handling of the ARJ archive format. The Kaspersky engine copies data from scanned archives into an unchecked heap-based buffer. This results in heap corruption when a malformed ARJ archive is processed by an application that utilizes the engine. This corruption can be exploited to execute arbitrary code.
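Both the Panda AdminSecure flaw above (a peer-supplied length whose 32-bit sum wraps, leaving an allocation too small for the copy that follows) and this ARJ flaw (archive data copied into a heap buffer whose size is never checked against the data) come down to trusting a length from the input. The added example below is not code from either product; it shows the wrapping size computation next to a checked version, and a parser for a constructed length-prefixed message format (hypothetical, not either vendor's protocol) that refuses lengths it cannot honour. HDR_LEN and MAX_BODY are assumed values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN   8u          /* hypothetical fixed header prepended to the body in the allocation */
#define MAX_BODY  65536u      /* hypothetical sane upper bound for one message body */

/* Vulnerable pattern: the allocation size is computed with 32-bit arithmetic from a
   length the peer supplied. When body_len is close to UINT32_MAX the sum wraps and
   the buffer ends up far smaller than the body that is copied into it afterwards. */
uint32_t alloc_size_unchecked(uint32_t body_len)
{
    return body_len + HDR_LEN;
}

/* Would a copy of body_len bytes after an HDR_LEN header fit the unchecked allocation?
   Returns 1 when the write would run past the end of the buffer (heap overflow). */
int unchecked_copy_overflows(uint32_t body_len)
{
    uint64_t needed = (uint64_t)HDR_LEN + body_len;     /* true size, computed without wrap */
    return needed > alloc_size_unchecked(body_len);
}

/* Hardened: bound the length and refuse any value whose sum would wrap.
   The second test is implied by MAX_BODY here but is kept explicit so the
   guard survives if the bound is later raised. Returns 1 and sets *out on success. */
int alloc_size_checked(uint32_t body_len, uint32_t *out)
{
    if (body_len > MAX_BODY) return 0;
    if (body_len > UINT32_MAX - HDR_LEN) return 0;
    *out = body_len + HDR_LEN;
    return 1;
}

/* Constructed wire format (hypothetical): 4-byte little-endian body length, then the
   body. Parses into a freshly allocated header+body buffer owned by the caller.
   Returns the allocated size, or 0 (with *out NULL) if the message is rejected. */
uint32_t parse_message_checked(const uint8_t *msg, size_t msg_len, uint8_t **out)
{
    *out = NULL;
    if (msg_len < 4) return 0;
    uint32_t body_len = (uint32_t)msg[0] | (uint32_t)msg[1] << 8 |
                        (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    uint32_t size;
    if (!alloc_size_checked(body_len, &size)) return 0;
    if (body_len > msg_len - 4) return 0;       /* claimed length exceeds bytes actually received */
    uint8_t *buf = malloc(size);
    if (!buf) return 0;
    memset(buf, 0, HDR_LEN);
    memcpy(buf + HDR_LEN, msg + 4, body_len);   /* cannot exceed size: size == HDR_LEN + body_len */
    *out = buf;
    return size;
}

/* Constructed sample: 5-byte body "hello" -> allocation of HDR_LEN + 5 bytes. */
uint32_t demo_parse_benign(void)
{
    static const uint8_t msg[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    uint8_t *buf;
    uint32_t n = parse_message_checked(msg, sizeof msg, &buf);
    free(buf);
    return n;   /* 13 */
}

/* Constructed sample: length field 0xFFFFFFFC with no body. The checked parser
   rejects it; the unchecked computation would have allocated only 4 bytes. */
uint32_t demo_parse_wrapped(void)
{
    static const uint8_t msg[] = {0xfc, 0xff, 0xff, 0xff};
    uint8_t *buf;
    uint32_t n = parse_message_checked(msg, sizeof msg, &buf);
    free(buf);  /* buf is NULL on rejection; free(NULL) is a no-op */
    return n;   /* 0 */
}
```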

Vendor Response:
Kaspersky has issued an update to correct this vulnerability. More details can be found at:

http://www.kaspersky.com/technews?id=203038693
http://www.kaspersky.com/technews?id=203038694

Disclosure Timeline:
2006.11.09 - Vulnerability reported to vendor
2006.12.12 - Digital Vaccine released to TippingPoint customers
2007.04.05 - Coordinated public release of advisory


Credit:
This vulnerability was discovered by an anonymous researcher.

About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.


Kaspersky AntiVirus SysInfo ActiveX Control Information Disclosure Vulnerability

I. BACKGROUND

Kaspersky AntiVirus offers comprehensive protection from computer viruses and malware threats. More information can be found on the vendor's site at the following URL.
http://usa.kaspersky-labs.com/products/anti-virus.php

II. DESCRIPTION

Remote exploitation of an information disclosure vulnerability in Kaspersky AntiVirus 6 could allow malicious websites to steal files from a user's machine.

The vulnerability specifically lies within the following ActiveX Control:
ProgID: KL.SysInfo
Clsid: BA61606B-258C-4021-AD27-E07A3F3B91DB
File: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\AxKLSysInfo.dll
Version: 5.0.5.0

This control includes a method called "StartUploading" which allows malicious web scripts to perform an anonymous FTP transfer of any file they specify from the victim's machine.

III. ANALYSIS

Exploitation of this vulnerability allows attackers to steal files from a victim's computer.

This vulnerability can be triggered by a malicious website. Users would be required to have a vulnerable version of the target software installed and be lured to a malicious site.

No dialogs, warnings or user action are required to perform the transfer.

IV. DETECTION
iDefense has confirmed the existence of this vulnerability in version 6.0 of Kaspersky AntiVirus.

V. WORKAROUND
Setting the kill-bit for the target ActiveX control will prevent exploitation via Internet Explorer.

VI. VENDOR RESPONSE
Kaspersky has addressed this vulnerability by removing the vulnerable libraries upon installation of Maintenance Pack 2. More information is available from the vendor's advisory at the following URL.

http://www.kaspersky.com/technews?id=203038694

VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

12/12/2006 Initial vendor notification
12/12/2006 Initial vendor response
04/04/2007 Coordinated public disclosure

IX. CREDIT
This vulnerability was reported to iDefense by Peter Vreugdenhil.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/


X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense.


Thursday, April 5, 2007

Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow

Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow

Secunia Advisory: SA24742
Release Date: 2007-04-04

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: Yahoo! Messenger 5.x, Yahoo! Messenger 6.x, Yahoo! Messenger 7.x, Yahoo! Messenger 8.x
CVE reference: CVE-2007-1680

Description:
A vulnerability has been reported in Yahoo! Messenger, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the AudioConf ActiveX control (yacscom.dll) component of Yahoo! Messenger. This can be exploited to cause a stack-based buffer overflow by setting the "socksHostname" and "hostName" properties to an overly large string and then calling the "createAndJoinConference()" method.

Successful exploitation allows execution of arbitrary code when a user visits a malicious web site.

The vulnerability is reported in version 8.x. Other versions may also be affected.

Solution: Update to the latest version.
http://messenger.yahoo.com


Friday, March 30, 2007

Microsoft Windows Animated Cursor Handling Vulnerability

".. any web page, email or content that can load an animated cursor can allow an attacker to take advantage of the vulnerability and run arbitrary code on the users system."


A short overview by SANS of how the different email clients are reacting to the animated cursor vulnerability.

An unofficial fix for the animated cursor vulnerability from eEye.

Related Articles:
Microsoft confirms animated-cursor flaw: Microsoft confirmed on Thursday that an attacker could take control of a user's system by exploiting a flaw in the way the company's Windows software handles animated-cursor files.

========================================
http://secunia.com/advisories/24659/
Microsoft Windows Animated Cursor Handling Vulnerability


Secunia Advisory: SA24659
Release Date: 2007-03-30


Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched


OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2007-0038

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message.

Successful exploitation allows execution of arbitrary code.

NOTE: The vulnerability is currently being actively exploited.

Solution:
Do not browse untrusted sites or view untrusted e-mails.

Provided and/or discovered by:
Discovered as a 0-day.
Independently discovered by Determina Security Research.

Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/935423.mspx
http://blogs.technet.com/msrc/archive...-security-advisory-935423-posted.aspx

Determina:
http://www.determina.com/security_cen...ries/securityadvisory_0day_032907.asp

Other References:
US-CERT VU#191609:
http://www.kb.cert.org/vuls/id/191609

================================================================


Tuesday, March 27, 2007

Windows Mail URL Bug Lets Remote Users Cause Existing Code on the Target User's System to Be Executed

Windows Mail URL Bug Lets Remote Users Cause Existing Code on the Target User's System to Be Executed
SecurityTracker Alert ID: 1017816
SecurityTracker URL: http://securitytracker.com/id?1017816
CVE Reference: CVE-2007-1658
Date: Mar 26 2007
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Description: A vulnerability was reported in Windows Mail. A remote user can cause code to be executed on the target user's system without warning when the user clicks on a link.

A remote user can send an e-mail message containing a specially crafted link that, when loaded by the target user, will execute an arbitrary existing executable file located on the target user's system. The executable will run without warning and will run with the privileges of the target user.

Kingcope discovered this vulnerability.
Impact: A remote user can cause existing code located on the target user's system to be executed with the privileges of the target user when the user clicks on a specially crafted link.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/
Cause: State error
Underlying OS: Windows (Vista)
Reported By: "Kingcope"


Thursday, March 22, 2007

Microsoft Excel Long Palette Heap Overflow Vulnerability

Microsoft Excel Long Palette Heap Overflow Vulnerability
I. BACKGROUND

Microsoft Excel is the spreadsheet application from the Microsoft Office System. More information is available at the following link:

http://office.microsoft.com/
II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow vulnerability in the spreadsheet file format handling of Microsoft Corp.'s Excel could allow an attacker to execute arbitrary code in the context of the user who started Excel.

The vulnerability specifically exists in the handling of the PALETTE record in BIFF8 format spreadsheet files. By supplying a record with too many entries, an exploitable buffer overflow condition can occur.
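An added example (not iDefense's or Microsoft's code) of the record check the description above implies: a parser for the BIFF8 PALETTE record (type 0x0092; a 2-byte ccv count followed by ccv four-byte LongRGB entries) that refuses a count above the 56-entry palette or beyond the record's own payload, shown beside the unchecked pattern that writes ccv entries into a fixed 56-entry array. The record builder, the helper names and the sample bytes are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define BIFF_PALETTE_ID      0x0092  /* BIFF8 PALETTE record type */
#define PALETTE_MAX_ENTRIES  56      /* Excel's fixed colour palette size */

struct palette {
    uint16_t count;
    uint32_t colour[PALETTE_MAX_ENTRIES];   /* 0x00BBGGRR, as stored (LongRGB) */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE pattern: trusts the ccv count from the file and writes ccv
 * entries into a 56-entry array. Illustrative only; never call on untrusted
 * input. */
void parse_palette_unsafe(const uint8_t *rec, struct palette *out)
{
    uint16_t ccv = rd16(rec + 4);
    out->count = ccv;
    for (uint16_t i = 0; i < ccv; i++)
        out->colour[i] = rd32(rec + 6 + 4u * i);   /* overflows when ccv > 56 */
}

/* HARDENED parser. rec points at the 4-byte record header (type, length)
 * followed by the payload (ccv, then ccv LongRGB entries). Returns 0 on
 * success, -1 if the record is not a well-formed PALETTE that fits both the
 * buffer and the destination array. */
int parse_palette(const uint8_t *rec, size_t rec_len, struct palette *out)
{
    if (rec_len < 6)                         return -1;  /* header + ccv */
    uint16_t type = rd16(rec);
    uint16_t len  = rd16(rec + 2);
    if (type != BIFF_PALETTE_ID)             return -1;
    if ((size_t)len + 4 > rec_len)           return -1;  /* claims more bytes than we have */
    uint16_t ccv = rd16(rec + 4);
    if (ccv > PALETTE_MAX_ENTRIES)           return -1;  /* the missing bound */
    if ((size_t)ccv * 4 + 2 > len)           return -1;  /* entries must lie inside the payload */
    out->count = ccv;
    for (uint16_t i = 0; i < ccv; i++)
        out->colour[i] = rd32(rec + 6 + 4u * i);
    return 0;
}

/* Constructed sample record (not from a real file): declares `claimed_ccv`
 * entries but carries `actual` red entries. Returns bytes written, 0 if the
 * buffer is too small. */
size_t build_palette_record(uint8_t *buf, size_t buf_len,
                            uint16_t claimed_ccv, uint16_t actual)
{
    size_t payload = 2 + 4u * actual;
    if (4 + payload > buf_len) return 0;
    buf[0] = (uint8_t)(BIFF_PALETTE_ID & 0xFF); buf[1] = (uint8_t)(BIFF_PALETTE_ID >> 8);
    buf[2] = (uint8_t)(payload & 0xFF);         buf[3] = (uint8_t)(payload >> 8);
    buf[4] = (uint8_t)(claimed_ccv & 0xFF);     buf[5] = (uint8_t)(claimed_ccv >> 8);
    for (uint16_t i = 0; i < actual; i++) {
        uint8_t *e = buf + 6 + 4u * i;
        e[0] = 0xFF; e[1] = 0x00; e[2] = 0x00; e[3] = 0x00;   /* R, G, B, reserved */
    }
    return 4 + payload;
}

/* Builds a record with the given counts and runs the hardened parser on it,
 * optionally truncating the buffer by `trim` bytes. Returns the parser result. */
static struct palette last_pal;
int check_palette(uint16_t claimed_ccv, uint16_t actual, size_t trim)
{
    uint8_t buf[2048];
    size_t n = build_palette_record(buf, sizeof buf, claimed_ccv, actual);
    if (n == 0 || trim >= n) return -2;
    return parse_palette(buf, n - trim, &last_pal);
}
uint32_t last_colour(unsigned i) { return last_pal.colour[i]; }
uint16_t last_count(void)        { return last_pal.count; }
```

The two bounds are independent: a record can be internally consistent (100 declared entries, 100 present) and still exceed the palette, and a record can fit the palette while declaring more entries than its payload carries. The hardened parser rejects both, and also a record whose declared length runs past the end of the buffer it was read into.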
III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user who opened the document. In order to exploit this vulnerability, an attacker would need to convince the target to open an Excel spreadsheet file. Likely attack vectors include sending the file as an attachment in an email or linking to the file on a website.

Systems with a default install of Office 2000 will open Office documents, including Excel spreadsheet files, from websites without prompting the user. This allows an attacker to exploit this vulnerability without user interaction beyond visiting a website. Later versions of Office will not open these documents automatically unless the user has chosen this behavior.
IV. DETECTION

iDefense Labs have confirmed the existence of this vulnerability in Microsoft Excel 2003 with all service packs and security updates. Previous versions of Excel are also likely to be affected.
V. WORKAROUND

Do not follow links or open files from unknown sources or that you were not expecting to receive.
VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability with Microsoft Security Bulletin MS07-002. A link to this bulletin can be found below.

http://www.microsoft.com/technet/security/bulletin/ms07-002.mspx
VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0031 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE

09/22/2006 Initial vendor notification
09/22/2006 Initial vendor response
01/09/2007 Coordinated public disclosure
IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.


Wednesday, March 21, 2007

F-Secure Anti-Virus Client Security Local Format String Vulnerability

Mar 19 2007 10:41AM
dh layereddefense com
=================================================
Layered Defense Research Advisory 18 March 2007
=================================================
1) Affected Software
F-Secure Anti-Virus Client Security Version 6.02
=================================================
2) Severity Rating:
Low risk
Impact: Local read/write of arbitrary memory, denial of service.
=================================================
3) Description of Vulnerability
A format string vulnerability was discovered within F-Secure Anti-Virus Client Security Version 6.02. The vulnerability is due to improper handling of format strings in the Management Server name field. When specially crafted format strings are entered into the Management Server name field under Communication settings, an attacker can read/write arbitrary memory and, at a minimum, cause a denial of service condition.
=================================================
4) Solution
Fix: http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-cs-hotfixes.shtml
=================================================
5) Time Table:
11/20/2006 Reported Vulnerability to Vendor.
11/29/2007 Vendor acknowledged the vulnerability
03/01/2007 Vendor published hot fix
=================================================
6) Credits
Discovered by Deral Heiland, www.LayeredDefense.com
=================================================
7) Reference
=================================================
8) About Layered Defense
Layered Defense is a group of security professionals who work together on ethical research, testing and training within the information security arena. http://www.layereddefense.com
=================================================
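The bug class in the description above, as an added example (not Layered Defense's or F-Secure's code): a stand-in formatting wrapper receives the Management Server name either as the format string (the vulnerable pattern) or as an argument to a fixed "%s" format (the fix), plus a check that flags any conversion directive in a configuration field before it can reach a printf-family call. The wrapper, function names and sample strings are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Small formatting wrapper of the kind a settings dialog or logger typically
 * wraps around vsnprintf. Not the vendor's code; it stands in for whatever
 * consumed the Management Server name field. */
static int format_into(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern: the user-controlled field is used as the format string.
 * "%x" leaks stack words, "%n" writes to memory; with no variadic arguments
 * supplied the behaviour is undefined. */
int render_server_name_unsafe(const char *server_name, char *out, size_t out_len)
{
    return format_into(out, out_len, server_name);
}

/* FIXED pattern: the field is always passed as an argument to a literal format. */
int render_server_name(const char *server_name, char *out, size_t out_len)
{
    return format_into(out, out_len, "%s", server_name);
}

/* Defensive check for configuration fields that are later handed to a printf
 * family function: returns 1 if the string contains any conversion directive
 * (a '%' not immediately followed by another '%'), else 0. */
int has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p, '%')) {
        if (p[1] == '%') {      /* literal "%%": skip the pair */
            p += 2;
            continue;
        }
        return 1;               /* "%x", "%n", "%s", or a dangling trailing '%' */
    }
    return 0;
}

/* Helpers returning the rendered text so the two paths can be compared. */
const char *demo_unsafe(const char *server_name)
{
    static char buf[128];
    render_server_name_unsafe(server_name, buf, sizeof buf);
    return buf;
}

const char *demo_safe(const char *server_name)
{
    static char buf[128];
    render_server_name(server_name, buf, sizeof buf);
    return buf;
}
```

Feeding "100%% done" through the vulnerable path returns "100% done": the field was interpreted as a format even though it contained only the harmless "%%" directive. With "%x" or "%n" the same path reads from or writes to memory instead, which is the read/write primitive the advisory describes; the fixed path returns the field verbatim, and the check rejects such strings before they reach any format function.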


Tuesday, March 20, 2007

Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability, Denial of Service

Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability

I. BACKGROUND

Trend Micro AntiVirus is a virus scanning engine included in a wide array of products by Trend Micro. Examples of vulnerable products include PC-cillin and Internet Security Suite.

http://www.trendmicro.com/en/home/us/home.htm

II. DESCRIPTION

Remote exploitation of a divide by zero error in Trend Micro AntiVirus may allow attackers to cause a denial of service.

The vulnerability exists in the kernel driver, VsapiNT.sys. This driver is responsible for scanning various file formats for malicious content. The code that parses UPX files takes an integer value from an attacker supplied file and uses it as a divisor. This results in a divide by zero error in kernel mode. This causes a kernel fault resulting in a blue screen of death (BSOD).

III. ANALYSIS

Exploitation of this vulnerability results not only in a DoS of the Trend Micro process, but in an operating system crash.

There are several different attack vectors depending on which product is being targeted. Someone targeting a home user would need to convince a user to download a file from a website or an attachment from an email message. The user would then need to manually scan this file or save it and have the Trend Micro auto scan process scan it at some later time. If instead a mail gateway is being targeted this vulnerability can be exploited automatically by sending a malicious attachment through a gateway that uses Trend Micro to scan content.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend Micro AntiVirus version 14.10.1041, engine version 8.320.1003. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"To address this vulnerability, Trend Micro recommends customers to update to Virus Pattern File 4.335.00 or higher."

For more information, consult the Trend Micro Knowledge Base article at the link shown below.

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE

02/27/2007 Initial vendor notification
02/27/2007 Initial vendor response
03/14/2007 Coordinated public disclosure


IX. CREDIT


The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.


Friday, March 16, 2007

Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources.

Phishing using IE7 local resource vulnerability

Summary
Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users.

Affected versions
• Windows Vista - Internet Explorer 7.0
• Windows XP - Internet Explorer 7.0

Technical Details
The navcancl.htm local resource is used by the browser when for some reason a navigation to a specific page is canceled.
When a navigation is canceled the URL of the specific page is provided to the navcancl.htm local resource after the # sign. For example: res://ieframe.dll/navcancl.htm#http://www.site.com. The navcancl.htm page then generates a script in the “Refresh the page.” link in order to reload the provided site again when the user clicks on this link.
It is possible to inject a script in the provided link which will be executed when the user clicks on the “Refresh the page.” link.
Luckily, Internet Explorer now runs most of its local resources (including navcancl.htm) in “Internet Zone”, so this vulnerability cannot be exploited to conduct a remote code execution.

Unfortunately, there is also a design flaw in IE7. The browser automatically removes the URL path of the local resource and leaves only the provided URL. For example: when the user visits res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will show http://www.site.com in the address bar.

To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display a fake content of a trusted site (e.g. bank, paypal, MySpace).
When the victim opens the link sent by the attacker, a “Navigation Canceled” page is displayed. The victim will assume there was an error in the site or some kind of network error and will try to refresh the page. Once he clicks the “Refresh the page.” link, the attacker's content (e.g. a fake login page) is displayed, and the victim will believe he is within the trusted site because the address bar shows the trusted site's URL.


Proof-of-Concept
A CNN.com article spoofing proof-of-concept can be found here.
If you are not using IE7, you can watch a demonstration video here.

Workaround / Suggestion
Until Microsoft fixes this vulnerability, do not trust the “Navigation Canceled” page!


PHP phpinfo() Multiple Method User Supplied Array XSS

OSVDB ID: 32774
Disclosure Date: Mar 3, 2007

Description:

PHP contains a flaw that allows a remote cross site scripting attack. This flaw exists because phpinfo() does not escape the content of user supplied arrays in GET, POST or COOKIE variables before outputting them. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Vulnerability Classification:
Remote/Network Access Required
Input Manipulation
Loss Of Integrity
Exploit Available

Products:
PHP PHP 4.4.3
PHP PHP 4.4.4
PHP PHP 4.4.5
PHP PHP 4.4.6

Solution:

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. PHP scripts calling phpinfo() should not be publicly accessible on production systems.

External References:
CVE ID: 2007-1287
National Vulnerability Database: CVE-2007-1287
Bugtraq ID: 22803
Generic Exploit URL: http://www.php-security.org/MOPB/code/MOPB-08-2007.phpt
Secunia Advisory ID: 24356
Vendor URL: http://www.php.net/
Other Advisory URL: http://www.php-security.org/MOPB/MOPB-08-2007.html

Credit:
Stefan Esser - Hardened-PHP Project


Thursday, March 15, 2007

Steal Browser History Without JavaScript

'We all know there are still people out there who think turning off JavaScript protects them from everything.'

See also : https://www.indiana.edu/~phishing/browser-recon/

Research by RSnake
----------------------------------
Well, the server is back up and running (big thanks to id - during our upgrade there was a drive failure causing us to have to switch machines), and to celebrate I didn’t want to come back with a boring post that would make you question why you read this site. So instead I decided to play around with some CSS tricks - bear with me for a minute. I don’t know why, but I really think CSS is going to get worse over time. Anyway, as I was poking around I happened across one of the missing pieces of the puzzle to solve a simple problem in using CSS to hack - the lack of conditional logic.

Jeremiah and I spent at least an hour on the phone several months back when he was coming up with browser port scanning without JavaScript. One of the key problems with that technique, which he later overcame, was that he was unable to find any good way to do conditional logic in CSS, so instead he leaned on a browser quirk that delays the rendering of images. Watching the timing differences can help an attacker derive which ports are open and which aren’t. While very cool, it’s caused some headaches and only solved one of our problems.

Before that Jeremiah also came up with the original CSS history hack as you may or may not remember. Later on pdp came up with another variant of the same issue using a very different technique (Firefox caching). Both of those techniques were cool, but both of them also required that you have JavaScript turned on. We all know there are still people out there who think turning off JavaScript protects them from everything.

Keeping this in mind it would be great if you could create a form of conditional logic in CSS. Well I finally figured out a way. Using a hybrid of a:visited and display: attribute you can detect that the user has visited a page and more importantly perform an action based on that fact. The actions are somewhat limited if you can’t use JavaScript, however, one action is enough. The reason being, when something is set to display:none it will actually cause the HTML tag that it references to not render. Setting the background: image attribute for the visible tag to use a URL of a logging CGI script allows you to send a request to a remote webserver based on the conditional logic as mentioned above.

Now, the only lacking part is the state management, and that can easily be tied together using a unique cookie, and/or an IP address in the QUERY_STRING or anything else you want to use to identify the user. In this way, the remote website can steal history information from the user without ever once using JavaScript, or any client side programming. Click here for a proof of concept of the CSS history theft without using JavaScript. This works nearly instantly, so it is far better than the JavaScript-less intranet hacking and pdp’s version of the JavaScript CSS history hack in terms of speed. The only latency is the time it takes your browser to request the images associated with each URL you’ve visited - which is nearly instant since I don’t return any data (and thanks to browser threading). The other nice thing about this is that it works beautifully in both Internet Explorer 7.0 and Firefox 2.0.0.2 (although it doesn’t work in Opera 9.22).

I haven’t experimented much with this yet, but I also believe this could be expanded to do another form of intranet port scanning as well. Using a series of iframes and forced browsing it may be possible to detect which pages the user can access. I’m not in love with this technique because the CSS will fire too quickly so you’d have to delay the CSS from loading or make it reload with a meta refresh or something equivalent, but I also haven’t put much thought into it yet.

The ramifications of the CSS history hacking stuff are that it allows the attacker to steal information about the client, which can be useful to identify a target, to find information about the user, for use in targeted attacks, to know trending information for use in targeted advertisements or other forms of private information theft.

So now we’ve eliminated the JavaScript pre-requisite from Intranet port scanning, cross site request forgeries, session riding and of course CSS history hacking. The only thing we can’t yet do without JavaScript is read cross domain (and I stress the word yet). What else is left? I don’t mean to sound ho-hum about this, but really, what else do we have to do? Are there any nay-sayers left?


Buffer Overflow Vulnerabilities in McAfee ePolicy Orchestrator

hi full-disclosure,

McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities

by cocoruder of FSRT(Fortinet Security Research Team)
hfli_at_fortinet.com


Summary:

Multiple remote buffer overflow vulnerabilities exist in the ActiveX Control named "SiteManager.Dll" of McAfee ePolicy Orchestrator. A remote attacker who successfully exploits these vulnerabilities can completely take control of the affected system.


Affected Software Versions:

McAfee ePolicy Orchestrator 3.6.1
McAfee ePolicy Orchestrator 3.5 patch 6



Details:

1. Function "ExportSiteList()" exported by "SiteManager.dll": stack overflow.

InprocServer32: SiteManager.dll
ClassID : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID : SiteManager.SiteMgr.1
Function Name : ExportSiteList

When we set the parameter of "ExportSiteList" to a long string, it causes a stack-based overflow. The following is the related code:
(SiteManager.dll,version=3.6.1.166)

.text:5262B1DE ; func_ExportSiteList
.text:5262B1DE ; Attributes: bp-based frame
.text:5262B1DE
.text:5262B1DE ; int __stdcall sub_5262B1DE(int,wchar_t *,int)
.text:5262B1DE sub_5262B1DE proc near ; DATA XREF: .rdata:5265B504o
.text:5262B1DE ; .rdata:5265B614o
.text:5262B1DE
.text:5262B1DE var_414 = word ptr -414h
.text:5262B1DE var_20E = word ptr -20Eh
.text:5262B1DE var_20C = word ptr -20Ch
.text:5262B1DE var_4 = dword ptr -4
.text:5262B1DE arg_0 = dword ptr 8
.text:5262B1DE arg_4 = dword ptr 0Ch
.text:5262B1DE arg_8 = dword ptr 10h
.text:5262B1DE
.text:5262B1DE push ebp
.text:5262B1DF mov ebp, esp
.text:5262B1E1 sub esp, 414h
.text:5262B1E7 mov eax, dword_52670218 ; set stack cookie
.text:5262B1EC push esi
.text:5262B1ED push [ebp+arg_4] ; lpSrcBuff
.text:5262B1F0 mov [ebp+var_4], eax
.text:5262B1F3 lea eax, [ebp+var_20C]
.text:5262B1F9 push eax ; lpDestBuff
.text:5262B1FA call ds:wcscpy ; stack overflow

2. Moreover, we think that the following "swprintf" call also performs the copy without validation, as follows:

.text:5262B257 push ebx
.text:5262B258 push edi
.text:5262B259 mov edi, offset aSitelist_xml ; "SiteList.xml"
.text:5262B25E push edi
.text:5262B25F lea eax, [ebp+var_20C]
.text:5262B265 push eax
.text:5262B266 lea eax, [ebp+var_414]
.text:5262B26C push offset aSS_0 ; "%s\\%s"
.text:5262B271 push eax ; lpSrcBuff
.text:5262B272 call ds:swprintf ; stack overflow

3. Function "VerifyPackageCatalog()" exported by "SiteManager.dll": stack overflow.

InprocServer32: SiteManager.dll
ClassID : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID : SiteManager.SiteMgr.1
Function Name : VerifyPackageCatalog

When we set the parameter of "VerifyPackageCatalog" to a long string, it causes a stack-based overflow. The following is the related code:
(SiteManager.dll,version=3.6.1.166)

part1:

.text:5262CFAC func_VerifyPackageCatalog proc near
.text:5262CFAC
.text:5262CFAC mov eax, offset loc_52649F86
.text:5262CFB1 call __EH_prolog
...
.text:5262D00C lea eax, [ebp-28h]
.text:5262D00F push eax
.text:5262D010 push ebx
.text:5262D011 push esi
.text:5262D012 push offset loc_5263AD1A
.text:5262D017 push ebx
.text:5262D018 push ebx
.text:5262D019 call ds:_beginthreadex

part2:

.text:5263AD1A mov eax, offset loc_5264B221
.text:5263AD1F call __EH_prolog
.text:52637229 push ecx
.text:5263722A mov eax, 1774h
.text:5263722F call __alloca_probe ; int
.text:52637234 mov eax, dword_52670218
.text:52637239 mov [ebp-14h], eax ; set stack-cookie
...
.text:5263AD9A lea ecx, [ebp-23Ch]
.text:5263ADA0 push ecx
.text:5263ADA1 push eax
.text:5263ADA2 mov ecx, edi
.text:5263ADA4 call sub_5263721F
|
|_____ .text:5263721F mov eax, offset loc_5264AD1C
.text:52637224 call __EH_prolog
...
.text:5263731A push dword ptr [ebp+8] ; lpSrcBuff,"AAA..."
.text:5263731D lea eax, [ebp-62Ch]
.text:52637323 push eax ; lpDestBuff
.text:52637324 call ds:wcscpy ; stack overflow



Solution:

McAfee has released two patches and advisories which are available on:

https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612495
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496



Disclosure Timeline:

2006.12.19 Submitted vul1 and vul2 via security-alerts at mcafee.com
2006.12.19 Vendor responded
2006.12.30 Submitted vul3 via security-alerts at mcafee.com
2006.12.30 Vendor responded
2007.03.12 Vendor notified us that the patches had been completed
2007.03.13 Coordinated public disclosure



Disclaimer:

Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.


Fortinet Security Research
secresearch at fortinet.com
http://www.fortinet.com


Best Regards,


hfli
hfli at fortinet.com
2007-03-14
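An added example (not Fortinet's or McAfee's code) reconstructing the shape of the bug in the disassembly above, beside a bounded replacement: each stack buffer is 0x208 bytes, i.e. 260 UTF-16 characters, so a directory argument of 260 or more characters overruns the wcscpy target, and the "%s\\%s" concatenation into the second buffer overruns again. The hardened version measures the input within a bound and refuses anything that would not fit. Function names, the 'A'-filled probe input and the glibc build are assumptions; %ls is used because glibc's swprintf treats %s as a narrow string, and wcscat stands in for the length-less MSVC swprintf the control used.

```c
#include <stddef.h>
#include <wchar.h>

#define PATH_WCHARS 260   /* capacity of each stack buffer: 0x208 bytes of UTF-16 on Win32 */

/* VULNERABLE shape (illustrative, never call with untrusted input): unbounded
 * wcscpy of the caller's directory into a 260-wchar stack buffer, then an
 * unbounded "%s\\%s" concatenation into a second one. */
void build_sitelist_path_unsafe(wchar_t *out, const wchar_t *dir)
{
    wchar_t local[PATH_WCHARS];
    wcscpy(local, dir);                  /* overflow #1: wcslen(dir) >= 260 */
    wcscpy(out, local);
    wcscat(out, L"\\SiteList.xml");      /* overflow #2: the swprintf("%s\\%s") step */
}

/* Bounded length scan that never reads more than `max` characters. */
static size_t wlen_bounded(const wchar_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != L'\0')
        n++;
    return n;
}

/* HARDENED version. Writes "<dir>\SiteList.xml" into out[out_len]. Returns the
 * number of characters written (excluding the terminator) or -1 if dir is
 * empty, unterminated within out_len, or the result would not fit. */
int build_sitelist_path(wchar_t *out, size_t out_len, const wchar_t *dir)
{
    static const wchar_t leaf[] = L"SiteList.xml";
    const size_t leaf_len = sizeof leaf / sizeof leaf[0] - 1;   /* 12 */

    if (out == NULL || dir == NULL || out_len == 0)
        return -1;
    size_t dir_len = wlen_bounded(dir, out_len);
    if (dir_len == 0 || dir_len >= out_len)
        return -1;                                  /* empty, or no NUL within range */
    if (dir_len + 1 + leaf_len + 1 > out_len)
        return -1;                                  /* dir + '\' + leaf + NUL must fit */

    /* %ls is the portable wide-string conversion (glibc treats %s as narrow). */
    int n = swprintf(out, out_len, L"%ls\\%ls", dir, leaf);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                                  /* glibc returns -1 on truncation */
    return n;
}

/* Demo helper: a 260-wchar destination, like the control's. NULL on refusal. */
const wchar_t *demo_sitelist_path(const wchar_t *dir)
{
    static wchar_t out[PATH_WCHARS];
    return build_sitelist_path(out, PATH_WCHARS, dir) < 0 ? NULL : out;
}

/* Result of the hardened function for a directory of `len` 'A' characters
 * (constructed probe input). */
int probe_dir_length(size_t len)
{
    static wchar_t dir[1024];
    static wchar_t out[PATH_WCHARS];
    if (len >= sizeof dir / sizeof dir[0]) return -2;
    for (size_t i = 0; i < len; i++) dir[i] = L'A';
    dir[len] = L'\0';
    return build_sitelist_path(out, PATH_WCHARS, dir);
}
```

The boundary is 246 characters: a 246-character directory plus the separator, the 12-character leaf and the terminator exactly fills 260, so it is accepted with 259 characters written; 247 is refused. Anything of 260 characters or more fails the bounded length scan before any copy happens, which is precisely the input that overruns the original wcscpy.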


Thursday, March 8, 2007

Microsoft Excel Malformed String Handling Remote Code Execution

OSVDB ID: 31256
Disclosure Date: Jan 9, 2007

Description:

A memory corruption flaw exists in Excel. The program fails to validate file contents resulting in memory corruption when a malformed string is encountered. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Vulnerability Classification:
Local/Shell Access Required
Input Manipulation
Loss Of Integrity
Exploit Unknown
Verified

Products:
Microsoft Corporation Works Suite 2004
Microsoft Corporation Excel 2000
Microsoft Corporation Excel 2002
Microsoft Corporation Excel 2003
Microsoft Corporation Works Suite 2005
Microsoft Corporation Office for Mac 2004
Microsoft Corporation Office for Mac v. X

Solution:

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

External References:
CVE ID: 2007-0029
National Vulnerability Database: CVE-2007-0029
Bugtraq ID: 21877
Microsoft Security Bulletin: MS07-002
Related OSVDB ID: 31249
Related OSVDB ID: 31255
Related OSVDB ID: 31257
Related OSVDB ID: 31258
US-CERT Cyber Security Alert: TA07-009A
Security Tracker: 1017487
News Article: Eweek
FrSIRT Advisory: ADV-2007-0103

Credit:
NSFocus Security Team http://www.nsfocus.com/


Tuesday, March 6, 2007

Microsoft Outlook VEVENT Record Handling Remote Code Execution

OSVDB ID: 31252
Disclosure Date: Jan 9, 2007

Description:

A remote memory corruption flaw exists in Outlook. The program fails to validate VEVENT records in .iCal meeting requests resulting in memory corruption. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Vulnerability Classification:
Remote/Network Access Required
Input Manipulation
Loss Of Integrity
Exploit Unknown
Verified

Products:
Microsoft Corporation Outlook 2002
Microsoft Corporation Outlook 2003

Solution:

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

External References:
CVE ID: 2007-0033
National Vulnerability Database: CVE-2007-0033
Bugtraq ID: 21931
Microsoft Security Bulletin: MS07-003
Related OSVDB ID: 31253
Related OSVDB ID: 31254
CERT VU: 476900
Secunia Advisory ID: 23674
Microsoft Knowledge Base Article: 925938
US-CERT Cyber Security Alert: TA07-009A
Mail List Post: http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded
Security Tracker: 1017488
News Article: http://www.eweek.com/article2/0,1895,2081067,00.asp
FrSIRT Advisory: ADV-2007-0104

Credit:
Lurene Grenier - Sourcefire

Microsoft Outlook Advanced Find - Remote Code Execution

Security Advisory : CT09-01-2007

Microsoft Outlook Advanced Find - Remote Code Execution
Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch
CVE Reference: CVE-2007-0034
Advisory Date: 11th January 2007


Affected Software: Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Outlook 2003




1. OVERVIEW

Microsoft Outlook is a popular personal communication manager that
provides end users with a unified place to manage e-mail, calendar
and contact information.

As part of its standard offering, Outlook also includes an Advanced
Search facility (Finder.exe) enabling end-users to query any aspect
of their repository information.

Unfortunately, it transpires that Outlook/Finder is susceptible to
a remote buffer overflow vulnerability when processing the contents
of a specially crafted Office Saved Search (.oss) file.


2. TECHNICAL NARRATIVE

The issue in question stems from a simple oversight in the design of
an intrinsic string manipulation function, which attempts to copy
1024 bytes of user-supplied Unicode content to a pre-allocated buffer
of only 512 bytes (length checks are invoked, but they do not stop
the oversized copy).

As the destination buffer is unable to accommodate the additional data,
the net result is a classic stack overflow condition, in which control
of the Instruction Pointer (EIP) is gained via one of several available
return addresses.
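The unit mismatch the narrative describes (a bound checked in one unit, a copy performed in another), as an added C example that is not code from this advisory, Computer Terrorism or Microsoft. The destination size of 512 bytes comes from the advisory; the exact shape of the flawed check in Finder.exe is not on the page, so the check modelled here, and every function name, is an assumption.

```c
/* Added example, not the advisory's code. Assumption: the original check
 * compared a character count against a capacity expressed in bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_BYTES 512U   /* destination buffer size in bytes (from the advisory) */

/* One UTF-16 code unit. uint16_t rather than wchar_t, because wchar_t is
 * 4 bytes on Linux and 2 bytes on Windows; the byte arithmetic must not
 * depend on the platform. */
typedef uint16_t u16;

/* Length of a NUL-terminated UTF-16 string in code units (characters). */
static size_t u16len(const u16 *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* Flawed check (assumed shape): counts characters, compares against bytes.
 * 512 UTF-16 characters pass, yet copying them writes 1024 bytes into a
 * 512-byte buffer. Only the decision is modelled; no copy is performed. */
int flawed_check_admits(const u16 *src)
{
    return u16len(src) <= DST_BYTES;
}

/* Bytes the copy would actually write for this source (terminator excluded). */
size_t bytes_needed(const u16 *src)
{
    return u16len(src) * sizeof(u16);
}

/* Hardened copy: bound computed in the buffer's own unit (bytes), the
 * terminator is accounted for, and the multiplication cannot wrap.
 * Returns the number of code units copied, or -1 if the input does not fit. */
long safe_copy_u16(u16 *dst, size_t dst_bytes, const u16 *src)
{
    size_t n = u16len(src);
    if (n > SIZE_MAX / sizeof(u16) - 1)      /* (n + 1) * 2 would overflow */
        return -1;
    if ((n + 1) * sizeof(u16) > dst_bytes)   /* does not fit, terminator included */
        return -1;
    memcpy(dst, src, n * sizeof(u16));
    dst[n] = 0;
    return (long)n;
}

/* Constructed input: `chars` copies of 'A' followed by a terminator. */
void fill_u16(u16 *buf, size_t chars)
{
    size_t i;
    for (i = 0; i < chars; i++)
        buf[i] = 0x0041;
    buf[chars] = 0;
}

int main(void)
{
    u16 big[513], dst[DST_BYTES / sizeof(u16)];
    fill_u16(big, 512);
    printf("flawed check admits 512 chars: %d, bytes needed: %zu\n",
           flawed_check_admits(big), bytes_needed(big));
    printf("safe copy result: %ld\n", safe_copy_u16(dst, sizeof dst, big));
    return 0;
}
```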


3. EXPLOITATION

As with most file parsing vulnerabilities, the aforementioned issue
will require a certain degree of social engineering to achieve successful
exploitation.

However, Office Saved Searches (.oss) file types share very similar
display characteristics to that of harmless looking e-mail icons.
As such, end-users could be fooled into thinking the attachment is
a non-threatening mail forward.


4. VENDOR RESPONSE

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx


5. DISCLOSURE ANALYSIS

12/05/2006 - Preliminary Vendor notification.
24/05/2006 - Vulnerability confirmed by Vendor
16/10/2006 - Public Disclosure Deferred by Vendor
09/01/2007 - Public release.

Total Time to Fix: 7 months 29 Days (243 days in total)


6. CREDIT

The vulnerability was discovered by Stuart Pearson


Computer Terrorism (UK) :: Incident Response Centre.

Microsoft Outlook Malformed Email Header Remote Denial of Service Vulnerability

Bugtraq ID: 21937
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2006-1305
Remote: Yes
Local: No
Published: Jan 09 2007 12:00AM
Updated: Jan 25 2007 04:26PM
Credit: The vendor disclosed this issue.

Microsoft Outlook is prone to a remote denial-of-service vulnerability because the application fails to properly handle malformed email messages.

A remote attacker can exploit this issue to crash affected email clients. This issue will persist as long as the email message resides on the mail server, creating a prolonged denial-of-service condition.

see http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx

Vulnerable: Microsoft Outlook 2003 SP2
+ Microsoft Office 2003 SP3
+ Microsoft Office 2003 SP2
+ Microsoft Office 2003 SP1
+ Microsoft Office 2003
Microsoft Outlook 2003 0
+ Microsoft Office 2003 SP3
+ Microsoft Office 2003 SP2
+ Microsoft Office 2003 SP1
+ Microsoft Office 2003
Microsoft Outlook 2002 SP3
+ Microsoft Office XP SP3
Microsoft Outlook 2002 SP2
+ Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Terminal Services SP3
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Outlook 2002 SP1
+ Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Outlook 2002 0
+ Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Outlook 2000 SP3
+ Microsoft Office 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Outlook 2000 0
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Office 2000
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Outlook 2000 SR1
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Office 2000 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Outlook 2000 SP2
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Internet Explorer for Unix SP2
+ Microsoft Office 2000 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0