Aggregator
Security release schedule for May 2008
Recent web defacements, SQL injection and the like
VB100% Award received
Microsoft Windows JPEG component buffer overflow
This vulnerability affects the following
Microsoft Windows operating systems by default:
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
Other Microsoft Windows operating systems, including systems running
Microsoft Windows XP Service Pack 2, are not affected by default. However,
this vulnerability may affect all versions of the Microsoft Windows
operating systems if an application or update installs a vulnerable
version of the gdiplus.dll file onto the system.
Please note that this vulnerability affects any software that uses the
Microsoft Windows operating system or Microsoft's GDI+ library to render
JPEG graphics. Please see the Systems Affected
section of the vulnerability note to determine if third-party software
is affected. A list of affected Microsoft products is available in Appendix B, or for the complete list of affected and
non-affected Microsoft products, please see Microsoft Security
Bulletin MS04-028.
Microsoft's Graphic Device Interface Plus (GDI+) contains a
vulnerability in the processing of JPEG images. This vulnerability may
allow attackers to remotely execute arbitrary code on the affected
system. Exploitation may occur as the result of viewing a malicious web
site, reading an HTML-rendered email message, or opening a crafted JPEG
image in any vulnerable application. The privileges gained by a remote
attacker depend on the software component being attacked.
Microsoft Security Bulletin MS04-028
describes a remotely exploitable buffer overflow vulnerability in
Microsoft's Graphic Device Interface Plus (GDI+) JPEG processing
component. Attackers can exploit this vulnerability by convincing a victim user to
visit a malicious web site, read an HTML-rendered email message, or
otherwise view a crafted JPEG image with a vulnerable application. No user
intervention is required beyond viewing an attacker-supplied JPEG
image.
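The bulletin above describes the flaw only as a buffer overflow in JPEG processing. For readers who want to see the shape of the check involved, the C program below is an added example, not the advisory's text and not Microsoft's GDI+ code: it walks JPEG marker segments and validates each 16-bit length field before using it. The length field counts its own two bytes, so any value below 2 is malformed, and a parser that computes `length - 2` in unsigned arithmetic before checking turns 0 or 1 into a payload size near the top of the size_t range and then reads or copies far past the buffer. Public analyses of MS04-028 at the time attributed the GDI+ overflow to exactly such a value in the comment (COM) segment's length field; that attribution is background from outside this advisory. The three sample images are constructed inline, and `naive_payload_size` exists only to show the wrap-around.

```c
/* Added example, not code from the advisory or from GDI+: a JPEG marker-segment
 * walker that validates every length field before trusting it. The sample
 * images are constructed for this example, not real files. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum jpeg_status { JPEG_OK = 0, JPEG_TRUNCATED, JPEG_BAD_LENGTH, JPEG_BAD_MARKER };

/* What an unchecked parser computes: (size_t)1 - 2 wraps to SIZE_MAX. Shown only
 * to make the underflow visible; never size a copy with it. */
static size_t naive_payload_size(uint16_t length)
{
    return (size_t)length - 2;
}

/* Walk the segments between SOI and SOS/EOI. Each tagged segment is
 *   0xFF <marker> <len_hi> <len_lo> <payload of (len - 2) bytes>
 * Returns JPEG_OK or the status of the first malformed segment; on success
 * *nsegments (if non-NULL) receives the number of segments walked. */
static int jpeg_walk(const uint8_t *buf, size_t n, size_t *nsegments)
{
    size_t off, count = 0;

    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)         /* SOI */
        return JPEG_BAD_MARKER;
    off = 2;
    for (;;) {
        uint8_t marker;
        uint16_t length;
        size_t payload;

        if (off + 2 > n)
            return JPEG_TRUNCATED;
        if (buf[off] != 0xFF)
            return JPEG_BAD_MARKER;
        marker = buf[off + 1];
        off += 2;
        if (marker == 0xD9 || marker == 0xDA)                /* EOI, or SOS: scan data follows */
            break;
        if (marker >= 0xD0 && marker <= 0xD7) {              /* RSTn markers carry no length */
            count++;
            continue;
        }
        if (off + 2 > n)
            return JPEG_TRUNCATED;
        length = (uint16_t)((buf[off] << 8) | buf[off + 1]);

        /* The length field counts its own two bytes, so anything below 2 is
         * malformed; subtracting first would underflow to a huge payload size. */
        if (length < 2)
            return JPEG_BAD_LENGTH;
        payload = (size_t)length - 2;

        /* Check the claimed payload against the bytes actually present. */
        if (payload > n - (off + 2))
            return JPEG_TRUNCATED;
        off += 2 + payload;
        count++;
    }
    if (nsegments)
        *nsegments = count;
    return JPEG_OK;
}

/* Constructed samples: SOI, one COM segment holding "hi", EOI ... */
static const uint8_t good_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x04, 'h', 'i', 0xFF, 0xD9 };
/* ... the same bytes with the COM length field set to 1 ... */
static const uint8_t bad_jpeg[]  = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 'h', 'i', 0xFF, 0xD9 };
/* ... and a file cut off inside a segment that claims 14 payload bytes. */
static const uint8_t cut_jpeg[]  = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x10 };

int main(void)
{
    size_t segs = 0;
    int rc = jpeg_walk(good_jpeg, sizeof good_jpeg, &segs);
    printf("good image: status %d, %zu segment(s)\n", rc, segs);
    printf("length-1 image: status %d (JPEG_BAD_LENGTH is %d)\n",
           jpeg_walk(bad_jpeg, sizeof bad_jpeg, NULL), JPEG_BAD_LENGTH);
    printf("truncated image: status %d (JPEG_TRUNCATED is %d)\n",
           jpeg_walk(cut_jpeg, sizeof cut_jpeg, NULL), JPEG_TRUNCATED);
    printf("unchecked payload size for length 1: %zu\n", naive_payload_size(1));
    return 0;
}
```

Compile with any C99 compiler and run it. The walker stops at SOS because entropy-coded scan data is not length-prefixed; a full decoder would continue by scanning for the next 0xFF marker. The order of the two checks matters: the `length < 2` test must come before the subtraction, and the bounds test must compare the payload against the bytes actually remaining rather than against the claimed length.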
Any applications (Microsoft or third-party) that use the GDI+ library
to render JPEG images may present additional attack vectors for this
vulnerability. While some applications use the Windows operating system
version of the GDI+ library, other applications may install and use
another version, which may also be vulnerable. Microsoft has created a
GDI+ Detection Tool to help detect products that may contain a vulnerable
version of the JPEG parsing component. Microsoft Knowledge Base
Article 873374 provides instructions on how to download and use this
tool.
In addition to running Microsoft's detection utility, we recommend
searching your system for "gdiplus.dll" to help determine what
third-party applications may be affected by this vulnerability. Also note
that reinstalling an application after the patch has been applied may put a
vulnerable copy of the GDI+ library back on the system.
We are tracking this vulnerability in Vulnerability
Note VU#297462. This reference number corresponds to CVE candidate CAN-2004-0200.
Remote attackers exploiting the vulnerability described above may
execute arbitrary code with the privileges of the user running the
software components being attacked.
Apply the appropriate patches as specified in Microsoft Security
Bulletin MS04-028.
Please note that this bulletin provides several updates to the operating
system and various applications that rely on GDI+ to render JPEG images.
Depending on your system's configuration, you may need to install multiple
patches.
In addition to releasing some patches on Windows Update, Microsoft
has released some patches on Office Update, and
developer tool patches are available from MS04-028.
Third-party software that relies on GDI+ to render JPEG images may
also need to be updated. Apply the appropriate patches specified by
your vendor. Please see your vendor's site and the Systems Affected
section of the vulnerability note for more information. Depending on
your system's configuration, you may need to install multiple patches.
Microsoft provides several workarounds for this vulnerability.
Note that these workarounds do not remove the vulnerability from the
system, and they will limit functionality. Please consult the "Workarounds
for JPEG Vulnerability - CAN-2004-0200" section of Microsoft Security
Bulletin MS04-028.
- Microsoft Security Bulletin MS04-028 - http://microsoft.com/technet/security/bulletin/MS04-028.asp
- Microsoft End User Security Bulletin for MS04-028 - http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
- US-CERT Vulnerability Note VU#297462 - http://www.kb.cert.org/vuls/id/297462
- Microsoft KB Article 873374 - http://support.microsoft.com/?id=873374
- CVE CAN-2004-0200 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0200
The following Microsoft Products are affected:
- Microsoft Office XP Service Pack 3
- Microsoft Office XP Service Pack 2
- Microsoft Office XP Software:
- Outlook 2002
- Word 2002
- Excel 2002
- PowerPoint 2002
- FrontPage 2002
- Publisher 2002
- Microsoft Office 2003
- Microsoft Office 2003 Software:
- Outlook 2003
- Word 2003
- Excel 2003
- PowerPoint 2003
- FrontPage 2003
- Publisher 2003
- InfoPath 2003
- OneNote 2003
- Microsoft Project 2002 Service Pack 1 (all versions)
- Microsoft Project 2003 (all versions)
- Microsoft Visio 2002 Service Pack 2 (all versions)
- Microsoft Visio 2003 (all versions)
- Microsoft Visual Studio .NET 2002
- Microsoft Visual Studio .NET 2002 Software:
- Visual Basic .NET Standard 2002
- Visual C# .NET Standard 2002
- Visual C++ .NET Standard 2002
- Microsoft Visual Studio .NET 2003
- Microsoft Visual Studio .NET 2003 Software:
- Visual Basic .NET Standard 2003
- Visual C# .NET Standard 2003
- Visual C++ .NET Standard 2003
- Visual J# .NET Standard 2003
- The Microsoft .NET Framework version 1.0 SDK Service Pack 2
- Microsoft Picture It! 2002 (all versions)
- Microsoft Greetings 2002
- Microsoft Picture It! version 7.0 (all versions)
- Microsoft Digital Image Pro version 7.0
- Microsoft Picture It! version 9 (all versions, including Picture It! Library)
- Microsoft Digital Image Pro version 9
- Microsoft Digital Image Suite version 9
- Microsoft Producer for Microsoft Office PowerPoint (all versions)
- Microsoft Platform SDK Redistributable: GDI+
- Internet Explorer 6 Service Pack 1
- The Microsoft .NET Framework version 1.0 Service Pack 2
- The Microsoft .NET Framework version 1.1
Feedback can be directed to the US-CERT
Technical Staff.
Revision History
- Sept 16, 2004: Initial release
Vulnerability in Microsoft Image Processing Component
- Applications that process JPEG images on Microsoft Windows, including but not limited to:
- Internet Explorer
- Microsoft Office
- Microsoft Visual Studio
- Picture It!
- Applications from other vendors besides Microsoft
An attacker may be able to gain control of your computer by taking
advantage of the way some programs process the JPEG image format.
Microsoft has issued updates to address the problem. Obtain the
appropriate update from Windows Update and from Office Update.
Note: You may need to install multiple patches depending what
software you have on your computer.
Never open unexpected email attachments. Before opening an attachment,
save it to a disk and scan it with anti-virus software. Make sure to
turn off the option to automatically download attachments.
Email programs like Outlook and Outlook Express interpret HTML code
the same way that Internet Explorer does. Attackers may be able to
take advantage of that by sending malicious HTML-formatted email
messages.
It is important that you use anti-virus software and keep it up to
date. Most anti-virus software vendors frequently release updated
information, tools, or virus databases to help detect and recover from
virus infections. Many anti-virus packages support automatic updates
of virus definitions. US-CERT recommends using these automatic updates
when possible.
Microsoft Windows Graphics Device Interface Plus (GDI+) is used to display information on screens and printers, including JPEG image files. An attacker could execute arbitrary code on a vulnerable system if the user opens a malicious JPEG file via an application such as a web browser, email program or internet chat program, or as an email attachment. Any application that uses GDI+ to process JPEG image files is exposed to this type of attack. This vulnerability also affects products from companies other than Microsoft.
- September 2004 Security Update for JPEG Processing (GDI+) - <http://www.microsoft.com/security/bulletins/200409_jpeg.mspx>
- US-CERT Vulnerability Note VU#297462 - <http://www.kb.cert.org/vuls/id/297462>
Author: Mindi McDowell. Feedback can be directed to US-CERT.
Copyright 2004 Carnegie Mellon University.
Terms of use
Revision History
- September 14, 2004: Initial release
Vulnerabilities in MIT Kerberos 5
- MIT Kerberos 5 versions prior to krb5-1.3.5
- Applications that use versions of MIT Kerberos 5 libraries prior to krb5-1.3.5
- Applications that contain code derived from MIT Kerberos 5
Updated vendor information is available in the systems affected section of the individual vulnerability notes.
Overview
The MIT Kerberos 5 implementation contains several vulnerabilities, the most severe of which could allow an unauthenticated, remote attacker to execute arbitrary code on a Kerberos Key Distribution Center (KDC). This could result in the compromise of an entire Kerberos realm.
Description
There are several vulnerabilities in the MIT implementation of the Kerberos 5 protocol. With one exception (VU#550464), all of the vulnerabilities involve insecure deallocation of heap memory (double-free vulnerabilities) during error handling and Abstract Syntax Notation One (ASN.1) decoding. For further details, please see the following vulnerability notes:
VU#795632 - MIT Kerberos 5 ASN.1 decoding functions insecurely deallocate memory (double-free)
The MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0642)
VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free)
The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an application that calls krb5_rd_cred(). This includes Kerberos application servers and other applications that process Kerberos authentication via the MIT Kerberos 5 library, Generic Security Services Application Programming Interface (GSSAPI), and other libraries.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0643)
VU#350792 - MIT Kerberos krb524d insecurely deallocates memory (double-free)
The MIT Kerberos krb524d daemon does not securely deallocate heap memory when handling an error condition, resulting in a double-free vulnerability. An unauthenticated, remote attacker could execute arbitrary code on a system running krb524d, which in many cases is also a KDC. The compromise of a KDC system can lead to the compromise of an entire Kerberos realm. An attacker may also be able to cause a denial of service on a system running krb524d.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0772)
VU#550464 - MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop
The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a KDC, application server, or Kerberos client.
(Other resources: MITKRB5-SA-2004-003, CAN-2004-0644)
The impacts of these vulnerabilities vary, but an attacker may be able to execute arbitrary code on KDCs, systems running krb524d (typically also KDCs), application servers, applications that use Kerberos libraries directly or via GSSAPI, and Kerberos clients. An attacker could also cause a denial of service on any of these systems.
The most severe vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on a KDC system. This could result in the compromise of both the KDC and an entire Kerberos realm.
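The double-free findings above (VU#795632, VU#866472, VU#350792) are an error-handling mistake rather than a parsing one: a routine frees a partially built result when decoding fails, but leaves the pointer where the caller's own cleanup will free it a second time. The C program below is an added example, not MIT Kerberos code, and its messages are made-up DER encodings rather than Kerberos structures: a toy decoder for SEQUENCE { OCTET STRING name, OCTET STRING realm, ... } whose error path can be run in its unsafe form (free in the callee, then again in the caller) or its safe form (the callee frees nothing and the caller releases everything exactly once). malloc and free are wrapped in a small tracker so the second free is counted instead of performed, since a real double free is undefined behaviour and would abort or corrupt the heap. The `skip_tail` routine shows the property VU#550464 concerns: every pass of a skip loop must consume bytes or fail, so it cannot spin forever on malformed input.

```c
/* Added example, not MIT Kerberos code: a toy DER decoder whose error path can be
 * run in its unsafe (double-free) or safe form. Messages are constructed inline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation tracker: a second free of the same block is counted, not performed. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_alloc(size_t sz)
{
    void *p = malloc(sz ? sz : 1);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) return live[i] = p;
    free(p);
    return NULL;
}
static void tracked_free(void *p)
{
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    if (p) double_free_count++;                 /* non-NULL but not live: a double free */
}

/* Read one tag/length header (short-form lengths only). On success the header is
 * consumed and the value is known to fit in buf[0..n). want_tag 0 accepts any tag. */
static int read_tlv(const uint8_t *buf, size_t n, size_t *off, uint8_t want_tag, size_t *len)
{
    if (*off + 2 > n) return -1;
    if (want_tag && buf[*off] != want_tag) return -1;
    if (buf[*off + 1] & 0x80) return -1;
    *len = buf[*off + 1];
    *off += 2;
    return *len <= n - *off ? 0 : -1;
}

/* Copy an OCTET STRING value into a fresh tracked allocation. */
static int decode_octet(const uint8_t *buf, size_t n, size_t *off, uint8_t **out, size_t *out_len)
{
    size_t len;
    if (read_tlv(buf, n, off, 0x04, &len) < 0) return -1;
    if (!(*out = tracked_alloc(len))) return -1;
    memcpy(*out, buf + *off, len);
    *out_len = len; *off += len;
    return 0;
}

/* Skip trailing elements up to 'end'. Every pass consumes at least the 2-byte
 * header or fails, so the loop cannot spin forever on malformed input. */
static int skip_tail(const uint8_t *buf, size_t end, size_t *off)
{
    size_t len;
    while (*off < end) { if (read_tlv(buf, end, off, 0, &len) < 0) return -1; *off += len; }
    return 0;
}

struct cred { uint8_t *name, *realm; size_t name_len, realm_len; };

static void cred_free(struct cred *c)
{
    tracked_free(c->name); tracked_free(c->realm); c->name = c->realm = NULL;
}

/* Decode SEQUENCE { OCTET STRING name, OCTET STRING realm, ... }. With bad_cleanup
 * set, the error path frees name but leaves the dangling pointer in *out, so the
 * caller's cred_free() frees it again. The safe path frees nothing: everything
 * the decoder filled in belongs to the caller, who releases it exactly once. */
static int decode_cred(const uint8_t *buf, size_t n, struct cred *out, int bad_cleanup)
{
    size_t off = 0, seq_len, end;
    memset(out, 0, sizeof *out);
    if (read_tlv(buf, n, &off, 0x30, &seq_len) < 0) return -1;
    end = off + seq_len;
    if (decode_octet(buf, n, &off, &out->name, &out->name_len) < 0) return -1;
    if (decode_octet(buf, n, &off, &out->realm, &out->realm_len) < 0) {
        if (bad_cleanup) tracked_free(out->name);   /* BUG: out->name now dangles */
        return -1;
    }
    return skip_tail(buf, end, &off);
}

/* Caller: decode, then clean up exactly once whatever the decoder returned. */
static int handle_cred(const uint8_t *buf, size_t n, int bad_cleanup)
{
    struct cred c;
    int rc = decode_cred(buf, n, &c, bad_cleanup);
    cred_free(&c);
    return rc;
}

/* Constructed: SEQUENCE { OCTET STRING "bob", OCTET STRING "EXAMPLE", INTEGER 5 };
 * the trailing INTEGER is consumed by skip_tail. */
static const uint8_t good_msg[] = { 0x30, 0x11, 0x04, 0x03, 'b', 'o', 'b',
    0x04, 0x07, 'E', 'X', 'A', 'M', 'P', 'L', 'E', 0x02, 0x01, 0x05 };
/* Constructed: the realm's length byte claims 127 bytes but only 2 follow. */
static const uint8_t bad_msg[] = { 0x30, 0x09, 0x04, 0x03, 'b', 'o', 'b', 0x04, 0x7F, 'E', 'X' };

int main(void)
{
    printf("good message, safe cleanup: rc %d\n", handle_cred(good_msg, sizeof good_msg, 0));
    printf("bad message, unsafe cleanup: rc %d\n", handle_cred(bad_msg, sizeof bad_msg, 1));
    printf("bad message, safe cleanup: rc %d\n", handle_cred(bad_msg, sizeof bad_msg, 0));
    printf("double frees counted: %d\n", double_free_count);
    return 0;
}
```

The single line `if (bad_cleanup) tracked_free(out->name);` is the whole bug class: a partially decoded result must have exactly one owner responsible for releasing it. Either the callee leaves its output in a state the caller's cleanup can free, or it frees and then clears the pointer itself; freeing without clearing hands the caller a dangling pointer. The same discipline applies to the termination property in `skip_tail`: `read_tlv` advances the offset by two bytes before it can succeed, so a zero-length or nonsense element still makes progress and a truncated one returns an error.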
Solution
Apply a patch or upgrade
Check with your vendor(s) for patches or updates. For information about a specific vendor, please see the systems affected sections in the individual vulnerability notes or contact your vendor directly.
Alternatively, apply the appropriate source code patch(es) referenced in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and recompile.
These vulnerabilities will be addressed in krb5-1.3.5.
- Vulnerability Note VU#795632 - http://www.kb.cert.org/vuls/id/795632
- Vulnerability Note VU#866472 - http://www.kb.cert.org/vuls/id/866472
- Vulnerability Note VU#350792 - http://www.kb.cert.org/vuls/id/350792
- Vulnerability Note VU#550464 - http://www.kb.cert.org/vuls/id/550464
- MIT krb5 Security Advisory 2004-002 - http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
- MIT krb5 Security Advisory 2004-003 - http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
- Kerberos: The Network Authentication Protocol - http://web.mit.edu/kerberos/www/
Thanks to Tom Yu and the MIT Kerberos Development team for addressing these vulnerabilities and coordinating with vendors. MIT credits the following people: Will Fiveash, Joseph Galbraith, John Hawkinson, Marc Horowitz, and Nico Williams.
Revision History
- September 3, 2004: Initial release
Multiple Vulnerabilities in Oracle Products
The following Oracle applications are affected:
- Oracle Database 10g Release 1, version 10.1.0.2
- Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
- Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
- Oracle8i Database Server Release 3, version 8.1.7.4
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
- Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
- Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
- Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
- Oracle9i Application Server Release 1, version 1.0.2.2
Oracle's Collaboration Suite and E-Business Suite 11i contain some of the
vulnerable components and are also affected.
According to Oracle, the following product releases and versions, and
all future releases and versions are not affected:
- Oracle Database 10g Release 1, version 10.1.0.3
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not yet available)
- Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet available)
Several vulnerabilities exist in the Oracle Database Server, Application
Server, and Enterprise Manager software. The most serious vulnerabilities
could allow a remote attacker to execute arbitrary code on an affected
system. Oracle's Collaboration Suite and E-Business Suite 11i contain the
vulnerable software and are affected as well.
Several vulnerabilities have been reported in Oracle's Database Server,
Application Server, and Enterprise Manager software. According to reports,
several buffer overflow, format string, SQL injection and other types of
vulnerabilities were discovered and reported to Oracle.
Oracle has released Oracle
Security Alert #68 (pdf) to address these vulnerabilities.
We are tracking them as follows:
VU#170830 - Oracle Enterprise Manager contains several vulnerabilities
VU#316206 - Oracle Database Server contains several vulnerabilities
VU#435974 - Oracle Application Server contains several vulnerabilities
As more information becomes available, we will update these
vulnerability notes as appropriate.
The precise impacts of the vulnerabilities described above are unclear.
According to credible reports, they range from remote, unauthenticated
execution of arbitrary code to data corruption or leakage.
Apply the appropriate patch or upgrade as specified in the Oracle
Security Alert #68 (pdf).
Organizations that use Oracle's Collaboration Suite or E-Business Suite
11i should see Oracle
Security Alert #68 (pdf) for remediation instructions.
- Oracle Security Alert #68 (pdf) - http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
- US-CERT Vulnerability Note VU#316206 - http://www.kb.cert.org/vuls/id/316206
- US-CERT Vulnerability Note VU#435974 - http://www.kb.cert.org/vuls/id/435974
- US-CERT Vulnerability Note VU#170830 - http://www.kb.cert.org/vuls/id/170830
US-CERT thanks all the parties involved in researching and reporting these
vulnerabilities. Specifically, Oracle credits the following people for
discovering these issues: Cesar Cerrudo, Pete Finnigan, Jonathan Gennick,
Alexander Kornbrust of Red Database Security, Stephen Kost of Integrigy,
David Litchfield of NGSS Limited, Matt Moore of PenTest Limited, Aaron Newman
of Application Security Inc., Andy Rees of QinetiQ, and Christian Schaller of
Siemens CERT.
Feedback can be directed to the author: Jason A. Rafail.
Revision History
- Sep 1, 2004: Initial release
- Sep 3, 2004: Updated Credits
Security Improvements in Windows XP Service Pack 2
- Microsoft Windows XP
Microsoft Windows XP Service Pack 2 (SP2) significantly improves your computer's defenses against attacks and vulnerabilities.
Recommendation
To help protect your Windows XP computer from attacks and vulnerabilities, install Service Pack 2 using Windows Update or Automatic Updates.
Note: Service Pack 2 makes significant changes to improve the security of Windows XP, and these changes may have negative effects on some programs and Windows functionality. Before you install Service Pack 2, back up your important data and consult your computer manufacturer's web site for information about Service Pack 2.
Description
Windows XP Service Pack 2 is a major operating system update that contains a number of new security updates and features. Like other Microsoft Service Packs, Windows XP Service Pack 2 also includes previously released security fixes and other operating system updates. Following is a summary of the new security updates and features in Service Pack 2:
- Windows Firewall
Windows Firewall is enabled in almost all configurations, blocking unsolicited inbound network traffic. Blocking this traffic helps protect you from worms and other malicious code that spread via the Internet.
- Internet Explorer Local Machine Zone Lockdown
New settings for Internet Explorer disable the execution of ActiveX controls and Active scripting in the Local Machine Zone. This protects you from attacks and vulnerabilities such as Download.Ject.
- Additional Internet Explorer Security Changes
Internet Explorer now includes a pop-up blocker, additional window restrictions, and changes in MIME type handling that better defend against social engineering and "phishing" attacks. A browser add-on management interface provides a way to identify and disable programs that run as part of Internet Explorer. Enhanced protection against security zone elevation and object caching vulnerabilities helps defend against malicious web scripts.
- Email Handling Technologies
Outlook Express now supports the ability to read and compose messages in plain text and to block external HTML content such as "web bugs." Security checks are now performed in a more consistent way to help prevent the execution of malicious attachments.
- Security Center
The Security Center "...provides a central location for changing security settings, learning more about security, and ensuring that [your] computer is up to date, with the essential security settings that are recommended by Microsoft."
- Automatic Updates
The update services and automatic update feature of Windows XP have been improved. US-CERT highly recommends that you enable Automatic Updates.
- Data Execution Prevention
Data Execution Prevention marks memory that holds data as non-executable (enforced by the processor where it supports this), which helps prevent attackers from running code they have injected into your computer's memory.
- Windows XP Service Pack 2 - <http://www.microsoft.com/windowsxp/sp2/>
- What to Know Before You Download and Install Windows XP Service Pack 2 - <http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx>
- Get the Latest Updates and Information from Your PC Manufacturer Before Installing Windows XP Service Pack 2 - <http://www.microsoft.com/windowsxp/sp2/oemlinks.mspx>
- Backing up your computer files - <http://www.microsoft.com/athome/security/update/backup.mspx>
- Programs that are known to experience a loss of functionality when they run on a Windows XP Service Pack 2-based computer - <http://support.microsoft.com/?id=884130>
Authors: Art Manion and Mindi McDowell. Feedback can be directed to the US-CERT Technical Staff.
Copyright 2004 Carnegie Mellon University.
Terms of use
Revision History
- August 30, 2004: Initial release
- January 10, 2005: Updated IE links
Multiple Vulnerabilities in libpng
Applications and systems that use the libpng library.
Overview
Several vulnerabilities exist in the libpng library, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.
Description
The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). libpng is the widely used reference library that application developers rely on to support the PNG image format.
Several vulnerabilities have been reported in the libpng library. Any application or system that uses this library may be affected. More detailed information is available in the individual vulnerability notes:
VU#388984 - libpng fails to properly check length of transparency chunk (tRNS) data
A buffer overflow vulnerability has been discovered in the way that libpng processes PNG images. This vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable system by introducing a specially crafted PNG image.
(Other references: CAN-2004-0597)
VU#236656 - libpng png_handle_iCCP() NULL pointer dereference
Under some circumstances, a null pointer may be dereferenced during a memory allocation in the png_handle_iCCP() function. As a result, a PNG image with particular characteristics could cause the affected application to crash. Similar errors are reported to exist in other locations within libpng.
(Other references: CAN-2004-0598)
VU#160448 - libpng integer overflow in image height processing
An integer overflow error exists in the handling of PNG image height within the png_read_png() function. As a result, a PNG image with excessive height may cause an integer overflow during a memory allocation operation, which could cause the affected application to crash.
(Other references: CAN-2004-0599)
VU#477512 - libpng png_handle_sPLT() integer overflow
A potential integer overflow error exists during a memory allocation operation within the png_handle_sPLT() function. It is unclear what practical impact this error might have on applications using libpng.
(Other references: CAN-2004-0599)
VU#817368 - libpng png_handle_sBIT() performs insufficient bounds checking
A potentially insufficient bounds check exists within the png_handle_sBIT() function. A similar error exists in the png_handle_hIST() function. While the code that contains these errors could potentially permit a buffer overflow to occur during a subsequent png_crc_read() operation, it is unclear what practical vulnerabilities it might present in applications using libpng.
(Other references: CAN-2004-0597)
VU#286464 - libpng contains integer overflows in progressive display image reading
The libpng library provides the ability to display interlaced, or progressive display, PNG images. A number of potential integer overflow errors exist in libpng's handling of such progressive display images. While the code that contains these errors introduces dangerous conditions, it is unclear what practical vulnerabilities it might present in applications using libpng.
(Other references: CAN-2004-0599)
In the case of VU#388984, an attacker with the ability to introduce a malformed PNG image to a vulnerable application could cause the application to crash or could potentially execute arbitrary code with the privileges of the user running the affected application.
In the case of VU#236656 and VU#160448, an attacker with the ability to introduce a malformed PNG image to a vulnerable application could cause the application to crash.
The impacts of the other vulnerabilities described above are unclear.
A remote attacker could cause an application to crash or potentially execute arbitrary code by convincing a victim user to visit a malicious web site or view an email message containing a malformed image.
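Two of the findings above are the checks an image decoder must make before it touches memory: VU#388984 (the length of the tRNS chunk was not bounded before its bytes were copied into fixed-size storage) and VU#160448 (the image height was multiplied by the bytes per row, and the product could wrap before it was used as an allocation size). The C program below is an added example, not libpng code: it walks PNG chunks, validates the IHDR dimensions, bounds the tRNS length by what the colour type permits (at most one entry per palette colour for indexed images, exactly 2 or 6 bytes for greyscale or RGB), and computes the image buffer size with an explicit overflow test. Chunk CRCs are not verified (they detect corruption, not hostile input, and the constructed samples carry zero placeholders). Both sample files are constructed inline; the overflow case is exercised directly through `image_bytes_or_zero` with a height and row size whose product cannot fit in a size_t.

```c
/* Added example, not libpng code: a PNG chunk walker with the length and overflow
 * checks a decoder needs. Samples are constructed; CRCs are zero placeholders
 * and are not verified. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum png_status { PNG_OK = 0, PNG_BAD_SIG, PNG_TRUNCATED, PNG_BAD_IHDR, PNG_BAD_PLTE,
                  PNG_BAD_TRNS, PNG_SIZE_OVERFLOW };
struct png_info { uint32_t width, height; uint8_t depth, color_type;
                  size_t num_palette, row_bytes, image_bytes; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Bytes in one row (samples rounded up to whole bytes, plus the filter byte),
 * computed in 64 bits and rejected if it does not fit in a size_t. */
static int png_row_bytes(uint8_t color_type, uint8_t depth, uint32_t width, size_t *out)
{
    static const unsigned channels[7] = { 1, 0, 3, 1, 2, 0, 4 };   /* by colour type */
    if (color_type > 6 || channels[color_type] == 0) return -1;
    if (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16) return -1;
    uint64_t bytes = ((uint64_t)width * channels[color_type] * depth + 7) / 8 + 1;
    if (bytes > (uint64_t)SIZE_MAX) return -1;
    *out = (size_t)bytes;
    return 0;
}

/* VU#160448 class: prove height * row_bytes cannot wrap before it is used as an
 * allocation size. Returns -1 on overflow. */
static int png_image_bytes(uint32_t height, size_t row_bytes, size_t *out)
{
    if (row_bytes != 0 && height > SIZE_MAX / row_bytes) return -1;
    *out = (size_t)height * row_bytes;
    return 0;
}

/* VU#388984 class: tRNS bytes land in fixed-size storage, so the chunk length
 * must be bounded by what the colour type allows. */
static int png_check_trns(uint8_t color_type, size_t num_palette, size_t trns_len)
{
    if (color_type == 3) return (num_palette > 0 && trns_len <= num_palette) ? 0 : -1;
    if (color_type == 0) return trns_len == 2 ? 0 : -1;
    if (color_type == 2) return trns_len == 6 ? 0 : -1;
    return -1;                                      /* alpha colour types carry no tRNS */
}

/* Walk chunks (4-byte length, 4-byte type, data, 4-byte CRC) up to IEND. */
static int png_validate(const uint8_t *buf, size_t n, struct png_info *info)
{
    static const uint8_t sig[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };
    size_t off = 8;
    memset(info, 0, sizeof *info);
    if (n < 8 || memcmp(buf, sig, 8) != 0) return PNG_BAD_SIG;
    while (off + 12 <= n) {
        uint32_t len = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (len > 0x7FFFFFFFu || len > n - off - 12) return PNG_TRUNCATED;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (len != 13) return PNG_BAD_IHDR;
            info->width = be32(data); info->height = be32(data + 4);
            info->depth = data[8];    info->color_type = data[9];
            if (info->width == 0 || info->height == 0 ||
                info->width > 0x7FFFFFFFu || info->height > 0x7FFFFFFFu) return PNG_BAD_IHDR;
            if (png_row_bytes(info->color_type, info->depth, info->width, &info->row_bytes) < 0) return PNG_BAD_IHDR;
            if (png_image_bytes(info->height, info->row_bytes, &info->image_bytes) < 0) return PNG_SIZE_OVERFLOW;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (len == 0 || len % 3 != 0 || len / 3 > 256) return PNG_BAD_PLTE;
            info->num_palette = len / 3;
        } else if (memcmp(type, "tRNS", 4) == 0) {
            if (png_check_trns(info->color_type, info->num_palette, len) < 0) return PNG_BAD_TRNS;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return PNG_OK;
        }
        off += 12 + len;
    }
    return PNG_TRUNCATED;
}

/* Wrappers that return plain values for the demonstration below. */
static int png_status_of(const uint8_t *buf, size_t n) { struct png_info i; return png_validate(buf, n, &i); }
static size_t image_bytes_or_zero(uint32_t h, size_t rb) { size_t b; return png_image_bytes(h, rb, &b) == 0 ? b : 0; }

#define SIG  0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A
#define CHUNK(len, a, b, c, d) 0, 0, 0, (len), a, b, c, d
#define CRC  0, 0, 0, 0
#define IHDR_1X1_INDEXED CHUNK(13, 'I', 'H', 'D', 'R'), 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0, CRC
#define PLTE_2_ENTRIES   CHUNK(6, 'P', 'L', 'T', 'E'), 0xFF, 0, 0, 0, 0xFF, 0, CRC
/* Constructed 1x1 indexed image: 2-entry palette and a 2-byte tRNS (valid). */
static const uint8_t good_png[] = { SIG, IHDR_1X1_INDEXED, PLTE_2_ENTRIES,
    CHUNK(2, 't', 'R', 'N', 'S'), 0x00, 0xFF, CRC, CHUNK(0, 'I', 'E', 'N', 'D'), CRC };
/* Constructed: same image, but tRNS carries 3 entries for a 2-entry palette. */
static const uint8_t bad_trns_png[] = { SIG, IHDR_1X1_INDEXED, PLTE_2_ENTRIES,
    CHUNK(3, 't', 'R', 'N', 'S'), 0x00, 0xFF, 0x80, CRC, CHUNK(0, 'I', 'E', 'N', 'D'), CRC };

int main(void)
{
    printf("good image: %d (PNG_OK is %d)\n", png_status_of(good_png, sizeof good_png), PNG_OK);
    printf("oversized tRNS: %d (PNG_BAD_TRNS is %d)\n",
           png_status_of(bad_trns_png, sizeof bad_trns_png), PNG_BAD_TRNS);
    printf("0x7FFFFFFF rows of SIZE_MAX/4 bytes: %zu (0 means rejected)\n",
           image_bytes_or_zero(0x7FFFFFFFu, SIZE_MAX / 4));
    return 0;
}
```

The overflow test `height > SIZE_MAX / row_bytes` is the portable way to reject the product before computing it; a check performed after the multiplication only ever sees the wrapped value. The tRNS bound used here is the one the PNG specification imposes (one entry per palette colour, and never more than 256 for an indexed image); the advisory only says libpng failed to check the length, so the exact bound the project adopted is not taken from this page.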
Solution
Apply a patch or upgrade
Apply the appropriate patch or upgrade as specified by your vendor. For vendor-specific responses, please see your vendor's web site or the individual vulnerability notes.
For individuals who rely on the original source of libpng, these issues
have been resolved in libpng version 1.2.6rc1 (release
candidate 1).
- Chris Evans Security Advisory 2004.1 - http://scary.beasts.org/security/CESA-2004-001.txt
- libpng Homepage - http://libpng.sourceforge.net
- Portable Network Graphics (PNG) Homepage - http://www.libpng.org/pub/png
- US-CERT Vulnerability Note VU#388984 - http://www.kb.cert.org/vuls/id/388984
- US-CERT Vulnerability Note VU#817368 - http://www.kb.cert.org/vuls/id/817368
- US-CERT Vulnerability Note VU#286464 - http://www.kb.cert.org/vuls/id/286464
- US-CERT Vulnerability Note VU#477512 - http://www.kb.cert.org/vuls/id/477512
- US-CERT Vulnerability Note VU#160448 - http://www.kb.cert.org/vuls/id/160448
- US-CERT Vulnerability Note VU#236656 - http://www.kb.cert.org/vuls/id/236656
- CVE CAN-2004-0597 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
- CVE CAN-2004-0598 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
- CVE CAN-2004-0599 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
US-CERT thanks Chris Evans for researching and reporting these vulnerabilities.
Feedback can be directed to the US-CERT Technical Staff.
Revision History
- Aug 4, 2004: Initial release
Multiple Vulnerabilities in Systems Running Microsoft Windows
- Microsoft Windows systems; specifically, some versions of the following programs:
- Microsoft Windows NT
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
- Microsoft Windows 98
- Microsoft Windows Millennium Edition
- Microsoft Internet Explorer 5
- Microsoft Internet Explorer 6
Microsoft has reported two vulnerabilities in the way Internet Explorer processes certain types of images. Attackers may be able to gain control of your machine if you view a malicious image, visit a web page, or open an email message that contains these images.
Microsoft has also published an update to address the cross-domain vulnerability discussed in SA04-163A. This vulnerability may allow an attacker to alter a web site to point to a different location. If the attacker can convince you to visit the site, they may be able to gain control of your machine.
Solution
Apply a patch
Microsoft has issued updates that resolve these problems. Obtain the appropriate update from Windows Update.
Use caution with email attachments
Never open unexpected email attachments. Before opening an attachment, save it to a disk and scan it with anti-virus software. Make sure to turn off the option to automatically download attachments.
View email messages in plain text
Email programs like Outlook and Outlook Express interpret HTML code the same way that Internet Explorer does. Attackers may be able to take advantage of that by sending malicious HTML-formatted email messages.
Maintain updated anti-virus software
It is important that you use anti-virus software and keep it up to date. Most anti-virus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many anti-virus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.
Description
In Microsoft Security Bulletin MS04-025, Microsoft describes a critical vulnerability in the way Internet Explorer processes .GIF and .BMP images. An attacker can use malicious images on a web page or in HTML-formatted email messages. If the attacker can convince a user to visit the web page, open the message, or otherwise view the image, the attacker may be able to gain control of the user's machine.
There is also a vulnerability in the way Internet Explorer processes scripts. An attacker may be able to take advantage of frames to redirect users to a malicious web site.
More technical information about this issue is available in TA04-212A and Microsoft Security Bulletin MS04-025.
- Windows Security Updates for July 2004 - <http://www.microsoft.com/security/bulletins/200407_windows.mspx>
- Multiple Remote Code Execution Vulnerabilities in Microsoft Internet Explorer - <http://www.us-cert.gov/cas/techalerts/TA04-212A.html>
- Microsoft Security Bulletin MS04-025 - <http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx>
- US-CERT Computer Virus Resources - <http://www.us-cert.gov/other_sources/viruses.html>
- Understanding Anti-Virus Software - <http://www.us-cert.gov/cas/tips/ST04-005.html>
- Using Caution with Email Attachments - <http://www.us-cert.gov/cas/tips/ST04-010.html>
- Home Network Security - <http://www.cert.org/tech_tips/home_networks.html>
- Home Computer Security - <http://www.cert.org/homeusers/HomeComputerSecurity/>
Author: Mindi McDowell. Feedback can be directed to the US-CERT Technical Staff.
Copyright 2004 Carnegie Mellon University. Terms of use
Revision History
- July 30, 2004: Initial release
Critical Vulnerabilities in Microsoft Windows
These vulnerabilities affect the following versions of Microsoft
Internet Explorer:
- Microsoft Internet Explorer 5.01 Service Pack 2
- Microsoft Internet Explorer 5.01 Service Pack 3
- Microsoft Internet Explorer 5.01 Service Pack 4
- Microsoft Internet Explorer 5.5 Service Pack 2
- Microsoft Internet Explorer 6
- Microsoft Internet Explorer 6 Service Pack 1
- Microsoft Internet Explorer 6 Service Pack 1 (64-Bit Edition)
- Microsoft Internet Explorer 6 for Windows Server 2003
- Microsoft Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)
These vulnerabilities affect the following versions of the
Microsoft Windows operating system:
- Microsoft Windows NT Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)
Please note that these vulnerabilities may affect any software that
uses the Microsoft Windows operating system to render HTML or
graphics.
Microsoft Internet Explorer contains three vulnerabilities that may
allow arbitrary code to be executed. The privileges gained by a remote
attacker depend on the software component being attacked. For example,
a user browsing to an unsafe web page using Internet Explorer could
have code executed with the same privilege as the user. These
vulnerabilities have been reported to be relatively straightforward to
exploit; even vigilant users visiting a malicious website, viewing a
malformed image, or reading an HTML-rendered email message may be
affected.
Microsoft Security Bulletin MS04-025
describes three vulnerabilities in Internet Explorer; more detailed
information is available in the individual vulnerability
notes. Note that in addition to Internet Explorer, any applications
that use the Internet Explorer HTML rendering engine to interpret HTML
documents may present additional attack vectors for these
vulnerabilities.
VU#266926 - Microsoft Internet Explorer contains an integer overflow in the processing of bitmap files
An integer overflow vulnerability has been discovered in the way that
Internet Explorer processes bitmap image files. This vulnerability could
allow a remote attacker to execute arbitrary code on a vulnerable system
by introducing a specially crafted bitmap file.
(Other resources: CAN-2004-0566)
VU#685364 - Microsoft Internet Explorer contains a double-free vulnerability in the processing of GIF files
A double-free vulnerability has been discovered in the way that
Internet Explorer processes GIF image files. When processing GIF image
files, the routine responsible for freeing memory may attempt to free the
same memory reference more than once. Deallocating the already freed
memory can lead to memory corruption, which could cause a
denial-of-service condition or potentially be leveraged by an attacker to
execute arbitrary code.
(Other resources: CAN-2003-1048)
VU#713878 - Microsoft Internet Explorer does not properly validate source of redirected frame
Microsoft Internet Explorer does not properly display URLs
As previously discussed in TA-163A,
Microsoft Internet Explorer does not adequately validate the security
context of a frame that has been redirected by a web server. An
attacker could exploit this vulnerability to evaluate script in
different security domains. By causing script to be evaluated in the
Local Machine Zone, the attacker could execute arbitrary code with the
privileges of the user running Internet Explorer. For a detailed
technical analysis of this vulnerability, please see VU#713878.
(Other resources: CAN-2004-0549)
Remote attackers exploiting the vulnerabilities described above may
execute arbitrary code with the privileges of the user running the
software components being attacked (e.g., Internet
Explorer). Attackers can exploit these vulnerabilities by convincing a
victim user to visit a malicious website, view a malformed image, or
read an HTML-rendered email message. No user intervention is required
beyond viewing an attacker-supplied HTML document or image. For
further details, please see the individual vulnerability
notes.
Apply the appropriate patch as specified by Microsoft Security
Bulletin MS04-025.
Please note that this bulletin provides a cumulative update that
replaces all previously released updates for Internet Explorer,
including those provided in MS04-004. However,
users who have applied hotfixes released after MS04-004
will need to install MS04-025. Please
see the FAQ section of Microsoft's advisory for more details.
Microsoft provides several workarounds for each of these vulnerabilities.
Please consult the appropriate section(s) of Microsoft Security Bulletin
MS04-025.
This appendix contains information provided by vendors for this
advisory. As vendors report new information to US-CERT, we will update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Please see Microsoft Security Bulletin MS04-025.
Appendix B. References
- US-CERT Technical Cyber Security Alert TA04-163A - http://www.us-cert.gov/cas/techalerts/TA04-163A.html
- US-CERT Cyber Security Alert TA04-212A - http://www.us-cert.gov/cas/alerts/SA04-212A.html
- US-CERT Vulnerability Note VU#266926 - http://www.kb.cert.org/vuls/id/266926
- US-CERT Vulnerability Note VU#685364 - http://www.kb.cert.org/vuls/id/685364
- US-CERT Vulnerability Note VU#713878 - http://www.kb.cert.org/vuls/id/713878
- Microsoft Security Bulletin MS04-025 - http://microsoft.com/technet/security/bulletin/MS04-025.asp
- Microsoft KB Article 867801 - http://support.microsoft.com/?id=867801
- Microsoft KB Article 871260 - http://support.microsoft.com/?id=871260
- Microsoft KB Article 875345 - http://support.microsoft.com/?id=875345
- CVE CAN-2004-0566 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0566
- CVE CAN-2003-1048 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1048
- CVE CAN-2004-0549 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549
Feedback can be directed to the US-CERT Technical Staff.
- Jul 30, 2004: Initial release
New Variant of MyDoom Virus
- Microsoft Windows Systems
A new variant of the MyDoom virus is spreading through email. In addition to infecting your computer and emailing itself to other machines, the virus may open a backdoor that could make your machine vulnerable to future attacks.
Solution
Avoid opening email attachments
Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. Many viruses spread precisely because they originate from a familiar email address.
Maintain updated anti-virus software
It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.
Description
This variant of MyDoom (known as MyDoom.M or MyDoom.O) is significant because it seems to be conducting searches on addresses it harvests from infected computers. Therefore, not only is email activity affected, response times in many popular search engines may be dramatically slower.
- MyDoom.B Virus - <http://www.us-cert.gov/cas/alerts/SA04-028A.html>
- US-CERT Computer Virus Resources - <http://www.us-cert.gov/other_sources/viruses.html>
- Understanding Anti-Virus Software - <http://www.us-cert.gov/cas/tips/ST04-005.html>
- Using Caution with Email Attachments - <http://www.us-cert.gov/cas/tips/ST04-010.html>
- Home Network Security - <http://www.cert.org/tech_tips/home_networks.html>
- Home Computer Security - <http://www.cert.org/homeusers/HomeComputerSecurity/>
Author: Mindi McDowell. Feedback can be directed to US-CERT.
Copyright 2004 Carnegie Mellon University. Terms of use
Revision History
- July 26, 2004: Initial release
Multiple Vulnerabilities in Microsoft Windows Components and Outlook Express
- Microsoft Windows Systems
Microsoft has released a Security Bulletin Summary for July, 2004. There are several security bulletins released in this summary.
Microsoft's Security Bulletin Summary for July, 2004 includes summaries of several bulletins that address vulnerabilities in various Windows applications and components. For more technical information, see US-CERT Technical Alert TA04-196A.
II. Impact
An attacker may be able to control your computer if these vulnerabilities are exploited.
III. Solution
Apply a patch
Microsoft has provided the patches for these vulnerabilities in the Security Bulletins and on Windows Update.
Do not follow unsolicited links
Do not click on unsolicited links received in email, instant messages, web forums, or chat rooms. While this is generally a good security practice, following this behavior will not prevent the exploitation of these vulnerabilities in all cases.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Update your anti-virus software. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
Appendix A. Vendor Information
Specific information about the Security Bulletins is available in the Security Bulletin Summary for July, 2004 and the US-CERT Vulnerability Notes for these issues.
- Microsoft's Security Bulletin Summary for July, 2004 - <http://www.microsoft.com/security/bulletins/200407_windows.mspx>
- US-CERT Technical Cyber Security Alert TA04-196A - <http://www.us-cert.gov/cas/techalerts/TA04-196A.html>
- US-CERT Vulnerability Note VU#106324 - <http://www.kb.cert.org/vuls/id/106324>
- US-CERT Vulnerability Note VU#187196 - <http://www.kb.cert.org/vuls/id/187196>
- US-CERT Vulnerability Note VU#920060 - <http://www.kb.cert.org/vuls/id/920060>
- US-CERT Vulnerability Note VU#228028 - <http://www.kb.cert.org/vuls/id/228028>
- US-CERT Vulnerability Note VU#717748 - <http://www.kb.cert.org/vuls/id/717748>
- US-CERT Vulnerability Note VU#647436 - <http://www.kb.cert.org/vuls/id/647436>
- US-CERT Vulnerability Note VU#868580 - <http://www.kb.cert.org/vuls/id/868580>
- US-CERT Vulnerability Note VU#869640 - <http://www.kb.cert.org/vuls/id/869640>
- Increase Your Browsing and E-Mail Safety - <http://www.microsoft.com/security/incident/settings.mspx>
- Working with Internet Explorer 6 Security Settings - <http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>
This alert was created by Jason A. Rafail. Feedback can be directed to the Vulnerability Note authors: Jason A. Rafail, Jeffrey P. Lanza, Chad R. Dougherty, Damon G. Morda, and Art Manion.
Copyright 2004 Carnegie Mellon University. Terms of use
Revision History
- July 14, 2004: Initial release
Multiple Vulnerabilities in Microsoft Windows Components and Outlook Express
- Microsoft Windows Systems
Microsoft has released a Security Bulletin Summary for July, 2004. This summary includes several bulletins that address vulnerabilities in various Windows applications and components. Exploitation of some vulnerabilities can result in the remote execution of arbitrary code by a remote attacker. Details of the vulnerabilities and their impacts are provided below.
The table below provides a reference between Microsoft's Security Bulletins and the related US-CERT Vulnerability Notes. More information related to the vulnerabilities is available in these documents.
| Microsoft Security Bulletin | Related US-CERT Vulnerability Note(s) |
| --- | --- |
| MS04-024: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645) | VU#106324 Microsoft Windows contains a vulnerability in the way the Windows Shell launches applications |
| MS04-023: Vulnerability in HTML Help Could Allow Code Execution (840315) | VU#187196 Microsoft Windows fails to properly process showHelp URLs; VU#920060 Microsoft Windows HTML Help component fails to properly validate input data |
| MS04-022: Vulnerability in Task Scheduler Could Allow Code Execution (841873) | VU#228028 Microsoft Windows Task Scheduler Buffer Overflow |
| MS04-021: Security Update for IIS 4.0 (841373) | VU#717748 Microsoft Internet Information Server (IIS) 4.0 contains a buffer overflow in the redirect function |
| MS04-020: Vulnerability in POSIX Could Allow Code Execution (841872) | VU#647436 Microsoft Windows contains a buffer overflow in the POSIX subsystem |
| MS04-019: Vulnerability in Utility Manager Could Allow Code Execution (842526) | VU#868580 Microsoft Windows Utility Manager launches applications with system privileges |
| MS04-018: Cumulative Security Update for Outlook Express (823353) | VU#869640 Microsoft Outlook Express fails to properly validate malformed e-mail headers |
Impact
A remote, unauthenticated attacker may exploit VU#717748 to execute arbitrary code on an IIS 4.0 system.
Exploitation of VU#106324, VU#187196, VU#920060, and VU#228028, would permit a remote attacker to execute arbitrary code with the privileges of the current user. The attacker would have to convince a victim to view an HTML document (web page, HTML email) or click on a crafted URI link.
Vulnerabilities described in VU#647436 and VU#868580 permit a local user to gain elevated privileges on the local system.
Exploitation of VU#869640 can lead to a denial-of-service condition against Outlook Express.
Solution
Apply a patch
Microsoft has provided the patches for these vulnerabilities in the Security Bulletins and on Windows Update.
Do not follow unsolicited links
It is generally a good practice not to click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels. However, this practice does not always prevent exploitation of these types of vulnerabilities. For example, a trusted web site could be compromised and modified to deliver exploit script to unsuspecting clients.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts, but variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against these vulnerabilities. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
Appendix A. Vendor Information
Specific information about these issues is available in the Security Bulletin Summary for July, 2004 and the US-CERT Vulnerability Notes.
- Microsoft's Security Bulletin Summary for July, 2004 - http://www.microsoft.com/technet/security/bulletin/ms04-jul.mspx
- US-CERT Vulnerability Note VU#106324 - http://www.kb.cert.org/vuls/id/106324
- US-CERT Vulnerability Note VU#187196 - http://www.kb.cert.org/vuls/id/187196
- US-CERT Vulnerability Note VU#920060 - http://www.kb.cert.org/vuls/id/920060
- US-CERT Vulnerability Note VU#228028 - http://www.kb.cert.org/vuls/id/228028
- US-CERT Vulnerability Note VU#717748 - http://www.kb.cert.org/vuls/id/717748
- US-CERT Vulnerability Note VU#647436 - http://www.kb.cert.org/vuls/id/647436
- US-CERT Vulnerability Note VU#868580 - http://www.kb.cert.org/vuls/id/868580
- US-CERT Vulnerability Note VU#869640 - http://www.kb.cert.org/vuls/id/869640
- Increase Your Browsing and E-Mail Safety - http://www.microsoft.com/security/incident/settings.mspx
- Working with Internet Explorer 6 Security Settings - http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx
This alert was created by Jason A. Rafail. Feedback can be directed to the Vulnerability Note authors: Jason A. Rafail, Jeffrey P. Lanza, Chad R. Dougherty, Damon G. Morda, and Art Manion.
Revision History
- July 14, 2004: Initial release
Internet Explorer Update to Disable ADODB.Stream ActiveX Control
- Microsoft Windows systems
Microsoft has released a security update for Internet Explorer (IE) that disables the ADODB.Stream ActiveX control. This update reduces the impact of attacks against cross-domain vulnerabilities in IE.
Description
A class of vulnerabilities in IE allows malicious script from one domain to execute in a different domain which may also be in a different IE security zone. Attackers typically seek to execute script in the security context of the Local Machine Zone (LMZ). One such vulnerability (VU#713878) is described in US-CERT Technical Alert TA04-163A. Other cross-domain vulnerabilities have similar impacts.
After obtaining access to the LMZ through one or more of the vulnerabilities noted above, attackers typically attempt to download and run an executable file. Writing the executable to disk can be accomplished using the ADODB.Stream ActiveX control. In order to defeat this technique, Microsoft has released an update that disables the ADODB.Stream control. From Microsoft Knowledge Base Article 870669:
An ADO stream object contains methods for reading and writing binary files and text files. When an ADO stream object is combined with known security vulnerabilities in Internet Explorer, a Web site could execute scripts from the Local Machine zone. To help protect your computer from this kind of attack, you can manually modify your registry.
It is important to note that there may be other ways for an attacker to write arbitrary data or to execute commands without relying on the ADODB.Stream control.
Further information is available from Microsoft in What You Should Know About Download.Ject. Instructions for securing IE and other web browsers against malicious web scripts are available in the Malicious Web Scripts FAQ.
Impact
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
Recent incident activity known as Download.Ject (also JS.Scob.Trojan, Scob, JS.Toofeer) uses cross-domain vulnerabilities and the ADODB.Stream control to install software that steals sensitive financial information.
Solution
Until a complete solution is available from Microsoft, consider the following workarounds.
Disable Active scripting and ActiveX controls
Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently at RC2) includes these and other security enhancements for IE.
Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases. For example, a trusted web site could be compromised and modified to deliver exploit script to unsuspecting clients.
Disable ADODB.Stream ActiveX control
One way to disable the ADODB.Stream control is to apply the update from the Microsoft Download Center (KB870669) or the Windows Update web site.
The ADODB.Stream control can also be disabled by modifying the Windows registry as described in Microsoft Knowledge Base Article 870669.
Both of these methods disable ADODB.Stream by setting the kill bit for the control in the Windows registry.
Note that disabling the ADODB.Stream control does not directly address any cross-domain vulnerabilities, nor does it prevent attacks. This workaround prevents a well-known and widely used technique for writing arbitrary data to disk after a cross-domain vulnerability has been exploited. There may be other ways for an attacker to write arbitrary data or execute commands.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
Appendix A. Vendor Information
Microsoft Corporation
Please see What You Should Know About Download.Ject and Microsoft Knowledge Base Article 870669.
- US-CERT Technical Alert TA04-163A - http://www.us-cert.gov/cas/techalerts/TA04-163A.html
- US-CERT Vulnerability Note VU#713878 - http://www.kb.cert.org/vuls/id/713878
- Malicious Web Scripts FAQ - http://www.cert.org/tech_tips/malicious_code_FAQ.html
- Results of the Security in ActiveX Workshop (PDF) http://www.cert.org/reports/activeX_report.pdf
- What You Should Know About Download.Ject - http://www.microsoft.com/security/incident/download_ject.mspx
- Increase Your Browsing and E-Mail Safety - http://www.microsoft.com/security/incident/settings.mspx
- Working with Internet Explorer 6 Security Settings - http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx
- Microsoft Knowledge Base Article 870669 - http://support.microsoft.com/default.aspx?kbid=870669
- Microsoft Knowledge Base Article 833633 - http://support.microsoft.com/default.aspx?kbid=833633
- Microsoft Knowledge Base Article 182569 - http://support.microsoft.com/default.aspx?kbid=182569
- Microsoft Knowledge Base Article 240797 - http://support.microsoft.com/default.aspx?kbid=240797
- Windows XP Service Pack 2 Release Candidate 2 Preview - http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx
Feedback can be directed to the author: Art Manion
Revision History
- July 2, 2004: Initial release
Important Internet Explorer Update Available
Systems running Internet Explorer and Microsoft Windows
Overview
Microsoft has released an important security update for Internet Explorer (IE). This update greatly reduces the impact of attacks against several vulnerabilities in IE.
Description
Several vulnerabilities in IE could allow a malicious web site or HTML email message to install software on your computer. This software could be used to steal sensitive financial information or perform other actions. Recent incident activity has been referred to as Download.Ject, JS.Scob.Trojan, Scob, and JS.Toofeer.
Microsoft has released a security update for IE that provides increased protection against this type of attack. Note that this update may not prevent attacks in all cases.
Resolution
Install Critical Update
US-CERT recommends that users install the update from the Microsoft Download Center (KB870669) or the Windows Update web site.
Increase IE Security Settings
In addition, US-CERT strongly recommends that users modify IE security settings according to the instructions in the Malicious Web Scripts FAQ.
Further information is available from Microsoft in What You Should Know About Download.Ject.
References
- US-CERT Technical Alert TA04-184A - <http://www.us-cert.gov/cas/techalerts/TA04-184A.html>
- US-CERT Technical Alert TA04-163A - <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
- US-CERT Vulnerability Note VU#713878 - <http://www.kb.cert.org/vuls/id/713878>
- Malicious Web Scripts FAQ - <http://www.cert.org/tech_tips/malicious_code_FAQ.html>
- What You Should Know About Download.Ject - <http://www.microsoft.com/security/incident/download_ject.mspx>
- Increase Your Browsing and E-Mail Safety - <http://www.microsoft.com/security/incident/settings.mspx>
- Working with Internet Explorer 6 Security Settings - <http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>
Author: Art Manion
Copyright 2004 Carnegie Mellon University. Terms of use
Revision History
- July 2, 2004: Initial release
Multiple Vulnerabilities in ISC DHCP 3
- ISC DHCP versions 3.0.1rc12 and 3.0.1rc13
Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a
denial of the DHCP service on a vulnerable system. It may be possible to
exploit these vulnerabilities to execute arbitrary code on the system.
As described in RFC
2131, "the Dynamic Host Configuration Protocol (DHCP) provides a
framework for passing configuration information to hosts on a TCP/IP
network." The Internet Systems Consortium's (ISC) Dynamic Host
Configuration Protocol (DHCP) 3 application contains two vulnerabilities
that present several potential buffer overflow conditions.
VU#317350 discusses
a buffer overflow vulnerability in the temporary storage of log lines.
In transactions, ISC DHCPD logs every DHCP packet along with several
pieces of descriptive information. The client's DISCOVER and the
resulting OFFER, REQUEST, ACK, and NAKs are all logged. In all of these
messages, if the client supplied a hostname, then it is also included
in the logged line. As part of the DHCP datagram format, a client may
specify multiple hostname options, up to 255 bytes per option. These
options are concatenated by the server. If the hostname and options
contain only ASCII characters, then the string will pass non-ASCII
character filters and be temporarily stored in 1024 byte fixed-length
buffers on the stack. If a client supplies enough hostname options, it
is possible to overflow the fixed-length buffer.
VU#654390 discusses C include files for systems that do not support the
bounds-checking vsnprintf() function. These files define the bounds-checking
vsnprintf() as the non-bounds-checking vsprintf() function. Since vsprintf()
does not check bounds, the size argument is discarded, creating the potential
for a buffer overflow when client data is supplied. Note that the vsnprintf()
statements are reached after the vulnerable code discussed in VU#317350.
Because the preconditions for this vulnerability are similar to those required
to exploit VU#317350, because these buffer overflow conditions occur
sequentially in the code after the buffer overflow discussed in VU#317350, and
because both issues were discovered and resolved at the same time, there is no
known path to exploit the buffer overflow conditions caused by VU#654390. Note
that VU#654390 was discovered, and became exploitable, only once VU#317350 was
resolved.
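The two overflow conditions described above, as an added example that is not ISC's code: a bounds-checked staging of concatenated hostname options (the VU#317350 condition) and a log formatter that checks vsnprintf()'s return value (the VU#654390 condition). The struct dhcp_option, the 16-option demo limit and the 'A'-filled client options are constructed for the demo; only the 1024-byte buffer and 255-byte option sizes come from the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the advisory: dhcpd staged log text in 1024-byte fixed-length
 * stack buffers, and a single DHCP option carries at most 255 bytes. */
#define LOG_BUF_SIZE 1024
#define OPT_MAX_LEN  255
#define OPT_HOSTNAME 12            /* DHCP option code for the client host name */
#define MAX_OPTS     16            /* demo limit, not a protocol constant */

/* Constructed view of one parsed DHCP option (hypothetical, not ISC's own). */
struct dhcp_option {
    unsigned char code;
    unsigned char len;             /* option length byte, 0..255 */
    const unsigned char *data;
};

/* Bytes the server would write if it concatenated every hostname option the
 * client sent; the VU#317350 code never compared this with its buffer size. */
size_t hostname_bytes_needed(const struct dhcp_option *opts, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (opts[i].code == OPT_HOSTNAME)
            total += opts[i].len;
    return total;
}

/* Hardened concatenation: keeps printable ASCII only (the non-ASCII filter the
 * advisory mentions), never writes past dst[dstsz - 1], always NUL-terminates.
 * Returns 1 if the input had to be cut, 0 otherwise. */
int concat_hostname_bounded(char *dst, size_t dstsz,
                            const struct dhcp_option *opts, size_t n)
{
    size_t pos = 0;
    if (dstsz == 0) return 1;
    for (size_t i = 0; i < n; i++) {
        if (opts[i].code != OPT_HOSTNAME) continue;
        for (size_t j = 0; j < opts[i].len; j++) {
            unsigned char c = opts[i].data[j];
            if (c < 0x20 || c > 0x7e) continue;
            if (pos + 1 >= dstsz) {    /* only the NUL slot is left: stop here */
                dst[pos] = '\0';
                return 1;
            }
            dst[pos++] = (char)c;
        }
    }
    dst[pos] = '\0';
    return 0;
}

/* Bounded log formatting that checks vsnprintf()'s return value. On a platform
 * whose vsnprintf() is really vsprintf() (VU#654390) the bound is discarded, so
 * this wrapper is only as safe as the vsnprintf() behind it. Returns 1 if the
 * message did not fit, 0 otherwise. */
int format_log_line(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    return needed < 0 || (size_t)needed >= dstsz;
}

struct demo_result {
    size_t needed, stored;         /* bytes requested / bytes actually staged */
    int truncated, log_truncated;  /* hostname cut / full log line did not fit */
};

/* Simulates a constructed client sending n_opts hostname options of 255 'A's
 * each, staged the way a bounds-checked dhcpd would stage them. */
struct demo_result run_demo(size_t n_opts)
{
    static unsigned char chunk[OPT_MAX_LEN];
    struct dhcp_option opts[MAX_OPTS];
    char host[LOG_BUF_SIZE], line[LOG_BUF_SIZE];
    struct demo_result r;
    memset(chunk, 'A', sizeof chunk);
    if (n_opts > MAX_OPTS) n_opts = MAX_OPTS;
    for (size_t i = 0; i < n_opts; i++) {
        opts[i].code = OPT_HOSTNAME;
        opts[i].len = OPT_MAX_LEN;
        opts[i].data = chunk;
    }
    r.needed = hostname_bytes_needed(opts, n_opts);
    r.truncated = concat_hostname_bounded(host, sizeof host, opts, n_opts);
    r.stored = strlen(host);
    r.log_truncated = format_log_line(line, sizeof line,
                                      "DHCPDISCOVER from client (%s)", host);
    return r;
}
```

run_demo(5) models a client sending five maximum-length hostname options (1275 bytes, more than the 1024-byte buffer) and reports that both the hostname and the log line had to be truncated rather than overflowing; run_demo(2) stays within bounds.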
For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP
3.0.1rc13 are believed to be vulnerable. VU#317350 is exploitable for all
operating systems and configurations. VU#654390 is only defined for the
following operating systems:
- AIX
- AlphaOS
- Cygwin32
- HP-UX
- Irix
- Linux
- NextStep
- SCO
- SunOS 4
- SunOS 5.5
- Ultrix
All versions of ISC DHCP 3, including all snapshots, betas, and release
candidates, contain the flawed code. However, versions other than ISC DHCP
3.0.1rc12 and ISC DHCP 3.0.1rc13 discard all but the last hostname option
provided by the client, so it is not believed that these versions are
exploitable.
US-CERT is tracking these issues as VU#317350, which has been
assigned CVE CAN-2004-0460,
and VU#654390, which
has been assigned CVE CAN-2004-0461.
Exploitation of these vulnerabilities may cause a denial-of-service
condition to the DHCP daemon (DHCPD) and may permit a remote attacker to
execute arbitrary code on the system with the privileges of the DHCPD
process, typically root.
Apply patches or upgrade
These issues have been resolved in ISC DHCP 3.0.1rc14.
Your vendor may provide specific patches or updates. For vendor-specific
information, please see your vendor's site, or look for your
vendor information in VU#317350 and VU#654390. As
vendors report new information to US-CERT, we will update the
vulnerability notes.
- http://www.isc.org/sw/dhcp/
- http://www.kb.cert.org/vuls/id/317350
- http://www.kb.cert.org/vuls/id/654390
US-CERT thanks Gregory Duchemin and Solar Designer for
discovering, reporting, and resolving this vulnerability. Thanks also to
David Hankins of ISC for notifying us of this vulnerability and the
technical information provided to create this document.
Feedback can be directed to the author: Jason A. Rafail
- June 22, 2004: Initial release