Security 10918 Published by Philipp Esselbach 0

Issue:
======
OWA is a service of Exchange 2000 Server that allows users to use a web browser to access their Exchange mailbox. However, a flaw exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script could take action against the user's Exchange mailbox.

An attacker could use this flaw to construct an attachment containing malicious script code. The attacker could then send the attachment in a message to the user. If the user opened the attachment in OWA, the script would execute and could take action against the user's mailbox as if it were the user, including, under certain circumstances, manipulation of messages or folders.


The HyperTerminal application is a communications utility that installs by default on all versions of Windows 98, 98SE, Windows ME, Windows NT 4.0, and Windows 2000. The product contains two unchecked buffers through which an attacker could potentially cause code of her choice to run on another user's machine:

- One resides in a section of the code that processes Telnet URLs. If a user opened an HTML mail that contained a particular type of malformed Telnet URL, and HyperTerminal were configured as the default Telnet client, it would trigger the buffer overrun. HyperTerminal is the default Telnet client on Windows 98, 98SE and ME. It is not the default Telnet client on Windows 2000.

- The other resides in a section of the code that processes session files - files that enable HyperTerminal users to specify session parameters such as the connection method and the destination host. If a user opened a session file that contained a particular type of malformed information, it would trigger the buffer overrun.


This bulletin discusses two security vulnerabilities that are related to each other only by the fact that they affect Windows Media Player. We packaged them in a single patch for customers using Windows Media Player 6.4 to make it more convenient for customers to apply. For customers using Windows Media Player 7, both security vulnerabilities are addressed by upgrading to Windows Media Player 7.1.


Word, like other members of the Office product family, provides a security mechanism that requires the user's approval to run macros. By design, any time a document is opened the user is notified if the document contains macros. In addition, this mechanism checks secondary documents that the original document links to, such as templates, and warns if any of those contain macros. This feature works by scanning the document or template for the presence of macros, alerting the user of their presence, and then asking the user whether to allow the macros to run.

By embedding a macro in a template, and providing another user with an RTF document that links to it, an attacker could cause a macro to run automatically when the RTF document was opened. The macro would be able to take any action that the user herself could take. This could include disabling the user's Word security settings so that subsequently-opened Word documents would no longer be checked for macros.


Users are being warned about a new fast-spreading virus that seems to be politically motivated. The Mawanella virus arrives in an email with the subject line 'Mawanella'. It carries an attachment 'mawanella.vbs' and in the body has an ASCII art picture of a burning house.


A patch is available to eliminate two newly discovered vulnerabilities affecting Internet Explorer, both of which could enable an attacker to spoof trusted web sites. The first vulnerability involves how digital certificates from web servers are validated. When CRL (certificate revocation list) checking for such certificates is enabled, it could be possible for any or all of the following checks to no longer be performed:
- Verification that the certificate has not expired
- Verification that the server name matches the name on the certificate
- Verification that the issuer of the certificate is trusted
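The three checks the bulletin lists, written out explicitly as an added example (not Microsoft's or Internet Explorer's code): a small validator over the dictionary form that Python's ssl.SSLSocket.getpeercert() returns, so that each check is visible as a separate step rather than hidden inside a library call. The trusted-issuer set, the sample certificates and the fixed "current time" are all constructed for this example.

```python
"""Added example, not code from the bulletin or from Internet Explorer: the
three server-certificate checks the bulletin lists, written out explicitly
over the dictionary form that Python's ssl.SSLSocket.getpeercert() returns.
All certificates and the trusted-issuer set below are constructed test data."""
import ssl
import time

# Assumption of this example: the trust store is a set of issuer DNs,
# flattened to a tuple of (attribute, value) pairs. Constructed, not real.
TRUSTED_ISSUERS = {
    (("organizationName", "Example Trust CA"),
     ("commonName", "Example Trust CA Root")),
}

# Fixed "current time" so the expiry check is reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2025 GMT")

# Constructed sample certificates in getpeercert() form.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA Root"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
}
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Jan 15 00:00:00 2025 GMT")
ROGUE_CERT = dict(GOOD_CERT, issuer=((("commonName", "Some Other CA"),),))


def _hostname_matches(pattern, hostname):
    """RFC 6125-style match: one leading '*' may stand for exactly one
    left-most label; wildcards anywhere else are not honoured."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    pat, host = pattern.split("."), hostname.split(".")
    if pat[0] != "*" or len(pat) < 3 or len(pat) != len(host):
        return False
    return pat[1:] == host[1:]


def _flatten_dn(dn):
    """getpeercert() gives a DN as a tuple of RDNs, each a tuple of pairs."""
    return tuple(pair for rdn in dn for pair in rdn)


def check_server_cert(cert, hostname, now=None):
    """Return the list of failed checks; an empty list means accept."""
    now = time.time() if now is None else now
    failures = []

    # Check 1: the certificate has not expired.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        failures.append("expired")

    # Check 2: the server name matches a name on the certificate.
    # dNSName SAN entries are authoritative; the subject CN is only a fallback.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for k, v in _flatten_dn(cert.get("subject", ())) if k == "commonName"]
    if not any(_hostname_matches(n, hostname) for n in names):
        failures.append("hostname mismatch")

    # Check 3: the issuer is one we trust.
    if _flatten_dn(cert.get("issuer", ())) not in TRUSTED_ISSUERS:
        failures.append("untrusted issuer")

    return failures


if __name__ == "__main__":
    for label, cert, host in (("good", GOOD_CERT, "www.example.test"),
                              ("wildcard", GOOD_CERT, "mail.example.test"),
                              ("expired", EXPIRED_CERT, "www.example.test"),
                              ("rogue", ROGUE_CERT, "www.example.test"),
                              ("wrong host", GOOD_CERT, "www.attacker.test")):
        print(f"{label:10s} -> {check_server_cert(cert, host, SAMPLE_NOW) or 'OK'}")
```

The point of spelling the checks out is that revocation checking is an addition to validation, never a substitute for it: a validator that skips expiry, name or issuer checks when a CRL lookup succeeds accepts exactly the spoofed certificates the bulletin describes. In production Python code, ssl.create_default_context() performs all three checks itself; the explicit version above is for showing what must still hold.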


Symantec has confirmed the existence of the worm, known as VBS.Hard.A@mm, VBS/Hard-A, or VBS/Hard@mm, and created software to detect it. So far, the virus has a low geographical distribution and has infected a small number of sites, according to a Symantec report published earlier this week.

The worm distributes itself--like several in the past, including Love Letter Homepage--as an attachment to an e-mail message. The message is called "FW: Symantec Anti-Virus Warning," and claims to contain a description of a non-existent worm in an attached file.


The patches provided in the bulletin address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker's choice could be made to run on the server, in the Local System security context.

The second vulnerability affects both Index Server 2.0 and Indexing Service in Windows 2000, and is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006 (http://www.microsoft.com/technet/security/bulletin/MS00-006.asp). The new variant has almost the same scope as the original vulnerability, but potentially exposes a new file type. If an attacker provided an invalid search request, she could read "include" files residing on the web server. The new patch eliminates all known variants of the vulnerability.


When SQL Server 7.0 Service Packs 1, 2, or 3 are installed on a machine that is configured to perform authentication using Mixed Mode, the password for the SQL Server standard security System Administrator (sa) account is recorded in plaintext in the files %TEMP%\sqlsp.log and %WINNT%\setup.iss. The default permissions on the files would allow any user who could log onto the server interactively to read them.

The password is only recorded if Mixed Mode is used, and even then, only if the administrator chose to use SQL Server Authentication when installing the service pack. Microsoft has long recommended that SQL servers be configured to use the more secure Windows NT Authentication Mode, and customers who have followed this recommendation would not be affected. Even on affected machines, the password could not be compromised if, per normal security recommendations, normal users are prevented from logging onto the machine interactively.
