Security 10967 Published by Philipp Esselbach 0

The IE security architecture provides a caching mechanism that is used to store content that needs to be downloaded and processed on the user's local machine. The purpose of the cache is to obfuscate the physical location of the cached content, so that a web page or HTML e-mail has to go through the IE security architecture to access the information. This ensures that the uses of the information can be properly restricted.

A vulnerability exists because it is possible for a web page or HTML e-mail to learn the physical location of cached content. Armed with this information, an attacker could cause the cached content to be opened in the Local Computer Zone. This would enable him to launch compiled HTML help (.CHM) files that contain shortcuts to executables, and thereby run those executables.


An application called SMBRelay, written by cDc's Sir Dystic, exploits a design flaw in the SMB (Server Message Block) protocol on Windows NT/2000 machines, easily enabling an attacker to interpose himself between the client and the server.


The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user's browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.

The specific actions an attacker could take via this vulnerability would depend on the web-based resources available to the user, and the user's privileges on them. However, it is likely that at a minimum, the attacker could browse the user's intranet, and potentially access web-based e-mail as well.


Because HTML e-mails are simply web pages, IE can render them and open binary attachments in a way that is appropriate to their MIME types. However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail.

An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by the user's permissions on the system.
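As an added detection example (not part of the original advisory or of any Microsoft tool), the following Python script checks a mail message for the mismatch described above: attachments whose decoded bytes are an executable image but whose declared Content-Type is not one under which an executable would be declared honestly. The sample message, the executable signatures, the "honest" type list and the mismatched type (audio/x-wav) are all constructed for this example; the bulletin does not name the MIME types IE mishandled, so that choice is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Byte signatures of content that must never be launched straight from a mail.
# Constructed list for this example; extend with other formats as needed.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
}

# MIME types under which an executable attachment is declared honestly.
# Executable bytes under any other declared type are a type/content mismatch.
# Constructed list, not a list from the advisory.
HONEST_EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}


def sniff_executable(data: bytes):
    """Return a description if `data` starts with a known executable signature, else None."""
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return description
    return None


def find_mime_mismatches(raw_message: bytes):
    """Parse a raw RFC 2822 message and report every leaf part whose decoded
    payload is an executable but whose declared Content-Type is not one of the
    honest executable types.

    Returns a list of (declared_type, filename, sniffed_description) tuples.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no payload of their own
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        sniffed = sniff_executable(payload)
        if sniffed and declared not in HONEST_EXECUTABLE_TYPES:
            findings.append((declared, part.get_filename(), sniffed))
    return findings


def build_sample(mismatched: bool) -> bytes:
    """Construct an HTML mail with one attachment declared as audio/x-wav.

    With mismatched=True the payload is a fake PE image (MZ header); with
    mismatched=False it is a plausible RIFF/WAVE header. The audio type is an
    arbitrary non-executable type chosen for the example (assumption).
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("<html><body><p>See attachment.</p></body></html>", subtype="html")
    if mismatched:
        payload = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
    else:
        payload = b"RIFF" + b"\x24\x00\x00\x00" + b"WAVEfmt " + b"\x00" * 24
    msg.add_attachment(payload, maintype="audio", subtype="x-wav", filename="sound.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, flag in (("mismatched", True), ("benign", False)):
        print(label, find_mime_mismatches(build_sample(flag)))
```

The check deliberately trusts the bytes rather than the headers: the attack in the advisory works precisely because the client acts on the declared type, so a gateway or mail scanner that sniffs the decoded payload catches the relabelled executable regardless of which unusual type the sender chose.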


In mid-March 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run.

The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward. Both ActiveX controls and Word documents can be delivered via either web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool.


A computer virus that can infect PCs running either the ubiquitous Windows operating system or the increasingly popular Linux operating system emerged Tuesday, which its discoverers say is a world first.

The virus, dubbed "W32.Winux" by the company that first reported it, anti-virus firm Central Command, is not destructive and does not appear to have infected any computers yet.


The VB-TSQL debugger object that ships with Visual Studio 6.0 Enterprise Edition has an unchecked buffer in the code that processes parameters for one of the object's methods. The object can, by design, be programmatically accessed remotely. If the object were to be referenced by a program that contained specially malformed data within the parameter, either of two outcomes would result. In the less serious case, the attacker could cause the object to fail on the hosting machine. In the more serious case, the attacker could exploit the buffer overrun to run code of the attacker's choice on the hosting machine.

The debugger object (vbsdicli.exe) is installed by default with Visual Studio 6.0 Enterprise Edition and runs in the context of the interactively logged-on user. The attacker could only execute a successful attack if he knew that a user had the component installed and that the user was logged in at the time of the attack.
