Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise

Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael Evanchik and Paul from Greyhats Security, a very critical vulnerability has been developed that can compromise a user’s system without the need for any user interaction besides visiting the malicious page. The vulnerability is not actually a vulnerability in itself; rather, it uses multiple known holes in SP2, including the Help ActiveX Control Related Topics Zone Security Bypass Vulnerability and the Help ActiveX Control Related Topics Cross Site Scripting Vulnerability.

Vulnerable Systems:
* Microsoft Internet Explorer 6.0
* Microsoft Windows XP Pro …

Browsers’ FTP Client can be Used to Send Mail

Both Internet Explorer and Konqueror can be tricked into sending mail through their FTP clients without any more user interaction than loading a page.

Vulnerable Systems:
* Internet Explorer version 6 SP1
* Konqueror version 3.2

Immune Systems:
* Mozilla Firefox version 1.0

Both Internet Explorer and Konqueror will accept %0a and %0d in URLs. In FTP URLs, they will accept them in the username part of the URL. Due to the similarity between the FTP and SMTP protocols, this can be used to send mail.

Danger: Spammers could host websites that contain images causing website visitors to spam more people. There are probably …

Mozilla Buffer Overflow in Processing NNTP URLs Lets Remote Users Execute Arbitrary Code

Version(s): 1.7.3

Description: A heap overflow vulnerability was reported in Mozilla in the processing of NNTP URLs. A remote user can execute arbitrary code on the target system. Maurycy Prodeus of iSEC Security Research reported that a remote user can create a specially crafted ‘news://’ URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target user’s system. The code will run with the privileges of the target user. The flaw resides in the MSG_UnEscapeSearchUrl() function in ‘nsNNTPProtocol.cpp’. The original advisory is available at: http://isec.pl/vulnerabilities/isec-0020-mozilla.txt

Impact: A remote user can create …

Remote code execution with parameters without user interaction, even with XP SP2

ShredderSub7 SecExpert wrote:

“Which systems are vulnerable?
Any system running any Microsoft Windows XP edition with Internet Explorer 6 or higher, even with SP2 applied. Any system running any Microsoft Windows Server 2003 edition with Internet Explorer 6 or higher.

How does this exploit work?
The problem with Internet Explorer is that it doesn’t set any restrictions on web pages that request opening a Windows Help file, compiled with HTML Help. Without a restriction, we can (in Internet Explorer) easily command to open any local web page stored on a victim’s computer, including web pages that are found in Windows Help files (with …

Scripting Vulnerabilities in Indian Email Providers

The email services of several big Indian portals are susceptible to scripting attacks, i.e., malicious code can be embedded by attackers into email messages that, when received by unsuspecting users, can cause harmful effects. The services are Rediffmail.com, Indiatimes.com, and Sify.com. The combined user base of these services runs into millions and all of these users are vulnerable. I’ve known about most of these vulnerabilities for years now and I am now releasing them because many are being massively exploited in the wild. All attempts to contact the vendors were unfruitful.

Details: It is possible to embed malicious scripts in an …

Lycos Free Email Cross-Site Scripting Vulnerability

Lycos’s Free Email service “allows users to have their own web based email account very much like Hotmail”. A cross site scripting vulnerability in Lycos’s Free Email service allows an attacker to steal a user’s cookie, giving him full access to the user’s Lycos email account. Further, due to a flaw in the way Lycos handles cookies, even if the user being attacked changes his password, the attacker can still gain access to the account, as the cookie will remain valid. A proof of concept was provided.

http://www.securiteam.com/securitynews/6A00N20C1C.html

Netcraft Anti-Phishing Toolbar Available for Download

Another security program that is interesting to try. I think one feature that makes this toolbar attractive is that users can report a phished URL to help other people: once it is confirmed as a phished URL, it will be blocked so that other users will not become victims.

“The Netcraft Toolbar uses Netcraft’s enormous databases of web site information to show you all the attributes of each site you visit on the Web, including the sites’ hosting location, country, longevity and popularity. Toolbar features include: Clear display of sites’ hosting location at …

CleanCache Fails to Wipe Files

Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 2.19

A vulnerability was reported in CleanCache. A local user can obtain files that have ostensibly been wiped from the computer. WBG Links reported that a local user can invoke common data recovery tools to obtain files that should have been removed by CleanCache. The vendor has been notified.

Impact: A local user can recover files that have ostensibly been deleted.
Solution: No solution was available at the time of this entry.

http://securitytracker.com/alerts/2004/Dec/1012701.html

New Santy-Worm attacks *all* PHP-scripts

Juergen Schmidt wrote in http://securityfocus.com/archive/1/385463/2004-12-22/2004-12-28/0 :

The new Santy version not only attacks phpBB. It uses the Brazilian Google site to find all kinds of PHP scripts. It parses their URLs and overwrites variables with strings