Today Critical Security Flaws
Results 1 to 2 of 2

Thread: Today Critical Security Flaws

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Post Today Critical Security Flaws

    ----------------------------------------------------------------------
    Title: XMLHTTP Control Can Allow Access to Local Files
    Date: 21 February 2002
    Software: Microsoft XML Core Services
    Impact: Information disclosure
    Max Risk: Critical
    Bulletin: MS02-008

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/sec.../MS02-008.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
    control, which allows web pages rendering in the browser to send or
    receive XML data via HTTP operations such as POST, GET, and PUT.
    The control provides security measures designed to restrict web
    pages so they can only use the control to request data from remote
    data sources.

    A flaw exists in how the XMLHTTP control applies IE security zone
    settings to a redirected data stream returned in response to a
    request for data from a web site. A vulnerability results because
    an attacker could seek to exploit this flaw and specify a data
    source that is on the user's local system. The attacker could
    then use this to return information from the local system to the
    attacker's web site.

    An attacker would have to entice the user to a site under his
    control to exploit this vulnerability. It cannot be exploited
    by HTML email. In addition, the attacker would have to know the
    full path and file name of any file he would attempt to read.
    Finally, this vulnerability does not give an attacker any
    ability to add, change or delete data.

    Mitigating Factors:
    ====================
    - The vulnerability can only be exploited via a web site.
    It would not be possible to exploit this vulnerability
    via HTML mail.

    - The attacker would need to know the full path and file name
    of a file in order to read it.

    - The vulnerability does not provide any ability to add,
    change, or delete files.

    Risk Rating:
    ============
    - Internet systems: Moderate
    - Intranet systems: Moderate
    - Client systems: Critical

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    http://www.microsoft.com/technet/sec...n/ms02-008.asp
    for information on obtaining this patch.





    - ----------------------------------------------------------------------
    Title: Incorrect VBScript Handling in IE can Allow Web Pages to
    Read Local Files
    Date: 21 February 2002
    Software: Internet Explorer
    Impact: Information Disclosure
    Max Risk: Critical
    Bulletin: MS02-009

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/sec.../MS02-009.asp.
    - -
    - ----------------------------------------------------------------------

    Issue:
    ======
    Frames are used in Internet Explorer to provide for a fuller
    browsing experience. By design, scripts in the frame of one site or
    domain should be prohibited from accessing the content of frames
    in another site or domain. However, a flaw exists in how VBScript
    is handled in IE relating to validating cross-domain access. This
    flaw can allow scripts of one domain to access the contents of
    another domain in a frame.

    A malicious user could exploit this vulnerability by using
    scripting to extract the contents of frames in other domains,
    then sending that content back to their web site. This would
    enable the attacker to view files on the user's local machine
    or capture the contents of third-party web sites the user visited
    after leaving the attacker's site. The latter scenario could,
    in the worst case, enable the attacker to learn personal
    information like user names, passwords, or credit card information.

    In both cases, the user would either have to go to a site under
    the attacker's control or view an HTML email sent by the attacker.
    In addition, the attacker would have to know the exact name and
    location of any files on the user's system. Further, the attacker
    could only gain access to files that can be displayed in a browser
    window, such as text files, HTML files, or image files.

    Mitigating Factors:
    ====================
    - The vulnerability could only be used to view files. It could not
    be used to create, delete, modify or execute them.

    - The vulnerability would only allow an attacker to read files that
    can be opened in a browser window, such as image files, HTML
    files and text files. Other file types, such as binary files,
    executable files, Word documents, and so forth, could not be read.

    - The attacker would need to specify the exact name and location of
    the file in order to read it.

    - The email-borne attack scenario would be blocked if the user were
    using any of the following: Outlook 98 or 2000 with the Outlook
    Email Security Update installed; Outlook 2002; or Outlook
    Express 6.

    Risk Rating:
    ============
    - Internet systems: Moderate
    - Intranet systems: Moderate
    - Client systems: Critical

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    http://www.microsoft.com/technet/sec...n/ms02-009.asp
    for information on obtaining this patch.

    Acknowledgment:
    ===============
    - Zentai Peter Aron, Ivy Hungary Ltd (http://w3.ivy.hu/)





    - ----------------------------------------------------------------------
    Title: Unchecked Buffer in ISAPI Filter Could Allow Commerce
    Server Compromise
    Date: 21 February 2002
    Software: Commerce Server 2000
    Impact: Run code of attacker's choice.
    Max Risk: Critical
    Bulletin: MS02-010

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/sec.../MS02-010.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    By default, Commerce Server 2000 installs a .dll with an ISAPI
    filter that allows the server to provide extended functionality in
    response to events on the server. This filter, called AuthFilter,
    provides support for a variety of authentication methods.
    Commerce Server 2000 can also be configured to use other
    authentication methods.

    A security vulnerability results because AuthFilter contains an
    unchecked buffer in a section of code that handles certain types
    of authentication requests. An attacker who provided
    authentication data that overran the buffer could cause the
    Commerce Server process to fail, or could run code in the
    security context of the Commerce Server process. The
    process runs with LocalSystem privileges, so exploiting the
    vulnerability would give the attacker complete control of
    the server.

    Mitigating Factors:
    ====================
    - Although Commerce Server 2000 does rely on IIS for its base
    web services, the AuthFilter ISAPI filter is only available
    as part of Commerce Server. Customers using IIS are at no
    risk from this vulnerability.

    - The URLScan tool, if deployed using the default ruleset for
    Commerce Server, would make it difficult if not impossible
    for an attacker to exploit the vulnerability to run code,
    by significantly limiting the types of data that could be
    included in an URL. It would, however, still be possible
    to conduct denial of service attacks.

    - An attacker's ability to extend control from a compromised
    web server to other machines would depend heavily on the
    specific configuration of the network. Best practices recommend
    that the network architecture account for the inherent high-risk
    that machines in an uncontrolled environment, like the Internet,
    face by minimizing overall exposure though measures like DMZ's,
    operating with minimal services and isolating contact with
    internal networks. Steps like this can limit overall exposure
    and impede an attacker's ability to broaden the scope of a
    possible compromise.

    - While the ISAPI filter is installed by default, it is not loaded
    on any web site by default. It must be enabled through the
    Commerce Server Administration Console in the Microsoft
    Management Console (MMC).

    Risk Rating:
    ============
    - Internet systems: Critical
    - Intranet systems: Critical
    - Client systems: None

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    http://www.microsoft.com/technet/sec...n/ms02-010.asp
    for information on obtaining this patch.
    All that in one day!
    -Simon \"SDK\"

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    132
    I'm almost sick of hearing about M$ security flaws....M$ IS a security flaw, windows should be the 1st thing detected when you run NAV
    SlackWare my first, Debian my second....building my box into the ultimate weapon

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •