Feb 15th: New year new bugs

[Faram]

TITLE:
Microsoft Jet Database Engine Database File Parsing Vulnerability

SECUNIA ADVISORY ID:
SA14896

VERIFY ADVISORY:
http://secunia.com/advisories/14896/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows XP Professional
http://secunia.com/product/22/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/

SOFTWARE:
Microsoft Office 2003 Standard Edition
http://secunia.com/product/2275/
Microsoft Access 2000
http://secunia.com/product/36/
Microsoft Access 2002
http://secunia.com/product/35/
Microsoft Access 2003
http://secunia.com/product/4904/
Microsoft Office 2000
http://secunia.com/product/24/
Microsoft Office 2003 Professional Edition
http://secunia.com/product/2276/
Microsoft Office 2003 Small Business Edition
http://secunia.com/product/2277/

DESCRIPTION:
HexView has discovered a vulnerability in Microsoft Jet Database
Engine, which can be exploited by malicious people to compromise a
user's system.

The vulnerability is caused due to a memory handling error when e.g.
parsing database files. This can be exploited to execute arbitrary
code by tricking a user into opening a specially crafted ".mdb" file
in Microsoft Access.

NOTE: Exploit code has been posted to a public mailing list.

The vulnerability has been confirmed on a fully patched system with
Microsoft Access 2003 (msjet40.dll version 4.00.8618.0) and Microsoft
Windows XP SP1/SP2. Other versions may also be affected.

SOLUTION:
Do not open untrusted ".mdb" database files.

PROVIDED AND/OR DISCOVERED BY:
HexView

ORIGINAL ADVISORY:
http://www.hexview.com/docs/20050331-1.txt

[Faram]

Minor update but WPA-2 For Windows XP

Microsoft

If your router/ap and nic supports this then get it

[Ace Pace]

No new Windows updates for May?

[Faram]

No new Windows updates for May?

Not yet it will come next week.

Microsoft

Security Bulletin Resources

Last Release: April 12, 2005
Next Scheduled Release: May 10, 2005

[Faram]

Fucked up bug in Firefox

Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution:
Disable JavaScript.

Provided and/or discovered by:
john smith

Be on a lookout for a patch really soon!

[Faram]

Only one patch in May.

Microsoft

Issued: May 10, 2005
Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 – Download the update


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

[Faram]

Fucked up bug in Firefox

Be on a lookout for a patch really soon!

The Patch is Out

D/L Firefox 1.0.4 Here!

[Faram]

Not much info, just the usual MSIE and Outlook is bad, mkaaay!

eeye.com

Date Reported:
March 16, 2005

Vendor:
Microsoft

Description:
A vulnerability in default installations of the affected software that allows malicious code to be executed, contingent upon minimal user interaction.

Severity:
High (Remote Code Execution)

Software Affected:
Internet Explorer
Outlook
Additional miscellaneous titles

Operating Systems Affected:
Windows NT 4.0 (All versions)
Windows 2000 (All versions)
Windows XP (All versions)
Windows 2003 (To be determined)

Status:
Initial report stage

Might seem old, but the patch is overdue according to EEYE

And here is an advisories that expires soon.

eeye.com

Date Reported:
March 29, 2005

Vendor:
Microsoft

Description:
A vulnerability in default installations of the affected software that allows malicious code to be executed with minimal user interaction.

Severity:
High (Remote Code Execution)

Software Affected:
Internet Explorer
Outlook
Additional miscellaneous titles

Operating Systems Affected:
Windows (Various versions to be determined)

Status:
Initial report stage

All uppcomming advisories

eeye.com

[Vertigo1]

http://support.microsoft.com/kb/898060/

source thread

Merged to the updates thread.

~Faram

[Beowulf]

Seven year old security flaw reintroduced in firefox/mozilla.

Of course, it also works on IE

Missed that one, good find

~Faram

[Faram]

One line of HTML code crashed windows.

Insert this to a webpage

Code: Select all

<HTML>
<BODY>
<IMG SRC="http://domain/images/image.jpg" width="9999999" height="9999999">
</BODY>
</HTML>

And you get a BSOD, sorta pathetic!

Original advisory

[Xon]

One line of HTML code crashed windows.

Insert this to a webpage

Code: Select all

<HTML>
<BODY>
<IMG SRC="http://domain/images/image.jpg" width="9999999" height="9999999">
</BODY>
</HTML>

And you get a BSOD, sorta pathetic!

Original advisory

Doesnt work for me, I've got a fully patched Windows XP sp2 with IE running as a limited user and DEP enabled.

[Faram]

Oh Joyt another month another bunch of patches.

Microsoft.com

Just going to list the critical ones.

SMB Not good not good at all!

HTML Help

Internet Explorer

They should be at Windowsupdate really soon.

[Faram]

Javascript dialog spoofing

All browsers at risk.

Here is a 3rd party solution for firefox, if you install this remember to allow sd.net

No Script @ Mozilla

[Faram]

Bulletin Summary:

Microsoft

Critical Bulletins:

Cumulative Security Update for Internet Explorer (896727)
http://go.microsoft.com/fwlink/?LinkId=45781

Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
http://go.microsoft.com/fwlink/?LinkId=48900

Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)
http://go.microsoft.com/fwlink/?LinkId=48902

Important Bulletins:

Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)
http://go.microsoft.com/fwlink/?LinkId=42466

Moderate Bulletins:

Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591)
http://go.microsoft.com/fwlink/?LinkId=48898

Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)
http://go.microsoft.com/fwlink/?LinkId=48899

Re-Released Bulletins:

Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169)
http://www.microsoft.com/technet/securi ... 5-023.mspx

Vulnerability in Microsoft Agent Could Allow Spoofing (890046) (890169)
http://www.microsoft.com/technet/securi ... 5-032.mspx

Now go and patch!

[Faram]

Okay no patches last month, but now Microsoft is back with a vengeance!

There is a shitload of them over at:

Get them buy the dozen!

[Xon]

1 critical and one important

[Keevan_Colton]

1 critical and one important

Title updated.

[Einhander Sn0m4n]

http://it.slashdot.org/it/05/12/29/0039 ... 72&tid=218

I got burned by this shit, so take my warnings seriously. This fucking bullshit is dangerous, and MS has no patch yet. It's a buffer overflow in shimgvw.dll's handling of .wmf (Windows Meta Files) image files. As you can see [WMV MOVIE AHOY!], it's extremely quick and deadly.

It is extremely easy to get burned by this shit, as exploit sites are popping up like wildfire. Even Firefox and Opera users can get hit if you agree to run the file. Another thing: Programs that load a website inside their window tend to use Idiot Exploiter, so this is yet another avenue of infection. I believe this way is how I got whacked (cough*Kazaa Lite*cough).

The Workaround:

Code: Select all

REGSVR32 /U SHIMGVW.DLL

[Faram]

If the regsvr32 /u shimgvw.dll breaks the viewing of .jpg images, to fix it just type

Code: Select all

regsvr32 shimgvw.dll

And all is back to normal.

Also if you use any other application than somthing from Microsoft, JPG viewing works just fine!

Try this one for example.

http://www.irfanview.com/

[Faram]

God Damned this is even worse that I thought!

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.

Please do as Microsoft advices:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

Edit
Fixed a typo windir% to %windir%

[MKSheppard]

I don't have it on my computer; am I still at risk from this bug?

EDIT: by "it" I mean:

regsvr32 -u windir%\system32\shimgvw.dll

comes up as "NOT FOUND"

No wait

tried einy's

REGSVR32 /U SHIMGVW.DLL

and it unloaded it.

[Glocksman]

MS ought to put Ilfak Guilfanov on the payroll.
His patch and more information on the vulnerability.
He also has a vulnerability checker available for download.

[Faram]

regsvr32 -u windir%\system32\shimgvw.dll

comes up as "NOT FOUND"

No wait

tried einy's

REGSVR32 /U SHIMGVW.DLL

and it unloaded it.

I made a typo while cutting and pasting, it should read %windir%

[Einhander Sn0m4n]

MICROSOFT WMF PATCH HERE!