Continued from: MS Security Bulletins - Vol. 3 (http://www.sysopt.com/forum/Forum1/HTML/002377.html)
--------------
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-050)
--------------------------------------
Patch Available for "Server-side Page Reference Redirect" Vulnerability
Originally Posted: December 08, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability in
Microsoft(r) Internet Explorer 4.01, 5 and 5.01, that could allow a
malicious web site operator to view a file on the computer of a visiting
user, provided that the web site operator knew the name and folder of the
file.
Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-050faq.asp
Issue
=====
When a web server performs a server-side redirect, the IE security model
checks the server's permissions on the new page. However, under favorable
timing conditions, it is possible for a web server to create a reference to
a client window that the server is permitted to view, then use a
server-side redirect to a client-local file, and bypass the security
restrictions. The result is that it could be possible for a malicious web
site operator to view files on the computer of a visiting user. The web
site operator would need to know (or guess) the name and location of the
file.
Affected Software Versions
==========================
- Microsoft Internet Explorer 4.01
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.01
NOTE: This patch also includes the previously-released patch for the
"ImportExportFavorites" vulnerability.
NOTE: This and other patches are available from the Microsoft
Download Center
http://www.microsoft.com/downloads/search.asp?Search=Keyword&Value='security_patch'&OpSysID=1
NOTE: Microsoft produces security patches for Internet Explorer 4.01 SP2 and
higher. In the event that this package is applied to Internet Explorer 4.01
SP1, the package states that a fix is not needed. This message is
incorrect, as the vulnerability does exist on Internet Explorer 4.01 SP1 or
any earlier release. If you are using Internet Explorer 4.01 SP1 or any
earlier release, please upgrade to the latest version of Internet Explorer
to resolve this issue.
NOTE: The patch will be available shortly at the WindowsUpdate site. When
this happens, we will modify the bulletin to provide additional
information.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-050: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-050faq.asp
- Microsoft Knowledge Base (KB) article Q246094,
Update Available for "Server-side Page Reference Redirect"
Vulnerability,
http://support.microsoft.com/support/kb/articles/q246/0/94.asp
(NOTE: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- December 08, 1999: Bulletin Created
[This message has been edited by socalgal (edited 12-09-1999).]
socalgal
12-09-1999, 05:06 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-055)
--------------------------------------
Patch Available for "Malformed Resource Enumeration Argument" Vulnerability
Originally Posted: December 09, 1999
Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft(r) Windows NT(r). The vulnerability could cause a Windows NT
machine to stop responding to requests for services.
Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-055faq.asp
Issue
=====
When a specific type of malformed argument is supplied to a resource
enumeration request, the Windows NT Service Control Manager can fail. The
primary effect of the failure is to cause named pipes to fail, which
prevents many other system services from operating. The failure would not
cause the machine to crash, and as a result it might not be obvious to the
operator that the machine was no longer in service. An affected computer can
be put back into service by rebooting.
The resource enumeration request involved in the vulnerability must be made
via IPC, so customers can protect against remote attacks by blocking NetBios
requests at the firewall. Networks that allow anonymous logons can prevent
attacks by disabling the ability for null sessions to submit enumeration
requests; this can be done using the RestictAnonymous registry key. Both of
these measures are good security practices in any case.
Affected Software Versions
==========================
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition
Patch Availability
==================
Windows NT Workstation, Windows NT Server, and Windows NT Server, Enterprise
Edition:
- x86:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16382
- alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16383
Windows NT Server, Terminal Server Edition:
- To be released shortly
NOTE: This and other patches are available from the Microsoft
Download Center http://www.microsoft.com/downloads/search.asp?Search=Keyword&Value='security_patch'&OpSysID=1
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-055: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-055faq.asp
- Microsoft Knowledge Base (KB) article Q246045,
Malformed Resource Enumeration Arguments May Cause
Named Pipes and Other System Services to Fail,
http://support.microsoft.com/support/kb/articles/q246/0/45.asp
(Note: It may take 24 hours from the original posting of this
bulletin for this KB article to be visible.)
- Microsoft Knowledge Base (KB) article Q143474,
Restricting Information Available to Anonymous Users,
http://support.microsoft.com/support/kb/articles/Q143/4/74.asp
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical
Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges .Rain.Forest.Puppy for bringing this issue to our
attention.
Revisions
=========
- December 09, 1999: Bulletin Created.
socalgal
12-16-1999, 04:21 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-056)
--------------------------------------
Patch Available for "Syskey Keystream Reuse" Vulnerability
Originally Posted: December 16, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability in Syskey, a
utility that provides additional protection for Microsoft(r) Windows NT(r)
password databases. The vulnerability allows a particular cryptanalytic
attack to be effective against Syskey, significantly reducing the strength
of the protection it offers. The patch eliminates the vulnerability and
restores strong protection to the password database.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-056faq.asp
Issue
=====
Syskey is a utility that strongly encrypts the hashed password information
in the SAM database in order to protect it against offline password
cracking attacks. However, Syskey reuses the keystream used to perform some
of the encryption. This significantly reduces the strength of the
protection it provides by enabling a well-known cryptanalytic attack to be
used against it.
A patch is available that eliminates the key reuse vulnerability and again
makes it computationally infeasible to mount a brute-force attack against
the SAM database when Syskey has been applied.
Affected Software Versions
==========================
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition
NOTE: Additional security patches are available at the Microsoft
Download Center (www.microsoft.com/downloads)
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-056: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-056faq.asp
- Microsoft Knowledge Base (KB) article Q248183,
Syskey Utility Reuses Keystream,
http://support.microsoft.com/support/kb/articles/q248/1/83.asp
(Note: It may take 24 hours from the original posting of this
bulletin for this KB article to be visible.)
- Microsoft Knowledge Base (KB) article Q143475,
Windows NT System Key Permits Strong Encryption of the SAM,
http://support.microsoft.com/support/kb/articles/q143/4/75.asp
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges Bindview's RAZOR Security Team (www.bindview.com) for
bringing this issue to our attention.
Revisions
=========
- December 16, 1999: Bulletin Created.
U-96
12-16-1999, 04:40 PM
For Netscape users laughing at MSIE vulnerabilities:
RST discovers defective crypto in Netscape mail password saver http://catless.ncl.ac.uk/Risks/20.68.html#subj1
This site is worth looking at: it's where I got the colour printer UID tracking mentioned in another post...
U-96
socalgal
12-16-1999, 04:43 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-057)
--------------------------------------
Patch Available for "Malformed Security Identifier Request" Vulnerability
Originally Posted: December 16, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability in
Microsoft(r) Windows NT(r) 4.0. The vulnerability could allow a malicious
user to cause a Windows NT machine to stop responding to requests for
service. The patch for this vulnerability is included in the
previously-released patch for the "Syskey Keystream Reuse" vulnerability;
customers who have already applied it do not need to take any further
action.
Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-057faq.asp
Issue
=====
The Windows NT Local Security Authority (LSA) provides a number of functions
for enumerating and manipulating security information. One of these
functions, LsaLookupSids(), is used to determine the Security Identifier
(SID) associated with a particular user or group name. A flaw in the
implementation of this function causes it to incorrectly handle certain
types of invalid arguments. If an affected call were made to this function,
it would cause the LSA to crash, thereby preventing the machine from
performing useful work.
An affected machine could be put back into service by rebooting, with the
loss of any work that was in progress at the time. Remote attacks via this
vulnerability would not be possible if NetBios is filtered at the firewall.
Affected Software Versions
==========================
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition
Patch Availability
==================
- This fix for this vulnerability is included in the patch
for the "Syskey Keystream Reuse" vulnerability. (See
http://www.microsoft.com/Security/Bulletins/ms99-056.asp for
more information on this vulnerability). Customers who
have already applied it do not need to take any additional action.
NOTE: Additional security patches are available at the Microsoft Download
Center
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-057: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-057faq.asp
- Microsoft Knowledge Base (KB) article Q248185,
SID Enumeration Function in LSA may not Handle Argument Properly,
http://support.microsoft.com/support/kb/articles/q248/1/85.asp
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Bulletin MS99-056:
Patch Available for "Syskey Keystream Reuse" Vulnerability,
http://www.microsoft.com/Security/Bulletins/ms99-056.asp
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges Anthony Osborne of the Security Labs of Network
Associates for bringing this issue to our attention.
Revisions
=========
- December 16, 1999: Bulletin Created.
HaroldW
12-19-1999, 03:24 PM
In regards to MS Security Bulletins, sometimes you have to dig farther to get the whole truth. I realize these emails came right from Microsoft's Security Bulletin email service.
In this thread MS99-056 and MS99-057 are mentioned to be applicable to NT 4.0, however, when you follow the link to download the patch, it states Service Pack Six is a system requirement. Therby if you do not have NT Service Pack Six installed you are not vulnerable in the area mentioned.
socalgal
12-19-1999, 05:29 PM
Thanks for the reminder HaroldW, that it's always a good idea to read carefully through the FAQ's and other info contained at MS before downloading and installing any patch from these bulletins. It's been said before, but it's worth repeating.
socalgal
12-20-1999, 06:18 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-059)
--------------------------------------
Patch Available for "Malformed TDS Packet Header" Vulnerability
Originally Posted: December 20, 1999
Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft(r) SQL Server(r) 7.0. The vulnerability could cause a SQL server
to crash.
Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-059faq.asp
Issue
=====
If a specially-malformed TDS packet is sent to a SQL server, it can cause
the SQL service to crash. This vulnerability would not allow any
inappropriate access to the data on the server, nor would it allow a
malicious user to usurp any administrative control on the machine. An
affected machine could be put back into service by restarting the SQL
service. This vulnerability could only be remotely exploited if port 1433
were open at the firewall.
Affected Software Versions
==========================
- Microsoft SQL Server 7.0
NOTE: This patch does not locate the SQL folder and install the patched
files into it; instead, you must copy the three files contained in it to
the MSSQL7/BINN folder.
NOTE: Additional security patches are available at the Microsoft Download
Center
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-059: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-059faq.asp
- Microsoft Knowledge Base (KB) article Q248749,
FIX: Possible Denial of Service Attack with Appropriate NULL Bytes in
TDS Header,
http://support.microsoft.com/support/kb/articles/q248/7/49.asp
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges Kevork Belian for bringing this issue to our
attention.
Revisions
=========
- December 20, 1999: Bulletin Created.
socalgal
12-21-1999, 05:15 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-058)
--------------------------------------
Patch Available for "Virtual Directory Naming" Vulnerability
Originally Posted: December 21, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability in
Microsoft(r) Internet Information Server and other products that run atop
it. Under certain conditions, the vulnerability could cause a web server to
send the source code of .ASP and other files to a visiting user.
Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-058faq.asp
Issue
=====
If a file on one of the affected web server products resides in a virtual
directory whose name contains a legal file extension, the normal server-side
processing of the file can be bypassed. The vulnerability would manifest
itself in different ways depending on the specific file type requested, the
specific file extension in the virtual directory name, and the permissions
that the requester has in the directory. In most cases, an error would
result and the requested file would not be served. In the worse case, the
source code of .ASP or other files could be sent to the browser.
This vulnerability would be most likely to occur due to administrator error,
or if a product generated an affected virtual directory name by default.
(Front Page Server Extensions is one such product). Recommended security
practices militate against including sensitive information in .ASP and other
files that require server-side processing, and if this recommendation is
observed, there would be no sensitive information divulged even if this
vulnerability occurred. In any event, an affected virtual directory could be
identified during routine testing of the server.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Site Server 3.0
- Microsoft Site Server Commerce Edition 3.0
NOTE: Additional security patches are available at the Microsoft Download
Center.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-058: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-058faq.asp
- Microsoft Knowledge Base (KB) article Q238606,
Page Contents Visible For Certain Virtual Directory Names,
http://support.microsoft.com/support/kb/articles/q238/6/06.asp
(Note: It may take 24 hours from the original posting of this
bulletin for this KB article to be visible.)
- Microsoft Knowledge Base (KB) article Q186803,
Browsing Folders with Script-Mapped Extensions Returns Errors,
http://support.microsoft.com/support/kb/articles/q186/8/03.asp
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges Adam Hunger for bringing this issue to our attention.
Revisions
=========
- December 21, 1999: Bulletin Created.
socalgal
12-21-1999, 05:20 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-061)
--------------------------------------
Patch Available for "Escape Character Parsing" Vulnerability
Originally Posted: December 21, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability in
Microsoft(r) Internet Information Server and products that run atop it. The
vulnerability could allow files on a web server to be specified using an
alternate representation, in order to bypass access controls of some
third-party applications.
Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-061faq.asp
Issue
=====
RFC 1738 specifies that web servers must allow hexadecimal digits to be
input in URLs by preceding them with the so-called "escape" character, a
percent sign. IIS complies with this specification, but also accepts
characters after the percent sign that are not hexadecimal digits. Some of
these translate to printable ASCII characters, and this could provide an
alternate means of specifying files in URLs.
The vulnerability does not affect IIS; even specifying a file name via this
alternate method does not bypass IIS' access controls. However, third-party
software that runs atop IIS but does not perform canonicalization is
affected by it.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Site Server 3.0
- Microsoft Site Server Commerce Edition 3.0
NOTE: Additional security patches are available at the Microsoft Download
Center
More Information
================
Please see the following references for more information related to this
issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS99-061,
http://www.microsoft.com/security/bulletins/MS99-061faq.asp
- Microsoft Knowledge Base (KB) article Q246401,
IIS may improperly parses specific escape characters,
http://support.microsoft.com/support/kb/articles/q246/4/01.asp
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- RFC 1738,
Uniform Resource Locators,
http://www.ietf.org/rfc/rfc1738.txt
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft acknowledges the ACROS Security Team, Slovenia, for bringing this
issue to our attention.
Revisions
=========
- December 21, 1999: Bulletin Created.
socalgal
12-22-1999, 06:11 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-060)
--------------------------------------
Patch Available for "HTML Mail Attachment" Vulnerability
Originally Posted: December 22, 1999
Summary
=======
Microsoft has released a patch that addresses two issues:
- It eliminates a security vulnerability in the Microsoft(r)
Outlook Express mail client for Macintosh systems. The
vulnerability could allow attachments to HTML mails to be
automatically downloaded onto the user's computer.
- It provides replacements for several digital certificates
that are included in Internet Explorer for Macintosh, and
will expire on December 31, 1999.
Frequently asked questions regarding this patch can be found at
http://www.microsoft.com/security/bulletins/ms99-060faq.asp
Issue
=====
There are two issues here. The first is a security vulnerability found in
Outlook Express 5 for Macintosh. By design, when an HTML mail is received,
the mail content is downloaded onto the user's machine and processed.
However, attachments to the mail should not be downloaded unless the user
requests it. A flaw in Outlook Express 5 for Macintosh causes it to download
all content, including attachments. The vulnerability does not provide a way
for a malicious user to launch the downloaded attachments.
The second issue involves several digital certificates that are included in
Internet Explorer 4.5 for Macintosh. These certificates are due to expire on
December 31, 1999. The patch provides updated certificates, and also adds
support for X509 V3 certificates. There is no security vulnerability
associated with this issue; Microsoft is simply providing the replacement
certificates and X.509 V3 support as a community service.
It is important to note that both the security vulnerability and the
certificate expiration issue affect only Outlook Express and Internet
Explorer on the Macintosh; the Windows versions of these products are not
affected.
Affected Software Versions
==========================
- Microsoft Internet Explorer 4.5 for Macintosh
- Microsoft Outlook Express 5.0 for Macintosh (available as a
stand-alone product or bundled with Internet Explorer 5.0 for Macintosh)
NOTE: Additional security patches are available at the Microsoft Download
Center
More Information
================
Please see the following references for more information related to this
issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS99-060,
http://www.microsoft.com/security/bulletins/MS99-060faq.asp
- Internet Explorer 4.5 Security Issue,
http://www.microsoft.com/mac/IESecIssue/default.asp
- Microsoft Knowledge Base (KB) article Q249082,
Outlook Express 5 for Macintosh Automatically downloads HTML
Mail Attachments,
http://support.microsoft.com/support/kb/articles/q249/0/82.asp
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- December 22, 1999: Bulletin Created.
socalgal
12-23-1999, 07:06 PM
Continued to: MS Security Bulletins - Vol. 5 (http://www.sysopt.com/forum/Forum1/HTML/003113.html)
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.