
Security? Never trust a Microsoft product

Security?
PC Week: C2 rating at last! (Ed Curry gets a mention)
LWN: windows2000test cracked
ZDNet: Usability Hall of Fame, Hall of Shame
Net4TV: WebTV Security Breach: Hijack Code Can Forward Stored Mail
00-Jan ZDNet: How to Steal 2,500 Credit Cards
00-Jan SecurityPortal: Linux vs Microsoft: Who solves security problems faster?
00-Jan ZDNet: Raidnow: What's Wrong With Microsoft Security?
00-Mar CNet: Curador credit card number hack
00-Mar ZDNet: Hackers got Bill Gates' credit card info
01-Jan:


Assorted vulnerabilities


CEGadgets: CE's ActiveSync 2.x Allows Unauthorized Access to Your NT Password
Microsoft: Clip art vulnerability!
00-Apr ZDNet: Frontpage backdoor admission
00-Apr LWN Eric Raymond: Microsoft -- Designed for Insecurity
00-May ZDNet: Microsoft's 'Clippy' a security nightmare?
00-Aug VNUNet: Microsoft Active Directory problems linger
00-Oct CNet: Hacker warns Nasdaq.com of security holes - October 3, 2000
Gerrie Mansur, one of the leaders of Dutch hacking group Hit2000, gained access to the global.asa file from the Web servers of the news sites. This file regulates who gets access to what applications on the server. The file also defines what the applications can do and contains the global settings for the applications, as well as start-up and shutdown routines. Nasdaq's global.asa file contains the password to the site's main database, Mansur said.

The news sites run on IIS (Internet Information Server) software from Microsoft.


01-May CNet: Microsoft races to plug Web security hole
The vulnerability affects servers with Internet printing turned on, the default setting with the software. By sending a specially formatted string of characters, the printing module can be made to give the remote user full access to the Web server.

01-Jun CNet: Hackers hoarding code to exploit server flaw - Tech News - CNET.com
alldas.de defacement archives
01-Jun CNet: Feds warn of rogue code - Tech News - CNET.com


Viruses, worms and e-mail trojans


Internet Explorer holes


CNN: Protection against IE holes may create more problems than solutions
00-Apr CNet: Microsoft browser bug may access private files
00-May Peacefire: Internet Explorer "Open Cookie Jar"
Any Web site that uses cookies to authenticate users or store private information -- including Amazon.com, HotMail, Yahoo Mail, DoubleClick, MP3.com, NYTimes.com, and thousands of others -- could have cookies exposed by Internet Explorer and intercepted by a third-party Web site.

00-Aug Cnet: Bug hunter spies holes in Windows, IE 5.x
00-Oct CNet: IE security bug leaves files vulnerable
00-Oct CNet: Bug hunter finds another hole in Microsoft IE browser
01-Mar Wired: Pirates Experience Office XP
Microsoft has built a "product activation" feature into Windows XP and Office XP which requires users to verify a unique number with Microsoft's servers to use the software. If the software is installed on more than one PC, then the second request for activation will be denied.

But someone has apparently obtained a copy of the corporate version of Office XP, which does not require an activation key, and posted it on Usenet newsgroup alt.binaries.warez.ibm. To further simplify installation, the industrious coders have sewn the serial number into the program.


02-Aug CNet: Microsoft warns of Office, IE risks
Microsoft said Thursday that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers.

The world's leading software maker said that an attacker, using e-mail or a Web page, could use Internet related parts of Office to run programs, alter data and wipe out a hard drive, as well as view file and clipboard contents on a user's system.

Office, which runs on Windows and is used to write documents and crunch numbers, is a major producer of revenue for Microsoft.


02-Oct ZDNet: Microsoft: Users may have to pay for security
Microsoft is considering charging for additional security options, and admits it didn't move on security until customers were ready to pay for it

Microsoft "may offer new security abilities on a paid basis," according to the company's chief technical officer Craig Mundie. The possibility is under consideration within Microsoft's security business unit, recently set up under its own vice president, Mike Nash.

"Our work was diffuse, but we have quite a few security initiatives," said Mundie, speaking on Tuesday at the RSA Conference on IT security in Paris. "Mike is assessing that. The unit will have inputs into products, marketing, training and other areas."


The raw sockets flap
01-Aug Cringely: Gibson on raw sockets
Steve [Gibson] has now decided that there is a simple misunderstanding between him and Microsoft about the issue of raw socket support in Windows XP. He doesn't see Microsoft as evil, just confused. Apparently, thousands of programmers up in Redmond assumed en masse that the only way to allow Windows XP system calls to raw sockets is by allowing XP users to all have administrator privileges. Steve thinks that if he can prove to Microsoft that shutting down USER access to raw sockets won't affect SYSTEM use of sockets, well then just maybe Redmond will see the light and change that aspect of Windows XP. Toward this end, Steve and Jeremy Collake wrote SocketLock, a freeware utility that locks user access to raw sockets in the Windows XP beta version so that Microsoft and the rest of us can see that everything else works just fine.

02-Nov The Register: MS paper touts Unix in Hotmail's Win2k switch
An older MS internal whitepaper from August 2000 on switching Hotmail, which MS acquired in 1997, from front-end servers running FreeBSD and back-end database servers running Solaris to a whole farm running Win2K, reads like a veritable sales brochure for UNIX, but concludes that the company ought to set the right example by ensuring that each division "should eat its own dogfood."

The whitepaper, by MS Windows 2000 Server Product Group member David Brooks, has been posted on the Web by Security Office, which says it discovered the item and numerous other confidential MS documents on a poorly protected server. There are a number of other fascinating documents posted, in which the careful reader will find a veritable treasure map for hacking the citadel, but the one I enjoyed best was the comparison between Win2K and UNIX.


03-Jul Netsys: Advisory: XBOX Dashboard local vulnerability
Microsoft knows that a vulnerability within the XBOX dashboard could have serious impact. This is underlined by the fact that the dashboard checks most of its files against an internal stored SHA1 hash value before it uses them.

For an unknown reason this check is not performed on the audio (.wav) and font (.xtf) files. Unfortunately for Microsoft there exists an exploitable integer underflow vulnerability within the font file loader which can be exploited with a malformed font file. When the XTF header is processed the dashboard reads a 4 byte blocksize field from the font file. This is expected to represent the size of some datablock including the 4 bytes of the size field itself. The blocksize is then allocated and the sizefield is copied into the beginning of the buffer. This is already a possible overflow bug when the field contains the values 0..3. Due to memory alignment this is not exploitable. But then the blocksize is decreased by 4 because the dashboard wants to read the rest of the block into memory. Obviously values of 0..3 will underflow when decreased by 4 and this results in the dashboard wanting to read up to ~4 gigabytes of data from the font file in an e.g. 3 byte buffer.
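The blocksize arithmetic the advisory describes, as an added illustration (not code from the advisory or from the dashboard): a constructed stand-in for the XTF size field, with the unchecked subtraction beside a loader that validates the field first. The header layout, little-endian encoding, sample bytes and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (constructed for this example): a 4-byte little-endian
 * blocksize that counts itself plus the data that follows it. */
#define SIZE_FIELD_LEN 4u
/* Constructed samples: a header claiming blocksize 2, which is less than
 * the 4 bytes it must cover, and a well-formed 8-byte block. */
static const uint8_t kBadHeader[4] = {0x02, 0x00, 0x00, 0x00};
static const uint8_t kGoodBlock[8] = {0x08, 0x00, 0x00, 0x00, 'g', 'l', 'y', 'f'};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The arithmetic the advisory describes: blocksize minus the size field with
 * no lower bound, so 0..3 wraps to just under 4 GiB of "remaining" data. */
uint32_t remaining_len_unchecked(const uint8_t *hdr) {
    return read_le32(hdr) - SIZE_FIELD_LEN;   /* unsigned wrap for 0..3 */
}

/* Hardened loader: bound the field before allocating and subtracting.
 * Returns 0 and a malloc'd copy on success, -1 on a malformed block. */
int parse_block_checked(const uint8_t *file, size_t file_len,
                        uint8_t **out, uint32_t *out_len) {
    if (file_len < SIZE_FIELD_LEN) return -1;        /* truncated header */
    uint32_t blocksize = read_le32(file);
    if (blocksize < SIZE_FIELD_LEN) return -1;       /* would underflow */
    if (blocksize > file_len) return -1;             /* claims more than exists */
    uint8_t *buf = malloc(blocksize);
    if (buf == NULL) return -1;
    memcpy(buf, file, blocksize);                    /* size field + payload */
    *out = buf; *out_len = blocksize;
    return 0;
}

int main(void) {
    uint8_t *buf = NULL;
    uint32_t len = 0;
    printf("unchecked: blocksize 2 -> read %u more bytes\n",
           remaining_len_unchecked(kBadHeader));
    printf("checked: bad header -> %d\n",
           parse_block_checked(kBadHeader, sizeof kBadHeader, &buf, &len));
    if (parse_block_checked(kGoodBlock, sizeof kGoodBlock, &buf, &len) == 0)
        printf("checked: good block -> %u bytes\n", len);
    free(buf);
    return 0;
}
```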


03-Jul CNet: Cracking Windows passwords in seconds
Swiss researchers released a paper on Tuesday outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds, from 1 minute 41 seconds.

The method involves using large lookup tables to match encoded passwords to the original text entered by a person, thus speeding the calculations required to break the codes. Called a time-memory trade-off, the situation means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code.

The results highlight a fact about which many security researchers have worried: Microsoft's manner for encoding passwords has certain weaknesses that make such techniques particularly effective, Philippe Oechslin, a senior research assistant and lecturer at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL), wrote in an e-mail to CNET News.com.

"Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information."


03-Jul NIPC: Potential For Significant Impact On Internet Operations Due To Vulnerability In Microsoft Operating Systems
DHS expects that exploits are being developed for malicious use. (UPDATE: SEVERAL WORKING EXPLOITS ARE NOW IN WIDESPREAD DISTRIBUTION ON THE INTERNET. THESE EXPLOITS PROVIDE FULL REMOTE SYSTEM LEVEL ACCESS TO VULNERABLE COMPUTERS.) Two additional factors are causing heightened interest in this situation: the affected operating systems are in wide spread use, and exploitation of the vulnerability could permit the execution of arbitrary code. DHS and Microsoft are concerned that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to Code Red or Slammer. (UPDATE: NO WORM CODE HAS BEEN REPORTED; HOWEVER, AN INTERNET-WIDE INCREASE IN SCANNING FOR VULNERABLE COMPUTERS OVER THE PAST SEVERAL DAYS REINFORCES THE URGENCY FOR UPDATING AFFECTED SYSTEMS.)

03-Aug CCIA: CCIA urges the Department of Homeland Security to stop using insecure products
Washington, DC - CCIA sent out the following letter to Secretary Tom Ridge on the Department of Homeland Security's recent decision to choose Microsoft as the preferred supplier of desktop and server software. We believe that the Department should lead by example, and ensure that it uses only the most secure technology, software, and procedures. The Department's decision does not foster confidence that this goal is being realized. Design flaws in Microsoft's products have recently been responsible for temporary closure of Maryland's Department of Motor Vehicles offices, failure of the passenger check-in system at Air Canada, an intrusion on the Navy-Marine intranet, and cancellations and suspensions of service on the CSX railroad. Additionally, a Microsoft exploit managed to disable a safety monitoring system at an off-line nuclear power plant.

04-Apr TechWeb: Microsoft Discloses Huge Number Of Windows Vulnerabilities
Among the 14 vulnerabilities are 8 which could allow attackers to run their own code by exploiting such weaknesses as in the Windows log-on process and the Negotiate Security Software Provider (SSP) interface used during authentication. The most severe of the dozen-plus-two vulnerabilities -- six of the bugs are rated 'Critical' -- could allow an attacker to take complete control of a system, including installing programs, deleting data, or creating new user accounts that have full access privileges.

Also in MS04-011's mega-collection of Windows bugs is one that involves SSL (Secure Socket Layer), the security protocol often used to transmit such confidential information as credit card numbers and other financial data. If any SSL-enabled services are present, and both the PCT 1.0 and SSL 2.0 protocols are enabled, a remote attacker could exploit the buffer overflow vulnerability to run code of his own choosing on a vulnerable Windows server. These protocols are turned on by default in Windows NT 4.0 and Windows 2000.

...

This cumulative security update includes four new vulnerabilities in the RPC/DCOM components of Windows -- the same modules that were exploited last summer by the havoc-wreaking MSBlast worm -- and the fix replaces all previous RPC/DCOM patches for Windows NT, 2000, XP, and Server 2003.

The most dangerous of the four new vulnerabilities is in the RPC Runtime Library, which could be exploited by an attacker who crafts a specially-built message to Windows. The hacker could take complete remote control of the system, although Microsoft said that the most likely result of an attack would be a denial of service, which would bring down Windows.

'The RPC/DCOM Runtime vulnerability should be of special concern to all users,' said Gullotto. 'There's great potential for another worm that exploits this.'

Microsoft's third bulletin of the day involves Outlook Express (OE), the free e-mail client bundled with Windows. MS04-013 outlines the problem, which affects versions 5.5 SP2, 6.0 SP1, and 6.0 on Server 2003. An attacker who builds malicious URLs could run HTML code in the Local Security zone of Internet Explorer, possibly resulting in a takeover of the system.


Privacy sneakiness

More on Microsoft's product quality