Here is an article about how the NT source code was leaked, and apparently
even DOS source code was leaked back in the day, but no one cared because it
was so old. I now ask Microsoft: how long will it be before Microsoft has new
operating systems with new source code? Wikipedia mentions that Windows 7 will
use the Windows NT source code, much to my dismay. How about the successor to
Windows 7? Will people finally get an operating system with new source code
that will be a relief from the tired-out code that has caused so many
security problems?

http://news.bbc.co.uk/1/hi/technology/3485545.stm

http://en.wikipedia.org/wiki/Windows_7

Re: Source Code by Paul

Paul
Fri Aug 29 07:34:54 CDT 2008

On Fri, 29 Aug 2008 04:38:01 -0700, Dan wrote:

> Here is an article about how the NT source code was leaked and apparently
> even DOS source code was leaked back in the day but no one cared because it
> was so old. I now ask Microsoft how long will it be before Microsoft has new
> operating systems with new source code. Wikipedia mentions Windows 7 will
> use the Windows NT source code much to my dismay. How about the successor to
> Windows 7 will people finally get an operating system with new source code
> that will be a relief from the tired out code that has caused so many
> security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7

<sigh>

Here we go again. That source code leaked over 4 years ago and it wasn't
the entire code base. If there were going to be exploits based on the
leaked source code we would have seen them a long, long time ago.
On the other hand, in a lot of your long rambling, off-topic rants you tout
the wonders and virtues of open source. Which is it Dan?

You also complain that "tired out" source code is responsible for "so many
security problems" yet you continue with your ludicrous suggestion that
Windows 98 is inherently more secure than is Vista. Yet you can't see the
contradiction in the statements you make.

You wonder why I respond in the negative to most of your posts? It is
because they don't make any logical sense and the positions you espouse are
irresponsible, dangerous, and should not be followed by anyone.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
fortune: No such file or directory

Re: Source Code by Dan

Dan
Fri Aug 29 12:48:11 CDT 2008

The only true solution is a combination of open source and closed source
code, including 9x, NT and Unix/Linux, within a defense network structure.
Some computers would be off-line, some computers would be behind reinforced
steel doors with limited access and information would not be available to
people only on a need-to-know basis. We are not there yet but Microsoft is
secretly working on new source code, Paul, and it will just take time and
patience on everyone's part, especially myself. Thank you for your viewpoint.
Have a nice day and thank you for bearing with me with my long rambling
posts --- you are a good guy. <smile>

"Paul Adare - MVP" wrote:

> On Fri, 29 Aug 2008 04:38:01 -0700, Dan wrote:
>
> > Here is an article about how the NT source code was leaked and apparently
> > even DOS source code was leaked back in the day but no one cared because it
> > was so old. I now ask Microsoft how long will it be before Microsoft has new
> > operating systems with new source code. Wikipedia mentions Windows 7 will
> > use the Windows NT source code much to my dismay. How about the successor to
> > Windows 7 will people finally get an operating system with new source code
> > that will be a relief from the tired out code that has caused so many
> > security problems.
> >
> > http://news.bbc.co.uk/1/hi/technology/3485545.stm
> >
> > http://en.wikipedia.org/wiki/Windows_7
>
> <sigh>
>
> Here we go again. That source code leaked over 4 years ago and it wasn't
> the entire code base. If there were going to be exploits based on the
> leaked source code we would have seen them a long, long time ago.
> On the other hand, in a lot of your long rambling, off-topic rants you tout
> the wonders and virtues of open source. Which is it Dan?
>
> You also complain that "tired out" source code is responsible for "so many
> security problems" yet you continue with your ludicrous suggestion that
> Windows 98 is inherently more secure than is Vista. Yet you can't see the
> contradiction in the statements you make.
>
> You wonder why I respond in the negative to most of your posts? It is
> because they don't make any logical sense and the positions you espouse are
> irresponsible, dangerous, and should not be followed by anyone.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> fortune: No such file or directory
>

Re: Source Code by Paul

Paul
Fri Aug 29 13:15:40 CDT 2008

On Fri, 29 Aug 2008 10:48:11 -0700, Dan wrote:

> The only true solution is a combination of open source and closed source
> codes including 9x, NT and Unix/Linux within a defense network structure.

According to whom exactly? Dan, the super-duper security expert? Simply
making a statement doesn't make it true. You've offered no reasoning behind
your opinions because you don't understand the issues here.

> Some computers would be off-line, some computers would be behind reinforced
> steel doors with limited access and information would not be available to
> people only on a need to know basis.

Again, simply some off the cuff statements with no real understanding of
the issues at hand.

> We are not there yet but Microsoft is
> secretly working on a new source code, Paul and it will just take time and
> patience on everyone's part especially myself. Thank you for your viewpoint.
> Have a nice day and thank you with bearing with me with my long rambling
> posts --- you are a good guy. <smile>

And you're attempting to pass yourself off as some kind of security expert
with general statements that don't mean anything at all, with no solid
understanding of how computer security even works, and worse, you're stuck
on the absurd notion that since Windows 98 runs on MS-DOS it is
inherently more secure than XP or Vista. Ridiculous.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
You have a tendency to feel you are superior to most computers.

Re: Source Code by Roger

Roger
Fri Aug 29 09:51:51 CDT 2008

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:22B13749-E86E-4E83-B1DC-AA66C4D11131@microsoft.com...
> Here is an article about how the NT source code was leaked and apparently
> even DOS source code was leaked back in the day but no one cared because
> it
> was so old. I now ask Microsoft how long will it be before Microsoft has
> new
> operating systems with new source code. Wikipedia mentions Windows 7 will
> use the Windows NT source code much to my dismay. How about the successor
> to
> Windows 7 will people finally get an operating system with new source code
> that will be a relief from the tired out code that has caused so many
> security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7
>
>

Dan,
Do you not understand that anyone who could shed some light on what
you sometimes indicate in your questions would not provide that info even
in a private discussion?
You seem to feel that the current source, which obviously would be the
basis of a next generation of the source tree, is tired old error-filled
code.
Yet obviously you do not have the basis on which to make that assessment
(i.e. you are without access to the code tree). So how can you believe in
what you say? Don't you recognize that the large majority of patches that
get released are for software that sits way high on the architecture stack,
up above the kernel/executive and even, for the most part, the core services?
Can you actually believe that Windows Server could have been transformed
into versions factored such as Server Core without significant investment in
reworking the source? Or that the transformation from the Win32 API to
the .NET framework at the upper levels could have happened without
significant new code?
I see your posts repeatedly attempting to get at info about what MS is
doing with Windows development, but the implications of what you say
and claim as fact just don't make much sense. For example, look at the
history of sendmail in the *nix variants. This has been the source of
endless security flaws over the decades, but has it ever undergone a complete
or even majority rewrite? How many times has the code for
the kernel and core of Linux seen systemic rewrites? Think about it.
Things just don't happen the way you seem to advocate, not anywhere,
except perhaps when there is a new OS developed ex novo.
Roger



Re: Source Code by FromTheRafters

FromTheRafters
Fri Aug 29 21:25:44 CDT 2008


"Dan" <Dan@discussions.microsoft.com> wrote in message
news:22B13749-E86E-4E83-B1DC-AA66C4D11131@microsoft.com...
> Here is an article about how the NT source code was leaked and apparently
> even DOS source code was leaked back in the day but no one cared because
> it
> was so old.

Who cares?

Many OSes are "open source" - anybody can see the source
code - it doesn't make any difference. This 'secrecy' isn't an
issue and neither is the leak.

Look for "security through obscurity" and see what experts
have to say about it.

> I now ask Microsoft how long will it be before Microsoft has new
> operating systems with new source code. Wikipedia mentions Windows 7 will
> use the Windows NT source code much to my dismay. How about the successor
> to
> Windows 7 will people finally get an operating system with new source code
> that will be a relief from the tired out code that has caused so many
> security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7




Re: Source Code by Dan

Dan
Sat Aug 30 03:22:00 CDT 2008


http://en.wikipedia.org/wiki/Security_through_obscurity

http://slashdot.org/features/980720/0819202.shtml

I see the slashdot article does not think it is a good idea but why not have
a multi-layered safety and security structure --- e.g.

Vista --- external defense of NT

Windows 98 Second Edition --- internal safety of 9x and DOS -- reason being
less services, no or at least limited remote access --- meant to stand-alone
and not be networked with everything else ---- just an approach for now until
Microsoft has developed a true and good replacement to the NT source code --
now companies want to have backups of course --- just check out secunia.com
and see all the active vulnerabilities against Windows XP Home and
Professional and Windows 2000 Professional and even some coming against
Windows Vista -- remember Windows 98 Second Edition was supported from 1999
all the way until July 11, 2006 and that is certainly a long time to help
harden the operating system --- it has the life and time to prove that it is
strong

Mozilla Firefox --- supports 256 bit AES cipher strength -- not supported in
IE until Windows Vista

Use open source technologies like Spywareblaster to help prevent baddies
from getting on to your machine

practice safe web surfing methods --- reading in plain text, not using
flash, blocking remote code

keep all software updated

have important computers locked securely in internal rooms with limited access

information only given in companies and technology to their workers on an as
needed basis

workers provided access only with what they need and granted additional
access as trust and skills are built --- give the workers less than they need
and slowly build it up -- although frustrated workers --- safer network and
less likely the company secrets will disappear

treat intranet carefully --and have special dedicated computers for a
minority of workers who need to use VPN to access the company's intranet---

have customized settings and numerous honeypots within the company's
intranet and other methods to catch hackers and deal with attack as needed
and report to proper authorities --- asap --- e.g. letting us-cert.gov be
priority number 1

need to implement old-school technologies like wired phones with filters and
treat all information as already compromised because then we can see what has
been compromised and remember without wires the information is freely flowing
through the air and can easily be picked up and sometimes deciphered even if
encrypted if a strong enough encryption has not been used --- what about
someone stealing a session cookie and using it to access the user's email
account?

work backwards like everything has been compromised at the company and then
study our history to see what methods were effective in the past and not
being used today -- for example certain hardware technologies that were great
and laid by the wayside for only a software only or a software primarily
approach method --- we need to use it all and quickly and have stop-gap
methods while better methods can be developed in the future to help safeguard
everyone

these are just ideas and open to discussion and interpretation and I know I
do not know networking like many of the experts do but at least my small
voice may help others use their brains more to help develop better
information security and safety methods for the future

"FromTheRafters" wrote:

>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:22B13749-E86E-4E83-B1DC-AA66C4D11131@microsoft.com...
> > Here is an article about how the NT source code was leaked and apparently
> > even DOS source code was leaked back in the day but no one cared because
> > it
> > was so old.
>
> Who cares?
>
> Many OSes are "open source" - anybody can see the source
> code - it doesn't make any difference. This 'secrecy' isn't an
> issue and neither is the leak.
>
> Look for "security through obscurity" and see what experts
> have to say about it.
>
> > I now ask Microsoft how long will it be before Microsoft has new
> > operating systems with new source code. Wikipedia mentions Windows 7 will
> > use the Windows NT source code much to my dismay. How about the successor
> > to
> > Windows 7 will people finally get an operating system with new source code
> > that will be a relief from the tired out code that has caused so many
> > security problems.
> >
> > http://news.bbc.co.uk/1/hi/technology/3485545.stm
> >
> > http://en.wikipedia.org/wiki/Windows_7
>
>
>
>

RE: Source Code by Anteaus

Anteaus
Sat Aug 30 03:41:00 CDT 2008


The fundamental issue with the NT vulnerabilities is not strictly the fault
of Microsoft coders, but is with the preceding code on which NT was based,
which contained numerous unchecked buffers. It's a failing of the C language
with its lack of any checks on variable bounds, and which therefore requires
the coder to perform the near-impossible task of setting traps for every way
in which the program could be presented with oversize data. The majority of
NT exploits operate on the crude principle of over-filling a data buffer to
the point where the data over-writes an adjacent piece of machine-code in
memory. The next time this code runs, your Trojan gets launched. The failing
here is in the programming-language itself not providing any protection
against this kind of exploit.

It is also perfectly true that Windows 9x is a far more secure OS. In fact,
its main weakness is in having Internet Explorer built-in. Without that
attack-vector it is surprisingly hard to exploit.

"Dan" wrote:

> Here is an article about how the NT source code was leaked and apparently
> even DOS source code was leaked back in the day but no one cared because it
> was so old. I now ask Microsoft how long will it be before Microsoft has new
> operating systems with new source code. Wikipedia mentions Windows 7 will
> use the Windows NT source code much to my dismay. How about the successor to
> Windows 7 will people finally get an operating system with new source code
> that will be a relief from the tired out code that has caused so many
> security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7
>
>

RE: Source Code by Dan

Dan
Sat Aug 30 05:26:01 CDT 2008

Exactly, Anteaus. Thank you, Thank you, Thank you! Thus, the user can use
Mozilla Firefox instead while having Internet Explorer installed. Heck, I am
posting using Windows 98 Second Edition and have Mozilla Firefox 2.0.0.16
installed and it works great. You just add in SpywareBlaster and a few other
programs to your security and safety mix and customize your settings and
Windows 98 Second Edition runs like a champ. My only major issue was with
the memory which I downgraded from 2 gigabytes in my multi-boot and
multi-hard drive machine to 512 megabytes and using the memory management
settings it now works like a champ. The majority of problems I had with
Windows 98 Second Edition had to do with poorly written software drivers in
the past by 3rd party companies and that is what led to so many blue screens
of death. Please see secunia.com for confirmation of this:

http://msdn.microsoft.com/en-us/library/aa366525(VS.85).aspx (memory stuff)

http://www.aumha.org/win4/a/memmgmt.php

http://secunia.com/product/13/?task=advisories (for Windows 98 Second Edition)

{highest rated unpatched is less critical}

http://secunia.com/product/22/?task=advisories (for Windows XP Professional)

{highest rated unpatched is moderately critical}

http://secunia.com/product/13223/?task=advisories {for Windows Vista}

{highest rated is less critical but I find this one that targets XP Pro and
Vista disturbing}

http://secunia.com/advisories/29867/

Solution:
Microsoft recommends specifying a WPI (Worker Process Identity) for an
application pool (please see the Microsoft advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Microsoft (KB951306):
http://www.microsoft.com/technet/security/advisory/951306.mspx

Now as you can see, we all have some work to do on fixing these bugs so you
can all continue to trash me as most of you have seen fit to do but since
this involves the world and computing, I suggest we get answers to these
problems and work on developing fixes so all our computers are not hacked too
easily by hackers.


"Anteaus" wrote:

>
> The fundamental issue with the NT vulnerabilities is not strictly the fault
> of Microsoft coders, but is with the preceding code on which NT was based,
> which contained numerous unchecked buffers. It's a failing of the C language
> with its lack of any checks on variable bounds, and which therefore requires
> the coder to perform the near-impossible task of setting traps for every way
> in which the program could be presented with oversize data. The majority of
> NT exploits operate on the crude principle of over-filling a data buffer to
> the point where the data over-writes an adjacent piece of machine-code in
> memory. The next time this code runs, your Trojan gets launched. The failing
> here is in the programming-language itself not providing any protection
> against this kind of exploit.
>
> It is also perfectly true that Windows 9x is a far more secure OS. In fact,
> its main weakness is in having Internet Explorer built-in. Without that
> attack-vector it is surprisingly hard to exploit.
>
> "Dan" wrote:
>
> > Here is an article about how the NT source code was leaked and apparently
> > even DOS source code was leaked back in the day but no one cared because it
> > was so old. I now ask Microsoft how long will it be before Microsoft has new
> > operating systems with new source code. Wikipedia mentions Windows 7 will
> > use the Windows NT source code much to my dismay. How about the successor to
> > Windows 7 will people finally get an operating system with new source code
> > that will be a relief from the tired out code that has caused so many
> > security problems.
> >
> > http://news.bbc.co.uk/1/hi/technology/3485545.stm
> >
> > http://en.wikipedia.org/wiki/Windows_7
> >
> >

Re: Source Code by Alun

Alun
Sun Aug 31 16:01:13 CDT 2008

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message
news:72493273-1D86-4C0F-A43B-DC859EF96246@microsoft.com...
> The fundamental issue with the NT vulnerabilities is not strictly the
> fault
> of Microsoft coders, but is with the preceding code on which NT was based,
> which contained numerous unchecked buffers. It's a failing of the C
> language
> with its lack of any checks on variable bounds, and which therefore
> requires
> the coder to perform the near-impossible task of setting traps for every
> way
> in which the program could be presented with oversize data. The majority
> of
> NT exploits operate on the crude principle of over-filling a data buffer
> to
> the point where the data over-writes an adjacent piece of machine-code in
> memory. The next time this code runs, your Trojan gets launched. The
> failing
> here is in the programming-language itself not providing any protection
> against this kind of exploit.

No, it's in the programmers and designers who used this programming language
for networked applications without taking appropriate protections.

I've said it before, and I'll repeat it once more:

Writing network code is hard, because you only get to write one half of the
application. And the guy writing the other half may very well be a lunatic
who's out to abuse your code, or he may simply be an idiot who didn't
understand the specifications the same way you did.

Either way, you have to write network-capable code differently from
standalone code.

Of course, the same should be said of any code that takes input from any
source other than itself, whether that's through reading files on the hard
drive, reading key-strokes from the user or mouse movements.

> It is also perfectly true that Windows 9x is a far more secure OS. In
> fact,
> its main weakness is in having Internet Explorer built-in. Without that
> attack-vector it is surprisingly hard to exploit.

That's an astonishing claim, and I'd really like to see you back it up.

While it is certainly true that Windows 95, 98 and ME were running fewer
servers / services, there are other factors working against it:
1. Much of the underlying code was written with the understanding that it
was not going to be networked - NT code was written with networking in mind
from day one, so it considered the concept that unwanted data might be
coming in.
2. Windows 9x used FAT as the underlying file system, which has very weak
protection - the most you can do is mark a file read-only, hidden, or
system, and even then, every user on the system has complete access to
remove that marking. NT had the concept of users and groups built into its
file system, NTFS, allowing you to mark system files and important
applications or data such that only authorised user accounts can access
them.
3. Any user can install a driver or an application in Windows 9x; in NT,
only an administrator can do so.

Applying new source code blindly is not going to solve the problems.
Improving the source code based on the lessons learned from old mistakes -
that's what will fix things, whether it's done through completely new code,
or a rewrite or modification of the old code.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.




Re: Source Code by FromTheRafters

FromTheRafters
Sun Aug 31 17:46:39 CDT 2008

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message
news:72493273-1D86-4C0F-A43B-DC859EF96246@microsoft.com...
>
> The fundamental issue with the NT vulnerabilities is not strictly the
> fault
> of Microsoft coders, but is with the preceding code on which NT was based,
> which contained numerous unchecked buffers.

Due to poorly written source code, or faults in the compiler
used for the translation.

> It's a failing of the C language with its lack of any checks on variable
> bounds,
> and which therefore requires the coder to perform the near-impossible task
> of setting traps for every way in which the program could be presented
> with
> oversize data.

Not too difficult, really. Input subroutines that truncate the data
to fit the buffer.

> The majority of NT exploits operate on the crude principle of over-filling
> a data buffer to the point where the data over-writes an adjacent piece of
> machine-code in memory. The next time this code runs, your Trojan gets
> launched.

Something like that.

> The failing here is in the programming-language itself not providing any
> protection against this kind of exploit.

http://en.wikipedia.org/wiki/Type_safety

This is somewhat backward. Type safety attempts to avoid errors
the *programmer* is likely to make - it is not the language at fault
it is the error prone human, or sometimes the compiler itself can
introduce flaws.

http://www.cigital.com/news/index.php?pg=art&artid=70

> It is also perfectly true that Windows 9x is a far more secure OS.

Wrong, compared to modern OSes Win9x had *no* security at all.
In fact, even compared to its contemporaries it had *no* security.

> In fact, its main weakness is in having Internet Explorer built-in.
> Without that attack-vector it is surprisingly hard to exploit.

This is just wrong. Although IE was a major vector of attack, the
result of successfully attacking IE's low hanging fruit was often
complete control of the machine - a fault of the OS's security
model.

> "Dan" wrote:

Something...using the words, but not speaking the language.

[snipped]
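To make concrete what Anteaus, Alun and FromTheRafters are arguing about above, here is an added example; it is my own code, not code from any poster in this thread and not Microsoft code. It assumes a constructed wire format (one length byte followed by that many payload bytes) and a receiver that keeps the payload in a fixed 16-byte buffer. The unchecked copy Anteaus describes is shown only in a comment and never run. The two runnable parsers implement Alun's stance (verify every claim the peer makes before acting on it) and FromTheRafters' suggestion (truncate the input to fit the buffer), and the result codes show why truncation is the weaker of the two: it stops the overflow but silently drops data, which the caller then has to notice.

```c
/* Added example, not code from any poster in this thread.
 * Constructed wire format: one length byte, then that many payload bytes.
 * The receiver keeps the payload in a fixed 16-byte buffer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16

enum parse_result {
    PARSE_OK = 0,           /* payload copied in full */
    PARSE_TRUNCATED = 1,    /* copied, but bytes were dropped to fit */
    PARSE_SHORT_INPUT = -1, /* length byte claims more bytes than were received */
    PARSE_TOO_LONG = -2     /* length byte claims more than the buffer holds */
};

struct message {
    uint8_t payload[PAYLOAD_MAX];
    size_t payload_len;
};

/* The unchecked pattern Anteaus describes, kept as a comment and never run:
 *
 *     size_t len = in[0];
 *     memcpy(out->payload, in + 1, len);   // len can be 255; the buffer holds 16
 *
 * C does not stop the copy at the end of payload[]; whatever the peer sent
 * lands on the neighbouring memory instead.
 */

/* Strict policy: the peer may be hostile or confused (Alun's point), so every
 * claim in the message is checked before a single byte is copied. On failure
 * *out is left untouched. */
enum parse_result parse_message_strict(const uint8_t *in, size_t in_len,
                                       struct message *out)
{
    if (in_len < 1)
        return PARSE_SHORT_INPUT;
    size_t len = in[0];
    if (len > in_len - 1)
        return PARSE_SHORT_INPUT;   /* claim exceeds what actually arrived */
    if (len > PAYLOAD_MAX)
        return PARSE_TOO_LONG;      /* claim exceeds the buffer: reject */
    memcpy(out->payload, in + 1, len);
    out->payload_len = len;
    return PARSE_OK;
}

/* Truncating policy (FromTheRafters' suggestion): cut the data to fit the
 * buffer. The overflow is prevented, but data is silently lost, so the
 * function at least reports that it happened. */
enum parse_result parse_message_truncating(const uint8_t *in, size_t in_len,
                                           struct message *out)
{
    if (in_len < 1)
        return PARSE_SHORT_INPUT;
    size_t len = in[0];
    if (len > in_len - 1)
        return PARSE_SHORT_INPUT;   /* still never read past the received bytes */
    enum parse_result r = PARSE_OK;
    if (len > PAYLOAD_MAX) {
        len = PAYLOAD_MAX;
        r = PARSE_TRUNCATED;
    }
    memcpy(out->payload, in + 1, len);
    out->payload_len = len;
    return r;
}

/* Builds a constructed oversize message: length byte 200 followed by 200 'A'
 * bytes. Returns the number of bytes written (201), or 0 if cap is too small. */
size_t make_hostile_message(uint8_t *buf, size_t cap)
{
    const size_t claimed = 200;
    if (cap < claimed + 1)
        return 0;
    buf[0] = (uint8_t)claimed;
    memset(buf + 1, 'A', claimed);
    return claimed + 1;
}

int main(void)
{
    uint8_t good[] = {5, 'h', 'e', 'l', 'l', 'o'};   /* well-formed, 5 bytes */
    uint8_t hostile[256];
    size_t hostile_len = make_hostile_message(hostile, sizeof hostile);
    struct message m;
    enum parse_result r;

    r = parse_message_strict(good, sizeof good, &m);
    printf("strict/good:        %d (payload_len %zu)\n", r, m.payload_len);
    r = parse_message_strict(hostile, hostile_len, &m);
    printf("strict/hostile:     %d (rejected, buffer untouched)\n", r);
    r = parse_message_truncating(hostile, hostile_len, &m);
    printf("truncating/hostile: %d (payload_len %zu)\n", r, m.payload_len);
    return 0;
}
```

Both parsers check the claimed length against the bytes actually received before anything else; that is the check the commented-out pattern lacks, and it is also the check Alun's "the other half may be an idiot or a lunatic" remark is really about. The strict parser is the one to prefer: a message that does not fit is a protocol violation, and rejecting it is cheaper than reasoning later about which half of a truncated payload the application acted on.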



Re: Source Code by Dan

Dan
Mon Sep 01 05:44:01 CDT 2008

Warning: this is a super-long post and may contain some repetition because of
the hour that it was composed -- thank you so much for your kindness and
support


Here is more evidence --- Note copy and copy so code is contained in post

http://secunia.com/product/1/?task=advisories

http://secunia.com/advisories/7793/

Secunia Advisory: SA7793
Release Date: 2002-12-30
Last Update: 2003-01-27


Critical: Moderately critical
Impact: System access

Where: From remote

Solution Status: Unpatched


OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 95
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

This advisory is currently marked as unpatched!

Description:
Microsoft Windows is flawed in the way it trusts certificates. Microsoft
Windows File Protection will automatically trust software that has been
digitally signed with certificates rooted in any of the Trusted Root
Certification Authorities.

This can be abused by malicious persons to sign any maliciously designed
code and install it on systems without alerting the user, because Windows
"trusts" root certificates even if they should only be used for signing SSL
certificates and not signing code. This could be done anonymously by using:
http://www.freessl.com/

Also Windows is designed to trust every version of previously published code
from .CAT files, this allows malicious persons to replace new code with old
buggy and vulnerable code.

This problem exists even if you have applied MS02-050 to prevent ID spoofing
with digital signatures.

Solution:
In our opinion no operating system or software should trust the source or
origin of software or digital signatures by default. This should always be
verified by a system administrator or other capable person. We recommend that
you configure your Windows systems to trust as few root certificates as
possible and instruct your users about the consequences (ie. they are
prompted each time they enter an SSL site).

In addition you should change the security settings in Internet Explorer so
that normal users cannot accept additional ActiveX components.

Required root certificates:
http://support.microsoft.com/default.aspx?scid=KB;en-us;293781&

How to remove "trusted" root certificates:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;293819

Windows File Protection may not start:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;296241

Provided and/or discovered by:
Forensics.org

Changelog:
20/01-2003 It has been reported that systems with this patch still may be
fooled, if the certificate has expired, as the user will be warned about the
certificate being expired but not that it is spoofed.

hmm, certainly sounds serious and notice how Windows 98 Second Edition is
not on the list but Windows 95, Windows 2000 and Windows XP are. In
addition, let us see more examples and remember I am ignoring just privilege
escalations and denial of service errors because I don't see those as too
critical to operations.
Now this next one has only been partially fixed and it even makes one wonder
whether it could be properly executed on Windows Vista and it is highly
critical and includes system access and it even hits Windows 98 Second
Edition as well as all the way back to Windows NT and this should be priority
number one for Microsoft to patch, imo.

http://secunia.com/advisories/13645/

Secunia Advisory: SA13645
Release Date: 2004-12-25
Last Update: 2005-11-21


Critical: Highly critical
Impact: DoS, System access

Where: From remote

Solution Status: Partial Fix (only a partial fix --- what gives Microsoft
--?)


OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millenium
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows NT 4.0 Workstation
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Embedded
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2004-1049, CVE-2004-1305, CVE-2004-1306, CVE-2004-1361

Description:
Flashsky has reported some vulnerabilities in Microsoft Windows, allowing
malicious people to compromise a vulnerable system or cause a DoS (Denial of
Service).

1) The vulnerability is caused due to an integer overflow in the LoadImage
API which can be exploited to cause a heap based buffer overflow. This can be
exploited through a website by using maliciously crafted icon, cursor,
animated cursor, or bitmap files.

Successful exploitation allows execution of arbitrary code.

2) Some errors in the Windows Kernel when parsing ANI files may cause the
system to crash. This can be exploited through specially crafted ANI files.

3) The vulnerability is caused due to a heap overflow and an integer
overflow in "winhlp32.exe" when handling HLP files. This can be exploited
through specially crafted HLP files.

All versions of Microsoft Windows are affected except Microsoft Windows XP
with Service Pack 2.

Solution:
3) Do not visit untrusted web sites and don't open documents from untrusted
sources.

1+2) Microsoft has issued patches.

Microsoft Windows NT Server 4.0 (requires Service Pack 6a):
http://www.microsoft.com/downloads/de...=4604400A-287E-48CC-91B1-BEE44EEA588C

Microsoft Windows NT Server 4.0 Terminal Server Edition (requires Service
Pack 6):
http://www.microsoft.com/downloads/de...=94A0B521-4C39-4D15-AA80-068C30476E6F

Microsoft Windows 2000 (requires Service Pack 3 or Service Pack 4):
http://www.microsoft.com/downloads/de...=722C6C65-3F6C-4029-8EB7-D4612A785E78

Microsoft Windows XP (requires Service Pack 1):
http://www.microsoft.com/downloads/de...=8850954D-57D9-4D23-9AA1-1CCF6085A057

Microsoft Windows XP 64-Bit Edition (requires Service Pack 1):
http://www.microsoft.com/downloads/de...=2325700F-7931-4B0C-A978-BCFF469B8061

Microsoft Windows XP 64-Bit Edition Version 2003:
http://www.microsoft.com/downloads/de...=16A52196-0BD0-4355-9F29-2B26CB0961AF

Microsoft Windows XP Embedded SP1:
http://www.microsoft.com/downloads/de...=aed17ac4-2061-467b-9127-92b539e56f0a

Microsoft Windows Server 2003:
http://www.microsoft.com/downloads/de...=CBCCADF6-449A-4D74-937D-4087A6E6C1C2

Microsoft Windows Server 2003 64-Bit Edition:
http://www.microsoft.com/downloads/de...=16A52196-0BD0-4355-9F29-2B26CB0961AF

Microsoft Windows 98, Microsoft Windows 98 SE, and Microsoft Windows ME:
An update is available via Windows Update.

Updates for the Slovenian, Slovakian, and Thai versions of Windows 98 and
Windows 98 SE are also available:

Slovenian:
http://www.microsoft.com/downloads/de...-88A2-125CB788EA0C&displaylang=sl

Slovakian:
http://www.microsoft.com/downloads/de...-88A2-125CB788EA0C&displaylang=sk

Thai:
http://www.microsoft.com/downloads/de...-88A2-125CB788EA0C&displaylang=th

Provided and/or discovered by:
1) Discovered independently by:
* Flashsky
* eEye Digital Security

2) Flashsky (Microsoft credits Sylvain Bruyere).
3) Keji

Changelog:
2005-01-07: Added links to US-CERT vulnerability note.
2005-01-11: Updated solution. Microsoft has issued patches.
2005-01-12: Added link to eEye Digital Security advisory.
2005-01-19: Added CVE reference.
2005-03-07: Updated advisory.
2005-03-09: Vendor issues updates for Windows 98, Windows 98 SE, and Windows
ME.
2005-11-21: Added patch information for Windows XP Embedded.

Original Advisory:
MS05-002 (KB891711):
http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx

Flashsky:
http://www.xfocus.net/flashsky/icoExp/

eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20050111.html

Other References:
US-CERT VU#625856:
http://www.kb.cert.org/vuls/id/625856

US-CERT VU#697136:
http://www.kb.cert.org/vuls/id/697136

US-CERT VU#177584:
http://www.kb.cert.org/vuls/id/177584


Here is another one, but since it does not have remote access to allow the
malicious user to hack the OS, I am not too interested in it, because I am
interested in errors that rely on remote hacking and allow system access via
remote hacking of the operating system:

http://secunia.com/advisories/16210/

This one affects Windows 98 Second Edition as well as 2000, XP, Server 2000
and 2003, so it may be of interest to some people.

Here is another vulnerability that does not include Windows 98 Second
Edition but is confirmed on Windows 2000 Professional and Windows 2000
Server, as well as on Windows XP Home and Professional:

http://secunia.com/advisories/20061/

Secunia Advisory: SA20061
Release Date: 2006-05-10
Last Update: 2006-05-11

Critical: Less critical
Impact: System access
Where: From remote
Solution Status: Unpatched

OS: Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Datacenter Server
    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows XP Home Edition
    Microsoft Windows XP Professional

CVE reference: CVE-2006-2297

Description:
Rubén Santamarta has discovered a vulnerability in Microsoft Windows, which
potentially can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused due to a boundary error in the Infotech Storage
System Library (itss.dll) when reading a ".CHM" file. This can be exploited
to cause heap corruption and may allow arbitrary code execution via a
specially crafted ".CHM" file.

Successful exploitation requires that the user is e.g. tricked in opening or
decompiling a malicious ".CHM" file using "hh.exe".

The vulnerability has been confirmed in Windows XP SP2 (fully patched) and
also reported in Windows 2000 SP4. Other versions may also be affected.

NOTE: The CHM file format should be considered insecure and treated similar
to an executable file. However, this vulnerability is triggered even when the
user decompiles the file without opening it.

Solution:
The vulnerability will reportedly be fixed in the next Service Pack.

Do not open or decompile untrusted ".CHM" files.

Provided and/or discovered by:
Rubén Santamarta

Changelog:
2006-05-11: Added CVE reference.

Original Advisory:
http://reversemode.com/index.php?opti...&task=view&id=11&Itemid=1

Vendor: Microsoft
Affected By: 182 Secunia advisories
Unpatched: 12% (21 of 182 Secunia advisories)
Most Critical Unpatched: The most severe unpatched Secunia advisory affecting
Microsoft Windows 2000 Professional, with all vendor patches applied, is rated
Moderately critical.

http://secunia.com/product/22/?task=advisories

Vendor: Microsoft
Affected By: 218 Secunia advisories
Unpatched: 14% (30 of 218 Secunia advisories)
Most Critical Unpatched: The most severe unpatched Secunia advisory affecting
Microsoft Windows XP Professional, with all vendor patches applied, is rated
Moderately critical.

Now that we have seen overall vulnerabilities in XP Professional and 2000
Professional as well as others let us compare Windows Vista to Windows 98
Second Edition:

http://secunia.com/product/13223/


http://secunia.com/advisories/29867/

Microsoft Windows Privilege Escalation Vulnerability



Secunia Advisory: SA29867
Release Date: 2008-04-18

Critical: Less critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Unpatched

OS: Microsoft Windows Server 2003 Datacenter Edition
    Microsoft Windows Server 2003 Enterprise Edition
    Microsoft Windows Server 2003 Standard Edition
    Microsoft Windows Server 2003 Web Edition
    Microsoft Windows Server 2008
    Microsoft Windows Storage Server 2003
    Microsoft Windows Vista
    Microsoft Windows XP Professional

CVE reference: CVE-2008-1436

Description:
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an error allowing code running in the
context of NetworkService and LocalService accounts to access resources in
other processes running with the same privileges, but with the ability to
elevate their privileges to LocalSystem.

Successful exploitation allows execution of arbitrary code with LocalSystem
privileges, but requires the ability to run code in an authenticated context
e.g via IIS (when ASP.NET code runs in full trust or via ISAPI
extensions/filters) and SQL Server (when having administrative privileges to
load and run code).

Solution:
Microsoft recommends specifying a WPI (Worker Process Identity) for an
application pool (please see the Microsoft advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Microsoft (KB951306):
http://www.microsoft.com/technet/security/advisory/951306.mspx

Now, why this has not been patched yet is beyond me, since the information
was released on April 18, 2008 and we are now on September 1, 2008, so that is
over 4 months old. The question I must ask everyone is what is going on over
at Microsoft currently with it taking so long for Microsoft to release
patches. And now that Microsoft OSes have been fully examined, let us see the
difference between IE and Mozilla Firefox, shall we:

http://secunia.com/product/12366/?task=advisories

http://secunia.com/advisories/30141/

and here is yet another system access from IE 6 and IE 7 fully patched

Secunia Advisory: SA30141
Release Date: 2008-05-14
Last Update: 2008-05-22

Critical: Less critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Microsoft Internet Explorer 6.x
          Microsoft Internet Explorer 7.x

CVE reference: CVE-2008-2281

Description:
Aviv Raff has discovered a vulnerability in Internet Explorer, which can be
exploited by malicious people to compromise a user's system.

Input passed via links within an HTML file is not being properly sanitised
before being used to generate a printable HTML file. This can be exploited to
inject arbitrary script code, which is executed in local context when a user
is enticed to print a specially crafted HTML document with the "Print table
of links" option enabled.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in Internet Explorer 6 and 7 on a fully
patched Windows XP SP2. Other versions may also be affected.

Solution:
Do not print HTML files from untrusted sources with the "Print table of
links" option.

Provided and/or discovered by:
Aviv Raff

Changelog:
2008-05-22: Added CVE reference.

Original Advisory:
http://aviv.raffon.net/2008/05/14/Int...tCrossZoneScriptingVulnerability.aspx

Are we starting to see a pattern, boys and girls? And now let us see Mozilla
Firefox:

http://secunia.com/product/12434/?task=advisories

Vendor: Mozilla Organization
Affected By: 26 Secunia advisories
Unpatched: 12% (3 of 26 Secunia advisories)
Most Critical Unpatched: The most severe unpatched Secunia advisory affecting
Mozilla Firefox 2.0.x, with all vendor patches applied, is rated Less critical.

http://secunia.com/advisories/27907/

The worst I could find is cross-site scripting, but thankfully no system
access. Now let us see Opera, which people say is so great. It is okay, but
it does not provide users with 256-bit AES encryption and, as far as I know,
has only a maximum cipher strength of 128 bit, and this is the same with
Apple's Safari as well.

http://secunia.com/product/10615/ --- no current vulnerabilities but if
adopted as much as Mozilla Firefox and IE then there will be most likely some
found by hackers


http://secunia.com/product/17989/?task=advisories

the "so called" great Apple has vulnerabilities too in its web browser --
shocked not me --- I am not an Apple fan boy or girl and only use software I
see that is not vulnerable or at least has minimal vulnerabilities


http://secunia.com/product/96/?task=advisories


http://secunia.com/advisories/18963/ (this one is extremely critical and
only has a partial fix by Apple which puts Apple in worse shape than
Microsoft's highly critical vulnerability that only has a partial fix)

Mac OS X File Association Meta Data Shell Script Execution



Secunia Advisory: SA18963
Release Date: 2006-02-21
Last Update: 2006-03-14

Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Partial Fix

OS: Apple Macintosh OS X

CVE reference: CVE-2006-0848

Description:
Michael Lehn has discovered a vulnerability in Mac OS X, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of file
association meta data in ZIP archives (stored in the "__MACOSX" folder) and
mail messages (defined via the AppleDouble MIME format). This can be
exploited to trick users into executing a malicious shell script renamed to a
safe file extension stored in a ZIP archive or in a mail attachment.

This can also be exploited automatically via the Safari browser when
visiting a malicious web site.

Secunia has constructed a test, which can be used to check if your system is
affected by this issue:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Safari
2.0.3 (417.8), Mail 2.0.5 (746/746.2), and Mac OS X 10.4.5.

Solution:
Apply Security Update 2006-002.

NOTE: The update does not completely fix the vulnerability as it is still
possible to trick users into opening malicious shell scripts (masqueraded as
a safe file type) in ZIP archives. Do not open files in untrusted archives.

Provided and/or discovered by:
Michael Lehn

Changelog:
2006-02-22: Added link to US-CERT vulnerability note, and updated
"Description" and "Solution" sections.
2006-02-27: Added CVE reference.
2006-03-02: Updated "Solution" section.
2006-03-03: Updated "Solution" section.
2006-03-14: Vendor issues Security Update 2006-002. Updated "Solution"
section.

Other References:
US-CERT VU#999708:
http://www.kb.cert.org/vuls/id/999708

Thus, you that say that I will just go with Apple and be safe and secure you
can just Dream On because that is Just Not The Case

Now, the real software to use is Ubuntu Linux because see this:

http://secunia.com/product/18611/?task=advisories

Vulnerability Report: Ubuntu Linux 8.04

Vendor: Canonical Ltd.
Affected By: 30 Secunia advisories
Unpatched: 0% (0 of 30 Secunia advisories)
Most Critical Unpatched: There are no unpatched Secunia advisories affecting
this product, when all vendor patches are applied.

Now, I know FAT32 is not as secure as the NTFS file system, but it does
indeed lack the internal safety of the disk operating system and makes it
harder to recover from a hit, because the system administrator can only go
into a recovery console and/or command.com prompt but no true maintenance
operating system. Thus we return to my original argument about software being
fully externally secure with the NT source code of Vista, XP, 2000, NT, etc.
and internally safe with Windows 9x kernel and disk operating system
technology, while using open source software within this closed source
software to provide the ultimate software solution. The combination of closed
source technologies and open source technologies will be the wave of the
future. Heck, does anyone else understand yet that in my case I use Windows 98
Second Edition fully patched, but containing drivers from Windows ME for my
graphics card and drivers from Windows 2000 for my printer, and use Mozilla
Firefox 2.x fully updated for my browsing except when it is needed to use
Internet Explorer, and I just happily browse, surf and email to my heart's
content while of course practicing safe browsing methods such as reading
email in plain text and not allowing Windows Script Automation, because I
don't have Windows Scripting Host installed because I specifically want
everything to be manual. In addition, I notice that I no longer have Blue
Screens of Death because apparently all of these were from poorly written
software drivers from 3rd parties like Creative that did not understand at
first how to program the drivers correctly. The next big challenge I see for
Windows 98 Second Edition is the end of 2008, when Mozilla supposedly will
stop supporting Mozilla Firefox 2.x, which will be the final web browser for
Windows 98 Second Edition. Mozilla Firefox 3.x does not yet support too many
extensions so I don't use it, and also, while supposedly being more secure, it
is too new in my opinion to have proved itself, because like I have mentioned
before I am old school and, like Gary S. Terhune, MVP, do not like things to
be automatically done for me, and how great a thrill it is to go into the
registry (after having a registry backup, of course) and manually edit it,
because how many of you really trust an automatic tool to do what your brain
will allow you to do with the proper study.

Thank you all and to all a great night.

"Alun Jones" wrote:

> "Anteaus" <Anteaus@discussions.microsoft.com> wrote in message
> news:72493273-1D86-4C0F-A43B-DC859EF96246@microsoft.com...
> > The fundamental issue with the NT vulnerabilities is not strictly the fault
> > of Microsoft coders, but is with the preceding code on which NT was based,
> > which contained numerous unchecked buffers. It's a failing of the C language
> > with its lack of any checks on variable bounds, and which therefore requires
> > the coder to perform the near-impossible task of setting traps for every way
> > in which the program could be presented with oversize data. The majority of
> > NT exploits operate on the crude principle of over-filling a data buffer to
> > the point where the data over-writes an adjacent piece of machine-code in
> > memory. The next time this code runs, your Trojan gets launched. The failing
> > here is in the programming-language itself not providing any protection
> > against this kind of exploit.
>
> No, it's in the programmers and designers who used this programming language
> for networked applications without taking appropriate protections.
>
> I've said it before, and I'll repeat it once more:
>
> Writing network code is hard, because you only get to write one half of the
> application. And the guy writing the other half may very well be a lunatic
> who's out to abuse your code, or he may simply be an idiot who didn't
> understand the specifications the same way you did.
>
> Either way, you have to write network-capable code differently from
> standalone code.
>
> Of course, the same should be said of any code that takes input from any
> source other than itself, whether that's through reading files on the hard
> drive, reading key-strokes from the user or mouse movements.
>
> > It is also perfectly true that Windows 9x is a far more secure OS. In fact,
> > its main weakness is in having Internet Explorer built-in. Without that
> > attack-vector it is surprisingly hard to exploit.
>
> That's an astonishing claim, and I'd really like to see you back it up.
>
> While it is certainly true that Windows 95, 98 and ME were running fewer
> servers / services, there are other factors working against it:
> 1. Much of the underlying code was written with the understanding that it
> was not going to be networked - NT code was written with networking in mind
> from day one, so it considered the concept that unwanted data might be
> coming in.
> 2. Windows 9x used FAT as the underlying file system, which has very weak
> protection - the most you can do is mark a file read-only, hidden, or
> system, and even then, every user on the system has complete access to
> remove that marking. NT had the concept of users and groups built into its
> file system, NTFS, allowing you to mark system files and important
> applications or data such that only authorised user accounts can access
> them.
> 3. Any user can install a driver or an application in Windows 9x; in NT,
> only an administrator can do so.
>
> Applying new source code blindly is not going to solve the problems.
> Improving the source code based on the lessons learned from old mistakes -
> that's what will fix things, whether it's done through completely new code,
> or a rewrite or modification of the old code.
>
> Alun.
> ~~~~
> --
> Texas Imperial Software | Web: http://www.wftpd.com/
> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
>
>
>
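
As an added illustration (not code from this thread, from Microsoft, or from any of the advisories quoted above) of the bug class behind the LoadImage advisory (MS05-002: an integer overflow in a size computation that becomes a heap-based buffer overflow) and of Alun Jones's point that C will not bounds-check input for you: the toy image header, the MAX_PIXEL_BYTES cap and every function name below are constructed for this example and bear no relation to the real ICO/BMP formats or to the actual LoadImage code.

```c
/* Constructed toy image header (NOT the real ICO/BMP layout): three
 * little-endian 32-bit fields, width, height and bits-per-pixel, followed
 * by width*height*(bpp/8) bytes of pixel data. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_HDR_LEN 12
#define MAX_PIXEL_BYTES (64u * 1024u * 1024u)   /* constructed policy cap */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The bug class: the product is computed in 32 bits, so oversized dimensions
 * wrap around and a caller would allocate far less than it later copies. */
uint32_t pixel_bytes_unchecked(uint32_t w, uint32_t h, uint32_t bpp) {
    return w * h * (bpp / 8);
}

/* The fix: validate every field, widen before multiplying, and enforce an
 * explicit upper bound. Returns 0 on success, -1 when the header is rejected. */
int pixel_bytes_checked(uint32_t w, uint32_t h, uint32_t bpp, uint32_t *out) {
    if (w == 0 || h == 0 || bpp == 0 || bpp % 8 != 0 || bpp > 32) return -1;
    uint64_t n = (uint64_t)w * h * (bpp / 8);
    if (n > MAX_PIXEL_BYTES) return -1;
    *out = (uint32_t)n;
    return 0;
}

/* Parse a toy image from an untrusted buffer. Allocation happens only after
 * the checked size computation and only if the buffer really holds that much
 * pixel data. Returns a malloc'd pixel buffer, or NULL on any rejection. */
uint8_t *load_toy_image(const uint8_t *buf, size_t len, uint32_t *size_out) {
    if (buf == NULL || len < TOY_HDR_LEN) return NULL;
    uint32_t need;
    if (pixel_bytes_checked(rd_le32(buf), rd_le32(buf + 4),
                            rd_le32(buf + 8), &need) != 0) return NULL;
    if (len - TOY_HDR_LEN < need) return NULL;        /* truncated pixel data */
    uint8_t *pix = malloc(need);
    if (pix == NULL) return NULL;
    memcpy(pix, buf + TOY_HDR_LEN, need);
    *size_out = need;
    return pix;
}

/* Build a constructed header for the demonstration below. */
void make_toy_header(uint8_t *hdr, uint32_t w, uint32_t h, uint32_t bpp) {
    wr_le32(hdr, w); wr_le32(hdr + 4, h); wr_le32(hdr + 8, bpp);
}

int main(void) {
    /* 0x10001 x 0x10000 at 8 bpp really needs 2^32 + 65536 bytes; the
     * unchecked arithmetic reports only 65536, the checked one refuses. */
    printf("unchecked size: %u\n", (unsigned)pixel_bytes_unchecked(0x10001u, 0x10000u, 8));
    uint32_t n;
    printf("checked result: %d\n", pixel_bytes_checked(0x10001u, 0x10000u, 8, &n));

    uint8_t img[TOY_HDR_LEN + 16];        /* honest 2x2 image at 32 bpp */
    make_toy_header(img, 2, 2, 32);
    memset(img + TOY_HDR_LEN, 0xAB, 16);
    uint8_t *pix = load_toy_image(img, sizeof img, &n);
    printf("2x2 image loaded: %s, %u bytes\n", pix ? "yes" : "no", (unsigned)n);
    free(pix);
    return 0;
}
```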

Re: Source Code by Paul

Paul
Mon Sep 01 07:23:55 CDT 2008

On Mon, 1 Sep 2008 03:44:01 -0700, Dan wrote:

> Warning: this is a super-long post and may contain some repetition because of
> the hour that it was composed -- thank you so much for your kindness and
> support
>
>
> Here is more evidence --- Note copy and copy so code is contained in post

You really don't get it do you? Posting 5 year security advisories is
pointless and I can find a ton of really old security advisories that apply
to Windows 98 that don't apply to XP, Windows 2000 (which is pointless
anyway given its age) or Vista.
You're not proving anything to anyone here sport. If you want to use an
old, unsupported OS, go right ahead, be my guest, but do not presume to
come into this news group, which is frequented by a bunch of real security
experts who have forgotten more about computer security than you'll ever
learn and try to make the case that 98 is more secure than XP, Vista,
Server 2003 or 2008.
Why don't you just go away?

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Never trust a computer you can't lift. -- Stan Masor

Re: Source Code by Dan

Dan
Mon Sep 01 07:46:00 CDT 2008

No thanks but thanks for your opinion anyway, Paul

"Paul Adare - MVP" wrote:

> On Mon, 1 Sep 2008 03:44:01 -0700, Dan wrote:
>
> > Warning: this is a super-long post and may contain some repetition because of
> > the hour that it was composed -- thank you so much for your kindness and
> > support
> >
> >
> > Here is more evidence --- Note copy and copy so code is contained in post
>
> You really don't get it do you? Posting 5 year security advisories is
> pointless and I can find a ton of really old security advisories that apply
> to Windows 98 that don't apply to XP, Windows 2000 (which is pointless
> anyway given its age) or Vista.
> You're not proving anything to anyone here sport. If you want to use an
> old, unsupported OS, go right ahead, be my guest, but do not presume to
> come into this news group, which is frequented by a bunch of real security
> experts who have forgotten more about computer security than you'll ever
> learn and try to make the case that 98 is more secure than XP, Vista,
> Server 2003 or 2008.
> Why don't you just go away?
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Never trust a computer you can't lift. -- Stan Masor
>

Re: Source Code by Paul

Paul
Mon Sep 01 07:55:50 CDT 2008

On Mon, 1 Sep 2008 05:46:00 -0700, Dan wrote:

> No thanks but thanks for your opinion anyway, Paul

Then I guess I'll just have to keep on pointing out how ridiculous your
position is and how little you really know.
I can't believe you were cc'ing US-Cert on every email you sent to Steve
Riley. I can just picture the scene in their office when one of your emails
comes in. "Hey, everyone gather around for a laugh, we got another email
from Dan." Followed by uproarious laug