Windows Vista
Operating System / Description / Patch ID
SLES9, SLES10, RedHat 4ES -x86_64 / OV DP6.0 Linux - Core / DPLNX_00142
SLES9, SLES10, RedHat 4ES -x86_64 / OV DP6.0 Linux - Cell Server / DPLNX_00143
Windows Vista, XP, 2008, 2003, 2000 / OV DP6.0 Win - Core / DPWIN_00496
Windows Vista, XP, 2008, 2003, 2000 / OV DP6.0 Win - Cell Server / DPWIN_00501
This vulnerability was verified by the authors on the following platforms:
Windows NT4 SP1
Windows Server 2003 SP2
Windows XP SP3
Windows Vista x32
Windows 7 x32 RC
However, all versions of Windows implementing NTLMv1 are suspected to be
affected.
Word document, the victim's Office Word application is compromised.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in the
Embedded OpenType Font Engine for Windows Vista SP1 (T2EMBED.DLL
version 6.0.6001.18000) and Windows XP SP3 (T2EMBED.DLL version
5.1.2600.5512). Previous versions may also be affected.
Microsoft confirms/reports the following products are vulnerable:
SLES9, SLES10, RedHat 4ES -x86_64 / OV DP6.11 Linux - Media Agent / DPLNX_00137
Windows Vista, XP, 2008, 2003, 2000 / OV DP6.11 Win - Core / DPWIN_00475
Windows Vista, XP, 2008, 2003, 2000 / OV DP6.11 Win - Cell Server /
. Internet Explorer 6sp1 on Windows 2000 sp4
. Internet Explorer 6sp2 on Windows XP sp2
. Internet Explorer 6sp2 on Windows XP sp3
. Internet Explorer 7 on Windows XP sp2
. Internet Explorer 7 on Windows XP sp3
. Internet Explorer 7 on Windows Vista sp1
. Internet Explorer 7 on Windows Vista sp2
. Internet Explorer 7 on Windows Server 2003 sp2 if
Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 7 on Windows Server 2008 if Protected Mode is OFF and
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Office 2007 SP2 running on both
Windows Vista SP2 and Windows 7.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Microsoft released MS12-005 [3] that changes the way that Windows
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@isatools.org]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@abegetchell.com'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> It's about reality & priorities.
>
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
As somewhat indicated in the paper itself, these types of physical DMA attacks are possible against any PC-based OS, not just Windows. If that's true, why is the paper titled around Windows Vista?
I guess it makes headlines faster. But isn't it as important, if not more important, to say all PC-based systems have the same underlying problem? That it's a broader problem needing a broader solution, instead of picking on one OS vendor to get headlines?
[Disclaimer: I'm a full-time Microsoft employee.]
Roger
*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Akamai Download Manager version 2.2.4.8 using
Windows XP SP3 running Internet Explorer 6, 7 & 8 and Windows Vista
running Internet Explorer 8.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
4.1. *Vulnerable platforms*
. Microsoft Windows 2000 up to and including Service Pack 4
. Microsoft Windows Server 2003 up to and including Service Pack 2
. Microsoft Windows XP up to and including Service Pack 3
. Windows Vista up to and including Service Pack 1 (not exploitable
with IE running with Protected mode on)
. Windows Server 2008
5. *Non-vulnerable packages*
. Windows XP SP3
. Windows XP Professional x64 Edition SP2
. Windows Server 2003 SP2
. Windows Server 2003 x64 Edition SP2
. Windows Server 2003 with SP2 for Itanium-based Systems
. Windows Vista SP1 and Windows Vista SP2
. Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
. Windows Server 2008 for 32-bit Systems and Windows Server 2008 for
32-bit Systems SP2
. Windows Server 2008 for Itanium-based Systems and Windows Server
2008 for Itanium-based Systems SP2
-----Original Message-----
From: Abe Getchell [mailto:me@abegetchell.com]
Sent: Sunday, July 20, 2008 12:32 PM
To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
Cc: bugtraq@securityfocus.com
Subject: RE: Windows Vista Power Management & Local Security Policy
So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?
--
'net user " " P@$$w0rd /add'. In between the double quotes, you can
use ALT+0160 to create the blankspace.
Step 3: Attacker creates an interactive scheduled task to run a minute
after creating it. This scheduled task brings up a command prompt as
the NT Authority\SYSTEM account on Windows 2000, XP, and 2003. 'at
11:24 /interactive cmd.exe'. If using Windows Vista, 7, or 2008
Server, the attacker must do all registry editing from the command
line using 'schtasks'.
Step 4: Once the SYSTEM command prompt comes up, open regedit from the
command line.
Step 5: Browse to 'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names'
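The account created in step 2 has a name that is only a non-breaking space (ALT+0160 is U+00A0), so it shows up as an empty column in `net user` and is easy to overlook. The following is an added detection example, not code from the thread above: it flags account-creation records whose target name is blank or contains invisible Unicode characters. The input records are constructed to look like the fields of Windows Security event 4720 (user account created); the field names and sample values are assumptions for the example.

```python
"""Added detection example (not from the thread above): flag newly created
accounts whose names are blank or carry invisible characters, such as the
ALT+0160 (U+00A0 NO-BREAK SPACE) name from step 2. Input is a list of
constructed records shaped like Security event 4720 (user account created)."""
import unicodedata

# Unicode categories with no visible glyph: space separators (Zs, which
# includes U+00A0), control characters (Cc) and format characters (Cf, e.g.
# the zero-width space U+200B). A plain U+0020 space is allowed inside a name.
_INVISIBLE = {"Zs", "Cc", "Cf"}


def hidden_chars(name):
    """Code points in `name` that render as nothing but are not U+0020."""
    return [f"U+{ord(c):04X}" for c in name
            if c != " " and unicodedata.category(c) in _INVISIBLE]


def is_blank_name(name):
    """True when the whole name would show as an empty column in `net user`."""
    return name == "" or all(unicodedata.category(c) in _INVISIBLE for c in name)


def audit_account_creations(events):
    """Return (event, reason) for each 4720-style record worth a human look."""
    findings = []
    for ev in events:
        name = ev["TargetUserName"]
        if is_blank_name(name):
            chars = ", ".join(hidden_chars(name)) or "empty string"
            findings.append((ev, f"blank account name ({chars})"))
        elif hidden_chars(name):
            findings.append((ev, "invisible characters in name: "
                             + ", ".join(hidden_chars(name))))
    return findings


# Constructed sample, not real log data; only the 4720 fields of interest.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "alice", "TargetUserName": "svc-backup"},
    {"EventID": 4720, "SubjectUserName": "alice", "TargetUserName": "\u00a0"},       # ALT+0160
    {"EventID": 4720, "SubjectUserName": "bob",   "TargetUserName": "John Smith"},
    {"EventID": 4720, "SubjectUserName": "bob",   "TargetUserName": "admin\u200b"},  # zero-width space
]

if __name__ == "__main__":
    for ev, reason in audit_account_creations(SAMPLE_EVENTS):
        print(f"{ev['SubjectUserName']} created {ev['TargetUserName']!r}: {reason}")
```

The same test applies to any listing of local account names, for example the subkeys of the SAM `Names` key mentioned in step 5 (reading it needs SYSTEM, as the thread notes) or the output of `net user`; a name that renders as an empty column is the tell. Auditing via event 4720 requires the account-management audit category to be enabled on the host.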
Application: Microsoft Outlook Express
Microsoft Windows Mail
Platforms: Windows 2000
Windows XP
Windows Vista
Windows server 2003
Windows Server 2008 SR2
Exploitation: Remote Exploitable
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger@banneretcs.com or rogrim@microsoft.com
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************
/usr/lib/vmware/settings
(Note that "settings" is the file name, not another directory name.)
On Windows (except Windows Vista), the default pathname for this file is:
C:\Documents and Settings\All Users\Application Data\VMware\VMware Workstation\settings.ini
forging a trap frame.
The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module list
via NtQuerySystemInformation().
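The module-list query described above, as an added example in Python (this is not code from the paper). It calls NtQuerySystemInformation with the SystemModuleInformation class from an unprivileged process and parses the returned RTL_PROCESS_MODULES buffer, whose first entry is the kernel image; that gives the randomised kernel base directly. The information class value (11) and the structure layout are undocumented but long-stable assumptions. The parser is exercised offline on a constructed buffer with made-up addresses; the live query only runs on Windows.

```python
"""Added example: read the kernel module list from user mode via
NtQuerySystemInformation(SystemModuleInformation), as the passage above
describes. The parser works on any RTL_PROCESS_MODULES buffer and is
exercised here on a constructed one; the live query is Windows-only."""
import ctypes
import struct
import sys

SystemModuleInformation = 11           # SYSTEM_INFORMATION_CLASS (undocumented, stable)
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004


def _entry_format(pointer_size):
    # RTL_PROCESS_MODULE_INFORMATION: Section, MappedBase, ImageBase (PVOID x3),
    # ImageSize, Flags (ULONG x2), LoadOrderIndex, InitOrderIndex, LoadCount,
    # OffsetToFileName (USHORT x4), FullPathName[256]. There is no implicit
    # padding for either pointer size, so a packed little-endian layout matches.
    ptr = "I" if pointer_size == 4 else "Q"
    return "<" + ptr * 3 + "IIHHHH256s"


def parse_module_list(buf, pointer_size):
    """Return [(image_base, image_size, file_name, full_path), ...] from an
    RTL_PROCESS_MODULES buffer: ULONG NumberOfModules, then the entries
    aligned to the pointer size. Entry 0 is the running kernel image."""
    fmt = _entry_format(pointer_size)
    entry_size = struct.calcsize(fmt)
    count = struct.unpack_from("<I", buf, 0)[0]
    offset = pointer_size                  # NumberOfModules plus alignment padding
    modules = []
    for _ in range(count):
        f = struct.unpack_from(fmt, buf, offset)
        image_base, image_size, name_off, raw_path = f[2], f[3], f[8], f[9]
        full_path = raw_path.split(b"\0", 1)[0].decode("latin-1")
        modules.append((image_base, image_size, full_path[name_off:], full_path))
        offset += entry_size
    return modules


def kernel_base(modules):
    """The first entry is the kernel itself (ntoskrnl.exe or a variant)."""
    return modules[0][0]


def query_kernel_modules():
    """Live query from an unprivileged process (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("NtQuerySystemInformation is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    needed = ctypes.c_ulong(0)
    # First call with a NULL buffer just reports the required size.
    status = ntdll.NtQuerySystemInformation(
        SystemModuleInformation, None, 0, ctypes.byref(needed)) & 0xFFFFFFFF
    if status != STATUS_INFO_LENGTH_MISMATCH:
        raise OSError(f"NtQuerySystemInformation: NTSTATUS {status:#010x}")
    buf = ctypes.create_string_buffer(needed.value)
    status = ntdll.NtQuerySystemInformation(
        SystemModuleInformation, buf, needed, ctypes.byref(needed)) & 0xFFFFFFFF
    if status != 0:
        raise OSError(f"NtQuerySystemInformation: NTSTATUS {status:#010x}")
    return parse_module_list(buf.raw, ctypes.sizeof(ctypes.c_void_p))


def build_sample_buffer(pointer_size, entries):
    """Constructed test data (not a real capture): pack (base, size, path)
    tuples in the same layout so the parser can run on any host."""
    fmt = _entry_format(pointer_size)
    out = struct.pack("<I", len(entries)).ljust(pointer_size, b"\0")
    for base, size, path in entries:
        name_off = path.rfind("\\") + 1
        out += struct.pack(fmt, 0, 0, base, size, 0, 0, 0, 1, name_off,
                           path.encode("latin-1"))
    return out


# Made-up addresses for the offline demonstration.
SAMPLE_X64 = build_sample_buffer(8, [
    (0xFFFFF80001800000, 0x400000, "\\SystemRoot\\system32\\ntoskrnl.exe"),
    (0xFFFFF80001B00000, 0x80000, "\\SystemRoot\\system32\\hal.dll"),
])

if __name__ == "__main__":
    mods = query_kernel_modules() if sys.platform == "win32" else parse_module_list(SAMPLE_X64, 8)
    print(f"kernel base: {kernel_base(mods):#x}")
    for base, size, name, _ in mods[:5]:
        print(f"  {base:#018x} {size:#10x} {name}")
```

On the Windows versions the paper discusses, the call succeeds from any medium-integrity process, which is why the kernel base randomisation adds nothing against a local attacker. Later Windows versions narrow this: from Windows 8.1 the kernel addresses are withheld from low-integrity callers, and recent builds restrict the class further, so the bypass should be re-verified on the target rather than assumed.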
--------------------
Affected Software
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: me@abegetchell.com; Jim Harrison; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> If Jim is going to get Nancy to run a program, and that's "not all that
> hard," then why not just have that program do what you want in the
> first
> place rather than worrying about the power switch nonsense? This is
--------------------
PacketVideo has addressed the issue. Contact the vendor for the software update.
Tested Systems / Software
-------------------------
Twonky 7.0 Special on Windows Vista
TwonkyManager 3.0 on Windows Vista
Vendor Contact
--------------
Vendor Name: PacketVideo Corporation | http://www.pv.com/
> -----Original Message-----
> From: Abe Getchell [mailto:me@abegetchell.com]
> Sent: Saturday, July 19, 2008 12:33 AM
> To: 'Jim Harrison'; bugtraq@securityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> As stated in my original e-mail to the list, I definitely don't think
> that
> this is a security vulnerability in a traditional sense. I completely
> agree
3. *Vulnerability Description*
Windows Movie Maker is a video creating/editing software, which is
included by default in Windows Vista and XP. Microsoft Producer is an
add-in for PowerPoint to create rich-media presentations.
A vulnerability was found in Windows Movie Maker and Microsoft Producer,
which can be triggered by a remote attacker by sending a specially
crafted file and enticing the user to open it. This vulnerability
HP has provided the following software patches to resolve this vulnerability.
Operating System / Description / Patch ID
Windows Vista, XP, 2008, 2003, 2000 / OV DP 6.11 Win - Core / DPWIN_00475
Windows Vista, XP, 2008, 2003, 2000 / OV DP 6.10 Win - Core / DPWIN_00489
Windows XP, 2003, 2000 / OV DP 6.00 Win - Core / DPWIN_00488
a cascade of exceptions that culminates in a triple fault (reboot).
Fortunately, the critical window is small, and the exploit can take
steps to reduce these risks, and even relatively reckless exploitation
has proven to be reliable.
Windows Vista x64
As mentioned above, incrementing arbitrary kernel memory is not
possible on Windows Vista x64, because the "INC" instruction of
interest modifies a GS-relative DWORD directly (and therefore can only
increment a DWORD in user GS), rather than dereferencing a pointer
machine) to plant a malicious executable with a specific name on the local
drive and wait for this executable to get launched when another user logs
on to the virtual machine.
While this scenario is usually blocked on default VMware Tools'
installations on Windows XP, Windows Vista and Windows 7 due to the
default file system ACLs, a non-administrative local attacker can launch
the attack against virtual machines where VMware Tools were installed on
non-default locations, e.g., on a non-system drive. Additionally, the
attack is always possible on pre-Windows XP systems such as Windows 2000.
Salut, Roger,
On Wed, 5 Mar 2008 16:30:35 -0500, Roger A. Grimes wrote:
> As somewhat indicated in the paper itself, these types of physical
> DMA attacks are possible against any PC-based OS, not just Windows.
> If that's true, why is the paper titled around Windows Vista?
That's very easy: because the specific attack was against Windows
Vista's activation mechanism.
The deficiencies of Firewire with regard to direct memory access have
2. Overwriting arbitrary kernel addresses.
:: Files affected
RTKVHDA.sys < 6.0.1.5605 (32-bit) Windows Vista
RTKVHDA64.sys (signed) < 6.0.1.5605 (64-bit) Windows Vista
:: Credits
Vulnerability discovered and researched by Ruben Santamarta.