[Am-info] Noteable MickySoft patches.

Fred A. Miller fm@cupserv.org
Fri, 19 Jul 2002 15:29:18 -0400 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cumulative Patch for SQL Server

Microsoft released MS02-034 ("Cumulative Patch for SQL Server"). MS
SQL Server and MSDE installations have three new vulnerabilities:
a buffer overflow in the bulk insert procedure; a buffer overflow in
the password encryption procedure; and insecure permissions on the
SQL service account registry key. The buffer overflows allow attackers
capable of running arbitrary SQL statements to elevate their SQL user
privileges and potentially execute arbitrary code.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp

Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0012.html

SQL Server setup.iss log file exposes
                passwords

Microsoft released MS02-035 ("SQL Server setup.iss log file
exposes passwords"). It's possible to create a precomputed
set-up file (setup.iss) in MS SQL Server to use for unattended
installations. However, installations that use the setup.iss
file produce installation log files afterwards, which include any
SQL-server-related passwords in plain text.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-035.asp

Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0009.html

RealONE/RealJukebox RJS skin.ini overflow

The RealONE and RealJukebox clients contain a buffer overflow in the
parsing of custom skin files, potentially allowing a malformed skin
file to execute arbitrary code on the user's system. In addition, it
may be possible for a malicious Web site to force the download of a
skin file. Skin files also can potentially contain active scripting,
which is executed in the Local System zone.

The vendor confirmed this problem; updates are listed at:
http://service.real.com/help/faq/security/bufferoverrun07092002.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0127.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0130.html

Norton Personal Internet Firewall HTTP proxy
                overflow

Norton Personal Internet Firewall version 3.0.4.91 (version 2001)
contains a buffer overflow in the handling of large HTTP proxy
requests. As a result, an internal/local attacker can execute arbitrary
code on the system.

The vendor confirmed this vulnerability and released a patch.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0026.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0027.html

- --=20
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
- --- SuSE Linux v8.0 Pro, KMail 3.0.1---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj04aI4ACgkQB9vk4ichYXcqAACfe1t8t4GHui5aoapcp+te51+a
BRoAoMRjE9vGX1txNC2PQETe+YIVTYIB
=3DKjET
-----END PGP SIGNATURE-----