**** This Security Alert is brought to you by the Windows IT Security channel on the Windows 2000 Magazine Network ****
http://www.win2000mag.net/Channels/Security

============================================================

Security Alert, May 29, 2001

By embedding a macro in a template and providing another user with a Rich Text Format (RTF) document that links to the template, an attacker can cause macros to run automatically when the user opens the RTF document. Microsoft has released an FAQ and a patch to remedy this vulnerability.

An unchecked buffer vulnerability in the method Windows Media Player (WMP) uses to process Active Stream Redirector (.asx) files can result in a buffer overflow. An attacker can use the vulnerability to run code on the vulnerable computer under the user's security context. Microsoft has acknowledged this vulnerability and recommends that users of WMP 6.4 immediately apply the patch contained in Security Bulletin MS01-029. For users of WMP 7.0, Microsoft recommends an upgrade to version 7.1.

Multiple vulnerabilities exist in eEye's SecureIIS 1.0.2. The first vulnerability involves the keyword-checking feature: SecureIIS fails to decode escaped characters in a request's query, which can lead to information disclosure. The second involves a directory traversal vulnerability that lets an attacker break out of the Web root directory. The third vulnerability involves a buffer overrun condition caused by the way SecureIIS processes HTTP header and large-character requests. The vendor, eEye Digital Security, recommends that users upgrade to version 1.0.5, which addresses these vulnerabilities.

For complete details about these vulnerabilities, including links to patches and additional information, please visit the following URLs.

* Macros Can Run Without Warning under Microsoft Word
  http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21251
* Buffer Overflow Condition in Windows Media Player
  http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21252
* Multiple Vulnerabilities in eEye SecureIIS
  http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21250

Sincerely,
The Security UPDATE Team (securityat_private)

___________________________________________________________
Copyright 2001, Penton Media, Inc.
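
The first two SecureIIS issues described in the alert both come from checking a request before it is in canonical form. The following is an added example, not part of the original alert and not eEye's code, contrasting a keyword check on the raw query with one that percent-decodes first, plus a normalized-path check against the Web root. The keyword list, web root path, decode limit and function names are assumptions made for illustration.

```python
# Added illustration; not SecureIIS code. All names and values are hypothetical.
import posixpath
from urllib.parse import unquote

BLOCKED_KEYWORDS = ("passwd", "cmd.exe")  # constructed filter keywords
WEB_ROOT = "/inetpub/wwwroot"             # constructed web root
MAX_DECODE_ROUNDS = 3                     # assumed limit on escaping layers


def naive_query_ok(raw_query):
    """Flawed check: matches keywords against the raw, still-escaped query."""
    lowered = raw_query.lower()
    return not any(keyword in lowered for keyword in BLOCKED_KEYWORDS)


def canonicalize(value):
    """Percent-decode until the value stops changing; fail if it never settles."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of escaping")


def strict_query_ok(raw_query):
    """Decode first, then apply the same keyword check to the canonical form."""
    try:
        return naive_query_ok(canonicalize(raw_query))
    except ValueError:
        return False  # treat excessive escaping as a rejected request


def path_inside_root(raw_path):
    """Decode and normalize the URL path, then confirm it stays under WEB_ROOT."""
    try:
        decoded = canonicalize(raw_path).replace("\\", "/")
    except ValueError:
        return False
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    return full == WEB_ROOT or full.startswith(WEB_ROOT + "/")


if __name__ == "__main__":
    sample = "file=pass%77d"  # constructed query: %77 is an escaped "w"
    print("naive accepts:", naive_query_ok(sample))
    print("strict accepts:", strict_query_ok(sample))
```
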