[ISN] Security Alert: 4 Microsoft Security Bulletins for September 2007

From: InfoSec News (alerts@private)
Date: Tue Sep 11 2007 - 22:32:50 PDT


Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSOR, WHO BRINGS YOU SECURITY ALERT FOR FREE:

ALERT: "How a Hacker Launches a SQL Injection Attack!" White Paper 
   It's as simple as placing additional SQL commands into a Web form 
input box giving hackers complete access to all your backend systems! 
Firewalls and IDS will not stop such attacks because SQL injections are 
not seen as intruders. Download this *FREE* white paper from SPI 
Dynamics for a complete guide to protection! 
   http://list.windowsitpro.com/t?ctl=65738:57B62BBB09A6927977A6B59F6BAC0371
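The sponsor's one-sentence description above is the whole mechanism: text from a form field is spliced into the SQL statement, so the attacker's input becomes part of the query instead of data. As an added example (not code from the newsletter, the sponsor or the white paper), here is the vulnerable login query beside its parameterized form, run against a constructed in-memory SQLite table; the table, the user names and the passwords are invented for the demo.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny users table standing in for a web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The form values are pasted into the SQL text, so quotes in them rewrite the query."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Placeholders fix the statement's structure; the values are bound as data only."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run the same hostile inputs through both versions and return what each query yields."""
    conn = build_db()
    # Tautology payload: the injected OR '1'='1' makes the WHERE clause true for every row,
    # so the attacker is "authenticated" as whatever row comes back first (alice, the admin).
    tautology = "x' OR '1'='1"
    # Comment payload: the trailing -- discards the password check entirely.
    comment = "alice'--"
    return {
        "vuln_legit": login_vulnerable(conn, "bob", "hunter2"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "safe_tautology": login_parameterized(conn, tautology, tautology),
        "safe_comment": login_parameterized(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-16s %r" % (name, rows))
```

Both payloads are ordinary form fields travelling in an ordinary HTTP POST, which is why a network firewall has nothing to block; the defence lives in how the application builds the statement. With the `%`-formatted query the tautology returns every user and `alice'--` logs in without a password; with bound parameters both inputs are just strings that match no user name.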


=== SECURITY ALERT =============================================

4 Microsoft Security Bulletins for September 2007
   by Orin Thomas, MVP Windows Security, orin@private

Microsoft released four security updates for September, rating one of 
them as critical. Here's a brief description of each update; for more 
information, go to
   http://list.windowsitpro.com/t?ctl=65739:57B62BBB09A6927977A6B59F6BAC0371

MS07-051: Vulnerability in Microsoft Agent Could Allow Remote Code 
Execution

The attack vector is a specially crafted URL that targets Microsoft Agent; 
a user who follows the link on a Windows 2000 SP4 computer can have 
arbitrary code run on that computer.

Applies to: Windows 2000 SP4.

Recommendation: Microsoft rates this update as critical, although the 
vulnerability has not been publicly disclosed. Because the attack vector 
is a link the user merely has to follow, it's likely that nefarious third 
parties will be working hard to develop an exploit now that the update 
has been released. Prioritize testing of this update and deploy it on an 
accelerated schedule if your organization still runs Windows 2000 SP4.

MS07-052: Vulnerability in Crystal Reports for Visual Studio Could 
Allow Remote Code Execution

The attack vector is a specially crafted Crystal Reports (.rpt) file. 
Opening the file on a system with the affected software allows remote 
code execution with the full rights and privileges of the currently 
logged-on user.

Applies to: Editions of Visual Studio that include Crystal Reports. 
These are the Enterprise Architect, Enterprise Developer, and 
Professional editions of Visual Studio .NET 2002 SP1 and Visual Studio 
.NET 2003 (including SP1); and the Professional, Team Edition for 
Software Architects, Team Edition for Software Developers, Team Suite, 
and Team Edition for Software Testers editions of Visual Studio 2005 
(including SP1).

Recommendation: Remind users not to open files from untrusted sources. 
This vulnerability has been publicly disclosed. If your organization 
uses the targeted software, rigorously test the update and deploy it as 
part of your organization's normal patch management cycle.

MS07-053: Vulnerability in Windows Services for UNIX Could Allow 
Elevation of Privilege

The attack vector is a specially crafted binary file that a local user 
can run to elevate privileges on a computer running the affected 
software.

Applies to: Windows Services for UNIX 3.0, Windows Services for UNIX 
3.5, and Subsystem for UNIX-based Applications.

Recommendation: This vulnerability has been publicly disclosed but 
cannot be exploited remotely; the attacker needs to run a file on the 
computer. If your organization uses the affected software, remind users 
not to run files from untrusted sources, rigorously test the update, and 
deploy it as part of your organization's normal patch management cycle.

MS07-054: Vulnerability in MSN Messenger and Windows Live Messenger 
could allow Remote Code Execution 

The attack vector is an incoming video chat request sent to an MSN 
Messenger or Windows Live Messenger client. On an unpatched client, a 
successful exploit could give the attacker control of the system with 
the full rights and privileges of the currently logged-on user.

Applies to: All versions of MSN Messenger (except MSN Messenger 
7.0.0820 on Windows 2000 SP4) and all versions of Windows Live 
Messenger (except Windows Live Messenger 8.1).

Recommendation: This vulnerability has been publicly disclosed, and with 
the release of this bulletin it's likely that nefarious third parties 
will be working hard to develop a working exploit. If clients in your 
organization use MSN Messenger or Windows Live Messenger, prioritize 
testing of this update and deploy it on an accelerated schedule.


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 
below).
   http://list.windowsitpro.com/t?ctl=6573C:57B62BBB09A6927977A6B59F6BAC0371
   http://list.windowsitpro.com/t?ctl=6573E:57B62BBB09A6927977A6B59F6BAC0371

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=6573B:57B62BBB09A6927977A6B59F6BAC0371

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=6573D:57B62BBB09A6927977A6B59F6BAC0371
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=6573A:57B62BBB09A6927977A6B59F6BAC0371

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


____________________________________
Visit the InfoSec News Bookstore
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Tue Sep 11 2007 - 22:45:59 PDT