SecurityFocus Microsoft Newsletter #370
—————————————-
This issue is Sponsored by: SPI Dynamics
XPath Injection Attacks - Web Hackers' New Trick: White Paper
One particular form of injection attack, XPath Injection, is rapidly gaining in popularity due to the spread of AJAX applications and their inherent use of XML to store data. XPath Injection can be just as dangerous as SQL Injection, and can be even easier to exploit. Learn how to identify XPath Injection vulnerabilities and which methods of recourse to take to prevent them. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
https://download.spidynamics.com/1/ad/XP.asp?Campaign_ID=70160000000D803
SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs
——————————————————————
I. FRONT AND CENTER
1. Aye, Robot, or Can Computers Contract?
2. Don't blame the IDS
II. MICROSOFT VULNERABILITY SUMMARY
1. Tencent QQ LaunchP2PShare Multiple Stack Buffer Overflow Vulnerabilities
2. VanDyke VShell Unspecified Denial Of Service Vulnerability
3. Samhain Labs Samhain Insecure Random Number Generator Information Disclosure Weakness
4. Skype Technologies Skype Voicemail URI Handler Remote Denial of Service Vulnerability
5. Apple QuickTime RTSP Response Header Content-Length Remote Buffer Overflow Vulnerability
6. Apple QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability
7. Wireshark 0.99.6 Multiple Remote Vulnerabilities
8. IBM Director CIM Server Remote Denial of Service Vulnerability
9. SMF Private Forum Messages Information Disclosure Vulnerability
10. Microsoft Windows Insecure Random Number Generator Information Disclosure Weakness
III. MICROSOFT FOCUS LIST SUMMARY
1. Windows NT Desktop
2. Security and Implications of Hosted Exchange
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION
I. FRONT AND CENTER
———————
1. Aye, Robot, or Can Computers Contract?
By Mark Rasch
A contract is usually described as a “meeting of the minds.” One person makes an offer for goods or services; another person sees the offer and negotiates terms; the parties enter into an agreement of the offer; and some form of consideration is given in return for the provision of something of value. At least that’s what I remember from first year law school contracts class.
http://www.securityfocus.com/columnists/458
2. Don't blame the IDS
By Don Parker
Some years ago, I remember reading a press release from the Gartner Group. It was about intrusion detection systems (IDS) offering little return for the monetary investment in them and furthermore, that this very same security technology would be obsolete by the year 2005. A rather bold statement and an even bolder prediction on their part.
http://www.securityfocus.com/columnists/457
II. MICROSOFT VULNERABILITY SUMMARY
————————————
1. Tencent QQ LaunchP2PShare Multiple Stack Buffer Overflow Vulnerabilities
BugTraq ID: 26613
Remote: Yes
Date Published: 2007-11-27
Relevant URL: http://www.securityfocus.com/bid/26613
Summary:
Tencent QQ is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
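As an added, generic illustration of the failure mode this summary names (not Tencent QQ code, and nothing below is specific to LaunchP2PShare): a length-prefixed field from the peer is copied into a fixed-size stack buffer without being compared against that buffer's size, shown beside the bounded version. The stack frame is modelled as one flat array so the overwrite is observable and the program stays well-defined; the frame layout, sizes, function names and the constructed payload are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class in the advisory, not Tencent QQ code.
 * A length-prefixed field arrives from the peer (declared length + bytes) and
 * is copied into a fixed-size stack buffer. The stack frame is modelled as one
 * flat array so the overwrite is observable and the program stays well-defined:
 * buf occupies frame[0..BUF_SIZE), and the bytes after it stand in for the
 * saved frame pointer and return address. */

#define BUF_SIZE   32
#define FRAME_SIZE 64
#define SENTINEL   0xA5   /* fills the "saved registers" region */

/* Vulnerable pattern: the peer-supplied declared_len is trusted and never
 * compared with BUF_SIZE, so anything longer than BUF_SIZE runs past buf.
 * Returns how many bytes beyond buf were overwritten (0 means no overflow). */
size_t unchecked_copy(const uint8_t *data, size_t declared_len)
{
    uint8_t frame[FRAME_SIZE];
    memset(frame, SENTINEL, sizeof frame);

    /* Clamp only so this model never writes outside 'frame'; a real function
     * copying into a raw stack buffer has no such backstop. */
    if (declared_len > FRAME_SIZE)
        declared_len = FRAME_SIZE;

    memcpy(frame, data, declared_len);        /* missing: declared_len <= BUF_SIZE */

    size_t clobbered = 0;
    for (size_t i = BUF_SIZE; i < FRAME_SIZE; i++)
        if (frame[i] != SENTINEL)
            clobbered++;
    return clobbered;
}

/* Hardened pattern: validate the length against the destination before any
 * copy and reject (rather than silently truncate) oversized input, which is
 * usually the right call for a protocol field. Returns 0 on success, -1 if
 * the input is rejected; *out_len receives the number of bytes stored. */
int checked_copy(const uint8_t *data, size_t declared_len,
                 uint8_t out[BUF_SIZE], size_t *out_len)
{
    if (data == NULL || out == NULL || out_len == NULL)
        return -1;
    if (declared_len > BUF_SIZE)            /* the check the vulnerable path lacks */
        return -1;
    memcpy(out, data, declared_len);
    *out_len = declared_len;
    return 0;
}

/* Builds a constructed request payload: 'len' bytes of 0x41 ('A'), capped at cap. */
size_t make_payload(uint8_t *dst, size_t cap, size_t len)
{
    if (len > cap)
        len = cap;
    memset(dst, 0x41, len);
    return len;
}

int main(void)
{
    uint8_t payload[FRAME_SIZE];
    uint8_t out[BUF_SIZE];
    size_t out_len = 0;

    size_t n = make_payload(payload, sizeof payload, 48);   /* 16 bytes too long */
    printf("unchecked copy of %zu bytes clobbered %zu bytes past buf\n",
           n, unchecked_copy(payload, n));
    printf("checked copy of %zu bytes: %s\n", n,
           checked_copy(payload, n, out, &out_len) == 0 ? "accepted" : "rejected");

    n = make_payload(payload, sizeof payload, 16);           /* fits */
    printf("unchecked copy of %zu bytes clobbered %zu bytes past buf\n",
           n, unchecked_copy(payload, n));
    printf("checked copy of %zu bytes: %s (%zu stored)\n", n,
           checked_copy(payload, n, out, &out_len) == 0 ? "accepted" : "rejected",
           out_len);
    return 0;
}
```

The check belongs before the copy and should be against the real destination size, not against whatever the peer declared; rejecting the request outright is preferable to truncating a protocol field, since truncation can desynchronise parsing of the fields that follow.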