lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F78E43A__47446.0818375976$1062618176@muskie.rc.on.ca>
Date: Wed, 3 Sep 2003 13:20:50 -0400
From: Russ <Russ.Cooper@...ON.CA>
To: NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM
Subject: Alert: Microsoft Security Bulletin - MS03-038


http://www.microsoft.com/technet/security/bulletin/MS03-038.asp

Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)

Originally posted:  September 3, 2003

Summary

Who should read this bulletin: Customers who use Microsoft® Access or who use the downloadable Microsoft Access Snapshot Viewer

Impact of vulnerability: Allow an attacker to execute code of their choice

Maximum Severity Rating: Moderate

Recommendation: Customers who use Microsoft Access or who use the downloadable Microsoft Access Snapshot Viewer should install the security patch at their earliest opportunity.

End User Bulletin:
An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-038.asp. 

Affected Software: 
- Microsoft Access 97
- Microsoft Access 2000
- Microsoft Access 2002

Technical description: 

With Microsoft Access Snapshot Viewer, you can distribute a snapshot of a Microsoft Access database that allows the snapshot to be viewed without having Access installed. For example, a customer may want to send a supplier an invoice that is generated by using an Access database. With Microsoft Access Snapshot Viewer, the customer can package the database so that the supplier can view it and print it without having Access installed.The Microsoft Access Snapshot Viewer is available with all versions of Access - though it is not installed by default - and is also available as a separate stand-alone download. The Snapshot Viewer is implemented by using an ActiveX control.

A vulnerability exists because of a flaw in the way that Snapshot Viewer validates parameters. Because the parameters are not correctly checked, a buffer overrun can occur, which could allow an attacker to execute the code of their choice in the security context of the logged-on user.

For an attack to be successful, an attacker would have to persuade a user to visit a malicious Web site that is under the attacker's control.

Mitigating factors:
- The Microsoft Access Snapshot Viewer is not installed with Microsoft Office by default.
- An attacker would need to persuade a user to visit a website under the attacker's control for an attack to be successful.
- An attacker's code would run with the same permissions as the user. If a user's permissions were restricted the attacker would be similarly restricted.

Vulnerability identifier: CAN-2003-0665



This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Whatever Happened to Octopus?

LEGATO RepliStor, formerly known as Octopus, delivers breakthrough
replication performance that's 5X faster than the competition in an
independent head-to-head test. Learn how RepliStor uses patented,
asynchronous, real-time replication, to deliver disaster recovery, data
distribution and consolidated backups. It is the first replication solution
to achieve Windows 2003 certification. Get the performance report now.

http://portal1.legato.com/products/replistor/upgrade.cfm

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ