Message-ID: <36402DCC1069D411922D00508B5B2CC21E3F2B56@ex-server1.napier.ac.uk>
From: R.Ferris at napier.ac.uk (Ferris, Robin)
Subject: FW: Microsoft Security Update

There appears to be only one that will get the coderz and the admins
slightly worried and that is the:

Title:  	Flaw in Visual Basic for Applications Could Allow 
		Arbitrary Code Execution (822715)

It's the only one that could be imho used to propagate anything.

What do you guys think?

RF

-----Original Message-----
From: Thor Larholm [mailto:thor@...x.com]
Sent: 03 September 2003 23:59
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] FW: Microsoft Security Update


I see a trend going on here, Word, Office, Office, Office and Office. I
guess Office has been overdue in regards to security bulletins lately :)

MS03-034 (NetBIOS information disclosure) gets a rating of Low, even though
Blaster showed us just how many Windows installations run with all ports
accessible.

It's surprising that MS03-035 (circumventing Office Macro security) and
MS03-036 (BO in WordPerfect Converter) got ratings of Important rather than
Critical, I guess the bulletins are waiting for some automatic exploit to
surface before revision.

At least MS03-037 (VBA code execution) got a proper Critical rating.

MS03-038 (code execution in Access Snapshot Viewer, an ActiveX control) got
a rating of Moderate for webpage based exploits but completely forgets to
mention HTML email.

Lots of different ratings and lots of details to consider before system
administrators can decide when to apply these patches, but we really want
simplicity over complexity. I would still prefer 2 ratings instead of 4,
Apply Now or Apply Later - with the latter heading for the bi-weekly patch
job. Let's face it, rolling out patches in a big corporation on an almost
daily basis is just not very effective or economical.

Which leads to the positive side, it is definitely great to see Microsoft
releasing 5 vulnerabilities in a single day, rather than releasing a new one
every other day. They must have listened to the feedback from administrators
who tired of inefficient and constant patch jobs, and should definitely
adhere to this practice in the future. It may be a small step in optimizing
the entire patch process, but it's a positive trend.

If there is anything we have learnt in the months behind us it is that
producing patches is the least of our worries in security, getting
administrators and end users to actually apply those patches is an entirely
different ballgame.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher



-----Original Message-----
From: Microsoft
[mailto:0_51922_1B06CAE9-7FDB-4EFF-B651-1869EADE5F25_DK@...sletters.Microsoft.com]
Sent: 3. september 2003 23:46
To: thor@...x.com
Subject: Microsoft Security Update


-----BEGIN PGP SIGNED MESSAGE-----

THE MICROSOFT SECURITY UPDATE NEWSLETTER

September 3, 2003

The Microsoft Security Update Newsletter for home users
and small businesses provides information on security-related
updates to Microsoft(R) products, as well as virus alerts
and resources for more information on security issues.

You have received this update as a subscriber to the Microsoft
Security Update Newsletter. To cancel your subscription, follow
the instructions at the bottom of this page.
__________________________________________________

SECURITY BULLETIN MS03-034

Security Update for Microsoft Windows
http://go.microsoft.com/?linkid=237617

SEVERITY
Low

WHY WE ARE ISSUING THIS UPDATE
A security issue has been identified in Microsoft Windows(R)
that could allow an attacker to see information in your computer's
memory over a network. You can help protect your computer by
installing this update from Microsoft.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Windows NT(R) Server 4.0
Windows NT Server 4.0 Terminal Server Edition
Windows 2000
Windows XP
Windows Server(TM) 2003
__________________________________________________

SECURITY BULLETIN MS03-035

Security Update for Microsoft Word
http://go.microsoft.com/?linkid=237618

SEVERITY
Important

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Word(R) could allow an
attacker to compromise a Microsoft Windows-based system and then
take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Word 97, 98(J), 2000, and 2002
Works Suite 2001, 2002, and 2003
__________________________________________________

SECURITY BULLETIN MS03-036

Security Update for Microsoft Office
http://go.microsoft.com/?linkid=237619

SEVERITY
Important

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Office could allow an
attacker to compromise a system using Microsoft Office and then
take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Office 97, 2000, and XP
Word 98(J)
FrontPage 2000 and 2002
Publisher 2000 and 2002
Works Suite 2001, 2002, and 2003
__________________________________________________

SECURITY BULLETIN MS03-037

Security Update for Microsoft Visual Basic for Applications
http://go.microsoft.com/?linkid=237620

SEVERITY
Critical

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Visual Basic(R) for
Applications could allow an attacker to compromise a Windows-based
system and then take a variety of actions. For example, an attacker
could read files on your computer or run programs on it. By
installing this update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Visual Basic for Applications SDK 5.0, 6.0, 6.2, and 6.3
Office 97, 2000, and XP
Word 98(J)
Visio 2000 and 2002
Project 2000 and 2002
Publisher 2002
Works Suite 2001, 2002, and 2003
Business Solutions Great Plains 7.5
Business Solutions Dynamics 6.0 and 7.0
Business Solutions eEnterprise 6.0 and 7.0
Business Solutions Solomon 4.5, 5.0, and 5.5
__________________________________________________

SECURITY BULLETIN MS03-038

Security Update for Microsoft Access and Access Snapshot Viewer
http://go.microsoft.com/?linkid=237621

SEVERITY
Moderate

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Access and the downloadable
Access Snapshot Viewer could allow an attacker to compromise a system
using Microsoft Office or the Microsoft Access Snapshot Viewer and
then take a variety of actions. For example, an attacker could read
files on your computer or run programs on it. By installing this
update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Access 97, 2000, and 2002
__________________________________________________
<snip rest>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

