AERAsec
Network Security
Current Security Messages


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes avoid the vulnerability. Some of the files are transferred by FTP.

By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!

Chosen month 10 / 2000

System: Microsoft Windows 2000
Topic: Vulnerability in Simplified Chinese IME State Recognition
Links: MS-069
ID: ae-200010-059

Input Method Editors (IMEs) enable character-based languages such as Chinese to be entered via a standard 101-key keyboard. When an IME is installed as part of the system setup, it is available by default as part of the logon screen. In such a case, the IME should recognize that it is running in the context of LocalSystem and not in the context of a user. The IME for Simplified Chinese does not correctly recognize the machine state and exposes inappropriate functions as part of the logon screen. As a result, an attacker may gain LocalSystem privilege even without logging onto the machine. Microsoft has published a patch for the Simplified Chinese version as well as for the English version.

System: OpenLinux
Topic: Vulnerability caused by traceroute
Links: CSSA-2000-034
ID: ae-200010-058

As Caldera reports, a special feature in the traceroute command was found which may possibly be used by local users to obtain super user privileges. Updated packages are available now.

System: Linux Mandrake
Topic: Vulnerabilities in xinitrc, traceroute and lpr
Links: MDKSA-2000:052, MDKSA-2000:053, MDKSA-2000:054
ID: ae-200010-057

Problems were found in the /etc/X11/Xsession file, which disables the Xauthority mechanism of the localhost, so anyone logged into the localhost can connect to any X server running on it. This is only a problem on systems that allow remote logins. There is a bug in the traceroute program which causes segmentation faults and could be exploited to gain root privilege because the traceroute command is suid root. A format string bug in lpr was found in its calls to the syslog facility. Patches are available now.

System: Microsoft Windows NT 4.0 and 2000
Topic: Multiple vulnerabilities in LPC and LPC Ports found
Links: MS-070, ERS-2000.232, WinITSec
ID: ae-200010-056

Several vulnerabilities have been identified in the Windows NT 4.0 and Windows 2000 implementations of LPC (Local Procedure Calls) and LPC ports, their communication channels. 
By sending an invalid LPC request, on NT 4.0 it is possible to make the affected system fail. By sending many LPC requests, it could be possible to increase the number of queued LPC messages to the point where kernel memory would be depleted. Any process that knows the identifier of an LPC message can access it, and the identifiers can be predicted. In the simplest case, an attacker could access other processes' LPC ports and feed them random data as a denial-of-service attack. In the worst case, it could be possible to send bogus requests to a privileged process in order to gain additional local privileges. A new variant of the previously reported "Spoofed LPC Port Request" vulnerability has also been found. Because LPC can only be used on the local machine, Microsoft states that none of these vulnerabilities could be exploited remotely, only when logged in interactively.
Microsoft has published patches for Microsoft Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition and Microsoft Windows 2000 Professional, Server, Advanced Server, and Datacenter Server. A patch for NT 4.0 Terminal Server will be published soon.

System: Red Hat Linux 5.x, 6.x, 7.0
Topic: Vulnerabilities in lpr and LPRng
Links: RHSA-2000:065, RHSA-2000:066, ERS-2000.234, ERS-2000.235
ID: ae-200010-055

Lpr has a format string security bug. It also mishandles any extension to the lpd communication protocol, and assumes that the instructions contained in the extension are a file it should try to print. It also has a race condition in the handling of queue interactions. In Red Hat Linux 7.0 LPRng is affected.

System: Many Unix
Topic: Vulnerability in GNU Groff
Links: ISS-063
ID: ae-200010-054

Troff is a document processor that ships with most Unix systems. Among other functions, it formats system manual pages into human-readable form. The GNU Groff package includes "troff", the main processing program, and "groff", a front-end for troff. Troff supports a set of potentially dangerous macros. Its configuration is read from its "troffrc" initialization file in the current working directory, so unsuspecting users (including root) could be coerced into running arbitrary commands on the system. It is recommended not to run "groff", "troff", or even the "man" command from untrusted directories.

System: OpenBSD
Topic: Vulnerability in libutil pw_error
Links: OpenBSD, ERS-2000.233
ID: ae-200010-053

A format string vulnerability present in the pw_error() function of OpenBSD 2.7's libutil library can yield localhost users root access through the setuid /usr/bin/chpass utility. This vulnerability only affects OpenBSD users with a system dated before July 1st. Patches are available now.

System: HP-UX
Topic: Vulnerability in net.init
Links: HP Security Bulletin #00123, ERS-2000.236
ID: ae-200010-052

HP9000 servers running HP-UX release 11.0X have the problem that /sbin/init.d/net.init uses files in /tmp, so users can overwrite any file. It is recommended to install a patch:

HP-UX 11.00: PHNE_21767
HP-UX 11.04: PHNE_21155

System: Microsoft Word 97 and 2000
Topic: Vulnerability by Word Mail Merge
Links: MS-071, ERS-2000.237
ID: ae-200010-051

If an Access database is specified as a data source via DDE in a Word mail merge document, macro code can run without the user's approval when the user opens that document. This may happen if a user opens a document "unknowingly", e.g. as attachment of an E-Mail or a link at a web server. Microsoft has published patches for Microsoft Word 2000. A patch for Word 97 will be published soon.

System: SmartWin
Topic: Multiple vulnerabilities in CyberOffice Shopping Cart
Links: WinITSec
ID: ae-200010-050

Some vulnerabilities were found in CyberOffice v2 running on Windows NT Server. The first vulnerability makes it possible for an attacker to modify the hidden unit price field in the HTML source and then submit the form. A second vulnerability exposes sensitive customer information including credit card data: in its default configuration, customer order information, including credit card information, is left unprotected and unencrypted. The information is stored in a Microsoft Access database in an unprotected directory, /_private/.
SmartWin has made some recommendations on fixing these problems.

System: Microsoft IIS 5.0 with Microsoft Index Server
Topic: IIS exposes File System
Links: WinITSec
ID: ae-200010-049

Microsoft Internet Information Server 5.0, with Microsoft Index Server installed has been found to be vulnerable to an exploit that allows unauthorized directory listings to be leaked. A demonstration can be found in the advisory, Microsoft has released a knowledge base article about it.

System: Linux Mandrake
Topic: Vulnerability in tmpwatch
Links: MDKSA-2000:056
ID: ae-200010-048

Some versions of tmpwatch contain local Denial-of-Service and root exploits. This is due to using the fork() command to recursively process subdirectories which would allow a local user to perform a Denial-of-Service attack. Updated packages are available now.

System: Red Hat Linux 5.x, 6.x, 7.0
Topic: Vulnerabilities in esound, traceroute, tmpwatch, usermode and gnorpm
Links: RHSA-2000:077, RHSA-2000:078, RHSA-2000:080, ERS-2000.239, ERS-2000.240, ERS-2000.241, RHSA-2000:075, ERS-2000.242, RHSA-2000:072, ERS-2000.245
ID: ae-200010-047

Esound, the Gnome sound server, contains a race condition that an attacker may exploit to change the permissions of any file owned by the esound user. A root exploit and several additional bugs in traceroute have been corrected. Tmpwatch as shipped in Red Hat Linux uses fork() to recursively process subdirectories, enabling a local user to perform a Denial-of-Service attack; it also contains an option that enables a local root exploit. If usermode supports internationalized text messages, an attacker can use the LANG or LC_ALL environment variables to create a format-string exploit in these programs. While fixing other problems with the gnorpm package, a locally exploitable security hole was found where a normal user could trick root running GnoRPM into writing to arbitrary files due to a bug in the gnorpm tmp file handling.

System: Microsoft IE 5.5 and Outlook Express
Topic: Security Problems with ActiveX
Links: WinITSec
ID: ae-200010-046

As Georgi Guninski reports, a problem with the com.ms.activeX.ActiveXComponent Java object can cause Internet Explorer 5.5 and Outlook Express to execute arbitrary programs. It is important to understand that Outlook Express with the "security update", although more difficult, can also be exploited. A demonstration of the problem is available (1, 2). Microsoft appears to be working on a patch.

System: FreeBSD
Topic: Vulnerability caused by weak initial sequence numbers
Links: HERT#03, FreeBSD, ERS-2000.238, L-003, S-00-45
ID: ae-200010-045

TCP network connections use an initial sequence number as part of the connection handshaking. According to the TCP protocol, an acknowledgement packet from a remote host with the correct sequence number is trusted to come from the remote system with which an incoming connection is being established, and the connection is established. 
Systems derived from 4.4BSD-Lite2 including FreeBSD include code which attempts to introduce an element of unpredictability into the initial sequence numbers to prevent sequence number guessing by a remote attacker. The pseudo-random number generator used is a simple linear congruent generator, and based on observations of a few initial sequence values from legitimate connections with a server, an attacker can guess with high probability the value which will be used for the next connection.
Workarounds and patches are discussed in the advisory.

System: many systems
Topic: Widespread incidents of SubSeven DEFCON8 2.1 Backdoor
Links: ISS-065
ID: ae-200010-044

ISS has discovered over 800 computers infected with the SubSeven DEFCON8 2.1 backdoor. This backdoor is an updated version of SubSeven. It has been distributed on Usenet newsgroups with file names such as "SexxxyMovie.mpeg.exe". It seems that this tool is used to test new Distributed Denial-of-Service methods and strategies. Infected parties can identify this version of the SubSeven backdoor by verifying that TCP port 16959 is listening and that a connection to that port responds with "PWD". The SubSeven 2.1 client can be used to connect to the infected machine using the password "acidphreak". To remove the server, go to the Connection menu, select Server options, and click the Remove server button.
Further information can be found in the advisory.

System: many systems
Topic: New ISS Summary
Links: ISS
ID: ae-200010-043

Within the last month, 91 (!) new vulnerabilities were found:

- apache-rewrite-view-files
- win2k-simplified-chinese-ime
- xinitrc-bypass-xauthority
- slashcode-default-admin-passwords
- quotaadvisor-quota-bypass
- hinet-ipphone-get-bo
- netscape-ie-password-dos
- traceroute-heap-overflow
- glibc-unset-symlink
- lpr-checkremote-format-string
- netscape-messaging-list-dos
- palm-weak-encryption
- mediaplayer-outlook-dos
- unixware-scohelp-format
- ie-getobject-expose-files
- webplus-example-script
- lprng-format-string
- openview-nmm-snmp-bo
- alabanza-unauthorized-access
- pine-check-mail-bo
- ciscosecure-tacacs-dos
- suse-installed-packages-exposed
- ciscosecure-csadmin-bo
- ciscosecure-ldap-bypass-authentication
- rbs-isp-directory-traversal
- wincom-lpd-dos
- webplus-reveal-path
- webplus-expose-internal-ip
- webplus-reveal-source-code
- du-kdebugd-write-access
- glint-symlink
- mdaemon-url-dos
- browsegate-http-dos
- klogd-format-string
- office-dll-execution
- cisco-pix-smtp-filtering
- horde-imp-sendmail-command
- exchange-store-dos
- doublevision-dvtermtype-bo
- sambar-search-view-folder
- camshot-password-bo
- websphere-header-dos
- win2k-telnet-ntlm-authentication
- http-cgi-multihtml
- hp-openview-nnm-scripts
- freebsd-eject-port
- webtv-udp-dos
- imp-attach-file
- fastream-ftp-dos
- fur-get-dos
- 602prolan-telnet-dos
- 602prolan-smtp-dos
- as400-firewall-dos
- eftp-bo
- eftp-newline-dos
- sco-help-view-files
- win2k-rpc-dos
- mailform-attach-file
- linux-mod-perl
- pam-authentication-bo
- siteminder-bypass-authentication
- mailto-piped-address
- winsmtp-helo-bo
- yabb-file-access
- linux-tmpwatch-fork-dos
- muh-log-dos
- documentdirect-username-bo
- documentdirect-get-bo
- documentdirect-user-agent-bo
- interbase-query-dos
- suse-apache-cgi-source-code
- phpphoto-dir-traverse
- apache-webdav-directory-listings
- eudora-path-disclosure
- phpphotoalbum-getalbum-directory-traversal
- lpplus-permissions-dos
- lpplus-process-perms-dos
- lpplus-dccscan-file-read
- xmail-long-apop-bo
- xmail-long-user-bo
- w2k-still-image-service
- irc-trinity
- wftpd-long-string-dos
- wftpd-path-disclosure
- iis-invald-url-dos
- screen-format-string
- ntmail-incomplete-http-requests
- wavelink-authentication
- php-file-upload
- unix-locale-format-string
- aix-clear-netstat

System: Debian Linux
Topic: Vulnerability in boa - and NO vulnerability in esound
Links: Debian201008, Debian201009
ID: ae-200010-042

Debian points out that the vulnerability in esound, which was found in many Linux distributions, does not affect Debian Linux. However, a vulnerability was found in boa: in versions of boa before 0.94.8.3, it is possible to access files outside of the server's document root by means of specially constructed URL requests. Patches are available now.

System: OpenLinux
Topic: Vulnerabilities in mod_rewrite and ncurses
Links: CSSA-2000-035, CSSA-2000-036
ID: ae-200010-041

Caldera reports a hole in the Apache HTTP server, which comes with a module named mod_rewrite. This module can be used to rewrite URLs presented by the client before further processing. The processing logic in mod_rewrite contains a flaw that allows attackers to view arbitrary files on the server system. A patch is available now.
Another security hole has been found in ncurses. Due to a buffer overflow, local users may gain more rights than intended. A patch has been published for this problem as well.

System: Microsoft Windows 9x, Me
Topic: Vulnerability caused by Share Level Password
Links: MS-072, ERS-2000.243, WinITSec
ID: ae-200010-040

Microsoft Windows 9x/Me provides a password protection feature referred to as (share level access) for the File and Print Sharing service. Due to the way the password feature is implemented, a file share could be compromised by an attacker who uses a special client utility, without knowing the entire password required to access that share. Patches are available for Microsoft Windows 98 and 98 Second Edition and Microsoft Windows Me. A patch for Windows 95 will follow.

System: Linux Mandrake
Topic: Vulnerabilities in modutils, openssh, logrotate/sysklogd, and apache
Links: MDKA-2000:010, MDKSA-2000:057, MDKA-2000:009, MDKSA-2000:060
ID: ae-200010-039

There was a problem with modutils crashing constantly when used in higher Linux-Mandrake security levels due to a problem with the libsafe library which is used in those higher security levels. A problem exists with openssh's scp program. If a user uses scp to move files from a server that has been compromised, the operation can be used to replace arbitrary files on the user's system. The problem is made more serious by setuid versions of ssh which allow overwriting any file on the local user's system. There is a problem with logrotate because the archives are never removed and can cause the device to fill up. The Apache web server comes with a module called mod_rewrite which is used to rewrite URLs presented by the client prior to further processing. There is a flaw in the mod_rewrite logic that allows an attacker to view arbitrary files on the server system if they contain regular expression references. Patches are available now.

System: Microsoft Windows 9x, Me
Topic: DoS caused by Malformed IPX NMPI Packets
Links: MS-073, ERS-2000.244
ID: ae-200010-038

The Microsoft IPX/SPX protocol implementation (NWLink) includes an NMPI (Name Management Protocol on IPX) listener that will reply to any requesting network address, even to a network broadcast address. Such a reply would in turn cause other IPX NMPI listener programs to also reply. This sequence of broadcast replies could generate a large amount of unnecessary network traffic - which means a Denial-of-Service. Microsoft has published patches for Microsoft Windows 95, Microsoft Windows 98 and 98 Second Edition, and Microsoft Windows Me.

System: Microsoft Windows 98, Me
Topic: DoS in WebTV for Windows
Links: MS-074, WinITSec, ERS-2000.246
ID: ae-200010-037

There is a Denial-of-Service vulnerability in WebTV for Windows that may allow an attacker to remotely crash the WebTV for Windows application and/or the computer system running it. Microsoft has published patches for Windows 98 and 98SE as well as for Windows Me.

System: many Linux
Topic: Data Overflow in Xlockmore
Links: L-001
ID: ae-200010-036

An implementation flaw in xlock allows global variables in the initialized data section of memory to be overwritten. This opens a security hole where local users can view the contents of xlock's memory, including the shadowed password file, after root privileges have been dropped. Which Linux distributions are affected is pointed out in the advisory. An official xlockmore patch has been released.

System: SuSE Linux
Topic: Vulnerability in esound
Links: SUSE111000
ID: ae-200010-035

SuSE Linux 6.3 and higher are also affected by the race condition in esound, the sound player for the Gnome desktop. Patches have now been published; they are pointed out in the advisory.

System: Microsoft Win32 operating environment and IE
Topic: Vulnerability in Virtual Machine
Links: MS-075, WinITSec, ERS-2000.247
ID: ae-200010-034

The Microsoft Virtual Machine (VM) is used in Windows 95, 98, Windows Me, Windows NT 4.0, and Windows 2000. It's part of the Microsoft Internet Explorer.
This VM contains functionality that allows ActiveX controls to be created and manipulated by Java applications or applets. A security hole allows ActiveX controls to be created and used from a web page, or from within an HTML-based E-Mail message, without requiring a signed applet. If a user visited a web site that exploited this vulnerability, a Java applet on one of the web pages could run any desired ActiveX control, even ones that are marked as unsafe for scripting. This would enable a web site operator to take any desired action on the user's machine.
Patches have been published for the different versions of the VM: for the 2000 series a patch will be published soon; users of the others should upgrade to build 3318 or later.

System: Microsoft Internet Explorer 4.x, 5.x
Topic: Vulnerability by Cached Web Credentials
Links: MS-076, WinITSec, ERS-2000.248
ID: ae-200010-033

When a user authenticates to a secured web page via Basic Authentication, IE caches the userid and password that were used, in order to minimize the number of times the user must authenticate to the same site. By design, IE should only send the cached credentials to secured pages on the site. However, it will actually send them to non-secure pages on the site as well. This can be used for exploiting the user's account. A patch has been published by Microsoft. It requires IE 5.01 SP1. IE 5.5 is not affected by this problem.

System: OpenLinux
Topic: Vulnerability in PHP
Links: CSSA-2000-037
ID: ae-200010-032

As Caldera reports, there is a format bug in the logging code of the mod_php3 module. It uses apache's aplog_error function, passing user-specified input as the format string. This can be exploited by a remote attacker to execute arbitrary shell commands under the HTTP server account (user httpd). A patch is available now.

System: Debian Linux
Topic: Vulnerabilities in traceroute, curl and curl-ssl, nis, php3, and php4
Links: Debian201013, Debian201013a, Debian201014, Debian201014a, Debian201014b
ID: ae-200010-031

Traceroute packages before 1.4a5-3 give local users a chance to gain root access by exploiting an argument parsing error. The version of curl distributed with Debian GNU/Linux 2.2 has a bug in the error logging code: when it creates an error message, it fails to check the size of the buffer allocated for storing the message. This could be exploited by the remote machine returning an invalid response to a request from curl, which overflows the error buffer and tricks curl into executing arbitrary code. The version of nis distributed in Debian GNU/Linux 2.1 and 2.2 contains a ypbind package with a security problem. In versions of the PHP 3 packages before version 3.0.17 and PHP4 before 4.0.3, several format string bugs could allow properly crafted requests to execute code as the user running PHP scripts on the web server, particularly if error logging was enabled. Patches are available now.

System: Microsoft Windows 2000 and Windows NT 4.0
Topic: Vulnerability in NetMeeting
Links: MS-077, ERS-2000.250, WinITSec
ID: ae-200010-030

A remote Denial-of-Service vulnerability has been discovered in a component of NetMeeting. The DoS can occur when an attacker sends a particular malformed string to a port which the NetMeeting service is listening on and with Remote Desktop Sharing enabled. It's recommended to install the patch provided by Microsoft.

System: Linux Mandrake
Topic: Vulnerabilities in cfengine and mod_php3
Links: MDKSA-2000:061, MDKSA-2000:062
ID: ae-200010-029

The GNU cfengine is an abstract programming language for system administrators of large heterogeneous networks, used for maintenance and administration. There are a number of string format vulnerabilities in syslog() calls that can be abused either to make the cfengine program segfault and die or to execute arbitrary commands as the user the cfengine program runs as (usually root). PHP version 3 as shipped with Linux-Mandrake is vulnerable to format string attacks due to logging functions that make improper use of the syslog() and vsnprintf() functions. This renders PHP3-enabled servers vulnerable to compromise by remote attackers. Patches are available now.

System: FreeBSD
Topic: Vulnerability in LPRng
Links: L004
ID: ae-200010-028

A vulnerability exists in the use of the syslog(3) function in LPRng, versions prior to 3.6.24. By exploiting this vulnerability it is possible to gain root access to the system, both locally and remotely. It is recommended to de-install the software or to install a patch.

System: many Linux
Topic: Vulnerability in tmpwatch
Links: L005, RHSA-2000:080
ID: ae-200010-027

The tmpwatch utility is used in Red Hat and other Linux distributions to remove temporary files. This utility has an option to call the "fuser" program, which verifies whether a file is currently opened by a process. The fuser program is invoked within tmpwatch by calling the system() library subroutine. Insecure handling of the arguments to this subroutine could potentially allow an attacker to execute arbitrary commands as root. Patches are available now (for Red Hat see RHSA-2000:080).

System: HP-UX
Topic: Vulnerabilities in VVOS NSAPI, lpspooler, ftpd, and Praesidium Web Proxy 1.0
Links: HP Security Bulletin #00124, HP Security Bulletin #00125, HP Security Bulletin #00117/3, HP Security Bulletin #00126, ERS-2000.249, ERS-2000.252, ERS-2000.253, ERS-2000.254, L-006
ID: ae-200010-026

HP9000 Series 7/800 running HP-UX 10.24 and 11.04 (VVOS) with VirtualVault are vulnerable to a DoS attack: the NSAPI plugin versions of the TGA and the Java Servlet proxy show high CPU utilization under certain conditions. The lpspool subsystem of HP9000 running HP-UX 10.XX and 11.XX has a security hole which allows users to increase their privileges. As reported before, ftpd has a security hole that can be exploited by users to gain root access; HP has published new patches. Apache 1.3.12, included in the HP Praesidium Web Proxy, contains a vulnerability: users can gain unauthorized file access if the proxy is used to serve static web pages that exist on the VirtualVault. How to increase security is described in the advisory. For the other problems, it is recommended to install the patches published by Hewlett Packard:

System       Patch-IDs
HP-UX 10.01  PHCO_22365, PHNE_22058
HP-UX 10.10  PHCO_22411, PHNE_22058
HP-UX 10.20  PHCO_22364, PHNE_22057
HP-UX 10.24  PHSS_22187, PHNE_22059
HP-UX 11.00  PHCO_22365, PHNE_21936
HP-UX 11.04  PHNE_22060

System: WinU
Topic: Backdoor Passwords found
Links: WinITSec
ID: ae-200010-025

In all versions of WinU backdoor passwords have been found. At the moment there is no workaround or patch available. A demonstration is shown in the advisory.

System: Wingate
Topic: Vulnerability by Exposed File-System
Links: WinITSec
ID: ae-200010-024

The Wingate log file server (versions 2.1, 3.0, 4.01, 4.1beta) allows logs to be viewed remotely via HTTP. A vulnerability found in this process can allow an attacker to retrieve files other than the log files. A demonstration is shown in the advisory; a patch is not available yet.

System: Microsoft IIS 4.0 and 5.0
Topic: Vulnerability by Web Server Folder Traversal
Links: MS-078, ERS-2000.251, WinITSec, L-007, ASB00-26
ID: ae-200010-023

Due to a canonicalization error in the Internet Information Server 4.0 and 5.0, a particular type of malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders. This would potentially enable an attacker to gain additional privileges on the machine. Further information can be found in the advisories. Microsoft has published a patch for IIS 4.0 and 5.0.

System: TransSoft
Topic: DoS in TransSoft Broker FTP Server
Links: WinITSec
ID: ae-200010-022

TransSoft's Broker FTP Server 3.x and 4.x is vulnerable to a buffer overflow that can allow an attacker to consume all available memory and computing resources. A demonstration is shown in the advisory and TransSoft has published a patch.

System: Turbo Linux
Topic: Vulnerability in traceroute
Links: TLSA2000023
ID: ae-200010-021

There is a bug in the traceroute command that can possibly be used by local users to obtain super user privileges. A patch is available now.

System: Red Hat Linux 5.x, 6.x, 7.0
Topic: Vulnerability in ping, ypbind, gnupg, curl, apache, php, mod_perl, and auth_ldap
Links: RHSA-2000:087, ERS-2000.255, RHSA-2000:086, L-009, RHSA-2000:089, ERS-2000.256, ERS-2000.258, RHBA-2000:092, ERS-2000.259, RHSA-2000:088, ERS-2000.260
ID: ae-200010-020

Several problems in ping were fixed: root privileges are now dropped after acquiring a raw socket; an 8 byte overflow of the static buffer "outpack" is prevented; an overflow of the static buffer "buf" is prevented; and a non-exploitable root-only segfault is fixed as well. The logging code in ypbind is vulnerable to a printf string format attack that may lead to local root access. If not needed, it is recommended to remove ypbind. A problem has been found in GnuPG versions up to and including 1.0.3: GnuPG may report files which have been signed with multiple keys (one or more of which may be incorrect) to be valid even if one of the signatures is invalid. A bug in some versions of curl would cause it to incorrectly parse error responses from FTP servers. For apache, php, mod_perl, and auth_ldap new packages are available as well; links to the packages are given in the advisories.

System: Linux Mandrake
Topic: Vulnerability in Apache
Links: MDKSA-2000:060-1, MDKSA-2000:060-2
ID: ae-200010-019

The Apache web server comes with a module called mod_rewrite which is used to rewrite URLs presented by the client prior to further processing. There is a flaw in the mod_rewrite logic that allows an attacker to view arbitrary files on the server system if they contain regular expression references. Patches are available now.

System: OpenLinux
Topic: Vulnerability in gnupg
Links: CSSA-2000-038
ID: ae-200010-018

As Caldera reports, there is a bug in the signature verification of GNUpg, the GNU replacement for PGP. Normally, signature verification with gnupg works as expected; gnupg properly detects when digitally signed data has been tampered with. Affected is OpenLinux eDesktop 2.4 only, a patch is available.

System: Microsoft Windows 98 (incl. SE), Me, and 2000
Topic: Security hole by HyperTerminal Buffer Overflow
Links: MS-079, L-008, WinITSec, ERS-2000.257
ID: ae-200010-017

Hilgraeve HyperTerminal is shipped with Microsoft Windows 2000, Windows ME, Windows 98SE, and Windows 98. A buffer overrun has been discovered in the HyperTerminal Telnet module that can allow a malicious user to launch arbitrary commands. This exploit, in theory, could be launched remotely by way of an E-Mail containing the buffer overrun. A demonstration is available as well as patches by Microsoft for Windows 98, Me, and 2000.

System: Microsoft Internet Explorer 5.5, Outlook Express and Outlook
Topic: Vulnerability by Remote File Reading
Links: WinITSec
ID: ae-200010-016

As Georgi Guninski reports, a vulnerability could allow an attacker to read local files, arbitrary URL's, and local directory structure. A demonstration is available at http://www.guninski.com/javacodebase1.html - but not yet a patch.

System: Allaire
Topic: Vulnerabilities in JRun
Links: ASB00-27, ASB00-28, ASB00-29
ID: ae-200010-015

The JRun HTTP Server 3.0 and 2.3.3 may improperly handle leading path-specifying characters and a deliberately malformed URI will allow browser access to otherwise-forbidden JRun resources. In addition to that, using JRun 2.3.3 it's possible to insert executable code in the form of JSP tags and cause the code to be compiled and executed using JRun's handlers. Patches are available and pointed out in the advisory.

System: Microsoft IIS 4.0 and 5.0
Topic: Vulnerability by Session ID Cookie Marking
Links: MS-080, WinITSec, ERS-2000.261, L-010
ID: ae-200010-014

The Internet Information Server supports the use of a Session ID cookie to track the current session identifier for a web session. ASP in IIS does not support the creation of secure Session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same web site use the same Session ID. If a user initiated a session with a secure web page, a Session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same Session ID cookie would be exchanged, this time in plaintext. It is recommended to install the patches for IIS 4.0 and 5.0.

System: Element InstantShop
Topic: Vulnerability by Price Modification
Links: WinITSec
ID: ae-200010-013

Element InstantShop is vulnerable to price modification. A malicious user could modify the pricing information before submitting the order form. A demonstration is shown in the advisory.

System: Sun Microsystems
Topic: Problems with Browser Certificates: Sun Security Bulletin
Links: #00198, CA-2000-19, L-013, S-00-48
ID: ae-200010-012

Web browsers accept security certificates from trusted sources. A specific certificate from Sun may have received outside exposure. Affected are the certificates with these identifiers:
3181 B12D C422 5DAC A340 CF86 2710 ABE6 (Internet Explorer)
17:05:FB:13:A2:2F:9A:F3:C1:30:F5:62:6E:12:50:4C (Netscape)
Sun Microsystems recommends following the guidelines given in the bulletin.

System: HP-UX
Topic: Vulnerability in bdf and df
Links: HP Security Bulletin #00127, ERS-2000.262, L-011, S-00-46
ID: ae-200010-011

On HP9000 servers running HP-UX releases 10.XX and 11.XX, bdf(1m) and df(1m) can be misused by local users to gain unauthorized privileges. It's recommended to install the patches provided by Hewlett Packard; further information can be found in the advisory.

System: many systems
Topic: Vulnerability in Oracle listener program
Links: ISS-066
ID: ae-200010-010

The Oracle listener program releases 7.3.4, 8.0.6, and 8.1.6 on all platforms accept remote commands from remote listener controllers. This is protected by a password, but the default Oracle installation does not require a password to be set for the listener program. If no password has been set, the Oracle listener program can be remotely configured to append log information to a file. Due to a problem with the SET TRC_FILE and SET LOG_FILE commands, these values can be changed to any file name. This allows an attacker to create a new file or corrupt an existing file. A patch to fix this bug (ID 1361722) should be installed soon.

System: Linux Mandrake
Topic: Vulnerabilities in ypbind, ypserv, and gnupg
Links: MDKSA-2000:064, MDKSA-2000:063
ID: ae-200010-009

A format string parsing bug exists in ypbind 3.3 if it is run in debug mode, which leaks file descriptors under certain circumstances and can lead to a DoS. In addition, ypbind may suffer from buffer overflows. A problem exists in all versions of GnuPG prior to and including 1.0.3: it may report files which have been signed with multiple keys (one or more of which may be incorrect) to be valid even if only one of the signatures is in fact valid. Updates are available now.

System: Microsoft Win32 operating environment and IE
Topic: Security risk in Virtual Machine
Links: MS-081, ERS-2000.264
ID: ae-200010-008

The Microsoft VM is a virtual machine for the Win32 operating environment. It runs atop Microsoft Windows 95, 98, Me, Windows NT 4.0, and Windows 2000. It also ships as part of Microsoft Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. An attacker could write a Java applet that reads arbitrary files from the computer of a person who visits his site, or reads web content from inside an intranet if the malicious site is visited by a computer from within that intranet.
Microsoft has published a patch for the 3000-series VM included in Internet Explorer 5.x. A patch for the 2000-series (included in Internet Explorer 4.x) will be published soon. Microsoft recommends an update to IE 5.x.

System: Cisco IOS
Topic: Denial-of-Service caused by HTTP service
Links: Cisco, ERS-2000.263, L-012, S-00-47
ID: ae-200010-007

For IOS 12.0 to 12.1 with the HTTP service enabled, another denial-of-service condition has been found. When a URI containing "?/" is presented to the HTTP service on the router and a valid enable password is supplied, the router enters an infinite loop. A watchdog timer expires two minutes later and forces the router to crash and reload. The router remains vulnerable to this defect as long as it is running an affected IOS software release and the enable password is known - that is, known, guessed or never set by the administrator. An update is available.
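Until the update is installed, requests carrying the "?/" pattern towards router management addresses are worth watching for. The following is an added example, not from the Cisco advisory: a small detector that parses access-log lines in Common Log Format, as a proxy or IDS placed in front of the management network might record them (IOS itself writes no such log), and aggregates the matching requests per source address. The log lines, addresses and timestamps are constructed.

```python
"""Detect HTTP requests with "?/" in the URI directed at router management interfaces.

Added example, not part of the advisory. The access-log sample is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Common Log Format: src ident user [timestamp] "METHOD URI PROTO" status
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}|-)'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def loop_trigger_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, timestamp, uri) for every request whose URI contains "?/"."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        if "?/" in rec["uri"]:
            hits.append((rec["src"], rec["ts"], rec["uri"]))
    return hits


def hits_per_source(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count matching requests per source address; repeated hits from one
    address are the ones to follow up first."""
    return dict(Counter(src for src, _, _ in hits))


# constructed proxy log in front of a router's HTTP service; "-" marks a request
# that never received an answer, as would happen if the router hung and reloaded
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2000:10:01:02 +0200] "GET /index.html HTTP/1.0" 200
10.0.0.9 - - [13/Oct/2000:10:01:30 +0200] "GET /?/ HTTP/1.0" 401
10.0.0.9 - - [13/Oct/2000:10:02:01 +0200] "GET /status?/ HTTP/1.0" -
this line is not in CLF and is skipped
10.0.0.7 - - [13/Oct/2000:10:03:15 +0200] "GET /help.html?topic=intro HTTP/1.0" 200
"""

if __name__ == "__main__":
    found = loop_trigger_requests(SAMPLE_LOG)
    for src, ts, uri in found:
        print(f"{ts} {src} requested {uri}")
    print("per source:", hits_per_source(found))
```

A query string on its own (the `/help.html?topic=intro` line) is not reported; only the literal "?/" sequence named in the advisory is. Because the loop requires a valid enable password, a hit is also a reason to review who knows that password and whether one was ever set.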

System: NetBSD
Topic: Vulnerabilities in NIS, cfengine, Global-3.55, and passwd/libutil
Links: NetBSD, ERS-2000.265, ERS-2000.266, ERS-2000.267, ERS-2000.268
ID: ae-200010-006

NIS client nodes may be vulnerable to a remote buffer overflow attack. The cfd daemon in GNU CFEngine contains several format string vulnerabilities in syslog() calls. When using the CGI interface of the Global v3.55 package, it's possible to execute arbitrary commands. The pw_error() function of the system libutil library, used by several programs including the setuid passwd program, is vulnerable to a format string attack. Patches are available now and should be installed as soon as possible.

System: Red Hat Linux 6.x, 7.0
Topic: Vulnerabilities in cyrus-sasl and Secure Web Server
Links: ERS-2000.269, ERS-2000.270
ID: ae-200010-005

An error has been found in the authorization checks of the cyrus-sasl version shipped with Red Hat Linux 7. Due to this bug, users who are successfully authenticated could be granted access to resources even if the system had been configured to deny these users access. Security bugs in versions of Apache prior to 1.3.14 also affect Secure Web Server.

System: IBM AIX 3.2.x - 4.3.x
Topic: Vulnerability in locale
Links: L-014
ID: ae-200010-004

AIX allows a user-specified locale file to be used for displaying messages. Due to a format string vulnerability in locale, local users may gain root access to the system. IBM is working on a patch; a temporary fix is available.
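The cfengine syslog() calls, the libutil pw_error() function and the AIX locale handling above share one defect pattern: a string that an unprivileged user can influence is passed to a printf-family function as the format argument instead of as data. The following is an added example, not code from any of these projects: a small checker that scans C source lines for printf-, err- and syslog-family calls whose format argument is not a string literal, which is the review rule that catches this class of bug. The C sample lines are constructed; the function table lists only standard C and BSD functions and the position of their format argument.

```python
"""Flag printf-family calls whose format argument is not a string literal.

Added example, not from the advisories. The C sample below is constructed.
"""
import re
from typing import List, Optional, Tuple

# function name -> index of its format argument (standard C / BSD signatures)
FMT_FUNCS = {
    "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
    "syslog": 1, "vsyslog": 1,
    "err": 1, "errx": 1, "warn": 0, "warnx": 0,
}
CALL_RE = re.compile(r"\b(" + "|".join(FMT_FUNCS) + r")\s*\(")


def extract_call_args(text: str, start: int) -> Optional[List[str]]:
    """text[start] is the opening '(' of a call; return its top-level arguments
    as strings, honouring nested parentheses and string literals."""
    depth, in_str, esc = 0, False, False
    args: List[str] = []
    cur: List[str] = []
    for ch in text[start:]:
        if in_str:
            cur.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return None  # unbalanced call, e.g. continued on the next line


def find_format_string_risks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, function, format argument) for each call whose
    format argument is a variable or expression rather than a literal."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            args = extract_call_args(line, m.end() - 1)
            if args is None:
                continue
            idx = FMT_FUNCS[m.group(1)]
            if idx < len(args) and not args[idx].startswith('"'):
                findings.append((lineno, m.group(1), args[idx]))
    return findings


# constructed C lines; 'msg' and 'errmsg' stand for user-influenced strings
SAMPLE_C = r'''
syslog(LOG_ERR, "cfd: %s", msg);            /* literal format: fine */
syslog(LOG_ERR, msg);                       /* user string used as the format */
fprintf(stderr, msg);                       /* same problem */
printf("%s\n", msg);                        /* fine */
snprintf(buf, sizeof buf, errmsg);          /* same problem */
warnx("%s", msg);                           /* fine */
'''

if __name__ == "__main__":
    for lineno, func, arg in find_format_string_risks(SAMPLE_C):
        print(f"line {lineno}: {func}() takes '{arg}' as format; use \"%s\", {arg} instead")
```

The fix the checker points at is the same in every case: pass the string through a literal `"%s"` format, so that any `%` sequences inside it are printed rather than interpreted.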

System: OpenLinux
Topic: Vulnerability in ypbind
Links: CSSA-2000-039
ID: ae-200010-003

There are several security problems in ypbind, the daemon used by NIS clients for binding to their NIS server(s). First, there is a potential buffer overflow; it is not clear whether it is possible to exploit it at all. Second, there is a denial of service attack against ypbind that can make it run out of file descriptors. A patch is available now.

System: Microsoft Windows NT and 2000
Topic: Buffer Overflow in Network Monitor
Links: ISS-067
ID: ae-200010-002

A vulnerability caused by a remotely exploitable buffer overflow condition in one of Network Monitor's protocol parsers has been found. This may allow a remote attacker to gain privileged access and execute arbitrary code on any machine running Network Monitor that displays captured data.

System: Microsoft IIS with Index Server
Topic: Vulnerability caused by .HTW-Files
Links: WinITSec
ID: ae-200010-001

Georgi Guninski has discovered a security issue that he believes is present in Internet Information Server 5.0. By using specifically designed URLs, a malicious attacker could retrieve specific content. One such scenario could lead to cookie stealing: the user sends a URL to an Internet Information Server with the Microsoft Index Server installed, and this URL contains JavaScript which is executed on the server. Microsoft is working on a patch.



(c) 2000-2013 AERAsec Network Services and Security GmbH