----------------------------------------------------------------------

Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)

If not, then implement it through the most reliable vulnerability
intelligence source on the market.

Implement it through Secunia.

For more information visit:
http://secunia.com/advisories/business_solutions/

Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities. Contact us at:
sales@secunia.com

----------------------------------------------------------------------

TITLE:
Windows Active Directory Federation Services Two Vulnerabilities

SECUNIA ADVISORY ID:
SA37542

VERIFY ADVISORY:
http://secunia.com/advisories/37542/

DESCRIPTION:
Two vulnerabilities have been reported in Microsoft Windows, which can
be exploited by malicious users to impersonate other users or to
compromise a vulnerable system.

1) Improper session management in Active Directory Federation Services
(ADFS) can be exploited to impersonate a user on a website that uses
the single sign-on functionality.

Successful exploitation requires that an attacker is able to obtain
access to a used authentication token.

2) An unspecified error in ADFS when processing request headers can be
exploited to execute arbitrary code with the privileges of the Worker
Process Identity (WPI) by sending a specially crafted HTTP request to
an ADFS-enabled web server.

SOLUTION:
Apply updates.

Windows Server 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=31351b9e-b5bb-4618-990b-1089ea5a3bc2

Windows Server 2003 x64 Edition SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=b6eb9d9b-1a43-4b30-a033-19a1db786244

Windows Server 2008 for 32-bit Systems (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?familyid=f6715abb-fd93-44ba-9854-2ecc672622da

Windows Server 2008 for x64-based Systems (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?familyid=7d1f5e9e-a7de-4f96-89c8-510fd51f16e7

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
MS09-070 (KB971726):
http://www.microsoft.com/technet/security/bulletin/MS09-070.mspx

OTHER REFERENCES:
http://support.microsoft.com/kb/971726

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
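The SOLUTION section above only says "Apply updates". A practitioner rolling out MS09-070 will also want to confirm that the fix actually landed on every ADFS host. The following script is an added example and is not part of the Secunia advisory or of any Microsoft tooling; it queries each server for the hotfix ID the advisory names (KB971726) using the built-in Get-HotFix cmdlet, which reads the Win32_QuickFixEngineering WMI class. The host names are constructed placeholders, and the script assumes WMI/RPC access to the targets with an account that can read installed updates.

```powershell
# Added example, not from the advisory: report whether the MS09-070 fix (KB971726)
# is installed on each ADFS server, so unpatched hosts can be scheduled for update.
$Kb = 'KB971726'

# Constructed placeholder host names; replace with the ADFS servers in your environment.
$AdfsServers = @('adfs01.example.local', 'adfs02.example.local')

foreach ($Server in $AdfsServers) {
    try {
        # Get-HotFix returns nothing (without an error) when the ID is not present,
        # so the absence of a result is treated as "fix not installed".
        $Fix = Get-HotFix -Id $Kb -ComputerName $Server -ErrorAction Stop

        if ($null -eq $Fix) {
            Write-Output ("{0}: {1} NOT installed - remediation pending" -f $Server, $Kb)
        }
        else {
            Write-Output ("{0}: {1} installed on {2}" -f $Server, $Kb, $Fix.InstalledOn)
        }
    }
    catch {
        # A connectivity or permission failure is reported separately so it is not
        # mistaken for a patched host.
        Write-Output ("{0}: query failed ({1})" -f $Server, $_.Exception.Message)
    }
}
```

Run it from an administrative PowerShell session on a management host that can reach the servers over WMI; hosts reported as "NOT installed" or "query failed" are the ones to follow up on before treating the advisory as closed.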