|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Security Fix for Blackboard CourseInfo 4.0
From: aleph1
securityfocus.comDate: Wed Jul 19 2000 - 17:19:04 CDT
- Next message: COVERT Labs: "[COVERT-2000-08] O'Reilly WebSite Professional Overflow"
- Previous message: Per Hoff: "Re: CheckPoint FW1 BUG"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
----- Forwarded message from Daniel Cane <dcaneblackboard.com> -----
Message-ID: <FB48B8939127D411B07700B0D04903323B6E0Abbmail1.blackboard.net>
From: Daniel Cane <dcaneblackboard.com>
To: "'aleph1securityfocus.com'" <aleph1securityfocus.com>
Subject: RE: Security Fix for Blackboard CourseInfo 4.0
Date: Wed, 19 Jul 2000 16:18:50 -0400
X-Mailer: Internet Mail Service (5.5.2650.21)
I would love you to. There has also been some traffic about some other bugs
which have been fixed in previous versions. Could you post the following:
-----------
Blackboard has recently learned about a possible security issue with
Microsoft NT that could impact Blackboard customers running Blackboard
CourseInfo 4.0 with Microsoft NT. This combination does NOT affect clients
using CourseInfo 4.0 on Unix or any client who has upgraded to Blackboard 5.
In collaboration with Microsoft, the Blackboard product development team has
developed a fix that will generate the level of security that our customers
expect. The patch encrypts the information that Blackboard stores within
the System Registry.
You can have direct access to the download at
http://company.blackboard.com/Support/files/Courseinfo4hotfix.exe.
The patch is also available by following these instructions:
o Go to http://support.blackboard.com
o Go to the "System Administrator Support" area and login with your user ID
and password
o Click on "What's New"
o Click the item titled: "NT Security Encryption Patch"
Once the patch has been downloaded, follow the regular procedures to upgrade
your server.
Also, if you have not already done so, it is suggested that you protect your
registry from network access since the default permissions within the
Windows NT Server do not restrict who has remote access to the registry.
Microsoft has provided detailed instructions at
(http://www.microsoft.com/TechNet/security/c2config.asp#25).
Additionally, there have been messages floating around the net regarding the
ability for users to change each other's passwords and change their security
level within the software. As of the February 2000 release of the software,
Build 408 of CourseInfo 4.0, the security questions concerns mentioned on
several listservs by which unauthorized users can change passwords or
upgrade roles through circumventing the user interface and posting directly
to the application itself do not exist.
Blackboard continues its mission to provide the best possible online
academic teaching and learning experience possible. If you have any
questions about this patch or the upgrade, please feel free to contact our
Technical Support Line at (888) 788-5264.
Thanks!
Daniel Cane
Senior Vice President
Advanced Research and Development
Blackboard, Inc.
1899 L St. NW
5th Floor
Washington, DC 20036
202-463-4860 ext. 204 (voice)
202-463-4863 (fax)
dcaneblackboard.com
http://www.blackboard.com/
-----Original Message-----
From: aleph1securityfocus.com [mailto:aleph1securityfocus.com]
Sent: Wednesday, July 19, 2000 3:47 PM
To: Daniel Cane
Subject: Re: Security Fix for Blackboard CourseInfo 4.0
Daniel,
Care to post this information to the BUGTRAQ mailing list as well?
Its at bugtraqsecurityfocus.com. Thanks.
* Daniel Cane (dcaneBLACKBOARD.COM) [000718 20:24]:
> To whom it may concern:
>
> Blackboard has recently learned about a possible security issue with
> Microsoft NT that could impact Blackboard customers running Blackboard
> CourseInfo 4.0 with Microsoft NT. This combination does NOT affect
clients
> using CourseInfo 4.0 on Unix or any client who has upgraded to Blackboard
5.
>
>
> The Blackboard product development team has developed a fix that will
> generate the level of security that our customers expect. The patch
> encrypts the information that Blackboard stores within the System
Registry.
>
>
> You can have direct access to the download at
> http://company.blackboard.com/Support/files/Courseinfo4hotfix.exe
> <http://company.blackboard.com/Support/files/Courseinfo4hotfix.exe> .
>
> The patch is also available by following these instructions:
> o Go to http://support.blackboard.com
<http://support.blackboard.com>
> o Go to the "System Administrator Support" area and login with your
> user ID and password
> o Click on "What's New"
> o Click the item titled: "NT Security Encryption Patch"
> Once the patch has been downloaded, follow the regular procedures to
upgrade
> your server.
>
> Also, if you have not already done so, it is suggested that you protect
your
> registry from network access since the default permissions within the
> Windows NT Server do not restrict who has remote access to the registry.
> Microsoft has provided detailed instructions at
> (http://www.microsoft.com/TechNet/security/c2config.asp#25
> <http://www.microsoft.com/TechNet/security/c2config.asp#25> ).
>
> Blackboard continues its mission to provide the best possible online
> academic teaching and learning experience possible. If you have any
> questions about this
> patch or the upgrade, please feel free to contact our Technical Support
Line
> at (888) 788-5264.
>
> Regards,
>
> Blackboard, Inc.
-- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum----- End forwarded message -----
-- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum
- Next message: COVERT Labs: "[COVERT-2000-08] O'Reilly WebSite Professional Overflow"
- Previous message: Per Hoff: "Re: CheckPoint FW1 BUG"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]