Subject: Network Computing Security Express #030
From: Network Computing Express (expresslist.nwc.com)
Date: Thu Feb 03 2000 - 09:02:01 CST

Network Computing Security Express #030
-- Number 030 (00.05) ----------------------------------------------------

Welcome to the latest edition of Security Express! Below you should
find only the information pertaining to the categories you requested.
Please bear in mind that you may have received little or no information
in particular categories--this means no security problems pertaining to
those categories were found this week. If you have any problems or
questions, please e-mail us at expressnwc.com.

Enjoy Security Express!


Some reports have surfaced of software vendors abusing e-mail for
product-registration purposes. FTPPro will e-mail abuse for every
FTP server the user uses after his or her product evaluation expires.
The Unix rzsz application will e-mail the creators usage statistics until
you register the product.

Windows 2000 is almost upon us. To mark its forthcoming release, Microsoft
has released the first Win2K hotfix (MS00-006).

Until next week,
-Security Express Team



Key Area: Windows
Key Element: Information Publishing

{00.06.002} MS00-006: "Malformed Hit-Highlighting Argument" patch
Microsoft has released MS00-006, a patch for the "Malformed
Hit-Highlighting Argument" vulnerability. The patch fixes a bug in
IIS's handling of .htw files that may result in an attacker reading any
file on the drive that contains your Web root.

-Patch and FAQ:

Source: Microsoft


{00.06.009} Tiny FTPd buffer overflow
Tiny FTPd version 0.52 beta3 has many buffer overflows in various FTP
commands that let a remote attacker execute arbitrary code.

-No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0451.html


Key Area: Windows
Key Element: Applications

{00.06.007} MS00-007: "Recycle Bin Creation" patch
Microsoft has released MS00-007, a patch for the "Recycle Bin Creation"
vulnerability. The patch fixes a problem in NT version 4.0 that allows a
local user to gain modify- and write-control of another user's recycle
bin. This makes it possible to read sensitive information that has been
thrown away (but not yet deleted), or to trojan applications that may be
restored from the recycle bin in the future.

-Patch and FAQ:
http://www.microsoft.com/technet/security/bulletin/fq00-007.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q1/0014.html


{00.06.008} MS Java VM allows reading of local files
Microsoft's Java Virtual Machine version 5.0 (release contains a
vulnerability in getSystemResourceAsStream() that results in a Java
applet being able to access local files on the system.

-No patches have been made available. We suggest you disable Java in your Web browser.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0448.html


{00.06.010} Malicious scripts can read Outlook Express e-mail
Outlook Express version 5 (and perhaps other versions) contains a bug
where a malicious e-mail can use active scripting to read any
consecutive e-mail opened from that point on.

-No patches have been made available. We suggest you disable active scripting.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0452.html


{00.06.013} RightFax Web server session hijacking
RightFax's Web-based fax server contains a vulnerability that allows a
user, once logged in, to hijack the sessions of other users by guessing
a predictable session ID.

-No patches have been made available. Product home page:
http://www.rightfax.com/

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0424.html
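The RightFax entry above turns on session IDs being guessable. As an added example (not RightFax code, and not from this newsletter), the block below contrasts a constructed counter-style ID scheme with IDs drawn from the operating system's CSPRNG, and gives a screening check a reviewer can run over a batch of IDs issued by any Web application to catch the sequential pattern. The `counter_session_ids` scheme is constructed for the demonstration; the entropy figure is a rough screening estimate, not a proof of randomness.

```python
"""Screening session identifiers for predictability and issuing
unpredictable ones. Added example; not code from RightFax or from the
newsletter. The counter-style generator is constructed to mimic the
guessable-ID pattern the advisory describes."""
import math
import secrets
from collections import Counter
from typing import Iterable, List


def counter_session_ids(start: int, count: int) -> List[str]:
    # Constructed weak scheme: a zero-padded incrementing counter. A user
    # who sees their own ID can trivially guess a neighbour's.
    return [f"{n:08d}" for n in range(start, start + count)]


def strong_session_id(nbytes: int = 32) -> str:
    # 32 bytes from the OS CSPRNG, URL-safe base64 encoded (43 chars).
    # secrets.token_urlsafe is the stdlib's recommended way to mint tokens.
    return secrets.token_urlsafe(nbytes)


def looks_sequential(ids: Iterable[str], max_step: int = 16) -> bool:
    """True if every ID parses as an integer and consecutive IDs differ by
    a small positive step, i.e. the next ID is trivially guessable."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    steps = [b - a for a, b in zip(nums, nums[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


def estimated_entropy_bits(ids: List[str]) -> float:
    """Rough per-ID entropy: Shannon entropy of the pooled character
    distribution multiplied by the average ID length. A screening figure
    only; structured IDs can score high and still be predictable."""
    pooled = "".join(ids)
    total = len(pooled)
    counts = Counter(pooled)
    per_char = -sum(c / total * math.log2(c / total) for c in counts.values())
    return per_char * (total / len(ids))


def audit(ids: List[str]) -> dict:
    """Summarise a batch of issued session IDs for review."""
    return {
        "sequential": looks_sequential(ids),
        "all_unique": len(set(ids)) == len(ids),
        "entropy_bits": round(estimated_entropy_bits(ids), 1),
    }


if __name__ == "__main__":
    weak = counter_session_ids(1000, 50)
    strong = [strong_session_id() for _ in range(50)]
    print("counter scheme :", audit(weak))
    print("CSPRNG tokens  :", audit(strong))
```

The sequential check is the part that would have flagged the scheme described above: a batch of IDs from a healthy implementation should never parse as a run of nearby integers, and any server-side session store should be keyed on tokens of at least 128 bits from a CSPRNG.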


{00.06.015} SyGate administration backdoor vulnerability
Sybergen's SyGate version 3.11 (build 560-562) contains an
Administration service, run on port 7323, that allows an attacker to stop
the SyGate service and abuse RAS connections. The built-in protection
mechanism for determining which interface (and therefore which segment)
to listen on for administration requests is flawed: it assumes the
segment that answers its DNS requests is the 'Internet' segment, so
using internal DNS servers will result in the administration port being
opened on the external (Internet) side.

-No patches have been made available. Installing Sybergen Secure Desktop
(SyShield) or enabling SyGate's "Enhanced Security" mode will disable
the remote administration interface. Product home page:
http://www.sybergen.com/

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0460.html


Key Area: Linux and BSD
Key Element: Applications

{00.06.011} apcd symlink attack
The apcd package shipped with Debian Linux contains a symlink
vulnerability where it will overwrite any file by following a symlink
from /tmp/upsstat. A local user can cause upsd to write to this file by
sending apcd a SIGUSR1 signal.

-Download patches:
-Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/apcd_0.6a.nr-4slink1_i386.deb
-Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/apcd_0.6a.nr-4slink1_m68k.deb
-Sun SPARC architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/apcd_0.6a.nr-4slink1_sparc.deb

Source: Debian
http://archives.neohapsis.com/archives/vendor/2000-q1/0015.html
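The apcd entry above is the classic shared-directory symlink problem: a daemon opens a fixed path in a world-writable directory, and a local user pre-plants a symlink there so the daemon's write lands on a file of the user's choosing. The block below is an added example (not apcd's code, and not from the Debian advisory) showing the unsafe open beside a hardened writer that refuses to follow a symlink and verifies what it actually opened before writing. The directory, the `victim.conf` file and the `upsstat` name are constructed for the demonstration.

```python
"""Writing a daemon status file without following a planted symlink.
Added example; not apcd's code. File and directory names are constructed
for the demonstration (a scratch directory stands in for /tmp)."""
import errno
import os
import shutil
import stat
import tempfile


def write_status_unsafe(path: str, contents: str) -> None:
    # Plain open() follows an existing symlink, so the write lands on
    # whatever the link points at. This is the pattern the advisory describes.
    with open(path, "w") as fh:
        fh.write(contents)


def write_status_safe(path: str, contents: str) -> None:
    # O_NOFOLLOW makes open() fail (ELOOP on Linux, EMLINK on some BSDs)
    # when the last path component is a symlink. O_TRUNC is deliberately
    # left out: we only truncate after checking what we opened.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o644)
    try:
        st = os.fstat(fd)
        # Refuse anything that is not a plain regular file we own: a device,
        # a file pre-created by another user, or a hard link to a victim file.
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, not us")
        if st.st_nlink != 1:
            raise PermissionError(f"{path}: link count {st.st_nlink}, expected 1")
        os.ftruncate(fd, 0)
        os.write(fd, contents.encode())
    finally:
        os.close(fd)


def demo() -> dict:
    """Build a scratch directory holding a victim file and a symlink named
    like the daemon's status file, then try both writers against the link.
    Returns what happened, so the outcome can be checked programmatically."""
    tmp = tempfile.mkdtemp(prefix="apcd-demo-")
    try:
        victim = os.path.join(tmp, "victim.conf")   # constructed target
        link = os.path.join(tmp, "upsstat")         # constructed status path
        with open(victim, "w") as fh:
            fh.write("original\n")
        os.symlink(victim, link)

        write_status_unsafe(link, "STATUS: online\n")
        with open(victim) as fh:
            unsafe_clobbered = fh.read() != "original\n"

        with open(victim, "w") as fh:               # reset the victim
            fh.write("original\n")
        try:
            write_status_safe(link, "STATUS: online\n")
            safe_refused = False
        except OSError as exc:
            safe_refused = exc.errno in (errno.ELOOP, errno.EMLINK)
        with open(victim) as fh:
            victim_intact = fh.read() == "original\n"

        plain = os.path.join(tmp, "status.txt")     # no symlink: must work
        write_status_safe(plain, "STATUS: online\n")
        with open(plain) as fh:
            plain_ok = fh.read() == "STATUS: online\n"
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return {
        "unsafe_clobbered": unsafe_clobbered,
        "safe_refused": safe_refused,
        "victim_intact_after_safe": victim_intact,
        "plain_write_ok": plain_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26s} {value}")
```

The fstat checks matter as much as O_NOFOLLOW: a hard link or a file pre-created by another user defeats the symlink check alone, which is why the code inspects type, owner and link count on the descriptor it actually holds before truncating. The stronger fix is structural, namely keeping state files in a directory the daemon owns with no write access for other users, so nothing can be planted there in the first place.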


{00.06.014} New FreeBSD /proc/pid/mem vulnerability
A new variant of the /proc/pid/mem style of attack has been found that
lets a local user gain root privileges on FreeBSD systems.


Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0418.html


Key Area: Other
Key Element: Messaging

{00.05.001} Qpop remote buffer overflow yields uid mail
Qpop version 3.0beta29 and earlier (3.0beta only; 2.53 is not
vulnerable) has a buffer overflow in the LIST command that lets the
attacker run arbitrary code under the uid of the logged-in user and gid
mail. Gid mail usually allows the attacker to read everyone's e-mail.

-No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0384.html


Key Area: Other
Key Element: Information Publishing

{00.06.006} ASB00-04: Allaire Spectra authentication patch
Allaire has released ASB00-04, a patch for the Allaire Spectra 1.0
Security Authentication System. The bug allows unrestricted access to
Webtop components by providing false login credentials.

-Download patches from:
http://www.allaire.com/handlers/index.cfm?ID=14300&Method=Full

Source: Allaire
http://archives.neohapsis.com/archives/vendor/2000-q1/0013.html


Key Area: Other
Key Element: Applications

{00.06.003} UnixWare remote root via scohelp
SCO has released SSE060 for UnixWare versions 7.0 through 7.1.1. It
fixes lang_trans.so, which is used by scohelp and contains a remotely
exploitable buffer overflow.

-Install SSE060.

Source: SCO (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-01/0410.html


{00.06.004} UnixWare rtpm local system compromise
SCO has released patches SSE056, SSE057, SSE058 and SSE059 for UnixWare
versions 7.0 through 7.1.1. They fix a local compromise via rtpm that
lets users gain root access.

-Install the appropriate patch:
UnixWare 7.1.1 - SSE059
UnixWare 7.1.0 - SSE058
UnixWare 7.0.1 - SSE057
UnixWare 7.0.0 - SSE056

Source: SCO (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-01/0410.html


Key Area: Network Hardware
Key Element: Applications

{00.06.005} Cobalt RaQ site administrators can change root password
Cobalt RaQ (versions 1-3) contains a vulnerability that allows site
administrators to change anyone's password via the
/.cobalt/siteUserMod/siteUserMod.cgi Web-administration CGI. On RaQ1 and
RaQ2 systems, they can even change the root password.

-Install the appropriate patch:
RaQ 1 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ1-Security-3.6.pkg
RaQ 2 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ2-Security-2.94.pkg
RaQ 3 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ3-Security-2.2.pkg

Source: Cobalt (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-01/0421.html


{00.06.012} S&P ComStock MultiCSP vulnerabilities
Standard & Poor's ComStock service provides stock quotes via a MultiCSP
network appliance. This appliance has been found to run Linux and ship
with many unpassworded accounts (one of which is a root equivalent).
Further, the information received travels through the Internet via the
Concentric network, which may allow for spoofed updates.

-No patches have been made available. We suggest you pick strong(er)
passwords for the 'netconfig', 'isdnconfig' and 'support' accounts,
disable unneeded services and preferably use a firewall or filtering
router to block non-CSP traffic.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0455.html

---------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our e-mail newsletter on a weekly basis, we invite you to subscribe
today. Just go to http://www.networkcomputing.com/express/ to become a
Security Express member.

We'd like to know what you think about the newsletter and what information you'd like to see in future editions. E-mail your comments to mailto:expressnwc.com.

If you'd like to change your account information for this newsletter please go to http://www.0mm.com/express/login.html.

To unsubscribe, reply to this message and include REMOVE or UNSUBSCRIBE in the subject line.

Copyright 2000 CMP Media Inc. A service of Network Computing. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Network Computing, is prohibited.

Distributed by MessageMedia, Inc. -- http://www.messagemedia.com/