This week's issue of Network World relates a story about an ISP that reversed a denial-of-service attack so that it took down the attacker's server (see "Hack Back").

It seems as if ISP Conxion, which hosts the World Trade Organization's Web site, noticed that e-hippies were trying to launch a denial-of-service attack against its customer's site. The administrators quickly caught the problem and wrote a filter that directed the DOS packets back at the e-hippies site, effectively giving them a taste of their own medicine. However, the article goes on to say that the tactic was met with mixed reaction after the company, proud of its achievement, issued a press release. Some say that fighting crime with crime is wrong. Others say that in this case the ISP is in the clear because it basically marked the packets "return to sender" (it had a clear trail to the e-hippies Web site, according to Conxion). It did not technically launch its own denial-of-service attack against e-hippies.

But what if the denial-of-service attack had come from so-called zombie machines? An ISP deflecting the attack could take out innocent bystanders, creating a domino effect of denial-of-service-related site outages. Obviously, this is not such a good idea. Where do you stand on the idea of cybervigilantism? Drop me a line at jmeserve@nww.com.

Now on with the latest patches and alerts!

**********

Gauntlet firewall patch available

It seems the software designed to keep intruders out has a hole that could let them in, according to an alert from Gauntlet support. The denial-of-service problem affects Gauntlet for Unix 4.1 and greater as well as the Webshield 100/300 E-ppliance and Webshield for Solaris. According to the alert, the vulnerability is a buffer overflow in the CyberPatrol daemon that can cause a denial of service for HTTP traffic through the affected products. The CyberPatrol daemon, "cyberdaemon," is used to enforce CyberPatrol policy in conjunction with the HTTP proxy.

The denial-of-service attack causes cyberdaemon to crash and dump a core file, which prevents the HTTP proxy from checking the CyberPatrol policy and so causes it to stop accepting new connections. Beyond the denial of service, it is possible to exploit the buffer overflow to execute arbitrary shell commands as root on the firewall. This extension of the attack was replicated on the BSDI version of the Gauntlet firewall. For more information and patches, click here.

**********

Filesystem vulnerability in AIX

According to an alert from IBM, local users could gain write access to some files on local or remotely mounted AIX file systems even though the file permissions do not allow write access. IBM recommends downloading a fix immediately. The problem seems to affect most versions of AIX. For patches, click here.

**********

FrontPage bug on Cobalt RaQ2 and RaQ3 servers

A permission flaw with httpd on the RaQ2/3 servers could let a user overwrite all files on a server when uploading a Web site using Microsoft FrontPage. Instead of being able to access only the user's own information, the flaw lets them access the entire Apache Web server running on the box. Cobalt has released patches for this problem: RaQ3 users; RaQ2 users.

**********

Buffer overflow in Rockliffe Mailsite

The Cerberus Security Team has discovered a buffer overflow in Rockliffe Mailsite that could let a malicious user view unauthorized e-mail. The server is used by remote users who want to access their POP3 mail via HTTP. The server listens for requests on port 90, but a buffer overflow could allow a hacker to execute arbitrary commands, according to the alert. Rockliffe has released Version 4.2.2 to fix the problem. For more information on the patch, click here.

**********

Cerberus finds two shopping cart flaws

Hole in Carello Web shopping cart

According to an alert from The Cerberus Security Team, a hole in the Carello Web shopping cart software could let malicious users overwrite files on a server with a slightly modified file extension. The hole could be used to change the extension of an application service provider file, causing an error on the server and the source of the file to be downloaded to a user's computer. This file could contain sensitive information such as passwords, according to the alert. A new version of the software is due out soon and is said to fix the problem. Click here for more information.

Hole in PDGSoft's Shopping Cart

Two overruns exist in the redirect.exe and changepw.exe executables that are accessible via the Web. A hacker could use the overruns to execute arbitrary commands on a server. A patch is available from PDGSoft. For patch information, click here.

**********

Vulnerability in infosrch.cgi

According to SGI, a vulnerability has been discovered in infosrch.cgi that could let any remote user view files on the vulnerable system with the privileges of the user "nobody." The CGI script is used for searching all SGI online documentation. For patches, click here.

**********

Flaw in PGP 5

A problem with the random number generator in PGP 5 for Linux and BSD could produce weak keys for a limited number of users. The alert recommends upgrading to a newer version of PGP. For more information on PGP, click here.

**********

Aladdin Software's SecretDisk has a flaw

According to an alert posted on BugTraq, the SecretDisk file encryption system from Aladdin Software contains a flaw that affects systems with dual monitors: SecretDisk's password-protected screen saver activates on only one monitor, while keyboard and mouse functions remain available on the second screen. Click here for more information from Aladdin.
**********

Problem in Slackware's fdmount

According to the Slackware alert, the fdmount program shipped with Slackware has been shown to be vulnerable to a buffer overflow exploit. A user must be in the "floppy" group to execute fdmount, but because fdmount is suid root this is a security problem. A patch is available.

**********

Problem with Windows browser reset

According to an alert from Network Associates' COVERT Labs, an undocumented command in the Microsoft Windows implementation of the Browser Protocol could allow the browser to be reset. This flaw could be used for denial-of-service attacks in some cases. Microsoft is aware of the problem and has issued an alert and fixes. Click here for more information.

**********

Red Hat puts out two alerts

1) Updated libtiff packages are now available. A bug in the fax2ps command included in the libtiff package has been found and corrected. The problem affects Red Hat Linux 6.1 and 6.2 on the i386, Sparc and Alpha platforms. Patch information:

Intel: Patch #1, Patch #2
Alpha: Patch #1, Patch #2
Sparc: Patch #1, Patch #2
Sources: Patch #1

2) Updated mailman packages are available. The new mailman packages close security holes present in earlier versions of mailman. All sites using the mailman mailing list management software should upgrade. Patches:

Intel
Sources

**********

This week's list of virus alerts:

WM97/Ciao-A - WM97/Ciao-A is a Word macro virus that occasionally inserts text into infected documents. Upon opening a new document, the virus inserts the French text "Microsoft vous souhait ... " if a complex date trigger is activated. When the document is closed, it inserts "Ciao!!!" into the document.

WM97/Marker-DJ - Another variation of the WM97/Marker virus. As with its cousin, this one takes the File/Properties/Summary information from a Word file and e-mails it to the Codebreakers Web site.

WM97/Smac-E - This Word macro virus affects double-byte versions of the software and contains two payloads. The first attempts to open a million message boxes containing non-Roman characters if the date is Sept. 2. If the date is the 13th of any month, the virus opens a message box displaying non-Roman characters.

OF97/Cybernet-A - This one has received quite a bit of attention this week. It is said to affect Excel and Word, and it e-mails itself to all entries in an infected user's Outlook address book with the subject "You've GOT Mail!!!" It also has a payload that modifies Word files on a set date and changes autoexec.bat and config.sys files. Computer Associates reported the virus, but others are downplaying it.

WM97/Thursday-Z - On the trigger date of Dec. 13, it attempts to delete all files and subdirectories on your computer's C: drive.

**********

From the interesting reading category:

CERT urges users to install Office 2000 patch

The Computer Emergency Response Team, a group at Carnegie Mellon University in Pittsburgh that monitors security issues, is urging users to immediately install a Microsoft patch relating to a previously revealed security hole in Office 2000. Network World, 05/26/00.

**********

Miss a newsletter?

Don't despair if you've missed a week of the Security and Bug Alert newsletter. The archive can be found online at:
www.nwfusion.com/newsletters/bug/
Jason Meserve is the Multimedia Editor of Network World Fusion and writes about streaming media, search engines and IP Multicast. Jason can be reached at jmeserve@nww.com.
