Editor's note: This week's Bug Alert is a bit abbreviated because of deadline issues surrounding the 4th of July holiday. For all those celebrating, have a happy Independence Day.
Last week, we reported a small item from Caldera mentioning a vulnerability in wu-ftpd's handling of the SITE EXEC command. As reported, the problem could allow users to gain root access to the Caldera Linux environment. This week, a number of Linux vendors have followed suit, releasing alerts and patches to fix the FTP server. SuSE recommends its users upgrade to Version 2.4er of wu-ftpd. Slackware has also issued an alert and released a patch designed to fix the problem. Red Hat, too, issued an alert and patch regarding the problem.

A couple of interesting press releases for new security tools also came across the transom during the past week. First, WebAgain is a tool that is supposed to return a Web site to its previous form after being defaced by hackers. According to the release from the tool's creator Lockstep, "[WebAgain] complements traditional security measures, such as firewalls and intrusion detection software, and concentrates on fixing or repairing content damage." For more information and a free 30-day trial click here.

The second item of interest involved eEye, a division of eCompany (of course). eEye has released Retina, a product that is said to "think like a hacker." Retina uses "Common Hacker Attack Method" - a type of artificial intelligence - to scan for "known and unknown vulnerabilities." How it finds "unknown" vulnerabilities is beyond me. But if you want more information check this out.

Now on to the latest alerts:

**********

Cisco router software glitch opens security hole

Cisco is warning users of a hole in the IOS software that runs its router products. The hole could cause a router to crash when it is tested for vulnerabilities by security scanning software. Network World, 6/29/00.

**********

Another IE-related vulnerability

Microsoft-watcher Georgi Guninski has released another alert concerning IE 5.01, Excel 2000, PowerPoint 2000 and Windows 98.
According to Guninski, it is possible for programs to be executed while a user views a Web page or HTML-based e-mail. With e-mail, the vulnerability relates to previously reported IFRAME problems. Guninski recommends disabling Active Scripting and turning off the option to run ActiveX and plug-ins. For a demonstration click here.

**********

Debian releases new version of DHCP

Open source software house Debian has released a new version of the ISC Dynamic Host Configuration Protocol client for its OpenBSD operating system. Older versions of the software are vulnerable to root exploits that could give malicious users access to execute commands on the server. Click here for more information.

**********

Red Hat issues another kernel upgrade alert

Popular Linux maker Red Hat this week put out another alert regarding an upgrade to its kernel. This one has to do with the way raw I/O data was handled. Click here for kernel upgrade information.

**********

Mandrake puts out kernel alert

Like Red Hat, the Linux-Mandrake security team this week has put out another alert regarding its kernel. This alert deals with various POSIX "capabilities" that are part of the kernel and have insecure handling of certain privilege controls. Click here for more information.

**********

SuSE releases updated kernel

According to the SuSE alert, the implementation of the capability feature of the kernel 2.2.x < 2.2.16 is faulty. This bug allows a local adversary to exploit certain setuid applications to increase his/her privileges. Click here for more information.

**********

NetWin dMailWeb vulnerability reported

dMailWeb, a Common Gateway Interface application that provides Web-based e-mail access to standard POP servers, has a vulnerability that can allow users to send messages through the POP server without authentication. The application also could let an outside user gain access to a number of accounts to send unauthorized e-mail.
The two holes can be used to get around the setting that limits the maximum number of e-mails a given user can send over a period of time. The author of the alert, Christopher Wolfe, says NetWin was contacted but has yet to release a patch. Click here for more information from the vendor.

**********

Netscape Enterprise Server for NetWare Virtual Directory vulnerability

VIGILANTe last week released an alert regarding NetWare's implementation of the Netscape Enterprise Server and virtual directories. According to the alert, by issuing a malformed URL it is possible to cause a denial-of-service situation and/or execute arbitrary code on the server with the privileges of the Web server. Novell has released a patch: 56-bit, 128-bit

**********

iMesh 1.02 vulnerability reported

Security consultancy BluePanda is reporting a vulnerability in the iMesh 1.02 client used to search and share information on the Internet. BluePanda says iMesh listens to a central server on a given port. Malicious users can connect to this port and cause a buffer overflow. iMesh claims the patch will be available in its next release. Click here for more information.

**********

This week's roundup of virus alerts:

WM97/Divi-N - This Excel macro virus creates a file (hr223.xls) in the program's template directory and infects spreadsheets as they are opened or closed. The virus uses an IVID variable and hexadecimal number to label infected files. (Sophos)

WM97/Antiv-A - Word macro virus displays a text box with a message written in Portuguese saying that the open document is infected. It then adds a "Hunter" module to the document that is the virus. (Sophos)

XM/Totaler-B - This Excel macro virus attempts to delete files in c:\windows\system and c:\ directories. It also displays the message "The NHS Fat Cow Has Just Trashed Your Hardisk". The trigger dates are 5/11, 9/11, 10/29, 11/11, 12/11 (all in 1998) and 11/2/99. So impact, if any, should be minimal.
(Sophos)

WM97/Touchme-A - On preprogrammed trigger dates, the virus attempts to delete all files in the Word start-up path. The virus displays the message "ReYoKh Team Labs mengucapkan Selamat Ulang Tahun !!!" The trigger dates are 3/5, 8/8 and 12/22. (Sophos)

WM97/Melissa-G - Yet another Melissa variant. According to the alert, on any day in January 2000 the virus edits the registry so that none of the drive icons appears in the Microsoft Explorer window. (Sophos)

WM97/Thursd-AB - Virus randomly selects directories on an infected computer and copies the infected file to that directory, overwriting an existing file and adding a .DOC extension. (Sophos)

WM97/Surround-B - Here's a whopper... This Word macro virus plays a beep sound if the date of infection is the 21st of any given month. Wow. (Sophos)

BAT/Simpsons.Trojan - This nasty little virus comes hidden as a Simpsons executable file (simpsons.exe). When opened, the virus acts as a WinZip self-extracting archive. If the user clicks OK to extract the file, the virus will run a batch file that attempts to run deltree on all drives. (Computer Associates, Sophos)

WM97/Thursd-AI - A variant of the WM97/Thursday Word macro virus, this one, too, attempts to delete all files and subdirectories on the C drive if the date is December 13. (Sophos)

**********

From the Interesting Reading category:

The Omega file

A couple of weeks back, Network World brought you the story of a former network administrator found guilty of sabotaging his employer's network. Now, Network World Features Writer Sharon Gaudin, who covered the trial, gives us an inside look at the Secret Service's electronic crimes group and how it captured the culprit.

Charges filed against 'Love bug' suspect

Philippines National Bureau of Investigation officials Thursday filed charges against a student suspected of releasing the "ILOVEYOU" computer virus that stymied e-mail servers and caused billions of dollars of damage in May, national newspapers reported there.
Network World, 06/29/00.

**********

Miss a week?

Not to worry, we keep an archive of all our newsletters. To read them, click to: www.nwfusion.com/newsletters/bug/

Jason Meserve is the Multimedia Editor of Network World Fusion and writes about streaming media, search engines and IP Multicast. Jason can be reached at jmeserve@nww.com.
