
Surprise: More Microsoft patches

Nov 13, 2003

* Patches from Microsoft, Red Hat, SCO, others * Beware a variety of Trojans * Security professionals form CSO council, and other interesting reading

Who needs the Atkins Diet? At last week’s Future Forward 03 conference in Portsmouth, NH, CareGroup and Harvard Medical School CIO Dr. John Halamka said he’s on an all Microsoft diet:

“It’s a great company, but every time a new virus comes out, I lose two pounds.”

Today’s bug patches and security alerts:

Microsoft patches three critical security problems

Microsoft released the second installment of its now monthly security bulletins, patching three software holes in Windows systems that it said were “critical” security risks and a fourth problem with Microsoft Office that the company rated “important.” IDG News Service, 11/11/03.


Related Microsoft advisories:

Vulnerability in Microsoft Word and Microsoft Excel could allow arbitrary code to run:

Buffer overrun in the Workstation Service could allow code execution:

Buffer overrun in Microsoft FrontPage Server Extensions could allow code execution:

Cumulative security update for Internet Explorer:

CERT Advisory for Workstation Service flaw:


Hylafax bug patched

A number of Linux vendors have released updated Hylafax packages that fix a format string vulnerability that could be exploited to run an attacker’s code of choice on the affected machine. For more, go to:

Hylafax official site:


Mandrake Linux:
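The Hylafax item above names the bug class but not the mechanism. The C program below is an added example, not Hylafax code, and the function and field names in it are made up for illustration: it shows the defect in its simplest form (a caller-supplied string passed straight through as the printf format) next to the hardened form (a literal format with the untrusted text as a `%s` argument). With the vulnerable path, each `%x` in the input is replaced by whatever sits in the next argument slot, which is how such bugs leak memory; a `%n` conversion writes instead of reads, which is how they become code execution. The example deliberately only uses `%x` so it runs without crashing.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not HylaFAX code): a logging helper that forwards a
 * caller-supplied string as the printf format. Any '%' conversions in that
 * string are interpreted. This is the shape of a format string bug. */
static void log_vulnerable(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);   /* fmt is attacker-controlled */
    va_end(ap);
}

/* Hardened form: the format is a literal; the untrusted text is only ever
 * a %s argument, so its '%' characters are copied, never interpreted. */
static void log_safe(char *out, size_t outlen, const char *msg)
{
    snprintf(out, outlen, "%s", msg);
}

/* Returns 1 if the untrusted input reached the log verbatim, 0 if it was
 * interpreted as a format string (its '%' conversions were consumed). */
int input_preserved(const char *input, int use_safe)
{
    char buf[256];
    if (use_safe)
        log_safe(buf, sizeof buf, input);
    else
        log_vulnerable(buf, sizeof buf, input);
    return strcmp(buf, input) == 0;
}

/* Returns 1 if the vulnerable path left no '%' in the output: every %x was
 * replaced by the contents of an argument slot that was never passed,
 * i.e. whatever happened to be in the register save area or on the stack. */
int conversions_consumed(const char *input)
{
    char buf[256];
    log_vulnerable(buf, sizeof buf, input);
    return strchr(buf, '%') == NULL;
}

int main(void)
{
    /* Constructed sample input, modelled on a caller-ID or job-name field an
     * attacker controls; each "%x" reads an argument that was never passed. */
    const char *probe = "caller %x %x %x %x";
    printf("vulnerable path kept input verbatim: %d\n", input_preserved(probe, 0));
    printf("safe path kept input verbatim:       %d\n", input_preserved(probe, 1));
    return 0;
}
```

The fix is the one the vendor packages apply in principle: never let untrusted data become the format argument of any printf-family, syslog or similar function; compilers flag the literal-less `printf(buf)` shape with `-Wformat-security`, but the vararg wrapper above shows why that warning alone does not catch every instance.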



Red Hat, OpenPKG patch postgresql

Two bugs found in the postgresql database code could be exploited to trigger a buffer overflow, which could be used to run malicious code on the affected server. For more, go to:

Red Hat:



SCO patches multiple vulnerabilities in gwxlibs for OpenServer

A number of vulnerabilities have been fixed in the gwxlibs package for OpenServer. Some of the flaws could be exploited to run arbitrary code on the affected machine. For more, go to:

SCO issues OpenSSH fix

A recent release of SCO’s OpenSSH implementation only worked under a root login. That problem has been fixed. For more, go to:

Perl cross-site scripting flaw fixed for SCO OpenServer

A cross-site scripting vulnerability in the Perl module has been fixed by SCO for those running OpenServer. For more, go to:


Red Hat releases Ethereal fix

A number of flaws have been found in Ethereal, a free network protocol analyzer for Linux/Unix. The vulnerabilities could be exploited in a denial-of-service attack or to potentially execute the attacker’s code of choice. For more, go to:


Debian patches epic4

A buffer overflow in the epic4 IRC client could be exploited to crash the affected client or to potentially run arbitrary code on the affected machine. For more, go to:

Debian releases patch for Conquest

A buffer overflow in the Conquest game package could be exploited to gain the privileges of the “conquest” group. A fix is available. For more, go to:

Debian omega-rpg patch released

Similar to the problem with Conquest, a buffer overflow in the omega-rpg game could be exploited to gain the privileges of the “games” group. For more, go to:


Today’s roundup of virus alerts:

Troj/BDSinit-A – A backdoor Trojan that opens a port on the infected computer to listen for commands from an intruder. (Sophos)

Troj/Webber-C – A password-stealing Trojan horse that spreads via e-mail that looks like it’s from CitiBank regarding a home loan. (Sophos)

Troj/Muly-A – Another Trojan that opens a port so an attacker may access the infected machine. The Trojan also sends information about its target to a Web site. (Sophos)

Darker.A – This one’s a novelty: A virus that spreads via e-mail attachment pretending to be a useful application. When opened it sends itself out to everyone in the user’s address book. (Panda Software)


From the interesting reading department:

Security professionals form CSO council

A group of information security professionals has formed a “Global Council of CSOs” in an effort to better address online security challenges. IDG News Service, 11/12/03.

Microsoft prepares security assault on Linux

Microsoft is preparing a major PR assault over Windows’ perceived security failings in which it will criticize Linux for taking too long to fix bugs, we have learned. InfoWorld, 11/11/03.

Cisco, Nortel to embrace SSL-based VPNs

Cisco and Nortel – arguably the two biggest names in IP Security VPNs – are getting ready to shake up the fast-growing Secure Sockets Layer segment of the market, which they’ve largely ignored until now. Network World, 11/10/03.

Crankin’ up the heat

New Web application firewalls give you the chance to burn Port 80 hackers. Network World, 11/10/03.

Feds to push new set of security controls

To bolster information systems security, the federal government is pushing to have civilian agencies, such as the Department of Agriculture, follow new regulations based on practices at the Department of Defense and Central Intelligence Agency. Network World, 11/10/03.

Computer viruses now 20 years old

This week computer viruses celebrate 20 years of causing trouble and strife to all types of computer users. U.S. student Fred Cohen was behind the first documented virus that was created as an experiment in computer security. Now there are almost 60,000 viruses in existence and they have gone from being a nuisance to a permanent menace. BBC News, 11/10/03.