May 1999, last change: 01/04/00
Most of the links lead to the corresponding files at CERT or other organisations, so changes
take effect there immediately, in particular the information on which patches should be
installed or which configuration changes should be made to avoid a vulnerability. Most of
the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in some widely used platform or
program, that does not mean this particular platform or program is safe to use!

1) The Favorites feature allows IE users to keep a list of their favorite web sites. In IE 5
the Favorites list can contain icons supplied by the associated web sites. However, there is
an unchecked buffer in the implementation: a specially malformed icon could overrun the
buffer and be used to run arbitrary code on the user's computer. This vulnerability only
affects IE 5 when run on Windows 95 or 98; it does not affect Windows NT systems.
2) The "Legacy ActiveX Control" vulnerability: an ActiveX control that was used by previous
versions of IE is still shipped with IE 4.0 and IE 5 even though neither of them uses it.
It could be misused to allow a web site to read the user's local hard drive.
It's recommended to install the corresponding patch.

When the client software for Microsoft RAS or RRAS is used to dial into a server, a dialog
box requests the user's user ID and password for the server. The same dialog contains a
checkbox labelled "Save password", which is intended to give the user the option of caching
their credentials. However, the client actually caches the user's credentials regardless of
whether the checkbox is selected or cleared.
It's recommended to install the corresponding patches released by Microsoft: RAS, RRAS

Since the last CERT summary, issued in February 1999 (CS-99.01), CERT has seen these trends
in incidents:
1. Virus Activity:
- Melissa: The Melissa virus spreads mainly as Microsoft Word 97 and Word 2000 attachments
in e-mail. It can be detected and removed by current versions of anti-virus software. For
more information see CA-99-04
- CIH/Chernobyl: The CIH virus infects executable files and is spread by executing an
infected file. Since many files are executed during normal use of a computer, the CIH virus
can infect many files quickly. The most common version of the virus becomes active on
April 26, but there are other versions that become active on the 26th day of other months
(especially June 26). For more information, see IN-99-03
- Happy99: Happy99.exe is a Trojan horse. The first time Happy99.exe is executed, a
fireworks display saying "Happy 99" appears on the screen. At the same time it modifies
system files so that it e-mails itself to other people. For more information, see IN-99-02
2. Resurgence of SYN Attacks:
Recently CERT has received an increased number of reports of SYN attacks that result in a
denial of service. This is a long-known exploitation method for which protection is
available. For more information, see CA-96.21
3. Continued Widespread Scans:
Intruder scanning tools continue to become more sophisticated, ranging from scripted tools
and stealth scanning techniques to a tool that combines probes for known vulnerabilities,
remote operating system identification, and a scripting language that simplifies automation
of probes and exploitation attempts. For more information, see IN-99-01, IN-98-06, IN-98-05,
IN-98-04, IN-98-02. The most frequent reports involve well-known vulnerabilities in mountd,
IMAP, and POP3.
4. Web Server Attacks
CERT has been receiving reports of attacks exploiting vulnerabilities in the sample
applications shipped with Cold Fusion and IIS. The attacks result in read and write access
on the web server, allowing intruders to change web pages at will. For more information,
see Allaire's and Microsoft's sites.

System: Microsoft Word 97/2000
Topic: Melissa virus being distributed in .RTF files: SVA001, SS-99-14
The virus W97M.Melissa (CA-99-04) was detected in March 1999. It is now being distributed
again, this time as a Word document whose file name extension is ".RTF". These documents
are not real RTF files but Word files whose extension has been changed. Many users' virus
scanners are not configured to scan ".RTF" files by default, which can result in the virus
not being detected.
All major antivirus vendors have released signature updates that detect W97M.Melissa. It's
recommended to install the latest patterns (even though this virus is not new) and to make
sure ".RTF" files are scanned as well; a scanner that identifies file types by content
rather than by extension is not fooled by this trick at all.
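The distinction the scanner needs can be made from the first bytes of the file. The following is an added example (not from the advisory or any vendor) that classifies a file by its magic bytes and flags a file named *.rtf that actually carries an OLE2 compound-file (Word 97/2000) container. The two sample buffers are constructed for the demonstration.

```c
/* Added example (not from the advisory or any vendor): identify a file by its
 * leading bytes instead of trusting the ".RTF" extension.  A genuine RTF file
 * begins with the text "{\rtf"; a Word 97/2000 document is an OLE2 compound
 * file and begins with the signature D0 CF 11 E0 A1 B1 1A E1.  The sample
 * buffers below are constructed for the demonstration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum filekind { KIND_UNKNOWN = 0, KIND_RTF = 1, KIND_OLE2 = 2 };

static const unsigned char OLE2_MAGIC[8] =
    { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };

/* Classify purely by content; the file name is deliberately ignored. */
enum filekind classify_by_magic(const unsigned char *buf, size_t len)
{
    if (len >= sizeof OLE2_MAGIC && memcmp(buf, OLE2_MAGIC, sizeof OLE2_MAGIC) == 0)
        return KIND_OLE2;
    if (len >= 5 && memcmp(buf, "{\\rtf", 5) == 0)
        return KIND_RTF;
    return KIND_UNKNOWN;
}

/* Case-insensitive "does name end with ext" (Windows file names are case-insensitive). */
static int has_ext_nocase(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    if (n < e)
        return 0;
    for (size_t i = 0; i < e; i++)
        if (tolower((unsigned char)name[n - e + i]) != tolower((unsigned char)ext[i]))
            return 0;
    return 1;
}

/* 1 when a file named *.rtf actually carries an OLE2 (Word) container: the
 * case the advisory describes, which an extension-based scan policy skips. */
int is_disguised_word_doc(const char *name, const unsigned char *buf, size_t len)
{
    return has_ext_nocase(name, ".rtf") && classify_by_magic(buf, len) == KIND_OLE2;
}

/* Constructed samples: a minimal real RTF and the first 16 bytes of an OLE2 file. */
static const unsigned char SAMPLE_RTF[] = "{\\rtf1\\ansi Hello}";
static const unsigned char SAMPLE_DOC[16] =
    { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("list.RTF (real RTF)  disguised=%d\n",
           is_disguised_word_doc("list.RTF", SAMPLE_RTF, sizeof SAMPLE_RTF));
    printf("list.RTF (Word file) disguised=%d\n",
           is_disguised_word_doc("list.RTF", SAMPLE_DOC, sizeof SAMPLE_DOC));
    return 0;
}
```

A mail gateway or on-access scanner that applies this check before deciding whether to run the macro-virus signatures does not depend on the extension list being complete.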

By exploiting a vulnerability in midikeys it's possible to gain root access on an IRIX
machine. SGI has acknowledged the publicly reported IRIX midikeys vulnerability and is
currently investigating; no patches are available at the moment.
As a workaround, remove the setuid bit from midikeys: chmod 555 /usr/sbin/midikeys

Two vulnerabilities in the ARP implementation of NetBSD were found:
The first vulnerability is specific to hosts with more than one ARP-capable network
attached. The address information in incoming ARP packets is not checked to ensure that it
corresponds to the network of the interface on which the packet arrived. Thus a host on one
network can suppress traffic from the attacked host or redirect it to a different
destination on another of its networks.
The second vulnerability is related to so-called "static" ARP entries. The original NetBSD
ARP implementation (like that of most other vendors) allows the creation of "static" or
"permanent" ARP entries, which could nevertheless be modified by incoming ARP packets
through this vulnerability.
It's recommended to install a patch solving these problems.
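To show what the two missing checks amount to, here is an added example in C (a model of the receive path, not NetBSD's code or its patch): a small ARP cache whose input routine only learns a sender address that lies on the network of the interface the packet arrived on, and never lets an incoming packet overwrite a static entry. The interface addresses, MAC addresses and packets are constructed for the demonstration.

```c
/* Added example (a model of the two checks, not NetBSD's code or patch):
 * an ARP receive path that (1) only learns a sender address that belongs to
 * the network of the interface the packet arrived on and (2) never lets an
 * incoming packet overwrite a static entry.  Addresses and packets below are
 * constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_LEN 28   /* Ethernet/IPv4 ARP: htype ptype hlen plen oper sha spa tha tpa */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum arp_verdict {
    ARP_OK_NEW = 0,        /* new dynamic entry learned */
    ARP_OK_UPDATE,         /* existing dynamic entry refreshed */
    ARP_REJECT_MALFORMED,  /* short packet or not Ethernet/IPv4 */
    ARP_REJECT_IFACE,      /* sender not on the receiving interface's network */
    ARP_REJECT_STATIC,     /* would overwrite a static/permanent entry */
    ARP_REJECT_FULL        /* no free cache slot */
};

struct iface     { uint32_t addr, mask; };
struct arp_entry { uint32_t ip; uint8_t mac[6]; int in_use, is_static; };
struct arp_cache { struct arp_entry e[8]; };

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static struct arp_entry *find_entry(struct arp_cache *c, uint32_t ip)
{
    for (int i = 0; i < 8; i++)
        if (c->e[i].in_use && c->e[i].ip == ip)
            return &c->e[i];
    return NULL;
}

static struct arp_entry *alloc_entry(struct arp_cache *c, uint32_t ip, const uint8_t mac[6], int is_static)
{
    for (int i = 0; i < 8; i++) {
        if (c->e[i].in_use) continue;
        c->e[i].ip = ip; memcpy(c->e[i].mac, mac, 6);
        c->e[i].in_use = 1; c->e[i].is_static = is_static;
        return &c->e[i];
    }
    return NULL;
}

/* Administrator-installed permanent entry (e.g. the default gateway). */
int arp_add_static(struct arp_cache *c, uint32_t ip, const uint8_t mac[6])
{
    return alloc_entry(c, ip, mac, 1) != NULL;
}

/* Look up the MAC for ip; returns 1 and fills out on success. */
int arp_lookup(struct arp_cache *c, uint32_t ip, uint8_t out[6])
{
    struct arp_entry *e = find_entry(c, ip);
    if (!e) return 0;
    memcpy(out, e->mac, 6);
    return 1;
}

/* Process one received ARP packet that arrived on interface rx. */
enum arp_verdict arp_input(struct arp_cache *c, const struct iface *rx, const uint8_t *pkt, size_t len)
{
    if (len < ARP_LEN) return ARP_REJECT_MALFORMED;
    /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4 */
    if (pkt[0] != 0 || pkt[1] != 1 || pkt[2] != 0x08 || pkt[3] != 0x00 || pkt[4] != 6 || pkt[5] != 4)
        return ARP_REJECT_MALFORMED;
    const uint8_t *sha = pkt + 8;
    uint32_t spa = rd32(pkt + 14);

    /* Check 1: the sender protocol address must lie on the network attached to
     * the receiving interface; otherwise a host on one LAN could install
     * mappings for addresses that live on another LAN of a multi-homed host. */
    if ((spa & rx->mask) != (rx->addr & rx->mask))
        return ARP_REJECT_IFACE;

    struct arp_entry *e = find_entry(c, spa);
    if (e) {
        /* Check 2: static/permanent entries are never changed by traffic. */
        if (e->is_static) return ARP_REJECT_STATIC;
        memcpy(e->mac, sha, 6);
        return ARP_OK_UPDATE;
    }
    return alloc_entry(c, spa, sha, 0) ? ARP_OK_NEW : ARP_REJECT_FULL;
}

/* Build a constructed ARP request in which sha/spa asks for tpa. */
void build_arp(uint8_t out[ARP_LEN], const uint8_t sha[6], uint32_t spa, uint32_t tpa)
{
    static const uint8_t hdr[8] = { 0, 1, 0x08, 0x00, 6, 4, 0, 1 };
    memset(out, 0, ARP_LEN);
    memcpy(out, hdr, 8);
    memcpy(out + 8, sha, 6);
    for (int i = 0; i < 4; i++) {
        out[14 + i] = (uint8_t)(spa >> (24 - 8 * i));
        out[24 + i] = (uint8_t)(tpa >> (24 - 8 * i));
    }
}

int main(void)
{
    struct arp_cache cache;
    struct iface lan = { IP4(192, 168, 1, 10), IP4(255, 255, 255, 0) };
    const uint8_t gw_mac[6] = { 0x00, 0x00, 0x0c, 0x01, 0x02, 0x03 };
    const uint8_t bad_mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x99 };
    uint8_t pkt[ARP_LEN];
    memset(&cache, 0, sizeof cache);
    arp_add_static(&cache, IP4(192, 168, 1, 1), gw_mac);
    build_arp(pkt, bad_mac, IP4(192, 168, 1, 1), lan.addr);   /* claims to be the gateway */
    printf("spoofed gateway: verdict %d\n", arp_input(&cache, &lan, pkt, sizeof pkt));
    build_arp(pkt, bad_mac, IP4(10, 0, 0, 5), lan.addr);      /* address from another LAN */
    printf("foreign sender:  verdict %d\n", arp_input(&cache, &lan, pkt, sizeof pkt));
    return 0;
}
```

Without check 1 the second packet would have been accepted on the 192.168.1.0 interface and could redirect the host's traffic for 10.0.0.5; without check 2 the first packet would have replaced the gateway's MAC.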

The component of the RAS client that processes phonebook entries has an unchecked buffer.
This results in a vulnerability that poses two threats to safe operation. The first is a
denial of service: a malformed phonebook entry could overflow the buffer, causing the RAS
client service to crash. The second is that a carefully constructed phonebook entry could
cause arbitrary code to execute on the client via a classic buffer overrun technique. RAS
servers are not vulnerable.
It's recommended to install the hotfix published by Microsoft.

CIAC has published some information about web security. Public web servers continue to be
attractive targets for hackers seeking to embarrass organizations or promote a political
agenda. Good security practices can protect your site from the risks such compromises create.

System: Compaq Tru64/DIGITAL UNIX V4.0B-F
Topic: Potential Security Vulnerability in dtlogin: SSRT0600, ERS-1999.067
Compaq has discovered a potential vulnerability in /usr/dt/bin/dtlogin in Compaq's
Tru64/DIGITAL UNIX software, where under certain circumstances a user may gain unauthorized
access as superuser.
A patch for this problem has been made available for Tru64/DIGITAL UNIX V4.0B, V4.0D,
V4.0E and V4.0F.

ISS reports 14 new vulnerabilities found within the
last month:
- oracle-unix-symlinks
- novell-tts-dos
- inn-innconf-env
- inn-pathrun
- sol-lpset
- cde-dtprintinfo
- iis-samples
- http-alibaba-dotdot
- netscape-dirsvc-password
- servu-command-bo
- oracle-oratclsh
- linux-coas
- ie-dhtml-control
- netbsd-svr4
Further information can be found at the site of ISS.

The Windows Help utility parses and displays help information for applications. The help
information is contained in files of several types generated by the Help Compiler and is
stored by default in the $WINNT\help folder. By default, users can write to this folder.
An unchecked buffer exists in the Help utility, and a carefully modified help file could be
used to execute arbitrary code on the local machine via a classic buffer overrun technique.
Because the folder is writable by ordinary users, one user can plant a modified help file
that is later opened by another, possibly more privileged, user of the same machine. The
machines primarily at risk are therefore workstations, terminal servers, and other machines
that allow users to log on interactively and add or modify help files.
For the US version of NT 4.0 a fix has been published (x86, Alpha) and should be installed
as soon as possible.

System: Microsoft Site Server 3.0
Topic: AdSamples Reveal ID and Password: NTShop
Site Server allows the installation of an AdSamples directory, which demonstrates the
capabilities of the Ad Server component. If this directory is installed and left open to
the public without restricting its directory permissions, a user can obtain a site
configuration file that contains sensitive information about an SQL database: a DSN as well
as the username and password the Ad Server uses to access the SQL server.
It's recommended to remove the AdSamples directory from the site.

Microsoft Excel 97 provides a feature that warns the user before launching an external file
that could contain a virus or other malicious software, so that the user can weigh the risk
of opening the file. Certain scenarios have been identified that could be misused to bypass
the warning mechanism. In general they require the use of infrequently combined features
and commands and are unlikely to be encountered in normal use.
It's recommended to install the patch published by Microsoft.

Multiple vulnerabilities exist in Oracle 8 that may allow local attackers to exploit
weaknesses in Oracle administrative tools. Attackers may use these vulnerabilities to
escalate their privileges to those of the 'oracle' user, which by default controls the
entire Oracle database system. With those privileges they can launch local denial of
service attacks against the database as well as alter or manipulate data.
What to do about these vulnerabilities is pointed out in the advisory.

Internet Information Server (IIS) 4.0 ships with a set of sample files to help web
developers learn about Active Server Pages (ASP). One of these sample files, ShowCode.asp,
is designed to display the source code of the sample applications in a web browser.
ShowCode.asp does inadequate security checking and allows anyone with a web browser to view
the contents of any text file on the web server, including files outside the document root
of the web server! On production servers sample files should never be installed, so delete
the entire /msadc/samples directory. An installation of Site Server's Site Viewer carries
the same risk.
The following file viewers are affected: ViewCode.asp, ShowCode.asp, CodeBrws.asp and
Winmsdp.exe. These files should not be present on a server. In addition, file permissions
should be set correctly.
Hotfixes have now been published for IIS and Site Server.
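The check these viewers lacked is that the requested file must stay under the document root. The following added example (written for this page, not Microsoft's code or the advisory's) resolves a requested path lexically against the document root and refuses any ".." that would climb above it, and also spots requests for the four viewer files named above when scanning access logs. The document root and request paths are constructed examples.

```c
/* Added example (not from Microsoft or the advisory): the check a file viewer
 * such as ShowCode.asp lacked, written as a C function.  It resolves a
 * requested path lexically against the document root and refuses anything
 * that would climb above it, plus a helper that spots requests for the four
 * viewer files named in the advisory in access logs.  Paths are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Build "<docroot>/<normalised req>" in out.  Expects req already URL-decoded;
 * a leftover '%' or a backslash (a separator on IIS) is rejected outright.
 * Returns 1 on success, 0 if the path is rejected or does not fit. */
int resolve_under_root(const char *docroot, const char *req, char *out, size_t outsz)
{
    const char *seg[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int depth = 0;

    if (strchr(req, '\\') || strchr(req, '%'))
        return 0;

    for (const char *p = req; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                       /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;       /* ".." above the document root: reject */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return 0;
        seg[depth] = start; seglen[depth] = len; depth++;
    }

    size_t pos = strlen(docroot);
    if (pos + 2 > outsz) return 0;
    memcpy(out, docroot, pos);
    if (depth == 0) out[pos++] = '/';
    for (int i = 0; i < depth; i++) {
        if (pos + 1 + seglen[i] + 1 > outsz) return 0;
        out[pos++] = '/';
        memcpy(out + pos, seg[i], seglen[i]);
        pos += seglen[i];
    }
    out[pos] = '\0';
    return 1;
}

/* 1 if the last path segment of url (query string ignored) is one of the
 * sample viewers the advisory says should not be present on a server. */
int is_sample_viewer(const char *url)
{
    static const char *const viewers[] = { "viewcode.asp", "showcode.asp", "codebrws.asp", "winmsdp.exe" };
    const char *q = strchr(url, '?');
    size_t len = q ? (size_t)(q - url) : strlen(url);
    const char *last = url;
    for (size_t i = 0; i < len; i++)
        if (url[i] == '/' || url[i] == '\\')
            last = url + i + 1;
    size_t lastlen = (size_t)(url + len - last);
    for (size_t v = 0; v < sizeof viewers / sizeof viewers[0]; v++) {
        if (strlen(viewers[v]) != lastlen) continue;
        size_t i = 0;
        while (i < lastlen && tolower((unsigned char)last[i]) == (unsigned char)viewers[v][i]) i++;
        if (i == lastlen) return 1;
    }
    return 0;
}

int main(void)
{
    char path[256];
    const char *root = "/inetpub/wwwroot";   /* constructed document root */
    const char *reqs[] = { "/msadc/samples/showcode.asp",
                           "/msadc/samples/../../../private/config.txt" };
    for (int i = 0; i < 2; i++)
        printf("%-45s -> %s\n", reqs[i],
               resolve_under_root(root, reqs[i], path, sizeof path) ? path : "REJECTED");
    return 0;
}
```

The guard is lexical on purpose: it decides before touching the file system, so symlinks or share mappings under the root still need separate handling, and it must run after URL decoding, which is why an undecoded '%' is refused rather than guessed at.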

System: FTP Serv-U
Topic: Denial-of-Service against FTP Serv-U under NT: NTShop
FTP Serv-U 2.5 can be made to crash by sending 155 or more characters as the parameter of
any command that accepts parameters. If the number of characters is exactly 155 the server
crashes without any message; with 156 or more, Dr. Watson appears during the crash.
The server is crashed with a command such as:
CWD xxxxxxxxxxxx... [155 characters or more]
It's recommended to upgrade to the latest beta (the 2.5 release is the affected version).
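A crash at a fixed parameter length is the signature of an unchecked copy into a fixed-size buffer. The following added example (a hypothetical control-channel handler, not Serv-U's code) puts the unchecked copy beside a parser that bounds the verb and the argument before they reach a fixed buffer, and adds a scan that flags session-log lines whose parameter reaches the reported crash length. The buffer sizes and sample lines are assumptions of this example; the same bounded-copy discipline is what the other unchecked-buffer entries on this page (RAS phonebook entries, help files, Favorites icons) lacked.

```c
/* Added example (not Serv-U's code; a hypothetical control-channel handler):
 * the unchecked copy that produces a crash like the one described, beside a
 * parser that bounds the verb and the argument before they reach a fixed
 * buffer, and a scan that flags session-log lines carrying an argument of
 * 155 bytes or more.  Buffer sizes and sample lines are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FTP_VERB_MAX 4       /* RFC 959 verbs are 3 or 4 letters */
#define FTP_ARG_MAX 128      /* assumed size of the server's path buffer */
#define SERVU_CRASH_LEN 155  /* argument length reported to crash Serv-U 2.5 */

enum ftp_parse { FTP_OK = 0, FTP_EMPTY, FTP_BAD_VERB, FTP_ARG_TOO_LONG, FTP_BAD_CHAR };

/* The vulnerable pattern: no length check between the wire and a fixed buffer.
 * Kept for contrast only; never call it with untrusted input. */
void copy_arg_unchecked(char dst[FTP_ARG_MAX + 1], const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened parser: verb uppercased into verb[], argument into arg[]; every
 * write is preceded by a bound check, so an oversized line is refused, not copied. */
enum ftp_parse parse_ftp_command(const char *line, char verb[FTP_VERB_MAX + 1], char arg[FTP_ARG_MAX + 1])
{
    size_t i = 0, v = 0, a = 0;
    verb[0] = arg[0] = '\0';
    while (line[i] == ' ') i++;
    while (isalpha((unsigned char)line[i])) {
        if (v == FTP_VERB_MAX) return FTP_BAD_VERB;
        verb[v++] = (char)toupper((unsigned char)line[i++]);
    }
    verb[v] = '\0';
    if (v == 0) return FTP_EMPTY;
    if (line[i] == ' ') i++;
    else if (line[i] != '\0' && line[i] != '\r' && line[i] != '\n') return FTP_BAD_VERB;
    while (line[i] != '\0' && line[i] != '\r' && line[i] != '\n') {
        unsigned char c = (unsigned char)line[i++];
        if (c < 0x20 || c == 0x7f) return FTP_BAD_CHAR;      /* no control bytes in paths */
        if (a == FTP_ARG_MAX) return FTP_ARG_TOO_LONG;       /* refuse before the buffer fills */
        arg[a++] = (char)c;
    }
    arg[a] = '\0';
    return FTP_OK;
}

/* Length of the text after the first space (the command parameter), CR/LF excluded. */
size_t ftp_argument_length(const char *line)
{
    const char *sp = strchr(line, ' ');
    if (!sp) return 0;
    size_t n = strlen(sp + 1);
    while (n && (sp[n] == '\r' || sp[n] == '\n')) n--;
    return n;
}

/* Count session-log lines whose parameter reaches the reported crash length. */
int count_crash_candidates(const char *const lines[], int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (ftp_argument_length(lines[i]) >= SERVU_CRASH_LEN) hits++;
    return hits;
}

/* Constructed "CWD xxxx..." line with an n-byte argument; returns the bytes written as argument. */
size_t make_long_cwd(char *buf, size_t bufsz, size_t n)
{
    const char *prefix = "CWD ";
    size_t plen = strlen(prefix);
    if (bufsz < plen + 1) { if (bufsz) buf[0] = '\0'; return 0; }
    if (n > bufsz - plen - 1) n = bufsz - plen - 1;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'x', n);
    buf[plen + n] = '\0';
    return n;
}

int main(void)
{
    char line[512], verb[FTP_VERB_MAX + 1], arg[FTP_ARG_MAX + 1];
    make_long_cwd(line, sizeof line, SERVU_CRASH_LEN);
    printf("155-byte CWD:   parse result %d (0 = accepted)\n", parse_ftp_command(line, verb, arg));
    printf("USER anonymous: parse result %d, verb=%s\n",
           parse_ftp_command("USER anonymous\r\n", verb, arg), verb);
    return 0;
}
```

The log scan is a stop-gap for hosts that cannot be upgraded immediately: a client that sends a 155-byte parameter to a server whose paths are far shorter is either a probe or the crash itself, and the threshold comes straight from the report above.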

System: Cisco
Topic: Year 2000 Product Compliance: Cisco
In addition to the current Cisco Year 2000 Product Compliance table, Cisco has published an
addendum with the latest information.
System: Caldera Linux
Topic: Vulnerability in rsync: CSSA-1999:010
In OpenLinux 1.0, 1.1, 1.2, 1.3 and 2.2 with rsync 2.3.1 and earlier there is a security
problem in rsync that can cause the permissions of a user's home directory to be changed.
It's recommended to install the upgrade package (source).
Here you can find the news from April 1999 and March 1999.