Guarding the perimeter is not always enough

---------------------- Forwarded by Vince J Kaminski/HOU/ECT on 03/27/2000=
=20
08:46 AM ---------------------------

"NW Security and Bug Patch Alert" <Security-BugPatch@bdcimail.com< on=20
03/22/2000 04:28:49 AM
Please respond to "Security and Bug Patch Alert Help" <NWReplies@bellevue.c=
om<
To: <vkamins@enron.com<
cc: =20
Subject: Guarding the perimeter is not always enough

NETWORK WORLD FUSION FOCUS: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
TODAY'S FOCUS: Guarding the perimeter is not always enough
03/21/00

Dear Wincenty Kaminski,

Today's Focus: Guarding the perimeter is=20
not always enough
---------------------------------------------------------------
By Jason Meserve

Oh, the irony. You build your security systems to protect internal
systems from outside intruders, then someone inside the company decides
to play cyber-vandal.

Last week, authorities charged Abdelkader Smires with launching denial-
of-service attacks against his own employer, New York-based Internet
Trading Technologies, Inc. (ITTI). Smires was upset that ITTI did not
meet his demands for a raise and more stock options. He used computers
at a Kinko's Copy store and a local university to launch his revenge
attacks against ITTI that disrupted the company's trading systems for
three days.

"He and the other programmer were involved in writing the software, so
he knew just where to attack. He was fully familiar with weaknesses in
the code," said Eric Friedberg, computer and telecommunications crime
coordinator for the U.S. Attorney's Office in Brooklyn, N.Y., in an
interview with Computerworld "Although it was a potentially disastrous
attack for the company, it wasn't a highly sophisticated attack."

Read more about the attack here:
http://www.nwfusion.com/news/2000/0317insidejob.html

Another interesting article to check out is "The service-pack shuffle
ruffles a lot of feathers" in this week's issue of Network World
(http://www.nwfusion.com/archive/2000/83305_03-20-2000.html). My
colleague Deni Connor writes that customer are fed up with the endless
release of service packs, which seem to be replacing quality assurance
at the companies developing our enterprise software.

But with no bugs, there would be no newsletter, so on with the latest
patches and alerts.

Cisco Secure PIX Firewall FTP vulnerabilities

Cisco announced that its PIX Firewall has a problem interpreting FTP
commands, allowing inappropriate access through the firewall. The
announcement covers two vulnerabilities: One when the firewall receives
an error from an internal FTP server and the second when a client inside
the firewall visits an external site and selects a link that the
firewall interprets as two commands. One of the commands inadvertently
opens a connection through the firewall.
http://www.cisco.com/warp/public/707/pixftp-pub.shtml
************

Patch available for "OfficeScan DoS & Message Replay" vulnerability

Trend Micro has released a new version of OfficeScan Corporate Edition -
Version 3.51 - that eliminates two security vulnerabilities found on
previous versions. Previous versions of OfficeScan allow intruders
within a firewall to initiate a denial-of-service attack on the
OfficeScan client (tmlisten.exe) as well as to capture OfficeScan
commands. These commands can be replayed and used to change other
OfficeScan client configurations.
Patch:
http://www.antivirus.com/download/ofce_patch.htm
Advisory:
http://www.antivirus.com/download/ofce_patch_35.htm
************

FreeBSD releases four advisories

The makers of FreeBSD did a little housecleaning last week, releasing
advisories on a number of previously announced vulnerabilities in
various Linux packages.
mh/nmh/exmh/exmh2 ports allow remote execution of binary code
Relating to the nmh's mhshow vulnerability when reading MIME headers.
New packages at:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0=
.3.
tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.=
0.3
.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1=
.0.
3.tgz

Lynx ports contain numerous buffer overflows
The lynx WWW browser is written in an unsecured format that contains a
number of holes. There is currently no patch available, so FreeBSD
recommends removing the package to eliminate the problem.
mtr port contains a local root exploit
The mtr program (versions 0.41 and below) fails to correctly drop setuid
root privileges during operation, allowing a local root compromise.
Fixes:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mtr-0.42=
.tg
z
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/net/mtr-0.4=
2.t
gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/net/mtr-0.=
42.
tgz

orville-write port contains local root compromise
One of the commands installed by the port is incorrectly installed with
setuid root permissions. The =01&huh=018 command should not have any specia=
l
privileges because it is intended to be run by the local user to view
his saved messages.
Fixes:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/misc/orville=
-wr
ite2.41a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/misc/orvill=
e-w
rite-2.41a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/misc/orvil=
le-
write-2.41a.tgz
************

IE and Outlook 5.x allow executing arbitrary programs using .eml files

Georgi Guninski has found yet another flaw in Microsoft's popular
browser and e-mail program. This one allows arbitrary programs to be
launched via attached .eml files. No patch is currently available from
Microsoft, so Guninski recommends shutting off active scripting.
For a demonstration that starts WordPad:
http://www.nat.bg/~joro/eml.html
************

Sojourn search engine exposes files

The Cerberus Security Team has discovered a weakness in the commercial
search engine, Sojourn, that allows attackers to read any local file on
the file system that they have read access to (as provided by the
account the Web server is running under). As such, files such as
/etc/passwd on Unix systems can be read and files such as the
global.asa on Windows NT and 2000. No patch was available as of this
writing.More on Sojourn:
http://www.generationterrorists.com/sojourn_superuser.html
************

Problem with AIX 4.x linker

The Sendmail Consortium is warning of a problem with the AIX 4.x linker.
According to the advisory, unlike most other linkers, the AIX linker
uses the paths specified at compile time for the program's shared
library search path at run time. Therefore, AIX compilations that use
the -L flag with the AIX linker must use extra precautions to prevent
security problems. This problem is not specific to Sendmail and can
affect other applications. IBM claims it is aware of the problem and
provides workarounds.
AIX site:
http://www.ibm.com/servers/aix/
************

Oracle Web Listener 4.0.x

The Cerberus Security Team has discovered a number of issues with
Oracle's Web Listener, part of Oracle Application Server (OAS), which
allow a remote attacker to run arbitrary commands on the Web server. As
part of the default installation, OAS creates an ows-bin virtual
directory that is a cgi-bin equivalent. According to Cerberus, this
directory not only contains a number of batch files, DLLs and
executables but also the binary image file for the Listener itself,
which could lead to malicious users executing commands on the server
with special query strings. No patch is available yet, though Cerberus
recommends removing the ows-bin directory or point to a more benign
directory.
OAS Web site:
http://www.oracle.com/appserver/
************

kreatecd local root compromise

TESO has found a vulnerability within the kreatecd application for
Linux. An attacker can gain local root-access. Halloween Linux Version 4
and SuSE 6.x are vulnerable. According to the TESO advisory, the author
of the software has been notified. The advisory recommends removing the
suid bit of kreatecd.
See the exploit:
http://www.cs.uni-potsdam.de/homepages/students/linuxer
************

'Melting Worm' slithers into the wild

From Computerworld: A new worm now "in the wild" has the potential to
shut down Windows platforms and make the operating system permanently
unusable.
Read the article:
http://www.nwfusion.com/news/2000/0316worm.html
************

Vulnerability in Microsoft SQL Server 7.0 encryption used to store
administrative login ID

Internet Security Systems (ISS) has identified a vulnerability in the
encryption used to conceal the password and login ID of a registered SQL
Server user in Enterprise Manager for Microsoft SQL Server 7.0. When
registering a new SQL Server in the Enterprise Manager or editing the
SQL Server registration properties, the login name that will be used by
the Enterprise Manager for the connection must be specified. If a SQL
Server login name is used instead of a Windows Domain user name and the
'Always prompt for login name and password' checkbox is not set, the
login ID and password are weakly encrypted and stored in the registry.
http://xforce.iss.net/alerts/advise45.php3
************

Patch available for "Malformed Media License Request" vulnerability

Microsoft has released a patch that eliminates a denial-of-service
vulnerability in Windows Media License Manager. The vulnerability could
allow a malicious user to temporarily prevent the license server from
issuing further licenses to customers for protected digital content such
as music and video.
http://www.microsoft.com/technet/security/bulletin/fq00-016.asp
************

To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering search
engines, portals, videoconferencing, IP Multicast and document
management. He also oversees the "Security Alerts" page on Fusion
(http://www2.nwfusion.com/security/bulletins.html). Jason can be reached
at mailto:jmeserve@nww.com.

*********************************************************
Subscription Services

To subscribe or unsubscribe to any Network World e-mail newsletters,
go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To change your email address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to this
message.

Other Questions/Comments

Have editorial comments? Write Jeff Caruso, Newsletter Editor, at:
mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Account Executive,
at: mailto:jkalbach@nww.com

Network World Fusion is part of IDG.net, the IDG Online Network.
IT All Starts Here:
http://www.idg.com

Copyright Network World, Inc., 2000