News September 2000
Last Update: 2000-10-16


Further links lead to the organization that reported the problem, so you can read the original advisory there and learn which further actions to take and which patches to install.
By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!

- The archive of Network-Security -

This site will be closed within the next weeks - we will inform you in time.
Please visit us at http://www.aerasec.com/security/index_e.html!
AERAsec Network Services and Security GmbH i.G.

System: Short description and further information:
Cisco PIX Firewall Vulnerability caused by Mailguard: Cisco, ERS-2000.230, S-00-44
The Cisco Secure PIX Firewall with software versions up to and including 4.4(5), 5.0(3), 5.1(2) and 5.2(1) has a defect in the "mailguard" feature, which limits SMTP commands to a specified minimum set: the command filtering can be bypassed. Patches are available now. The Cisco IOS Firewall feature set is not affected by these defects.
WQuinn Hole in QuotaAdvisor: WinITSec
By using NTFS alternate data streams, a local user can easily bypass the quota controls put in place by QuotaAdvisor 4.1, because QuotaAdvisor does not account for data stored in NTFS streams when enforcing quota rules. A workaround is shown in the advisory.
Talentsoft Vulnerabilities in Webplus: WinITSec
Multiple vulnerabilities have been found in Talentsoft Webplus 4.6. One exposes the real physical path rather than the web path to the user. Another exposes the server's true IP address to the user, even if NAT is used. A third allows an attacker to view the source of WML files located on NTFS partitions. The first issue is fixed in build 542; the others will be fixed soon.
Linux Mandrake Vulnerability in esound: MDKSA-2000:051
A problem has been found in the esound daemon, which is used in GNOME and responsible for multiplexing access to audio devices. Versions of esound prior to and including 0.2.19 create a world-writable directory in /tmp called .esd which is owned by the user running esound. This directory is also used to store a unix domain socket. The socket is created world-writable, so a race condition exists in the creation of this socket which allows a local attacker to cause an arbitrary file or directory owned by the user running esound to become world-writable. An update is available now.
Microsoft IE 5.5, Outlook Express 5.5 Vulnerability exposes file-system: WinITSec
As Georgi Guninski found out, a bug in Internet Explorer 5.5 and Outlook Express 5.5 makes it possible to remotely read files on local and mapped (UNC) drives. A suggested workaround is to disable Active Scripting. A demonstration can be found in the advisory.
Check Point FireWall-1/VPN-1 Some Vulnerabilities reported: ISS-062, K-073
At the Black Hat 2000 briefings in July 2000 the following security holes in Check Point FireWall-1 were reported:
1. One-way Connection Enforcement Bypass
2. Improper stderr Handling for RSH/REXEC
3. FTP Connection Enforcement Bypass
4. Retransmission of Encapsulated Packets
5. FWA1 Authentication Mechanism Hole
6. OPSEC Authentication Spoof
7. S/Key Password Authentication Brute Force Vulnerability
8. GetKey Buffer Overflow
According to Check Point, they are fixed in FireWall-1/VPN-1 version 4.0 SP7 and version 4.1 SP2, so an update should be carried out as soon as possible.
Note: These are not new vulnerabilities; we reported them before.
Many New Variants of Trinity and Stacheldraht DDoS-Tools: ISS-061, K-072
New versions of the Stacheldraht and Trinity distributed denial of service (DDoS) attack tools have been found in the wild. The new versions of Stacheldraht include "Stacheldraht 1.666+antigl+yps" and "Stacheldraht 1.666+smurf+yps". A variant of the Trinity tool called "entitee" has also been reported. Further information, and how to find out whether these tools are running on a computer, can be found in the advisory.
Microsoft Windows Media Player 7 DoS caused by OCX Attachment: MS-068, WinITSec, ERS-2000.229
OCX controls are containers that can hold multiple ActiveX controls. A particular OCX control associated with Windows Media Player could be used in a denial of service attack against RTF-enabled e-mail clients such as Outlook and Outlook Express. If the affected control is programmatically embedded into an RTF mail and sent to another user, that user's mail client fails when the mail is closed. Microsoft has published a patch to solve this problem.
EServ New DoS-Attack: WinITSec
A Denial-of-Service attack has been discovered against Eserv 2.92 running under Windows 2000 (SP1) and Windows NT 4.0 (SP5). A remote attacker can cause Eserv to consume 99% of the CPU and eventually crash. A demonstration is shown in the advisory.
HP OpenView DoS in OpenView NNM Object IDs: HP Security Bulletin #00121, ERS-2000.228, WinITSec
HP9000 Series 700/800 systems running HP-UX releases 10.XX and 11.XX, Sun Microsystems Solaris releases 2.X, and Microsoft Windows NT 4.X/Windows 2000, each running NNM 6.1, NNM 5.01 or NNM 4.11, have an Object ID parsing problem in the Java SNMP MIB Browser that could be exploited for a Denial-of-Service attack. It's recommended to install the corresponding patches:
Platform:        Patch:
HP-UX 11.00      PHSS_22407
HP-UX 10.X       PHSS_22406
SOLARIS 2.X      PSOV_02830
WinNT4.X/2000    NNM_00621
OpenLinux Vulnerability in LPRng: CSSA-2000-033
As Caldera reports, there is a format string bug in the LPRng printer daemon that could be exploited to obtain root privilege. This problem is particularly severe because it can be exercised remotely. A workaround and fixed packages are published now.
Red Hat Linux 5.2 Vulnerability in glint: ERS-2000.227
Glint blindly follows a symlink in /tmp and overwrites the target file, so it can be used to destroy any file on the system. Red Hat has published patches for 5.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/glint-2.6.3-1.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/glint-2.6.3-1.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/glint-2.6.3-1.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/glint-2.6.3-1.src.rpm
SuSE Linux Vulnerabilities in shlibs, syslogs/klogd, screen, apache, and pam_smb: SUSEadv5, SUSEadv9, SUSEadv6, SUSEadv7, SUSEadv8, SUSEadv4
The glibc implementations in all SuSE distributions starting with SuSE 6.0 have multiple security problems, at least one of which allows any local user to gain root access to the system. Errors in both klogd and syslogd can cause both daemons to die when specially designed strings are passed to the kernel by a user, e.g. via a malformed structure in a system call. Screen, a tty multiplexer, is installed suid root by default on SuSE Linux distributions; by supplying a carefully designed string as the visual bell message, local users can obtain root privilege. The default package selection in SuSE distributions includes apache, and the configuration file that comes with the package contains two security-relevant errors. pam_smb is a PAM (Pluggable Authentication Modules) module that allows Linux/Unix user authentication against a Windows NT server; versions 1.1.5 and before contain a buffer overflow that would allow a remote attacker to gain root access on the target host. In addition, SuSE has published their US download locations for an upgraded Netscape.
Further information and links for obtaining the patches are pointed out in the advisories.
CiscoSecure ACS under Microsoft Windows NT Server Three Security Holes found: Cisco, WinITSec, ERS-2000.226
All versions of Cisco Secure ACS, including version 2.4(2), show some security risks:
- The CSAdmin software module can be forced to crash by sending it an oversized URL.
- CiscoSecure ACS for Windows NT Server can be placed into an unstable state by sending it an oversized TACACS+ packet.
- The enable password can be bypassed to gain unauthorized privileges on a router or switch when CiscoSecure ACS for Windows NT Server is used in conjunction with an LDAP server that allows users to have null passwords. 
Patches are available now and should be installed as soon as possible.
NetCPlus DoS against BrowseGate: WinITSec
An attacker may remotely cause Browsegate (Home) V2.80 (H) to crash with invalid memory errors. A demonstration is shown in the advisory, a patch is available also.
Vigilante DoS against WinCOM LPD: WinITSec
An attacker can consume all available memory on a Windows NT host running WinCOM LPD V1.00.90 by sending a stream of LPD options to port 515/tcp, the default port of WinCOM LPD, resulting in a Denial-of-Service condition. This will be fixed in the next version.
Debian Linux Vulnerability in sysklogd: Debian200919
Multiple vulnerabilities have been reported in syslogd and klogd. A local root exploit is possible, and remote exploits may be possible in some cases. Updated Packages are available for all versions of Debian Linux. 
OpenLinux Vulnerability in sysklogd: CSSA-2000-032
As Caldera reports, several problems have been discovered in syslogd and klogd, the daemon programs responsible for system logging on Linux. Fixed packages are available now.
HP MPE/iX Vulnerability in TurboIMAGE: HP Company Security Bulletin #0007, ERS-2000.224
Given a specific setup on HP3000 systems with MPE/iX release 4.5 and newer, users with ordinary database privileges can gain additional privileges. HP has published patches for MPE/iX 5.5 and newer; they are pointed out in the advisory.
Microsoft Office 2000 Execution of arbitrary code possible: WinITSec
Users are used to double-clicking Office documents. If certain DLL files are present on a system running Windows 98 or Windows 2000, they can be exploited to execute native code when a user opens a document this way, which could give an attacker full control over the system. It has been reported that this attack also works via UNC shares. A demonstration of the problem has been published in the advisory; a patch is not available yet.
TurboLinux Vulnerabilities in xchat and sysklogd: TLSA2000022-1, TLSA2000022-2
There is a vulnerability in all X-Chat versions 1.4.2 and earlier. By supplying commands enclosed in backticks (``) in URLs sent to X-Chat, an attacker may execute arbitrary commands if the user is running Netscape and decides to view the link by clicking on it. Various vulnerabilities exist in syslogd/klogd; by exploiting them, local users could gain root access. Patches are available now.
SGI IRIX Vulnerability in locale: SGI20000901
SGI acknowledges the locale vulnerability reported in Bugtraq and is investigating the problem. 
Linux Mandrake Vulnerabilities in sysklogd, kdenetwork, mod_php3, and mod_perl: MDKSA-2000:046, MDKSA-2000:048, MDKA-2000:005, MDKSA-2000:050
A problem exists with the kernel logging daemon (klogd) in the sysklogd package: a format string bug makes klogd vulnerable to local root compromise. Versions of KMail, part of the kdenetwork package, have a bug in the date field support that causes index file corruption.
A problem exists with PHP3 and PHP4 scripts regarding RFC 1867-based file uploads. PHP saves uploaded files in a temporary directory on the server, using a temporary name that is referenced as the variable $FOO, where "FOO" is the name of the file input tag in the submitted form. Many PHP scripts process $FOO without taking measures to ensure that it is in fact a file that resides in the temporary directory. Because of this, a remote attacker can supply an arbitrary file name as the value of $FOO by submitting a standard form input tag by that name, and thus cause the PHP script to process arbitrary files. The configuration file of mod_perl, /etc/httpd/conf/addon-modules/mod_perl.conf, contains an Options directive that was not entirely secure and allowed people to browse the /perl/ directory. Patches are available now.
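The file-upload problem described above, as an added example in Python that is neither the advisory's nor PHP's own code: a handler that trusts the client-supplied $FOO name is placed beside one that only accepts a path the server itself created for this request and that resolves to a regular file inside the upload directory. The upload directory, the request-variable layout and the demo files are constructed for this example.

```python
import os
import tempfile

# Constructed stand-in for the server's upload directory (PHP's upload_tmp_dir).
UPLOAD_DIR = tempfile.mkdtemp(prefix="php-uploads-")


def vulnerable_handler(request_vars):
    """Mirrors a PHP 3/4 script that trusts $FOO: whatever string the client
    submitted under that form-field name is opened and returned as the upload."""
    path = request_vars["FOO"]
    with open(path, "rb") as f:
        return f.read()


def is_uploaded_file(path, upload_dir=UPLOAD_DIR):
    """True only if path (after resolving symlinks) is a regular file strictly
    inside upload_dir; this is the check the vulnerable scripts never made."""
    real = os.path.realpath(path)
    root = os.path.realpath(upload_dir)
    if real == root or os.path.commonpath([real, root]) != root:
        return False
    return os.path.isfile(real)


def hardened_handler(request_vars, uploaded):
    """`uploaded` is the set of temp paths the server actually created for this
    request; a client-supplied name must match one of them AND pass the path check."""
    path = request_vars["FOO"]
    if path not in uploaded or not is_uploaded_file(path):
        raise PermissionError("FOO does not name a file uploaded in this request")
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed scenario: one secret outside the upload dir, one genuine upload."""
    outside = tempfile.mkdtemp(prefix="not-uploads-")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as f:
        f.write("s3cret")
    fd, uploaded = tempfile.mkstemp(prefix="php", dir=UPLOAD_DIR)
    with os.fdopen(fd, "wb") as f:
        f.write(b"hello")

    results = {
        # Attacker submits <input name="FOO" value="/path/to/secret.txt">.
        "vulnerable_reads_secret": vulnerable_handler({"FOO": secret}) == b"s3cret",
        "hardened_accepts_upload": hardened_handler({"FOO": uploaded}, {uploaded}) == b"hello",
    }
    try:
        hardened_handler({"FOO": secret}, {uploaded})
        results["hardened_blocks_secret"] = False
    except PermissionError:
        results["hardened_blocks_secret"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The membership test against `uploaded` is the essential part: a path check alone still lets an attacker name any file that happens to sit in the upload directory, whereas the server's own record of what it wrote this request cannot be influenced by form fields.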
Many New ISS Summary: ISS
Within the last month, 87 (!) new vulnerabilities were found:
- ftp-goodtech-rnto-dos - imail-file-attachment - go-gnome-preinstaller-symlink
- mailers-cgimail-spoof - win-netbios-corrupt-cache - news-publisher-add-author
- xpdf-embedded-url - intel-express-switch-dos - viking-server-bo
- win2k-corrupt-lsp - vqserver-get-dos - mgetty-faxrunq-symlink
- money-plaintext-password - wormhttp-dir-traverse - wormhttp-filename-dos
- cgi-auction-weaver-read-files - iis-cross-site-scripting - telnetserver-rpc-bo
- nai-pgp-unsigned-adk - website-pro-upload-files - account-manager-overwrite-password
- subscribe-me-overwrite-password - hp-netinit-symlink - realsecure-frag-syn-dos
- sunjava-webadmin-bbs - zkey-java-compromise-accounts - java-vm-applet
- darxite-login-bo - gopherd-halidate-bo - phpnuke-pwd-admin-access
- becky-imail-header-dos - gnome-installer-overwrite-configuration - gnome-lokkit-open-ports
- minicom-capture-groupown - webshield-smtp-dos - netwin-netauth-dir-traverse
- xlock-format-d-option - frontpage-ext-device-name-dos - xchat-url-execute-commands
- irix-worldview-wnn-bo - os2-ftpserver-login-dos - weblogic-plugin-bo
- ie-folder-remote-exe - firebox-url-dos - trustix-secure-apache-misconfig
- irix-telnetd-syslog-format - rapidstream-remote-execution - ntop-bo
- iis-specialized-header - linux-update-race-condition - etrust-access-control-default
- zope-additional-role - list-manager-elevate-privileges - iis-incorrect-permissions
- varicad-world-write-permissions - gopherd-gdeskey-bo - gopherd-gdeskey-bo
- mediahouse-stats-livestats-bo - linux-umb-scheme - mdaemon-session-id-hijack
- tumbleweed-mms-blank-password - ie-scriptlet-rendering-file-access - office-html-object-tag
- hp-openview-nnm-password - hp-newgrp - totalbill-remote-execution
- solaris-answerbook2-admin-interface - perl-shell-escape - solaris-answerbook2-remote-exec
- mopd-bo - java-brownorifice - diskcheck-tmp-race-condition
- servu-null-character-dos - pccs-mysql-admin-tool - irix-xfs-truncate
- win-ipx-ping-packet - nai-nettools-strong-bo - fw1-unauth-rsh-connection
- win2k-named-pipes - sol-libprint-bo - ntop-remote-file-access
- irix-grosview-bo - irix-libgl-bo - irix-dmplay-bo
- irix-inpview-symlink - nettools-pki-dir-traverse - fw1-localhost-auth
Many Exploitation of rpc.statd and wu-ftpd Vulnerabilities: IN-2000-10
CERT reports of intruder exploitation of these two vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggest that intruders are using scripts and toolkits to automate attacks. Intruders searching for vulnerable machines perform widespread scanning across large blocks of address space; the scans target the sunrpc services (e.g., portmap) on ports 111/udp and 111/tcp and ftp on port 21/tcp. It's recommended to keep all systems up to date.
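An added example, not taken from the CERT incident note, of the check an administrator can run over firewall logs to spot the scanning described above: it parses iptables-style LOG lines and reports every source that probed sunrpc (111/tcp, 111/udp) or ftp (21/tcp) on several distinct hosts. The log lines and the three-host threshold are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in iptables LOG format; not real traffic.
SAMPLE_LOG = """\
Sep 20 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4011 DPT=111
Sep 20 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4012 DPT=111
Sep 20 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=UDP SPT=4013 DPT=111
Sep 20 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=4014 DPT=21
Sep 20 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP SPT=4015 DPT=21
Sep 20 10:02:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=1500 DPT=80
Sep 20 10:02:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=1501 DPT=21
"""

# Fields we need from a LOG line; SPT is optional because ICMP lines lack it.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) (?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)

# The services the incident note says the scanners are looking for.
WATCHED = {("TCP", 111), ("UDP", 111), ("TCP", 21)}


def parse(log_text):
    """Yield (src, dst, proto, dport) for every line that carries those fields."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"].upper(), int(m["dpt"])


def find_scanners(log_text, min_targets=3):
    """Sources that touched a watched service on at least min_targets distinct
    destination hosts. Counting distinct hosts rather than packets is what
    separates a sweep across address space from one client retrying a server."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse(log_text):
        if (proto, dport) in WATCHED:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print("%s probed sunrpc/ftp on %d hosts: %s" % (src, len(hosts), ", ".join(hosts)))
```

With the sample, 203.0.113.7 is reported (five hosts) while 198.51.100.9, which only talked ftp to a single server, is not.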
Microsoft Windows 2000 Security hole in Telnet Client: MS-067, WinITSec, ERS-2000.222
Windows 2000 includes a telnet client capable of using NTLM (NT LanMan) authentication when connecting to a remote NTLM-enabled telnet server. A vulnerability exists because the client will, by default, perform NTLM authentication when connecting to any telnet server. This could allow an attacker who controls a telnet server to obtain another user's NTLM authentication credentials without the user's knowledge; the user may be lured to such a server with URLs in HTML documents or by DNS spoofing. Once the attacker has the cryptographically protected NTLM authentication credentials, he may start to crack them with brute-force methods. Microsoft has published a patch; note that it is not compatible with the first version that was released.
Red Hat Linux Vulnerabilities in xpdf, screen, and sysklogd: RHSA-2000:060, ERS-2000.220, ERS-2000.221, RHSA-2000:061, ERS-2000.223
There is a security problem in xpdf when using tmpnam and fopen: a root user overwrites files if a symlink is created between the calls to tmpnam and fopen. There is also a problem with URL-type links in PDF documents that contain quote characters, which could be used to execute arbitrary commands. Screen allows the user to set a text message; this is handled as a format string instead of as a plain string, so "special" format strings can overwrite the stack. Since screen in Red Hat Linux 5.2 and earlier releases was setuid root, this hole could be exploited to gain a root shell. Various vulnerabilities exist in syslogd/klogd; by exploiting them, local users could gain root access. Red Hat has published patches which should be installed:
Red Hat Linux 5.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/screen-3.7.4-4.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/xpdf-0.91-1.5x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/sysklogd-1.3.31-1.6.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/xpdf-0.91-1.5x.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/screen-3.7.4-4.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/sysklogd-1.3.31-1.6.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/xpdf-0.91-1.5x.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/screen-3.7.4-4.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/sysklogd-1.3.31-1.6.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/screen-3.7.4-4.src.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/xpdf-0.91-1.5x.src.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/sysklogd-1.3.31-1.6.src.rpm
Red Hat Linux 6.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/xpdf-0.91-1.6x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/sysklogd-1.3.31-17.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/xpdf-0.91-1.6x.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/sysklogd-1.3.31-17.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/xpdf-0.91-1.6x.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/sysklogd-1.3.31-17.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/xpdf-0.91-1.6x.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/sysklogd-1.3.31-17.src.rpm
FreeBSD Vulnerabilities in Screen, pine4, Xchat, eject, listmanager, mailman, and esound: FreeBSD, ERS-2000.214, ERS-2000.215, ERS-2000.216, ERS-2000.217, ERS-2000.218, ERS-2000.219, ESB-2000.239, ERS-2000.225
In the programs mentioned above security holes were found. Possible consequences are Denial-of-Service, compromise of the whole system as root, or (for remote IRC users) the execution of arbitrary commands as the local user. It's strongly recommended to install the patches published by FreeBSD.
HP OpenView Vulnerability in NNM config. scripts: HP Security Bulletin #00120, ERS-2000.213
On HP9000 Series 700/800 systems running HP-UX releases 10.XX and 11.XX and on Sun Microsystems Solaris releases 2.X, running NNM 6.1, NNM 5.01 or NNM 4.11, users with a login can obtain unauthorized privileges. Patches are available now:
             HP-UX 11.00   HP-UX 10.X    SOLARIS 2.X
NNM 6.1      PHSS_22241    PHSS_22240    PSOV_02800
NNM 5.01     n/a           PHSS_22246    PSOV_02802
NNM 4.11     n/a           PHSS_22247    PSOV_02803
SGI IRIX 5.2 - 6.5.10 Security hole in telnet daemon: SGI-20000801, K-066a
As reported before, there is a hole in the telnet daemon of IRIX. SGI recommends to install patch 4060 or to deactivate the telnet daemon. Please read the advisory for further information.
Faststream DoS in FTP++: WinITSec
Running under Windows 2000, Faststream FTP++ 2.0 is vulnerable to a Denial-of-Service attack: an attacker simply connects to port 21 (FTP) and sends 4.08K of data as the username. This consumes all available CPU cycles and requires a reboot to remedy. A patch is available.
WebClerk Server Denial-of-Service possible: WinITSec
WebClerk will consume all available CPU for a period of time when overly long strings are sent as username and password responses via a modified sign-on HTML page, so a Denial-of-Service is possible.
PPPindia DoS in netMailshare: WinITSec
Sending a long string of data as the remote host name while conversing with the SMTP server can consume all available CPU cycles, resulting in a Denial-of-Service. The vendor is working on a patch.
West Street DoS in LocalWeb HTTP Server: WinITSec
By entering a very long filename in a URL it is possible to cause LocalWeb HTTP Server installations to crash with a runtime error. This Denial-of-Service attack has been tested under Windows NT Workstation 4.0 SP6. The vendor has been informed of this issue but is not currently maintaining this product. 
Microsoft  Windows 2000  incl. SP1 Vulnerability caused by malformed RPC packet: MS-066, ERS-2000.212, WinITSec, S-00-43
A remote denial of service vulnerability has been discovered in Microsoft Windows 2000 Server. The denial of service can occur when a client sends a particular malformed RPC (Remote Procedure Call) packet to the server, causing the RPC service to fail. A server behind a firewall that blocks ports 135-139 and 445 will not be affected by this vulnerability from the Internet. Microsoft has published a patch to solve this problem.
Netegrity SiteMinder 3.6 and 4.0 Access to protected Web pages: WinITSec
SiteMinder is designed to provide authentication protection for web sites. A specially designed URL can be used to bypass SiteMinder authentication and access web pages that are supposed to be protected. Netegrity has published version 4.11 which is not vulnerable.
Red Hat Linux Vulnerability in mgetty: RHSA-2000:059, ERS-2000.211
The mgetty-sendfax package contains a vulnerability which allows any user with access to the /var/tmp directory to destroy any file on any mounted filesystem. It's recommended to install the patches published by Red Hat:
Red Hat Linux 5.2: 
Intel: 
rpm -Fvh ftp://updates.redhat.com/5.2/i386/mgetty-voice-1.1.22-1.5.x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/mgetty-viewfax-1.1.22-1.5.x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/mgetty-sendfax-1.1.22-1.5.x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/mgetty-1.1.22-1.5.x.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/mgetty-voice-1.1.22-1.5.x.alpha.rpm 
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/mgetty-viewfax-1.1.22-1.5.x.alpha.rpm 
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/mgetty-sendfax-1.1.22-1.5.x.alpha.rpm 
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/mgetty-1.1.22-1.5.x.alpha.rpm 
Sparc: 
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/mgetty-voice-1.1.22-1.5.x.sparc.rpm 
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/mgetty-viewfax-1.1.22-1.5.x.sparc.rpm 
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/mgetty-sendfax-1.1.22-1.5.x.sparc.rpm 
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/mgetty-1.1.22-1.5.x.sparc.rpm 
Sources: 
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/mgetty-1.1.22-1.5.x.src.rpm 
Red Hat Linux 6.x: 
Intel: 
rpm -Fvh ftp://updates.redhat.com/6.2/i386/mgetty-voice-1.1.22-1.6.x.i386.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/i386/mgetty-viewfax-1.1.22-1.6.x.i386.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/i386/mgetty-sendfax-1.1.22-1.6.x.i386.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/i386/mgetty-1.1.22-1.6.x.i386.rpm 
Alpha: 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/mgetty-voice-1.1.22-1.6.x.alpha.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/mgetty-viewfax-1.1.22-1.6.x.alpha.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/mgetty-sendfax-1.1.22-1.6.x.alpha.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/mgetty-1.1.22-1.6.x.alpha.rpm 
Sparc: 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/mgetty-voice-1.1.22-1.6.x.sparc.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/mgetty-viewfax-1.1.22-1.6.x.sparc.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/mgetty-sendfax-1.1.22-1.6.x.sparc.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/mgetty-1.1.22-1.6.x.sparc.rpm 
Sources: 
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/mgetty-1.1.22-1.6.x.src.rpm
OpenLinux Vulnerability in xpdf: CSSA-031
Two security problems are found in xpdf, the PDF file viewer. The first is that temporary files are created insecurely. The second problem is that xpdf starts the URL viewer via the system shell, not properly taking care of shell meta characters. This problem could be exploited by creating PDF files that execute arbitrary code when the user selects an URL in the document. Caldera has published updated packages.
Mobius DocumentDirect 1.2 Several Buffer Overflows found: WinITSec
DocumentDirect is a Web-based document management system. Several unchecked buffers exist within the components of the product that could allow arbitrary code to execute on the server. A demonstration is shown in the advisory. Mobius has published an updated version.
Debian Linux Vulnerabilities in screen, imp, xpdf, and libpam-smb: Debian200902a, Debian200910, Debian200910a, Debian200911
A format string bug was discovered in screen. It can be used to gain elevated privileges if screen is setuid; Debian 2.1 (slink) did ship screen setuid, and the exploit can be used to gain root privileges. Further holes were found in the IMP webmail interface: it doesn't check the $from variable, which contains the sender address, for shell metacharacters, which could be used to run arbitrary commands on the server running IMP. Xpdf as distributed in Debian GNU/Linux 2.2 has two problems: 1. The creation of temporary files isn't done safely, which makes xpdf vulnerable to a symlink attack. 2. When handling URLs in PDF documents no checking was done for shell metacharacters before starting the browser; this makes it possible to construct a document which causes xpdf to run arbitrary commands when the user views a URL. Finally, libpam-smb contains a buffer overflow that can be used to execute arbitrary commands with root privileges. Patches are available now.
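Two defect classes recur in this month's entries: esound, glint, mgetty and xpdf create temporary files at predictable names, so a symlink planted by a local user redirects the privileged write to any file; and xchat and xpdf hand a URL to the shell, so backticks or quotes inside it run commands. The following is an added Python example, not code from any of these projects, that builds the symlink race in a private directory and shows the open(2) flags that defeat it, then contrasts the shell command line with an argument vector built only after rejecting shell metacharacters. The directory names, the `netscape -remote` invocation (mirroring how these programs launched a browser) and the sample URLs are constructed for this example.

```python
import os
import tempfile

# Characters that change the meaning of a command line under /bin/sh.
SHELL_META = set("`$;|&<>(){}'\"\\\n ")


def open_tmp_unsafely(path):
    """tmpnam()-then-fopen() style: the name is predictable and open() follows
    whatever already sits at that path, including an attacker's symlink."""
    return open(path, "w")


def open_tmp_safely(path):
    """Create atomically: fail if anything (file or symlink) already exists and
    never follow a symlink. This is open(O_CREAT|O_EXCL|O_NOFOLLOW), which is
    also what mkstemp() does for a random name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.fdopen(os.open(path, flags, 0o600), "w")


def symlink_race_demo():
    """Constructed scenario: the attacker wins the race by planting the symlink
    before the privileged program opens its predictable temp name."""
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim")
    with open(victim, "w") as f:
        f.write("important data")
    tmpname = os.path.join(d, "xpdf-tmp")  # predictable, like tmpnam()
    os.symlink(victim, tmpname)            # attacker acts between tmpnam and fopen
    with open_tmp_unsafely(tmpname) as f:
        f.write("")                        # "w" truncates victim through the link
    with open(victim) as f:
        clobbered = f.read() == ""
    try:
        open_tmp_safely(tmpname)
        refused = False
    except OSError:                        # EEXIST from O_EXCL: something is there
        refused = True
    fresh = os.path.join(d, "fresh")
    with open_tmp_safely(fresh) as f:      # the safe path still works on a clean name
        f.write("ok")
    return {"unsafe_clobbered_victim": clobbered, "safe_refused": refused,
            "safe_created_fresh": os.path.isfile(fresh)}


def launch_url_unsafely(url):
    """What xpdf/xchat did: interpolate the URL into a line handed to system()."""
    return "netscape -remote 'openURL(%s)'" % url


def launch_url_safely(url):
    """Accept only http(s)/ftp URLs free of shell metacharacters and return an
    argv to pass to exec (subprocess.run without shell=True), so no character
    in the URL can alter the command."""
    if not url.startswith(("http://", "https://", "ftp://")):
        raise ValueError("unsupported scheme")
    if any(c in SHELL_META for c in url):
        raise ValueError("shell metacharacter in URL")
    return ["netscape", "-remote", "openURL(%s)" % url]


def url_launch_demo():
    hostile = "http://example.test/`id`"      # constructed attacker URL
    benign = "http://example.test/paper.pdf"
    try:
        launch_url_safely(hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {"shell_line_contains_backticks": "`id`" in launch_url_unsafely(hostile),
            "safe_rejected_hostile": rejected,
            "safe_argv_for_benign": launch_url_safely(benign)}


if __name__ == "__main__":
    print(symlink_race_demo())
    print(url_launch_demo())
```

The race demo runs entirely as the calling user; the point is that `open(path, "w")` happily truncates the link target, while `O_EXCL` turns the attacker's pre-planted link into an error instead of a write. For URLs, rejecting metacharacters is defence in depth; not involving a shell at all (the argv form) is what actually removes the command injection.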
TurboLinux Vulnerabilities in glibc (unsetenv, locale): TLSA2000021
There have been two major security vulnerabilities involving glibc, one involving ld.so and unsetenv that allows local users to gain root privileges because environment variables are not cleared in some circumstances. The other is a lack of proper checking of the locale file specification, which can be pointed at a file provided by an attacker to crash an application and gain root access. Patches are available now.
Many Buffer Overflow in IBM Net.Data db2www CGI program: ISS-060, ERS-2000.209
Net.Data is a middleware application used for Web development and is available on Unix, Windows, OS/2, and mainframe platforms. The db2www component of Net.Data is a CGI program that handles requests from Web clients. An exploitable buffer overflow exists in db2www, so an attacker may execute arbitrary code with the rights of the Web server. Patches for AIX, OS/2, Linux, Windows NT, HP-UX 11, and Sun Solaris are available now.
OpenLinux Vulnerability in glibc: CSSA-2000-030
As Caldera reports, also in OpenLinux the vulnerability in parsing the locale name is present. This can be used by local users to obtain root privilege through various setuid root applications. Patches are available now.
Microsoft Windows 2000 Vulnerability in Still Image Service: MS-065, WinITSec, ERS-2000.208
An unchecked buffer exists in the 'Still Image Service' on Windows 2000. A local user can execute code that uses the Still Image Service to escalate his permissions to those of the service, namely LocalSystem. A demonstration of the problem is available. Microsoft has published a patch to fix this problem.
Microsoft Windows Media Services 4.x DoS by Unicast Service Race Condition: MS-064, WinITSec, ERS-2000.207
If a client sends a request to a Windows Media server, it could induce a race condition. Once the server has been put into such a state, subsequent requests - even ones that would normally be legitimate - could cause the Windows Media Unicast Service to fail. A patch for Microsoft Windows Media Services 4.1 has been published. Users of version 4.0 should upgrade to version 4.1 first.
Microsoft IIS 4.0 DoS by invalid URL: MS-063, WinITSec
If an Internet Information Server receives a specially crafted invalid URL, it could start a chain of events that culminates in an invalid memory request and causes the IIS service to fail. This means Denial-of-Service against the Web server. A patch for Microsoft Windows NT 4.0 Workstation, Server and Server, Enterprise Edition is available now. The patch for NT 4.0 Terminal Server will follow.
Many New Tool for DDoS: ISS-059
A new tool for Distributed Denial-of-Service attacks has been published. Trinity v3 seems to be installed on at least 400 hosts on the Internet. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild. So DDoS is a high potential risk, and every administrator should check whether the agent is running on his systems.
Microsoft Windows 2000 Security Tool for IIS 5.0 available: MS, ERS-2000.204
The tool called HFCheck has been published. It may help the administrator to keep his Internet Information Server at the "state of the art": it checks the patch status of the IIS by comparing installed patches with a database hosted on Microsoft's Web server. It can be downloaded from Microsoft.
SuSE Linux Vulnerabilities in knfsd, perl, and Netscape: SUSE-058, SUSE-059, SUSE-060
Due to incorrect string parsing in the code, an attacker may gain root access to a machine running the vulnerable rpc.kstatd. The problems with perl (suidperl) also concern SuSE Linux, so a local user may gain root access to the machine. The problems with Netscape's JPEG handling are also present in these systems.
It's recommended to install the now released patches from SuSE's Webpage for Patches.
Red Hat Linux Vulnerabilities in usermode and glibc (ld.so, locale, gettext): RHSA-2000:053, RHSA-2000:057, ERS-2000.202, ERS-2000.205, ERS-2000.210
The usermode package allows unprivileged users logged in at the system console to run the halt, poweroff, reboot, and shutdown commands without using the superuser's password. Some problems with glibc were reported before, now Red Hat has published patches, they should be installed:
Red Hat Linux 5.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.2.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.2.src.rpm
Red Hat Linux 6.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/usermode-1.35-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/SysVinit-2.78-5.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-19.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-19.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-19.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-19.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/usermode-1.35-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/SysVinit-2.78-5.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-19.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-19.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/usermode-1.35-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/SysVinit-2.78-5.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-19.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-19.sparc.rpm
Sparcv9:
rpm -Fvh ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/usermode-1.35-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/SysVinit-2.78-5.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-19.src.rpm
Debian Linux Security holes in Netscape fixed: Debian200901, Debian200902
Debian has published Netscape Communicator/Navigator 4.75, in which the problems reported before are fixed. Also the holes in glibc are fixed now. It's strongly recommended to install the patches. 
Microsoft Outlook 2000 DoS by vCard Data: WinITSec
Outlook 2000 supports vCards attached to an e-mail; they are sent as file attachments. According to RFC 2426, lines longer than 75 characters should be folded; Microsoft does not follow this specification. Due to this oversight it is possible to cause Outlook 2000 to consume an unreasonably high amount of CPU time or to crash completely. Microsoft seems to be working on a patch.
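RFC 2426 line folding as an added Python example (neither Microsoft's nor the advisory's code): fold_line() produces the physical lines of at most 75 octets the RFC calls for, and unfold() accepts both folded and unfolded (Outlook-style) input while capping the size of a reassembled logical line, so an oversized attachment cannot make the parser work or allocate without bound. The cap value, the ASCII-only assumption and the sample card are constructed for this example.

```python
MAX_LINE_OCTETS = 75           # RFC 2426 section 2.6: fold lines longer than this
MAX_LOGICAL_LINE = 64 * 1024   # defensive cap chosen for this example, not from the RFC


def fold_line(line):
    """Fold one logical line into physical lines of at most 75 octets, each
    continuation starting with a single space. Assumes ASCII content so that
    octets and characters coincide (a multi-octet UTF-8 char must not be split)."""
    data = line.encode("ascii")
    pieces = []
    while data:
        limit = MAX_LINE_OCTETS if not pieces else MAX_LINE_OCTETS - 1  # room for the space
        pieces.append((b"" if not pieces else b" ") + data[:limit])
        data = data[limit:]
    return b"\r\n".join(pieces) + b"\r\n"


def fold_card(lines):
    return b"".join(fold_line(line) for line in lines)


def unfold(raw):
    """Reassemble logical lines: a physical line beginning with space or tab
    continues the previous one. Unfolded long lines are still accepted, but a
    logical line over MAX_LOGICAL_LINE is rejected instead of being grown."""
    logical = []
    for phys in raw.decode("ascii").split("\r\n"):
        if not phys:
            continue
        if phys[0] in " \t" and logical:
            logical[-1] += phys[1:]
        else:
            logical.append(phys)
        if len(logical[-1]) > MAX_LOGICAL_LINE:
            raise ValueError("vCard logical line exceeds %d octets" % MAX_LOGICAL_LINE)
    return logical


def parse_properties(raw):
    """Split each logical line into (NAME, value) at the first colon."""
    props = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        props.append((name.upper(), value))
    return props


def vcard_demo():
    """Constructed card with a 205-character NOTE, plus an oversized hostile line."""
    note = "NOTE:" + "x" * 200
    lines = ["BEGIN:VCARD", "VERSION:3.0", "FN:Example User", note, "END:VCARD"]
    folded = fold_card(lines)
    try:
        unfold(("NOTE:" + "y" * (MAX_LOGICAL_LINE + 1)).encode("ascii") + b"\r\n")
        rejected = False
    except ValueError:
        rejected = True
    return {"max_physical": max(len(p) for p in folded.split(b"\r\n")),
            "roundtrip": unfold(folded) == lines,
            "property_count": len(parse_properties(folded)),
            "rejected_oversized": rejected}


if __name__ == "__main__":
    print(vcard_demo())
```

A parser that tolerates unfolded input but bounds the logical line is the robust position: it interoperates with producers that ignore the folding rule while never letting one attachment dictate how much memory or time it consumes.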
SGI IRIX Vulnerability in telnet daemon: IN-2000-09
As reported before, there is a hole in the telnet daemon of IRIX. The CERT Coordination Center has received reports of intruder activity involving the telnet daemon on SGI machines running the IRIX operating system. Intruders are actively exploiting a vulnerability in telnetd that results in a remote root compromise of victim machines. What to do against it is pointed out in the advisory.
Microsoft Office Privacy Bug found: ZDNet
Documents created with some Microsoft software can be rigged to "phone home" to another computer and report where and how often a document is read. This technique is known as a "Web bug" and takes advantage of a shortcut for including images in Microsoft Word, Excel and PowerPoint: the document carries a link (for instance to an IP address) that loads an image from the network directly into the document each time it is opened. This can be used to track when a document is opened and possibly by whom. Such Web bugs may be only one pixel in size.
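An added Python example (not from ZDNet or Microsoft) of the check a reviewer could run over a document to find such Web bugs: it looks for linked-image references, assumed here to appear either as Word INCLUDEPICTURE fields or as <img> tags in documents saved as HTML, and flags those that would be fetched from a non-local host when the file is opened. The sample document text and both patterns are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed representations of a linked (not embedded) picture: the Word field
# code with its quoted argument, and an HTML img tag from a "Save as HTML" document.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"([^"]+)"', re.I)
IMG_RE = re.compile(r'<img[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I)

# Constructed sample: one tracker image on a remote IP, one local file, one localhost.
SAMPLE_DOC = (
    '{ INCLUDEPICTURE "http://203.0.113.5/img/t.gif" \\d }\n'
    '{ INCLUDEPICTURE "file:///C:/logos/company.gif" \\d }\n'
    '<img src="http://localhost/logo.gif">\n'
)


def linked_image_urls(text):
    """Every image reference that is a link rather than embedded data."""
    return FIELD_RE.findall(text) + IMG_RE.findall(text)


def is_remote(url):
    """True if rendering the image means contacting another machine, which is
    exactly the "phone home" that makes a linked image a Web bug."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https", "ftp"):
        host = parts.hostname or ""
        try:
            return not ipaddress.ip_address(host).is_loopback
        except ValueError:           # a hostname rather than a literal address
            return host != "localhost"
    return url.startswith("\\\\")     # UNC path: also fetched over the network


def find_web_bugs(text):
    """Linked images that would be fetched from a non-local host on open."""
    return [u for u in linked_image_urls(text) if is_remote(u)]


if __name__ == "__main__":
    for url in find_web_bugs(SAMPLE_DOC):
        print("phones home to:", url)
```

Image size is not inspected: a one-pixel image is the classic form, but any remote link reveals the reader's address and the time of opening, so the host of the fetch is the property worth alerting on.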
Microsoft Windows 9x, NT, and 2000 Vulnerability by NetBIOS cache corruption: WinITSec, ERS-2000.203
All Windows platforms are vulnerable to NetBIOS cache corruption via unicast or broadcast UDP datagrams. The overall effect is that an attacker could launch a man-in-the-middle attack (among other activities) by corrupting the cache with altered NetBIOS Name-to-IP address mappings. It's recommended to block the related tcp and udp ports (135-139, 445) and to disable the option "NetBIOS Over TCP/IP". Microsoft is working on a patch.

Back to the News

© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-10-16, 09:31 +0200