Northern Neck Computer Users Group


Computer Security Issues


Information Security Magazine (Online Version)


Patch Available for "Malformed Favorites Icon" Vulnerability

Originally Posted: May 27, 1999

Summary
=======
Microsoft has released a single patch that eliminates two security vulnerabilities in Microsoft (r) Internet Explorer 4.0 and 5. The first potentially could allow arbitrary code to be run on a user's computer. The second potentially could allow the local hard drive to be read. A fully supported patch is available to eliminate both vulnerabilities, and Microsoft recommends that affected customers download and install it, if appropriate.

Issue
=====
This update eliminates two vulnerabilities:
- The "Malformed Favorites Icon" vulnerability. The Favorites feature allows IE users to keep a list of their favorite web sites. In IE 5, the Favorites list can contain icons that are supplied by the associated web sites. However, there is an unchecked buffer in the implementation. A specially-malformed icon could overrun the buffer and be used to run arbitrary code on the user's computer. This vulnerability only affects IE 5 when run on Windows 95 or 98; it does not affect Windows NT systems.
- The "Legacy ActiveX Control" vulnerability. An ActiveX control that was used by previous versions of IE also was included in IE 4.0 and IE 5 even though it is not used by either. It could be misused to allow a web site to read the user's local hard drive. The update eliminates the vulnerability by removing the control.

While there are no reports of customers being adversely affected by these vulnerabilities, Microsoft is proactively releasing the patch to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions
==========================
- Microsoft Internet Explorer 4.0 and 5.0

Note: The patch, provided below in What Customers Should Do, will determine the version of IE and the platform on which it is installed, and will apply only the appropriate fix. As a result, the single patch below is appropriate for use by customers who are affected by either or both of the vulnerabilities.

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) articles on this issue:
- Microsoft Knowledge Base (KB) article Q231450, Update Available for the "Malformed Favorites Icon" Issue in Internet Explorer 5,
http://support.microsoft.com/support/kb/articles/q231/4/50.asp
- Microsoft Knowledge Base (KB) article Q231452, Update Available for "Legacy ActiveX Control" Issue in Internet Explorer 5,
http://support.microsoft.com/support/kb/articles/q231/4/52.asp

What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. As noted above, the patch is appropriate for use on systems that are affected by either or both of the vulnerabilities. The patch can be found at
www.microsoft.com/windows/ie/security/favorites.asp

More Information
================
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-018,
Patch Available for "Malformed Favorites Icon" Vulnerability,
http://www.microsoft.com/security/bulletins/ms99-018.asp.
- Microsoft Knowledge Base (KB) article Q231450, Update Available for the "Malformed Favorites Icon" Issue in Internet Explorer 5,
http://support.microsoft.com/support/kb/articles/q231/4/50.asp.
- Microsoft Knowledge base (KB) article Q231452, Update Available for "Legacy ActiveX Control" Issue in Internet Explorer 5,
http://support.microsoft.com/support/kb/articles/q231/4/52.asp

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges Flavio Veloso (flaviovs@centroin.com.br) for discovering the "Malformed Favorites Icon" vulnerability and reporting it to us, and Steve Loughran for discovering the "Legacy ActiveX Control" vulnerability and reporting it to us.

Revisions
=========
- May 27, 1999: Bulletin Created.


Microsoft NT Remote Access Service (5/27/99)

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in the Microsoft (r) Windows NT (r) Remote Access Service (RAS) and Routing and Remote Access Service (RRAS) clients, in which a user's password is cached even if the user de-selects the "Save password" option.

Issue
=====
When the client software for Microsoft RAS or RRAS is used to dial into a server, a dialogue requests the user's userid and password for the server. On the same dialogue is a checkbox whose caption reads "Save password" and which is intended to provide the user with the option to cache their security credentials if desired. However, the implemented client functionality actually caches the user's credentials regardless of whether the checkbox is selected or de-selected.

Cached security credentials, which include the password, are stored in the registry and protected by ACLs whose default values authorize only local administrators and the user to access them. Windows NT 4.0 Service Pack 4 also provides the ability to strongly encrypt the password data stored in the registry using the SYSKEY feature.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing a patch that restores correct functionality to the password caching function. The patch should be applied to all machines that are used as RAS or RRAS clients. It is important to note that RRAS servers also can be used as RRAS clients, and any machines used in such a capacity should have the patch applied as well.

Affected Software Versions
==========================
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service.  See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q230681,
RAS Credentials Saved when "Save Password" Option Unchecked,
http://support.microsoft.com/support/kb/articles/q230/6/81.asp
- Microsoft Knowledge Base (KB) article Q233303,
RRAS Credentials Saved when "Save Password" Option Unchecked,
http://support.microsoft.com/support/kb/articles/q233/3/03.asp

(Note: It might take 24 hours from the original posting of this bulletin for
the KB article to be visible in the Web-based Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that
this vulnerability poses to their systems and determine whether to download
and install the patch. The patch can be found at:
- RAS:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public
/fixes/usa/nt40/Hotfixes-PostSP5/RASPassword-fix/
- RRAS:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public
/fixes/usa/nt40/Hotfixes-PostSP5/RRASPassword-fix/

(Note: The URLs above have been wrapped for readability)

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-017,
Patch Available for "RAS and RRAS Password Caching"
Vulnerability, (The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-017.asp.
- Microsoft Knowledge Base (KB) article Q230681,
RAS Credentials Saved when "Save Password" Option Unchecked,
http://support.microsoft.com/support/kb/articles/q230/6/81.asp.
- Microsoft Knowledge Base (KB) article Q233303,
RRAS Credentials Saved when "Save Password" Option Unchecked,
http://support.microsoft.com/support/kb/articles/q233/3/03.asp

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please
contact Microsoft Technical Support. For information on
contacting Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
- May 27, 1999: Bulletin Created.


Microsoft File Viewers (5/25/99)

Summary
=======
This is an update to Microsoft Security Bulletin MS99-013. The purpose of the update is to advise customers of the availability of patches that eliminate a vulnerability that occurs in some file viewers included in Microsoft (r) Internet Information Server and Site Server. The vulnerability could allow a web site visitor to view, but not to change, files on the server, provided that they knew or guessed the name of each file and had access rights to it based on Windows NT ACLs.

Issue
=====
Microsoft Site Server and Internet Information Server include tools that allow web site visitors to view selected files on the server. These are installed by default under Site Server, but must be explicitly installed under IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a web site visitor can view.

It is important to note several important points:
- These file viewers are not installed by default under IIS.
- The web site visitor would need to know or guess the name of each file they wished to view.
- This vulnerability only allows a web site visitor to view files, not to change them or to create new ones.
- The file viewers are subject to normal Windows NT file permission ACLs. A web site visitor could only use the file viewers to read files for which they have read access.
- The viewers can only be used to view files on the same disk partition as the currently-displayed web page. Databases such as those used by e-commerce servers are typically stored on a different physical drive, and these would not be at risk.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this bulletin to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions
==========================
- Microsoft Site Server 3.0, which is included with Microsoft Site Server 3.0 Commerce Edition, Microsoft Commercial Internet System 2.0, and Microsoft BackOffice Server 4.0 and 4.5
- Microsoft Internet Information Server 4.0

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:
- Microsoft Knowledge Base (KB) article Q231368,
Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
- Microsoft Knowledge Base (KB) article Q231656,
Preventing Viewcode.asp from Viewing Known Server Files,
http://support.microsoft.com/support/kb/articles/q231/6/56.asp.


Excel 97 virus warning mechanism (5/19/99)

Summary
=======
Microsoft has released a patch that eliminates vulnerabilities in the Excel 97 virus warning mechanism. The patch is fully supported, and Microsoft recommends that affected customers download and install it, if appropriate.


Issue
=====
Microsoft Excel 97 provides a feature that warns the user before launching an external file that could potentially contain a virus or other malicious software. This feature allows the user to weigh the risk of opening the file, based on its origin, the network it is located on and the security practices in operation there, the sensitivity of the data on the user's computer, and other factors.

However, certain scenarios have been identified that could be misused to bypass the warning mechanism. In general, they require the use of infrequently-combined features and commands, and are unlikely to be encountered in normal use. This patch addresses these issues so that they cannot be taken advantage of by a malicious user.

While there are no reports of customers being adversely affected by any of the vulnerabilities eliminated by the patch, Microsoft is proactively releasing the patch to allow customers to take appropriate action to protect themselves against it. These fixes are already built into Excel 2000 and users of that product will not need to download this patch.

Affected Software Versions
==========================
- Microsoft Excel 97

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:
- Microsoft Knowledge Base (KB) article Q231304, Patch Available for Excel 97 Virus Warning Vulnerabilities, http://support.microsoft.com/support/kb/articles/q231/3/04.asp.

(Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The patch can be found at:
- http://officeupdate.microsoft.com/downloaddetails/xl8p6pkg.htm

More Information
================
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-013, Patch Available for Excel 97 Virus Warning Vulnerabilities (the Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-013.asp.
- Microsoft Knowledge Base (KB) article Q231304, Patch Available for Excel 97 Virus Warning Vulnerabilities, http://support.microsoft.com/support/kb/articles/q231/3/04.asp.

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
- May 7, 1999: Bulletin Created.


Microsoft Security Bulletin (MS99-013) File Viewers Vulnerability
--------------------------------------

Solution Available for File Viewers Vulnerability

Originally Posted: May 7, 1999

Summary
=======
Microsoft has identified a vulnerability that occurs in some file viewers that ship as part of Microsoft (r) Internet Information Server and Site Server. The vulnerability could allow a web site visitor to view, but not to change, files on the server, provided that they knew or guessed the name of each file and had access rights to it based on Windows NT ACLs.

Microsoft is releasing this security bulletin to inform customers of the vulnerability and enable them to eliminate it immediately. Patches are being developed for the affected file viewers, and will be available shortly. When they are available, an update to this security bulletin will be released.

Issue
=====
Microsoft Site Server and Internet Information Server include tools that allow web site visitors to view selected files on the server. These are installed by default under Site Server, but must be explicitly installed under IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a web site visitor can view.

It is important to note several important points:
- These file viewers are not installed by default under IIS.
They are only installed under IIS if the user chooses to install the sample web files.
- This vulnerability only allows a web site visitor to view files.
There is no capability through this vulnerability to change files or add files to the server.
- This vulnerability does not in any way bypass the Windows NT file permission ACLs. A web site visitor could only use these tools to view files whose ACLs allow them read access. The administrator of the web server determines the specific permissions for all files on the server.
- The viewers can only be used to view files on the same disk partition as the currently-displayed web page. Databases such as those used by e-commerce servers are typically stored on a different physical drive, and these would not be at risk.
- The web site visitor would need to know or guess the name of each file they wished to view.
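
The restriction the bulletin says the viewers lack can be illustrated with a short added example (not Microsoft's code and not taken from the patch): a source viewer that resolves the requested name and refuses anything outside one samples directory or outside an allow-list of file types. The function name, the suffix list and the directory layout are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Assumption: only these sample-source types are ever meant to be displayed.
ALLOWED_SUFFIXES = {".asp", ".htm", ".html", ".txt"}


def resolve_sample(samples_root: Path, requested: str) -> Optional[Path]:
    """Return the file a viewer may display, or None if the request is refused."""
    root = samples_root.resolve()
    # resolve() collapses ".." segments and follows links, so the comparison
    # below is made on the file that would really be opened.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)      # raises ValueError if outside root
    except ValueError:
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Run constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        samples = site / "samples"
        (site / "config").mkdir(parents=True)
        samples.mkdir()
        # Constructed files: one legitimate sample, one data file stored
        # beside it, and one file elsewhere on the same partition.
        (samples / "hello.asp").write_text("<% Response.Write \"hi\" %>")
        (samples / "orders.mdb").write_text("constructed placeholder")
        (site / "config" / "settings.txt").write_text("constructed placeholder")

        requests = {
            "sample": "hello.asp",
            "parent": "../config/settings.txt",
            "absolute": str(site / "config" / "settings.txt"),
            "wrong_type": "orders.mdb",
            "missing": "nope.asp",
        }
        results = {}
        for label, req in requests.items():
            resolved = resolve_sample(samples, req)
            results[label] = None if resolved is None else resolved.name
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} -> {outcome or 'refused'}")
```

NT file ACLs remain the second layer the bulletin describes; a check like this only narrows what the viewer itself will ask the file system for.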

Specific steps that customers can take to immediately eliminate the vulnerability are discussed below in What Customers Should Do. In addition, Microsoft is developing updated versions of the file viewers and will release them shortly.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this bulletin to allow customers to take appropriate action to protect themselves against it.

Affected Software Versions
==========================
- Microsoft Site Server 3.0, which is included with Microsoft Site Server 3.0 Commerce Edition, Microsoft Commercial Internet System 2.0, and Microsoft BackOffice Server 4.0 and 4.5
- Microsoft Internet Information Server 4.0

What Microsoft is Doing
=======================
Microsoft has provided this bulletin to inform customers of specific steps that they can take to immediately eliminate this vulnerability on their servers. Microsoft is developing updated file viewers that fix the problem identified, and will release an updated version of this bulletin when they are available.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:
- Microsoft Knowledge Base (KB) article Q231368, Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.

What Customers Should Do
========================
Customers should take the following steps to eliminate the vulnerability on their web servers:
- Unless the affected file viewers are specifically required on the web site, they should be removed. The following file viewers are affected: ViewCode.asp, ShowCode.asp, CodeBrws.asp and Winmsdp.exe.
Depending on the specific installation, not all of these files may be present on a server. Likewise, there may be multiple copies of some files, so customers should do a full search of their servers to locate all copies.
- In accordance with standard security guidelines, file permissions should always be set to enable web visitors to access only the files they need, and no others. Moreover, files that are needed by web visitors should provide the least privilege needed; for example, files that web visitors need to be able to read but not write should be set to read-only.
- As a general rule, sample files and vroots should always be deleted from a web server prior to putting it into production. If they are needed, file access permissions should be used to regulate access to them as appropriate.
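
The "full search" in the first step can be scripted. The following is an added example, not part of the bulletin: it walks one or more content roots, matches the four affected file names without regard to case, and reports every copy along with any directory it could not read. The directory names in the demo are constructed.

```python
import os
import tempfile
from pathlib import Path

# The four file viewers named in the bulletin, keyed by lower-cased name
# because NT file names are case-insensitive.
AFFECTED = {
    name.lower(): name
    for name in ("ViewCode.asp", "ShowCode.asp", "CodeBrws.asp", "Winmsdp.exe")
}


def inventory(roots):
    """Return ({viewer: [paths]}, [errors]) for every copy under the roots."""
    found = {name: [] for name in AFFECTED.values()}
    errors = []
    for root in roots:
        # onerror collects unreadable or missing directories so that a
        # clean-looking result is not mistaken for a complete search.
        for dirpath, _dirs, files in os.walk(root, onerror=errors.append):
            for fname in files:
                viewer = AFFECTED.get(fname.lower())
                if viewer is not None:   # exact name match only
                    found[viewer].append(Path(dirpath) / fname)
    for paths in found.values():
        paths.sort()
    return found, errors


def demo():
    """Search a constructed tree holding several copies of the viewers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = [
            "site_a/samples/ViewCode.asp",
            "site_b/old_copy/VIEWCODE.ASP",      # second copy, other case
            "site_a/tools/showcode.asp",
            "site_a/samples/default.asp",        # unrelated page
            "site_a/samples/ViewCode.asp.bak",   # different name, not matched
        ]
        for rel in layout:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed placeholder")
        found, _errors = inventory([root])
        return {
            viewer: sorted(p.relative_to(root).as_posix() for p in paths)
            for viewer, paths in found.items()
        }


if __name__ == "__main__":
    for viewer, copies in demo().items():
        print(viewer, "->", copies or "not present")
```

Pass every drive or content root that the web server can serve from, and review the returned errors list before treating a viewer as absent.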

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-013,
Solution Available for File Viewers Vulnerability (The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-013.asp.
- Microsoft Knowledge Base (KB) article Q231368,
Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges WebTrends for discovering this vulnerability and reporting it to us.

Revisions
=========
- May 07, 1999: Bulletin Created.

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security



Copyright © 1998-2001 NNCUG. This site is best viewed with Netscape / Explorer 4.0 or higher.