NETWORK WORLD FUSION FOCUS: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
12/11/00 - TODAY'S FOCUS: Cisco fixes bugs in switches and
routers

Dear Wincenty Kaminski,

In this issue:

* Patches and alerts from Cisco, Microsoft and more
* Viruses, including two that spread by e-mail
* A warning about hackers targeting e-commerce sites, and other
  interesting reading
* IT Job Spot(tm): Exclusive opportunities with hot companies.


~~~~~~~ This newsletter sponsored by LUCENT TECHNOLOGIES ~~~~~~

Voted "Best in Test" and a "Good Buy" for carrier/ISP
applications, Lucent Technologies' Secure VPN Solutions
garnered top ratings by Mier Communications' recent Independent
Lab Test Report.  The products, which included Lucent's VPN
Firewall Brick, Lucent Security Management Server, and the
Lucent IPSec Client, were lab-tested using a methodology and
test bed for evaluating VPNs in carrier-class applications. To
obtain a copy of the report and for more information on Lucent
Secure VPN Solutions, visit http://nww1.com/go/2204319a.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Networking For Small and Medium Businesses

You are just one day away from mastering the new network
products and services that can make your business more
competitive and more profitable!  Interactive presentations,
roundtable discussions and one-on-one time with leading
networking specialists equip you with the information you need
to build a network that's more efficient - and much easier to
manage.  Join Network World and PC World at this exciting
event!  For more information visit http://nww1.com/go/2184773a.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Today's Focus: Cisco fixes bugs in switches and routers
---------------------------------------------------------------
By Jason Meserve (write me at jmeserve@nww.com)

I got an interesting response to a Network World column I
mentioned last week titled "Universal secure messaging will
rely on outsourcers." The column was written by James Kobielus,
who talked about authenticating digital signatures.

Reader John R. agrees with assumption in the column, saying
that for these signatures attached at the bottom of the message
to carry any weight, they need to be validated. To prove his
point, he attached a signature to his message. To the naked
eye, one would think it's OK. But, the signature was one he
pulled off an old CERT alert. Obviously, I don't check digital
signatures that vigorously.

John writes there are a couple other common foibles in dealing
with e-mail signatures:

* Assumption that if the "from: ID" is of a friend, it must have
been consciously sent by that person.

"Besides outright SMTP forgery (fakemail via port 25), it is
possible that another person is using the friend's system and
sent the e-mail, or that a software routine hooked into the
friend's e-mail account. The latter has been the [modus
operandi] of some recent worms and Trojans, "John writes.


* Failure to understand the difference between the userID and
the domain portions of an e-mail address.

"In one type of Web scam, a [perpetrator] gets, say, a Hotmail
or Juno account with a user ID that looks a lot like a trusted
company name. Naive people receive the email and think it is
from a trusted company. For example, a scam artist getting a
"Network_World@hotmail.com" address and passing himself off as
a Network World representative," he writes. "Loosely related to
the e-mail insecurities are some Web link tricks, but this is
for another time."

Thanks for the e-mail John. Maybe we'll have to start signing
our e-mails. You can read the Kobielus column at:
http://www.nwfusion.com/columnists/2000/1127kobielus.html


Today's bug patches and security alerts:


DoS bug in Cisco Catalyst switches

A bug exists in Cisco Catalyst switches that could allow a user
to launch a denial-of-service attack. If repeated, failed
telnet requests are made to the switch, the device could fail
to accept traffic and commands until rebooted. For more
information:
http://www.cisco.com/warp/public/707/catalyst-memleak-pub.shtml


Cisco fixes multiple vulnerabilities in CBOS

Cisco last week announced that it had fixed a number of holes
in CBOS, the operating system for its 600-series family of
routers. The problems range from possible SYN flood denial-of-
service vulnerabilities to a locking problem when a specific
URL is sent to the router. For more information:
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml


Microsoft releases tool for "SNMP Parameters" vulnerability

A bug in the way Windows 2000 handles some SNMP parameters
could allow a user in a network group to monitor or change
network service maliciously. This tool fixes the problem in the
registry key. For more information:
http://www.microsoft.com/technet/security/bulletin/ms00-096.asp

A similar vulnerability affects Windows NT 4.0 as well as
Version 4.0's RAS Administration Key and MTS Package
Administration key. Windows NT 4.0 users can find more
information and patches at:
http://www.microsoft.com/technet/security/bulletin/ms00-095.asp


Local root compromise in Lexmark MarkVision

The Lexmark MarkVision printer management utility for Unix
contains an overflow that could allow a user to gain root
access on the affected system. By exploiting the vulnerability,
the user could execute code as root. For fixes:
ftp://ftp.lexmark.com/pub/driver/unix/MarkVision/V4.4


New BitchX patches fix DoS vulnerability

The popular Linux IRC client BitchX contains two
vulnerabilities. First, a stack overflow exists in the client
that can be exploited if a malformed Domain Name System (DNS)
answer is processed. A second vulnerability allows the
malformed packets to be hidden by valid DNS packets. For more
information on BitchX:
http://www.bitchx.org/


Remote command vulnerability in phpGroupWare

According to an alert from Secure Reality, phpGroupWare makes
insecure calls to the include () function of PHP which can
allow the inclusion of remote files, and thereby the execution
of arbitrary commands on the remote web server with the
permissions of the Web server user, usually 'nobody'.
PhpGroupWare is a groupware program that combines calendar, e-
mail, file sharing and to do lists into one application. For a
patch:
http://sourceforge.net/project/showfiles.php?group_id=7305


Conectiva releases fixed version of Bash

The Bash module for Linux contains vulnerability in its
creation of temporary files. The files are written in a
predictable manner and can be exploited by an attacker to
overwrite files on the affected system.
For downloads:
ftp://atualizacoes.conectiva.com.br/4.0/i386/bash-1.14.7-24cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bash-1.14.7-24cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bash-1.14.7-24cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bash-1.14.7-24cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bash-1.14.7-26cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bash-1.14.7-29cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bash1-1.14.7-31cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bash-1.14.7-2
6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bash-1.14.7-26
cl.i386.rpm


Caldera fixes problem in tcsh

The tcsh command writes insecure temporary files that can be
exploited via a symlink attack. This attack can be used to
overwrite arbitrary files. For updates:
OpenLinux Desktop 2.3:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

OpenLinux eDesktop 2.4:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/


Red Hat reports race condition in diskcheck

According to the Red Hat alert, a race vulnerability exists
where a user can replace the temp file used by diskcheck with
symlinks to other files on the system, making it possible to
corrupt those files.
Users of Red Hat Powertools 6.0, 6.1, and 6.2 can download the
patch from:
ftp://updates.redhat.com/powertools/6.2/noarch/diskcheck-3.1.1-10.6x.noarch.
rpm


Today's roundup of virus alerts:


W32/Xtc: This Trojan spreads via e-mail and Internet Relay Chat
and appears as an attachment called services.exe. The
accompanying message claims the attachment is an update for a
product. (Sophos, Computer Associates)

W32/Hybris-B: E-mail worm that can attempt to update itself off
the Internet and displays a spiral on the screen that can be
difficult to close. It also copies itself into compressed files
containing .exe files. (Sophos)

XM97/Laroux-EH: Another Excel spreadsheet virus. No word on the
payload. (Sophos)

WM97/Ded-J: A Word macro virus that spreads but does not cause
damage. (Sophos)

WM97/Marker-FX: A Word macro virus that spreads but does not
cause damage. (Sophos)


>From the interesting reading department:


Feds warn about rise in attacks against e-commerce sites

As the busy holiday shopping season gets into full swing, a
federal security agency affiliated with the FBI is warning that
attacks by malicious hackers against e-commerce Web sites and
other companies doing business online are on the rise.
Computerworld, 12/06/00.
http://www.nwfusion.com/news/2000/1206fedswarn.html


Embedded HTML 'bugs' pose potential security risk

Although seasoned network administrators may have grown
accustomed to the nuisance of unsolicited e-mail, or spam,
these messages may soon pose severe security threats to company
networks, thanks to emerging software geared to give e-
marketers more access to personal data. InfoWorld, 12/06/00.
http://www.nwfusion.com/news/2000/1206bugs.html

Write me at jmeserve@nww.com

Catch up on any missed bug patch and security alert newsletters
by clicking to:
http://www.nwfusion.com/newsletters/bug/index.html

To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering
search engines, portals, videoconferencing, IP Multicast and
document management. He also oversees the "Security Alerts"
ppage on Fusion http://www2.nwfusion.com/security/bulletins.html.
Jason can be reached at mailto:jmeserve@nww.com.
-------------------------

Got a technical question related to new technology on your
corporate network? Post it at Experts Exchange on Fusion at
http://nwfusion.experts-exchange.com/. Another network
professional may have the solution to your problem.


***************************************************************
IT Job Spot(tm) presented by http://www.ITcareers.com

With LeadersOnline, your IT career advancement is in the hands
of recruiting professionals...not monsters. We bring exclusive
opportunities to you through our convenient web-based search
process. LeadersOnline finds high-quality, $75K-$200K IT
positions meeting your specific requirements. Developed by
Heidrick & Struggles, the world's leading executive search
firm, LeadersOnline matches top IT professionals with clients
needing emerging leaders in mission-critical positions. Invest
10 minutes to register with LeadersOnline today. It's free and
confidential. We'll do the rest.
http://ad.doubleclick.net/clk;2192266;4831248;j
***************************************************************


May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered
at your fingertips each day. Now, extend your knowledge by
receiving 51 FREE issues to our print publication. Apply
today at http://www.nwwsubscribe.com/nl

*********************************************************
Subscription Services

To subscribe or unsubscribe to any Network World e-mail
newsletters, go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To change your email address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to
this message.

Other Questions/Comments

Have editorial comments? Write Jeff Caruso, Newsletter Editor,
at: mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Account
Executive, at: mailto:jkalbach@nww.com

Network World Fusion is part of IDG.net, the IDG Online
Network. IT All Starts Here:
http://www.idg.com

Copyright , 2000 Network World, Inc.