---------------------- Forwarded by Vince J Kaminski/HOU/ECT on 03/16/2000 
05:38 PM ---------------------------


"NW Security and Bug Patch Alert" <Security-BugPatch@bdcimail.com> on 
03/14/2000 02:50:13 AM
Please respond to "Security and Bug Patch Alert Help" <NWReplies@bellevue.com>
To: <vkamins@enron.com>
cc:  
Subject: 'South Park' virus on the loose


NETWORK WORLD FUSION FOCUS: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
TODAY'S FOCUS: 'South Park' virus on the loose
03/13/00

Dear Wincenty Kaminski,

Today's Focus: 'South Park' virus on the 
loose
---------------------------------------------------------------
By Jason Meserve

It's been a year since the infamous "Melissa8 virus downed e-mail
systems nationwide and caused some panic in the general Internet
populace. In the year since, we have a number of copycats and variants
of Melissa invading our e-mail systems, though not to the same extent.

Now, the e-mail virus du jour is the "South Park" virus, named after
the animated series on Comedy Central. The South Park virus, known in
security circles as W32/Pretty.worm.unp, attempts to send itself to all
the addresses listed in an infected user's Outlook address book every
thirty minutes. By doing so, the virus causes an "e-mail storm" that
can bog down and crash network servers attempting to relay the flurry
of mail. South Park appears to come from a known user and contains an
icon featuring Kenny, one of the characters from the show.

Security software maker Finjan Software has reported seven variants of
the South Park virus, which itself is a variant of the PrettyPark virus
that made the rounds a few weeks earlier.

For more information on South Park and its variants:
http://www.nwfusion.com/news/2000/0306southpark.html
http://www.finjan.com/attack_release_detail.cfm?attack_release_id=32


Before we get to the latest alerts, two other resources to check out:

1. The Shmoo Group, a security consultancy, has written a paper entitled
"How to Write Secure Code." It can be found at:
http://www.shmoo.com/securecode/

2. Eric Knight of Security Paradigm has written an online book entitled
"Computer Vulnerabilities." The book looks into how hackers exploit
vulnerabilities and what methods they use. Knight's book is available in
PDF format at:
http://www.securityparadigm.com/compvuln_draft.pdf


Now on with the latest alerts and patches:


W97M/Melissa.AO virus

Computer Associates is reporting a new version of the Melissa
macrovirus that could be making the rounds. This one disables the
Tools/Macro command bar, Virus Protection, SaveNormalPrompt and
ConfirmConversions options in Microsoft Word. It also makes a couple of
changes to the Windows registry. Like the original Melissa, this
version replicates itself to the first 25 users in the Outlook address
book.
http://www.ca.com/virusinfo/
***********

Microsoft had a busy week, releasing three patches covering a variety
of problems:

1. Patch available for "Registry Permissions" vulnerability.

It seems as if the security on a couple of registry settings in Windows
NT 4.0 is not as secure as the Redmonians first thought. This patch
fixes the problem, which could let a malicious user gain additional
privileges on a system they are logged into.
http://www.microsoft.com/technet/security/bulletin/fq00-008.asp

2. Patch available for "SQL Query Abuse" vulnerability.

This patch for Microsoft SQL Server 7.0 and Microsoft Data Engine 1.0
plugs a hole that could enable a remote user to author malicious SQL
queries that allow the user to take unauthorized actions against on the
database or underlying operating system.
http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

3. Patch available for "Clip Art Buffer Overrun" vulnerability.

A feature in Microsoft Office that lets users download and install clip
art from the "Microsoft Clip Art Gallery" has a potential hole. Using a
very long embedded field in the clip art files, a malicious user could
crash or even execute code on the system where the clip art file is
downloaded.
http://www.microsoft.com/technet/security/bulletin/fq00-015.asp
***********

Red Hat releases nmh packages

Following up a vulnerability that was reported here last week, Red Hat
has released new nmh packages. A vulnerability in the previous nmh
releases allowed specially formed MIME headers to execute code using
nmh's 'mhshow' utility.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=9921
***********

Network file resource vulnerability

Eric Hacker of Lucent,s NetworkCare division is reporting that
applications running in Windows could provide remote access to user name
and password information. Hacker warns that programs such as Internet
Explorer, Eudora, Word and Outlook running on default configurations of
Windows can be duped into sending a user name and password information
to unsuspecting users. Though this information may be encrypted, it is
easily crackable, Hacker reports.
For more information:
Windows 95:
http://support.microsoft.com/support/kb/articles/Q165/4/03.ASP
NT 4.0:
http://support.microsoft.com/support/kb/articles/Q147/7/06.asp
Win2000:
http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP
***********

Password problem in SBC DSL routers

A Kewlhair Security advisory reports that routers being used in SBC
Communications' digital subscriber line service are being installed
without a password. Kewlhair reports that engineers are failing to set
the passwords during installation at customer sites. SBC is using
Cayman DSL routers.
For more information on how to set the password:
http://cayman.com/security.html#passwordprotect
***********

Astar application vulnerability

TESO, "crew of coders and freaks who care mostly about network and Unix
security," are reporting a hole in the astar application that ships with
the Halloween 4 Linux distribution. Malicious users could use the
application along with obscure command-line code to gain root access.
Vendor Web site:
http://www.halloween-linux.de/
***********

Vulnerability in StarScheduler

S.A.F.E.R. is reporting a vulnerability in StarScheduler, the groupware
server that comes with Sun,s StarOffice product. The underlying Web
server used by StarScheduler is vulnerable to remote execution of code
and root access, according to the S.A.F.E.R. advisory. Sun has yet to
release a patch.
http://www.safermag.com/advisories/0007.html
***********

To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering search
engines, portals, videoconferencing, IP Multicast and document
management. He also oversees the "Security Alerts" page on Fusion
(http://www2.nwfusion.com/security/bulletins.html). Jason can be reached
at mailto:jmeserve@nww.com.

*********************************************************
Subscription Services

To subscribe or unsubscribe to any Network World e-mail newsletters,
go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To change your email address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to this
message.

Other Questions/Comments

Have editorial comments? Write Jeff Caruso, Newsletter Editor, at:
mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Account Executive,
at: mailto:jkalbach@nww.com

Network World Fusion is part of IDG.net, the IDG Online Network.
IT All Starts Here:
http://www.idg.com

Copyright Network World, Inc., 2000