---------------------- Forwarded by Vince J Kaminski/HOU/ECT on 09/06/2000 
08:24 AM ---------------------------


"NW Security and Bug Patch Alert" <Security-BugPatch@bdcimail.com> on 
09/06/2000 12:21:41 AM
Please respond to "Security and Bug Patch Alert Help" <NWReplies@bellevue.com>
To: <vkamins@enron.com>
cc:  
Subject: Palm virus reported


NETWORK WORLD FUSION FOCUS: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
TODAY'S FOCUS: Palm virus reported
09/04/00

Dear Wincenty Kaminski,

~~~~~~~ This newsletter sponsored by 
LUCENT TECHNOLOGIES ~~~~~~

Voted "Best in Test" and a "Good Buy" for carrier/ISP
applications, Lucent Technologies' Secure VPN Solutions
garnered top ratings by Mier Communications' recent
Independent Lab Test Report. The products, which included
Lucent's VPN Firewall Brick, Lucent Security Management
Server, and the Lucent IPSec Client, were lab-tested using
a methodology and test bed for evaluating VPNs in
carrier-class applications. To obtain a copy of the report
and for more information on Lucent Secure VPN Solutions,
visit http://nww1.com/go/1715947a.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

11 FREE Newsletter Additions from Network World!
Sign up Today at http://www.nwwsubscribe.com/foc35
Wireless in the Enterprise, Servers, Optical Networking,
The Network Channel, The Edge, Net Worker, Convergence,
Free Stuff, Mobile Computing, The Network World 200, and
Technology Executive
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Today's Focus: Palm virus reported
---------------------------------------------------------------
By Jason Meserve (write me at jmeserve@nww.com)


Before I get into the more serious topics of the day, I thought
I'd share a funny "virus alert" that one of my friends
forwarded to me. The e-mail, entitled "Virus Alert!!!!!!"
contained the following message:

Alert

I'm too lazy to program a real virus, so this virus works
on the honor system-

Please delete all the files on your hard drive...

Now, please forward this message to everyone you know...

Thank you for your cooperation......


Okay, now on with the serious stuff.

A number of the antivirus vendors have issued alerts about the
Liberty virus that allegedly infects PalmOS machines. The
Trojan is said to come disguised as an update to a legitimate
Palm application, Gambit Studios LLC's Liberty GameBoy
emulation software.

However, when executed, the program attempts to delete all
applications on the Palm. Computer Associates, Symantec and
Trend Micro all say they're the first to release protection for
the virus.

For more information on the Palm Liberty virus, see:
http://www.nwfusion.com/news/2000/0829palmvirus.html

One last thing on the PGP issue we wrote about last week before
we get to the alerts. Phil Zimmerman, the man behind PGP, has
issued a response to the problem. Some are claiming the issue
is the result of a backdoor. Zimmerman explains that this is
not the case. Read his response at:
http://www.nwfusion.com/news/2000/0904pgpzimm.html


Today's alerts and patches:


Allaire issues two security bulletins:

Workaround available for administrative interface security
issue

The Allaire Spectra 1.01 product comes with a utility for
configuring the Spectra applications and was accidentally
included in some commercial releases of the product. The tool
could be used by a malicious user to view sensitive data files
used for configuring and administering the Spectra system. For
a workaround:
http://www.allaire.com/handlers/index.cfm?ID=17372&Method=Full


Patch available for Spectra Container Editor preview-object
security issue

The Spectra Contain Editor runs objects with no security under
preview mode. This means an object can invoke any method
without proper permissions. For more information and to
download a patch:
http://www.allaire.com/handlers/index.cfm?ID=15411&Method=Full
**********


Caldera warns of /tmp file race in faxrunq

According to a Caldera alert, the mgetty package contains a
number of tools for sending and receiving facsimiles. One of
the tools, faxrunq, uses a marker file in a world-writable
directory in an unsecured fashion. This bug allows malicious
users to clobber files on the system owned by the user invoking
faxrunq. For new packages:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
**********


Conectiva warns of symlink attack possibility in mgetty

Conectiva is warning its user of a condition in the mgetty
utility that could allow any files on the system to be
overwritten. Versions prior to 1.1.22 are affected. For source
downloads:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/mgetty-1.1.22-
1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/mgetty-1.1.22-1
cl.src.rpm
**********


Microsoft releases patch for "Local Security Policy Corruption"
vulnerability

A problem in Windows 2000 could allow a user to disrupt
operation of the server and possibly the entire network on
which the server sits. Windows 2000 Service Pack 1 fixed the
problem. This is a patch for those that have not applied the
service pack. For more:
http://www.microsoft.com/technet/security/bulletin/fq00-062.asp
**********


Ipswitch releases fix for Imail 6.0

Ipswitch's Imail e-mail server product for Windows NT contains
a vulnerability that could allow an external user to attach a
file that runs on the server. Download the latest version of
6.0 to fix the problem:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/Imail/imailwebpatch604c.exe
**********


Debian upgrades Xchat, ntop to fix bugs

Debian has released a new version of its Xchat packages to fix
a problem with URL handling. For source downloads:
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-0.1.di
ff.gz
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-0.1.ds
c
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3.orig.t
ar.gz


Debian has reissued a patch for ntop after the original patch
released August 5 was deemed ineffective. The patch fixes a
problem in ntop that could allow a malicious user to run
arbitrary code on the affected system. For source downloads:
http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7-11.diff
.gz
http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7-11.dsc
http://security.debian.org/dists/stable/updates/main/source/ntop_1.2a7.orig.ta
r.gz
**********


TurboLinux upgrades Netscape/Java packages

New Netscape packages are available to TurboLinux users.
Netscape 7.47 and prior were susceptible to attack from Brown
Orifice, a data-stealing Java applet. TurboLinux has also added
a fix for Netscape's handling of certain JPEG files, which
could cause a buffer overflow. To download the new package:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/netscape-communicator-4.75-1
.i386.rpm
**********


Patch available for GoodTech FTP Server

The GoodTech FTP server is vulnerable to denial-of-service
attacks. Certain commands will stop the listening threads from
operating correctly. If enough commands are sent, all available
sockets will be closed. For a patch:
http://www.goodtechsys.com/predownload.asp
**********


Linux-Mandrake releases patch for xpdf, Xchat and glibc

According to the Linux-Mandrake alert, there is a potential
race condition when using tmpnam() and fopen() in xpdf versions
prior to 0.91. This exploit can be only used as root to
overwrite arbitrary files if a symlink is created between the
calls to tmpname() and fopen(). For updates:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates


The Xchat patch fixes a problem with the way the IRC program
handles URLs. A malicious URL could be used to run arbitrary
commands on the affected system. For more information:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates


The glibc program contains a vulnerability in the ld.so module
that could allow a local user to obtain root access. For
patches:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
**********


Red Hat updates usermode packages

Usermode allows the local user to execute reboot and other
system commands without root privileges. One of those commands
was to shut the system down. This patch removes that
functionality.
Sources for 6.0 and 6.1:
ftp://updates.redhat.com/6.2/SRPMS/usermode-1.35-1.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/SysVinit-2.78-5.src.rpm

Source for 6.2:
ftp://updates.redhat.com/6.2/SRPMS/usermode-1.35-1.src.rpm
**********


FreeBSD issues a batch of alerts:

Netscape - The company has fixed the Brown Orifice and JPEG
vulnerabilities. New packages can be downloaded from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/

Mopd - The mopd module is used for rebooting older DEC
machines. A vulnerability in the package could allow a user to
execute arbitrary commands as root. For upgrades:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mopd-1.2b.t
gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/mopd-1.2b.t
gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/mopd-1.2b.
tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/mopd-1.2b.
tgz
ftp://ftp.FreeBSD.org/pub/FrreeBSD/ports/alpha/packages-5current/net/mopd-1.2b
.tgz

Linux binary problem - FreeBSD is Linux compatible through a
set of "shadow" binaries. These binaries contain a
vulnerability that could allow a local user to gain root access
under certain specific conditions. To download the patch:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:42/linux.patch

Brouted - According to FreeBSD, The brouted port is incorrectly
installed setgid kmem, and contains several exploitable buffer
overflows in command-line arguments. An attacker exploiting
these to gain kmem privilege can easily upgrade to full root
access by manipulating kernel memory. For updates:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/brouted-1.2
b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/brouted-1.2
b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/brouted-1.
2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/brouted-1.
2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/brouted-1
.2b.tgz

Xlockmore - The system is used to lock access to X terminal. A
problem could allow an attacker to steal the hashed password
information from memory. For fixes:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/xlockmore-4
.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/xlockmore-4
.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/xlockmore-
4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/xlockmore-
4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/xlockmore
-4.17.1.tgz
**********


Today's round up of virus alerts:

Win32/MTX.A.Worm - This Trojan virus infects the Windows
directory and attempts to download files from a Web site. It
then sends itself out as randomly named attachments. (Computer
Associates)

WM97/Verlor-I - Makes changes to the WINl.INI file and global
Word template. (Sophos)

WM97/Piper-A - This virus animates the Office Assistant when
documents are opened, closed, created and saved in Word.
(Sophos)

WM97/Footer-O - This Word macro virus does nothing but
replicate itself. (Sophos)

W32/Apology - Sends an attachment of itself to anyone that an
infected user e-mails. (Sophos)

VBS/Lovelet-BF - Another Love Letter variant. This one comes
with the subject "True Story...." and contains an attachment
called MYLINONG.TXT.SHS. (Sophos)
**********


From the interesting reading category:

The Encyclopaedia of Computer Security

I got an e-mail from the publisher of this British-born site.
The editor claims there are some 6,000 pages of information on
the site and it's growing daily. Check it out at:
http://www.itsecurity.com


Sun admits to memory problem

Problems with a memory component that Sun has been quietly
trying to fix for the past several months are continuing to
plague some large users of Sun's Ultra Enterprise Unix servers.
And Sun has gone to extraordinary lengths to keep its customers
quiet about the issue. Computerworld, 08/28/00.
http://www.nwfusion.com/news/2000/0828sun.html


Microsoft Word documents can be tracked on Web

Creators of Microsoft Word documents can use the application's
ability to include Web hyperlinks to remotely track who is
reading a document, according to a study by the Denver Privacy
Foundation published Wednesday. Network World, 08/31/00.
http://www.nwfusion.com/news/2000/0831wordtrack.html
**********


Miss an issue?
We keep all of our newsletters in an archive (thanks to Marlo
and Chris) back on NW Fusion. Check out:
http://www.nwfusion.com/newsletters/bug/


To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering
search engines, portals, videoconferencing, IP Multicast and
document management. He also oversees the "Security Alerts"
page on Fusion http://www2.nwfusion.com/security/bulletins.html.
Jason can be reached at mailto:jmeserve@nww.com.
-------------------------

Got a security alert or bug patch question related to your
corporate network? Post it at Experts Exchange on Fusion at
http://nwfusion.experts-exchange.com/. Another network
professional may have the solution to your problem.

May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered
at your fingertips each day. Now, extend your knowledge by
receiving 51 FREE issues to our print publication. Apply
today at http://www.nwwsubscribe.com/nl

*********************************************************
Subscription Services

To subscribe or unsubscribe to any Network World e-mail
newsletters, go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To change your email address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to
this message.

Other Questions/Comments

Have editorial comments? Write Jeff Caruso, Newsletter Editor,
at: mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Account 
Executive, at: mailto:jkalbach@nww.com

Network World Fusion is part of IDG.net, the IDG Online
Network. IT All Starts Here:
http://www.idg.com

Copyright Network World, Inc., 2000