Microsoft advisories. Microsoft has published three advisories for a heap overrun in HTR, an unchecked buffer in the Remote Access Service (RAS), and two issues in SQLXML. The combination of these issues presents an excellent opportunity for mischief ranging from crashing a system to an escalation of privileges by running an attacker's choice of code. The risk for an unpatched system is deemed critical. Patches are available on Microsoft's website and should be applied immediately. www.microsoft.com <http://www.microsoft.com> (iss.net, 17 June) EarthLink's passwords are naked. EarthLink, the nation's fourth-largest Internet service, is allowing its support employees to have full access to the passwords of its 4.9 million subscribers. EarthLink service agents are permitted to view customer passwords in order to expedite the handling of one of the ISP's top support issues: forgotten passwords. EarthLink could be exposing its subscribers to a range of security threats, including attacks from disgruntled or unethical employees. At the help section of its site, EarthLink provides the following warning on password security: "Never tell your password to anyone -- with one exception. EarthLink Sprint Technical/Customer Support may ask for it when you call EarthLink Sprint for assistance." EarthLink sometimes requests a subscriber's password to troubleshoot connection problems, but the company does not use passwords as a way of authenticating telephone callers. Such a confusing password policy could make an ISP's customers easy prey for password scams that involve "social engineering" or trickery. It should be noted; any attempts by support reps to gain access to customer accounts would be logged. At America Online, MSN and United Online -- the top three ISPs, respectively -- stored passwords are off-limits altogether to support staff. (Wired News, 17 June) FAA to simulate GPS outages. In September 2002, the Federal Aviation Administration (FAA) plans to run a simulation to assess the impact of a Global Positioning System (GPS) outage on air traffic control. The GPS Outage En Route Simulation (GOERS) will test how the loss of satellite-based navigation aids affects controller workload under conditions that include environments in which a mix of GPS and ground-based navigational aids are available. Jacksonville Air Route Traffic Control Center in Florida is the leading candidate for GOERS, pending coordination with the National Air Traffic Controllers Association. The simulation will be conducted over five weeks. At that time the FAA will recommend whether measures should be taken to lessen the effects of an outage. The plan calls for reducing the ground-based navigation aids aircraft use to fly across the country by about 50 percent beginning in 2007 and finishing in 2012. (Federal Computer Week, 17 June) Further Information: GPS is a space-based radio-navigation system. It consists of 24 satellites, which orbit the Earth at an altitude of approximately 11,000 miles, and ground stations. GPS provides users with accurate information on position, velocity, and time anywhere in the world and in all weather conditions. GPS satellites circle the earth twice a day in a very precise orbit and transmit signal information towards the earth. GPS receivers take this information and use triangulation to calculate the receiver units location. The FAA is developing two satellite-based systems, the Wide Area Augmentation System and the Local Area Augmentation System, which will provide the accuracy, availability, and integrity needed to use GPS as a primary means of navigation in the U.S. National Airspace System (NAS). http://gps.faa.gov/FAQ/index.htm <http://gps.faa.gov/FAQ/index.htm> ) Flaw in Microsoft Corporation's SQL Server. A Russian security researcher claims he has discovered a flaw in Microsoft Corp.'s SQL Server 2000 which gives an attacker the ability to either crash the server or execute malicious code on the machine. Microsoft is aware of the advisory and is investigating the issue. The vulnerability is in the "pwdencrypt" hashing function, which is included with SQL. A buffer overrun flaw in this function enables an attacker to overwrite a portion of the heap memory. (ISN, 14 June) Microsoft accidentally distributes virus. Microsoft accidentally sent the Nimda worm to South Korean developers when it distributed Korean-language versions of VisualStudio.Net that carried the virus. The tools picked up the digital pest when a third-party company translated the program into Korean. Microsoft says the worm has not executed on any developers' systems, and if it did, it would not be able to spread to the developer's system because the virus only runs on systems running IE 5.5 and lower, and the VisualStudio.Net requires version 6.0 of the browser. Microsoft has notified all its registered Korean customers, and the company posted a patch to its Web site. It also plans to provide clean copies to all the developers, free of charge. (CNET Networks, 14 June) IBM software targets "drive-by hacking." IBM software sits on laptops and PCs, analyzing traffic on an internal 802.11 wireless network and sends the data to a centralized server. The server then "crunches" the data and produces a report that can tell system administrators if there are wireless access points that have been misconfigured. Access points are physical connections to the computer network located throughout a site. Wireless networks are cheap, costing less than $100, and convenient to use, allowing workers to carry laptops from office to conference room to cafeteria. (atnewyork.com, 16 June) WWU Comment: Wireless networks require special attention and special security measures to keep both the network and the data within the network secure from outside intrusion.
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 17:50:19 PDT