Message-ID: <24039899.1075858449808.JavaMail.evans@thyme>
Date: Thu, 7 Jun 2001 12:10:01 -0700 (PDT)
From: security-bugpatch@bdcimail.com
To: kamins@enron.com
Subject: File execution flaw in Eudora 5.1
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-From: NW Security and Bug Patch Alert @ENRON
X-To: kamins@enron.com
X-cc:
X-bcc:
X-Folder: \Vince_Kaminski_Jun2001_10\Deleted Items
X-Origin: Kaminski-V
X-FileName: vkamins.pst

NETWORK WORLD NEWSLETTER: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
06/07/01 - Today's focus: File execution flaw in Eudora 5.1

Dear Wincenty Kaminski,

In this issue:

* Patches and alerts for Eudora, Red Hat, SuSE, others
* Viruses, including a worm that claims to hold pictures of Miss
  World pageant contestants
* The huge potential for Windows XP to unleash DoS attacks, plus
  other interesting reading
_______________________________________________________________

Today's focus: File execution flaw in Eudora 5.1

By Jason Meserve (write me at jmeserve@nww.com)

Today's bug patches and security alerts:

* File execution security hole in Eudora 5.1

A flaw in the way Eudora 5.1 handles file attachments could allow
malicious code to be run on the affected system without the user's
permission. No patch is currently available, although users are
being urged to disable the "Use Microsoft viewer..." option, which
is normally turned on by default. For more on Eudora:
http://www.eudora.com/

* Red Hat issues new version of ispell

Red Hat has released new versions of its ispell package for
Versions 5.2 and 6.2 of its Linux operating system. Previous
versions of the package used temporary files that are vulnerable
to a symlink attack. For more information and to download the
upgrades:
http://www.redhat.com/support/errata/RHSA-2001-074.html

* New xinetd packages available for Red Hat

Red Hat has released new versions of its xinetd package for Red Hat
Linux 7.0 and 7.1 that fix a problem in the way the application
uses certain file permissions. Previous versions of the software
created world-writeable files. This patch sets these files to the
permission '022.' For more information and to download a patch:
http://www.redhat.com/support/errata/RHSA-2001-075.html

* SuSE issues new version of GnuPG/gpg

A flaw in GnuPG (or gpg as it's called by SuSE), an open-source
version of the PGP encryption standard, could allow a user's
private key to be compromised. The format string vulnerability
allows a malicious user to execute arbitrary code on the affected
system, which could help speed the process of discovering the
user's private key information. For more on this flaw and to
download patches:
http://www.suse.com/de/support/security/2001_020_gpg_txt.txt

* PassWD2000 uses weak encryption

According to a post on the BugTraq mailing list, PassWD 2000, a
utility for storing user passwords, uses a weak encryption standard
that makes it easy for a hacker to gain access to the secret
password store. Though the application uses a 128-bit encryption
key, it is relatively easy to extract the key information.
According to the vendor, Version 3.0 of the software will use
Blowfish to protect the password information. For more:
http://www.passwd2000.com/

Today's roundup of virus alerts:

* W32/MissWorld - This e-mail-borne worm comes in an e-mail titled
"Miss World" and claims to be pictures of the Miss World
competition contestants. After displaying a Flash file, the virus
sends itself out to users listed in an Outlook address book and
adds items to the autoexec.bat file that could erase the infected
user's hard drive. (Sophos)

* WM97/Wrench-N - A Word macro virus that attempts to display the
Office Assistant, but a broken payload prevents the virus from
working correctly. The virus also drops the file "ASCII.VXD" in the
infected machine's root directory. (Sophos)

From the interesting reading department:

* Windows XP could unleash wave of DoS attacks

Windows XP, Microsoft's forthcoming operating system, has the
potential to escalate denial-of-service attacks to a level never
before seen, according to a computer security researcher.
http://www.nwfusion.com/news/2001/0606winxp.html
IDG News Service, 06/06/01

* Researcher: DDoS attacks are growing threats

Distributed denial-of-service attacks are growing in number and
sophistication, though tools to fight them are just over the
horizon, said Stefan Savage, a researcher at the University of
California at San Diego and the founder and chief scientist at
Asta Networks.
http://www.nwfusion.com/news/2001/0606ddos.html
IDG News Service, 06/06/01

For additional information, see Steve Gibson's "Anatomy of DDoS
attack":
http://grc.com/dos/grcdos.htm

* EU plans antihacking law in Internet security drive

As part of an effort to raise the level of online security in the
European Union, the European Commission Wednesday said it has begun
work on a computer-hacking law.
http://www.nwfusion.com/news/2001/0606euantihack.html
IDG News Service, 06/06/01

* OpenBSD drops firewall program in licensing dispute

When an Australian software developer tightened licensing
restrictions on his firewall program last month, he set off a chain
of events that has caused a big controversy among the open-source
developers who work on the OpenBSD operating system.
http://www.nwfusion.com/news/2001/0601bsd1.html
Computerworld, 06/01/01

* Check Point partners for data center, app server security

Check Point Software is announcing at SuperComm 2001 three
partnerships that will result in firewall and VPN protection for
data centers as well as application servers.
http://www.nwfusion.com/news/2001/0606checkpoint.html
Network World Fusion, 06/06/01

* RSA launches ACE/Server 5.0

RSA Security Monday announced the release of Version 5.0 of its
ACE/Server user authentication security software. RSA ACE/Server is
one component of the company's SecurID authentication system, which
also includes RSA SecurID Authenticator and RSA ACE/Agent. SecurID
Authenticator is a small device, or token, given to users, and
ACE/Agent is software that is installed on the protected systems.
ACE/Server is "the brains behind SecurID," and the system won't
work without it, said John Worrall, the director of product
management for strong authentication at RSA.
http://www.nwfusion.com/news/2001/0604rsa.html
IDG News Service, 06/04/01

* Archives available online

Is there really a revealing picture of Jennifer Lopez being passed
around the Internet? Find out the naked truth at:
http://www.nwfusion.com/newsletters/bug/index.html
_______________________________________________________________

To contact Jason Meserve:

Jason Meserve is the Multimedia Editor of Network World Fusion and
writes about streaming media, search engines and IP Multicast.
Jason can be reached at mailto:jmeserve@nww.com.
_______________________________________________________________

Copyright Network World, Inc., 2001