Netscape Navigator users were able to chuckle as they read about the large number of security problems that have recently surfaced with Microsoft products. However, now it’s their turn to worry about a security hole.

BugNet has verified, using KeyLabs, reports of a potentially serious security hole for people who use Netscape Navigator. The problem exists in Netscape’s Java Virtual Machine, which runs Java applets found on web pages, and was reported by security researcher Dan Brumleve. The exploit could be used to reverse normal browsing – files could be sent from your computer to the web site.

A web site operator could take advantage of this vulnerability to run code on a web surfer’s computer. This code would act as a file server, and could be used to offer up files from the surfer’s hard drive back to the web site. The code itself could be activated without the knowledge of the web browser. BugNet’s tests show that versions of Netscape running on Windows 95, Windows 98, and Windows 2000 are affected. The vulnerability can also be extended so that it can be used against people running Netscape on Macintosh and UNIX computers. BugNet has also gotten the exploit to work on Netscape for Linux, but only if the Linux user is surfing the web while logged in as “root”. Linux security gurus advise against that particular practice.

Normally, Java programs downloaded from the Internet run on your local computer in a “sandbox”. The program’s actions typically would not be allowed to extend beyond this sandbox, which makes the files on your hard drive off limits. Brumleve’s exploit manages to circumvent this restriction, which can give a hacker free reign on your system. Since many people have sensitive information stored in fairly standard locations on their hard drives (such as Quicken, TurboTax, or Microsoft Money files), the hacker could have many tempting targets. Even after you left the offending web page, the exploit would continue to run, staying active until Netscape Navigator is closed.

The Netscape Security Site, listed below, has not yet posted any fix. As a workaround, any Netscape user can disable Java on their machine. Do this by clicking Edit, Preferences. Click Advanced, and then uncheck Enable Java. Doing this may disable some features on web sites you visit, but will keep anyone from exploiting this particular security hole.

As we’ve recounted many times, the first people to install a Microsoft Service Pack often run into problems. Last month it was IE 5.01 Service Pack 1. Before that, it was Office 2000, Office 97 (twice), and Windows NT 4.0. This time it is Windows 2000, Service Pack 1.

This time, the bad luck came to those who were using Zone Labs’ Zone Alarm 2.1.25, a popular firewall program that provides security against Internet marauders. If you were using Zone Alarm, set to High Security, on a Windows 2000 computer, installing the Service Pack would cut you off from almost all Internet connections, including Internet Explorer, Netscape Navigator, and e-mail programs. Tests by KeyLabs show that only the most basic TCP/IP functions, such as Ping, can get through, while the more advanced programs are stymied. Trying to use Netscape Navigator would result in the error message shown in Figure 1.

While there was no mention of this in the Service Pack 1 Release Notes, a workaround was quickly posted in the Microsoft Knowledge Base and at the Zone Labs Site: reducing the Zone Alarm security level from High to Medium allows you to connect to the Internet. (In Zone Alarm, click the Security button, and use the slider to adjust the security level for the Internet). The upshot of this workaround is that while Zone Alarm will still keep hackers out of your computer, you will no longer be operating in Stealth Mode, which makes your computer invisible to others searching for a system to break in. And if they don’t know you’re there, they can’t break in.

Gregor Freund, president of Zone Labs, said that the incompatibility was due to a lack of coordination between Microsoft and Zone Labs which prevented either party from adequately testing the firewall service pack combination. Other personal firewall developers have said that a recent change in the Windows 2000 software developer’s kit (SDK) reached developers at the same time as the new SP1, again preventing adequate testing.

Despite the mix-up, Zone Labs has now released a patch that will allow a Windows 2000 Service Pack 1 computer to operate in ZoneAlarm’s High Security, or Stealth, mode. Download the patch from Zone Labs web site. KeyLabs has confirmed that the patch does indeed work. Once you have downloaded it, run the program and follow the installation instructions. Installing the patch does require a system reboot.

The BugNet database will have more information on what Service Pack 1 fixes, as well as other things it may break. While it may not make you happy, it may keep you from getting the Service Pack Blues.

Last week, BugNet reported an incompatibility between Windows 2000 Service Pack 1 and ZoneAlarm. After more testing with KeyLabs, BugNet was able to identify another personal firewall product that fell victim to Microsoft’s update for Windows 2000. BlackICE Defender users were surprised to find their TCP/IP filtering down for the count after installing SP1. Fortunately, Network ICE was quick to release a patched version that eliminates the SP1 incompatibility.

BlackICE and their competitor, ZoneAlarm, attack the problem of personal Internet safety from different perspectives. Where the ZoneAlarm/SP1 combination killed applications’ ability to access the Internet, the BlackICE/SP1 combination actually disabled filtering, leaving your system unprotected. In other words, BlackICE users were still able to access Internet resources. The only change was that filtering was disabled.
To blame for the BlackICE incompatibility is a last minute change in the Microsoft Windows 2000 SDK. According to John Myung, technical marketing manager for Network ICE, Microsoft released an updated Software Developers Kit (SDK) at about the same they released SP1. Given the timeframe, Network ICE was unable to fully test the effects of the new Application Program Interfaces (APIs). However, after being notified of the problem, Network ICE was able to turn around a patch in short order.

The BlackICE Defender patch is available from Network ICE’s web site. The update works on all platforms, including Windows 95/98, though the SP1 incompatibility is only evident on Windows 2000. Installing the patch is uneventful. Simply download the patch and run the executable. Given the simplicity of installing the patch and the potential for loss, we recommend this patch for all BlackICE installations.

Testing at KeyLabs has verified a security vulnerability that has been discovered in Network Associates PGP (Pretty Good Privacy) encryption program. Giving rise to some “I told you sos”, the vulnerability happens because of a feature added to let certain third-parties read your encrypted mail.

The problem was found by German researcher Ralf Senderek, and has been circulated by CERT, and acknowledged by Network Associates. It affects PGP 5.5.x through PGP 6.5.3 for Windows 95, 98, NT, and 2000.

Encryption in PGP works via a mathematical formula using a private key and a public key. The public key is known to others, and is usually made available through public sources. The problem is due to the introduction of another type of key, called an Additional Decryption Key (ADK). These ADKs were the solution that PGP used for key escrow, which provides a means for someone else, like your company or the FBI, to read your encrypted mail.?

The source of the problem is that PGP implemented these ADKs in a way that allows a third party to tamper with them. Normally, ADKs are supposed to be stored in the signed (i.e. encrypted) area of the certificate. The PGP bug permits a malicious user to add an ADK to the unsigned area of the certificate, and since PGP doesn’t check where the ADK is, it accepts it as legitimate. A particularly good snooper, exploiting a particular set of circumstances, may be able to secretly add an unsigned ADK to a key, so that when you use the key to send an encrypted message to a trusted correspondent (such as your Swiss Banker), that message could be snooped by a malicious third party.

According to CERT, if you are running one of the affected versions in Windows, you should right-click on one of your certificates (which is where your keys are kept). Look at the Key Properties. If you see the ADK tab there, someone has added the additional key. Of course, it may be there legitimately, or it may have been put there as part of a spying operation.

CERT also shows a way for users of GnuPG to check for ADKs. You should give this command:

Gpg -list-packet

If you have a legitimate ADK you will see this in the output:

Hashed subpkt 10 len 23 (additional recipient request)

If the ADK shouldn’t be there, the word Hashed will be missing. (Please note that there are conflicting reports as to whether the open source GnuPG is affected by this problem.)

One aspect of this ADK problem is that the vulnerability happens outside your control. A hacker does not need to break into your computer to tamper with your keys. A vulnerability may occur via one of your correspondents, or via a key server, which is a repository for public keys. According to Network Associates, the PGP Key Server has already been fixed to filter out the fake ADKs. Since the discovery of the problem, NAI did a scan of one of the largest certificate servers. Of the 1.2 million keys on the server, none of them had tampered ADKs.

Yesterday, NAI posted a utility, PGPrepair, that will scan existing PGP key rings and repair keys that have been tampered with. There are versions of PGPrepair 1.0 that will work with Windows, Linux, and Solaris, and will repair systems running PGP 2.6.2 and above. PGPrepair is freely downloadable.

In addition to PGPrepair, NAI has also posted PGP product patches that are available to registered users. For further information and links to PGPrepair 1.0 visit PGP’s ADK advisory.

For many people, the axiom, “If it ain’t broke, don’t fix it”, is their modus operandi. With so many other things to worry about, updating a browser that seems to be working fine just isn’t a high priority. However, a recently discovered security bug in Hotmail may serve as a wakeup call to all Internet Explorer 4.x and 5.0 users. BugNet has verified a security vulnerability that would allow a malicious user to usurp control of someone else’s Hotmail account, allowing the hacker to read and to send e-mail from that account. Because this security hole can be thwarted by upgrading IE, we recommend that all Hotmail users verify that they are running the most current version of the Microsoft browser.?

With testing provided by KeyLabs, BugNet was able to verify this Hotmail vulnerability reported by an Internet developer in Denizli, Turkey. Alp Sinan, an e-commerce and security consultant, supplied demonstration code that allowed us to gain access to test e-mail accounts on the Hotmail server. The exploit involves using a previously reported security hole in IE (”Unauthorized Cookie Access”) to steal an unsuspecting user’s Hotmail cookie. That cookie is then used to authenticate the malicious user to the victim’s Hotmail account.

While newer versions of IE prevent a hacker from stealing cookies, there are still a lot of Internet users that use the default browser that came with the Windows 95 and Windows 98. For many, the size of the download has prevented them from upgrading over a dialup connection.

Since Microsoft has issued Service Packs and Upgrades for the “Unauthorized Cookie Access” bug, this leaves the rest of the blame with Hotmail for their lax security and authentication procedures. Hotmail’s authentication is built on session cookies. When a user logs in, Hotmail sends the user an encoded cookie that the browser uses to authenticate with the Hotmail server throughout the life of the Hotmail session. If the user can be tricked into sending this session cookie to a hacker, then the hacker could also gain access to the victim’s account. The hacker might do this by enticing the user to click on a carefully constructed Internet link within an e-mail or on a web page.

BugNet informed Hotmail of the vulnerability and included sample code. To date we have not received any feedback. Until Hotmail changes it’s security mechanism, the only fix is to update IE to versions 5.1 with Service Pack 1, or to upgrade IE to version 5.5. Both of these are freely downloadable from Microsoft’s site. Stay tuned for more information as it becomes available.

With the help of KeyLabs, BugNet was able to reproduce this bug that affects all Windows 2000 users. The vulnerability occurs because of a new authentication feature added to Windows 2000’s telnet.exe. The feature lets telnet automatically authenticate with NTLM-enabled telnet servers (i.e. Windows 2000 Telnet Servers). NTLM is the standard authentication used by Windows products. It uses a challenge/response mechanism to confirm a user’s identity without sending the password across the wire.

Telnet or not to telnet?

The problem is that NTLM authentication happens automatically and by default whenever telnet is launched. So if a malicious user could entice a victim into initiating a telnet session with a tricked server, then the malicious user could capture the victim’s authentication credentials. Capturing the credentials by itself does not put the victim’s computer at risk, nor does it allow the hacker to gain access to the victim’s computer. It does, however, give the hacker enough information to launch an off-line brute force attack aimed at ascertaining the plain-text password. Because this attack is handled off-line, the user and the system administrator are none the wiser, and the malicious user could take as much time as needed to get the password.

This begs the question, how might a malicious user entice a victim into establishing a remote telnet session? The answer is quite simple. Because pretty much all versions of Internet Explorer and Outlook will launch telnet when they encounter “telnet://hostname” in a carefully constructed HTML reference, the malicious user would only have to create a reference on a web page or in an e-mail message. The referenced command could be as simple as:

<meta http-equiv=”refresh” content=”0;URL=telnet://hostname”>

Or, if you prefer JavaScript:

<script>window.open(”telnet://target”)</script>

Despite the insidiousness of this vulnerability, there are some simple solutions. First, you can install the Microsoft patch. The fix is small and makes for a quick download. Install the patch by running the downloaded executable. No other user intervention is required, except for the mandatory system restart. So when installing the patch on a server, wait until restarting the server will have the least impact on the users.

Unlike Windows 9x and Windows NT, Windows 2000 is the only version that has this problem. Once installed, the patch will warn the user whenever telnet tries to authenticate outside the “Trusted sites” or the “Local Intranet” zones. The warning reads like this: “You are about send your password information to a remote computer in the Internet zone. This might be unsafe. Do you want to send anyway(y/n):”

The second method for protecting a Windows 2000 system running telnet.exe involves disabling NTLM authentication on the telnet client. A Microsoft security bulletin on this vulnerability explains how to disable all NTLM telnet authentications. Issuing the command “unset ntlm” from the telnet command line will prevent telnet from automatically authenticating via NTLM. To check the status of telnet authentication, enter the command “display” from the telnet command prompt. If the “Not Auth (NTLM)” is displayed, then Microsoft’s challenge/response is turned off.

Telnet has been around for a while. With some companies, telnet is the primary tool for managing network devices like servers and routers. Based on our test, BugNet recommends that all Windows 2000 users consider installing this patch.

Telnet and Remote Execution

Our testing revealed that the problem is a buffer overflow caused by a string manipulation with NULL characters. In other words, by introducing approximately 1000 null characters, the REXEC daemon crashes. Buffer overflows are typically caused a user trying to cram more data into a program buffer than the developer originally anticipated. Doing this can have varying effects. But in most cases the buffer overflow causes the vulnerable program to crash. At best, this bug is an inconvenience for the already-harried network administrator who would be required to restart the service. At worst, a buffer overflow could make the server crash, causing a loss of data and service.

In order for the vulnerability in Pragma’s Telnet Server to be exploited, a malicious user would establish a telnet session. After logging in, this user would then copy the offending code to the server. Once this happens, the next user to log in would kill the telnet server process.

Historical Perspective

The same problem was found in a previous incarnation of Pragma’s telnet server, TelnetD, build 4. In July 2000, this problem was corrected with the release of build 8. Pragma assures us that it has taken steps to prevent this problem from reoccurring in future releases.

It is refreshing when a company proactively notifies BugNet of a problem and how they are handling the situation. On September 1, 2000, Pragma notified BugNet of this DoS problem, which was found earlier that week. Since then, Pragma has been working on a patch that was release just days ago.

BugNet, with the help of KeyLabs, was able to validate the 6MB patch using sample exploiting code provided by USSRBack. The Telnet Server, build 2 upgrade is available to registered users. Contact Pragma if your system is affected.

Do: Script the client installation and use application launcher to automatically push the client install to the desktop. Groupware client installations have several questions that affect the installed settings. Your users don’t need to answer those questions (or bother you with questions about how to answer them) if you script the install to do the work for them.?

Don’t: Don’t try to do too much at one time. Use a phased approach — especially in a large environment. Roll-out to one post office or one department at a time. That way if issues are reported, only one group of people is affected and problems can be corrected before the next group receives the product.

Do: Have a rollback plan. This suggestion applies if you are upgrading or changing from one system to another. If something during the implementation doesn’t work out, you need to have a way to restore the previous service until you are ready to try again. Notify users in advance so they will be prepared in the event a problem.

Don’t: Don’t use any compression provided by the file system storing the data. This might seem obvious, but many people overlook this concept. Most groupware systems have built in compression tools. Using an additional form of compression is a quick way to corrupt databases. Look for other file system settings that may interfere with the groupware system such as NetWare’s Transaction Tracking System (TTS). Novell recommends that TTS be turned off for groupware systems. Other groupware systems and other networking platforms will have similar suggestions that will prevent data problems down the road if they are addressed at the time of implementation.

Do: Use client/server configuration. Some groupware systems give you the option of using client/server and some require it. Having the server do most of the work is fast, reliable, and safe for databases. Fewer hands in the database mean fewer chances for corruption. With client/server functionality, access to critical data is controlled.

Picture
It! 2000Microsoft says in Picture It! 2000 the steps for “Create a new folder”
in the Catalog Help topic aren’t accurate. An existing folder can be
cataloged, but creating a new folder in the Picture It! 2000 catalog
isn’t possible.

Norton Internet Security 2000

Your user NetBIOS name may be available on your Internet Service Provider’s network,
unless the workaround provided is applied to Symantec Norton Internet Security 2000 (for all supported
platforms).

QuickBooks

2000Before upgrading to Windows 2000, rename the Intuit QuickBooks 2000 QBCONV32.DLL file.
Unless you rename it, the Windows 2000 Readiness Analyzer can’t complete
the install on a Windows 95 or 98 system. Once the install is complete,
you’ll have to rename the file back to qbconv32.dll to keep QuickBooks
happy.

Internet
Explorer 5Without write
permissions to an FTP site, when a program makes that second FtpOpenFile
function call to a file on a File Transfer Protocol (FTP) server, Microsoft
Internet Explorer 5 for Windows 95, 98, and NT 4.0 may hang. Microsoft
has a fix, but at the time of this writing, it wasn’t fully regression
tested. Therefore, they suggest applying it only if the problem causes
major difficulties. For the fix, head over to Microsoft Product Support.
Services

WinFax
PRO 10Across all
supported platforms, once Microsoft Word 2000 is shut down, WinFax PRO
10.0 may generate this message, says Symantec: “Changes have been
made that affect the global template, Normal.dot. do you want to save
those changes?” At the time of this writing a solid fix wasn’t
available, but a workaround which entails disabling the Save prompt
from appearing in Microsoft Word 2000 .

Combat
Flight SimulatorDo you have
an AGP video adapter installed on your Windows system, and does Combat
Flight Simulator hang within the first five minutes of play time? If
so, Microsoft says, the problem is the AGP adapter.

where you’ll find the latest
Internet Explorer 5.01 Service Pack for Windows 95, 98, 98, NT 4.0,
and 2000. It fixes the vulnerability that allows a Web site to retrieve
cookies that weren’t created by that Web site from your computer, says
Microsoft.

Norton
AntiVirus 2000Beware the
witching hour! If Symantec Norton AntiVirus 2000 for Windows 95 or 98
is installed, and Auto-Protect is enabled, the chances that your system
may come to a screeching halt on any given day at 11:59 P.M. are good.
Doing a Ctrl+Alt+Del maneuver to open the Close Program box, generates
the error, “Msgsrv32.exe (Not responding)”, requiring a reboot.
Symantec Technical Support was alerted of this glitch after the June
16, 2000 and June 19, 2000 virus release definitions. Since then, new
definitions that resolve the problem have been posted to Symantec’s
LiveUpdate. Look for a date after 10 P.M. PST, June 21, 2000 or later
to eliminate any chance of a recurrence.

Norton
Ghost 2000 Personal EditionThe error
message, “(15173) FAT32 detected but not assigned to MBR”,
may display in Symantec Ghost 2000 Personal for Windows 95 and 98 when
users select a drive to create an image, to clone directly, or to check
the drive integrity with Ghost. The fix: Run any disk utility — if
errors exist, they’ll be repaired.

Internet
Explorer 5.5Currently
the Autocomplete feature on the address bar in Internet Explorer 5.5
for Windows 95, 98, 98 SE, and NT 4.0, doesn’t complete a LOCAL intranet
URL. However, the feature does prompt users with possible URLs when
an Internet URL is entered. For now, users will have to type the entire
intranet URL to work around this flub.

Internet
Explorer 5.5To add a
component to Microsoft Internet Explorer (IE) 5.5 in Windows 2000, the
approved method is to use the Add/Remove tool located in the Control
Panel. But in IE 5.5, the Add component may be missing if the browser
was downloaded in Windows 2000. Apparently, this curious behavior is
by design, and the additional components are available at the Windows

WindowsMicrosoft
says visiting a Web page containing a JavaScript Uniform Resource Locator
(URL) in an IMG (image) tag could create the perfect set of conditions
for a malicious web site operator to view files on an unsuspecting user’s
system. To get a handle on this vulnerability, head over toInternet
Explorer 5An “ImportExportFavorites”
vulnerability rears its ugly head in Microsoft Internet Explorer (IE)
5 for these operating systems only: Windows 95, 98, and NT 4.0. In this
case, a malicious Web site operator has an opportunity to take any action
on the computer that the user would be capable of taking. Disabling
Active Scripting in IE 5 puts the kibosh on any attempts by unwelcome
visitors.

To your good fortune, and
our bad, Windows 2000 Service Pack 1 appears to have rolled out smoothly.
The only exception seems to have been the problem with two firewall
devices, ZoneLabs ZoneAlarm, and Network Ice BlackICE Defender. After
installing SP 1, ZoneAlarm users were unable to connect via TCP/IP,
which crippled Internet and many network connections. Users of BlackICE
found their system unprotected. Follow the links below for the full
details on these two problems, and on how to get their fixes.

Both these problems were
fixed rather quickly. Last minute changes to Microsoft’s Software
Development Kit may have partly been the cause of these problems.
The problem was also thoroughly dissected in the Microsoft.public.win2000.general
newsgroup, with Microsoft bashers and defenders having a good time.
Since lots of that talk is unsubstantiated (but fun) we will let you
check that out on your own.

Service Pack 1 is a collection
of bug fixes. Most important, it includes 17 security hot fixes that
Microsoft has released this year. If you haven’t been diligent applying
your security patches, SP 1 is a fast way to catch up. There are also
many other bug fixes included. You can find the details on many of
those in the BugNet database.

Update Your Recovery
Console

One important troubleshooting
feature of Windows 2000 is the Recovery Console. It is an alternative
way to log on to a computer that won’t boot, giving you access to
the Command Prompt and a number of DOS-like utilities for making repairs
to a computer. It’s loosely equivalent of booting straight to DOS
on an older generation Windows computer. These utility files are housed
by default in your system drive’s \Cmdcons folder.

Microsoft points out that
upgrading to Service Pack 1 does not update this folder. The only
way to update your Recovery Console is to re-run the command that
created it in the first place:

winnt32.exe
/cmdcons

• Either on your computer,
  or on a network distribution share, create a new folder, such as \win2kint.
• Take your original Windows
  2000 CD-ROM, and copy all the contents to the \win2kint folder. You
  can do this by clicking and dragging via Windows Explorer, or any
  other way you would normally copy files.
• Next you need to put
  your Service Pack CD into your drive, and run Update.exe in slipstream
  mode. You can do it with this command: d:\i386\update\update.exe
  /s:c:\win2kint
  d: would be the drive letter for your CD-ROM, and c: would
  be the drive where you created the folder in step 1.
  
• Now go to your newly integrated
  folder, and run winnt32.exe/ cmdcons

• Click
  Start, Run
• Type

  cmd

  in the dialog, and click OK.

• At the
  command prompt, change your directory to \%systemroot%\$NtServicePackUninstall$\spuninst\
  
• Give this
  command

  spuninst.exe

• Later,
  you can close the Command Prompt window by typing Exit