Netscape Navigator users were able to chuckle as they read about the large number of security problems that have recently surfaced with Microsoft products. However, now it’s their turn to worry about a security hole.

BugNet has verified, using KeyLabs, reports of a potentially serious security hole for people who use Netscape Navigator. The problem exists in Netscape’s Java Virtual Machine, which runs Java applets found on web pages, and was reported by security researcher Dan Brumleve. The exploit could be used to reverse normal browsing – files could be sent from your computer to the web site.

A web site operator could take advantage of this vulnerability to run code on a web surfer’s computer. This code would act as a file server, and could be used to offer up files from the surfer’s hard drive back to the web site. The code itself could be activated without the knowledge of the web browser. BugNet’s tests show that versions of Netscape running on Windows 95, Windows 98, and Windows 2000 are affected. The vulnerability can also be extended so that it can be used against people running Netscape on Macintosh and UNIX computers. BugNet has also gotten the exploit to work on Netscape for Linux, but only if the Linux user is surfing the web while logged in as “root”. Linux security gurus advise against that particular practice.

Normally, Java programs downloaded from the Internet run on your local computer in a “sandbox”. The program’s actions typically would not be allowed to extend beyond this sandbox, which makes the files on your hard drive off limits. Brumleve’s exploit manages to circumvent this restriction, which can give a hacker free reign on your system. Since many people have sensitive information stored in fairly standard locations on their hard drives (such as Quicken, TurboTax, or Microsoft Money files), the hacker could have many tempting targets. Even after you left the offending web page, the exploit would continue to run, staying active until Netscape Navigator is closed.

The Netscape Security Site, listed below, has not yet posted any fix. As a workaround, any Netscape user can disable Java on their machine. Do this by clicking Edit, Preferences. Click Advanced, and then uncheck Enable Java. Doing this may disable some features on web sites you visit, but will keep anyone from exploiting this particular security hole.

Last week, BugNet reported an incompatibility between Windows 2000 Service Pack 1 and ZoneAlarm. After more testing with KeyLabs, BugNet was able to identify another personal firewall product that fell victim to Microsoft’s update for Windows 2000. BlackICE Defender users were surprised to find their TCP/IP filtering down for the count after installing SP1. Fortunately, Network ICE was quick to release a patched version that eliminates the SP1 incompatibility.

BlackICE and their competitor, ZoneAlarm, attack the problem of personal Internet safety from different perspectives. Where the ZoneAlarm/SP1 combination killed applications’ ability to access the Internet, the BlackICE/SP1 combination actually disabled filtering, leaving your system unprotected. In other words, BlackICE users were still able to access Internet resources. The only change was that filtering was disabled.
To blame for the BlackICE incompatibility is a last minute change in the Microsoft Windows 2000 SDK. According to John Myung, technical marketing manager for Network ICE, Microsoft released an updated Software Developers Kit (SDK) at about the same they released SP1. Given the timeframe, Network ICE was unable to fully test the effects of the new Application Program Interfaces (APIs). However, after being notified of the problem, Network ICE was able to turn around a patch in short order.

The BlackICE Defender patch is available from Network ICE’s web site. The update works on all platforms, including Windows 95/98, though the SP1 incompatibility is only evident on Windows 2000. Installing the patch is uneventful. Simply download the patch and run the executable. Given the simplicity of installing the patch and the potential for loss, we recommend this patch for all BlackICE installations.

For many people, the axiom, “If it ain’t broke, don’t fix it”, is their modus operandi. With so many other things to worry about, updating a browser that seems to be working fine just isn’t a high priority. However, a recently discovered security bug in Hotmail may serve as a wakeup call to all Internet Explorer 4.x and 5.0 users. BugNet has verified a security vulnerability that would allow a malicious user to usurp control of someone else’s Hotmail account, allowing the hacker to read and to send e-mail from that account. Because this security hole can be thwarted by upgrading IE, we recommend that all Hotmail users verify that they are running the most current version of the Microsoft browser.?

With testing provided by KeyLabs, BugNet was able to verify this Hotmail vulnerability reported by an Internet developer in Denizli, Turkey. Alp Sinan, an e-commerce and security consultant, supplied demonstration code that allowed us to gain access to test e-mail accounts on the Hotmail server. The exploit involves using a previously reported security hole in IE (”Unauthorized Cookie Access”) to steal an unsuspecting user’s Hotmail cookie. That cookie is then used to authenticate the malicious user to the victim’s Hotmail account.

While newer versions of IE prevent a hacker from stealing cookies, there are still a lot of Internet users that use the default browser that came with the Windows 95 and Windows 98. For many, the size of the download has prevented them from upgrading over a dialup connection.

Since Microsoft has issued Service Packs and Upgrades for the “Unauthorized Cookie Access” bug, this leaves the rest of the blame with Hotmail for their lax security and authentication procedures. Hotmail’s authentication is built on session cookies. When a user logs in, Hotmail sends the user an encoded cookie that the browser uses to authenticate with the Hotmail server throughout the life of the Hotmail session. If the user can be tricked into sending this session cookie to a hacker, then the hacker could also gain access to the victim’s account. The hacker might do this by enticing the user to click on a carefully constructed Internet link within an e-mail or on a web page.

BugNet informed Hotmail of the vulnerability and included sample code. To date we have not received any feedback. Until Hotmail changes it’s security mechanism, the only fix is to update IE to versions 5.1 with Service Pack 1, or to upgrade IE to version 5.5. Both of these are freely downloadable from Microsoft’s site. Stay tuned for more information as it becomes available.

Telnet and Remote Execution

Our testing revealed that the problem is a buffer overflow caused by a string manipulation with NULL characters. In other words, by introducing approximately 1000 null characters, the REXEC daemon crashes. Buffer overflows are typically caused a user trying to cram more data into a program buffer than the developer originally anticipated. Doing this can have varying effects. But in most cases the buffer overflow causes the vulnerable program to crash. At best, this bug is an inconvenience for the already-harried network administrator who would be required to restart the service. At worst, a buffer overflow could make the server crash, causing a loss of data and service.

In order for the vulnerability in Pragma’s Telnet Server to be exploited, a malicious user would establish a telnet session. After logging in, this user would then copy the offending code to the server. Once this happens, the next user to log in would kill the telnet server process.

Historical Perspective

The same problem was found in a previous incarnation of Pragma’s telnet server, TelnetD, build 4. In July 2000, this problem was corrected with the release of build 8. Pragma assures us that it has taken steps to prevent this problem from reoccurring in future releases.

It is refreshing when a company proactively notifies BugNet of a problem and how they are handling the situation. On September 1, 2000, Pragma notified BugNet of this DoS problem, which was found earlier that week. Since then, Pragma has been working on a patch that was release just days ago.

BugNet, with the help of KeyLabs, was able to validate the 6MB patch using sample exploiting code provided by USSRBack. The Telnet Server, build 2 upgrade is available to registered users. Contact Pragma if your system is affected.

ADOBE
FrameMaker 6
Point your browser to http://til.info.apple.com/techinfo.nsf/artnum/n5809 to find out whether or not your Macintosh computer supports the Energy Saver control panel. If it doesn’t, don’t try running Adobe FrameMaker 6.0, otherwise this message may pop up: “The application ‘FrameMaker 6.0′ could not be opened because ‘PowerMgrLib’ could not be found”. The fact of the matter: FrameMaker 6.0 doesn’t run on any Macintosh that doesn’t support the Energy Saver control panel feature.

APPLE
iMac
If you have an Apple iMac or Power Mac G4 Cube with a slot loading CD-ROM or DVD drive, you can only use standard-sized round disks. You should not try to insert smaller disks or odd-sized disks into these types of drives.

CALDERA SYSTEMS
OpenLinux eDesktop 2.4
Caldera reports that there is a vulnerability in the way sperl interacts with /bin/mail that can be exploited by any local user to gain root access. This vulnerability exists in OpenLinux eServer, eBuilder 2.3, and eDesktop 2.4. Desktop 2.3 is not vulnerable. Caldera recommends upgrading immediately.

DEBIAN
GNU/Linux 2.2
Debian reports that the Netscape Communicator shipped with all recent versions of GNU/Linux has a couple of security holes, one in the jpeg handling portion and the other in the java virtual machine. All users of GNU/Linux and Netscape Communicator are encouraged to upgrade Communicator. Debian deb packages are available for all platforms from the following URL: http://www.debian.org/security/2000/20000901.

DEBIAN
GNU/Linux 2.2
A root exploit has been found in sysklogd. Debian notes that this exploit affects both 2.1 and 2.2. Update packages are available here: http://www.debian.org/security/2000/20000919.

IBM
ThinkPad A20p
If you want to upgrade to Windows ME on your IBM ThinkPad A20, there is a BIOS upgrade for you. Go to http://www.pc.ibm.com/qtechinfo/MIGR-4MNN8Y.html to get BIOS update 1.02, with a release date of 8/16/2000.

INTERACT COMMERCE
ACT! 2000 – PC
Be forewarned! Updating to Act! 2000 5.0.2.353 may not display e-mail attachments in the inbox, and may be missing when the message is opened, says Interact Commerce. A fix wasn’t available at the time of this writing, but a couple of solid workarounds are worth trying.

INTUIT
Quicken 2001
Intuit says the import of Quicken for Macintosh data into Quicken 98, 99, 2000, and 2001 may deliver an “Invalid QIF” message if the process is stopped by an unrecognized or damaged group of transactions. Complete workaround details are posted at http://www.intuit.com/support/quicken/faqs/mac3/2576.html.

INTUIT
QuickPayroll
This error may pop up during the installation routine of the patch update in Intuit QuickPayroll if the settings in the SYSTEM.INI file aren’t right: “ptchinst cause a gpf in mmsystem.dll @ 000a:00000032″. Examples of incorrect settings, plus workarounds for Windows 95 and 98 are posted at http://www.intuit.com/support/quickpayroll/faqs/1134.html.

LOTUS
Notes
In Lotus Notes 5 if you went to your Calendar view and deleted a canceled or expired meeting, a “Decline” notice would be sent to the other participants. This has been fixed in the Notes Quarterly Maintenance Release 5.0.4a.

If you are a subscriber, read the alert here.

We at BugNet know that frustration with software glitches and hang-ups sometimes comes with having business and home computers and we’re glad to be recognized as the source for help.