The BugBlog -- December 2002

BugBlog

11/27	Sun Microsystems Solaris 2.5.1, 2.6, 7, 8, and 9 all have a security vulnerability due to a buffer overflow in the "X Window Font Service." This has been reported by Neel Mehta of the ISS X-Force in a security advisory on their web site, at http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541. They say that remote attackers may be able to use this to gain root access. They reported this to Sun on Oct 16; Sun confirmed it on the 17th; there was supposed to be a fix out by now. When a fix finally comes, it should be at http://sunsolve.sun.com . Not so fast -- the fix for the RealOne and REalPlayer security flaws, reported 111/26, may not be complete. NGSSoftware was able to beat the fix in certain ways, so it is back to the drawing board for Real.
11/26	Novell has released BorderManager Enterprise Edition 3.6 Support Pack 2A. This version of the support pack includes a number of bug fixes, especially in the way that configuration switches are set, and in ways to block HTTP content. Get the full list of issues and installation instructions at http://support.novell.com/servlet/tidfinder/2964147. Real RealOne and RealPlayer have three different security flaws, all related to buffer overflows, and all capable of being exploited by remote users. The flaws were originally found by NGSSoftware, who reported the problems to Real. There is a patch available at http://service.real.com/help/faq/security/bufferoverrun_player.html. You can also use the programs themselves to check for updates.
11/25	Adobe says that if you use their Premiere for the Mac OS to render sequences, they may not be recognized by Windows computers. According to Adobe, it is the format of the sequence files, such as TIFF or Targa, that is the problem. There are two workarounds. The first is to use a Windows computer to render the files for the Windows platform. The second workaround is not to use the three letter filename extension in the Export Movie dialog box. Later, use Applescript or some third-party program to rename the files with the correct extension. For more details, see Adobe's explanation at http://www.adobe.com/support/techdocs/1c9be.htm. Microsoft seems to have made some jumps in their numbering schemes in their online Knowledge Base, judging by the MSKB number of this next item: Microsoft says you may see this error message on Windows 2000 Professional, Server, or Advanced Server, all running with Service Pack 3. Either when logging on to the computer, or while backing up a registry hive, you may see: Stop 0x00000051 REGISTRY ERROR. Microsoft has a hotfix, if you are getting this error. (If you are not getting it, you should wait for the next service pack.) To get it, contact Microsoft Technical Support and ask for the hotfix described in Knowledge Base article 810558. Note that there may be a charge for this call. Macromedia points out that their ColdFusion or ColdFusion MX Servers may run on a Microsoft Windows platform, and thus may be vulnerable to the Microsoft MDAC software bug that Microsoft announced on November 20. To make sure that ColdFusion isn't made vulnerable, you have to install Microsoft's update (I guess one could also switch to a Linux server and run ColdFusion on that.)
11/22	Microsoft has issued an update for Microsoft Data Access Components. While almost no one uses DAC directly, it is an underlying technology that is used in many Microsoft components. In particular, if you browse the web or read e-mail using Windows 98, 98 SE, ME, or 2000, you are vulnerable. Also, any computers that host a web site with Microsoft Internet Information Server is vulnerable. The problem is a buffer overrun that may allow an attacker to run their own code on a vulnerable computer. Either use Windows Update to get the patch, or go to http://www.microsoft.com/downloads/Release.asp?ReleaseID=44733. Foundstone Research Labs gets credit for finding the bug. Red Hat says there is a new samba package for Red Hat Linux 7.3 and 8.0. This package plugs a security leak that may allow an outsider to gain root access. Links to the updates are at https://rhn.redhat.com/errata/RHSA-2002-266.html. Cisco says their PIX firewall has two bugs. Both may allow attackers to breach security and establish connections through the PIX firewall. The affected versions are 5.2.8 and earlier; 6.0.3 and earlier; 6.1.3 and earlier; 6.2.1 and earlier. Cisco says there are no workarounds, but a free upgrade fixes the bugs. Go to http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml for information on the upgrade and more details. While this seems like a repeat, it is fresh. A new cumulative security patch for Microsoft Internet Explorer 5.01, 5.5, and 6.0 is available. It takes care of all the previous security problems with IE, along with six new bugs since the last cumulative patch was issued. You can get the new patch via Windows Update. If you want the details on the bugs found, see http://www.microsoft.com/security/security_bulletins/ms02-066.asp.
11/20	Sun Microsystems says that the zlib compression library bug that has been reported by CERT affects many different versions of Sun's Java Runtime Environment. This affects other packages that use the Sun JRE, including Netscape 7 for Linux and Netscape 6 for Linux and Windows. Affected versions for Windows are SDK and JRE 1.4.0; SDK and JRE 1.3.1_03 or earlier; SDK and JRE 1.3.0_05 or earlier; SDK and JRE 1.2.2_011 or earlier; JDK and JRE 1.1.8_009 or earlier. Solaris versions affected are SDK and JRE 1.2.2_011 or earlier; JDK and JRE 1.1.8_009 or earlier; SDK and JRE 1.4.0; SDK and JRE 1.3.1_03 or earlier; SDK and JRE 1.3.0_05 or earlier; SDK and JRE 1.2.2_11 or earlier; JDK and JRE 1.1.8_15 or earlier. Affected Linux versions are SDK and JRE 1.4.0; SDK and JRE 1.3.1_03 or earlier; SDK and JRE 1.3.0_05 or earlier; SDK and JRE 1.2.2_011 or earlier. To fix this bug, download the latest JRE from Sun at http://java.sun.com/. Note that if you got use the Microsoft Runtime Environment instead, you are not affected. MandrakeSoft says there is a memory leak in the ypserv 2.5 package, as well as earlier versions. This is distributed with Mandrake Linux 7.2, 8.0, 8.0/PPC, 8.1, 8.1/IA64, 8.2, 8.2/PPC, and 9.0. Since it is possible to trigger this leak remotely, it could lead to a denial of service attack. Links to the update, and file signatures, are at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:078. You can also update automatically via MandrakeUpdate.
11/19	Hope they've installed the service packs! Slate, owned by Microsoft, is running a series of articles by Mark Mazzetti, a U.S. News and World Reports reporter who is attending a "media boot camp" to prepare reporters to cover a possible Iraq war. In his first article, he reports that the computers that control Tomahawk cruise missles run on Windows NT. Microsoft is still solving some Y2K problems in Y2K+2. Their Microsoft Virtual Machine (their version of Java), when accepting dates from users, might have problems with a few dates. They say that 1/1/2000 may show up as the year 3900, while if you want to get the year 2000, you would enter 1/1/100, or 1/1/00. To fix this, download the latest Virtual Machine at http://www.microsoft.com/java. (Combining these last two items - do you think Saddam feels better or worse?) On 11/13 the BugBlog noted security problems with ISC BIND. According to a roundup at CERT, these vendors or products will have their own security problems because of it: Conectiva, Debian GNU/Linux, IBM AIX, Linux-Mandrake 7.2 and Single Network Firewall 7.2, Red Hat Linux 6.2 and 7.0, Sun Microsystems Solaris 2.6, 7,8, and 9. For more details and links to each vendor, see http://www.cert.org/advisories/CA-2002-31.html .
11/18	Novell has a new DHCP module for NetWare 5.1 and 6. It fixes a bug that caused a CPU hog abend and NAK problems with stubnets. The new version is in dhcp312a.exe at http://support.novell.com/servlet/tidfinder/2964267. On 11/13 the BugBlog noted security problems with ISC BIND. According to a roundup at CERT, these vendors or products will have their own security problems because of it: Conectiva, Debian GNU/Linux, IBM AIX, Linux-Mandrake 7.2 and Single Network Firewall 7.2, Red Hat Linux 6.2 and 7.0, Sun Microsystems Solaris 2.6, 7,8, and 9. For more details and links to each vendor, see http://www.cert.org/advisories/CA-2002-31.html.
11/15	Compaq has a new CPQFlash utility for their Evo N800v, N800c and Presario 2800s. It fixes a problem with LG 15" SXGA+ L50E02 panel displays where an image might not be centered even if you are in center mode. Get the update in SoftPaq SP22703 at ftp://ftp.compaq.com/pub/softpaq/sp22501-23000/sp22703.exe. More fixes in the Apple Mac OS X 10.2.2 update. The bug fixed with the most serious consequences is one that might trigger data loss if you were copying a file using AFP and that filename ends with characters that may resemble a hexadecimal number, such as #02. It also fixes the bug that would cause this error message error -36 when files are copied to an iDisk.
11/14	Novell released an updated WM.EXE file for their Novell Client 4.81 for Windows 2000/NT. The new file plugs up multiple memory leaks. You can get the file from http://support.novell.com/servlet/tidfinder/2960616. Microsoft says that Windows NT Server 4.0 and Workstation 4.0, running with any Service Packs between 1 and 6a, may report the wrong ownership of documents in the print queue. Documents may be reported to be owned by ANONYMOUS LOGON when they aren't. Microsoft has a fix available, but you have to contact Microsoft Technical Support to get it, which means there's a chance they may charge you for the call. Ask for the fix described in Knowledge Base article 323909. More details and some workaround information are at http://support.microsoft.com/?kbid=323909.
11/13	The Internet Software Consortium (ISC) has an alert about a number of new bugs in BIND. Attackers may be able to trigger denial of service attacks, or run their own code against servers. ISC says to upgrade to their BIND 9.2.1. In any event, check out their explanation at http://www.isc.org/products/BIND/bind-security.html. Some bugs bite, some bugs sting. This is a bug that shocks -- Kodak is recalling the DC5000 Zoom Digital Camera because of the possibility of electrical shock. You need to register to get a pre-paid mailer to send it pack to Kodak for free inspection and repair. Get this at http://www.kodak.com/global/mul/digital/cameras/dc5000/recall/ countryPicker.jhtml.
11/12	Apple has released the Mac OS X 10.2.2 Update. A number of its fixes are for digital media issues, including these: you may not be able to remount a CD ejected by mistake, which might prevent applications using this disk from quitting; enhanced CDs may not have their data and audio sessions appearing as expected on the desktop; color-sync problems with third-party displays. In addition to fixing these issues, compatibility problems with these devices have been fixed: LaCie d2 48x24x48x, Sony CRX-820E, Toshiba SD-R2212 and SD-R1202, Pioneer DVR-105, and Yamaha CDW-F1 44x24x44x models. When running Windows NT Server 4.0 Terminal Server Edition with Service Pack 6, you may get an occasional blue screen of death with this error message: 0x50 Microsoft has released a hotfix for this. It's not available for download. Instead, you need to contact Microsoft Technical Support to ask them for the fix described in Knowledge Base article 325913. Be aware that they might charge you for this call.
11/11	Novell has a new ZENworks for Desktops (ZfD) 3.2 Service Pack 1 Client Update. Novell says that if it is installed, it has the latest versions of some files that are also in Novell Client 3.31, 3.32, 3.32 SP1, 4.81, 4.82, 4.83, and 4.83 SP1. If any of these clients are installed after the ZENworks update, the older files will overwrite the new ones. Novell says to make sure the ZENworks update gets installed last. At this point, that's the only way to keep things up-to-date. Macromedia says that if users follow the installation instructions that come with their ColdFusion MX web server, and additional web servers are configured, a security breach is possible. It will only happen if the web server is running and ColdFusion MX isn't running, and it may disclose CFML source code. Only one web server configured? Don't worry about it. More than one? Check out Macromedia's security advisory at http://www.macromedia.com/v1/handlers/index.cfm?ID=23499.
11/7	Wireless connections have more quirks and bugs than wired connections. Need proof? Check out this story in The Register, of a Norweigen man who had the output from his Hewlett Packard wireless keyboard show up on a neighbor's computer almost 150 meters away. The story is at http://www.theregister.co.uk/content/54/27971.html. Sun ONE Synchronization 1.1 will synchronize data between the Sun ONE Calendar Server 5.1.1 and some PIMs and some PDAs. The list of supported ones are: Microsoft Outlook 98/2000; Palm Desktop 3.x/4.0; Palm OS Mobile Devices; Windows CE 2.0/3.x Mobile Devices. Guess I can't hold out hope for my Lotus Organizer file. While Sun ONE Synchronization 1.1 is supposed to let you synchronize between a Sun ONE Calendar Server 5.1.1 and Windows desktop PIMs and a PDA, Sun Microsystems does point out the following problems: It won't sync contact information from Microsoft Outlook to a Palm device; it won't sync tasks between Calendar Server and a Palm; it messes up when synchronizing recurring tasks whose start dates and due dates are in the future; it doesn't handle time zones correctly; and all-day events on the Calendar Server may show up a day earlier on the other device. There are more problems, these are just the highlights. The full list is at http://docs.sun.com/source/816-6470-10/index.html.
11/6	If both Roxio Easy CD Creator 5.1 and Norton Anti-Virus 2002 are installed on a Windows XP Home/Professional computer, auto-play of both audio CDs or data CDs may not work correctly. Microsoft says this is because of "consistency problems." This has been fixed in Windows XP Service Pack 1. If Adobe Acrobat 5.05 is running on a Windows computer with the Windows' Daylight Savings Time option turned on, then digital signatures in the Signature's palette may show up with the wrong time zone. The signature actually does have the correct information. The workaround is to turn off Windows XP's DST option. For details on how to do this for different versions of Windows, see http://www.adobe.com/support/techdocs/2df72.htm?code=TA.
11/5	Oracle says that the Oracle 9i Database Server has a buffer overflow in iSQL*Plus. A remote user may be able to mount an attack via a USERID parameter. Oracle has patched this flaw (there is no workaround.) Go to http://metalink.oracle.com and click the Patches button. Look for the patch to Bug Number 2581911. Opening a PDF document in either Adobe Acrobat or the Acrobat Reader may generate these twin error messages: "Unable to find the colorspace named CS[2, 5, 6, 8, or 9]." "This file contains information not understood by the viewer." According to Adobe, this is most likely caused by incompatibilities between versions of Acrobat. Most likely, the version of Acrobat Distiller used to create the document is newer than the version used to read it. The most obvious workaround is to upgrade to the newer version of Acrobat to read the document. Another workaround is to re-create the document, only set the compatibility standards for the older versions. Details on this are at http://www.adobe.com/support/techdocs/2e056.htm?code=TA.
11/4	Cisco says their Cisco ONS15454 optical transport platform and the Cisco ONS15327 edge optical transport platform have multiple (at least six) security problems. The affected software versions are Cisco ONS 3.4 and earlier. The vulnerabilities may cause weakness in the username and passwords, and may allow denial of service attacks. For full details, and update information, see http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml. When using Corel WordPerfect Office 2002 on a Windows XP computer, the applications may not start up when using a limited user account instead of an administrator account. This has been fixed in Service Pack 3.
11/1	Apple says there is a very rare bug that might prevent built-in modems on Mac OS X 10.2- 10.2.1 platforms from dialing up. You know you've been hit by this bug if you get this error message: "Internet Connect could not open the communications device." The affected hardware includes: iBook (Late 2001); iBook (14.1 LCD); iBook (16 VRAM); iBook (14.1 LCD 16 VRAM); PowerBook G4 (Gigabit Ethernet); PowerBook G4 (DVI); iMac (Flat Panel); iMac (Flat Panel 17); eMac; PowerMac G4's: Dual 1GHz, Dual 1.25 GHz (Mirrored Drive Doors); PowerBook G3 Series: 233, 250, 292 MHz (Wallstreet). If your modem is working, Apple says not to worry. If you are getting this error message, then get the update from http://docs.info.apple.com/article.html?artnum=120157. Debian says that the bug that affects Kerberos 4 (bugblogged on October 25) also affects the heimdal package as well, which is in Debian GNU Linux 2.2. Updated packages that fix this are linked from http://www.debian.org/security/2002/dsa-185. This isn't a bug, but sloppy manufacturing. Microsoft TechNet is a subscription service that mails out monthly CDs that include the Microsoft Knowledge Base, Resource Guides, Service Packs, and the like. The problem is the November issue, which arrived yesterday. Seems they forgot to actually include all the reference material to CD 2, which contains the bulk of the material. An e-mail notice says a replacement disk will arrive shortly.