Rather than chopping the BugBlog up into weekly archives,
I'm going to try monthly archives instead. So all the January bugs
will remain on this page, and I'll slowly go back and combine the
past blog pages into monthly entries as well.
The BugBlog is free, but if you want to help support its existence, feel free
to make a donation via PayPal using the button at left. Better
yet, subscribe to the BugBlog Plus. A three-month
subscription is only $5.
|
| 1/31 |
Interested in Apple's iSync 1.0, but worried
about compatibility with existing devices? According to Apple, any
Palm OS devices that work with Palm Desktop 4.0 for Mac OS X will
work with iSync 1.0. In terms of Bluetooth devices, Apple says to
look for indications of iSync compatibility, but their bulletin doesn't
say how many there are. Find out more at
http://docs.info.apple.com/article.html?artnum=120152.

If you want to use Macromedia ColdFusion MX on a Microsoft Internet Information
Server box, with Windows NT Authentication and NTFS file permissions, you
need to do some extra configuration. According to Macromedia, you need
to configure IIS to check file permissions before the request gets sent
to ColdFusion MX. For details on how to do this, see
http://www.macromedia.com/v1/handlers/index.cfm?ID=23734.

If you have Novell Directory Services 8.x running on a NetWare 5.1 server,
Novell has an update waiting for you. It fixes a bug in DS.NLM that was
causing a -771 error during a schema check when the dib is locked. Get
ds883c.exe at http://support.novell.com/servlet/tidfinder/2964740.
|
| 1/30 |
The latest updates from Microsoft on
the Slammer worm are at
https://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp.
This points back to a lot of the
old security bulletins, plus some new stuff.
|
| 1/27 |
The worm that wreaked havoc on the Internet
this past weekend, which goes by the name of Sapphire Worm and SQL
Slammer, exploited an old bug in Microsoft SQL Server. Microsoft
released a fix for this bug in July 2002, and it was also fixed in
a SQL Server Service Pack. One problem is that some people may not
know they have SQL Server, and thus were vulnerable to the bug. These
other products have SQL Server, or some parts of it, inside and they
needed the patch too: Microsoft Data Engine 1.0; Microsoft Desktop
Engine 2000; Visual Studio .NET; ASP.NET; Web Matrix Tool; Office
XP Developer Edition; MSDN Universal and Enterprise subscriptions;
and Microsoft Access.

A humorous sidelight to the above story - according to this
story on CNET, apparently Microsoft itself didn't patch all their
servers, and got hit hard by the worm.
|
| 1/24 |
Microsoft's security team woke up from its holiday
nap and delivered the first three security bulletins of the year:

The first affects Windows NT 4.0 domain controllers or Windows 2000 domain
controllers, and Microsoft recommends immediately installing the patch
at http://www.microsoft.com/technet/security/bulletin/ms03-001.asp. The
patch should also be installed on Windows NT 4.0 (workstations and member
servers), Windows 2000 (workstations and member servers), and Windows XP.
If you don't patch, there is a chance that attackers may be able to run
their code on your system.

The second patch is a cumulative patch for Microsoft Content Management
Server. There is a cross-site scripting bug in one of the ASP pages that
may allow a bad guy to divert information intended for your site. This
patch is at http://download.microsoft.com/download/5/9/3/5936344a-480c-4343-bcea-b3f6aa25fa23/mcms2001srp2.exe.

The third bug from Microsoft that needs a fix is in Outlook 2002. There
is a bug in the way Outlook handles a V1 Exchange Server Security certificate,
and instead of sending an encrypted message, a message will go out in plain-text.
You can find the link to this patch, and more details, at
http://www.microsoft.com/technet/security/bulletin/ms03-003.asp.
|
| 1/22 |
Analog 5.31, the web site usage statistics program,
has a problem when running on a Macintosh OS X computer. It may crash
if DNS LOOKUP or DNS WRITE is specified. The only workaround at the
moment is to avoid doing those operations.

Analog 5.31 fixes the bug in the supplied build scripts for OpenVMS. In
Analog 5.30, these scripts didn't work.

Apache 2.0.44 is now out there. It is described by Apache.org as a security
and bug fix release. Two security bugs wiped out are the ones described
in CAN-2003-0016 and CAN-2003-0017, targeting Windows platforms. The former
allows denial of service attacks via MS-DOS device names, and the latter
may allow files to be stolen. There are many other fixes as well. Get the
update at http://httpd.apache.org/download.cgi.

If you are doing a big upgrade, from Apache 1.3, remember that the Apache
1.3 add-in modules aren't compatible with Apache 2.0 modules. Updates come
from whatever third party wrote the module, not from Apache.
|
| 1/20 |
A CERT bulletin points out a problem with the DHCP
implementation put out by the Internet Software Consortium (ISC).
A bug may allow attackers to run their own code on a target machine.
The ISC has fixed this in ISC DHCP 3.0pl2 and 3.0.1RC11. Other vendors
use this code too, so they have to deal with the bug:
BSD/OS fixes this in version M431-001 and M500-004 patches for the 4.3.1
and 5.0 versions of BSD/OS; Red Hat Linux 8 is vulnerable, and there is
a patch at http://rhn.redhat.com/errata/RHSA-2003-011.html;
SuSE Linux is working on a fix.

Novell says there may be a problem with their Password Synchronization
1.0 when used with the Active Directory Driver. If you go to the Driver
Parameters tab and set the Password Synchronization field to Yes, and then
specify Migrate into NDS, you would crash the driver. This has been fixed
in the file dradpasa.exe, which you can find at http://support.novell.com/servlet/tidfinder/2964717.
|
| 1/17 |
There is a patch for the US version of Civilization
III (not for the European version). There are some fixes in the online
multiplayer feature, some problems that were causing lagging, and
a fix for "player-drop" crashes. The latest version is
1.14f. Get it at http://www.civ3.com/support.cfm.

The newest update to Macromedia Dreamweaver MX, which is version 6.1, is
like all the previous ones in that it won't support the Unix file system
on a Macintosh OS X computer. Also, if you run the full installer, it will
reset all your configurations back to the default settings. On a Mac, if
the full version of Dreamweaver MX was installed in the same folder as
the trial version, the updater may think you are still running the trial
version, and will give this error message:

"The updater cannot update a trial version of Dreamweaver."

If that's the case, look for the file VSetupT and rename it VSetupT-Bak.
After that, run the update again.

What does get fixed in the Dreamweaver MX 6.1 update? Lots of stuff. One
fix involves a rare bug that may cause data loss or a file truncation when
doing a Get/Put. It also fixes a bug that may cause a file to be deleted
when someone tries to check out a file that has already been checked out.
The full list of fixes is at
http://www.macromedia.com/support/dreamweaver/releasenotes/mx/dwmx61_fixed.html
|
| 1/15 |
When using Windows 2000 Server or Advanced Server,
with either SP2 or SP3 installed, there may be this error message
when trying to log on from a terminal session:

Application Error: The
instruction at "0x77f8fe43" referenced memory at "0x00c50000".
The memory could not be "read". Click on OK to terminate
the program.

Microsoft has a fix that will be in the next Windows 2000 service pack.
If you need it sooner, contact Microsoft Technical Support and ask for
the hot-fix described in Knowledge Base article 33149. Microsoft may charge
you for this call.

Microsoft says that Windows XP Home/Professional users may get this blue
screen of death error message:

*** Fatal System Error: 0x000000C4
(0x00001003, 0xF7DE4F50, 0xA0C9AFE0, 0x809F6AE8). DRIVER_VERIFIER_DETECTED_VIOLATION
(c4)

although some of the parameters within the parentheses may be different.
This error is caused by a conflict between Symantec Norton Antivirus and
the Driver Verifier Deadlock Detection feature. As a workaround, turn off
Deadlock Detection. See http://support.microsoft.com/?kbid=325672 for
the details.

Red Hat has updated Ethereal packages for Red Hat Linux 7.2, 7.3, and 8.0.
Ethereal is a network traffic monitoring tool, and they found a number
of security bugs that may allow denial of service attacks. Update to Ethereal
0.9.8 from https://rhn.redhat.com/errata/RHSA-2002-290.html.
|
| 1/13 |
Try to install Novell ZenWorks for Desktops 3 on a
Novell 4.11 server, and the installation may hang while displaying
this message:

Determining if you have
proper file system and NDS rights to continue. Please wait

Novell has a fix for this. Download 255099.exe from http://support.novell.com/servlet/tidfinder/2958290.
That page also has the details on how to install the patch.

Novell has released Support Pack 1 for their Client 4.83. It includes new
versions of NWFS.SYS, NWDHCP.SYS, NWDNS.SYS, NWSAP.SYS and SRVLOC.SYS,
that stomp out a number of bugs. Download nt483pt4.exe from http://support.novell.com/servlet/tidfinder/2964434.
|
| 1/10 |
Macromedia has released a temporary patch for ColdFusion
MX Enterprise Edition, pending a full fix in a later version. If
you are using the product with Sandbox Security, and you are using
ColdFusion templates from untrusted sources, you may be at risk.
Get the patch, and more instructions, at http://www.macromedia.com/v1/handlers/index.cfm?ID=23638.

Foundstone Research Labs say they have found buffer overflow problems in
Winamp 2.81 and 3.0. Attackers may be able to use this overflow to send
bad data in MP3 files that will crash Winamp and possibly allow them to
run their own code. Updated versions of Winamp that fix this are now available
at http://www.winamp.com/.
|
| 1/9 |
Oracle says that the Oracle 9i Application Server
Release 2 9.0.2.0.0 has three security bugs. One flaw may allow the
disclosure of source code from Java Server Pages; one flaw was lax
default permissions; and one fault gave outsiders the ability to
see the contents of the WEB-INF folder. The first two are fixed in
Oracle9i Application Server Release 2 v. 9.0.2.0.1 for all platforms.
The third is fixed in 9.0.2.0.1 on NT, and is fixed in v. 9.0.3 for
Solaris and other Unix platforms. Matt Moore of Westpoint Ltd. gets
thanks from Oracle for finding the problems. See http://otn.oracle.com/deploy/security/pdf/2002alert47rev1.pdf for
more information.

The latest Linux kernel is out. The new version is 2.5.55. A summary of
the changelog for this version, and link to the full changelog, is at Linux
Today at http://linuxtoday.com/news_story.php3?ltsn=2003-01-09-011-26-NW-KN-DV.
|
| 1/8 |
After installing Service Pack 3, a Windows 2000 computer
may give this error message when starting:

User Interface Failure:
The Logon User Interface DLL msgina.dll failed to load.
Contact your system administrator to replace the DLL, or restore the original
DLL.

The problem, according to Microsoft, is that some DLLs are calling on the
Registry before that part of the Registry is initialized. Microsoft has
a fix, which will be in a future Windows 2000 Service Pack. If you need
the fix immediately, contact Microsoft Technical Support and ask for the
hot-fix described in Knowledge Base article 329316. You may have to pay
for this call.

Microsoft reports a log-on problem that affects all versions of Windows
2000, running under all service packs. The problem causes an access
violation the first time you log on to Windows 2000 if you are not
an administrator. Log on again, and the problem goes away. Tired of the
extra logons? Microsoft has a fix that will be in a future service pack.
It fixes some corruption in the internal Shell32.dll memory structure.
If you don't want to wait for the service pack, contact Microsoft and ask
for the hot-fix described in Knowledge Base article 329771. Note that you
may get charged for this call.
|
| 1/6 |
OK, I'm back to bug-blogging.

The ZoneAlarm Pro 3.5.169 update fixes some compatibility problems for
people using ZoneAlarm, Windows 98 and AOL. It also fixes a bug that caused
web filtering to be turned on for some people after upgrading to ZoneAlarm
3.5.166.

Cisco says that many of their products which support SSH (Secure Shell
Server) are vulnerable to a denial of service attack. The attack can be
mounted by the SSHredder test suite from Rapid7. Vulnerable products include:
Cisco Catalyst Switches running Cisco CatOS; Cisco VPN3000 series concentrators;
Cisco PIX Firewall; Cisco Secure Intrusion Detection System (NetRanger)
appliance; Cisco Secure Intrusion Detection System Catalyst Module; Cisco
SN5400 Series Storage Routers; CiscoWorks 1105 Wireless LAN Solution Engine
(WLSE); CiscoWorks 1105 Hosting Solution Engine (WLSE). Cisco is rolling
out fixes for the vulnerable products. Consult the listings at http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml to
see what's been fixed.

Novell has updated Windows scanners for ZENworks for Desktops 3.0. They
say that the fix is explicitly for German-based clients, but that the scanners
are intended for all versions of Windows. If you want the update, the file
is zd30scan.exe and it is at http://support.novell.com/servlet/tidfinder/2964613.
|