Internet Security Issues; Page 2




Safety Issues Associated With Being Online All The Time

If your machine is always connected to the Net, it gives hackers more opportunity for mayhem. Keep in mind that even if you want to stay online all the time, many ISPs knock you offline after 15 minutes or so of inactivity. But let's put aside the issue of being a Net hog for a moment. What you are really asking is: Are people with a constant connection to the Internet opening themselves up to hacking? The answer is yes. When you are on the Net, you're on a network, and in theory, anyone else on the network can try to gain access to your computer. That's why most corporations use firewall software to protect their internal networks from unauthorized access.

Home users are less at risk in general, because hackers just aren't very interested in the kinds of information people generally keep on their family computers. And most home users have dial-up Internet accounts with dynamic IP addresses. With this type of account, your ISP randomly assigns you an address from a pool it owns each time you log on. This provides you with limited protection, since hackers never know exactly where or when you're online.

If you have a static IP address -- one that's permanently assigned to you -- it's easier for people to find you. This is the type of connection most businesses have -- and the kind cable modems provide. Obviously, if your machine is always connected to the Net, it gives hackers more opportunity for mayhem.

Chat lines, ICQ, mIRC and online gaming:
Be aware that all of these things leave you vulnerable.



Warning; Websites Can Mess With Your System

Microsoft Security Bulletin (MS99-031):
Frequently Asked Questions

Malicious Java Applet may be able to Read, Write, or Delete Files on the Computer of a Web Site Visitor

What's this bulletin about?
Microsoft Security Bulletin MS99-031 announces the availability of a patch that eliminates a vulnerability in Microsoft VM. The vulnerability could allow a Java program on a web page to take virtually any action on the computer of a user who visited the page. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerabilities?
This is a privilege elevation vulnerability. A web-hosted Java program could take virtually any action against visitors to the web site: it could create, delete or modify files on the user's computer, reformat the hard drive, copy data to or from a web page, or take other desired action.

Are all Java programs affected by this vulnerability?
No. There are two general classes of Java programs: Java applications, which are hosted on a local machine and run like any other program, and Java applets, which are hosted on web sites and run when a web site visitor arrives at a particular page. Java applets are treated differently from Java applications. Because they are untrusted code, the virtual machine runs them in a "sandbox" that restricts what they are allowed to do. In general, the sandbox is designed to prevent a Java applet from making any changes to the data on the user's computer. The vulnerability at issue here involves the sandboxing function, and so affects only Java applets.

What's the vulnerability?
A scenario has been identified through which a Java applet could escape the sandbox and be able to perform normally-unauthorized functions on a user's computer. Exploiting the vulnerability would only be possible through a very carefully-managed series of steps, and could not happen accidentally. However, if a malicious web site operator hosted a Java applet that exploited this security vulnerability, it would be able to take virtually any action on the computer of a user who visited the site.

Does disabling Java applets in IE protect against this vulnerability?
Yes. If you've disabled Java applets, they cannot run and you cannot be affected by this vulnerability. Microsoft recommends that you consider applying the patch even if you have disabled Java applets in IE, as you may decide later to re-enable Java support.

How do I know if I have a version of the Microsoft VM that requires a patch?
The Microsoft VM ships as part of a number of Microsoft products, but by far the most prevalent ship vehicle is Internet Explorer. If you have Internet Explorer 4.0 or 5 on your machine, you definitely have an affected version of Microsoft VM and should consider applying the patch.

However, the Microsoft VM also ships as part of a small number of other products, such as Microsoft Visual Studio. If you have installed such a product, you could have an affected version of the Microsoft VM even if you do not have IE 4.0 or 5 on your machine. If you suspect that this may be the case, you can consult the build number of Microsoft VM on your machine and determine whether you have an affected build or not. Here's how to do this:

Choose "Start", then "Run", then "CMD" and hit the enter key.
At the command prompt, type "JVIEW" and hit the enter key.
The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.

Here's what the build information means:

If you have a build number of 1520 or lower, you are not affected by this vulnerability.
If you have a build number higher than 1520, you are affected by this vulnerability. The build number for the patched version is 3186.

What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.

I'd like to verify that I installed the correct patch. How can I do this?
Just verify that you now have build 3186 of the Microsoft VM:

Choose "Start", then "Run", then "CMD" and hit the enter key.
At the command prompt, type "JVIEW" and hit the enter key.
The version information will be at the right of the topmost line.

It will have a format like "5.00.xxxx", where the "xxxx" is the build number. If the last four digits are 3186, you have the patch installed correctly.
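
The build check described in the two JVIEW procedures above, written as a small inventory script. This is an added example, not part of the Microsoft FAQ; the host names, the banner text and the function names are constructed for illustration, and builds later than 3186 are reported separately because the FAQ does not cover them.

```python
import re
from typing import Dict, Optional

# Build thresholds quoted from the FAQ text above.
LAST_UNAFFECTED_BUILD = 1520
PATCHED_BUILD = 3186

# Version strings look like "5.00.xxxx"; the last field is the build number.
VERSION_RE = re.compile(r"\b\d+\.\d{2}\.(\d{1,5})\b")


def parse_build(jview_output: str) -> Optional[int]:
    """Return the build number from the topmost line of JVIEW output, or None."""
    lines = jview_output.strip().splitlines()
    if not lines:
        return None
    builds = VERSION_RE.findall(lines[0])
    # The FAQ says the version sits at the right of the line: take the last match.
    return int(builds[-1]) if builds else None


def classify(build: Optional[int]) -> str:
    """Map a build number onto the categories the FAQ defines."""
    if build is None:
        return "unknown"  # no version found: JVIEW missing or output not captured
    if build <= LAST_UNAFFECTED_BUILD:
        return "not affected"
    if build < PATCHED_BUILD:
        return "affected"
    if build == PATCHED_BUILD:
        return "patched"
    # The FAQ says nothing about builds after 3186, so do not guess.
    return "newer than patched build"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {host: captured JVIEW output} mapping."""
    return {host: classify(parse_build(out)) for host, out in inventory.items()}


# Constructed sample inventory (host names and banner text are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Microsoft (R) Command-line Loader for Java Version 5.00.1234\n",
    "ws-02": "Microsoft (R) Command-line Loader for Java Version 5.00.2925\n",
    "ws-03": "Microsoft (R) Command-line Loader for Java Version 5.00.3186\n",
    "ws-04": "Bad command or file name\n",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
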

What is Microsoft doing about this issue?
Microsoft has developed a patch that eliminates the vulnerability.
Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft Security Advisor web site is the best place to get information about Microsoft security.

Where can I learn more about the Microsoft VM?
The Microsoft Technologies for Java web site is the best place to get information about Microsoft's Java development efforts. A very good overview of the Microsoft VM is available at http://www.microsoft.com/java/resource/vm.htm

How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.



Others Can Execute Code on Your Computer

The Telnet client that ships as part of Windows 95 and 98 has an unchecked buffer. A specially-malformed argument could be passed to the client via a web page in order to cause arbitrary code to execute on the computer via a classic buffer overrun technique.

Affected Software Versions
==========================
 - Microsoft Windows 95
 - Microsoft Windows 98
 - Microsoft Windows 98 Second Edition

Patch Availability
==================
 - Microsoft Windows 95
http://www.microsoft.com/windows95/downloads/contents/WUCritical/Telnet/Default.asp
 - Microsoft Windows 98 and Windows 98 Second Edition
http://www.microsoft.com/windows98/downloads/contents/WUCritical/Telnet/Default.asp

Based on:
Buffer Overrun in Telnet in Windows 98 Poses a Security Risk
http://support.microsoft.com/support/kb/articles/q240/1/63.asp

Patch Available for "Set Cookie Header Caching" Vulnerability

Affected Software Versions
==========================
 - Microsoft Site Server 3.0
 - Microsoft Site Server 3.0 Commerce Edition
 - Microsoft Commercial Internet System 2.0 and 2.5

Patch Availability
==================
ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/Hotfixes-PostSP2/ProxyCache/

Proxy Caching Can Cause Multiple Clients to Receive the Same GUID
http://support.microsoft.com/support/kb/articles/q238/6/47.asp



Web Site Operators CAN Operate YOUR Computer

IE 5 includes a feature that allows users to export a list of their favorite web sites to a file, or to import a file containing a list of favorite sites. The method that is used to perform this function, ImportExportFavorites(), should only allow particular types of files to be written, and only to specific locations on the drive.

However, it is possible for a web site to invoke this method, bypass this restriction and write files that could be used to execute system commands.  The net result is that a malicious web site operator potentially could take any action on the computer that the user would be capable of taking.

This vulnerability would chiefly affect workstations that are connected to the Internet. As an immediate measure, customers can prevent the ImportExportFavorites function from operating by disabling Active Scripting, as discussed in the FAQ. A patch that restores correct operation is under development and will be delivered shortly.

Affected Software Versions
==========================
 - Microsoft Internet Explorer 5

Workaround
==========
The vulnerability can be prevented by disabling Active Scripting. The FAQ contains details on how to do this.

Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-037: Frequently Asked Questions
http://www.microsoft.com/security/bulletins/MS99-037faq.asp
- Microsoft Security Advisor web site
http://www.microsoft.com/security/default.asp



Now Someone Else is Reading Your Email?

By Sandra Underhill

Government has a global surveillance system called Echelon in place that intercepts email, Internet telephony, chatrooms, instant messaging, etc!

Yikes! Recent headlines are shouting that the government has gone too far. A global surveillance system called Echelon is in place that intercepts transmissions of your email, Internet telephone conversations, faxes, instant messages, chatroom chatter and possibly even your surfing habits!

The governments of the United States, Canada, Britain, Australia and New Zealand have coordinated a cooperative eavesdropping effort. This effort is called Echelon. It is a global network of satellites and computerized monitoring stations that scan and intercept communications containing pre-programmed buzzwords.

Many world governments support Echelon and are involved in the approval of this global surveillance system. Memorandums have been agreed to by the United States, its allies and the European Union that dictate that, even if third world countries do not agree with Echelon, they will still have their communications monitored.

If you were wondering how much of your communication is subject to satellite surveillance, consider the level of technology today as compared to when the Echelon was first put into service decades ago.

The NSA (National Security Agency) of the United States is documented as having placed surveillance satellites, called Intelsats, in orbit as early as 1971. These early behemoths were heavy and limited in their ability to monitor communications using the technology of the day.

NSA sent more technologically advanced satellites capable of broader surveillance methods into orbit around the earth during the 1980's and 1990's.

Additional elements of the Echelon surveillance system involve land-based, or under-sea systems of communications that use cables or microwave tower networks.

Echelon has always used buzzwords from an ever-evolving glossary comprised of keywords, phrases, people, places, or items of special interest based on the current political climate.

Couple this knowledge with the fact that computer users were denied the use of super-encryption technology last year, and you'd have to wonder if the implementation of this new encryption code was too costly to implement into the Echelon surveillance system.

Today's technology is far more advanced. It allows the monitoring stations across the globe to sift through enormous volumes of communications much more thoroughly than in earlier years.

Anyone who uses a communications device, including Internet users, mobile PC users and users of cell phones who engage in questionable conversations, can pretty much count on being subjected to scrutiny. Scrutiny from investigating sources can involve accessing not only the content of the questionable conversation(s), but extends to all "associated data".

Associated data includes communications made before and after a questionable conversation. Despite what we have seen on movies, even connections that are not completed are recorded for evaluation.

We all know that our employers can read our email and record our telephone conversations. And we know that our Internet Service Providers can read our email and keep all records for a period of time.

We also know that our government can read our mail and listen, too, in a continuing effort to fight crime and to protect national security. Echelon has been in place for decades.

Privacy issues drive emotions through the roof. Revelation of the depth and breadth of privacy loss is a surprise only to the uninformed.

Union Tribune

For more information on Echelon
http://www.privacy.org/pi/activities/taping/statewatch_tap_297.html
http://jya.com/ic2000-dc.htm
http://www.gn.apc.org/duncan
http://jya.com/echelon-dc.htm#echelon
http://www.ncoic.com
http://europarl.eu.int



Malicious Web Site Or E-mail Message Can Cause Win 95/98 Crash

Microsoft has released a patch that eliminates a vulnerability in Microsoft Windows 95 or Windows 98. The vulnerability could allow a malicious web site or e-mail message to cause the Windows machine to crash, or to run arbitrary code.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-049faq.asp

Issue
=====
There is a buffer overflow in the Windows 95 and Windows 98 networking software that processes file name strings. If the networking software were provided with a very long random string as input, it could crash the machine. If provided with a specially-malformed argument, it could be used to run arbitrary code on the machine via a classic buffer overrun attack.

The vulnerability could be exploited remotely in cases where a file:// URL or a Universal Naming Convention (UNC) string on a remote web site included a long file name or where a long file name was included in an e-mail message.
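
A defensive content filter for the two delivery paths described above (file:// URLs and UNC strings in a web page or e-mail body), given as an added example that is not part of the bulletin. The 260-character review limit is an assumption borrowed from the Windows MAX_PATH constant, since the bulletin only says "long"; the function names and the sample message are constructed.

```python
import re
from typing import List, Tuple

# Assumption: the bulletin gives no length, only "long file name". 260 is the
# Windows MAX_PATH value, used here as a review threshold and nothing more.
REVIEW_LIMIT = 260

# file:// URLs and \\server\share\... strings as they appear in HTML or mail bodies.
FILE_URL_RE = re.compile(r"file://[^\s\"'<>]+", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\[^\s\"'<>\\]+\\[^\s\"'<>]+")


def find_long_file_references(text: str, limit: int = REVIEW_LIMIT) -> List[Tuple[str, int, str]]:
    """Return (kind, length, preview) for every file reference longer than `limit`."""
    findings = []
    url_spans = []
    for m in FILE_URL_RE.finditer(text):
        url_spans.append(m.span())
        ref = m.group(0)
        if len(ref) > limit:
            findings.append(("file-url", len(ref), ref[:40] + "..."))
    for m in UNC_RE.finditer(text):
        # Skip UNC text that was already counted as part of a file:// URL.
        if any(start <= m.start() < end for start, end in url_spans):
            continue
        ref = m.group(0)
        if len(ref) > limit:
            findings.append(("unc", len(ref), ref[:40] + "..."))
    return findings


def should_quarantine(text: str) -> bool:
    """True when a message or page carries at least one over-long reference."""
    return bool(find_long_file_references(text))


# Constructed sample: two ordinary references and one over-long file:// URL
# padded with filler characters.
SAMPLE_MESSAGE = (
    '<a href="file://C:/docs/readme.txt">readme</a>\n'
    + r'<a href="\\fileserver\public\report.doc">report</a>' + "\n"
    + '<img src="file://host/share/' + "x" * 400 + '.gif">\n'
)

if __name__ == "__main__":
    for kind, length, preview in find_long_file_references(SAMPLE_MESSAGE):
        print(f"{kind}: {length} characters, starts {preview}")
```
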

Affected Software Versions
==========================
The buffer overrun is present in the networking software in all versions of Windows 95 and Windows 98.

Patch Availability
==================
Windows 95:
http://download.microsoft.com/download/win95/update/245729/w95/en-us/245729us5.exe

Windows 98:
http://download.microsoft.com/download/win98/update/245729/w98/en-us/245729us8.exe



Microsoft Security Bulletin (MS00-033); Vulnerabilities and Patches

Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", and "Malformed Component Attribute" Vulnerabilities

Originally Posted: May 17, 2000

Summary
=======
Microsoft has released a comprehensive patch that eliminates three security vulnerabilities in Microsoft(r) Internet Explorer 4 and 5:

- The "Frame Domain Verification" vulnerability, which could allow a malicious web site operator to read, but not change or add, files on the computer of a visiting user.

- The "Unauthorized Cookie Access" vulnerability, which could allow a malicious web site operator to access "cookies" belonging to a visiting user.

- The "Malformed Component Attribute" vulnerability, which could allow a malicious web site operator to run code of his choice on the computer of a visiting user.

Issue
=====
The three security vulnerabilities eliminated by this patch are unrelated to each other except by the fact that they all occur in the same .dll. We have packaged them together for customer convenience.

The vulnerabilities are:

- "Frame Domain Verification" vulnerability. When a web server opens a frame within a window, the IE security model should only allow the parent window to access the data in the frame if they are in the same domain. However, two functions available in IE do not properly perform domain checking, with the result that the parent window could open a frame that contains a file on the local computer, then read it. This could allow a malicious web site operator to view files on the computer of a visiting user. The web site operator would need to know (or guess) the name and location of the file, and could only view file types that can be opened in a browser window.

- "Unauthorized Cookie Access" vulnerability. By design, the IE security model restricts cookies so that they can be read only by sites within the originator's domain. However, by using a specially-malformed URL, it is possible for a malicious web site operator to gain access to another site's cookie and read, add or change them. A malicious web site operator would need to entice a visiting user into clicking a link in order to access each cookie, and could not obtain a listing of the cookies available on the visitor's system. Even after recovering a cookie, the type and amount of personal information would depend on the privacy practices followed by the site that placed it there.

- "Malformed Component Attribute" vulnerability. The code used to invoke ActiveX components in IE has an unchecked buffer and could be exploited by a malicious web site operator to run code on the computer of a visiting user. The unchecked buffer is only exposed when certain attributes are specified in conjunction with each other.

The patch also eliminates a new variant of the previously-addressed WPAD Spoofing vulnerability (http://www.microsoft.com/technet/security/bulletin/ms99-054.asp).

Affected Software Versions
==========================
- Microsoft Internet Explorer 4.0
- Microsoft Internet Explorer 4.01
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.01

Patch Availability
==================
- http://www.microsoft.com/windows/ie/download/critical/patch6.htm

Note: The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.

Note: Additional security patches are available at the Microsoft Download Center

More Information
================
Please see the following references for more information related to this issue.

- Frequently Asked Questions: Microsoft Security Bulletin MS00-033, http://www.microsoft.com/technet/security/bulletin/fq00-033.asp

- Microsoft Knowledge Base article Q262509 discusses the overall patch and will be available soon.

- Microsoft Knowledge Base articles Q251108 and 255676 discuss the "Frame Domain Verification" vulnerability and will be available soon.

- Microsoft Knowledge Base article Q258430 discusses the "Unauthorized Cookie Access" vulnerability and will be available soon.

- Microsoft Knowledge Base article Q261257 discusses the "Malformed Component Attribute" vulnerability and will be available soon.

- Microsoft Knowledge Base (KB) article Q247333, Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings, http://www.microsoft.com/technet/support/kb.asp?ID=247333

- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

