... Warnings, bugfixes ...
Just in case you thought having a computer meant just using your applications, here are some eye-openers.
... patches and updates
Previous issues:
Current additions since September 98
This is not necessarily a complete, exhaustive listing, but it will contain all the relevant notifications of which we have been made aware. Users with mission-critical installations are advised to check the appropriate security resources for their OS/applications regularly. IT managers are recommended to subscribe to the BUGTRAQ mailing list and to check the CIAC Bulletins regularly.
Security Bulletins:
The Cuartango Security Hole in IE4
Affected: Microsoft Internet Explorer 4.01 and V5 preview on Windows 95/98 and possibly NT
Workaround/fix: Microsoft has confirmed the bug and is looking at how to fix it.
Description:
"With a small amount of JavaScript code on a Web page, a Web site operator can steal any file from a user's hard disk and automatically upload the contents to a Web server. More worrisome is the fact that the security hole can be also exploited in an HTML-based Email message in Outlook Express. Simply by reading a booby-trapped Email message, private files can be stolen from one's hard disk."
from the message posted to BUGTRAQ.
Various Java/JavaScript exploits in Netscape
Affected: Netscape Communicator/Navigator any version since (and possibly including) 4.05
Workaround/fix: Use an earlier version.
Description:
These are largely re-surfaced known exploits using malicious Java and JavaScript. They include browsing of users' file systems, uploading of browser history to foreign sites, deleting of files on users' systems, etc.
e-mail hoaxes
Affected: Any poorly informed computer user
Workaround/fix: Ignore, or if in doubt, check the CIAC Internet Hoaxes database.
Description:
If you receive any message from any person, even a friend, warning you about a dangerous e-mail message and urging you to pass it on to as many friends as possible, DO NOT DO IT!!!!!!! In most cases you will be (yet another) victim of internet e-mail hoaxes. Check the information out with authoritative sources FIRST - for example the CIAC Internet Hoaxes database, BUGTRAQ, or the affected software manufacturer if appropriate.
Doing the rounds (again!!) is the following email hoax:
Do not believe everything you see or read about on the internet without checking it out thoroughly first. This is one reason why we will endeavour, in this section, to supply you with links to additional information, official bug reports and/or vendor fixes wherever possible.
9-0-# phone scam
Affected: Some businesses in the US (that's the United States of America)
Workaround/fix: Ignore and do not cause unnecessary concern by circulating any further.
Description:
The following "warning" may circulate from time to time:
PLEASE REGARD THIS AS A WARNING
If you receive a call from someone identifying themselves as a phone technician performing a test, and this person asks you to press: nine (9), zero (0) Hash (#) and then hang up - REFUSE TO DO SO !!
As far as the Australian phone system is concerned, this may as well be a HOAX. Telstra's switch equipment in use in Australia does not provide this facility.
For details of this "exploit", which only affects some businesses using PBXs, and most likely only those in the US, check out AT&T's "Find out about the 9-0-# phone scam".
Do not cause others unnecessary anxiety by spreading this scam/hoax any further.
Further reading (to be expanded):