Albury Local Internet Newsletters

... Warnings, bugfixes ...
SEPTEMBER, 1998

Just in case you thought having a computer meant just using your applications, here's some eye-openers.

... patches and updates

This section is to become a regular feature of our newsletters and will contain notification of and links to:

This is not necessarily a complete, exhaustive listing, but it will contain all the relevant notifications of which we have been made aware. Users with mission-critical installations are advised to check the appropriate security resources for their OS/applications regularly. IT managers are recommended to subscribe to the BUGTRAQ mailing list, and regularly check the CIAC Bulletins.


Operating System upgrades/patches:

Newcomers to computers may not be aware that the base operating systems, the software under which all your applications run, are constantly evolving, just as the applications you use are regularly upgraded, improved or fixed. The boundary between operating system and application is currently deliberately being blurred, particularly by Microsoft, and newcomers seem frequently unaware as to what their operating system actually is!

Editor's note: we are running an on-going survey of subscribers to determine (among other things) whether there is a requirement for some basic introductory computing articles to be included in our newsletters. We ask all subscribers to complete the survey.

The links below point to the vendors' sites. Although we will try to keep them up to date, they are beyond our direct control and may not always be accessible. This list is by no means exhaustive. If your operating system is not included here and you would like it to be, please email the editor with full details.

Microsoft Operating Systems:
Windows NT 4: Service Packs and Updates
Windows NT 3.51: Service Packs and Updates
Windows 98: This link points the user to the Windows update site.
Windows 95: There are about 30 updates to 95 at this address!! At least get the Service Pack 1 update.
Windows 3.1/3.11 support
IBM Operating Systems:
Workspace on Demand: Support page
OS/2 Warp and Warp Server: Fix packs, device drivers, Software Choice, beta programs and additional Software Updates with instructions and help.
Apple Macintosh Operating Systems:
MacOS 8 ==> 8.1: This is the international English update.
MacOS 6.x and 7.x updates for older systems.
Unix variants:
Linux:
Redhat (Manhattan, Hurricane, Biltmore, Vanderbilt and Colgate and Picasso)
Caldera
SuSE
Kernel patches and upgrades
XFree86 updates

FreeBSD
BSDI
Security Bulletins:
Internet Explorer Cross Frame Navigate Vulnerability
Affected: Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on Windows NT 4.0, Windows 95
Microsoft Windows 98, with integrated Internet Explorer (version 4.01 SP1)
Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1 and Windows NT 3.51
Microsoft Internet Explorer 4.0 and 4.01 for Macintosh
Microsoft Internet Explorer 3.x
This vulnerability could also affect software that uses HTML functionality provided by Internet Explorer. Anyone using such programs should download the patch even if they do not run Internet Explorer as their default browser.
Workaround/fix: from Microsoft
Description: The Cross Frame Navigate issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious Web site operator to read the contents of files on your computer.

Microsoft's security bulletin has full details.


Microsoft Internet Explorer Bug
Affected: Microsoft Internet Explorer V4.0, 4.01 and 4.01 SP1
Workaround/fix: from Microsoft
Description: A vulnerability in Microsoft Internet Explorer's JScript engine that could cause Internet Explorer to terminate. A skilled hacker could exploit this vulnerability to run arbitrary computer code on the unsuspecting user's machine.

Microsoft's security bulletin has full details.


Microsoft IE e-mail upgrade is a fake
Affected: All existing Explorer users
Workaround/fix: Delete any suspicious messages, DO NOT RUN ANY ATTACHMENTS
Description: Microsoft have issued a warning of a fake email message circulating claiming to be from Microsoft themselves and offering a phony Internet Explorer upgrade. The attachment with this fake message is designed to download information from the user's computer to an unauthorised location on the internet.
See CNN's story and the CIAC's summary.

Hotmail password exploit
Affected: Any JavaScript-enabled browser, including Microsoft Internet Explorer and Netscape Communicator
Workaround/fix: If you receive a suspicious message, do not log back in; or don't use Hotmail accounts.
Description: From a message posted to Bugtraq:
"We have just found a serious security hole in Microsoft's Hotmail service (http://www.hotmail.com) which allows malicious users to easily steal the passwords of Hotmail users. The exploit involves sending an e-mail message that contains embedded javascript code. When a Hotmail user views the message, the javascript code forces the user to re-login to Hotmail. In doing so, the victim's username and password is sent to the malicious user by e-mail."
An example of the exploit: see http://www.because-we-can.com/hotmail/default.htm for demo. (Please exercise caution. Although this link claims to be a non-malicious demonstration, and may well be, we cannot guarantee the safety of any link outside those under our direct control. Ed.)

Booby-trapped link bug in Eudora Pro V4
Affected: Windows 95 version of Eudora 4.0 and 4.01 when used with Internet Explorer as the HTML mail viewer.
Workaround/fix: Available from Eudora
Description: This hole allows a malicious person to create a booby-trapped e-mail message that will run a Windows executable program attached to the message. The program can potentially cause all sorts of damage such as erasing the hard disk, installing a virus on the victim's computer, or stealing private files and e-mail messages.
Possible workarounds: turn off the Microsoft Email viewer in Eudora; use Internet Explorer 3 or Netscape Navigator instead of IE4 as the HTML mail viewer; or download and install the fix available from Eudora. For further information see the CIAC's summary.

Buffer overflow vulnerability
Affected: Microsoft Outlook, Outlook Express, and Netscape Messenger (mail) on Windows 95, Windows 98, Windows NT, Macintosh and Solaris
Workaround/fix: Apply patches from Microsoft and Netscape. See the "Patches" section of the CIAC summary.
Description: Basically, a buffer overflow condition, caused by improper handling of the MIME name tags used to identify attachments to e-mail/news messages, can be exploited to run any arbitrary code contained in the attachment's tags. The code runs with the user's permissions and can do anything the user can do, such as re-send the e-mail to the user's mailing list, change files, or format the hard drive.
See the CIAC summary for more information.

Yikes! Caution to Microsoft Access users:
Affected: Microsoft Access 97
Workaround/fix: Not known
Description: A bug in Access 97 can allow users to inadvertently delete or overwrite parts of the database they have created. Check Microsoft's site for a patch; as of 27th August no announcement has been made as to where or when.

CIH Virus
Affected: Windows 95/98/NT, 32 bit executables
Workaround/fix: Update your virus checker and make sure it can detect the CIH virus.
Description: The CIH virus is not all that new, but it has been relatively rare. It has been found in countries all over the world although it's not yet widespread. It is pretty nasty in that it can re-write the flash ROM BIOS in susceptible systems, preventing the machine from booting. As most BIOS chips are soldered directly to the motherboard, the whole motherboard may need to be replaced. In the case of laptops or notebooks, it may be cheaper to replace the machine than fix it. Oh, and while it's doing its nasty work, CIH can also destroy data on the hard drive, particularly if the BIOS has flash BIOS protection to prevent just this type of attack.
The CIH virus is getting increasing media coverage on many sites lately. Symantec's AntiVirus Research Center - CIH and MSNBC's articles on CIH are good places to start.

e-mail hoaxes
Affected: Any poorly informed computer user
Workaround/fix: Ignore, or if in doubt, check the CIAC Internet Hoaxes database
Description: If you receive any message from any person, even a friend, warning you about a dangerous e-mail message and urging you to pass it on to as many friends as possible, DO NOT DO IT!!!!!!! In most cases you will be (yet another) victim of internet e-mail hoaxes. Check the information out with authoritative sources FIRST - for example the CIAC Internet Hoaxes database, BUGTRAQ, the affected software manufacturer if appropriate.
Do not believe everything you see or read about on the internet without checking it out thoroughly first. This is one reason why we will endeavour, in this section, to supply you with links to additional information, official bug reports and/or vendor fixes wherever possible.

Further reading (to be expanded):


Comments and questions to the editor:- editor@albury.net.au
Postal: Albury Local Internet Pty Ltd, PO Box 577, Lavington, NSW 2641;
Phone 02 6040 2692 Fax: 02 6025 7144

©1998 Albury Local Internet. May not be reproduced in whole or in part without express written permission.