Computer Security Weekly, September 20, 1999

It never rains but it pours, in security (insecurity?) ...

---

The Microsoft knowledge base too busy? Know something is in there but the search function won't bring it up? There is an unofficial mirror of the Microsoft Knowledge Base at http://www.bugsoft.hik.se/mskb/

---

Find any 99/9/9 bugs? I've only heard of two. One is only suspected:

• Radio Shack will not confirm that if you had a credit balance on their credit card as of 99/9/9 you would get a whopping big cheque from them.
• The other is a little more esoteric: if you tried to install Windows 95 version a on 99/9/9, the copying process errored out before it completed.

---

Have you recently got a message from a friend with an attached program that claims (in both Spanish and English) to be a fix for a Y2K Internet bug? Don't run the file. The Fix2001 virus, when run, displays a message saying your connection is OK, but then follows every message you send with one sending a copy of itself and the warning message. (Just for your info, there is nothing in the Internet protocols that is subject to the Y2K bug, although individual computers may have problems with individual programs.)

The email has the subject: "Internet problem year 2000.", appears to be from "Administrator," and includes the following text:

"Internet Customer:

We will be glad if you verify your Operative System(s) before Year 2000 to avoid problems with your Internet Connections. If you are a Windows 95/98 user, you can check your system using the Fix2001 application that is attached to this E-Mail or downloading it from Microsoft (C) WEB Site: HTTP://WWW.MICROSOFT.COM If you are using another Operative System, please don't wait until Year 2000, ask your OS Technical Support.

Thanks. Administrator."

---

Win2K isn't even out yet and a lot of people are concerned about security loopholes. Here's a big one. When W2K is installed standalone, it makes an administrative account out of the owner's name, but doesn't assign a password to the account. W2K also has a telnet server, although it is not enabled by default. However, the telnet server can be turned on by a remote call, if you know the username and password of the administrator. Username is the owner. There is no password. Hey, presto! pretty much anyone can log in to your machine and do pretty much what they want.

---

Our good friend, and Bulgarian bugfinder, Georgi Guninski has found yet another security loophole in Hotmail. You can embed STYLE tags in messages with JavScript in them, and Hotmail, with both Netscape and IE, will run it on your system for you, no questions asked.

Go To Page: 1 2

Articles in this Topic    Discussions in this Topic