Security Hole (Wishlist)

aule

Jul 29, 1998, 12:15pm
Using Netscape or Outlook for your email? Better have a look at this:

<http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2123238,00.html>

paul barrow

Jul 29, 1998, 7:48pm
That only applies to Local Area Networks and the hacker has to be on the
local network. Can't be hacked by remote (as the article itself says).

Paul

aule

Jul 29, 1998, 8:26pm
Close but wrong, you're thinking of the privilege elevation attack on
NT. My post is regarding the email clients mentioned further down the
same article. See also <http://www.slaughterhouse.com/pick_072998.html>
for further information on the subject (this article deals with Outlook
only).

raven shadow

Jul 29, 1998, 9:40pm
But still the threat is fortunately limited
----------------------------------------------------------------------------
-------------------------------------
Outlook Express users and Outlook 98 users who are installed with an
Internet Mail Only configuration or with an Internet Mail service in a
corporate/workgroup configuration are at risk. They can be affected when
malicious code is sent in a message and they highlight the name of an
attachment, right mouse click on it and then move the mouse over the
attachment, Cooper explained.
----------------------------------------------------------------------------
-----------------------------------------

The "bug" is still only a threat under certain conditions
But, of course, one should always be safe and get the fixes ... no telling
what else these problems could be capable of




aule

Jul 30, 1998, 2:54pm
Correct, if one is using Outlook one has to work at it to allow this to
happen, should a "malicious" email be received in the first place. For
Netscape users, the problem is easier to trigger.

Quote
For Netscape Mail users, malicious code can be launched by simply
highlighting the message -- without launching the attachment or opening
the message -- and then accessing the File menu, Cooper said.
End Quote

Right now it takes a bit of know-how to produce a "malicious" message.
However, like Winnuke, how long before a GUI "Nuke your neighbor"
appears allowing anyone to create them in a few short steps?

paul barrow

Jul 30, 1998, 5:53pm
Most motherboards require you to change a jumper before you can flash the
bios and thus are not vulnerable.

Paul

athena

Jul 30, 1998, 6:47pm
If you want something to feel paranoid about, how about Win95/CIH......a
virus that can flash your BIOS? For most machines, that means you have
to replace hardware in order to get it running again. There are already
several flavors floating around....one of which hits on the 26th of
*every month*......

Athena
Looking for a "hole" to crawl into.....with my computer.....

grover

Jul 30, 1998, 8:59pm
oh man! how do we stay safe from this one?? (i have a jumperless motherboard,
paul!)

grover

> Most motherboards require you to change a jumper before you can flash the
> bios and thus are not vulnerable.
>
> Paul
>

flirbnic

Jul 30, 1998, 9:18pm
You can set the date ahead... : )
and 98% of all virii are on floppy discs. Only 2% are on the internet.

grover

Jul 30, 1998, 9:31pm
yes, but most viruses don't blow up your bios either ;-)

> You can set the date ahead... : )
> and 98% of all virii are on floppy discs. Only 2% are on the internet.
>

aule

Jul 30, 1998, 9:37pm
Just to help further the paranoia (note, check your harddrive for CIH
using the link at the bottom).

http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2123156,00.html

http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2122748,00.html

http://www.antivirus.com/vinfo/alerts.htm

http://housecall.antivirus.com/

paul barrow

Jul 31, 1998, 12:04am
Well then, you need the latest DAT files for McAfee or the latest version of
whatever virus scanner you have (but, the virus was set to go off on the
26th which is past now).
Oh, McAfee is no longer making DAT updates for versions prior to 3.x.

Paul

dnapalm

Jul 31, 1998, 3:33am
Not any that I've seen...:)

-DN

> Most motherboards require you to change a jumper before you can flash the
> bios and thus are not vulnerable.
>
> Paul
>

dnapalm

Jul 31, 1998, 3:35am
Hell most viruses don't even damage you....About 10% of people are infected, and 10%
of them have a harmful virus...(Data collected by the DN Census Bureau)

-DN

> yes, but most viruses don't blow up your bios either ;-)
>

paul barrow

Jul 31, 1998, 4:08am
One brand I can name off the top of my head that uses a jumper is ASUS.

Paul

dnapalm

Jul 31, 1998, 4:58am
All I can say is I've worked with Gateway, Dell, Magitronic, and PB, and not
one has required a jumper to flash the BIOS....

-DN

> One brand I can name off the top of my head that uses a jumper is ASUS.
>
> Paul
>

athena

Jul 31, 1998, 2:23pm
My hardware consultant tells me that "some" motherboards can be jumpered
to make the BIOS write-protected, not "most". He says that he thinks
about half of the computers we have at work are jumperless. Also, you
have to make sure that the jumpers are set correctly....if they were set
to "write" and not set back, even having a jumpered motherboard won't
save you.

Athena

athena

Jul 31, 1998, 2:27pm
26th of *every* month. In July, the 26th was a Sunday, which means that
most company computers weren't being used that go around. What about
August 26th? And that's only one version of CIH....there are several
floating around.

Really not trying to be an alarmist.....they report that this virus will
show up with *most* virus-scanning software. It's just a measure of how
persistent the virus-writers are....

Athena

athena

Jul 31, 1998, 3:07pm
Yes, the two motherboards I know of here that have jumpers are both
Asus.

Does anyone know of any other brand?

Athena

paul barrow

Jul 31, 1998, 3:34pm
Of course not. Those are all junk computers. The only way I would have one
is if it was given to me.

Paul

paul barrow

Jul 31, 1998, 3:39pm
Most custom built machines using quality motherboards have a flash jumper.
The department store class machines like PB, Dell, IBM, Gateway, etc., are
all built to minimum standards and as cheaply as possible (so they have a
chance to compete on price) and have many shortcomings and are (compared to
good quality custom built systems) junk.
Out of all the motherboards we used over the years in our systems, only one
was jumperless.

Paul

paul barrow

Jul 31, 1998, 3:40pm
The article I read said July 26th.

Paul

paul barrow

Jul 31, 1998, 3:43pm
If I remember correctly, Micronics has flash jumpers. Check the MB
manufacturer's web site and you can probably find info on your boards.

Paul

aule

Jul 31, 1998, 5:53pm
CIH v1.2- April 26th
CIH v1.3- June 26th
CIH v1.4- 26th of every month

dnapalm

Aug 1, 1998, 4:41am
Yes of course...I should have gone for.....uhhhh....hmmmm...oh wait, my
office doesn't buy no-names or over-priced Microns...

-DN

> Of course not. Those are all junk computers. The only way I would have one
> is if it was given to me.
>
> Paul
>

dnapalm

Aug 1, 1998, 4:43am
Hate to break it to you, but those "department store class" machines are 90%
of the ones out there, disdain or not. Like them or not, I don't give a
crap...the ORIGINAL point was most machines don't require a jumper to flash the
BIOS...

-DN

> Most custom built machines using quality motherboards have a flash jumper.
> The department store class machines like PB, Dell, IBM, Gateway, etc., are
> all built to minimum standards and as cheaply as possible (so they have a
> chance to compete on price) and have many shortcomings and are (compared to
> good quality custom built systems) junk.
> Out of all the motherboards we used over the years in our systems, only one
> was jumperless.
>
> Paul
>

chloe

Aug 1, 1998, 5:19am
http://kumite.com/myths/
just an FYI :))
most viruses (not ALL) are hoaxes.
chloe

> Using Netscape or Outlook for your email? Better have a look at this:
>
> <http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2123238,00.html>

paul barrow

Aug 1, 1998, 7:51pm
Oh, so your office would rather buy name brand, corner cutting, feature
impaired junk rather than a custom built "to your specs" professional system
just to save 5 or 10% on price? By the way, the company I worked for offered
Life Time Labor support on our systems. Like to see you ask Dell, PB, or
one of the others for that? If you have to replace an "out of warranty"
cheapo sound card in a PB, say, it's $100 to $200+. Replace one of our
AWE64 Golds and it's about $89. So you're gonna pay the price in the end
regardless. Well, it's your company's data, if they choose to risk it, then
they've no one to blame but themselves when a system fails, or they can't
upgrade because it's proprietary, or it gets clobbered by a CIH virus.
There's the old saying, "you get what you pay for". If your company hasn't
worried about all the press about these companies doing things like using
refurb parts to using feature cut name brand designs (like the scandal over
the reduced feature Matrox Millennium designed into one of the above named
systems), then I don't know why they would be concerned over security holes
anyway. And let me guess, your office doesn't do tape backups of their
systems either?

Paul

paul barrow

Aug 1, 1998, 8:02pm
Hey, that's not news to me. As a computer technician, we repair the junk
machines sometimes (though we don't sell them or do warranty work) and sell
people our custom systems all the time after they've realized that what they
bought was junk and we've even had people return NEW "junk" systems where
they bought it and replaced it with one of ours. Also, we had an Office
Depot employee come to work for us, so we know all about their return rate
on this stuff, not to mention that Office Depot tried as hard as possible to
refer what service work they could to us. 90%? Yeah, I believe that 90%
of the buying public is ill-informed and gullible, including the supposed
"professionals" buying computer systems for their companies. Of course
there are a few who have enough sense to at least lease the junk rather than
buy it.

Paul

dnapalm

Aug 3, 1998, 2:34am
I have no idea what you are saying. We can't buy custom systems because we
don't normally have the time to wait for the thing to be built, even if we
trusted the people to build it right. You may not know this since the smaller
computer manufacturers don't usually get large contracts, but many businesses
prefer to buy in bulk. Or customize themselves. Custom-built systems are great
for a gamer who plays Q2 all day, but not for a company that needs one quickly.
We don't generally have specific needs when we buy, except that it be a decent
system with good support. We've had problems with support in the smaller
vendors, so we went with Dell. Good support. 1 year on-site, 3 year limited for
default, and you CAN get 3 year on-site for a bit extra. I don't give a crap
about life-time support because the lifetime of a system isn't much over a year.
95% we can fix it ourselves anyway. So all we really need are replacement parts.
Which we get. I don't trust no-name systems because of the one we went with for
a year. They sucked. We once bought Gateways, we now buy Dells. Personally, I
just don't trust small company support. I've seen many go out of business and
screw their customers.
And as to your other comments, we have a backup system in place and virus
detectors on every machine with updated definition files. Who we buy machines
from has nothing to do with that. There isn't a vendor out there that can
promise machines won't go down. We need a decent price and part repairs. We get
that through Dell. Plus, they are a client of our company. They do just fine.

-DN

> Oh, so your office would rather buy name brand, corner cutting, feature
> impaired junk rather than a custom built "to your specs" professional system
> just to save 5 or 10% on price? By the way, the company I worked for offered
> Life Time Labor support on our systems. Like to see you ask Dell, PB, or
> one of the others for that? If you have to replace an "out of warranty"
> cheapo sound card in a PB, say, it's $100 to $200+. Replace one of our
> AWE64 Golds and it's about $89. So you're gonna pay the price in the end
> regardless. Well, it's your company's data, if they choose to risk it, then
> they've no one to blame but themselves when a system fails, or they can't
> upgrade because it's proprietary, or it gets clobbered by a CIH virus.
> There's the old saying, "you get what you pay for". If your company hasn't
> worried about all the press about these companies doing things like using
> refurb parts to using feature cut name brand designs (like the scandal over
> the reduced feature Matrox Millennium designed into one of the above named
> systems), then I don't know why they would be concerned over security holes
> anyway. And let me guess, your office doesn't do tape backups of their
> systems either?
>
> Paul
>