Security Hole (Wishlist)

aule, Jul 29, 1998, 12:15pm
Using Netscape or Outlook for your email? Better have a look at this:
<http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2123238,00.html>

paul barrow, Jul 29, 1998, 7:48pm
That only applies to Local Area Networks and the hacker has to be on the
local network. Can't be hacked by remote (as the article itself says).

Paul

aule, Jul 29, 1998, 8:26pm
Close but wrong, you're thinking of the privilege elevation attack on
NT. My post is regarding the email clients mentioned further down the same
article. See also <http://www.slaughterhouse.com/pick_072998.html> for
further information on the subject (this article deals with Outlook only).

raven shadow, Jul 29, 1998, 9:40pm
But still threat is fortunately limited

----------------------------------------------------------------------------
Outlook Express users and Outlook 98 users who are installed with an
Internet Mail Only configuration or with an Internet Mail service in a
corporate/workgroup configuration are at risk. They can be affected when
malicious code is sent in a message and they highlight the name of an
attachment, right mouse click on it and then move the mouse over the
attachment, Cooper explained.
----------------------------------------------------------------------------

The "bug" is still only a threat under certain conditions

But, of course one should always be safe and get the fixes ... no telling
what else these problems could be capable of

aule, Jul 30, 1998, 2:54pm
Correct, if one is using Outlook one has to work at it to allow this to
happen, should a "malicious" email be received in the first place. For
Netscape users, the problem is easier to trigger.

Quote
For Netscape Mail users, malicious code can be launched by simply
highlighting the message -- without launching the attachment or opening the
message -- and then accessing the File menu, Cooper said.
End Quote

Right now it takes a bit of know-how to produce a "malicious" message.
However, like Winnuke, how long before a GUI "Nuke your neighbor" appears
allowing anyone to create them in a few short steps?

paul barrow, Jul 30, 1998, 5:53pm
Most motherboards require you to change a jumper before you can flash the
bios and thus are not vulnerable.

Paul

athena, Jul 30, 1998, 6:47pm
If you want something to feel paranoid about, how about Win95/CIH......a
virus that can flash your BIOS? For most machines, that means you have to
replace hardware in order to get it running again. There are already several
flavors floating around....one of which hits on the 26th of *every
month*......

Athena
Looking for a "hole" to crawl into.....with my computer.....

grover, Jul 30, 1998, 8:59pm
oh man! how do we stay safe from this one?? (i have a jumperless motherboard,
paul!)

grover

> Most motherboards require you to change a jumper before you can flash the
> bios and thus are not vulnerable.
>
> Paul

flirbnic, Jul 30, 1998, 9:18pm
You can set the date ahead... : )
and 98% of all virii are on floppy discs. Only 2% are on the internet.

grover, Jul 30, 1998, 9:31pm
yes, but most viruses don't blow up your bios either ;-)

> You can set the date ahead... : )
> and 98% of all virii are on floppy discs. Only 2% are on the internet.

aule, Jul 30, 1998, 9:37pm
Just to help further the paranoia (note, check your hard drive for CIH using
the link at the bottom).

http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2123156,00.html
http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2122748,00.html
http://www.antivirus.com/vinfo/alerts.htm
http://housecall.antivirus.com/

paul barrow, Jul 31, 1998, 12:04am
Well then, you need the latest DAT files for McAfee or the latest version of
whatever virus scanner you have (but, the virus was set to go off on the 26th
which is past now). Oh, McAfee is no longer making DAT updates for versions
prior to 3.x.

Paul

dnapalm, Jul 31, 1998, 3:33am
Not any that I've seen...:)

-DN

> Most motherboards require you to change a jumper before you can flash the
> bios and thus are not vulnerable.
>
> Paul

dnapalm, Jul 31, 1998, 3:35am
Hell most viruses don't even damage you....About 10% of people are infected,
and 10% of them have a harmful virus...(Data collected by the DN Census
Bureau)

-DN

> yes, but most viruses don't blow up your bios either ;-)

paul barrow, Jul 31, 1998, 4:08am

dnapalm, Jul 31, 1998, 4:58am
All I can say is I've worked with Gateway, Dell, Magitronic, and PB, and not
one has required a jumper to flash the BIOS....

-DN

> One brand I can name off the top of my head that uses a jumper is ASUS.
>
> Paul

athena, Jul 31, 1998, 2:23pm
My hardware consultant tells me that "some" motherboards can be jumpered
to make the BIOS write-protected, not "most". He says that he thinks about
half of the computers we have at work are jumperless. Also, you have to make
sure that the jumpers are set correctly....if they were set to "write" and
not set back, even having a jumpered motherboard won't save you.

Athena

athena, Jul 31, 1998, 2:27pm
26th of *every* month. In July, the 26th was a Sunday, which means that
most company computers weren't being used that go around. What about August
26th? And that's only one version of CIH....there are several floating
around. Really not trying to be an alarmist.....they report that this virus
will show up with *most* virus-scanning software. It's just a measure of how
persistent the virus-writers are....

Athena

athena, Jul 31, 1998, 3:07pm
Yes, the two motherboards I know of here that have jumpers are both
Asus. Does anyone know of any other brand?

Athena

paul barrow, Jul 31, 1998, 3:34pm
Of course not. Those are all junk computers. The only way I would have one
is if it was given to me.

Paul

paul barrow, Jul 31, 1998, 3:39pm
Most custom built machines using quality motherboards have a flash jumper.
The department store class machines like PB, Dell, IBM, Gateway, etc., are
all built to minimum standards and as cheaply as possible (so they have a
chance to compete on price) and have many shortcomings and are (compared to
good quality custom built systems) junk.
Out of all the motherboards we used over the years in our systems, only one
was jumperless.

Paul

paul barrow, Jul 31, 1998, 3:43pm
If I remember correctly, Micronics has flash jumpers. Check the MB
manufacturer's web site and you can probably find info on your boards.

Paul

aule, Jul 31, 1998, 5:53pm

dnapalm, Aug 1, 1998, 4:41am
Yes of course...I should have gone for.....uhhhh....hmmmm...oh wait, my
office doesn't buy no-names or over-priced Microns...

-DN

> Of course not. Those are all junk computers. The only way I would have one
> is if it was given to me.
>
> Paul

dnapalm, Aug 1, 1998, 4:43am
Hate to break it to you, but those "department store class" machines are 90%
of the ones out there, disdain or not. Like them or not, I don't give a
crap...the ORIGINAL point was most machines don't require a jumper to flash
the BIOS...

-DN

> Most custom built machines using quality motherboards have a flash jumper.
> The department store class machines like PB, Dell, IBM, Gateway, etc., are
> all built to minimum standards and as cheaply as possible (so they have a
> chance to compete on price) and have many shortcomings and are (compared to
> good quality custom built systems) junk.
> Out of all the motherboards we used over the years in our systems, only one
> was jumperless.
>
> Paul

chloe, Aug 1, 1998, 5:19am
http://kumite.com/myths/

just an FYI :)) most viruses (not ALL) are hoaxes.

chloe

> Using Netscape or Outlook for your email? Better have a look at this:
>
> <http://www.zdnet.com/zdnn/stories/zdnn_smgraph_display/0,3441,2123238,00.html>

paul barrow, Aug 1, 1998, 7:51pm
Oh, so your office would rather buy name brand, corner cutting, feature
impaired junk rather than a custom built "to your specs" professional system
just to save 5 or 10% on price? By the way, company I worked for offered
Life Time Labor support on our systems. Like to see you ask Dell, PB, or
one of the others for that? If you have to replace an "out of warranty"
cheapo sound card in a PB, say, it's $100 to $200+. Replace one of our
AWE64 Golds and it's about $89. So you're gonna pay the price in the end
regardless. Well, it's your company's data, if they choose to risk it, then
they've no one to blame but themselves when a system fails, or they can't
upgrade because it's proprietary, or it gets clobbered by a CIH virus.
There's the old saying, "you get what you pay for". If your company hasn't
worried about all the press about these companies doing things like using
refurb parts to using feature cut name brand designs (like the scandal over
the reduced feature Matrox Millennium designed into one of the above named
systems), then I don't know why they would be concerned over security holes
anyway. And let me guess, your office doesn't do tape backups of their
systems either?

Paul

paul barrow, Aug 1, 1998, 8:02pm
Hey, that's not news to me. As a computer technician, we repair the junk
machines sometimes (though we don't sell them or do warranty work) and sell
people our custom systems all the time after they've realized that what they
bought was junk and we've even had people return NEW "junk" systems where
they bought it and replaced it with one of ours. Also, we had an Office
Depot employee come to work for us, so we know all about their return rate on
this stuff, not to mention that Office Depot tried as hard as possible to
refer what service work they could to us. 90%? Yeah, I believe that 90% of
the buying public is ill-informed and gullible, including the supposed
"professionals" buying computer systems for their companies. Of course there
are a few who have enough sense to at least lease the junk rather than buy
it.

Paul

dnapalm, Aug 3, 1998, 2:34am
I have no idea what you are saying. We can't buy custom systems because we
don't normally have the time to wait for the thing to be built, even if we
trusted the people to build it right. You may not know this since the
smaller computer manufacturers don't usually get large contracts, but many
businesses prefer to buy in bulk. Or customize themselves. Custom-built
systems are great for a gamer who plays Q2 all day, but not for a company
that needs one quickly. We don't generally have specific needs when we buy,
except that it be a decent system with good support. We've had problems with
support in the smaller vendors, so we went with Dell. Good support. 1 year
on-site, 3 year limited for default, and you CAN get 3 year on-site for a bit
extra. I don't give a crap about life-time support because the lifetime of a
system isn't much over a year. 95% we can fix it ourselves anyway. So all we
really need are replacement parts. Which we get. I don't trust no-name
systems because of the one we went with for a year. They sucked. We once
bought Gateways, we now buy Dells. Personally, I just don't trust small
company support. I've seen many go out of business and screw their
customers.

And as to your other comments, we have a backup system in place and virus
detectors on every machine with updated definition files. Who we buy machines
from has nothing to do with that. There isn't a vendor out there that can
promise machines won't go down. We need a decent price and part repairs. We
get that through Dell. Plus, they are a client of our company. They do just
fine.

-DN

> Oh, so your office would rather buy name brand, corner cutting, feature
> impaired junk rather than a custom built "to your specs" professional system
> just to save 5 or 10% on price? By the way, company I worked for offered
> Life Time Labor support on our systems. Like to see you ask Dell, PB, or
> one of the others for that? If you have to replace an "out of warranty"
> cheapo sound card in a PB, say, it's $100 to $200+. Replace one of our
> AWE64 Golds and it's about $89. So you're gonna pay the price in the end
> regardless. Well, it's your company's data, if they choose to risk it, then
> they've no one to blame but themselves when a system fails, or they can't
> upgrade because it's proprietary, or it gets clobbered by a CIH virus.
> There's the old saying, "you get what you pay for". If your company hasn't
> worried about all the press about these companies doing things like using
> refurb parts to using feature cut name brand designs (like the scandal over
> the reduced feature Matrox Millennium designed into one of the above named
> systems), then I don't know why they would be concerned over security holes
> anyway. And let me guess, your office doesn't do tape backups of their
> systems either?
>
> Paul