BugTraq Mode:
(Page 1622 of 1748)  < Prev  1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627  Next >
Re: FW: Microsoft Security Update 2003-09-05
xenophi1e (oliver lavery sympatico ca)
In-Reply-To: <000301c3726e$5f919010$0200000a@JumperLappy>

>MS03-038 (code execution in Access Snapshot Viewer, an ActiveX control) got
>a rating of Moderate for webpage based exploits but completely forgets to
>mention HTML email.

While we're criticizing MS's handling of this series of goof-

RE: Microsoft Security Update 2003-09-04
Luke Smith (luke smith name)

>MS03-034 (NetBIOS information disclosure) gets a rating of Low, even though
>Blaster showed us just how many Windows installations run with all ports
>accessible.

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-034.asp

"Under certain conditions, the response to a

InlineEgg library release 2003-09-04
Gerardo Richarte (gera corest com)
We'd like to share with you the release of InlineEgg 1.0. The following
is a reduced version of the README available at
http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html,
the same page points to the .tar.gz

Welcome to InlineEgg.

Short version:

InlineEgg is a collection of

Stack Overflow by SIMPLESEM's abstraction 2003-09-03
Angelo Rosiello (guilecool usa com)


Rosiello Security
http://www.rosiello.org

(I advise you to read the original paper:
http://www.rosiello.org/archivio/Stack%20Overflow-en.pdf)

Stack Overflow's Analysis & Exploiting Ways

Introduction

The first passage to foll

Re: Blaster / Power Outage Follow up 2003-09-04
Nicholas Weaver (nweaver CS berkeley edu)
On Thu, Sep 04, 2003 at 01:36:17PM -0400, Richard M. Smith composed:
> And here's more:
>
> Blackout Probe Hears FirstEnergy Tapes
> http://tinyurl.com/m8q4
>
> ...
>
> The House committee released a transcript of telephone calls between
> FirstEnergy and the Midwest region's power grid operator

Re: Fwd: IE 5.x keep-alive session hijacking 2003-09-04
Waldo Bastian (bastian kde org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 04 September 2003 17:45, you wrote:
> Hi,
>
> sorry for being inaccurate, but I noticed that our transparent-proxy system
> is trying (and even succeeds at some level) to hijack client http
> connections.

Sounds like a bug in your proxy

DoS - affecting _both_ ZA and W98 2003-09-04
nologin (bugtraq nologin org)
[-- Genre : Denial of Service(DoS)
[-- Name : augustiner.c
[-- Desc : Freezing Windows 98(not SE).
[-- : DoS'ing Zonealarm

(note: those are separate incidents. It affects both independently, not just
W98 with ZA)

[-- Url : www.nologin.org

Yo everyone!

_6Mo_hAcK posted a

RE: Blaster / Power Outage Follow up 2003-09-04
Richard M. Smith (rms computerbytesman com)
And here's more:

Blackout Probe Hears FirstEnergy Tapes
http://tinyurl.com/m8q4

...

The House committee released a transcript of telephone calls between
FirstEnergy and the Midwest region's power grid operator which showed
growing chaos and confusion in FirstEnergy's control room in the hours
bef

RE: Windows Update: A single point of failure for the world's economy? 2003-09-04
Schmehl, Paul L (pauls utdallas edu)
> -----Original Message-----
> From: Aaron Cheek [mailto:aaron_cheek (at) yahoo (dot) com]
> Sent: Wednesday, September 03, 2003 5:03 PM
> To: Schmehl, Paul L
> Cc: stefano.zanero (at) ieee (dot) org; BUGTRAQ (at) securityfocus (dot) com
> Subject: Re: Windows Update: A single point of failure for
> the world's economy?
>
> > Mo

Re: RIP: ActiveX controls in Internet Explorer? 2003-09-04
Peter J. Holzer (hjp wsr ac at)
On 2003-09-02 13:02:39 -0400, Igor Filippov wrote:
> It seems the patent in question covers not only client-side
> executables, but server-side as well:
> "Once selected the program object executes on the
> user's (client) computer or may execute on a remote server or additional
> remote computers"

Re: Windows Update: A single point of failure for the world's economy? 2003-09-04
Stefano Zanero (stefano zanero ieee org)
> More of a risk than up2date for RedHat or emerge -u system for Gentoo? Or
> cvsup for *BSD?

Yeah. A lot more.

None of these is enabled "by default" or, worse, "mandatorily", which was
the point of my post. Additionally, none of these ADD or REMOVE things from
your system you didn't configure.

RE: Windows Update: A single point of failure for the world's economy? 2003-09-04
Schmehl, Paul L (pauls utdallas edu)
> -----Original Message-----
> From: Jeremy C. Reed [mailto:reed (at) reedmedia (dot) net]
> Sent: Wednesday, September 03, 2003 5:12 PM
> To: Schmehl, Paul L
> Cc: Stefano Zanero; BugTraq
> Subject: Re: Windows Update: A single point of failure for
> the world's economy?
>
> cvsup (or cvs) to update to new

Re: Windows Update: A single point of failure for the world's economy? 2003-09-04
Barry Fitzgerald (bkfsec sdf lonestar org)
Paul Schmehl wrote:

> --On Sunday, August 31, 2003 09:01:49 PM +0200 Stefano Zanero
> <stefano.zanero (at) ieee (dot) org> wrote:
>
>>
>> Enabling a world-wide auto-update feature does indeed seem much of a
>> security risk to me.
>>
> More of a risk than up2date for RedHat or emerge -u system for
> Gentoo?

Re: Windows Update: A single point of failure for the world's economy? 2003-09-03
Jeremy C. Reed (reed reedmedia net)
On Wed, 3 Sep 2003, Paul Schmehl wrote:

> > Enabling a world-wide auto-update feature does indeed seem much of a
> > security risk to me.
> >
> More of a risk than up2date for RedHat or emerge -u system for Gentoo? Or
> cvsup for *BSD?

cvsup (or cvs) to update to new operating system or ports/pkg

Re: Windows Update: A single point of failure for the world's economy? 2003-09-03
Kurt Seifried (bt seifried org)
> > Enabling a world-wide auto-update feature does indeed seem much of a
> > security risk to me.
> >
> More of a risk than up2date for RedHat or emerge -u system for Gentoo? Or
> cvsup for *BSD?

Yes. These systems are voluntary. The structure of UNIX systems, and updates
makes it much easier to t

leafnode 1.9.3 - 1.9.41 security announcement SA-2003-01 2003-09-04
Matthias Andree (matthias andree gmx de)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

leafnode-SA-2003:01.fetchnews-hang

Topic: potential denial of service in leafnode

Announcement: leafnode-SA-2003:01
Writer: Matthias Andree
Version: 1.01
Announced: 2003-09-04
Category: main
Type: potential denial of service
Impact: fetchnews hang

Re: IE 5.x keep-alive session hijacking 2003-09-04
3APA3A (3APA3A SECURITY NNOV RU)
Dear Domas Mituzas,

I can't confirm this behaviour for IE 5.5 and 6.0. Maybe the behaviour you
observe is a result of the customer having his own proxy server (for example
something like proxymitron, or some kind of ad killer, etc) before your
transparent proxy and customer's proxy server do

FW: Microsoft Security Update 2003-09-03
Thor Larholm (thor pivx com)
I see a trend going on here, Word, Office, Office, Office and Office. I
guess Office has been overdue in regards to security bulletins lately :)

MS03-034 (NetBIOS information disclosure) gets a rating of Low, even though
Blaster showed us just how many Windows installations run with all ports
acces

Blaster / Power Outage Follow up 2003-09-04
Geoff Shively (gshively pivx com)
As suggested the day of the blackout, SCADA / DCS security was
a primary factor in the blackouts.

--MSBlast's Effect on the Blackout
(29 August 2003)
The MSBlast worm apparently slowed some communications lines that
connect data centers used to manage the power grid, abetting the
"cascading effect

Re: Windows Update: A single point of failure for the world's economy? 2003-09-03
Aaron Cheek (aaron_cheek yahoo com)
> More of a risk than up2date for RedHat or emerge -u
> system for Gentoo? Or cvsup for *BSD?

Certainly!!! For Red Hat (and all the major distros),
you have a zillion mirrors all over the world, and,
additionally, you can in extremely straightforward way
(e.g. wget -r) bulk download all the patc

Re: AntiGen Email scanning software allows file through filter.... 2003-09-04
Thomas Roughley (thomas_roughley sybari com)
In-Reply-To: <20030815193237.4614.qmail (at) www.securityfocus (dot) com>

We have contacted Mr Pingree to resolve the issue reported. He has stated
that the problem WAS NOT with Antigen but a configuration problem. He has
since resolved the problem.

Thank You

Thomas Roughley
Manager- Technical Acc

[RHSA-2003:240-01] Updated httpd packages fix Apache security vulnerabilities 2003-09-04
bugzilla redhat com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated httpd packages fix Apache security vulnerabilities
Advisory ID: RHSA-2003:240-01
Issue date: 20

Re: IE: CHM Attacks are still alive (CHM attack without showHelp()) 2003-09-04
Andreas Sandblad (sandblad acc umu se)
In order to use the shortcut command your code must be launched
in HTML Help. Simply linking to contents inside a chm file with the
mk: protocol will not do the trick since you are still operating inside
IE. That is the reason why you didn't get the chm file to execute
programs using the shortcut co

CfP DIMVA 2004 2003-09-03
Thomas Biege (thomas suse de)
[My apologies if you receive multiple copies of this message]

The special interest group SIDAR (Security - Intrusion Detection and
Response) of the German Informatics Society (GI) engages in the
detection and management of information security incidents. In
cooperation with the IEEE Task Force on I

Re: Windows Update: A single point of failure for the world's economy? 2003-09-03
Paul Schmehl (pauls utdallas edu)
--On Sunday, August 31, 2003 09:01:49 PM +0200 Stefano Zanero
<stefano.zanero (at) ieee (dot) org> wrote:
>
> Enabling a world-wide auto-update feature does indeed seem much of a
> security risk to me.
>
More of a risk than up2date for RedHat or emerge -u system for Gentoo? Or
cvsup for *BSD?

Paul Schmehl

Re: Windows Update: A single point of failure for the world's economy? 2003-09-03
Andrew Gideon (jk28j381jdl30 gideon org)
Stefano Zanero wrote:

> Enabling a world-wide auto-update feature does indeed seem much of a
> security risk to me.

There was an interesting article in the Washington Post recently:

http://www.washingtonpost.com/ac2/wp-dyn/A34978-2003Aug23?language=printer

It included the text:

RE: RIP: ActiveX controls in Internet Explorer? 2003-09-02
Drew Copley (dcopley eeye com)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: sb (at) xiongmao.otago.ac (dot) nz
> [mailto:sb (at) xiongmao.otago.ac (dot) nz] On Behalf Of Simon Brady
> Sent: Sunday, August 31, 2003 6:43 PM
> To: bugtraq (at) securityfocus (dot) com
> Subject: Re: RIP: ActiveX controls in Internet Explor

Re: Windows Update: A single point of failure for the world's economy? 2003-09-03
Lawrence MacIntyre (lpz ornl gov)
Stefano:

I rebuilt my Windows 2000 system from scratch this spring because of an
update. I can't remember the patch number anymore, but I remember that
it was a critical security update. I also remember reading about it the
day after it happened to me. Supposedly it was related to another patch

Re: RIP: ActiveX controls in Internet Explorer? 2003-09-02
Igor Filippov (igor osc edu)
It seems the patent in question covers not only client-side
executables, but server-side as well:
"Once selected the program object executes on the
user's (client) computer or may execute on a remote server or additional
remote computers"
So, not only javascript/flash/java are subjects of this copyr

Copyright 2010, SecurityFocus