
iss.summary.5.3

Posted Apr 4, 2000
Site xforce.iss.net

ISS Security Alert Summary 5.3 - Summary of vulnerabilities discovered in March, 2000. Contains 33 reported vulnerabilities - windmail-pipe-command, windmail-fileread, simpleserver-exception-dos, linux-domain-socket-dos, linux-gpm-root, outlook-manipulate-hidden-drives, vqserver-dir-traverse, vqserver-passwd-plaintext, iis-chunked-encoding-dos, nav-email-gateway-dos, netscape-server-directory-indexing, mercur-webview-get-dos, officescan-admin-pw-plaintext, officescan-admin-access, linux-kreatecd-path, win-dos-devicename-dos, wmcdplay-bo, nt-registry-permissions, staroffice-scheduler-fileread, staroffice-scheduler-bo, iis-root-enum, mssql-query-abuse, clipart-cil-bo, oracle-installer, linux-rpm-query, thebat-mua-attach, irix-infosrch-fname, linux-dosemu-config, coldfusion-reveal-pathname, netscape-enterprise-command-bo, nmh-execute-code, htdig-remote-read, and ie-html-shortcut.

tags | remote, root, registry, vulnerability
systems | linux, irix
SHA-256 | 73a4d14101964f3e30048066a698907d3a3a447cd3fd69d5e08ddd23f575d71c

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
April 1, 2000
Volume 5 Number 3

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.

_____

Contents

33 Reported Vulnerabilities
- windmail-pipe-command
- windmail-fileread
- simpleserver-exception-dos
- linux-domain-socket-dos
- linux-gpm-root
- outlook-manipulate-hidden-drives
- vqserver-dir-traverse
- vqserver-passwd-plaintext
- iis-chunked-encoding-dos
- nav-email-gateway-dos
- netscape-server-directory-indexing
- mercur-webview-get-dos
- officescan-admin-pw-plaintext
- officescan-admin-access
- linux-kreatecd-path
- win-dos-devicename-dos
- wmcdplay-bo
- nt-registry-permissions
- staroffice-scheduler-fileread
- staroffice-scheduler-bo
- iis-root-enum
- mssql-query-abuse
- clipart-cil-bo
- oracle-installer
- linux-rpm-query
- thebat-mua-attach
- irix-infosrch-fname
- linux-dosemu-config
- coldfusion-reveal-pathname
- netscape-enterprise-command-bo
- nmh-execute-code
- htdig-remote-read
- ie-html-shortcut

Risk Factor Key

_____

Date Reported: 3/25/00
Vulnerability: windmail-pipe-command
Platforms Affected: WindMail 3.0
Risk Factor: High
Attack Type: Network Based

WindMail is a command-line email messenger for Windows that can create
mail forms for web sites from CGI scripts. By issuing an HTTP command that
includes the pipe character, an attacker could execute arbitrary commands
on the vulnerable system.

Reference:
Bugtraq Mailing List: "Windmail allow web user get any file" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com

_____

Date Reported: 3/25/00
Vulnerability: windmail-fileread
Platforms Affected: WindMail 3.0
Risk Factor: Medium
Attack Type: Network Based

WindMail is a command-line email messenger for Windows that can create
mail forms for web sites from CGI scripts. By sending a
specially-formatted URL, an attacker could retrieve any ASCII file on the
vulnerable system.

Reference:
Bugtraq Mailing List: "Windmail allow web user get any file" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com

_____

Date Reported: 3/25/00
Vulnerability: simpleserver-exception-dos
Platforms Affected: SimpleServer WWW 1.03
Risk Factor: Medium
Attack Type: Network/Host Based

AnalogX SimpleServer WWW is a standard web server for Windows. Version
1.03 is vulnerable to a simple denial of service attack. By requesting a
URL with exactly 8 characters following the /cgi-bin/ directory, an
attacker can crash the server, requiring it to be rebooted.

Reference:
Bugtraq Mailing List: "AnalogX SimpleServer 1.03 Remote Crash" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=web-5645555@post2.rnci.com

_____

Date Reported: 3/23/00
Vulnerability: linux-domain-socket-dos
Platforms Affected: RedHat Linux (6.1, 6.2)
Risk Factor: Medium
Attack Type: Network/Host Based

The Linux kernel is vulnerable to a denial of service attack due to
improper handling of Unix domain sockets. The Unix domain sockets ignore
limits set in wmem_max. A local attacker can crash the system by creating
successive Unix domain sockets, requiring the system to be rebooted.

Reference:
Bugtraq Mailing List: "Local Denial-of-Service attack against Linux" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000323175509.A23709@clearway.com

_____

Date Reported: 3/22/00
Vulnerability: linux-gpm-root
Platforms Affected: Linux running General Purpose Mouse
Risk Factor: Low
Attack Type: Host Based

The General Purpose Mouse (gpm) package is a tool to enable the mouse for
cutting and pasting on consoles, which ships with several Linux
distributions. Due to a design flaw in gpm-root, which causes the setgid
call to fail, a local user with console access can obtain the group id
that is running gpm-root (usually root).

Reference:
Bugtraq Mailing List: "gpm-root" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com

_____

Date Reported: 3/22/00
Vulnerability: outlook-manipulate-hidden-drives
Platforms Affected: Microsoft Outlook 98
Risk Factor: Medium
Attack Type: Host Based

Microsoft Outlook contains a vulnerability that would allow a local user
to view hidden drives. In Windows NT, an administrator can hide specific
drives using systems policies, so that they cannot be accessed using My
Computer, Windows NT Explorer, or the command prompt. However, the Insert
File option in Microsoft Outlook reveals the hidden drives, allowing a
user to copy, cut, paste, or delete files.

Reference:
Bugtraq Mailing List: "Hide Drives does not work with OUTLOOK 98" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000322151011.2581.qmail@securityfocus.com

_____

Date Reported: 3/21/00
Vulnerability: vqserver-dir-traverse
Platforms Affected: vqSoft's vqServer
Risk Factor: Medium
Attack Type: Network/Host Based

The vqServer program by vqSoft is a Java-based personal web server for
cross-platform environments. Version 1.9.9 of vqServer, and possibly
others, contains a vulnerability that would allow a user to traverse the
directories by appending /........../ to a URL, then submitting to the
server. This would allow a remote attacker to access any file on the
system.

Reference:
Bugtraq Mailing List: "vqserver /........../" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net

_____

Date Reported: 3/21/00
Vulnerability: vqserver-passwd-plaintext
Platforms Affected: vqSoft's vqServer
Risk Factor: High
Attack Type: Network/Host Based

The vqServer program by vqSoft is a Java-based personal web server for
cross-platform environments. Version 1.9.9 of vqServer, and possibly
others, stores server settings and passwords unencrypted. A remote user
could access the password file, via a directory traversal vulnerability
in the program, to obtain the administrator password and gain
administrative rights to the server.

Reference:
Bugtraq Mailing List: "vqserver /........../" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net

_____

Date Reported: 3/20/00
Vulnerability: iis-chunked-encoding-dos
Platforms Affected: Microsoft Internet Information Server 4.0
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Internet Information Server (IIS) 4.0 contains a vulnerability
in its support for chunked encoding transfers, because it does not limit
the size of these transfers. An attacker could consume memory on the
server by requesting a buffer be reserved for an extremely large amount of
data, and then keeping the session open without sending the data. It is
possible for an attacker to consume enough memory to cause the server to
stop functioning properly. The server could be restored by stopping and
restarting the IIS service.

Reference:
Microsoft Security Bulletin (MS00-018): "Patch Available for 'Chunked
Encoding Post' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-018.asp
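The iis-chunked-encoding-dos entry above comes down to a server reserving memory for a declared chunk size before any of that data arrives. The following is an added example (written for this summary, not Microsoft's or IIS's code) of a chunked-body decoder that checks every declared chunk size against a remaining budget before reading it, so a stalled client holding a huge declaration costs nothing beyond the bytes actually received. The 1 MiB limit and the two sample streams are constructed for the example.

```python
import re

MAX_BODY_BYTES = 1024 * 1024  # constructed policy limit: 1 MiB per request body


class ChunkedBodyError(ValueError):
    """Malformed chunked encoding, or a body that exceeds the limit."""


# chunk-size line: 1-8 hex digits, optional ";name=value" chunk extensions
_CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;.*)?$")


def decode_chunked(stream: bytes, max_body: int = MAX_BODY_BYTES) -> bytes:
    """Decode an HTTP/1.1 chunked body without ever reserving more than max_body.

    Each declared chunk size is checked against the remaining budget before
    any data for that chunk is read, so a client that announces a huge chunk
    and then stalls cannot make the server pre-allocate that memory.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedBodyError("truncated chunk-size line")
        m = _CHUNK_SIZE_LINE.match(stream[pos:eol])
        if not m:
            raise ChunkedBodyError("malformed chunk-size line")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers are not needed here
        # Budget check happens before the chunk data is touched or stored.
        if len(out) + size > max_body:
            raise ChunkedBodyError(f"declared body exceeds {max_body} bytes")
        chunk = stream[pos:pos + size]
        if len(chunk) < size:
            raise ChunkedBodyError("truncated chunk data")
        out += chunk
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise ChunkedBodyError("missing CRLF after chunk data")
        pos += 2


def is_rejected(stream: bytes, max_body: int = MAX_BODY_BYTES) -> bool:
    """True if the decoder refuses the stream, for a limit or a syntax error."""
    try:
        decode_chunked(stream, max_body)
    except ChunkedBodyError:
        return True
    return False


# Constructed sample streams.
WELL_FORMED = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
# A client declares a chunk of roughly 2 GiB and then sends nothing at all.
STALLED_HUGE_CHUNK = b"7FFFFFFF\r\n"
```

In a real server the same budget check would sit in the socket-reading loop rather than over a complete byte string, but the ordering is the point: validate the declared size, then read, never the reverse.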

_____

Date Reported: 3/17/00
Vulnerability: nav-email-gateway-dos
Platforms Affected: Norton AntiVirus for Internet Email Gateways
Risk Factor: Medium
Attack Type: Network/Host Based

Norton AntiVirus for Internet Email Gateways is an SMTP agent that scans
email attachments for viruses. It includes a web-based management and
administration interface that uses an embedded web server in the product.
By sending a long URL to the server, a user will overflow a buffer and
crash the program.

Reference:
Bugtraq Mailing List: "DoS with NAVIEG" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=s8d1f3e3.036@kib.co.kodiak.ak.us

_____

Date Reported: 3/17/00
Vulnerability: netscape-server-directory-indexing
Platforms Affected: Netscape Enterprise Server (3.0, 3.51, 3.6)
Risk Factor: Medium
Attack Type: Network/Host Based

Netscape Enterprise Server version 3.x contains a feature called Directory
Indexing. This feature, which is enabled by default, displays a directory
listing when a user includes certain tags in a requested URL. This
could allow a remote attacker to gain unauthorized access to documents or
retrieve lists of file names (such as CGI scripts).

Reference:
Bugtraq Mailing List: "[SAFER 000317.EXP.1.5] Netscape Enterprise Server
and '?wp' tags" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D2173D.24E39DD0@relaygroup.com

_____

Date Reported: 3/16/00
Vulnerability: mercur-webview-get-dos
Platforms Affected: Mercur WebView WebMail-Client 1.0
Risk Factor: Medium
Attack Type: Network/Host Based

MERCUR WebView WebMail-Client 1.0 is an add-on to the MERCUR 3.0 mail
server that allows users to read email via a web browser. Due to improper
bounds checking in the GET command on port 1080, a user can overflow a
buffer and cause the WebMail service to crash.

Reference:
Underground Security Systems Research: "Local / Remote DoS Attack in
MERCUR WebView WebMail-Client 1.0 for Windows 98/NT Vulnerability" at:
http://www.ussrback.com/labs36.html

_____

Date Reported: 3/16/00
Vulnerability: officescan-admin-pw-plaintext
Platforms Affected: Trend Micro OfficeScan Corporate Edition
(3.0, 3.11, 3.13, 3.5)
Risk Factor: High
Attack Type: Network/Host Based

Trend Micro OfficeScan 3.51 and below transmits the administrator password
over the network in cleartext. OfficeScan is anti-virus software for
corporate networks. When configured in the web-based mode on a Windows NT
server, an attacker can use a sniffing program to intercept the
administrator password.

Reference:
Bugtraq Mailing List: "OfficeScan TrendMicro: admin for everybody!" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D0E213.5F0AA04@neurocom.com

_____

Date Reported: 3/16/00
Vulnerability: officescan-admin-access
Platforms Affected: Trend Micro OfficeScan Corporate Edition
(3.0, 3.11, 3.13, 3.5)
Risk Factor: High
Attack Type: Network/Host Based

Trend Micro OfficeScan 3.51 and below allows users to perform
administrative tasks without authentication. OfficeScan is anti-virus
software for corporate networks. When configured in the web-based mode on
a Windows NT server, an unauthenticated attacker can use a web browser to
access and execute cgi scripts for administration of the software across
the network.

References:
Bugtraq Mailing List: "OfficeScan TrendMicro: admin for everybody!" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D0E213.5F0AA04@neurocom.com

Bugtraq Mailing List: "Trend Micro releases Patch for 'OfficeScan
Unauthenticated CGI Usage' vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=D129BBE1730AD2118A0300805FC1C2FE0650E8E6@209-76-212-10.trendmicro.com

_____

Date Reported: 3/16/00
Vulnerability: linux-kreatecd-path
Platforms Affected: SUSE Linux (6.0, 6.1, 6.2, 6.3)
Risk Factor: High
Attack Type: Host Based

The kreatecd package is a graphical front end tool for the cdrecord
command that ships with several Linux distributions. The program is
installed setuid root and is designed to trust the configuration path to
cdrecord. A local attacker could use kreatecd to execute commands as root.

Reference:
Bugtraq Mailing List: "TESO & C-Skills development advisory -- kreatecd" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=ine.LNX.3.96.1000316143853.257E-200000@ati12.cs.uni-potsdam.de

_____

Date Reported: 3/16/00
Vulnerability: win-dos-devicename-dos
Platforms Affected: Windows 95
Windows 98
Risk Factor: Medium
Attack Type: Network Based

Microsoft Windows 95 and 98 contain a vulnerability in the parsing of file
path names. DOS device names, such as COM1 or LPT1, are reserved words and
normally cannot be used as file or directory names. If a user attempts to
access a file path name that includes one DOS device name, it is treated
as invalid, and an error is returned. However, if the path name includes
multiple DOS device names, the machine will crash.

Reference:
Microsoft Security Bulletin (MS00-017): "Patch Available for 'DOS Device
in Path Name' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-017.asp
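The win-dos-devicename-dos entry describes path names that reach the operating system's parser before any application-level check. As an added example (not Microsoft's code, nor from the advisory), the validator below rejects a user-supplied path whose components name a DOS device, so a server can answer the request with an error instead of handing the path to the kernel. The list of reserved names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) is the documented Windows set; it is reproduced here as a constructed table for the example.

```python
import re
from typing import List

# Names Windows reserves for devices in any directory, with or without an
# extension (constructed table for this example).
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{n}" for n in range(1, 10)}
             | {f"LPT{n}" for n in range(1, 10)})


def reserved_device_name(component: str) -> bool:
    """True if one path component names a DOS device.

    The comparison mirrors how Windows matches: case-insensitive, trailing
    spaces and dots ignored, and anything after the first dot ignored, so
    'con.txt' and 'NUL.' both count as device names.
    """
    base = component.rstrip(" .").split(".", 1)[0].upper()
    return base in _RESERVED


def find_device_names(path: str) -> List[str]:
    """Return every component of a user-supplied path that is a device name,
    accepting both '\\' and '/' as separators."""
    return [c for c in re.split(r"[\\/]+", path) if c and reserved_device_name(c)]


def is_safe_path(path: str) -> bool:
    """Reject the request before the path reaches the OS. A server that runs
    this check can return 400 instead of passing a device path to the kernel."""
    return not find_device_names(path)
```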

_____

Date Reported: 3/10/00
Vulnerability: wmcdplay-bo
Platforms Affected: wmcdplay
Risk Factor: High
Attack Type: Host Based

The wmcdplay CD player program is vulnerable to a buffer overflow attack.
A local attacker can pass an argument to overflow the stack, due to
insufficient bounds checking on calls to sprintf. The program is setuid
root, allowing an attacker to gain root privileges by overflowing the
stack and executing arbitrary code on the system.

Reference:
BugTraq mailing list: "wmcdplay Buffer Overflow Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000311143230.4C0C01EE8B@lists.securityfocus.com

_____

Date Reported: 3/9/00
Vulnerability: nt-registry-permissions
Platforms Affected: Microsoft Windows NT 4.0
Risk Factor: High
Attack Type: Host Based

Windows NT 4.0, including the Workstation, Server, and Terminal Server
versions, has some registry permissions that are too permissive. A local
user with access to the machine could potentially increase their access
and cause code to be executed on the machine.

Reference:
Microsoft Security Bulletin (MS00-008): "Patch Available for 'Registry
Permissions' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-008.asp

_____

Date Reported: 3/9/00
Vulnerability: staroffice-scheduler-fileread
Platforms Affected: StarOffice 5.1
Risk Factor: Medium
Attack Type: Network Based

StarOffice is an office-productivity suite from Sun Microsystems. The
StarSchedule server, which controls the group scheduling component of
StarOffice, allows an attacker to read files on the server. A remote user
can traverse directories using "../" paths to read any file on the server
through a browser.

Reference:
Bugtraq Mailing List: "[SAFER 000309.EXP.1.4] StarScheduler (StarOffice)
vulnerabilities" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38C68FB8.6F234393@relaygroup.com
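Both vqserver-dir-traverse (the "/........../" form) and staroffice-scheduler-fileread (the "../" form) are the same failure: a URL path is mapped onto the file system without confirming the result stays under the document root. The added example below (not vqSoft's or Sun's code) shows the containment check a file-serving handler needs: decode, reject parent references outright, and then compare the real path against the real root so a symlink inside the root cannot point outside it. The document root, its files and the escaping symlink are constructed in a temporary directory by run_demo().

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """The request path would resolve outside the document root."""


def resolve_under_root(doc_root: str, request_path: str) -> str:
    """Map a URL path onto a file under doc_root, or raise PathTraversalError.

    Order matters: percent-decode first so '%2e%2e' is seen as '..', then
    reject '..' components explicitly rather than silently clamping them,
    then resolve symlinks on both sides before comparing prefixes.
    """
    decoded = unquote(request_path).replace("\\", "/")
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PathTraversalError(f"parent reference in {request_path!r}")
    root = os.path.realpath(doc_root)
    real = os.path.realpath(os.path.join(root, *parts))
    # A symlink under the root may still point elsewhere; realpath exposes that.
    if real != root and not real.startswith(root + os.sep):
        raise PathTraversalError(f"{request_path!r} escapes the document root")
    return real


def is_contained(doc_root: str, request_path: str) -> bool:
    try:
        resolve_under_root(doc_root, request_path)
    except PathTraversalError:
        return False
    return True


def run_demo() -> dict:
    """Constructed document root: one page plus a symlink that escapes upward."""
    root = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    return {
        "plain": is_contained(root, "/index.html"),
        "dotdot": is_contained(root, "/../../etc/passwd"),
        "encoded": is_contained(root, "/%2e%2e/%2e%2e/etc/passwd"),
        # Ten dots are just an odd directory name to a correct resolver; the
        # path stays under the root and would simply be a 404.
        "many_dots": is_contained(root, "/........../index.html"),
        "symlink": is_contained(root, "/escape/etc/passwd"),
    }
```

Rejecting ".." instead of normalizing it away is deliberate: a request that carries a parent reference has no legitimate reading, and refusing it produces a log line worth alerting on, whereas clamping hides the probe.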

_____

Date Reported: 3/9/00
Vulnerability: staroffice-scheduler-bo
Platforms Affected: StarOffice 5.1
Risk Factor: High
Attack Type: Network Based

StarOffice is an office-productivity suite from Sun Microsystems. The
StarSchedule server, which controls the group scheduling component of
StarOffice, is vulnerable to a buffer overflow attack. Sending a large
amount of data to the GET command will crash the server, and could allow
an attacker to execute arbitrary code as root.

Reference:
Bugtraq Mailing List: "[SAFER 000309.EXP.1.4] StarScheduler (StarOffice)
vulnerabilities" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38C68FB8.6F234393@relaygroup.com

_____

Date Reported: 3/8/00
Vulnerability: iis-root-enum
Platforms Affected: IIS (4.0, 5.0)
Risk Factor: Medium
Attack Type: Host Based

Microsoft Internet Information Server (IIS) 4.0 and 5.0 discloses paths of
network shares if configured incorrectly. Files of type IDQ, IDA, and HTX
cannot be served from a network share. If a web site administrator
attempts to serve these types of files from network shares, a user who
attempts to access them will receive an error message that discloses the
share path of the file.

Reference:
BugTraq mailing list: "Microsoft IIS UNC Path Disclosure Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=007201bf89dc$a18dd2e0$056fee3f@spis.net

_____

Date Reported: 3/8/00
Vulnerability: mssql-query-abuse
Platforms Affected: Microsoft SQL Server 7.0
Microsoft Data Engine 1.0
Risk Factor: High
Attack Type: Network Based

Microsoft SQL Server 7.0 and Microsoft Data Engine 1.0 are vulnerable to a
remote query problem. The server and engine do not perform sufficient
argument validation on particular types of SQL statements. A remote user
who has access to submit queries could take actions on the SQL database
and possibly perform actions on the server itself.

Reference:
Microsoft Security Bulletin (MS00-014): "Patch Available for 'SQL Query
Abuse' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-014.asp

_____

Date Reported: 3/6/00
Vulnerability: clipart-cil-bo
Platforms Affected: Microsoft Office 2000
Microsoft Works 2000
Risk Factor: High
Attack Type: Host Based

Microsoft Clip Art Gallery, shipped with such packages as Microsoft Office
2000 and Microsoft Works 2000, contains a possible buffer overflow in the
handling of CIL files. The CIL file format is used for downloading
additional clips for installation into the gallery. If a CIL file is
created with a long field embedded in it, it will overflow the buffer and
crash the Clip Gallery, which could result in the execution of arbitrary
code.

Reference:
Microsoft Security Bulletin (MS00-015): "Patch Available for 'Clip Art
Buffer Overrun' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-015.asp

_____

Date Reported: 3/5/00
Vulnerability: oracle-installer
Platforms Affected: Oracle 8.1.5i
Risk Factor: High
Attack Type: Host Based

The installation program for Oracle 8.1.5i contains a vulnerability that
could allow an attacker to gain root access. The Oracle installation
script creates the directory /tmp/orainstall, owned by oracle:dba, mode
711, containing the shell script orainstRoot.sh, mode 777. Then, the
installation program stops and asks the user to run the orainstRoot.sh
script. An attacker could create a symbolic link from this file to
elsewhere on the file system, which could be used to create an .rhosts
file and gain access to the root account. A local user could also edit
this script to execute arbitrary commands when run by root.

Reference:
BugTraq Mailing List: "Oracle for Linux Installer Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.10.10003051801030.22289-100000@obscurity.org
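The oracle-installer entry describes two weaknesses together: a predictable staging directory under /tmp and a world-writable script that root is later asked to run. The following is an added example (not Oracle's installer code) of the check a privileged step should perform before executing a helper from such a location: inspect the path with lstat so a planted symlink is seen rather than followed, and refuse anything that is not a regular file owned by the expected user with no group or world write bit. run_demo() builds a constructed staging directory with a properly restricted script, a mode-777 script, and a symlink; the file names are chosen for the example.

```python
import os
import stat
import tempfile


class UntrustedScriptError(RuntimeError):
    """The helper script must not be executed with elevated privileges."""


def check_root_helper(path: str, expected_uid: int) -> None:
    """Refuse a script that a less-privileged user could have replaced or edited.

    lstat() is used on purpose: a symlink planted at this path is reported as
    a symlink and never followed to whatever it points at.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise UntrustedScriptError("path is a symbolic link")
    if not stat.S_ISREG(st.st_mode):
        raise UntrustedScriptError("path is not a regular file")
    if st.st_uid != expected_uid:
        raise UntrustedScriptError("unexpected owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UntrustedScriptError("script is group- or world-writable")
    parent = os.lstat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        raise UntrustedScriptError("parent directory is world-writable without the sticky bit")


def is_trusted(path: str, expected_uid: int) -> bool:
    try:
        check_root_helper(path, expected_uid)
    except UntrustedScriptError:
        return False
    return True


def run_demo() -> dict:
    """Constructed stand-in for the installer's staging directory.

    mkdtemp() creates the directory with mode 0700 under the caller's uid,
    which is what a staging area should look like instead of a predictable
    /tmp/orainstall with mode 711.
    """
    staging = tempfile.mkdtemp(prefix="orainst-")
    me = os.getuid()

    good = os.path.join(staging, "orainstRoot.sh")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\necho installing\n")
    os.chmod(good, 0o700)

    loose = os.path.join(staging, "loose.sh")  # the advisory's mode-777 script
    with open(loose, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(loose, 0o777)

    planted = os.path.join(staging, "planted.sh")  # a symlink pointing elsewhere
    os.symlink(os.path.join(staging, "somewhere-else"), planted)

    return {
        "private_script": is_trusted(good, me),
        "mode_777": is_trusted(loose, me),
        "symlink": is_trusted(planted, me),
        "wrong_owner": is_trusted(good, me + 1),
    }
```

The check closes the window the entry describes only if it runs immediately before the exec in the same privileged process; a check done earlier, or by the unprivileged installer, leaves the file open to replacement in between.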

_____

Date Reported: 3/3/00
Vulnerability: linux-rpm-query
Platforms Affected: Caldera OpenLinux 2.3
Risk Factor: Medium
Attack Type: Network Based

Caldera OpenLinux 2.3 contains a vulnerability in the rpm_query CGI. The
rpm_query CGI is installed in the /home/httpd/cgi-bin/ directory. A remote
user could run this CGI to obtain a listing of the name and version number
of every package installed on the system.

Reference:
BugTraq mailing list: "Caldera OpenLinux 2.3 rpm_query CGI Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0003041204220.6797-100000@juggernaut.el8.org

_____

Date Reported: 3/2/00
Vulnerability: thebat-mua-attach
Platforms Affected: The Bat!
Risk Factor: Medium
Attack Type: Network Based

The Bat! is a mail agent for Windows developed by Rit Research Labs. One
of the program's features is that it saves attachments from incoming mail
in a specified folder on the system, and adds the file's path to the
incoming message as a pseudo-header called X-BAT-FILES. If a message with
an attachment is forwarded to someone else, the pseudo-header line
remains. This allows the recipient to see the sender's default location
for all saved email attachments.

Reference:
BugTraq Mailing List: "Rit Research Labs 'The Bat!' X-BAT-FILES
Vulnerabilities" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=200003021443.RAA31070@adm.sci-nnov.ru

_____

Date Reported: 3/2/00
Vulnerability: irix-infosrch-fname
Platforms Affected: IRIX 6.5
Risk Factor: High
Attack Type: Network/Host Based

InfoSearch is a tool distributed by SGI that converts man pages, release
notes, and other documents into HTML format for reading on the Internet.
It contains a vulnerability in the method it uses to parse input for the
fname variable that would allow a remote attacker to execute arbitrary
commands on the web server.

Reference:
Bugtraq Mailing List: "infosrch.cgi vulnerability (IRIX 6.5)" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10003021059360.21162-100000@inetarena.com
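The irix-infosrch-fname entry, like windmail-pipe-command earlier in this summary, is CGI form input reaching a command interpreter. The added example below (written for this summary; not SGI's, WindMail's, or any vendor's code) contrasts the string-building pattern behind both bugs with the safe shape: allow-list validation of each field, then an argument list that no shell ever parses. The mailer command name and its flags are hypothetical, and the vulnerable string is built only so that its tokenization can be inspected; nothing in the example executes a command.

```python
import re
import shlex
from typing import List

# Characters that change meaning if user input ever reaches a shell (constructed set).
_SHELL_META = re.compile(r"""[|&;<>`$(){}\[\]*?!\n\r\\'"]""")
# Deliberately narrow address syntax: a web form has no business sending more.
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_SUBJECT = 200


class UnsafeInputError(ValueError):
    """Form input that must not be passed on to a command."""


def vulnerable_command_line(recipient: str, subject: str) -> str:
    """The pattern behind this bug class: form fields pasted into one shell string.

    'mailer' and its flags are hypothetical. The string is returned for
    inspection only and is never executed in this example.
    """
    return f'mailer -t {recipient} -s "{subject}"'


def shell_tokens(command_line: str) -> List[str]:
    """Show how the string splits into words; shlex stands in for the shell's
    tokenizer here (a real shell also treats '|' as an operator, not data)."""
    return shlex.split(command_line)


def build_argv(recipient: str, subject: str) -> List[str]:
    """Safe form: validate each field, then return an argument list.

    Hand the result to subprocess.run(argv) with shell=False, so the
    recipient and subject are delivered to the program as opaque arguments.
    """
    if not _ADDR.match(recipient):
        raise UnsafeInputError("recipient is not a plain e-mail address")
    if len(subject) > MAX_SUBJECT or _SHELL_META.search(subject):
        raise UnsafeInputError("subject is too long or contains shell metacharacters")
    return ["mailer", "-t", recipient, "-s", subject]


def is_rejected(recipient: str, subject: str) -> bool:
    try:
        build_argv(recipient, subject)
    except UnsafeInputError:
        return True
    return False
```

The allow-list on the recipient does most of the work: once the field can only be an address, the metacharacter check on the subject is belt-and-braces, and the argument list removes the shell from the picture entirely.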

_____

Date Reported: 3/2/00
Vulnerability: linux-dosemu-config
Platforms Affected: Corel Linux 1.0
Risk Factor: High
Attack Type: Host Based

Corel Linux 1.0 contains a vulnerability in the configuration of the
dosemu package. Dosemu is a DOS emulator that allows DOS programs to run
on Linux. A local user can use the system.com binary to execute commands
as root.

Reference:
Bugtraq Mailing List: "Corel Linux 1.0 dosemu default configuration: Local
root vuln" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200003020436.PAA20168@jawa.chilli.net.au

_____

Date Reported: 3/1/00
Vulnerability: coldfusion-reveal-pathname
Platforms Affected: ColdFusion 4.01
Risk Factor: Low
Attack Type: Network Based

ColdFusion 4.01 contains a vulnerability that can reveal path names to cfm
pages. When a remote user makes an HTTP request to a cfm page, the server
will return an error message that reveals the full path name to the file.

Reference:
NTBUGTRAQ Mailing List: "ColdFusions application.cfm shows full path" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0003&L=ntbugtraq&F=&S=&P=435

_____

Date Reported: 3/1/00
Vulnerability: netscape-enterprise-command-bo
Platforms Affected: Netscape Enterprise Server (3.6)
Risk Factor: High
Attack Type: Network Based

Netscape Enterprise Server 3.6 web server for Windows NT 4.0 contains a
buffer overflow in commands issued to the server. If a remote user issues
a command followed by a large quantity of data, the server will crash. It
is possible for the user to then execute arbitrary code.

References:
S.A.F.E.R. Security Bulletin SAFER 000229.EXP.1.3: "Buffer Overflow in
Netscape Enterprise Server" at:
http://www.safermag.com/advisories/0006.html

BUGTRAQ Mailing List: "[SAFER 000229.EXP.1.3] Remote buffer overflow in
Netscape Enterprise Server 3.6 SP2" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-29&msg=38BC065A.E6AE7002@relaygroup.com

_____

Date Reported: 3/1/00
Vulnerability: nmh-execute-code
Platforms Affected: Debian Linux 2.1
Risk Factor: High
Attack Type: Network Based

The nmh package does not properly check incoming mail message headers. A
remote attacker could send specially-crafted MIME message headers that
would cause mhshow to execute arbitrary code.

Reference:
Debian Security Advisory: "New version of nmh released" at:
http://www.debian.org/Lists-Archives/debian-security-announce-00/msg00005.html

_____

Date Reported: 3/1/00
Vulnerability: htdig-remote-read
Platforms Affected: Unix running htdig 3.1.5
Risk Factor: Low
Attack Type: Network Based

The ht://dig program is a web indexing and searching system for intranets
and small domains. Due to improper validation of form input, a remote
attacker could pass a variable to the htsearch CGI that would allow the
attacker to read any file on the machine that is accessible by the htdig
user.

Reference:
Debian Security Advisory: "New version of htdig released" at:
http://www.debian.org/Lists-Archives/debian-security-announce-00/msg00004.html

_____

Date Reported: 3/1/00
Vulnerability: ie-html-shortcut
Platforms Affected: Microsoft Internet Explorer (5.0, 5.0.1)
Risk Factor: High
Attack Type: Network/Host Based

Microsoft Internet Explorer 5 uses window.showHelp() to open HTML help
files (.chm). If these files contain a shortcut to an executable, it will
be run with the privileges of the current user. An attacker could create a
.chm file with a link to an executable and cause it to execute on the
victim's machine.

Reference:
Bugtraq Mailing List: "IE 5.x allows executing arbitrary programs using
.chm files" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38BD37F6.C9B3F8B@nat.bg

_____

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate
        access into a machine, gains superuser access, or bypasses
        a firewall. Example: A vulnerable Sendmail 8.6.5 version
        that allows an intruder to execute commands on mail
        server.

Medium  Any vulnerability that provides information that has a
        high potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server
        that allows an intruder to get the password file that
        could contain an account with a guessable password.

Low     Any vulnerability that provides information that
        potentially could lead to a compromise. Example: A
        finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords
        via brute force methods.

_____

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

About Internet Security Systems

Internet Security Systems (ISS) is the leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite* security software, ePatrol* remote managed security services,
and strategic consulting and education offerings, ISS is a trusted
security provider to its customers and partners, protecting digital assets
and ensuring safe and uninterrupted e-business. ISS' security management
solutions protect more than 5,500 customers worldwide including 21 of the
25 largest U.S. commercial banks, 10 of the largest telecommunications
companies and over 35 government agencies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin
America and the Middle East. For more information, visit the Internet
Security Systems web site at www.iss.net <http://www.iss.net> or call
888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOOjlnzRfJiV99eG9AQHSOgQAj9D2ufzmwt8RyBRDZLzDCtdfTcG9KiaZ
AbQfghGaav5IlYrSUEj2GFHj1KeLb2o8OCCnzVo5T1YFoIKC3L6ZxQ9q0Gsi2Pfv
KXYGtYmNcOzQ5WIjUuBm1T2/ZXcL3cPYkfcMzyIKp0iddhx7noxuHJOffP1QTzm6
/hbYgL+fum8=
=bxur
-----END PGP SIGNATURE-----
