Welcome to PhyAdmin

ITS has received reports of MS RPC compromised hosts at other sites being used to launch Denial of Service attacks threatening local and Internet-wide operations. Due to these increasing threats, hosts identified as being vulnerable to the MS RPC exploit have been blocked at the border of campus until secured. The list of vulnerable hosts is based on ITS-Information Security Office scans completed 7/31/03 at 21:30.

Departmental TSCs have been sent notifications of vulnerable hosts. Network TSCs may search for hosts suspected of being blocked through the TSC tools. Others may contact the ITS Help Desk (help@its.utexas.edu, 475-9400) to request information concerning a blocked hosts and assistance in securing those hosts. To request a block be lifted, contact the ITS Information Security Office (abuse@its.utexas.edu) so that they may verify the host has been secured. For additional information concerning the MS RPC exploit, and links to local copies of security patches the blocked host may download, see:

http://www.utexas.edu/its/alerts/dhsalert07252003.html

Microsoft ended support on June 30th for NT 4.0 workstation software. This means that they will no longer provide security patches or vulnerability warnings for Windows NT 4.0 workstation software.

Microsoft plans to discontinue support for the NT 4.0 server at the end of 2004.

mail.utexas.edu seems to be having problems since sometime June 3rd. It failing to relay mail for some users, and failing to receive mail at times. No e-mail should be getting lost; the sending host will get a failure and try to send it again later. But delays in mail delivery are being noticed.

ITS is adding new servers this afternoon to fix the problem and anticipates that the system will be back to full capacity at 6 p.m. For more information see:
http://www.utexas.edu/its/news/its-headlines/062003/umbs06032003.html

On Tuesday morning, May 27, the UT webmail will be reconfigured so the early access version currently available on the front page (running IMP 3) is the default version.

This timing is in order to have the new interface in place for summer orientation.

The old IMP 2 interface will be available for a limited time in case there are any problems.

ITS needs to update the firmware in in the file server for mail.utexas.edu and thus there will be a brief period on 28 May 2003 between 7:00 AM to 7:30 AM when pop/imap services will not be available for mail.utexas.edu.

This means that you won't be able to read your e-mail from mail.utexas.edu.

SMTP service for mail.utexas.edu will be unaffected. This means you can send e-mail through mail.utexas.edu during this period and e-mail will continue to be delivered into mail.utexas.edu. No mail will be lost.

This in no way affects your physics email at mail.ph.utexas.edu

Electrical work will affect certain ITS services; we expect these services will not be available during the time frame 5 am- 8:30 am on Sunday 1 June. Updates and details on this planned outage will be forthcoming... But I wanted everyone to have the earliest possible heads-up for planning purposes....

UTS timesharing systems
CCWF timesharing systems
ADS timesharing systems
Campus printing
USENET news service
UT web search engine
RealServer Streaming media services
Mailing lists on lists.cc.utexas.edu
WebMail
WebSpace
WebCT
Blackboard
ITS Oracle
ITS departmental mail (name@its.utexas.edu)
AccessUT
Austin Active Directory Services
Austin Exchange Messaging Service
Faculty Jobs
WNT SQL Services
VMS Cluster
WINS & Terminal Services

On the morning of April 19th, ITS will complete the implementation of a new Public Network Authentication System. For details about the new system see (this notice also has been posted on the old authentication system login page):

http://www.utexas.edu/its/news/its-headlines/032003/pna.html

Redhat 9.0 ISO images (no other files) are now on ftp.utexas.edu and ftp.the.net for download locally. Paths are

ftp://ftp.the.net/mirrors/ftp.redhat.com/linux/9.0 ftp://ftp.utexas.edu/mirrors/ftp.redhat.com/linux/9.0

Please download from these sites to avoid consuming large amounts of the limited UT Internet bandwidth.

The mail/feedback/problem report form was broken, but it has been fixed. (It was sending us a blank message each time it was filled out.) If you have submitted a comment, question, or problem report with the form, but have not received a reply, please submit your report again. We apologize for the inconvenience.

You may no longer use any SSN info for posting grades. This new policy prohibits, even if the student has given permission in writing, web pages that display the grades of an entire class by SSN or partial SSN as well as local databases that take SSN or partial SSN input and display only one student's grades.

The ITS Information Security Office will continue to scan the University's web space and will alert webmasters and other responsible staff in the event that they find web pages containing SSNs and grades, or SSN-based interfaces to grade databases.

Alternative ways to post grades include:

The UT Homework Service (https://hw.utexas.edu/)
Blackboard, the widely-used UT course management system (http://www.utexas.edu/cc/blackboard/tutorials/Gradebook/index.html)
e-Gradebook, the recently-developed UT tool (https://utdirect.utexas.edu/diia/egb/)

The Computer Emergency Response Team (CERT) is warning of an increase in compromised systems running Microsoft Windows 2000/XP due mainly to poorly protected file shares. CERT cited null or weak administrator passwords as the primary cause and cited the recent Slacker and Deloder worms among the methods of exploit. The W32/Slackor and W32/Deloder worms both scan the infected host for systems listening on TCP 445. Deloder then attempts to compromise the Administrator account by using a list of preloaded passwords and also installs a backdoor. Slackor connects to the $IPC share using a set of preprogrammed usernames and passwords. CERT recommends disabling or securing file shares; using strong passwords, updated antivirus products and a firewall; and employing ingress/egress filtering. For more information see: http://www.cert.org/advisories/CA-2003-08.html

The new Code Red version CodeRed.F worm is making the rounds, differing in only two bytes from the original CodeRed II that exploited a buffer-overflow vulnerability and allows an attacker to gain full remote access to Microsoft IIS 5.0 Web servers. The new variant is classified as a medium-level threat by most AV vendors and is detected by updated antivirus definitions as Code Red. All users should upgrade IIS, switch to another web server, or apply the 18 month-old patch to vulnerable IIS servers.

http://securityresponse.symantec.com/avcenter/venc/data/codered.f.html
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

The Physics Department web site has been filtered at the UT boarder -- that is no one from outside of UT can reach it -- due to some personal web pages on it which are against UT policy. We will disable those pages and get the block removed as soon as possible.

From Michael Cerda:

We are going to patch various servers Sunday morning, 12:00 midnight - 2am, March 9, 2003.

The services affected will be Oracle, Blackboard, webspace, and webmail. Operating system patches will be applied live before midnight and the systems rebooted. Oracle requires application patches. We expect that to take 30 minutes. Other services will be started after that. We don't expect the outage to take longer than one hour.

-Michael Cerda

ITS to launches new UT Direct 2.0 on March 9th.

The new version of UT Direct, Version 2.0, will be launched on March 9, will feature a new look and navigation and deliver increased functionality for its services.

For more information see: http://www.utexas.edu/its/news/features/022003/utdirect.html

Sun Microsystems issued a patch for a serious directory traversal vulnerability affecting multiple Solaris versions that could allow an attacker to gain root privileges remotely.

The vulnerability affects Sun's Kodak Color Management System (KCMS), which is installed by default in Solaris/Sparc 2.5, 2.6, 7, 8 and 9 and Solaris/x86 2.5, 2.6, 7, 8 and 9.

Entercept discovered that logic flaws in the way Solaris does security checks can be used to read arbitrary files on the system. Any user without any special privilege level can remotely access the KCMS library service daemon, run the exploit and read any file on the system, including passwords and other sensitive data.

Affected users should apply the patches immediately, and/or disable the KCMS service in their /etc/inetd.conf file (followed by restart the inetd daemon).

http://docs.sun.com/db/doc/8161325/6m7oiipal?q=kcms_server&a=view#profiles-2
http://www.kb.cert.org/vuls/id/850785
http://www.entercept.com/ricochet/alerts

A THEnet network maintenance event has been scheduled at the UT System OTS Austin NOC for 08:00am to Noon CST on Sunday, February 2, 2003. The purpose of this event is to expand the capacities of a fiber mux in Austin. The fiber mux carries a number of THEnet and TX-BB backbone links, the Austin/Qwest commercial ISP link, and the link from Austin to Houston for Internet2 traffic belonging to UT-Austin and SWRI.

During the maintenance period there will be a possibility for sporadic momentary outages of service through the fiber mux. This could include disruption of commercial Internet service for UT-Austin, UT System Administration (including the Telecampus), and a number of THEnet and DIR/CAPnet subscribers whose normal outbound path to the Internet is through the Qwest/Austin link. Additionally Internet2 service for UT-Austin and SWRI could be interrupted. UT/THEnet subscribers in Dallas could be momentarily isolated from Austin and the rest of THEnet. And finally, DIR/CAPnet communications with UT-Austin, UT System, and the rest of THEnet and TX-BB could be momentarily disrupted or delayed.

On Sunday, Jan. 12, between 8 a.m. and 11 a.m., maintenance will be performed on the network equipment across the campus. There will be intermittent outages during this time.

Deployment of the new Public Network Authentication System has been postponed (originally scheduled for 12/18-12/20). There will be announcement to the vtechsupport list when there is a new schedule.

The orginal message was:

A new Public Network Authentication System will be deployed for all wired and wireless public networks over the break 12/18-12/20. For more details see (this notice has been posted on the old authentication system login page):

https://netdb.gw.utexas.edu/newauth/newpna.html

The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a remotely exploitable buffer overflow vulnerability that could allow an attacker to execute arbitrary code or cause a denial of service.

The XFS daemon is installed and running by default on all versions of the Solaris operating system. Further information about this vulnerability may be found in VU#312313.

http://www.kb.cert.org/vuls/id/312313

This vulnerability is also being referred to as CAN-2002-1317 by CVE.

Note this vulnerability is in the X Window Font Server, and not the filesystem of a similar name.

Solaris users should install the patch when it becomes available, and in the mean time should, if possible, disable the font server (auto.fs) in /etc/inetd.conf and restart inetd and restart X.

FROM: TRACY BROWN (tracy.brown@forum.utexas.edu)

Colleagues,

We want to inform you of some changes that are coming to the EID system.
Phase II of EID changes will be moved into production between 5 and 7 a.m.
on Monday, November 11.

The UT EID changes included in Phase II are:

1. Everyone who has a UT EID more than 8 characters long will be
   assigned a new UT EID in a new format. The new format is:

   * Use a minimum of 2 characters and maximum of 8 characters.
   * The first characters must be the your initials.
   * Any and all characters after your initials must be
   numbers. (These are optional.)
   * The numbers 0 & 1 are excluded (cannot be used).

2. At time of next logon, the user will be informed of the new UT
   EID and MUST start using the new one to successfully log on.
   Each time users try an old UT EID, they will get this reminder
   message:

   "Error (RL): The UT EID XXXXXXXXXX has been changed; your new
   UT EID is YYYYYYYY. You must use your new UT EID to log on.
   To learn why it has changed, see:

   https://utdirect.utexas.edu/nlogon/eid_suite/faqs/eid_too_long.WBX "

Notes:

1. PERM-EIDs will remain in the same format of Last Name and Initials.

2. Users can still use the Help Suite Essentials page to change
   their UT EIDs. However, the new EID can no longer be greater
   than 8 characters.

3. Department contacts can still use *TXEID to change UT EIDs.
   However, the new EID can no longer be greater than 8 characters.

While webspace.utexas.edu was previously for students only, it is now available to all faculty and staff as well. Up to 75 MB of publishing space is available per user.

The UT-EID service will be down for 30 minutes on Sunday morning, Oct 27th between 2:00 a.m and 3:00 a.m. All services requiring the use of the UT-EID service will be inoperative during this 30 minutes of downtime. >

The crisis is over for now and email is being delivered at normal speed whether coming in from off-campus, on-campus or within UMBS.

UMBS (mail.utexas.edu) will be taken down at 10 p.m., Thursday, October 24, for about 30 minutes in order to upgrade the disk filer from four 100-megabit connections to a 1 gigabit connection. This upgrade is one of the many steps taken to ensure UMBS can accommodate the increased mail load. This is the only currently planned step that will require the system to go offline.

Most of the queued e-mail from on- and off-campus servers has been delivered. On-campus servers (utexas.edu) sending mail to UMBS are receiving preferential treatment. Mail arriving from off-campus will continue to come in slowly. Other services are operating normally.

UMBS SMTP is back online as of 8:06. However, the number of external inbound connections has been severely constrained to keep from getting flooded by everybody dumping their queued up mail on UMBS. Thie means that external mail will continue to be slow for now.

Three of the worker bees didn't finish draining overnight. These three will continue to be offline until they finish draining.

Mail sent between UMBS users should not experience delivery problems. UMBS users should also have no problem sending mail. There are still significant delays in delivering of e-mail into UMBS—these delays are variable depending on which queue the e-mail joins.

We have blocked sites sending large amounts of spam into UMBS and upgraded the network switch, but the queues holding inbound-to-UMBS e-mail are still unreasonably high and the UMBS system is overloaded trying to process this backlog.

ITS is taking UMBS “off the air” to non-utexas.edu SMTP connections from 9 p.m. tonight, October 22, to 8:00 a.m. tomorrow, October 23. This will allow the system to process all of the backlog and function properly tomorrow.

During this period of 9 p.m. to 8 a.m. UMBS users can still send e-mail from UMBS to anywhere (within UMBS, anywhere in utexas.edu, and anywhere in the world) and can still read their e-mail.

E-mail coming from utexas.edu servers will be accepted and delivered as the queues empty. E-mail coming from within UMBS will be performing normally. E-mail coming from outside of campus (outside of utexas.edu) will remain in the mail queues of the servers which originated it, to be delivered later. As long as those mail servers have a queue retention period greater than 12 hours (anything less than three days is considered short), no mail should bounce.

A problem is occurring on mail.utexas.edu (UMBS) such that people are successfully relaying spam using UMBS --we look like an 'open relay'. This is causing us to be blacklisted by anti-spam blacklists.

To immediately get us off those lists, we are shutting down 'pop-before-send'. This does NOT affect on campus users of UMBS nor does it affect UMBS users using Telesys. It does affect off campus users coming in via the Internet (e.g., Road Runner, DSL, some other campus connected to the Internet). They will not be able to send email OUT through UMBS. They will be able to read email.

We were in the process of converting to a better method anyway, called authenticated SMTP. We will activate that now and will get assistance up as quickly as possible to explain it on the web.

ITS-Communciations will be putting up a variant of this notice onto the web shortly. And we will update that before 5 PM.

Staff is of course working to also correct the pop-before-send problem as quickly as possible.

Sun announced today that it is to restore Intel hardware support for Solaris beyond Sun's LX50. See the following websites for more details.

http://www.eweek.com/article2/0,3959,588641,00.asp
http://groups.yahoo.com/group/solarisonintel/message/39773

Adobe will be on campus October 14th, in COM 8, doing demos, drawings, etc. They will cover Adobe Acrobat 5, Photoshop Elements, InDesign, Photoshop, and Premiere.

For more info contact the Campus Computer Store at manager@campuscomputer.com or Adobe at www.adobe.com/education/

There is a new worm attacking Apache Web Servers using mod_ssl on linux/intel based systems via a hole in OpenSSL. While it currently is only known to attack linux/intel machines, it could be use against other operating systems and/or platforms in the future, so all users of apache+mod_ssl should take note. In fact, any user offering ssl/tsl services via openssl should take note and upgrade as soon as possible.

You can mimimize your risk to this worm by adding the following global setting to your apache configuration file:

ServerTokens ProductOnly

For more on the openssl vulnerability, see

http://www.kb.cert.org/vuls/id/102795
http://www.cert.org/advisories/CA-2002-23.html

For more information on this worm, see:

http://www.cert.org/advisories/CA-2002-27.html

Zone Labs Inc. has released ZoneAlarm 3.1. The free version offers improved security at no cost for personal and nonprofit use. The new version includes a redesigned, more intuitive user interface and improved alert logging.

More info at: http://www.zonelabs.com

Internet Security Systems (ISS) X-Force has found a buffer-overflow flaw in a Sun RPC library component that could allow a remote attacker to execute arbitrary commands on a target system with super-user privileges. Sun Microsystems Solaris 2.5.1/2.6/7/8/9 are affected by the vulnerability. Many other vendor implementations of RPC may also be affected.

Info at: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

Microsoft has just release its final version of Service Pack 3. A list of fixes incorporated into SP3 can be found at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320853

Service Pack 3 (128 mg) can be downloaded at:

http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/w2ksp3.exe

Overview

There are four remotely exploitable buffer overflows in OpenSSL. There are also encoding problems in the ASN.1 library used by OpenSSL. Several of these vulnerabilities could be used by a remote attacker to execute arbitrary code on the target system. All could be used to create denial of service.

Systems Affected

OpenSSL prior to 0.9.6e, up to and including pre-release 0.9.7-beta2
OpenSSL pre-release 0.9.7-beta2 and prior with Kerberos enabled
SSLeay library

More information can be found at: http://www.cert.org/advisories/CA-2002-23.html

Apple has released a Security Update that addresses a vulnerability in Mac OS X Software Updates versions prior to 1.4.6. That vulnerability would have allowed a malicious hacker to spoof an Apple server and deliver arbitrary code to the victim's Mac OS X computer. The Security Update adds verification of cryptographic signatures to Software Updates versions 1.4.5 and earlier.

Note that if you haven't installed all previous updates before installing this security update, you won't be able to bring your system to the most recent version until Apple releases authenticated versions of all of its system updates.

For more information and to download the update, go to the Apple Knowledge Base article (75304) at:

https://depot.info.apple.com/security7-12/

All services provided by Information Technology Systems will switch to a "pay in advance" system later this year. The switch includes billing for SMF printing charges and Telesys, UT's dial-up modem service.

SMF printing will require Bevo Bucks as of August 15th. The other services will not require Bevo Bucks.

There is a local Off-by-one vulnerability in mod_ssl for apache. For information see:

http://online.securityfocus.com/archive/1/279074

Versions affected are mod_ssl versions < 2.8.10 for Apache 1.3

There is a remote vulnerability in certain OpenSSH versions, known as the OpenSSH Challenge Response Handling vulnerability. Information can be found at:

http://www.cert.org/advisories/CA-2002-18.html
http://online.securityfocus.com/news/503

Versions affected are OpenSSH versions 2.3.1p1 through 3.3, with certain configuration options enabled.

There are known exploits for this bug, so it is important to check your system asap.

Dell and Compaq PC sites

On the Campus Computer Store's home page at http://www.campuscomputer.com/ you will see a new customized computer storefront for Dell. The Dell storefront is for personal (individual) purchases from Dell and is open to any student, faculty or staff member at UT. The pricing there will be less than if you go to Dell's regular on-line consumer site or education site. This site emphasizes Dell's consumer line but a configuration similar to the Business school's laptop program is also available. Again, this is only for personal purchases. Departmental purchases should continue to go through the web site at http://www.utexas.edu/computer/sales/dell.html for the best pricing on corporate grade computers and our UT bundles.

Also in the Store's home page you will see a new customized computer storefront for Compaq. Compaq has a blanket order with DIR through the Western States Computer Agreement. And they offer individual purchasing for UT students, faculty and staff.

ITS is looking at an opportunity from Tripwire (www.tripwire.com) to site license their products for servers, monitoring and management. Tripwire is product to detect intrusions on servers and help restore the integrity of the information. This is a short fused offer so they have approached the tech-deans from each college for funding. So far they have more than 85% covered.

If the program does get created, ITS will announce the program details around 1 July. The initial license fee would be covered and we would get (approximately) half-price on maintenance.

ITS will soon have a student version of the Apple OS program. ITAC fees will cover all UT students and they expect the media to arrive from Apple about 1 July. They already have a department/faculty/staff program for those who want a Mac operating subscription program, please see http://www.utexas.edu/computer/sales/appletap.html. Over 2700+ subscriptions to date. Please note, that dept/faculty/staff must pay for their subscriptions.

UTConnect has been replaced with BevoWare, available at http://www.utexas.edu/its/bevoware/.

The web page will tell you how to get to the no-cost download page. The Campus Computer Store now has the media available for sale ($5/CD).

BevoWare provides the software you need to protect your computer from viruses, improve the security of your connections, browse the Web, read and send e-mail, use the campus printing system and more.

The UT Austin Enterprise Web Server name dpweb1.dp.utexas.edu will be retired soon. All references to UT Austin's Enterprise Web Servers previously known as dpweb1.dp.utexas.edu should now use the name utdirect.utexas.edu. Note: the address utdirect.utexas.edu can be used now -- changes to your web pages can begin immediately. Beat the rush!

Changes will begin to occur at the server level August 5, 2002. At that time any requests received at the address dpweb1.dp.utexas.edu will be redirected to utdirect.utexas.edu. After a period of time, this redirection will be replaced by a static notification page with a link to the appropriate URL reminding the users to update their bookmarks.

The new DMG, which is now in public beta and expected to go production next week, has a great new Scan and Replace feature. This should be a very useful tool for changing any hard-coded references to dpweb1 you might have in scripts accessible from DMG.

For further background on the issue:
https://dpdev1.dp.utexas.edu/developers/urlConsolidation
Frequently Asked Questions (and Answers):
https://dpdev1.dp.utexas.edu/developers/urlConsolidation/faq.html
For a list of scripts on dpweb1/utdirect with references to dpweb1.dp.utexas.edu:
https://dpdev1.dp.utexas.edu/dputil/scanlist.html
For an interactive discussion about this topic:
http://shoptalk.acs.utexas.edu/tooltalk/viewDiscussion.jsp?threadId=19

StarOffice is an office suite (similar in function to Microsoft Office) which runs on Windows, Linux (x86), and Solaris (Intel and Sparc). OpenOffice is an opensource version of StarOffice. It includes most all the features of StarOffice, except for the database, some clip art, and some extra fonts. Sun is going to start charging for StarOffice starting from release 6.0. As of 5/30/02, you can no longer download StarOffice 5.2 for free. It's still available, but Sun has removed the publically available installation files. StarOffice 6.0 will still be available free for education, except for the cost of the media. For more information, see: http://www.sun.com/products-n-solutions/edu/scholar/staroffice.html

Effective 1 June 2002, ITS will introduce the BevoWare software package. An overview can be found at www.utexas.edu/its/bevoware. "BevoWare provides the software you need to protect your computer from viruses, improve the security of your connections, browse the Web, read and send e-mail, use the campus printing system and more." Distributed by UT Austin for both Macintosh and Windows computers, BevoWare saves you money, time and trouble by offering all the products you will need in one convenient location. *BEVOWARE WILL REPLACE THE UT CONNECT PROGRAM.* Eligibility: All current students, faculty and staff at UT Austin. Costs: BevoWare for students will be covered by ITAC fees. ITS will seek funding for faculty, staff and departments; however, because we feel it is important that the entire UT community have products such as virus protection readily available, ITS is waiving the BevoWare fees for faculty, staff and departments through May 2003. Separate media costs will apply (see below). Obtaining BevoWare: A download site (www.utexas.edu/its/bevoware/download) will be available to all those eligible beginning June 1, 2002. BevoWare will also be available on CD-ROM from the Campus Computer Store for $5 per CD for those who prefer to have physical media. We hope to have the BevoWare CD available from the store by mid-June. UT Connect Subscriptions Will Be Honored: Current UT Connect subscribers (faculty, staff, students, departmental bulk purchases) may pick-up a complimentary BevoWare CD at Software Distribution & Sales (COM 14) after its release (we estimate mid-June). UT Connect subscriptions will be honored through their expiration (one year from original date of purchase). This means UT Connect subscribers will receive any BevoWare CDs published before their UT Connect subscription expires at no cost. Retired UT Connect Subscribers: Retired UT Connect subscribers are not eligible for BevoWare downloads or media; however, a special retiree CD will be available from SDS in COM 14 when the BevoWare CD is released. Support: The Help Desk will be answering technical and eligibility questions.

Microsoft released a "critical" cumulative patch for six new Internet Explorer (IE) vulnerabilities affecting IE 5.01/5.5/6.0. The flaws include a cross-site scripting vulnerability in a Local HTML Resource; an HTML object information disclosure vulnerability; a script within cookies information disclosure vulnerability; a zone spoofing vulnerability; and two variants of the "Content Disposition" vulnerability (MS01-058). Microsoft recommends applying the patch immediately. http://www.microsoft.com/technet/security/bulletin/MS02-023.asp

Sunday, May 19, 2002 The WNT cluster, which is composed of WNTdisk (file storage), FORUM (Exchange Mail), WNTSQL (SQL server), and WNTapp (IIS and Cold Fusion) will be down for equipment relocation on Sunday, May 19, 2002 from 6:00 a.m. until 2:00 p.m. This move is necessary to accomdate the merger of the MAI 22 and COM 10 computer rooms. On Sunday, May 19, 2002, between 8:00 am. and 11:00 am., maintenance will be performed on network equipment across campus. There will be intermittent outages during this time.

Wednesday, May 15, 2002: The University Mailbox Service (UMBS) will be down Wednesday, May 15 from 7 p.m. - 9 p.m. for an emergency hardware upgrade to address the current performance problems. During this time UMBS users will be unable to access or download mail sent to any mail.utexas.edu address. Any e-mail sent from a client machine through mail.utexas.edu will still be accepted. No mail will be lost during this time.

The EID Team has redesigned the EID login page to bring it more into line with the look and feel of UTDirect and Web Central. On Wednesday, May 8, the EID team will implement this new version of the UT EID Login page. The new page will retain the same functionality and all links will point to the same pages that they do currently. If you have any questions, comments, or concerns, please contact us at eidteam@lists.cc.utexas.edu.

*SERIOUS FLASH BUG COULD AFFECT IE USERS By Shawna McAlearney Warning of a serious remote code execution vulnerability in Macromedia Flash, eEye Digital Security is recommending all Internet Explorer (IE) users immediately upgrade to the latest version of Flash. According to an eEye advisory posted on Bugtraq, the buffer-overflow flaw affects Flash ActiveX OCX Version 6, revision 23. But the vulnerability could potentially affect IE users "because this is a Macromedia signed OCX. We advise them to upgrade their Flash version immediately to version 6, revision 29," says eEye. "This issue was found in the wild, and it is not safe to assume it could not be found by others with malicious intent," according to the advisory. "Nor do we believe it is safe to assume this has not been found by users with malicious intent." The vulnerability occurs in the parameter handling the Flash OCX, and could lead to the execution of attacker-supplied code via e-mail, Web or any other avenue in which IE is used to display HTML, according to the advisory. http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash

*VIRUS-LADEN, PHONY MESSAGES FROM CISCO CIRCULATING Bogus messages supposedly from Cisco System's Product Security Incident Response Team may contain a variety of computer viruses and should be ignored, the company warned last week. The forged e-mails appear to be from psirt@cisco.com, but don't carry the PGP signature used on all Cisco messages coming from the company's moderated listserv. Cisco sent a warning to subscribers to ignore the tainted messages and said it was "actively looking at solutions to reduce or eliminate the forged messages."

*EXCEL SUBJECT TO ACTIVE SCRIPTING VULNERABILITY Bulgarian bug-hunter Georgi Guninski is once again warning of an Active Scripting interaction in a Microsoft product--this time Excel--that he says can allow malicious script execution. Though Microsoft last week issued a patch for the "E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward" vulnerability affecting Outlook 2000/2002, Guninski says it continues to be a problem for Excel. The flaw could allow an attacker to run code of choice on a target system if a user forwards or replies to an attacker's message while using Word as the e-mail editor. Alternatives are to create and edit e-mail using Outlook's native editing functions. Using Word as the e-mail editor has been contrary to security experts' recommendations for some time. http://www.microsoft.com/technet/security/bulletin/MS02-021.asp http://www.guninski.com/m$oxp-2.html

*SOLARIS FLAW GIVES ROOT By Shawna McAlearney A hacker group Tuesday released exploit code targeting vulnerabilities in Sun Solaris 2.5.1/2.6/7/8 that could allow an attacker to execute arbitrary code on the system with root privileges. Both locally and remotely exploitable, a buffer-overflow flaw exists in rpc.walld, which is used to broadcast messages to users over a network. Though hacker group Gobbles deems the threat "super duper high," researchers say users who follow security best practices won't have a problem. "For security-minded people, this is one of the 57 things in the Solaris default that you habitually turn off, and it isn't a problem," says Jon McCown, a security researcher at TruSecure. (TruSecure publishes Security Wire Digest.) "But if bad guys get inside the perimeter in a 'default Solaris' shop, it isn't pretty." A Computer Emergency Response Team (CERT) advisory released yesterday, recommended users apply available patches or, if a patch isn't available, disable the rwall daemon (rpc.rwalld) in inetd.conf until a patch can be applied. If disabling the rwall daemon isn't an option, implement a firewall to limit access to rpc.rwalld--typically port 32777/UDP--but note that this won't mitigate all vectors of attack. Gobbles' suggests similar mitigators and warns that "if you wait until patch (is) available (to) upgrade, you probably will have to upgrade by reinstalling (the OS) because exploit (code is) out and probably in hands of less than ethical penetrators looking to abuse you in one way or another." http://www.cert.org/advisories/CA-2002-10.html