December 10, 1999 - Security UPDATE Alert

Two new security risks were reported recently. In addition, an advisory has been released warning users about proper configuration to avoid an SQL Server 7.0 SA password compromise.

USSRLABS reported a denial of service (DoS) condition within GoodTech's Telnet Server v.2.2.1. The DoS is caused by an unchecked buffer in the login sequence. GoodTech is aware of the problem; however, no vendor response is known at this time.

.rain.forrest.puppy. reported a DoS condition in Windows NT Server 4.0. The problem can lead to a crashed Service Manager and break the functionality of named pipes. Microsoft issued a patch, FAQ, and Support Online article regarding this matter.

Kevork Belian pointed out how easy it is to change an SA password on SQL Server 7.0. The situation exists largely due to improper security permission settings on SQL's files.

For complete details on each of the discoveries, please visit our Web site at the URLs listed below:

- GoodTech Telnet Server v.2.2.1
  http://www.ntsecurity.net/scripts/loader.asp?iD=/security/goodt1.htm

- Windows NT Denial of Service
  http://www.ntsecurity.net/scripts/loader.asp?iD=/security/resenum1.htm

- SQL 7.0 Advisory
  http://www.ntsecurity.net/scripts/loader.asp?iD=/security/sql701.htm

Thanks for subscribing to Security UPDATE. Please tell your friends about this newsletter and alert list!

Sincerely,
The Security UPDATE Team
security@ntsecurity.net
Copyright (c) 1999 Duke Communications Intl. Inc. - ALL RIGHTS RESERVED
Forwarding this email is permitted, as long as the entire message body, the mail header, and this notice are included.