home *** CD-ROM | disk | FTP | other *** search
- Date: Thu, 18 Feb 1999 14:44:48 -0800 (PST)
- From: CIAC Mail User <ciac@rumpole.llnl.gov>
- To: ciac-bulletin@rumpole.llnl.gov
- Subject: CIAC Bulletin J-030: Microsoft BackOffice Vulnerability
-
- [ For Public Release ]
- -----BEGIN PGP SIGNED MESSAGE-----
-
- __________________________________________________________
-
- The U.S. Department of Energy
- Computer Incident Advisory Capability
- ___ __ __ _ ___
- / | /_\ /
- \___ __|__ / \ \___
- __________________________________________________________
-
- INFORMATION BULLETIN
-
- Microsoft BackOffice Vulnerability
-
- February 16, 1999 19:00 GMT Number J-030
- ______________________________________________________________________________
- PROBLEM: Microsoft has identified a vulnerability in the installer for
- BackOffice Server (R) 4.0.
- PLATFORM: Microsoft BackOffice Server 4.0
- DAMAGE: Users who can log into the server locally would be able to
- access name and password for the accounts associated with the
- services which are part of a BackOffice 4.0 installation.
- SOLUTION: The fix for this problem is to delete the file \Program
- Files\Microsoft Backoffice\Reboot.ini after each BackOffice 4.0
- installation, whether successful or not.
- ______________________________________________________________________________
- VULNERABILITY Risk is low. In most cases, the ability to access this file
- ASSESSMENT: would be granted to selected users such as administrators.
- ______________________________________________________________________________
-
- [ Start Microsoft Advisory ]
-
-
- Microsoft Security Bulletin (MS99-005)
- - --------------------------------------
-
- BackOffice Server 4.0 Does Not Delete Installation Setup File
-
- Originally Posted: February 12, 1999
-
- Summary
- =======
- Microsoft (R) has learned of a potential vulnerability in the installer for
- BackOffice Server (R) 4.0. The installer asks the user to provide the
- account userid and password for selected services and writes these to a file
- in order to automate the installation process. However, the file is not
- deleted when the installation process completes. As detailed below,
- Microsoft recommends that BackOffice 4.0 customers delete this file.
-
- Microsoft has received no reports of customers being adversely affected by
- this problem. However, it is releasing this security bulletin in order to
- proactively provide customers with information about the problem in order to
- allow them to take steps to ensure their safe computing.
-
- Issue
- =====
- When a user chooses to install SQL Server (R), Exchange Server (R) or
- Microsoft Transaction Server (R) as part of a BackOffice 4.0 installation,
- the BackOffice installer program requests the name and password for the
- accounts associated with these services. Specifically, it asks for the
- account name and password for the SQL Executive Logon account, the Exchange
- Services Account, and the MTS Remote Administration Account. These values
- are stored in <systemdrive>\Program Files\Microsoft Backoffice\Reboot.ini,
- and used to install the associated services.
-
- BackOffice Server does not erase this file when the installation process is
- completed. This is true regardless of whether the installation process
- completes successfully or unsuccessfully. By default, the Microsoft
- BackOffice folder is not shared, so network access to reboot.ini generally
- does not pose a risk. Users who can log onto the server locally would be
- able to access the file, but in most cases this ability is granted only to
- selected users such as administrators.
-
- The fix for this problem is to delete the file <systemdrive>\Program
- Files\Microsoft Backoffice\Reboot.ini after each BackOffice 4.0
- installation, whether successful or not. The file is created only by the
- installer, and, once deleted, will not be re-created unless BackOffice 4.0
- is re-installed.
-
- Affected Software Versions
- ==========================
- The following software versions are affected:
- - Microsoft BackOffice Server 4.0
-
- What Microsoft is Doing
- =======================
- On February 12th, Microsoft sent this security
- bulletin to customers subscribing to the Microsoft
- Product Security Notification Service
- (see http://www.microsoft.com/security/services/bulletin.asp
- for more information about this free customer service).
-
- Microsoft has published the following Knowledge Base (KB) article on this
- issue:
- - Microsoft Knowledge Base (KB) article Q217004,
- BackOffice Installer Tool Does Not Delete Password Cache File.
- http://support.microsoft.com/support/kb/articles/q217/0/04.asp
- (Note: It might take 24 hours from the original posting of this
- bulletin for the KB article to be visible in the Web-based
- Knowledge Base.)
-
- What customers Should Do
- ========================
- Microsoft recommends that customers ensure that they delete the file
- <systemdrive>\Program Files\Microsoft Backoffice\Reboot.ini after the
- installation program for BackOffice 4.0 completes
-
- More Information
- ================
- Please see the following references for more information related to this
- issue.
- - Microsoft Security Bulletin MS99-005,
- BackOffice 4.0 Does Not Delete Installation Setup File
- (the Web-posted version of this bulletin),
- http://www.microsoft.com/security/bulletins/ms99-005.asp.
- - Microsoft Knowledge Base (KB) article Q217004,
- BackOffice Installer Tool Does Not Delete Password Cache File.
- http://support.microsoft.com/support/kb/articles/q217/0/04.asp
- (Note: It might take 24 hours from the original posting of this
- bulletin for the KB article to be visible in the Web-based
- Knowledge Base.)
-
- Obtaining Support on this Issue
- ===============================
- If you require technical assistance with this issue, please contact
- Microsoft Technical Support. For information on contacting Microsoft
- Technical Support, please see
- http://support.microsoft.com/support/contact/default.asp.
-
- Revisions
- =========
- - February 12, 1999: Bulletin Created
-
-
- For additional security-related information about Microsoft products, please
- visit http://www.microsoft.com/security
-
-
- - ----------------------------------------------------------------------------
- - ----
-
- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
- WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
- EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
- FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
- SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
- INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
- IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
- LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
- FOREGOING LIMITATION MAY NOT APPLY.
-
- (C) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
-
-
- [ End Microsoft Advisory ]
- ______________________________________________________________________________
-
- CIAC wishes to acknowledge the contributions of Microsoft for the
- information contained in this bulletin.
- ______________________________________________________________________________
-
-
- CIAC, the Computer Incident Advisory Capability, is the computer
- security incident response team for the U.S. Department of Energy
- (DOE) and the emergency backup response team for the National
- Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
- National Laboratory in Livermore, California. CIAC is also a founding
- member of FIRST, the Forum of Incident Response and Security Teams, a
- global organization established to foster cooperation and coordination
- among computer security teams worldwide.
-
- CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
- can be contacted at:
- Voice: +1 925-422-8193
- FAX: +1 925-423-8002
- STU-III: +1 925-423-2604
- E-mail: ciac@llnl.gov
-
- For emergencies and off-hour assistance, DOE, DOE contractor sites,
- and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
- 8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
- or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
- Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
- duty person, and the secondary PIN number, 8550074 is for the CIAC
- Project Leader.
-
- Previous CIAC notices, anti-virus software, and other information are
- available from the CIAC Computer Security Archive.
-
- World Wide Web: http://www.ciac.org/
- (or http://ciac.llnl.gov -- they're the same machine)
- Anonymous FTP: ftp.ciac.org
- (or ciac.llnl.gov -- they're the same machine)
- Modem access: +1 (925) 423-4753 (28.8K baud)
- +1 (925) 423-3331 (28.8K baud)
-
- CIAC has several self-subscribing mailing lists for electronic
- publications:
- 1. CIAC-BULLETIN for Advisories, highest priority - time critical
- information and Bulletins, important computer security information;
- 2. SPI-ANNOUNCE for official news about Security Profile Inspector
- (SPI) software updates, new features, distribution and
- availability;
- 3. SPI-NOTES, for discussion of problems and solutions regarding the
- use of SPI products.
-
- Our mailing lists are managed by a public domain software package
- called Majordomo, which ignores E-mail header subject lines. To
- subscribe (add yourself) to one of our mailing lists, send the
- following request as the E-mail message body, substituting
- ciac-bulletin, spi-announce OR spi-notes for list-name:
-
- E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
- subscribe list-name
- e.g., subscribe ciac-bulletin
-
- You will receive an acknowledgment email immediately with a confirmation
- that you will need to mail back to the addresses above, as per the
- instructions in the email. This is a partial protection to make sure
- you are really the one who asked to be signed up for the list in question.
-
- If you include the word 'help' in the body of an email to the above address,
- it will also send back an information file on how to subscribe/unsubscribe,
- get past issues of CIAC bulletins via email, etc.
-
- PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
- communities receive CIAC bulletins. If you are not part of these
- communities, please contact your agency's response team to report
- incidents. Your agency's team will coordinate with CIAC. The Forum of
- Incident Response and Security Teams (FIRST) is a world-wide
- organization. A list of FIRST member organizations and their
- constituencies can be obtained via WWW at http://www.first.org/.
-
- This document was prepared as an account of work sponsored by an
- agency of the United States Government. Neither the United States
- Government nor the University of California nor any of their
- employees, makes any warranty, express or implied, or assumes any
- legal liability or responsibility for the accuracy, completeness, or
- usefulness of any information, apparatus, product, or process
- disclosed, or represents that its use would not infringe privately
- owned rights. Reference herein to any specific commercial products,
- process, or service by trade name, trademark, manufacturer, or
- otherwise, does not necessarily constitute or imply its endorsement,
- recommendation or favoring by the United States Government or the
- University of California. The views and opinions of authors expressed
- herein do not necessarily state or reflect those of the United States
- Government or the University of California, and shall not be used for
- advertising or product endorsement purposes.
-
- LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
-
- J-020: SGI IRIX fcagent daemon Vulnerability
- J-021: Sun Solaris Vulnerabilities ( dtmail, passwd )
- J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
- J-023: Cisco IOS Syslog Denial-of-Service Vulnerability
- J-024: Windows NT Remote Explorer
- J-025: W97M.Footprint Macro Virus Detected
- J-026: HP-UX rpc.pcnfsd Vulnerability
- J-027: Digital Unix Vulnerabilities ( at , inc )
- J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
- J-029: Buffer Overflows in Various FTP Servers
-
-
-
-
- -----BEGIN PGP SIGNATURE-----
- Version: 4.0 Business Edition
-
- iQCVAwUBNsntTbnzJzdsy3QZAQFF4QQAlcsUV0UfKVWCUu2mMgw099LyDg6hM28D
- NeME8HPjwTzSxOuIyLBt2ipLZwEAN/m7CskA8L+XY1FlNK+745Y8qK+++XdDPH80
- V8GPduOpaDP6lLFE1z6jjbl4CVzx7Nu+hKIjwgG61rtsMWa3MwFG9FuVPSReSkfM
- YLUSBofBqOQ=
- =yXG3
- -----END PGP SIGNATURE-----
-
-