Windows NT Security Vulnerability Fix


by Executive Software Team


Recently, a program was posted on the Internet which exploits a
Privilege Elevation vulnerability in Windows NT. The program performs a
sophisticated set of steps that allow a non-administrative user who is
logged on locally to a system to gain debug-level access to a system
process. That user is then able to grant themselves local administrative
privileges on the local system. Note that in order to perform this
attack the user has to have a valid local account on the system; the
attack cannot be used over a network to get domain administrative
privileges remotely.

Microsoft has now posted a fix to handle this vulnerability, and has
issued a bulletin fully describing the problem. You can find the
bulletin, containing links to hotfixes for the problem, at:

http://www.microsoft.com/security/bulletins/ms98-009.htm

Almost concurrently, an e-mail bug was discovered which affects both
Netscape and Microsoft (Outlook) e-mail clients running on Windows 3.1,
95, 98 and Windows NT. This bug, which was widely (and falsely) reported
by the media as an "e-mail virus", actually causes the client to crash
when a user receives and opens an e-mail message with an attachment that
has an extremely long filename. The long filename could be followed by
arbitrary code which could then execute after the crash has occurred,
which of course could damage a computer.
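
Until clients are patched, a mail gateway or mailbox scan can flag messages whose attachment names are abnormally long before anyone opens them. The Python below is an added example, not code from the bulletins or from either vendor; the 255-character limit, the function names and the sample message are assumptions, since the page states no exact length.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Assumed policy limit (the page gives no figure); tune to local policy.
MAX_FILENAME_LEN = 255


def long_filename_parts(raw, limit=MAX_FILENAME_LEN):
    """Return (part_index, source, length) for each over-long attachment name.

    Checks both places a client may read the name from: the filename
    parameter of Content-Disposition and the name parameter of Content-Type.
    RFC 2231 continuations (filename*0=, filename*1=) are joined by the
    parser, so a name split across parameters is measured as a whole.
    """
    findings = []
    for idx, part in enumerate(message_from_string(raw).walk()):
        candidates = (
            ("Content-Disposition filename",
             part.get_param("filename", header="content-disposition")),
            ("Content-Type name", part.get_param("name")),
        )
        for source, value in candidates:
            if value is None:
                continue
            if isinstance(value, tuple):  # RFC 2231 (charset, lang, value)
                value = collapse_rfc2231_value(value)
            if len(value) > limit:
                findings.append((idx, source, len(value)))
    return findings


def constructed_sample():
    """Constructed message: one normal attachment, one 304-character name."""
    long_name = "A" * 300 + ".txt"
    return "\n".join([
        "From: a@example.test", "To: b@example.test",
        "Subject: constructed sample", "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="XX"', "",
        "--XX", "Content-Type: text/plain", "", "body",
        "--XX", 'Content-Type: text/plain; name="notes.txt"',
        'Content-Disposition: attachment; filename="notes.txt"', "", "ok",
        "--XX", "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="%s"' % long_name, "",
        "data", "--XX--", "",
    ])


if __name__ == "__main__":
    for idx, source, length in long_filename_parts(constructed_sample()):
        print("part %d: %s is %d characters" % (idx, source, length))
```
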

Both Microsoft and Netscape state that there have been no reports of any
customer being affected by this issue.

You can find Microsoft's description of the problem as it relates to
Outlook, and patches for the problem, at:

http://www.microsoft.com/ie/security/?/ie/security/oelong.htm

Netscape has not yet posted a fix for the problem, but is working on
one and will have it posted shortly. You can read its security
bulletin at:

http://www.netscape.com/products/security/resources/bugs/longfile.html?hom07prt1

