Bruce Steers said,

>> >> i just read this url http://www.abraxis.co.uk/SA-2001-11-08.html
>> >
>> > If you insist on using YAM and AWNPIPE, there is a sort of fix. Rename
>> > AWNPIPE in DEVS:DOSDrivers and change the name in any AWNPipe scripts you
>> > run (stringer is handy for this).
>> >
>> > It's not a real fix, the insecurity is still there, but no one knows the
>> > name of the pipe to send it too.
>> >
>> > This is a serious risk, it is possible to erase a hard drive partition
>> > with this exploit.

>> Neil, I checked devs:dosdrivers, and found a program called Pipe, is this
>> the same thing? The only awnpipe on my system is L:awnpipe-handler. This
>> is the case in my other machine too, also an independent install of 3.9.
>> I don't have it in User-Startup either, as someone on the YAMML mentioned.

It's not the same thing. The affected pipes (AFAIK) are APIPE and
AWNPIPE. If you have awnpipe-handler i L: and AWNPIPE in DEVS:DOSDrivers
or SYS:Storage/DOSDrivers you are vulnerable.

> Mike
> I don't know if Neil is on this list (his msg was posted to the AWNPipe
> list:)

I'm not.

> if you do not have the AWNPIPE descriptor file in devs/dosdrivers then it is
> only mounted when it is needed.

> the URL that showed the risks mainly spoke about APIPE and only mentioned
> AWNPipe but did not mention the normal ADos PIPE.

It affects only APIPE and AWNPIPE AFAIK.

> a better fix would be to make YAM (or whatever) check to see if AWNPipe: is
> mounted and if it is un-mount it before using yam.

All YAM needs to do is strip escape codes from data before passing ti
elsewhere. Or it could check that any file it tries to load is really a
file.

> this could be done by using an ARexx command set as YAM's startup-script (or
> before getting mail) the following script should be either saved as a script
> file in REXX and called from your prog or cut-n-pasted into an existing
> startup-script

That would mean you couldn't use, for example, AWebModes while YAM was
running. If you have a permanent connection and YAM is always running,
this is a major inconvenience.

> the report mentioned ANY MUI internet prog so i guess it includes V and IB as
> well ? also the report mainly spoke of APIPE: the above script can be
> modified by changing the references to AWNPipe: to whatever pipe you want
> checked.

V is secure, because Vapor have been aware of this problem for some time
and have made sure it doesn't pass unchecked data to the system. AWeb is
also secure from similar exploits. I don't know about IBrowse.

The safest approach is to remove AWNPIPE if nothing you have uses it.
Otherwise, rename it and change the scripts that call it. If the pipe
has an arbitrary name, no external source will know the name to use.


Cheers

Neil
--
Nostalgia isn't what it used to be.