Bugtraq mailing list archives

Security Fix for Blackboard CourseInfo 4.0


From: aleph1 () securityfocus com (aleph1 () securityfocus com)
Date: Wed, 19 Jul 2000 15:19:04 -0700


----- Forwarded message from Daniel Cane <dcane () blackboard com> -----

Message-ID: <FB48B8939127D411B07700B0D04903323B6E0A () bbmail1 blackboard net>
From: Daniel Cane <dcane () blackboard com>
To: "'aleph1 () securityfocus com'" <aleph1 () securityfocus com>
Subject: RE: Security Fix for Blackboard CourseInfo 4.0
Date: Wed, 19 Jul 2000 16:18:50 -0400
X-Mailer: Internet Mail Service (5.5.2650.21)

I would love you to. There has also been some traffic about some other bugs
which have been fixed in previous versions. Could you post the following:

-----------

Blackboard has recently learned about a possible security issue with
Microsoft NT that could impact Blackboard customers running Blackboard
CourseInfo 4.0 with Microsoft NT.  This combination does NOT affect clients
using CourseInfo 4.0 on Unix or any client who has upgraded to Blackboard 5.

In collaboration with Microsoft, the Blackboard product development team has
developed a fix that will generate the level of security that our customers
expect.  The patch encrypts the information that Blackboard stores within
the System Registry.

You can have direct access to the download at
http://company.blackboard.com/Support/files/Courseinfo4hotfix.exe.

The patch is also available by following these instructions:
o Go to http://support.blackboard.com
o Go to the "System Administrator Support" area and login with your user ID
and password
o Click on "What's New"
o Click the item titled: "NT Security Encryption Patch"
Once the patch has been downloaded, follow the regular procedures to upgrade
your server.

Also, if you have not already done so, it is suggested that you protect your
registry from network access since the default permissions within the
Windows NT Server do not restrict who has remote access to the registry.
Microsoft has provided detailed instructions at
(http://www.microsoft.com/TechNet/security/c2config.asp#25).

Additionally, there have been messages floating around the net regarding the
ability for users to change each other's passwords and change their security
level within the software. As of the February 2000 release of the software,
Build 408 of CourseInfo 4.0, the security concerns mentioned on
several listservs by which unauthorized users can change passwords or
upgrade roles through circumventing the user interface and posting directly
to the application itself do not exist.

Blackboard continues its mission to provide the best possible online
academic teaching and learning experience possible.  If you have any
questions about this patch or the upgrade, please feel free to contact our
Technical Support Line at (888) 788-5264.

Thanks!

Daniel Cane
Senior Vice President
Advanced Research and Development
Blackboard, Inc.
1899 L St. NW
5th Floor
Washington, DC 20036
202-463-4860 ext. 204 (voice)
202-463-4863 (fax)
dcane () blackboard com
http://www.blackboard.com/

 -----Original Message-----
From:   aleph1 () securityfocus com [mailto:aleph1 () securityfocus com]
Sent:   Wednesday, July 19, 2000 3:47 PM
To:     Daniel Cane
Subject:        Re: Security Fix for Blackboard CourseInfo 4.0

Daniel,

  Care to post this information to the BUGTRAQ mailing list as well?
It's at bugtraq () securityfocus com. Thanks.

* Daniel Cane (dcane () BLACKBOARD COM) [000718 20:24]:
To whom it may concern:

Blackboard has recently learned about a possible security issue with
Microsoft NT that could impact Blackboard customers running Blackboard
CourseInfo 4.0 with Microsoft NT.  This combination does NOT affect clients
using CourseInfo 4.0 on Unix or any client who has upgraded to Blackboard 5.

The Blackboard product development team has developed a fix that will
generate the level of security that our customers expect.  The patch
encrypts the information that Blackboard stores within the System Registry.

You can have direct access to the download at
http://company.blackboard.com/Support/files/Courseinfo4hotfix.exe.

The patch is also available by following these instructions:
o Go to http://support.blackboard.com
o Go to the "System Administrator Support" area and login with your user ID
and password
o Click on "What's New"
o Click the item titled: "NT Security Encryption Patch"
Once the patch has been downloaded, follow the regular procedures to upgrade
your server.

Also, if you have not already done so, it is suggested that you protect your
registry from network access since the default permissions within the
Windows NT Server do not restrict who has remote access to the registry.
Microsoft has provided detailed instructions at
(http://www.microsoft.com/TechNet/security/c2config.asp#25).

Blackboard continues its mission to provide the best possible online
academic teaching and learning experience possible.  If you have any
questions about this patch or the upgrade, please feel free to contact our
Technical Support Line at (888) 788-5264.

Regards,

Blackboard, Inc.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum


