Seven Windows patches, 2+ critical; New Bagle variant

This issue's topics:

Introduction:
* Seven Windows patches, 2+ critical; New Bagle variant

Virus News:
* Bagle on a roll?

Security News:
* Important Outlook Express cumulative update released
* Local privilege escalation in Windows 2000 Utility Manager
* Local privilege escalation in NT 4.0, Windows 2000 POSIX sub-system
* Patch fixes remote code execution buffer overflow in IIS 4.0
* Critical vuln in Windows 2000, XP Task Scheduler; IE 6.0 SP1 on NT 4.0
* Critical vulnerability in Windows HTML Help patched
* Remote code execution in Windows Shell patched


Introduction:

Seven new Microsoft security patches have been released, two officially rated 'critical' and at least two more arguably so, depending on your system's integrity and user-access separation requirements.

Aside from the new Bagle variant, which shouldn't cause any corporate sites any problems, a miserable piece of dreck known as the 'Atak worm' has been garnering way too much media attention. A near-fatal bug in its self-mailing routine means that in practice it is going nowhere fast except down a well-deserved electronic evolutionary dead-end. Thousands of copies may have been stopped somewhere as the result of a manually orchestrated seeding run, but the electronic spawn of that effort has the motility of the fish in tonight's dinner...


Virus News:

* Bagle on a roll?

Just today a new Bagle variant, Bagle.AB, has caused quite a deal of activity. Last week we reported that the then-new Bagle.Y was distributing copies of its source code along with the virus and that antivirus researchers were concerned that may cause a spike in new Bagle variants being written and released into the wild. While it is too soon to say for sure whether such a spike is occurring, virus analysts who have looked at both variants say this new one is almost certainly based on the source of the earlier one.

Astute readers will also recall that there is some divergence in variant naming in the Bagle family because of close similarities between the Bagle virus family and the Mitglieder keyloggers. Although this new Bagle is correctly the Bagle.AB variant, many antivirus products will call it Bagle.AF.

All antivirus developers have had samples for several hours now - pagers started going off around the world between 10:00 and 11:00am this morning (Friday, New Zealand). Your AV vendor should have an 'emergency' update available or be shipping detection in the next scheduled update.

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center


Security News:

* Important Outlook Express cumulative update released

Microsoft has shipped a cumulative update for Outlook Express (OE) that is publicly rated as of 'moderate' severity. Officially this update is described as fixing a denial of service due to improper bounds checking while OE parses e-mail message headers. Receiving a message with specially malformed headers can cause OE to crash and, if the preview pane is enabled, require some rather arcane manoeuvring to enable OE to be restarted without it crashing repeatedly.

Aside from fixing the header parsing vulnerability, the installer for this update also alters the default security configuration in OE 5.5 SP2 installations so HTML messages are rendered in the Restricted Sites zone. Also, an annoying bug introduced in the MS03-014 cumulative security update, wherein OE 6.0 SP1 and later leaves copies of the Windows Address Book in predictable places with the filename "~", has been fixed.

Note that MBSA and SMS (as the latter uses the former for security update detection) will not detect this as a 'missing patch' as MBSA does not currently check for OE updates. The vulnerability this patch fixes has been publicly disclosed, but is not known to be in active use. Despite that and this being rated of moderate severity, OE has a long and sad security history and it is generally felt that applying all patches for it is the more advisable approach as Microsoft is not above silently slipping fixes for undisclosed vulnerabilities into updates such as this.

Microsoft Security Bulletin MS04-018


* Local privilege escalation in Windows 2000 Utility Manager

Utility Manager has been the source of previous serious vulnerabilities in Windows 2000 and Microsoft generally recommends disabling the service unless it really is needed. Folk who have taken that standard hardening advice will not be vulnerable to this flaw, but those who must run Utility Manager should get the patch and install it.

This latest flaw in Utility Manager can be exploited to allow a locally logged in user to execute programs with greater privileges than that user should have, perhaps even giving full system access. On systems where user privilege separation is important and Utility Manager must be used to enable easy access to Windows' Accessibility features for disabled users, installing the patch should be considered critical.

Note that aside from addressing the specific new vulnerability in Utility Manager, this patch also disables context sensitive help in Utility Manager to harden it against further possible attacks of this nature.

Microsoft Security Bulletin MS04-019


* Local privilege escalation in NT 4.0, Windows 2000 POSIX sub-system

A privilege escalation flaw in the POSIX sub-system of NT 4.0 and Windows 2000 can allow any locally logged in user to elevate their privileges to local system level. Windows XP and Server 2003 no longer include the POSIX sub-system so are not vulnerable.

Aside from installing the patch, the Microsoft security bulletin documenting this issue describes how to disable the POSIX sub-system if you do not need its functionality in your configuration. Again, as for the previous issue, if you must (or prefer to) leave the affected sub-system enabled and have important privilege separation requirements in your environment, this is obviously a more critical patch than the overall rating of 'important' that Microsoft gives it.

Microsoft Security Bulletin MS04-020


* Patch fixes remote code execution buffer overflow in IIS 4.0

NT 4.0 users running IIS 4.0 should seriously consider installing this latest IIS 4.0 patch despite Microsoft rating it as only of 'important' severity. A buffer overflow in the web server's handling of long requests that result in server redirections can be remotely and anonymously exploited to run arbitrary code of an attacker's choice on the victim web server.

This is the same general class of vulnerability that several especially virulent worms, such as CodeRed (on Windows IIS servers) and Slapper (on Linux Apache servers), have exploited in the past. To date there is no known public exploit code for this vulnerability and no evidence of the vulnerability being exploited in the wild. URL 'sanitizers', such as Microsoft's own URLScan, can protect against the types of web requests that would be necessary to exploit this vulnerability, and using such tools is part of general best-practice recommendations for IIS sites.
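As an added illustration (not from the newsletter, Microsoft's bulletin or the URLScan documentation), the request-length section of a URLScan 2.5 urlscan.ini that caps how long a URL or query string IIS is ever asked to handle, which is the kind of filtering the paragraph above describes. The numeric limits are URLScan's shipping defaults as the editor recalls them and the verb list is an assumption for a static site; both should be tuned to what your applications actually need.

```ini
; urlscan.ini fragment - request limits and verb allow-list (added example)

[options]
; Only verbs listed under [AllowVerbs] are passed through to IIS.
UseAllowVerbs=1
; Decode the URL once and reject it if a second decode changes it,
; so encoding tricks cannot smuggle a long or malformed path past the limits.
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Record rejected over-length URLs so attempts show up in the URLScan log.
EnableLogging=1
LogLongUrls=1

[AllowVerbs]
GET
HEAD
POST

[RequestLimits]
; Bytes; requests exceeding any limit are rejected before IIS processes them.
; MaxUrl bounds the path component, which is what a long-request redirect
; overflow depends on; MaxQueryString bounds everything after the '?'.
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```

Restart the IIS Admin Service (or the web site) after editing the file, as URLScan reads its configuration at start-up.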

Microsoft Security Bulletin MS04-021


* Critical vuln in Windows 2000, XP Task Scheduler; IE 6.0 SP1 on NT 4.0

Microsoft has released a patch that fixes a remote code execution vulnerability it rightly rates as being of 'critical' severity in Windows 2000 and XP. Further, NT 4.0 systems that have IE 6.0 SP1 (or later) installed are also vulnerable as the affected component is included as part of the IE installation on that platform.

The vulnerability is due to the way Task Scheduler verifies application names in scheduled jobs and can be exploited remotely, over the Internet. The Task Scheduler runs applications with raised privileges, allowing potential attackers to install and run code of their choice.

Note that MBSA (and therefore SMS as it depends on MBSA for patch detection) will not detect this as a 'missing patch' on NT 4.0 systems with IE 6.0 SP1 (or later) installed. MBSA and SMS correctly detect this patch's status on other affected systems.

Microsoft Security Bulletin MS04-022


* Critical vulnerability in Windows HTML Help patched

Two vulnerabilities, one allowing so-called 'cross-zone' access from other security zones into the privileged 'My Computer' zone and the second allowing remote code execution, have been patched. Microsoft rightly rates the overall severity of these vulnerabilities as 'critical' and all affected users are urged to obtain and install the patch as soon as is practicable.

All currently supported Windows operating systems except NT 4.0 server platforms are vulnerable in their default installations. Further, NT 4.0 is vulnerable if Internet Explorer 5.5 or later (and quite possibly even just the now unsupported IE 5.01) has ever been installed. As this is a critical severity vulnerability, patches have also been provided for Windows 98, 98 SE and ME (which are now in the 'extended support' phase of their lifecycle).

One of the vulnerabilities fixed in this patch has been exploited in the wild several times, so patching should be considered to be very urgent.

Microsoft Security Bulletin MS04-023


* Remote code execution in Windows Shell patched

A publicly disclosed vulnerability in the way the Windows Shell launches applications, which can be exploited to execute arbitrary remote code with the privileges of the exploited user application (most likely IE or OE, or a third-party application embedding IE) has been patched. Although rated as 'important' on all Windows platforms (and thus no patches have been released for Windows 98, 98 SE or ME) it is suspected that this update fixes several other subtle issues that, although not necessarily critical in and of themselves, could greatly ease exploitation of other flaws in Internet Explorer and/or Outlook Express.

Users of affected platforms for which patches are available are therefore strongly recommended to obtain and install them as soon as practicable (face it - with all the other patches your weekend is shot anyway, so why not add another one?).

Windows XP users should also read the Microsoft Knowledge Base article linked after the security bulletin, below. If you run XP and are affected by any of the issues listed in the KB article a hotfix addressing those issues is available from PSS.

Microsoft Security Bulletin MS04-024
