Newsroom worm makes for big story

Worms running rampant on the internet, causing large numbers of sites to 'shut up shop' and the like, tend to get news headlines.

This issue's topics:

Introduction:

* Nine Windows updates/warnings, many critical; OS X and CPAINT updates

Virus News:

* Newsroom worm makes for big story

* Hasta la virus, baby

Security News:

* YACCUFIE — Yet another critical cumulative update for IE

* Critical Plug and Play vulnerability patched

* Remote code execution in Telephony Server fixed

* Windows Remote Desktop Protocol update fixes denial of service flaw

* Two low to moderate severity Windows Kerberos security fixes

* Critical remote code execution in Windows Print Spooler fixed

* MS05-023 revised

* MS05-032 revised

* Microsoft warns of yet another COM object vulnerability

* Multiple Mac OS X security updates

* Server command injection vulnerability in CPAINT Ajax Toolkit fixed

Introduction:

Sorry for the unannounced break the last couple of weeks. As my time is especially pressured at the moment and we have a bumper issue — this is the second-largest piece of copy I've ever submitted to the V&S Watch editorial team — with many new and revised Windows patches and a series of worm outbreaks based on one of those new vulnerabilities, and a few other big stories, I'll not say any more by way of introduction, and simply let you sort your way through the content.

Virus News:

* Newsroom worm makes for big story

Worms running rampant on the internet, causing large numbers of sites to "shut up shop" and the like, tend to get news headlines.

They're not common but the likes of Code Red, Blaster and Sasser spring to mind.

But a new phenomenon was seen last week. Faced with the machines in its own newsrooms persistently crashing and its own computer techs trundling around scratching their heads, CNN possibly over-hyped a real but not so massive worm outbreak. True, other sites reported similar symptoms, but those symptoms were common to most, if not all, of the dozen or so MS05-039 Plug and Play vulnerability-exploiting worms and standalone exploits that had been seen by then (see the second item in the Security section, below). True, in at least some of those cases samples of the same worm found at CNN were confirmed to have been captured, but in many others there was no definite confirmation of the actual cause of the reported symptoms.

Something really happened, but the impression gained from watching CNN's coverage did not match the feeling for the size of this event experienced by seasoned security professionals "in the trenches".

It made for good news coverage though. While most large corporations are loath to even admit they have been affected by such outbreaks, all CNN had to do to capture evidence of this worm was send camera crews around its newsrooms. They came back with excellent footage of crashing machines, perplexed and frustrated users, "confoozled" technicians and so on.

Windows worm spreading; CNN among those affected — computerworld.co.nz

Worm strikes down Windows 2000 systems — cnn.com

Virus Attacks Windows Computers at Companies — nytimes.com (registration required)

CA: Windows 2000 worms now affecting 250,000 — computerworld.co.nz

What You Should Know About Zotob — microsoft.com

Computer Associates Virus Information Centre

F-Secure Security Information Centre

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Hasta la virus, baby

OK, so this is old news (what a terrible oxymoron!), but in case you haven't heard, the virus writers' collective thirst for being the first to produce a virus for newly released computing platforms has possibly hit a new high (or low, depending on your point of view).

Juvenile Austrian virus writer "SPTH" has released several uninspired, trivial yet buggy "proof of concept" viruses for Microsoft Shell (MSH, previously code-named Monad).

This is an experimental Microsoft scripting environment originally expected (well, maybe "hoped" by some) to be the command shell of what was then still code-named Longhorn. MSH is undoubtedly a much improved shell over its forerunners, cmd of the NT-era OSes and the truly bad command.com stretching all the way back to MS-DOS 1.0, but with the release of the first Vista beta sans MSH, it was clear that MSH would not be shipping with Vista. (A beta version of MSH that installs on XP and Server 2003 is available, by invitation, from BetaPlace.)

Anyway, these proof of concept MSH viruses are so derivative and uninspiring that they probably would not normally have featured here at all (and, in fact, they didn't). However, an early, shall we say "enthusiastic", entry in the F-Secure virus analysts' blog announcing 'First "Vista Virus" found' raised the ire of some "softies" who blogged back that MSH wouldn't be in Vista so these can't be 'the first Vista viruses'.

The battle of the blogs went something like this:

First "Vista Virus" found — f-secure.com

A virus for Windows Vista? Wrong — blogs.technet.com

Monad and the "First Vista Virus" — leeholmes.com

Slashdot article incorrect — blogs.technet.com

Latest on the "Danom" MSH virus — f-secure.com

Security News:

* YACCUFIE — Yet another critical cumulative update for IE

Another Microsoft Patch Tuesday and another cumulative update for Internet Explorer. Two of the included patches are rated as "critical" on all, or virtually all, of the supported platforms, including Windows 98. The aggregate severity assessment across all included vulnerability fixes is "critical" for all platforms.

Included among the fixes are further fixes to a bunch of vulnerabilities similar to that fixed in last month's MS05-037 IE security update that addressed the JView Profiler (javaprxy.dll) vulnerability.

This fix involves setting the 'kill bit' for various COM objects that were never intended to be accessed through IE, but which were able to be called (and exploited) through ActiveX-related functionality. The remotely exploitable buffer overflow in the JPEG parser was publicly disclosed before this update was released, but it is not yet known to have been actively used in hostile web pages or HTML email.

Users who very promptly installed these updates when they were released last Tuesday (Wednesday in New Zealand) should note that some of the updates have been re-released due to packaging errors. If your chosen installation method included any of the packages affected by this, Microsoft strongly recommends that you obtain the updated packages and re-install them, even if the initial installation appeared to proceed normally. For more details, please carefully review the bulletin, linked below.

Also note that although Microsoft states in the security bulletin associated with this update that at the time of release there was no known public exploitation of any of the newly-killed COM objects, shortly after the patches were released several web pages were discovered that appeared to exploit one of these newly-announced "bad" COM objects, apparently in order to install adware and spyware as the payload.

Microsoft Security Bulletin MS05-038

* Critical Plug and Play vulnerability patched

Microsoft has released patches for a Plug and Play vulnerability that affects all supported Windows OSes, including all 64-bit versions. On Windows 2000 systems this vulnerability is rated as "critical" severity because it can be remotely exploited by anonymous users. On all other affected OSes it is rated "important" because valid user credentials are necessary to exploit the vulnerability, and in most of those cases it is not remotely exploitable at all, or only through an administrator-privilege user login.

As well as allowing remote arbitrary code execution in some cases, this vulnerability can be exploited locally to provide privilege elevation. Note that, on Windows 2000 systems, installing the patch not only removes the vulnerability, but adds the policy requirement that only authenticated users are able to communicate with the Plug and Play components across the network. This change brings the functionality of this aspect of Windows 2000 into line with the increased security stance of this component in Windows XP and later versions.

Shortly after this vulnerability was announced and the update made available, "proof of concept" exploit code was publicly posted on the web, leading to speculation that a worm was likely to follow, given that the vulnerability opened up remote anonymous code execution on Windows 2000 machines. In fact, as of this writing more than a dozen new worms exploiting the vulnerability have been discovered. Many were existing worms or bots whose authors simply added another spread mechanism via an exploit of this vulnerability. Although to date none of these worms has caused an epidemic outbreak like Blaster or Sasser, one of them gained special media attention by "striking it lucky" and affecting computers at CNN in New York and Atlanta and at other media centres such as ABC and the New York Times.

It was probably just coincidence that several large media operations were hit, but it fuelled suggestions, particularly within media circles, that the media itself had been picked out for special attack. That particular conspiracy theory neatly ignores that several other large sites with no notable media interests, such as Caterpillar and the US Immigration Service were also reported to have been affected by similar, if not the same, "computer problems".

The virus news section, above, has coverage of the specific worm variant that is known to have been responsible for some of those "high profile" incidents, and that seems likely responsible for most of the ruckus on Wednesday 17 August (late Tuesday 16 August in the US).

Microsoft also used its recently established security advisory mechanism to release an advisory (the first link below) on the Zotob worm family, which specifically exploits this vulnerability, and into which some antivirus companies have erroneously classified the worm most likely responsible for most of last Wednesday's commotion.

Finally, that same Microsoft security advisory was updated later in the week to add information about the role of null sessions in exploiting this vulnerability on Windows 2000 machines, and the "RestrictAnonymous" registry value controlling their availability. Even unpatched Windows 2000 systems are immune from remote exploits of this vulnerability, including its use in any network worm, if null sessions are disabled (RestrictAnonymous set to 2; the lower setting of 1 only restricts enumeration of accounts and shares and still lets the null session itself connect). By default XP and later Windows OSes have null sessions "partially disabled" and there are further policy restrictions regarding which users are allowed access to the Plug and Play component across the network. However, Windows 2000 has null sessions enabled by default and it seems surprisingly few organisations change this setting.

Null sessions have, for the best part of a decade, been well known to expose various less-than-desirable "features", with Microsoft first introducing some control over what resources null sessions could access via the RestrictAnonymous value, which appeared in Windows NT 4 Service Pack 3.

Aside from the Microsoft resources that the security advisory recommends to anyone considering limiting null sessions with RestrictAnonymous, an excellent presentation on this topic by Jean-Baptiste Marchand of Hervé Schauer Consultants is also linked below and recommended by your newsletter compiler (as are most of the other Windows resources on the HSC website).

Vulnerability in Plug and Play Could Allow Remote Code Execution — microsoft.com

MSRPC NULL sessions: exploitation and protection — hsc.fr

Microsoft Security Bulletin MS05-039

* Remote code execution in Telephony Server fixed

Similar to the Plug and Play vulnerability described in the preceding item, this is a local privilege elevation vulnerability that may, depending on OS version and system configuration, also be remotely exploitable with arbitrary code execution. However, unlike the Plug and Play vulnerability, this one is rated only as being of "important" severity because no default configurations are remotely vulnerable.

As the Telephony Service supports TAPI (Telephony Application Programming Interface) functionality and several other commonly-used services are dependent on TAPI (for example, dial-up networking, RAS and the FAX service), the obvious workaround of disabling the affected service will not be at all practical for many Windows users, so obtaining and installing the patch as soon as practicable is probably the best approach. The Telephony Service itself contains the local elevation of privilege vulnerability at the core of this issue, but that vulnerability can be exposed across the network if the Telephony Server is enabled (this is only an option on Windows 2000 Server and Windows Server 2003).

These vulnerabilities apply equally to 32- and 64-bit versions of all currently supported OSes. Because this is not rated as "critical" severity on those platforms, there is no patch for Windows 98 or ME.

Microsoft Security Bulletin MS05-040

* Windows Remote Desktop Protocol update fixes denial of service flaw

Updates for Windows 2000 Server, Windows XP and Windows Server 2003 (including all 32- and 64-bit versions of the latter two) fix a "moderate" severity denial of service vulnerability in the Remote Desktop Protocol (RDP) component of these OSes. RDP is not enabled by default on any of the affected OSes, but systems running Terminal Services, Remote Desktop or Remote Web Workplace are potentially vulnerable.

More details, including download links for the update, are available from the Microsoft security bulletin linked below.

Microsoft Security Bulletin MS05-041

* Two low to moderate severity Windows Kerberos security fixes

A flaw in the processing of specially malformed Kerberos messages directed to a domain controller could be used to crash the server, and then prevent further user authentication processing by the server. This vulnerability only affects Windows 2000 Server and Windows Server 2003. As normal best-practice firewalling should restrict access to the vulnerable service from "outside", and the vulnerability can only be exploited by someone with valid login credentials, this is rated a "moderate" severity vulnerability.

Another Kerberos-related vulnerability is also fixed in the same update package, but this affects the client-side implementation in Windows 2000 Professional and Windows XP as well as the server versions described in the previous paragraph.

A "man in the middle" style attack against the PKINIT design and implementation is addressed in this update. PKINIT is used where smart cards are employed for interactive login and an information disclosure vulnerability in the PKINIT protocol allows for a spoofing attack. The requirements to successfully execute such an attack are quite high, so Microsoft rates this as a "low" severity vulnerability. Note that to entirely fix this vulnerability in a domain environment, all domain servers and clients must be patched and restarted.

This update also includes a functionality change, adding the "RequireAsChecksum" registry key and its associated option which is thought to add protection against further possible PKINIT-related vulnerabilities. It is recommended that anyone considering implementing this option read the associated Knowledge Base article carefully and follow the update installation and activation order for this option as described. Microsoft recommends that this new optional configuration setting be adopted.

Microsoft Security Bulletin MS05-042

* Critical remote code execution in Windows Print Spooler fixed

On Windows 2000 and XP SP1 this remote code execution vulnerability is rated as having "critical" severity, whereas it is rated as "moderate" on Windows XP SP2 and Server 2003 Gold (x86 and Itanium versions). All other currently supported OSes — Windows XP Pro x64, Server 2003 x64 and Server 2003 SP1 (x86 and Itanium versions) — are not affected.

The difference in severity rating between the two groups of affected OSes is due to the vulnerability being limited to authenticated users in the second group, whereas it is open to anonymous users in the first group.

Microsoft Security Bulletin MS05-043

* MS05-023 revised

Although the original MS05-023 bulletin specifically listed Word 2003 Viewer in the "Not Affected" table (which led to our advice that users of all previous Word Viewer versions should update to that version), Microsoft has revised the bulletin to include Word 2003 Viewer as an affected product. This means, of course, that there is now an updated version of the viewer that is not vulnerable to the arbitrary code execution vulnerabilities reported in MS05-023. There is no patch though, so Word Viewer users, regardless of version, will have to download the full Word 2003 Viewer installer and run that.

Also, note that MBSA does not support the Word Viewer application, so MBSA will not detect the need for this update.

Microsoft Security Bulletin MS05-023

* MS05-032 revised

Users of 64-bit versions of all supported Windows OSes who have already installed the MS05-032 update are recommended to obtain and install the appropriate revised security update, due to a problem with the originally released update. The MS05-032 security bulletin describes the setting of the "kill bit" on the Microsoft Agent v1.5 ActiveX control. The original 64-bit updates properly set the kill bit for the 64-bit version of IE, but do not properly set it for the 32-bit versions of IE, so Microsoft recommends installing the revised update even where the original 64-bit update has already been applied.

Microsoft Security Bulletin MS05-032

* Microsoft warns of yet another COM object vulnerability

A bit over a month back it was a security advisory warning about problems with the javaprxy.dll COM object being called as if it were an ActiveX control, followed in quick succession by the MS05-037 security bulletin and patch to address that issue.

Then, this month's Patch Tuesday (see above) brought news of 30 more dud COM objects that could be similarly exploited and have now been kill-bitted, and we have subsequently seen real-world attempts to exploit some of those.

Then, late last week, an exploit of yet another Microsoft COM object that was never intended to be used as an ActiveX control, msdds.dll, was posted to a website and word passed quickly through the security community. Microsoft responded by posting yet another security advisory, linked below.

In brief, users of Visual Studio 2002 and/or Office XP SP3 may be at risk and are recommended to read the security advisory to determine which versions and configurations of those applications are at risk. The versions of msdds.dll known to be vulnerable are 7.0.9064.9112 and 7.0.9446.0. Versions 7.0.9955.0, 7.10.3077.0 and higher are not vulnerable according to Microsoft.

As with the earlier cases of such COM objects not intended for use as ActiveX controls in IE, setting the "kill bit" on this control is a suitable workaround that should not affect any of the normal functionality of this DLL.

The security advisory directs readers to the "How to stop an ActiveX control from running in Internet Explorer" Knowledge Base article, describing the general procedure for setting the kill bit on a control. Several other workarounds with varying effectiveness and/or side-effects are also described.
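Both of the registry settings discussed above, RestrictAnonymous (in the Plug and Play item) and the ActiveX kill bit (here), are easy to audit across a fleet from `reg export` output. The following is an added example, not code from the newsletter, Microsoft or any of the linked resources. It assumes the standard `.reg` export format, the value paths from the Microsoft KB articles (RestrictAnonymous under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and `Compatibility Flags` bit 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`), and uses an all-zero placeholder CLSID rather than the real CLSID of msdds.dll, which is given in the advisory. The sample exports are constructed, not captured from a real machine.

```python
import re

# Key paths as `reg export` writes them (registry paths are case-insensitive)
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
AXCOMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400            # "Compatibility Flags" bit described in KB 240797

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse `reg export` text into {key_path_lower: {value_name_lower: value}}.
    Only dword and plain string values are decoded; other types stay as raw text.
    Note: reg export writes UTF-16LE files, so open them with encoding="utf-16"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue                              # e.g. continuation lines of hex: values
        name = (m.group(1) or "").lower()         # "@" (default value) becomes ""
        val = m.group(2)
        if val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = val
    return keys


def restrict_anonymous(reg):
    """RestrictAnonymous level. Absent means 0, the Windows 2000 default (null
    sessions allowed). 1 only hides SAM/share enumeration; the null session still
    connects. 2 (Windows 2000 only) refuses null sessions outright, which is what
    denies anonymous remote access to the MS05-039 Plug and Play interface.
    Caveat: level 2 can break down-level clients and some trust scenarios; test first."""
    return reg.get(LSA_KEY.lower(), {}).get("restrictanonymous", 0)


def null_sessions_disabled(reg):
    return restrict_anonymous(reg) >= 2


def kill_bit_set(reg, clsid):
    """True if IE will refuse to instantiate the control with this CLSID."""
    flags = reg.get((AXCOMPAT_KEY + "\\" + clsid).lower(), {}).get("compatibility flags", 0)
    return isinstance(flags, int) and bool(flags & KILL_BIT)


def audit(reg_text, clsids):
    """Summarise both checks for one exported registry."""
    reg = parse_reg_export(reg_text)
    return {
        "restrict_anonymous": restrict_anonymous(reg),
        "null_sessions_disabled": null_sessions_disabled(reg),
        "kill_bits": {c: kill_bit_set(reg, c) for c in clsids},
    }


# Constructed sample exports. The CLSID is a placeholder, not msdds.dll's real one.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000002
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400
"""

DEFAULT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_EXPORT), ("default", DEFAULT_EXPORT)):
        print(label, audit(text, [PLACEHOLDER_CLSID]))
```

To use it against real machines, run `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"` on each host, concatenate the files, and pass the text with the CLSIDs from the advisory and from MS05-038's list. An absent `Compatibility Flags` value means the control is not kill-bitted, which is why `kill_bit_set` treats a missing key as False.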

Msdds.dll Could Cause Internet Explorer to Unexpectedly Exit — microsoft.com

* Multiple Mac OS X security updates

Security Update 2005-007 for OS X has been released and fixes a multitude of vulnerabilities in components ranging from the obscure to the downright common. Severity ranges from information disclosure through arbitrary code execution. Some vulnerabilities affect only the server versions of OS X, some only 10.4.2, others only 10.3.9.

But, there are lots and lots of vulnerabilities fixed and some will be of critical severity on whatever combination of 10.3.9 vs. 10.4.2, client versus server that you run, so obtaining and installing these as soon as is practicable is highly advisable.

About Security Update 2005-007 — apple.com

* Server command injection vulnerability in CPAINT Ajax Toolkit fixed

The original author of the CPAINT Ajax Toolkit has warned of a serious vulnerability in all versions of the toolkit prior to v1.3-SP; the ASP and PHP versions are equally affected, as is any application built on them. The flaw allows an attacker to run commands on, and read files from, servers running CPAINT-based web applications.

Ajax-style applications of the kind CPAINT is built to support include some of the most prominent web apps, such as Flickr, Gmail and MSN Virtual Earth, so the implications of this class of vulnerability cannot be overstated. Further, in a message posted to the Bugtraq mailing list, CPAINT's author warned "We also suspect this problem affects other AJAX toolkits (as they are all very similar in the way they execute functions on the backend) and urge other AJAX toolkit authors and users to test for any security problems as well".
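The author's warning above is about how Ajax backends "execute functions": the browser names a server-side function and the proxy script runs it. The following is an added illustration of that class of flaw and its fix, written in Python for this newsletter; it is not CPAINT's code (which is PHP and ASP) and the JSON request format is an assumption, not CPAINT's wire format. The requests are constructed; the hostile one deliberately calls only `os.getcwd` so it is harmless to run, but the same path reaches `os.system` or `open`, which is the command-execution and file-read impact described above.

```python
import json


# Functions the page's JavaScript is meant to be able to call.
def greet(name):
    return "Hello, %s" % name


def add(a, b):
    return int(a) + int(b)


class RpcError(Exception):
    pass


def dispatch_unsafe(request_json):
    """Vulnerable pattern: the backend trusts the function name sent by the
    browser and resolves it with eval(). Anything eval can reach, for example
    __import__('os').system or open, becomes callable with attacker-chosen
    arguments: remote command execution and arbitrary file reads."""
    req = json.loads(request_json)
    fn = eval(req["function"])            # attacker-controlled expression
    return fn(*req.get("args", []))


REGISTERED = {"greet": greet, "add": add}   # explicit allowlist of exposed functions


def dispatch_safe(request_json):
    """Hardened pattern: the supplied name is only a lookup key into functions the
    application registered; the request text never reaches eval or globals()."""
    req = json.loads(request_json)
    name = req.get("function")
    fn = REGISTERED.get(name) if isinstance(name, str) else None
    if fn is None:
        raise RpcError("function not registered: %r" % (name,))
    args = req.get("args", [])
    if not isinstance(args, list):
        raise RpcError("args must be a JSON array")
    try:
        return fn(*args)
    except TypeError as exc:              # wrong arity or argument types
        raise RpcError("bad arguments: %s" % exc)


# Constructed requests (not real CPAINT traffic).
LEGIT_REQUEST = json.dumps({"function": "add", "args": [2, 3]})
HOSTILE_REQUEST = json.dumps({"function": "__import__('os').getcwd", "args": []})


if __name__ == "__main__":
    print(dispatch_unsafe(LEGIT_REQUEST))     # 5
    print(dispatch_unsafe(HOSTILE_REQUEST))   # the server's cwd: attacker-chosen code ran
    print(dispatch_safe(LEGIT_REQUEST))       # 5
    try:
        dispatch_safe(HOSTILE_REQUEST)
    except RpcError as exc:
        print("blocked:", exc)
```

The allowlist is the whole fix: once the only thing the request can select is an entry in a table the application filled in, the toolkit's "execute a named function" feature stops being an "execute any function" feature. Argument validation inside each registered function is still the application's job.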

Development tool security hole threatens internet apps — computerworld.co.nz

Security Hole found in CPAINT v1.x — cpaint.sourceforge.net

Archived Bugtraq list message — securityfocus.com
