Sasser scoundrel snags suspended sentence


This issue's topics:

Introduction:

* Sasser slap; Windows, Oracle, OS X, PHP, krb5, Mozilla updates

Virus News:

* Sasser scoundrel snags suspended sentence

Security News:

* Critical Word 2000, 2002 (Office XP) and Works Suite 200x updates

* Buffer overflow in Microsoft Colour Management Module fixed

* JView Profiler (javaprxy.dll) remote code execution update

* MS05-033 revised; additional Services for UNIX patches available

* Mac OS X 10.4.2 update includes security fixes

* Multiple security fixes for Firefox/Mozilla/Thunderbird; Netscape too?

* PHP 4.4.0 maintenance release fixes serious memory corruption bug

* Critical krb5 vulnerabilities fixed

* Multiple critical updates for Oracle products

Introduction:

Another VX'er walks [relatively] free. Following a long tradition of lenient through downright laughable sentences for such crimes, the German courts have handed a cheery "naughty boy" message to the writer of Sasser and the wannabe net-ne'er-do-wells following him.

On the security front, Microsoft's Patch Tuesday rolled around again last week, with three updates, all rated "critical".

Likewise, Oracle's monthly patch date occurred last week — I tired of counting them, but according to Secunia staff, Oracle admitted to fixing 47 vulnerabilities in this month's patch bonanza. Apple has also released a large update for Tiger (OS X 10.4) this month, but most of that updated code is feature enhancements and non-security patches, though there are two important security fixes among all those megabytes.

Despite the hype, the Mozilla-based browsers are not necessarily "more secure" than IE (although it's very hard to settle on any meaningful metric by which to judge such things): another update for Firefox and Thunderbird has shipped, and another with the same fixes for the Mozilla Suite is expected too. The main advantage these browsers hold is that, with their less than dominating market share, the bad guys do not (yet) seem terribly interested in exploiting the vulnerabilities discovered in them (perhaps the fact, or at least the perception, that these browsers tend to be used by the more security-aware users also works against such exploitation?).

Finally, important updates for PHP and MIT's krb5 Kerberos implementation should be checked out by potentially affected users.

Virus News:

* Sasser scoundrel snags suspended sentence

Sven Jaschan, the now 19-year-old German author of the Sasser worm, was handed a 21-month suspended sentence on three years probation and 30 hours community service at the end of his trial last week. The trial and sentencing were carried out under German juvenile court guidelines because Jaschan was 17 at the time of the crime. That there was no fine and no attempt to provide reparation to the victims has many feeling the sentence was far too lenient — see the second and third links below for a taste of the commentary this sentencing has raised.

Jaschan was clearly aware of what he was doing and to some degree the sentencing apparently reflects that, with the court noting Jaschan's "mischievous glee" when he successfully improved the worm, developing faster-spreading versions. This inclined the court toward the two-year sentence requested by the prosecution, rather than the one year term suggested by Jaschan's defence.

Still, one is left to wonder what sentence he would have received had he not been so outwardly pleased with himself? A slap on the back of the hand with a wet bus ticket? Oh wait, that is what he got. And his mates got to split a US$250,000 reward for dobbing him in!

Sasser worm creator sentenced by German court

78% feel virus writer sentence was not harsh enough — sophos.com

Worse Than Death — nytimes.com (Registration req'd)

Security News:

* Critical Word 2000, 2002 (Office XP) and Works Suite 200x updates

Microsoft has released updates for Word 2000 and 2002 (the version in Office XP) that address a remote arbitrary code execution vulnerability in those applications' handling of malformed fonts embedded in Word document files. This vulnerability is not known to have been actively exploited, but this may change if technical details of the buffer overflow underlying the vulnerability are disclosed.

Works Suite 2000 and 2001 include Word 2000, and Works Suite 2002, 2003 and 2004 include Word 2002, so all these packages are also affected. The Word version-appropriate patch for your version of Works should be obtained and installed on machines running these versions of Works Suite. Note that earlier versions of Word may also suffer this vulnerability but are no longer supported, so users of earlier versions of Word and Works Suite may remain vulnerable.

Before trying to obtain and install these updates, carefully note the Word Service Pack versions required by them, and obtain and install those first. History suggests this can be a non-trivial exercise, particularly for those with bundled, pre-installed OEM versions of the applications, because the Service Pack installers insist on checking the original media, which many pre-installed OEM packagings of this software legitimately lack.

MBSA 1.2.1 users should note that MBSA can only detect necessary Office updates during local scans; remote (network) scanning will fail to detect the need for these updates. The newly-released MBSA 2.0 can remotely detect the need for Office XP updates but does not support earlier versions such as Office 2000.

Word 2003 is not vulnerable to this flaw but users of the free "Word Viewer" programs that allow reading and printing but not editing of Word document files should note that only the Microsoft Office Word 2003 Viewer version is now considered supported, and it is also specifically listed as "non-affected".

This suggests that earlier versions of Word Viewer may well be vulnerable but, as they are no longer supported, Microsoft has not checked them (or, if it has, will not be making any public comment on what it found). Prudence would suggest that users of such earlier versions of Word Viewer should update to the Microsoft Office Word 2003 Viewer to ensure that they are not vulnerable to possible future exploitation via this vulnerability.

Microsoft Security Bulletin MS05-035

* Buffer overflow in Microsoft Colour Management Module fixed

Rated as "critical" severity on all currently supported platforms except Windows 98 and ME (so no patch for them), a buffer overflow in Windows' Colour Management Module can be remotely exploited to execute arbitrary code. This vulnerability could be exploited through a specially prepared malformed graphics file hosted on a webpage or sent to a victim as part of an HTML (or possibly other "graphics included" email message), or simply as an email attachment the recipient is exhorted to view.

Although the security bulletin accompanying the release of this update says that Microsoft was not aware of any public disclosure of the vulnerability or methods to exploit it, it also says Microsoft knows of attempts to exploit this vulnerability. All this makes the colour management vulnerability a likely target for the phishers, other scammers and "drive-by" adware and spyware installers who already pollute the internet.

Further, although Microsoft was not aware of any public disclosure of the vulnerability or methods to exploit it, some limited information of the locus of the mishandled data that triggers the overflow has subsequently been disclosed on a public mailing list. Coupled to Microsoft's claim that the vulnerability has been actively exploited, it's a fair bet that some of the "bad guys" are now huddled over their debuggers and code disassemblies, working out how to exploit this to their advantage.

Although this is not specifically an Internet Explorer vulnerability, it should be treated as if it were an IE remote code execution flaw, as the attack surface is the same, if not larger.

Microsoft Security Bulletin MS05-036

* JView Profiler (javaprxy.dll) remote code execution update

Further to our earlier reports on this publicly disclosed remote code execution exploit, already in limited use for nefarious purposes, Microsoft has raised the issue from a security advisory to a full, "critical" severity rated security bulletin, with an update.

Internet Explorer can be persuaded, by a webpage, to load the JView Profiler component of the Microsoft Java Virtual Machine, via its COM interface as if it were an ActiveX control. This process can be controlled by the webpage to corrupt system memory in such a way that arbitrary code of an attacker's choice can be run with elevated privileges, surrendering complete control of the victim's system to the attacker.

Microsoft has completed its investigation of this vulnerability and, on this month's Patch Tuesday, raised the status of its earlier recommended "workaround" of setting the "kill bit" on the javaprxy.dll component, to the level of a critical security update. If you followed our earlier discussion of this issue and "kill bitted" this .dll, there is nothing further to do. But if you didn't, you now have a further "patch" to install.
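One way to confirm that the kill bit is actually in place on a machine (and to apply it where it is not), as an added example that is not from this newsletter or from Microsoft. It assumes the documented kill-bit mechanism (bit 0x400 of the "Compatibility Flags" value under the ActiveX Compatibility key); the CLSID shown is a placeholder, since the real javaprxy.dll CLSID is given in the MS05-037 bulletin, not on this page.

```powershell
# Added example: check (and optionally set) the Internet Explorer kill bit for a COM class.
# The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# The default CLSID below is a PLACEHOLDER; substitute the javaprxy.dll CLSID from MS05-037.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder, not the real CLSID
    [switch]$Set
)

$KillBit = 0x400
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-KillBit {
    param([string]$Path)
    # Returns $true only when the key exists and the 0x400 bit is present in Compatibility Flags.
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

if (Test-KillBit -Path $KeyPath) {
    Write-Output "Kill bit already set for $Clsid; nothing further to do."
} elseif ($Set) {
    # Writing under HKLM needs administrative rights; keep any other flag bits already present.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -Value ($existing -bor $KillBit) -Type DWord
    Write-Output "Kill bit set for $Clsid."
} else {
    Write-Output "Kill bit NOT set for $Clsid; re-run with -Set from an elevated prompt, or install the MS05-037 update."
}
```

Installing the MS05-037 update sets the same bit, so on a patched machine the check should report the bit as already set.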

Microsoft Security Bulletin MS05-037

* MS05-033 revised; additional Services for UNIX patches available

The MS05-033 security bulletin has been revised to include information on the availability of updates for Services for UNIX 2.0 and 2.1, which fix an information disclosure vulnerability in the telnet client included with those products.

Microsoft Security Bulletin MS05-033

* Mac OS X 10.4.2 update includes security fixes

Apple's 10.4.2 update of Mac OS X includes a couple of security fixes, detailed on the first page linked below. The second and third links are to the download pages for the "delta" and "combo" versions of the update (the delta is 44 MB and only applies to 10.4.1, whereas the combo update will apply to 10.4.0 or 10.4.1 but weighs in 14 MB heavier).

About the security content of the Mac OS X 10.4.2 update

Mac OS X 10.4.2 Update — apple.com

Mac OS X 10.4.2 Update Combo — apple.com

* Multiple security fixes for Firefox/Mozilla/Thunderbird; Netscape too?

Several critical security vulnerabilities in the Mozilla browser engine have been fixed and users are strongly advised to obtain and install updated versions of affected software.

Updates for Firefox (1.0.5) and Thunderbird (1.0.5) that include these fixes have already shipped and are available from the Mozilla project's home page (linked below), and are being shipped in various update package formats for the popular Linux distributions that include them.

The fixes included in those Firefox and Thunderbird releases are listed on the "known vulnerabilities" page as fixed in Mozilla Suite 1.7.9, but 1.7.8 is the latest version being offered from mozilla.org — presumably 1.7.9 is expected soon.

At least two of the vulnerabilities are claimed to affect the current 8.0.2 release of the Netscape browser, so users of that browser would be advised to keep an eye open for updates. As of this writing, there is no mention of a newer release than Netscape 8.0.2.

Mozilla project home page — mozilla.org

Known Vulnerabilities in Mozilla Products — mozilla.org

* PHP 4.4.0 maintenance release fixes serious memory corruption bug

Improper use of references in earlier versions of PHP could produce often non-obvious memory corruptions that eventually led to erratic behaviour such as variables and objects changing class and so on. Because the fix changes the internal API of PHP, binary extension modules must be recompiled to work with the 4.4.0 release.

PHP 4.4.0 Release Announcement — php.net

* Critical krb5 vulnerabilities fixed

MIT has posted security advisories describing three critical vulnerabilities in its krb5 Kerberos implementation.

A double-free bug in krb5_recvauth can allow remote arbitrary code execution, and memory corruption issues in the krb5 Key Distribution Centre (KDC) expose it to denial of service and possibly remote arbitrary code execution.

The upcoming krb5-1.4.2 release will incorporate fixes for these vulnerabilities but in the meantime MIT has released source code patches to address these issues. Further, popular OS distributions that include the affected components are back-porting the patches and releasing appropriate update packages.

Double-free in krb5_recvauth — mit.edu

Buffer overflow, heap corruption in KDC — mit.edu

* Multiple critical updates for Oracle products

Oracle has released a swathe of patches across the field of its database and application server products and supporting technologies. The official announcement of these, which contains rudimentary details of the vulnerabilities and links to the updates in Metalink, is linked below.

Critical Patch Update July 2005 — oracle.com
