UK government attacked with targeted trojans

This issue's topics:

Introduction:

* Ten Windows patches; Adobe Reader & Acrobat, Opera, SquirrelMail updates

Virus News:

* UK government attacked with targeted trojans

Security News:

* Latest cumulative update for IE includes critical patch

* Critical HTML Help vulnerability fixed

* Update removes remote code execution vulnerability in SMB

* Windows Web Client Service remote code execution vulnerability fixed

* Outlook Web Access for Exchange Server 5.5 updated

* Update for Outlook Express fixes NNTP remote code execution flaw

* Remote code execution vuln in Step-by-Step Interactive Training fixed

* Microsoft Agent spoofing vulnerability fixed

* Windows telnet client information disclosure bug fixed

* Cache poisoning, privilege elevation vulns fixed in ISA Server 2000

* MS02-035 revised

* MS05-004 revised

* MS05-019 revised

* Fix for XML External Entity vulnerability in Adobe Reader, Acrobat

* Opera 8.01 released

* Multiple security fixes for SquirrelMail

Introduction:

Telecom's DSL outages yesterday have delayed the production of this issue of the newsletter, so I'll be very brief in my introductory comments.

It was a big week for security patches, with Microsoft releasing ten new updates (including three rated as critical severity), revising three older security bulletins (including issuing revised patches in some cases) and patches and updates fixing security problems in three popular network-oriented products - Adobe Reader/Acrobat 7.x, the Opera web browser and SquirrelMail.

On the malware front there was one big story — the UK government's IT security watchdogs warning of an extensive, long-running targeted attack against carefully chosen and usually quite limited groups of public-service employees. The briefing makes for quite interesting reading, as it shows the lengths at least some of "the bad guys" are prepared to go to keep their attacks "under the radar", targeting very small groups of possible victims with very carefully chosen "bait". This kind of targeted attack is almost certainly much more widespread than we know. With very few of the examples ever uncovered being publicised, it is good to see this report detail some of the workings of such attacks seen within the UK government.

Virus News:

* UK government attacked with targeted trojans

The UK government's National Infrastructure Security Co-ordination Centre (NISCC) has released a briefing on an ongoing series of targeted attacks against various parts of the UK government and its private-sector contacts. Apparently, for the last year or more carefully written emails, intended to be especially relevant to small groups of mainly public-sector employees, have been sent to carefully targeted groups. The intention of these messages was actually to deliver key-logging trojans and other malware to allow remote attackers to spy on the work and business of these carefully chosen government employees.

The executive summary of the NISCC briefing is linked below in HTML form, with the full version PDF (approximately 70 KB) linked below that.

NISCC Briefing: Targeted trojan email attacks - niscc.gov.uk

NISCC Briefing: Targeted trojan email attacks - niscc.gov.uk (PDF)

Security News:

* Latest cumulative update for IE includes critical patch

All supported versions of Internet Explorer on all supported platforms are vulnerable to a buffer overflow in the browser's handling of certain malformed PNG (Portable Network Graphics) format graphics files. This is exploitable to remotely execute arbitrary code on a vulnerable machine, and can be exploited through HTML email if the Internet Explorer ActiveX controls are used by one's email client to display HTML and other richly-formatted messages. Only very limited information about the specifics of this vulnerability has been released, and it is not known to be actively exploited at the moment, but this is the kind of vulnerability that has, in the past, been exploited for malicious purposes once the details become known to the computer underground.

Aside from this critical severity PNG processing flaw, this update fixes several other security flaws (by patching or removing functionality; for example, a similar problem to the PNG one has been fixed by removing IE's support for the very rarely used XBM graphics format) and alters other Internet Explorer behaviour, including setting the "kill bit" on some older and deprecated ActiveX controls. Before installing this update it would be advisable to check all such details in the associated security bulletin, linked below. As this is a critical security vulnerability, Windows 98 and ME users are covered but (as usual in such cases) only via Windows Update.

Microsoft Security Bulletin MS05-025

* Critical HTML Help vulnerability fixed

Again, a critical vulnerability affecting all currently supported Windows OSes that can be exploited to execute arbitrary code. This vulnerability is not known to have been exploited in the wild yet, but the earlier MS05-001 HTML Help vulnerability is still widely employed on many malicious websites to silently download and install all manner of malware, adware and spyware.

This update is additional to that documented in the MS05-001 security bulletin, and that update is replaced by this one. Given the other functionality changes it also implements, it is highly advisable to carefully check the associated security bulletin (linked below) before installing this update. This is particularly so if the MS05-001 update has not been installed.

Microsoft Security Bulletin MS05-026

* Update removes remote code execution vulnerability in SMB

A newly released update for all Windows OSes except Windows 98 and ME patches a critical severity flaw in SMB (Server Message Block) packet processing. Microsoft's security bulletin suggests that successful exploitation to execute arbitrary code of an attacker's choice would be difficult, but is possible. The update for this vulnerability is independent of the MS05-011 update, which also fixes a remote code execution vulnerability in SMB. Thus, if MS05-011 has not been installed already, both it and this MS05-027 patch will have to be installed.

Typical firewalling best practice should reduce vulnerable sites' exposure to this vulnerability to the LAN, rather than WAN.

This is the kind of vulnerability previous extremely fast-spreading worms have exploited — do not delay installing this patch.

Microsoft Security Bulletin MS05-027

* Windows Web Client Service remote code execution vulnerability fixed

Although possibly exploitable to remotely execute arbitrary code, this vulnerability is rated as being of "moderate" or "important" severity, depending on the host OS, rather than "critical", due to several mitigating factors. Windows XP SP1, XP IA64 (Gold and SP1), and Server 2003 (both 32-bit and IA64 versions) are vulnerable, with the higher ("important") severity rating going to the affected XP versions.

Microsoft Security Bulletin MS05-028

* Outlook Web Access for Exchange Server 5.5 updated

Microsoft has released an update for the Outlook Web Access (OWA) component of Exchange Server 5.5 SP4 which has a cross-site scripting flaw that could allow the execution of script code embedded in email messages read in a web browser. OWA users who read their email with Internet Explorer and who have set their OWA domain to a higher level of trust (i.e. a lower security zone than the default Internet zone) will be especially vulnerable to such exploitation.

Microsoft Security Bulletin MS05-029

* Update for Outlook Express fixes NNTP remote code execution flaw

A new cumulative update for Outlook Express (OE) includes a fix for a newly reported remote code execution vulnerability. A buffer overflow in OE's handling of responses to the NNTP (Network News Transport Protocol) LIST command could see an attacker running a specially modified or created news server take control of the victim's computer. Microsoft rates the severity of this vulnerability as "important" due to the level of user intervention necessary to effect a successful attack (at a minimum a user would have to engage in some kind of web browsing or email reading activity and choose "Yes" from a prompt displayed by OE when first connecting to the news server).

As this is not rated "critical", there are no updates specifically for Windows 98 and ME but users of other affected versions are recommended to obtain and install the patches as soon as practicable.

Microsoft Security Bulletin MS05-030

* Remote code execution vulnerability in Step-by-Step Interactive Training fixed

Microsoft has released fixes to deal with a buffer overflow affecting all versions of its Step-by-Step Interactive Training products, variously known as "Microsoft Press Interactive Training", "Interactive Training" and "Microsoft Interactive Training". Affected versions are bundled and installed by default in some OEM versions of Windows and "hundreds" of Microsoft Press titles have included the software on the disks accompanying the books.

Microsoft only rates the vulnerability as being of "important" severity. However, exploitation opens the possibility of remote arbitrary code execution via a malformed Step-by-Step Interactive Training "bookmark link" file (variously ".cbo", ".cbl" and ".cbm" extensions, depending on which of the versions is installed). It is not difficult to imagine a Step-by-Step Interactive Training user, familiar with such bookmark files, not being particularly wary of what should be a harmless data file.

Note that MBSA does not support detection of Step-by-Step Interactive Training components, so either Windows Update or the Enterprise Update Scanning Tool (EST) must be used to detect the need for this patch.

Microsoft Security Bulletin MS05-031

* Microsoft Agent spoofing vulnerability fixed

Microsoft Agent has been updated to fix a vulnerability that affects all currently supported Windows versions (but because it is not rated as "critical" severity, will not actually ship as an update for Windows 98 and ME). A rather convoluted-sounding sequence of steps can see the Microsoft Agent component install malicious software to an unsuspecting user's machine through Internet Explorer. The update that fixes this also sets the kill-bit on an older version of the Microsoft Agent ActiveX control. Although this vulnerability is not known to be in use at the moment, it would be advisable to update as soon as practicable, as "more or less silent installation via Internet Explorer" has always been a highly desirable attack for the spammers, scammers and other malcontents on the net.

Microsoft Security Bulletin MS05-032

* Windows telnet client information disclosure bug fixed

Telnet clients from all versions of Windows except 98, ME and 2000 SP3 and SP4, and from Windows Services for Unix have an information disclosure vulnerability. In response to a request from a connected server these Telnet clients will send the values of any local environment variables, rather than limiting such responses to Telnet-specific environment variables. Such information disclosure may be useful for remote system (and user) profiling and the like, leading up to a better planned and more targeted attack. Inclusion of a telnet:// protocol URI in an iframe on a web page is one possible method of automatically exploiting this vulnerability, although the victim would still have to be lured to the web page.

Although MBSA can detect the need for this update in the standard Windows Telnet client programs, no Windows Services for Unix versions are covered by MBSA, so detecting Windows Services for Unix Telnet clients in need of updating requires the use of the Enterprise Update Scanning Tool (EST). More details are available from the security bulletin linked below.
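As an added illustration of the telnet behaviour described above (example code written for this newsletter, not code from Microsoft's bulletin or from any Windows component), the following Python models the NEW-ENVIRON (RFC 1572) SEND/IS exchange a server uses to request environment variables, with the leaky "answer with anything" policy beside one restricted to the option's own well-known variables. SAMPLE_ENV is a constructed environment; TELNET_VARS is the well-known variable list from RFC 1572.

```python
"""Telnet NEW-ENVIRON (RFC 1572) SEND handling: what an over-eager client
discloses versus a client that only answers for telnet-specific variables."""
IAC, SB, SE = 255, 250, 240          # telnet command bytes
NEW_ENVIRON = 39                     # option code
IS, SEND = 0, 1                      # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

# The "well known" variables RFC 1572 defines for this option.
TELNET_VARS = frozenset({"USER", "JOB", "ACCT", "PRINTER", "SYSTEMTYPE", "DISPLAY"})
# Constructed client environment for the demonstration (not real data).
SAMPLE_ENV = {"USER": "alice", "DISPLAY": "pc1:0", "PATH": "/usr/bin",
              "HTTP_PROXY": "http://proxy.example:8080", "DBPASS": "s3cret"}

def parse_send(sub: bytes) -> list:
    """Decode the bytes between IAC SB and IAC SE of a SEND request. Returns
    the requested names; an empty list means "send everything"."""
    if len(sub) < 2 or sub[0] != NEW_ENVIRON or sub[1] != SEND:
        raise ValueError("not a NEW-ENVIRON SEND")
    names, wildcard, i = [], False, 2
    while i < len(sub):
        if sub[i] not in (VAR, USERVAR):
            raise ValueError("malformed SEND at offset %d" % i)
        i += 1
        name = bytearray()
        while i < len(sub) and sub[i] not in (VAR, USERVAR):
            if sub[i] == ESC and i + 1 < len(sub):   # ESC quotes a special byte
                i += 1
            name.append(sub[i])
            i += 1
        if name:
            names.append(name.decode("ascii"))
        else:                            # bare VAR/USERVAR: "all of that kind",
            wildcard = True              # simplified here to "everything"
    return [] if wildcard else names

def select_disclosed(env: dict, requested: list, allowlist=None) -> dict:
    """Choose what the client answers with. allowlist=None models the leaky
    pre-MS05-033 behaviour (any variable the server names, or all of them);
    allowlist=TELNET_VARS models the fixed, option-specific behaviour."""
    wanted = requested or list(env)      # empty request = everything
    return {n: env[n] for n in wanted
            if n in env and (allowlist is None or n in allowlist)}

def _quote(s: str) -> bytes:
    # Escape bytes that collide with the option's type codes (RFC 1572 ESC).
    return b"".join(bytes([ESC, b]) if b in (VAR, VALUE, ESC, USERVAR) else bytes([b])
                    for b in s.encode("ascii"))

def encode_is(disclosed: dict) -> bytes:
    """Wire form of the reply: IAC SB NEW-ENVIRON IS (VAR n VALUE v)* IAC SE."""
    body = bytes([NEW_ENVIRON, IS])
    for n, v in disclosed.items():
        body += bytes([VAR]) + _quote(n) + bytes([VALUE]) + _quote(v)
    return bytes([IAC, SB]) + body + bytes([IAC, SE])
```

Feeding the same server request to both policies shows the difference: the unrestricted client hands over DBPASS and proxy settings, the restricted one answers only for USER and DISPLAY.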

Microsoft Security Bulletin MS05-033

* Cache poisoning, privilege elevation vulnerabilities fixed in ISA Server 2000

Internet Security and Acceleration (ISA) Server 2000 SP2 has been patched to fix several cache poisoning and privilege elevation vulnerabilities rated as being of "moderate" severity. Users of Microsoft Small Business Server 2000 and Microsoft Small Business Server 2003 Premium Edition should note that ISA Server 2000 is included in those product bundles.

Microsoft Security Bulletin MS05-034

* MS02-035 revised

Microsoft has revised the MS02-035 security bulletin, known so well by MS SQL admins (and to a lesser extent by MSDE users). Aside from adding some information about the locations passwords are stored in ".ini" files when doing cluster installations of MS SQL, an updated version of the "KillPwd" utility has been released.

Microsoft Security Bulletin MS02-035

* MS05-004 revised

Microsoft has revised security bulletin MS05-004 to announce the availability of a corrected update for the Tablet PC and Media Centre editions of Windows XP running .NET Framework 1.0 SP3. The original update shipped for those platform combinations failed to install when distributed via SMS or AutoUpdate. Affected users who installed the update via other means need not obtain and re-install this new update, but those wishing to use either of the affected update mechanisms for machines with the affected OS and component version combinations should obtain the new update.

Microsoft Security Bulletin MS05-004

* MS05-019 revised

Problems with certain WAN configurations after installing the original MS05-019 update (rated "critical" on Windows 2000 and XP SP1, and "moderate" on XP SP2 and Server 2003) have been addressed in a newly-released update to the MS05-019 patches.

Although most users have not been affected by these problems, Microsoft recommends installing the revised updates anyway, as a protective measure against possible future problems should a machine's network environment change. Users who installed the special hotfix issued to deal with the specific connectivity issue identified after the initial release of the MS05-019 patch are also recommended to install the revised update. Most already patched systems will be detected by MBSA as requiring this updated patch — it is recommended that users read the revised security bulletin and associated Knowledge Base articles.

Microsoft Security Bulletin MS05-019

* Fix for XML External Entity vulnerability in Adobe Reader, Acrobat

Adobe has released version 7.0.2 of both the Adobe Reader (formerly Acrobat Reader) and Adobe Acrobat for the Windows platform and is promising to release the Macintosh version 7.0.2 shortly. These new versions correct an XML External Entity vulnerability in the 7.0 and 7.0.1 versions of these products. Users with automatic updates enabled should already have the update.

Details of the vulnerability, along with proof of concept PDFs demonstrating some of the things that can be achieved through exploiting this vulnerability, are available from Sverre H Huseby's website at thathost.com, linked below. Briefly, this is an information exposure vulnerability, whereby XML scripts included in PDF files can access, and send to other web servers, the contents of some files on the machine running the PDF display software.

As the Macintosh updates are not yet available Adobe recommends Macintosh users of the affected products should disable scripting support. This workaround is also effective on Windows machines that may not be able to be upgraded for whatever reason. Details of applying this workaround and of the location of the updates, are available from Adobe's Support Knowledgebase article linked below.

Adobe Reader 7.0 for Linux users appear to have been left in limbo. Huseby's advisory claims that version is affected, but there is no mention of this in the Adobe advisory and the current Linux version available for download from Adobe is 7.0. Linux users of that version of the Adobe Reader would be advised to disable scripting support until this issue is clarified.

Finally, a recent post to the Bugtraq security mailing list suggests there may be complicating issues on machines with different language versions of the software installed and/or with (re-)installing version 7.0 (from distribution media) after installing the update. Readers possibly in that situation should read the linked Bugtraq message.

Adobe Reader XML External Entity Attack — thathost.com

XML External Entity vulnerability (Reader and Acrobat 7.0-7.0.1) — adobe.com

Archived Bugtraq list message — securityfocus.com

* Opera 8.01 released

As the title says, Opera 8.01 has been released. It includes fixes for cross-site scripting and local file reading vulnerabilities, so it is an advisable update for any Opera users.

Opera download page — opera.com

* Multiple security fixes for SquirrelMail

Maintainers of the open source webmail platform SquirrelMail have released a patch to address several cross-site scripting vulnerabilities. As several SquirrelMail sites have suffered major invasions recently, obtaining and installing these patches would be advisable for all SquirrelMail sites. Further, SquirrelMail users still running 1.2.x series releases are strongly recommended to update to 1.4.4 and then apply this latest patch, as those releases are no longer supported and are likely to contain many of these latest vulnerabilities.

Several cross site scripting vulnerabilities — squirrelmail.org
