More Sober; Bluetooth car virus; MS antivirus

This month's Patch Tuesday passed with only one Microsoft security update released - a fix for a possible remote code execution vulnerability in Windows Explorer's web view mode. Service Pack 4 for SQL Server 2000 and MSDE 2000 was also released. As this likely contains undocumented security fixes it should be considered an important upgrade despite the hassles of obtaining and installing MSDE 2000 updates. And, while still talking about Microsoft, a pilot 'security advisory' service is being tested and the first concrete steps to the release of Microsoft's new antivirus product are seen in the announcement of the Windows OneCare service.

This issue's topics:

Introduction:

* More on the Sober saga; Explorer, Firefox, iTunes patches; IPsec weaknesses

Virus News:

* And another Sober...

* Bluetooth viruses in cars

* Microsoft's antivirus offering may be taking shape

Security News:

* Remote code execution vulnerability in Windows Explorer fixed

* SP4 for SQL Server 2000, Analysis Services, MSDE 2000 released

* Microsoft 'Security Advisory' service pilot

* Another critical Firefox security update

* Apple iTunes update fixes arbitrary code execution vulnerability

* IPsec configuration weaknesses identified

* Telecom "027 hack"...

Introduction:

As this is running very late I'll keep the introduction very short.


Firefox users should obtain the latest release, as it fixes two vulnerabilities that, when combined, can be used for remote code execution.

Apple's popular iTunes has also been updated to fix an arbitrary code execution bug, and exploitable weaknesses in some combinations of IPsec configuration options have been described in an NISCC advisory. Any coverage of the last week's security news relevant to us Kiwis would be incomplete without mentioning the so-called '027 hack', in which Telecom's 027 voicemail system was shown to be open to abuse from caller ID spoofing.

On the virus front, we have seen further machinations and developments in the Sober saga. And although not really virus-related, the folk at F-Secure have done some security testing of the Bluetooth functionality in Toyota cars which makes for some interesting reading.

Virus News:

* And another Sober...

Well, not really. Shortly after the previous Sober variant 'went to sleep', dropping from active-spreading mode to check-for-updates mode, it downloaded a spamming engine that started sending right-wing, neo-fascist propaganda to addresses harvested from the victim machine.

As this new pest does not mass-mail itself (or spread in any other way aside from being downloaded and run by the latest Sober variant) it is not considered viral so should not be classified in the Sober virus family. As if there was not enough naming confusion in this space already, some antivirus vendors have added it to their roster of Sober family variants, while others have added it to various Trojan families.

Sober's author is apparently also worried about being wrongly branded a spammer. The new Trojan we referred to above as a spamming engine drops a file with a message, in German, that basically claims 'I am not a spammer but perhaps I should become one'.

Computer Associates Virus Information Centre

F-Secure blog entry

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Centre

* Bluetooth viruses in cars

Several months back there were rumours floating around that certain Lexus models had been affected, if not infected, by some Bluetooth malware or viruses. Toyota strenuously denied this and as there was no good evidence one way or the other, we did not report it in the newsletter.

Recently the lucky folk at F-Secure managed to convince Toyota to lend them a Bluetooth-enabled car to run some tests. Toyota claims its Prius models have the same Bluetooth systems and functionality as the Lexus range, so some of the F-Secure malware analysts were let loose on a Prius, suitably secured from the possibility of infecting stray phones. It seems Toyota's claims were right and the rumours wrong — read the details in the F-Secure malware analysts' blog page linked below.

F-Secure blog entry

* Microsoft's antivirus offering may be taking shape

Late last week a Microsoft press release described the approaching availability of Windows OneCare — a subscription service providing an 'all-in-one PC health service for consumers'. This service is initially being tested by Microsoft employees before entering a broader (US) public beta test later in the year. Microsoft did not release any details of the service's likely pricing.

Clearly targeted at consumer-level users, OneCare will provide automatic updating and configuration management of antivirus, anti-spyware and personal firewall software, schedule and perform backups and other routine maintenance tasks such as disk defragmentation. The service is also said to be dynamic, potentially altering its offerings as the threat changes.

OneCare has attracted a good deal of criticism along the lines that it is somehow improper or unethical of Microsoft to charge for such a service. Typically such critics suggest that Microsoft should have made its software properly secure in the first place, but this partly overlooks the fact that an awful lot of 'security problems' on Windows PCs are due to user error coupled with the desire for 'easy-to-use' computers. When 'being able to run anything that takes the user's fancy' is a major criterion in deciding usability, problems are likely to follow. That the name makes New Zealanders and Australians laugh out loud should be considered a feature, not a bug.

Microsoft to Deliver Automated, All-in-One PC Health Service for Consumers

Security News:

* Remote code execution vulnerability in Windows Explorer fixed

Rated as being of 'important' severity by Microsoft, the only update shipped on this month's Patch Tuesday affects all supported Windows 2000 versions including Small Business Server 2000. Windows ME also has the affected components but because the vulnerability is not rated as critical severity, there is no patch for that ageing platform.

In short, the components that supply part of the 'web view' functionality in Windows Explorer do not properly sanitise possibly dangerous characters, opening a script injection vulnerability. To exploit this an attacker would have to persuade the user of a vulnerable system to download a specially prepared file to their system and then select it so its properties are displayed in Explorer. This can allow a script to be run with that user's privileges — it does not require the user to actually run or otherwise "open" the file.
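The class of defect described above, as an added illustration that is not code from Microsoft or from the bulletin: file properties rendered into an HTML property pane verbatim (unsanitised) beside the same pane rendered with context-aware HTML encoding. The template, the FileProps type and the sample file are constructed for this example; Go's html/template stands in for whatever sanitisation the fixed web view components perform.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	texttpl "text/template"
)

// FileProps models the metadata a web view shows for a selected file. The values
// come from the file itself, so whoever supplied the file controls them.
type FileProps struct {
	Name    string
	Comment string
}

// pane is a constructed property-pane template for this example, not Explorer's own.
const pane = `<div class="props"><b>{{.Name}}</b><p>{{.Comment}}</p></div>`

// renderUnsanitised copies the properties into the pane verbatim, which is the
// kind of defect the bulletin describes: markup in a property becomes page markup.
func renderUnsanitised(p FileProps) string {
	var buf bytes.Buffer
	if err := texttpl.Must(texttpl.New("pane").Parse(pane)).Execute(&buf, p); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderSanitised uses html/template, which encodes each value for the HTML
// context it lands in, so a property is displayed as text and never run as script.
func renderSanitised(p FileProps) string {
	var buf bytes.Buffer
	if err := htmltpl.Must(htmltpl.New("pane").Parse(pane)).Execute(&buf, p); err != nil {
		panic(err)
	}
	return buf.String()
}

func main() {
	// Constructed sample: a file whose comment property carries markup.
	p := FileProps{Name: "quarterly.doc", Comment: `<script>alert(1)</script>`}
	fmt.Println(renderUnsanitised(p))
	fmt.Println(renderSanitised(p))
}
```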

Microsoft Security Bulletin MS05-024

* SP4 for SQL Server 2000, Analysis Services, MSDE 2000 released

Microsoft has released Service Pack 4 for SQL Server 2000 and SQL Server 2000 Analysis Services. Note that this includes SQL Server 2000 Desktop Engine, or MSDE 2000 — a component installed with several Microsoft and third-party applications (Microsoft applications that include MSDE 2000 are listed on the first page linked below).

MSDE is often overlooked by administrators trying to find all their SQL Server installations, as became only too obvious following the release of the Slammer worm. Cleaning up that mess also showed that finding and patching MSDE was not as easy or straightforward a job as would have been desirable. This is still the case, so MSDE 2000 administrators should read the release notes, on the second page linked below, very carefully.

Microsoft's service packs have long been rumoured to include undocumented updates, possibly including important security fixes. The KnowledgeBase articles listing the bugs fixed in SQL Server SP4 explicitly acknowledge this: "Other fixes may be included in the service pack that are not documented". Thus, we suggest it would be prudent to test and roll out this service pack with some priority.

Finally, however, note the warning about not installing SP4 on machines with more than 2GB of memory and Address Windowing Extensions (AWE) enabled. Users with such systems should check the SQL Server 2000 SP4 page regularly for a resolution to this situation.

Microsoft Products that include MSDE 2000

SQL Server 2000 Service Pack 4 - microsoft.com

* Microsoft 'Security Advisory' service pilot

Further to the existing security bulletin service that describes security updates, the Microsoft Security Response Centre (MSRC) has started a pilot programme of security advisories. The notion behind these advisories is that often the MSRC is aware of issues it feels users and system administrators should be made aware of but that do not (or at least, do not yet) get a security bulletin because there is no update shipping to fix the situation.

Thus, the security advisory service will post information on workarounds for serious, publicly-divulged vulnerabilities that are not yet patched, best security practices for deploying various Microsoft technologies if there is a perception that these are not generally being followed or are not widely known, advice on new security-oriented features that may be added to an existing product through a security update or service pack, and so on. In general, a security advisory will describe the points of issue and link to the related KnowledgeBase article that goes into the gory details.

To kick things off, MSRC released two security advisories a few days ago. One describes how the default digital rights management settings in Windows Media Player (WMP) may, unintentionally, be used to open a web page designed to dupe a user into accepting the installation of normally undesirable software (such as adware or spyware), and describes how to obtain an updated version of WMP that has configuration options that allow better control over such situations. The second security advisory describes the new 'tar pit' options in the updated version of the SMTP service provided in the recent Windows Server 2003 SP1 release. These options are certainly not relevant for all Server 2003 users and unlikely to even be desirable for all administrators running SMTP on their Server 2003 boxes.

Microsoft Security Advisories - microsoft.com

* Another critical Firefox security update

Two vulnerabilities in Firefox 1.0.3 and previous versions, which alone are not critically severe, can be combined into a remote arbitrary code execution exploit. The Mozilla Foundation has released an updated version, 1.0.4, that fixes the vulnerabilities.

As a proof of concept exploit has been released, it may seem expedient to obtain and install the update as soon as practicable. However, although the joint exploit of this pair of vulnerabilities opened a yawning hole in Firefox's security, one of the exploits depends on behaviour of the software installation function. By default, that function will only offer software for installation from the mozilla.org domain and a subtle alteration to the server-end of that process has rendered the current exploit inoperable. It is unclear whether this sleight-of-hand could be worked around. The discoverer of the combination vulnerability suspects it may not be difficult to bypass this change, but has stated he will not investigate this further given that the patch is now available.

Archived Bugtraq list message - securityfocus.com

Firefox home page - mozilla.org

* Apple iTunes update fixes arbitrary code execution vulnerability

MPEG4 format parsing flaws leave users of earlier versions of Apple's popular iTunes media player open to possible denial of service or remote code execution attacks. Specially prepared, malformed MPEG4 format media files can trigger a buffer overflow in versions of iTunes prior to 4.8. There are no known active exploits of this vulnerability at present, but iTunes users would be well-advised to obtain and install the latest version as soon as practicable.

iTunes 4.8: Security enhancements

* IPsec configuration weaknesses identified

The UK's National Infrastructure Security Co-ordination Centre (NISCC) has released an advisory, rated high severity, describing weaknesses in some configurations of IP security (IPsec) protocols. In short, the vulnerable configurations are those using Encapsulating Security Payload (ESP) in tunnel mode with confidentiality only (that is, with integrity protection either absent or left to a higher-layer protocol), and some configurations that provide integrity protection with the Authentication Header (AH).

These flaws are due to poor configuration choices rather than improper implementation of the protocol itself. The NISCC advisory describes the vulnerable combinations and suggests alternative configurations that are not vulnerable. Although the actual attacks have been demonstrated under realistic test conditions, there are no known real-world instances of attacks using these techniques, yet.
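Why confidentiality-only ESP is a poor configuration choice, as an added illustration that is not part of the newsletter or of the NISCC advisory: CBC encryption alone lets anyone alter a byte of the decrypted packet predictably without knowing the key, whereas an integrity check value (ICV) verified before decryption rejects the altered packet. The keys, IV and 32-byte inner packet are constructed for this example, and Go's standard-library AES-CBC and HMAC-SHA1 stand in for ESP processing; the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
)
// Constructed demo keys and IV; not taken from any real security association.
var encKey = []byte("0123456789abcdef") // AES-128 key
var authKey = []byte("demo-hmac-sha1-authentication-key")
var iv = []byte("fedcba9876543210")
// plainPacket is a constructed 32-byte inner packet (not a real capture): a minimal
// IPv4 header with src 10.0.0.1, dst 10.0.0.2 (byte 19), then 12 payload bytes.
var plainPacket = append([]byte{0x45, 0, 0, 32, 0, 1, 0, 0, 64, 6, 0, 0,
	10, 0, 0, 1, 10, 0, 0, 2}, []byte("esp-demo-payl")[:12]...)

// cbc is AES-CBC in either direction; alone it models ESP with confidentiality
// only (NULL integrity): nothing binds the ciphertext to what the peer sent.
func cbc(in []byte, decrypt bool) []byte {
	block, _ := aes.NewCipher(encKey)
	out := make([]byte, len(in))
	mode := cipher.NewCBCEncrypter(block, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, iv)
	}
	mode.CryptBlocks(out, in)
	return out
}

// icv is the HMAC-SHA1 integrity check value ESP-with-integrity (or AH) adds.
func icv(ct []byte) []byte {
	m := hmac.New(sha1.New, authKey)
	m.Write(ct)
	return m.Sum(nil)
}

// decryptWithIntegrity verifies the ICV first and refuses to decrypt on mismatch.
func decryptWithIntegrity(ct, tag []byte) ([]byte, bool) {
	if !hmac.Equal(icv(ct), tag) {
		return nil, false
	}
	return cbc(ct, true), true
}

// flipInNextBlock shows CBC malleability: XORing a byte of ciphertext block i
// XORs the same position in plaintext block i+1, with no key needed.
func flipInNextBlock(ct []byte, offset int, mask byte) []byte {
	out := append([]byte(nil), ct...)
	out[offset-aes.BlockSize] ^= mask
	return out
}
```

Flipping the low bit of ciphertext byte 3 turns the decrypted destination 10.0.0.2 into 10.0.0.3 under confidentiality-only processing; with the ICV in place the same packet is dropped before decryption.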

NISCC Vulnerability Advisory IPSEC 004033 - niscc.gov.uk

* Telecom "027 hack"...

Computerworld tech journalist Juha Saarinen broke last week's largest local IT security story, with his investigation of the "027 hack". This has been fairly extensively covered in other media and online, so we'll simply provide links to the two key Computerworld reports.

Telecom’s 027 service hit by ‘Hilton hack’ - computerworld.co.nz

Multiple victims of 027 hack - computerworld.co.nz
