Another sober variant, Spyware vendors, OS X vulnerabilities

This issue's topics:

Introduction:

* Sober virus; value of spyware; OS X, HP OpenView RMP, Acrobat updates

Virus News:

* Yet another Sober variant on the loose

* Spyware makers supported by largest, wealthiest corporations

Security News:

* Multiple OS X vulnerabilities patched

* Remote code execution via HP OpenView Radia Management Portal fixed

* Adobe Acrobat and Reader file existence information leak on Windows

* Netscape 6.x and 7.x remote code execution vulnerabilities

Introduction:

As many of you are presumably aware from your email virus scanners' logs, a new Sober variant was on the rampage early last week, benefiting this time from German interest in World Cup 2006 soccer tickets and its bilingualism. We also have some hopefully interesting material on the size of the spyware/adware advertising market and the companies supporting the spyware vendors.

On the security front, Apple has released a raft of patches for OS X, several of which are of critical severity, and HP has fixed a remote code execution vulnerability in its OpenView system management software. Further, Windows users of Adobe's Acrobat and Acrobat Reader should consider updating or upgrading to the latest version, 7.0.1, and many Netscape browser users should consider replacing their browser.

Virus News:

* Yet another Sober variant on the loose

Trading on German interest in tickets for soccer's World Cup 2006 (to be held in Germany), the latest Sober variant has been quite successful.

This 'success' is also at least partly due to its bilingualism. When sending its messages to addresses plucked from files on its victims' computers, it checks whether the address ends in '.at', '.ch', '.de' or '.li' (representing Austria, Switzerland, Germany and Liechtenstein respectively), or contains the string 'gmx.' (which is likely to signify an address at a large German ISP). If any of those checks pan out, the virus sends one of several German-language messages, otherwise it sends an English message.
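The following Python function, added here as an illustration and not taken from the worm or from any vendor's analysis, reproduces the lure-selection rule described above so that a mail administrator can estimate which harvested addresses would have received the German-language messages. It follows the description literally: the four country-code suffixes are matched against the end of the address and 'gmx.' is matched anywhere in it. Case-insensitive comparison and the sample addresses are my own assumptions and constructions, not details from the write-up.

```python
# Added example: reconstruction of the Sober variant's lure-language rule as
# described in the text above. Not the worm's code; the case-folding and the
# sample addresses below are assumptions/constructions for illustration.

GERMAN_SUFFIXES = (".at", ".ch", ".de", ".li")  # Austria, Switzerland, Germany, Liechtenstein


def lure_language(address: str) -> str:
    """Return 'de' if the rule selects a German lure for this address, else 'en'.

    The rule as described: German if the address ends in .at/.ch/.de/.li or
    contains the string 'gmx.' anywhere; English otherwise.
    """
    addr = address.strip().lower()  # assumption: the comparison ignores case
    if "@" not in addr:
        raise ValueError(f"not a mail address: {address!r}")
    if addr.endswith(GERMAN_SUFFIXES) or "gmx." in addr:
        return "de"
    return "en"


def tally(addresses):
    """Count how many addresses would get the German versus the English lure."""
    counts = {"de": 0, "en": 0}
    for a in addresses:
        counts[lure_language(a)] += 1
    return counts


# Constructed sample of 'harvested' addresses (invented, not real recipients).
SAMPLE = [
    "alice@example.de",              # .de suffix -> German
    "Bob@Example.CH",                # .ch suffix, mixed case -> German
    "carol@gmx.net",                 # contains 'gmx.' -> German
    "dave@gmx.at",                   # both tests match -> German
    "erin@example.com",              # -> English
    "frank@example.li",              # .li suffix -> German
    "grace@example.co.uk",           # -> English
    "heidi@example.de.example.com",  # '.de' only in the middle -> English
    "gmx.fan@example.org",           # 'gmx.' in the local part still matches -> German
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:32} {lure_language(a)}")
    print(tally(SAMPLE))  # {'de': 6, 'en': 3}
```

The last two sample entries show the two edges of such a rule: a German-looking label that is not the final suffix does not trigger it, while a literal substring test on 'gmx.' matches even when the string sits in the local part rather than the domain.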

Significant volumes of traffic generated by this email worm were seen early last week, with some commentators noting that at its peak close to 5% of all Internet e-mail traffic was generated by this new Sober variant. True to form, the antivirus vendors have variously labelled this Sober.N, Sober.O, Sober.P and Sober.S.

Computer Associates Virus Information Centre

F-Secure Security Information Centre

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Centre

* Spyware makers supported by largest, wealthiest corporations

US law student Ben Edelman has been an enthusiastic campaigner against the excesses of so-called 'spyware' and 'adware' for the last few years. Edelman simply uses the term 'spyware', arguing that most 'adware' is installed without proper consent and typically reports user web browsing and link-clicking trends, so is also rightly considered 'spyware'.

Some of Edelman's recent research has been into the venture capitalists fronting money for the developers of such spyware, and into who is purchasing advertising from these spyware/adware pushers. Perhaps not surprisingly, it turns out that much of the money invested in, and revenue garnered by, this largely unwanted modern computer scourge comes from many of the largest corporations and venture capitalists. A recent news.com interview with Edelman contains more of the details and provides an interesting overview of the forces driving the spyware development industry.

And, while on the subject of spyware, a recent article at The Register looks at the revenue possibly being generated by the spyware industry, although the article itself is sceptical of the actual estimate, suggesting it is likely to be self-servingly high.

Spying on the spyware makers - news.com

Spyware scumbags make $2bn a year - theregister.co.uk

Security News:

* Multiple OS X vulnerabilities patched

Apple has released a bumper crop of patches for OS X 10.3.9 Client and Server this month. Included are fixes for several critical vulnerabilities that can be remotely exploited to execute arbitrary code of an attacker's choice. It is not clear how many, if any, of these vulnerabilities are present in Apple's newly-released OS X 10.4, or Tiger, version of the operating system, but a matching set of patches has not been released for that version. Users and administrators of Bluetooth-capable Macs should also read the article describing changes the installation of this update may make to their Bluetooth configuration settings.

Proof-of-concept exploits have been released for some of the vulnerabilities fixed in this patch set, so it would be prudent to update as soon as practical.

About Security Update 2005-005 - apple.com

Security Update 2005-005 changes default sharing settings - apple.com

* Remote code execution via HP OpenView Radia Management Portal fixed

HP has released updates for the Radia Management Agent (RMA) component of OpenView Radia Management Portal (RMP). This patch fixes a critical vulnerability that can expose unpatched sites running RMP with RMA to remote, unauthorized code execution and/or denial of service. All 1.x versions of RMP on AIX 4.1 and later, Linux, SunOS 5.5 and later, and all supported NT-based OSes are affected, as are all RMP 2.x versions running on all supported NT-based OSes. Further, RMP 1.x versions on HP-UX B.10.20 through HP-UX B.11.23 are affected if '/opt/Novadigm/ManagementAgent/rma.tkd' exists.

Details of how to obtain the necessary updates are available from the HP Security Bulletin linked below. No details of the vulnerability have yet been made public, but the discoverers say they will release details in about three months.

RMA Remote Unauthorized Privileged Access and DoS - hp.com (registration required)

* Adobe Acrobat and Reader file existence information leak on Windows

Adobe advises Windows users of all versions of its Acrobat and the Acrobat Reader browser ActiveX control for Internet Explorer prior to version 7.0.1 to update to that (or a subsequent) version of the product. As described in a posting to the Bugtraq mailing list, a method exported by the control and marked 'safe for scripting' can be used to determine the existence of arbitrary files in the file system local to the browser viewing a suitably produced web page. Although not a critical vulnerability itself, such information leakages can be very useful when some other attack needs to know which version of the operating system it is targeting (for example, because an exploitable buffer overflow may have to be targeted via different return addresses depending on the Windows version, language, etc).

As with previous vulnerabilities in its Acrobat products, Adobe has chosen to fix this only in the very latest version of the product. This forces users of earlier versions of Acrobat and Acrobat Reader who want to fix Adobe's problem on their machines to upgrade - a nice little arm-twister from Adobe.

Archived Bugtraq list message - securityfocus.com

Advisory for local file discovery through Internet Explorer - adobe.com

* Netscape 6.x and 7.x remote code execution vulnerabilities

Recent Netscape web browser versions are, not surprisingly, also vulnerable to some of the recent flaws that affect the Mozilla browser. Generally, Netscape users are being advised to switch to Mozilla as updates do not seem likely for the affected browser versions. Another option, at least for the less conservative, may be to download and test the beta version of Netscape 8.0, which was just released a few days ago (note that as of this writing we have not had time to test whether the beta also suffers the vulnerabilities recently patched in Mozilla or not). Of course, being a beta version this may not be an attractive option for corporate installations.

The Netscape Browser 8.0 BETA - netscape.com
