Italian fined for releasing worm

Eight new Microsoft security bulletins and the associated patches in April's Patch Tuesday, plus major revisions (meaning new patch releases) to two earlier bulletins. Important PHP and Oracle updates too.

This issue's topics:

Introduction:

* Multiple critical Windows patches; PHP, Oracle updates

Virus News:

* Italian fined for releasing worm

Security News:

* Arbitrary remote code execution in Windows Shell fixed

* Remote code execution vuln in Microsoft Message Queuing fixed

* Windows kernel update fixes multiple vulnerabilities

* Multiple Windows TCP/IP vulnerabilities patched

* Latest IE cumulative update has new patches for critical vulns

* Update fixes critical Exchange Server buffer overflow

* Critical MSN Messenger 6.2, 7.0 beta update

* Critical remote code execution flaw in Word, Works Suite fixed

* MS05-002 revised

* MS05-009 revised

* Multiple Oracle vulnerabilities

* PHP updates include several security fixes

Introduction:

Sorry -- rushing hugely this week, so this introduction will be very brief. Curt even...


One of the first cases of a mass-mailing worm being released with clearly financial motives has had its day in court, with an Italian being fined 3000 Euros for a scam that took in more than 100,000 Euros (though the would-be thief never saw this).

Virus News:

* Italian fined for releasing worm

The Italian writer of the premium-rate-dialler-installing worm variously known as Zelig, Voltan, Marque and Marq has had his day in court. Reputedly the dialler netted more than 100,000 Euros, but Italian fraud police were able to intercept the accounts used for transferring this money and it never reached the perpetrator -- a 39-year-old Italian.

Truffa attraverso un virus prima condanna a un italiano - repubblica.it (Italian)

Google translation of the above into 'English' - google.com

Sophos commentary - sophos.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Arbitrary remote code execution in Windows Shell fixed

Microsoft's MS05-016 security bulletin is delightfully vague about the specific details at the heart of this vulnerability - so vague, in fact, that it does not even mention 'OLE' (Object Linking and Embedding) or 'OLE2', which is at the core of the issue.

Briefly then, what someone at Microsoft surely once thought was a neat, clever and presumably even desirable design feature in the handling of OLE2 format files is, as is so often the way with features chosen primarily because they are 'neat and clever' and likely to improve usability, sadly lacking in security nous. (In case you don't know, OLE2 format files are used by Word, Excel, PowerPoint and several third-party applications.) The basic idea that has now been shown to be at fault is this: if an application uses OLE2 format files, neither the application nor the Windows shell (explorer.exe) has to worry about that application's files retaining their conventional file extensions, because the OLE2 format puts a unique identifier for the handling application right there in the header of each file. Thus, the Windows shell would happily and correctly open, say, a Word document prepared on a Macintosh and received by e-mail or shared across the company LAN without a '.doc' extension. (Most Mac users have no idea what a filename extension is and, even if they do, don't care to use them, as Mac OS has had much better file-to-application association methods from day one.)

The 'neatness' of this basic idea can easily be tested by renaming a Word Document (.doc) file to an unregistered extension, or no extension. Double-clicking such a file in Explorer will result in Word opening the file, 'as normal'.

The problem with this idea, or at least its implementation, is that there are file handlers that don't actually use OLE2 format files and don't care about the 'extraneous binary junk' (to them) that makes up the basic OLE2 headers and other internal OLE2 format structures, but which can be 'registered' in just the same way as OLE2-format handlers like Word must be registered for the 'magic' described above to work. Worse still, some of these other applications implement powerful scripting languages. One such example is mshta.exe, Microsoft's own HTML Application Host (MSHTA).
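As an added illustration of the mechanism described above (this code is not from the newsletter, Microsoft or iDEFENSE), the following Python builds a minimal OLE2 compound file carrying a chosen root-storage CLSID, then shows the check a mail gateway or file scanner can make: does the on-disk extension agree with what the OLE2 header would make the shell do? The allow-list of OLE2 extensions, the sample files and the flagging logic are assumptions; the only real handler identifier used is the Word 97-2003 document CLSID.

```python
import struct
import uuid

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file signature
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
# Assumed allow-list: extensions that legitimately carry an OLE2 header.
OLE2_EXTENSIONS = {"doc", "dot", "xls", "xlt", "ppt", "pps", "msi"}
# Real CLSID of Word.Document.8 (Word 97-2003). A production table needs every legitimate handler.
WORD_DOCUMENT_8 = "00020906-0000-0000-c000-000000000046"

def build_ole2(root_clsid):
    """Construct a minimal v3 compound file (header + one FAT sector + one directory sector)."""
    header = OLE2_MAGIC + b"\x00" * 16                      # signature, header CLSID (unused)
    header += struct.pack("<HHHHH", 0x003E, 3, 0xFFFE, 9, 6) + b"\x00" * 6   # versions, byte order, shifts
    # dir sectors (0 in v3), FAT sectors, first dir sector, txn sig, mini cutoff, mini FAT, #mini FAT, DIFAT, #DIFAT
    header += struct.pack("<IIIIIIIII", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<I", 0) + struct.pack("<I", FREESECT) * 108   # DIFAT: the FAT is sector 0
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN) + struct.pack("<I", FREESECT) * 126
    name = "Root Entry".encode("utf-16-le")
    root = name.ljust(64, b"\x00") + struct.pack("<HBBIII", len(name) + 2, 5, 1, FREESECT, FREESECT, FREESECT)
    root += uuid.UUID(root_clsid).bytes_le                   # CLSID at entry offset 80: the shell's dispatch key
    root += struct.pack("<IQQIQ", 0, 0, 0, ENDOFCHAIN, 0)    # state bits, times, start sector, size
    return header + fat + root.ljust(512, b"\x00")

def root_clsid(data):
    """Return the root storage CLSID of an OLE2 file as a GUID string, or None if the data is not OLE2."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    sector_shift, = struct.unpack_from("<H", data, 30)
    first_dir, = struct.unpack_from("<I", data, 48)
    entry = (first_dir + 1) << sector_shift                  # sector n starts after the 512-byte header
    return str(uuid.UUID(bytes_le=data[entry + 80:entry + 96]))

def check_file(filename, data):
    """Flag a file whose extension does not match what its OLE2 header will make the shell do."""
    clsid = root_clsid(data)
    if clsid is None:
        return "not-ole2"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in OLE2_EXTENSIONS:
        return f"suspicious: OLE2 header behind extension '{ext or '(none)'}', handler CLSID {clsid}"
    if ext in {"doc", "dot"} and clsid != WORD_DOCUMENT_8:
        return f"suspicious: .{ext} file but handler CLSID is {clsid}"
    return "ok"

if __name__ == "__main__":
    sample = build_ole2(WORD_DOCUMENT_8)                    # constructed sample, not a real document
    for name in ("report.doc", "report", "readme.txt"):
        print(name, "->", check_file(name, sample))
```

The same CLSID extraction works on real files read from disk; only the verdict table is illustrative.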

Although Microsoft rates this vulnerability as being of 'important' severity rather than 'critical', sites connected to the Internet would be better served to treat it as critical. Microsoft's severity rating is downplayed from critical because 'user interaction' is said to be required to initiate exploitation of the vulnerability. Previous similar vulnerabilities have been shown to be trivially exploited because of the simplicity of the social engineering generally required to 'trick' many users into trying to open files that may exploit such a vulnerability. Further, automated attacks using such files are not that difficult to imagine, at least among experienced Windows vulnerability watchers. As Microsoft has not rated this vulnerability 'critical', Windows 98 and ME users do not get a patch.

It is important to note that although the MS05-016 security bulletin specifically mentions MSHTA in its workaround section, there are potentially many other methods of exploitation. Exploiting this vulnerability does not depend on MSHTA and it would be wrong to just focus on this specific example, although it may be the only example likely to be on every Windows machine. Other exploitation scenarios may require that an attacker know something about the applications likely to be installed on the targeted machines. Researchers at iDEFENSE alerted Microsoft to this vulnerability and the iDEFENSE security advisory discussing this issue (linked below) tends to focus heavily on the MSHTA angle. However, a careful reading of both the iDEFENSE and Microsoft advisories shows that the real 'problem' is the way the Windows shell determines how to handle OLE2 format files under specific conditions.

A trivial exploit generator for this vulnerability has been publicly posted, though a cursory reading of the iDEFENSE description suggests that writing code to generate such an exploit is overkill.

Microsoft MSHTA Script Execution Vulnerability - idefense.com

Microsoft Security Bulletin MS05-016

* Remote code execution vuln in Microsoft Message Queuing fixed

A vulnerability in Microsoft Message Queuing (MSMQ) exposes a possible remote arbitrary code execution mechanism via a buffer overflow. As MSMQ is not installed by default on the affected systems, and even if it were, conventional firewall best practices would shield it from remote exploitation, Microsoft rates this an 'important' severity vulnerability. More details, and links to patches, are available in the Microsoft security bulletin, linked below.

Microsoft Security Bulletin MS05-017

* Windows kernel update fixes multiple vulnerabilities

Three privilege elevation vulnerabilities and one denial of service vulnerability have been patched in the latest Windows kernel security update. None can be exploited unless a potential attacker is locally logged onto the victim machine, so Microsoft rates them as 'important' or lower severity (with an aggregate rating of important on most affected OSes). As usual, in some circumstances where the userbase is not necessarily terribly trustworthy (educational institutes, public access machines, etc.), any privilege elevation vulnerability must be treated as critical if the integrity of the machine's contents, or maintaining the integrity of the system's access controls, matters to the machine's owners.

Microsoft Security Bulletin MS05-018

* Multiple Windows TCP/IP vulnerabilities patched

Five vulnerabilities in the Windows TCP/IP stack have been patched, one of them rated as critical on all affected platforms except Windows 98 and ME. The vulnerability Microsoft rates as critical severity is a remotely exploitable buffer overflow that could result in execution of arbitrary code of the attacker's choice. The other four vulnerabilities expose denial of service possibilities.

Windows Server 2003 SP1 (x86 and Itanium versions) and the x64 versions of Windows Server 2003 and Windows XP Pro are not affected. All other currently supported versions of Windows are vulnerable. It's a fair bet that some folk are busy reverse engineering the patch to work out how to exploit these vulnerabilities, so do not delay patching this.

Microsoft Security Bulletin MS05-019

* Latest IE cumulative update has new patches for critical vulns

Three newly disclosed vulnerabilities in Internet Explorer, two rated as being of critical severity on most affected platforms, are included in the latest IE cumulative security update. Windows Server 2003 SP1 (x86 and Itanium versions) and the x64 versions of Windows Server 2003 and Windows XP Pro are not affected.

A proof of concept exploit for one of the critical vulnerabilities that allows remote arbitrary code execution - the DHTML Object Memory Corruption Vulnerability - has already been released, so do not delay in obtaining and installing this update.

Microsoft Security Bulletin MS05-020

* Update fixes critical Exchange Server buffer overflow

An arbitrary code execution vulnerability, caused by an unchecked buffer in the SMTP service, exists in some current Exchange Server versions. On Exchange 2000 Server the vulnerability is rated as 'critical' severity, but mitigating factors on Exchange Server 2003 result in the vulnerability only being rated as 'moderate' severity there.

Exchange Server 5.5 SP4 and Exchange Server 5.0 SP2 are not affected, but all other currently supported versions of Exchange Server are. Exchange 2000 Server SP3 admins should note the caveats in the security bulletin about installing this update on their systems.

Microsoft Security Bulletin MS05-021

* Critical MSN Messenger 6.2, 7.0 beta update

Specially malformed GIF image files can be used to execute arbitrary code of an attacker's choice when viewed with MSN Messenger 6.2 and the beta release of MSN Messenger 7.0. An update for the former has been released and 7.0 users are strongly encouraged to update to the final release version of MSN Messenger 7.0.

Note that MBSA does not detect MSN Messenger versions, so neither MBSA nor SMS can be used to test for machines needing these updates. For this reason, Microsoft has released an updated version of its Enterprise Update Scanning Tool (EST). More details about availability and use of EST are available in the security bulletin, linked below.

Microsoft Security Bulletin MS05-022

* Critical remote code execution flaw in Word, Works Suite fixed

Microsoft has released updates for Word 2000, 2002 and 2003, and Works Suite 2001, 2002, 2003 and 2004. These updates address two buffer overflow vulnerabilities in Word rated as critical in Word 2000 and 2002, and moderate in Word 2003. As Works Suite contains either Word 2000 or Word 2002, all affected Works Suite versions are vulnerable to the critical-rated vulnerabilities.

Both vulnerabilities allow attackers to run code of their choice on affected machines if a user can be persuaded to open a specially prepared document file.

Microsoft Security Bulletin MS05-023

* MS05-002 revised

New Windows 98, 98SE and ME updates for the MS05-002 vulnerability have been released. In some cases, installing the original updates caused machines to unexpectedly restart. Microsoft recommends that all Windows 98 and ME customers who have already installed the MS05-002 update obtain and install the revised patch, whether the original appeared to install properly or not.

Any Windows users who have not installed this critical patch already should do so as soon as possible, as it is being actively exploited on the web to install adware, spyware and other forms of 'legitimate marketing and customer tracking applications' [Sorry, in joke - Ed.].

Microsoft Security Bulletin MS05-002

* MS05-009 revised

Microsoft has revised the MS05-009 security bulletin to note its release of an updated patch for Windows Messenger 4.7.0.2009 running under Windows XP SP1. According to the revised security bulletin, the initial patch for this specific version of the affected products, and configuration, was not installing properly via AutoUpdate or when distributed via SMS. These problems have been addressed in the newly released patch for Windows Messenger 4.7.0.2009.

Microsoft Security Bulletin MS05-009

* Multiple Oracle vulnerabilities

Oracle's monthly Critical Patch Update has been posted and it lists 24 Database, 18 Application Server, 34 Collaboration Suite, 5 E-Business Suite, 1 Enterprise Manager and 7 PeopleSoft vulnerabilities and availability of patches for the various affected versions of the products containing those vulnerabilities.

Critical Patch Update April 2005 - oracle.com (~80KB PDF)

* PHP updates include several security fixes

PHP 4.3.11 and 5.0.4 have been released, including several non-critical bug fixes and multiple security fixes. All PHP users are advised to update as soon as possible (most Linux distributions have already shipped update packages).

PHP 4 Changelog - php.net

PHP 5 Changelog - php.net
