Dumb and dumber... virus-writing contest


This issue's topics:

Introduction:

* Write a virus for US$25,000; MS saves virus writer US$500,000; 2K3 SP1 released

Virus News:

* Dumb and dumber...

* Microsoft to save Blaster.B writer US$500,000?

Security News:

* Server 2003 SP1 released

* Further Firefox fixes; affects Thunderbird and Mozilla too

* Sylpheed buffer overflow fixed

Introduction:

It seems there was a great deal of security-related news this week, but on reviewing it, very little seems worthy of reporting here. The highlight (or is that lowlight?) for me, if there was one, was the virus writing contest briefly promulgated by an over-zealous Mac fan. Since I've included so little else, you can check the headings and decide for yourself...

Virus News:

* Dumb and dumber...

DVForge Inc (makers of stylish Mac-oriented accessories) CEO Jack Campbell took umbrage at recent Symantec comments that Mac users should beware of what the antivirus maker's researchers see as a growing interest among malicious code writers in OS X.

Apparently unaware of the basic results of theoretical computer science (Cohen's work, for one) that effectively prove that general purpose computers necessarily support viral functions (or perhaps just unaware of the fact that Macintoshes are general purpose computers?), the CEO offered a US$25,000 prize for the first person to write a virus that fulfilled some basic criteria specified in his contest. Aside from the obvious ethical concerns such an ill-advised competition raises, it appears nobody had checked the legal ones either: Campbell was busy pulling the competition within 24 hours of its announcement.

Humble pie was not on the menu that day though - instead of admitting the obvious wrong-headedness of his competition on both technical and ethical grounds he claimed the contest offer had been withdrawn because of possible legality and culpability issues. His tone suggests he still wrongly believes the Mac, or at least OS X, to be all but invulnerable to malicious software.

Your newsletter compiler hopes history does not contradict him, but suspects it will...

DVForge Virus Prize offered, rescinded - macworld.com

DVForge Virus Prize 2005 - dvforge.com

* Microsoft to save Blaster.B writer US$500,000?

For his role in lightly modifying the original Blaster worm and releasing the resulting Blaster.B variant, Jeffrey Lee Parson was sentenced, in January, to 37 months in prison, three years of supervised release, 100 hours of community service after he is released and to pay Microsoft $500,000 in restitution. Parson had earlier pleaded guilty to the charges arising from this incident.

Microsoft has now filed a request that, instead of paying the half million restitution, Parson perform an extra 75 hours of community service per year for each of the three years of supervised release he faces after leaving prison.

Blaster author avoids restitution - virusbtn.com

Security News:

* Server 2003 SP1 released

Service Pack 1 (SP1) for Windows Server 2003 has (finally) been released. Aside from rolling all security patches, except the very recent ones, into a single installer, several core components have had a security overhaul along the lines of the improvements incorporated in Windows XP SP2.

Microsoft is also pushing its new Security Configuration Wizard. This is claimed to make it easier to select the best 'out of the box' security settings for Server 2003 machines by answering a few simple questions about the main role played by each server (and disabling services and ports that role does not need), rather than taking the broader brush approach of the past.

A great deal of information about SP1 and planning its rollout and configuration is available from the Microsoft web page linked below, as are download links. Note that SP1 for Pentium-class processors is approximately a 330MB download and 430MB for the Itanium processor version.

Learn About and Install Windows Server 2003 SP1 - microsoft.com

* Further Firefox fixes; affects Thunderbird and Mozilla too

It's only a few weeks since we announced the first official Firefox update that addressed several serious security concerns. Well, the Mozilla Project has now released Firefox 1.0.2, Mozilla 1.7.6 and Thunderbird 1.0.2 to address several more security issues.

All three suffer the same heap-based buffer overflow in routines, common among the products, for handling a specific GIF 'extension block'. Specially created malformed GIF image files, delivered via e-mail or through normal web browsing, could exploit this vulnerability to run arbitrary code of an attacker's choice. Further, less serious, security flaws are also patched in these updates, which should be applied with some urgency.
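To show the bug class the item above describes, here is a small GIF extension-block reader written for this newsletter; it is not Mozilla's decoder and makes no claim about which extension block or which buffer was involved in the real flaw. It assumes a decoder that gathers an extension's sub-blocks into a fixed-size buffer (256 bytes is an assumed capacity) and shows the length check that separates a safe reader from one that can be driven to write past the end of that buffer by a crafted file. The sample GIF fragments are constructed, not taken from any real file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A GIF extension is: 0x21 <label> then a chain of sub-blocks, each a length
 * byte (0..255) followed by that many data bytes, ended by a zero length byte.
 * Decoders usually gather one extension's sub-blocks into a single buffer.
 * Without a check of the running total against that buffer's capacity, a file
 * whose sub-blocks add up to more than the capacity overflows it; that is the
 * heap-overflow class the news item above is about. */

#define GIF_EXT_INTRODUCER 0x21
#define GIF_COMMENT_LABEL  0xFE   /* comment extension, used for the samples */

enum gif_status { GIF_OK = 0, GIF_TRUNCATED = -1, GIF_TOO_LARGE = -2, GIF_BAD_HEADER = -3 };

/* Read the extension at p (len bytes available). Sub-block payloads are
 * gathered into out (capacity cap); *out_len receives the bytes gathered and
 * *consumed the input bytes used. Returns GIF_TOO_LARGE rather than writing
 * past out, and GIF_TRUNCATED rather than reading past p + len. */
int gif_read_extension(const uint8_t *p, size_t len, uint8_t *label,
                       uint8_t *out, size_t cap, size_t *out_len, size_t *consumed)
{
    size_t pos, total = 0;
    if (len < 2 || p[0] != GIF_EXT_INTRODUCER) return GIF_BAD_HEADER;
    *label = p[1];
    pos = 2;
    for (;;) {
        if (pos >= len) return GIF_TRUNCATED;       /* no terminator before end of input */
        size_t n = p[pos++];
        if (n == 0) break;                          /* block terminator */
        if (n > len - pos) return GIF_TRUNCATED;    /* sub-block claims more bytes than exist */
        if (n > cap - total) return GIF_TOO_LARGE;  /* the check an overflowing reader lacks */
        memcpy(out + total, p + pos, n);
        total += n;
        pos += n;
    }
    *out_len = total;
    *consumed = pos;
    return GIF_OK;
}

/* Constructed: a comment extension of three 255-byte sub-blocks (765 bytes of
 * payload), which a reader with a 256-byte accumulator must refuse. */
static size_t build_oversized(uint8_t *buf)
{
    size_t pos = 0;
    buf[pos++] = GIF_EXT_INTRODUCER;
    buf[pos++] = GIF_COMMENT_LABEL;
    for (int i = 0; i < 3; i++) {
        buf[pos++] = 255;
        memset(buf + pos, 'A', 255);
        pos += 255;
    }
    buf[pos++] = 0;
    return pos;   /* 771 bytes */
}

/* Returns 1 if a well-formed 5-byte comment is read back intact. */
int demo_benign(void)
{
    static const uint8_t gif[] = { 0x21, 0xFE, 5, 'h', 'e', 'l', 'l', 'o', 0x00 };
    uint8_t out[256], label; size_t n = 0, used = 0;
    int rc = gif_read_extension(gif, sizeof gif, &label, out, sizeof out, &n, &used);
    return (rc == GIF_OK && label == GIF_COMMENT_LABEL && n == 5 &&
            used == sizeof gif && memcmp(out, "hello", 5) == 0) ? 1 : 0;
}

/* Returns the status for the 765-byte comment against a 256-byte buffer. */
int demo_oversized(void)
{
    uint8_t gif[1024], out[256], label; size_t n = 0, used = 0;
    size_t len = build_oversized(gif);
    return gif_read_extension(gif, len, &label, out, sizeof out, &n, &used);
}

/* Returns the status for a sub-block that claims 10 bytes but has 2. */
int demo_truncated(void)
{
    static const uint8_t gif[] = { 0x21, 0xFE, 10, 'a', 'b' };
    uint8_t out[256], label; size_t n = 0, used = 0;
    return gif_read_extension(gif, sizeof gif, &label, out, sizeof out, &n, &used);
}

int main(void)
{
    printf("benign ok: %d\n", demo_benign());           /* 1 */
    printf("oversized: %d\n", demo_oversized());        /* -2 (GIF_TOO_LARGE) */
    printf("truncated: %d\n", demo_truncated());        /* -1 (GIF_TRUNCATED) */
    return 0;
}
```

The two checks inside the loop are the whole point: the first keeps the reader from running off the end of the input, the second keeps it from running off the end of its own buffer. Drop the second and the oversized sample silently writes 509 bytes past a 256-byte heap allocation.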

We also noted earlier that the automatic update notification option did not seem to work. It appears (at least on this machine) that this has now been addressed, as Firefox asked for permission to obtain the 1.0.2 update the other day.

Mozilla Project home page - mozilla.org

* Sylpheed buffer overflow fixed

Sylpheed mail client users should upgrade, to 1.0.4 if using the 'stable' releases or to 1.9.7 if using the 'development' releases.

A remotely exploitable buffer overflow in the mail client's handling of MIME-encoded filenames in messages with attachments has been fixed in these latest releases.

Sylpheed home page - good-day.net
