More mobile viruses; no March MS patches

The next step up in the mobile (cell) phone malware race happened this week, with the first virus that spreads by multimedia messaging (MMS) as well as by Bluetooth. We have also seen a good deal of MSN Messenger activity, with malware advertising itself or its 'services' via the popular messaging service; it seems users are yet to make the association 'if I shouldn't click on it in my e-mail, I shouldn't click on it here either'.

This issue's topics:

Introduction:

* More mobile viruses; no March MS patches; Firefox, CA License, RealPlayer updates

Virus News:

* Kelvir one of many 'MSN worms'

* Commwarrior set to take on road warriors?

Security News:

* No security updates from MS this month

* XP SP2 automatic update blocking ends in April

* Mozilla Firefox 1.0.1 released

* Critical OS X Java fix

* Remote code execution in CA License fixed

* RealNetworks media players vulnerable to remote buffer overflows

Introduction:


Microsoft has confirmed there are no 'patch Tuesday' updates this month, but Firefox, OS X, CA License and RealNetworks media player users all have important patches to obtain as soon as possible.

Virus News:

* Kelvir one of many 'MSN worms'

Somewhat misleadingly given the mantle of 'MSN worm', Kelvir is one of several new pieces of malware seen in the past few weeks that send messages over the popular MSN instant messaging network to help spread the word.

And that word is not good.

Kelvir sends links dressed up with simple social engineering hooks to entice the unwary into clicking, and then into running the program offered in response. Much as security professionals may be patting themselves on the back at the apparent decline in the success of mass-mailing worms, it seems they still have a long way to go in teaching typical end users that clicking on links in IM to unknown, and therefore untrusted, URLs is far from sensible, even when the message appears to come from dear old Aunty Mabel or your latest squeeze.
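As an added example (not code from the newsletter or from any antivirus vendor), the following Python filter applies the point above to instant-messaging gateway logs: it flags links that point straight at an executable, use a bare IP address as the host, or arrive wrapped in the kind of teaser text an IM worm relies on. The gateway log format, the hook phrases and the log lines are all constructed for the example and are not taken from any Kelvir sample.

```python
import re
from urllib.parse import urlparse

# Extensions Windows will execute directly when a user runs "the program
# that is offered" after clicking a link.
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Teaser phrases of the kind IM worms use as social engineering hooks
# (an illustrative list made up for this example).
HOOK_RE = re.compile(
    r"\b(check (this|it) out|look at this|is this you|my (pics|photos)|lol)\b",
    re.IGNORECASE,
)
# Assumed record format of a hypothetical IM gateway log.
LOG_LINE_RE = re.compile(r'^(\S+) from=(\S+) to=(\S+) text="(.*)"$')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2005-03-10T14:02:11 from=aunty.mabel@example.com to=bob@example.com text="lol is this you? http://192.0.2.10/pics/photo.pif"
2005-03-10T14:03:40 from=alice@example.com to=bob@example.com text="meeting moved to 3pm, agenda at http://intranet.example.com/agenda.html"
2005-03-10T14:05:02 from=dave@example.com to=bob@example.com text="check this out http://www.example.org/funny/video.scr"
2005-03-10T14:06:17 from=carol@example.com to=bob@example.com text="http://198.51.100.7/setup.exe"
2005-03-10T14:07:55 from=erin@example.com to=bob@example.com text="are you coming tonight?"
"""


def suspicious_url_reasons(url):
    """Reasons a URL in an IM message deserves a closer look (empty if none)."""
    parsed = urlparse(url)
    reasons = []
    if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("links directly to an executable")
    if IP_HOST_RE.match(parsed.hostname or ""):
        reasons.append("host is a bare IP address")
    return reasons


def scan_message(text):
    """Return [(url, reasons)] for each link in one message that is worth flagging.

    The hook phrase on its own is not a finding; it is added as a further reason
    to every link the same message carries.
    """
    hook = HOOK_RE.search(text) is not None
    findings = []
    for url in URL_RE.findall(text):
        reasons = suspicious_url_reasons(url)
        if hook:
            reasons.append("arrives with a social-engineering hook")
        if reasons:
            findings.append((url, reasons))
    return findings


def scan_log(log_text):
    """Run scan_message over gateway log lines; returns one dict per flagged link."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a message record
        when, sender, recipient, text = m.groups()
        for url, reasons in scan_message(text):
            flagged.append({"time": when, "from": sender, "to": recipient,
                            "url": url, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['from']} -> {hit['to']}: {hit['url']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Note that the link from the trusted-looking sender is the first one flagged: the sender address is deliberately not a signal, because the whole point of the worm is that the message comes from someone the recipient knows.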

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Commwarrior set to take on road warriors?

Commwarrior is the first Symbian OS Series 60 virus to spread via Multimedia Messaging Service (MMS). It also spreads via Bluetooth, but unlike the Cabir variants before it, Commwarrior keeps looking for further Bluetooth targets after it succeeds in sending its .SIS file to a device. Because Cabir only ever tries to send itself to the first Bluetooth device it finds, Commwarrior's enhanced Bluetooth routine may make it much more successful at propagating to other devices.

As well as trying to locate nearby Bluetooth devices and infect them by sending a randomly-named .SIS installation package containing a copy of the virus, Commwarrior extracts phone numbers from the infected device's address book and sends MMS messages to those numbers. Messages sent this way have variable text and a 'commw.sis' attachment that, of course, contains a copy of the virus. At least for now, Bluetooth may remain Commwarrior's more successful distribution method. Several network operators do not enable MMS by default, so even on a Series 60 phone Commwarrior may find no MMS service available to it. Further, a phone number taken from an arbitrary address book is less likely to belong to an MMS-capable device, let alone another Series 60 phone, than a Bluetooth device discovered nearby is to be a Series 60 phone.

So, despite some doom and gloom predictions in some corners of the media, this discovery is not quite the death of the cell phone...
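The MMS leg of Commwarrior's spread is the one an operator or mail gateway can actually see, so here, as an added example that is not code from the newsletter or from any vendor, is a Python check for Symbian installer attachments in messages. It assumes the filter sits on an SMTP/MIME relay (the MMS content is represented with the standard library's email module) and judges each attachment on both its declared MIME type and its filename, so that a randomly-named .SIS package or a package mislabelled as an image does not slip past. The sample messages and their payload bytes are constructed placeholders, not malware.

```python
import email
from email import policy
from email.message import EmailMessage

# Registered MIME type for a Symbian installation package (.SIS).
SIS_MIME_TYPE = "application/vnd.symbian.install"
SIS_EXTENSIONS = (".sis",)


def build_mms(sender, recipient, text, attachment=None):
    """Construct a MIME message standing in for an MMS on an SMTP-based relay.

    attachment is (filename, content_type, data) or None.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "MMS"
    msg.set_content(text)
    if attachment is not None:
        filename, content_type, data = attachment
        maintype, subtype = content_type.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg.as_bytes()


def inspect_mms(raw):
    """Return [(filename, content_type, reasons)] for attachments that look like
    Symbian installers. Each signal is checked independently: the MIME type
    catches a renamed package, the extension catches a mislabelled one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        content_type = part.get_content_type()
        reasons = []
        if content_type == SIS_MIME_TYPE:
            reasons.append("declared as a Symbian installer")
        if filename.endswith(SIS_EXTENSIONS):
            reasons.append("filename has a .sis extension")
        if reasons:
            findings.append((filename, content_type, reasons))
    return findings


# Constructed sample messages (addresses made up; payload bytes are placeholders).
SAMPLES = {
    "named_sis": build_mms("alice@mms.example.net", "bob@mms.example.net",
                           "see attachment",
                           ("commw.sis", SIS_MIME_TYPE, b"\x00" * 64)),
    "random_name": build_mms("alice@mms.example.net", "carol@mms.example.net",
                             "new game!",
                             ("a8f3k2.sis", "application/octet-stream", b"\x00" * 64)),
    "mislabelled": build_mms("alice@mms.example.net", "dave@mms.example.net",
                             "my photo",
                             ("photo.jpg", SIS_MIME_TYPE, b"\x00" * 64)),
    "real_photo": build_mms("alice@mms.example.net", "erin@mms.example.net",
                            "my photo",
                            ("photo.jpg", "image/jpeg", b"\xff\xd8\xff" + b"\x00" * 61)),
    "text_only": build_mms("alice@mms.example.net", "frank@mms.example.net",
                           "running late", None),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", inspect_mms(raw) or "clean")
```

A filter like this only sees what the MMS transport carries; it does nothing for the Bluetooth leg, which is exactly why the paragraph above expects Bluetooth to remain the more successful route for now.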

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* No security updates from MS this month

Patch Tuesday it wasn't.

That's right - if you're a Windows administrator, you were not imagining that this (US) Tuesday just gone, and the rest of the week, was in some way oddly quiet. Microsoft announced that there would be no patches released on its usual monthly patch release day for March.

Microsoft Security Bulletin Search - microsoft.com

* XP SP2 automatic update blocking ends in April

Windows XP administrators who have taken advantage of the grace period during which XP SP2 has not been offered from WindowsUpdate should note that the grace period is about to end. XP machines visiting WindowsUpdate after 12 April (US West Coast) that have not already installed SP2 will be offered the service pack, and those with automatic download and/or update enabled will silently start downloading it. Administrators who still need to hold SP2 back on some machines should have another way of controlling update delivery in place before that date.

Temporarily Disabling Delivery of XP SP2 Through WindowsUpdate - microsoft.com

* Mozilla Firefox 1.0.1 released

With downloads of the official 1.0 release passing 25 million in the last few weeks, Firefox's share of the browser market is rapidly closing on 5%; a third of the way to the Mozilla Organization's target of 15% market share by the end of this year.

The last few weeks also saw the first official update for the alternative browser. Firefox 1.0.1 closes some vulnerabilities that could facilitate URL spoofing (especially useful in phishing attacks), some flaws that can lead to browser crashes when rendering malformed web pages and addresses a number of minor design and feature requests. Although the browser should now be even more stable, some early reports suggest a few implementation glitches still exist - for example, installing the update is said to (sometimes) reset your home page, rather than leave it as was.

There are also reports that the automatic 'check for updates' functionality in Firefox is not reliably reporting the availability of this update, so check the installed version yourself (Help > About Mozilla Firefox) and fetch 1.0.1 from the Firefox home page if it is not already there.

Firefox home page - mozilla.org

* Critical OS X Java fix

A flaw in the Java web browser plug-in, announced three months ago by Sun, has finally been corrected by Apple in OS X. The vulnerability could allow an applet to gain elevated privileges and possibly run arbitrary code of a remote attacker's choice.

About Security Update 2005-002 - apple.com

* Remote code execution in CA License fixed

Multiple remotely exploitable vulnerabilities, the worst of which allows arbitrary code of an attacker's choosing to be run, have been reported in the CA License package, which is installed alongside most Computer Associates (CA) software on most platforms.

Affected platforms are AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows and Apple Mac; affected versions are all versions from 1.53 to 1.61.8 inclusive. Vulnerable CA License installations should be upgraded to CA License 1.61.9 or higher. Most of the commands CA License responds to on its listening ports are vulnerable to straightforward buffer overflows. Download links are available in the CA security bulletin linked below.

Working exploits for some of these vulnerabilities are now publicly available, so obtaining and installing the updates as soon as practicable is highly advised. Until then, restrict network access to the License service's listening ports to the hosts that genuinely need it.
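Because the affected range is stated as "1.53 to 1.61.8 inclusive" and the fix as "1.61.9 or higher", here is an added Python check (not from CA's bulletin) for triaging an inventory of reported CA License versions. It shows the one real pitfall in a check like this: comparing dotted versions as strings puts a hypothetical 1.61.10 below 1.61.9 and wrongly marks it vulnerable, so the versions are compared numerically. The hostnames and versions in the inventory are made up for the example.

```python
# Affected range and first fixed release, as stated in the CA bulletin summary above.
AFFECTED_LOW = (1, 53)
AFFECTED_HIGH = (1, 61, 8)
FIRST_FIXED = (1, 61, 9)


def parse_version(text):
    """'1.61.8' -> (1, 61, 8); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(version_text):
    """True when the version falls inside the affected range.

    Tuple comparison is element-wise and numeric, so (1, 61, 10) sorts after
    (1, 61, 9) as it should, and a shorter tuple such as (1, 53) compares as
    the lowest release of that series.
    """
    version = parse_version(version_text)
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def naive_needs_upgrade(version_text):
    """The tempting string comparison, kept only to show why it is wrong:
    '1.61.10' < '1.61.8' as text because '1' < '8'."""
    return "1.53" <= version_text.strip() <= "1.61.8"


def triage(inventory):
    """inventory maps hostname -> reported CA License version string.
    Returns the sorted list of hosts that must be upgraded to 1.61.9 or later."""
    return sorted(host for host, version in inventory.items() if needs_upgrade(version))


# Constructed inventory (hostnames and versions made up for the example).
INVENTORY = {
    "lic-aix01": "1.61.8",   # last affected release
    "lic-sol02": "1.53",     # first affected release
    "lic-win03": "1.61.9",   # first fixed release
    "lic-lnx04": "1.61.10",  # hypothetical later fix; string comparison gets this wrong
    "lic-hp05": "1.52",      # predates the affected range
}

if __name__ == "__main__":
    for host, version in INVENTORY.items():
        print(f"{host:10} {version:8} numeric={needs_upgrade(version)!s:5} "
              f"string={naive_needs_upgrade(version)}")
    print("upgrade:", triage(INVENTORY))
```

The same numeric comparison is what a vulnerability scanner's version rule has to do; any rule that pattern-matches version strings textually should be tested against a three-part version with a two-digit final component before it is trusted.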

Computer Associates License Manager Remote Vulnerabilities - eeye.com

License Patches Are Now Available To Address Buffer Overflows - ca.com

* RealNetworks media players vulnerable to remote buffer overflows

Most current versions of RealPlayer, RealOne Player and Helix Player on Windows, Mac OS/OS X and Linux OSes are vulnerable to one or both of two buffer overflow flaws that could allow an attacker to run arbitrary code on the target machine.

One of the possible buffer overflows is in the Synchronized Multimedia Integration Language (SMIL) parser, the other

RealNetworks RealPlayer .smil Buffer Overflow Vulnerability - idefense.com

RealNetworks Updates Address Security Vulnerabilities - real.com
