No FBI virus; Microsoft AntiSpyware

In brief, a new Sober variant has had some news outlets and the FBI in a twist because some of its messages are forged to look as if they are official investigation messages from the FBI. It's old hat, of course...

This issue's topics:

Introduction:

* No FBI virus; Exchange 2000, Arkeia, PuTTY, Mailman fixes

Virus News:

* Not the FBI calling

* Microsoft AntiSpyware to be free (at least for home users)

Security News:

* MS04-035 updated; now includes patch for Exchange 2000

* Remote exploits in Arkeia Network Backup software fixed

* PuTTY 0.57 fixes two vulnerabilities

* Mailman 2.1.x remote directory traversal fixed

* More on SHA-1 break

Introduction:


Microsoft has released some details of its anti-spyware product pricing: it will be free, at least so long as you are happy using the 'end user' version. Details not yet released include whether there will be any difference in the frequency and availability of updates between the free, personal-use version and the planned corporate, network-deployment version. This announcement, and the Redmond giant's unexpected back-down on its 'no new IE before and without Longhorn' stance, saw a Gartner analyst take MS to task for what he characterized as Microsoft's wrong-headed approach to securing its desktop operating system offerings.

On the security front, Microsoft has added Exchange 2000 Server to the list of affected platforms in the critical SMTP remote code execution vulnerability originally announced last October in MS04-035. Arkeia Network Backup, PuTTY and Mailman users should also be preparing to install important updates, and we link to some further discussion of the SHA-1 break and what it means in practical and theoretical cryptanalytic terms.

Virus News:

* Not the FBI calling

Lest you have heard stories of an 'FBI virus', relax.

The FBI has not (as far as we know) released a virus. However, yet again a mass-mailing virus that forges its From address and claims (in one of the many possible messages it can send) to be from a law enforcement agency is doing the rounds.

Sober.K to be precise. Typical mass-mailer. Little different from previous variants. Uses much the same tricks and techniques.

In other words, same old, same old.

And not even particularly widely seen (although a few vendors have claimed notable numbers of reports).

Makes you wonder why some media outlets even bothered to make 'news' of it...

FBI Alerts Public To Recent E-Mail Scheme - fbi.gov

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Microsoft AntiSpyware to be free (at least for home users)

In announcing a reversal of previous plans not to release a new, standalone version of Internet Explorer, Bill Gates also made the first public announcements about the pricing of Microsoft AntiSpyware, whose public beta release we featured here back in January.

The product as it is now will be freely available. Further announcements from the company noted that an advanced version, featuring functionality for network distribution and management as is generally desired in corporate network settings, would be available as a paid-for product.

Gartner research director Neil MacDonald heavily criticized Microsoft's security stance following the announcement.

Gates promises new version of IE by midyear - computerworld.com

Microsoft security strategy still lacking despite new IE - infoworld.com

Security News:

* MS04-035 updated; now includes patch for Exchange 2000

In all the excitement over the dozen or so new updates released on this month's 'Patch Tuesday', we missed noticing that MS04-035 also had a significant makeover.

Microsoft Exchange 2000 Server was not initially listed as being affected by this critical vulnerability. Subsequent to the original release of the MS04-035 security bulletin, Microsoft became aware of a variation of the vulnerability that also affected Exchange 2000 Server.

A patch for this critical vulnerability, which applies to Exchange 2000 Server SP3, is now available, and download and installation details for it have been added to the security bulletin.

Microsoft Security Bulletin MS04-035

* Remote exploits in Arkeia Network Backup software fixed

Two vulnerabilities in versions of Arkeia Network Backup Software prior to 5.3.5 have been fixed in the 5.3.5 release. These vulnerabilities affect all platforms on which Arkeia runs, which includes many Unix and Unix-ish platforms, Mac OS and Windows.

One of the vulnerabilities is a remotely exploitable buffer overflow that yields root or SYSTEM-level code execution. Proof of concept exploits for this vulnerability, crossing several affected platforms, have been publicly disclosed. Following the announcement of these vulnerabilities, SANS' Internet Storm Center (ISC) showed a notable spike in scanning for port 617, the port on which the affected Arkeia backup client listens.

Arkeia Corp has released updated versions of its currently supported releases of the Arkeia Network Backup client, including Arkeia Light. These updates are available from the Arkeia page linked below. Also, as noted in Arkeia's response to this issue, Arkeia administrators should take heed of the directions in Appendix B of the Arkeia User Manual describing configuration options for restricting access to the software.

ISC Port 617 Graph - sans.org

New Arkeia Release Fixes Potential Security Vulnerability - arkeia.com

* PuTTY 0.57 fixes two vulnerabilities

PuTTY is a popular client program for the SSH, Telnet and Rlogin protocols, available on Windows, Linux and other Unix-ish OSes.

iDEFENSE has reported two vulnerabilities in PuTTY's SFTP client code (included in PuTTY's PSFTP and PSCP applications), affecting versions 0.56 and earlier. Version 0.57 of PuTTY, which addresses both vulnerabilities, has been released, and PuTTY users are recommended to obtain and build or install this update as soon as practicable.

Exploitation would require a malicious server to send specially malformed responses to a vulnerable PuTTY client - a less likely attack scenario than when such vulnerabilities exist in server software.
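As an added illustration (not PuTTY's code or material from the iDEFENSE advisory), the two checks a client-side SFTP parser needs when it trusts nothing the server sends, written in Python so the validation logic is explicit. The string reader compares a server-declared length with the bytes actually remaining rather than computing length+4, and the SSH_FXP_NAME (readdir reply) parser bounds the entry count before it drives a loop; the packet bytes are constructed for the example and ATTRS is simplified to a zero flags word.

```python
import struct

SSH_FXP_NAME = 104  # server reply to SSH_FXP_READDIR


def read_u32(data, pos):
    if len(data) - pos < 4:
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", data, pos)[0], pos + 4


def read_string(data, pos):
    """Read an SFTP string (uint32 length, then bytes); returns (bytes, pos)."""
    n, pos = read_u32(data, pos)
    # Check the declared length against what is left, never 'length + 4':
    # in C a length near 2**32 wraps that sum small enough to pass a naive check.
    if n > len(data) - pos:
        raise ValueError(f"string length {n} exceeds packet body")
    return data[pos:pos + n], pos + n


def parse_name_reply(payload):
    """Parse SSH_FXP_NAME entries; ATTRS assumed to be a flags word of 0 (no
    attribute fields) for brevity. Returns (request_id, [(name, longname)])."""
    if payload[:1] != bytes([SSH_FXP_NAME]):
        raise ValueError("not an SSH_FXP_NAME reply")
    request_id, pos = read_u32(payload, 1)
    count, pos = read_u32(payload, pos)
    # Bound count by the bytes present (>= 12 per entry) before it drives a loop or allocation.
    if count > (len(payload) - pos) // 12:
        raise ValueError(f"count {count} impossible in {len(payload) - pos} bytes")
    entries = []
    for _ in range(count):
        filename, pos = read_string(payload, pos)
        longname, pos = read_string(payload, pos)
        _, pos = read_u32(payload, pos)  # ATTRS flags word, assumed 0 here
        entries.append((filename, longname))
    return request_id, entries


def sftp_string(b):
    """Encode an SFTP string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed replies (not captured traffic): a valid two-entry listing and one with a 0xFFFFFFFF filename length.
GOOD_REPLY = (bytes([SSH_FXP_NAME]) + struct.pack(">II", 7, 2)
              + sftp_string(b"notes.txt") + sftp_string(b"-rw-r--r-- notes.txt") + b"\0" * 4
              + sftp_string(b"..") + sftp_string(b"drwxr-xr-x ..") + b"\0" * 4)
BAD_REPLY = bytes([SSH_FXP_NAME]) + struct.pack(">III", 8, 1, 0xFFFFFFFF) + b"\0" * 12
```

A reply declaring an absurd entry count with no bytes behind it is rejected by the same count bound before any per-entry work happens.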

Multiple PuTTY SFTP Packet Parsing Integer Overflows - idefense.com

PuTTY vulnerability vuln-sftp-readdir

PuTTY vulnerability vuln-sftp-string

* Mailman 2.1.x remote directory traversal fixed

Popular mailing list management software GNU Mailman versions 2.1 through 2.1.5 are vulnerable to a directory traversal attack that can expose sensitive information regarding a list's configuration, membership and member data including their list-management passwords.

This vulnerability arises from improper sanitization of URLs in the 'private.py' CGI script of Mailman's web interface: the sanitization step turns specially crafted URLs into valid paths pointing to parts of the server that the script is supposed to block access to.

John Cartwright, list manager for the Full-Disclosure security mailing list, disclosed the flaw after the Full-Disclosure list was 'attacked' through exploitation of the vulnerability. Mailman is commonly included in Linux, and other Unix-ish OS, distributions.
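An added illustration, not Mailman's own private.py code: a generic single-pass '../' strip, the kind of cleanup that crafted URLs defeat, beside a strict resolver that joins, normalises and then checks that the result still lies under the archive root. The root path and request strings are constructed for the example.

```python
import posixpath

# Constructed example: the script may only serve files beneath this root
# (a hypothetical path, not Mailman's real archive layout).
ARCHIVE_ROOT = "/var/lib/mailman/archives/private"


def naive_sanitize(path_info):
    """A single-pass strip of '../', the kind of cleanup that looks safe.

    It is not: str.replace removes each match once, so a request such as
    '....//' collapses into '../' and the traversal survives the cleanup.
    """
    return path_info.replace("../", "")


def resolve_strictly(path_info, root=ARCHIVE_ROOT):
    """Resolve a client-supplied path against root and refuse escapes.

    Returns the normalised absolute path, or None when the request must be
    rejected. Assumes the web server has already URL-decoded path_info once;
    do not decode it a second time here.
    """
    if "\0" in path_info:  # a NUL byte truncates the path at the OS level
        return None
    # Join first, normalise second: normpath() then collapses every '..' in
    # the combined string, so the check sees where the request really lands.
    full = posixpath.normpath(posixpath.join(root, path_info.lstrip("/")))
    # Anything whose common prefix with root is shorter than root has
    # escaped; a request for the root directory itself is refused as well.
    if posixpath.commonpath([root, full]) != root or full == root:
        return None
    return full


def demo():
    """Weak and strict handling of one crafted request, side by side."""
    crafted = "....//....//etc/passwd"
    return {
        "after_naive_strip": naive_sanitize(crafted),
        "strict_on_crafted": resolve_strictly(crafted),
        "strict_on_traversal": resolve_strictly("../../etc/passwd"),
        "strict_on_good": resolve_strictly("mylist/2005-February/000123.html"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```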

Archived Full-Disclosure list message - securityfocus.com

Mailman security issues - gnu.org

* More on SHA-1 break

Last week we reported that SHA-1 had been broken. As the hash function of choice in the most widely used of today's cryptographic solutions, this is an especially significant cryptanalytic result. Despite this break, 'easy' forgery of digitally signed documents and the like is still some way off. That is, the practical significance of this finding is not that we should immediately abandon SHA-1; rather, the discovery of an algorithmic weakness in SHA-1 is of significant theoretical importance (which is why cryptographers are so interested in the result).

Again, we refer you to further discussion of the issues in Bruce Schneier's blog...

Cryptanalysis of SHA-1 - schneier.com
