New old Mydoom variant on rampage

Sorry for disappearing for a while there, but we do intend to keep bringing you this newsletter on a regular, weekly basis.

This issue's topics:

Introduction:

* 12 MS patches; 23 from Oracle; SHA-1 flawed; brace of worms

Virus News:

* New old Mydoom variant on rampage

* Bropia takes to MSN Messenger

Security News:

* ASP.NET security bypass fixed

* Patch for critical Office XP, Project 2002, Visio 2002 vulnerability

* SharePoint [Team] Services XSS and content spoofing flaws patched

* Windows information disclosure hole closed

* Windows Shell drag and drop vulnerability fixed

* Windows Media Player, Windows/MSN Messenger PNG vulnerability patched

* Remote code execution in Windows License Logging Service fixed

* Critical SMB client remote code execution vulnerability patched

* Patch for critical OLE and COM vulnerabilities released

* Cross-domain vulnerability in DHTML Editing control fixed

* Cumulative IE update released

* Windows Hyperlink Object Library buffer overflow fixed

* Oracle patches 23 vulnerabilities; some critical

* SHA-1 broken?

Introduction:


As time is now really tight, I'll just briefly comment that there have been many mini-outbreaks on the virus front of late, and of course, taking up the bulk of today's issue, a dozen new Microsoft security patches. Oracle seem to be competing with Microsoft on the number of security patches released, with the January roster clocking in at 23 vulnerabilities!

And it would be difficult to ignore the strong suggestion from earlier this week that the SHA-1 hash algorithm, at the heart of much digital signature technology, may have been shown to be seriously weaker than previously thought.

Virus News:

* New old Mydoom variant on rampage

Even your newsletter compiler has become confused by the plethora of variant names used for each new Mydoom variant, but this latest (let's call it Mydoom.AU for now) may well take the cake. Aside from the rampaging sub-variantitis caused by some vendors classifying, as Mydoom variants, various things that others consider not to be Mydoom at all, we now have a variant that seems likely to be the result of a trivial binary edit of an earlier variant. Should it be given a new sub-variant designation or not? Some vendors think not and have given it the same name as the earlier variant they believe it is based on, while (most) others have simply incremented their own (almost unique) variant counters for this family...

Oh - the virus itself? A fairly typical Mydoom, with self-mailing and 'spread through P2P shares' distribution methods. It also searches Altavista, Google, Lycos and Yahoo! for possible e-mail addresses to send itself to as well as looking for addresses in the usual local files.

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Bropia takes to MSN Messenger

Spreading through MSN Messenger (and/or other popular chat networks), by 'spimming' a URL to a download location is not a new technique, although it is still not as widely used as one may expect given the popularity of the various chat networks. Bropia has been around for a few weeks now, and there have been a fair number of variants given the family's recent appearance, gaining it some notoriety.

Perhaps the most interesting thing about Bropia is that it seems to mainly exist to spread other malware. Various 'spy bots' and backdoors have been distributed by different Bropia variants and this latest is typical in that respect.

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* ASP.NET security bypass fixed

Microsoft has released patches for all currently supported versions of ASP.NET to fix a path disclosure vulnerability that can allow an unauthenticated user to access parts of an ASP.NET website that should require user authentication. The precise nature of any exploitation of this vulnerability depends on the contents and sensitivity of any material supposedly protected by the ASP.NET security system.

Administrators of affected ASP.NET systems should note that the Microsoft Baseline Security Advisor (MBSA) does not detect ASP.NET installations or updates. SMS can detect the need for these updates. Users of other, third-party, patch management systems should check their ability to correctly detect the need for these patches. To fill this gap, Microsoft has released a new update detection tool - the Enterprise Update Scanning Tool (EST). Microsoft plans to release new EST versions to cover any future security bulletin updates that are not covered by MBSA or the Office Detection Tool (ODT). This may seem an odd approach, but MBSA is covered by licensing issues between Microsoft and Shavlik which limit the platforms and level of updates that MBSA can cover.

Microsoft rates the severity of this vulnerability as 'important', rather than 'critical', cryptically noting that it 'only affects sites that require authenticated access'. One may have thought that for such sites, a complete bypass of their apparent security system would be a critical exposure...

Microsoft Security Bulletin MS05-004

How to obtain and use the Enterprise Update Scan Tool - microsoft.com

* Patch for critical Office XP, Project 2002, Visio 2002 vulnerability

A remote code execution vulnerability in some Office XP components (Word and PowerPoint), Project 2002 and Visio 2002 has been corrected. The latest security update for these products also applies to Works Suite 2002, 2003 and 2004 because of the inclusion of the affected version of Word 2002 in those suites.

This vulnerability is due to a buffer overflow in the affected products' handling of specially formed, unduly long URLs passed to the application when links to content handled by those applications are clicked in IE (or other applications embedding the IE browser control, such as Outlook and Outlook Express). Remote code execution is possible through exploiting this vulnerability and Microsoft rates it as being of critical severity.

Office XP SP2 users should note that the standard patch installation requires SP3, but the administrative security update version of the patch (necessary to apply the patch to network server installation points) can be applied to either SP2 or SP3 installations.

Although there are no known instances of this vulnerability being exploited in the wild, the researcher from Finjan Software who found the vulnerability and reported it to Microsoft has now released details, including the basis for a proof of concept exploit. An archived copy of that release, posted to the NTBugtraq mailing list, is linked below.

Archived NTBugtraq list message - securityfocus.com

Microsoft Security Bulletin MS05-005

* SharePoint [Team] Services XSS and content spoofing flaws patched

SharePoint Services and SharePoint Team Services contain cross-site scripting (XSS) and content spoofing vulnerabilities that may allow a malcontent to modify the content of web browser and proxy caches, and perform other XSS attacks. Microsoft has now released patches to address these vulnerabilities, which it rates as being of 'moderate' severity.

Microsoft Baseline Security Adviser (MBSA) users should note that SharePoint Team Services is not supported by MBSA. Further, MBSA only supports SharePoint Services through the Office Detection Tool, meaning that MBSA can only detect the need for the SharePoint Services update during a local scan. Microsoft has included support for detecting these updates in the Enterprise Update Scanning Tool (EST) released this month.

Microsoft Security Bulletin MS05-006

* Windows information disclosure hole closed

All supported versions of Windows XP apart from 'XP 64-Bit Edition Version 2003 (Itanium)' are vulnerable to an information disclosure flaw. A remote machine can obtain the names of users connected to the shares on vulnerable machines.

Various mitigating circumstances (such as typical and best-practice firewalling techniques) and workarounds (such as disabling the 'Computer Browser' service) are described in the Microsoft security bulletin associated with the release of the patch. Microsoft rates the severity of this vulnerability as 'important'.

Microsoft Security Bulletin MS05-007

* Windows Shell drag and drop vulnerability fixed

Microsoft has released an update addressing a serious vulnerability in the drag and drop functionality of the Windows Shell that, if exploited, could see arbitrary code silently saved to a target machine as a result of simple web browsing activity.

Although Microsoft rates this vulnerability as being of 'important' severity on Windows 2000 and XP platforms (including XP SP2), and 'moderate' severity on Windows Server 2003 (where the effectiveness of an exploit would be mitigated in IE's default, Enhanced Security Configuration), this vulnerability has been found being exploited in the field, so users of affected systems should seriously consider updating. Windows 98 and ME users should note that their platforms are vulnerable, but because Microsoft does not rate this a 'critical' vulnerability on those platforms, there is no extended security support for this issue.

Microsoft Security Bulletin MS05-008

* Windows Media Player, Windows/MSN Messenger PNG vulnerability patched

A remote code execution vulnerability in the PNG graphics file format handling code in various Microsoft products is fixed in a batch of recently released critical updates. Windows Media Player 9 Series (on some platforms), Windows Messenger 5.0 and MSN Messenger 6.1 and 6.2 are all affected, and many combinations of affected product and supported platform for those products are rated, by Microsoft, as being of critical severity.

Details of a related vulnerability (in non-Microsoft products) had been publicly disclosed before Microsoft released this update. Since the Microsoft security bulletin for the MS05-009 update was published, claiming that no exploits were known to have been published, proof of concept exploit code for the Windows PNG vulnerability has also been publicly distributed. MSN Messenger users with affected versions have since been blocked from signing into the MSN Messenger service, likely forcing many affected users to update, but those who haven't should as soon as practicable.

Microsoft Security Bulletin MS05-009

* Remote code execution in Windows License Logging Service fixed

Vulnerabilities in the License Logging Service, rated as being of critical severity on NT 4.0 Server and Windows 2000 Server SP3, and as important and moderate severity respectively on Windows 2000 Server SP4 and Windows Server 2003, are addressed in the updates associated with the MS05-010 security bulletin.

Firewall best practices should limit exposure of these vulnerabilities to other machines on the local network, but in environments where local users may not necessarily be considered benevolent, applying the patches as soon as practicable would be advisable.

Microsoft Security Bulletin MS05-010

* Critical SMB client remote code execution vulnerability patched

All supported Windows 2000, Windows XP and Windows Server 2003 platforms are vulnerable to a remote code execution vulnerability in the Server Message Block (SMB) client. The SMB client handles responses from SMB servers and researchers at eEye Digital Security found flaws in its handling of specially malformed responses. These vulnerabilities can, in some cases, be exploited through web-mediated communications.

Microsoft rates the severity of this vulnerability as 'critical', but firewall best practices should limit public exposure of most sites. Again, prudence suggests applying one of the documented workarounds or installing the update as soon as practicable.

SMB Client Transaction Response Handling Vulnerability - eeye.com

Microsoft Security Bulletin MS05-011

* Patch for critical OLE and COM vulnerabilities released

Microsoft has released an update for Windows OLE and COM components to address privilege elevation and possible remote code execution vulnerabilities on Windows 2000, XP and Server 2003 platforms.

Don't be misled by the product matrix in the MS05-012 security bulletin. On a vulnerable system, the input validation vulnerability affecting the handling of OLE structured files can be exploited through any application that uses OLE format files, not just the Microsoft applications listed in the security bulletin. OLE format files are used by many third-party applications, any of which could be used as a vector for an exploit of this vulnerability. The listed Microsoft applications are just there as examples of common, OLE-using programs. The vulnerability is not in the applications per se but in the underlying OLE component; it can, however, only be exploited through a specially malformed OLE file of a form that will be opened by an installed, OLE-using application.

The severity rating given to the OLE vulnerability is arguably incorrect too, as the vulnerability is not in the application but in the OS. Thus, any of the affected OSes is critically affected if it has any applications installed that use OLE format files.
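Since the weak component is the OLE parser rather than any particular application, a mail or file gateway should recognise OLE containers by their content, not by file extension. The following is an added example (not Microsoft's or the newsletter's code) that identifies OLE2 / Compound File Binary containers by their 8-byte signature, sanity-checks the header fields defined in Microsoft's MS-CFB format, and flags files that carry the signature under a non-OLE extension; the header offsets follow the MS-CFB specification, while the extension list and the sample header are constructed for the demonstration.

```python
import struct
from typing import Optional

# 8-byte signature of an OLE2 / Compound File Binary container (MS-CFB).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Extensions normally backed by OLE containers (constructed list for the demo).
OLE_EXTENSIONS = {".doc", ".xls", ".ppt", ".msi", ".vsd", ".mpp"}

def parse_ole_header(data: bytes) -> Optional[dict]:
    """Decode and sanity-check the 512-byte MS-CFB header; None if not OLE."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    # MS-CFB offsets: byte order 0x1C, sector shift 0x1E, mini sector shift 0x20,
    # number of FAT sectors 0x2C, first directory sector 0x30, mini cutoff 0x38.
    byte_order, sector_shift, mini_shift = struct.unpack_from("<HHH", data, 0x1C)
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    cutoff = struct.unpack_from("<I", data, 0x38)[0]
    problems = []
    if byte_order != 0xFFFE:
        problems.append("byte-order mark is not 0xFFFE")
    if sector_shift not in (9, 12):
        problems.append(f"sector shift {sector_shift} is not 9 or 12")
    if mini_shift != 6:
        problems.append(f"mini sector shift {mini_shift} is not 6")
    if cutoff != 4096:
        problems.append(f"mini stream cutoff {cutoff} is not 4096")
    sector_size = 1 << sector_shift if sector_shift in (9, 12) else 512
    # Sector N starts at (N + 1) * sector_size; the directory must fit in the file.
    if (first_dir + 2) * sector_size > len(data):
        problems.append("first directory sector lies past end of file")
    return {"sector_size": sector_size, "num_fat_sectors": num_fat,
            "first_dir_sector": first_dir, "problems": problems}

def classify(filename: str, data: bytes) -> str:
    """Gateway verdict: not-ole, ole-ok, ole-malformed or ole-disguised."""
    hdr = parse_ole_header(data)
    if hdr is None:
        return "not-ole"
    if hdr["problems"]:
        return "ole-malformed"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "ole-ok" if ext in OLE_EXTENSIONS else "ole-disguised"

def make_header(**overrides) -> bytes:
    """Constructed minimal container (header + two empty sectors) for testing."""
    f = dict(byte_order=0xFFFE, sector_shift=9, mini_shift=6,
             num_fat=1, first_dir=1, cutoff=4096)
    f.update(overrides)
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHH", hdr, 0x1C, f["byte_order"], f["sector_shift"], f["mini_shift"])
    struct.pack_into("<II", hdr, 0x2C, f["num_fat"], f["first_dir"])
    struct.pack_into("<I", hdr, 0x38, f["cutoff"])
    return bytes(hdr) + bytes(1024)
```

Run `classify("invoice.txt", make_header())` to see a container hiding behind a harmless-looking extension reported as `ole-disguised`.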

Microsoft Security Bulletin MS05-012

* Cross-domain vulnerability in DHTML Editing control fixed

Windows 98, ME, 2000 and XP systems are vulnerable to a critical vulnerability in the DHTML Editing Component ActiveX control. Due to tighter default IE security policies on XP SP2 and Windows Server 2003, this same vulnerability is rated as being of 'important' and 'moderate' severity, respectively, on those OSes. The vulnerability is due to a flaw in how the security zone for content handled by the DHTML Editing Component is assessed, with some methods of the component having their content incorrectly assigned to the local machine zone.

On the critically affected OSes, exploiting this vulnerability allows script code from a remotely-served web page to be executed in the 'local machine' zone, with such code potentially having almost total control of the target machine.

Microsoft Security Bulletin MS05-013

* Cumulative IE update released

All currently supported versions of IE, on all platforms (including Windows 98 and ME) are updated by the latest cumulative IE update. This update is given an aggregate severity rating of 'critical' on all OSes, including XP SP2 and Server 2003 despite their enhanced (default) security settings for IE that often mitigate IE security flaws on those platforms.

This update fixes multiple vulnerabilities, two of which are rated critical on most or all platforms. Note that the Drag and Drop vulnerability mentioned in the MS05-014 security bulletin is only partially addressed by this update - to gain full protection against this vulnerability you must also install the MS05-008 update, discussed above.

As is usual with such IE updates, this is a cumulative update, including all security fixes since the relevant previous service or OS release.

Microsoft Security Bulletin MS05-014

* Windows Hyperlink Object Library buffer overflow fixed

An unchecked buffer in the Hyperlink Object Library of all supported versions of Windows allows for remote code execution if the user of an affected machine clicks on a suitably malformed web link on a web page or in an e-mail message. The severity of this vulnerability is rated 'critical' on all affected Windows platforms, including Windows 98 and ME.

Same old story - bad, bad things can happen if you don't patch ASAP...

Microsoft Security Bulletin MS05-015

* Oracle patches 23 vulnerabilities; some critical

Multiple Oracle Database Server, Application Server, Collaboration Suite and E-Business Suite products are affected by multiple vulnerabilities. Some of these are rated as critical severity because they expose remote arbitrary code execution opportunities requiring little or no user authentication.

Critical Patch Update January 2005 - oracle.com (PDF)

* SHA-1 broken?

Cryptographer Bruce Schneier has released some limited details of the claims of a team of Chinese mathematicians that they have found significant weaknesses in the SHA-1 hash algorithm.

Schneier says, in a posting to his blog, that the team has been 'quietly circulating a paper describing their results' and that '[a]t this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team'. The Chinese team is much the same one that recently also found weaknesses in MD5 and RIPEMD and Schneier was at the RSA Conference (a major security and crypto conference) when he posted that blog entry, so there is a strong implication that he has been given a copy of the paper, perhaps for comment or review.
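To make the stakes concrete, here is an added example (not from the newsletter or from Schneier's post) of why a collision attack on a hash matters for digital signatures: a birthday search on SHA-1 truncated to 24 bits finds two distinct messages with the same digest in roughly 2**12 hashes, and a signature issued over one of them then verifies the other. The HMAC stand-in for a signature scheme, the key and the message prefix are constructed for the demonstration.

```python
import hashlib
import hmac
import itertools

def truncated_sha1(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-1(msg) as an integer. Truncation stands in
    for a weakened hash so that the search below finishes in seconds."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return digest >> (160 - bits)

def find_collision(bits: int, prefix: bytes = b"transfer ") -> tuple:
    """Birthday search: hash distinct messages until two share a truncated
    digest. Expected cost is about 2**(bits / 2) hashes, which is where the
    2**80 figure assumed for full 160-bit SHA-1 comes from."""
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()   # every message is distinct
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def sign(key: bytes, msg: bytes, bits: int) -> bytes:
    """Stand-in for a digital signature (an HMAC, constructed for the demo):
    like real schemes it signs the hash of the message, not the message."""
    d = truncated_sha1(msg, bits).to_bytes((bits + 7) // 8, "big")
    return hmac.new(key, d, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, sig: bytes, bits: int) -> bool:
    return hmac.compare_digest(sign(key, msg, bits), sig)

def demo(bits: int = 24) -> dict:
    """A signature over the first colliding message verifies the second one."""
    m1, m2, tries = find_collision(bits)
    key = b"constructed-demo-key"
    sig = sign(key, m1, bits)
    return {"m1": m1, "m2": m2, "tries": tries,
            "messages_differ": m1 != m2,
            "signature_transfers": verify(key, m2, sig, bits)}

if __name__ == "__main__":
    r = demo()
    print(f"collision after {r['tries']} hashes (~2**12 expected for 24 bits)")
    print(f"signature for {r['m1']!r} also verifies {r['m2']!r}: {r['signature_transfers']}")
```

Raising `bits` by two roughly doubles the number of hashes needed, which is the scaling a collision attack on the full 160-bit function has to beat.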

SHA-1 Broken - schneier.com

SHA family - wikipedia.org
