Beware e-cards carrying Christmas surprises...

My apologies for the delay in this, the last (and nominally, last week's), V&S Watch of the year. We'll be back mid-January 2005...

This issue's topics:

Introduction:

* Five Windows patches; no Win2K SP5; Christmas viruses

Virus News:

* Beware e-cards carrying Christmas surprises...

* 'tis the season to be folly...

Security News:

* Update for remote code execution vulnerabilities in WordPad

* Multiple vulnerabilities in NT 4.0 DHCP Server fixed

* HyperTerminal update fixes remote code execution flaw

* Two Windows privilege elevation vulnerabilities fixed

* WINS flaws fixed

* No Windows 2000 SP5

* Cybercrime 'all about the bottom line'

* Muslim radicals to join cybercrime-wave?

Introduction:

I'm also sorry that my misreading of Microsoft's 'December security bulletin' summary prompted me to report last week that the critical severity, out-of-cycle IE patch was to be the only Microsoft security patch for December 2004 -- Patch Tuesday rolled around and, sure enough, five more security updates from Redmond! To the extent that news of five security patches released just before Christmas can be 'good news', none are rated by Microsoft as 'critical', though the privilege elevation vulnerabilities should be treated as critical in public-access situations and wherever shared-access machines are combined with 'less than entirely trustworthy' users.

Aside from these five Windows patches comes official confirmation that there will not be a Service Pack 5 release for Windows 2000, with Microsoft opting for a 'security rollup' style package to be delivered in the middle of next year instead. As expected of the hoped-for SP5, the security rollup will be devoid of the numerous 'enhanced' security updates included in XP SP2. We close the security section with two hopefully interesting and informative news articles about the changing face and orientation of cybercrime...

On the virus front, the expected 'Christmas Greetings' oriented mass-mailers have arrived for 2005, though they are generally uninteresting, introducing no new technical twists...

Virus News:

* Beware e-cards carrying Christmas surprises...

Didn't we warn you a few weeks back that the season for bogus Christmas greetings carrying malware was rapidly approaching?

Well, if we didn't we meant to, and of course, more or less on cue, mid-December (the 14th/15th to be precise) delivered the first of what is likely to be several such beasties. Win32/Zafi.D is another multi-lingual (well, bi-lingual - Hungarian and English) member of a family of mass-mailing viruses that have previously expressed political concerns.

Beyond its Christmas message, Zafi.D is a run-of-the-mill mass-mailer that also has a P2P spreading mechanism, and of very little technical interest...

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* 'tis the season to be folly...

OK - so you don't want to hear us sing... [No, really you don't! Ed.]

The day after Zafi.D (see previous item) started spreading its Christmas cheer, Win32/Atak.I was found in the wild. Another technically uninteresting typical mass-mailer, Atak.I - followed two days later by another variant, Atak.J - suffers the naming confusion so common in the antivirus industry and goes by several different variant ascriptions, depending on which antivirus vendor's web site you check...

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Symantec Security Response

Security News:

* Update for remote code execution vulnerabilities in WordPad

Microsoft has released updates for the venerable [pedestrian, even? - Ed.] WordPad 'word processor' that has shipped with all versions of Windows your newsletter compiler can recall installing (although in earlier versions of the OS it was called Windows Write, explaining the '.WRI' file association). Two vulnerabilities that allow remote code execution through buffer overflows in the Word for Windows 6.0 Converter included with WordPad are fixed in the update. Some 'defense in depth' changes to the default configuration that had already been made in XP SP2 and Windows Server 2003 are also applied when the MS04-041 updates are installed.

Despite fixing buffer overflow vulnerabilities that potentially allow remote execution of arbitrary code, Microsoft only rates the updates associated with security bulletin MS04-041 as being of 'important' severity on NT 4.0, Windows 2000 and XP SP1, and of 'moderate' severity on XP SP2 and Windows Server 2003. As the vulnerability is not rated 'critical' on Windows 98, no update has been made available for that platform.

Microsoft Security Bulletin MS04-041

* Multiple vulnerabilities in NT 4.0 DHCP Server fixed

The Dynamic Host Configuration Protocol (DHCP) Server service included in NT 4.0 Server and Terminal Server, but not installed by default, has a denial of service vulnerability and a potential remote code execution vulnerability. Both are fixed in an update released by Microsoft, as described in the linked security bulletin. As the service is not installed by default, and traditional best practice for firewall rules would prevent external access to possibly vulnerable servers, Microsoft has rated the aggregate severity of these vulnerabilities as 'important'.

Microsoft Security Bulletin MS04-042

* HyperTerminal update fixes remote code execution flaw

Specially crafted HyperTerminal session files (conventionally, '.HT' files) can trigger a buffer overflow in HyperTerminal, causing execution of arbitrary code. The versions of HyperTerminal in all currently supported versions of Windows except Windows 98 and ME suffer this vulnerability. Microsoft lists several mitigating circumstances in the MS04-043 security bulletin associated with this issue, which lead it to rate the vulnerability as being of 'important' severity, except on Windows Server 2003 platforms, where HyperTerminal is not installed by default and the severity rating is therefore 'moderate'.

Microsoft Security Bulletin MS04-043

* Two Windows privilege elevation vulnerabilities fixed

Privilege elevation flaws in the Windows kernel and in the LSASS service, affecting all currently supported NT-based Windows OSes, have been patched in an update released by Microsoft. Both flaws require valid login access to exploit, and both surrender complete system control to an attacker if successfully exploited.

Microsoft rates the aggregate severity of the vulnerabilities as 'important' on all affected platforms. However, in circumstances where local users cannot necessarily be considered 'trustworthy', such as public-access and many other shared-access systems (Internet cafés, school and university computer labs, etc.), such privilege elevation vulnerabilities are generally better thought of as being of critical severity.

Microsoft Security Bulletin MS04-044

* WINS flaws fixed

Two weeks back we warned of a publicly disclosed flaw in the Windows Internet Name Service (WINS) of NT 4.0, noting that proof of concept code exploiting the vulnerability had been released. Since then there has been a notable spike in apparent attempts to locate and/or exploit vulnerable WINS servers. The vulnerability, whose successful exploitation could lead to execution of arbitrary code, is apparently present in a wider range of OSes, with Microsoft releasing updates for two WINS vulnerabilities affecting NT 4.0 Server, Windows 2000 Server and Windows Server 2003 (32- and 64-bit).

Microsoft's aggregate severity rating for all affected platforms is 'important', given mitigating factors such as firewall best practice being to block such services from being visible to the Internet, and the WINS service not being installed by default (except on Small Business Server 2000 and Small Business Server 2003, where the default configuration nonetheless blocks the WINS ports from Internet access).

Microsoft Security Bulletin MS04-045

* No Windows 2000 SP5

Microsoft has announced that it will not be releasing a Service Pack 5 for Windows 2000 after all.

Long awaited, SP5 was expected by many to include some of the security enhancements of the recent XP SP2, despite Microsoft representatives having made it fairly clear throughout the year that there were no plans to back-port the 'extended' security improvements of XP SP2 to other OSes. SP5 would also have included all security patches for Windows 2000 released since SP4, easing the current 'install and then update' process those building new Windows 2000 machines now face.

Instead of releasing a full Service Pack, Microsoft has announced that it will release an Update Rollup for Windows 2000 'in mid-2005'. As well as containing all security updates between SP4 and the Update Rollup's finalization date, Microsoft says the rollup 'will also contain a small number of important non-security updates'.

The cynics see this as yet another Redmond ploy to encourage users of older Windows OSes to 'upgrade' to XP and Server 2003, boosting the company's revenues, which may otherwise sag due to the further delays in the expected ship date for whatever OS Longhorn evolves into...

Windows 2000 Update Rollup Announcement

* Cybercrime 'all about the bottom line'

Network World Fusion recently featured a series of 'cybercrime' articles, and the interview with FBI Computer Intrusion Section chief, Dave Thomas, neatly summarizes the recent trends. Thomas discusses the increasing involvement of organized crime (especially Eastern European organized crime) and the migration of specific crimes (especially identity theft) to the online world.

Serious business - nwfusion.com

* Muslim radicals to join cybercrime-wave?

On the same theme as the previous item, a Washington Post article by Alan Sipress describes the interest of Muslim radical Imam Samudra in 'carding' (credit card fraud) and related Internet fraud schemes. Samudra is currently in prison in Indonesia awaiting the execution of his death sentence for his role in planning the Bali bombing. He has just published an autobiography containing a chapter titled 'Hacking, Why Not?', in which he urges other extremists to take up carding to fund their activities and provides what Sipress describes as a rudimentary primer for would-be carders.

Prison Memoir Takes Holy War to Cyberspace - washingtonpost.com [registration required]
