Pirates of the Caribe-ean?

A quiet week this, apart from all the Windows admins who will have to roll out a new IE 6.0 cumulative update that patches a critical buffer overflow that has already been used in a virus and in some hacked banner advertisements on popular websites. Windows server admins may also have to think about WINS, if they use it. Mac OS X has also seen some important security patches released, and the popular (at least in small/medium New Zealand companies) Windows e-mail server Mercury/32 is due a security update to fix multiple buffer overflows in its IMAP command handling code.

This issue's topics:

Introduction:

* New Skulls phone Trojan; IE 6.0, OS X patches

Virus News:

* Pirates of the Caribe-ean?

* On the trail of Sasser

Security News:

* Critical IE 6.0 vulnerability fixed in cumulative security update

* Workarounds for WINS flaw

* Multiple Mac OS X vulnerabilities fixed in latest security update

* Mercury/32 IMAP buffer overflow vulnerability

Introduction:

On the virus front not much of note happened, but we have chosen to feature yet another Symbian OS cell phone malware (well, two really) and a good article detailing the timeline of the appearance of the Sasser worm and the events that were important precursors to it.

Virus News:

* Pirates of the Caribe-ean?

A new variant of the Skulls Trojan for Nokia series 60 devices has been discovered. Skulls.A was reported in last week's newsletter, and this new variant is also not especially interesting aside from suggesting that some folk are actively interested, and engaged, in developing malware for Symbian OS.

Aside from mainly superficial differences (filenames and icons used, etc.), Skulls.B has an interesting twist relative to its predecessor - it also installs a copy of the second variant of the Cabir family of Symbian OS Bluetooth worms.

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* On the trail of Sasser

PC World journalist Dan Verton has assembled a detailed report of the discovery of the LSASS vulnerability made infamous by the Sasser worm, Microsoft's response in devising a patch, the release and effect of Sasser and the trail that led to the arrest and charging of German teenager Sven Jaschan.

Biography of a Worm - pcworld.com

Security News:

* Critical IE 6.0 vulnerability fixed in cumulative security update

Microsoft has released its last expected security update for 2004 - a cumulative security update for IE 6.0. Although released 'out of cycle' - that is, not on the usual second Tuesday of the month - the update was accompanied by a statement from Microsoft that this was the only security update it expected to release this month.

Since Microsoft implemented its policy of consolidating security update releases on 'patch Tuesday', out of cycle security patches have been rare, and normally only occur if a critical vulnerability is being actively exploited. Such is the case here: the only vulnerability acknowledged in the security bulletin accompanying this update's release is the remotely exploitable buffer overflow in IE 6.0's handling of certain attributes of FRAME, IFRAME and possibly some other HTML elements. We warned of the public availability of exploits for this vulnerability, and of the discovery of the early Bofra viruses, four weeks ago. Since then, other exploits of this vulnerability have been seen in the wild, particularly related to spamming and bot distribution.

All versions of IE 6.0 are affected except on machines running Windows XP SP2, Windows XP 64-Bit Edition Version 2003, and 32- and 64-bit editions of Windows Server 2003. Affected platforms include Windows 98 and ME, and as Microsoft rates this vulnerability as being of critical severity, patches for Windows 98/ME are also available. System administrators supporting multiple OSes should note that there are two different versions of the update, using different installer technologies, depending on whether the target client runs Windows 9x/NT 4.0, or Windows 2000 and later.

Microsoft Security Bulletin MS04-040

* Workarounds for WINS flaw

Microsoft has published a KnowledgeBase article describing several possible, partial workarounds to protect against a reported security issue in the Windows Internet Name Service (WINS) component of NT 4.0 (Server and Terminal Server Edition), Windows 2000 Server and Windows Server 2003. Proof of concept exploit code has been published, but normally WINS should be firewalled from the Internet, so this should not be a huge exposure for sites with affected machines.

How to help protect against a WINS security issue - microsoft.com

* Multiple Mac OS X vulnerabilities fixed in latest security update

Apple's latest security updates for Mac OS X 10.2.8 and 10.3.6 include fixes for several recent Unix and BSD vulnerabilities, for vulnerabilities in several popular Unix-ish applications such as Apache, Cyrus IMAP, Kerberos and Postfix, and in OS X-specific components such as the Safari web browser.

Users who do not have Software Update set to obtain security fixes automatically should consider obtaining these fixes from Apple Downloads (linked from the Security Updates page, linked below) and installing them.

Apple Security Updates - apple.com

* Mercury/32 IMAP buffer overflow vulnerability

An authenticated IMAP user on a Mercury/32 server can exploit a buffer overflow in the server's handling of several IMAP commands to execute arbitrary code with the privileges of the Mercury/32 server process.

Mercury/32 v4.01a is specifically mentioned in connection with this vulnerability and users of this New Zealand-authored e-mail server should keep a running check on the Pegasus Mail home page for a change in the current version of Mercury/32. Pegasus Mail and Mercury server author, David Harris, has said that v4.01b, which includes fixes for these issues, is currently under test and it should be released very soon now.

Unfortunately, this was on a mailing list whose archives are only accessible to list members, so we cannot provide a link to Harris' comments. One of several security mailing list messages posting proof of concept exploit code is linked below, as is the Pegasus Mail home page.

Archived Bugtraq list message - securityfocus.com

Pegasus Mail home page - pmail.com
