Bagle.AM makes its run; Sasser, Netsky writer employed


This issue's topics:

Introduction:

* ASP.NET, Helix & JRun servers, RealPlayer/etc, AtHoc, DB2, Firefox flaws/fixes

Virus News:

* Bagle.AM makes its run

* Sasser, Netsky writer employed by security product developer

* Symantec Internet Security Threat Report released

Security News:

* ASP.NET directory traversal flaw

* Exploits for Windows GDI+ JPG vulnerability; Worm to follow?

* MS04-028 security bulletin updated

* Update fixes DoS in RealNetworks' Helix Universal Server

* Critical update for AtHoc (eBay, WiredNews, etc) IE toolbar

* 20 critical vulnerabilities fixed in DB2

* Updated Firefox Preview Release fixes nasty file deletion flaw

* Update fixes critical vulnerabilities in Macromedia JRun Server

* Critical updates for RealPlayer, RealOne Player, Helix Player

Introduction:

My apologies for there being no newsletter for the last two weeks, but I was laid low by a very nasty virus - a biological one that is, not a computer-borne one...

There's quite a bit to consider in retrospect, though most of it is recent. As time is now pressing again, I'll simply point you to the table of contents above and suggest you read whatever seems relevant.

Virus News:

* Bagle.AM makes its run

The latest addition to the populous Bagle family, Bagle.AM was released late last week and made a brief splash, not least for the huge number of different names it was given. If you don't like Bagle.AM as a name, perhaps you'd like to take your pick from the (at least) nine other names it was given by various antivirus developers - Bagle.AQ, .AR, .AS, .AU, .AX, .AZ or .BB, or Beagle.AR or the totally fruitcake Win32.HLLM.Beagle.18688...

Aside from the huge naming divergence, this variant was mainly just more of the same, spreading by mass-mailing itself and the 'shared folders' of popular P2P client programs.

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Sasser, Netsky writer employed by security product developer

Germany's Securepoint, makers of firewalls and related network security products, has employed Sven Jaschan, self-confessed writer of the Sasser worm and all the earlier Netsky mass-mailing viruses. This move has produced quite an outcry, particularly from the antivirus industry which has long fought against the common misconception that members of the industry 'write the viruses so as to keep themselves employed', and similar nonsense.

Securepoint claims it employed Jaschan because of his skills and experience; a spokesman for Securepoint was reported as saying Jaschan had 'a certain know-how in this field'. Some critics of the move have questioned Securepoint's motives, with at least one suggesting it is 'a cheap publicity stunt'.

Firm justifies job for virus writer - bbc.co.uk

Teen responsible for Sasser, Netsky hired by German security firm - sophos.com

* Symantec Internet Security Threat Report released

Security product and services vendor Symantec has released its sixth half-yearly Internet Security Threat Report, and things look pretty grim. There were significant increases in the number of new Win32 malware families and variants, particularly in the bot classification, and the time between public disclosure of a vulnerability and public release of an exploit of the vulnerability was down to an average of 5.8 days. The report discusses many of these trends, and the complications that are likely to arise from the interaction of them (for example, the speed with which the Internet can be scanned for machines susceptible to new vulnerabilities by bot-net 'owners' pushing out a new scanning tool once a vulnerability or exploit is released).

The report (a 700 KB PDF) can be downloaded for free, but requires online registration via the link below.

Symantec Internet Security Threat Report Volume VI - symantec.com

Security News:

* ASP.NET directory traversal flaw

Administrators of, and content providers for, IIS web servers running any version of ASP.NET on Windows 2000 Professional or Server, Windows XP Professional, or Windows Server 2003 should be aware of a recently discovered, trivial authentication bypass issue. Simply requesting carefully formed URLs can allow anonymous, remote, unauthenticated access to supposedly 'secured' content because ASP.NET fails to properly canonicalize some well-known forms of URL obfuscation. As a result, ASP.NET fails to notice that the URL actually points to a 'secured' location and serves up the supposedly 'secure' content without requiring authentication from the requesting client.

Microsoft recommends that all potentially affected web site owners or administrators and content developers read the Microsoft KnowledgeBase article 'Programmatically Checking for Canonicalization Issues with ASP.NET'. Note that IIS servers on the platforms listed above that are not serving ASP.NET content are not affected - this problem specifically affects just ASP.NET servers with secure content. The incident note says a forthcoming security update for ASP.NET will provide a fix for this problem, but does not commit to releasing that update in a specified timeframe.

Although Microsoft posted an incident note on this issue just this week, it seems that a message posted to the NTBugtraq mailing list a few weeks back (a link to the official archived copy is provided below) may have been the initial discovery point of this problem. The author of that message noted the irony of the fact that a Microsoft publication on best practices for designing secure web applications, 'Improving Web Application Security: Threats and Countermeasures' (which is available online from the MSDN web site), actually describes this newly-discovered attack against ASP.NET (we have linked to the appropriate section of the online HTML form of the book - skip down to the 'Be Careful with Canonicalization Issues' section). Note that some of the known successful forms of this attack cannot be demonstrated by typing URLs into Internet Explorer's address bar, as IE automatically replaces '\' characters in URLs with '/' characters.

Note that Chapter 10, 'Building Secure ASP .NET Pages and Controls', of the 'Improving Web Application Security: Threats and Countermeasures' book covers important ASP.NET path canonicalization and input data sanitization issues in some depth, so we have also included a link to the online HTML version of that chapter. If you think this sounds like a useful book for your web developers, a PDF version of the whole book (approximately 6.5 MB) can be downloaded from the online version's 'Landing Page', linked at the beginning of each of the online HTML chapters.

Archived NTBugtraq list message - ntbugtraq.com

What You Should Know About a Vulnerability in ASP.NET - microsoft.com

Programmatically Checking for Canonicalization Issues with ASP.NET - microsoft.com

Design Guidelines for Secure Web Applications - microsoft.com

Building Secure ASP .NET Pages and Controls - microsoft.com
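The point of the ASP.NET item above is that an authorization decision made on the raw request string, before the path has been reduced to a single canonical form, can be bypassed by any equivalent spelling of the same path (a backslash where the check expects a slash, for instance). The following is an added illustration written for this newsletter, not Microsoft's KB code and not the ASP.NET fix itself: a small Python module that contrasts a naive prefix match with a check that canonicalizes first. The `/secure/` prefix and the sample paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical protected area of the site (assumption for this example).
PROTECTED_PREFIXES = ("/secure/",)


def canonicalize_url_path(raw_path: str) -> str:
    """Reduce a request path to one canonical form BEFORE any authorization decision.

    Each step undoes one well-known obfuscation:
      1. percent-decoding, repeated until stable (handles double-encoding),
      2. backslash to forward slash (IIS treats '\\' as a path separator),
      3. collapsing '.', '..' and repeated '/' segments,
      4. lower-casing (Windows file paths are case-insensitive).
    """
    path = raw_path
    for _ in range(5):  # bounded loop: stop at a stable result or give up
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    # normpath collapses dot segments and never resolves above the root.
    path = posixpath.normpath(path)
    # posixpath keeps a leading '//' (POSIX special case); collapse it as well.
    while path.startswith("//"):
        path = path[1:]
    return path.lower()


def is_protected(canonical_path: str) -> bool:
    """True if the canonical path is the protected root or anything beneath it."""
    for prefix in PROTECTED_PREFIXES:
        root = prefix.rstrip("/")
        if canonical_path == root or canonical_path.startswith(root + "/"):
            return True
    return False


def naive_requires_auth(raw_path: str) -> bool:
    """The broken pattern: a string-prefix match on the raw request path."""
    return raw_path.startswith(PROTECTED_PREFIXES[0])


def requires_auth(raw_path: str) -> bool:
    """The corrected pattern: canonicalize first, then compare."""
    return is_protected(canonicalize_url_path(raw_path))


if __name__ == "__main__":
    # Constructed request paths: the normal spelling first, then equivalent
    # spellings of the same protected resource, then an unprotected one.
    for p in ["/secure/report.aspx", "/secure\\report.aspx",
              "/public/../secure/report.aspx", "/SECURE/report.aspx",
              "/public/index.aspx"]:
        print(f"{p!r:40} naive={naive_requires_auth(p)!s:5} canonical={requires_auth(p)}")
```

The canonical form is also what should be used to locate the file on disk, so that the string the authorization check saw and the resource actually served cannot diverge. The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service opportunity.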

* Exploits for Windows GDI+ JPG vulnerability; Worm to follow?

Three weeks ago we reported the release of the MS04-028 patch and some details of the vulnerability (GDI+ mishandling of certain malformed JPEG image files) it fixed. Since then, several exploits of this vulnerability have been posted to public mailing lists or websites, and automated exploit generators, producing JPEG image files with embedded code to exploit the MS04-028 vulnerability, have been written and released. Public availability of all this exploit code has produced a great deal of concern that a 'JPEG of death' worm must now be imminent, but still, after three weeks, such a beast has not been found, although there have been some pretenders to this crown...

There was an incorrect report of such a 'worm' early last week. In fact that case was 'only' an exploit of the vulnerability that dropped and ran a downloader. When executed through exploitation of the GDI+ vulnerability, this downloader obtained a 'warez server' Trojan kit from a server and installed it on the victim's machine. As neither the warez server kit itself nor the JPEG carrying the exploit were self-replicating or automatically replicated as part of the installation and setup cycle of the warez server, this was not a 'worm' or virus.

Since then there have been at least two more incidents involving MS04-028 exploits. A few days after the non-worm incident described above, there was a short-lived incident where instant message 'spam' on the AOL Instant Messenger network directed potential victims to a web page that included a JPEG also exploiting MS04-028. The details of this were quite sketchy, but it seems the web site hosting the malicious JPEG image file was quickly shut down (there were conflicting reports as to whether the exploit used in this case actually worked or not). And earlier this week another spammed message, this time on Usenet, directed its readers to a URL whose page included an attempt to install a common remote access Trojan (or 'backdoor') via exploitation of this vulnerability.

Still, as Friday 8 October ticks away, almost four weeks after the patch was released and discussion of this vulnerability's potential for unleashing a worm of untold magnitude began, no significant, widespread exploitation has been noted, and certainly no high-speed, fast-spreading worm has been launched via exploitation of this vulnerability. Of course, despite this relative lack of exploitation (compared to what the doomsayers predicted), it is still extremely prudent to get any remaining machines that are not already patched but potentially vulnerable updated!
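The item above describes the MS04-028 flaw only as 'GDI+ mishandling of certain malformed JPEG image files'. The specific trigger, which is not stated in the item but is documented in the bulletin's public analyses, is a marker segment (the comment segment in the published exploits) whose 16-bit length field is smaller than the two bytes of the length field itself; a decoder that subtracts 2 without checking ends up with a huge unsigned size. That structural defect is cheap to detect at a mail gateway or web proxy without decoding the image. The following is an added example written for this newsletter, not code from Microsoft or from any of the exploit kits: a Python scanner that walks the JPEG marker segments up to the start of image data and reports any segment whose length is impossible or runs past the end of the file. The two sample byte strings are constructed for the example and are not real image files.

```python
import struct

SOS, EOI = 0xDA, 0xD9
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0..RST7.
STANDALONE_MARKERS = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def scan_jpeg_segments(data: bytes) -> list:
    """Walk the marker segments that precede image data and report malformed ones.

    Every non-standalone segment is: 0xFF, marker, 2-byte big-endian length, payload,
    where the length counts its own two bytes. A length below 2 is therefore
    impossible in a well-formed file. Returns a list of human-readable findings;
    an empty list means the header structure is sound.
    """
    findings = []
    if data[:2] != b"\xFF\xD8":
        return ["missing SOI marker: not a JPEG"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected 0xFF marker prefix, got 0x{data[pos]:02X}")
            break
        while pos < len(data) and data[pos] == 0xFF:  # fill bytes are permitted
            pos += 1
        if pos >= len(data):
            findings.append("file ends inside a marker")
            break
        marker = data[pos]
        marker_offset = pos - 1
        pos += 1
        if marker in (SOS, EOI):
            break  # entropy-coded data (or end of image) follows; header scan is done
        if marker in STANDALONE_MARKERS:
            continue
        if pos + 2 > len(data):
            findings.append(f"marker 0xFF{marker:02X} at offset {marker_offset}: length field truncated")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            findings.append(f"marker 0xFF{marker:02X} at offset {marker_offset}: length field {length} < 2")
            break
        if pos + length > len(data):
            findings.append(f"marker 0xFF{marker:02X} at offset {marker_offset}: length {length} runs past end of file")
            break
        pos += length
    return findings


# Constructed samples (not real image files): SOI, a JFIF APP0 segment, a COM
# segment, then SOS and EOI. The second sample's COM length field is 1 instead
# of 2 + payload.
_APP0 = b"\xFF\xE0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = b"\xFF\xD8" + _APP0 + b"\xFF\xFE\x00\x07hello" + b"\xFF\xDA" + b"\xFF\xD9"
BAD_COM_JPEG = b"\xFF\xD8" + _APP0 + b"\xFF\xFE\x00\x01" + b"\xFF\xDA" + b"\xFF\xD9"

if __name__ == "__main__":
    print("clean:", scan_jpeg_segments(CLEAN_JPEG) or "no findings")
    print("bad  :", scan_jpeg_segments(BAD_COM_JPEG))
```

The scanner deliberately stops at SOS: the entropy-coded data that follows has its own escaping rules and is not where this particular defect lives. A finding is a reason to quarantine the file for a closer look, not proof of an exploit; a truncated download produces the 'runs past end of file' finding too.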

* MS04-028 security bulletin updated

Microsoft has updated some of the specific product and OS platform vulnerability information in this important security bulletin. Administrators of possibly affected machines should re-read the bulletin to check that they have, in fact, properly covered all the bases...

Microsoft Security Bulletin MS04-028

* Update fixes DoS in RealNetworks' Helix Universal Server

iDEFENSE has disclosed a vulnerability in RealNetworks' Helix Universal Server that can be exploited to restart, and possibly disable, the media server. Helix Server improperly handles POST commands with Content-Length headers of '-1', allowing an unauthenticated remote attacker to consume vast amounts of CPU time on a vulnerable machine.

Helix Server 9.0.2 for Linux and 9.0.3 for Windows have been confirmed vulnerable, and earlier versions are suspected to also be vulnerable. The iDEFENSE security bulletin linked below describes the issue and includes links to RealNetworks' update pages for the affected software.

RealNetworks Helix Server Content-Length DoS - idefense.com
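The Helix Server item above is a reminder that Content-Length is untrusted input like any other header: the HTTP grammar allows only decimal digits, so a value of '-1' should be refused at parse time rather than converted to an integer and fed into buffer arithmetic. The following is an added illustration written for this newsletter, not RealNetworks' code and not the fix they shipped: a Python request-head parser that models only the framing decision, rejecting a POST whose Content-Length is missing, signed, non-numeric, oversized or contradicted by a duplicate header. The size cap and the sample request heads are constructed for the example.

```python
import re

# Hypothetical server-side cap on request bodies (assumption for this example).
MAX_CONTENT_LENGTH = 10 * 1024 * 1024

# HTTP grammar: Content-Length is 1*DIGIT. No sign, no inner whitespace, no exponent.
_CONTENT_LENGTH_RE = re.compile(r"[0-9]{1,19}")


def naive_content_length(value: str) -> int:
    """The permissive pattern: int() happily accepts '-1', '+5' and ' 7 '."""
    return int(value)


def parse_content_length(value):
    """Return a non-negative body length, or None when the header must be rejected."""
    if value is None:
        return None
    value = value.strip()
    if _CONTENT_LENGTH_RE.fullmatch(value) is None:
        return None
    length = int(value)
    if length > MAX_CONTENT_LENGTH:
        return None
    return length


def handle_request_head(raw_head: bytes):
    """Parse a request head (up to the blank line) and return (status, body_length).

    A body-carrying method with a Content-Length the server cannot trust is
    refused with 400 before any resources are committed to reading the body.
    Chunked transfer coding is out of scope for this example.
    """
    try:
        text = raw_head.decode("ascii")
    except UnicodeDecodeError:
        return 400, None
    lines = text.split("\r\n")
    method = lines[0].split(" ")[0]
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            return 400, None
        name, value = name.strip().lower(), value.strip()
        if name == "content-length" and headers.get(name, value) != value:
            return 400, None  # conflicting duplicate Content-Length headers
        headers[name] = value
    if method in ("POST", "PUT"):
        length = parse_content_length(headers.get("content-length"))
        if length is None:
            return 400, None  # missing, negative, non-numeric or oversized
        return 200, length
    return 200, 0


if __name__ == "__main__":
    # Constructed request heads: a normal POST and the header form the advisory describes.
    good = b"POST /submit HTTP/1.0\r\nHost: media.example\r\nContent-Length: 12\r\n\r\n"
    bad = b"POST /submit HTTP/1.0\r\nHost: media.example\r\nContent-Length: -1\r\n\r\n"
    print(handle_request_head(good))  # (200, 12)
    print(handle_request_head(bad))   # (400, None)
```

The regular expression does the real work: matching the grammar exactly means negative, hexadecimal or exponent forms never reach `int()` at all, and the upper bound keeps a syntactically valid but absurd length from becoming an allocation.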

* Critical update for AtHoc (eBay, WiredNews, etc) IE toolbar

Next Generation Security Software researchers have discovered two critical vulnerabilities in the AtHoc toolbar for Internet Explorer. If exploited, these vulnerabilities could allow arbitrary code execution. The advisory is short on details, but lists the following companies and services as known distributors of the AtHoc toolbar: Accenture, Agile PLM, CarFax, eBay, Juniper Networks, ThomasRegister, ThomasRegional, WiredNews. Anyone who has installed an IE toolbar from any of these companies should obtain the updated version, which fixes the vulnerabilities, as soon as practicable.

Patch available for high risk flaws in the AtHoc Toolbar - nextgenss.com

* 20 critical vulnerabilities fixed in DB2

DB2 8.1 FixPak 7 and earlier versions may contain 20 (or more) vulnerabilities, mostly critical-severity, remotely exploitable buffer overflows, as reported in the Next Generation Security Software advisory linked below. IBM has released updates, as listed in the advisory, which also includes a link to the official IBM download site for updated FixPaks.

Patch available for critical IBM DB2 flaws - nextgenss.com

* Updated Firefox Preview Release fixes nasty file deletion flaw

The Preview Release of the Mozilla Project's browser-only offering, Firefox, has been updated to address a nasty security flaw whereby a user can be tricked into unintentionally deleting files in their download directory. This vulnerability is not known to be actively exploited at present. Concerned Firefox users should update to version 0.10.1 which is linked from the Mozilla home page.

Mozilla home page - mozilla.org

* Update fixes critical vulnerabilities in Macromedia JRun Server

Multiple critical vulnerabilities in Macromedia JRun Server 3.0, 3.1 and 4.0 are fixed in the latest cumulative security patches for this product. The vendor's security bulletin should be checked for details and links to download locations for the relevant cumulative updates for your version(s) of JRun Server.

Macromedia security bulletin MPSB04-08 - macromedia.com

* Critical updates for RealPlayer, RealOne Player, Helix Player

RealNetworks Inc. has released updates for its media player applications RealPlayer, RealOne Player, Helix Player (including for handheld devices such as Nokia phones, Symbian and Palm devices). These updates protect against multiple unspecified vulnerabilities said to raise the possibility of an attacker executing arbitrary code on devices running vulnerable versions of the media player. Presumably this is due to some kind of buffer overflow vulnerability, as 'malformed calls' are mentioned in the vendor's advisory.

Download locations for the updates to the various player products for various platforms (Linux, Mac, Windows and the aforementioned handheld devices) are available in RealNetworks' advisory, linked below.

Updates to Address Security Vulnerabilities - real.com
