Talking, sniffing malware; Windows, Office, Apache, Mozilla patches

This issue's topics:

Introduction:

* Talking, sniffing malware; Windows, Office/etc, Apache, Mozilla/etc patches

Virus News:

* Virus talks Turkey...

* Symantec's doom?

* Network sniffing bot

Security News:

* Update for Word, Works Suite, Publisher, FrontPage

* Microsoft fixes critical JPEG processing flaw

* Office XP SP1 released

* Multiple e-mail message format parsing flaws defeat content filters

* Apache 2.0.51 release fixes five security flaws

* Several critical Mozilla/Firefox/Thunderbird bugs fixed

* World's largest ID theft felon faces 14 years' jail

Introduction:

September's 'Patch Tuesday' came and went last week. Although relatively quiet in that there were only two updates released, one of those - the GDI+ patch - affects most recent Microsoft operating systems and applications, and has great scope to cause headaches for weeks to come. Aside from the already complex job of working out which vulnerable versions of the faulty component are running from what Microsoft applications on what OS and service pack versions, you have to search out an unknown number of unspecified third-party applications that may include this redistributable component and work out if they need updating too. 'Can we all say "what a mess"?' somehow just doesn't quite seem to cover it...

Microsoft also released another update to its WordPerfect 5.x document import filter and I belatedly noticed that SP1 for Office XP was released a few weeks back.

Outside Redmond, the Apache web server had a security overhaul, with five vulnerabilities being fixed, the Gecko-based browsers from the Mozilla project and e-mail clients had up to ten vulnerabilities fixed in new releases (and the Preview release of Firefox), and multiple issues with multiple products' parsing of various e-mail message format structures were divulged (but without naming names, pointing fingers or highlighting 'necessary updates').

On the virus front, the first 'talking virus' and network sniffing bot received media attention (although very belatedly in the first case!), and Symantec may face a DoS attack from one of this week's new Mydoom variants.

Virus News:

* Virus talks Turkey...

Earlier this week some media attention was turned on an oddity - a worm that speaks to its victims!

Win32/Amus.A@mm is a triflingly insignificant mass-mailer - how trifling? It was initially discovered around 6 August this year, yet despite having five weeks to make some impact before media attention was turned on it a few days ago, there is no record of a single sample ever turning up at UK e-mail ASP and virus scanning zealots MessageLabs; not one.

Anyway, its only real claim to fame is that when run on Windows XP machines it will use the Microsoft Speech Engine to speak an eccentric message to its victims. Depending on the date, it may delete critical system files early in the startup process, preventing the machine from restarting properly, and it hijacks Internet Explorer's home page setting to display a message, in Turkish. Its use of Outlook's MAPI interface to spread is also very unusual these days, especially given that current versions of Outlook all raise dire warnings when another process tries to use Outlook to send e-mail messages. This alone could explain Amus' abundant lack of 'success' to date...

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Symantec's doom?

A couple more Mydoom variants have been isolated this week, but they have not 'taken off' in any significant or worrying way. One of them may, however, worry Symantec, maker of the well-known Norton AntiVirus and related personal firewall and other computer security products as it has a denial of service (DoS) payload targeting Symantec's web site. Given the very low numbers of this variant reported from the wild however, it seems unlikely the antivirus giant's servers will notice this 'attack'. The only other marginally interesting thing about this new Mydoom variant, which is mostly just more of the same, is that it creates a text file that includes a very brief description of the virus' main features.

Of course, it wouldn't be a Mydoom story without mentioning that the naming of this variant is all over the map...

Computer Associates Virus Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Network sniffing bot

So-called 'spy bot' programs have become increasingly common as elements of the computer underworld have realized there is money to be made from identity theft, selling spammers 'untraceable' network bandwidth and so on. (In fact, some generally reliable sources suggest that increasingly, many of the hackers involved in such rackets have been more or less forcibly co-opted into assisting existing, more organized criminals - the old 'you break into that computer or we break your fingers' routine. But that's another story, so back to spy bots...)

The term 'spy bot' is not strictly defined, which means different folk may disagree as to whether a specific program is, or is not, a spy bot. However, in general a program that is surreptitiously or deceptively installed, that monitors various activities on the victim computer (such as browser history monitoring, key logging and/or other forms of password or identity stealing) and that reports this information back to someone not authorized to collect such information, would be classified by most as a spy bot.

There are now thousands of spy bots.

Although not at all commonly reported from the field, one particular spy bot received a deal of media attention this week. Known by a dizzying array of names by different antivirus vendors, this spy bot was deemed to be of interest because it was (reputedly) the first to include network 'sniffer' functionality. Despite most major virus scanners detecting this spy bot, few of the web sites whose virus descriptions we normally link have a specific description of this - in fact, at press time, just two such sites carried useful descriptions of this spy bot...

Sophos Virus Info

Trend Micro Virus Information Center

Security News:

* Update for Word, Works Suite, Publisher, FrontPage

What does this motley crue have in common?

Among other things, a buggy import filter for WordPerfect 5.x format document files. Observant readers may recall MS03-036 from last year, which was a fix for a buffer overflow, discovered by the lads at eEye, in this same component. Well, MS04-027 is a fix for a similar problem discovered by Peter Winter-Smith from NGS (Next Generation Security) Software.

What may exploitation of this vulnerability allow? A suitably modified WordPerfect 5.x format document can be made such that, when opened in Word (or another of the listed programs) and parsed by the affected filter, arbitrary code of an attacker's choice will run with the privileges of the user running the application hosting the vulnerable filter.

No known real-world exploitation of this vulnerability has occurred, and as is common with such vulnerabilities, Microsoft's security bulletin tends to downplay the ease with which the vulnerability can be exploited. For example, the default behaviour of Word is to open and translate, without comment to the user, any document format for which it has an import filter. True, there is an option to prompt users to confirm the filter selection, giving them an opportunity to cancel the opening of that file, but this is not the default configuration (and even when enabled, there are mechanisms for opening documents in Word that do not trigger the expected warning). Further, the simple expedient of renaming an 'attack' document in WordPerfect format to either of the '.DOC' or '.RTF' extensions conventionally associated with Word means that, on the intended victim's machine, Word would silently open what would be expected to be a Word document anyway.

Administrators of systems with one or more of the affected products installed should read the security bulletin carefully, as there are several interdependencies between application, OS and application service pack versions.
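Because Word selects the import filter from the file's content rather than its extension, a gateway or mail filter that trusts the '.DOC' or '.RTF' extension learns nothing about which converter will actually run. The following is an added example (not code from the newsletter, Microsoft or NGS Software) of the check a defender wants instead: identify the real format from its leading bytes and flag attachments whose extension does not match. The magic values are the well-known public signatures for WordPerfect (0xFF 'WPC'), OLE2 compound documents and RTF; the sample files and the extension policy table are constructed for the example.

```python
"""Compare an attachment's declared extension with the format its first bytes reveal."""

# Well-known public file signatures (prefix bytes -> label)
SIGNATURES = [
    (b'\xffWPC', 'WordPerfect document'),
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'OLE2 compound document'),
    (b'{\\rtf', 'Rich Text Format'),
]

# Site policy (constructed for this example): which real formats are acceptable
# under which extensions. Word happily opens RTF named '.doc', so both are allowed there.
EXPECTED_BY_EXT = {
    'doc': {'OLE2 compound document', 'Rich Text Format'},
    'rtf': {'Rich Text Format'},
    'wpd': {'WordPerfect document'},
}


def identify(data: bytes) -> str:
    """Return the format label for the first matching signature, else 'unknown'."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return 'unknown'


def check_attachment(filename: str, data: bytes) -> dict:
    """Report the declared extension, the detected format and whether they disagree.

    'mismatch' is None when the site has no policy for that extension, True when the
    content is something the extension should never carry (e.g. a WordPerfect file
    renamed to '.doc'), False when the content is one of the expected formats.
    """
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    actual = identify(data)
    expected = EXPECTED_BY_EXT.get(ext)
    mismatch = None if expected is None else actual not in expected
    return {'filename': filename, 'extension': ext, 'detected': actual, 'mismatch': mismatch}


# Constructed sample payloads: only the signature bytes plus filler, not real documents.
WP_SAMPLE = b'\xffWPC' + b'\x00' * 12
OLE_SAMPLE = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\x00' * 8
RTF_SAMPLE = b'{\\rtf1\\ansi hello}'

if __name__ == '__main__':
    for name, blob in [('quarterly.doc', WP_SAMPLE), ('quarterly.doc', OLE_SAMPLE),
                       ('memo.rtf', RTF_SAMPLE), ('notes.txt', WP_SAMPLE)]:
        print(check_attachment(name, blob))
```

A file reporting 'WordPerfect document' under a '.doc' name is exactly the case the bulletin's advice cannot catch by extension alone, and is worth quarantining until the affected filter is patched.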

Microsoft WordPerfect 5.x Converter Heap Overflow - nextgenss.com

Microsoft Security Bulletin MS04-027

* Microsoft fixes critical JPEG processing flaw

The official security bulletin for this update may well be the longest Microsoft security bulletin yet.

Sadly, if you run almost any recent Microsoft product (IE 6.x, XP, Server 2003, 64-bit editions of either, Office or any component applications, OneNote, InfoPath, FrontPage, Publisher, Project, Visio, Visual Studio .NET, .NET Framework, Picture It!, Digital Image Pro, Digital Image Suite, Producer for PowerPoint and maybe others) you have to read it, and do so very carefully. The affected component has been shipped with so many products and gets installed in so many different ways and places, depending on the product, the target OS and the target OS service pack level, that describing all the dependencies, ifs, buts and maybes has resulted in a security bulletin of epic proportions...

In short, a very stupid programming error in the handling of comment fields in JPEG format graphics files in the GDI+ ('gdiplus.dll') component included in many Microsoft operating systems and applications, and as a 'redistributable' in third-party applications, opens many, if not most, Windows machines to compromise via specially malformed JPEG format image files. Microsoft credits Nick DeBaggis with reporting the bug. As well as the usual link to the Microsoft security bulletin, we have included a link to an archived copy of DeBaggis' detailed description of the bug, originally posted to security mailing list Bugtraq earlier this week.

As mentioned, the Microsoft Security Bulletin is long (and rather tedious) but must be read very carefully so as to ensure that all variations of the patch relevant to any given machine are installed. While patch automation tools such as Windows Update, SUS and SMS can be used to detect and install many of the patches, this is not true for all cases. Such limitations may also apply to third-party patch management solutions. Machine by machine inspection of installed software really needs to be carried out and the relevant patches chosen based on the advice in the security bulletin. In an effort to help with this task, Microsoft has produced the GDI+ Detection Tool utility. The security bulletin links to a KnowledgeBase article describing the tool and its use.

And, despite all that, you may still be vulnerable to some avenues of attack via this vulnerability. As already mentioned, the vulnerable GDI+ component is a 'redistributable' - a component that Microsoft allows (even encourages) third-party software developers to ship with their own products. Of course, that means copies of it can show up in (and be used from) all manner of other places than just the ones the standard Microsoft patch installers and checkers know to look for. If you do have independently supplied copies of gdiplus.dll on your system, Microsoft recommends you contact the developers of those products to check whether they need to be updated and the recommended method of obtaining and installing such updates.

Finally, example (partial) exploits of this vulnerability have been publicly posted to some security mailing lists, so although there is no known exploitation of this vulnerability 'in the wild' yet, it may not be too far off...
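Every JPEG marker segment carries a 16-bit length that counts the two length bytes themselves, so any reader must reject a length below 2 before doing arithmetic on it; that structural check is where a comment (COM, marker 0xFFFE) handler can go wrong. The walker below is an added example, not code from the bulletin or DeBaggis' post, of the validation a gateway can run on incoming images while unpatched gdiplus.dll copies are still being hunted down. Both sample files are constructed here from raw marker bytes and contain no image data.

```python
"""Walk JPEG marker segments ahead of the image data and flag malformed lengths."""
import struct


def scan_jpeg(data: bytes) -> list:
    """Return a list of structural problems found in the JPEG header; [] means it looked sane.

    Only the marker segments before Start-Of-Scan are walked; the entropy-coded image
    data itself is not parsed here.
    """
    problems = []
    if data[:2] != b'\xff\xd8':
        return [{'offset': 0, 'marker': None, 'problem': 'missing SOI marker'}]
    pos = 2
    while True:
        if pos + 2 > len(data):
            problems.append({'offset': pos, 'marker': None, 'problem': 'file ends without EOI'})
            break
        if data[pos] != 0xFF:
            problems.append({'offset': pos, 'marker': None, 'problem': 'expected 0xFF marker prefix'})
            break
        # JPEG permits runs of 0xFF fill bytes before a marker; skip them.
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:
            pos += 1
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI, or SOS: image data follows, header walk done
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            problems.append({'offset': pos, 'marker': marker, 'problem': 'truncated length field'})
            break
        seg_len = struct.unpack('>H', data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            # The length includes its own two bytes; anything smaller is malformed and a
            # reader that blindly computes seg_len - 2 underflows. Stop here and report.
            problems.append({'offset': pos, 'marker': marker,
                             'problem': f'length field {seg_len} is below the 2-byte minimum'})
            break
        pos += 2 + seg_len
    return problems


def is_structurally_sane(data: bytes) -> bool:
    """Convenience wrapper for a gateway policy: True only when no problems were found."""
    return scan_jpeg(data) == []


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one well-formed marker segment (helper for the constructed samples)."""
    return b'\xff' + bytes([marker]) + struct.pack('>H', len(payload) + 2) + payload


# Constructed samples: an SOI, a JFIF APP0 segment, a COM segment and an EOI, no scan data.
GOOD_JPEG = (b'\xff\xd8'
             + _segment(0xE0, b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00')
             + _segment(0xFE, b'built by us')
             + b'\xff\xd9')
# Same layout but the COM segment's length field claims 1 byte, less than the field itself.
BAD_JPEG = b'\xff\xd8' + b'\xff\xfe' + struct.pack('>H', 1) + b'\x00' * 8 + b'\xff\xd9'

if __name__ == '__main__':
    print('good:', scan_jpeg(GOOD_JPEG))
    print('bad: ', scan_jpeg(BAD_JPEG))
```

Running this as a pre-filter does not replace patching, since a malformed file can still reach an unpatched decoder by other routes (browser cache, local file shares), but it gives the SOC a concrete detection to log while the bulletin's patch matrix is worked through.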

Archived Bugtraq list message - securityfocus.com

Microsoft Security Bulletin MS04-028

* Office XP SP1 released

Some things your newsletter compiler doesn't just dislike, but rejects with a passion - polka dots, laptops that only have touchpad pointing devices, Office XP...

Sadly, the utter contempt in which I hold Office XP means I entirely missed noticing that Microsoft had released a service pack for it several weeks back. For those unfortunate enough to use Office XP, it would probably not be a bad idea to obtain and install this service pack, as apart from fixing many bugs, it consolidates several security patches. Office aficionado Woody Leonhard has some good advice about Office XP SP1 in his 'Woody's Office Watch' e-mail newsletter from last week - we've linked to the official archived copy of that for those tempted to consider the update...

Woody's Office Watch Vol 9 No 15 - woodyswatch.com

Updates for Office 2003 - microsoft.com

* Multiple e-mail message format parsing flaws defeat content filters

UNIRAS (the UK government CERT) has issued an advisory describing eight broad classes of flaws in Internet e-mail message format handling. Some of these flaws have been found in several widely used e-mail content inspection and policy enforcement products, including anti-spam and antivirus products and other e-mail gateway scanner products. Each of these eight broad classes of flaws represents several specific known test cases where one or more products have been shown to fail in 'properly' interpreting the structure of a message and therefore may result in further unexpected behaviour, such as letting spam or a virus into (or out of) an organization, or not blocking messages with 'inappropriate' (lewd, proprietary, etc) content.

Multiple shortcomings in each class were found across many products tested in research performed by UK security consultancy Corsaire. We have linked each of Corsaire's eight highly general 'advisories' below, although from a casual reading they don't contain any additional or more detailed information than the omnibus advisory from UNIRAS. Specific products and problems are not mentioned, but users of such gateway or 'border' security products would be advised to check with their vendors in case some of these issues are known to affect their products.
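The RFC 2047 and RFC 2231 classes named in the advisory titles are a good illustration of how a content filter can be bypassed by message structure alone: an attachment name may arrive as an RFC 2047 encoded word or be split across RFC 2231 parameter continuations, so a filter that pattern-matches `filename="..."` on the raw header never sees the '.exe'. The example below is added here and is not code from UNIRAS or Corsaire; it contrasts such a naive extractor with one that uses Python's standard `email` library to decode both forms. Both messages are constructed for the example and the 'report.exe' attachment is two harmless bytes.

```python
"""Naive vs. structure-aware extraction of attachment names from e-mail messages."""
import re
import email
from email.header import decode_header
from email.utils import collapse_rfc2231_value

BLOCKED_EXTENSIONS = {'exe', 'com', 'scr', 'pif', 'bat'}   # constructed site policy

# Constructed message 1: the filename is an RFC 2047 encoded word (base64 of 'report.exe').
MSG_RFC2047 = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="=?utf-8?B?cmVwb3J0LmV4ZQ==?="
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed message 2: the filename is split over RFC 2231 continuation parameters.
MSG_RFC2231 = MSG_RFC2047.replace(
    'Content-Disposition: attachment; filename="=?utf-8?B?cmVwb3J0LmV4ZQ==?="',
    "Content-Disposition: attachment;\n filename*0*=utf-8''rep;\n filename*1*=ort.exe")


def naive_attachment_names(raw: str) -> list:
    """What a regex-on-raw-text filter sees: only plain, quoted filename= parameters."""
    return re.findall(r'filename="([^"]+)"', raw, re.IGNORECASE)


def _decode_rfc2047(value: str) -> str:
    """Decode any =?charset?enc?text?= encoded words inside a parameter value."""
    pieces = []
    for text, charset in decode_header(value):
        pieces.append(text.decode(charset or 'ascii', errors='replace')
                      if isinstance(text, bytes) else text)
    return ''.join(pieces)


def robust_attachment_names(raw: str) -> list:
    """Parse the MIME tree and return decoded attachment names for every non-multipart part."""
    names = []
    msg = email.message_from_string(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        value = part.get_param('filename', header='content-disposition')
        if value is None:
            value = part.get_param('name', header='content-type')
        if value is None:
            continue
        # get_param returns a (charset, language, text) tuple for RFC 2231 values;
        # collapse_rfc2231_value turns either form into a plain string.
        value = collapse_rfc2231_value(value)
        names.append(_decode_rfc2047(value).strip())
    return names


def blocked_names(names: list) -> list:
    """Apply the extension blocklist to a list of decoded names."""
    return [n for n in names if '.' in n and n.rsplit('.', 1)[-1].lower() in BLOCKED_EXTENSIONS]


if __name__ == '__main__':
    for label, raw in [('RFC 2047', MSG_RFC2047), ('RFC 2231', MSG_RFC2231)]:
        print(label, 'naive:', naive_attachment_names(raw),
              'robust:', robust_attachment_names(raw),
              'blocked:', blocked_names(robust_attachment_names(raw)))
```

The point for gateway operators is that the filter must evaluate the same decoded view of the message that the end-user's mail client will, rather than the wire bytes; asking a vendor which of the advisory's eight classes its product has been tested against is the practical follow-up.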

NISCC Vulnerability Advisory 380375/MIME - uniras.gov.uk

Multiple vendor MIME/RFC2047/RFC2231/RFC822 issues - corsaire.com

Multiple vendor MIME/RFC2047/RFC2231/RFC822 issues - corsaire.com

Multiple vendor MIME/RFC2047/RFC2231/RFC822 issues - corsaire.com

Multiple vendor MIME/RFC2047/RFC2231/RFC822 issues - corsaire.com

Multiple vendor MIME/RFC2047/RFC2231/RFC822 issues - corsaire.com

Multiple vendor MIME/RFC2047/RFC2231/RFC822 issues - corsaire.com

Multiple vendor MIME/RFC2047/RFC2231/RFC822 issues - corsaire.com

Multiple vendor MIME/RFC2047/RFC2231/RFC822 issues - corsaire.com

* Apache 2.0.51 release fixes five security flaws

Apache Software Foundation has released version 2.0.51 of its Apache HTTP Server to fix five security vulnerabilities. The worst of these vulnerabilities probably only exposes a remotely triggered DoS against the server, but upgrading is still desirable. None of these vulnerabilities are known to be actively exploited in the wild at this time.

Most popular Unix and Linux distributions that contain the Apache httpd have already shipped update packages addressing these issues, or are expected to do so soon. Traditionalists may still prefer to obtain the source (or patches) and build from scratch.

Apache HTTP Server 2.0.51 Released - apache.org

* Several critical Mozilla/Firefox/Thunderbird bugs fixed

The most recent releases of Mozilla and Thunderbird, and the Preview Release of Firefox, address ten security flaws, as acknowledged on the official 'Known Vulnerabilities in Mozilla' page (linked below). Among the vulnerabilities are buffer overflows that could allow attackers to run arbitrary code on their victims' machines, by persuading victims (using a vulnerable version of the Gecko-based browsers and e-mail clients) to view suitably prepared web pages or e-mail messages.

Although Mozilla is available in full production versions, we don't normally feature updates for beta and other pre-release software. However, as Firefox and Thunderbird are based on the mature Gecko browser engine and are increasingly popular, with several major publications and Microsoft critics recommending 'use anything but IE', it seems appropriate, desirable even, to alert our readers to the updates to this pre-release browser and e-mail client as well.

The Mozilla project homepage always has download links for the latest versions of these applications.

Known Vulnerabilities in Mozilla - mozilla.org

Mozilla home page - mozilla.org

* World's largest ID theft felon faces 14 years' jail

A former help desk employee of Teledata Communications Inc has pleaded guilty to charges stemming from his involvement in the largest identity theft case known to US authorities. Philip Cummings played a central role in a scheme possibly involving as many as 30,000 victims who were defrauded of at least US$50m.

Teledata provides credit history access services to its customers. Access codes to the credit rating services Teledata drew its information from were obtained by Cummings, who passed on credit histories of as many as 30,000 people. This data was used by others to fraudulently obtain credit cards and purchase goods with them.

Ex-Teledata employee pleads guilty to massive ID theft - computerworld.com
