Kerberos, WinZip, Oracle, zlib, Samba updates; new Bagles

A raft of serious and critical updates this week, more news of the 'cybercrime crackdown' in the US and a 'softie' suggesting that Firefox may be his browser of choice. Not to forget the confusion that two back-to-back releases of new Bagle variants caused...

This issue's topics:

Introduction:

* Kerberos, WinZip, Oracle, zlib, Samba updates; new Bagles

Virus News:

* New Bagle downloaders spammed

Security News:

* Critical Kerberos v5 flaws patched

* Unspecified buffer overflows fixed in WinZip

* Multiple critical vulnerabilities in multiple Oracle server products

* Moderately critical zlib flaw patched

* Samba 2.2.11 released to fix XP SP2 incompatibility

* Commercial DDoS'ers brought to trial

* Microsoft's own security mavens switch to Firefox?

Virus News:

* New Bagle downloaders spammed

Two new Bagle variants made a bit of a splash earlier this week, drawing attention to themselves because of the massive spamming of their downloader components. Unlike traditional mass-mailers, these Bagle variants (like a couple of earlier Bagles) mass-mail a small .ZIP file that contains an HTML file and a 'downloader'. The HTML contains an exploit for an Internet Explorer vulnerability such that, if the HTML file is opened in IE, the downloader program is executed. In turn, the downloader sets its components in place and regularly tries to obtain a copy of the main Bagle component from a long list of URLs encoded into the downloader.

This rather roundabout and somewhat fragile replication chain appears to have been largely unsuccessful, as the new Bagle variants associated with the spammed downloaders do not seem to have taken hold...

Sadly, there is huge confusion as to the roles played by the various components of these new Bagle virus variants and their downloaders. And, of course, the many and varied names used by the various AV developers for this terribly mixed up family are all the more confused and confusing, as a result!
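A mail-gateway check for the replication chain described above, written as an added example (not code from the newsletter or from any AV vendor): it inspects a ZIP attachment in memory and quarantines archives that pair an HTML file with an executable. The extension sets are an assumption of this example.

```python
import io
import zipfile

# Assumed extension sets (not from the newsletter): the chain described above
# mails a ZIP holding an HTML exploit page plus a small executable downloader,
# so that pairing is what the check keys on.
HTML_EXTS = (".htm", ".html")
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")

def classify_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment held in memory and return a verdict.

    'quarantine' : HTML and an executable travel together (Bagle-style chain)
    'review'     : an executable is present without HTML
    'clean'      : neither pattern matched
    'malformed'  : the bytes are not a readable ZIP
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"verdict": "malformed", "members": [], "html": [], "executables": []}
    lower = [n.lower() for n in names]
    html = [n for n in lower if n.endswith(HTML_EXTS)]
    execs = [n for n in lower if n.endswith(EXEC_EXTS)]
    if html and execs:
        verdict = "quarantine"
    elif execs:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "members": names, "html": html, "executables": execs}

def build_sample_zip(members: dict) -> bytes:
    """Constructed test fixture: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed stand-in for a spammed downloader archive (not a real sample).
    sample = build_sample_zip({"price.html": b"<html>...</html>", "price.exe": b"MZ"})
    print(classify_zip(sample)["verdict"])   # quarantine
```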

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Critical Kerberos v5 flaws patched

All releases of MIT Kerberos 5 up to and including krb5-1.3.4 are vulnerable to double-free errors that may be exploited by an unauthenticated remote user to execute arbitrary code on a Key Distribution Center (KDC) host or a host running krb524d. Although double-free vulnerabilities can be very difficult to exploit and no exploit for this vulnerability is currently known, affected systems should be updated as soon as is practicable.

Further, a denial of service against a KDC or application server is possible by exploiting a bug in the ASN.1 decoder of all Kerberos 5 releases from krb5-1.2.2 through krb5-1.3.4 inclusive. The problem in the ASN.1 decoder is such that invalid BER encodings of indefinite length (a feature introduced to support older, improper implementations) can cause the decoder to fall into an infinite loop, resulting in a denial of service. There are currently no known exploits of this vulnerability either, but as the MIT security advisory on this issue notes, 'it is trivial to construct a corrupt encoding which will trigger the infinite loop', so this flaw should be addressed as soon as practicable.

Both MIT security advisories linked below include source patches, allowing system administrators to patch and rebuild from source, and an upcoming release, krb5-1.3.5, will include all the fixes for these vulnerabilities. Further, many Linux distributions have already, or soon will, ship update packages that include the patches.
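To show what the ASN.1 decoder flaw described above amounts to in practice, here is an added example (not MIT's code) of a minimal BER TLV walker whose indefinite-length handling is written so that a corrupt encoding can never make it loop forever: every loop iteration either finds the end-of-contents marker, runs off the buffer (an error), or strictly advances the position. The nesting and length-octet bounds are assumptions of this example.

```python
EOC = b"\x00\x00"        # end-of-contents pair that closes an indefinite-length element
MAX_DEPTH = 32           # assumed nesting bound (not from the advisory)
MAX_LENGTH_OCTETS = 4    # assumed bound on long-form length octets

class BerError(ValueError):
    """Raised for any encoding the walker refuses to process."""

def read_length(buf: bytes, pos: int):
    """Decode a BER length at pos -> (length, next_pos); length None means indefinite."""
    if pos >= len(buf):
        raise BerError("truncated length")
    first, pos = buf[pos], pos + 1
    if first == 0x80:
        return None, pos                     # indefinite form
    if first < 0x80:
        return first, pos                    # short form
    n = first & 0x7F                         # long form: n following octets
    if n == 0 or n > MAX_LENGTH_OCTETS or pos + n > len(buf):
        raise BerError("bad long-form length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def parse(buf: bytes, pos: int = 0, depth: int = 0):
    """Parse one TLV at pos -> (tag, value, next_pos).

    Definite-length elements yield their raw content bytes; indefinite-length
    constructed elements yield a list of (tag, value) children.
    """
    if depth > MAX_DEPTH:
        raise BerError("nesting too deep")
    if pos >= len(buf):
        raise BerError("truncated tag")
    tag, pos = buf[pos], pos + 1
    length, pos = read_length(buf, pos)
    if length is not None:
        if pos + length > len(buf):
            raise BerError("content runs past end of buffer")
        return tag, buf[pos:pos + length], pos + length
    if not tag & 0x20:
        raise BerError("indefinite length on a primitive element")
    children = []
    while True:
        if pos + 2 > len(buf):               # buffer exhausted before any EOC
            raise BerError("missing end-of-contents")
        if buf[pos:pos + 2] == EOC:
            return tag, children, pos + 2
        child_tag, child_val, next_pos = parse(buf, pos, depth + 1)
        if next_pos <= pos:                  # progress guard against spinning
            raise BerError("decoder made no progress")
        children.append((child_tag, child_val))
        pos = next_pos

def rejects(buf: bytes) -> bool:
    """True if the walker refuses buf with BerError (for exercising corrupt input)."""
    try:
        parse(buf)
    except BerError:
        return True
    return False
```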

Double-free vulnerabilities in KDC and libraries - mit.edu

ASN.1 decoder denial of service - mit.edu

* Unspecified buffer overflows fixed in WinZip

WinZip 9.0 Service Release 1 (SR-1) has been released, fixing several unspecified buffer overflows and adding some further security features to this popular ZIP archive handler. One of the buffer overflows involves malformed input on the WinZip command line and was reported by a WinZip user. Other buffer overflows were found as a result of WinZip Computing's internal code auditing. Aside from the vulnerability fixes, several warning dialogs are now triggered when potentially dangerous actions are engaged, such as double-clicking a .EXE file inside an archive.

A matching service release for WinZip's Command Line Support Add-On 1.1 provides the same fixes to the command-line version of the program.

WinZip Computing claims there are no known public exploits or disclosures of any of the vulnerabilities fixed in Service Release 1, but recommends that users upgrade.

WinZip 9.0 Service Release 1 - winzip.com

WinZip Command Line Support Add-On 1.1 SR-1 - winzip.com

* Multiple critical vulnerabilities in multiple Oracle server products

Security researchers at Application Security Inc. have discovered, and released details of, 41 vulnerabilities in multiple versions of Oracle Database Server, Enterprise Manager and Application Server. These are all fixed, in at least some of the affected product versions, in the first of Oracle's new monthly security update releases.

Details of each of the 41 buffer overflows described by Application Security's researchers can be found in their advisory, linked below. At a minimum, most of these vulnerabilities provide an easy means to deny service to the other users of an 'attacked' server, or to take over the whole server process and alter database contents at will. When a vulnerable server is hosted under Windows, many also allow complete system compromise, as Oracle server processes typically run with local system or administrator privileges.

Patches are available via Metalink as described in Oracle's security alert, also linked below.

Multiple vulnerabilities in Oracle Database Server - appsecinc.com

Alert #68: Oracle Security Update - oracle.com (150KB PDF)

* Moderately critical zlib flaw patched

Norwegian computer security firm Secunia has reported a 'moderately critical' vulnerability, apparently disclosed to it by Johan Thelmen, in the very widely used data compression library zlib. Insufficient error checks in two decompression functions in zlib 1.2.1 (and possibly earlier versions) leave applications linked against vulnerable versions of the zlib library open to denial of service attacks if those applications can be persuaded to run suitably malformed data through the vulnerable zlib routines.

As zlib is deeply ingrained in so many applications and services commonly deployed on some Unix and most Linux and BSD distributions, a patching frenzy associated with this vulnerability is bound to ensue. Several popular Linux distributions and at least one of the BSDs have already shipped packaged updates for the patched zlib libraries included in their distributions; expect the rest to follow in short order. While those updates (coupled with application shutdown and restart) fix applications and services dynamically linked to the zlib library, a potentially large number of other popular applications and services may exist that are either statically linked with zlib, or incorporate code derived from earlier, vulnerable zlib versions.

It appears the official zlib maintainers have either not been contacted, or have not responded, as there was no mention of the issue on the zlib home page at press time and the initial patching efforts seem to derive from the maintainers of a popular Linux distro...
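The statically linked and source-copied zlib instances mentioned above are the ones a package update will not fix, so finding them is the practical follow-up. As an added example (not the newsletter's or the zlib project's code), this script looks for the version-bearing copyright strings that zlib's inflate and deflate sources embed in every build, and flags any copy at or below 1.2.1; the cut-off and the sample bytes are assumptions of this example.

```python
import re
from pathlib import Path

# zlib's inflate.c and deflate.c carry copyright strings such as
# " inflate 1.2.1 Copyright 1995-2003 Mark Adler ", which survive in any
# binary that statically links zlib or ships copied zlib source.
ZLIB_MARK = re.compile(rb"\b(inflate|deflate) (\d+)\.(\d+)\.(\d+) Copyright ")

# Versions at or below this are flagged, per the report above (1.2.1 and
# possibly earlier). Assumed cut-off: adjust as the advisory is refined.
VULN_MAX = (1, 2, 1)

def find_zlib_versions(blob: bytes) -> list:
    """Return the sorted distinct zlib versions whose markers appear in blob."""
    found = {tuple(int(g) for g in m.group(2, 3, 4)) for m in ZLIB_MARK.finditer(blob)}
    return sorted(found)

def assess(blob: bytes) -> dict:
    """Summarise whether blob embeds zlib code and whether that code is flagged."""
    versions = find_zlib_versions(blob)
    return {
        "embedded_zlib": bool(versions),       # False for dynamically linked binaries
        "versions": versions,
        "flag": any(v <= VULN_MAX for v in versions),
    }

def scan_paths(paths) -> dict:
    """Map each readable file path to its assessment; unreadable paths are skipped."""
    results = {}
    for p in paths:
        try:
            results[str(p)] = assess(Path(p).read_bytes())
        except OSError:
            continue
    return results

# Constructed sample "binaries" (not real files) so the block runs stand-alone.
SAMPLE_STATIC_OLD = b"\x7fELF\x00junk inflate 1.2.1 Copyright 1995-2003 Mark Adler \x00tail"
SAMPLE_DYNAMIC = b"\x7fELF\x00no zlib strings here, this one links libz.so instead\x00"

if __name__ == "__main__":
    print(assess(SAMPLE_STATIC_OLD))   # flag True, versions [(1, 2, 1)]
    print(assess(SAMPLE_DYNAMIC))      # embedded_zlib False
```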

zlib Denial of Service Vulnerability - secunia.com

zlib home page - zlib.org

* Samba 2.2.11 released to fix XP SP2 incompatibility

Samba developers report that Windows XP SP2 can 'incorrectly' send a 'FindNextPrintChangeNotify' request without first issuing a 'FindFirstPrintChangeNotify' request. If smbd from Samba 2.2.10 or an earlier release receives this incorrect sequence of requests, the daemon will crash. As Windows XP SP2 is now being rolled out, administrators of mixed environments where XP clients may need to print to Samba 2.2.10 or earlier print servers should seriously consider updating.

Samba 2.2.11 Available for Download - samba.org

* Commercial DDoS'ers brought to trial

Last week we mentioned that various US legal authorities and other interested parties had been engaged in investigations of some of the larger spammers and those behind 'phishing' rackets and related identity theft crimes. This was all part of a much larger crackdown on computer-related crimes in, or originating from, the US. Shortly after we filed last week's newsletter the US Department of Justice released a report mentioning several other similar investigations. The report claims the investigations, collectively referred to as Operation Web Snare, involve more than 150 arrests or convictions, around 150,000 victims and more than US$215 million in estimated losses.

One of the operations in Web Snare is believed to be the first case to be brought to court involving the use of distributed denial of service (DDoS) attacks for commercial advantage. The details of this case may be of great interest, so we have linked to specific coverage of it on the Securityfocus site.

FBI busts alleged DDoS Mafia - securityfocus.com

Operation Web Snare Targeting Online Fraud and Crime - usdoj.com

* Microsoft's own security mavens switch to Firefox?

In a recent interview published in Wired, Microsoft security program manager Stephen Toulouse was quoted as saying 'Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system'. Rather than being seen as an attack on Firefox, it was seen by many in the security industry as an admission by a top Microsoft security wonk that IE was not the best choice of browser.

Hmmmmmmm...

Should you wish to check we have not wrenched this comment horribly out of some otherwise innocuous context, please check the item linked below.

Microsoft's War on Bugs - wired.com
