Fresh XP installs have 20 minute survival time on Internet


This issue's topics:

Introduction:

* XP TTL 20 mins; more XP SP2; libpng, Mac OS X, QT, NetBSD ftpd updates

Virus News:

* Fresh XP installs have 20 minute survival time on Internet

Security News:

* SP2 'problem programs' listed by Microsoft

* XP SP2 via SUS refreshed to properly enable 'silent' installs

* Exploit for libpng flaw posted

* Mac OS X updates, patches include critical libpng fixes

* Multiple buffer overflows in QT image handling fixed

* NetBSD ftpd root escalation fixed

Introduction:

There was very little of specific note on the virus front worth reporting this past week. Of course, that did not prevent many news outlets carrying stories of doom and imminent destruction as several new variants of now common, even 'standard', virus families such as Mydoom and Bagle hit the net, but none of these really raised more than the faintest of ripples on the big pond of the Internet... We do report an interesting item suggesting how widespread network-borne viruses and worms have now become. SANS' Internet Storm Center statistics suggest the expected survival time of a fresh, default (pre-SP2) Windows XP installation hooked up to the Internet has halved since last year to just twenty minutes.

On the security side of things, Windows XP SP2 and issues surrounding its rollout and compatibility with existing products continue to hold the attention of many systems administrators. There are more fixes for products affected by the previously reported libpng buffer overflow, including updates to Mac OS X. Similar flaws in the QT library's handling of some other graphics formats have also been fixed and as these raise the possibility of remote arbitrary code execution in popular environments such as KDE and the Konqueror web browser, they are quite critical. Finally, NetBSD's ftpd has been updated to fix a remote root exposure. Although not enabled by default, this service is likely to be used on many NetBSD servers and should be treated as a critical update.

Virus News:

* Fresh XP installs have 20 minute survival time on Internet

Current data from the SANS Institute suggests that a freshly installed Windows XP computer connected to the Internet has a 'life expectancy' before infection by some form of malware of around twenty minutes. This claim is based on the rate at which various network probes are recorded by SANS' Internet Storm Center (ISC). In practice, the likely survival time varies widely, depending on all manner of issues, some of which are described on the ISC's 'Survival Time History' web page, linked below.

Twenty minutes is half the average survival time from last year, and much less time than a typical 'fresh install' XP machine would need to go online for the first time and download all necessary security patches and updates from Windows Update, or to get XP SP2. Fortunately, a few easy configuration tweaks turn the 'far too open for typical Internet use' XP defaults into a configuration that is safe to allow Internet connectivity. SANS has a simple, step-by-step guide addressing just these issues, linked from the Survival Time History page, and below. Although that guide is not SP2-aware, following its advice on freshly installed XP Gold (original release) or XP SP1 machines should see the machine make a safe initial connection to the Internet and eventually have SP2 downloaded and installed.

Survival Time History - sans.org

Windows XP: Surviving the first day - sans.org [1.2 MB PDF]

Security News:

* SP2 'problem programs' listed by Microsoft

In the wake of SP2's release, many reports are floating around to the effect that one or other popular program does not work properly after installing the service pack, or worse, may prevent proper installation of the service pack. Many of these are 'FOAFs' - the source of the report is 'a friend of a friend' and difficult or impossible to confirm. Others are one-off or oddball situations in which the reported application may not be at fault at all: a third-party driver or some other underlying problem manifests as a previously functional program apparently misbehaving once SP2 is installed, and the program gets the blame.

Microsoft has published, and seems likely to update, a KnowledgeBase article listing popular products it has confirmed to have 'SP2 issues'.

Programs with loss of functionality when run on XP SP2 - microsoft.com

* XP SP2 via SUS refreshed to properly enable 'silent' installs

A packaging error in the Software Update Services (SUS) distribution of XP SP2 means that the claimed 'silent' (no user interaction required) installation option for SUS-managed rollouts of SP2 did not, in fact, run silently. One consequence of this is that a user may be able to abort the SP2 installation part way through.

This error has been addressed and an updated SUS distribution package for XP SP2 'was made available at approximately 11:30 a.m. Pacific Time on Thursday, August 19, 2004'.

SUS administrators will need to synchronize their SUS servers for them to pick up the fixed distribution. If a SUS server has already downloaded all of the SP2 package, all synchronization will require is a single .CAB file (the one containing the incorrect installation parameters for the 'silent install' option). That file is smaller than a megabyte.

Update for Delivery of Windows XP SP2 Through SUS - microsoft.com

* Exploit for libpng flaw posted

The libpng flaws we reported a couple of weeks ago may now be a little more urgent for those who have not yet updated or patched against those vulnerabilities. A sample exploit for one of the specific vulnerabilities has been posted to public, computer security-related mailing lists. This may act as a catalyst to further, malicious exploitation of this, or other vulnerabilities in the libpng package.

Note that many applications statically link libpng, or include libpng-derived code (for example, the Mozilla family of browsers and e-mail clients), so some widespread exposures to these vulnerabilities may not be as obvious as others.
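Because a statically linked copy of libpng never shows up in a package manager's dependency list, the practical first step is to look for libpng's own version banner inside the executables you ship or run. The following C program is an added example for this newsletter item, not code from libpng or any of the affected projects. It assumes that a libpng build embeds a string beginning "libpng version X.Y.Z" (the library's banner), searches a raw byte buffer for it, and compares the version found against a minimum the caller supplies (take the fixed version from the libpng home page linked below). The embedded sample "binary" is constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Search a byte buffer (for example a loaded executable) for libpng's
 * embedded banner "libpng version X.Y.Z" and copy the X.Y.Z part to out.
 * Returns 1 if found, 0 otherwise. Working on raw bytes means it also
 * finds copies that were statically linked rather than loaded from a
 * shared library. */
int find_libpng_version(const unsigned char *buf, size_t len,
                        char *out, size_t outlen)
{
    static const char tag[] = "libpng version ";
    size_t taglen = sizeof tag - 1;
    for (size_t i = 0; i + taglen <= len; i++) {
        if (memcmp(buf + i, tag, taglen) != 0) continue;
        size_t j = i + taglen, n = 0;
        while (j < len && n + 1 < outlen &&
               ((buf[j] >= '0' && buf[j] <= '9') || buf[j] == '.'))
            out[n++] = (char)buf[j++];
        out[n] = '\0';
        if (n > 0) return 1;
    }
    return 0;
}

/* Parse one numeric component of a dotted version and skip the dot. */
static long next_component(const char **s)
{
    char *end;
    long v = strtol(*s, &end, 10);
    *s = end;
    if (**s == '.') (*s)++;
    return v;
}

/* Compare dotted versions numerically: <0, 0 or >0 like strcmp. */
int compare_versions(const char *a, const char *b)
{
    while (*a || *b) {
        const char *pa = a, *pb = b;
        long x = next_component(&a), y = next_component(&b);
        if (x != y) return x < y ? -1 : 1;
        if (a == pa && b == pb) break;   /* no progress: unparsable input */
    }
    return 0;
}

/* Constructed sample "binary" (not a real file): junk bytes around a banner. */
static const unsigned char SAMPLE[] =
    "\x7f" "ELF" "\x01\x01\x00\x00" "junk" "\x00"
    "libpng version 1.2.5" "\x00" " - (constructed banner)";

/* 1 if the sample's banner version equals expect, else 0. */
int demo_version_equals(const char *expect)
{
    char v[32];
    return find_libpng_version(SAMPLE, sizeof SAMPLE - 1, v, sizeof v)
           && strcmp(v, expect) == 0;
}

/* 1 if the sample embeds a libpng older than min_version, 0 if not,
 * -1 if no banner is present at all. */
int demo_needs_update(const char *min_version)
{
    char v[32];
    if (!find_libpng_version(SAMPLE, sizeof SAMPLE - 1, v, sizeof v)) return -1;
    return compare_versions(v, min_version) < 0 ? 1 : 0;
}

/* Stand-alone use: scan_libpng <binary> <minimum-acceptable-version> */
int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <binary> <min-version>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    if (sz < 0) { fclose(f); return 2; }
    unsigned char *buf = malloc((size_t)sz + 1);
    size_t len = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    char v[32];
    if (!buf || !find_libpng_version(buf, len, v, sizeof v)) {
        printf("%s: no libpng banner found\n", argv[1]);
        free(buf);
        return 1;
    }
    printf("%s: libpng %s (%s)\n", argv[1], v,
           compare_versions(v, argv[2]) < 0 ? "older than required" : "ok");
    free(buf);
    return 0;
}
```

Run it over every executable and shared object on a host (a loop over `find` output is enough) and anything reporting a banner older than the fixed release is a statically linked copy that a package update will not touch.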

libPNG 1.2.5 buffer overflow and other code concerns - beasts.org

libpng home page - libpng.org

* Mac OS X updates, patches include critical libpng fixes

Among other fixes and feature enhancements, the Mac OS X 10.3.5 release, available to all 'Panther' (Mac OS X 10.3.x) users, includes fixes for the aforementioned critical libpng vulnerabilities. Mac OS X 10.2.8 users can also obtain libpng security fixes relevant to their OS version.

Apple Security Updates - apple.com

Apple Downloads - apple.com

* Multiple buffer overflows in QT image handling fixed

Chris Evans has disclosed several exploitable buffer overflows in the handling of 8-bit RLE encoded BMP files in the 3.3.2 release of the popular QT image handling libraries. The code handling 4-bit RLE BMP files already had the necessary sanity checks, but further investigation of related code handling the XPM, GIF and JPEG formats found similar flaws there too. QT 3.3.3 has been released to address all these flaws and popular Linux distributions have released update packages.

QT is widely used by graphics viewing applications, including the KDE desktop and its Konqueror web browser. Exploitation of these vulnerabilities on systems with unpatched versions of QT could see a remote attacker execute arbitrary code with the privileges of the application used to view specially prepared image files. Evans has released a proof of concept BMP format image file to demonstrate the problem, which may act as a model from which those with nefarious intentions can more easily work...
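The 'sanity checks' the advisory refers to are bounds checks on the run lengths an RLE8 stream declares: a run or literal block that claims more pixels than remain in the row must be rejected before anything is written. The decoder below is an added example written for this item and is not QT's code; it implements the BI_RLE8 opcodes (encoded run, end of line, end of bitmap, delta, absolute mode) with every write checked against the row and the image buffer, and returns -1 instead of writing out of bounds. The two sample streams are constructed for the demonstration, and the image is decoded top row first for simplicity (real BMPs store rows bottom-up).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode an 8-bit RLE (BI_RLE8) pixel stream into out[], which holds
 * width * height palette indices. Returns 0 on success, -1 if the stream
 * is truncated or would write outside the image. Every write is checked
 * before it happens, which is the check an overflowing decoder lacks. */
int rle8_decode(const uint8_t *in, size_t inlen,
                uint8_t *out, unsigned width, unsigned height)
{
    size_t pos = 0;
    unsigned x = 0, y = 0;

    if (width == 0 || height == 0) return -1;
    memset(out, 0, (size_t)width * height);

    while (pos + 2 <= inlen) {
        uint8_t count = in[pos];
        uint8_t val   = in[pos + 1];
        pos += 2;

        if (count > 0) {
            /* Encoded run: 'count' copies of palette index 'val'. */
            if (y >= height || count > width - x) return -1;  /* row overflow */
            memset(out + (size_t)y * width + x, val, count);
            x += count;
            continue;
        }

        switch (val) {
        case 0:                 /* end of line */
            x = 0; y++;
            break;
        case 1:                 /* end of bitmap */
            return 0;
        case 2: {               /* delta: move dx pixels right, dy rows down */
            if (pos + 2 > inlen) return -1;
            uint8_t dx = in[pos], dy = in[pos + 1];
            pos += 2;
            if (dx > width - x || dy > height - y) return -1;
            x += dx; y += dy;
            break;
        }
        default: {              /* absolute mode: 'val' literal pixels, padded to even */
            size_t n = val;
            size_t padded = (n + 1) & ~(size_t)1;
            if (pos + padded > inlen) return -1;              /* truncated input */
            if (y >= height || n > width - x) return -1;      /* row overflow */
            memcpy(out + (size_t)y * width + x, in + pos, n);
            x += n; pos += padded;
            break;
        }
        }
    }
    return -1;  /* input ended without an end-of-bitmap marker */
}

/* Constructed 4x2 image: row 0 = run of three 7s then one 9; row 1 = an
 * absolute block A,B,C (padded to even length) then a run of one D. */
static const uint8_t GOOD_STREAM[] = {
    0x03, 0x07,  0x01, 0x09,  0x00, 0x00,
    0x00, 0x03,  0x0A, 0x0B, 0x0C, 0x00,
    0x01, 0x0D,  0x00, 0x01
};
/* A run of five pixels declared on a four-pixel-wide row: an unchecked
 * decoder would write one byte past the row. */
static const uint8_t OVERLONG_RUN[] = { 0x05, 0x07, 0x00, 0x01 };

/* 1 if the good stream decodes to the expected pixels, else 0. */
int rle8_demo_good(void)
{
    uint8_t out[8];
    static const uint8_t expect[8] = { 7, 7, 7, 9, 0x0A, 0x0B, 0x0C, 0x0D };
    if (rle8_decode(GOOD_STREAM, sizeof GOOD_STREAM, out, 4, 2) != 0) return 0;
    return memcmp(out, expect, sizeof expect) == 0;
}

/* Return value of decoding the overlong run into a 4x2 buffer (-1 = rejected). */
int rle8_demo_overlong(void)
{
    uint8_t out[8];
    return rle8_decode(OVERLONG_RUN, sizeof OVERLONG_RUN, out, 4, 2);
}

int main(void)
{
    printf("good stream decodes correctly: %s\n", rle8_demo_good() ? "yes" : "no");
    printf("overlong run rejected: %s\n", rle8_demo_overlong() == -1 ? "yes" : "no");
    return 0;
}
```

The same pattern applies to the other formats named in the advisory: whatever a header or opcode claims about sizes and counts is untrusted input, and the check has to compare it against the space actually remaining before the copy, not after.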

qt 3.3.2 BMP parser heap overflow error - beasts.org

* NetBSD ftpd root escalation fixed

A possible root privilege escalation in NetBSD has been fixed. Since NetBSD-1.5.3, ftpd has been disabled by default, but many sites are likely to have enabled ftpd, and as the vulnerability is considered to open the possibility of a remote root compromise, this fix should be treated as a critical update.

According to the NetBSD security advisory, any version of lukemftpd, any version of NetBSD-ftpd prior to 20040809, or any version of tnftpd prior to 20040810 is vulnerable. Disabling ftpd or reconfiguring it to drop root privileges may be suitable short-term workarounds for sites that cannot update ftpd straight away. Availability of updates and instructions for obtaining and installing them are provided in the advisory.

NetBSD Security Advisory 2004-009 - netbsd.org
