XP SP2 ships; OWA, AIM, MAILsweeper & Acrobat fixes

This issue's topics:

Introduction:

* XP SP2 ships; OWA, AIM, MAILsweeper & Acrobat fixes; cell annoyances

Virus News:

* Could cell phones be more annoying? Apparently, yes...

* Blaster.B suspect pleads guilty

Security News:

* Update fixes possible OWA/Exchange 5.5 remote code execution

* Major revision to MS04-020; INTERIX 2.2 added

* XP SP2 released; on Windows Automatic Update Monday

* MBSA update needed for XP SP2

* AIM vulnerable to overlong 'away' messages

* MAILsweeper for SMTP update fixes several parsing flaws

* Adobe ships silent fix for Unix Acrobat reader vulnerability


Of course, the big news this week has to be the final release of the long-awaited Service Pack 2 for Windows XP. As that's covered in detail below, we'll say no more by way of introduction except to point out that in a corporate or institutional setting you shouldn't roll out SP2 without thoroughly testing it first. Home users and small businesses are, unfortunately, left a bit more in the laps of the gods...

Aside from XP SP2, Microsoft also released an update for Outlook Web Access on Exchange Server 5.5 and updated MS04-020 to cover INTERIX 2.2.

Outside of Microsoft, other notable updates available this week are AIM and MAILsweeper for SMTP, and Adobe Acrobat reader 5.0 for Unix and Linux.

On the virus and malware front probably the 'big interest' story was the 'hacked' copy of the Symbian OS game Mosquitos that reputedly had a premium rate SMS dialler function added...

Virus News:

* Could cell phones be more annoying? Apparently, yes...

They ring in conference rooms, meetings, theatres - could they be more annoying?

Add malware - this week a Trojan, premium rate SMS message dialler - and the answer, it seems, is 'yes'. Admittedly this should be much more of an increased nuisance to the owner of the phone, so perhaps it's not all bad...

Following stories in recent weeks of the first viruses, Trojans and backdoors for these platforms, this week we add yet another nasty to the small, but growing, list of cell phone and PDA malware. Named various things by the different antivirus developers, the beast in question is a reputedly hacked version of a game for Symbian OS Series 60 cell phones. The original game has reputedly been hacked to include an SMS dialler that calls premium rate SMS numbers.

However, it seems the 'hacking' claim is misleading. According to F-Secure's antivirus research manager, Mikko Hypponen, the premium rate SMS dialling functionality was in the original release of the Mosquitos game and was put there by the program's developers, Ojom, as some form of anti-piracy incentive. According to Hypponen, an Ojom representative told an F-Secure malware analyst that Ojom removed the dialler functionality from subsequent versions of the game because of complaints from users. However, someone had already 'cracked' the early version of the game, and this version (which displays the message 'This version has been cracked by SODDOM BIN LOADER') is still readily available on P2P networks and pirate software sites.

Thus, the original version would still be considered a Trojan by many because of the undisclosed and undesirable premium rate number dialling. Ojom says that the premium rate contracts have been terminated now, so it is not benefiting from folk still using the pirated copy of its game.

Finally, although this item has just become a 'story' in the last week, at least one of the online copies of the cracked form of the game found online clearly dates from early January this year. Thus, claims that this is 'new' are somewhat optimistic...

Information about Mosquitos Trojan - symbian.com

Mosquitos smartphone 'Trojan' there by design - theregister.co.uk

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Blaster.B suspect pleads guilty

Jeffrey Lee Parson, the Minnesota teenager arrested and charged over his alleged involvement in modifying the original Blaster virus to make the Blaster.B variant and its subsequent release, this week changed his plea in a Seattle court to guilty.

Teen who unleashed Blaster virus pleads guilty - katu.com

Security News:

* Update fixes possible OWA/Exchange 5.5 remote code execution

Outlook Web Access (OWA) on Exchange Server 5.5 is vulnerable to several possible cross site scripting (XSS) and content spoofing attacks that have been fixed in the latest 'Patch Tuesday' monthly patch cycle. Microsoft rates the overall severity of the combined vulnerabilities as 'moderate' and recommends 'that customers consider applying the security update'. Successful attack scenarios include a fair element of user participation.

Those considering installing the update should note that it replaces many standard .ASP pages, some of which may have been customized by the user. Before installing the update on such systems, all customized .ASP pages that the update will replace should be copied somewhere safe, and the customizations applied to the new copies of these files after the update is installed. Simply restoring backed-up copies of these files is insufficient, as that re-introduces the flawed .ASP code, re-opening the vulnerability through that script.

Anyone installing this update must read the whole associated security bulletin carefully, as this is not your typical 'one-shot, point and click' upgrade.

Microsoft Security Bulletin MS04-026

* Major revision to MS04-020; INTERIX 2.2 added

Microsoft has revised its MS04-020 security bulletin, adding another vulnerable product to those already listed. Subsequent to posting its original bulletin about the privilege escalation flaw in the POSIX sub-system of NT 4.0 and Windows 2000, Microsoft became aware that the same flaw affected INTERIX 2.2. A patch for that product has now been released to fix this vulnerability.

Microsoft Security Bulletin MS04-020

* XP SP2 released; on Windows Automatic Update Monday

Long-awaited and much-discussed, the final release version of Windows XP Service Pack 2 (SP2) is now available. Released at the end of last week to OEMs and to the general public in its 'full' or 'network install point' form early this week, the full version is a possibly daunting 266 MB download. Microsoft's Automatic Updates (AU) system and Software Update Services will start pushing out SP2 on Monday (probably 'Monday US') and Windows Update (WU) users will be offered the update starting later in August.

AU and WU users will not download as large a package. This is because the new version 5.0 release of Windows Update will only download the components actually installed on the machine, and has support for interrupted and partial downloads (the latter allows 'small' patches to large files to be downloaded as a form of 'binary diff' rather than having to download the whole file). However, it still seems that obtaining and installing SP2 will be a daunting prospect for those on dial-up or other low-ish bandwidth connections. Regardless of bandwidth issues, however, businesses that depend on AU (or possibly WU) as their patch management solution may want to prevent SP2 being downloaded and installed via AU or WU. Microsoft has provided a mechanism to temporarily disable SP2 over AU and WU - we have linked to the instructions for configuring this below.

In the first few days of SP2's availability the service pack has received mixed reactions, but those doing properly tested and managed rollouts in corporate/institutional settings do not seem to be reporting any major problems. Of course, media attention tends to focus on the 'it seriously broke something' claims of 'suck it and see' users, ignoring the relatively trouble-free rollouts to thousands of corporate machines.

However, it is to be expected that SP2 will break some things. That is the point of SP2 - this is partly a case of Microsoft saying 'whoops, we got that wrong and now we're going to put it right'. Of course, third-party software written to take advantage of the initial, security-weak design will likely not work under SP2. Worse, depending on how Microsoft chose to break whatever it is such an application depends on, simply installing SP2 over the top of such applications may even prevent the machine from booting properly. Such cases should be rare, but Microsoft apparently made some fairly major changes at the very last minute. Presumably it was thought these changes should not affect any legitimate software, but read the archived NTBugtraq mailing list message linked below for a description of the trouble one developer had with changes made between the last pre-release version he could get and the version of SP2 that actually shipped.

We have included links to the 'IT Professionals' page for XP SP2 information, the 'less technical' page for small business and home users, a link to Microsoft's

Windows XP Service Pack 2 Resources for IT Professionals - microsoft.com

Windows XP Service Pack 2 - microsoft.com

Temporarily Disabling Delivery of SP2 Through WU and AU - microsoft.com

Archived NTBugtraq list message - ntbugtraq.com

* MBSA update needed for XP SP2

Windows XP system administrators who use the Microsoft Baseline Security Advisor (MBSA) for patch checking and the like should note that Microsoft will soon be releasing an updated version, 1.2.1, to resolve some issues the current 1.2 release has running under XP SP2. There is currently a note to this effect on the MBSA home page, linked below, and it is probably prudent to check back there for the final release announcement every few days.

MBSA home page - microsoft.com

* AIM vulnerable to overlong 'away' messages

Windows versions of the popular AOL Instant Messenger (AIM) have been reported vulnerable to a buffer overflow that can be remotely exploited to run arbitrary code of an attacker's choice. This vulnerability was publicly disclosed before AOL produced a patch. It is not known to be actively used in the wild yet, but given the popularity of AIM and the disdain in which many 'hackers' hold AOL users, it would not be surprising to see denial of service attacks exploiting this, if not full-blown automated attack software or a worm. AOL is expected to release an update soon to address the vulnerability. Further, although not generally recommended, a beta release of a new version of AIM that is free of this vulnerability can be obtained from AOL.

AOL Instant Messenger aim:goaway Handler Buffer Overflow - idefense.com

AOL Instant Messenger "Away" Message Buffer Overflow - secunia.com

* MAILsweeper for SMTP update fixes several parsing flaws

Clearswift, makers of popular e-mail content filtering product MAILsweeper (formerly MIMEsweeper), have announced the general availability of the MAILsweeper for SMTP 4.3.15 hotfix (Technology update 1.4_15 and Anti-spam filter update 1.6.2). This update includes several important fixes to flawed processing of certain archive types and a potential denial of service due to malformed PowerPoint format attachments.

More detail of the various fixes is available from the 'readme' for the update, linked below.

ReadMe for MAILsweeper for SMTP 4.3.15 - mimesweeper.com

MAILsweeper for SMTP 4.3.15 hotfix download - clearswift.com

* Adobe ships silent fix for Unix Acrobat reader vulnerability

iDEFENSE security researchers have publicly disclosed a vulnerability they reported earlier in the year to Adobe. Unix and Linux versions of Adobe Acrobat Reader 5.0 were found vulnerable to a buffer overflow in filename handling code in a function that decodes uuencoded data. This is remotely exploitable to run arbitrary code with the privileges of the user running Acrobat Reader.

iDEFENSE reports that the Unix 5.0.9 release, date-stamped mid-May this year, is not vulnerable, but precisely which version of Acrobat Reader this was fixed in is unknown. It would seem prudent for Unix and Linux Acrobat Reader users with versions prior to 5.0.9 to update to this, or a later, release.

Acrobat Reader Unix 5.0 Uudecode Filename Buffer Overflow - idefense.com
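The bug class described above is a fixed-size filename buffer filled from the uuencode 'begin' header without a length check. As an added example (not Adobe's code; the 64-byte name limit is a constructed assumption), a bounds-checked parser for that header line that rejects an overlong filename instead of writing past the buffer:

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define UU_NAME_MAX 64   /* constructed buffer size chosen for this example */

/* Parse a uuencode header line "begin <mode> <filename>". The filename is
 * copied into name (capacity name_cap) only if it fits with its terminator;
 * an overlong name is rejected rather than written past the buffer end.
 * Returns 0 on success, -1 on a malformed line or an oversized filename. */
int uu_parse_begin(const char *line, unsigned *mode, char *name, size_t name_cap)
{
    const char *p = line;
    char *end;
    unsigned long m;
    size_t len;
    if (strncmp(p, "begin ", 6) != 0)
        return -1;
    p += 6;
    if (!isdigit((unsigned char)*p))      /* mode must start with a digit */
        return -1;
    m = strtoul(p, &end, 8);              /* octal permission bits */
    if (m > 07777 || *end != ' ')
        return -1;
    p = end + 1;
    len = strcspn(p, "\r\n");             /* filename runs to end of line */
    if (len == 0 || len >= name_cap)      /* bounds check before the copy */
        return -1;
    memcpy(name, p, len);
    name[len] = '\0';
    *mode = (unsigned)m;
    return 0;
}

/* Constructed input: a header whose filename is name_len bytes of 'A'.
 * Returns 1 if the parser accepted it into a UU_NAME_MAX-byte buffer. */
int uu_accepts_name_of_length(size_t name_len)
{
    char line[UU_NAME_MAX * 4], name[UU_NAME_MAX];
    unsigned mode;
    if (name_len + 12 > sizeof line)
        return 0;
    memcpy(line, "begin 644 ", 10);
    memset(line + 10, 'A', name_len);
    line[10 + name_len] = '\n';
    line[11 + name_len] = '\0';
    return uu_parse_begin(line, &mode, name, sizeof name) == 0;
}
```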
