Korgo surprises...

This issue's topics:

Introduction:

* AV surprises; Notes/Domino, Crystal Reports, Linux kernel, ISC DHCPD updates

Virus News:

* Korgo surprises...

* Is Microsoft about to get into the antivirus business?

Security News:

* Notes/Domino URI handler remote code execution exploit fixed

* Crystal Reports, Crystal Enterprise

* Recent Linux Kernel patches, updates

* ISC DHCPD 3.0.1rc updates fix exploitable buffer overflows

Introduction:

Members of the Korgo family have been surprisingly successful. Although not reaching anything like the distribution of Sasser, surprisingly many sites are reporting Korgo infections, despite the worm depending on the same vulnerability as Sasser to spread. And there are more surprises in the antivirus vendor market - is Microsoft soon to join the fray? If so, will it be by buying the maker of the McAfee antivirus products? Or is Network Associates up to something else?

On the security front, Lotus Notes and Domino users should consider upgrading to beat a possible remote code execution flaw, among others; there are more updates for Crystal Reports users, Linux kernel patches to consider, and fixes for possible arbitrary code execution bugs in a popular DHCP server.

Virus News:

* Korgo surprises...

Spreading by exploiting the LSASS vulnerability patched by MS04-011 (the 'Sasser patch'), Korgo should have been a non-issue. The first variant of this rapidly growing family was isolated early this month, yet businesses are still reporting outbreaks inside their networks and many small business and home users are turning up infected.

The surprise, of course, stems from Korgo's reliance on the LSASS vulnerability to spread, since it seemed that most of the world must have been patched against it to have stopped Sasser. Evidently that was not so: a machine cleaned of Sasser but never patched remains just as exposed to any later worm that uses the same hole, and Korgo is finding plenty of them.

As is not uncommon when several new variants of a virus are discovered in a short period, naming within the Korgo family is chaotic if different vendors' names for the same variant are compared, although most vendors do call the family Korgo (at least one large vendor, of course, uses something different: Padobot). As no single variant is truly common, we have linked to descriptions of several different variants, most of them being the most recently identified variant described in detail on the relevant vendor's web site.

Microsoft Security Bulletin MS04-011

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Is Microsoft about to get into the antivirus business?

About a year ago we reported the surprise sale of the antivirus intellectual property (primarily the RAV antivirus product line) of the Romanian software developer GeCAD (which, as the company name suggests, did more than just develop antivirus software). The surprising thing about the sale (apart, for many, from learning that there was a Romanian antivirus company -- in fact, there were two!) was that the purchaser was Microsoft's Security Business Unit (SBU).

Much speculation followed... Would Microsoft be giving away an antivirus product? Would 'Microsoft Antivirus' appear as part of XP SP2? If so, would a monster anti-competitive practice court case between Microsoft and other antivirus developers ensue, much as the Netscape/Microsoft case followed the 'browser wars'? Some, with longer memories, wondered if Microsoft had forgotten the lessons it learned the hard way when it last tried to do antivirus, way back in MS-DOS 6.x days.

Many of these ruminations were re-awakened last week when the head of the SBU, Mike Nash, said that Microsoft still planned to release an antivirus product that it would sell in competition with established major players such as Symantec (maker of the Norton product range) and Network Associates (NAI, makers of the McAfee product range).

Further intrigue arose this week with rumours that NAI has been preening itself for sale, the suggestion being that Microsoft is the likely buyer. As is standard practice in such circumstances, both companies denied or refused to comment on these suggestions.

Another suspicion your newsletter compiler has heard is that NAI's preparations are not for a sale to Microsoft, but to networking giant Cisco. The divestiture of its encryption and network-related products strips the company back to a sole focus on its 'core competency', and the thing that would make it of most value to Cisco: antivirus technology and products. If Cisco, rather than Microsoft, is the likely buyer, these moves may also shorten the delay between the eventual announcement of the sale and its closure, as there would be little of concern for regulatory bodies to consider in terms of overlapping markets and potential dominance (or, in Cisco's case, greater dominance) of some network device markets.

Microsoft on Track to Offer Anti-Virus Software - reuters.com

Network Associates up for sale? - itnews.com.au

Security News:

* Notes/Domino URI handler remote code execution exploit fixed

Researchers at iDEFENSE have disclosed some nasty cross-site scripting and remote code execution vulnerabilities in Domino 6.x servers and Lotus Notes clients. The remote code execution vulnerability, an argument injection through the Notes URI handler, is potentially of critical severity and should be paid careful attention by administrators of affected systems.

IBM has included fixes for these vulnerabilities in Domino 6.0.4 and 6.5.2. Short of installing the updated versions, various workarounds and system configuration options (described in the IBM notes linked below) may sufficiently reduce exposure.

Lotus Notes URI Handler Argument Injection Vulnerability - idefense.com

Lotus Notes URL Handler Argument Injection Vulnerability - ibm.com

Cross-site Scripting Vulnerability Addressed in 6.0.4 & 6.5.2 - ibm.com

* Crystal Reports, Crystal Enterprise

Further to our report a few weeks back of updates for Crystal Reports and related products from Business Objects bundled with various Microsoft products, we note a more general release of updates by Business Objects. Affected Business Objects products are Crystal Reports 9 and 10, Crystal Enterprise 9 and 10, Crystal Enterprise 8.5 Java SDK, Crystal Enterprise RAS 8.5 for Unix, Crystal Reports for Borland JBuilder, Crystal Reports for Borland C# Builder and Crystal Reports for BEA WebLogic Workshop 8.1.

Users of any of these products are advised to check the Business Objects advisory linked below.

Critical Updates - businessobjects.com

* Recent Linux Kernel patches, updates

Several Linux kernel security bugs have been reported recently, and most distributors have released either patched kernel packages or full kernel updates to 2.6.7 to address them. If you have not updated your Linux kernel recently, you may wish to consider doing so.

The Linux Kernel Archives - kernel.org

* ISC DHCPD 3.0.1rc updates fix exploitable buffer overflows

The Internet Software Consortium's (ISC) DHCPD 3.0.1rc12 and 3.0.1rc13 are vulnerable to two related buffer overflows. ISC DHCPD is one of the most popular DHCP server implementations, and although these flaws are in 'release candidate' rather than 'production' versions, users of several popular Linux distributions that ship the release candidates are expected to be affected. Exploitation of these vulnerabilities would lead to, at a minimum, denial of DHCP service and possibly execution of arbitrary code with the permissions of the DHCPD process (usually root or system level).

Both flaws are fixed in ISC DHCPD 3.0.1rc14, and users running other versions, such as the current 'stable' release 3.0pl2, are believed not to be vulnerable to either flaw. Several popular distributions have already shipped, or will soon ship, update packages. Of course, updated source distributions can be obtained from ISC and built and installed locally by those who prefer the more direct approach.

Multiple Vulnerabilities in ISC DHCP 3 - us-cert.gov

ISC DHCP distribution homepage - isc.org
