Witty revisited; critical RealPlayer, Squid, Mailman, CVS updates


This issue's topics:

Introduction:

* Witty revisited; two MS updates; critical RealPlayer, Squid, Mailman, CVS updates

Virus News:

* Witty worm revisited

Security News:

* Patch for remote denial of service in DirectX DirectPlay interface

* DoS, information leaks patched in Crystal Reports Web Viewer

* Update fixes remote code execution vuln in RealPlayer, RealOne Player

* Buffer overflow in Squid's NTLM Authentication support

* Password exposure fixed in Mailman 2.1.5 release

* Multiple critical vulnerabilities in CVS fixed

Introduction:

Although small in absolute number terms, the Witty worm was very 'successful' in the speed with which it reached (virtually) all of its possible victims. Recent detailed analysis of the Witty worm event, rather than just of the worm's code, suggests some developments we may see more of in future.

In the security section, we note updates for two 'moderate severity' vulnerabilities in components commonly found on Windows machines - the only fruit of Redmond's 'Patch Tuesday' tree this month. We also note updates fixing critical vulnerabilities in Windows RealPlayer and RealOne Player, the popular caching web proxy Squid, the popular mailing list software Mailman and in the version control system that is probably most-used in the open-source development community, CVS.

Virus News:

* Witty worm revisited

In an op-ed piece in Computerworld, security maven and author Bruce Schneier raises some interesting observations about the design, spread and effectiveness of the Witty worm. Drawing on analysis of the event by the International Computer Science Institute (ICSI) at the University of California, Berkeley, Schneier points out the lessons the worm and virus writers were likely to have learned from observing the event and some developments we may expect to see in future worms as a result.

Speaking of the ICSI and predictions for the future of worm attacks, results of some recent modelling work done by ICSI researchers suggest that a 'worst case' worm could inflict US$50 billion in direct costs on the US economy. Your newsletter compiler has always taken such large estimated damage figures with a grain of salt, but the reasoning behind this prediction may be of interest to some of our readers. To this end we have provided a link to a PDF version of the research paper hosted at the Workshop on Economics and Information Security (WEIS04) web site at the University of Minnesota (umn.edu).

Aside from your newsletter compiler's scepticism about such huge (potential) damage claims, researchers at George Mason University, viewing things from a different angle, have also recently suggested that things may not be as bad as some suggest. We have also provided a link to this report, hosted at network technology tracking firm, Netcraft.

The Witty worm: A new chapter in malware - computerworld.com

A Worst-Case Worm - umn.edu (65KB PDF)

Microsoft Not a Threat to US National Security - netcraft.com

Security News:

* Patch for remote denial of service in DirectX DirectPlay interface

Versions of DirectX from 7.0a through 9.0b are vulnerable to a denial of service in the IDirectPlay4 application programming interface of Microsoft DirectPlay. Machines running a networked DirectPlay application are vulnerable to a denial of service attack through the DirectPlay service due to inadequate bounds checking on parameters passed from the network to the DirectPlay application.

Microsoft claims that the worst effect of such an attack would be the hanging of the DirectPlay application, requiring an application restart. As DirectPlay is not deemed a core system service and the result of exploitation is not a serious security breach, Microsoft rates the severity of this vulnerability as 'moderate' on all affected platforms.

Affected versions of DirectX are available for Windows 98, ME, 2000, XP and Server 2003. NT 4.0 users are not affected, and Windows 98 and ME, although affected, are no longer supported for non-critical severity security fixes. Note that MBSA does not currently check for ActiveX versions and vulnerabilities, so exposure to this vulnerability will not be reported by MBSA.

Microsoft Security Bulletin MS04-0

* DoS, information leaks patched in Crystal Reports Web Viewer

Crystal Reports and related components, from Business Objects, have been included in various versions of various Microsoft products for several years now. Microsoft has just released a patch for denial of service and potential information leakage flaws in the version of Crystal Reports distributed in all versions of Microsoft Visual Studio .NET 2003, and in Outlook 2003 with Business Contact Manager. The version of Crystal Enterprise distributed with Microsoft Business Solutions CRM 1.2 is also vulnerable to the same flaws and a patch for that product is also available.

As with the other Microsoft patch this month, this one is rated 'moderate' severity. Users of the products should read the Security Bulletin carefully in deciding the urgency of installing the patch on their systems.

Microsoft Security Bulletin MS04-00#

* Update fixes remote code execution vuln in RealPlayer, RealOne Player

Security researchers at eEye Digital Security have announced their discovery of a heap overflow vulnerability in the embd3260.dll component of several Real Networks RealPlayer and RealOne Player products for Windows. This vulnerability can be reliably exploited remotely to execute arbitrary code of an attacker's choice on a victim machine so long as the victim can be persuaded to 'play' a suitably crafted RAM file.

Real Networks has released updates for the various affected versions or, in some cases, suggests upgrading to later versions. The details of which versions are affected and of how to obtain updates for each are included in the security advisory link below the eEye research advisory.

RealPlayer embd3260.dll Error Response Heap Overflow - eeye.com

Update to Address Security Vulnerabilities - real.com

* Buffer overflow in Squid's NTLM Authentication support

iDEFENSE has reported a remotely exploitable buffer overflow in the popular caching web proxy, Squid, if it is built with NTLM Authentication support. The advisory includes a link to a patch, and suggests recompiling Squid with NTLM Authentication support disabled as a workaround if NTLM Authentication is not strictly necessary. Several distributors have already made updated packages, including the recommended patch, available.
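The DirectPlay denial of service above and this Squid overflow share the same root defect class: a length or size value taken from the network is trusted before it is checked against the buffer it will fill and against the number of bytes actually received. The following C snippet is an added illustration of the check that is missing in such cases; it is not code from Microsoft, Squid, iDEFENSE or any of the advisories linked here. The two-byte-length wire format, the MAX_PAYLOAD limit and all three sample messages are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format, constructed for this example: a 2-byte big-endian
 * payload length followed by that many payload bytes. */
#define MAX_PAYLOAD 64

typedef struct {
    uint16_t len;
    unsigned char payload[MAX_PAYLOAD];
} msg_t;

/* Parse one message from a received buffer.
 * Returns 0 on success, -1 if the message is malformed.
 * The declared length comes from the peer and is therefore checked against
 * (a) the size of the destination buffer and (b) the bytes actually received
 * before a single byte is copied. Omitting check (a) is the classic
 * network-parameter overflow; omitting (b) reads past the received data. */
int parse_msg(const unsigned char *buf, size_t buflen, msg_t *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (buflen < 2)                 /* not even a complete length field */
        return -1;

    uint16_t declared = (uint16_t)((buf[0] << 8) | buf[1]);

    if (declared > MAX_PAYLOAD)     /* peer-controlled length exceeds our buffer */
        return -1;
    if (declared > buflen - 2)      /* claims more bytes than were received */
        return -1;

    out->len = declared;
    memcpy(out->payload, buf + 2, declared);
    return 0;
}

/* Constructed sample messages (not captured traffic). */
static const unsigned char good_msg[]     = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char oversize_msg[] = {0xFF, 0xFF, 'x'};      /* declares 65535 bytes */
static const unsigned char short_msg[]    = {0x00, 0x10, 'a', 'b'};  /* declares 16, sends 2 */

/* Each helper returns 1 when the parser behaves as intended, 0 otherwise. */
int demo_good(void)
{
    msg_t m;
    return parse_msg(good_msg, sizeof good_msg, &m) == 0
        && m.len == 5
        && memcmp(m.payload, "hello", 5) == 0;
}

int demo_oversize(void)
{
    msg_t m;
    return parse_msg(oversize_msg, sizeof oversize_msg, &m) == -1;
}

int demo_short(void)
{
    msg_t m;
    return parse_msg(short_msg, sizeof short_msg, &m) == -1;
}

int main(void)
{
    printf("well-formed message accepted: %d\n", demo_good());
    printf("oversize length rejected:     %d\n", demo_oversize());
    printf("truncated message rejected:   %d\n", demo_short());
    return 0;
}
```

The two comparisons before the memcpy are the whole point: a parser that only checks the declared length against the received byte count (or only against the destination buffer) still accepts one of the two malformed messages, and in a long-running service such as a proxy helper or a game server that is the difference between a rejected packet and a crash or worse.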

Squid Cache NTLM Authentication Helper Buffer Overflow - idefense.com

* Password exposure fixed in Mailman 2.1.5 release

The popular mailing list management software Mailman was recently updated to version 2.1.5. Included in the release announcement (an archived copy of which is linked to below) was the comment 'This version also contains a fix for an exploit that could allow 3rd parties to retrieve member passwords. It is thus highly recommended that all existing sites upgrade to the latest version.'

Reputedly, sending a specially (mal-)formed e-mail message to a list address managed by Mailman could cause it to return configuration details, including passwords used to access member profiles.

[Mailman-Announce] RELEASED Mailman 2.1.5 - python.org

* Multiple critical vulnerabilities in CVS fixed

Stefan Esser has reported the results of a security audit of the Concurrent Versions System (CVS) version control system. The audit was inspired by the cvshome.org hack and found several remotely exploitable vulnerabilities in CVS, some of which are now known to have been used or are still being used against vulnerable CVS systems on the Internet.

Administrators of CVS sites, particularly Internet-exposed ones, are recommended to update to the latest version as soon as practicable. Esser's advisory also links to a paper describing running CVS chrooted and over SSH.

More CVS remote vulnerabilities - e-matters.de

CVS home page - cvshome.org
