Symantec firewall, Eudora vulnerabilities; Access mass-mailer


This issue's topics:

Introduction:

* Symantec firewall, Eudora vulnerabilities; Access mass-mailer

Virus News:

* Sad day for Access 2000

* Sasser bounty seeker under investigation

Security News:

* Multiple critical vulnerabilities fixed in Symantec firewall

* Multiple issues still in new Eudora for Windows

* XP SP2 demo code from Microsoft

* The cost of insecurity...

Introduction:

On the virus front we have a new entry in the 'well I never' category - an Access database mass-mailer. Although initially reported from the field, it seems unlikely to be much of a threat. And more developments around the Sasser arrest - it seems the informant who tipped off Microsoft and the German authorities may be more closely associated with the action than just being a school friend or neighbour of the youth originally charged.

On the security front, several serious vulnerabilities in Symantec firewall products have been patched, and several previously known issues in Eudora for Windows remain, despite some older flaws being patched in the latest release. Also, hopefully of interest to any Windows programmers is Microsoft's recent release of code demonstrating the security issues the next service pack (SP2) for Windows XP will introduce. The interesting thing to note here is that Microsoft is knowingly and deliberately breaking several things in the interest of better security, and developers of products that are not updated to play nicely under SP2 are unlikely to get much sympathy once SP2 ships.

Virus News:

* Sad day for Access 2000

Stranger things have happened, somewhere ... surely!

Earlier this week a new Access 2000 virus was discovered. Access viruses are quite rare beasts because of the relative lack of opportunities to spread. Access is not included in the cheaper versions of the various Office product bundles (including many of the OEM bundles), and Access files (.MDB) tend to be large compared to .DOC, .XLS and .PPT files (even for 'empty' databases). Because .MDB files are not usually e-mailed around, it was also thought that suspicion of an unsolicited .MDB file arriving via e-mail should be high, significantly reducing the viability of a Melissa-like .MDB mass-mailer.

Well, as is so often the case in this field, reality has confounded these expectations. Sadcor (or Sadip, or Donei, depending on the vendor) is a mass-mailing Access 2000 VBA virus that was reported active in the wild this Wednesday. Its code is quite similar to Melissa's but, unlike Melissa, it does not keep a record of which addresses it has already sent itself to, so the mass-mailing routine does its stuff every time a victim opens an infected .MDB file.

Aside from blocking .MDB attachments at your e-mail gateway, note that the only variant seen as of this writing uses the Subject: line 'Re: Saddam Corrupted', has the message 'Please find the details of Saddam Corrupted' as its message body and has an attachment named 'account.mdb'.
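A gateway-side check for the two measures just described, blocking .MDB attachments and matching the reported Sadcor message, could look like the following. This is an added example, not code from the newsletter or from any vendor; the function names, the two-of-three indicator threshold and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".mdb",)
# Indicators quoted in the article for the only variant seen at the time.
SADCOR_SUBJECT = "re: saddam corrupted"
SADCOR_BODY = "please find the details of saddam corrupted"
SADCOR_ATTACHMENT = "account.mdb"


def inspect_message(raw_bytes):
    """Return reasons to quarantine a raw RFC 5322 message (empty list = pass)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # Collect attachment names from every MIME part, nested ones included.
    names = [p.get_filename().strip().lower() for p in msg.walk() if p.get_filename()]
    reasons = []
    # Windows drops trailing dots and spaces, so "x.mdb." is saved as x.mdb.
    blocked = [n for n in names if n.rstrip(". ").endswith(BLOCKED_EXTENSIONS)]
    if blocked:
        reasons.append("blocked-extension:" + ",".join(blocked))
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = sum([subject == SADCOR_SUBJECT, SADCOR_BODY in body,
                SADCOR_ATTACHMENT in names])
    if hits >= 2:  # assumed threshold: one match alone is too weak to name the virus
        reasons.append("sadcor-indicators:%d/3" % hits)
    return reasons


def build_sample(subject, body, filename=None):
    """Constructed test message; addresses and attachment bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample(
        "Re: Saddam Corrupted", "Please find the details of Saddam Corrupted",
        "account.mdb")))
    print(inspect_message(build_sample("Stock list", "See attached.", "STOCK.MDB")))
    print(inspect_message(build_sample("Minutes", "Notes attached.", "minutes.doc")))
```

The extension rule is the one that keeps working if a later variant changes its subject or file name; the indicator match only labels the variant described here.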

Network Associates Virus Information Library

Sophos Virus Info

* Sasser bounty seeker under investigation

Last week we reported the arrest of German teenager Sven Jaschan, who admitted writing and releasing the Sasser and Netsky families of worms after police were tipped off as to Jaschan's identity. We also reported that the tip leading to the arrest came after someone approached Microsoft Deutschland asking if Microsoft would make a payout from the reward scheme it has for those dobbing in virus writers.

It now seems that the claimant of the Microsoft Anti-Virus Reward Program money may have been more closely involved in Sasser's development, release and/or distribution, with The Register reporting he is being investigated by German police. Microsoft says that should the informant be involved, the reward will not be paid.

And, while we're on the topic of Sasser's writer and bounties for malware writers, SecurityFocus columnist Tim Mullen has an interesting take on the value of such bounties in light of the Sasser case...

Police probe Sasser informant - theregister.co.uk

Busted - securityfocus.com

Security News:

* Multiple critical vulnerabilities fixed in Symantec firewall

Security researchers at eEye Digital Security have discovered multiple vulnerabilities in multiple Symantec firewall products. Symantec Norton Internet Security 2002, 2003, 2004, Symantec Norton Internet Security Professional 2002, 2003, 2004, Symantec Norton Personal Firewall 2002, 2003, 2004, Symantec Client Firewall 5.01, 5.1.1, Symantec Client Security 1.0, 1.1, 2.0 (SCF 7.1) and Symantec Norton AntiSpam 2004 are all affected, as the vulnerabilities are present in SYMDNS.SYS, a component common to all these products. At least two of these vulnerabilities are believed to allow remote exploitation, giving kernel-level access for the execution of arbitrary code.

Symantec has shipped updates which are available via its LiveUpdate service.

Multiple Firewall NBNS Response Processing Stack Overflow - eeye.com

Multiple Firewall DNS Response Denial-of-Service - eeye.com

Multiple Firewall NBNS Response Remote Heap Corruption - eeye.com

Multiple Firewall Remote DNS KERNEL Overflow - eeye.com

Client Firewall Remote Access and Denial of Service Issues - symantec.com

* Multiple issues still in new Eudora for Windows

Paul Szabo from the School of Mathematics and Statistics at the University of Sydney has a long-running interest in the security of Eudora for Windows (among many other things). Szabo has found many vulnerabilities and security weaknesses in previous versions of Eudora, and with the release of v6.1.1 this week he reviewed its susceptibility to a list of vulnerabilities seen in previous versions. A summary of his results is linked below.

Secure your PC: Do not use Eudora - usyd.edu.au

* XP SP2 demo code from Microsoft

From Microsoft's web site:

'With Windows XP Service Pack 2 (SP2), Microsoft is introducing a set of security technologies that will help improve Windows XP-based computers' ability to withstand malicious attacks from viruses and worms. To developers these technologies will have impacts on the applications that they create and the tools they use. This download contains code samples and a PowerPoint deck dealing with these impacts. This information was originally presented by Microsoft Product Manager Tony Goodhew in an MSDN Webcast.'

Windows XP Service Pack 2 Code Demos - microsoft.com

* The cost of insecurity...

It has often been said that security incidents cost companies business, but there is not much evidence, beyond the purely anecdotal, supporting the position. A recent survey of large UK businesses by telecom firm Energis, reported earlier this month, suggests that the costs may, in fact, be quite high.

The Cost of Chaos: UK business pays for poor IT security - energis.co.uk
