Exchange Server 5.0; Windows SMTP service patches

This issue's topics:

Introduction:

* Exchange Server 5.0; Windows SMTP service patches; spyware abounds

Virus News:

* Far from quiet on the malware front...

Security News:

* TCP flaw poses some concerns for core Internet routing protocol

* Three new 'old' vulnerabilities in Exchange Server 5.0 patched

* MS02-011 SMTP authentication flaw also affects NT Server 4.0

Introduction:

Most of the security talk this week was focussed on the new TCP sequence number guessing flaw. Advance publicity for a paper presented at the CanSecWest conference this week fired up a lot of discussion - informed and otherwise - about the issue. Also, almost lost in the hordes of new Microsoft patches released last week - and overlooked by yours truly - four older MS security bulletins were also updated on April's 'Patch Tuesday'. Three of these disclose that Exchange Server 5.0 is, in fact, vulnerable to several flaws previously only thought to affect one or more of the later versions of this product.

It has been a week of distributed annoyances, rather than a few focussed outbreaks, so when better to devote the virus section of the newsletter to the growing menace of 'spyware'?

Virus News:

* Far from quiet on the malware front...

However, this is due to a large number of small incidents rather than any especially newsworthy virus (or a small number thereof). That said, your newsletter compiler spotted three news articles this week that resonated deeply with his own recent experience, noting an apparently dramatic rise in the incidence of 'spyware' (or perhaps just the tenaciousness of certain strains that have started to become more common?). The first two items we are linking describe the phenomenon and its (growing) extent. The third outlines why the US FTC thinks it need do nothing (in terms of drafting new laws) about this brewing plague...

Spyware's victims spread - computerworld.co.nz

EarthLink Spy Audit - earthlink.net

No need for anti-spyware laws - FTC - theregister.co.uk

Security News:

* TCP flaw poses some concerns for core Internet routing protocol

There has been much talk (and not all of it insightful) about what many are referring to as a design flaw in the TCP network protocol, part of the networking core of the Internet. Although this flaw has significant consequences for major Internet routing hubs, it seems unlikely to have much impact on typical users.

Historically TCP sequence number guessing attacks have been of interest to security researchers. In the mid-1990s some changes were made to common TCP stack implementations to reduce the vulnerabilities that had been uncovered by then and many thought that these problems had been practically fixed. Note that was not 'entirely removed', but 'practically fixed' - in effect, the general belief was that sequence number guessing attacks had been reduced to a level of insignificance such that no-one need worry about them again.

In fact, that is not so, as recent research, publicized at the CanSecWest security conference this week, has shown. Paul Watson has presented a paper detailing how increased availability of bandwidth, coupled with two other TCP features designed to improve the reliability of TCP connections, works to seriously improve the odds of a specific form of TCP sequence number guessing attack - the 'TCP Reset' attack - succeeding. His paper shows how a worst case scenario for such an attack can reduce the time of a successful, brute force attack against an already established connection from the previously assumed approximately 35 minutes to less than a tenth of a second.

To many 'typical' Internet users, TCP Reset attacks are of little concern as at most they are generally of nuisance value. However, TCP Reset attacks may be especially disruptive to long-term TCP connections that cannot necessarily simply be resumed, such as TLS-style (SSL, SSH) connections. Worse still, such attacks can be of significant disruptive effect if targeted at BGP (border gateway protocol) devices as BGP depends on continuous connectivity, with each end of a peering arrangement flushing from its routing tables information received from the other peer should their connection be lost.
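To make the odds discussed above concrete, here is a small risk-estimation model (added here; not from Watson's paper or any of the linked advisories). It assumes the attacker already knows the connection's addresses and ports, as the worst case described above implies, and compares a receiver that accepts a RST anywhere within its receive window against one that would demand an exact sequence number; the window sizes and packet rates are illustrative values, not figures from the page.

```python
import math

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit


def guesses_needed(window_bytes: int, exact_match: bool = False) -> int:
    """Spoofed RST segments needed to cover the whole sequence space.

    If the receiver accepts a RST whose sequence number lands anywhere
    inside its receive window, one probe rules out `window_bytes` values at
    once, so the search shrinks to 2^32 / window.  If it demanded an exact
    match, every one of the 2^32 values would have to be tried.
    """
    if window_bytes <= 0:
        raise ValueError("window must be positive")
    if exact_match:
        return SEQ_SPACE
    return math.ceil(SEQ_SPACE / window_bytes)


def worst_case_seconds(window_bytes: int, packets_per_second: float,
                       exact_match: bool = False) -> float:
    """Time to exhaust the search at a given spoofed-packet rate (assumed)."""
    return guesses_needed(window_bytes, exact_match) / packets_per_second


def exposure_table(windows, packets_per_second: float):
    """Rows of (window, guesses, seconds) for a list of assumed window sizes."""
    return [(w, guesses_needed(w), worst_case_seconds(w, packets_per_second))
            for w in windows]


if __name__ == "__main__":
    # Constructed scenario: a 64 KiB window versus a window-scaled 16 MiB one,
    # at an assumed 100,000 spoofed packets per second.
    for w, n, s in exposure_table([2 ** 16, 2 ** 24], 100_000):
        print(f"window={w:>9} bytes  guesses={n:>10}  worst case={s:.3f}s")
    print("exact-match receiver:", worst_case_seconds(2 ** 24, 100_000, True), "s")
```

The larger the advertised window (window scaling makes multi-megabyte windows routine on high-bandwidth links), the smaller the search, which is why long-lived, well-known peerings such as BGP sessions are the connections most worth protecting.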

As we said above, much has been said about this but we have chosen some of the more measured sources to link to. The US CERT Security Alert is a good overview, tying in previous sequence number guessing issues, and the UK's National Infrastructure Security Co-ordination Centre (NISCC) advisory 'Vulnerability Issues in TCP' includes summary information regarding the status of this issue with several major product developers. Finally, the Open Source Vulnerability Database (OSVDB) entry for this vulnerability includes links to Watson's PowerPoint slide show and his full, technical paper describing the issue, as presented at CanSecWest.

Vulnerability Issues in TCP

Vulnerabilities in TCP - us-cert.gov

TCP Reset Spoofing - osvdb.org

* Three new 'old' vulnerabilities in Exchange Server 5.0 patched

Late in 2000 Microsoft initially claimed that Exchange Server 5.5 was the only version vulnerable to the 'Malformed MIME Header' vulnerability, discussed in its MS00-082 security bulletin. Now it has released a patch for that vulnerability in Exchange Server 5.0. As the discoverer of the original vulnerability published basic exploit details (linked below in an archived Bugtraq mailing list posting) of the vulnerability shortly after Microsoft posted its patch, administrators of Exchange Server 5.0 machines would be advised to obtain, test and roll-out the patch.

Lather, rinse, repeat...

A similar tale applies for the malformed RPC request denial of service vulnerability described in Microsoft security bulletin MS01-041. Originally Microsoft said that Exchange Server 5.0 was not vulnerable, whereas more recent testing shows it is. Successful exploitation of these flaws in Exchange Server 5.0 could lead to a denial of service against Exchange Server.

Lather, rinse, repeat...

And again, with MS03-046, Microsoft now claims that Exchange Server 5.0, originally thought unaffected, is vulnerable to the same 'important' severity denial of service vulnerability as Exchange Server 5.5 (but not the more severe - critical - arbitrary code vulnerability in Exchange 2000 Server discussed in that security bulletin).

All three flaws are fixed in a cumulative security rollup package for Exchange Server 5.0. By all means read all three security bulletins to get more of the technical details, but there is only need to download and run the patch installer from one of the security bulletins, as all three link to the same patch.

Archived Bugtraq list message - securityfocus.com

Microsoft Security Bulletin MS00-082

Microsoft Security Bulletin MS01-041

Microsoft Security Bulletin MS03-046

* MS02-011 SMTP authentication flaw also affects NT Server 4.0

Microsoft has also revised MS02-011, adding information about the availability of a patch for NT Server 4.0 Option Pack fixing this issue. As with the previous item, this version of the affected software was originally not thought vulnerable, but has subsequently been found to be so. Although Microsoft rates the severity of this vulnerability as 'low', note that it effectively turns affected systems into open relays, potentially begging for the attention of spammers.

Microsoft Security Bulletin MS02-011
