OS X Trojan claim just so much horse puckey?

This issue's topics:

Introduction:

* Mac OS X Trojan; ColdFusion MX, Linux kernel, scads of critical windows patches

Virus News:

* OS X Trojan claim just so much horse puckey?

* Japanese police blame virus for information leak

Security News:

* Multiple critical system fixes in Windows OSes

* Critical remote code execution flaw in Windows RPC patched

* Critical Outlook Express security patch

* Remote code execution via buffer overflow in Jet Database Engine fixed

* Fix for ColdFusion MX 6.1 denial of service

* The dangers of not patching promptly...

Introduction:

Microsoft patch day this month (US Tuesday) delivered three critical patches for all NT-based OSes and a serious Jet Database Engine upgrade. Windows admins will be busy for days making sure all this stuff works in their environments and then rolling it out...

Macromedia also announced a moderately critical fix for ColdFusion MX 6.1 and, although there is no article covering it, several critical vulnerabilities have been fixed in the Linux kernel, with all the popular distros already having shipped update packages.

On the virus front, claims for the first Mac OS X uber-malware seem to have been overstated and the Japanese police are fingering a virus for leaking some information...

Virus News:

* OS X Trojan claim just so much horse puckey?

Last weekend (NZ time) the all but unheard of Mac security software vendor Intego made its first notable foray into the media with a press release that turned out to be just another "scare 'em into buying our product" ruse. There is nothing especially notable about this - most security and antivirus companies that more than four non-employees can name have pulled much the same dodgy trick at some point in their histories, but as Intego claimed that the first Mac OS X-specific malware had been found, their claim garnered some following before the scale of its bogosity was entirely revealed.

At one level, Intego was right (in a sense). There are trivial methods to fool the less than highly techno-literate Mac user into executing what is actually a program by disguising it to appear to be a music file (or pretty much any other kind of 'data' file). However, much the same holds for your run-of-the-mill Windows users too, yet we don't see 'security experts' (with vested interests in selling 'protective' software) dashing out press releases proclaiming this.

For the record, a proof of concept has been implemented and publicly posted, and seems to be what is behind Intego's headlong rush to print. However, it was neither OS X-specific (it works on Mac OS 9 as well, according to its creator) nor worryingly Trojanic. It is true that it could have done all manner of nasty things, but it didn't. Due to all the fuss, several established antivirus developers posted information in their online virus description databases.
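The trick described above (a program wearing a 'data' file's name) is something a defender can check for mechanically: compare what the extension claims with what the file header actually is. The following is an added example written for this article, not Intego's or any other vendor's detection code; the magic numbers are the standard Mach-O, PE and MP3 ones, and the sample files are constructed headers, not real malware.

```python
# Constructed example (not Intego's or any vendor's detection code): flag
# files whose extension claims 'data' but whose header says 'executable'.
import struct
from typing import Dict, Optional

# Mach-O magics, 32/64-bit, both byte orders, plus fat (0xCAFEBABE, which Java class files share).
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE}
DATA_EXTENSIONS = {".mp3", ".jpg", ".gif", ".txt", ".pdf", ".mov"}

def executable_kind(data: bytes) -> Optional[str]:
    """Return the executable format the header indicates, or None."""
    if len(data) < 4:
        return None
    if struct.unpack(">I", data[:4])[0] in MACHO_MAGICS:
        return "mach-o"
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"#!":
        return "script"
    return None

def looks_like_mp3(data: bytes) -> bool:
    """ID3v2 tag, or an MPEG audio frame sync (11 set bits) at offset 0."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0

def classify(name: str, data: bytes) -> str:
    """'masquerade:<kind>' when a data extension fronts executable content."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    kind = executable_kind(data)
    if ext in DATA_EXTENSIONS and kind:
        return "masquerade:" + kind
    if ext == ".mp3" and not looks_like_mp3(data):
        return "suspicious:not-mp3"
    return "ok"

# Constructed samples, not real malware: a genuine ID3-tagged MP3 header,
# a Mach-O header wearing an .mp3 name, and a shell script named .txt.
SAMPLES = {
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 16,
    "free_track.mp3": struct.pack(">I", 0xFEEDFACE) + b"\x00" * 24,
    "readme.txt": b"#!/bin/sh\necho hi\n",
    "notes.txt": b"plain text\n",
}

def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Verdict per file name; only the file's data bytes are inspected."""
    return {name: classify(name, data) for name, data in samples.items()}
```

A check like this only sees the data bytes; on the Mac, a file that carries its code in a resource fork or declares itself an application through bundle or Finder metadata needs that metadata inspected as well.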

OS X Trojan Horse Is a Nag - wired.com

Computer Associates Virus Information Center

F-Secure Security Information Center weblog

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Japanese police blame virus for information leak

Personal information about eleven people who had been investigated by Japanese police found its way onto the Internet through the actions of a computer virus. At least, so say the Japanese police. The greater questions of how and why such sensitive documents ended up on a policeman's personally-owned laptop computer, from where the reputed virus leaked them, are the subject of an ongoing disciplinary action...

Japanese finger virus for police document leak - theregister.co.uk

Security News:

* Multiple critical system fixes in Windows OSes

Microsoft has released a 'mega-patch' (for example, the Windows 2000 version includes 62 updated executables, .DLL files and drivers) for all NT-based OSes. It fixes multiple vulnerabilities in each OS, with at least three of the patches for any affected OS being rated critical, giving the overall patch a critical severity rating for each OS.

Although Windows 98 and/or ME are listed as affected, the severity rating for the two vulnerabilities is not 'critical' so patches for those vulnerabilities on these OSes have not been publicly released. This is in line with Microsoft's standard position on providing updates for products in the extended support phase. One of the vulnerabilities on these OSes can be eliminated by installing an updated version of NetMeeting, as detailed in a note on the vulnerability rating table in the security bulletin.

There is such a great deal to read in the security bulletin, describing each of the vulnerabilities, which OSes are affected by each and to what degree, that we will not delay you further except to note that if you run NT 4.0 Terminal Server Edition, do not miss that the patch requires not only the latest service pack but also the current Security Rollup Package for that OS (for other affected OSes, the usual prerequisite conditions apply).

Microsoft Security Bulletin MS04-011

* Critical remote code execution flaw in Windows RPC patched

Recall the Blaster worm? (Where were you if you can't??)

It was terribly 'successful' because there were huge numbers of Windows users who did not have their machines sufficiently firewalled from the net and who had not applied an RPC patch that had been available for several weeks. This is another patch for the same sub-system and, at least on the most common NT-based OSes, Windows 2000 and XP, and on Server 2003, it is rated as being of critical severity. Four vulnerabilities are fixed in this latest patch, but with one of them providing a remote code execution hole, the others don't really matter.

Patch now or risk becoming a victim of a possible (perhaps even likely) future 'son of Blaster' worm!

Microsoft Security Bulletin MS04-012

* Critical Outlook Express security patch

You don't use Outlook Express?

Think again...

Although dubbed an OE patch, this actually affects the 'operating system' functionality that handles MHTML URL requests. Internet Explorer and many third-party products will depend on the functionality patched in this 'Outlook Express' update, should they ever confront an MHTML URL. As with the preceding two updates this month, this is of critical severity on all affected platforms - even Windows Server 2003's much heralded 'Enhanced Security Configuration' mode does nothing to protect against this vulnerability.

This vulnerability has been used extensively in the last few weeks in phishing scams, spammed remote access Trojan, adware and spyware installation runs and by a few other pieces of malware. As more of the bad guys work out how to utilize this trivial flaw in Windows' handling of MHTML URLs, we will only see more exploitation of it for nefarious purposes.

Patch early, patch hard...

Microsoft Security Bulletin MS04-013

* Remote code execution via buffer overflow in Jet Database Engine fixed

Not rated quite as seriously as the preceding vulnerabilities, but perhaps of critical significance in corporate environments, this latest update to the Microsoft Jet Database Engine patches a buffer overflow that could allow remote code execution.

Again, there are scads of reading if you support more than one or two affected OSes, so we'll not delay you further here. NT 4.0 administrators should note the caveats in the security bulletin about their OS and, if any of their machines are running a vulnerable version of the Jet Database Engine, they should obtain and install the latest version of Jet from the link in the advisory.

Microsoft Security Bulletin MS04-014

* Fix for ColdFusion MX 6.1 denial of service

ColdFusion MX 6.1 is vulnerable to a denial of service attack according to a Macromedia security bulletin. A flaw in the product's file upload logic means disk space allocated to partially uploaded files is never reclaimed. In theory this could be exploited as a disk-filling denial of service by a malicious user repeatedly starting file uploads then interrupting each upload before completion.

A patch and installation instructions are available from the security bulletin, linked below.
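The bug class behind this bulletin (a partial upload whose spool file is never reclaimed) is easy to reproduce and to fix in any upload handler. Below is an added example written for this article in Python; it is not ColdFusion's code and does not model ColdFusion's actual implementation, only the leak and the usual remedy: release the spool file on every failure path and cap the bytes accepted.

```python
# Constructed example, not ColdFusion's code: a spool-file leak on an
# interrupted upload (the bug class MPSB04-06 describes) beside the fix.
import os
import tempfile
from typing import Iterable

def receive_leaky(chunks: Iterable[bytes], spool_dir: str) -> str:
    """Bug: if the stream aborts, the partial spool file is left behind."""
    fd, path = tempfile.mkstemp(dir=spool_dir, prefix="upload-")
    with os.fdopen(fd, "wb") as spool:
        for chunk in chunks:  # raises if the client disconnects
            spool.write(chunk)
    return path

def receive_safe(chunks: Iterable[bytes], spool_dir: str,
                 max_bytes: int = 10 * 1024 * 1024) -> str:
    """Fix: reclaim the spool file on any failure and cap its size."""
    fd, path = tempfile.mkstemp(dir=spool_dir, prefix="upload-")
    written = 0
    try:
        with os.fdopen(fd, "wb") as spool:
            for chunk in chunks:
                written += len(chunk)
                if written > max_bytes:
                    raise ValueError("upload exceeds limit")
                spool.write(chunk)
    except BaseException:
        os.unlink(path)  # never leave a partial file around
        raise
    return path

def aborted_stream(good_chunks: int):
    """Constructed client: sends some data, then drops the connection."""
    for _ in range(good_chunks):
        yield b"x" * 1024
    raise ConnectionResetError("client disconnected")

def leftover_files(receiver, attempts: int) -> int:
    """Run `attempts` interrupted uploads; count spool files left behind."""
    with tempfile.TemporaryDirectory() as spool_dir:
        for _ in range(attempts):
            try:
                receiver(aborted_stream(3), spool_dir)
            except ConnectionResetError:
                pass
        return len(os.listdir(spool_dir))

if __name__ == "__main__":
    print("leaky handler leaves", leftover_files(receive_leaky, 5))  # 5
    print("safe handler leaves", leftover_files(receive_safe, 5))    # 0
```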

Macromedia security bulletin MPSB04-06

* The dangers of not patching promptly...

Aside from the long-running theoretical debate about the extent of the threat posed by exploits of non-publicized security vulnerabilities, real-world experience often shows the problems that can arise once updates for publicized vulnerabilities have been released but not installed. A spate of break-ins involving large numbers of Solaris and Linux systems at US universities, research institutions and high performance computing centres has recently been in the news.

These break-ins have mainly been achieved through exploitation of 'old' vulnerabilities, for which patches and upgrade packages have been available for quite some time. Stanford University was among the affected sites and its security alert describes in some detail some of the lengths the attackers went to, including the installation of rootkits to hide the presence of the hacks and the hackers' ongoing use of the machines.

Hackers Strike Advanced Computing Networks - washingtonpost.com

Multiple UNIX compromises on campus - stanford.edu
