More on Witty, Blaster; New IE, Dreamweaver flaws

This issue's topics:

Introduction:

* More on Witty, Blaster; New IE, Dreamweaver flaws; LEAP cracker released

Virus News:

* Did Blaster infect 8 to 16 million PCs?

* Further Witty analyses

Security News:

* New IE remote code execution vulnerability & URL obfuscation issue

* Cisco LEAP cracking tools released

* Database test scripts can leave Dreamweaver sites wide open

* An interview with 'Spaf'

Introduction:

Another quiet week - perhaps all the bug hunters and virus writers have taken off early for an extended Easter break?

Of special note this week is the active exploitation of new Internet Explorer flaws that have not been patched by Microsoft, and the release of Joshua Wright's 'asleap' tools, which expose serious weaknesses in Cisco's LEAP wireless authentication protocol. According to a new advisory from Next Generation Security Software, Dreamweaver sites with database connectivity may have unintentionally been left with wide-open database access. We also supply a few interesting links for Easter break reading.

Enjoy, because next week holds 'Microsoft patch day' for April...

Virus News:

* Did Blaster infect 8 to 16 million PCs?

Blaster (aka MSBlast, Lovsan) was perhaps the worm incident of 2003 in terms of most widespread impact (although Slammer's brutal, albeit short-lived, effect on total Internet traffic is difficult to argue against). Most estimates of Blaster's 'effectiveness' have had it infecting something in the region of 200,000 to half a million PCs. However, some new statistics just released by Microsoft suggest that Blaster may have infected at least eight million, and perhaps as many as 16 million, PCs.

Since it released its own Blaster disinfection tool through Windows Update, Microsoft has been gathering statistics on the number of machines downloading and successfully executing its Blaster worm cleaner. When this removal utility was posted, Windows Update was modified to detect machines infected with the worm, and only offered the removal tool to such machines. The article linked below investigates some of the possible sources of discrepancy between the earlier estimates of the size of the Blaster infection and these newer data.

MSBlast epidemic far larger than believed - news.com

* Further Witty analyses

Although a very short-lived event, the recent Witty worm has proven an interesting example of several concepts in worm technology. Two new commentaries on the worm are worth reading for insight into these features of the worm and as an indication of what we may come to expect from future fast, pure network worms.

The Spread of the Witty Worm - caida.org

Witty Extinction - securityfocus.com

Security News:

* New IE remote code execution vulnerability & URL obfuscation issue

AusCERT has released two advisories concerning newly discovered issues with Internet Explorer, both of which are currently being exploited in spam and/or in the distribution of malware.

The security vulnerability allows scripts embedded in an HTML component of a Windows 'compiled HTML Help' (.CHM) file to be run in IE's 'My Computer' security zone. This is achieved through some rather 'creative' abuse of the proprietary 'ms-its' and 'mk' protocols that fools the security zone determination mechanisms into believing that an HTML component of a .CHM file fetched from a remote server is, in fact, being loaded from the local file system. Default IE configurations set very few constraints on what HTML-embedded scripts run from the 'My Computer' security zone can do. Typical abuse of this vulnerability sees a Trojan Horse written to the local file system and executed, without raising any warnings or the usual security alerts associated with downloading remote programs. This vulnerability has been used in several phishing scams and in a few other spam e-mails seen over the last few days.
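A mail-gateway style check for the two URL schemes named above, written as an added example (it is not code from AusCERT or from this newsletter): it pulls URLs out of the src/href/data attributes of an HTML message body, flags any that use the 'ms-its' or 'mk' schemes, and separates those that embed a remote http/https reference (the remote .CHM case described above) from purely local help references. The sample message, host and file names are constructed placeholders.

```python
import re
from typing import Dict, List

# Attributes in which IE will dereference a URL when rendering an HTML message.
_URL_ATTR = re.compile(r'\b(?:src|href|data)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Schemes the advisory names as being abused to fool IE's security-zone check.
_SUSPECT_SCHEMES = ("ms-its", "mk")


def extract_urls(html: str) -> List[str]:
    """Return every URL found in src/href/data attributes, in document order."""
    return _URL_ATTR.findall(html)


def classify_url(url: str) -> Dict[str, object]:
    """Describe one URL: its scheme, whether the scheme is suspect, and whether
    the remainder embeds a remote http/https reference rather than a local path."""
    scheme, sep, rest = url.partition(":")
    scheme = scheme.lower() if sep else ""
    suspect = scheme in _SUSPECT_SCHEMES
    # The optional "@name:" prefix covers the mk:@store:... form of the mk scheme.
    remote = suspect and bool(re.match(r"(?:@\w+:)?https?://", rest, re.IGNORECASE))
    return {"url": url, "scheme": scheme, "suspect": suspect, "remote": remote}


def scan_message(html: str) -> List[Dict[str, object]]:
    """Return classifications for the suspect URLs only, remote references first."""
    hits = [h for h in (classify_url(u) for u in extract_urls(html)) if h["suspect"]]
    return sorted(hits, key=lambda h: not h["remote"])


# Constructed sample HTML e-mail body (hosts, paths and file names are placeholders).
SAMPLE_MAIL = """
<html><body>
<p>Please review your account at <a href="https://bank.example/login">our site</a>.</p>
<img src="http://203.0.113.5/logo.gif">
<iframe src="ms-its:http://203.0.113.5/help.chm"></iframe>
<a href="mk:@MSITStore:C:\\Windows\\Help\\local.chm">local help</a>
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MAIL):
        level = "ALERT (remote)" if hit["remote"] else "warn (local)"
        print(f"{level}: {hit['scheme']} -> {hit['url']}")
```

In a real gateway any ms-its or mk reference inside e-mail is worth quarantining; the remote/local split only orders the findings.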

Further, as well as using the just-described vulnerability to download a key-logging Trojan, a recent bank phishing scam used a new trick to obfuscate a displayed URL in its HTML e-mail message when the message was displayed in Outlook (and probably also in Outlook Express). Devious placement of an HTML form field 'over' the location of a hyperlink can cause IE to display the contents of the form field in the status bar, rather than the underlying URL, deceiving the user as to the actual location the hyperlink will take them to. There are no known fixes from Microsoft for either issue, although a possibly less than ideal workaround for the remote code execution vulnerability is mentioned in the AusCERT note AU-2004.007 describing the vulnerability.

AU-2004.007: Vulnerability in IE Allows Program Execution - auscert.org.au

AL-2004.10: Bogus Banking Email Allows Trojan Infection - auscert.org.au

* Cisco LEAP cracking tools released

Joshua Wright has released his 'asleap' tools for offline brute-force cracking of the Cisco LEAP wireless authentication protocol. Full source for Unix-like systems and a partially functional Windows binary are available for those wishing to check their own LEAP installations.

Archived Bugtraq list message - securityfocus.com (359694)

Cisco Security Notice: Dictionary Attack on Cisco LEAP - cisco.com

* Database test scripts can leave Dreamweaver sites wide open

Security researchers at Next Generation Security Software (NGSSoftware) have described how attackers can gain full access to the database server 'behind' a Dreamweaver-authored site without needing to provide any user authentication to the database server. The problem lies in the test scripts Dreamweaver creates when database connectivity is required in a web site project. These test scripts are not supposed to be part of the final site, but NGSSoftware suggests that they are not always removed as they should be.

Checking for exposure and the remediation steps are both discussed in the Macromedia security bulletin and the NGSSoftware advisory.

Macromedia Dreamweaver Remote Database Scripts - ngssoftware.com

Macromedia security bulletin MPSB04-05

* An interview with 'Spaf'

Eugene Spafford, or 'Spaf' as almost everyone (including those who have never met him) knows him, is a professor of Computer Science at Purdue University and one of the best known academics focussing closely on computer security and related IT issues. Further, he was into such topics long before they achieved their current, and rather recent, fashionability. Greplaw has just posted an interview with Spaf delving into what drove him to the computer security field, testifying before US Congressional committees, his interests in computer ethics education and his views on why much technology legislation is 'bad law'. Hopefully this will provide some interesting reading to occupy a few minutes of your long weekend.

Spaf on Legislating Technology ... and Info Security - harvard.edu
