Multiple Windows patches; Sort of quiet on the virus front...

This issue's topics:

Introduction:

* Multiple Windows patches; Office XP SP3; Mozilla, Acrobat, DB2 updates

Virus News:

* Sort of quiet on the virus front...

Security News:

* Editorial: Microsoft revamps security bulletins; security the loser

* Update fixes Media Services DoS on Windows 2000 Server

* Critical Outlook 2002 code execution bug patched

* MSN Messenger for Windows update fixes remote file retrieval flaw

* MS03-022 updated

* Office XP service pack released on the sly...

* Windows Adobe Acrobat Reader users recommended to update to v6.x

* IBM DB2 remote privilege escalation fix

* Multiple vulnerabilities fixed in Mozilla browser update

Introduction:

'Official Microsoft patch day' this month was (US) Tuesday this week, so there are a few Windows patches described below. Aside from releasing three new patches (one rated as critical), Microsoft also updated an earlier security bulletin and snuck Office XP Service Pack 3 out without any fanfare (yet). Microsoft has also 'revised' the design of its security bulletin pages so that they are now entirely useless to anyone who may care to browse the web with a securely configured browser.

Aside from the Microsoft patches, other updates worthy of a mention are the recent ones to Mozilla, Adobe Acrobat Reader and IBM's DB2 database server. And, although it was a busy week for virus analysts, few of the latest crop of Netsky, Bagle, etc. variants actually seem to have successfully taken hold out there in userland...

Virus News:

* Sort of quiet on the virus front...

In terms of the number of new Netsky and Bagle variants, it has been pretty much 'business as usual' the last week, but none of the new variants have really gained much of a toehold - it seems the generic detection capabilities of several popular scanners and perhaps an increasing wariness (on the part of most users) of such banal messages as these viruses send has dampened the spread of the newer variants. The 'war of words' between the virus writers responsible for these two families (with Bagle's writer or writers apparently also responsible for Mydoom, and the Mitglieder Trojan family) has continued. The latest variants of Netsky suggest something of a change of heart or direction, and may be evidence that Netsky's writer has followed through on a threat a little earlier in the week to stop writing more variants himself and to release the source code of the virus for others to pick up and 'improve'...

More NetSky worms. So much for quitting - theregister.co.uk

F-Secure Antivirus Research Team weblog - f-secure.com

Security News:

* Microsoft revamps security bulletins; security the loser

Microsoft has redesigned the web pages that display its security bulletins. As if it were not already bad enough that, under the old design, the security conscious using Internet Explorer had to click through more than a dozen script and ActiveX control permission dialog boxes to get a useful version of the page, Microsoft's web design wizards have now rendered all the 'section expansion' links in JavaScript, preventing successful reading of the page unless you take the security-lowering option of enabling scripting in whatever browser you prefer.

As a result you may have to decrease the security settings of your browser to read the useful content in the Microsoft Security Bulletins linked below and in future newsletters.

* Update fixes Media Services DoS on Windows 2000 Server

Microsoft has released an update that fixes a possible denial of service against Windows Media Services 4.1. Windows Media Services is an optional component of Windows 2000 Server and this vulnerability is rated by Microsoft as being of moderate severity. A downloadable version of Windows Media Services 4.1 is available for NT 4.0 Server but does not have this vulnerability, nor does Windows Media Services 9.0, as supplied with Windows Server 2003.

There are several mitigating factors that are likely to reduce the attack surface of a server running a vulnerable version of Windows Media Services and these are described in the security bulletin, linked below.

Microsoft Security Bulletin MS04-008

* Critical Outlook 2002 code execution bug patched

Finnish security researcher Jouko Pynnonen has discovered a vulnerability in Outlook's handling of parameters passed to it in response to a user clicking a mailto: URL in a web page, e-mail message and so on. Microsoft has released patches for Outlook 2002 (the version included in Office XP), but they are not necessary if the newly-released Service Pack 3 (see item below) for Office XP has already been installed, as Office XP SP3 contains this fix.

Initially Microsoft rated the vulnerability as being of only 'important' severity because it incorrectly believed the vulnerability could only be triggered if an unusual, non-default configuration was in effect. However, Pynnonen posted a correction to that misconception to several security mailing lists and Microsoft revised its security bulletin, upping the severity to critical.

Outlook mailto: URL handling flaw allows code execution - iki.fi

Microsoft Security Bulletin MS04-009

* MSN Messenger for Windows update fixes remote file retrieval flaw

Microsoft has released an update to its MSN Messenger for Windows client that fixes a remote file retrieval vulnerability in MSN Messenger 6.0 and 6.1 (although the download page at msn.com simply identifies the current version as '6.1', its main executable has a version stamp of 6.1.0.211 and is date-stamped 4 March 2004, at least in the Windows 2000 version the newsletter compiler just very quickly tested).

Details of how to remotely exploit this vulnerability, so as to retrieve files whose absolute paths on the victim machine are known, or easily guessed, have been published. Thus, although Microsoft rates the severity of this vulnerability as 'moderate', all active MSN Messenger users are advised to update as soon as practicable.

MSN Messenger home page - msn.com

Microsoft Security Bulletin MS04-010

* MS03-022 updated

Microsoft has become aware of situations under which the original MS03-022 update installer would not properly replace the vulnerable file (NSIISLOG.DLL). The updated installer addresses this issue and Windows Update has been updated to re-offer this patch if the older, unpatched version of the affected file is found to be present, even if the registry value suggesting this patch has already been installed is present. The revised security bulletin, linked below, details (in the 'Frequently asked questions' section) how to locate that file and check its version number manually, should administrators prefer doing this themselves or use patch management methods other than Windows Update.

Microsoft Security Bulletin MS03-022
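
The check described above, as an added example that is not from the newsletter or from Microsoft: an audit over collected inventory data that trusts the file version of NSIISLOG.DLL rather than the registry marker. The inventory records, host names and FIXED_VERSION are constructed placeholders; the real fixed version number must be taken from the bulletin's FAQ section.

```python
# Added example: classify hosts by the version of the patched file itself,
# because a "patch installed" registry marker can exist while the old file remains.

# PLACEHOLDER, not the real MS03-022 build number (see the bulletin's FAQ).
FIXED_VERSION = "1.0.0.10"

def parse_version(text):
    """Turn '1.0.0.9' into (1, 0, 0, 9) so that comparison is numeric.
    Comparing the raw strings would wrongly rank '1.0.0.9' above '1.0.0.10'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad short versions with zeros

def classify(record, fixed=FIXED_VERSION):
    """Return one of: not-installed, unknown, patched, marker-only, unpatched."""
    found = record.get("file_version")
    if found is None:                      # file absent: component not present
        return "not-installed"
    try:
        current = parse_version(found)
    except ValueError:                     # collector returned junk: recheck by hand
        return "unknown"
    if current >= parse_version(fixed):
        return "patched"
    # Old file still on disk. If the registry marker claims the patch is
    # installed, this is exactly the failed-install case the bulletin describes.
    return "marker-only" if record.get("registry_marker") else "unpatched"

def audit(inventory):
    return {r["host"]: classify(r) for r in inventory}

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "srv-a", "registry_marker": True,  "file_version": "1.0.0.10"},
    {"host": "srv-b", "registry_marker": True,  "file_version": "1.0.0.9"},
    {"host": "srv-c", "registry_marker": False, "file_version": "1.0.0.9"},
    {"host": "srv-d", "registry_marker": False, "file_version": None},
    {"host": "srv-e", "registry_marker": True,  "file_version": "n/a"},
]

if __name__ == "__main__":
    for host, state in audit(INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as marker-only are the ones a registry-based patch report would have counted as fixed.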

* Office XP service pack released on the sly...

Observant Office XP users probably noted with some interest the reference to Office XP SP3 in the Outlook parameter passing vulnerability item above. Although your newsletter compiler can find no 'official' comment from Microsoft about the release of this service pack, it does indeed seem that Office XP SP3 is now available for download from the page linked in the MS04-009 security bulletin.

Note that there have been some comments posted to the NTBugtraq mailing list that installing Office XP SP3 seems to have broken (or at least seriously downgraded the usefulness of) at least two popular third-party spam-blocking products. Russ Cooper, the moderator of the NTBugtraq list, is sceptical that the service pack per se is the 'problem' here and has also posted his comments to that effect. We have linked to the March archive - readers interested in following up on this will have to scroll down and find the specific links to the 'Office XP SP3 breaks 3rd-party junk email filter' thread (the structure of the archive does not allow reliable linking to a specific thread, nor reliable use of the 'read next/previous message in thread' options if we linked to the first message itself...). This issue may indicate the presence of some wider problem - users with any Outlook message filtering plug-ins would be well-advised to install the service pack on a test rig and carefully check that everything works as expected before rolling out SP3 to your production network (of course, you all do that already anyway, right?).

Microsoft Security Bulletin MS04-009

Archived NTBugtraq list message - ntbugtraq.com

* Windows Adobe Acrobat Reader users recommended to update to v6.x

Next Generation Security Software researchers have found an exploitable buffer overflow in the Windows version of Adobe Acrobat Reader v5.1. The vulnerability can be triggered when Acrobat Reader renders 'XML Forms Data Format' (XFDF) content and may be rendered automatically on download when using applications such as Internet Explorer. Adobe advised the discoverer of the vulnerability that the current release of Acrobat Reader is not vulnerable and users of the vulnerable version should update as soon as practicable.

Acrobat Reader XML Forms Data Format Buffer Overflow - nextgenss.com

Adobe download page - adobe.com

* IBM DB2 remote privilege escalation fix

Researchers at Next Generation Security Software (NGSSoftware) have found a remote privilege escalation in IBM's DB2 database server. Specifically, the Remote Command Server component accepts commands from any validated Windows user, but runs the commands it is sent on the DB2 server with administrative privileges. A little more detail, plus links to the updates that fix this vulnerability are available in the NGSSoftware advisory linked below.

IBM DB2 Remote Command Execution Privilege Upgrade - nextgenss.com

* Multiple vulnerabilities fixed in Mozilla browser update

Problems with cookie handling, ASN.1 parsing and various other security and privacy related flaws have been fixed in the latest release of the Mozilla browser. Mozilla is popular amongst Linux distribution packagers, most of which have already shipped, or are preparing to ship, updated packages; pre-built Windows and Mac OS binary distributions of Mozilla 1.6 are also available from Mozilla's home page.

Mozilla home page - mozilla.org
