[Virus & Security Watch] Three new MS patches; Linux kernel patch; attack of the Xombes


Introduction:

* Three new MS patches; Linux kernel patch; attack of the Xombes

Virus News:

* Attack of the Xombe...

* Just what you need after New Year - Sober.C

Security News:

* Critical patch for MS Internet Security and Acceleration Server 2000

* Fix for Microsoft Exchange Server 2003 privilege elevation issue

* Patch for remote code execution flaw in MDAC released

* MS03-045 updated for Arabic, Hebrew, Thai NT 4.0 users

* Multiple H.323 protocol vulnerabilities uncovered

* Linux kernel update fixes critical security flaw

Introduction:

Welcome back, and to the first "official Microsoft patch week" of 2004 at that!

Speaking of which, three new patches (one critical) and an update to an earlier one (at least if you run Arabic, Hebrew or Thai Windows NT 4.0).

In the broader security field, many implementations of the H.323 protocol have been found to be seriously buggy, and the Linux kernel has had to be patched for a critical local privilege elevation bug.

On the virus front there was very little innovation seen over the Christmas/New Year period, but a couple of modestly interesting recent incidents are described.

Virus News:

* Attack of the Xombe...

Although not an entirely new twist, earlier this week a 'downloader' named Xombe (pronounced the same as 'zombie') was spammed to many thousands (if not millions?) of e-mail addresses. A downloader is a program whose main (usually only) function is to download another program (or a list of them) from the net and to run that new program or to set the victim machine to run the new program when it is restarted. When released, Xombe was set to download and run another downloader and a Trojan Horse designed to perform a denial of service (DoS) attack against a web site.

The point of mass-mailing a downloader is that simple downloaders (like Xombe) can be just a few kilobytes in size (precisely 4KB in Xombe's case), making them much smaller and therefore much faster to send, than their ultimate payload. If run, Xombe downloads a further 50KB of programs and runs them, which means that in the same period of time it would take to e-mail 1000 copies of that full 50KB 'payload', 12,500 copies of Xombe could be sent. Another potential 'benefit' (to the malware distributor!) of using a downloader is that, so long as the server(s) carrying the downloader's 'payload' code are not shut down, the payload can be changed part way through the distribution of the downloader (sometimes the spamming runs that deliver these things continue for many, many hours and even for many days in rare cases).

Computer Associates Virus Information Center (Xombe)

F-Secure Security Information Center (Xombe)

Network Associates Virus Information Library (Xombe)

Sophos Virus Info (Xombe)

Symantec Security Response (Xombe)

Trend Micro Virus Information Center (Xombe)

* Just what you need after New Year - Sober.C

While you were off on vacation ('Vacation? What vacation?' I hear you protest) a new variant of the Sober virus family was launched. Sober.C has not been especially 'successful' apart from in Germany. There, apparently, the novelty of a German-speaking worm improved its chances immensely - when mass-mailing itself, if the target e-mail address ends in '.de', it sends a German-language message and Subject: line.

Aside from its ability to 'sprechen Sie Deutsches' Sober.C is somewhat interesting for the variety and temerity of the messages it sends. Some of the message texts it sends suggest that the recipient's computer has been remotely monitored by the FBI or the RIAA and various charges are about to be brought because of the activities or content observed. Aside from these 'social aspects', Sober.C really has nothing technically interesting to offer - it's just more of the same old, same old...

Computer Associates Virus Information Center (Sober.C)

F-Secure Security Information Center (Sober.C)

Network Associates Virus Information Library (Sober.C)

Sophos Virus Info (Sober.C)

Symantec Security Response (Sober.C)

Trend Micro Virus Information Center (Sober.C)

Security News:

* Critical patch for MS Internet Security and Acceleration Server 2000

The H.323 filter of Microsoft Internet Security and Acceleration Server 2000 is vulnerable to a buffer overflow in its Microsoft Firewall Service. This buffer overflow could be remotely exploited to execute arbitrary code in the security context of the Microsoft Firewall Service, giving the attacker full control of the vulnerable system.

This vulnerability was discovered in collaborative testing between the UK National Infrastructure Security Co-ordination Centre and the University of Oulu Security Programming Group. More details of that work, which has exposed many other similar flaws in many other products, are given in the 'Multiple H.323 protocol vulnerabilities uncovered' item below.

Microsoft rightly rates this a critical severity vulnerability and users of Microsoft Internet Security and Acceleration Server 2000 are recommended to read the security bulletin below for workaround and patch availability information. Microsoft claims its related Proxy Server 2.0 product is not affected by this vulnerability.

Microsoft Security Bulletin MS04-001

* Fix for Microsoft Exchange Server 2003 privilege elevation issue

Due to vagaries in the way HTTP connections are re-used between Microsoft Exchange Server 2003 running on Windows Server 2003 and Windows 2000 or Windows Server 2003 machines running Outlook Web Access (OWA), users can be connected to the wrong mailbox. The actual conditions are more complex than just suggested - please read the advisory for a description of the precise combination of options and configurations that are vulnerable.

Aside from the obvious privacy issues (which Microsoft does not mention in its security bulletin), there are potential privilege elevation issues as well. As the security bulletin points out, there are no reliable ways to abuse this vulnerability, but despite this many affected sites may consider this more than a moderate severity flaw.

Microsoft Security Bulletin MS04-002

* Patch for remote code execution flaw in MDAC released

Microsoft has released a security bulletin and patch covering a buffer overflow vulnerability in Microsoft Data Access Components (MDAC) that could be exploited to produce a remote code execution attack. Due to some complications inherent in exploiting this vulnerability, Microsoft only rates it as being of 'important' severity rather than 'critical' as might normally be expected of vulnerabilities that allow remote code execution exploits.

MDAC versions 2.5 through 2.8 inclusive, including the 2.8 release shipped with Windows Server 2003, are vulnerable and users of affected versions should seriously consider obtaining and installing the appropriate update as soon as practicable.

Microsoft Security Bulletin MS04-002

* MS03-045 updated for Arabic, Hebrew, Thai NT 4.0 users

Perhaps unlikely to affect many of our (mostly New Zealand) readers, but Microsoft has released updated MS03-045 patches for the Arabic, Hebrew and Thai language versions of the NT 4.0 Server and Workstation. Some users of localised versions of Windows reported installation problems with the original versions of the MS03-045 patch and Microsoft has been releasing updated patches that fix these issues, with this being the latest such revision.

Any users of Arabic, Hebrew or Thai language versions of NT 4.0 Server or Workstation who have had difficulties installing MS03-045 should consider obtaining and installing this updated patch.

Microsoft Security Bulletin MS03-045

* Multiple H.323 protocol vulnerabilities uncovered

Researchers at the UK National Infrastructure Security Co-ordination Centre (NISCC) and the University of Oulu Security Programming Group (OUSPG) have uncovered multiple security flaws in multiple implementations of the H.323 protocol, which is used in many multimedia telephony applications. Hardware and software systems that implement the H.323 protocol include many video conferencing systems, systems using Session Initiation Protocol (SIP), Voice over Internet Protocol (VoIP) and networking equipment or software such as routers, firewalls and Intrusion Detection Systems (IDSes) that may process or analyse H.323 traffic.

OUSPG developed a test suite, similar to those it used previously for testing SNMP and ASN.1 implementations, which, as in those cases, uncovered many implementation errors in many products employing H.323. A list of vendors, with the status of their products known to implement H.323, is available in the NISCC advisory describing the tests and their results. Links to patches or updates, or vendor advisories, for products known to be affected are listed at the end of the NISCC advisory.

NISCC Vulnerability Advisory 006489/H323

* Linux kernel update fixes critical security flaw

Members of the Polish iSEC Security Research group recently announced their discovery of exploitable memory management flaws in the Linux kernel's do_mremap code. All maintained Linux distros have issued updated kernel packages by now, but as this happened over what is conventionally a vacation period, it seems prudent to include coverage in this 'back to work' issue.

Several proof-of-concept exploits have been posted to public mailing lists and the like, so this should be considered an urgent issue to address. The original iSEC advisory, which has been updated several times, is linked below for those thirsting for the gory technical details. Mere mortals may prefer to just check for the availability of a kernel update package with their distributors...

Linux kernel do_mremap local privilege escalation - isec.pl
