[Virus & Security Watch] Flash Player, J2EE, MS03-049 patches; phish'n'URLs?; Blasted power


Introduction:

* Flash Player, J2EE, MS03-049 patches; phish'n'URLs?; Blasted power

Virus News:

* Blaster and the North American power blackout...

Security News:

* IE & Mozilla URL obfuscation flaws...

* Time to re-evaluate MS03-049 patching policy?

* Macromedia Flash Player predictable filename fix

* Remote code execution in J2EE 1.4 reference implementation

Introduction:

First, a reminder that this is the last Virus & Security Watch for 2003.

Hopefully your pagers and cell phones will be silent over the Christmas break so you can fully appreciate the festive season...

There has been very little of great consequence this week, apart from extensive, ongoing discussions about the mis-handling of certain specially-crafted URLs by Internet Explorer and, to a lesser extent, Mozilla. Microsoft has released a Knowledge Base article discussing some of the issues, but what is really needed is a patch so IE users are not exposed to identity theft scams (or 'phishing expeditions' as these have come to be known) made even more difficult to spot through the use of these URL-obscuring bugs.

Other Microsoft Windows news is that some of the RPC vulnerabilities known to be behind Blaster and related worms have been found to be reachable by means other than the traditional RPC ports; suitable firewalling of those ports has been the basis of some network defences against this worm and related attacks. The security advisory from Core Security Technologies addressing these developments is discussed below.

The virus front has been quiet in terms of 'large stories', although there has been an unusual amount of remote access Trojan (RAT) or 'backdoor' activity in the last few weeks. As these are largely not self-spreading, this has not amounted to a 'large outbreak' type story, but those working behind the scenes in the analysis labs have been kept especially busy. Of interest to our readers, we hope, is a commentary by Bruce Schneier on the likely role of the Blaster worm in August's power blackouts in the central/north-east US and adjoining parts of Canada.

Have a safe holiday season and we hope to see you back reading our first issue of the new year on Friday 16 January 2004.

Virus News:

* Blaster and the North American power blackout...

Ever since the event earlier this year, speculation has been rife as to what role, if any, the Blaster worm had in the North American power blackout of 14 August. An interim report from an ongoing analysis of the events leading up to the blackout suggests that Blaster played no contributing part in the event, but renowned computer security specialist Bruce Schneier is not so sure.

In a recent commentary on the interim report, Schneier pays particular attention to a sequence of computer monitoring system failures, detailed chronologically in the report, that took out several critical monitoring functions in the elaborate scheme of checks and balances whose ultimate failure caused the power surge that produced the blackout. The report does not describe the causes of these monitoring system failures (nor, apparently, have they been investigated yet), but Schneier notes that the sequence of events, as the report describes it, is highly suggestive of networked systems being compromised one after another by a network worm. As Blaster was still very much active and widespread on the date of the blackout, Schneier suggests the coincidence is too obvious to ignore.

To read all of Schneier's commentary, which includes a link to the interim report (in case you want some weighty Christmas reading!), follow the link below.

Internet worms and critical infrastructure - news.com

Security News:

* IE & Mozilla URL obfuscation flaws...

Scams attempting to obtain users' online identification details, such as PayPal or electronic banking login information (and more), have become increasingly common, and in the last couple of weeks a problem in Internet Explorer, and to a lesser extent in Mozilla, has exacerbated fears of increased risk of such scams. It transpires that certain 'non-printable' characters cause the string parsing routines in IE that display the URL in the browser's address field, title bar and status bar to quit prematurely, so that only the first part of the actual URL is displayed. IE's URL address parsing logic is not similarly short-circuited, so the browser shows the content of the 'desired' page while possibly displaying quite a different URL in the address bar (or in the status bar, if users hover their mouse over the malformed links rather than follow them).

Mozilla has a similar problem, though is affected by fewer of these 'special' characters.

Microsoft has not released a fix for IE addressing this yet, but it has published a Knowledge Base article describing how to determine the 'true' URL behind a link (though, realistically, this is not something you will be able to train most of your users to do!).

Identify and protect yourself from deceptive Web sites - microsoft.com
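The mismatch described above (a display routine that stops at the first non-printable character versus the host the request actually goes to) can be checked mechanically. The following is an added example written for this issue, not code from Microsoft or from the original article: it models the truncating display routine, uses Python's standard URL parser to find the real host (which, per RFC 2396, is whatever follows any user:password@ prefix), and flags a link when the two disagree or when control characters are present at all. The sample links, including the 198.51.100.7 documentation address, are constructed for the example.

```python
"""Compare what a truncating URL display would show with the real destination.

Added example; not part of the original article. It assumes a display routine
that halts at the first ASCII control character, which is the behaviour the
article attributes to IE's address, title and status bar rendering.
"""
import re
from urllib.parse import unquote, urlsplit

# Characters a C-string style display routine would treat as end-of-string.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample links (not taken from any real phishing message).
SAMPLE_LINKS = [
    "http://www.example.com/login",
    "http://www.example.com\x01@198.51.100.7/signin",
    "http://www.example.com%01@198.51.100.7/signin",
    "https://user:secret@www.example.com/",
]


def displayed_prefix(url):
    """Part of the URL a display routine that stops at the first control
    character would show (the whole URL when there are none)."""
    match = CONTROL_CHARS.search(url)
    return url if match is None else url[: match.start()]


def true_host(url):
    """Host the request really goes to. urlsplit().hostname discards any
    user:password@ prefix and port, which is the RFC 2396 interpretation."""
    return urlsplit(url).hostname


def apparent_host(url):
    """Host a reader would infer from the displayed (possibly truncated) text.
    If the '@' survives truncation the real host is visible, and this equals
    true_host(); if it was cut off, the decoy prefix is read as the host."""
    return urlsplit(displayed_prefix(url)).hostname


def analyze(link):
    """Decode percent-escapes the way a browser would before parsing, then
    report whether the displayed and real destinations differ."""
    url = unquote(link)
    controls = CONTROL_CHARS.findall(url)
    real = true_host(url)
    seen = apparent_host(url)
    return {
        "displayed": displayed_prefix(url),
        "true_host": real,
        "apparent_host": seen,
        "control_chars": controls,
        "suspicious": bool(controls) or seen != real,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyze(link)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} shown={result['displayed']!r} "
              f"real={result['true_host']} apparent={result['apparent_host']}")
```

A link with a legitimate user:secret@ prefix and no control characters is not flagged, because the full text, host included, is displayed; the check only reacts when something would be hidden from the reader.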

* Time to re-evaluate MS03-049 patching policy?

Researchers at Core Security Technologies have released a security advisory describing further Microsoft DCE RPC vulnerabilities. These vulnerabilities are fixed in the latest DCE RPC patches described in Microsoft's MS03-049 security bulletin, but as Core Security's researchers show, several of the previously known vulnerabilities and some of these new ones are exposed on more network ports than the original security bulletin described.

When the original MS DCE RPC vulnerabilities were announced, many organisations already had (or quickly implemented) what seemed like suitable firewalling of the conventional MS DCE RPC ports. In light of this, some sites have elected to delay, at least for their 'non-critical' and/or 'purely internal' machines, installation of the MS03-049 updates until they appear in a service pack. Sites that have taken such an approach to dealing with the MS DCE RPC vulnerabilities and patches should read the Core Security advisory, linked below, and at least check that their firewall policies and rules are sufficient to cover the new MS DCE RPC exposures described in the advisory.

DCE RPC Vulnerabilities New Attack Vectors Analysis

* Macromedia Flash Player predictable filename fix

Although it is claimed not to be directly exploitable, a vulnerability in Macromedia's Flash Player web browser plugin can be used to leverage greater effect from other web browser vulnerabilities. The problem is that the Flash Player can be made to store some of its content in a predictable location and filename and thus can be combined with other browser vulnerabilities to expose a greater attack surface.

Recent proof of concept exploits for vulnerabilities in Internet Explorer and Opera have incorporated exploitation of this Flash Player vulnerability to demonstrate the browser vulnerabilities. If left unfixed, this Flash Player vulnerability could also be used in future exploits of other browser vulnerabilities that require knowledge of a file location on the client machine hosting the browser.

Macromedia has released a security bulletin (linked below) and updated versions of the Flash Player (version 7.0.19.0) to address this issue.

Macromedia security bulletin MPSB03-08
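The general defect here, content written to a location an outsider can predict, is easy to see in a small cache writer. The following is an added example and is not Macromedia's code, nor a description of how the Flash Player itself names its files: the first writer derives the file name deterministically from the content's URL, so anyone who knows the URL and the cache directory knows the path before the file exists; the second lets tempfile.mkstemp choose a random name and create the file exclusively. The cache directory and the .swf suffix are assumptions of the example.

```python
"""Predictable versus unpredictable on-disk cache locations.

Added example, not from the original article or from Macromedia. Both writers
store the same bytes; they differ only in how the destination name is chosen.
"""
import hashlib
import os
import stat
import tempfile


def predictable_cache_path(cache_dir, url):
    """Weak: the name is a pure function of the URL, so it can be computed
    by anyone who knows the URL, before the content is ever fetched."""
    digest = hashlib.sha256(url.encode()).hexdigest()[:16]
    return os.path.join(cache_dir, f"cache_{digest}.swf")


def store_predictably(cache_dir, url, content):
    path = predictable_cache_path(cache_dir, url)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def store_unpredictably(cache_dir, content):
    """Fixed: mkstemp picks a random name, opens it with O_EXCL so a
    pre-existing file of that name is never reused, and uses mode 0600."""
    fd, path = tempfile.mkstemp(prefix="cache_", suffix=".swf", dir=cache_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def demo(url="http://www.example.com/movie.swf", content=b"constructed bytes"):
    """Write the same content twice with each strategy and report what an
    outsider could or could not have known in advance."""
    with tempfile.TemporaryDirectory() as cache_dir:
        p1 = store_predictably(cache_dir, url, content)
        p2 = store_predictably(cache_dir, url, content)
        r1 = store_unpredictably(cache_dir, content)
        r2 = store_unpredictably(cache_dir, content)
        mode = stat.S_IMODE(os.stat(r1).st_mode)
        with open(r1, "rb") as fh:
            stored = fh.read()
        return {
            # Same URL -> same path, both times: guessable without any access.
            "predictable_path_repeats": p1 == p2,
            # Random names: two writes of identical content land in two files.
            "random_paths_differ": r1 != r2,
            "random_name_matches_pattern": os.path.basename(r1).startswith("cache_"),
            "random_file_private": mode & 0o077 == 0,
            "content_intact": stored == content,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point is not the hash: a name derived from any public input is predictable. What removes the exposure is a name chosen from the OS's random source at creation time, combined with exclusive creation so that a file planted at the name beforehand cannot be silently reused.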

* Remote code execution in J2EE 1.4 reference implementation

Marc Schoenefeld has described a method of remotely executing arbitrary programs already hosted on a J2EE machine running the Pointbase 4.6 database (which is bundled with the J2EE 1.4 reference implementation).

Schoenefeld claims that Sun has denied responsibility for this issue as the problem is really in the Pointbase database server (Schoenefeld's description suggests the core issue here is an SQL injection issue). No update is available to address the issue, but J2EE 1.4 users may wish to check Schoenefeld's advisory (an archived copy of which, from the Bugtraq mailing list, is linked below) for a description of a security manager workaround Schoenefeld claims addresses the problem.

Archived Bugtraq list message - securityfocus.com
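Schoenefeld's description, as summarised above, points at SQL injection as the underlying defect. The following is an added example, not code from the advisory and not PointBase or J2EE: it uses SQLite and a constructed two-row table to show how a statement assembled by string concatenation lets the input change the statement's meaning, and how binding the same input as a parameter leaves the statement's structure fixed. The table, column names and rows are assumptions of the example.

```python
"""String-built versus parameterised SQL.

Added example; not from the original article, the advisory or PointBase.
SQLite is used only because it ships with Python and runs in memory.
"""
import sqlite3

# Constructed data for the example.
CONSTRUCTED_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """In-memory database with one small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Defective: the caller's text becomes part of the SQL grammar, so a
    quote character in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, name):
    """Corrected: the statement is fixed text and the value is bound by the
    driver, so whatever the input contains it is compared as a string."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run a benign and a quote-bearing input through both lookups."""
    conn = make_db()
    benign = "alice"
    # Input that closes the literal and appends an always-true condition.
    crafted = "nobody' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "fixed_benign": lookup_fixed(conn, benign),
        "fixed_crafted": lookup_fixed(conn, crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenated statement the crafted input returns every row, because the WHERE clause no longer means what the author wrote; the parameterised version looks for a user literally named nobody' OR '1'='1 and returns nothing. The same principle applies to JDBC's PreparedStatement in the J2EE setting the advisory concerns.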
