IDGNet Virus & Security Watch Friday 28 November 2003


This issue's topics:

Introduction:

* Opera, OS X, GnuPG, BIND 8 updates; virus birthday

Virus News:

* Delphi timeout warning not a virus (for now)

* It was twenty years ago today...

Security News:

* MS03-035 & MS03-037 updated

* Critical authentication failure in Exchange Server 2003/OWA/SharePoint

* Another Opera update fixes multiple critical security flaws

* Mac OS X security updates

* Workaround for Mac OS X DHCP remote root vulnerability published

* Critical flaw in GnuPG ElGamal signing keys

* BIND 8 users recommended to update

* What Microsoft does to secure its own house...

Introduction:

A critical bug has been uncovered in GnuPG that results in the effective invalidation of all ElGamal signing keys. Users of GnuPG who have ElGamal signing keys, and all users who are unsure, should read the GnuPG item with some alacrity and take the appropriate measures now...

Welcome back! The rest of the week's news is not as 'exciting' I'm afraid, though there is a critical authentication failure in some Exchange OWA configurations that also run SharePoint Service 2.0 installed on the same machines and a critical update for the Opera browser. The Mac OS X security updates that were included with Panther but not released for Jaguar are now available, but Panther users do not get off patch duty - there are further security updates for both platforms included in the latest Mac OS X security update releases.

And talking of Mac OS X, a critical vulnerability allowing remote root compromise has been described and workarounds published after the discoverer grew tired of what he saw as Apple's stalling on releasing a proper fix for the problem. Mac users, especially those with wireless network cards in their laptops, should take a close look at this item.

Aside from those, BIND 8 users are recommended to update again and Microsoft has added Works Suite 2004 to the list of vulnerable products in two of its recent security advisories. The Redmond software developer has also released a white paper describing its in-house security processes and procedures, which we have included as it may be of interest to anyone wondering how to withstand the apparently ceaseless escalation of attacks against Windows machines.

Virus News:

* Delphi timeout warning not a virus (for now)

If you are asked whether the message 'This module was compiled with a trial version of Delphi. The trial period has expired' means the asker has a virus, you'll be able to assure them it probably doesn't. At least, for now that is...

Many Windows users have had this message pop up on their screens in the last couple of days and have had their computing experience curtailed as a result. In fact, Borland, makers of the popular Delphi development tools, has been moved to publish a FAQ about this (linked below). It seems that someone has used a time-limited trial version of Delphi to build an application and has then distributed the application. The 'problem' with this (apart from the legal perspective, namely that Borland's trial licence forbids distributing programs built with its trial versions) is that programs built with such time-limited versions of Delphi enforce the same time limits themselves. When such time-limited programs are executed outside the trial period, they display the message above and refuse to run.

Borland has tracked this recent spate of 'your time is up' messages to the file 'cpr.dll'. That file is a shell extension or browser helper object which some quick Internet searching suggests may be related to online advertising by AdRoar.

Although this shell extension may be an unwanted, even unknowingly installed, pest that may be problematic for many of its victims to remove, it may also be a harbinger of things to come. Delphi has been quite popular among certain segments of the malware-writing fraternity and any of them who have used a time-limited trial version to build their 'creations' will find that in doing so they have also effectively signed the discovery and death warrant of their works.

FAQ: 'The trial period has expired' - borland.com

* It was twenty years ago today...

Well, not quite literally, but sometime this month the twenty year anniversary of the first use of the term 'computer virus', in a discussion between then University of Southern California graduate student Fred Cohen and his research advisor Len Adleman, will pass. Although Cohen - who went on from that discussion to complete a Ph.D. thesis on theoretical aspects of self-replicating computer code - is often credited with coining the term, he freely admits that it was suggested to him by Adleman (who is an acknowledged cryptographer and the 'A' of RSA cryptography fame).

The linked news item is an interesting, brief retrospective of the history of the development of the idea and implementation of self-replicating programs and the problems they have come to cause us.

Decades after creation, viruses defy cure - news.com

Security News:

* MS03-035 & MS03-037 updated

Microsoft has made what it lists as a minor revision to these two security bulletins. As Works Suite 2004 also includes a vulnerable version of Word (Word 2002; the version in Office XP), Works Suite 2004 has been added to the list of vulnerable products in need of the 'undetectable macro' and VBA buffer overflow patches.

Microsoft Security Bulletin MS03-035

Microsoft Security Bulletin MS03-037

* Critical authentication failure in Exchange Server 2003/OWA/SharePoint

Microsoft has confirmed a report posted to the NTBugtraq mailing list (an archived copy of which is linked below) of a critical authentication failure in Outlook Web Access (OWA), whereby users may be given full access to any other randomly chosen user's mailbox. The problem only affects Exchange Server 2003 setups with front-end and back-end Exchange 2003 servers running on Windows Server 2003 and that have SharePoint Service 2.0 installed. In such configurations, Kerberos authentication is disabled in IIS, in turn producing the anomalous authentication behaviour in OWA, as described in the NTBugtraq post.

Microsoft has released a document describing the problem, explaining how to diagnose whether it affects your setup, and describing the reconfiguration necessary to rectify things. We have also provided a link to that below.

Archived NTBugtraq list message - ntbugtraq.com

Exchange 2003 and Outlook Web Access Issue - microsoft.com

* Another Opera update fixes multiple critical security flaws

Finnish security researcher Jouko Pynnonen has discovered two security flaws in Opera 7.22, the popular alternative to IE, suggesting users should update to Opera 7.23 as soon as practicable. Both relate to Opera's handling of 'skin' files with the first being an extension of one of the vulnerabilities discovered by S.G. Masood that we reported last week as being responsible for the release of Opera 7.22.

This newly discovered vulnerability allows a specially prepared web page to deliver files to an Opera user (through Opera's automatic download of files that seem to be skin files) and place them anywhere on the user's hard drive through the use of hex-encoded slashes in the downloaded filename (to escape the skin directory). The zip file-type checks (implemented in Opera 7.22 as a result of Masood's discoveries) are incomplete, and it is possible to create content that passes those tests yet can still be executed. Another group, calling itself 'Operash', discovered this vulnerability independently of Pynnonen.
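The two checks that were missing or incomplete in Opera 7.22, shown as an added example (not Opera's code, nor from the advisory): the filename test must run on the percent-decoded name, and the zip test must not accept an archive with arbitrary bytes in front of it. The skin directory path is an assumed value constructed for the example.

```python
import io
import posixpath
import zipfile
from urllib.parse import unquote

# Assumed skin directory (constructed for this example, not Opera's real layout).
SKIN_DIR = "/home/user/.opera/skin"

def fully_unquote(name: str) -> str:
    """Percent-decode until stable, so '%252e%252e%252f' cannot hide '../'."""
    while True:
        decoded = unquote(name)
        if decoded == name:
            return decoded
        name = decoded

def safe_skin_path(filename: str, skin_dir: str = SKIN_DIR):
    """Return the path a downloaded skin may be written to, or None to refuse.

    The test runs on the *decoded* name: checking the raw name would pass
    'foo%2f..%2f..%2fbar' even though the decoded result leaves skin_dir.
    """
    decoded = fully_unquote(filename).replace("\\", "/")
    if not decoded or "\x00" in decoded:
        return None
    # A skin is one file: any directory separator is refused outright,
    # which also rejects the '..' traversal described in the advisory.
    if "/" in decoded or decoded in (".", ".."):
        return None
    candidate = posixpath.normpath(posixpath.join(skin_dir, decoded))
    # Belt and braces: the resolved path must still sit under skin_dir.
    if posixpath.commonpath([skin_dir, candidate]) != skin_dir:
        return None
    return candidate

def is_plain_zip(data: bytes) -> bool:
    """True only for data that is a zip archive from its very first byte.

    zipfile.is_zipfile() alone accepts bytes prefixed to an archive (how
    self-extracting archives work), so an executable with a zip appended
    would pass it; demanding the local-file-header signature at offset 0
    closes that gap.
    """
    return data[:4] == b"PK\x03\x04" and zipfile.is_zipfile(io.BytesIO(data))

def constructed_zip() -> bytes:
    """Build a tiny valid zip in memory (sample input for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.ini", "[Info]\nName=example\n")
    return buf.getvalue()
```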

Pynnonen also discovered that specially crafted zip files trigger a buffer overflow in Opera that appears to be readily exploitable to execute arbitrary code of an attacker's choice. He did not develop an exploit to prove this, but Opera Software has also patched its zip file handling in the latest release of the browser.

As exploits of the directory traversal vulnerability and several other recently fixed Opera vulnerabilities have been publicly posted, Opera users should obtain and install this latest update as soon as practicable. Also note that as of Opera 7.22, the version of Sun Java bundled with the Java-enabled download has been updated to 1.4.2_01, which also contains some Java security updates, so users of the Java version would be advised to obtain the full download this time to update both the browser and their Java implementation.

Opera directory traversal and buffer overflow vulns - jouko.iki.fi

Opera 7 Arbitrary File Auto-Saved Vulnerability - 'Operash' web site

Opera download page - opera.com

* Mac OS X security updates

Apple has released security updates for both Panther (OS X 10.3.1) and Jaguar (OS X 10.2.8). Both patch a couple of moderate severity bugs in OpenSSL and zlib, and the Jaguar update also includes patches for several vulnerabilities we reported a few weeks ago as being fixed in the Jaguar release.

Security Update 2003-11-19 for Jaguar 10.2.8 - apple.com

Security Update 2003-11-19 for Panther - apple.com

* Workaround for Mac OS X DHCP remote root vulnerability published

William Carrel has published an advisory describing a remote root vulnerability in server and workstation versions of Mac OS X 10.2.x, 10.3.x and probably many or all previous versions. The problems arise from the default Mac OS X settings which allow various administrative settings to be provided via DHCP. Carrel's advisory describes basic workaround approaches to prevent, or significantly reduce, the attack surface exposed through the default configuration.

Malicious DHCP response can grant root access - carrel.org

* Critical flaw in GnuPG ElGamal signing keys

Full compromise of ElGamal sign+encrypt (type 20) keys generated by GnuPG 1.0.2 or later, or used by GnuPG 1.0.2 or later to sign anything, has been demonstrated, due to a serious flaw in GnuPG's implementation of this feature. According to the GnuPG advisory announcing this flaw and the recommended remediation steps, nearly all ElGamal signing keys can be recovered from signed material with a few seconds' decryption effort.

GnuPG allows ElGamal signing for historic reasons, but has always strongly discouraged its use, including forcing the user to go to extraordinary lengths to even create such a key. Only a few new ElGamal keys are registered with the public key servers each year, but the scope of this compromise is such that the GnuPG developers recommend that all ElGamal sign+encrypt keys that have been used to sign anything with GnuPG 1.0.2 or later be considered compromised and be revoked by their owners immediately. Further, they suggest that even ElGamal sign+encrypt keys generated with, and only used for signing with, previous versions of GnuPG should also be revoked. The GnuPG developers are removing all support for ElGamal signing from future versions of the product.

Note that ElGamal encrypt-only keys are not affected by this problem and need not be revoked.
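Telling the affected type 20 keys apart from unaffected encrypt-only (type 16) keys comes down to one byte in each OpenPGP key packet. The following added example (not GnuPG's code) walks a binary, non-armored key export, parsing both RFC 2440 header formats, and lists every key or subkey packet whose public-key algorithm is 20; the sample packet bodies are constructed with dummy MPIs, not real keys.

```python
import struct

# Public-key algorithm IDs (RFC 2440 9.1): 16 = ElGamal encrypt-only (unaffected),
# 20 = ElGamal sign+encrypt, the "type 20" keys the advisory says to revoke.
ELGAMAL_SIGN_AND_ENCRYPT = 20
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in binary (non-armored) OpenPGP data."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (pos - 1))
        if ctb & 0x40:                      # new-format header (RFC 2440 4.2.2)
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header (RFC 2440 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length

def key_algorithm(body: bytes) -> int:
    """Algorithm ID of a key packet: v4 = version, 4-byte time, algo; v2/v3 add 2 validity bytes."""
    return body[5] if body[0] == 4 else body[7]

def find_elgamal_signing_keys(data: bytes):
    """Kinds of every key packet whose algorithm is ElGamal sign+encrypt (20)."""
    return [KEY_TAGS[tag] for tag, body in iter_packets(data)
            if tag in KEY_TAGS and key_algorithm(body) == ELGAMAL_SIGN_AND_ENCRYPT]

def constructed_key_body(algorithm: int) -> bytes:
    """Constructed v4 key packet body with three dummy 1-byte MPIs (sample input, not a real key)."""
    return bytes([4]) + struct.pack(">I", 1069977600) + bytes([algorithm]) + b"\x00\x02\x03" * 3
```

Run it over `gpg --export` (binary) or `gpg --export-secret-keys` output; any "secret key" or "public key" hit is a candidate for revocation, while type 16 subkeys are reported as nothing.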

GnuPG's ElGamal signing keys compromised - gnupg.org

* BIND 8 users recommended to update

Internet Software Consortium (ISC) recommends that all BIND 8 users update to the latest release, 8.4.3. This new release fixes a possible DNS cache poisoning attack and adds IPv6 transport support to several BIND components. Full source is available from ISC directly, and many popular distributions that include BIND have shipped update packages (the rest must be close to follow...).

ISC BIND 8 - isc.org

* What Microsoft does to secure its own house...

Microsoft has released a technical white paper describing what its own Corporate Security Group does 'to prevent malicious or unauthorized use of digital assets at Microsoft'. Those running security in Windows-based environments may be especially interested in reading this white paper...

Security at Microsoft - microsoft.com
