IDGNet Virus & Security Watch Friday 21 November 2003


This issue's topics:

Introduction:

* More Mimails; critical SAP DB & Web-tools, Opera updates

Virus News:

* New Mimail variants add identity theft to repertoire

Security News:

* Surviving the first few hours of Windows XP...

* Be wary of 'guest' accounts on Exchange boxes

* XP SP2 changes may impact developers - details released

* Opera browser update fixes two serious vulnerabilities

* Multiple SAP DB Web-tools issues fixed

* Critical flaws in SAP DB fixed

Introduction:

A number of remote access Trojans, spyware and adware are still being installed via exploits of 'old' Internet Explorer vulnerabilities, at least one of which was patched two or three cumulative IE upgrades back. Aside from that, the malware scene has been fairly quiet this week apart from the appearance of two new Mimail variants, accounting for about a hundred thousand detects between them at MessageLabs as I finish off this issue of the newsletter.

On the security front, we have critical updates for SAP DB and SAP DB Web-tools, and for the popular alternative to IE, Opera. Also, Microsoft has released a draft discussion paper on the likely consequences for third-party developers of the security changes it expects to introduce to Windows XP with the release of SP2, we have a warning about possible abuse of 'guest' accounts on Exchange boxes, and a guide to putting a 'fresh' XP install on the Internet (to get the security patches, etc. it needs) without getting it trashed by Blaster and friends (which are still out there in spades).

Virus News:

* New Mimail variants add identity theft to repertoire

Shortly after filing last week's copy, a new Mimail variant - Mimail.I - started its run. Unlike previous members of its family, Mimail.I forgoes the distributed denial of service (DDoS) attack payload in favour of an identity theft scam. E-mail messages sent by Mimail.I claim to be from the popular online payment management service PayPal.

These messages suggest that the recipient's account is about to be suspended and that they must update their personal details as part of a new security policy to prevent this. The message indicates that running the attached application is the way to update the necessary information. In fact, if the application is run, it copies itself to the Windows installation directory and sets a registry value to run that copy at successive startups. It also displays a dialog box apparently asking for the required information, which is actually saved to a file and sent to several e-mail addresses, presumably accessible to those behind this scam. Mimail.I also collects a list of e-mail addresses from several sources on the victim machine and starts mailing itself out in messages just like those it arrived in, completing the cycle...
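As an added, defender's-side example that is not part of the original newsletter, the script below audits an exported Windows Run key for the persistence pattern described above: an executable dropped directly into the Windows installation directory and registered to start at every boot. The .reg text is constructed sample data, the value names in it are invented, and the Windows directory path C:\WINDOWS is an assumption; the script reports entries for a human to check rather than deciding anything is malware.

```python
"""
Triage heuristic for Windows autorun entries: flag Run-key values whose
program sits directly in the Windows installation directory, the drop
location described for Mimail.I. (Added example, not from the newsletter.)
"""
import re
from pathlib import PureWindowsPath

# Constructed sample export of a Run key; the value names are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SampleDropper"="C:\\WINDOWS\\svchost32.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"""

# Matches [HK...\CurrentVersion\Run] and RunOnce-style key headers.
RUN_KEY_RE = re.compile(r"^\[(HK[^\]]*\\CurrentVersion\\Run[^\]]*)\]$", re.I)
# Matches "name"="string value" lines inside a key.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_entries(reg_text):
    """Return (key, value_name, command) tuples for string values under Run keys."""
    entries = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        header = RUN_KEY_RE.match(line)
        if header:
            current_key = header.group(1)
            continue
        if line.startswith("["):          # some other key: stop collecting
            current_key = None
            continue
        if current_key is None:
            continue
        value = VALUE_RE.match(line)
        if value:
            name, raw = value.groups()
            # .reg exports escape quotes as \" and backslashes as \\
            command = raw.replace('\\"', '"').replace("\\\\", "\\")
            entries.append((current_key, name, command))
    return entries


def executable_path(command):
    """Extract the program path from a Run command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def is_in_windows_root(path, windir="C:\\WINDOWS"):
    """True if the program lives directly in the Windows directory (assumed C:\\WINDOWS)."""
    return str(PureWindowsPath(path).parent).lower() == windir.lower()


def suspicious_entries(reg_text, windir="C:\\WINDOWS"):
    """Return (value_name, program_path) pairs worth a closer look."""
    flagged = []
    for _key, name, command in parse_run_entries(reg_text):
        program = executable_path(command)
        if is_in_windows_root(program, windir):
            flagged.append((name, program))
    return flagged


if __name__ == "__main__":
    for name, program in suspicious_entries(SAMPLE_REG_EXPORT):
        print(f"review autorun value {name!r} -> {program}")
```

Feed it the output of `reg export` for the HKCU and HKLM Run keys; anything it lists still needs manual confirmation, since legitimate software occasionally installs into the Windows directory too.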

Mimail.I made moderate headway over the weekend, but by Tuesday morning another variant - Mimail.J - was on the loose. Mimail.J is much like Mimail.I, sticking to the PayPal identity theft scam, albeit with a slightly different message, but has been considerably more successful in terms of sheer numbers of copies reported. For example, UK e-mail ASP MessageLabs reports having stopped, as of this writing, about three times as many Mimail.J as Mimail.I messages. The relative success of Mimail.J partly reflects the fact that it seems to have been deliberately 'seeded' - that is, someone (presumably the virus' writer) has spammed thousands of copies of virus-carrying messages in the hope that this will get Mimail.J better distributed and established.

MessageLabs' Virus Eye - messagelabs.com

Computer Associates Virus Information Center - 37542

Computer Associates Virus Information Center - 37596

F-Secure Security Information Center - mimail_i

F-Secure Security Information Center - mimail_j

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library - v_100822

Network Associates Virus Information Library - v_100825

Sophos Virus Info - w32mimaili

Sophos Virus Info - w32mimailj

Symantec Security Response - w32.mimail.i

Symantec Security Response - w32.mimail.j

Trend Micro Virus Information Center - mimail.i

Trend Micro Virus Information Center - mimail.j

Security News:

* Surviving the first few hours of Windows XP...

Background levels of Blaster, and of other malware spreading through common security misconfigurations or unpatched vulnerabilities in 'virgin' Windows XP installations, are high enough to cause serious problems, particularly for newly acquired or installed machines. From most parts of the Internet, you cannot connect a default installation of Windows XP to the net and download the necessary service packs and/or system and application security patches and hotfixes before one or more of these viruses, worms and other malware programs infests the machine.

Faced with such a scenario, what do you do to ensure that the new PC and high-speed Internet connection you plan for Christmas is not chewing huge amounts of your expensive bandwidth serving wares, spewing viruses and worms and so on within a few minutes of being extracted from the packaging and all plugged-in?

The incident handlers and others at the SANS Institute's Internet Storm Center (ISC) have put together a step-by-step guide explaining the minimum system hardening steps necessary to safely connect an otherwise 'virgin' Windows XP machine to the Internet. The thirteen page, 1.2 MB PDF describes, in simple language and with plenty of illustrative screen shots, disabling File and Print Sharing, the need for setting strong passwords, enabling Internet Connection Firewall and a few related procedures. Equally important, it explains the steps involved in using Windows Update for the first time, which is usually a multi-step 'patch, reboot, repeat' process although this is not necessarily obvious to many users.

So, if you are considering upgrading to XP or to a new XP machine, or if you know other home or small business users struggling with an 'unusable' Internet connection, this guide may be just the ticket... (Note that if you do use this guide, more complete material covering fully hardening XP systems is linked in the 'References' section.)

Windows XP: Surviving the First Day - isc.sans.org (PDF)

* Be wary of 'guest' accounts on Exchange boxes

Not surprisingly, Exchange boxes that have 'guest' enabled and have 'guest' as an Exchange user can be abused for sending spam. This was highlighted in a message posted to the Full-Disclosure security mailing list earlier this week, an archived copy of which is linked below. The poster points out that the standard installation and configuration steps for setting up Exchange, at least for Exchange 2000 and later on Windows 2000 and later OSes, should mean the problem does not exist.

Administrators of any Exchange configuration worried that they may be relaying spam (there have been claims that this reported 'hole' has been used for sending large volumes of spam recently) should read the archived list message to help clarify the possible issues, particularly if running an older version of Exchange on NT.

Archived Full-Disclosure list message - netsys.com

* XP SP2 changes may impact developers - details released

Microsoft has released a draft paper describing the implications for developers of the multiple security enhancements to be introduced in XP SP2. Several changes mean that services or functions developers could previously expect to be available will now be disabled by default, or that new security procedures will require extra work on the developer's part to access certain services.

The draft paper is available from the MSDN site at the link below.

Windows XP Service Pack 2: A Developer's View - microsoft.com

* Opera browser update fixes two serious vulnerabilities

An Indian security researcher, S. G. Masood, has discovered a collection of serious vulnerabilities in the Opera web browser that allow arbitrary code execution. A sample proof of concept exploit showing how to use these vulnerabilities was also publicly posted, so Opera users would be well-advised to obtain the latest release (7.22 as this was written) and install it as soon as practicable.

Archived copies of Masood's advisories, posted to the Full-Disclosure mailing list, are linked below:

Archived Full-Disclosure list messages - netsys.com (013545)

Archived Full-Disclosure list messages - netsys.com (013546)

Archived Full-Disclosure list messages - netsys.com (103547)

* Multiple SAP DB Web-tools issues fixed

Security researchers at @stake have uncovered multiple security flaws in SAP DB Web-tools prior to version 7.4.03.30. The flaws are present in versions across the OSes supported by the product and include several severely critical vulnerabilities such as remote execution of arbitrary code, administrator authentication bypass and retrieval of files that should not be accessible. @stake has been discussing these vulnerabilities for over a year with SAP and the recently released version 7.4.03.30 addresses all the problems.

Multiple Issues with SAP DB Web-tools - atstake.com

* Critical flaws in SAP DB fixed

@stake researchers (see previous item) also found privilege escalation and buffer overflow flaws in SAP DB versions prior to 7.4.03.30. The buffer overflow is suspected to allow remote arbitrary code execution and, on Windows, the privilege escalation bug grants local system user rights to an attacker exploiting it.

Aside from updating to the 7.4.03.30 release, @stake's advisory carries some further advice on securing SAP DB installations.

SAP DB priv. escalation/remote code execution - atstake.com
