IDGNet Virus & Security Watch Monday 17 November 2003

This issue's topics:

Introduction:

* Multiple critical Windows patches; another 'Trojan defence'

Virus News:

* Another successful 'Trojan defence' in UK courts

Security News:

* Critical revision of MS02-050 patch for Windows 2000 SP4 users

* Critical vulnerabilities patched in latest IE cumulative update

* Update for critical remote code execution flaw in Windows 2000, XP

* Arbitrary code execution in multiple versions of Excel, Word fixed

* Update fixes critical FrontPage Server Extensions flaws

* Attempt to backdoor Linux kernel foiled

Introduction:

Tuesday last week (in the US; Wednesday here) was November's 'Windows patch release day', so we have several Windows-related updates to cover. Unlike last month's bumper crop of seven security patches, the second (US) Tuesday in November saw the release of four updates, three of which were rated by Microsoft as critical. The less severe one is still a remote arbitrary code execution bug, but because the user has to actively participate in the compromise, Microsoft weasels out of rating it as a critical vulnerability - users who depend on Word and Excel warning them of the presence of macros, or worse, who assume they are protected because they have set Word and Excel to ignore unsigned macros, are liable to disagree with Microsoft's rating...

Also mentioned is the critical update to a rather old patch - MS02-050 from September last year - necessitated by a regression error in Service Pack 4 for Windows 2000 and an oddity of the Internet Explorer 6.0 Service Pack 1 installation process.

There have been many small flare-ups of malware spreading via various recently disclosed IE vulnerabilities, but nothing of any great consequence, at least to corporate users, as the spread methods were mainly messages sent via IRC - a messaging protocol seldom used in corporate networks. However, another UK court case has seen an acquittal through a 'Trojan defence'. At least this one seemed reasonable, in that a competent forensic examination of the machine showed there was some supporting evidence for the claims.

Virus News:

* Another successful 'Trojan defence' in UK courts

A few weeks back we reported on concerns arising from the success of 19-year-old UK teenager Aaron Caffrey in getting off charges under the UK's computer misuse regulations.

Recall that although Caffrey admitted the involvement of his computer as the 'master' controlling a network of DDoS 'agents' that disrupted Port of Houston computers, the jury found him not guilty, apparently swayed by his claims that his computer had itself been hacked and had attacked the Port of Houston computers not under his control, but at the behest of unknown hackers who had installed a remote access Trojan. This 'Trojan defence' was entirely unsubstantiated by the forensic investigation of his computer.

Subsequent to Caffrey's case, another UK case - the second of its kind this year - saw a man accused of downloading child pornography acquitted because of expert testimony that a Trojan program capable of allowing others to have transferred the image files to his computer was installed on his machine. At least in these cases, however, there was evidence of a Trojan being present.

Hackers get novel defense: The computer did it - computerworld.com

Suspected paedophile cleared by computer forensics - theregister.co.uk

Security News:

* Critical revision of MS02-050 patch for Windows 2000 SP4 users

Due to an error in SP4 for Windows 2000, users with that OS and service pack combination installed who install or re-install Internet Explorer 6.0 SP1 will regress the MS02-050 patch. The fix Microsoft has decided to make to this situation is to issue a special Windows 2000 SP4 version of the MS02-050 patch which should be installed after installing IE 6.0 SP1 on Windows 2000 SP4 machines.

Note that as well as the affected platform, product and service packs, their installation order also contributes to determining the relevance of this patch. Windows 2000 SP4 users with IE 6.0 SP1 installed prior to installing SP4 for their OS need not obtain the updated MS02-050 patch. However, should they subsequently re-install IE 6.0 SP1 they will need to obtain and install the Windows 2000 SP4 version of the MS02-050 patch.

Are we confused yet?
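To make the installation-order rule above less confusing, here is an added example (not from the newsletter or from Microsoft) that replays a machine's install history and reports whether the Windows 2000 SP4 re-release of MS02-050 is still needed. The event names are assumed labels, not Microsoft identifiers.

```python
"""Decide whether the Windows 2000 SP4 version of MS02-050 is required.

Rule (from the bulletin summary): installing or re-installing IE 6.0 SP1
on a machine that already has Windows 2000 SP4 regresses the MS02-050 fix,
and the SP4-specific patch must then be applied *after* that IE install.
IE 6.0 SP1 installed before SP4 does not trigger the regression.
"""

# Constructed event labels (assumptions for this example only).
WIN2K_SP4 = "win2000-sp4"
IE6_SP1 = "ie6-sp1"
MS02_050_SP4 = "ms02-050-win2000-sp4"  # the SP4-specific re-release


def needs_sp4_patch(events):
    """Return True if the MS02-050 fix is currently regressed.

    events: install actions in chronological order; a re-install is
    simply the same event appearing again later in the list.
    """
    have_sp4 = False
    regressed = False
    for ev in events:
        if ev == WIN2K_SP4:
            have_sp4 = True
        elif ev == IE6_SP1 and have_sp4:
            # IE 6.0 SP1 on top of SP4 overwrites the fixed components.
            regressed = True
        elif ev == MS02_050_SP4:
            # Only effective if applied after the offending IE install;
            # a later IE re-install will set `regressed` again.
            regressed = False
    return regressed


def audit(inventory):
    """Map hostname -> True/False for a dict of constructed histories."""
    return {host: needs_sp4_patch(history) for host, history in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, one history per host.
    sample = {
        "ws01": [IE6_SP1, WIN2K_SP4],                  # IE first: fine
        "ws02": [WIN2K_SP4, IE6_SP1],                  # regressed
        "ws03": [WIN2K_SP4, IE6_SP1, MS02_050_SP4],    # fixed correctly
        "ws04": [WIN2K_SP4, MS02_050_SP4, IE6_SP1],    # wrong order
        "ws05": [IE6_SP1, WIN2K_SP4, IE6_SP1],         # IE re-installed
    }
    for host, flag in audit(sample).items():
        print(host, "NEEDS MS02-050 (SP4 version)" if flag else "ok")
```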

Microsoft Security Bulletin MS02-050

* Critical vulnerabilities patched in latest IE cumulative update

Aside from including all security hotfixes since the previous relevant service pack, the latest cumulative updates for Internet Explorer contain fixes for five previously unpatched vulnerabilities. Three of those vulnerabilities are cross-domain security zone flaws rated as critical. For several weeks at least one of these has been actively exploited (by spammers, dodgy web pages, purveyors of banner advertisements, virus writers and the like) to silently install unwanted software on the machines of those innocently visiting their web sites, reading their e-mail and so on.

Obtaining and installing this cumulative update is a "must do", doubly so for those who still use IE for web browsing or whose e-mail client uses embedded IE controls for rendering HTML e-mail messages.

Microsoft Security Bulletin MS03-048

* Update for critical remote code execution flaw in Windows 2000, XP

The Workstation Service in Windows 2000 and XP contains a buffer overflow that can be remotely exploited. Effects of such exploitation could range from crashing the Workstation Service to running arbitrary code in the Local System security context. As the Workstation Service is enabled and listening by default in all versions of NT-based OSes running on machines with supported network interfaces, Microsoft has quite rightly rated this a critical severity flaw.

Normal network firewalling practices should mean that machines in corporate networks are not exposed to the Internet, but the increasing use of laptops, dial-in and other remote access solutions means that many 'corporate' machines may be beyond such measures much of the time. Typical small business and home users are likely to be wide open to attack unless they have personal firewalls or use a NAT-enabled device for connecting to their service provider. 'Standalone' installations may disable the Workstation Service, as it is only needed for file and print sharing on network-connected machines - its absence will not affect a machine's ability to perform Internet-only network tasks.

eEye Digital Security, whose researchers discovered this flaw, has released a security advisory describing the flaw in some detail. Functional proof-of-concept exploits have already been posted to public mailing lists, so in-the-wild exploitation of this bug may not be far off...

A number of messages to the NTBugtraq mailing list have suggested there may be some problems with the patch installer, at least under some circumstances - it would pay to check the archive of this message thread linked below.

Windows Workstation Service Remote Buffer Overflow - eeye.com

Microsoft Security Bulletin MS03-049

Archived NTBugtraq list message - ntbugtraq.com

* Arbitrary code execution in multiple versions of Excel, Word fixed

Buffer overflows in Excel 97, 2000 and 2002, and in Word 97, 98(J), 2000 and 2002, allow macros embedded in spreadsheets or documents to execute regardless of macro security level settings in Excel and Word. As Microsoft's VBA macros can perform almost any system actions standalone programs can, any action the user has permissions to perform on the machine could be done by a macro executed this way.

Microsoft rates the severity of this flaw as 'important'. However, as a Russian hacker published some details of exploiting this vulnerability some time ago, and that information is available on the web, sites that 'must' accept Word documents or Excel spreadsheets from essentially unknown sources should probably treat this as a more pressing concern.

Microsoft Security Bulletin MS03-050

* Update fixes critical FrontPage Server Extensions flaws

FrontPage Server Extensions (FPSE) for 2000 and 2002 (shipped with Windows 2000 and XP, and in the SharePoint Team Services 2002 option in Office XP) has two vulnerabilities, the more serious of which is rated as being of critical severity. The critical severity vulnerability is a buffer overflow in the remote debugging functionality and if exploited could cause FPSE to fail or lead to the execution of arbitrary code with the privileges of the web server application. If the second, less serious, vulnerability were exploited a temporary (but readily repeated) denial of service could be effected against the web server hosting FPSE.

Microsoft Security Bulletin MS03-051

* Attempt to backdoor Linux kernel foiled

Linux kernel code on a less-used distribution site was modified to include a backdoor that would have allowed remote compromise of any machine running a kernel built from that code. Fortunately the unauthorized code change was detected within hours of the change occurring and only a few developers had downloaded the hacked code. Reports of the incident suggest that the lower profile of the server involved meant that less security effort may have been spent on it, but had such a surreptitious change been made to the main kernel code distribution servers, considerably more serious consequences would likely have followed, as many more copies of the compromised code would likely have been downloaded and distributed further.

Linux kernel attack thwarted
