IDGNet Virus & Security Watch Friday 26 September 2003


This issue's topics:

Introduction:

* Big Windows virus, critical Windows patch

Virus News:

* Swen will it all end?

* US State department 'Welching' on visa applications?

Security News:

* New DCOM RPC vulnerability a blast from the past?

* OpenSSH update fixes buffer overflows

* Multiple security flaws fixed in Mac OS X update

* ProFTPD server update

Introduction:

I'm in a rush this week, so the introduction is especially brief...

This week we cover a major new Windows virus outbreak and a critical Windows security patch. Less serious flaws in common Unix and Linux applications are also included.

Virus News:

* Swen will it all end?

Yet another very fast-spreading mass-mailing virus has been ripping through the net for the last week. Known as Win32/Swen, its 'success' seems likely to be (partly) due to the recent awareness-raising among users of the need to regularly update their Windows systems, particularly by installing security patches. Swen generates e-mail messages claiming to be the latest Microsoft security updates and urging the recipient to 'install' the attached patch. Of course, that 'patch' is simply a copy of the virus. Swen also creates false 'bounce' messages, and many of the messages it creates attempt to exploit a very old Internet Explorer 'auto-execute' vulnerability.

As of this writing, UK-based e-mail ASP MessageLabs has recorded approximately 110,000 instances of Swen in the last 24 hours. Unfortunately MessageLabs' longer-term statistics are not updating properly, so totals for the last week or so of Swen's distribution are not available.

MessageLabs VirusEye daily statistics - messagelabs.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center
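As an added example (not from the newsletter or any vendor), a small Python triage routine for the lure described above: it flags a message that combines 'Microsoft security update' wording with an attachment that is an executable by name or by its PE header. The sample message is constructed for the example; the attachment name and sender are placeholders.

```python
import email
from email import policy

# Constructed sample message modelled on the lure described above: it poses as a
# Microsoft security update and carries the "patch" as an executable attachment.
SAMPLE_MAIL = b"""\
From: "Microsoft Security Center" <update@example.invalid>
To: user@example.invalid
Subject: Latest Microsoft Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the attached patch immediately to protect your system.
--b1
Content-Type: application/octet-stream; name="Q123456.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Q123456.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

EXEC_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat")
LURE_WORDS = ("security update", "patch", "microsoft")


def triage(raw: bytes) -> dict:
    """Flag a message that pairs patch-lure wording with an executable attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    body, findings = "", []
    for part in msg.walk():
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            payload = part.get_payload(decode=True) or b""
            if name.endswith(EXEC_EXTENSIONS):
                findings.append(f"executable attachment name: {name}")
            if payload.startswith(b"MZ"):      # PE header, whatever the declared type
                findings.append(f"attachment {name} has a PE (MZ) header")
        elif part.get_content_type() == "text/plain":
            body += part.get_content().lower()
    lure = any(w in subject or w in body for w in LURE_WORDS)
    verdict = "quarantine" if lure and findings else "pass"
    return {"lure": lure, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_MAIL))
```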

* US State department 'Welching' on visa applications?

Welchia (aka Nachi) - the 'anti-Blaster worm' in the news on the heels of Blaster a few weeks back - has been confirmed as the cause of a several-hour cessation of US visa application processing worldwide earlier this week. US State Department spokespeople have admitted that Welchia was at the heart of a disruption to the internal computer system used for checking visa applicants against a database of known and suspected terrorists and other undesirables.

State Department visa system disrupted by virus - computerworld.com

Security News:

* New DCOM RPC vulnerability a blast from the past?

Last week Microsoft released another patch for remotely exploitable DCOM RPC vulnerabilities. Do not be confused - this is _not_ the same thing as the MS03-026 vulnerability that was so effectively exploited by the recent Blaster worm and its imitators. In fact, the new patch fixes two new remotely exploitable buffer overflows that allow execution of arbitrary code, and a denial of service against the DCOM/RPC interface that, if suitably attacked, crashes the RPC service, rendering several core Windows OS functions inoperable.

All NT-based versions of Windows are affected (NT 4.0 Workstation, Server and Terminal Server, all Windows 2000 releases, Windows XP and Windows Server 2003), and the two buffer overflow vulnerabilities are quite rightly rated as being of 'critical' severity on all affected platforms. Regardless of whether the MS03-026 patch has been applied to all vulnerable machines in your organization, moving attention to testing and rolling out MS03-039 across the board should now be a top priority. The MS03-039 patches supersede the relevant MS03-026 precursors, so they can be properly installed on machines that have not yet been patched to MS03-026 level.

Microsoft Security Bulletin MS03-039

* OpenSSH update fixes buffer overflows

It is unclear whether the buffer overflows fixed in the latest patches for OpenSSH are exploitable, but, preferring to err on the side of caution, the OpenSSH maintainers have released patches. Taking the same line, the distributors of most popular Linux, Unix and other flavours of OpenSSH have released (or soon will) update packages. Either download the latest patches and rebuild, or check with your distributors for the availability of updated packages. The new version is 3.7.1.

Portable OpenSSH users who use PAM should get the subsequent 3.7.1p2 updates to fix additional flaws in the PAM code.

OpenSSH Security Advisory: buffer.adv - openssh.org

Portable OpenSSH Security Advisory: sshpam.adv - openssh.org

* Multiple security flaws fixed in Mac OS X update

Apple Computer Inc recommends that all OS X users update to the latest Mac OS X release, 10.2.8, which includes many security updates. Availability of patches and a brief outline of each update are available on the page linked below.

Apple Security Updates - apple.com

* ProFTPD server update

Versions 1.2.7 through 1.2.9rc2 of ProFTPD are vulnerable to remote exploitation of an ASCII translation flaw. Users of these (and any earlier versions) are strongly advised to update to the latest release (1.2.8p or 1.2.9rc2p) to avoid this flaw.

ProFTPD ASCII File Remote Compromise Vulnerability - iss.net

ProFTPD home page - proftpd.org
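As an added example (not from the newsletter, OpenSSH or ProFTPD), a small Python inventory check covering both the OpenSSH and ProFTPD items above: it parses version strings carrying rc and p suffixes and tests them against the affected ranges this issue states. The relative ordering of rc and p suffixes is an assumed convention, and the banner line in the demo is constructed.

```python
import re

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:rc(\d+))?(?:p(\d*))?$")


def version_key(version: str) -> tuple:
    """Sortable key for strings like '3.7.1p2', '1.2.9rc2' or '1.2.8p'.
    Assumed ordering: 1.2.9rc1 < 1.2.9rc2 < 1.2.9rc2p < 1.2.9 < 1.2.9p1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))            # so 3.7 compares like 3.7.0.0
    is_final = 0 if m.group(2) else 1         # release candidates sort before the final
    rc = int(m.group(2)) if m.group(2) else 0
    if m.group(3) is None:                    # no 'p' suffix at all
        patch = 0
    else:                                     # bare 'p' (ProFTPD 1.2.8p) counts as p1
        patch = int(m.group(3)) if m.group(3) else 1
    return (nums, is_final, rc, patch)


def openssh_version_from_banner(text: str) -> str:
    """Pull '3.7.1p2' out of an 'ssh -V' line or an 'SSH-2.0-OpenSSH_...' banner."""
    m = re.search(r"OpenSSH_([0-9][0-9A-Za-z.]*)", text)
    if not m:
        raise ValueError("no OpenSSH version in banner")
    return m.group(1)


# Affected ranges [lower inclusive, upper exclusive) as stated in this issue.
VULNERABLE = {
    "openssh":     [("0", "3.7.1")],                   # buffer overflows, fixed in 3.7.1
    "openssh-pam": [("0", "3.7.1p2")],                 # portable build using PAM: needs 3.7.1p2
    "proftpd":     [("0", "1.2.8p"), ("1.2.9rc1", "1.2.9rc2p")],  # ASCII translation flaw
}


def needs_update(product: str, version: str) -> bool:
    """True if `version` of `product` falls in a range this issue reports as affected."""
    k = version_key(version)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in VULNERABLE[product])


if __name__ == "__main__":
    # Constructed banner line for the demo, not real output from any host.
    v = openssh_version_from_banner("OpenSSH_3.6.1p2, SSH protocols 1.5/2.0")
    print(v, needs_update("openssh", v), needs_update("proftpd", "1.2.9rc2"))
```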
