IDGNet Virus & Security Watch Friday 12 September 2003

This issue's topics:

Introduction:

* All Windows need patching again; Pine, unrar updates; virus writers charged

Virus News:

* Two charged in TK Worm case in UK

* Blaster.F suspect charged in Romania

* AV pioneer questions competitors

Security News:

* New DCOM RPC patch to prevent a blast from the past...

* Multiple new IE vulnerabilities again raise the question...

* Pine 4.58 update fixes security flaws...

* Fix for WinRAR, other unrar utils possible DoS with malformed archives

Introduction:

The security scene is abuzz with talk about the new DCOM RPC flaws and speculation is rife whether a new worm will appear to exploit these flaws on unpatched machines, as Blaster did to exploit the similar vulnerabilities patched in MS03-026. There has been a good deal of confusion in various security mailing lists over the MS03-039 patch, most of it stemming from the fact that some folk just don't seem to understand what 'supersede' means. MS03-039 supersedes MS03-026, thus there is no need to apply MS03-026 if it is not already on a machine. Much of the rest of the confusion stems from the fact that most of the network scanning tools released to remotely detect whether MS03-026 has been installed on a machine incorrectly report machines patched with MS03-039 as vulnerable to MS03-026. Please check the NTBugtraq FAQ on MS03-039 issues, linked in the relevant item below, for help resolving all this.

Aside from this big concern for Windows administrators, Unix and Linux administrators running Pine or unrar should carefully consider a couple of recent updates. Finally, the revelation of a bevy of new IE vulnerabilities again raises the question of whether you should allow your users to run this benighted browser...

Apart from the speculation about the appearance of 'Blaster II', Sobig.F's 'drop dead' date passed a couple of days back and the level of Sobig e-mail messages is falling, as expected, but this raises the spectre of the possibly imminent release of a new variant. Aside from these concerns, there are two stories of interest about the arrest and charging of virus writers, and antivirus pioneer Fridrik Skulason has raised some concerns about a common feature in many e-mail gateway virus scanners being more of a hindrance than a help.

Virus News:

* Two charged in TK Worm case in UK

Further to our reports back in mid-February that UK police had arrested two men in relation to the creation and distribution of the TK Worm, and its subsequent use to control others' computers, the men were formally charged this week and face a court appearance late next week. The UK's National High Tech Crime Unit, which has been investigating the case, alleges that an estimated 5.5 million pounds damage was caused by the men and their, as yet unidentified, affiliates known as the 'Threat-Krew' (or, as they styled themselves in 'leet speak', the 'Thr34t-Krew'). These latest reports make no mention of the man arrested on related charges in the USA at the same time as the original UK arrests.

Two Brits charged with releasing TK worm - theregister.com

British duo face TK Worm charges - vunet.com

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Blaster.F suspect charged in Romania

Subsequent to our report last week of the arrest of 24 year old Romanian Dan Dumitru Ciobanu for creating and/or distributing the Blaster.F variant, various sources ran stories denying Ciobanu had been arrested. He was described as 'helping the authorities with their investigations' or said to have 'answered some questions'. Regardless, Reuters now report he has been charged with 'illegal and major disturbing of informatics systems and for holding illegal software', quoting a police officer from Iasi, Ciobanu's hometown and location of the university his modifications of the original Blaster worm were apparently intended to attack.

Cybercrime Charges Slapped on Virus Suspect reuters.com

Blaster-F suspect charged with cybercrime - theregister.com

* AV pioneer questions competitors

Fridrik Skulason, founder of FRISK Software International (FSI; makers of the well-known F-PROT antivirus products) and one of the first full-time antivirus researchers, has published an open letter on FSI's web site challenging some of his competitors to reconsider the options in their e-mail virus scanning products.

Skulason points out in his letter that although Sobig.F itself has recently been responsible for massive volumes of e-mail, that flood has been greatly exacerbated by the 'you have a virus' response messages typically generated by many e-mail virus scanners. Originally intended as 'helpful warnings' to their recipients, these messages are quite inappropriate - misleading even - in response to messages carrying viruses such as Sobig (and most other recent 'successful' mass-mailers) that forge From: and other sender address information. Many recipients of such 'warnings', who receive them because their address is on an infected machine rather than because they are infected themselves, become distressed that they may have been sending out a virus and waste precious time trying to locate and eradicate the non-existent virus from their machines.

Lamenting that sending such messages, which cause distress and confusion, is the default setting for many e-mail virus scanners (and thus left unchanged by many system administrators), and that such an option is clearly inappropriate for self-mailing malware that forges sender address information, Skulason challenges his competitors to remove the feature, or at least disable sending such warnings by default.

Why AV companies are to blame for the recent e-mail flood - f-prot.com

Security News:

* New DCOM RPC patch to prevent a blast from the past...

Microsoft has just released _another_ patch for remotely exploitable DCOM RPC vulnerabilities. Do not be confused - this is _not_ the same thing as the MS03-026 vulnerability that was so effectively exploited by the recent Blaster worm and its followers. In fact, the new patch fixes two new remotely exploitable buffer overflows that allow execution of arbitrary code, and a denial of service against the DCOM/RPC interface that, if suitably attacked, crashes the RPC service, rendering several core Windows OS functions inoperable and most machines quite unstable.

All NT-based versions of Windows are affected (NT 4.0 Workstation, Server and Terminal Server, all Windows 2000 releases, Windows XP and Windows Server 2003) and the two buffer overflow vulnerabilities are quite rightly rated as being of 'critical' severity on all affected platforms. Regardless of whether the MS03-026 patch has been applied to all vulnerable machines in your organisation, moving attention to testing and rolling out MS03-039 across the board should now be a top priority. The MS03-039 patch supersedes MS03-026, so can be properly installed on machines that have not yet been patched to MS03-026 level.

The moderator of the NTBugtraq mailing list has put together a good FAQ covering many of the issues surrounding this patch. If you have been using any of the various scanning tools to detect machines in your network that require the MS03-026 patch, note that most of those tools have been replaced with updated versions -- the reason being that the original versions would list MS03-039-patched machines as requiring the MS03-026 patch, which is incorrect.

DCOM/RPC Vulnerabilities FAQ - ntbugtraq.com

Microsoft Security Bulletin MS03-039

* Multiple new IE vulnerabilities again raise the question...

...is using IE in your corporate network worth the risk?

Chinese security researcher Liu Die Yu this week released advisories describing seven previously unknown security flaws in Internet Explorer that are still unpatched. He also released five other advisories that described either re-discoveries of previously known and now patched vulnerabilities, or previously unknown vulnerabilities that now do not work in fully up-to-date (all service packs and security hotfixes installed) IE. These latter vulnerabilities have obviously been fixed, but not announced by Microsoft.

Most of Yu's new, as yet unpatched, vulnerabilities are cross-domain scripting flaws. Fellow security researcher Jelmer has shown that one of these can be combined with a previously announced flaw he discovered to build a remote arbitrary code execution attack against IE 6.0 on Windows XP.

Yu's advisories can be pretty hard going even for experienced security administrators, so instead of linking to them we have linked to an archived copy of Jelmer's announcement of the combination attack against IE 6.0 on XP, and our old favourite, Thor Larholm's roster of 'Unpatched IE security holes' at pivx.com.

Archived Full-Disclosure list message - netsys.com

Unpatched IE security holes - pivx.com

* Pine 4.58 update fixes security flaws...

Pine, a popular e-mail client shipped with many Unix and Linux distributions, has been updated to, among other things, fix a couple of buffer overflows. Discovered by iDefense security researchers, these vulnerabilities can be exploited if specially malformed messages are opened in the e-mail client. Such exploitation can allow arbitrary code, supplied by the attacker, to run with the credentials of the user running Pine.

Most popular distributions that include Pine have shipped update packages; alternatively, the source can be obtained from the University of Washington and Pine 4.58 built from it. Pine for Windows users should obtain the 4.58 binary distribution from the University of Washington.

Changes from Pine 4.56 to 4.58 - washington.edu

* Fix for WinRAR, other unrar utils possible DoS with malformed archives

A message posted to the Bugtraq security mailing list this week describes a potential denial of service situation involving unrar code from the official RAR sources. WinRAR and other unrar utilities built from older, official 'free' unrar source code can incorrectly determine the size of files to be extracted from malformed RAR archive files. In turn this can result in very large files being temporarily created, possibly producing 'out of disk' denial of service situations.

Aside from WinRAR, the unrar commandline utility shipped with many Unix and Linux distributions has been shown to be vulnerable. Updated versions should be obtained from the RAR developers (and presumably the Unix and Linux distributors will build and release update packages in the next few days).
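One defensive control a mail or file gateway can apply before handing an archive to any unrar code is to read the sizes the RAR headers themselves declare and refuse archives whose claimed output exceeds a disk budget or an implausible expansion ratio. The following is an added example, not code from the RAR developers or from the Bugtraq post; it assumes the RAR 2.x/3.x block layout described in its comments, does not verify header CRCs, and uses two constructed sample archives (a benign 5-byte file and one claiming 40 GiB of output).

```python
import struct

# Assumed RAR 2.x/3.x layout: 7-byte marker, 13-byte archive header, then blocks
# of HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2); file headers (0x74) hold
# 32-bit PACK_SIZE/UNP_SIZE at offset 7, high halves at 32 if LARGE (0x100) set.
RAR_MARKER = b"Rar!\x1a\x07\x00"
FILE_HEAD, LARGE_FLAG, LONG_BLOCK = 0x74, 0x0100, 0x8000
ARCHIVE_HEAD = struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)

def declared_unpacked_size(archive: bytes) -> int:
    """Sum the unpacked size every file header claims; reject malformed headers."""
    if not archive.startswith(RAR_MARKER):
        raise ValueError("not a RAR 2/3 archive")
    pos, total = len(RAR_MARKER), 0
    while pos + 7 <= len(archive):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", archive, pos)
        if hsize < 7 or pos + hsize > len(archive):   # also stops zero-size loops
            raise ValueError(f"bad header size {hsize} at offset {pos}")
        add = 0
        if htype == FILE_HEAD:
            if hsize < 32:
                raise ValueError(f"truncated file header at offset {pos}")
            pack, unp = struct.unpack_from("<II", archive, pos + 7)
            if flags & LARGE_FLAG:
                hi_pack, hi_unp = struct.unpack_from("<II", archive, pos + 32)
                pack, unp = pack | hi_pack << 32, unp | hi_unp << 32
            total += unp
            add = pack                     # packed data follows the header
        elif flags & LONG_BLOCK:
            (add,) = struct.unpack_from("<I", archive, pos + 7)
        pos += hsize + add
    return total

def safe_to_extract(archive: bytes, disk_budget: int, max_ratio: int = 100) -> bool:
    """Gateway policy: refuse archives claiming more output than we can afford."""
    claimed = declared_unpacked_size(archive)
    return claimed <= disk_budget and claimed <= max_ratio * max(len(archive), 1)

def _file_header(name: bytes, pack: int, unp: int, data: bytes) -> bytes:
    """Build a constructed file header (CRC left 0; the checker never verifies it)."""
    flags = LONG_BLOCK | (LARGE_FLAG if unp >> 32 else 0)
    hsize = 32 + len(name) + (8 if flags & LARGE_FLAG else 0)
    head = struct.pack("<HBHH", 0, FILE_HEAD, flags, hsize)
    head += struct.pack("<II", pack & 0xFFFFFFFF, unp & 0xFFFFFFFF)
    head += struct.pack("<BIIBBHI", 0, 0, 0, 29, 0x30, len(name), 0x20)  # OS..ATTR
    if flags & LARGE_FLAG:
        head += struct.pack("<II", pack >> 32, unp >> 32)
    return head + name + data

BENIGN = RAR_MARKER + ARCHIVE_HEAD + _file_header(b"hello.txt", 5, 5, b"hello")  # constructed
HOSTILE = RAR_MARKER + ARCHIVE_HEAD + _file_header(b"big.bin", 5, 40 << 30, b"hello")  # constructed
```

Because the Bugtraq report concerns unrar miscomputing sizes from malformed headers, this pre-check complements rather than replaces running the extractor itself under a filesystem quota or a dedicated temporary partition.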

Archived Bugtraq list message - securityfocus.com (336959)

WinRAR and RAR archiver addons page - rarlab.com
