IDGNet Virus & Security Watch Friday 5 September 2003

This issue's topics: Introduction: * The Microsoft edition (plus Blaster arrests) Virus News: * Two arrested for writing Blaster worm variants Security News: * Fix for potential information leak in Windows NetBIOS service * Critical Word (and Works Suite!) macro detection bug fixed * File converter for Office, Works Suite, FrontPage, Publisher updated * VBA update fixes arbitrary code execution in multiple applications * Access Snapshot Viewer updated to fix buffer overflow

This issue's topics:


* The Microsoft edition (plus Blaster arrests)

Virus News:

* Two arrested for writing Blaster worm variants

Security News:

* Fix for potential information leak in Windows NetBIOS service

* Critical Word (and Works Suite!) macro detection bug fixed

* File converter for Office, Works Suite, FrontPage, Publisher updated

* VBA update fixes arbitrary code execution in multiple applications

* Access Snapshot Viewer updated to fix buffer overflow


Two arrests - one in the US and one in central Europe - show that when prodded hard enough (or when presented with easy enough cases, the authorities will take action against virus writers. Both arrests are of seemingly clueless young men, both of whom clearly underestimated the level of interest Blaster had raised and thus the likely consequences of distributing 'look how clever I am' copycat variants chock full of clues to their real identities and/or whereabouts. As it also seems unlikely the 'real' writer of the original Blaster worm will be caught, these hapless chaps may pay a disproportionate price for their curiosity, but we all know what killed the cat...

Office users get to join the patch-o-rama this week with four separate security bulletins covering vulnerabilities in various features of Microsoft's flagship product, Office. The sceptical may wonder how long some of these flaws have been known, for surely it is not coincidental that the newest version of Office was released just a few days before the announcement of all these patches _and_ that Office 2003, and none of its components, is not listed as vulnerable to any of them. Aside from the heavy preponderance of Office patches, a critical generic VBA update affecting all products that use VBA, including several hundred not made by Microsoft, is in the bunch. Finally, another Windows networking flaw, but this is not likely to be anywhere near as nasty as the RPC DCOM one whose extensive non-patching led to the Blaster disaster.

Virus News:

* Two arrested for writing Blaster worm variants

The big story from very late last week (i.e. a few hours after that issue of the newsletter was put to bed) is that a US teenager has been arrested and charged over his alleged involvement in creating and releasing one of the variants of the Blaster worm. Jeffrey Lee Parsons, an 18 year-old Minnesota senior high student was arrested early last Friday morning (Minnesota) after earlier answering police questions about the Blaster variant confusingly known as Blaster.B or Blaster.C depending on which antivirus company you prefer (ignoring, of course, that not all call it Blaster, with LovSan, MSBlast and Poza also being used by different vendors).

Parsons has admitted modifying the original Blaster.A worm. He has admitted to changing some strings in the code that affect the filename used by the worm, adding a bot net agent that allowed him to obtain remote control of machines compromised by the worm, and a few other minor modifications. He certainly does not appear to be the writer of the original Blaster.A - all Parsons' changes could have been made with the aid of readily available compression and hex-editor tools.

Subsequent to Parsons' arrest and the extensive media coverage surrounding it, yet another Blaster variant, Blaster.F, was released, apparently from Romania. Perhaps news of Parsons' arrest and the details behind it had not made it to the nether regions of the former Eastern Bloc state where 24 year-old Dan Dumitru Ciobanu lives, before he released his virus, for his rarely seen variant exhibits much the same 'mistakes' as does Parsons' inept attempt. Like Parsons, Ciobanu included references to his nickname, 'Enbiei', in the text he modified from the original worm. And if Ciobanu's disparaging reference to one of his lecturers in the Hydrotechnics Faculty at the Technical University of Iasi (where Ciobanu was a student) and changing the DoS payload to target a server at that university was not intended to ease locating the hapless Romanian virus' writer, its stupidity certainly paralleled that of Parsons adding to his variant a bot net agent that 'called home' to a server registered in his name and to his home address.

Update: Teenage Blaster worm suspect arrested

Blaster Worm Case slideshow -

Report: Blaster suspect 'surprised' at arrest

Scanned copy of the initial charges against Parsons -

Romanian nabbed for launching Blaster-F

Computer Associates Virus Information Center (36594)

F-Secure Security Information Center (lovsanf)

Network Associates Virus Information Library (100588)

Sophos Virus Info (w32blasterf)

Symantec Security Response (w32.blaster.f)

Trend Micro Virus Information Center (worm_msblast.g)

Security News:

* Fix for potential information leak in Windows NetBIOS service

All supported NT-based Windows OSes (NT 4.0 Server and Terminal Server, Windows 2000, XP and Server 2003) are vulnerable to a potential random information leak via the NetBIOS service. Listening on UDP port 137 on all default installations of these OSes (if the TCP/IP protocol is installed), the NetBIOS Name Service (NBNS) improperly pads packets it sends in response to name queries. Rather than filling 'short' response packets with null (zero) characters, NBNS reply packets are padded with whatever happened to be in the 'surplus' memory locations when the response buffer was requested.

Information leaked thus is random in the sense that someone intent on snooping on the 'extra' content in NBNS replies can exert no control over what memory contents are divulged through this flaw. Further, it would normally be very difficult to impossible for such a 'snooper' to reliably determine the meaning or significance of data leaked this way. Because of these factors and that usual 'best practices' require firewalling or other blocking of UDP port 137, Microsoft rates the severity of this vulnerability as 'low', recommending system administrators to evaluate the likely exposure the vulnerability could cause in their situation. Networks with good border protection but little internal port filtering, access control, system hardening and so on will be 'wide open' to abuse of this from inside the firewall; in such circumstances the risk of not patching is largely dependent on the threat posed by your users and the sensitivity of data processed on vulnerable Windows machines.

Should something more sinister turn up in relation to this vulnerability however, recall the recent success of the various Blaster worms. These all spread through an RPC vulnerability on port 135 - a 'sister port' to 137 and others commonly open by default on machines with Windows Networking installed and enabled. It is very unlikely sites and individual machines that had port 135 open to Blaster infection will have selectively closed port 137, so there is obviously quite a population for port 135 nastiness to exploit, should such exploitation subsequently be discovered possible.

Microsoft Security Bulletin MS03-034

* Critical Word (and Works Suite!) macro detection bug fixed

Microsoft has released patches for all supported versions of Word for Windows (Word 2000 and 2002) and also for Word 97 and 98(J), that fixes a fundamental flaw in the macro security tests of all these versions.

In brief, an error in the logic of Word's 'is there macro code in this document' check, performed early in the opening and processing of Word document and template files, means that specially prepared files that do contain macros will fail the test (i.e. be considered by Word to not contain macros). On its own, that would not be much of a problem - one would imagine that the macros would effectively be 'invisible' and thus would not be able to pose any risk. However, it is Microsoft software we are talking about and unfortunately, once this initial determination has been made and certain macro security events do not occur because of Word's erroneous belief that there are no macros present, further processing of the document makes _other_ checks, decides there are macros which are loaded, interpreted and, depending on the type of these macros, auto-run or enabled to run as the handlers for various events within the Word object model.

As this flaw completely, _and silently and invisibly_, eliminates the security checks conscientious Word users believe Word is performing for them, it is inconceivable why Microsoft has rated the severity of this vulnerability as anything other than 'critical'. Inconceivable as it is though, Microsoft has rated this FUBAR as 'being of important' severity - the list of mitigating factors in the security bulletin dumbfounds the newsletter compiler, leading him to question the intelligence and sanity of the author of the bulletin.

Supported Word for Macintosh versions (Word 98, 2001 and X) have been tested for this flaw and found to be unaffected. Users of Works Suite 2001, 2002 and 2003 are also affected as these versions of Works Suite bundle affected versions of Word. Other Office products are not affected by this flaw.

Detailed guides to obtaining, preparing for and installing these patches are available in (or linked from) the most recent (as we go to print) issue of Woody Leonhard's 'Woody's Office Watch' (WOW) newsletter. As well as linking to the Microsoft security bulletin, we have also linked to the official archived copy of that WOW newsletter.

Microsoft Security Bulletin MS03-035

WOW #8.35 New Office security patches explained -

* File converter for Office, Works Suite, FrontPage, Publisher updated

Microsoft has released an updated WordPerfect document file converter to replace the one shipped and installed by default in many of its products, and available as a separate download in the 'Microsoft Office Converter Pack'. This is nowhere as convoluted as the flaw described in the preceding item - in brief, this is a classic buffer overflow due to improper (or no) checking of the amount of data to be copied into a fixed-size buffer. Exploitation can result in execution of arbitrary code of the attacker's choosing.

Microsoft's rating of the severity of this flaw as 'important' is due, at least in part, to the fact that code run as a result of exploitation of this flaw would only run with the security credentials of the Word (or other vulnerable application) user. However, again this rating has to be tempered with real-world observations conveniently ignored or glossed over in the 'Mitigating factors' section of Microsoft's security bulletin.

For example, the researchers at eEye Digital Security who found this flaw have posted rudimentary details of exploiting it in their own security advisory. Extending that information to a working exploit may not be very difficult and although not divulged in the eEye advisory it seems likely (from their past record) that such an exploit was developed by eEye and sent to Microsoft as proof of the concept. Further, most computer users expect word processing documents to be 'safe' to open and view, and by default Internet Explorer will silently open Word and direct it to open files with .DOC extensions. combined, this means that specially prepared WordPerfect document files renamed with .DOC extensions and remotely hosted on an attacker's web server could be loaded into Word on a typical user machine with very little user intervention. As several successful viruses and identity theft scams have recently shown how easy it can be to entice a computer user to click a web link in an e-mail message, rolling several of these factors into a mass-mailing virus or targeted information stealing Trojan would seem quite trivial.

Again, we have included a link to the official archived copy of the most recent 'Woody's Office Watch' (WOW) newsletter for its detailed guides to obtaining, preparing for and installing these patches, as well as to the eEye advisory and Microsoft security bulletin.

Microsoft WordPerfect Document Converter Buffer Overflow -

Microsoft Security Bulletin MS03-036

WOW #8.35 New Office security patches explained -

* VBA update fixes arbitrary code execution in multiple applications

Visual Basic for Applications (VBA) is the standard programming language and development environment settled on within Microsoft for most of its applications' macro automation functions. Further, VBA has been packaged as a development kit and licensed to many third-party application developers for inclusion in their own products (to date over 200 developers have licensed VBA - see the 'VBA Licensing Partners' link below).

Researchers at eEye Digital Security have discovered an exploitable buffer overflow in the Visual Basic Design Time Environment (or VBE - vbe.dll or vbe6.dll) component of VBA 5.0 and 6.0, 6.2 and 6.3 (this is the primary runtime component installed on systems of users of VBA-hosting software). As suggested above, copies of these vulnerable components have been shipped with many products, not just those from Microsoft. The overflow occurs very early in the VBE's processing of files potentially needing VBA support and occurs because the VBE does not apply proper bounds checks while manipulating the properties of the document handed to it by the hosting application. eEye researchers have released basic information on how to malform a Word document to display the overflow in Word for Windows and extending this to a working exploit may be a simple task for a suitably motivated blackhat.

The Microsoft security bulletin contains a lengthy list of Microsoft products shipping with vulnerable versions of the VBE. Further, it explains how to detect if VBA and its vulnerable components are installed and what versions. More specific details pertaining to systems running third-party applications hosting vulnerable versions of VBA should be obtained from the appropriate vendors.

Oddly, in light of the comments in the two previous Office/VBA-related security bulletins and given that the mitigating factors are essentially the same, Microsoft has - correctly - rated the severity of this issue as 'critical'. Go figure...

As for all the Word and Office updates in this issue, we have included a link to the detailed guides to obtaining, preparing for and installing these patches in the archived copy of the most recent 'Woody's Office Watch' (WOW) newsletter. Of course, we have also linked to the Microsoft security bulletin and the eEye advisory.

VBE Document Property Buffer Overflow -

Microsoft Security Bulletin MS03-037

WOW #8.35 New Office security patches explained -

VBA Licensing Partners -

* Access Snapshot Viewer updated to fix buffer overflow

Yet another buffer overflow in an Office-related product has been fixed. Databases, by their nature, tend to reside in large files (or large sets of large files) and their contents tend to vary over time. Often it is desirable to have a 'snapshot' of the results of a particular query at a given moment in time. To this end, Microsoft provides the Access Snapshot Viewer, allowing users of its Access database product to make snapshots of pertinent database contents and to distribute that data and a viewer application to others who need not have Access to view the snapshot. Access Snapshot Viewer is implemented as an ActiveX control, which also allows browsing-in-place in IE.

Oliver Lavery discovered a buffer overflow that affected all supported versions of the Access Snapshot Viewer and that allows arbitrary code of an attacker's choice to run in the security context of the user running the Access Snapshot Viewer.

Although Snapshot Viewer is not installed by default with any version of Office or Access, it would pay to carefully check for its presence (an entry for '.snp' file type in the registry may be a useful starting point for such a search). Again, the mitigating circumstances are much the same as for the other Office-related vulnerabilities reported above, but Microsoft rates this as being of 'moderate' severity. Given that use of Access snapshot files may be very rare, this is probably a reasonable rating (at least for those who not in the habit of using such files).

Microsoft Security Bulletin MS03-038

WOW #8.35 New Office security patches explained -

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about CA TechnologieseEye Digital SecurityF-SecureMicrosoftOffice ConverterParsonsSophosSymantecTrend Micro Australia

Show Comments