Almost as if to make amends for not releasing any Security Bulletins to report in last week's newsletter, Microsoft released seven and updated an existing one in the last seven days. The on-going saga of MS00-086 is still playing, with Microsoft admitting that it reintroduced an IIS bug it had already fixed several weeks earlier in its first MS00-086 patch for IIS 5.0. Microsoft has also patched several Internet Explorer bugs, and as these are being investigated actively, if not actually used in anger yet, these patches should be applied as soon as practicable.
There are also important SQL Server and NetBIOS over TCP/IP patches, and several patches for lesser-used optional NT and/or Windows 2000 components. Sun also has an important advisory out for a security model implementation error in its Java Runtime Environment you should check if you depend on Java's security model for running remote or otherwise "unknown" code.
And where would we be without one of those seemingly ubiquitous e-mail worms for Windows 9x or NT?
New worm Win32/ProLin on the loose
About the time last week's newsletter hit the list servers, the first reports of Win32/ProLin started to filter in. This mass-mailing worm, also known as Shockwave and Creative, typically arrives at a victim's machine as the attachment creative.exe to an e-mail message with a Subject: line of "A great Shockwave flash movie" and the short message "Check out this new flash movie that I downloaded just now ... It's Great Bye". The attached file carries the icon of the Shockwave Media Player application, but it is not one.
If it is run, creative.exe copies itself to the Startup folder and sends copies of itself to everyone in the Outlook address book (if Outlook is installed). ProLin also renames all JPG, MP3 and ZIP files it can find on the host by appending (spelling error and all) "change atleast now to LINUX" to the existing extension. It then moves these files to the root of the C: drive, which can slow boot times considerably if large numbers of files end up there.
As with most recent worms, ProLin depends on users running an e-mail attachment they shouldn't. Clearly the message is not making an impact, or at least it is not making enough of an impact. For example, Auckland PR firm Botica Conroy was infected and as its address lists include most of the IT journalists in the country, their infection rapidly became widely known. This is doubly ironic as Botica Conroy handles New Zealand PR for Symantec, makers of the well-known Norton AntiVirus product.
Shockwave worm gets into local firms - IDGNet
Prolin 'one-hit' menace - Computerworld
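If a machine has been hit, the renamed files can be recognised by their suffix and put back under their original names. The following is an added example written for this item, not code from the newsletter or from any antivirus vendor. It assumes the worm appends the string exactly as quoted above, with no separator, directly after the original extension (check this against a real sample before relying on it), and it can only restore the names, not the directories the files were moved out of.

```python
"""Recover files renamed by the Win32/ProLin worm.

Added example, not taken from the newsletter or any AV vendor. It assumes the
worm appends the literal string below to the existing extension, so that
"photo.jpg" becomes "photo.jpgchange atleast now to LINUX". The exact
spelling and spacing of the suffix is taken from the published description
(assumption) and should be verified against a real sample.
"""
import sys
from pathlib import Path

# Suffix the worm appends, misspelling included (assumption: no separator).
PROLIN_SUFFIX = "change atleast now to LINUX"
# Extensions the worm targets, per the description.
AFFECTED_EXTS = (".jpg", ".mp3", ".zip")


def original_name(name: str):
    """Return the pre-infection filename, or None if `name` is not ProLin-renamed."""
    if not name.endswith(PROLIN_SUFFIX):
        return None
    stem = name[: -len(PROLIN_SUFFIX)]
    # Only accept names whose remaining extension is one the worm targets, so
    # unrelated files that happen to end with the suffix are left alone.
    if not stem.lower().endswith(AFFECTED_EXTS):
        return None
    return stem


def recover(root, dry_run=True):
    """Rename ProLin-renamed files directly under `root` back to their original names.

    Returns a list of (old_path, new_path) for files that were (or, in a dry
    run, would be) renamed. A file whose original name already exists in the
    directory is skipped rather than overwritten. The original directory of
    each file cannot be recovered: the worm moved them all to the root of C:.
    """
    root = Path(root)
    done = []
    # sorted() materialises the listing before any rename happens.
    for entry in sorted(root.iterdir()):
        if not entry.is_file():
            continue
        orig = original_name(entry.name)
        if orig is None:
            continue
        target = entry.with_name(orig)
        if target.exists():
            continue
        if not dry_run:
            entry.rename(target)
        done.append((str(entry), str(target)))
    return done


if __name__ == "__main__":
    # Usage: python prolin_recover.py C:\ [--apply]   (dry run without --apply)
    path = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    apply = "--apply" in sys.argv
    for old, new in recover(path, dry_run=not apply):
        print("renamed" if apply else "would rename", old, "->", new)
```

Run it without --apply first and read the list; only then apply. The creative.exe copy in the Startup folder is a separate clean-up step (remove it and the Outlook-sent copies are the recipients' problem), and an up-to-date scanner should be run afterwards in any case.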
New variant of Verona worm
The Verona worm, first reported in this newsletter two weeks ago, has shown up in a minor variant. It still has the same self-limiting feature of choosing a mail server from its internal list of machines known to be running open SMTP relays, though its list is three times as long as the original's. Win32/Verona.B, as it is known, should pose no greater threat than its predecessor.
Multiple Internet Explorer v5.x updates
Microsoft has released a patch for IE v5.x that fixes four separate bugs leading to security vulnerabilities. One of these only affects IE v5.5; the others affect all IE v5.x versions. The exposures range from a remote web server being able to read information from files on the machine running the browser to the execution of arbitrary code (including ActiveX controls not marked safe for scripting) from remote web pages or HTML e-mail messages.
The patch available from the Security Bulletin (at the link below) only works with IE 5.01 SP1 and IE 5.5 SP1. Users of other IE v5.x versions should first upgrade to one of those. Attempting to install the patch on another IE v5.x release can produce a misleading warning that the patch need not be installed.
NBT patch for NT 4.0; Workaround for Windows 9x and ME
A flaw in the implementation of NetBIOS over TCP/IP (NBT) in NT 4.0 and all Windows 9x and ME platforms exposes such machines with TCP Port 139 open to a potential Denial of Service attack. Such an attack would require the attacker to generate a special sequence of malformed packets addressed to the target machine. A patch for NT 4.0 to fix the so-called "Incomplete TCP/IP Packet" vulnerability is available from the Microsoft Security Bulletin page, linked below.
Administrators of the other affected operating systems are advised to disable File and Print Sharing, as Microsoft says those systems were not designed to withstand a direct Internet connection with the NBT protocol enabled. To quote from the FAQ accompanying the Security Bulletin:
Microsoft recommends disabling the use of File and Printer sharing services on any Windows 9x or Windows Me machine directly connected to the Internet. Customers who need a robust file server solution should use either Windows NT 4.0 or Windows 2000.
Windows 9x and ME machines in a corporate LAN, behind a properly configured firewall should be safe from external attack, but could still be compromised from machines on the LAN.
This vulnerability does not affect Windows 2000.
Several registry permissions fixes for NT 4.0
Microsoft has released a utility that fixes several possible security vulnerabilities due to loose permissions on registry keys in NT 4.0. Loose permissions on registry keys affecting SNMP (Simple Network Management Protocol), RAS (Remote Access Service) and MTS (Microsoft Transaction Server) allow various security exposures on NT 4.0 machines with any of these optional components installed.
The details of each possible attack scenario and the potential impact of someone exploiting these flaws are described in the FAQ accompanying the Microsoft Security Bulletin, linked below. These vulnerabilities apply to all versions of NT 4.0 -- Workstation and Server (including Enterprise and Terminal Server editions). Administrators of such systems that have one or more of the affected optional components installed should obtain the configuration utility from the links in the Microsoft Security Bulletin. Note that the NT 4.0 registry permission fixes discussed in the earlier Security Bulletins MS00-008 and MS00-024 are also applied automatically by the update tool -- links to the Security Bulletins discussing those issues are included below to assist in making a fully informed decision about running the update utility.
SNMP registry permissions fix for Windows 2000
This is essentially the same vulnerability as the SNMP flaw mentioned in the previous item in this newsletter. For various technical reasons (not least that this is the only one of the three vulnerabilities in the previous item that also applies to Windows 2000) Microsoft decided to announce this vulnerability and its fix in a separate Security Bulletin (linked below).
Unlike the NT 4.0 version of this vulnerability, there are no earlier, related registry security fixes that need to be applied with this one. Further, the fix is shipped as a template for the Security Configuration and Analysis Tool rather than as a command-line utility. As in NT 4.0, SNMP is not installed and enabled by default.
Patch for IIS Phone Book Service buffer overflow
Microsoft has announced a fix for a remotely exploitable buffer overflow in the optional Phone Book Service of IIS 4.0 and 5.0. The vulnerability allows a remote attacker to run arbitrary code with the privileges of the IUSR_machinename account (on IIS 4) or the IWAM_machinename account (on IIS 5).
IIS 4.0 and 5.0 servers running the Phone Book Service should be patched as soon as is practicable.
Updated MS00-086 patch for IIS 5.0
The compiler of this newsletter is losing count of the changes, twists and turns in the MS00-086 patch saga. The latest is that the previously posted patch for IIS v5.0 has been replaced with a new version, because a "regression error" was discovered in the original.
It seems that internally Microsoft has trouble keeping track of the latest version of the IIS code (perhaps because it had multiple teams working on different security patches at the same time). Whatever the reason, the original MS00-086 patch for IIS v5.0 correctly fixed the "Web Server File Request Parsing" vulnerability but re-introduced the "Web Server Directory Traversal" vulnerability announced (and fixed) in the MS00-078 Security Bulletin. What that means is that if you are an IIS v5.0 administrator who has been faithfully installing Microsoft's recommended patches, fixing the "Web Server File Request Parsing" vulnerability with the original MS00-086 patch effectively undid the "Web Server Directory Traversal" patch you applied a couple of weeks earlier. Install the replacement patch, and afterwards re-test for the MS00-078 traversal rather than assuming an earlier fix has stayed in place.
Update for SQL Server and MSDE buffer overflow
An update has been released to fix a buffer overflow affecting several Extended Stored Procedure (XP) DLLs shipped with SQL Server and MSDE. Named the "Extended Stored Procedure Parameter Parsing" vulnerability by Microsoft, this flaw can allow a malicious attacker to run arbitrary code in the security context of the SQL Server service account or perform a Denial of Service (DoS) attack against the server. This vulnerability could also be exercised via a web page front-end to a SQL Server database.
Note that the Microsoft fix cannot entirely eliminate this vulnerability, as the "problem" is located in the code of the DLLs implementing the XP functionality. The patch replaces all vulnerable Microsoft-provided XPs with fixed ones, but third-party XPs may also be vulnerable. A KnowledgeBase article describes some test procedures to check third-party XPs for such vulnerabilities.
Microsoft has released patches for SQL Server 7.0 and 2000 and the associated Microsoft Data Engine 1.0 (MSDE 1.0) and Microsoft SQL Server Desktop Engine 2000 (MSDE 2000).
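As an illustration of what such a test procedure looks like (an added example; not the KnowledgeBase procedure, the newsletter's text, or any Microsoft code), the harness below calls each extended stored procedure with string parameters of growing length and records the first length at which the server connection dies, which is the denial-of-service symptom of a parameter copied into a fixed buffer without a length check. The `execute` callable, the `ServerDied` exception, the XP names and the default lengths are all assumptions of this example; point it only at a disposable test instance.

```python
"""Probe extended stored procedures (XPs) for unchecked parameter lengths.

Added example; not the KnowledgeBase test procedure or any Microsoft code.
It embodies the class of bug in the bulletin: an XP that copies a string
parameter into a fixed-size buffer without checking its length can be
crashed (or made to run attacker code) by a parameter longer than that
buffer. The harness calls each XP with ever longer strings and records the
first length at which the connection drops.

The `execute` callable is an assumption of this example: it takes
(sql, params), runs the statement against a throwaway test server, and
raises ServerDied when the connection is lost. In practice wire it to a
DB-API driver such as pyodbc (cursor.execute(sql, params)), re-open the
connection after every failure, and never point it at production.
"""
import re
from typing import Callable, Dict, Iterable, Optional, Sequence

# Only plain identifiers are accepted as XP names, so a bad name list cannot
# turn the harness itself into a SQL injection vector.
_XP_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")

# Lengths to try, ascending; the first one that kills the server is reported.
DEFAULT_LENGTHS: Sequence[int] = (64, 256, 1024, 4096, 16384)


class ServerDied(Exception):
    """Raised by the executor when the SQL Server connection is lost mid-call."""


Executor = Callable[[str, Sequence[str]], None]


def probe_xp(execute: Executor, xp_name: str,
             lengths: Iterable[int] = DEFAULT_LENGTHS) -> Optional[int]:
    """Call `xp_name` with string parameters of increasing length.

    Returns the smallest tested length at which the call killed the
    connection, or None if every length was survived. A hit means the XP
    mishandles long input and its vendor should be contacted; it is not by
    itself proof that the overflow is exploitable for code execution.
    """
    if not _XP_NAME.match(xp_name):
        raise ValueError(f"refusing unsafe XP name: {xp_name!r}")
    for n in lengths:
        payload = "A" * n
        try:
            # Parameter marker, not string concatenation: the payload travels
            # as data, so the only thing exercised is the XP's own parsing.
            execute(f"EXEC master..{xp_name} ?", (payload,))
        except ServerDied:
            return n
    return None


def probe_all(execute: Executor, xp_names: Iterable[str],
              lengths: Iterable[int] = DEFAULT_LENGTHS) -> Dict[str, Optional[int]]:
    """Probe several XPs; map each name to its first failing length (or None)."""
    lengths = tuple(lengths)
    return {name: probe_xp(execute, name, lengths) for name in xp_names}


if __name__ == "__main__":
    # Stand-in executor for a dry run with no server (constructed for this
    # example): "xp_weak" models an XP with a 255-byte fixed buffer,
    # "xp_fine" one that checks its input length.
    def fake_execute(sql: str, params: Sequence[str]) -> None:
        if "xp_weak" in sql and len(params[0]) > 255:
            raise ServerDied("connection reset")

    for name, bad_len in probe_all(fake_execute, ["xp_fine", "xp_weak"]).items():
        print(name, "OK" if bad_len is None else f"died at {bad_len} bytes")
```

Run the list of third-party XPs through this on a test instance after applying the Microsoft patch: the Microsoft-supplied XPs should survive every length, and any third-party XP that does not is one the patch cannot fix for you.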
Sun Java Runtime Environment class loading issue
The Java Runtime Environment (JRE) may, in some circumstances, allow an untrusted class to call into a disallowed class. Sun's security staff believe this vulnerability does not affect either the Netscape Navigator or Internet Explorer browsers, though it could affect other vendors' Java implementations if they are based on the Sun Java Development Kit (JDK).
Sun has released JDK updates and some vendors (for example, HP) have already issued updates based on this. Administrators of systems employing Sun JDK-derived Java implementations should check with their vendors for their status on this issue.