Two of Microsoft's IIS security bulletins have been updated this week and one -- the "Web Server File Request Parsing" vulnerability -- requires the urgent attention of all IIS v4.0 or v5.0 users. This is the second update to that vulnerability in as many weeks and is related to the hacks of a Microsoft web server reported in the previous two issues of this newsletter. If you are an IIS administrator, you may also find the web pages posted recently by Russ Cooper to be worth adding to your bookmarks. These pages attempt to keep up to date with all the IIS patches and updates...
This issue also carries news of two serious bugs in the Microsoft Media Player, an Exchange server problem and an update to close a possible password brute-forcing hole in most versions of Windows 2000.
And, of course, it seems we would not be complete without an e-mail worm... This one was particularly stupid and correspondingly short-lived, causing no significant damage to date.
Yet another e-mail worm...
Just after posting last week's newsletter, another e-mail worm was reported on the rampage. Variously named Win32/Blebla, Win32/Verona and "Romeo and Juliet", it was a very short-lived phenomenon, not least because of a serious design flaw. It depended on six e-mail servers in Poland that were "misconfigured" to allow relaying of messages from any machine to any other machine.
Such machines, commonly referred to as "open relays", are the scourge of the anti-spamming movement, as much spam is delivered via open relays both to obscure the originator and to shift the traffic load away from the spammer's own service providers. Most of those machines were reconfigured to remove the open relays within hours of the worm first being distributed, so its life was a very short flash in the pan of notoriety...
Known user account vulnerability on Exchange 2000 Server machines
Microsoft has released a Security Bulletin warning of a potential security breach of Exchange 2000 Server and Exchange 2000 Enterprise Server via an account created during the setup procedure. The problem arises because the account is created with a fixed name and password. As these details are commonly known, machines that have the affected versions of Exchange 2000 installed are vulnerable to attack through this account.
The Security Bulletin and associated FAQ contain descriptions of manual fixes and a link to a utility to remove the "Exchange User Account" vulnerability. Only early versions of Exchange 2000 are affected, and details of how to determine which are in the Security Bulletin, but these include the version that shipped on the October 2000 Microsoft Select distribution. If you have a vulnerable version of Exchange 2000, removing, disabling or changing the password on the EUSR_EXSTOREEVENT account following the product's installation removes the vulnerability.
Microsoft says this type of account was included in beta versions while new methods of handling workflow and event scripts were developed. Previous versions of Exchange had similar accounts but these were not created with fixed usernames and passwords. The EUSR_EXSTOREEVENT account at the heart of this problem is a local account with normal user privileges. Thus, the exposure created by this vulnerability is not great unless Exchange happens to be installed on a domain controller, as local accounts on domain controllers are domain accounts.
More details and other workarounds are discussed in the Security Bulletin and FAQ, referenced below. Microsoft will build a fix for this vulnerability into Service Pack 1 for Exchange 2000.
Windows 2000 password brute-force attack vulnerability
An update has been released to fix what Microsoft calls the "Domain Account Lockout" vulnerability on Windows 2000 machines. The vulnerability affects all Windows 2000 versions except Windows 2000 Gold and is due to a flaw in the NTLM authentication procedures. One consequence of this vulnerability is that a malicious user could obtain an account's password by brute-force guessing despite a domain account lockout policy. The vulnerability only applies to Windows 2000 machines in non-Windows 2000 domains, and there are other limitations that apply for password brute-forcing to be possible.
Details and links to the necessary patch are in the Security Bulletin and FAQ, linked below. This patch will also be included in Service Pack 2 for Windows 2000.
Update fixes two security holes in Windows Media Player
Two unrelated security holes in Windows Media Player are fixed in the patches referenced in the Security Bulletin below. The bugs have been named the "ASX Buffer Overrun" vulnerability, which affects both v6.4 and v7.0, and the "WMS Script Execution" vulnerability, which affects v7.0 only.
The "ASX Buffer Overrun" vulnerability is due to an unchecked buffer in the Media Player code that parses Active Stream Redirector (.ASX) files. These files do not contain streaming media, but direct the Media Player where to find particular media on the network. A malicious user could craft a specially malformed ASX file such that Windows Media Player would run any code of the attacker's choosing via an overflow in the unchecked buffer.
A new feature in Windows Media Player v7.0 was its support for "skins", allowing the customization of the "look and feel" of the player. Skins are stored in .WMS files and can also be included in .WMZ and .WMD files. Regardless of how a skin is packaged, it can contain script programs which in turn can call ActiveX controls. Because skins are downloaded to the local machine before being used by the Media Player, such scripts can do pretty much anything any locally-hosted program can, including, for example, running ActiveX controls not marked safe for scripting. In the FAQ associated with this Security Bulletin announcement, Microsoft's security team has written a very convoluted description of the potential for abuse here, which would be amusing were it not such a clever exercise in spin control. If anyone still needs proof that ActiveX and its deep embedding in the system and application architecture is an inherently dangerous idea, this latest design and implementation error should be it...
Aside from the patch referenced in the Security Bulletin, the next updated release of Windows Media Player, which Microsoft says is scheduled to ship in December, will also include these fixes. All users of Windows Media Player v6.4 or v7.0 are recommended to obtain and install the patch.
IIS "Web Server File Request Parsing" vulnerability updated again
Last week the newsletter noted that Microsoft had updated MS00-086 to include more details about the vulnerability and to note that users of IIS v4.0 on machines running NT 4.0 prior to SP6a were in fact susceptible to the vulnerability after all.
Last week the newsletter also reported that the Dutch hacker, reported the previous week as breaking into a Microsoft web server via this vulnerability on an unpatched server, had hacked the same server again. Further, the hacker claimed to have exploited the same hole, implying that Microsoft had still not installed its own patch to a server it knew had been attacked via this vulnerability. Microsoft and the hacker, referred to in all reports of these hacks as "Dmitri", are reported to have met late last week and discussed the break-ins (see the news article link below). Your newsletter compiler suspects that meeting and this latest update to MS00-086 may not be unrelated.
Microsoft now says that new variants of the vulnerability have been found and that these affect all versions of IIS v4.0 and v5.0 regardless of what service pack they are running on. Microsoft is strongly urging users of either IIS version to obtain the updated patches referenced in the Security Bulletin (linked below) and apply them as soon as practicable.
- InfoWorld article on Microsoft/Dmitri meeting
IIS "Session ID Cookie Marking" patch updated
Another IIS patch has been updated, resulting in a re-release of the associated Security Bulletin. The "Session ID Cookie Marking" vulnerability was first mentioned in this newsletter a month ago, and this week Microsoft updated the bulletin because it released updated patches. The updated patches correct problems with the Alpha version of the IIS v4.0 patch and the x86 IIS v5.0 patch not installing correctly. The x86 version of the IIS v4.0 patch was unaffected by these problems, so users of that platform need not do anything as a result of this update. Note that the updates apply the fixes for secure Session ID cookies, but this feature has to be enabled on a site by site basis.
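Because the secure-cookie behaviour must be switched on per site, an administrator needs a way to confirm that each site's ASP session cookie is actually being issued with the Secure attribute. The following checker is an added example written for this newsletter, not code from Microsoft or the patch; it parses Set-Cookie header values (the sample headers, including the ASPSESSIONID suffixes, are constructed for illustration) and reports any session cookie that lacks the Secure attribute.

```python
"""Report IIS/ASP session cookies that are not marked Secure."""
from typing import Dict, List

# Constructed sample Set-Cookie header values, as an IIS site might send them.
# The ASPSESSIONID suffixes and values are made up for this example.
SAMPLE_HEADERS = [
    "ASPSESSIONIDQQGGQGSF=ABCDEFGHIJKLMNOP; path=/",
    "ASPSESSIONIDGQGGQGSF=PONMLKJIHGFEDCBA; path=/; secure",
    "prefs=compact; path=/; expires=Wed, 01-Jan-2003 00:00:00 GMT",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Flag attributes such as 'secure' (no '=') are stored with the value True;
    attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    """IIS names its ASP session cookie ASPSESSIONID followed by a site suffix."""
    return name.upper().startswith("ASPSESSIONID")


def insecure_session_cookies(headers: List[str]) -> List[str]:
    """Return the names of session cookies issued without the Secure attribute."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_session_cookie(cookie["name"]) and "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    for name in insecure_session_cookies(SAMPLE_HEADERS):
        print(f"session cookie {name} is sent without the Secure attribute")
```

In practice the header list would come from the Set-Cookie headers of an HTTPS response from each site being audited; any name reported means that site has not had the feature enabled.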
Web pages tracking "necessary" IIS updates
Russ Cooper, moderator of the NTBugtraq mailing list, has posted two web pages dedicated to tracking the post-service pack hotfixes necessary to keep IIS v4.0 and v5.0 installations updated with the latest security patches. The listings assume you are running the latest service pack for your operating system.
If you cannot upgrade to the latest service pack, Russ would like to hear from you -- he may be able to help with suggestions of what to install anyway and is collecting a list of applications that are known to not work properly with the latest service packs. This latter information may assist in pressuring developers of those applications and/or Microsoft into releasing updates which avoid such service pack instabilities.