There is nothing sufficiently newsworthy to report from the antivirus frontlines this week, and aside from a plethora of minor format string problems, the main security issues centre on Microsoft's IIS web server and Internet Explorer web client software. Serious failures in the security model of the Microsoft VM, allowing any HTML script or Java applet to run any ActiveX control (including ones not marked safe for scripting), have been documented and patched. The VM component is "part of the operating system" and is shipped and updated with Microsoft's Internet Explorer software.
The good news about the serious directory traversal and arbitrary code execution bug in IIS is that those who installed a patch recommended in this newsletter over a month ago are already covered. This newly discovered problem was fixed by an "old" patch, so those who have been keeping their patches up to date have a bonus there!
Users of the Unix version of Internet Explorer, however, may be wishing that Microsoft kept its own in-house patches consistent. A report on the bugtraq mailing list shows that several serious IE bugs that have been previously fixed for Windows platform versions of the browser also apply to the Unix version and Microsoft has not been shipping patches and updates for the Unix version of IE.
No news is good news, right?
It has been a particularly quiet week on the computer virus front. Qaz, MTX and LoveLetter.AS (aka Colombia), reported as having been more noticeable in the past couple of weeks, have maintained that position, but there seems to be nothing new or of serious concern worth reporting from the antivirus frontlines this week.
More Microsoft VM updates
Although rather innocuous sounding by name, the so-called "Microsoft VM ActiveX Component" vulnerability is a very serious security hole. It was announced just after the previous Virus & Security Watch newsletter was posted. In a nutshell, this vulnerability means that a series of very dubious actions, which were supposed to be available only to signed applets, could be used by any arbitrary HTML source with embedded scripts. This could be any web page or HTML e-mail message. Further, under the default security settings of Internet Explorer, Outlook and Outlook Express, code exploiting this vulnerability would not raise any security warnings or prompts suggesting that something untoward may be happening.
The specific problem relates to the ability of applets to create and use ActiveX controls. Instead of just being limited to signed applets, a mechanism was found whereby the expected security checks fail (or are simply not made), including the use of controls that are not marked as "safe for scripting". As exploitation of this vulnerability requires some form of HTML-embedded scripting, users with active scripting and scripting of Java applets disabled in Internet Explorer cannot be affected by this hole.
Despite the rather innocuous name, this means that malicious users could arrange to have any code they wished run on their victims' machines, so long as they could coax their victims to visit a web site they maintain or read an HTML-formatted e-mail of their devising. All users of affected versions of the Microsoft VM, which ships with Windows 98, 98SE, Me, NT and Windows 2000 and with Internet Explorer v4.x and v5.x, and who have Internet connectivity, should update as soon as practicable. Note that although Windows 95 did not ship an affected version, users of this platform will be affected if they have installed any vulnerable version of Internet Explorer. Visual Studio and some other products are also known to ship vulnerable VM components, so having Windows 95 and not having installed Internet Explorer 4.0 or a later version is not enough to ensure you have an unaffected system.
Microsoft has released updates for the 3000-series versions of the VM and will release an update for the 2000-series soon. Details of using the JVIEW utility to determine which VM version is installed on your machines are contained in the FAQ associated with the Microsoft Security Bulletin covering this issue. Finally, note that this update supersedes the MS00-059 VM update mentioned a month or so back in the newsletter.
Update stops Internet Explorer "leaking" security credentials
Another update for another serious security hole in Internet Explorer was also announced just after the previous newsletter was posted. The "Cached Web Credentials" vulnerability means that malicious web site designers can easily trick Internet Explorer v4.x and v5.0-5.01SP1 client software into sending login credentials (user name and password) to their sites "in the clear" -- i.e. without the normal protection of the encryption usually required in such transmissions.
This is a serious shortcoming and all users of affected software versions should update as soon as possible. However, a word of warning there... Microsoft now says that Internet Explorer v4.x is no longer supported for security patches. This means that users of IE v4.x will have to update to either v5.01SP1 or v5.5. IE v 5.5 does not have this bug and an update has been made available for v5.01SP1.
NetMeeting v3.01 update available
Microsoft has released an update for a security vulnerability that can be remotely exploited to consume 100% of the CPU. This leaves the affected machine all but unusable, and many users are likely to resort to powering affected machines down, resulting in loss of unsaved work, if hit by something like this.
NetMeeting is not enabled by default under standard Windows 2000 installations and is only available to NT users as an extra download. If it is enabled with Remote Desktop Sharing it is vulnerable to the denial of service described above when specially crafted malformed requests are sent to the hosting machine. If the port NetMeeting listens on (1720) is blocked at your firewall, then you are only at risk from inside attackers.
The Microsoft Security Bulletin and FAQ suggest that there may be other versions of NetMeeting which may also be vulnerable. However, the FAQ also says that the patch can only be applied on NT machines "as long as the product version matches what was noted in the Affected Product section of the bulletin". This update will be included in SP2 for Windows 2000.
New IIS hole fixed by "old" patch
It has just come to light that a serious "directory traversal" hole in IIS was also fixed by the patch designed to solve the "File Permission Canonicalization" vulnerability. Although we did not describe the details of that vulnerability, this was one of several important patches the newsletter recommended to IIS users in the past.
The technical details of this new vulnerability are discussed in the usual Microsoft links at the end of this article. IIS v4.0 and v5.0 users who are not absolutely sure they have run the patches recommended in the MS00-057 Security Bulletin should check. Microsoft now rates that patch as "critical", particularly for remotely accessed (Internet-connected) IIS servers.
Note: Just before posting this week's newsletter, it was reported that this patch can break those parts of sites that depend on directories with dots in their names. Specifically, it seems that web directories with extensions in their names (e.g. <webroot>/test.dir) will be inaccessible to the server if the directory name "looks like" a file type that is executable to the server (e.g. <webroot>/test.com).
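Administrators applying the MS00-057 patch may want to know in advance which directories under their web root are likely to be hit by the side effect just described. The following audit script is an added example written for this newsletter and is not a Microsoft or Hilgraeve tool; the list of "executable" extensions and the default web root path (C:\Inetpub\wwwroot) are assumptions chosen for illustration, and should be adjusted to match the script mappings configured on your own server.

```python
"""Audit an IIS web root for directory names the MS00-057 patch may make unreachable.

Added example for this newsletter, not code from Microsoft. Directories whose
names end in an extension the server treats as executable (e.g. test.com) are
reported as "blocked"; directories with any other extension (e.g. test.dir) are
reported as "dotted" so they can be checked against the server's script mappings.
"""
import os
import sys
from typing import Dict, Iterable, List, Set

# Assumed list of extensions IIS executes rather than serves; adjust to your server.
EXECUTABLE_EXTS: Set[str] = {".com", ".exe", ".bat", ".cmd", ".dll"}


def classify_dir_names(dir_paths: Iterable[str],
                       exec_exts: Set[str] = EXECUTABLE_EXTS) -> Dict[str, List[str]]:
    """Split directory paths into those that look executable and those merely dotted.

    Only the final path component is examined, and the comparison is
    case-insensitive because the Windows file system is.
    """
    blocked: List[str] = []
    dotted: List[str] = []
    for path in dir_paths:
        name = os.path.basename(path.rstrip("/\\"))
        stem, ext = os.path.splitext(name)
        # A leading-dot name such as ".hidden" has no extension per splitext.
        if not ext or not stem:
            continue
        if ext.lower() in exec_exts:
            blocked.append(path)
        else:
            dotted.append(path)
    return {"blocked": sorted(blocked), "dotted": sorted(dotted)}


def scan_webroot(root: str, exec_exts: Set[str] = EXECUTABLE_EXTS) -> Dict[str, List[str]]:
    """Walk `root` and classify every directory beneath it, reported as relative paths."""
    rel_dirs: List[str] = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            rel_dirs.append(os.path.relpath(os.path.join(dirpath, d), root))
    return classify_dir_names(rel_dirs, exec_exts)


if __name__ == "__main__":
    # Assumed default web root; pass a different one as the first argument.
    webroot = sys.argv[1] if len(sys.argv) > 1 else r"C:\Inetpub\wwwroot"
    report = scan_webroot(webroot)
    for rel in report["blocked"]:
        print("BLOCKED (looks executable):", rel)
    for rel in report["dotted"]:
        print("CHECK   (has extension):   ", rel)
```

Run it against the web root before installing the patch; any directory listed as BLOCKED will need renaming (or its content moving) if the site depends on it, and the CHECK entries are worth comparing with whatever additional script mappings the server has configured.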
Security update for HyperTerminal
Some versions of the HyperTerminal application that ships with 32-bit Windows OSes (Windows 98, 98SE, ME and 2000, and NT) have a buffer overflow that can be exploited to run arbitrary code. The overflow is in HyperTerminal's handling of "long" telnet URLs. As HyperTerminal may be the default handler for telnet URLs on some systems, this vulnerability could be exploited via malicious web pages or HTML e-mail messages.
Unfortunately, the information in the relevant Microsoft Security Bulletin about which versions of HyperTerminal are vulnerable is confused, at best -- for example, Microsoft is unsure whether it shipped HyperTerminal with NT or not. Worse, some of the closely related information is plain wrong -- HyperTerminal is not the default telnet URL handler on any Windows 98 machine the newsletter compiler recalls seeing. Perhaps this confusion is due to HyperTerminal being a third-party product Microsoft ships with its OSes?
HyperTerminal is made by Hilgraeve Inc. When the information in the Microsoft bulletin is compared with the information at Hilgraeve's site, some disparities appear. Hopefully the two companies will sort this out soon, so that administrators can ensure they have fixed their machines.
In the meantime, users of machines with HyperTerminal installed are recommended to check what both Hilgraeve and Microsoft have to say about the issue.
IE for Unix security problems
Following the recent spate of problems with IE 5 for Windows, a user of the Unix version reported to the bugtraq mailing list that many of those vulnerabilities also apply to the Unix version of IE. Further, Microsoft has not been releasing patches or updates for the Unix version to match its patches for the Windows platform version of IE.
Details of seven vulnerabilities tested against the Unix version of IE can be read in the bugtraq message archive from the URL below.