The cynic in me suspects a substantial proportion of the virus scanners in the world have probably not been updated since the end of the last week in May. Why? Because a trivial, "old" LoveLetter variant is now being reported in considerable numbers. After the shock of the initial LoveLetter outbreak on 4/5 May, most antivirus developers' web sites were under a form of self-inflicted distributed denial of service attack, due to the incomparable customer demand for detection database updates. It's a fair bet that many of those updaters were acting as the result of a guilt attack, perhaps not having updated since the media scared them into action over Pretty Park, or ExploreZip before it, or even SouthPark or maybe (heaven forbid) even as far back as Melissa...
Other issues covered this week include the first Windows Me security updates, although they are not Me-specific, applying to components of the whole, extended Windows 9x family. And there are some (perhaps now obligatory?) format string updates to consider.
Love's letters lost?
It seems four months may be the limit of the collective memory of computer users. Or perhaps the rate of growth in new users is such that four months after all the media attention, all the hype, all the fear, loathing and doubt, enough of the PC user gene pool is prepared to double-click unknown attachments with dodgy names ending ".jpg.vbs".
Yes -- the last week or so has seen quite an upsurge in reports of some of the LoveLetter variants, most notably LoveLetter.AS (also known as Plan and Colombia, from comments in the virus' code). Despite this recent rise to prominence, LoveLetter.AS was discovered in early June, one month after the initial LoveLetter outbreak. The increase in awareness of such threats following the first LoveLetter fiasco is no doubt responsible for the fact that many people are now reporting intercepting and blocking this latest surge, rather than reporting being infected. However, the increase in reports means there is also an increase in users not taking reasonable precautions and/or not keeping their antivirus software up to date.
MTX on the loose
This rather complex virus has been reported from many sites around the world in the last couple of weeks and would appear to be on the rise. It uses several techniques that have been incorporated, individually, into previous viruses, but chief among its arsenal is that it modifies WSOCK32.DLL (the core 32-bit WinSock network component).
This approach was originally used by Win32/Ska (aka Happy99) to intercept e-mail and Usenet News posts and send a copy of itself along to the same destinations to which its victim posted electronic messages.
Win32/MTX takes a slight deviation from the Ska approach. Like Ska, it tracks e-mail sending but is not interested in Usenet News postings. However, MTX is also interested in the web sites its victims visit, and it blocks attempts to access most antivirus developers' sites (and some other sites). This is done by searching URL requests for sub-strings extracted from the developers' site names. MTX also blocks attempts to send e-mail to addresses with the same sub-string matches.
Good safe hex procedures, or a virus scanner updated within the last few weeks, should prevent you from becoming infected with MTX, as it was first isolated in mid-August.
Various antivirus developers' descriptions of MTX:
Update for WebTV for Windows
Windows 98, 98SE and Me machines with WebTV for Windows installed are vulnerable to a remote denial of service that allows a malicious user to crash either the WebTV program or the machine running it. Restarting the program or the machine resolves the problem, but could result in loss of unsaved work.
Despite the similarity of names, WebTV for Windows has nothing to do with the US "Internet via your television" service, WebTV. WebTV for Windows works with television tuner cards to display television on the computer screen. It is not installed under any default Windows configuration, so this vulnerability should only concern those who have installed WebTV for Windows (or will in the future).
Fix for Word 97/2000 mail merge vulnerability
Word's ability to use an Access database as the source of addresses for a mail merge operation opens it to possible attack. Normally Word warns its users if they are opening a document containing active content ("code") in the form of VBA macros. However, a Word document that has a DDE link to an Access database for the purposes of obtaining the addresses to use in a mail merge will not cause such a warning if the database itself contains VBA macros. (Unlike other programs in the Office suite, Access does not raise such warnings itself.) Compounding this issue is the fact that the database can be located on a machine remote from the affected user, and even on the Internet.
Microsoft has released an update for Word 2000 and will soon release one for Word 97. The update causes Word to properly apply zone-checking, as used in Internet Explorer, to Access data sources. Once the update is installed, attempts to use a database in the Internet or Restricted Sites zones will display a warning that the source is unavailable.
Peer networking security update for Windows 9x/Me
A serious weakness in the implementation of peer networking dependent on share-level access permissions has been uncovered in all versions of Windows 9x and Windows Me. Microsoft has released an update to fix this vulnerability and recommends that all users of the affected OSes with file and print sharing and share-level access should update as soon as possible (although, when this issue of the newsletter was put to bed, the Windows 95 version of the patch was still not available).
The relevant Microsoft security bulletin is delightfully vague about the nature of this latest flaw. However, an advisory from Network Security Focus (the people who uncovered the problem) suggests that a simple network scanner could locate network shares then brute-force the password by guessing the first character only and sending its guesses to the target machine in an "unexpected" way. This is not the first time Microsoft password security has been found wanting due to assumptions in the server code based on the programmer's knowledge of what the Microsoft written client code does and apparent blindness to the possibility that non-Microsoft client code may do something else.
Note that this vulnerability does not affect NT or Windows 2000 because they only support user-level access to shares.
Patch for Windows 9x/Me IPX denial of service hole
The IPX/SPX protocol shipped with Windows 95, 98, 98SE and Me can be coerced into generating a broadcast network storm, resulting in a possible denial of service against affected machines and brief network degradation. This occurs because of erroneous handling of the NMPI (NetBIOS Name Management Protocol on IPX) protocol, whereby an affected machine will respond to a name request in a packet with a broadcast source address. Such packets should just be dropped, as a broadcast address cannot be a valid source address.
Affected machines processing such packets hang, so the broadcast storm cannot be escalated into a true flood by a rogue machine delivering a modest level of invalid "attack" packets to a targeted network. Of course, machines locking up means loss of unsaved work. IPX/SPX is not installed by default under any Windows 98, 98SE or Me configuration, but is installed by default when installing Windows 95 on machines with Plug'n'Play ethernet cards. NMPI is enabled if IPX/SPX is installed, but this is not user-configurable, so there is no simple workaround such as disabling NMPI. As IPX is not generally routed over the Internet, the most likely victims of an attack based on this flaw would be corporate or education networks, and possibly home users with DSL or cable modem service where IPX may be exchanged between users within a sub-net.
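The drop rule described above, as an added example that is not from the newsletter or from any Microsoft code: a receiver check that refuses to process an IPX packet whose source node is the broadcast address. It assumes the standard 30-byte IPX header layout (source node at offset 22); the node addresses used are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example of the check the NMPI handler should have applied:
 * a packet whose *source* node address is the broadcast address is never
 * legitimate and must be dropped rather than answered.  Only the fixed
 * 30-byte IPX header is needed; offsets follow the standard IPX layout. */
#define IPX_HDR_LEN      30
#define IPX_DST_NODE_OFF 10
#define IPX_SRC_NODE_OFF 22
#define IPX_NODE_LEN      6

static const uint8_t IPX_BROADCAST_NODE[IPX_NODE_LEN] =
    { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

/* Build a header with the given source/destination node; other fields are
 * zeroed except the checksum (always 0xFFFF in IPX) and the length. */
void build_ipx_header(uint8_t hdr[IPX_HDR_LEN],
                      const uint8_t src_node[IPX_NODE_LEN],
                      const uint8_t dst_node[IPX_NODE_LEN])
{
    memset(hdr, 0, IPX_HDR_LEN);
    hdr[0] = hdr[1] = 0xFF;          /* checksum field: not used in IPX */
    hdr[3] = IPX_HDR_LEN;            /* length (big-endian), header only */
    memcpy(hdr + IPX_DST_NODE_OFF, dst_node, IPX_NODE_LEN);
    memcpy(hdr + IPX_SRC_NODE_OFF, src_node, IPX_NODE_LEN);
}

/* Returns 1 when the packet must be dropped because its source node is the
 * broadcast address (a reply would go to every station, which is how the
 * storm starts), -1 for a runt frame (also dropped), 0 when the packet may
 * proceed to normal processing.  A broadcast *destination* is normal. */
int ipx_should_drop(const uint8_t *pkt, size_t len)
{
    if (len < IPX_HDR_LEN)
        return -1;
    if (memcmp(pkt + IPX_SRC_NODE_OFF, IPX_BROADCAST_NODE, IPX_NODE_LEN) == 0)
        return 1;
    return 0;
}
```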
Apache web server patches
Several vendors have released updated Apache packages that, among other things, fix two security vulnerabilities in this popular web server. The mod_rewrite vulnerability could allow a remote user to read any file on the server to which the Apache process has access rights, while the Host: header vulnerability could allow file system access outside the webroot in a mass hosting configuration.
Concerned users should check with their vendors for packages or obtain the latest source tree and rebuild their own binaries.
rpc.statd vulnerability in various Linuxes
The CERT Coordination Center is still reporting a high level of system compromises via a format string bug in rpc.statd. Part of the nfs-utils package, rpc.statd ships with most Linux distributions and is installed by default in some. The vulnerability is due to user-supplied data being passed to syslog without suitable checking, opening the possibility of a format string attack.
As rpc.statd is usually run as root, and rpc.statd is often open to remote connections, a remote root exploit is possible. Many systems compromised in this way have had DDoS agents installed, presumably for use in later, distributed attacks against other sites.
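The bug class behind the rpc.statd advisory, shown as an added example that is not rpc.statd's own code: a log routine that lets remotely supplied text reach a printf-family call as the format string, beside the hardened form. syslog() shares printf's format engine, so snprintf stands in for it here so the effect is visible in a buffer; the "statd: monitor request" wording and the host value are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration: "host" stands for a value a remote client
 * supplies and the daemon then logs.  Two stages are typical of this bug:
 * a message is built with the untrusted text embedded, and the finished
 * message is then handed to a logging call where a format belongs. */

/* The compiler's own warning is silenced only so the vulnerable shape can
 * compile beside the fix; in real code -Wformat-security is the cheapest
 * detector for exactly this mistake. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_host_unsafe(char *out, size_t outsz, const char *host)
{
    char line[256];
    snprintf(line, sizeof line, "statd: monitor request for %s", host);
    return snprintf(out, outsz, line);   /* BUG: 'line' is parsed for % directives */
}
#pragma GCC diagnostic pop

/* Hardened shape: untrusted data is always an argument, never the format. */
int log_host_safe(char *out, size_t outsz, const char *host)
{
    char line[256];
    snprintf(line, sizeof line, "statd: monitor request for %s", host);
    return snprintf(out, outsz, "%s", line);
}

int main(void)
{
    /* A host containing "%%" shows the difference without undefined
     * behaviour: the unsafe path collapses it to a single "%", proving the
     * data was interpreted as a format.  Any other directive in that
     * position would read or write memory the caller never intended. */
    char buf[128];
    log_host_unsafe(buf, sizeof buf, "a%%b");
    printf("unsafe: %s\n", buf);
    log_host_safe(buf, sizeof buf, "a%%b");
    printf("safe:   %s\n", buf);
    return 0;
}
```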
Affected vendors have updates available, so if you run a susceptible rpc.statd and have not yet addressed this issue, you should do so with some haste. Aside from your vendor's site, the CERT/CC and Security Focus sites feature detailed coverage of this problem:
In case you are not yet sick of cross-site scripting issues...
Although we have not mentioned it in the newsletter, a significant computer (in)security story recently has been the exposure of the on-line brokerage Etrade through a cross-site scripting attack. InfoWorld's network security columnists, Stuart McClure and Joel Scambray, have an interesting discussion of issues arising from the events surrounding the discovery and announcement of Etrade's "problem":