The Win32/MTX virus, a couple of variants of VBS/LoveLetter and the perennial JS/Kak have all been quite active the last week or two, if the level of reports of, and questions about, them in public newsgroups is anything to go by. All should be dealt with quickly and efficiently by current virus scanners. That has been true for several weeks, even for the newest of these threats -- Win32/MTX -- which was first isolated and added to most major scanner detection databases late in August.
MTX virus very widespread
Although isolated some weeks back, reports of the MTX virus have increased recently. MTX e-mails itself as the older, and very "successful" Ska (or Happy99) virus did, by patching WSOCK32.DLL and sending an extra e-mail message to each person an infected user sends a message to. Such viruses are easily stopped or prevented -- do not "open" executable attachments in e-mail.
Many users, however, suffer from double-click mania and are compelled by this condition to run anything and everything that graces their mailbox with its presence. For such users, the next best solution is a reliable virus scanner with the on-access component (variously referred to as "active monitor", "shield", "resident", "real-time" etc.) enabled. Although such products will miss new viruses and related threats, so long as they are updated regularly they will protect against things such as MTX, which by its nature spreads more slowly, but more successfully, than "big bang" infectors such as LoveLetter and Melissa.
MTX descriptions from several antivirus developers:
California toughens e-crime legislation
California Governor, Gray Davis, recently signed a bill into law that promotes harsher penalties for computer crimes. Included in the bill are provisions for US$5000 fines and up to three years prison for spreading computer viruses. The Assemblyman behind the bill feels California's role at the centre of the computer and Internet revolution behooves it to take a stronger stand against computer crime than previous state law which, for example, treated distributing a virus as a minor infraction drawing a fine of US$250.
Multiple Internet Explorer security flaws
Several serious security and/or privacy vulnerabilities have recently been exposed in Internet Explorer v5.0x and/or v5.5. Microsoft has not addressed these to date, and some date back many weeks.
In light of this inaction, the compiler of the newsletter can only recommend that users of IE browsers ensure that all active content options are disabled in all security zones other than the Trusted Sites zone. Further, membership in your Trusted Sites zone should be reviewed very carefully -- simply adding sites to that zone "to make them work" is a recipe for disaster.
Simplified Chinese IME state recognition update for Windows 2000
The Simplified Chinese IME (Input Method Editor) for Windows 2000 does not correctly respond to user context. If an IME is installed as part of a system setup, it will be available in the logon screen, running in the LocalSystem context, rather than under a user context. Because of the Simplified Chinese IME's failure to recognize such state issues, any user with local logon privileges can use this IME to elevate their privileges.
Microsoft has released an update for the Simplified Chinese IME and recommends that users with this component as part of their system setup install the update. Note that installing a language pack that includes the Simplified Chinese IME after Windows 2000 has been installed does not expose one to this vulnerability, as, in that case, the IME will not be available in the logon screen. By default, only the Simplified Chinese version of Windows 2000 is vulnerable, but customized installations of other Windows 2000 language versions could have this IME installed during system setup and those systems would be vulnerable.
Update for multiple LPC vulnerabilities in NT/Windows 2000
Detailed analysis of the largely undocumented LPC (Local Procedure Call) and LPC Ports interfaces in NT and Windows 2000 has uncovered a number of design flaws and bugs that raise security concerns. Successful exploits of these holes require local logon privileges, which should reduce the likely threat, but denials of service, BSODs, service impersonation and privilege elevation have been shown as possible results of careful exploitation of LPC services.
LPC services provide the important function of allowing processes and threads running on the same machine to communicate. Although the precise exposure from these vulnerabilities varies slightly between NT and Windows 2000, all versions of both OSes are at risk. The NT version of the update installs over SP6a but the Windows 2000 update will install on an original installation or SP1.
Pegasus Mail file reading vulnerability
The popular e-mail client, Pegasus Mail, has been shown to be vulnerable to a possible remote attack. The method involved depends on Pegasus Mail being installed as the default e-mail handler and using a carefully crafted mailto: URL in a web page or HTML mail message. Clicking the URL on a suitably configured machine (say with Internet Explorer as the web browser and Pegasus Mail as the default e-mail client) could result in files being sent to a designated e-mail address. Successful exploitation of this hole requires that the attacker knows the local path to the file(s) that are to be stolen. Pegasus Mail's author is working on a fix for this problem.
This attack works because Pegasus Mail accepts commandline switches that can direct it to use the core functionality of the mailer itself. Thus, other e-mail client software, or any applications installed as the default handlers for other URL types, that have similar commandline switch functionality may be open to a similar attack.
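The general lesson of the paragraph above is that a program registered as a URL handler receives attacker-chosen text on its command line, so it must validate that text before any switch parsing takes place. The following is an added illustration written for this newsletter, not Pegasus Mail's code or its actual fix: a hypothetical pre-check that accepts only a plain mailto: URL with a single recipient and refuses anything that could be read as a switch or split into a second argument (the character set and the single-recipient rule are this example's assumptions).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pre-check for a program registered as the mailto: handler.
 * The handler receives the URL as a command-line argument; this function
 * accepts it only if it is a plain mailto: URL with a single recipient
 * address drawn from a conservative character set. Anything else (a
 * leading switch character, whitespace that would split into a second
 * token, quotes, control bytes, a different scheme) is refused before the
 * program interprets any of its own switches. */
static bool mailto_arg_is_safe(const char *arg, size_t max_len)
{
    static const char scheme[] = "mailto:";
    const size_t scheme_len = sizeof scheme - 1;
    size_t len = strlen(arg);
    size_t i;

    if (len > max_len || len <= scheme_len)
        return false;                       /* too long, or no address */

    for (i = 0; i < scheme_len; i++)        /* case-insensitive scheme */
        if (tolower((unsigned char)arg[i]) != scheme[i])
            return false;

    const char *addr = arg + scheme_len;
    if (addr[0] == '-' || addr[0] == '/')   /* looks like a switch */
        return false;

    for (const char *p = addr; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '@' || c == '.' || c == '_' ||
            c == '-' || c == '+')
            continue;
        return false;       /* space, quote, control byte, '?', etc. */
    }
    return strchr(addr, '@') != NULL;       /* must be user@host */
}

int main(void)
{
    const char *sample = "mailto:alice@example.org";   /* constructed */
    printf("%s -> %s\n", sample,
           mailto_arg_is_safe(sample, 256) ? "accepted" : "refused");
    return 0;
}
```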
Various Unix format string vulnerabilities
As reported several weeks back, format string security holes are becoming the exploit du jour on Unix and Linux OSes. Many such holes are still being uncovered in popular, and less so, Unix and Linux utilities and applications. Users of these systems should be regularly checking the status of their vendors' security sites for updates to such problems. Also, the web sites of the independently maintained applications and packages you use should be checked for similar information.
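For readers auditing their own code for this class of hole, here is an added example (written for this newsletter, not taken from any of the affected utilities) showing the defect in its usual shape beside the hardened form, plus a small review helper that flags untrusted strings carrying printf directives; the log_unsafe, log_safe and has_format_directive names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The bug as it typically appears: attacker-influenced text (a user name,
 * a syslog line, an argv entry) is passed to printf as the FORMAT, so any
 * %-directive inside it is interpreted rather than printed. Shown for
 * comparison only; nothing below calls it. */
static void log_unsafe(const char *msg)
{
    printf(msg);                    /* BUG: msg controls the format */
}

/* The fix: the format is a string constant and untrusted text goes in
 * as a %s argument, so "%x" or "%n" in msg reaches the output verbatim.
 * Returns the length snprintf would have written (caller can detect
 * truncation by comparing against out_len). */
static int log_safe(char *out, size_t out_len, const char *msg)
{
    return snprintf(out, out_len, "log: %s", msg);
}

/* Review/filtering aid: true if s contains a '%' that printf would treat
 * as a conversion ("%%" is a literal percent sign and is skipped; a lone
 * trailing '%' is flagged because its behaviour is undefined). */
static bool has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent: step over both */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

int main(void)
{
    char out[64];
    const char *msg = "user: %x %n";            /* constructed input */
    log_safe(out, sizeof out, msg);
    printf("%s (directives present: %s)\n", out,
           has_format_directive(msg) ? "yes" : "no");
    (void)log_unsafe;                           /* silence unused warning */
    return 0;
}
```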