IDGNet Virus & Security Watch Friday 25 July 2003


This issue's topics:

Introduction:

* Multiple Windows, Darwin Server, OS X, NW 5.1, Oracle, UniVerse & VMWare patches

Virus News:

* Gruel continues run with many variants

* Welsh virus writer's sentence appeal fails

Security News:

* NT 4.0 Server denial of service vulnerability fixed

* Critical DirectX buffer overflow fixed in all Windows OSes

* New cumulative patch for SQL Server and MSDE

* Multiple flaws in Apple QuickTime/Darwin Streaming Server fixed

* Update fixes account creation flaw in Mac OS X

* NetWare 5.1 perl2cgi.nlm buffer overflow fixed

* Multiple Oracle Applications & E-Business Suite security fixes

* Multiple IBM U2 UniVerse database privilege elevations

* Privilege elevation with VMWare on Linux hosts fixed

Introduction:

Three more Windows patches this week, and again one of them (the DirectX update) is critical for all Windows platforms, or for all but Windows Server 2003, depending on your view of 'critical' (if you only run Microsoft code, and do so in the default configuration, then this vulnerability may not quite be 'critical' on Windows Server 2003). Administrators of systems running SQL Server or MSDE will get some more patching experience too, with a new cumulative patch for those products introducing fixes for three new vulnerabilities.

The serious patching wagon doesn't just stop by the Windows admin's doors this week - the OS X and NetWare 5.1 operating systems, and significant applications for several other OSes, such as the Oracle and IBM UniVerse databases and VMWare for Linux, also require some attention.

On the virus front, the highly destructive payload of Gruel (aka Fakerr) has been propagated further by several new variants of this nasty mass-mailer since we reported its initial appearance last week. And things may be looking up on the legal side of malware issues, with a UK court upholding the initial two-year jail term handed down to Welsh virus writer Simon Vallor who earlier admitted writing and releasing the Gokar, Redesi and Admirer viruses.

Virus News:

* Gruel continues run with many variants

The writers of the Gruel (aka Fakerr) mass-mailer we mentioned last week may not receive many points for the originality of their code or of the basic approach they chose, but they may receive credit for persistence. At least eight variants have been discovered in the week since the first Gruel was uncovered, although none have become very widespread...

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Welsh virus writer's sentence appeal fails

Welsh virus writer Simon Vallor has failed to reduce his two-year prison sentence for writing and releasing three self-mailing viruses (or 'e-mail worms'). At the sentencing appeal, Vallor's lawyer wheeled out the time-worn 'my client did not realize the likely extent of trouble or damage that could be caused' excuse. The appeals judge rejected these claims in dismissing the appeal. By his own admission, Vallor wrote and released the viruses that came to be known as Gokar, Redesi and Admirer.

Virus writer's appeal fails - bbc.co.uk

Virus writer's appeal dismissed; two-year sentence stands - silicon.com

Security News:

* NT 4.0 Server denial of service vulnerability fixed

A patch has been released for a newly announced vulnerability rated by Microsoft as being of 'moderate' severity. The patch covers NT 4.0 Server and NT 4.0 Terminal Server, but it is a fair bet that NT 4.0 Workstation is also open to this vulnerability and is simply not patched because that OS has reached its official 'end of life'. Later NT-based OSes are claimed not to be vulnerable. The 'moderate' rating reflects the fact that no default NT 4.0 Server component exposes the vulnerable function to remote input; it is third-party code that calls the function with user-supplied data, such as the Java runtime discussed below, that makes it remotely reachable.

The vulnerability was discovered by security researchers from @stake, whose advisory discusses the flaw in relation to the getCanonicalPath method of java.io.File in IBM's Java 2 Runtime Environment. This Java method passes its argument to the vulnerable underlying OS function without sanitizing it, and that argument (a file name) can easily be supplied directly by a user, so a Java application that canonicalizes user-supplied paths can be made to crash the host. As @stake's researchers note, '[t]his class of problem highlights the Java platform's dependence on the correctness of the underlying operating system for its overall security'.

Windows NT 4.0 with IBM JVM Denial of Service - atstake.com

Microsoft Security Bulletin MS03-029

* Critical DirectX buffer overflow fixed in all Windows OSes

Microsoft has released patches for, and updated versions of, DirectX to address a buffer overflow vulnerability in all supported versions of this multimedia sub-system. Microsoft rates the vulnerability as critical for all versions of DirectX on all OSes except Windows Server 2003, where it rates the vulnerability as 'important'. This latter rating is dubious, however, as the mitigating circumstances listed in the security bulletin are Internet Explorer-specific (Windows Server 2003's locked-down default IE configuration), while the bug is in a system component widely used by other, non-Microsoft, applications. Whilst a default installation of Windows Server 2003 with no other applications installed is 'protected' from automatic exploitation of this vulnerability, Windows Server 2003 users with other application environments (anything that hands untrusted media files to DirectX) will likely not have this 'protection'.

Discovered by researchers at eEye Digital Security, the vulnerability is actually two similar buffer overflows in the MIDI file parsing code of the 'quartz.dll' DirectX component, triggered by a malformed MIDI file. eEye's security advisory suggests that the Windows Server 2003 version of quartz.dll is immune to one of the overflows because it contains an additional sanity check for one of the potential overflow conditions, but the advisory does not specify the DirectX version or quartz.dll file version concerned. Both overflows are 'integer overflows': a buffer length is computed from 16-bit values read from the file, the arithmetic does not check whether the result 'wrapped around', and the heap buffer allocated with the wrapped (too small) length is then overrun by the data copied into it.
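The following is an added example of the bug class just described, written for this newsletter; it is not eEye's or Microsoft's code and not the actual quartz.dll logic. The chunk layout it parses (a 16-bit record count, a 16-bit record size, then the records, all little-endian) and the function names are invented for the illustration. It shows the 16-bit wrap-around that turns a hostile header into a tiny allocation, beside a parser that does the arithmetic in a wide type and bounds the result by the input actually present.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Invented chunk layout for this example: [count:u16][size:u16][records...] */
#define HDR_LEN 4

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));   /* little-endian 16-bit field */
}

/* Vulnerable pattern: the byte total is stored in a 16-bit variable.
 * count = 0x0100 and size = 0x0100 multiply to 0x10000, which is truncated
 * to 0. A decoder that allocates `total` bytes and then copies `count`
 * records of `size` bytes each writes 64 KiB past a zero-length heap block:
 * the heap corruption the advisory describes. This function only returns the
 * wrapped value so it is safe to call. */
uint16_t wrapped_total(uint16_t count, uint16_t size)
{
    uint16_t total = (uint16_t)(count * size); /* silently truncated to 16 bits */
    return total;
}

/* Hardened parser: multiply in size_t, refuse a product that could overflow,
 * refuse a product larger than the payload actually present in the input,
 * and only then allocate and copy. Returns a malloc'ed copy of the records
 * (caller frees) and sets *out_len, or NULL if the chunk is rejected. */
unsigned char *parse_chunk_checked(const unsigned char *in, size_t in_len,
                                   size_t *out_len)
{
    if (in == NULL || out_len == NULL || in_len < HDR_LEN)
        return NULL;
    size_t count = rd16(in);
    size_t size  = rd16(in + 2);
    if (count == 0 || size == 0)
        return NULL;
    if (count > SIZE_MAX / size)         /* count * size would overflow size_t */
        return NULL;
    size_t total = count * size;
    if (total > in_len - HDR_LEN)        /* claimed records are not in the input */
        return NULL;
    unsigned char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, in + HDR_LEN, total);
    *out_len = total;
    return buf;
}

/* Constructed sample inputs for the example. */
/* Hostile: claims 0x0100 records of 0x0100 bytes, but carries 4 payload bytes. */
static const unsigned char HOSTILE[] = { 0x00, 0x01, 0x00, 0x01, 0xAA, 0xBB, 0xCC, 0xDD };
/* Benign: 3 records of 2 bytes, and the 6 payload bytes are present. */
static const unsigned char BENIGN[]  = { 0x03, 0x00, 0x02, 0x00, 1, 2, 3, 4, 5, 6 };

/* Returns 1 if the checked parser rejects the hostile chunk. */
int hostile_rejected(void)
{
    size_t n = 0;
    unsigned char *p = parse_chunk_checked(HOSTILE, sizeof HOSTILE, &n);
    int rejected = (p == NULL);
    free(p);
    return rejected;
}

/* Returns the number of payload bytes the checked parser copies from the
 * benign chunk (6), or -1 if the copy is missing or wrong. */
int benign_len(void)
{
    size_t n = 0;
    unsigned char *p = parse_chunk_checked(BENIGN, sizeof BENIGN, &n);
    if (p == NULL)
        return -1;
    int ok = (p[0] == 1 && p[5] == 6);
    free(p);
    return ok ? (int)n : -1;
}
```

The second check in parse_chunk_checked is the one that matters in practice: even where the multiplication cannot overflow the wide type, a length that exceeds the bytes remaining in the file is a lie in the header and the chunk should be rejected outright rather than clamped.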

Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption - eeye.com

Microsoft Security Bulletin MS03-030

* New cumulative patch for SQL Server and MSDE

All currently supported SQL Server versions and their derived 'desktop engine' versions (often known as MSDE) have three 'important' severity vulnerabilities fixed in a newly released cumulative patch. Aside from including all previously released patches (relative to the supported product or service pack version), this cumulative patch is the only source of fixes for a named pipe hijacking flaw leading to privilege escalation, a named pipe-based denial of service, and a buffer overflow in SQL Server's handling of Local Procedure Call (LPC) requests. Although the first and third of these vulnerabilities could be exploited to obtain elevated privileges with which to read and/or modify database contents, neither can be exploited remotely, and both require that the 'attacker' can already authenticate to the server.

Researchers from @stake discovered these vulnerabilities and the @stake advisories describing them are linked below.

SQL Server and MSDE are included in many products, including several third-party applications. An extensive, but probably non-definitive, list of products known to include either is available at the SQLSecurity page linked below.

@stake SQL Server & MSDE security advisories (a070803-1) - atstake.com

@stake SQL Server & MSDE security advisories (a072303-2) - atstake.com

@stake SQL Server & MSDE security advisories (a072303-3) - atstake.com

SQL Server/MSDE-Based Applications - sqlsecurity.com

Microsoft Security Bulletin MS03-031

* Multiple flaws in Apple QuickTime/Darwin Streaming Server fixed

Rapid7 security researchers have uncovered several vulnerabilities in the Apple QuickTime/Darwin Streaming Server, most of which Apple has now fixed in a new release of its streaming media server product. Each of the fixed flaws is specific to either the OS X or the Win32 build, but one vulnerability in Rapid7's security advisory is listed as not yet fixed and sounds as if it may affect all platform versions of the Darwin Streaming Server. Administrators of affected systems should upgrade to version 4.1.3g (or later), which is now available from Apple's Streaming Server pages linked below.

Multiple Vulnerabilities QuickTime/Darwin Streaming Server - rapid7.com

Developer Connection: Streaming Server - apple.com

* Update fixes account creation flaw in Mac OS X

Workgroup Manager in OS X initially creates new accounts with blank passwords. This allows anyone with access to the system to log in to a newly created account knowing only the account name, during the window before the administrator sets its password. Apple has released an updated Workgroup Manager that creates new accounts with the password initially set to the 'disabled' state, preventing their use until a password is specifically set. Administrators who created accounts with the old version should check that none are still sitting with a blank password.

Security Update 2003-07-23 v.1.0: Information and Download - apple.com

* NetWare 5.1 perl2cgi.nlm buffer overflow fixed

Novell has released an updated 'perl2cgi.nlm' to fix a buffer overflow in this component of NetWare 5.1 SP6 and earlier server releases. If exploited, the vulnerability could result in the remote crashing of the server or of the service calling the affected NLM (most likely a web server service). A link to the patch download is included in the Novell Technical Information Document linked below.

CGI2PERL 7-19-03: TID2966549 - novell.com

* Multiple Oracle Applications & E-Business Suite security fixes

Multiple vulnerabilities, ranging in seriousness from sensitive information disclosure through denial of service to full database access and running arbitrary code in the security context of the database process, have been patched in recent updates released by Oracle. Affected products are Oracle E-Business Suite 11i, Oracle Applications, Oracle 8i, and Oracle 9i Releases 1 and 2. Details of precisely which products are open to which of these vulnerabilities, and of patch availability, can be found in the Oracle security alerts linked below.

Oracle Security Alerts 55 - oracle.com (PDF)

Oracle Security Alerts 56 - oracle.com (PDF)

Oracle Security Alerts 57 - oracle.com (PDF)

* Multiple IBM U2 UniVerse database privilege elevations

Staff at Secure Network Operations have disclosed several privilege elevation vulnerabilities in IBM's U2 UniVerse database ('an extended relational database designed for embedding in vertical applications') and its related U2 Tools. Workarounds for each are provided in the security advisories describing the vulnerabilities.

Secure Network Operations security advisories (0831) - secnetops.com

Secure Network Operations security advisories (0833) - secnetops.com

Secure Network Operations security advisories (0913) - secnetops.com

Secure Network Operations security advisories (1223) - secnetops.com

IBM UniVerse home page - ibm.com

* Privilege elevation with VMWare on Linux hosts fixed

Linux versions of VMWare Workstation 4.0, GSX Server 2.5.1 build 4968, and earlier releases of both products have a vulnerability that allows any user of the host (Linux) system to launch an arbitrary program with root privileges. Details of the vulnerability have not been published, but what has been described is suggestive of an environment variable overflow in a privileged (setuid root) component. Versions of the products patched to fix these problems have been released as VMWare Workstation 4.0.1 and GSX Server 2.5.1 patch 1.

Although exploit details have not been released, these are clearly critical flaws for which the relevant updates should be obtained as soon as possible if less privileged users have access to the affected software.

Archived Bugtraq list message - securityfocus.com
