The NT 4.0 "Invalid URL" patch mentioned in last week's newsletter was unavailable from Microsoft's download servers for much of the week. Many people reported no success in obtaining it. Microsoft admitted having sporadic replication problems in the server farm of the Microsoft Download site, but it seems to be available now. However, there have also been reports that this update requires SP5 or later but the installer does not check the SP level, installing the patch on any NT 4.0 system. Machines still on SP4 or earlier are rendered unbootable ("DLL initialization failed" while loading KERNEL32.DLL) by installing the update. The standard advice to always trial patches and updates on test machines reflecting the configuration of your production environment would be well heeded here.
This newsletter focuses on several Windows 2000-specific updates and points to an accessible description of the workings of format string vulnerabilities. A new virus, which is unlikely to be seen in the wild, masquerading as an e-mail virus hoax is described and a good site for information about virus myths, that has a suitably cynical twist, is recommended for your browser's bookmarks...
Wobbler hoax no virus, but this is
Search for "wobbler" in any antivirus web encyclopedia, and you should quickly discover (if you did not already know) that the well-travelled "warning" that the dreaded "WOBBLER virus" spreads in an e-mail message with a Subject: line of "CALIFORNIA" is actually a hoax. A new virus, which has not been seen in the wild, takes advantage of the existence of this hoax in a rather odd way.
One way this new virus distributes itself is as an e-mail attachment that, when run, displays the text of the Wobbler hoax. Meanwhile, in the background the virus' main code runs. This distributes the virus to addresses in the victim's Outlook address book (if Outlook is installed) and copies the virus to any writable network shares that are currently mapped to the victim machine. This latter distribution method is not likely to be very effective, as no further steps are taken to ensure these copies of the virus are executed on those machines.
Antivirus developer descriptions:
It's all over but the streaming...
The debate over the real significance of the discovery of the first computer virus that uses an NTFS additional data stream (ADS), has continued through the week. As reported in the previous newsletter, the Win2K/Stream virus copies its host's primary stream into an ADS then overwrites the primary stream with the virus' code. Thus, Win2K/Stream does not use the ADS feature for any viral code.
Further, in general, any virus or other form of malware trying to utilize an ADS must have some code somewhere in a primary stream to be able to have its ADS part launched. Virus scanners that do not specifically scan ADS will thus still be able to detect such viruses by locating this "loader" code. These facts have not stopped some fairly wild speculation about some future, new viruses and what may be possible with ADS. Some commentators have questioned the motivation of the antivirus developer pushing the story hardest. It has been suggested the main reason that Kaspersky Lab, Russian maker of AntiViral Toolkit Pro (AVP), is pushing this is because Kaspersky Lab is looking for US media exposure. Kaspersky Lab has just opened its first US office, previously having depended on distributors to market its product there. Kaspersky Lab denies these claims, suggesting it is just more concerned about warning of likely new trends than its competitors.
Virus myths site revamped
All this talk about virus hoaxes and hype surrounding virus issues reminds me that Rob Rosenberger has recently revamped the Virus Myths web site. Rob's site has been an island of sanity amidst the hype, over-selling, name-calling and one-up-manship that often sees the important issues overlooked during virus outbreaks (and, increasingly, during suspected and anticipated outbreaks).
Rob's cynicism is the sort of thing you probably either love or hate, but it's well worth a look to decide for yourself. If you don't appreciate his particular take on the scene, ignore the "editorial" pages (though you'll miss some great humour!) and bookmark his site for the extensive collection of virus hoax and "mythconception" debunking information. Finally, his treatise on "false authority syndrome" is a must-read for anyone who works with computers (and not just for those whose job it is to keep the computers in the office running).
Windows 2000 policy corruption vulnerability patched
This update is included in Windows 2000 SP1, but Microsoft has released it as a separate update for users not installing SP1 yet, due to the seriousness of the security hole it patches. The "Local Security Policy Corruption" vulnerability could allow a malicious user to corrupt parts of a Windows 2000 machine's local security policies. The effect of this varies, depending on the machine -- for example, workstations would effectively be removed from their domains and domain controllers would stop processing domain validation requests.
To succeed with such an attack, the attacker would have to be able to make RPC connections to the target machines. Typical firewall configurations should prevent this posing a serious threat from remote sites. However, the fact that recovery requires restoring a known good configuration from backup suggests that leaving this vulnerability open could be a costly decision. The vulnerability is present in all Windows 2000 versions except for the Datacenter Server version.
Patch for Windows 2000 with digital cameras, scanners, etc
Microsoft has released a patch for the rather esoterically named "Still Image Service Privilege Escalation" vulnerability. In essence, this security hole allows any user who can log into the console to raise their privileges to the level of the "Still Image Service", which runs as LocalSystem. The "Still Image Service" is not installed by default on Windows 2000 machines, but is automatically installed by plug-n-play should a suitable device (such as a digital camera or scanner) be attached to the machine.
Update removes Windows 2000 remote RPC DoS vulnerability
An update is available for the remotely exploitable "Malformed RPC Packet" vulnerability in all Windows 2000 releases. Specially created, invalid packets directed to a Windows 2000 machine can cause the RPC service to fail responding to other, valid, RPC traffic. Should this happen, a reboot is required to restore RPC functionality.
Machines behind a firewall blocking external traffic to ports 135-139 and port 445 will not be vulnerable to remote attack, but are still open to attack from the local network. If you cannot trust your LAN users, or cannot block remote traffic to those ports at a firewall, you should install the following update on all Windows 2000 machines.
Useful tool for checking IIS v5.0 security patches
IIS v5.0 administrators may be interested in a new security checking utility from Microsoft. It can be configured to periodically or continuously check a database of security fixes and determine whether the local IIS installation and/or remote ones have had all available updates applied. Several other security tools and configuration checklists are also available from the same web page. Microsoft security staff have suggested that a similar tool for users of IIS v4.0 will be released once the use and performance of this tool has been evaluated.
- Microsoft Security Tools page
Format string vulnerabilities explained
Recently, the security community has become interested in a security vulnerability that has become known as the "format string attack". In common with the more traditional buffer overflow attack, and many other security vulnerabilities, format string attacks take advantage of poor or lazy programming practices. The locale sub-system vulnerabilities covered in last week's newsletter, and several other recent Unix and/or Linux vulnerabilities, are based on format string attack techniques.
You would not be alone, however, if you have heard the term but found the descriptions to date either too vague or too technical. If so, a recent paper by Tim Newsham, of security consultants Guardent, may be of interest as it covers the topic in a very readable manner. Newsham's paper can be read at the first URL below, and a PDF version may be obtained from the second URL.
Note that many Unix and Linux packages are being extensively tested for potential format string vulnerabilities. As a result, many updates are being posted by the various vendors. In general, these will not be covered in this newsletter unless they are of significant scope, such as the glibc locale vulnerability. You should monitor your vendor's security page for news of fixes to the smaller packages.
Also note that whilst format string vulnerabilities tend to be talked about in the context of Unix and Unix-like OSes, they are more general. Such bugs could potentially affect any applications written in C/C++.
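To make the programming mistake concrete, here is an added example (not from the newsletter or Newsham's paper) in C: a logging helper that passes untrusted text straight to snprintf as the format, its corrected form, and a small audit routine that counts the conversion specifications a string would consume so untrusted text can be rejected before it ever reaches a format-taking API. The function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable pattern: msg is used as the format string, so any '%'
 * directive it contains is interpreted by snprintf rather than copied. */
int log_line_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);  /* format is caller/user controlled */
}

/* Fixed pattern: a constant format; msg is only ever a %s argument. */
int log_line_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Audit helper: count conversion specifications in fmt, i.e. how many
 * variadic arguments it would consume. "%%" is a literal percent sign
 * and consumes nothing; a '*' width or precision pulls an extra int.
 * Returns -1 for a dangling '%' or for %n, which writes to memory and
 * has no legitimate place in text of untrusted origin. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;          /* "%%" -> literal '%' */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') n++;           /* '*' consumes an int argument */
            p++;
        }
        if (*p == '\0' || *p == 'n') return -1;
        n++;                              /* the conversion character itself */
    }
    return n;
}

/* Gate: untrusted text may be handed to a format-taking API only when
 * it contains no conversion specifications at all. */
bool safe_as_format(const char *msg) { return count_conversions(msg) == 0; }
```

The "%%" input in the test is chosen because it is the one directive snprintf handles without consuming an argument, so the two helpers can be compared without undefined behaviour; it is enough to show that the unsafe variant interprets the text while the safe one copies it verbatim.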
Newsham's format string attack paper:
Web servers hacked through default passwords
Several recent episodes of web sites being defaced have been attributed to poor password management. The most common of these poor practices is the site administrator not changing default passwords on the database servers that often run hand-in-glove with today's complex web sites.
A recent example was the UK Legoland site being defaced because the SQL server default admin password (which was blank) had not been changed. Regrettably, too many administrators leave such passwords in the belief (or hope) that firewalls will be properly configured to prevent outsiders getting access to the database server ports.
- News story on Legoland defacement