IDGNet Virus & Security Watch Friday 11 July 2003


This issue's topics:

Introduction:

* Critical patches for Windows, Apache; web search engine snafu

Virus News:

* Another quiet week really

Security News:

* Arbitrary code execution in Windows HTML Converter fixed

* Patch for SMB buffer overflow flaw in most NT-based OSes

* Privilege elevation via Accessibility Utility Manager patched

* New Apache 2.x release fixes four security vulnerabilities

* Web search engine snafu exposes embarrassing, confidential documents

Introduction:

Two new Windows security patches were released this week.

Windows NT 4.0 Workstation hit its 'end of life' on 30 June. On 9 July Microsoft released patches for two quite serious security vulnerabilities that affect, among other OSes, NT 4.0 Server. Given the near identical code-bases of the NT 4.0 Server and Workstation products it seems highly probable that NT 4.0 Workstation is just as vulnerable to these flaws as its Server version 'cousin'. However, fixes for both of these flaws were included in Windows 2000 SP4, released before the end of June.

Virus News:

* Another quiet week really

Despite the over-active adrenal glands of a few marketing and PR types, there were no virus stories of great import this week. A new variant of the MyLife family of mass-mailers made a relatively small and short-lived 'blip' on the radar screens late last Friday and over the weekend, but subsequently has largely disappeared. Given it tried the old 'appeal to the lascivious side' trick, its relative failure may suggest that, among other things it included in its Subject: lines, linking Julia Roberts with sexual activities involving toilets is not exactly a winning combination...

Honestly - it's not worth the link-space. You've read it all before and it did nothing new.

Security News:

* Arbitrary code execution in Windows HTML Converter fixed

Microsoft has released fixes for a critical vulnerability in the HTML Converter component installed with all supported Windows OSes. Due to a flaw in the HTML Converter, specially formed HTML code can overflow a buffer in the converter during clipboard operations on the HTML. These operations can be scripted, so the vulnerability can be 'automatically' exploited by viewing HTML in the Internet security zone under a default IE installation and under various other scenarios. Aside from obtaining and installing the patch (which is very highly recommended), Microsoft lists several workarounds that may be useful in the short-term until a mass-patching operation can be performed at your site. These workarounds are not ideal though and are likely to reduce the normal, expected functionality of various software.

As already stated, Microsoft rates this as a critical severity vulnerability for all supported Windows operating systems. The newly released Windows Server 2003 is the exception - on that OS IE runs in the so-called 'Enhanced Security Configuration' which reduces its exposure to this vulnerability, and the non-IE forms of exposure of this flaw are unlikely to occur on a server.

Note that the HTML Converter in NT 4.0 Workstation almost certainly shares this vulnerability with the listed OSes. Microsoft has not released an NT 4.0 Workstation patch for this flaw because that OS reached its 'end of life' nine days before Microsoft published the relevant security advisory.

Windows NT Workstation 4 'end of life' announcement - microsoft.com

Microsoft Security Bulletin MS03-023

* Patch for SMB buffer overflow flaw in most NT-based OSes

NT 4.0 Server and Terminal Server, Windows 2000 (all versions) and XP Professional are vulnerable to an exploitable buffer overflow due to flaws in the code handling SMB command parameters. This flaw can only be exploited over an already authenticated SMB connection, and SMB should not normally be exposed directly to the Internet. For these reasons Microsoft has rated this vulnerability as 'important', rather than of higher severity.

Windows Server 2003 is not vulnerable. As with the preceding item, Windows NT 4.0 Workstation most probably is, but it is not covered by a patch: it reached its 'end of life' just over a week before Microsoft published the relevant security advisory, so Microsoft does not feel obliged to supply a hotfix for that platform. Windows 2000 users should note that this patch is included in SP4, so if that is already installed there is no need to install the standalone patch for that OS linked from the security bulletin.

Windows NT Workstation 4 'end of life' announcement - microsoft.com

Microsoft Security Bulletin MS03-024

* Privilege elevation via Accessibility Utility Manager patched

Windows 2000 administrators should assess their systems' likely exposure to a newly announced privilege elevation vulnerability in the Utility Manager component of the Accessibility functionality provided in that OS. The problem arises from the lack of checking of Windows messages passed to the Utility Manager. Such messages can cause the Utility Manager to execute callbacks to arbitrary addresses and as Utility Manager runs with system privileges, any application with access to the interactive desktop could send a message to Utility Manager and have it execute any function on the machine.

Microsoft rates this an 'important' vulnerability. However, sites running Windows 2000 in shared-computer networks, or with some users who may be best considered 'hostile', should treat this as a higher severity than that. This vulnerability is patched by SP4 but a standalone patch has been released for those who have not tested and rolled out that service pack.

Again, as with the preceding two items, NT 4.0 Workstation was not tested for vulnerability as it has reached its 'end of life', but as the closely related NT 4.0 Server versions were tested and rated not vulnerable, there is probably little for NT 4.0 Workstation users to worry about.

Microsoft Security Bulletin MS03-025

* New Apache 2.x release fixes four security vulnerabilities

The Apache Software Foundation has just released v2.0.47 of the world's most deployed web server. This release includes four security fixes with consequences, if exploited, ranging from use of weaker than expected encryption through short-term denials of service to server crashes. Aside from these security fixes, a few other bug fixes and feature enhancements are also included in this release. Apache 2.0 administrators are recommended to update - major Unix and Linux distributions that include Apache 2.0 have started shipping updated packages, or soon will be.

Apache 2.0.47 Release Notes - apache.org

* Web search engine snafu exposes embarrassing, confidential documents

Consumer rights advocacy group CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) uncovered a hole in the web site content of the Auto-ID Center. The Auto-ID Center is a partnership of commercial and academic interests set up to further the use of Radio Frequency ID (RFID) technology. In the centre's own words '[We are] designing, building, testing and deploying a global infrastructure - a layer on top of the Internet - that will make it possible for computers to identify any object anywhere in the world instantly.' By 'any object' they mean every manufactured object - if the idea of a remotely trackable RFID tag on every can of coke seems far-fetched, you may not fit in well at the Auto-ID Center.

Not surprisingly, some consumer rights groups are not too happy about the basic tenet behind this - CASPIAN is one such group. Members of CASPIAN discovered that simply searching the Auto-ID Center's site with its own, publicly accessible search engine returned documents that presumably were not intended for public consumption. Simply searching for the word 'confidential', reports CASPIAN, returned 68 documents. Repeating the search now returns the claim that 56 results were found, but only three documents (rather oddly, numbers 1, 3 and 5) are displayed in the results list.

Although the cause is not entirely clear, it seems likely that a local web indexing engine (that is, running on the Auto-ID Center's web server) 'over zealously' indexed all documents that it could see on the web server, even if they were not explicitly linked from any of the site's pages. Of course, depending on the non-availability of public links to 'protect' content that is not supposed to be publicly available but which is stored on a public web server is dubious to start with. It raises the interesting question however, of how much more unintentionally accessible material can be found through such means?
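The audit a site administrator would want after reading the above is a check for 'orphan' files: documents sitting under the web server's document root that no page links to, yet which a local indexer walking the filesystem would still pick up. The following is an added example, not code from the newsletter or from the Auto-ID Center; it crawls a constructed in-memory site (the `SITE_PAGES` and `DOCROOT_FILES` names and contents are hypothetical stand-ins for a real crawl and a real directory listing) and reports the files that are reachable only by knowing their path.

```python
"""Orphan-document audit: files under the document root that are never
reached by following links from the home page. Constructed sample site;
all names here are hypothetical and not from the original article."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LinkParser(HTMLParser):
    """Collect every href/src target from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def crawl(pages, start="/index.html"):
    """Breadth-first walk of same-site links from `start`.
    `pages` maps a path to its HTML body (stand-in for fetching over HTTP);
    a linked path absent from `pages` is a non-HTML asset: reachable, not parsed."""
    reachable, queue = {start}, [start]
    while queue:
        path = queue.pop(0)
        body = pages.get(path)
        if body is None:
            continue
        parser = _LinkParser()
        parser.feed(body)
        for link in parser.links:
            target = urlparse(urljoin(path, link))
            if target.netloc == "" and target.path not in reachable:  # stay on this site
                reachable.add(target.path)
                queue.append(target.path)
    return reachable


def orphan_documents(docroot_files, pages, start="/index.html"):
    """Files present on disk that no crawl from `start` ever reaches."""
    return sorted(set(docroot_files) - crawl(pages, start))


# Constructed sample: a three-page site plus two unlinked files that a
# filesystem-walking indexer would still add to its index.
SITE_PAGES = {
    "/index.html": '<a href="about.html">About</a> <a href="docs/public.html">Docs</a>',
    "/about.html": '<a href="/index.html">Home</a> <img src="logo.png"> <a href="http://example.com/x">ext</a>',
    "/docs/public.html": '<a href="../about.html">Back</a>',
}
DOCROOT_FILES = list(SITE_PAGES) + ["/logo.png", "/docs/confidential-plan.pdf", "/drafts/board-minutes.doc"]

if __name__ == "__main__":
    for path in orphan_documents(DOCROOT_FILES, SITE_PAGES):
        print("unlinked but indexable:", path)
```

Against a real server, `SITE_PAGES` would be replaced by fetched pages and `DOCROOT_FILES` by an `os.walk` of the document root; anything the check reports should be either removed from the public tree or placed behind access control rather than left relying on the absence of a link.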

Tracking tag firm exposes confidential data online - silicon.com

CASPIAN uncovers security hole on Auto-ID Center's website - nocards.org
