IDGNet Virus & Security Watch Friday 4 July 2003

This issue's topics:

Introduction:

* Opera DoS, exploitable IE HTML parser flaw, MSAV 2.0?

Virus News:

* First hints of Microsoft antivirus product plans?

Security News:

* Multiple DoS flaws in Opera 7

* More on last week's 'scripting grief in Internet Explorer' item

* Windows Commerce Server may give up SQL Server login details

* More holes in Passport

Introduction:

We have not included an item in the newsletter proper on the following story as no good web references were available as this issue of the newsletter 'went to press'. Anyway, it seems that the US Federal Computer Incident Response Center (FedCIRC) has released a low severity 'informational notice' headed 'Website Defacement Contest Scheduled for Sunday, July 6, 2003'. It seems there is a good chance that this notice will be forwarded all over the net in the next few hours, and worse that it will probably be restated in other people's own words but with increasing levels of alarm and concern expressed (and possibly the fact that FedCIRC rates this a 'low severity' notice missed out entirely). In fact, I have already seen a couple of such messages on mailing lists supposedly mainly subscribed to by security professionals who should know better... The Subject: line of the FedCIRC notice, should it be forwarded to you is, as best I can tell, 'Hacker Challenge- FedCIRC Informational Notice 2003-07-01' (although the punctuation looks wrong to me).

Aside from the FedCIRC story there has been nothing of great import in the security scene this week, although Windows users of Opera 7 should be on the lookout for updates to their browser. The ante on the IE 'scripting flaw' we mentioned last week has been upped: it turns out to be a remotely exploitable buffer overflow, allowing arbitrary code execution, in an IE component that several other products also use for HTML parsing during format translation. Further, a proof of concept exploit has been released, so it will not be surprising to see this exploited in the wild in the near future; as there is not yet a patch for this problem, the wisdom of leaving scripting enabled (which the PoC exploit depends on) should be questioned again. A new Passport flaw that allows easy recovery of the passwords of 'older' Passport accounts should be of concern to anyone whose Passport account is around two years or more old.

The virus scene was very quiet too, with a hint of Microsoft's plans for its newly-acquired virus scanning technology being the dim highlight of the week.

Virus News:

* First hints of Microsoft antivirus product plans?

Microsoft's European senior security strategist has spoken briefly about the company's plans for its recent antivirus technology acquisition from Romanian developer GeCAD. He also admitted that Microsoft faced the issue of overcoming the history of its poor reputation for security. Noting the company planned to release a virus scanning product with some form of subscription update service, he did not divulge any of the more sought after details such as a likely timeframe for the appearance of this product, whether it would be bundled with future OSes and so on.

Microsoft to bundle own anti-virus protection? - silicon.com

Security News:

* Multiple DoS flaws in Opera 7

A recent report posted to the Bugtraq mailing list suggests that Opera for Windows 7.11 build 2887, and several earlier builds/versions that were also tested, are vulnerable to five trivial denial of service or application crash attacks from script and HTML code found in use on general web sites. Unfortunately for the Opera user, Opera's web site only describes the currently available versions by version number and not build. As of this writing, downloading and installing the current Opera 7.11 gives one a build 2887 installation.

As these vulnerabilities have now been 'advertised', Opera users should keep a close eye on the Opera site for any hint a new version has been released and hope that it addresses these problems.

Archived Bugtraq list message (327333) - securityfocus.com

* More on last week's 'scripting grief in Internet Explorer' item

In last week's newsletter we mentioned the Bugtraq and Full-Disclosure mailing list discussions of a remotely exploitable buffer overflow in IE's handling of certain JavaScript constructs, and suggested that exploits of this vulnerability were probably being devised as we spoke. This week a Russian hacker going by the handle 'ZARAZA' (alternately spelt '3APA3A') posted proof of concept exploit code taking advantage of this flaw, which is actually a buffer overflow in the horizontal rule ('HR') tag processing of 'html32.cnv' (a renamed DLL).

As this exploit, and more importantly the method of 'protecting' its shellcode from the parsing it has to pass through before the vulnerable code strikes it, is now public, last week's advice to reconsider disabling JavaScript in IE may be even more pertinent, at least until Microsoft ships a patch. We have posted links to archived copies of the original vulnerability announcement and ZARAZA's exploit announcement.

Archived Bugtraq list message (326395) - securityfocus.com

Archived Bugtraq list message (327330) - securityfocus.com

* Windows Commerce Server may give up SQL Server login details

Cesar Cerrudo posted an advisory to the Full-Disclosure security mailing list describing a weakness in Windows Commerce Server 2002, which may also be present in the 2000 version of the product. If the SQL Server Authentication method, rather than Windows Integrated Authentication, is chosen, the installation process (or, after installation, the Commerce Server Manager) saves an obfuscated form of the password in a registry key for which the 'users' group has read permission. Cerrudo implies that reversing the password's obfuscation is not a complex task, and his advisory explains another way that less privileged users can extract the SQL Server administrator account password. Once armed with that password, a less privileged user could wreak havoc on the database.

Cerrudo's advisory outlines Microsoft's response to his divulging this problem and describes a couple of possible workarounds as he says Microsoft will not be 'fixing' the issue.

Archived Full-Disclosure list message - netsys.com
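The condition Cerrudo describes (a credential-bearing registry key readable by the 'users' group) is something an administrator can audit directly. The PowerShell below is an added example, not code from Cerrudo's advisory or from this newsletter: it reads a key's ACL and reports any Allow entry that grants value-read rights to a broad identity such as BUILTIN\Users. The key path is a placeholder because the newsletter does not name the actual key; substitute the path given in the advisory. The script never reads the stored value itself, only the permissions on it.

```powershell
# Added example (not from the advisory or this newsletter): audit a registry key
# for value-read access granted to broad local identities.
# PLACEHOLDER key path: replace with the key named in the actual advisory.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_PRODUCT'
)

function Test-RegistryKeyBroadlyReadable {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path"
        return $null
    }

    # Get-Acl on a registry provider path returns a RegistrySecurity object whose
    # Access property lists RegistryAccessRule entries.
    $acl = Get-Acl -Path $Path

    # Identities that effectively mean "any logged-on local user".
    $broadIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

    # QueryValues is the specific right needed to read a value stored under the key.
    $queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues

    $findings = foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        $canQuery = ($ace.RegistryRights -band $queryValues) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canQuery -and ($broadIdentities -contains $identity)) {
            [pscustomobject]@{
                Key       = $Path
                Identity  = $identity
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # inherited ACEs point at a parent key to fix
            }
        }
    }
    return $findings
}

$result = Test-RegistryKeyBroadlyReadable -Path $KeyPath
if ($result) {
    $result | Format-Table -AutoSize
    Write-Host "Broad read access found on $KeyPath; any local user can read values stored here."
} else {
    Write-Host "No broad read access found on $KeyPath."
}
```

Run it from an elevated PowerShell session so the ACL itself can be read. A finding with Inherited set to True means the permission comes from a parent key, so tightening the ACL on the child alone will not hold. As the item above notes, the obfuscated password is written only when SQL Server Authentication is selected, so choosing Windows Integrated Authentication avoids storing a SQL password under that key in the first place.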

* More holes in Passport

Further concerns for the security of Microsoft's online identity management service Passport were raised this week. Following the May disclosure by Pakistani security researcher Muhammad Faisal Rauf Danka that anyone who knew the user name associated with a Passport account could reset the password for that account, self-described security researcher Victor Manuel Alvarez Castro has revealed that 'older' Passport accounts may still be vulnerable to a similarly trivial password reset flaw. The affected 'older' accounts are those created before the 'secret question' option was added to the Passport account management process about two years ago. This flaw allows anyone who knows the e-mail address associated with a Passport account to have its password sent to any e-mail address.

Another Passport Flaw Reported - pcworld.com
