IDGNet Virus & Security Watch Friday 27 June 2003


This issue's topics:

Introduction:

* Windows Media Player & Server, PDF viewer updates, yet another Sobig

Virus News:

* New Sobig variant zips onto the scene...

* Downloader uses fake 'Windows Update' site, recent IE vulnerability

Security News:

* Windows Media Player 9 Series privacy patch

* Windows Media Services for Windows 2000 Server patched again

* More scripting grief in Internet Explorer

* Windows 2000 Service Pack 4 released

* SurfControl for ISA Server directory traversal flaw

* Insecure URL linking in PDF viewers may execute shell commands


Seems I spoke too soon last week in voicing optimism that the virus writer or writers behind the Sobig family of mass-mailers might be showing signs of fading away. The fifth variant in the family was released less than 48 hours ago, and it contains an interesting trick presumably designed to improve its chances of gaining widespread distribution soon after launch (once virus scanners are updated to detect a new mass-mailer, large-scale spreading through massive corporate address lists and the like is almost certain to be prevented). Aside from the Sobig story, a recent downloader that uses a recently patched IE security flaw not previously seen in malware to help it on its way is also described in our virus news section.

On the security front, Windows administrators with users of Windows Media Player 9 Series products may be busy installing the latest security patch for that product range. Because it is 'just an information leak', Microsoft has downplayed its severity. However, employers aware of possible legal exposure from not patching something now known to raise privacy concerns may consider fixing this more urgent than Microsoft's severity rating suggests. Windows 2000 Server administrators whose machines run Windows Media Services (for providing streaming media) may also be busy patching another buffer overflow that can be remotely exploited to run arbitrary code on affected machines. Less directly security related, but still good to know, is that Service Pack 4 for Windows 2000 has been released.

Windows ISA Server administrators running SurfControl for ISA Server should check the advisory linked later in the security section, as a default configuration option may have left their servers wide open to those who know where (and how) to look. And finally, Unix-ish system admins don't get off entirely: popular PDF viewers for your OSes have problems in their handling of URLs embedded in PDF files, which may result in them running arbitrary shell commands when trying to open such embedded URLs.

Virus News:

* New Sobig variant zips onto the scene...

It seems the hope expressed last week that Sobig's writer was tiring of developing new features was misplaced. Overnight Wednesday (New Zealand time) yet another new variant in one of the most successful families of self-mailing viruses was released, and it contains a twist that just may help it succeed.

However, most of Sobig.E's features are much like those of its forebears. In common with its predecessor variants and most other recently successful mass-mailers, it uses its own built-in SMTP code to send its messages, so it does not depend on the e-mail software on its victims' systems. It also spoofs the apparent sender information for the messages it sends, so simple blocking of mail from a particular sender cannot be used to impede its spread. The message it sends is very simple and 'content neutral', not requiring the recipient to be tempted by offers of particular kinds of content, such as images of popular culture icons, female nudity, free access to pornography, etc, as have been somewhat successful for some previous mass-mailers. Unusually, though in common with some previous Sobig variants, it selects its e-mail Subject: lines from a very short list (two, in fact).

What makes Sobig.E stand out though, and may just give it an edge, is that it sends a copy of itself in a ZIP archive attachment rather than just as an executable (possibly with a funky extension). Sobig.E's e-mail messages carry a ZIP file named '' (although a bug in the virus means this will often appear as 'your_details.zi' when the attachment's name is displayed by a recipient's e-mail client). Other possible filenames are present in its code, but not used.

How might this help Sobig.E?

First, some corporate network administrators exempt ZIP files from their content scanning policies. Odd as this may seem, it is sometimes argued that producing a ZIP file requires an element of technical expertise, and although 'typical users' are increasingly accustomed to handling ZIP files they receive, it is still not common for 'typical users' to create ZIP files to send to others. Thus, 'technical users' with legitimate 'needs' to receive otherwise blocked or delayed content are advised to have such material ZIP-ed and sent to them that way. Further, the extra processing steps at the recipient's end are expected to trigger extra precautions by the recipients of such attachments, though the cynics among us respond 'Yeah, right...' to such claims. Cynicism aside, Windows XP has built-in ZIP handling, and this puts the tools needed to open such attachments into the hands of more and more poorly trained and largely security-naive users.

Second, recent versions of Outlook, and perhaps more importantly the latest service pack for Outlook Express (OE) 6.0, include various e-mail security mechanisms that, among other things, block e-mail users from (directly) accessing e-mail attachments of various file types. The blocked types include all the extensions commonly used by mass-mailing viruses such as Sobig, but do not include ZIP files. Users of these 'secured' versions of Outlook and OE may be less wary of attachments that 'get through' because they have become accustomed to Outlook or OE blocking 'dangerous' file types. Add the increased ease of ZIP handling described in the previous point, and the part of the small business and home user market that has already adopted Windows XP may be ripe for picking by a mechanism such as Sobig.E's ZIP attachment.
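As an added illustration (not code from this newsletter or from any vendor named in it), the following Python script builds a constructed message in the shape described above, a terse body with a ZIP attachment whose displayed name is 'your_details.zi', and then scans it the way a gateway filter should: attachments are identified as ZIP archives by their magic bytes rather than by their extension, and the archive members are checked against an extension list. The blocked-extension list is assumed to be representative of what Outlook and OE block (the page does not enumerate it), and the sender, subject and archive member are all constructed.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions that Outlook / Outlook Express block outright (list assumed
# representative; the newsletter does not enumerate them). ZIP is absent.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def build_sample_message() -> bytes:
    """Constructed message in the shape the text describes: terse body and a
    ZIP attachment whose displayed name has lost its final character."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # Dummy member: a PE-style header prefix, not a real executable.
        zf.writestr("your_details.pif", b"MZ" + b"\0" * 62)
    msg = EmailMessage()
    msg["From"] = "harvested.address@example.com"  # spoofed sender (constructed)
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Re: Details"  # placeholder; the real subjects are not on the page
    msg.set_content("Please see the attached zip file for details.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="octet-stream", filename="your_details.zi")
    return bytes(msg)


def _extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_message(raw: bytes) -> list:
    """Return findings for attachments an extension-only filter would miss.
    ZIPs are recognised by magic bytes, not by name, so the mangled '.zi'
    name (or any renamed archive) is still opened and inspected."""
    findings = []
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        if _extension(filename) in BLOCKED_EXTENSIONS:
            findings.append("%s: blocked extension" % filename)
        if not payload.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if _extension(info.filename) in BLOCKED_EXTENSIONS:
                        findings.append("%s: archive member %s is executable"
                                        % (filename, info.filename))
        except zipfile.BadZipFile:
            findings.append("%s: ZIP signature but unreadable archive" % filename)
    return findings


if __name__ == "__main__":
    for line in scan_message(build_sample_message()):
        print(line)
```

Run stand-alone it prints the single finding for the archive member. An extension-only check of the outer filename produces nothing, because '.zi' is on nobody's block list, which is exactly the gap the ZIP trick exploits.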

So, is it the right time for ZIP-ed copies of self-mailing viruses to provide a decisive edge? It is too soon after its release to be sure, however, as of this writing, MessageLabs has seen over 32,000 samples of Sobig.E. That currently places it as the ninth most commonly seen virus in all of June, despite only having been around for approximately 36 hours. Another virus, variously known as Duksten and BogusBear, tried the same trick in early October last year and was not especially successful, but maybe increased uptake of Windows XP since then is enough to swing the balance?

Finally, Sobig.E has another feature in common with other members of its family - a 'drop dead' date, after which it stops spreading by e-mail (but otherwise remains 'active' on its victims' computers). That date is 14 July, so presumably we should expect to see yet another variant released close to that date...

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Downloader uses fake 'Windows Update' site, recent IE vulnerability

Some recent spam warned unwary Windows users that they needed to obtain an urgent security update for their systems. The URL provided in the e-mail ostensibly directed the recipient to Microsoft's 'Windows Update' site, but actually pointed to a bogus site at ''. Visiting that site with a copy of Internet Explorer that had not been patched with the latest IE cumulative security patch (announced a few weeks ago in MS03-020, linked below) would result in 'update0932.exe' being downloaded to the victim's machine and executed without warning, due to the 'File Download Dialog Vulnerability'. update0932.exe was a copy of a downloader that reads a file from another URL and in turn downloads and executes the files pointed to by the URLs listed in that file.

When first investigated, the downloader was obtaining and running a 1.5 MB program that installed an IRC-controlled bot with DDoS agent and warez FTP distribution functions. The 'download locator' file was subsequently changed twice, to point to different IRC-controlled bots that, when run, would connect to IRC control channels and be instructed to download and run the same DDoS and warez bot installer. Both download servers have since been disabled, and the bogus Windows Update site now just displays bandwidth usage statistics.

Exploiting the 'File Download Dialog Vulnerability' is trivial so long as you have web space whose content you control. Given this, it is perhaps surprising that five weeks passed between the public release of exploits for the vulnerability (an archived copy of the first of which, mailed to the Bugtraq mailing list, is linked below) and its use for malware distribution.
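To show the kind of check a mail gateway or user-awareness tool could apply to a lure like this, here is an added Python example that is not from the newsletter or from Microsoft. It parses the links in an HTML message and flags three things: visible link text that looks like a URL but whose host differs from the real target, Microsoft-themed link text that points outside microsoft.com, and links that target an executable directly. The sample message is constructed; the bogus host uses the reserved '.invalid' domain because the page does not name the real one, and 'update0932.exe' is the filename reported above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lure in the shape the text describes. The real bogus host is not
# given on the page; '.invalid' is a reserved TLD that never resolves.
SAMPLE_LURE = """<html><body>
<p>An urgent security update is required for your system. Install it now:</p>
<p><a href="http://update.example.invalid/update0932.exe">http://windowsupdate.microsoft.com/</a></p>
<p>Regards, the Windows Update Team</p>
</body></html>"""

# A constructed benign message for comparison.
SAMPLE_LEGIT = '<p>Get the patch from <a href="http://windowsupdate.microsoft.com/">Windows Update</a>.</p>'

EXECUTABLE_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat")
# Visible text that a reader would take for a URL: optional scheme, a host
# with a dotted TLD, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname; bare 'host/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_microsoft_host(host: str) -> bool:
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def check_links(html: str) -> list:
    """Return human-readable findings for links whose visible text, theme or
    target suggests a 'Windows Update' lure."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # 1. Displayed URL and real destination disagree.
        if URL_LIKE.match(text) and host_of(text) != target:
            findings.append("text shows %s but link goes to %s" % (host_of(text), target))
        # 2. Microsoft branding on a link that leaves Microsoft's domain.
        themed = "microsoft" in text.lower() or "windows update" in text.lower()
        if themed and not is_microsoft_host(target):
            findings.append("Microsoft-themed link points to non-Microsoft host %s" % target)
        # 3. The link hands the reader an executable directly.
        if urlsplit(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append("link targets an executable: %s" % href)
    return findings


if __name__ == "__main__":
    for line in check_links(SAMPLE_LURE):
        print(line)
```

The constructed lure trips all three checks and the benign message none of them. The third check is the one most worth keeping even after MS03-020 is applied, since a direct link to an executable needs no browser flaw at all if the user can be talked into running it.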

Microsoft Security Bulletin MS03-020

Archived Bugtraq list message 321532

F-Secure Security Information Center - zasil_b

Network Associates Virus Information Library (v_100428)

Network Associates Virus Information Library (v_99410)

Symantec Security Response - trojan.b

Symantec Security Response - sdbot.m

Security News:

* Windows Media Player 9 Series privacy patch

Microsoft has released a patch for Windows Media Player (WMP) 9 Series that fixes an information disclosure bug in an ActiveX control installed as part of the product. The ActiveX control is flagged as 'safe for scripting' and, as a result, web pages can access information from the media library on the user's computer. Microsoft rates this a moderate severity vulnerability, but depending on your, or your users', take on personal privacy issues, it may warrant more expeditious treatment than a moderate severity security flaw normally would.

Note that only WMP 9 Series is affected - no earlier versions of WMP still on support display this information disclosure problem.

Microsoft Security Bulletin MS03-021

* Windows Media Services for Windows 2000 Server patched again

Further to last month's Windows Media Services (WMS) patch, announced in the MS03-019 security bulletin, Microsoft has released another patch for this optional Windows 2000 Server service. Unlike the vulnerability announced in MS03-019, however, this vulnerability only exists in the Windows 2000 Server implementation of WMS: NT 4.0 Server systems with WMS installed are not affected so long as the earlier (MS03-019) patch has been applied. Servers running vulnerable versions of WMS can be exploited remotely, with the attacker able to run arbitrary code. A proof-of-concept exploit demonstrating this was released within a day of Microsoft publishing the security bulletin announcing the vulnerability and the availability of the patch.

All Windows 2000 Server versions (Server, Advanced Server and Datacenter Server) are affected. Microsoft rates the vulnerability as being of 'important' severity and recommends that administrators of affected systems obtain and install the patch as soon as practicable. WMS cannot be installed on Windows 2000 Professional.

Note that this patch is not included in the just-released Windows 2000 SP4 (see next item) but can be installed on SP2 through SP4 inclusive.

Microsoft Security Bulletin MS03-022

* More scripting grief in Internet Explorer

A discussion thread on the Bugtraq and Full-Disclosure mailing lists this week suggests there is a remotely exploitable buffer overflow in IE's handling of certain JavaScript constructs. Active discussion of the issue suggests that exploits are being devised, and some sample code has been publicly posted. It may be time to consider disabling JavaScript in IE again. We have linked an archived copy of the message that started the thread in Bugtraq and, as it has been a while, perhaps it is time to post the link to Thor Larholm's 'Unpatched IE Security Holes' page again...

Archived Bugtraq list message 326395

Unpatched IE Security Holes

* Windows 2000 Service Pack 4 released

Service Pack 4 for Windows 2000 has just been released. As well as including all fixes from previous Windows 2000 service packs, SP4 includes all post-SP3 security hotfixes pertinent to the OS up to and including the one announced in MS03-019 (which is itself superseded, for Windows 2000 Server, by the WMS patch announced in MS03-022 - see above). Of course, all manner of non-security patches and feature enhancements are also included.

The 'all-in-one' or 'network install' version of SP4 is a 130 MB download.

Windows 2000 SP4 Now Available

Windows 2000 Service Pack 4 download page

* SurfControl for ISA Server directory traversal flaw

Thomas Adams posted to the Bugtraq mailing list disclosing that the SurfControl Web Filter for Microsoft ISA Server exposes any file on its host server through its web reporting interface. The SurfControl report server has a directory traversal bug that allows anyone with a web browser who knows of, or finds, the server to easily escape the report server's web root. The details of both the exploit and the configuration changes necessary to remove the vulnerability are in Adams' advisory, an archived copy of which is linked below.
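Adams' advisory carries the SurfControl specifics, which are not reproduced on this page, so the following added Python example (not SurfControl's code) shows the general class of bug and its fix instead: a report server that joins a decoded request path onto its document root without canonicalising it, beside a resolver that decodes once, treats backslashes as separators because the host is Windows, normalises the result and rejects anything that does not stay under the root. The document root and the request paths are constructed for the example, and posixpath is used throughout so it behaves the same on Windows and Unix.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root of a report server (constructed for the example).
WEB_ROOT = "/srv/reports"


def resolve_unsafe(web_root: str, request_path: str) -> str:
    """The flawed pattern: decode, strip the leading slash and join. Nothing
    stops '..' segments (plain or percent-encoded) climbing out of the root;
    the returned path is what the server would open."""
    return posixpath.join(web_root, unquote(request_path).lstrip("/"))


def resolve_safe(web_root: str, request_path: str):
    """Decode once, treat backslashes as separators (the host is Windows),
    reject NUL bytes, canonicalise, then require the result to remain under
    the root. Returns the filesystem path, or None when the request is
    rejected."""
    decoded = unquote(request_path)
    if "\0" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    root = posixpath.normpath(web_root)
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests: one legitimate, three traversal attempts using plain,
# percent-encoded and backslash separators respectively.
REQUESTS = [
    "/daily/summary.html",
    "/../../../winnt/win.ini",
    "/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini",
    "/daily/..%5c..%5c..%5c..%5cwinnt%5cwin.ini",
]


def compare(web_root: str = WEB_ROOT, requests=REQUESTS) -> list:
    """Return (request, unsafe_result, safe_result) triples for inspection."""
    return [(r, resolve_unsafe(web_root, r), resolve_safe(web_root, r)) for r in requests]


if __name__ == "__main__":
    for request, unsafe, safe in compare():
        print("%-45s unsafe=%-45s safe=%s" % (request, unsafe, safe))
```

The unsafe resolver happily returns paths such as '/srv/reports/../../../winnt/win.ini', which the filesystem resolves outside the root; the safe one returns None for all three attack requests and the root itself for a bare '/'. Note that the check is made on the normalised string, not on the decoded input, so it is indifferent to how the '..' segments were encoded.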

Archived Bugtraq list message 325896

* Insecure URL linking in PDF viewers may execute shell commands

Someone using an anonymous e-mail account has posted a leaked CERT advisory to the Full-Disclosure security mailing list. The advisory describes inadequate (or entirely absent) shell escaping in popular Unix-based PDF viewers, which can lead to execution of arbitrary shell commands when URLs embedded in a PDF are clicked. The leaked advisory only specifically mentions Adobe Acrobat Reader 5.06 and Xpdf 1.01, but other PDF viewers with 'clickable' URL support may also be vulnerable.

Although CERT has not released a full advisory on this issue, it has published a 'Vulnerability Note' briefly describing the flaw. That note also lists the stated vulnerability position of various developers known to produce or ship PDF viewing software. Some vendors have already shipped, or are close to shipping, updates that address the problem - for example, Adobe Acrobat 5.07 is available for affected platforms.

Note that Windows, Mac OS 9.x and OS X platforms are not affected as this vulnerability depends on the viewer program passing text from the URL 'link' to an OS shell, which is not commonly done on Windows and Mac systems.
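As an added example of the flaw and its fix (not code from the leaked advisory, from Adobe or from the Xpdf project), the Python below builds the viewer's browser launch two ways. The unsafe version interpolates the URL into a command line for /bin/sh, so a single quote in the link text ends the quoting and the remainder runs as shell commands; the safe version checks the URL scheme against an allow-list and execs the browser with the URL as a single argv element, with no shell involved. 'echo' stands in for the browser so the example is harmless and shows what the browser would have received; the crafted URL is constructed, and the example runs on Unix-like systems only, which matches the platforms affected.

```python
import subprocess
from urllib.parse import urlsplit

# A hyperlink as it might be embedded in a PDF. The quote and the text after
# it are constructed for this example; the advisory's payload is not on the page.
CRAFTED_URL = "http://www.example.com/paper.pdf'; echo INJECTED; echo '"

# 'echo' stands in for the browser a viewer would launch, so whatever reaches
# the 'browser' is printed instead of opened.
BROWSER = "echo"

ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}


def launch_unsafe(url: str, browser: str = BROWSER) -> str:
    """The flawed pattern: interpolate the URL into a command line and hand it
    to /bin/sh. The single quote in the URL closes the quoting and everything
    after it is executed as further shell commands. Returns captured stdout."""
    cmd = "%s '%s'" % (browser, url)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def url_allowed(url: str) -> bool:
    """Scheme allow-list: even without a shell, a viewer should not hand
    file:, javascript: or other unexpected schemes to a browser."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def launch_safe(url: str, browser: str = BROWSER) -> str:
    """Validate the scheme, then execute the browser directly with the URL as
    a single argv element. No shell parses it, so metacharacters are inert."""
    if not url_allowed(url):
        raise ValueError("refusing URL with disallowed scheme: %r" % url)
    return subprocess.run([browser, url], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe ->", launch_unsafe(CRAFTED_URL).splitlines())
    print("safe   ->", launch_safe(CRAFTED_URL).splitlines())
```

With the unsafe launcher the shell runs three commands and 'INJECTED' appears on its own line; with the safe launcher the stand-in browser prints the whole crafted URL verbatim as one argument. Passing an argv list is the fix the viewers needed; the scheme check is the additional precaution a practitioner would add while there.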

Archived Full-Disclosure list message 010397

Various *NIX PDF readers execute hyperlink embedded commands
