IDGNet Virus & Security Watch Friday 20 June 2003


Introduction:

* IIS, Linux-PAM updates, new Sobig variant

Virus News:

* Better never, but late it is

* BBC's Bill Thompson on MSAV 2.0

Security News:

* IIS change password functionality (ISM.DLL) replaced with ASP

* Free ASP.NET application security guidelines e-book available

* Linux-PAM may surrender root

* Legal consequences of weak IT security

Introduction:

It has been another relatively quiet week, although Linux administrators using PAM (Pluggable Authentication Module) have to check they are not vulnerable to a worrying local root privilege escalation possible in some non-default system configurations. Also, administrators of IIS 4.0 or 5.0 systems using the supplied 'change password' functionality are advised to look at upgrading to the new change password ASP and to remove the existing ISM.DLL version of the functionality. The other items in the security section are more of a news or informational nature, covering the release of Microsoft's view of best practice in securing ASP.NET web sites and applications and a story from the US emphasizing why doing so is likely to become increasingly important.

On the virus front the latest Sobig variant has arrived, late and making less of a splash than its forebears. We also link to some further interesting commentary on Microsoft's move into the antivirus market.

Virus News:

* Better never, but late it is

A couple of weeks ago we reported that Sobig.C's 'drop dead' date was close. Hardcoded to stop spreading via e-mail on 8 June, the expectation was that, as when its forebears hit their drop dead dates, a new variant would be released. Much as we would all prefer that no new variants were released at all, the appearance of Sobig.D has been slightly delayed, with interception of the first samples being reported late this Wednesday evening (New Zealand time).

As seen in one or more of its forebears, Sobig.D spreads via e-mail as an attachment with a name randomly selected from a short list in the virus' code and with a .PIF, .SCR or .PI extension. The virus spoofs the addresses its messages are apparently from, choosing an address from among those it has harvested from the victim's machine or using 'admin@support.com'. E-mails carrying the virus will have a Subject: line randomly selected from another list. It also spreads by enumerating Windows network shares and trying to copy itself to two common 'startup folder' locations - some reports suggest that, as in some other LAN crawling viruses, this process does not care about the type of share it targets and may cause huge paper wastage when it copies itself to network-shared printers.

Also like its forebears, Sobig.D has a drop dead date programmed in. It will stop trying to spread by e-mail on 2 July this year. Relative to the previous variants in its family, Sobig.D shows a lack of 'innovation'. The hopeful among us may see this as an indication that Sobig's writer is losing interest and if so, perhaps this will be the last of the line?

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* BBC's Bill Thompson on MSAV 2.0

BBC computer commentator Bill Thompson has some interesting further comments on Microsoft's purchase of the RAV antivirus line from Romanian firm GeCAD.

How far do you trust Microsoft? - bbc.co.uk

Security News:

* IIS change password functionality (ISM.DLL) replaced with ASP

Microsoft describes the new package as providing greater defence in depth, and highly recommends that IIS 4.0 and 5.0 administrators using the change password functionality provided in those versions by ISM.DLL download and install the ASP implementation of this functionality it has just released. This is the same change password functionality used in later IIS versions. Its security advantage is that, as an ASP, it runs with lower privileges, so any compromise of this functionality results in less of a security exposure (ISM.DLL runs in the local system security context, meaning any compromise gives the attacker full control of the host). Non-security advantages include that the change password page can be customized under the ASP implementation. This ASP package has been tested and approved for use with Outlook Web Access (OWA) running on Exchange versions 5.5 and 2000.

IIS: Change Password Replaced with Active Server Page - microsoft.com

* Free ASP.NET application security guidelines e-book available

Microsoft's latest 'Patterns and Practice' guide focuses on the burgeoning field of web application security with a specific focus on ASP.NET-based applications and sites. Titled 'Improving Web Application Security: Threats and Countermeasures', the guide is a 900+ page PDF covering significant aspects of web site and database security, security-sensitive coding techniques and much more.

Given the price - free, or as close to it as a 5.8 MB download can be - it represents great value for money for anyone considering, or already developing and/or maintaining, ASP.NET sites. However, some of the checklists and 'how to' sections may be of more general interest. For example, the checklists for securing web and database servers and for securing your network, and sections on hardening the TCP/IP stack on Windows servers, the use of Microsoft's IISLockdown and URLScan tools, and on patch management, may be of use to a broader audience.

The page linked below contains an overview of its contents and a download link for the guide. Note that although the actual download is an executable, it is a self-extracting ZIP archive and should be easily unpacked by any good 'unzip' utility if you prefer not running unknown executables.

Improving Web Application Security home page - microsoft.com

* Linux-PAM may surrender root

Researchers at iDefense have discovered that the pam_wheel module of Linux-PAM (Pluggable Authentication Module) uses 'getlogin' insecurely. Under specific non-default configurations, a non-privileged user can easily gain root privileges. The necessary configuration includes that the wheel group must be configured to trust a suid root application (it is not uncommon for su(1) to be configured thus) and the use_uid option must not be enabled (this is not the default in most Linux-PAM distributions). The full security advisory outlining this issue and describing workarounds and code fixes should be consulted to determine whether your configuration is vulnerable and to decide the most appropriate fix should any be necessary.
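As an added illustration (not from the newsletter, iDefense or the Linux-PAM project), the script below audits a PAM service file for the risky combination described above: a pam_wheel line carrying the 'trust' option without 'use_uid'. The sample service files it creates are constructed for the demonstration; 'trust' and 'use_uid' are real pam_wheel options.

```shell
#!/bin/sh
# Added example: flag pam_wheel lines that have 'trust' but not 'use_uid'.
# With use_uid, pam_wheel identifies the caller by real uid rather than
# via getlogin(), which is the behaviour the advisory recommends.

# Return 0 if the given PAM service file looks OK, 1 if a risky line is found.
check_pam_wheel() {
    file="$1"
    risky=0
    while IFS= read -r line; do
        # skip comments and blank lines
        case "$line" in
            '#'*|'') continue ;;
        esac
        # only pam_wheel.so lines are of interest
        case "$line" in
            *pam_wheel.so*) ;;
            *) continue ;;
        esac
        case "$line" in
            *trust*)
                case "$line" in
                    *use_uid*) ;;   # trust + use_uid: caller identified by uid
                    *) echo "RISKY: $file: $line"; risky=1 ;;
                esac ;;
        esac
    done < "$file"
    return $risky
}

# Constructed sample service files (weak and corrected) for the demo.
TMPD=$(mktemp -d)
cat > "$TMPD/su.weak" <<'EOF'
# constructed example of the weak configuration
auth  sufficient  pam_wheel.so trust
auth  required    pam_unix.so
EOF
cat > "$TMPD/su.fixed" <<'EOF'
# constructed example of the corrected configuration
auth  sufficient  pam_wheel.so trust use_uid
auth  required    pam_unix.so
EOF

for f in "$TMPD/su.weak" "$TMPD/su.fixed"; do
    if check_pam_wheel "$f"; then echo "OK: $f"; fi
done
```

To audit a live system, point check_pam_wheel at the service files under /etc/pam.d that use pam_wheel (typically su) and review any line it reports.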

Linux-PAM getlogin() Spoofing Vulnerability - idefense.com

* Legal consequences of weak IT security

Although specifically pertaining to US jurisdictions, a recent settlement between the Federal Trade Commission (FTC) and clothing marketer Guess suggests that failing to take 'reasonable or appropriate measures' to protect your customers from exposure, information theft and the like through hacking and related computer security failures is not only actionable, but increasingly likely to be prosecuted.

The FTC press release outlining its settlement with Guess also includes a link to its computer security fact sheet for business, 'Security Check: Reducing Risks to your Computer Systems'. The fact sheet points out useful computer security resources businesses unsure where to start should consult.

Guess Settles FTC Security Charges - ftc.gov
