IDGNet Virus & Security Watch Friday 6 June 2003



* Critical IE & Yahoo! client updates, Sobig.C & Bugbear.B viruses rage

Virus News:

* SoBig can't get round it...

* New Bugbear variant starts its rampage

Security News:

* Yet another cumulative Internet Explorer patch

* MS03-019 severity rating revised

* AdSubtract banner ad blocking software may proxy e-mail/spam

* Yahoo! Audio Conferencing update fixes buffer overflow


Critical cumulative security patches for IE should be nothing new to Windows administrators, and their skills in obtaining, testing and rolling out such patches can be honed again this weekend... Also, the irony of installing banner advertisement blocking software that enables spammers to anonymously relay e-mail through your system cannot be overlooked in the AdSubtract item, and users of Yahoo! Chat and/or Messenger services should be aware there is a critical security-related update available for the Yahoo! client software.

On the virus front, a couple more mass-mailers have been cooking up a storm, with one looking to be the biggest new thing for quite some time.

Virus News:

* SoBig can't get round it...

Yet another Sobig variant, Win32/Sobig.C@mm, has been released. Like its forebears it is a mass-mailer that sends copies of itself to all addresses it can harvest from several common sources of e-mail addresses on its victims' machines, uses a small set of Subject: lines and message bodies, sets itself to run at system startup and tries to spread by copying itself to the Startup directory of other machines visible via Windows networking shares. Unlike its forebears, it spoofs the From: header rather than using a single hard-coded address.

Also like the earlier variants, Sobig.C has a 'drop dead' date, after which it stops spreading. It also tries to download and install additional software (possibly including updated or modified copies of itself) from a web site, and this functionality continues after the 8 June drop dead date if the virus is left active on a machine. Fortunately these 'update sites' have been closed and the web hosting company responsible for them will prevent the re-creation of these sites.

MessageLabs detected significant numbers of Sobig.C in the first few days of June (it was apparently released on 31 May) and it is, as of this writing, the most detected virus at the UK e-mail ASP this month (though by the time you read this, the new Bugbear variant may have outrun it - see next item).

If recent history is anything to go by, on or around 8 June we should see yet another Sobig variant released...

Computer Associates Virus Information Center - Sobig.C

F-Secure Security Information Center - Sobig.C

Kaspersky Lab Virus Encyclopedia - Sobig.C

Network Associates Virus Information Library - Sobig.C

Sophos Virus Info - Sobig.C

Symantec Security Response - Sobig.C

Trend Micro Virus Information Center - Sobig.C

* New Bugbear variant starts its rampage

88,000-plus copies of Bugbear.B had, as of this writing, been intercepted by MessageLabs during the first day of this new Bugbear variant's mass e-mail distribution. Its 'success' seems rather surprising, given that it uses attachment types that any sane system administrator will have been blocking outright for quite some time now. As well as mass-mailing itself to all addresses found in several locations on the victims' machines, Bugbear.B copies itself to Windows startup folders on network shares. Bugbear.B's e-mail messages are highly variable, being composed of text randomly selected from text and document files or other e-mail messages on the victim machine. It also spoofs the From: address, and its attachment names are randomly constructed from combinations of words and filenames found on the victim machine and word and extension lists carried inside its own code.

Aside from its self-mailing and network share-crawling infection modes, Bugbear.B is also a parasitic executable infector, albeit somewhat choosy about the programs it will infect. The virus contains a list of executable filenames that consists of the main program files of many popular and widely used applications (KaZaA, Acrobat, Internet Explorer, MSN Messenger, Cute FTP, and so on). It looks for these, and some guaranteed Windows system files (such as 'regedit.exe') under the '\Program Files' and Windows installation directories of its direct victims and of machines located in its share-crawling infection mode.

This infection process is polymorphic, meaning that if multiple copies of a host file are infected, each resulting infected file will be different. This may prevent some e-mail blocking systems, which rely on the checksums of known mass-mailer samples to block their attachments, from reliably detecting and blocking the virus' entry through e-mail: a checksum taken from one infected attachment will not match the next one.
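The point above about checksum-based blocking applies to both mass-mailers in this issue. The following added example (not code from the newsletter or from any of the vendors linked here) applies two policies to constructed messages: a hash blacklist of known samples, and a blanket block on executable attachment types. The sample payloads and the extension list are assumptions; Bugbear.B's own internal extension list is not reproduced.

```python
"""Hash-based versus extension-based attachment blocking.

Added example. The attachments below are constructed stand-ins: two
different byte strings sharing one filename model the varying output
of a polymorphic infector. The extension list is a generic
2003-era 'dangerous types' list, an assumption rather than any
particular virus's own list.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Assumption: a typical blanket-block list for executable attachment types.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "vbs"}


def build_message(sender, subject, filename, payload):
    """Construct a test message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("see attached")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def attachments(raw):
    """Yield (filename, decoded bytes) for each attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        yield part.get_filename() or "", part.get_payload(decode=True)


def blocked_by_hash(raw, known_hashes):
    """Block only if an attachment's SHA-256 matches a known sample."""
    return any(hashlib.sha256(data).hexdigest() in known_hashes
               for _, data in attachments(raw))


def blocked_by_extension(raw, blocked=BLOCKED_EXTENSIONS):
    """Block if the final extension of any attachment name is on the list;
    'Report.doc.scr' is judged by 'scr', so double extensions do not help."""
    for name, _ in attachments(raw):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in blocked:
            return True
    return False


# Constructed samples: same name, two different bodies (polymorphic output).
SAMPLE_A = b"MZ" + b"\x90" * 64 + b"variant-a"
SAMPLE_B = b"MZ" + b"\x90" * 64 + b"variant-b"
KNOWN_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}  # only variant A was ever seen

MESSAGES = {
    "known":   build_message("boss@example.com", "report", "Report.doc.scr", SAMPLE_A),
    "variant": build_message("boss@example.com", "report", "Report.doc.scr", SAMPLE_B),
    "benign":  build_message("alice@example.com", "notes", "notes.txt", b"hello"),
}


def evaluate(messages=MESSAGES, known=KNOWN_HASHES):
    """Return each message's verdict under both policies."""
    return {name: {"hash": blocked_by_hash(raw, known),
                   "ext": blocked_by_extension(raw)}
            for name, raw in messages.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(name, verdict)
```

The unseen variant slips past the hash blacklist but not the extension block, which is the newsletter's point: against a self-modifying infector, the blanket rule is the reliable one, and the hash list is at best a supplement.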

Computer Associates Virus Information Center - Bugbear.B

F-Secure Security Information Center - Bugbear.B

Kaspersky Lab Virus Encyclopedia - Bugbear.B

Network Associates Virus Information Library - Bugbear.B

Sophos Virus Info - Bugbear.B

Symantec Security Response - Bugbear.B

Trend Micro Virus Information Center - Bugbear.B

Security News:

* Yet another cumulative Internet Explorer patch

Aside from being released just 43 days after the previous cumulative IE patch (MS03-015), this one may be notable for technically being the first publicly released security patch for Windows Server 2003.

As usual, apart from including all security patches since the appropriate release or service pack level of IE, this patch includes fixes for some newly discovered security flaws in IE. One of these vulnerabilities is a buffer overflow in the code that checks type properties for HTML embedded objects - this can be exploited to run arbitrary code of an attacker's choice. The other is a failure of the file download restrictions check, which can also be exploited to execute arbitrary code of an attacker's choice.

The first vulnerability is described in detail in the eEye Digital Security advisory linked below. The second vulnerability may have been discovered separately by several security researchers. For example, discussion threads in a couple of popular computer security mailing lists about three weeks ago described the flooding attack against the download dialog handler in IE, wherein specially crafted web pages or possibly even HTML e-mail messages could cause a program to be executed. It appeared, according to those analyses, that once 'enough' of IE's 'run from current location, save, or cancel' download warning dialogs were displayed and left awaiting input (a button push indicating the user's decision), the next attempt to 'download' a file would result in it silently being accepted for download _and execution_ without presenting the relevant and expected download option dialog to the user. This latest patch seems to fix that problem (at least as indicated by the proof of concept samples from that discussion), and the description of the flaw in the Microsoft security bulletin sounds like the same problem. An archived copy of the post kicking off the more detailed thread discussing this problem in the Bugtraq mailing list is also linked below.

Microsoft rightly rates both vulnerabilities as being of 'critical' severity. Well, that is unless you are running IE on Windows Server 2003 with its default 'Enhanced Security Configuration'. In that case Microsoft claims neither vulnerability is exploitable and rates the severity of the vulnerabilities as 'moderate'. This is because virtually all of IE's functionality, apart from its HTML rendering, is disabled under the Enhanced Security Configuration. Windows Server 2003 administrators are still urged to install the patch, however, for as soon as the Enhanced Security Configuration becomes unbearable and is disabled (for example, almost surely on Windows Server 2003 Terminal Server setups), IE faces the world with two critical security vulnerabilities.

Internet Explorer Object Type Property Overflow -

Archived Bugtraq message thread -

Microsoft Security Bulletin MS03-020

* MS03-019 severity rating revised

Last week we questioned whether the 'moderate' severity rating of the vulnerability described in the MS03-019 security bulletin was sufficient. Although the affected software, Windows Media Services, is not installed or enabled by default, a rating of 'moderate' seemed on the light side for any remotely exploitable arbitrary code execution vulnerability. But, there was conflicting information about whether the reported vulnerability could, in fact, be exploited to run arbitrary code.

Microsoft's own e-mailed announcement of the security bulletin's release suggested that the vulnerability could be exploited thus, as did some independent security researchers. However, the official security bulletin posted on the TechNet Security web site listed denial of service as the most severe outcome of exploiting the vulnerability.

The bulletin has been revised to clarify that remote execution of arbitrary code is, indeed, a possible outcome of exploitation, and the severity rating has been raised to 'important'. Note that only the bulletin has been revised - the patch itself is unchanged, so those who have already taken the precaution of installing the patch need not worry.

Microsoft Security Bulletin MS03-019

* AdSubtract banner ad blocking software may proxy e-mail/spam

Security researchers at LURHQ Corporation discovered that AdSubtract - one of the more popular banner advertisement blocking programs - can be used to anonymously relay e-mail, and therefore spam. LURHQ claims to have sent details of the problem to the AdSubtract developers in early May. After neither receiving any acknowledgement of this problem nor seeing the vendor release an updated and fixed version of AdSubtract in the ensuing month, LURHQ has decided to publicize the problem.

LURHQ recommends that AdSubtract users connected directly to the Internet uninstall the software and possibly look for an alternative ad-blocking program. More details of the nature of the vulnerability and how to exploit it are in the LURHQ security advisory linked below.
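The practical question for anyone running an ad-blocking proxy on an Internet-facing machine is whether it will tunnel outsiders' connections to port 25. The following added example (not the newsletter's code and not taken from the LURHQ advisory, whose specifics are not reproduced on this page) is a generic open-proxy check: it sends an HTTP CONNECT for an SMTP port and reports whether the proxy agrees. It assumes a CONNECT-capable HTTP proxy, which may or may not match the AdSubtract mechanism. A constructed localhost stand-in proxy, with a permissive and a corrected ACL, lets it run offline.

```python
"""Does this proxy tunnel CONNECT requests to SMTP?

Added example. proxy_tunnels_to() is the check you would point at a real
proxy; fake_proxy() is a constructed stand-in so the check can be run
offline against a weak ACL and a corrected one. The assumption that the
proxy speaks HTTP CONNECT is generic and not AdSubtract-specific.
"""
import socket
import threading


def proxy_tunnels_to(proxy_host, proxy_port, target_host, target_port=25, timeout=5.0):
    """Return True if the proxy answers CONNECT host:port with a 2xx status."""
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n")
    reply = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        while b"\r\n" not in reply:          # read up to the end of the status line
            chunk = s.recv(512)
            if not chunk:
                break
            reply += chunk
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].startswith("2")


def connect_allowed(target_port, allowed_ports=frozenset({443})):
    """The ACL a proxy should apply to CONNECT: TLS ports only, never SMTP."""
    return target_port in allowed_ports


def fake_proxy(allowed_ports):
    """Constructed localhost proxy that serves one CONNECT and applies the ACL.
    Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(1024).decode("ascii", "replace")
            try:                            # "CONNECT host:port HTTP/1.0"
                port = int(data.split()[1].rsplit(":", 1)[1])
            except (IndexError, ValueError):
                port = -1
            if connect_allowed(port, allowed_ports):
                conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
            else:
                conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run the check against a weak ACL and the corrected one."""
    permissive = fake_proxy(frozenset({25, 443}))   # weak: relays SMTP for anyone
    strict = fake_proxy(frozenset({443}))           # corrected: HTTPS tunnels only
    return {
        "permissive_relays_smtp": proxy_tunnels_to("127.0.0.1", permissive, "mail.example.com", 25),
        "strict_relays_smtp": proxy_tunnels_to("127.0.0.1", strict, "mail.example.com", 25),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real proxy, run the check from a second machine: a proxy that only binds to localhost is a much smaller problem than one that answers CONNECT from the Internet, and the difference is exactly what LURHQ's "connected directly to the Internet" qualifier is about.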

AdSubtract Proxy ACL Bypass Vulnerability -

* Yahoo! Audio Conferencing update fixes buffer overflow

The ActiveX control that implements Yahoo! Audio Conferencing in Yahoo! Chat and Yahoo! Messenger has an exploitable buffer overflow that can be used to execute arbitrary code on a victim's machine. Security researcher Cesar Cerrudo reported the issue, and Yahoo!'s release of a fix for it, to the Full-Disclosure security mailing list. Users of affected Yahoo! Chat and Messenger client software should already have received a warning that an update is available, or will the next time they log into the appropriate network services.

Archived Full-Disclosure list message -
