IDGNet Virus & Security Watch Friday 30 May 2003


This issue's topics:

Introduction:

* IIS, Windows Media Services, GoldMine, Apache, Axis camera patches

Virus News:

* VirusWriting-101

Security News:

* IIS cumulative patch includes four new fixes

* Windows Media Services patched; is it DoS or arbitrary code execution?

* MS03-007 revised

* MS03-013 revised

* GoldMine e-mail client has arbitrary code execution flaws

* Apache 2.0.46 fixes two vulnerabilities

* Updates fix authentication bypass in Axis Network Cameras

Introduction:

Critical IIS, Windows Media Services, GoldMine Business Contact Manager and Apache web server updates are in the offing this week, as are further patches for the ntdll.dll flaws for the NT 4.0 and Windows XP OSes (MS03-007). Also, the performance problems induced by installing MS03-013 on XP SP1 are reportedly resolved with the re-issue of that patch.

From the newsletter compiler's perspective, perhaps the biggest story of the week is the announcement that the University of Calgary is to teach a 'Computer Viruses and Malware' course that includes laboratory sessions and assignments that engage the students in writing malware. The antivirus industry has spent most of its life fighting the oft-made claim that the industry itself, or more specifically its technical employees, are responsible for driving the industry's growth by writing and distributing viruses so there would be something for the industry to do. Such moves by apparently distant and ill-informed academia to strengthen the public's perception of that so far quite bogus link are unlikely to go down well in the antivirus industry.

Virus News:

* VirusWriting-101

As if the world needs any more viruses or virus writers, the University of Calgary in Alberta, Canada is proposing running a 'Computer Viruses and Malware' course in which the 'assignments will involve creating malware under controlled lab conditions'.

This has, not surprisingly, stirred up quite some controversy with mainstream antivirus researchers voicing strident opposition. To date the justifications provided by the course teacher and his faculty seem shallow and distant from the experiences of those who have worked in the antivirus industry for any length of time. Extending just one of the analogical arguments that have been proposed to justify teaching the actual writing of viruses, it seems the University of Calgary Computer Science department should believe the world would be better off if police were taught not just how and why murders are committed but actually had to engage in a few before being given their badges.

A sampling of what has been written and said on this is linked below.

Computer Science 599.48 course prescription - ucalgary.ca

Computer Viruses and Malware - ucalgary.ca

Computer viruses - a viral approach - ucalgary.ca

Viruses 101: U of C to teach secrets of cybercrime - Edmonton Journal online

University of Calgary to Offer Virus-Writing Class - eweek.com

Virus-Writing Course Stirs Controversy - ziffdavis.com

Calgary should encourage security rather than diminish it - vmyths.com

Security News:

* IIS cumulative patch includes four new fixes

Microsoft has released a new cumulative patch for IIS versions 4.0, 5.0 and 5.1. As well as including all previous patches since the appropriate service pack, patches for four additional vulnerabilities are included. These vulnerabilities include a cross-site scripting problem affecting all versions of IIS this patch applies to, a buffer overflow in IIS 5.0 that can allow arbitrary code to run in a user-level security context, a denial of service (DoS) affecting IIS 4.0 and 5.0 that can cause the IIS service to fail, and another DoS in 5.0 and 5.1 whose effect should be ameliorated by the service recovering by automatically shutting down and restarting.

IIS 6.0 is not affected by any of these vulnerabilities. As the remote code execution buffer overflow only allows running code in a relatively constrained security context, the overall severity rating is set at 'moderate' for IIS 4.0 and 'important' for IIS 5.0 and 5.1.

Microsoft Security Bulletin MS03-018

* Windows Media Services patched; is it DoS or arbitrary code execution?

Confusion reigns over this one. The e-mail announcement of this patch, sent by the Microsoft Security Notification Service, listed the impact of this vulnerability as 'Allow an attacker to execute code of their choice', but the text of the e-mail and the full, 'official' security bulletin announcement on the TechNet Security site (linked below) only mention denial of service, and thus rate the vulnerability as being of 'moderate' severity.

Marc Maiffret of eEye Digital Security, however, claims that remote arbitrary code execution is not only possible but has been demonstrated. Further, he claimed (in a message posted to the NTBugtraq mailing list, also linked below) that both his company's researchers and Brett Moore, who originally reported the discovery to Microsoft, have demonstrated the viability of such exploitation.

As Windows Media Services 4.1 (WMS) is not installed and enabled by default on affected versions of Windows (NT 4.0 Server and all Windows 2000 server versions), this is unlikely to be a very widespread exposure. However, administrators of such machines that have WMS 4.1 installed should check the advisory carefully and consider Maiffret's warning.

Archived NTBugtraq list message (6918) - ntbugtraq.com

Microsoft Security Bulletin MS03-019

* MS03-007 revised

The vulnerability in core OS component ntdll.dll, patched in Windows 2000 in the original release of the MS03-007 security bulletin, has now been shown to be present in both NT 4.0 and Windows XP. Microsoft has revised the security bulletin to reflect this and to announce the availability of patches for both those OSes.

Recall that this is a critical vulnerability. Also recall that the initial focus on its remote exploitation via WebDAV on Windows 2000 machines running IIS tended to deflect people from its full significance. The real flaw is in a core OS component and it has been shown that this flaw is highly likely to be capable of local exploitation to obtain elevated privileges. Considering this, Microsoft's 'important' severity rating (apart from on Windows 2000 systems) may understate the significance of the flaw.

Microsoft Security Bulletin MS03-007

* MS03-013 revised

An updated patch for this 'important' (or 'critical' if you have less than 'friendly' users) severity patch has been released for Windows XP SP1 users. Readers may recall (or even have experienced) that severe performance degradation issues have been reported after installing the original version of this patch on XP SP1 machines. Administrators of XP SP1 machines who have delayed installing this security patch because of these performance issues should consider testing the revised patch.

Microsoft Security Bulletin MS03-013

* GoldMine e-mail client has arbitrary code execution flaws

FrontRange's GoldMine Business Contact Manager products include e-mail client functionality which depends on Internet Explorer for its message display capabilities, much as Outlook and Outlook Express do. Unlike the Microsoft e-mail clients though, the GoldMine client does not coordinate with Internet Explorer's security zones, opening all e-mail messages as local files. Thus IE treats all e-mail messages displayed in GoldMine as being in the 'My Computer' security zone which is, by default, almost completely unrestricted - scripts and ActiveX controls run without any warnings, and scripts have full access to any local machine resources through the Windows Scripting Host object model. Thus, all manner of serious nastiness, including all existing 'auto-execute on preview or read' e-mail borne viruses and spamming tricks, will work (depending on the version of IE installed).

FrontRange has released an update for version 6.00 and its 'legacy' 5.70 version to correct this problem.

Archived NTBugtraq list message (7274) - ntbugtraq.com

* Apache 2.0.46 fixes two vulnerabilities

A new release of the Apache web server includes fixes for two security flaws that may expose the popular server to denial of service. A detailed description of one of the flaws, which can be remotely triggered through 'mod_dav' and possibly other mechanisms, is to be released 'on Friday', but of course that is 'Friday somewhere in the USA'... The other flaw can result in a failure of Basic Authentication on platforms that lack 'crypt_r()' and have no thread-safe 'crypt()' function (Mac OS X is one such). A configuration script error in Apache 2.0.40 through 2.0.45 inclusive means that if Apache was built with the threaded MPM option (which is not a default option) on such systems, it would be vulnerable to a denial of service through improperly failed Basic Authentication.

Many other bug fixes and feature enhancements are also included in this release and Apache 2.0 administrators are recommended to update.

Apache 2.0.46 Release Notes - apache.org

* Updates fix authentication bypass in Axis Network Cameras

Axis Network Cameras capture images and transmit them over an IP network, thus allowing various forms of potentially remote monitoring. Further, administration of the cameras is via a built-in web server. CORE Security Technology researchers discovered a trivial method that bypasses the administrator login required to manage the web administration interface and which thus exposes the cameras to hijacking and other surreptitious possibilities.

Affected camera models and firmware versions are listed in the advisory (the first of the links below), as are links to the relevant updates from Axis.

Interestingly, the posting of this advisory uncovered another issue with the Axis cameras, but one that also affects many other products. The domain name 'somewhere.com' is often used as an example in documentation. Annoying as that must be to the real owners of that domain, imagine the e-mail they must get if a product such as a web camera comes pre-configured with user@somewhere.com as the address to regularly e-mail snapshots from the camera. According to Kee Hinckley from somewhere.com, which accepts all e-mail addressed to its domain and archives that addressed to non-existent addresses in the domain, older Axis cameras are pre-configured to send snaps to mail@somewhere.com, and users that simply enable the e-mail option without changing that 'default' address end up sending their snaps to somewhere.com, which currently receives ten to fifteen thousand such images per day.

The correct 'example' domain names to use for testing, documentation and to satisfy 'we must put something there' designs are discussed in RFC 2606, which we've also linked below. (Of course, in general, a design that requires a configuration option that cannot sensibly be known or meaningfully configured ahead of time is a very poor design, but that is a whole different argument...)
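As an added illustration of the RFC 2606 point (this is not code from the newsletter or from Axis), the following audit checks a product's shipped default settings and flags any hostname or e-mail address that is not under one of the names RFC 2606 reserves, so a default left unchanged by a user can never route mail or traffic to a real third party; the camera settings it inspects are constructed for the example.

```python
"""Audit shipped defaults against RFC 2606 reserved names (added example)."""
import re

# RFC 2606 section 2 reserves four top-level names; section 3 reserves
# three second-level domains for use in documentation and examples.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_SLDS = {"example.com", "example.net", "example.org"}

# Loose address shape: non-empty local part, one '@', captured domain part.
ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def is_rfc2606_domain(domain: str) -> bool:
    """True if `domain` is, or lies under, an RFC 2606 reserved name."""
    labels = domain.lower().rstrip(".").split(".")
    if any(not label for label in labels):   # empty string or empty label
        return False
    if labels[-1] in RESERVED_TLDS:           # foo.test, cam1.example, ...
        return True
    # Only the last two labels matter: example.com.evil.net is NOT reserved.
    return len(labels) >= 2 and ".".join(labels[-2:]) in RESERVED_SLDS


def audit_defaults(defaults: dict) -> dict:
    """Return {setting: reason} for every default that names a live domain.

    Values may be e-mail addresses (judged on their domain part) or bare
    hostnames; anything not under a reserved name is a finding.
    """
    findings = {}
    for key, value in defaults.items():
        match = ADDR_RE.match(value)
        domain = match.group(1) if match else value
        if not is_rfc2606_domain(domain):
            findings[key] = f"'{value}' is not under an RFC 2606 reserved name"
    return findings


# Constructed defaults resembling a camera's mail settings (not Axis's).
CAMERA_DEFAULTS = {
    "snapshot_recipient": "mail@somewhere.com",  # real domain: bad default
    "smtp_server": "smtp.example.net",            # reserved SLD: acceptable
    "alert_recipient": "admin@cam1.example",      # under .example TLD: acceptable
}

if __name__ == "__main__":
    for setting, reason in audit_defaults(CAMERA_DEFAULTS).items():
        print(f"{setting}: {reason}")
```

Run against CAMERA_DEFAULTS the audit reports only snapshot_recipient, which is exactly the default the Axis story turns on.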

Archived Bugtraq list messages (322877) - securityfocus.com

Archived Bugtraq list messages (323066) - securityfocus.com

Reserved Top Level DNS Names - rfc-editor.org
