IDGNet Virus & Security Watch Friday 9 May 2003


Introduction:

* WMP, MAILsweeper, Novell NetMail patches; huge Passport hole

Virus News:

* SARS kickin' up computer virus interest?

Security News:

* Windows Media Player patch fixes arbitrary code execution flaw

* Pakistan CERT reveals two Passport password reset flaws

* MAILsweeper patched to beat filtering bypass bugs

* Multiple Novell NetMail vulnerabilities fixed

Introduction:

Windows users should obtain and install the latest critical Windows Media Player (WMP) patch, even if they normally use an alternative media player: the WMP skin flaw is exploitable whenever a vulnerable version of WMP is installed, whether or not WMP is actually used. MAILsweeper and Novell NetMail administrators should also get the latest patches for those products, as several serious flaws are fixed in those updates. The biggest (in)security news of the week may be the two password reset holes in Microsoft's Passport service, just announced by the Pakistan CERT - all Passport users should try to access their accounts, as Microsoft has reportedly locked accounts that appear to have had their passwords reset using the techniques discovered by PakCERT.

The virus front has been quiet again this week, but reports of Win32/Kickin have been ramping up, and it may get some traction over the weekend because of the diverse range of 'topics of interest' it uses in trying to social-engineer recipients of its e-mails into opening them and running the attachment.

Virus News:

* SARS kickin' up computer virus interest?

Another mass-mailing and P2P worm has latched onto the SARS theme in an attempt to improve its spread. Although not (yet) widespread, Win32/Kickin.A@mm (as it is technically known) has triggered enough alert sensors for several antivirus developers to have raised their alert levels on it. One of Kickin's possible messages looks like a multiply-forwarded chain message pleading for others to forward the message because for each forward fifty cents will be donated for SARS vaccine research. Obviously bogus, but such things have worked for many non-malicious chain letters, so why not for a virus?

Aside from the SARS angle, Kickin's writer has been busy. Kickin includes many possible message bodies touching on themes that seem to have been successful in past viruses and self-mailing worms - 'install this security upgrade', 'install this e-mail worm fixer', 'Iraqi war pictures', etc.

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Symantec Security Response

Security News:

* Windows Media Player patch fixes arbitrary code execution flaw

Microsoft has released a patch for a critical severity flaw in Windows Media Player (WMP) 7.1 and 8.0 (better known as 'Windows Media Player for Windows XP'). The flaw is not in the skins themselves, but in the WMP code that handles downloading and installation of skins. A WMP skin download is requested via a URL and insufficient checking is performed on the URL such that a carefully crafted URL can cause the skin download code to place the skin in a fixed, known location. Further, the file that is downloaded need not be a WMP skin file at all.

Combined, these flaws allow an executable (or any other type of file) to be downloaded to a known location. Attackers who can arrange for this to happen might also be able to have that program executed. For example, a skin download might be triggered from a web page or HTML e-mail message sent to the victim, and scripting in that page or message could wait for the download to complete and the file to be copied to the intended location, then attempt to execute it. Because the file can be placed outside the Temporary Internet Files directory tree, running it is not limited by the Internet Zone security restrictions. Another way of having the downloaded file executed would be to target the Windows Startup directory as the location to copy it to.
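The two missing checks described above (the destination derived from the URL must stay inside the skins directory, and the downloaded bytes must actually be a skin) are what a hardened download handler would enforce. The following is an added illustration written for this newsletter, not Microsoft's WMP code; the directory layout, the function names and the assumption that a .wmz skin is a zip container while a .wms skin is XML are all hypothetical.

```python
"""Hardened skin-download handling (added example, not Microsoft's WMP code).

Demonstrates the class of check whose absence MS03-017 describes: a URL may
only select a file name inside the skins directory, and the payload must look
like a skin before it is accepted. All names and formats below are assumptions.
"""
import os
import posixpath
from urllib.parse import urlparse, unquote

# Assumption: skins are .wmz (zip container) or .wms (XML) files.
ALLOWED_EXTENSIONS = {".wmz", ".wms"}
ZIP_MAGIC = b"PK\x03\x04"


class UnsafeSkinDownload(ValueError):
    """Raised when a skin download request fails a safety check."""


def safe_skin_destination(url: str, skins_dir: str) -> str:
    """Return the absolute destination for the skin named by *url*.

    Only the final path component of the URL is used as the file name, and the
    resolved destination must lie inside *skins_dir*; anything else is rejected,
    so the URL cannot steer the file to a fixed location chosen by the sender.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeSkinDownload(f"unsupported scheme: {parsed.scheme!r}")

    # Decode percent-encoding first so '%2e%2e' cannot hide a traversal.
    name = posixpath.basename(unquote(parsed.path))
    if not name or name in (".", ".."):
        raise UnsafeSkinDownload("URL does not name a file")
    if "/" in name or "\\" in name or "\x00" in name:
        raise UnsafeSkinDownload("illegal characters in file name")

    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeSkinDownload(f"not a skin file extension: {ext!r}")

    base = os.path.realpath(skins_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # Containment check: the resolved destination must be under the skins dir.
    if os.path.commonpath([base, dest]) != base:
        raise UnsafeSkinDownload("destination escapes the skins directory")
    return dest


def is_plausible_skin(data: bytes, dest: str) -> bool:
    """Check the payload against the format its extension claims.

    A .wmz must start with the zip signature; a .wms is expected to begin with
    '<'. A Windows executable (MZ header) therefore fails both tests.
    """
    ext = os.path.splitext(dest)[1].lower()
    if ext == ".wmz":
        return data.startswith(ZIP_MAGIC)
    if ext == ".wms":
        return data.lstrip().startswith(b"<")
    return False


def check_skin_request(url: str, data: bytes, skins_dir: str):
    """Return (accepted, reason_or_destination) for a skin download, never raising."""
    try:
        dest = safe_skin_destination(url, skins_dir)
    except UnsafeSkinDownload as exc:
        return False, str(exc)
    if not is_plausible_skin(data, dest):
        return False, "payload does not look like a skin"
    return True, dest


if __name__ == "__main__":
    # Constructed sample requests: one genuine skin, one executable with a
    # skin extension, and one URL that tries to traverse out of the skins dir.
    samples = [
        ("http://example.invalid/skins/cool.wmz", b"PK\x03\x04..."),
        ("http://example.invalid/skins/disguised.wmz", b"MZ\x90\x00..."),
        ("http://example.invalid/%2e%2e/%2e%2e/Startup/x.wmz", b"PK\x03\x04..."),
    ]
    for url, payload in samples:
        print(url, "->", check_skin_request(url, payload, "/tmp/skins"))
```

The traversal case is instructive: because only the last path component is ever used and the result is re-checked for containment, the request is not rejected outright, but the file can only ever land inside the skins directory, which is the property the vulnerable handler lacked.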

Jouko Pynnonen, of Oy Online Solutions Ltd, and 'Jelmer' are credited with reporting this vulnerability to Microsoft. Jelmer has released details of the flaws and how to exploit them. An archived copy of Jelmer's Bugtraq mailing list post describing the flaws and exploits is linked, along with Microsoft's security bulletin, below. Microsoft rightly rates this as a critical security vulnerability, and with the release of the simple exploit details this should be a very high priority patch for all users of affected versions of Windows Media Player. Note that the Windows Media Player 9.0 Series products are not vulnerable and that versions earlier than 7.1 were not tested, as they are no longer supported.

Archived Bugtraq list message - securityfocus.com

Microsoft Security Bulletin MS03-017

* Pakistan CERT reveals two Passport password reset flaws

PakCERT, the Pakistan CERT, has discovered two chronic flaws in the password resetting procedures of Microsoft's Passport service. PakCERT did not release details of how to exploit the problems, but claimed its announcement before Microsoft fixed the problems was necessary as the flaws were being actively exploited, and although it had been warned of the situation Microsoft had not done anything to protect its approximately 40 million Passport users. Within hours of the PakCERT announcement Microsoft had shored up the hole, apparently by the simple expedient of blocking all password resetting functionality, presumably until a more satisfactory fix can be implemented.

Multiple Vulnerabilities found in .Net Passport Services - pakcert.org

* MAILsweeper patched to beat filtering bypass bugs

Users of Clearswift's MAILsweeper product should obtain the latest update (Technology Update Version 1.4.7), as it includes important patches for bugs that could allow inappropriate content to bypass filtering. A few details of the fixes are included in the 'readme' for the release, linked below.

ReadMe for MAILsweeper for SMTP Version 4.3.8 - clearswift.com

* Multiple Novell NetMail vulnerabilities fixed

Novell has released the NetMail 3.1e Update for NetWare which includes many fixes, several of a 'security nature', including the recent OpenSSL remote buffer overflow issues. Many other included patches fix abend and memory leak problems and performance issues with various antivirus and spam filtering interfaces - generally all heavily used components of modern e-mail servers.

A complete list of fixes and links to the updates can be found in the release notes for the update, linked below.

NetMail 3.1e Update for NetWare - novell.com
