IDGNet Virus & Security Watch Thursday 24 April 2003

This issue's topics:

Introduction:

* Sobig implicated in spam; IE, OE patches; MS03-007 for NT 4.0

Virus News:

* New computer virus cashes in on interest in SARS

* Is Sobig virus cause of recent spam increase?

Security News:

* Critical patch for Windows MHTML parser

* Latest IE cumulative patch contains four new fixes

* Update on MS03-013 and MS03-007 patch

* FileMaker password exposure with hosted databases

* Would your staff divulge their passwords for a cheap gift?

Introduction:

Interest in the new human virus SARS is of such magnitude that an enterprising virus writer has tried to cash in on it with the release of Win32/Coronex. This simple mass-mailer is neither interesting nor original and should not get far. Early indications are that it is almost still-born, and any media coverage beyond what you read here is almost certainly unwarranted. Of much more interest on the virus front is the recent suggestion that the continuing, slow spread of Win32/Sobig may be implicated in the recent increase in spam e-mail.

On the security side of things, it has been a quiet week. However, Microsoft's overnight release of cumulative patches for Internet Explorer and Outlook Express means that Windows admins might have a busy weekend ahead after all. NT 4.0 admins may also be busy with the release of the MS03-007 patch for that OS.

Also, on the security front, administrators of systems with FileMaker databases shared across a network should pay special attention to the issues raised in the FileMaker item below. And, would your staff sell out access to the corporate network for a cheap pen? A recent survey suggests the answer may be 'yes'...

Virus News:

* New computer virus cashes in on interest in SARS

Win32/Coronex is a trivial mass-mailing virus that simply spreads itself by e-mailing everyone in its victims' Windows Address Book. It randomly selects one of seven e-mail Subject: lines designed to pique the interest of anyone worried or inquisitive about the biological virus SARS (Severe Acute Respiratory Syndrome). It may also spread via KaZaA and similar P2P file-sharing networks but this is not confirmed. It also changes the Internet Explorer home page to the WHO SARS information page.

Despite having been hyped in some Scandinavian news media, Coronex seems to have a very low incidence - perhaps even well below that of its biological inspiration. As this issue of the newsletter was being posted, MessageLabs had not reported seeing a single copy. All major antivirus products have been updated to detect it, should it get past other, more generic policy enforcement methods (such as blocking e-mails with .EXE file attachments).
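The 'generic policy enforcement' mentioned above is worth showing concretely, since it stops a Coronex-style mass-mailer before any signature update is needed. The following is an added example written for this newsletter item, not code from any of the vendors linked below. It uses Python's standard email library to parse a message, flags attachments whose name carries an executable extension (including double extensions such as report.txt.exe), and goes one step further than an extension check by looking at the attachment's first bytes for the 'MZ' marker that Windows executables begin with, so a renamed .EXE is caught too. The sample messages it builds are constructed here; Coronex's actual Subject: lines and attachment names are not listed on this page.

```python
"""Attachment policy check for a mail gateway (added example, not from the newsletter)."""
import email
from email import policy
from email.message import EmailMessage

# .EXE is the case the newsletter mentions; the rest are the usual companions in an
# executable-attachment policy (assumption, extend to suit your environment).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def executable_extension(filename: str) -> bool:
    """True if any suffix after the first dot is a blocked extension.

    Checking every suffix, not just the last one, catches both 'report.txt.exe'
    and 'report.exe.txt' style names.
    """
    parts = filename.lower().split(".")
    return any("." + p in BLOCKED_EXTENSIONS for p in parts[1:])


def looks_like_pe(data: bytes) -> bool:
    """Windows executables (PE/MZ format) start with the two bytes 'MZ'."""
    return data[:2] == b"MZ"


def check_message(raw: bytes) -> list[str]:
    """Return a list of reasons to block the message; an empty list means it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if executable_extension(name):
            reasons.append(f"blocked extension: {name}")
        elif looks_like_pe(payload):
            reasons.append(f"executable content despite name: {name or '<unnamed>'}")
    return reasons


def build_sample(filename: str, data: bytes) -> bytes:
    """Construct a test message with one attachment (sample data, not a real Coronex mail)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "SARS information"  # constructed; the real subject lines are not on this page
    msg.set_content("See attachment.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# A fake PE header is enough for the magic-byte check; no real executable is needed.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, data in [("sars.exe", FAKE_PE), ("sars_info.txt", FAKE_PE), ("notes.txt", b"hello")]:
        print(name, "->", check_message(build_sample(name, data)) or "pass")
```

On a real gateway the same check_message() would run over each inbound message before delivery; the MZ check is cheap and catches the common trick of renaming the executable, but it is a policy control, not a substitute for keeping antivirus signatures current.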

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

* Is Sobig virus cause of recent spam increase?

Joe Stewart of computer security company LURHQ Corporation has performed a detailed analysis of Win32/Sobig.A and discovered some of its previously hidden dirty little secrets.

Stewart's full analysis can be read at the page linked below. In short, the URL that Sobig polls, apparently for an update or for further programs to install, has occasionally been changed from the bogus URL that many antivirus companies reported when they first analysed the virus on its discovery. From time to time that URL has pointed to a working program which, when run by Sobig, deletes the virus and installs various other things, including a copy of the WinGate proxy server. Some of these proxies, apparently installed and configured by this second stage of Sobig's 'advance', have been implicated in recent increases in spam.

Sobig.a and the Spam You Received Today - lurhq.com

Security News:

* Critical patch for Windows MHTML parser

Although Microsoft describes it as an Outlook Express patch, and technically that is correct, the patch described in the MS03-014 security bulletin should really be considered a 'system' patch. Remember, Outlook Express is part of Internet Explorer and 'the DoJ defense' is that IE is a crucial, integral part of the operating system and not some optional, after-market application for web browsing, e-mail and so on. Thus, even if your users do not use OE as their e-mail or Internet news client, you must keep them up-to-date with OE patches, just as you must keep IE fully patched even if you choose to use a safer web browser.

The key issue with this latest OE patch is the MHTML (MIME Encapsulation of Aggregate HTML) parser's lax handling of security zones combined with its treatment of any file passed to it as MHTML regardless of its true type. Several critical security flaws have been exploitable through these holes in OE's MHTML handler, though some of these were made much harder to exploit due to various changes in the most recent IE patches (MS03-004). The worst case scenario for exploitation of the vulnerabilities fixed by this patch is execution of arbitrary code, so Microsoft rightly rates this as a critical severity update.

As is typical of IE patches, this is a cumulative update including all OE patches since the relevant (IE) service pack. Remember that just because OE itself is not used in your organization, IE and possibly some third-party applications you use will depend on OE's MHTML parsers in certain circumstances. OE versions 5.5 and 6.0 are affected by this vulnerability and patches for those versions are linked from the security bulletin, linked below. OE 5.01 SP3 does not suffer this vulnerability.

Microsoft Security Bulletin MS03-014

* Latest IE cumulative patch contains four new fixes

Microsoft has also released a new cumulative patch for all currently supported IE versions (i.e. for IE 5.01 SP3, 5.5 SP2, and 6.0 Gold and SP1). As usual, this cumulative patch includes all updates since the relevant service pack release, and in this case four new patches. Three of these fix critical severity vulnerabilities whilst the fourth vulnerability is rated as being of moderate severity. Worst case exploits of these new vulnerabilities could allow an attacker to run arbitrary code, and several privacy exposures are also easily leveraged on machines without these patches installed.

Aside from these direct fixes, several other security issues are addressed by this patch. First, the 'kill bit' is set on the 'plugin.ocx' ActiveX control. This prevents the control from being loaded by IE and, because the setting is keyed on the control's CLSID rather than the file, stops it from being reintroduced. Microsoft says that the functionality provided by this control is no longer supported and that the control has known, exploitable vulnerabilities, so it has chosen to 'kill' the control to prevent any possible problems with its use.
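Admins who want to confirm that a kill bit really landed can audit it directly: the mechanism is a 'Compatibility Flags' DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with the 0x400 bit meaning 'never load this control in IE'. The following is an added example written for this item, not Microsoft's tooling. It reads the flag either from a .reg export (so it runs offline against a file collected from a machine) or, on Windows, from the live registry. The newsletter does not give plugin.ocx's CLSID, so the CLSID and the sample export below are placeholders; substitute the real CLSID from the MS03-015 bulletin.

```python
"""Audit the Internet Explorer ActiveX 'kill bit' for a control (added example, not from the newsletter)."""
import re
import sys

KILLBIT = 0x400  # Compatibility Flags bit that stops IE instantiating the control
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Placeholder: the real CLSID of plugin.ocx is not given on this page.
PLUGIN_OCX_CLSID = "{00000000-0000-0000-0000-000000000000}"


def is_killbitted(flags) -> bool:
    """True when the 0x400 bit is set; None (value absent) counts as not kill-bitted."""
    return flags is not None and (flags & KILLBIT) == KILLBIT


def compat_flags_from_reg_export(reg_text: str, clsid: str):
    """Return the 'Compatibility Flags' DWORD for clsid from a .reg export, or None if absent."""
    wanted = ("HKEY_LOCAL_MACHINE\\" + COMPAT_KEY + "\\" + clsid).lower()
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == wanted:
            m = re.match(r'"Compatibility Flags"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                return int(m.group(1), 16)
    return None


def compat_flags_from_registry(clsid: str):
    """Read the flag from the live registry (Windows only); None if the key or value is missing."""
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_KEY + "\\" + clsid) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return value
    except FileNotFoundError:
        return None


# Constructed sample export: one kill-bitted control (our placeholder CLSID) and one that is not.
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\" + COMPAT_KEY + "\\" + PLUGIN_OCX_CLSID + "]\r\n"
    "\"Compatibility Flags\"=dword:00000400\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\" + COMPAT_KEY + "\\{11111111-1111-1111-1111-111111111111}]\r\n"
    "\"Compatibility Flags\"=dword:00000000\r\n"
)

if __name__ == "__main__":
    clsid = sys.argv[1] if len(sys.argv) > 1 else PLUGIN_OCX_CLSID
    if sys.platform == "win32":
        flags = compat_flags_from_registry(clsid)
    else:
        flags = compat_flags_from_reg_export(SAMPLE_REG_EXPORT, clsid)
    print(clsid, "kill bit set" if is_killbitted(flags) else "NOT kill-bitted", flags)
```

When auditing a file produced by 'regedit /e' on the target machine, open it with encoding 'utf-16' before passing the text in; regedit writes its exports in UTF-16, not ASCII.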

Further changes minimizing possible cross domain (particularly Internet security zone to Local Computer security zone) exploits have been introduced. These are a refinement of similar changes that were previously only introduced to IE 6.0 in its SP1 release.

Also, several issues surrounding HTML Help and the viewing of HTML Help files in the web browser are addressed in this patch, by dint of its inclusion of the HTML Help fixes from the MS03-004 cumulative patch. The gory details can be read in the security bulletin. Note that if those changes adversely affected your use of HTML Help after installing the MS03-004 patches, and you subsequently installed the latest HTML Help update (described in Knowledge Base article 811630), you do not have to reinstall that update, as this patch does not reverse it.

Microsoft Security Bulletin MS03-015

* Update on MS03-013 and MS03-007 patch

Last week we discussed the MS03-013 Windows kernel patch. It was released shortly before the newsletter was compiled and as the final checking of the newsletter was being done we received word that the Windows 2000 version of the update included files not mentioned in the file manifest for that update. Further, these 'mystery' files appeared to include files from the MS03-007 'ntdll.dll' patch which was known to cause problems on some SP2 installations. Microsoft revised the MS03-013 bulletin shortly after that - but after the newsletter had been 'put to bed'. The new information explained that the MS03-013 patch for Windows 2000 also superseded MS03-007 and that this was a fixed distribution of that patch, including the file that was missing from the original release and whose absence caused the problems on certain SP2 installations.

While we are speaking of MS03-007, NT 4.0 users should note that the patch for this problem on their systems has now been released. Although no remotely exploitable attacks against the ntdll.dll flaw are known for NT 4.0, local privilege escalation attacks are known, so it should probably be considered a critical severity flaw if you have NT 4.0 machines that allow any form of executable upload and local running (e.g. local user login, Terminal Services, or web hosting with user-writable CGI).

* FileMaker password exposure with hosted databases

When FileMaker shares hosted databases, it sends the database access passwords, in an obfuscated form, to any client that asks to connect to the server. It is the client software that then checks whether the password the user typed matches what the server sent; the server itself never verifies the password. In other words, the secret that is supposed to protect the database is handed to every connecting client before that client has proved anything, and 'obfuscated' is not 'encrypted'.

It is difficult not to simply comment 'this is extremely dumb and an inconceivably bad design'. You can read FileMaker's take on the issue at the link below or, if you really must provide open but password-protected access to a database, perhaps just go out and obtain software suitable to the task at hand...
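To make the design problem concrete, here is an added example (written for this newsletter item, not FileMaker's code) that models both halves of the argument. The first design mirrors what is described above: the server hands an obfuscated password to the client and the client does the comparison, so anyone who can read the bytes on the wire recovers the password. The obfuscation used is a stand-in XOR; FileMaker's real encoding is not described on the page and the point does not depend on it. The second design is the minimum a sensible protocol does instead: the server keeps only a salted, slow-hashed verifier and checks a response to a fresh challenge, so the password never crosses the wire and the server, not the client, makes the decision.

```python
"""Client-side password checking versus server-side verification (added example, not FileMaker's code)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # slows offline guessing against a captured salt/verifier


def obfuscate(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in 'obfuscation': XOR with a fixed byte. XOR is its own inverse."""
    return bytes(b ^ key for b in data)


# --- Design 1 (the one described above): server sends the password, client compares ---
class ClientChecksServer:
    def __init__(self, password: bytes):
        self._password = password

    def on_connect(self) -> bytes:
        # Sent to any client that connects, before it has authenticated at all.
        return obfuscate(self._password)


def client_checks(wire: bytes, typed: bytes) -> bool:
    """The client decides whether the user gets in."""
    return obfuscate(wire) == typed


def eavesdropper_recovers(wire: bytes) -> bytes:
    """Anyone who captured the handshake, or patched the client, has the password."""
    return obfuscate(wire)


# --- Design 2: challenge-response against a verifier held only by the server ---
class ServerChecksServer:
    def __init__(self, password: bytes):
        self._salt = os.urandom(16)
        self._verifier = hashlib.pbkdf2_hmac("sha256", password, self._salt, PBKDF2_ROUNDS)
        self._nonce = b""

    def challenge(self) -> tuple[bytes, bytes]:
        self._nonce = secrets.token_bytes(16)  # fresh per attempt, so replies cannot be replayed
        return self._salt, self._nonce

    def verify(self, response: bytes) -> bool:
        expected = hmac.new(self._verifier, self._nonce, "sha256").digest()
        self._nonce = b""  # single use
        return hmac.compare_digest(expected, response)


def client_respond(password: bytes, salt: bytes, nonce: bytes) -> bytes:
    """Client proves knowledge of the password without sending it."""
    verifier = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.new(verifier, nonce, "sha256").digest()


if __name__ == "__main__":
    secret = b"hunter2"  # constructed sample password
    wire = ClientChecksServer(secret).on_connect()
    print("design 1: client accepts", client_checks(wire, secret),
          "/ eavesdropper recovers", eavesdropper_recovers(wire))
    server = ServerChecksServer(secret)
    salt, nonce = server.challenge()
    print("design 2: correct password accepted", server.verify(client_respond(secret, salt, nonce)))
```

Design 2 is deliberately minimal: an eavesdropper still sees the salt, nonce and response and can mount an offline dictionary attack (slowed by PBKDF2), and anyone who steals the server's verifier can impersonate a client. A production system would run this over TLS or use a proper password-authenticated key exchange. Even so, the contrast with design 1 is the whole point: in design 1 no amount of obfuscation helps, because the server gives the secret away and trusts the client to be honest about the result.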

Security Considerations When Sharing Hosted Databases - filemaker.com

* Would your staff divulge their passwords for a cheap gift?

If you answered 'no', how sure are you?

An informal survey conducted on the platforms at Waterloo Station on the London Underground suggests that any confidence you have that your workers would not give up their passwords for very little incentive is probably misplaced. Nine out of ten office workers approached in the survey exchanged their password for a cheap pen. The survey included questions about other security and IT habits - more details can be found in the item by The Register, linked below.

Office workers give away passwords for a cheap pen - theregister.co.uk
