IDGNet Virus & Security Watch Friday 11 April 2003

This issue's topics:

Introduction:

* Microsoft VM, Samba, KDE and SETI@home critical updates

Virus News:

* Two weeks on the trot?

Security News:

* Critical Microsoft Virtual Machine patch released

* Denial of service flaw in Proxy Server 2.0, ISA Server 2000 fixed

* MS00-084 updated...

* Critical Samba remote root vulnerability patched

* KDE fixes arbitrary command execution via PS and PDF file viewing

* Details of Apache 2.0.44 and earlier Denial of Service vulnerability

* SETI@home client & server buffer overflows, information leaks fixed

Introduction:

Windows admins have a critical Microsoft VM patch to roll out this week and possibly less critical Proxy Server 2.0 and ISA Server 2000 patches. Administrators of all systems running Samba need to check for the latest updates for that product if they have not done so since Monday or Tuesday this week, when the latest patches, fixing a critical remotely exploitable buffer overflow, were released. Also, KDE and all SETI@home users should check the critical security items listed in this week's newsletter.

On the virus front we saw another very quiet week. There was a potentially interesting story about a virus disrupting e-voting in a US county's elections, but that did not get enough coverage to tell how much of a story it really was.

And a reminder - with Easter and Anzac Day public holidays on the next two Fridays, the next two issues of this newsletter will be posted on Thursday.

Virus News:

* Two weeks on the trot?

This past week, like the one before it, did not see any major virus outbreaks or virus-related stories really worth repeating. If you check MessageLabs' monthly Threatlist report (linked below) you will see that not one of the approximately 153,000 detections the company has made to date this month (as of 3:00pm Friday NZT) is listed as 'new'. In MessageLabs' parlance, this means none of the malware it has detected in the first 11 days of this month was unknown before April began. That might be a good sign, or it may just mean that the days of mass-mailing being the preferred distribution method for new, network-aware viruses are waning...

One virus-related story from the last week was potentially very interesting, at least if any solid details could be located. The story of Illinois' Will County election results being disrupted by a virus interfering with a server should probably have been big news. It was originally reported, as far as we can tell, by UK-based antivirus firm Sophos, and we have linked to a newspaper's limited coverage of the story below.

Threatlist for April 2003 - messagelabs.com

Virus disrupts e-voting - theage.com.au

Security News:

* Critical Microsoft Virtual Machine patch released

A vulnerability that can allow the Microsoft Virtual Machine (VM) to execute arbitrary code has been patched in the 3810 build, which has just been released. The Microsoft VM is 'Microsoft's Java' and has shipped with most OS and IE versions since Windows 95.

The flaw fixed in the 3810 build of the VM is in the ByteCode Verifier which was not properly checking for certain malicious code when loading a Java applet. The most likely avenue of attack via this vulnerability would be through enticing intended victims to view a web page that hosted a specially created Java applet that exploited this vulnerability, so users with Java applets disabled in their browsers have reduced exposure to exploitation.

Microsoft rightly rates the severity of this vulnerability as critical.

Microsoft Security Bulletin MS03-011

* Denial of service flaw in Proxy Server 2.0, ISA Server 2000 fixed

Microsoft has released patches to fix a denial of service vulnerability in both the Winsock Proxy service of Microsoft Proxy Server 2.0 and the Microsoft Firewall service in ISA Server 2000. Both services are enabled by default in common installation configurations and mishandle certain specially crafted packets, pushing CPU usage to 100% and leaving their host machines unresponsive.

Normally this vulnerability could only be exploited from the local network (intranet or LAN) because the socket the vulnerable services are bound to is not normally bound to an external (Internet) interface. As exploiting the vulnerability is likely to cut off Internet access, it seems an unlikely attack for even the most disgruntled of employees to consider (though prank-playing students may be a different story...). Because of the limited attack scenarios and the result 'only' being a DoS, Microsoft has rated this as being of 'important' severity.

Microsoft Security Bulletin MS03-012

* MS00-084 updated...

In case you were hanging out for the MS00-084 patch for NT 4.0, Microsoft has just released it. It seems that the patch was prepared quite some time ago, but for some reason was overlooked and never released (or at least, not publicly announced through the normal security bulletin channels). As a quick recap, MS00-084 fixes a cross-site scripting flaw in the Indexing Service which is installed but not enabled by default in Windows 2000 and was included in the NT Option Pack for NT 4.0 but not installed by default with any other component in the Option Pack.

Microsoft Security Bulletin MS00-084

* Critical Samba remote root vulnerability patched

Samba developers released patches, and distributors shipped Samba update builds, early this week after security researchers at Digital Defense disclosed a remotely exploitable buffer overflow in the popular open-source implementation of SMB/CIFS networking. All Samba versions up to and including 2.2.8 are vulnerable, and the flaw can be exploited remotely without the attacker needing to authenticate to the server. As the daemon runs as root, any code executed through an exploit of this vulnerability also runs with those privileges.

The disclosure of this vulnerability, which is caused by an unchecked string length during a string copy of data received from the network, prompted the Samba developers to audit similar code, and they discovered several more vulnerabilities of the same kind. All of these, as well as the flaw found by Digital Defense, are fixed in the 2.2.8a release. These are clearly highly critical vulnerabilities, so the updates should be installed as soon as practicable. Digital Defense raised the Samba developers' ire by releasing a working exploit of the vulnerability with the advisory describing the flaw, so obtaining and installing an updated version is all the more urgent. At least two further exploits have been released in the last few days.
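To make the class of bug concrete, here is an added illustration written for this newsletter (not Samba's code) of a network-supplied length driving a string copy into a fixed-size buffer with no check, beside a bounded version that rejects oversized and truncated input. The wire format (one length byte followed by the name bytes), the NAME_MAX buffer size and the try_name helper are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the fixed buffer the name is copied into (illustrative, not Samba's). */
#define NAME_MAX 16

/*
 * Hypothetical wire field: one length byte followed by that many name bytes.
 *
 * Vulnerable pattern: the length is taken straight from the packet and used to
 * size the copy, so a client that sends a length greater than NAME_MAX - 1
 * overwrites whatever follows dst in memory. It is shown only to illustrate the
 * shape of the bug and is never called on untrusted input below.
 */
int copy_name_unchecked(char *dst, const uint8_t *pkt)
{
    size_t n = pkt[0];            /* attacker-controlled */
    memcpy(dst, pkt + 1, n);      /* no comparison against the destination size */
    dst[n] = '\0';
    return (int)n;
}

/*
 * Hardened version: check the claimed length against both the bytes that
 * actually arrived and the destination size before copying anything.
 * Returns the number of bytes copied, or -1 (with dst set to "") on a bad packet.
 */
int copy_name_checked(char *dst, size_t dst_size,
                      const uint8_t *pkt, size_t pkt_len)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (pkt == NULL || pkt_len < 1)
        return -1;                /* no length byte at all */
    size_t n = pkt[0];
    if (n > pkt_len - 1)
        return -1;                /* claims more bytes than were received */
    if (n >= dst_size)
        return -1;                /* would not fit together with the terminator */
    memcpy(dst, pkt + 1, n);
    dst[n] = '\0';
    return (int)n;
}

/*
 * Test helper: build a constructed packet whose length byte claims `claimed`
 * bytes while only `present` body bytes are actually handed to the parser,
 * then return copy_name_checked's result for it.
 */
int try_name(uint8_t claimed, size_t present)
{
    uint8_t pkt[256];
    char name[NAME_MAX];
    if (present > sizeof pkt - 1)
        return -2;
    pkt[0] = claimed;
    memset(pkt + 1, 'A', present);
    return copy_name_checked(name, sizeof name, pkt, present + 1);
}

int main(void)
{
    printf("5-byte name:                  rc=%d\n", try_name(5, 5));
    printf("15-byte name (just fits):     rc=%d\n", try_name(15, 15));
    printf("16-byte name (no room):       rc=%d\n", try_name(16, 16));
    printf("200-byte name (overflow):     rc=%d\n", try_name(200, 200));
    printf("truncated (claims 10, got 3): rc=%d\n", try_name(10, 3));
    return 0;
}
```

The two checks in copy_name_checked are the ones the unchecked version lacks: the length must not exceed what was actually received (otherwise the parser reads past the packet) and it must leave room for the terminator in the destination (otherwise the copy writes past the buffer, which is the remote-root condition described above).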

Samba-TNG is also affected. Versions prior to Samba-TNG 0.3.2 are vulnerable and should be updated.

Because the Digital Defense web site has been unavailable, instead of linking to its copy of the security advisory we have linked to an archived copy of the advisory Digital Defense posted to the Bugtraq mailing list.

Archived Bugtraq list message - securityfocus.com

Samba home page - samba.org

* KDE fixes arbitrary command execution via PS and PDF file viewing

All KDE 2 and 3 versions up to and including 3.1.1 are vulnerable to a local and remote attack involving PS (PostScript) and PDF files. KDE uses Ghostscript for viewing such files and does so in such a way that arbitrary shell commands that can be embedded in the files will be executed with the privileges of the user viewing the files.

KDE 3.0.5b and 3.1.1a have been released to fix these problems. KDE 2.x users not wishing to update can obtain source patches against KDE 2.2.2 and recompile that version. Alternately, for those unwilling or unable to update, a workaround that restricts certain KDE functionality is described in the KDE security advisory linked below.

Vendors of distributions including KDE have released, or soon will, update packages to address these issues.

KDE Security Advisory: PS/PDF file handling vulnerability - kde.org

* Details of Apache 2.0.44 and earlier Denial of Service vulnerability

Last week we reported that a significant Denial of Service vulnerability and file descriptor leaks in Apache versions prior to 2.0.45 had been fixed in that release. Further, we noted that details of the vulnerability were due to be released on 7 April and that Apache administrators should install the update as soon as practicable.

Well, true to its word, iDefense released an advisory describing the Apache DoS it had discovered. The nature of the flaw is such that describing it pretty much amounts to proof-of-concept exploit code, so, not surprisingly, several exploits have been produced and publicly posted in the last few days. In short, the Apache server allocates a generously sized buffer for each blank line in an HTTP request. Because very large numbers of blank lines can be sent to a server relatively cheaply (in terms of network bandwidth), a successful DoS can be realized against even quite large servers. Both the Windows and Unix builds are vulnerable to this DoS.
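As an added illustration (not Apache's code), the following C shows one way a request reader can skip leading blank lines without allocating anything per line and give up once a client has sent more than a fixed number of them, so the server's cost is bounded by the limit rather than by how many newlines the client chooses to send. The MAX_LEADING_BLANK_LINES limit, the return-code convention and the constructed request are assumptions chosen for the example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Empty lines tolerated before the request line (illustrative limit, not Apache's). */
#define MAX_LEADING_BLANK_LINES 8

/*
 * Scan the start of a raw request buffer without allocating anything per line.
 * Returns the offset of the first byte of the request line, -1 if more than
 * `limit` blank lines precede it (caller should drop the connection), or -2 if
 * the buffer so far holds only blank lines within the limit (read more data).
 */
long skip_leading_blank_lines(const char *buf, size_t len, size_t limit)
{
    size_t i = 0, blank = 0;
    while (i < len) {
        if (buf[i] == '\n') {
            i += 1;                               /* bare LF */
        } else if (buf[i] == '\r' && i + 1 < len && buf[i + 1] == '\n') {
            i += 2;                               /* CRLF */
        } else {
            return (long)i;                       /* request line starts here */
        }
        if (++blank > limit)
            return -1;                            /* flood of empty lines */
    }
    return -2;
}

/* Constructed input: `newlines` bare LFs followed by a minimal GET request. */
size_t build_request(char *out, size_t out_size, size_t newlines)
{
    const char *req = "GET / HTTP/1.0\r\nHost: example.test\r\n\r\n";
    size_t rl = strlen(req);
    if (newlines + rl >= out_size)
        return 0;
    memset(out, '\n', newlines);
    memcpy(out + newlines, req, rl);
    out[newlines + rl] = '\0';
    return newlines + rl;
}

/* Scan result for a request preceded by `newlines` blank lines. */
long scan_with_newlines(size_t newlines)
{
    char buf[4096];
    size_t len = build_request(buf, sizeof buf, newlines);
    if (len == 0)
        return -3;                                /* constructed input too large */
    return skip_leading_blank_lines(buf, len, MAX_LEADING_BLANK_LINES);
}

int main(void)
{
    size_t counts[] = { 0, 3, MAX_LEADING_BLANK_LINES,
                        MAX_LEADING_BLANK_LINES + 1, 2000 };
    for (size_t k = 0; k < sizeof counts / sizeof counts[0]; k++)
        printf("%4zu leading blank lines -> %ld\n",
               counts[k], scan_with_newlines(counts[k]));
    return 0;
}
```

The point of the cap is that a handful of stray blank lines (which HTTP/1.1 tells servers to tolerate before a request line) costs nothing, while a stream of thousands of them is rejected after the limit without any per-line memory ever having been allocated.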

Denial of Service in Apache HTTP Server 2.x - idefense.com

Apache 2.0.45 release notes - apache.org

* SETI@home client & server buffer overflows, information leaks fixed

Berend-Jan Wever has discovered several information leaks and buffer overflows in various parts of the SETI@home client software and in the main server. The worst of these flaws can allow remote shell access and arbitrary code execution. The SETI@home project has released updated versions of all affected clients, which include the Windows screensaver as well as the Windows and Unix command-line clients.

Archived NTBugtraq list message - ntbugtraq.com

SETI@home home page - berkeley.edu
