IDGNet Virus & Security Watch Friday 7 February 2003

This issue's topics:

Introduction:

* Slammer & Leaves worms; IE, XP, Opera & Tomcat patches

Virus News:

* Slammer fallout

* Tracking Leaves author

Security News:

* Cumulative patch for IE includes two new critical fixes

* Fix for Windows Redirector in XP

* Security fixes for Opera 7.0

* Tomcat 3.x vulnerabilities patched

Introduction:

This week sees another cumulative Internet Explorer patch, incorporating two new critical severity fixes, and an 'important to critical' Windows Redirector patch for XP. And, just to prove that even users of the Opera web browser, with its reputation for few security worries, are not immune from the security patch roundabout, GreyMagic Software found five security vulnerabilities in the new Opera v7.0 release. These flaws have been patched in the even newer v7.01 release. Administrators of Apache Tomcat v3.x systems should obtain the latest release, v3.3.1a, to fix some serious privacy and other flaws in that product.

On the virus front, Slammer has been the ongoing topic of most interest this week. More detailed analyses of various aspects of the worm, both technical and what it may have taught us about the Internet as it is today and what we may expect in the future, have been widely published. Your newsletter compiler has chosen to link to a few that have been of most interest to him. Also, an unintentionally humorous article covering the collaboration between police, other government authorities and (mainly private sector) security researchers that led to the detection and arrest of the writer of the Leaves worm is linked in this section.

Virus News:

* Slammer fallout

In the wake of the SQLSlammer worm, much has been written and said about the state of the Internet, the viability of 'keep patched and firewalled' as a defensive position and much more. Some of this talk is quite technical - for example, the analysis of the spread of the worm as can be seen and divined from network trace and specific traffic information, in the CAIDA (Cooperative Association for Internet Data Analysis) item linked below. Others are more speculative or even 'sociological', such as the news.com article suggesting that such disruptions may have to be accepted as part of the 'way of life for the Net'. (That article also covers some interesting 'collateral damage' of the worm.)

By the middle of this week no individual or group had claimed responsibility for the worm. Thus a report in ComputerWorld US that it was the work of a Muslim fundamentalist group based in Pakistan, with ties to Osama bin Laden, and on the US State Department's list of designated terrorist groups raised much interest. Unfortunately for the reporter concerned, it was a hoax perpetrated by another reporter. ComputerWorld quickly retracted the initial report and posted an explanation of how it was duped. Richard Forno's article at SecurityFocus looked at the lessons learned from Slammer, while fellow SecurityFocus commentator Tim Mullen questioned what needs to change while mulling over the ongoing consequences of the typical 'install now, patch later' model.

On a lighter note, despite its obviously widespread nature, SQLSlammer did not make any of the various antivirus vendors' January 'top ten' or 'top twenty' malware lists, as reported by The Register, because of its purely in-memory, on-the-wire existence - places traditional antivirus products and services do not 'look'.

The Spread of the Sapphire/Slammer Worm - caida.org

'Slammer' attacks may become way of life for Net - news.com

Journalist perpetrates online terror hoax - computerworld.com

Lessons From the Slammer - securityfocus.com

Something Needs to Change - securityfocus.com

Slammer fails to make January AV charts - theregister.co.uk
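Because Slammer never touched a disk, the place a defender could see it was network telemetry rather than file scanning. The following is an added example, not code from the newsletter or any of the linked articles: a small detector that reads constructed NetFlow-style flow records (the text format is assumed for this example) and flags any source spraying Slammer-sized UDP datagrams at many distinct hosts, using the well-known facts that the worm was a single UDP datagram to port 1434 with a 376-byte payload.

```python
# Added example (not from the newsletter): flow-log detector for Slammer-style
# scanning worms. Well-known Slammer facts assumed here: one UDP datagram to
# port 1434 carrying a 376-byte payload, sprayed at pseudo-random destinations.
# The flow-record format and the sample lines are constructed for this example.
from collections import defaultdict
from typing import Iterable

SLAMMER_PORT = 1434      # MS SQL Server Resolution Service (UDP)
SLAMMER_PAYLOAD = 376    # UDP payload size of the worm datagram, in bytes
FANOUT_THRESHOLD = 5     # distinct destinations from one source within the window
WINDOW_SECONDS = 10

# Constructed sample flow records: "epoch proto src dst dport bytes"
SAMPLE_LOG = """\
1043800000 UDP 10.0.0.5 10.0.3.17 1434 376
1043800001 UDP 10.0.0.5 172.16.9.2 1434 376
1043800001 UDP 10.0.0.5 192.168.44.9 1434 376
1043800002 UDP 10.0.0.5 10.9.9.9 1434 376
1043800002 UDP 10.0.0.5 10.1.2.3 1434 376
1043800003 UDP 10.0.0.5 203.0.113.8 1434 376
1043800003 TCP 10.0.0.7 10.0.0.20 1433 1500
1043800004 UDP 10.0.0.8 10.0.0.9 1434 60
1043800100 UDP 10.0.0.9 10.0.0.10 1434 376
"""

def parse_flows(lines: Iterable[str]):
    """Yield (ts, proto, src, dst, dport, nbytes); malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            yield (int(parts[0]), parts[1].upper(), parts[2], parts[3],
                   int(parts[4]), int(parts[5]))
        except ValueError:
            continue

def detect_slammer_sources(log_text: str):
    """Sources that sent 376-byte UDP/1434 datagrams to many distinct hosts within
    WINDOW_SECONDS of their first one. One datagram alone is not conclusive
    (legitimate SQL Browser queries look similar); the fan-out is the signal."""
    first_seen = {}
    targets = defaultdict(set)
    for ts, proto, src, dst, dport, nbytes in parse_flows(log_text.splitlines()):
        if proto != "UDP" or dport != SLAMMER_PORT or nbytes != SLAMMER_PAYLOAD:
            continue
        first_seen.setdefault(src, ts)
        if ts - first_seen[src] <= WINDOW_SECONDS:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= FANOUT_THRESHOLD)
```

Run against the sample, only 10.0.0.5 is reported: the TCP flow, the short UDP/1434 query and the single later datagram from 10.0.0.9 are all ignored.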

* Tracking Leaves author

Although it surely was not intended this way, the article linked below reads more like a spoof of ill-informed technical writing than a serious account of a serious technical process. We have selected it for its unintended humour value, but if you can see past the hyperbole, there is some interesting content about cooperation between security researchers and government authorities tracking a virus writer.

The worm that turned - govexec.com

Security News:

* Cumulative patch for IE includes two new critical fixes

Microsoft has released a new cumulative patch for IE 5.01, 5.5 and 6.0. As is common, this patch not only includes all previous patches for the relevant browser version or service pack level, but also some new fixes that are not available in any other form (i.e. not released as separate hotfix patches).

The new patches are rated critical by Microsoft, which seems in keeping with the fact that the security flaws they fix can allow a remote attacker to run arbitrary commands on the browser's machine. Microsoft recommends that vulnerable users 'should install the patch immediately'. As the discoverer of one of the newly patched vulnerabilities has now released demonstration exploits, 'immediately' would not be too soon.

Microsoft Security Bulletin MS03-004

* Fix for Windows Redirector in XP

A buffer overflow in the Windows Redirector in Windows XP can be exploited to allow remote arbitrary code execution. Microsoft rates the severity of this vulnerability as 'important' and recommends its customers 'consider applying the patch'.

Given the possibility of remote, arbitrary code execution, however, there are bound to be situations where it will be prudent to treat the severity as 'critical' and the patch's installation as 'necessary and urgent'. The security advisory announcing the patch's availability lists mitigating circumstances that may not be all that common: much as it is 'cosy' to assume your local network is not a hostile place, even if you are sure your firewall and router policies protect you from 'the outside', you still have to consider the many possibilities of compromise from within.

Microsoft Security Bulletin MS03-005

* Security fixes for Opera 7.0

Released just over a week ago, the latest major revision of the Opera web browser already faces security problems. Researchers at the Israeli security firm GreyMagic have reported five vulnerabilities, three of which they rate as critical because they expose files local to the browsing machine to remote, possibly hostile, servers. Demonstrations of the vulnerabilities are available from the GreyMagic security advisories, linked below.

In all cases, the fix is to download the just-released Opera v7.01, links to which are readily found on the Opera home page, linked below. Although untested by the newsletter compiler, it should be sufficient to download the 'browser only' package if you have already installed v7.0 with Java support (and obviously, if you run Opera without Java support at all, that is all you would want). If the update cannot be sourced and installed in a suitably short time, disabling JavaScript in the browser prevents all of these five vulnerabilities from being exploited.

Five Opera security advisories - greymagic.com

GM002 advisory

GM003 advisory

GM004 advisory

GM005 advisory

GM006 advisory

Opera home page - opera.com

* Tomcat 3.x vulnerabilities patched

Information exposure, inappropriate server file reading and arbitrary script code execution bugs in Tomcat v3.x have been fixed in the v3.3.1a release. The new version can be obtained either from the Tomcat web site or as update packages from the several vendors that ship affected versions in their standard distributions.

Apache Tomcat 3.3.1a download site - apache.org
