IDGNet Virus & Security Watch Friday 24th January 2003


This issue's topics:

Introduction:

* Three Windows bugs, Outlook 2002, CVS & patches, virus writer jailed

Virus News:

* HTML Application (.HTA) causes small stir

* Welsh virus writer gets two-year prison sentence

Security News:

* Critical buffer overflow in Locator Service patched

* Cumulative patch for Content Management Server 2001

* Information exposure fix for Outlook 2002

* MS02-070 revision - XP SP1 vulnerable to SMB signing flaw after all

* Patch for double-free bug in CVS server

* Multiple vulnerabilities in KDE

* Choosing and using a VPN

* Cryptanalysis of door locks reveals easy master key extraction

Introduction:

The third week of the new year and Microsoft releases its first three security bulletins and updates another. Among corporate IT admins the most pressing concern from the MS security bulletins would be the critical flaw in the RPC Locator Service, enabled by default on domain controllers and potentially exposing the machine to remote arbitrary code execution. Which of the others is of next greatest concern will depend on local usage patterns and the like. Administrators of Windows XP SP1 machines should note the change in MS02-070, where a patch previously thought to have already been rolled into SP1 has been found to be missing from that service pack after all.

Unix and Linux administrators of CVS and/or KDE machines have some urgent critical patches to apply, at least in the CVS case potentially allowing anonymous, remote command execution and corruption of the CVS store. We finish the week's offering with some hopefully interesting reading - an article explaining the ins and outs of getting started in VPNs and another describing the cryptanalysis of master-keyed door locks.

On the virus front there is some encouraging news from the UK jailing of another virus writer and distributor and a warning from yours truly about HTML Application files.

Virus News:

* HTML Application (.HTA) causes small stir

Working in the restless backwaters of antivirus research, one often sees small eddies of activity that are never picked up by the world at large. Generally this is a good thing, though an issue yesterday reminded me of a little-known issue which deserves some wider attention.

The actual incident is utterly trivial and typically confusing, as a quick look through the linked pages at the names used by the different vendors for the same thing shows. However, a larger issue than Downloader-BO or Inor or Maz is the use of .HTA files by the dropper that has been used on at least two occasions now to distribute the Trojan. HTML Application, or HTA, files are basically HTML files intended for local scripting use. In short, they are .JS or .VBS files on steroids, as they can contain HTML markup as well, to display a more complex interface than can be easily attained with just the scripting engines.

The 'problem' with HTA files is that relatively few people seem to know what they are actually for, and thus relatively few people are aware that they can be very dangerous. Recent versions of Outlook and v6.x releases of Outlook Express (through the various security improvements added to them) include HTA files in the list of attachment types that are blocked by default, as do several third-party e-mail client programs. However, users of older versions of those programs may still be at risk - Windows supports HTA files in all versions since Windows 98 (and Windows 95 does if IE 4.0 or later has been installed).

The biggest threat that such HTA files pose to the unwary is that they typically end up being run from the local computer. Thus, although they are interpreted by IE, they are given nearly free rein on the machine: they are allowed to run ActiveX controls that would be prohibited access from a web page or HTML e-mail message, allowed to access the local file system directly (again, normally prohibited access from web pages and e-mails) and so on.

If you have no use for HTA files, and in reality very few people do, consider disabling their potentially damaging effects by setting the file type to open in Notepad rather than with mshta.exe.
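As an added illustration of the check behind that advice (this is not code from the newsletter), the following C program reports which executable the 'htafile' file type currently hands .HTA files to. On Windows it reads the default value of HKEY_CLASSES_ROOT\htafile\shell\open\command (link against advapi32); on any other system it runs against a constructed sample of the usual Windows value, so the parsing can be tested anywhere. The program only reads the association; the names handler_basename, handler_is_mshta and read_hta_command are this example's own.

```c
/*
 * Added example, not from the newsletter: report whether .HTA files are
 * still handed to mshta.exe.  On Windows the open command is read from the
 * registry; elsewhere a constructed sample string stands in for it.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Copy the executable's base name from an open-command string such as
 *   "C:\Windows\System32\mshta.exe" "%1" %*
 * into out.  Quoted and unquoted program paths are both handled.
 * Returns 0 on success, -1 if nothing parses or out is too small. */
int handler_basename(const char *cmd, char *out, size_t outsz)
{
    while (*cmd == ' ' || *cmd == '\t') cmd++;
    const char *start, *end;
    if (*cmd == '"') {                       /* quoted path: up to next quote */
        start = cmd + 1;
        end = strchr(start, '"');
        if (!end) end = start + strlen(start);
    } else {                                 /* unquoted: up to first blank */
        start = cmd;
        end = start;
        while (*end && *end != ' ' && *end != '\t') end++;
    }
    if (end == start) return -1;
    /* drop directory components; both \ and / turn up in practice */
    const char *base = start;
    for (const char *p = start; p < end; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    size_t len = (size_t)(end - base);
    if (len == 0 || len + 1 > outsz) return -1;
    memcpy(out, base, len);
    out[len] = '\0';
    return 0;
}

/* 1 if the command launches mshta.exe (compared case-insensitively),
 * 0 if it launches something else, -1 if the string cannot be parsed. */
int handler_is_mshta(const char *cmd)
{
    char base[260];
    if (handler_basename(cmd, base, sizeof base) < 0) return -1;
    for (char *p = base; *p; p++) *p = (char)tolower((unsigned char)*p);
    return strcmp(base, "mshta.exe") == 0;
}

#ifdef _WIN32
/* Read the live association on Windows.  RegGetValueA expands a
 * REG_EXPAND_SZ value for us.  Returns 0 on success, -1 otherwise. */
int read_hta_command(char *out, DWORD outsz)
{
    LSTATUS rc = RegGetValueA(HKEY_CLASSES_ROOT, "htafile\\shell\\open\\command",
                              NULL, RRF_RT_REG_SZ, NULL, out, &outsz);
    return rc == ERROR_SUCCESS ? 0 : -1;
}
#endif

int main(void)
{
    char cmd[1024];
#ifdef _WIN32
    if (read_hta_command(cmd, sizeof cmd) < 0) {
        puts("htafile association not found");
        return 1;
    }
#else
    /* constructed sample of the default Windows value, used where there is no registry */
    strcpy(cmd, "\"C:\\Windows\\System32\\mshta.exe\" \"%1\" %*");
#endif
    printf("htafile command: %s\n", cmd);
    puts(handler_is_mshta(cmd) == 1 ? "HTA files run as script via mshta.exe"
                                    : "HTA files do not open with mshta.exe");
    return 0;
}
```

The change itself is a one-liner at a command prompt: ftype htafile shows the current command, and ftype htafile=notepad.exe "%1" points the file type at Notepad. Re-run the check afterwards (and after service packs or IE upgrades, which may restore the original association).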

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library (99806)

Network Associates Virus Information Library (99986)

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Welsh virus writer gets two-year prison sentence

Simon Vallor is the Welsh web designer who, in December, pleaded guilty to three offences under the UK's Computer Misuse Act. Earlier this week Vallor received a sentence of two years in prison for his role in writing and distributing the viruses known as Gokar, Admirer and Redesi.

Predictably, debate has ensued as to whether that was a stern enough sentence. However, most media commentators seem to think it was a much more appropriate sentence than the relatively short community service sentence dished out by a Dutch court last year to Jan de Wit for writing and releasing VBSWG.J (or "the Anna Kournikova virus").

Virus Writer Sentenced to Two Years in Prison - pcworld.com

Security News:

* Critical buffer overflow in Locator Service patched

Windows administrators should check their systems for exposure to this critical flaw. NT 4.0 and Windows 2000 domain controllers have the Locator Service enabled by default, whereas it is an optional service on other NT-based machines that are not running as domain controllers. In all cases, if the service is enabled and this new patch not installed, the machine is vulnerable to a remote buffer overflow that could execute arbitrary code with system privileges. Normal best practice would reduce public exposure of this vulnerability, as domain controllers should be firewalled from public networks such as the Internet.

Microsoft Security Bulletin MS03-001

* Cumulative patch for Content Management Server 2001

Microsoft Content Management Server (MCMS) 2001 is part of Microsoft's Enterprise Server range, intended to ease the development, deployment and management of e-commerce web sites. An ASP web page included with MCMS 2001 has been found to be vulnerable to a cross-site scripting (XSS) flaw that could expose personal information from user machines browsing a MCMS 2001 managed site to third parties ('attackers'). Typical XSS payloads such as 'cookie theft' and other identity stealing and impersonating attacks could also be possible.

This cumulative patch update replaces the previous MCMS 2001 cumulative patch released with the MS02-042 security bulletin and includes all fixes in that patch plus this new one, which replaces the 'ManualLogin.asp' file. Installations that have customised the original 'ManualLogin.asp' file will need to review this file after installing the cumulative update and re-apply their customisations. Note that unless your customisations corrected the XSS issue this new update addresses, simply replacing the new 'ManualLogin.asp' with the previously customised one is unlikely to be sufficient - in fact, doing that is likely to re-introduce the vulnerability.

Microsoft rates this vulnerability as being of 'important' severity and recommends that all affected sites apply the update as soon as possible.

Microsoft Security Bulletin MS03-002

* Information exposure fix for Outlook 2002

If Outlook 2002 (the version shipped in Office XP) is configured to use V1 Exchange Server Security certificates for message encryption, it fails to encrypt messages and sends them as plain text. It correctly digitally signs messages when V1 Exchange Server Security certificates are selected for this purpose. The result is that users who believe they are sending encrypted messages will, in fact, be sending messages that can be readily intercepted and their contents read by anyone. The problem does not apply to other kinds of encryption certificates (such as the much more commonly used S/MIME certificates) nor does it apply to other supported versions of Outlook that can use V1 Exchange Server Security certificates.

Microsoft rates this issue as being of moderate severity. You may find it more pressing should your senior executives be in the habit of using V1 Exchange Server Security certificates to 'secure' their more sensitive business planning discussions... Patches are available from links in the security bulletin.

Microsoft Security Bulletin MS03-003

* MS02-070 revision - XP SP1 vulnerable to SMB signing flaw after all

Microsoft has revised its MS02-070 security bulletin. When initially published, that bulletin said that SP1 for Windows XP included the patch for the SMB signing vulnerability reported in that bulletin. Now Microsoft says that the patch was not included in SP1 and anyone using Windows XP SP1 with SMB signing enabled should download and install the patch. Note that if you downloaded the patch earlier you will need to obtain the newly released patch, as the initial release refused to install if the target system was running the supposedly not vulnerable XP SP1.

Microsoft Security Bulletin MS02-070

* Patch for double-free bug in CVS server

A remotely exploitable double-free vulnerability in the popular Concurrent Versions System (CVS) software leaves unpatched versions open to arbitrary code execution with the system privileges of the CVS server user and gives full access to the CVS code database. As CVS is probably the most widely used version control system on Unix-ish OSes and many publicly accessible version control systems on the Internet are CVS systems, there is very extensive scope for abuse through this flaw.

If you run a CVS server prior to v1.11.5, particularly one exposed to public or otherwise untrusted networks, either get the updated version from the CVS site or an updated package from your vendor as soon as possible. As this potentially affects a huge number of vendors, the CERT Coordination Center's advisory is a good starting place for further information.

CERT Advisory CA-2003-02 Double-Free Bug in CVS Server

CVS home page - cvshome.org

* Multiple vulnerabilities in KDE

The K Desktop Environment has been found to improperly quote parameters passed to the command shell for execution in several places. The upshot of this is that rather than just executing expected external programs with (optional) user-supplied arguments, specially crafted arguments can be supplied causing further commands to be executed. Some of these flaws can be exploited by remote processes. Several patches have been released that fix various such flaws and/or generally improve handling of possibly dangerous (i.e. 'untrusted') user input. Most of the popular Linux distributions that ship KDE have released updated packages by now - check with your vendor for availability.

KDE Security Advisory: Multiple vulnerabilities in KDE - kde.org
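To show the bug class behind those advisories in working code, here is an added example (written for this newsletter, not taken from KDE) contrasting three ways of running an external program with a user-supplied argument. The first splices the argument into a command line for the shell, which is the pattern the advisory describes; the second quotes it correctly for /bin/sh; the third avoids the shell altogether by passing an argv array to execlp(). The function names and the sample argument 'file.txt; echo injected' are this example's own.

```c
/*
 * Added example, not KDE code: unsafe versus safe ways of handing a
 * user-supplied argument to an external program.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* UNSAFE: the argument goes into the command line verbatim, so an argument
 * such as  file.txt; echo injected  is parsed by the shell as two commands.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_command_unquoted(char *out, size_t outsz, const char *prog, const char *arg)
{
    int n = snprintf(out, outsz, "%s %s", prog, arg);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Wrap s in single quotes for /bin/sh.  Inside single quotes nothing is
 * special except the quote itself, which is written as  '\''  (close the
 * quoted string, add an escaped quote, reopen).  Returns the length written
 * (excluding the NUL) or -1 if out is too small. */
int shell_quote(char *out, size_t outsz, const char *s)
{
    size_t o = 0;
    if (o + 1 >= outsz) return -1;
    out[o++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (o + 4 >= outsz) return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *s;
        }
    }
    if (o + 1 >= outsz) return -1;
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

/* SAFE (if a shell really is needed): quote the argument so the shell
 * delivers it to prog as exactly one word, metacharacters included. */
int build_command_quoted(char *out, size_t outsz, const char *prog, const char *arg)
{
    char q[1024];
    if (shell_quote(q, sizeof q, arg) < 0) return -1;
    int n = snprintf(out, outsz, "%s %s", prog, q);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* SAFEST: no shell at all.  argv is passed directly to the program, so
 * nothing in arg is ever interpreted.  Returns the child's exit status,
 * or -1 if it could not be started or did not exit normally. */
int run_without_shell(const char *prog, const char *arg)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(prog, prog, arg, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *arg = "file.txt; echo injected";   /* constructed hostile input */
    char cmd[256];
    build_command_unquoted(cmd, sizeof cmd, "xdg-open", arg);
    printf("unquoted (two shell commands): %s\n", cmd);
    build_command_quoted(cmd, sizeof cmd, "xdg-open", arg);
    printf("quoted   (one argument):       %s\n", cmd);
    printf("execlp   (no shell), true exits %d\n", run_without_shell("true", arg));
    return 0;
}
```

The quoting routine is the minimal fix for code that must go through system() or popen(); the execlp() form is the one to prefer when adding new code, because it removes the shell, and therefore the whole class of quoting mistakes, from the picture.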

* Choosing and using a VPN

With increasing pressure to allow remote and travelling staff to access resources on the corporate network, to enable better 'lifestyle' work options such as working from home, and with greater demands from the IT staff themselves to perform secure, distributed system management on machines and LANs in geographically remote locations, more and more companies are turning to VPN technologies. The linked article, written by a network security consultant, discusses the differences between trusted and secure VPNs, and the key points to consider when deciding what you need and how to configure it.

What to look for when buying a VPN - computerworld.com

* Cryptanalysis of door locks reveals easy master key extraction

AT&T Labs Research security researcher Matt Blaze has uncovered an easy method of producing master keys for typical door locks. Drawing on his computer security knowledge, he realised that certain design flaws that render computer cryptographic systems anywhere from easy to trivial to break are analogously present in common master-keyed lock designs.

In a research paper he has described how anyone with access to a master-keyed lock, the 'ordinary' key that opens it (a 'change key' in locksmith parlance) and a small supply of matching, uncut key blanks (which are apparently surprisingly readily obtained) can easily discover the master key. The procedure does not even require any special tools, such as a key-cutting machine. An 'attack' based on the technique Blaze describes can, once the necessary materials have been acquired, commonly be executed in just a few minutes.

Blaze's discussion of these issues can be found at his personal web site, crypto.com, linked below. A 4MB PDF file of the forthcoming research paper, containing several high-quality illustrations and describing the attack in full, can be downloaded from there. The news article we have linked also delves into the debate around the desirability of making this kind of information public, and some of the parallels between this physical security issue and computer security concerns.

Master-Keyed Lock Vulnerability - crypto.com

Master Key Copying Revealed - nytimes.com (free registration required)
