IDGNet Virus & Security Watch Friday 17th January 2003

This issue's topics:

Introduction:

* Email worms, virus fraud, DHCPD & Vim fixes, common web app flaws

Virus News:

* How big? Sobig... Is that really big?

* Failed fraud depended on computer virus

Security News:

* Updates fix remotely exploitable overflows in ISC's DHCPD

* Updates fix modeline issue in Vim

* Checklist of web application vulnerabilities

* Hoax implicates RIAA in 'hack back' claims

Introduction:

Not only a rather slow week, but a slow week without a new Microsoft vulnerability (or at least, without a patch being released for one). There has been quite a bit of toil and trouble in the wake of the new mass mailing worms reported last week, and another new worm known as Sobig has also made a noticeable impact (at least among those foolish enough to accept then run arbitrary executable attachments).

More seriously, vulnerabilities in the ISC's DHCP software and in the popular text editor Vim have been, or are in the process of being, fixed; update availability should be checked (and tracked if not yet ready) with your vendor(s).

Virus News:

* How big? Sobig... Is that really big?

Hard on the heels of the viral threesome reported in last week's newsletter, yet another mass mailer was hitting the ether at about the same time that issue did. Perhaps appropriately known as Win32/Sobig, this virus has become surprisingly widespread in the first few days following its release. In fact, MessageLabs reports detecting it at about 70% of the rate of the very long-standing Klez.H over the last 24 hours, and their monthly report for January to date shows over 55,000 samples detected in the week since its initial detection. That is about half the number of Yaha.K samples detected since 1 January and about one sixth of the number of Klez.H since that date.

As with the initial burst of two of the viruses reported last week, it is unclear what lies behind the sudden surge of (initial) success.

MessageLabs Virus Eye and Threat List pages - messagelabs.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Failed fraud depended on computer virus

A former employee of UBS Paine Webber has been charged with fraud following his release of a (reputed) computer virus on his former employer's computer network. Roger Duronio is said to have felt undervalued and so purchased a form of security that would rise in value if the company's stock price fell. Duronio is said to have hoped that news of the virus outbreak would drive the stock price down, but the event went largely unnoticed and certainly unreported. More details are available in the linked news article.

Programmer Faces Fraud Charge in Virus Attack - nytimes.com (requires registration)

Security News:

* Updates fix remotely exploitable overflows in ISC's DHCPD

Several buffer overflows have been found in ISC DHCP, the popular DHCP server and client from the Internet Software Consortium (ISC). It is thought that some of these vulnerabilities may be remotely exploitable, although no active exploits are currently known. Given the extensive use of this software, either directly or as a partial basis for other DHCP implementations, administrators of DHCP-using systems (which must be most of the Internet) should check the vendor statements in the CERT Coordination Center advisory covering this issue.

CERT Advisory CA-2003-01 Buffer Overflows in ISC DHCPD Minires Library

ISC DHCP distribution homepage - isc.org

* Updates fix modeline issue in Vim

Vim, the popular editor with Unix origins and now with widely used ports on many platforms, was shown late last year to be vulnerable to a possible arbitrary code execution issue. Bulgarian security researcher Georgi Guninski showed how Vim's 'modeline' feature could be used in an unexpected way, due to a partial failure of its 'sandboxing' of the potentially dangerous commands that modelines can run. Many Unix and Linux distributions ship Vim, and updated packages should be available for most by now.

Guninski's advisory - guninski.com

Official Vim homepage - vim.sourceforge.net
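The practical question for an administrator is whether a file about to be opened carries a modeline at all. Vim only reads modelines from the first and last 'modelines' lines of a file (five by default), so a check need only look at that window. The script below is an added example written for this newsletter, not code from the Vim project or from Guninski's advisory; its pattern is a deliberate simplification of Vim's real modeline grammar (it matches the "vi:", "vim:", "Vim:" and "ex:" introducers at the start of a line or after whitespace and ignores the versioned "vim<700:" style variants), and the sample file it scans is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag candidate Vim modelines in a file before it is opened
# in an editor that honours them. Not from the newsletter or Vim itself.
#
# Vim scans only the first and last 'modelines' lines of a file (default 5),
# so the check below looks at exactly that window. The regular expression is
# a simplification of Vim's grammar: "vi:", "vim:", "Vim:" or "ex:" at the
# start of a line or after whitespace; versioned forms such as "vim<700:"
# are not covered.

# find_modelines FILE [N]: print the lines within the first N and last N
# lines of FILE (N defaults to Vim's default of 5) that look like modelines.
# When the file is shorter than 2N lines the head and tail windows overlap,
# so duplicates are collapsed with sort -u.
find_modelines() {
    file=$1
    n=${2:-5}
    {
        head -n "$n" "$file"
        tail -n "$n" "$file"
    } | grep -E '(^|[[:space:]])(vi|vim|Vim|ex):' | sort -u
}

# count_modelines FILE [N]: number of candidate modelines in the scanned
# window. grep -c exits 1 when the count is 0, so the status is swallowed
# and only the number is emitted.
count_modelines() {
    find_modelines "$1" "$2" | grep -c . || true
}

# make_sample FILE: write a constructed 12-line sample. Lines 2 and 12 carry
# modelines inside the scanned window; line 7 mentions "vim:" but sits in
# the middle of the file, where Vim never looks.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample file for the modeline check
# vim: set ts=4 sw=4:
line 3
line 4
line 5
line 6
line 7 mentions vim: in the middle, outside the scanned window
line 8
line 9
line 10
line 11
/* vi:set noexpandtab: */
EOF
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
echo "candidate modelines in $sample:"
find_modelines "$sample"
echo "count: $(count_modelines "$sample")"
rm -f "$sample"
```

A file that trips this check is not necessarily malicious; most modelines set nothing more than indentation. The defensive setting on hosts where untrusted files are routinely opened is to disable the feature in the system or per-user vimrc with `set nomodeline` (equivalently `set modelines=0`), in addition to applying the vendor's updated packages mentioned above.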

* Checklist of web application vulnerabilities

OWASP (the Open Web Application Security Project) has released a report detailing the 'top ten' web application vulnerabilities. The report aims to improve web application security by increasing awareness of these all too common flaws in the design and/or implementation of web applications and describing how to detect and correct them. Developers working on web applications and project managers overseeing the same should find the report useful. A PDF version can be downloaded from the OWASP web site, linked below.

Your newsletter compiler feels compelled to add that, as others have observed elsewhere, there is really little new in this report. Its 'top ten' is much the same 'top ten' of security mistakes discovered in many similar reviews of many fields of application programming over several decades. Perhaps the most fascinating issue is not that these are the 'top ten' but that programmers are still making the same basic mistakes and project managers are still signing off projects riddled with the same mistakes. This would seem to be an indictment of the education or professional training that put these people in the position to make such mistakes in the first place.

OWASP homepage - owasp.org

* Hoax implicates RIAA in 'hack back' claims

Security research group Gobbles (no, we're not making this up) released an advisory describing a buffer overflow in a little used MP3 player earlier this week. The advisory included 'proof of concept' code that exploited the vulnerability to execute arbitrary code when the vulnerable music player tried to 'play' a specially modified MP3 file.

So far, nothing out of the ordinary. However, in the group's own rather colourful style, the advisory also claimed that similar exploits had been produced for all the popular MP3 players and that this had been done at the behest of the RIAA (Recording Industry Association of America). Further, it was claimed, those exploits formed a 'multi-headed' worm that could spread from illicit music trader to illicit music trader through its exploits of these vulnerabilities, altering any MP3 files illegally offered across networks such as KaZaA and other popular P2P file sharing networks.

The status of the claimed vulnerabilities in other MP3 players is still unknown but, not surprisingly, the RIAA has denied any knowledge of the so-called 'hydra' Gobbles claimed to have created for it.

Is the RIAA "hacking you back"? - theregister.com
