IDGNet Virus & Security Watch Friday 13th December 2002


This issue's topics:

Introduction:

* Critical Windows & Sybase patches, securing unimportant machines, Christmas viruses

Virus News:

* No news is good news, but beware the Christmas silly season

Security News:

* Multiple Microsoft VM vulnerabilities patched

* SMB signing flaw can enable unauthorized group policy change

* Patch fixes NT 4.0, Windows 2000 & XP WM_TIMER flaw

* Microsoft ups severity rating of MS02-068

* Directory traversal vulnerabilities in FTP clients

* Sybase root compromise via buffer overflow patched

* Why the security of 'unimportant' computers matters

Introduction:

'Tis the season for virus silliness, but none has been spotted yet. As this is the last newsletter of the year (the first issue of the New Year will be posted on 10 January 2003), take a little extra care with your e-mail for the next few weeks and be doubly-cynical about mainstream media coverage of virus stories...

On the security front, Microsoft has released two serious patches - one fixing multiple flaws in the Microsoft VM and the other fixing WM_TIMER message processing in NT 4.0, Windows 2000 and XP. Both should be applied as soon as practicable. The third Microsoft patch, for an SMB signing flaw, is less worrisome, but as it affects a subset of the same platforms it could be rolled out in the same patching session. An interesting advisory on directory traversal flaws in FTP client software has just been posted, and a critical, remotely exploitable buffer overflow in Sybase's database server has been patched. We close this section of the newsletter with an interesting item on why the security of 'unimportant' machines should not be neglected.

From the newsletter staff - have a merry Christmas and may your pager not go off until well after the New Year's celebrations have passed...

Virus News:

* No news is good news, but beware the Christmas silly season

Yet again there have been no virus incidents or developments worthy of note in the past week. This is good news, but the Christmas silly season is rapidly approaching. Christmas and New Year are the virus silly season for two reasons - virus writers take advantage of the season, and media outlets become starved of juicy stories.

In the 'season of good will', users tend to drop their guards. E-cards and other silly Christmas e-mail start to flood people's inboxes, and the usual caution may not be applied (especially if it is the morning after the office Christmas party...). In past years it has not been uncommon to see several miserable mass-mailing viruses written in the hope that their apparently seasonal messages or promises of humorous, Christmas-related graphics or animations will tip the balance of user scepticism and result in their being opened by unsuspecting users. Few of these have ever made more than the faintest blip on the antivirus companies' radar screens. However, that does not seem to prevent the media picking up and running with these stories.

So, be as wary of your mailbox as usual and if the media seems to be fixated on some new virus, check the vendor sites usually listed in this section of the newsletter for a more balanced view of the real threat and spread of the beast(s).

Security News:

* Multiple Microsoft VM vulnerabilities patched

Patches fixing eight vulnerabilities in the Microsoft VM, the most serious of which is rightly rated as being of critical severity, are now available. Although a properly implemented Java VM should have very robust security because of Java's design, recent versions of Microsoft browsers and e-mail clients have recognized the seriously buggy nature of Microsoft's own implementation (known as the Microsoft VM) by disabling its use in the 'Restricted Sites' security zone and by placing Microsoft's e-mail clients in that zone by default. Further, a previous vulnerability (described in the MS00-075 security bulletin), which provided a very similar exposure to the most serious of the eight fixed in this latest patch, has been widely exploited by several common self-mailing viruses as a means of auto-running on a new victim's machine, and by unscrupulous web site operators to alter web browser preferences and/or to silently install 'spyware' or 'adware' on the machines of visitors to their sites.

The Microsoft VM is installed with all 'modern' versions of IE and as a standard part of the current service pack level of all Win32 operating systems since (and including) Windows 95. This patch is a cumulative update

Microsoft Security Bulletin MS02-069

* SMB signing flaw can enable unauthorized group policy change

A complex attack scenario, requiring the attacker to be positioned on the network between the systems and able to alter packets in transit, can allow the downgrading of SMB signing requirements, and thereafter the alteration of group policy information. This flaw only affects Windows 2000 and XP, and in the latter case only the 'gold' (original) release of XP, as the problem is patched in XP SP1. As the attack scenario is quite complex and has several mitigating factors, the severity rating of 'moderate' seems appropriate. In fact, many sites might normally skip installing this patch, or at least delay it until the next round of major scheduled upgrades arrives. However, as the administrators of all potentially affected systems should be very seriously considering rolling out the MS02-069 and MS02-071 patches (discussed above and below) as soon as practical, this patch may be cost-effectively incorporated into that patching session.

Microsoft Security Bulletin MS02-070

* Patch fixes NT 4.0, Windows 2000 & XP WM_TIMER flaw

Earlier in the year there was a great deal of comment and discussion of the so-called 'shatter attack' against NT-based OSes. At the root of the problem was the mixing of high and low privilege processes at the interactive desktop level and the ability of a lower privilege process to pass window messages to higher privilege processes. Of particular concern was the WM_TIMER message, which carries the address of a callback function that the receiving process's message loop invokes without regard to where the message came from. A lower privilege process could therefore send such a message to a window owned by a higher privilege process and have code of its choosing run in that process, allowing a low privilege user process to elevate its privileges to those of local system processes that had interactive desktop components (which are often necessary to provide limited configuration management, user feedback from the process and so on).

Microsoft has studied the issues involved and released patches for all NT 4.0, Windows 2000 and XP platforms. The patches mainly involve altering the handling of WM_TIMER messages which are a key component of the internal system messaging system in Windows. On Windows 2000 and XP, these changes have also required some changes in other key OS components, such as some of the system services that include interactive desktop elements. Although Microsoft rates the severity of this vulnerability as 'important', it recommends that all administrators of affected systems 'should install the patch at the earliest opportunity'. As semi-automated and automated exploits of some system configurations vulnerable to this flaw have already been released, that is good advice!

As well as the usual link to the relevant Microsoft security advisory, we have included a link to the original 'shatter attack' advisory.

Exploiting the Win32 API for privilege escalation - tombom.co.uk

Microsoft Security Bulletin MS02-071

* Microsoft ups severity rating of MS02-068

Readers may recall that last week we sided with security researcher Thor Larholm in criticizing Microsoft's 'important' rating of the latest cumulative IE patch released in conjunction with security advisory MS02-068. It seems Microsoft agrees - a few hours after the newsletter was posted, and following several other media outlets also reporting Larholm's criticism, Microsoft revised the MS02-068 bulletin, bumping the severity rating to 'critical' and updating its description of some of the possible impacts of the vulnerability.

Microsoft Security Bulletin MS02-068

* Directory traversal vulnerabilities in FTP clients

Directory traversal attacks are usually thought of as server issues. If a server 'successfully' sends the desired file in response to a request of the form '../filename' (and various more or less cunning variations on that theme), and that file is outside the normal purview of the client, then the server is said to be vulnerable to a directory traversal attack.

Security researcher Steve Christey recently realized that client software can also be vulnerable to such 'attacks'. What if a server responds to a request for a file with a filename involving some form of directory traversal, such as the one above? Are there client/server conversations that work that way? If so, are there clients that accept such 'directions' to traverse directories and potentially overwrite user files or install files into critical system locations? Christey realized that the venerable FTP protocol has just such a possibility in its 'mget' command, in which the client effectively asks a server for the list of filenames matching a wildcard pattern supplied by the client. The server returns the matching filenames, the client then retrieves each of them, and it is normally expected to write them into its current local working directory under the names the server supplied. A client that does not vet those names can be steered into writing anywhere the server chooses.

Christey developed a test FTP server that responds to mget commands with filenames prefixed by various common directory traversal sequences, then tested several common FTP clients against it. Several were vulnerable to one or more of the traversal styles tested. Christey's full results, and the responses of some major vendors of affected products, are available in the archived copy of his advisory, posted to the Bugtraq security mailing list, linked below.

Archived Bugtraq list message - securityfocus.com
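As an added example (not part of the original newsletter or of Christey's advisory), the following Python sketch shows the client-side check a robust FTP client needs before writing files named by the server: every name returned for an mget is vetted as a bare file name before it is joined onto the local directory, and the resolved path is then confirmed to be a direct child of that directory. The hostile listing is constructed for illustration and does not reproduce the advisory's test strings; the function names are this example's own.

```python
"""
Client-side guard against directory traversal in FTP 'mget'.

A client that trusts the file names an FTP server returns for NLST/mget
and joins them onto its local working directory can be made to write
outside that directory. The checks below accept only plain file names
and refuse every traversal form a hostile server might return.
"""
import os
import ntpath

# Constructed sample of what a hostile server might return for an
# NLST/mget request (illustrative; not the advisory's test strings).
HOSTILE_LISTING = [
    "readme.txt",                       # legitimate
    "../.bashrc",                       # classic traversal
    "..\\..\\Windows\\win.ini",         # Windows separators
    "/etc/passwd",                      # absolute POSIX path
    "C:\\boot.ini",                     # drive-qualified path
    "foo/../../.ssh/authorized_keys",   # traversal hidden in a sub-path
    "..",                               # bare parent reference
    "normal\x00.txt",                   # embedded NUL
    "data-2002.csv",                    # legitimate
]


def is_safe_filename(name: str) -> bool:
    """Return True only for a bare file name that cannot leave the target directory.

    Rejects empty names, '.', '..', any path separator ('/' or '\\'),
    drive-qualified names such as 'C:foo', and embedded NUL characters.
    """
    if not name or name in (".", ".."):
        return False
    if "\x00" in name:
        return False
    if "/" in name or "\\" in name:
        return False
    # Drive-letter forms ('C:', 'C:foo') that carry no separator.
    if ntpath.splitdrive(name)[0]:
        return False
    return True


def safe_target_path(dest_dir: str, name: str) -> str:
    """Join a vetted server-supplied name onto dest_dir and prove the result stays inside it."""
    if not is_safe_filename(name):
        raise ValueError(f"refusing server-supplied name {name!r}")
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, name))
    # Defence in depth: even after the name check, require the resolved
    # path to be a direct child of the destination directory.
    if os.path.dirname(target) != dest_real:
        raise ValueError(f"resolved path {target!r} escapes {dest_real!r}")
    return target


def plan_mget(listing, dest_dir="downloads"):
    """Split a server listing into files the client will write and names it refuses.

    Returns (accepted, rejected): accepted maps each server-supplied name to
    the local path that would be written; rejected lists the refused names.
    """
    accepted, rejected = {}, []
    for name in listing:
        try:
            accepted[name] = safe_target_path(dest_dir, name)
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_mget(HOSTILE_LISTING)
    for n, p in ok.items():
        print(f"accept {n!r:40} -> {p}")
    for n in bad:
        print(f"refuse {n!r}")
```

The separator and drive-letter checks are deliberately platform-independent: a client built on a Unix host still has to refuse backslashes and 'C:' prefixes, because the same binary (or the same code) may run on Windows, and the final realpath comparison catches anything the string checks miss.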

* Sybase root compromise via buffer overflow patched

The Shatter Team security researchers at Application Security Inc have posted an advisory describing a remotely exploitable buffer overflow in the DBCC CHECKVERIFY function of Sybase's database server. Exploitation of the overflow allows execution of arbitrary code with the privileges of the database server process, which typically amounts to root or administrator level access to the host.

Patches are available from Sybase and linked from the advisory.

Sybase: DBCC CHECKVERIFY Buffer Overflow - appsecinc.com

* Why the security of 'unimportant' computers matters

Len Hynds, head of the UK's National Hi-Tech Crime Unit (NHTCU), recently warned that companies with poor IT security could be unwitting and unknowing hosts of pirated software, child pornography and other undesirable content. Increasingly, 'web pirates' are searching out poorly secured computers, particularly always-on machines with fast Internet connections, compromising them and installing monitoring and remote administration programs. They then copy hundreds of megabytes, even gigabytes, of whatever material they are in the business of peddling (pornography, pirated software, etc) to these machines and configure their main web sites to serve the bulk of their content from the compromised hosts. This steals bandwidth from the compromised machines, whose owners end up footing the bill one way or another, via increased network costs and/or degraded performance of their own access to off-site locations.

This may seem an unlikely scenario, but in the last six weeks your newsletter compiler has assisted in three such incidents. These involved poorly secured university and business computers that were essentially wide open to the Internet and left that way because no adequate local policy or network system administration applied to the compromised machines. In all cases the old 'there is nothing of value on those machines' attitude had prevailed. Of course, this ignores that modern machines typically have massive (and mainly unfilled) hard drive capacity and fast Internet access. Add poor, or no, administration and monitoring, and such machines are a web pirate's dream...

Insecure networks exploited by paedophiles - silicon.com
