IDGNet Virus & Security Watch Friday 6th December 2002

This issue's topics:

Introduction:

* Outlook 2002 & IE patches; IPD update; Kerberos, Sygate firewall, SAP DB weaknesses

Virus News:

* New CIH variant triggers every month

Security News:

* Fix for Outlook 2002 e-mail header bug

* Critical IE cumulative security patch

* Windows Kerberos password cracker released

* Shutdown password protection of Sygate Personal Firewall faulty

* Integrity Protect Driver update fixes two security flaws

* Local root exploit in SAP DB for Unix and Linux

Introduction:

A new CIH virus variant has been found, and although not common, it could easily get a lucky break on a fast-spreading self-mailing virus. This has been seen with several other common parasitic Windows viruses of late.

On the security front, we have yet another IE cumulative update this week, including yet another critical security patch whose seriousness is being downplayed by Microsoft. The Redmond giant also released a fix for a less serious problem with Outlook 2002. Users of Kerberos logins on Windows 2000 and XP should consider the issues raised by the release of a Kerberos password sniffer and cracker that specifically targets a Kerberos weakness common to those OSes and their Kerberos implementation. Some users of Sygate Personal Firewall may be affected by a recently discovered weakness in its shutdown password protection option. Pedestal Software's Integrity Protection Driver for NT 4.0, Windows 2000 and XP has been updated to fix a couple of flaws, and SAP DB for Unix and Linux has a root exposure issue for which both an exploit and a workaround have been published.

Virus News:

* New CIH variant triggers every month

CIH - the virus family that introduced arguably the most damaging payload to date - has a new member. Technically known as Win95/CIH.1106.A or Win32/CIH.1106.A, this variant differs little from its predecessors despite being significantly rewritten, presumably to bypass the generic detection of new variants of this family that several major virus scanners perform. Like its siblings, this variant's payload is date-triggered and involves both BIOS reflashing, which if successful renders the victim machine unusable, and hard drive trashing.

This variant is, like the rest of the family, a split-cavity infector, meaning it only infects files whose structure contains enough unused 'gaps' or 'holes' to accommodate the virus code. A simple cavity infector must find a single hole large enough for its whole body; a split-cavity infector does not have that limitation. The CIH family was the first to use split-cavity infection, in which the virus carries a 'reassembly' routine that locates the other pieces of its code and stitches them back together. That routine is what lets the virus break its body into the reassembly code plus several arbitrarily small chunks when it infects a program file, so it can infect a file that has no single hole large enough for the whole virus, provided one hole can hold the reassembly routine and the remaining holes can hold the rest. As with all cavity infection techniques, the main point of the approach is that the size of an infected file does not change.
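The size-preservation property described above is why a file-integrity check that only compares lengths cannot see a cavity infection. The following added example (written for this newsletter issue, not code from any vendor or from the virus itself) locates zero-filled 'holes' in a constructed file image, shows the difference between the single-hole requirement of a simple cavity infector and the relaxed total-space requirement of a split-cavity infector, and then demonstrates that a size-only check passes after padding bytes are overwritten while a content hash fails. The sample image, the 0x41 filler and the 24-byte 'loader' size are constructed values; no infection logic is involved.

```python
"""Added example (not from the newsletter or any vendor): assess cavity space
in a file image and show why a size-only integrity check misses a
size-preserving modification while a content hash catches it."""
import hashlib
from typing import List, Tuple

Cavity = Tuple[int, int]  # (offset, length)


def find_cavities(data: bytes, min_len: int = 16, fill: int = 0) -> List[Cavity]:
    """Locate runs of `fill` bytes at least `min_len` long (candidate 'holes')."""
    cavities: List[Cavity] = []
    start = None
    for i, byte in enumerate(data):
        if byte == fill:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                cavities.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        cavities.append((start, len(data) - start))
    return cavities


def fits_single_cavity(cavities: List[Cavity], needed: int) -> bool:
    """Simple cavity infection needs one hole big enough for the whole body."""
    return any(length >= needed for _, length in cavities)


def fits_split_cavities(cavities: List[Cavity], needed: int, loader: int) -> bool:
    """Split-cavity infection (modelled here with arbitrarily small chunks)
    needs one hole for the reassembly code plus enough total space overall."""
    total = sum(length for _, length in cavities)
    return total >= needed and any(length >= loader for _, length in cavities)


def build_sample_image() -> bytes:
    """Constructed stand-in for an executable: header, code, 64-byte gap,
    data, 40-byte gap. Gaps are zero-filled like section padding."""
    header = b"MZ" + b"\x90" * 14    # 16 bytes, no zero bytes
    code = bytes(range(1, 101))      # 100 bytes, no zero bytes
    data = b"hello world" * 5        # 55 bytes, no zero bytes
    return header + code + b"\x00" * 64 + data + b"\x00" * 40


def overwrite_cavity(image: bytes, offset: int, payload: bytes) -> bytes:
    """Model a size-preserving modification: write only into a zero run."""
    end = offset + len(payload)
    if end > len(image) or any(image[offset:end]):
        raise ValueError("target range is not a zero-filled cavity")
    return image[:offset] + payload + image[end:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def size_check(baseline: bytes, current: bytes) -> bool:
    """Weak check: compares lengths only."""
    return len(baseline) == len(current)


def hash_check(baseline: bytes, current: bytes) -> bool:
    """Strong check: compares full-content digests."""
    return sha256(baseline) == sha256(current)


def demo() -> dict:
    image = build_sample_image()
    cavities = find_cavities(image)
    # Constructed modification: 32 filler bytes written into the first hole.
    modified = overwrite_cavity(image, cavities[0][0], b"\x41" * 32)
    return {
        "cavities": cavities,
        "single_fits_80": fits_single_cavity(cavities, 80),
        "split_fits_80": fits_split_cavities(cavities, 80, loader=24),
        "size_check_passes": size_check(image, modified),
        "hash_check_passes": hash_check(image, modified),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the sample image neither hole alone holds an 80-byte body, but together they do, which is exactly the case split-cavity infection exploits; and after the overwrite the file length is unchanged, so only the digest comparison reports a change.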

Although CIH.1106 has not been seen in the wild, it should be noted that several common parasitic Win32 viruses, including other CIH variants, have been seen spreading on the coat-tails of other, self-spreading viruses. Many viruses that deliberately spread themselves via self-mailing or via copying over poorly passworded network shares do so simply by copying their entire program file. Such viruses can become handy (although unintentional) carriers of parasitic infectors such as CIH and FunLove. Those two viruses are common enough that it is not unusual to see self-spreading viruses infected with them, and thus potentially spreading both viruses.

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Security News:

* Fix for Outlook 2002 e-mail header bug

Microsoft has released a patch for Outlook 2002 (the version included in Office XP) that fixes a flaw in the product's handling of certain malformed e-mail message headers. Left unpatched, this bug poses a denial of service threat as malformed e-mail messages cause Outlook 2002 to lock up. Once such a malformed message has been delivered to a vulnerable user's mail drop, it will continue to cause Outlook 2002 problems as Outlook processes the affected header during initial handling of messages. E-mail messages causing such problems would have to be deleted from the mail server by the mail administrator or by affected users clearing their e-mail with other, non-affected e-mail client software.

Microsoft rates this vulnerability as being of moderate severity. It only affects Outlook 2002 - not earlier versions of Outlook nor any versions of Outlook Express.

Microsoft Security Bulletin MS02-067

* Critical IE cumulative security patch

For the second time in two weeks, Microsoft has released a critical security patch for Internet Explorer. As in the previous case, this is a cumulative patch that includes all security hotfixes since, depending on the version of IE in question, the relevant previous service pack or initial release of IE. Also in common with the previous cumulative patch, it includes additional patches - in this case just one, but a serious one.

Microsoft rates the severity of the vulnerability newly patched in this latest cumulative patch as 'important' and gives the rather lukewarm recommendation that users 'should consider deploying the patch'. This is seriously misleading. According to Microsoft's new vulnerability severity rating scheme, an 'important' severity means 'A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources'. The vulnerability that this patch fixes allows arbitrary execution of local commands, including the modification of local files and the fetching of remote files (including the possibility of program files) and their execution. That is all a worm needs.

Long-time IE security researcher Thor Larholm claims that the mitigating factors Microsoft lists for this vulnerability seriously downplay the possible severity of the compromises available through exploitation of this vulnerability. As Larholm said in a recent message posted to a security mailing list '... so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft'. Regular readers will recall that Larholm maintains the 'Unpatched IE security holes' list often linked from this newsletter. Larholm's list and an archived copy of his mailing list message are both linked below, as is Microsoft's spin on this latest patch.

Your newsletter compiler is clearly on Larholm's side in this. The latest patch fixes a security hole that has the potential to become the equivalent of the 'Invalid MIME header' vulnerability in the IE 5.x series of browsers. For those who have forgotten, that vulnerability, and the lack of awareness that it must be patched, directly contributed to the extensive 'success' of most of the highly successful viruses and e-mail worms of the last year or so.

Finally, note that this vulnerability does not affect IE 5.01.

Archived Bugtraq list message (302174) - securityfocus.com

Microsoft Security Bulletin MS02-068

* Windows Kerberos password cracker released

Arne Vidstrom has released a Kerberos password sniffer and cracker that can capture and crack Windows 2000 and XP Kerberos login credentials. It takes advantage of a long-standing weakness in the Kerberos protocol which is clearly described in Frank O'Dwyer's paper - the second item linked below. O'Dwyer's paper also lists some defensive strategies that can be employed to mitigate this weakness, although ultimately the protocol needs revising and implementers need to remove support for the weak options, or at least provide administrators with a reliable way to disable support for the weaker options.

KerbCrack home page - ntsecurity.nu

Feasibility of attacking Windows 2000 Kerberos Passwords - brd.ie

* Shutdown password protection of Sygate Personal Firewall faulty

A recent message from Eitan Caspi, posted to the Bugtraq mailing list, points out a weakness in the feature that is supposed to limit the shutdown of Sygate Personal Firewall (SPF) to users who know the password. Caspi only tested this on the 'free for personal use' version of SPF, and the company did not respond to his requests for more information, so it is unknown whether this issue applies to the 'professional' version of SPF or not. It is advisable for any administrators of machines running SPF who depend on its shutdown password protection feature to prevent users from disabling their personal firewall to read Caspi's message and make the appropriate checks of this issue in their environment.

Archived Bugtraq list message (302127) - securityfocus.com

* Integrity Protect Driver update fixes two security flaws

Pedestal Software has released an updated version of its Integrity Protect Driver (IPD) for NT 4.0, Windows 2000 and XP. IPD v1.3 fixes a problem with its startup activation delay, whose delay timer depended on the system time, and adds a block to a recently documented method of directly accessing physical memory. The latter was exposed in a recent article in the hacker zine Phrack. The former problem means an attacker with enough privilege to alter the system clock could simply set the time back to within twenty minutes of the last system startup, and IPD would be disabled, removing its blocks on installing drivers and the various other low-level system protections it provides.
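The clock-rollback problem is a general design lesson: a delay measured with the settable wall clock can be unwound by anyone allowed to change that clock, whereas a monotonic clock cannot be moved backwards. The following added example (constructed for this newsletter issue; it is not Pedestal Software's code and makes no claim about how IPD actually implemented its timer) models a startup-delay guard with an injectable clock source, then simulates the scenario described above: boot, wait past the delay, and set the wall clock back. The twenty-minute delay is the figure from the item above; the fake clocks, the 30-minute wait and the 25-minute rollback are constructed values.

```python
"""Added example (not Pedestal Software's code): a startup-delay guard keyed
to the settable wall clock is switched off by rolling the clock back, while
the same guard keyed to a monotonic clock is not."""
import time
from typing import Callable, Dict, Tuple

DELAY_SECONDS = 20 * 60  # activation delay after startup (figure from the newsletter)


class FakeWallClock:
    """Stands in for time.time(): anyone with the right privilege can move it
    backwards, which is the weakness being demonstrated."""
    def __init__(self, start: float) -> None:
        self._now = start

    def now(self) -> float:
        return self._now

    def advance(self, seconds: float) -> None:
        self._now += seconds

    def set(self, value: float) -> None:
        self._now = value


class FakeMonotonicClock:
    """Stands in for time.monotonic(): it only ever moves forward."""
    def __init__(self) -> None:
        self._now = 0.0

    def now(self) -> float:
        return self._now

    def advance(self, seconds: float) -> None:
        if seconds < 0:
            raise ValueError("monotonic clock cannot go backwards")
        self._now += seconds


class StartupDelayGuard:
    """Protection counts as active once DELAY_SECONDS have elapsed since
    startup, measured with whatever clock source is supplied."""
    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock
        self._started = clock()

    def protection_active(self) -> bool:
        return self._clock() - self._started >= DELAY_SECONDS


def simulate_rollback(rollback_seconds: float = 25 * 60) -> Dict[str, Tuple[bool, bool]]:
    """Constructed scenario: boot, wait 30 minutes, then roll the wall clock
    back. Returns (weak_guard_active, monotonic_guard_active) at each stage."""
    wall = FakeWallClock(start=1_000_000.0)
    mono = FakeMonotonicClock()
    weak = StartupDelayGuard(wall.now)    # clock-dependent design the item describes
    strong = StartupDelayGuard(mono.now)  # resistant to clock changes

    wall.advance(30 * 60)
    mono.advance(30 * 60)
    after_wait = (weak.protection_active(), strong.protection_active())

    wall.set(wall.now() - rollback_seconds)  # wall clock set back; monotonic untouched
    after_rollback = (weak.protection_active(), strong.protection_active())
    return {"after_wait": after_wait, "after_rollback": after_rollback}


def production_guard() -> StartupDelayGuard:
    """The hardened choice for real code: measure the delay with time.monotonic."""
    return StartupDelayGuard(time.monotonic)


if __name__ == "__main__":
    print(simulate_rollback())
```

After the wait both guards report protection active; after the rollback the wall-clock guard reports it inactive again, which is the disabled state the item describes, while the monotonic guard is unaffected. In real code the same lesson applies to any security timer, lockout or rate limit: derive it from a monotonic source, and treat a wall-clock step backwards as an event worth logging.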

Integrity Protection Driver home page - pedestalsoftware.com

* Local root exploit in SAP DB for Unix and Linux

SAP DB for Unix and Linux has a flaw that lets any user on the local machine run any program as root. A description of this flaw was posted to a mailing list, and an archived copy is linked below. A workaround from the SAP DB developers is described in the advisory at their website.

Archived Bugtraq list message (302103) - securityfocus.com

SAP DB Security Alert - sapdb.org
