IDGNet Virus & Security Watch Friday 29th November 2002


This issue's topics:

Introduction:

* WineVar worm, Office 2000SP3, overflows in Real and Pine, Linux kernel bug

Virus News:

* Worm attempts to besmirch antivirus research organization

Security News:

* Office 2000 SP3 released

* Buffer overflow fixes in RealOne and RealPlayer for Windows

* Pine 4.50 fixes buffer overflow

* Linux kernel bug allows local denial of service

Introduction:

Viruses attacking antivirus researchers are not new - several have targeted individuals in the AV research community before, including your newsletter compiler. However, this week we saw one that tried to sully the reputation of a whole group of antivirus researchers.

On the security front, service pack 3 for Microsoft Office 2000 has been released and includes some interesting changes to the functionality of the Outlook e-mail security update, originally released in Office 2000 SR1. Also, the updated version of the Pine e-mail client that fixes a buffer overflow was released, as were more buffer overflow fixes in RealOne and RealPlayer for Windows. And Linux administrators should be checking with their distributors for a kernel update that fixes a bug allowing unprivileged local users to crash their machines.

Virus News:

* Worm attempts to besmirch antivirus research organization

Following the conclusion of the fifth annual conference of the Association of anti Virus Asia Researchers (AVAR) in Seoul, South Korea at the end of last week, a mass-mailing virus dubbed WineVar was released, apparently in Korea. Although it has not really taken off, WineVar is being seen in just noticeable numbers and has a somewhat interesting feature - it tries to besmirch AVAR and its members. It does this by referring to the organization in some of the messages it sends and including the text 'Invariably, Anti-Virus Program is very foolish' in such messages.

Aside from mass-mailing itself, WineVar may also drop and execute a copy of the FunLove virus. As with several other recent viruses, it also tries to improve its chances of spreading by exploiting two vulnerabilities in older versions of Internet Explorer that allow running of programs from web pages and HTML e-mail messages.

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Office 2000 SP3 released

As well as combining all security and other product patches since the SR1 (Service Release 1) release, Service Pack 3 for Office 2000 includes a modified version of the so-called 'Outlook 2000 SR1 E-Mail Security Update'. The original version of the e-mail security update restricts user access to various kinds of attachments that Microsoft decided posed security risks if sent through e-mail. A common complaint about that update was that it removed functionality some people found useful and its actions were not easily modifiable. The updated e-mail security feature for Outlook 2000 in the SP3 release is configurable, allowing users to modify the file attachment types that are blocked and so on.

However, there are early reports that SP3 can cause 100% ('red-line') CPU usage on machines running Outlook. Veteran Office product reviewer and author Woody Leonhard briefly covered this issue in the latest issue of his 'Office Watch' newsletter, suggesting that Microsoft knows of this bug, which seems to have been re-introduced after being fixed early in the service pack beta testing period. Microsoft has not made any public comment on the issue as this newsletter goes to press, so we suggest that users consider Leonhard's comments before deciding whether to obtain and install the service pack. We have included a link to the relevant issue of Leonhard's 'Woody's Office Watch' below, as well as a link to Microsoft's announcement of the service pack's availability.

Woody's Office Watch Vol 7 No 54 - woodyswatch.com

Office 2000 Update: Service Pack 3 - microsoft.com

* Buffer overflow fixes in RealOne and RealPlayer for Windows

Multiple remotely exploitable buffer overflows in RealPlayer and RealOne have been patched recently. Users who have accepted the automatic updater's prompts to obtain and install these updates should have the patched versions. An archived copy of an advisory describing the problems and posted to a security mailing list is linked below, as is RealNetworks' advisory on the same issue.

Archived VulnWatch list message - neohapsis.com

RealPlayer Buffer Overrun Vulnerability - real.com

* Pine 4.50 fixes buffer overflow

As mentioned a couple of newsletter issues back, Pine 4.44 (and possibly earlier versions) has a buffer overflow when handling quoted characters in e-mail addresses in e-mail message From: headers. This has been fixed in v4.50 which has now been released by the University of Washington. Pine v4.50 contains many new and improved features aside from this security fix. Many Unix and Linux vendors ship Pine with their systems and have made, or soon will be making, updated Pine packages available. The hardy may prefer downloading the source from the University of Washington and building their own. Windows users of Pine should note that their version was also affected by this bug and their only source of updates is to download the new version of the binaries from the University of Washington.

Pine Information Center - washington.edu

* Linux kernel bug allows local denial of service

A flaw in the lcall7 handling code in the Linux kernel allows an unprivileged local user to DoS the machine. No particularly malicious uses of this are obvious, but expect to see it being fixed. To that end, many distributors have shipped updated kernel packages and patches are available from the usual places for those prepared to rebuild their own kernels.
