IDGNet Virus & Security Watch Monday 25th November 2002


This issue's topics:

Introduction:

* MDAC, IE, MS certificate validation, Samba fixes; Outlook privacy issue

Virus News:

* All quiet on the virus front again...

Security News:

* Fix for remote code execution via buffer overflow in MDAC

* Cumulative patch for Internet Explorer

* Updated MS02-050 patches

* Microsoft revamps security bulletins and vulnerability severity rating

* Privacy invasion via Outlook 2002 and 11

* Possible root exploit in Samba fixed

* NASA, Pentagon hacker used popular remote control software

* Is there such a thing as too much disclosure?

Introduction:

[Apologies for the late distribution of this newsletter. Our newsletter compiler was unable to send us the contents of the newsletter until this afternoon.]

There are several important patches from Microsoft this week, plus a change in the severity ratings it applies to vulnerabilities. Further, a possible privacy invasion, or at least 'leak' in the latest and next version of Outlook is described, as is the configuration fix to prevent yourself becoming a victim. Samba has been updated to fix a possible remote root vulnerability in the popular Unix and Linux SMB networking solution and we close out the security section with a couple of interesting news articles.

On the virus front, it seems everything has gone quiet again, with nothing of any consequence to report for the last week.

Virus News:

* All quiet on the virus front again...

It seems the recent upsurge in virus and worm activity has abated somewhat. The only thing of interest about viruses worth reporting this week is that there seems to be nothing that is noteworthy enough to report on.

Security News:

* Fix for remote code execution via buffer overflow in MDAC

Multiple Microsoft platforms are at risk from a recently disclosed buffer overflow in Microsoft Data Access Components (MDAC) 2.1, 2.5 and 2.6. The overflow is in the Remote Data Services (RDS) Data Stub function. MDAC itself, or partial MDAC components including the RDS component with the vulnerable RDS Data Stub function, ship in many products apart from Windows ME, 2000 and XP which include MDAC as a default component. For example, Internet Explorer 5.1, 5.5 and 6.0 include the vulnerable RDS components, and MDAC is a redistributable meaning that it is available as a download from Microsoft's web site and may be included in products shipped by third-party developers.

Microsoft rates the vulnerability fixed by this patch as being of 'critical' severity and warns that users of vulnerable systems (which it suggests are any Windows machines used as web servers or for browsing the web -- that must be most of them) are especially at risk. There is an exception though - Windows XP ships with MDAC 2.7, which is not vulnerable, so even though XP also ships with IE 6.0, XP machines should not be vulnerable as the newer, non-vulnerable version of MDAC should be active on such machines.

Note that this is yet another case where a widely deployed and used ActiveX control, signed by Microsoft, has been found to contain a critical severity security flaw. In such cases, Microsoft does not set the 'kill bit' on the control, due to the enormous upheaval that would be caused by the patch removing the existing control (identified, as ActiveX controls are, by a fixed CLSID) from many (ideally all) client web browsers. The solution to that problem is to require all web pages dependent on the 'killed' control to be fixed so as to refer to the new CLSID of the 'fixed' version of the control.

All this means that a malicious person can cause the re-introduction of the buggy control that this patch fixes, so long as the user is willing to trust the control on the basis of it being genuinely signed by Microsoft. This reminds us of the grievous inadequacies in Microsoft's design of the code-signing mechanisms used with its ActiveX technology. Supposedly these mechanisms 'protect' users from malicious and other undesirable code, but their typical implementation and use provide little additional security beyond the age-old warning 'be careful what you run'. Administrators and users should be especially wary not only of the verified signer of ActiveX controls, but of the actual web pages offering them.

Microsoft Security Bulletin MS02-065

* Cumulative patch for Internet Explorer

As well as including all previous Internet Explorer patches, the latest cumulative patch for IE includes fixes for six additional vulnerabilities. Microsoft has altered its vulnerability rating scheme from a three-point to a four-point scheme and, although this patch would be rated most serious under the old scheme, it is only rated 'important' and not 'critical' under the new scheme (the new severity rating scheme is covered in more detail below). Despite that, the fact that this patch fixes a vulnerability that allows a web page or HTML e-mail message to run arbitrary local programs should be sufficient to see it on most system administrator 'must do' lists in short order.

Microsoft Security Bulletin MS02-066

* Updated MS02-050 patches

Microsoft has released updated patches for the vulnerability originally reported in the MS02-050 security bulletin. These updates address two important issues. First, they include patches for a new variant of the vulnerability that, on Windows 98 and 98SE, and on NT 4.0 and 4.0 Terminal Server Edition, allows a remote system compromise. Second, the new patches fix the issue of the original patch effectively 'breaking' the signed driver feature in Windows 2000 and XP. This latter problem was caused by the fact that Microsoft-signed drivers are signed with a certificate that violates the Basic Constraints rules on certificates. The original patch, in correcting the checking of a certificate's Basic Constraints, caused Microsoft-signed drivers (including all the drivers on the Windows installation CDs and in subsequent service packs) to be seen as invalid.
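The Basic Constraints problem described above is easier to see with a chain validator in hand. The following is an added example, not code from the bulletin or from Microsoft: it models certificates as plain Python records (signature verification is abstracted to a `signed_by` field that stands for an already-verified signature) and implements the RFC 5280 rules that every issuing certificate must assert `cA=TRUE` and that a `pathLenConstraint` of n permits at most n intermediate CAs beneath it. The certificate names, the trust anchor and the three chains are constructed for illustration. The `DRIVER_CHAIN` has the shape the bulletin describes: a certificate without the CA flag that has nonetheless been used to sign other certificates. A validator that skips Basic Constraints (the pre-patch behaviour) accepts it; a correct validator rejects it, which is exactly why the first patch broke driver signing.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal X.509-like certificate model (constructed for this example).

    signed_by stands in for a verified signature: a real validator would
    check the signature bytes with the issuer's public key instead.
    """
    subject: str
    issuer: str
    ca: bool                   # basicConstraints cA flag
    path_len: Optional[int]    # basicConstraints pathLenConstraint (None = no limit)
    signed_by: str             # subject whose key produced the signature


def verify_chain(chain: List[Cert], trusted_roots: Set[str],
                 enforce_basic_constraints: bool = True) -> Tuple[bool, str]:
    """Validate chain[0] (the end entity) up to a trusted self-signed root.

    chain is ordered leaf first and must end with the root itself.
    Returns (ok, reason).
    """
    if not chain:
        return False, "empty chain"
    root = chain[-1]
    if (root.subject not in trusted_roots or root.issuer != root.subject
            or root.signed_by != root.subject):
        return False, "chain does not end in a trusted self-signed root"
    # Name chaining and (modelled) signature check, leaf towards root.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer name does not match {parent.subject}"
        if child.signed_by != parent.subject:
            return False, f"{child.subject}: signature was not made by {parent.subject}"
    if not enforce_basic_constraints:
        # Pre-patch behaviour: any certificate that chains to a root may sign.
        return True, "signatures chain to a trusted root (Basic Constraints not checked)"
    # RFC 5280: every certificate used as an issuer must assert cA=TRUE, and a
    # pathLenConstraint of n allows at most n intermediate CAs below it.
    issuers = chain[1:]
    for idx, cert in enumerate(issuers):
        if not cert.ca:
            return False, f"{cert.subject}: used as an issuer but basicConstraints cA is FALSE"
        if cert.path_len is not None and idx > cert.path_len:
            return False, (f"{cert.subject}: pathLenConstraint={cert.path_len} "
                           f"but {idx} intermediate CA(s) lie below it")
    return True, "valid chain"


# --- constructed sample data -------------------------------------------------
ROOTS = {"Example Root CA"}
ROOT = Cert("Example Root CA", "Example Root CA", True, None, "Example Root CA")

# A well-formed chain: root -> issuing CA (no sub-CAs allowed) -> leaf.
ISSUING_CA = Cert("Example Issuing CA", "Example Root CA", True, 0, "Example Root CA")
GOOD_LEAF = Cert("driver.sys publisher", "Example Issuing CA", False, None, "Example Issuing CA")
GOOD_CHAIN = [GOOD_LEAF, ISSUING_CA, ROOT]

# The MS02-050 shape: an end-entity style certificate (cA=FALSE) used to sign
# a driver certificate. Only a validator that ignores Basic Constraints accepts it.
NON_CA_SIGNER = Cert("Example Publisher (not a CA)", "Example Root CA", False, None, "Example Root CA")
DRIVER_LEAF = Cert("driver.sys", "Example Publisher (not a CA)", False, None, "Example Publisher (not a CA)")
DRIVER_CHAIN = [DRIVER_LEAF, NON_CA_SIGNER, ROOT]

# A sub-CA beneath an issuing CA whose pathLenConstraint is 0: too deep.
SUB_CA = Cert("Example Sub CA", "Example Issuing CA", True, None, "Example Issuing CA")
DEEP_LEAF = Cert("deep.sys", "Example Sub CA", False, None, "Example Sub CA")
DEEP_CHAIN = [DEEP_LEAF, SUB_CA, ISSUING_CA, ROOT]


if __name__ == "__main__":
    for label, chain, enforce in [("good chain, enforced", GOOD_CHAIN, True),
                                  ("driver chain, pre-patch", DRIVER_CHAIN, False),
                                  ("driver chain, enforced", DRIVER_CHAIN, True),
                                  ("deep chain, enforced", DEEP_CHAIN, True)]:
        print(f"{label}: {verify_chain(chain, ROOTS, enforce)}")
```

Running it shows the two halves of the story: the driver chain passes the lenient check and fails the strict one, while a well-formed chain passes both and an over-deep chain is caught by the path-length rule.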

Even if you have already installed the earlier patches for this problem, you are strongly recommended to install the updated fixes.

Microsoft Security Bulletin MS02-050

* Microsoft revamps security bulletins and vulnerability severity rating

Microsoft has made two important changes to its security information services. First, it is now producing end-user versions of each security bulletin, avoiding some of the more technical language (and thus details) of its standard security bulletins. The original, 'technical' bulletins will be continued, in the same form and targeted at the security professional. The new, less-technical bulletins will be linked from Microsoft's general 'Security & Privacy' page. This newsletter will continue to link to the detailed bulletins.

The second change is the first modification, since its introduction, to the severity ratings Microsoft's Security Response Center ascribes to the vulnerabilities it reports in either type of bulletin. The new scheme has four, rather than three, levels of severity. Effectively the original 'critical' severity level has been split into two levels - 'important' and 'critical' - with the latter only used for vulnerabilities 'whose exploitation could allow the propagation of an Internet worm without user action'. Thus, most remote code execution vulnerabilities should be rated 'critical' and probably little else.

Security & Privacy - microsoft.com

Bulletin Severity Rating System (Revised, November 2002) - microsoft.com

* Privacy invasion via Outlook 2002 and 11

Microsoft Office guru Woody Leonhard has discovered a privacy 'leak' in Outlook 2002 and 11 (the beta version of the next Office product release). Revolving around the integration between Outlook and Word, this problem is really a 'feature', albeit one that should probably not be enabled by default (and, given how deeply the setting that controls it is buried in the configuration menus, one that very few users would ever turn on were it shipped disabled). Leonhard describes the function of this 'feature', and why users may prefer to have it disabled, in the latest issue of his 'Office Watch' newsletter. Of course, he also describes how to disable the feature, should you find it invasive...

Woody's Office Watch Vol 7 No 53 - woodyswatch.com

* Possible root exploit in Samba fixed

Aside from thirteen non-security patches and updates, Samba 2.2.7 includes a security patch blocking a possible remote root vulnerability. The security flaw is present in versions 2.2.2 through 2.2.6 inclusive. Several vendors have already shipped new Samba packages and source code is available from the Samba distribution sites for those into building their own. Further, the release notes for 2.2.7 (linked below) include a source code diff that will apply to the 2.2.2 through 2.2.6 versions' source for those not wishing to upgrade versions yet.

Samba 2.2.7 release notes - samba.org

* NASA, Pentagon hacker used popular remote control software

Writing for Wired, technology journalist Brian McWilliams claims Gary McKinnon installed the popular RemotelyAnywhere software on Windows machines run by NASA, the Pentagon and other military and corporate targets. Once the English hacker obtained access to machines and installed RemotelyAnywhere he could easily manage most aspects of the machine's configuration, upload and download files, and even install other software if necessary.

But why RemotelyAnywhere? Unlike the perhaps better known BackOrifice, NetBus and many other remote access Trojans (commonly known as RATs in computer security circles), the commercially developed and distributed RemotelyAnywhere is not detected by antivirus products. As 'legitimate' software, detecting such commercial products would raise serious false alarm problems for a virus scanner. This probably explains why McKinnon's activity remained largely undetected for up to a year. First, his targets were, presumably, easily compromised through the usual methods used against Windows machines - weak passwords, the exposure of networking interfaces to the Internet that should not have been so exposed, unpatched IIS, SQL Server and other services (again, many of which should not have been accessible via the Internet). Then he could install remote control software he could be fairly certain would never be added to the detection databases of virus scanners. Finally, systems so poorly managed as to be vulnerable to the easily fixed and well-known flaws he probably used to gain entry are unlikely to take strong additional security and system integrity measures, so probably ran nothing more than a virus scanner and perhaps a firewall.

Further details of McKinnon's alleged use of RemotelyAnywhere and its possible contribution to his eventual arrest are described in the news article linked below.

Dot-Mil Hacker's Download Mistake - wired.com

* Is there such a thing as too much disclosure?

An old issue has been revived this last week - how much detailed security disclosure information is too much?

Two issues of the newsletter back we warned of yet another new IE vulnerability that is particularly insidious, allowing a web page to run programs on the local machine of the browser. Unlike some similar previous flaws in IE, this one allowed command line parameters to be passed to the program - this is generally much more useful to a malcontent designing nasty web pages. For example, previous similar vulnerabilities allowed the standard Windows Control Panel application to be popped open or the format program to be run without parameters. This new vulnerability allows the format program to be run while specifying the drive it should format and any other parameters the format program takes (on some Windows OSes, these include options to start automatically without displaying the usual warning about possible data loss and requiring the user to accept the action).

Privacy and security researcher Richard Smith has queried the widespread public dissemination of a 'proof of concept' web page exploiting the IE vulnerability mentioned above. The page in question performs precisely the task suggested at the end of the previous paragraph - automatically formatting a specified drive on the target machine. The Wired article linked below delves into the age-old debate surrounding the issue of how much detail about exploitable security flaws (if any) should be divulged, and when.

How Much Hack Info Is Too Much?
