IDGNet Virus & Security Watch Friday 1st November 2002

This issue's topics:

Introduction:

* IIS, PPTP, Kerberos updates, liberal Win2000 permissions, Kournikova sentence confirmed

Virus News:

* More (un)friendly greetings

* 'Anna Kournikova virus' writer sentencing appeal fails

Security News:

* Cumulative patches for IIS 4.0, 5.0 & 5.1

* Fix for PPTP DoS in Windows 2000 & XP

* Bad default permissions on Windows 2000 (& possibly XP) system root

* Windows Update and Sun JRE 'conflict'

* Remote buffer overflow fixed in Kerberos administration daemon

* Reuters charged with 'hacking' Intentia International

Introduction:

*We're running late this week, so a very brief introduction...

Three Microsoft security bulletins this week, the most important of which is probably the new IIS cumulative patch. Unix and Linux users of Kerberos should check the CERT advisory in the article below and possibly also check with their distributor. Of special interest to security administrators may be the legal issues raised by Intentia's claim that what Reuters effectively describes as mildly inspired URL guessing on a public web server is in fact illegal 'hacking'.

On the virus front, the Friend Greetings self-advertising scam described last week has continued this week, with more servers at other domains run by the backers of the scam becoming involved. And, to my mind 'thankfully', the appeal to reduce the sentence of the Dutch writer of the 'Anna Kournikova' virus failed.

Virus News:

* More (un)friendly greetings

Further to the article reporting this last week, the number of sites involved has increased. It seems that several more domains owned or managed by the folk at Permissioned Media are now being used to serve the load of download requests for the dodgy 'browser plugin' whose EULA claims the right to mail self-advertising messages to all entries in your Outlook address book. Further, the outcry over this form of 'sleazeware' has been such that several antivirus vendors have been persuaded by customer demand to add detection of this 'plugin'. E-mail administrators who have configured content scanners to block messages mentioning the original domain involved in this scam may want to update the list of domains they block.

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* 'Anna Kournikova virus' writer sentencing appeal fails

Jan de Wit will still have to do the 150 hours of community service or 75 days in jail to which he was initially sentenced. The Dutch teenager, who admitted writing and releasing the VBS/VBSWG.J virus, had appealed the sentence handed down on his conviction for deliberately damaging computer systems through the release of the virus, better known in the media as 'the Anna Kournikova virus' because the virus' e-mail message promised a picture of the Russian tennis player. The court did not accept de Wit's claims that he had not realized the likely impact of the virus and that he had acted with no intention of causing harm, and so it found the sentence appropriate.

Kournikova virus author loses appeal - idg.net

Security News:

* Cumulative patches for IIS 4.0, 5.0 & 5.1

A new cumulative patch for all supported versions of IIS has just been released. As well as including all security patches for IIS 4.0 since NT 4.0 SP6a and all IIS 5.0 and 5.1 security patches since the products' releases, five new vulnerabilities are patched by this new cumulative patch pack. One of these patches only applies to IIS 5.0, another to 5.0 and 5.1 and the rest to all three supported versions. Further to this, the backlog monitoring feature of IIS 5.0 and 5.1 is modified to flush the socket backlog list more frequently. This should improve a server's resistance to certain kinds of denial of service attacks.

Overall Microsoft rates the severity of these vulnerabilities as moderate. At least for IIS 5.x administrators, the extra resiliency against DoS attacks may increase the desirability of installing this patch.

Microsoft Security Bulletin MS02-062

* Fix for PPTP DoS in Windows 2000 & XP

Microsoft has released a patch for a vulnerability in the Point-to-Point Tunnelling Protocol (PPTP) component of Remote Access Services (RAS). An unchecked buffer in the PPTP code means particular malformed packets can cause kernel memory to be overwritten. Such memory corruption seems most likely to crash the OS, and Microsoft security analysts believe that this overflow cannot be exploited to run arbitrary code. In most cases of exploitation, the system is liable to promptly crash or hang. Because of the nature of the overflow, exploitation can only be recovered from by restarting the system.

The vulnerability affects both workstation and server implementations of PPTP, but in general vulnerable server systems will be more easily exploited. The optional PPTP components in Windows 98, 98SE, ME and NT 4.0 do not have this vulnerability.

Microsoft Security Bulletin MS02-063

* Bad default permissions on Windows 2000 (& possibly XP) system root

Administrators of Windows 2000 machines, and of XP machines that are upgrades over a previous Windows 2000 installation, should check the latest Microsoft security bulletin, linked below. The default permissions on the system root directory (the root directory of the drive that Windows is installed on) under Windows 2000 are 'Everyone: F' (that is, 'Full access' for the 'Everyone' group).

Note that Microsoft's claim that dedicated workstations are less vulnerable is potentially very misleading. Of course, the interpretation depends on what is meant by 'dedicated workstations', but in most corporate settings that is taken to mean something like 'workstations that are not shared between users' (that is, settings where every employee has a dedicated desktop machine or laptop). In such settings, the machines really are 'shared' if support staff ever log into them interactively (at the keyboard) to perform any kind of administrative task. Also, the threat is not simply limited to users with local login rights, as Microsoft says. Any code run under the rights of an ordinary user will also have full rights in the system root directory and various parts of the tree under it (due to rights inheritance). Thus the strong implication from the Microsoft security bulletin that the vulnerability is only exploitable by an 'attacker' with the ability to log in locally is also quite misleading. Any remotely supplied code will run with the rights of the logged-in user and this, if it is an interactive user, will be able to write to the system root and various sub-directories due to rights inheritance.

There is no patch for this default configuration flaw. The security bulletin instead refers system administrators to Knowledge Base article Q327522 (the second link below) for directions on deciding and setting permissions appropriate to your system configuration.
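Because there is no patch, the practical first step is to find out which machines actually still carry the 'Everyone: F' root ACL before deciding what to set. The script below is an added example written for this newsletter entry; it is not code from Microsoft, the bulletin or KB Q327522. It parses the ACL listing printed by the Windows command-line tools (cacls on Windows 2000, icacls on later versions) and flags any allow entry that gives a broad group such as Everyone write-capable rights on the system root. The two sample listings are constructed to match the shape of that output, not captured from a real system; the set of 'broad' trustees and 'write-capable' rights is an assumption you should adjust to your environment, and the parser assumes the root path contains no spaces (true for a drive root such as C:\).

```python
import os
import re
import subprocess

# Inheritance flags printed by cacls/icacls; anything else in parentheses is a right.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Rights that let a principal create or change files: cacls F/C/W, icacls F/M/W (assumption).
WRITE_RIGHTS = {"F", "M", "W", "C"}
# Principals that cover every user of the machine (assumption; extend for your domain groups).
BROAD_TRUSTEES = {"everyone", "builtin\\users", "users",
                  "nt authority\\authenticated users", "authenticated users"}

# Constructed sample output, NOT captured from a real machine.
# Shape of `cacls C:\` on a default Windows 2000 root, showing the bulletin's 'Everyone: F'.
SAMPLE_CACLS = r"""C:\ Everyone:(OI)(CI)F
     BUILTIN\Administrators:(OI)(CI)F
     NT AUTHORITY\SYSTEM:(OI)(CI)F
"""
# Shape of `icacls C:\` on a tightened root, where Everyone can only read and execute.
SAMPLE_ICACLS = r"""C:\ BUILTIN\Administrators:(OI)(CI)(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
     BUILTIN\Users:(OI)(CI)(RX)
     Everyone:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def split_ace(ace):
    """Split '(OI)(CI)F' or '(OI)(CI)(F)' into inheritance flags, rights and a deny marker."""
    inherit, rights, deny = set(), set(), False
    for part in re.findall(r"\(([^)]*)\)", ace):
        if part == "DENY":
            deny = True
        elif part in INHERIT_FLAGS:
            inherit.add(part)
        else:
            rights.update(p.strip() for p in part.split(","))  # icacls '(R,W)' style
    trailing = ace[ace.rfind(")") + 1:] if ")" in ace else ace
    if trailing:
        rights.add(trailing)  # cacls puts the right letter after the flags
    return inherit, rights, deny


def parse_acl_output(text):
    """Parse cacls/icacls output into a list of ACE dicts (trustee, inherit, rights, deny)."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        idx = line.rfind(":(")
        if not line or idx < 0:
            continue  # blank lines, summary lines, cacls 'special access' detail lines
        trustee, ace = line[:idx], line[idx + 1:]
        # The first (non-indented) line starts with the path; drop it. Assumes no spaces in path.
        if not raw[:1].isspace() and " " in trustee:
            head, rest = trustee.split(" ", 1)
            if ":" in head or "\\" in head:
                trustee = rest
        inherit, rights, deny = split_ace(ace)
        aces.append({"trustee": trustee, "inherit": inherit, "rights": rights, "deny": deny})
    return aces


def find_open_root(text):
    """Return allow ACEs that give a broad group write-capable rights."""
    return [ace for ace in parse_acl_output(text)
            if not ace["deny"]
            and ace["trustee"].lower() in BROAD_TRUSTEES
            and ace["rights"] & WRITE_RIGHTS]


def audit_system_root():
    """Run icacls against the live system drive (Windows only) and report risky ACEs."""
    root = os.environ.get("SystemDrive", "C:") + "\\"
    out = subprocess.run(["icacls", root], capture_output=True, text=True, check=True).stdout
    return find_open_root(out)


if __name__ == "__main__":
    for ace in find_open_root(SAMPLE_CACLS):
        print("RISK: %s has %s on the system root"
              % (ace["trustee"], ",".join(sorted(ace["rights"]))))
```

Run it on the constructed samples to see the Windows 2000 default flagged and the tightened listing pass; on a Windows host, `audit_system_root()` performs the same check against the real system drive. It only reports; which permissions to set is the question KB Q327522 addresses.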

Microsoft Security Bulletin MS02-064

Microsoft Knowledge Base article Q327522

* Windows Update and Sun JRE 'conflict'

Administrators of smaller systems who depend on Windows Update to keep their updates and security patches current may be puzzling over the repeated warning that MS02-013 is not installed (despite their belief that it was) and that Windows Update does not offer MS02-052 (which supplants MS02-013). It turns out that if you have installed Sun's JRE, it may have modified a registry key that the Windows Update version checker uses in determining whether you need MS02-013. Worse, Windows Update won't offer MS02-052 until MS02-013 is installed. The Knowledge Base article below may be useful (if read carefully) should you find yourself in this situation.

Microsoft Knowledge Base article Q331663

* Remote buffer overflow fixed in Kerberos administration daemon

Multiple implementations of Kerberos based on the MIT and KTH codebases are vulnerable to a remotely exploitable buffer overflow in the administration daemon (often known as kadmind). Kerberos is included in many Unix and Linux distributions, and administrators of such systems are advised to check with their distributors regarding their vulnerability to this flaw and the availability of patches. Much of this information, plus some more technical detail, is available in the CERT Coordination Center advisory linked below.

CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

* Reuters charged with 'hacking' Intentia International

Swedish IT group Intentia International was quite peeved that its poor third-quarter results were apparently leaked to Reuters before the company publicly announced them. Its share price fell 29 percent on the day Reuters released a 'news flash' reporting the substantially weaker than expected results and a profit warning for the year. The official Intentia announcement was presumably to include a good deal of spin-doctoring, which may now be being applied instead to the question of how Reuters obtained the results.

Intentia's internal security investigation has found that at 12:51pm on 24 October, six minutes before the first Reuters news flash was published, 'there was an unauthorized entry via an IP-address belonging to Reuters'. Intentia maintains that at that time the results were only available from a private, password-protected site. Reuters counters that it obtained the results directly from Intentia's public web site. Reading between the lines a little, it seems that an element of URL guessing may have been involved.

Intentia has filed charges against Reuters, claiming the news agency breached various laws regarding the use of private data.

Reuters News Agency Broke into Intentia's IT Systems - intentia.com

Intentia Confirms the Filing of Criminal Charges - intentia.com

Reuters rejects Swedish company's allegations - reuters.com
