IDGNet Virus & Security Watch Friday 25th October 2002

This issue's topics:

Introduction:

* Mass mailing user agreements, IE 6 & Linux Kernel patch reminders

Virus News:

* It's my EULA and I'll spy if I want to...

Security News:

* More reasons to get SP1 installed on IE 6.0 machines

* Port 135 openings on Windows machines

* DDoS attack on core DNS servers

* Security patches for Linux kernel

* Media Player for Solaris file permissions flaw

Introduction:

No major virus stories nor a flood of major patches this week, so it'll be a brief introduction too. A piece of 'sleazeware' plumbed new depths this week, requiring that users of its associated 'free' services allow software from the service owners to run on the users' machines and mass mail all e-mail addresses in their address books.

On the security front there have been quite a number of security fixes for the Linux kernels recently, and seven more good reasons to patch IE 6.0 to SP1 were uncovered by GreyMagic Security Research. We have another article this week on port 135 issues with Windows NT and related OSes, news and analysis of the attacks against most of the DNS root servers, and an alert for Solaris administrators who may have installed Microsoft Media Player v6.3 on that platform.

Virus News:

* It's my EULA and I'll spy if I want to...

Well, not quite. However, the realms of 'sleazeware' - software that does not meet the technical requirements of 'virus', 'worm' or 'Trojan' but that few self-respecting computer users would actually want on their machines - may have plumbed new depths recently. Panama-based Permissioned Media (also known as Permedia) have adopted a new form of 'viral marketing'. When you first visit a particular page on this company's free greeting card web site, Friend Greeting, you are informed that to view the greeting cards you must install a 'viewer'. If you accept this, included among the terms you must agree to is the following clause, reproduced in its entirety here so you can appreciate its full effect.

'1. Consent to E-Mail Your Contacts. As part of the installation process, Permissioned Media will access your MicroSoft Outlook(r) Contacts list and send an e-mail to persons on your Contacts list inviting them to download FriendGreetings or related products. By downloading, installing, accessing or using the FriendGreetings, you authorize Permissioned Media to access your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail message to persons on your Contact list. IF YOU DO NOT WANT US TO ACCESS YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.'

It should not be surprising that a web site brazen enough to insist that viewing the site required you to effectively surrender your e-mail address list to the site actually then installs software that does just as the license says it may. The e-mail message it sends out of course attempts to lure the recipient to the web page that starts the cycle all over again.

Perhaps, given that this clause appears right at the top of one of the two End User License Agreement (EULA) screens that have to be accepted for the viewer's installation to continue, you may imagine that many people would notice and few, if any, would actually accept the EULA. As the number of complaints about this 'viewer' increases though, it seems the terms of these EULAs are not read that carefully after all. Of course, the fact that the validity of these 'licenses' is fairly uncertain does not help the hapless web user, accustomed to clicking such things to get to the next stage of the installation process. By the time they realize they may have accepted a condition they don't like, Permedia's mass advertising e-mail will likely be on its way to most of the e-mail addresses in their address list.

If your users cannot or should not be trusted with making decisions about installing browser plugins but you do not have sufficient administrative control to prevent them doing so, it may be a good idea to refresh their memories about the local policies affecting such things. (Note that the Trend Micro description linked below refers to this as a 'worm', which is not strictly correct.)

Network Associates Virus Information Library

Trend Micro Virus Information Center

Security News:

* More reasons to get SP1 installed on IE 6.0 machines

GreyMagic Security Research staff have revealed that seven very dangerous IE 6.0 bugs have been fixed in service pack 1 of that product. Most of these new vulnerabilities allow full remote access to a vulnerable machine such as running arbitrary programs, reading local files and so on. The vulnerabilities can be exploited via 'malicious' web pages and/or HTML e-mails if the HTML is rendered properly (i.e. if you have not sensibly disabled HTML reading capabilities in Outlook 2002 SP1 and OE 6.0 SP1). GreyMagic says that two more, very similar vulnerabilities discovered at the same time are not fixed by SP1 - these have been reported to Microsoft and hopefully hotfixes will soon be released for these.

Vulnerable cached objects in IE (9 advisories in 1) - greymagic.com

* Port 135 openings on Windows machines

Further to last week's story about Windows Messenger Service 'spam', which is enabled through the default binding of the RPC service endpoint mapper to port 135 on all TCP/IP interfaces, an easily exploited DoS against the same port has been publicized. According to the discoverer of this flaw in the RPC endpoint mapper, the DoS effectively disables the port 135 service and 'disabling the RPC service causes the machine to stop responding to new RPC requests, disabling almost all functionality.' This was specifically tested against Windows 2000 SP3, but the exploit can be easily tuned and may well work against the RPC service in other Windows versions and service pack levels.

The possibility of such almost untraceable attacks should provide further impetus to firewall blocking of port 135. We have again included the link from last week's article to the Herve Schauer Consultants page describing detailed binding and service management for NT-class Windows OSes.

RPC Service DoS (port 135/tcp) on Windows 2000 SP3 - immunitysec.com

Minimization of network services on Windows systems - hsc.fr

* DDoS attack on core DNS servers

Nine of the Internet's top-level DNS servers were impacted by a relatively short-lived DDoS attack early this week. The attack lasted for about an hour mid-to-late morning Tuesday this week. However, the attack was not long enough and possibly not severe enough to seriously impact the whole DNS system, with few users noticing any direct impact on their normal Internet use.

Q&A: Internet Pioneer Stephen Crocker on DDOS attack - computerworld.com

Net backbone withstands major attack - computerworld.com

* Security patches for Linux kernel

Several security patches for the 2.2 and 2.4 series of Linux kernels have now made their way into packaged updates from the major distributors. Linux system administrators who do not do their own kernel patching should check with their distributors for these updates. Those who do build their own kernels, and haven't checked for kernel updates recently, should check whether their current kernels are in need of updating.

* Media Player for Solaris file permissions flaw

The executables installed by the Media Player v6.3 for SPARC/Solaris are reportedly left world-writable after the installation process completes. This was reported by Simon Tardieu to the bugtraq mailing list late last week. The fix for this should be obvious...

Archived Bugtraq message thread - securityfocus.com
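The 'obvious' fix is to find the world-writable files the installer left behind and strip the other-write bit before a local user can replace a binary that someone more privileged later runs. The audit below is an added example, not part of the newsletter or of the Media Player package; the install directory it is pointed at is whatever path the administrator chose, so a placeholder is assumed.

```shell
#!/bin/sh
# Constructed example: audit an install tree for world-writable regular
# files and remove the other-write bit from each of them.
# Usage: fix_world_writable /path/to/install/dir   (path is a placeholder)

# Print every regular file under $1 that is writable by "other" (mode bit 002).
find_world_writable() {
    find "$1" -type f -perm -002 -print
}

# Clear the other-write bit on every such file and print the files changed.
# Only regular files are touched; directories and symlink targets are left alone.
fix_world_writable() {
    find "$1" -type f -perm -002 -exec chmod o-w {} \; -print
}

# Return success only if no world-writable regular file remains under $1,
# so the check can be re-run after installation as a simple pass/fail test.
check_clean() {
    [ -z "$(find_world_writable "$1")" ]
}
```

Run `find_world_writable` first to see what the installer left behind, then `fix_world_writable` and `check_clean` to confirm the tree is clean.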
