IDGNet Virus & Security Watch Friday 18th October 2002

This issue's topics:

Introduction:

* Word/Excel & SQL Server, Symantec/Raptor firewalls, Oracle, gv, ypxfrd patches

Virus News:

* Antivirus developer to pay premium customers for 'late' updates

* More than 80% of Chinese computers have been infected

Security News:

* Data theft via Word and Excel fields fixed

* Patch prevents Windows XP Help & Support Center deleting files

* Privilege elevation in MS SQL Server 7.0 & 2000, MSDE 1.0 & 2000

* MS Messenger service 'spam'

* Symantec/Raptor firewall DoS patched

* Fix to prevent ShockWave Player allowing stealing of user files

* Oracle 8i & 9i DoS fixed

* Patch fixes ypxfrd arbitrary file read bug

* gv, ggv, kghostview PS/PDF flaws patched

Introduction:

A serious security cum privacy exposure in several widely used versions of Word has just been patched. This item raises some important points about Microsoft support policies, which have just been standardized and are probably of interest to users of all Microsoft software, not just Office users. Also, administrators of SQL Server and MSDE machines will be able to put their now well-worn patching procedures to the test again this weekend, with another security patch for these products being available.

On the broader OS front, various Unix, Linux and other cross-platform combinations are affected by a range of other patches and updates, and an article explaining some of the ins and outs of the Windows Messenger service being pressed into use as a spamming tool is also discussed.

On the virus front we have two news articles - one highlighting an interesting approach to antivirus service level agreements and the other reporting what seems a disturbingly high computer virus infection rate in China.

Virus News:

* Antivirus developer to pay premium customers for 'late' updates

In an intriguing twist in the antivirus service market, Trend Micro Inc. has announced that it will pay 'fines' of up to US$3000 for tardy delivery of detection of new viruses. The payments will be made to corporate customers with premium support contracts if Trend does not deliver an update within two hours of receiving a genuine new virus from the customer concerned. More details are available in the news article linked below.

Trend Micro to offer cash back for viruses - computerworld.com

* More than 80% of Chinese computers have been infected

China's National Computer Virus Emergency Response Center has reported the results of a survey of computer users that found more than 80% of computers in China had been infected with a virus in the last year. About half of the infected users reported data loss or other system malfunctions as a result of these attacks.

'Digital virus' attacks rampant - chinadaily.com.cn

Security News:

* Data theft via Word and Excel fields fixed

Several weeks ago there was quite a furore about the discovery that field codes, and particularly auto-updating field codes in some earlier versions of Word, could be used to silently 'steal' the contents of other files from a Word or Excel user's computer. Further, Microsoft initially said it would not fix the problem in Word 97 as that version was no longer on product support. As Word 97 was the worst affected version, with the most auto-update field problems, and many large corporate sites were still using it, the suggestion that Word 97 would not be patched to address this problem raised a great deal of ire among users of the very popular Office product suite.

Anyway, Microsoft has obviously re-evaluated its earlier decision not to address this issue in Word 97. It has just released patches addressing this problem for Word versions 97, 98(J), 98 (Mac), 2000, 2001 (Mac), 2002, X (Mac) and Excel 2002. Links to patches for all these versions can be found in the Microsoft security bulletin linked below. Word 97 and 98(J) users however have to jump through an extra hoop -- the update link for those products takes you to a KnowledgeBase article explaining the differences between the fix supplied for those and the later versions, and requires you to contact Microsoft Product Support Services (PSS). This is standard operating procedure for products that are approaching the end of their lifecycle and are in the 'extended support' phase, as Office 97 now is.

In fact, this raises an important point about product lifecycles and Microsoft support policies. Earlier this week Microsoft revised its support policies - the second link below takes you to the new support lifecycle explanation page. Basically, all Microsoft software products now enjoy five years of mainstream support (from the date of general availability) followed by two years of extended support, during which PSS will provide charged support for the product (special extended support policies may be purchased within 90 days of the beginning of the extended support period).

Security hotfixes will generally still be provided free of charge during a product's extended support period without a user having to sign up for an extended support contract. However, it seems that the old process for obtaining security patches and hotfixes for a product that has reached the extended support phase remains. Such patches (including those under discussion for Word 97 and 98(J)) can only be obtained by opening a call to PSS which then should decide to not charge you as it is a general release security patch. To quote the FAQ describing how the new product support lifecycle policy specifically affects Office products (the third link below), 'Microsoft will continue to offer current assisted support options on Office 97 through January 16, 2004. Office 97 downloads for security issues will continue to be obtainable through normal assisted support channels at no charge during this time'.

Microsoft Security Bulletin MS02-059

Product Support Lifecycle - microsoft.com

Office Family Products Support Lifecycle FAQ - microsoft.com

* Patch prevents Windows XP Help & Support Center deleting files

A flaw in the Help and Support Center function that allows uploading information to Microsoft support staff allows a malicious user to create a web page or HTML e-mail message that can delete arbitrary, known files from a victim's machine. This flaw was patched in Windows XP SP1, and Microsoft recommends that SP1 be installed to fix this, and other, issues addressed by the service pack. As the details of this flaw have been widely discussed in public security mailing lists, it would be prudent for system administrators who cannot readily install SP1 to obtain and install the standalone hotfix that removes this vulnerability from their systems.

Microsoft Security Bulletin MS02-060

* Privilege elevation in MS SQL Server 7.0 & 2000, MSDE 1.0 & 2000

Yes, it's YASSSP (Yet Another SQL Server Security Patch). Security researchers at Next Generation Security Software have uncovered yet another trivial security flaw in SQL Server 7.0 and 2000 and their associated MSDE versions 1.0 and 2000. This time it's a privilege elevation attack against the publicly accessible xp_runwebtask stored procedure. xp_runwebtask sets incorrect permissions when executed and runs with the privileges of the SQL Server user. The permissions 'PUBLIC' has over xp_runwebtask allow an attacker to, among other things, raise their privileges to 'SYSADMIN'.

Microsoft has released patches that it rightly rates as being of critical severity. These are cumulative patches, incorporating all prior SQL Server and MSDE security patches. It looks like another busy patching weekend is ahead for the SQL Server and MSDE administrators out there...

Microsoft SQL Server Webtasks privilege elevation - nextgenss.com

Microsoft Security Bulletin MS02-061

* MS Messenger service 'spam'

The last week or so has seen a great deal of interest in one of the latest 'spam' developments - the use of the Windows Messenger service to deliver messages directly to the recipient's (or is that victim's?) desktop.

Windows NT and its derivatives, by default, install and run the Messenger service. Messenger (not to be confused with MSN Messenger or any of the other popular end-user 'instant messaging' services) is an RPC (Remote Procedure Call) service. This means it does not bind to a fixed TCP or UDP port, but rather grabs the next available 'high port' (above 1023) when run. Services running on such dynamically assigned ports present a problem - how does another process wishing to talk to them find them if they can be on any port from 1024 to 65535?

Enter the RPC endpoint mapper service (just listed as 'Remote Procedure Call (RPC)' in the NT through XP Services control panel/MMC). This listens on port 135 (TCP and UDP) for RPC service requests and, if the requested service is running on the local machine, replies with the matching port for that service. For spamming via the Messenger service to be at all effective, it would seem that a lot of machines must not be protected by satisfactory port filtering (as a rule it is recommended that ports 135-139 and 445, TCP and UDP, should be blocked by default at the border firewall of sites running Windows machines).
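The recommendation above is easy to get wrong in practice: a border filter that blocks the TCP ports but forgets UDP, or has an earlier, broader 'allow' that takes precedence, still leaves the endpoint mapper and the NetBIOS/SMB ports reachable. The following is an added example, not part of this newsletter, of a small audit that checks a ruleset against that list. It assumes a constructed, simplified rule format ('<action> <proto> <port-or-range>', first match wins, with an implicit final 'allow'); real firewalls have their own syntax, so treat this as the shape of the check rather than a drop-in tool.

```python
"""Audit a border-firewall ruleset for the Windows RPC/NetBIOS/SMB ports.

Added example (not from the newsletter). Rule format is a constructed
simplification: one rule per line, "<action> <proto> <ports>", where action
is allow|deny, proto is tcp|udp|any and ports is N, N-M or any. Rules are
evaluated first-match; anything unmatched is allowed, which is exactly the
permissive border filter the article warns about.
"""

# Ports the article recommends blocking inbound at the border, TCP and UDP.
RECOMMENDED_BLOCKS = {(proto, port)
                      for proto in ("tcp", "udp")
                      for port in (135, 136, 137, 138, 139, 445)}

# Constructed sample ruleset: an early TCP/139 allow (a legacy file-share
# exception) shadows the later deny, and UDP/139 and UDP/445 are never denied.
SAMPLE_RULESET = """\
allow tcp 139        # legacy file-share exception added before the deny
deny  tcp 135-139
deny  tcp 445
deny  udp 135-138
allow any any
"""


def parse_rules(text):
    """Parse the constructed rule format into (action, proto, lo, hi) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<action> <proto> <ports>'")
        action, proto, ports = (p.lower() for p in parts)
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {lineno}: bad action or protocol")
        if ports == "any":
            lo, hi = 0, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"line {lineno}: bad port range")
        rules.append((action, proto, lo, hi))
    return rules


def is_blocked(rules, proto, port):
    """First-match evaluation; unmatched traffic falls through to allow."""
    for action, rproto, lo, hi in rules:
        if rproto in ("any", proto) and lo <= port <= hi:
            return action == "deny"
    return False


def exposed_ports(rules):
    """Return the recommended-block ports this ruleset still lets through."""
    return sorted(p for p in RECOMMENDED_BLOCKS if not is_blocked(rules, *p))


if __name__ == "__main__":
    gaps = exposed_ports(parse_rules(SAMPLE_RULESET))
    if gaps:
        print("Recommended-block ports still reachable inbound:")
        for proto, port in gaps:
            print(f"  {proto}/{port}")
    else:
        print("All recommended ports are blocked.")
```

Run against the constructed ruleset, the audit reports tcp/139 (shadowed by the earlier allow) and udp/139 and udp/445 (never denied); an ordering mistake and a forgotten protocol are the two failure modes worth checking for whenever a ruleset is edited.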

A page at Herve Schauer Consultants web site provides a good deal of detail of some of the finer points of Windows network services administration should any readers be interested in looking more closely at what they may not have realized they were exposing to the Internet. The page describes several steps to minimize outward exposure of TCP/IP networking services on Windows NT through XP machines and is probably worth a quick read even for very experienced system administrators. (And despite the web site being on a French domain, the page is in English!)

Minimization of network services on Windows systems - hsc.fr

* Symantec/Raptor firewall DoS patched

Symantec has released patches for a trivial DoS against multiple Symantec and Raptor firewall products. Administrators of any of the firewalls listed in the advisory below are recommended to obtain the appropriate updates and install them as soon as practicable as the vulnerability allows a low bandwidth 'attack' to pretty much shut down access via these firewalls.

Symantec Firewall Secure Webserver timeout DoS - symantec.com

* Fix to prevent ShockWave Player allowing stealing of user files

Macromedia has released updates for the Macintosh and Windows versions of its ShockWave Player to overcome a flaw that allows maliciously crafted web pages that include ShockWave content to 'steal' files from the local file system of the browser's machine and send them to the web server. The auto-update feature of ShockWave Player may mean your copy has already been updated, but it would pay to check, as the mechanism of this file theft has been publicly divulged and so may be in use.

Macromedia Shockwave URL Modification Issue - macromedia.com

* Oracle 8i & 9i DoS fixed

Security researchers at Rapid7 have discovered a trivial, remotely exploitable DoS of Oracle Net Services in Oracle 8i and 9i. Patches for several platforms are already available from Oracle. (This patch also includes the fix for another recently reported Oracle bug.)

Oracle 8i/9i Listener SERVICE_CURLOAD DoS - rapid7.com

Security vulnerability in Oracle Net Services - oracle.com (PDF)

* Patch fixes ypxfrd arbitrary file read bug

Local users of systems running ypxfrd can read any file visible to the security context of the ypxfrd daemon. The vulnerability is due to improper argument validation in the 'getdbm' procedure and is readily extended beyond '.pag' and '.dir' files by a local user creating a suitable symlink to any file readable by the daemon (which usually runs as root).

AIX, Caldera OpenLinux, SCO OpenServer and Solaris are known to be vulnerable and have produced patches, but users of other Unix and similar OSes with ypxfrd should check with their distributors.

CERT Vulnerability Note VU#538033 - cert.org

* gv, ggv, kghostview PS/PDF flaws patched

Arbitrary code may be run with the privileges of the user invoking gv if a specially malformed PostScript or PDF file is opened by the user. The vulnerability is due to a buffer overflow in the gv code (and closely related viewers derived from it such as ggv and kghostview). Updated packages have been made available by several Linux distributors who include one or more of the affected viewers with their distributions. Users of these viewers should check with their distributors for updates.

Buffer overflow in gv - idefense.com
