IDGNet Virus & Security Watch Friday 4th October 2002

This issue's topics:

Introduction:

Virus News:

* New virus a bit of a Bugbear

* Opaserv crawling into town?

Security News:

* Update fixes Compressed Folders bugs in Windows 98, ME & XP

* Patch for two serious HTML Help bugs

* Another cumulative patch for SQL Server 7.0 & 2000 and MSDE 1.0 & 2000

* XDR buffer overflow in Service For Unix 3.0 for Windows fixed

* Trivial DoS and possible remote code execution against MS PPTP

* SANS releases new 'Top 20' list


Introduction:

After the veritable 'virus drought' of the last couple of months (that is not a complaint!), this week we have not one but two major virus outbreaks to report. Bugbear is more of your traditional mass mailing virus, possibly aided by slightly better implemented message forging than Klez - the most 'successful' of recent viruses. Opaserv is a little quieter and less obtrusive, and only slithers around via poorly secured Microsoft networking connections.

On the security front, there are a raft of patches from Microsoft, including Compressed Folders, the HTML Help engine as shipped with recent versions of IE and a development library shipped with the obscure Service For Unix. Also, given the number and frequency of patches for the products, SQL Server and MSDE administrators should have honed their patching skills considerably this year, so the arrival of yet another cumulative patch for these products should not cause too much grief among the nation's SQL and MSDE administrators.

Aside from the patches, we have news of a serious flaw in Microsoft PPTP services for Windows 2000 and XP and a pointer to a great 'getting started' guide. The latter should help overwhelmed or under-resourced administrators get the most bang for their buck if trying to secure hopelessly neglected systems, by pointing you to the most abused system components and providing tools for testing their compliance with recommended patch levels and/or configuration options.

Virus News:

* New virus a bit of a Bugbear

A new mass-mailing virus has broken out over the last few days, surpassing even Klez.H on the real-time prevalence charts. Known as Bugbear, the virus mass mails itself with randomly chosen 'Subject:' lines and randomly named attachments. As with Klez and SirCam before it, Bugbear can also include text lifted from documents and other e-mail messages on the sending victim's computer in the body of the message. This can make the virus' messages appear more legitimate to their recipients.

As well as spreading by e-mail, Bugbear will spread around a Microsoft Networking LAN via open shares, writing copies of itself to open shares in the hope the recipient will execute the program. It also looks for typical paths to system 'Startup' folders, copying itself to these if possible, which ensures it is run the next time that system is restarted.
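Because Startup folders are small and rarely change, a hash baseline compared on each run is a cheap way to catch the kind of drop described above. The following is an added example, not code from the newsletter or any anti-virus vendor: the folder it scans is a constructed temporary directory, the dropped file name is made up, and on a real system you would point `snapshot()` at the machine's actual Startup folders (the per-user and All Users `Start Menu\Programs\Startup` paths, assumed here) and persist the baseline between runs.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes a dropped copy would need in order to run at logon. Shortcuts (.lnk)
# are left out because legitimate Startup entries are usually shortcuts.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(startup_dir) -> dict:
    """Map each regular file in a Startup folder to its SHA-256 digest.
    A missing folder yields an empty snapshot rather than an error."""
    d = Path(startup_dir)
    if not d.is_dir():
        return {}
    return {p.name: sha256_file(p) for p in sorted(d.iterdir()) if p.is_file()}


def find_changes(baseline: dict, current: dict) -> dict:
    """Compare two snapshots. 'suspicious' lists new or altered files with an
    executable suffix, which is what a Bugbear-style drop looks like."""
    new = sorted(n for n in current if n not in baseline)
    modified = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    removed = sorted(n for n in baseline if n not in current)
    suspicious = [n for n in new + modified if Path(n).suffix.lower() in EXECUTABLE_SUFFIXES]
    return {"new": new, "modified": modified, "removed": removed, "suspicious": suspicious}


def demo() -> dict:
    """Run the check on a constructed temporary Startup folder: a benign
    desktop.ini is baselined, then a randomly named .exe appears."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp)
        (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")
        baseline = snapshot(startup)
        # Constructed stand-in for a dropped worm copy (just an MZ header, not malware).
        (startup / "xyzw.exe").write_bytes(b"MZ" + b"\x00" * 30)
        return find_changes(baseline, snapshot(startup))


if __name__ == "__main__":
    print(demo())
```

Anything in `suspicious` deserves a look before the next reboot; a change to a previously baselined executable is as interesting as a new one, since a worm may overwrite a legitimate program's copy.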

Bugbear's outbreak started at the very end of September, so the monthly Threat List statistics for October at MessageLabs provide a near complete overview of its early growth. As this article was written, those statistics showed MessageLabs intercepting 50% more messages carrying Bugbear than carrying Klez.H and Yaha.E (by far the two most common viruses for the last several months) combined.

One of the reasons that Bugbear spreads so well is the number of primarily personal and small business users running outdated and/or unpatched copies of Internet Explorer (IE). Like most recent vaguely successful mass mailers, Bugbear tries to take advantage of the 'Incorrect MIME Header' vulnerability in early versions of IE.
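The 'Incorrect MIME Header' flaw (Microsoft bulletin MS01-020) was triggered by an executable attachment whose MIME part declared a harmless content type, such as audio/x-wav, so the mismatch between the attachment's extension and its declared type is something a mail gateway can check for regardless of whether the recipient's IE is patched. The following is an added example, not from the newsletter or any vendor: both messages are constructed, and the check is limited to the extension/type mismatch.

```python
import email
import os
from email import policy

# Attachment extensions that should only ever arrive under an application/* type.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

# Constructed message: an .exe declared as a WAV file, the MS01-020 pattern.
SAMPLE_BAD = b"""From: someone@example.com
To: you@example.com
Subject: Hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

TVqQAA==
--b1--
"""

# Constructed message: the same attachment honestly declared.
SAMPLE_OK = SAMPLE_BAD.replace(b"audio/x-wav", b"application/octet-stream")


def scan_message(raw: bytes) -> list:
    """Return (filename, declared content type) for every attachment whose
    name says 'executable' but whose Content-Type header claims otherwise."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTENSIONS and not ctype.startswith("application/"):
            findings.append((name, ctype))
    return findings


if __name__ == "__main__":
    print("bad:", scan_message(SAMPLE_BAD))
    print("ok: ", scan_message(SAMPLE_OK))
```

Walking every leaf part rather than only parts marked as attachments matters here: the MIME trick relied on the client treating the part as inline media, so a filter keyed on `Content-Disposition: attachment` alone would miss it.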

MessageLabs Threat List for October 2002

Computer Associates Virus Information Center - Bugbear

F-Secure Security Information Center - Bugbear

Kaspersky Lab Virus Encyclopedia - Bugbear

Network Associates Virus Information Library - Bugbear

Sophos Virus Info - Bugbear

Symantec Security Response - Bugbear

Trend Micro Virus Information Center - Bugbear

* Opaserv crawling into town?

Opaserv is a 'network crawler' worm that spreads via open (non-password protected) shares on Microsoft networks. It is a fairly simple beast, but has enjoyed a degree of success in the latter half of this week. Of course, good system administration prevents open shares ever being presented to hostile networks, such as the Internet. However, the popularity of cable and DSL connections and the overly simplistic 'enable everything on every interface' default configuration approach of most Microsoft OS network installations means there are millions of high-speed connections all round the world just begging for something like Opaserv.

Because its method of distribution is network-share based, Opaserv will be under-represented in prevalence statistics that are based on, or biased by, e-mail gateway detection measures.

Computer Associates Virus Information Center - Opaserv

F-Secure Security Information Center - Opaserv

Kaspersky Lab Virus Encyclopedia - Opaserv

Network Associates Virus Information Library - Opaserv

Sophos Virus Info - Opaserv

Symantec Security Response - Opaserv

Trend Micro Virus Information Center - Opaserv

Security News:

* Update fixes Compressed Folders bugs in Windows 98, ME & XP

Microsoft has released patches for two vulnerabilities in the 'Compressed Folders' component of Windows 98 Plus! Pack and Windows ME, and in the 'Compressed (Zipped) Folders' component of Windows XP. The more serious of these vulnerabilities could allow arbitrary code to be run but there are several factors mitigating against this becoming a serious threat. The other vulnerability allows files to be written to arbitrary locations on the local drive, for example, allowing a file to be decompressed from a compressed folder to the Startup folder.

Microsoft rates each vulnerability as being of moderate severity, as each requires an element of user choice. Further, the vulnerable feature is only installed by default in Windows XP. Note that these vulnerabilities do not affect the NTFS Compression features of NT, Windows 2000 and XP OSes.
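The second Compressed Folders bug is the classic archive path-traversal problem: an archive entry named with `..` components or an absolute path is written wherever its name points rather than under the folder the user chose. The check that prevents it is simple and worth having in any code that unpacks archives. The following is an added example, not Microsoft's code or the patched component: it builds a constructed zip in memory containing one benign entry and two escaping entries, then extracts only the members whose resolved destination stays under the target directory.

```python
import io
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def safe_target(dest: Path, member_name: str):
    """Return the on-disk path for a member, or None if the name would land
    outside dest (absolute path, drive letter, or '..' traversal).
    dest must already be resolved."""
    name = member_name.replace("\\", "/")  # Windows-built archives may use backslashes
    if name.startswith("/") or DRIVE_LETTER.match(name):
        return None
    target = (dest / name).resolve()  # normalises any '..' components
    if target != dest and dest not in target.parents:
        return None
    return target


def safe_extract(data: bytes, dest: Path):
    """Extract the archive bytes under dest, returning (extracted, rejected) member names."""
    dest = dest.resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed archive: one harmless file plus two entries that try to
    escape the extraction folder (the Startup-folder case from the bulletin
    and an absolute drive path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("readme.txt"), b"harmless")
        zf.writestr(zipfile.ZipInfo("../../Startup/payload.exe"), b"MZ")
        zf.writestr(zipfile.ZipInfo("C:/Windows/evil.exe"), b"MZ")
    return buf.getvalue()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        extracted, rejected = safe_extract(build_sample_zip(), Path(tmp))
        return sorted(extracted), sorted(rejected)


if __name__ == "__main__":
    print(demo())
```

Checking the resolved path rather than just looking for the string `..` is what makes this robust: it also catches names such as `a/../../b` that look innocent at a glance.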

Patch locations are linked from the security bulletin below.

Microsoft Security Bulletin MS02-054

* Patch for two serious HTML Help bugs

Users of Windows 98 and later should obtain and install the latest HTML Help patches from Microsoft as soon as possible. One of the patched vulnerabilities allows execution of arbitrary code via a buffer overflow and the other fixes a very long-standing flaw in the compiled HTML help (.CHM) handler's determination of security zones. The first is correctly rated by Microsoft as being of critical severity. The second should be similarly rated as it has been shown many times to be easily exploited in tandem with other flaws in IE (some of which remain unpatched despite being disclosed to Microsoft months ago).

As the HTML Help component is also implemented as an ActiveX control and 'old', buggy versions of that control are widely available, it is possible that vulnerable versions of the control could be re-introduced to patched systems. This is not the first major ActiveX control signed by Microsoft that has 'suffered' a critical security flaw and update recently. The infeasibility of setting the kill bit on these controls because much other Microsoft and third-party software is hard-coded to use them (via their CLSIDs) has prompted Microsoft to develop an alternative and more flexible mechanism for 'killing' old, 'bad' controls. Microsoft says in the security bulletin describing these patches that this new technology is now under development.

Fetch and patch soon.

Windows 95 users of IE 5.x versions are out in the cold. As Windows 95 is no longer supported, Microsoft has not tested these patches on that OS (and the Windows 98 patch installer will not run under Windows 95).

Microsoft Security Bulletin MS02-055

* Another cumulative patch for SQL Server 7.0 & 2000 and MSDE 1.0 & 2000

Microsoft has released another cumulative patch for SQL Server 7.0 & 2000 and the versions of MSDE based on them, MSDE 1.0 & 2000. As well as including all previous patches for the products concerned, this new cumulative patch includes fixes for three further vulnerabilities, all rated as being of critical severity. The patch also, to quote the security bulletin, 'changes the operation of SQL Server, to prevent non-administrative users from running ad hoc queries against non-SQL OLEDB data sources'. This configuration is part of the standard recommended hardening steps for SQL Server and makes it considerably more difficult for certain kinds of future exploits to take advantage of your servers.

Also as usual for SQL Server and MSDE cumulative patches, fixes for the associated OLAP and MDAC components are not included. Neither is the remediation tool that fixes the issue of sensitive passwords being left in installation log files and setup scripts. Details of what you need to check here are included in the security bulletin.

Microsoft Security Bulletin MS02-056

* XDR buffer overflow in Service For Unix 3.0 for Windows fixed

Administrators and software developers who have deployed programs based on the Sun Microsystems RPC library on the Services for Unix 3.0 Interix SDK should check the Microsoft security bulletin linked below. Three vulnerabilities in that library have been fixed and updates made available. Determining what systems are affected is a non-trivial task and the advice in the security bulletin needs to be taken in full to determine the likelihood of exposure to the vulnerabilities.

Microsoft Security Bulletin MS02-057

* Trivial DoS and possible remote code execution against MS PPTP

As regular readers will know, it is generally newsletter policy to not discuss vulnerabilities for which patches are not yet available. The exceptions are obviously those cases where patches are very unlikely or the flaw is so bad that knowledge ahead of a patch may be helpful. In that latter class, the availability of a useful workaround increases the likelihood of an early mention here. This is just such a case.

The Microsoft PPTP (Point to Point Tunnelling Protocol) client and server on both Windows 2000 and XP have been found vulnerable to a trivial remote denial of service (DoS) and probable remote code execution attack. Sufficient details of how to perform the attack, which reputedly results from a buffer overflow overwriting kernel memory, have been published. There is no patch from Microsoft yet, but a workaround that should be useful for some PPTP administrators is available. The buffer overflow occurs pre-authentication, which means any machine that can see the target over the network can perform an attack without having to perform any kind of user authentication.

A workaround that administrators of some affected systems will be able to apply is to block access to PPTP services from all but trusted hosts.
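PPTP uses TCP port 1723 for its control connection and GRE (IP protocol 47) for the tunnel itself, so 'trusted hosts only' has to cover both, and the same two patterns are what to look for in perimeter logs while waiting for a patch. The following is an added example, not from the newsletter, Microsoft or the Bugtraq posting: it reads constructed firewall log lines (the `#Fields:` layout, the addresses and the trusted networks are all made up) and reports PPTP traffic from any source outside the trusted list.

```python
import ipaddress

# Constructed trust list: a LAN range and one remote partner host.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]

# Constructed log in a simple space-separated layout with a #Fields: header.
LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2002-10-03 09:12:01 OPEN TCP 192.0.2.15 203.0.113.10 3345 1723
2002-10-03 09:12:02 OPEN GRE 192.0.2.15 203.0.113.10 - -
2002-10-03 09:13:44 OPEN TCP 203.0.113.99 203.0.113.10 4110 1723
2002-10-03 09:13:45 OPEN GRE 203.0.113.99 203.0.113.10 - -
2002-10-03 09:14:00 OPEN TCP 203.0.113.99 203.0.113.10 4111 80
2002-10-03 09:15:10 OPEN TCP 198.51.100.7 203.0.113.10 5000 1723
"""


def is_pptp(protocol: str, dst_port: str) -> bool:
    """Both halves of PPTP: the TCP 1723 control channel and GRE tunnel traffic."""
    return protocol == "GRE" or (protocol == "TCP" and dst_port == "1723")


def is_trusted(src: str, trusted=TRUSTED) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted)


def untrusted_pptp_events(log_text: str, trusted=TRUSTED) -> list:
    """Return (timestamp, src, protocol, dst_port) for PPTP traffic from
    sources outside the trusted list. Comment and short lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        date, time, _action, proto, src, _dst, _sport, dport = fields[:8]
        if is_pptp(proto, dport) and not is_trusted(src, trusted):
            findings.append((f"{date} {time}", src, proto, dport))
    return findings


def sources_by_count(findings: list) -> dict:
    """Aggregate findings per source so a repeat offender stands out."""
    counts = {}
    for _ts, src, _proto, _port in findings:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = untrusted_pptp_events(LOG)
    for hit in hits:
        print(*hit)
    print(sources_by_count(hits))
```

Note that the port 80 connection from the same untrusted host is correctly ignored; the point of the workaround is to restrict PPTP, not all traffic. A filter that allows TCP 1723 from trusted hosts but forgets GRE will leave clients unable to connect, and one that allows GRE but not 1723 blocks nothing useful, so both rules belong together.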

Microsoft PPTP Server and Client remote vulnerability

Archived Bugtraq list message

* SANS releases new 'Top 20' list

The Sysadmin, Audit, Network, Security Institute (SANS), in association with the FBI's NIPC and the US General Services Administration, has just released the latest update of its 'Twenty Most Critical Internet Security Vulnerabilities' list. The list is compiled by consensus among top security researchers and now includes a 'top 10' Windows and a 'top 10' Unix-ish vulnerabilities list. As well as releasing the list, tools to test systems for the listed vulnerabilities are available for download from the SANS site.

If you have just been 'thrown in the deep end' having to take over previously poorly maintained networked Windows and/or Unix and Unix-like systems, there are few better places to start than this list. If you are looking for more detailed background on the list and the possible applicability of it in your work, you may find the link 'GISRA Scanning Requirements and NASA Case Study' (it's a PDF) in the sidebar of the Top 20 page especially valuable.

SANS/FBI Top 20 List
