IDGNet Virus & Security Watch Friday 13th September 2002

This issue's topics:

Introduction:

* SP1 for WinXP & IE6, MS02-050, QuickTime & PHP updates, 9/11 viruses

Virus News:

* 9/11 viruses

* Near-universal e-mail virus scanner bypass

Security News:

* Windows XP service pack one released

* Service pack one for IE 6.0 released

* MS02-050 updated - Windows 2000 patches; serious caveat added

* More IE scripting woes...

* Update fixes buffer overflow in QuickTime ActiveX control

* PHP update fixes several security holes

Introduction:

Service packs for IE and Windows XP, both the first for their respective products, were released this week, and both contain security patches that are not otherwise available. (Both have also raised concern over the further 'rights' included in their EULAs allowing Microsoft to access users' system and software configuration information.) Security bulletin MS02-050 has been updated, providing Windows 2000 administrators with critical certificate validation patches and promising yet further revisions of the patches it documents to work around a problem caused by a standards non-conformant certificate Microsoft has used to sign many device drivers.

Aside from this major Microsoft patch news, the security of IE, a QuickTime ActiveX control for IE and the PHP scripting language was seriously questioned and/or bolstered during the past week.

On the virus front, almost predictably, viruses trying to take advantage of the heightened awareness of 9/11 events were sighted. Slightly less predictably they turned out to be non-events. Also, we report on a serious new revelation about the little-known 'message/partial' MIME component type that may render your e-mail virus scanner impotent...

Virus News:

* 9/11 viruses

For better or worse, such high-visibility occasions as the 9/11 commemorations not only draw the attention of the world's media, but also that of the lesser life forms that comprise the virus and Trojan writers. Thus it was not surprising that at least two (intended) viruses drawing on 9/11 themes to boost their social engineering appeal appeared in the middle of the week.

Neither made much of an impact, with one barely working at all. Known variously as VBS/Amalad and VBS/Nedal, the second of these viruses is a trivial VBS script whose intended mass-mailing code does not work - hardly a credible threat. The other virus, Win32/Chet, works slightly better, though on many 'typical' machines it will crash before ever sending copies of itself or altering the registry so that it runs at each startup.

Were the quality of code in these two viruses anything to go by, we would have another possible explanation for the marked fall-off in viruses that make an impact, as discussed in this column in the last few weeks!

Computer Associates Virus Information Center - Win32.Chet

F-Secure Security Information Center - Chet

Kaspersky Lab Virus Encyclopedia - I-Worm.Chet

Network Associates Virus Information Library - W32/Chet@MM

Network Associates Virus Information Library - VBS/Amalad.a

Sophos Virus Info - W32/Chet-A

Sophos Virus Info - VBS/Nedal-A

Symantec Security Response - W32.Chet@mm

Trend Micro Virus Information Center - WORM_CHET.A

Trend Micro Virus Information Center - IRC_NEDAL.A

* Near-universal e-mail virus scanner bypass

Although no viruses are currently known to exploit the following trick, all users of e-mail virus scanners (and other 'content management' products) are advised to check with their vendors and, if necessary, to reconfigure their systems as a workaround. This applies to users of desktop antivirus products that scan incoming e-mail messages, and particularly to products that act as e-mail gateways or proxies.

Aviram Jenik from Beyond Security recently reported that few e-mail virus scanners properly handle e-mails with attachments split across multiple messages. At one level this is hardly surprising, as there are all manner of manual mechanisms for achieving this, but these pose little threat because no e-mail client automatically detects the multiple pieces and 'stitches them back together'. There is, however, an RFC suggesting one such scheme as a possible standard for splitting large attachments across multiple messages.

Section 5.2.2.1 of RFC2046 suggests a standard for 'message fragmentation and re-assembly' and, although not supported by many e-mail client programs, this mechanism is supported by perhaps the most widely used of those, Outlook Express. Although Beyond Security's advisory suggests Outlook is not affected, that does not seem entirely likely for, as with Outlook Express, most of Outlook's message handling is actually accomplished by Internet Explorer components, which seem the likely location of the code implementing this message fragmentation and re-assembly functionality. (Further support for the notion that at least some later Outlook versions support message fragmentation and re-assembly is provided in Menashe Eliezer's commentary about Finjan's product, an archived copy of which is also linked below.)

The Beyond Security advisory lists several products known to 'ignore' messages with attachments of the standard MIME media type 'message/partial'. Additionally, a few products are known to block or quarantine such messages. Until the vendors of your e-mail virus scanner or other content filtering product update their products to either properly handle or block such messages, it would be advisable to manually add a filter to block messages with 'message/partial' MIME components or to remove such components (depending on the capabilities of your filtering product).
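To make the mechanism concrete, the following is an added example (not code from the newsletter, from Beyond Security or from any scanner vendor) that builds a message with a base64 attachment, splits it into RFC2046 section 5.2.2.1 'message/partial' fragments, shows that a scanner which decodes one message at a time misses the detection string in every fragment, and then shows the gateway-side fix: hold the fragments, reassemble them in 'number' order, scan the whole, and block the set outright if it cannot be completed. The detection string, addresses, Message-IDs and fragment id are all constructed for the demonstration; it needs only the Python standard library.

```python
"""message/partial (RFC 2046 section 5.2.2.1) versus a per-message virus scanner.

Added example; not code from the newsletter, from Beyond Security or from any
scanner vendor.  The signature string, addresses, Message-IDs and fragment id
are all constructed for this demonstration.
"""
from typing import Optional

from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for a scanner's detection string; not a real signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def build_message(attachment: bytes) -> bytes:
    """An ordinary message with one base64-encoded attachment (constructed)."""
    msg = EmailMessage(policy=policy.SMTP)  # CRLF line endings, as on the wire
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Photos"
    msg["Message-ID"] = "<original@example.test>"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="photos.exe")
    return msg.as_bytes()


def fragment(raw: bytes, size: int, frag_id: str = "split-1@example.test") -> list:
    """Cut a complete message (headers included) into byte ranges and wrap each
    range as the body of a message/partial message carrying id/number/total,
    which is the scheme RFC 2046 5.2.2.1 describes."""
    pieces = [raw[i:i + size] for i in range(0, len(raw), size)]
    fragments = []
    for number, piece in enumerate(pieces, 1):
        head = (
            "From: sender@example.test\r\n"
            "To: victim@example.test\r\n"
            "Subject: Photos\r\n"
            f"Message-ID: <frag{number}@example.test>\r\n"
            "MIME-Version: 1.0\r\n"
            f'Content-Type: message/partial; id="{frag_id}"; '
            f"number={number}; total={len(pieces)}\r\n"
            "\r\n"
        )
        fragments.append(head.encode("ascii") + piece)
    return fragments


def naive_scan(raw: bytes) -> bool:
    """A scanner that looks at one message at a time: parse it, decode every
    leaf part, search for the signature.  No single fragment holds the whole
    attachment, and every fragment after the first holds no MIME headers at
    all, so the encoded file is never reconstructed and the signature is missed."""
    msg = BytesParser().parsebytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if SIGNATURE in data:
            return True
    return False


def reassemble(fragments) -> Optional[bytes]:
    """Gateway-side handling for one fragment set: read only the headers of
    each message/partial piece, order the bodies by 'number' and concatenate
    them to recover the original message.  Returns None while a piece (or the
    'total' count, which RFC 2046 requires on the last piece) is still missing."""
    bodies = {}
    total = None
    for raw in fragments:
        head = BytesParser().parsebytes(raw, headersonly=True)
        if head.get_content_type() != "message/partial":
            continue
        number = int(head.get_param("number"))
        if head.get_param("total") is not None:
            total = int(head.get_param("total"))
        bodies[number] = head.get_payload(decode=True)  # raw body bytes, untouched
    if total is None or any(n not in bodies for n in range(1, total + 1)):
        return None
    return b"".join(bodies[n] for n in range(1, total + 1))


def gateway_blocks(fragments) -> bool:
    """Verdict for a fragment set: reassemble and scan the whole message.  An
    incomplete set is blocked rather than passed through unscanned, which is
    the interim 'block message/partial' filter recommended above."""
    whole = reassemble(fragments)
    if whole is None:
        return True
    return naive_scan(whole)


if __name__ == "__main__":
    original = build_message(b"A" * 900 + SIGNATURE + b"B" * 900)
    pieces = fragment(original, 1000)
    print("whole message detected:", naive_scan(original))
    print("any fragment detected: ", any(naive_scan(p) for p in pieces))
    print("gateway blocks the set:", gateway_blocks(pieces))
```

The attachment is padded so that the signature's base64 encoding straddles the fragment boundaries; a scanner that is handed each fragment separately sees either a truncated attachment or a headerless slab of base64 text, and neither decodes to the signature. Note that the gateway has to buffer every piece of a set before it can decide, which is why the simpler 'block or quarantine anything of type message/partial' configuration is the practical interim measure.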

Bypassing SMTP Content Protection with a Flick of a Button - securityteam.com

Archived Bugtraq list message - securityfocus.com

Security News:

* Windows XP service pack one released

Expectations of its release this Monday, as reported in last week's newsletter, were fulfilled and Windows XP SP1 is now available. Aside from many feature enhancements and the typical bug fixes, WXPSP1 includes all security hotfixes released by its code freeze date _plus_ some additional security updates Microsoft deemed insufficiently serious to warrant a hotfix.

One example of such a security fix is the patch for the 'XP Help deleter' vulnerability. This flaw allows a web page or HTML e-mail message to delete arbitrary files from the local system and Microsoft was first informed of it in June this year, with details of the problem and a sample exploit being publicly released in June. Also, for XP Pro users taking advantage of Software Restriction Policies, SRP has been fixed so that 16-bit applications now fall under SRP's purview.

Windows XP Service Pack 1 - microsoft.com

* Service pack one for IE 6.0 released

Service pack one for IE 6.0 was released a few days ago. Although not heralded in a security bulletin, IE6SP1 includes at least two security patches that are not available in any other security rollup release or hotfix for IE 6.0, as can be seen from the 'Unpatched IE security holes' page also linked below. The unpatched vulnerability count at that page was further reduced by one with the release of service pack one for Windows XP, which includes a fix for the so-called 'XP Help deleter' vulnerability (a scriptable ActiveX control that can be directed to delete arbitrary files via a web page or HTML e-mail).

Aside from these security fixes, perhaps the best reason to get this service pack is for die-hard Outlook Express users [is there any other kind?], who can now also enable a 'view messages as plain text only' option. This feature was added to Outlook 2002 in SP1 of Office XP and is thus long overdue in OE 6.0. It would be nice to think MS might add a similar option for the huge number of OE users running earlier versions, but it seems unlikely at this juncture.

Unpatched IE security holes - pivx.com

Internet Explorer 6 Service Pack 1 - microsoft.com

* MS02-050 updated - Windows 2000 patches; serious caveat added

Further to last week's coverage of the certificate validation flaw in multiple Microsoft OSes and applications for the Macintosh, Microsoft has updated the relevant security bulletin. The good news is that Windows 2000 patches for this problem are now available, but Mac application users still have to wait.

Also, Microsoft has disclosed that a certificate it has used to sign many hardware device drivers, although validly issued, does not meet the full technical certificate requirements. As those requirements are now properly tested on patched systems, this certificate fails validation. The affected certificate has been used to validate drivers that have passed Windows Logo Testing, so the symptom users will notice is that adding or updating system hardware devices may result in a warning that the necessary driver has not passed Windows Logo Testing, even though in reality it has. Rather than obtaining a new certificate, re-signing all existing drivers and re-releasing them, Microsoft plans to produce yet another version of the certificate validation patch that will specifically work around just this issue regarding the flawed Windows Logo Testing certificate. There is no indication of a likely timeframe regarding the release of this whole new set of patches.

Microsoft Security Bulletin MS02-050

* More IE scripting woes...

Researchers at GreyMagic Software have found a 'universal' cross-frame scripting attack. This attack works across all versions and patch levels of Internet Explorer from the original release of v5.5 through to the latest, 6.0SP1. GreyMagic recommends disabling scripting to prevent exploitation of the vulnerabilities that go into their proof of concept, but this will render the browser pretty useless due to the typical design of modern web sites. Until Microsoft fixes this latest snafu you are faced with that old conundrum - security versus a vaguely usable product; something Microsoft users have wrestled with for years...

GreyMagic Security Advisory GM#010-IE

* Update fixes buffer overflow in QuickTime ActiveX control

Security researchers at @stake have discovered an exploitable buffer overflow in the QuickTime v5.0.2 ActiveX control. Internet Explorer users who have the QuickTime control installed should obtain the v6.0 player from Apple, and web sites hosting Apple's 'qtplugin.cab' should also upgrade that to v6.0, which is not vulnerable to this overflow.

However, note that simply installing the updated ActiveX control may not be enough to entirely protect you from exploitation of this vulnerability. Copies of the older control, which remain signed by Apple and thus apparently 'trustworthy', can be hosted on any site and may be downloaded and installed by users who decide to trust Apple. The @stake advisory talks about working around this problem by possibly setting the kill-bit for the QuickTime control in the system registry, but this is not practical for most users, who probably wish to continue using QuickTime. (The problems associated with 'killing' such a control are legion and underlie the reasons that Microsoft did not set the kill-bit on the faulty Office Web Components a few weeks back, and why Microsoft was exhorting users hosting certificate authorities dependent on its Certificate Enrollment [sic] Control to alter their web pages so as to force users to download the replacement control the following week.)

Apple QuickTime ActiveX v5.0.2 Buffer Overrun - atstake.com

Apple QuickTime home page

* PHP update fixes several security holes

All users of PHP, and particularly those hosting it on Windows boxes, should get the latest PHP update, v4.2.3. It includes many small fixes and enhancements, but most notably several serious vulnerabilities have been fixed.

PHP 4 ChangeLog

Official PHP 4 download site
