IDGNet Virus & Security Watch Friday 6th September 2002


This issue's topics:

Introduction:

* Critical Windows OS and MS Mac updates, FoxPro & PGP patch

Virus News:

* If there are no new viruses, why are there regular scanner updates?

Security News:

* FoxPro 6.0 patch eliminates autorun vulnerability in Internet Explorer

* Updates fix grievous validation flaws in MS OSes & Mac Office, IE, OE

* Windows XP Service Pack 1 expected Monday

* Patch fixes buffer overflow in PGP

* White paper on threat-profiling SQL Server

* ISC^2 target of anti-Semitic slur campaign

* 'Net abuse' top for UK workers' disciplinary hearings

Introduction:

The introduction is very short this week because I took time out to watch the basketball...

If nothing else, you must get and apply the patches for the certificate validation flaw in Windows and various Microsoft applications for the Mac as exploits of this vulnerability are doing the rounds.

Virus News:

* If there are no new viruses, why are there regular scanner updates?

Following last week's comment in this section of the newsletter that the apparent 'virus drought' was continuing, a reader e-mailed and asked why, if that was so, his antivirus vendor was still pumping out at least three 'signature file' updates a week.

Granted, it is apparently anomalous for us to claim 'there have been no new viruses' for several weeks while the AV developers have kept shipping updates through that period. Having been through the exercise of explaining to that reader why the two observations actually make a great deal of sense, your newsletter compiler thought it might be worth explaining to the broader readership. As is often the case when we work in a highly specialized area, we tend to assume that what is 'common knowledge' to us because of our daily exposure to it is at least vaguely understood by others.

So, if we have not reported any new viruses for several weeks, why are the AV developers still shipping updates for all they are worth?

The resolution of this apparent contradiction lies in two facts that are obvious to the newsletter compiler. The first is that few new viruses are actually 'newsworthy'. Unlike some media outlets that report anything an AV developer may deign to issue a press release on, your newsletter compiler works deep inside the AV industry, doing antivirus research, malware analysis and related consulting to antivirus developers. This gives him a real insider's view of the industry and what is happening. If it's a slow week (or month!) it will be reported as such, but you can (generally) bet your bottom dollar the AV companies will not issue press releases those weeks saying 'not much happened this week'. After all, they want to look dynamic and 'on top of things' in this fast-changing industry sector.

And that leads to the second point - what is a 'slow week' in the AV industry?

Estimates for that vary, but on average over the last few years the AV industry has 'discovered', and added detection to its products for, around 500-800 new viruses and Trojans per month. (That may seem like a wide range, but different developers count differently because of differences of opinion as to 'how different' two samples must be to count as separate variants; that is a religious debate we will not get into here.) Taking the lower bound, that's 125 per working week or 25 per work-day.

Availability of such figures tends to lag the actual work, so it is difficult to say for sure yet, but the feeling is that over the last several weeks (perhaps even going back a couple of months) the rate of appearance of new viruses and Trojans has fallen lower than is normal even for this time of year (as reported a couple of weeks back, the Northern Hemisphere summer generally sees the rate of new malware tailing off somewhat). Still, in the last week, your newsletter compiler has found four or five new variants of various Trojans and viruses.

'Obviously' then, in the past when this section of the newsletter has carried stories of new malware, it hasn't tried to cover all new viruses and Trojans that become known to the industry. The focus is on 'important' new malware the readership should know about. This may be a mass mailer or other fast spreading virus that may pose a threat to readers, or it may be something using a new 'trick' or attack methodology even if the specific instance does not seem particularly 'successful'.

However, regardless of the assessment your newsletter compiler makes as to the significance or newsworthiness of an item of malware, the AV developers will still add detection of many, many more things to their products each day. True, few if any of those are expected to ever be much, if any, threat to the users of AV products, but their detection is essential 'just in case' one of them gets a lucky break - if it is not detected when it otherwise could have been, it may be the next virus to 'take off'. Predicting such events is all but impossible, so the developers add detection of everything new they obtain and analyse, and as they have efficient means by which to ship updated detection files to their customers on a regular basis, they keep shipping those files. (And, as the reader who asked about this suggested in reply to my response, 'perhaps those customers expect to see regular updates to feel they are getting their value for money'.)

Security News:

* FoxPro 6.0 patch eliminates autorun vulnerability in Internet Explorer

FoxPro 6.0 does not properly register its associated file types with Internet Explorer. Coupled, however, with a flaw in the way FoxPro evaluates application filenames passed to it, this means a specially formed FoxPro application name could be linked in a web page or HTML e-mail and, when the link was followed by IE, the .app file would be opened and run in FoxPro without warning or giving the user any chance to prevent it.

Microsoft has released a patch for FoxPro 6.0 to address this issue, and all users of FoxPro 6.0 or of other applications that bundle the FoxPro 6.0 runtime should obtain and install the update, or apply the workaround described in the Microsoft security bulletin (linked below). It may not be immediately obvious you have FoxPro 6.0 installed - for example, it is shipped and installed by default with Visual Studio 6.0, yet many users of that product probably do not consider themselves 'FoxPro users'. FoxPro 7.0 is not affected, nor are users with 'side by side' installations of FoxPro 6.0 and 7.0 (i.e. machines with concurrent installations of both products). Microsoft rates the severity of this vulnerability as 'moderate' for affected desktop users, but that seems a little light given it is yet another remote arbitrary code execution mechanism. Your newsletter compiler suggests you treat this as closer to 'critical'.

Microsoft Security Bulletin MS02-049

* Updates fix grievous validation flaws in MS OSes & Mac Office, IE, OE

Microsoft has released the first batch of patches for a critical flaw in its core certificate validation technology. The affected components are at the heart of Microsoft's much-touted code-signing technology (Authenticode), establishing secure web (SSL) and other network connections (including some forms of user validation) and the message signing features of Outlook and Outlook Express. On Windows platforms the flawed component is part of the core CryptoAPI (sometimes abbreviated further to CAPI).

This vulnerability revolves around the failure to properly check the Basic Constraints field of a certificate - specifically failing to act appropriately depending on whether a certificate is a Certificate Authority or an end-entity certificate. As Microsoft says, this vulnerability 'could enable an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation'.

Aside from Windows OSes, the Macintosh versions of Microsoft Office, Internet Explorer and Outlook Express also include components derived from similarly flawed code. Patches for all affected Windows OSes except the Windows 2000 family are available now, linked from the security bulletin. Patches for Windows 2000 OSes and the affected Mac products are 'to be released shortly', so users of those products should regularly check the security bulletin for updates.

Microsoft's severity ratings for this flaw are 'critical' across all applications of the affected OSes and 'moderate' for the Macintosh products.

Microsoft Security Bulletin MS02-050
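The Basic Constraints check described above, as an added example that is not part of the original newsletter and not Microsoft's code: using only Go's standard library, it builds a constructed chain in which an end-entity certificate (cA=false) issues a further certificate, then contrasts a signature-only validator, which accepts the bogus certificate just as the flawed validation code did, with RFC 5280 path validation, which rejects it. Subject names, serial numbers and the Ed25519 keys are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // setup helper for the constructed chain

// issue makes a cert for cn with Basic Constraints present and cA=ca, signed by signer for parent (nil = self-signed).
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, key, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, key.Public(), signer))))
}

// BuildChain: a constructed root CA, an end-entity cert (cA=false) it issued, and a bogus
// subordinate that the end-entity signed with its own key, the scenario MS02-050 describes.
func BuildChain() (root, ee, bogus *x509.Certificate) {
	newKey := func() ed25519.PrivateKey { _, k, err := ed25519.GenerateKey(rand.Reader); return must(k, err) }
	rk, ek, bk := newKey(), newKey(), newKey()
	root = issue("Constructed Test Root", 1, true, nil, rk, rk)
	ee = issue("Constructed End Entity", 2, false, root, ek, rk)
	bogus = issue("Constructed Bogus Subordinate", 3, false, ee, bk, ek)
	return
}

// SignatureOnlyTrusts models the flawed check: every signature chains to the root, Basic Constraints are never consulted.
func SignatureOnlyTrusts(root, ee, bogus *x509.Certificate) bool {
	sig := func(c, p *x509.Certificate) error { return p.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) }
	return sig(bogus, ee) == nil && sig(ee, root) == nil
}

// ConstraintAwareTrusts runs RFC 5280 path validation (x509.Verify), which refuses any issuer in the
// path that does not assert cA=true; inter is offered as an intermediate and a nil error means trusted.
func ConstraintAwareTrusts(root, inter, leaf *x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	pool.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
	return err
}
```

Run against the constructed chain, SignatureOnlyTrusts returns true while ConstraintAwareTrusts returns a "not authorized to sign" error for the bogus certificate, and the legitimate end-entity certificate still validates against the root.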

* Windows XP Service Pack 1 expected Monday

That will almost certainly be 'Northern Hemisphere Monday', and the time (and time zone) is not clear, but several sources are reporting that Microsoft is ready to release WXPSP1 this coming Monday. Aside from conveniently amalgamating security patches, SP1 will add some functionality, perhaps the most important from a security standpoint being the 'program access' components already seen in Windows 2000 SP3. This feature is part of the agreement struck between Microsoft and the DoJ to allow 'middleware' components such as the web browser and media player to optionally default to third-party products.

* Patch fixes buffer overflow in PGP

There is very little information about the vulnerability, but a long filename buffer overflow exists in PGP Corporate Desktop 7.1, PGP Personal Security and PGP Freeware 7.0.3. Although NAI recently sold the product to start-up PGP Corp., NAI has released a hotfix for the affected versions of the product to fix this vulnerability.

PGP Hotfix page - nai.com

* White paper on threat-profiling SQL Server

The SQL Server security experts at Next Generation Security Software (NGSS) have published a white paper on threat profiling SQL Server. The paper summarizes the types of approaches NGSS staff have taken in finding several recently patched vulnerabilities in SQL Server, and starts with the researcher assuming the role of an attacker looking to break into a system and steal valuable data from it. The white paper is available in PDF format from the NGSS web site.

Threat Profiling Microsoft SQL Server - nextgenss.com (PDF)

* ISC^2 target of anti-Semitic slur campaign

IT security training and professional certification organization ISC^2 has been targeted by a spammer spreading malicious and hateful e-mail. Analysis of the headers of these messages shows this is clearly an attempt to implicate ISC^2 in the campaign and to slur its reputation. ISC^2 has issued a statement about this activity. Anyone who has received such messages and is concerned about ISC^2's possible involvement should read the statement, linked below.

Abuse: Forgery of ISC^2 E-mail Addresses - isc2.org

* 'Net abuse' top for UK workers' disciplinary hearings

UK IT watchdog The Register reported this week that in a June survey of 212 firms, 'net abuse' topped the reasons given for holding staff disciplinary hearings. In fact, it was such an issue that more cases were heard in those 212 firms because of net abuse than for dishonesty, violence and health and safety issues combined. You can read more details at the link below.

Net abuse top reason for the sack - theregister.com
