IDGNet Virus & Security Watch Friday 30 August 2002


This issue's topics:

Introduction:

* Critical Windows update, FTM, Mozilla and KDE updates

Virus News:

* 'Summer' virus drought continues...

Security News:

* Critical update for all supported Microsoft Windows OSes

* Remember WinNuke? Now it is SMBnuke and SMBDie...

* Update patches FTM bug

* Mozilla 1.1 release includes several security fixes

* KDE update fixes SSL vulnerability

Introduction:

Still nothing worth reporting on the virus front, and generally a quiet week on the security front too. Microsoft released a critical update for all its supported OSes and a less critical one for the little-used, specialist FTM ActiveX control. Updates for Mozilla and KDE both fixed SSL security bugs, among others, and the urgency of rolling out MS02-045 updates (first reported last week) may have increased somewhat with the public distribution of at least two 'proof of concept tools' exploiting the vulnerability reported in that bulletin.

Virus News:

* 'Summer' virus drought continues...

As reported over the last few weeks, the non-appearance of new viruses gaining a minimally 'newsworthy' footing has continued this past week. Perhaps to prevent their 'new viruses we saved the world from' web pages from stagnating, it seems the major antivirus vendors have taken to posting descriptions of utterly insignificant discoveries that would otherwise go uncommented. Dull as it threatens to render this section of the newsletter, we can only hope the drought continues.

Security News:

* Critical update for all supported Microsoft Windows OSes

Microsoft has released patches for a critical flaw in the Windows Certificate Enrolment control. This ActiveX control, shipped with all versions of Windows, can be used to delete digital certificates in a user’s certificate store, resulting in a denial of service against the user. A similar flaw was also uncovered in the SmartCard Enrolment control shipped with Windows 2000 and XP.

Installation of the update requires Internet Explorer 5.0 or later to already be installed on the target machine. Despite its claims that successful exploitation of this vulnerability is 'an extremely complex process', Microsoft has rated the vulnerability as being of critical severity and recommends that administrators of machines running affected OSes install the patches 'immediately'.

Windows 95 is no longer on the supported platforms list but it seems a reasonable bet that it is also affected, at least if IE 4.0 or later has been installed. Also note that some web pages will have to be modified as this patch sets the 'kill-bit' on the earlier versions of the affected controls, requiring web pages calling the controls to be recoded to call the updated versions, now identified via a new CLSID. The details of these modifications are included in the Microsoft security bulletin linked below.

Microsoft Security Bulletin MS02-048

* Remember WinNuke? Now it is SMBnuke and SMBDie...

Last week we reported the release of the MS02-045 security bulletin and its related patches. Since then at least two attack tools have been released to exploit the vulnerability mentioned in that bulletin. As a common result of exploitation of this vulnerability is a blue-screen crash, it is now probably more critical to get the MS02-045 patches rolled out, or at least suitable border protection (such as firewall filters) implemented if internal (LAN) users can be trusted to behave themselves.

Microsoft Security Bulletin MS02-045

* Update patches FTM bug

Microsoft's File Transfer Manager (FTM) was updated in June to fix some security flaws. Recently these flaws were highlighted in a message posted to a public computer security mailing list. The FTM control is only used by a select group of Microsoft customers and, although it is a Microsoft-signed ActiveX control, exploitation of its remote code execution flaw is technically very challenging. Microsoft e-mailed known users of FTM early in August to warn them of the problem and explained that obtaining the update or disabling the software was advisable.

Microsoft File Transfer Manager (FTM) - microsoft.com

* Mozilla 1.1 release includes several security fixes

Users of the Mozilla web browser should upgrade to the v1.1 release to obtain the latest security fixes. Of course, this upgrade also provides several feature enhancements.

Mozilla 1.1 Release Notes - mozilla.org

* KDE update fixes SSL vulnerability

KDE v3.0.2 and all prior versions fail to properly check basic constraints on SSL certificates. This enables a man-in-the-middle attack against web browsers (such as Konqueror) and other applications using the KDE SSL library functions. The KDE Security Advisory, linked below, describes the problem in a little more detail and includes download links for the updates.

Konqueror SSL vulnerability - kde.org
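
The basic constraints check that the KDE item describes, as an added example (not KDE's code and not part of the original newsletter). The `Cert` records and all names in them are constructed stand-ins for parsed certificates, signature verification is assumed to happen elsewhere, and the example goes slightly beyond the text by also enforcing the path length constraint.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (hypothetical type)."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint


def check_basic_constraints(chain: List[Cert], trusted_roots: Set[str]) -> List[str]:
    """chain[0] is the server certificate, chain[-1] the root.

    Returns a list of problems; an empty list means the chain passes.
    Signatures are assumed to have been verified by the caller.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    if chain[-1].subject not in trusted_roots:
        problems.append(f"root {chain[-1].subject!r} is not trusted")
    for i in range(len(chain) - 1):
        child, issuer = chain[i], chain[i + 1]
        if child.issuer != issuer.subject:
            problems.append(f"{child.subject!r} was not issued by {issuer.subject!r}")
        # The check the vulnerable versions skipped: anything that signs
        # another certificate must itself be marked as a CA.
        if not issuer.is_ca:
            problems.append(f"{issuer.subject!r} issued a certificate but is not a CA")
        # i is the number of intermediate certificates below this issuer.
        if issuer.path_len is not None and i > issuer.path_len:
            problems.append(f"{issuer.subject!r} path length constraint exceeded")
    return problems


# Constructed sample chains.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
INTER = Cert("Example Intermediate CA", "Example Root CA", is_ca=True, path_len=0)
SITE = Cert("www.shop.example", "Example Intermediate CA")
OTHER = Cert("www.other.example", "Example Intermediate CA")  # ordinary site cert
BOGUS = Cert("www.shop.example", "www.other.example")         # signed by a non-CA cert

GOOD_CHAIN = [SITE, INTER, ROOT]
BAD_CHAIN = [BOGUS, OTHER, INTER, ROOT]
TRUSTED = {"Example Root CA"}
```

A validator that omits the `is_ca` test accepts `BAD_CHAIN`, because every certificate in it links to a trusted root.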
