IDGNet Virus & Security Watch Friday 16 August 2002


This issue's topics:

Introduction:

Virus News:
* No more viruses?

Security News:
* Critical flaw patched in Windows 2000
* Cumulative Patches for SQL Server 7.0/2000, MSDE 1.0/2000
* SSL bug in IE can allow spoofing of 'secure' web connections
* XSS problem in Help Center deletes Windows XP files from web page
* Novell announces security bug policy
* Two security updates for Macromedia Flash Player
* Patch fixes format string exploit in Oracle 8i, 9i Listener Control
* Update fixes chunked data encoding flaw in Sun ONE iPlanet web server

Introduction:

Last week's tip that IE 6.0 SP1 seemed imminent was precipitous. A week has passed and we have seen no further evidence of the release of this service pack. The week also saw inordinately little activity on the (new) virus front, but Klez and Yaha just kept going and going. In fact, things have been so quiet that your newsletter compiler is not the only person wondering what is happening, as can be seen in the only news article we link to in the virus section this week.

On the security front things were more 'business as usual', with three important security fixes for Microsoft products - a critical privilege elevation patch for Windows 2000 and cumulative patches for SQL Server/MSDE. Further, Novell has 'updated' its product security handling processes so that security-specific patch information is no longer available only by sifting through all the rest of its patch and update information, and Microsoft responded to the exposure of a serious-sounding SSL flaw in IE. Windows XP admins will also want to look into the Help Center issue described below: although there is no patch yet, several workarounds are available and one should suit. On the cross-platform side, Macromedia Flash Player, Oracle and iPlanet web server bugs have been fixed.

Virus News:

* No more viruses?

Surely not, but again, it has been a very quiet week on the virus front. So quiet, that all we will link to this week is a news article pondering the apparent large decline in the growth of new computer viruses - that is, there are still new viruses being written, but apparently not at anything like the rate seen in the last few years.

Computer virus threats on the decline - electricnews.net

Security News:

* Critical flaw patched in Windows 2000

Administrators of Windows 2000 machines that allow interactive user logins should obtain and apply the latest patch from Microsoft as soon as practicable. A Microsoft code security review uncovered a flaw in the Network Connection Manager mechanism in Windows 2000 that can allow less-privileged users (perhaps even 'guest', although this is not confirmed in the security bulletin) to elevate their privileges to those of the local system 'user' (which is effectively administrator).

Microsoft has released no details of this weakness and it is not known to be actively exploited. However, announcements such as this often prompt people to dig into various possibilities that may be vaguely hinted at in the security bulletin, so applying the patch now, rather than once it is known to be actively exploited, is highly advisable.

Microsoft Security Bulletin MS02-042

* Cumulative Patches for SQL Server 7.0/2000, MSDE 1.0/2000

Following the plethora of recent SQL Server and MSDE patches, Microsoft has released new cumulative patches for SQL Server 7.0 and the associated MSDE 1.0, and for SQL Server 2000/MSDE 2000. As well as including all previous SQL Server/MSDE patches, this release bundles a patch for a new privilege elevation flaw. Rated as being of moderate severity by Microsoft, this new flaw depends on some of the standard, Microsoft-supplied extended stored procedures having weak permissions that incorrectly allow unprivileged users to execute them.

System administrators faced with patching their SQL Server and MSDE installations should carefully read the security bulletin and 'readme' files supplied with the appropriate patches before attempting to install the upgrades. Also note that not all SQL Server/MSDE-related security issues are directly dealt with just by installing this latest patch.

Microsoft Security Bulletin MS02-043

* SSL bug in IE can allow spoofing of 'secure' web connections

A flaw in the way Internet Explorer performs certificate checks can allow 'man-in-the-middle' spoofing of supposedly secure web connections. The problem was described by Mike Benham in a message posted to the Bugtraq mailing list. Aside from sparking an interesting discussion, Benham's message also drew a response from the Microsoft Security Response Center. In short, IE 5.x and, to some extent, IE 6.0 do not perform sufficient checks on the 'Basic Constraints' of a certificate and thus, in certificates where signing authorities have been delegated, a form of forgery, and thus spoofing, is possible. As Benham says in his advisory, 'anyone with a valid CA-signed certificate for ANY domain can generate a valid [to IE] CA-signed certificate for ANY OTHER domain'.

There are, of course, some limitations on the extent to which this is likely to be widely exploitable. The initial requirement of such spoofing is that an attacker must have a valid CA-signed certificate for any domain and, at least in theory, this means that person should be readily traceable (although a past problem with Verisign releasing code-signing certificates in Microsoft's name to non-Microsoft staff raises some questions about the extent of trust we should hold in this, at least for that CA). Microsoft's response plays long and hard on pointing out such difficulties, but does acknowledge there is a problem. Links to the archived Bugtraq thread and to Microsoft's response are provided below.
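The check at issue is the X.509 basicConstraints extension: a chain validator must refuse to accept any certificate as an issuer unless that certificate asserts cA=TRUE (RFC 5280, section 6.1, describes the full path-validation procedure). The toy model below is an added example, not code from the newsletter, Microsoft or the Bugtraq thread, and it replaces X.509 and RSA with a dataclass and an HMAC stand-in for signatures so that it runs offline. It validates the same two-element chain twice, once the way the vulnerable client did (signatures only) and once with the Basic Constraints check, to show that only the second rejects an end-entity certificate that has been used as an issuer. Names such as Trusted Root CA, holder.example and bank.example are constructed.

```python
"""Toy model of certificate chain validation with and without the X.509
Basic Constraints check. Added example; not code from the newsletter,
Microsoft or Bugtraq. Certificates, keys and signatures are simplified
stand-ins for X.509 and RSA, constructed here for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Constructed key store: the toy "signs" with an HMAC under the issuer's key
# and verifies with that same key, standing in for public-key signatures.
KEYS: Dict[str, bytes] = {}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool        # the basicConstraints cA flag
    signature: bytes


def _to_be_signed(subject: str, issuer: str, is_ca: bool) -> bytes:
    return f"{subject}|{issuer}|{int(is_ca)}".encode()


def issue(subject: str, issuer: str, is_ca: bool) -> Cert:
    """Issuer signs a certificate for subject; the subject gets its own key
    so that it could, in turn, sign something (whether or not it is a CA)."""
    KEYS.setdefault(subject, hashlib.sha256(subject.encode()).digest())  # constructed key
    sig = hmac.new(KEYS[issuer], _to_be_signed(subject, issuer, is_ca), hashlib.sha256).digest()
    return Cert(subject, issuer, is_ca, sig)


def signature_valid(cert: Cert) -> bool:
    key = KEYS.get(cert.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _to_be_signed(cert.subject, cert.issuer, cert.is_ca),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_chain(chain: List[Cert], trusted_root: str, hostname: str,
                   check_basic_constraints: bool) -> bool:
    """chain[0] is the end-entity certificate; each chain[i] must be issued by
    chain[i+1], and the last element by the trusted root. Every signature is
    checked; only when check_basic_constraints is set is every certificate
    that signed another one also required to carry cA=TRUE."""
    if not chain or chain[0].subject != hostname:
        return False
    for i, cert in enumerate(chain):
        if not signature_valid(cert):
            return False
        expected_issuer = chain[i + 1].subject if i + 1 < len(chain) else trusted_root
        if cert.issuer != expected_issuer:
            return False
        # The check the vulnerable client skipped: a certificate that is not a
        # CA must not be accepted as the issuer of the certificate below it.
        if check_basic_constraints and i > 0 and not cert.is_ca:
            return False
    return True


def demo() -> Dict[str, bool]:
    KEYS.clear()
    KEYS["Trusted Root CA"] = b"constructed-root-key"
    # A legitimate, CA-signed end-entity certificate for one domain (cA=FALSE).
    holder = issue("holder.example", "Trusted Root CA", is_ca=False)
    # That end-entity key is then used to sign a certificate for another domain.
    other = issue("bank.example", "holder.example", is_ca=False)
    chain = [other, holder]
    return {
        "legit_leaf": validate_chain([holder], "Trusted Root CA", "holder.example", True),
        "without_bc_check": validate_chain(chain, "Trusted Root CA", "bank.example", False),
        "with_bc_check": validate_chain(chain, "Trusted Root CA", "bank.example", True),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the three results: the legitimate single-certificate chain validates either way, the delegated chain passes the signature-only validator, and the validator that enforces Basic Constraints rejects it. A real validator additionally honours pathLenConstraint, key usage and name constraints, none of which the toy models.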

Information about Reported Web Security Vulnerability

Archived Bugtraq message thread - securityfocus.com - 286895

* XSS problem in Help Center deletes Windows XP files from web page

According to an advisory posted to the Bugtraq mailing list, Microsoft is aware of a cross-site scripting (XSS) flaw in some of the Help Center components of Windows XP and plans to ship fixes in the approaching SP1 for XP. Normally we would not report such things, but details of the problem's existence, how to exploit it to delete files, and the suggestion there may be further, related problems have been made public, as have workarounds to protect against possible exploitation of the problem. Help Center is installed as a default component of Windows XP, so all administrators of XP machines should read the advisory linked in the Bugtraq archive and decide which of the workarounds best suits their needs.

Archived Bugtraq list message - securityfocus.com - 287482

* Novell announces security bug policy

Breaking with its long-standing position of only including security bug information among information about all other product bug fixes, (free) feature enhancements and service packs, Novell announced mechanisms whereby Novell system administrators can now quickly locate security-related information relevant to its products. The details are in the archived e-mail message posted to the Bugtraq mailing list, linked below. More security-anxious Novell administrators may prefer to immediately check the Novell web page dedicated to security issues, also linked below.

Archived Bugtraq list message - securityfocus.com - 287147

Novell security alerts page - novell.com

* Two security updates for Macromedia Flash Player

Macromedia released, in quick succession, v6,0,40,0 and v6,0,47,0 of its popular Flash Player software to remedy two serious security holes. Specially malformed fields in the headers of SWF files can cause buffer overflows that in turn can allow local execution of remotely provided, arbitrary code. Such code would run in the security context of the current user. The second vulnerability is more insidious, allowing a malicious web site operator to read the contents of files on the local hard drive of the user displaying an SWF file. This flaw is due to an error in the way Macromedia Flash Player handles certain ActionScript commands that can result in bypass of the same-domain security restriction. Exploitation of this flaw could result in such a malicious web site sending copies of the local files back to the server.

Users of Macromedia Flash Player should obtain the latest version update for their OS from the links in the Macromedia security bulletins linked below.

Macromedia security bulletin MPSB02-09

Macromedia security bulletin MPSB02-10

* Patch fixes format string exploit in Oracle 8i, 9i Listener Control

Oracle has released patches for the Listener Control utility for all platforms supporting Oracle 8i and 9i. This was in response to the discovery by Next Generation Security Software of a format string bug in the Listener Control that could be exploited by any user, due to a lack of authentication checks. The NGSSoftware advisory and Oracle's security alert on the issue are linked below. The patches are available from Metalink, as described in the Oracle security alert (which also details some workarounds to alleviate the exploitability of this flaw should patching not be immediately possible).

Oracle Net Listener Vulnerabilities - oracle.com (PDF)

Oracle Listener Control Format Strings - NGSSoftware Security Advisory

* Update fixes chunked data encoding flaw in Sun ONE iPlanet web server

Yet another remotely exploitable buffer overflow related to a chunked data encoding bug has been found in yet another popular web server. This time it is the turn of Sun's iPlanet Web Server 4.1 and 6.0. eEye Digital Security researchers discovered exploitable heap overflows in the web server, and the vendor has posted a security alert and updates correcting the problem in Sun ONE Web Server 4.1 SP11 and 6.0 SP4, available from the download link in the Sun ONE security alert linked below.
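The recurring defect in this family of bugs is that the hexadecimal chunk-size field of a chunked HTTP/1.1 body is parsed into a fixed-width integer and then trusted to size or index a buffer, so that an oversized or sign-wrapped value walks past the end of the heap allocation. The decoder below is an added example, not code from the newsletter, Sun or eEye; it shows the checks a defensive parser makes before any chunk data is copied: the size field must be plain unsigned hex of bounded length, the value is compared against a per-chunk ceiling, and the running total is compared against a body ceiling. The limits and sample bodies are constructed for illustration.

```python
"""Defensive decoder for HTTP/1.1 chunked transfer encoding. Added example;
not code from the newsletter, Sun or eEye. The limits and sample messages
are constructed for illustration."""

HEX_DIGITS = b"0123456789abcdefABCDEF"


def decode_chunked(data: bytes, max_chunk: int = 1 << 20, max_total: int = 8 << 20) -> bytes:
    """Decode a chunked message body, raising ValueError on anything malformed.

    The chunk-size field is parsed as a bounded, unsigned hexadecimal value
    and checked against max_chunk before a single byte is copied, and the
    running total is checked against max_total; both checks happen before
    the size is used to size or index a buffer."""
    out = bytearray()
    pos = 0
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("truncated chunk-size line")
        # Chunk extensions (";name=value") follow the size and are ignored here.
        size_field = data[pos:line_end].split(b";", 1)[0].strip()
        # Only plain hex digits: no sign, no "0x", no embedded whitespace, and
        # no more digits than a 32-bit value needs, so that a field such as
        # "FFFFFFFFF" or "-1" is rejected outright instead of being parsed.
        if not size_field or len(size_field) > 8 or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError(f"bad chunk-size field {size_field!r}")
        size = int(size_field, 16)
        if size > max_chunk:
            raise ValueError(f"chunk size {size} exceeds limit {max_chunk}")
        pos = line_end + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the terminating empty line.
            while True:
                line_end = data.find(b"\r\n", pos)
                if line_end < 0:
                    raise ValueError("truncated trailer")
                line, pos = data[pos:line_end], line_end + 2
                if not line:
                    return bytes(out)
        if len(out) + size > max_total:
            raise ValueError(f"decoded body would exceed {max_total} bytes")
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


# Constructed sample bodies.
SAMPLE_OK = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\n\r\n"
SAMPLE_OVERSIZED = b"FFFFFFFF\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n"
SAMPLE_SIGNED = b"-1\r\n\r\n0\r\n\r\n"


def try_decode(data: bytes) -> str:
    """Return the decoded body, or the reason the input was rejected."""
    try:
        return "ok: " + decode_chunked(data).decode("ascii")
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_OVERSIZED, SAMPLE_SIGNED):
        print(try_decode(sample))
```

The eight-digit cap is stricter than the RFC, which permits leading zeros, but it is what keeps a value like 0xFFFFFFFF from ever reaching the size comparison in a native implementation that holds the size in a signed 32-bit integer, where it would compare as -1 and pass a naive "size < buffer length" test. In a C decoder the same three checks (character class, field length, value against both ceilings) belong between the strtoul call and the memcpy.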

Sun ONE/iPlanet Web Server 4.1 & 6.0 Remote Buffer Overflow - eeye.com

Buffer Overflow in Transfer Encoding - sun.com
