IDGNet Virus & Security Watch Friday 2 August 2002


This issue's topics:

Introduction:

* SP3 for Win2K, SQL Server, Pegasus Mail, libpng, OpenSSL, FreeBSD patches

Virus News:

* Klez.H - four months in a (not so) leaky boat...

Security News:

* MDAC patch removes SQL Server compromise option

* SP3 for Windows 2000 released

* Pegasus Mail 4.02 release fixes DoS

* libpng update fixes remotely exploitable buffer overflow

* Trojaned version of OpenSSH distributed

* OpenSSL updated to fix multiple security vulnerabilities

* FreeBSD has another shot at fixing suid/sgid file handle problem

* Firewalls circumvented, web content misappropriated by web browsers

Introduction:

On the virus front, perhaps no news is not necessarily good news. It is the height of summer in the Northern Hemisphere and traditionally this is a quiet period for new virus activity. This is often attributed to college and university students (believed to be the most prolific creators of new viruses) being away from school and having less opportunity to wreak the kind of havoc that congregating in computer labs seems to produce. However, the lack of anything new and notable to report perhaps emphasizes that bad does not necessarily equate with new in the malware and virus market. Klez is still rampaging through the SOHO set and showing only the slightest of signs of slowing down. Further, given it is the height of the Northern Hemisphere summer, perhaps this small slowdown is purely an artefact of more of the SOHO set being away on vacation in any given week?

SQL Server administrators can get some more practice at patching their systems following the release of MS02-040, meaning the Redmond giant has been averaging about a patch a week for its SQL Server product over the last two months. Pegasus Mail v4.02 for Windows has been released and includes a security fix for a denial of service, and Service Pack 3 for Windows 2000 finally ships in all its 128MB glory.

Unix, Linux and *BSD system administrators have a wealth of patches to deal with too, at least if they use any of the OpenSSL or libpng offerings, and FreeBSD admins have a kernel patch to fix a bug that was previously thought fixed. Also, people who have downloaded OpenSSH in the last few days need to check whether to instigate a Trojan hunt.

Finally, an interesting disclosure of the mismatch between expectation and reality when security-impacting policies are decided in different places based on data that may not be reliable enough for the job. The 'Firewalls circumvented, web content misappropriated by web browsers' item introduces a couple of message threads that should interest all network administrators who thought their firewalls would keep their intranet content out of the hands of Internet web browsers, and may provide a surprise to those who thought 'content theft' should be obvious from browsing their server access logs. Of course, to a cynic like yours truly, this story is just another entry in the 'browsers plus scripting equals trouble' ledger.

Virus News:

* Klez.H - four months in a (not so) leaky boat...

It should hardly be surprising for anyone with an Internet e-mail address that is not behind a virus scanning gateway or corporate server, nor for those responsible for filtering viruses and other unwanted ephemera from corporate e-mail systems, that Klez has topped the 'most seen' lists for a fourth month. Although the relative levels vary depending on the reporting agency and the timeframes, most sources of virus prevalence statistics on the Internet show the Klez family, or specifically the Klez.H variant, as by far the most commonly seen virus for the last three or four months.

Some people have speculated on the lack of large-scale media attention on Klez. For example, according to data from UK e-mail ASP MessageLabs, Klez.H is the biggest virus event it has seen, measured in terms of the total number of messages it has intercepted bearing the virus. Yet Klez has not gained a fraction of the publicity of Melissa or LoveLetter. Several reasons for this have been proposed, not least of which are the relative complexity of the virus' spread mechanism, the fact that it did not make an immediate and huge 'splash', and that there is not a 'quick fix' that can be expressed in a conveniently packaged 'sound bite'. Finally, corporate mail server administrators are not running round gnashing their teeth, downing servers and pulling network connections to protect themselves. Thus Klez, which mainly affects less sophisticated 'system administrators' such as small businesses and home users, is likely to keep spreading at a gradually slowing rate for quite some time to come.

Klez tops the virus charts - theregister.com

Security News:

* MDAC patch removes SQL Server compromise option

A server component of the Microsoft Data Access Components (MDAC) that handles the OpenRowSet SQL functionality has been found vulnerable to a buffer overflow that may allow remotely supplied arbitrary code to execute. Only SQL Server administrators need apply the patch, for although MDAC has client (workstation) components, the flaw is only present in code that runs on the server. MDAC 2.5, 2.6 and 2.7 were tested by Microsoft and found vulnerable - earlier versions are unsupported and may remain vulnerable as no patches are provided for unsupported products. SQL Server administrators are recommended to check the security bulletin for more details to determine if their configurations are vulnerable.

Microsoft Security Bulletin MS02-040

* SP3 for Windows 2000 released

Microsoft has released the long-awaited Service Pack 3 for Windows 2000. Although service packs are not obviously security related, there are two major security implications in a service pack release. First, it is not uncommon for several of what Microsoft considers to be low grade or less urgent security fixes to be held over for the next service pack rather than being released as hotfixes. Thus, there are bound to be some security fixes that you can only get by installing this service pack. One example of such a fix is the WinHelp buffer overflow discovered by security researchers at Next Generation Security Software - we've linked to their advisory on this matter below.

The second security-related issue with service packs is that, shortly after they are released, new hot fixes and 'rollups' start to require the 'new' service pack level to install on that OS. Your newsletter compiler has not seen any official statement of Microsoft's position on this, but it seems that within a few months of an OS service pack being released, Microsoft assumes you will have installed it and then starts requiring that SP level in any subsequent patches. (A similar policy, but with perhaps a shorter grace period also seems to apply to service packs for major applications such as Exchange, IIS, SQL Server, Internet Explorer and Office.)

SP3 is a 128MB download and users should read the privacy statements and EULA carefully before downloading it as there are some interesting clauses therein regarding the updated Windows Update service.

Winhlp32.exe Remote Buffer Overrun - NGSSoftware Security Advisory

Windows 2000 Service Pack 3 home page

* Pegasus Mail 4.02 release fixes DoS

New Zealand's very own e-mail client - long-time favourite of many educational institutions - Pegasus Mail, has just shipped an upgrade. Along with the many feature improvements and bug fixes is a repair for a trivial denial of service caused by improper handling of certain e-mail headers. Although the likelihood of this DoS being widely used seems fairly low, its existence was publicized on a security mailing list a little over a week ago.

Archived Bugtraq list message - securityfocus.com

Pegasus Mail download page - pmail.com

* libpng update fixes remotely exploitable buffer overflow

Unrelated to the zlib double-free memory handling error earlier this year, which also affected it, the latest release of libpng fixes a remotely exploitable security flaw. A buffer overflow can be triggered in the library code when handling specially malformed PNG data. All systems running applications dependent on libpng should obtain updated versions of the library and restart affected applications.

Libpng 1.2.4 README.txt - libpng.org

* Trojaned version of OpenSSH distributed

Developers of OpenSSH have confirmed overnight reports that some of the source code in the official distribution of the current OpenSSH versions was modified on the source FTP server at openbsd.org. The Trojan, contained in OpenSSH 3.2.2p1, 3.4p1 and 3.4, is built and executed as part of the standard compilation of the package, opening a backdoor on victim machines. This backdoor periodically tries to connect to a hardcoded IP address and understands three commands that can be sent back in response to that connection - one kills the backdoor process, another puts it to sleep and the third executes an arbitrary command supplied by the remote machine. The Trojaned code is thought to have been placed on the server around 30-31 July and was replaced with confirmed good copies on 1 August (remember, these dates are local to Canada).

Administrators who have downloaded affected OpenSSH versions during the last few days are advised to check the security advisories linked below. It is known that several mirrors of the official distribution automatically updated themselves with the Trojaned code and it would be advisable to consider all OpenSSH code downloads this week to be potentially 'dirty'.

CERT Advisory CA-2002-24 Trojan Horse OpenSSH Distribution

OpenSSH Security Advisory (adv.trojan)
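The practical check the advisories above ask for is to compare the digest of whatever tarball you downloaded against the sums the project published out of band. The following is an added example written for this newsletter, not code from the OpenSSH project or from the advisory: it hashes a download in chunks (so a large archive is never read into memory), checks every published algorithm, and uses a constant-time comparison. The advisory's real sums are not reproduced here; the expected values below are the well-known SHA-256 and MD5 test vectors for the constructed three-byte input b"abc", so the example runs offline.

```python
import hashlib
import hmac
import io

# CONSTRUCTED sample: standard test vectors for the input b"abc".
# In real use, replace with the sums published in the vendor's advisory.
SAMPLE_DOWNLOAD = b"abc"
KNOWN_GOOD = {
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "md5": "900150983cd24fb0d6963f7d28e17f72",
}


def digest_stream(stream, algorithm, chunk_size=64 * 1024):
    """Hash a binary file-like object in chunks and return the hex digest."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(stream, expected):
    """Check a seekable binary stream against every published digest.

    Returns (ok, report) where report maps algorithm -> (computed_hex, matched).
    ok is True only if every listed algorithm matches; one mismatch is enough
    to treat the download as tampered.
    """
    report = {}
    ok = True
    for algorithm, wanted in expected.items():
        stream.seek(0)
        got = digest_stream(stream, algorithm)
        matched = hmac.compare_digest(got.lower(), wanted.strip().lower())
        report[algorithm] = (got, matched)
        ok = ok and matched
    return ok, report


def verify_bytes(data, expected):
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return verify_download(io.BytesIO(data), expected)


def verify_file(path, expected):
    """Verify an on-disk download such as openssh-3.4p1.tar.gz (path is yours)."""
    with open(path, "rb") as f:
        return verify_download(f, expected)


if __name__ == "__main__":
    ok, report = verify_bytes(SAMPLE_DOWNLOAD, KNOWN_GOOD)
    for algorithm, (got, matched) in report.items():
        print(f"{algorithm}: {got} {'OK' if matched else 'MISMATCH'}")
    print("download is", "trustworthy" if ok else "TAMPERED OR CORRUPT")
```

The check is only as good as where the expected sums came from: a sum fetched from the same compromised server as the tarball proves nothing, so take the values from a signed advisory or a second, independent channel.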

* OpenSSL updated to fix multiple security vulnerabilities

Several vulnerabilities, most of them remotely exploitable, have been fixed in OpenSSL following an extensive code review and security audit. Aside from updating OpenSSL installations themselves, note that many applications depend on the OpenSSL ASN.1 parser library, which is the source of one of these vulnerabilities. All programs that statically link that library should also be rebuilt after the appropriate OpenSSL update has been installed.

SSLeay is also believed to be affected by most of these vulnerabilities, so should be updated too.

CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

OpenSSL Security Advisory [30 July 2002]

* FreeBSD has another shot at fixing suid/sgid file handle problem

Past issues of this newsletter have mentioned the 'insecure handling of stdio file descriptors' vulnerability discovered some months back by Georgi Guninski. A FreeBSD kernel update has been released to fix another twist in this issue on that OS. Previously procfs and linprocfs file systems were thought to not be vulnerable to this attack, and that has now been corrected. The FreeBSD security advisory with all the gory details of patch availability is linked below.

Insecure handling of stdio file descriptors - freebsd.org
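The kernel fix closes the hole from the operating system's side; the complementary defence, which privileged programs have long applied themselves, is to make sure descriptors 0, 1 and 2 are open before doing any other work, so that a file the program later opens cannot land on a standard descriptor and be written to by code that thinks it is talking to stderr. The following is an added example for this newsletter, not FreeBSD's patch and not taken from any of the projects mentioned here; it reattaches any closed standard descriptor to /dev/null, which is the usual userland mitigation, and the __main__ block constructs the failure case by closing stdin on itself.

```python
import os

STD_FDS = (0, 1, 2)


def std_fds_open():
    """Report which of stdin, stdout and stderr are currently open descriptors."""
    state = []
    for fd in STD_FDS:
        try:
            os.fstat(fd)
            state.append(True)
        except OSError:       # EBADF: the descriptor is closed
            state.append(False)
    return tuple(state)


def sanitise_stdfd():
    """Attach /dev/null to any closed standard descriptor.

    Call this first thing in a setuid/setgid (or otherwise privileged) program.
    If a parent started us with, say, stderr closed, the next open() would
    return descriptor 2 and every later write to stderr would go into that
    file. Returns how many descriptors had to be repaired.
    """
    repaired = 0
    for fd in STD_FDS:
        try:
            os.fstat(fd)
            continue          # already open, nothing to do
        except OSError:
            pass
        flags = os.O_RDONLY if fd == 0 else os.O_WRONLY
        nfd = os.open(os.devnull, flags)
        if nfd != fd:
            # open() hands back the lowest free number, which is normally fd
            # itself because we walk 0, 1, 2 in order; cover the odd case anyway.
            os.dup2(nfd, fd)
            os.close(nfd)
        repaired += 1
    return repaired


if __name__ == "__main__":
    os.close(0)               # constructed scenario: a parent closed our stdin
    before = std_fds_open()
    count = sanitise_stdfd()
    print("before:", before, "repaired:", count, "after:", std_fds_open())
```

The function is idempotent: a second call finds everything open and returns 0, so it is safe to run it unconditionally at program start.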

* Firewalls circumvented, web content misappropriated by web browsers

Browser scripting and DNS trickery can be easily combined to allow remote (Internet) access to intranet web servers supposedly protected by a firewall and 'content theft' (providing another site's content as if it were one's own). An interesting thread (under two titles) erupted on the Bugtraq mailing list when Adam Megacz of XWT posted a message explaining how to beat firewall policies at a victim site to siphon local intranet content off to a remote ('attacker') web site. Megacz' message was followed by an official response from Microsoft, which had considered his original advisory and felt there was nothing of immediate concern in the issue; certainly nothing requiring a hotfix. Microsoft was waiting to fix the issue in the next Internet Explorer service pack. Some more inventive exploits were quickly dreamed up by some of the web browser security gurus who read the mailing list, including a message posted by Grey Magic Software, discoverers of some serious IE security flaws. The links below point to the 'index' pages of the two threads which include various suggestions for workarounds that can reduce the severity of impact this flaw may have on your web servers whether in a firewalled intranet or in the open Internet information serving role.

Firewall circumvention possible with all browsers - Bugtraq thread

Microsoft Security's official response - Bugtraq thread
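The attack in these threads works because the browser resolves the attacker's hostname to the intranet server's address, yet the HTTP request it then sends still carries the attacker's hostname in the Host header. One server-side workaround therefore needs no firewall change at all: refuse any request whose Host header is not one of the names the server is actually meant to answer to. The following is an added example for this newsletter, not code from either Bugtraq thread, from XWT or from Microsoft; the hostnames in ALLOWED_HOSTS and the sample requests are constructed.

```python
# CONSTRUCTED: the names this intranet server legitimately answers to.
ALLOWED_HOSTS = {"intranet.example.internal", "wiki.example.internal"}


def host_header_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if the Host header names this server.

    A page served from attacker-controlled.example that has been re-pointed
    at our address by DNS still sends 'attacker-controlled.example' as Host,
    so it is refused; so are raw IP literals and requests with no Host at all.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.count(":") == 1:                # name:port form
        host, port = host.split(":", 1)
        if not port.isdigit():
            return False
    # Anything else (bracketed IPv6 literals, bare IPs, foreign names)
    # simply fails the allowlist membership test.
    return host in allowed_hosts


# CONSTRUCTED sample requests as (path, Host header) pairs.
SAMPLE_REQUESTS = [
    ("/plans/q3.html", "intranet.example.internal"),        # normal user
    ("/plans/q3.html", "Intranet.Example.Internal:8080"),   # same, with port
    ("/plans/q3.html", "attacker-controlled.example"),      # rebound request
    ("/plans/q3.html", "10.0.0.5"),                          # IP literal
    ("/plans/q3.html", None),                                # no Host header
]


def triage(requests, allowed_hosts=ALLOWED_HOSTS):
    """Split a batch of requests into (served, refused) lists."""
    served, refused = [], []
    for path, host in requests:
        (served if host_header_allowed(host, allowed_hosts) else refused).append((path, host))
    return served, refused


if __name__ == "__main__":
    served, refused = triage(SAMPLE_REQUESTS)
    for path, host in served:
        print("serve ", host, path)
    for path, host in refused:
        print("refuse", host, path)
```

Note that this only blocks the browser-as-proxy route into the intranet; it does nothing against a browser that has been pointed directly at an Internet-facing server by its real name, which is the 'content theft' half of the threads.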
