IDGNet Virus & Security Watch Friday 26 July 2002


This issue's topics:

Introduction:

* SQL Server & MSDE, MMS, GroupWise, PHP patches, KaZaA worm, 'xtra' virus scanning

Virus News:

* Worm spreads through KaZaA network.

* Xtra introduces e-mail virus scanning

* Have you had your annual performance 'reviewuation' yet?

Security News:

* Updated MS02-032 now includes all necessary patch files

* Fix for privilege elevation bug in Microsoft Metadirectory Services

* Exploitable buffer overflow in Exchange 5.5 SMTP code patched

* More SQL Server 2000 and Microsoft Desktop Engine 2000 patches

* And yet another SQL Server 2000 patch

* Portcullis retracts advisory about old Exchange bug in IIS 4.0 & 5.0

* Denial of service in GroupWise 6.0

* Update for PHP fixes critical vulnerability

* US government Windows 2000 security standards available

Introduction:

The last 24 hours have seen 'Attack of the Killer Security Bulletins', with Microsoft releasing four new bulletins and associated patches and updating an earlier one. SQL Server, and to a lesser degree MSDE, administrators will be particularly busy. Administrators of systems running GroupWise 6.0, or PHP 4.2.0 or 4.2.1, should check the items covering patches for their systems too.

This week we also carry news of Xtra's introduction of e-mail virus scanning for all customers, some buggy software at Yahoo coining new words, and a new worm spreading via KaZaA. Portcullis has retracted an earlier warning that some Microsoft SMTP servers may be open to unexpected message relaying, and the Center for Internet Security has released an updated version of its Windows 2000 security benchmarks and its benchmark scoring tool to cater to the new US government standard for such things.

Virus News:

* Worm spreads through KaZaA network.

Although not apparently widespread, some media attention has focused on yet another virus that spreads by planting multiple copies of itself on a victim machine and sharing them over the KaZaA P2P network. Variously known as Supova and Surnova (both are contractions of 'supernova' - the name of a registry value the virus sets to have itself run at each system startup), it also tries to propagate by sending messages to the people in the victim's MSN Messenger contact list.
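As an added example (not from the newsletter and not from any vendor write-up of the worm), the following Python script shows one defensive check that follows from the propagation method just described: a shared folder in which a single payload has been copied out under many different names. It hashes every file under a directory and reports content that appears under three or more names. The share directory, its file names and the payload bytes are constructed fixtures.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_clones(share_dir: str, min_copies: int = 3) -> Dict[str, List[str]]:
    """Group every file under share_dir by content hash and return only the
    groups where one payload sits behind min_copies or more different names.
    Legitimate duplicates exist, so treat hits as leads for a scan, not verdicts."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for p in Path(share_dir).rglob("*"):
        if p.is_file():
            by_hash[sha256_of(p)].append(p.name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) >= min_copies}


def build_sample_share() -> str:
    """Constructed fixture (not real malware): one benign file plus one
    payload written out under several lure-style names, which is the pattern
    the worm described above leaves in a shared folder."""
    share = Path(tempfile.mkdtemp(prefix="kazaa_share_"))
    (share / "holiday_photo.jpg").write_bytes(b"constructed benign content")
    payload = b"constructed sample payload, identical under every name"
    for name in ("movie_trailer.exe", "game_demo.exe", "song_player.exe", "wallpaper.scr"):
        (share / name).write_bytes(payload)
    return str(share)


if __name__ == "__main__":
    hits = find_clones(build_sample_share())
    for digest, names in hits.items():
        print(f"{digest[:16]}... shared under {len(names)} names: {', '.join(names)}")
```

Run against a real shared folder, the output is a list of content hashes worth submitting to an up-to-date scanner; the threshold of three copies is a starting point, not a tuned value.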

Computer Associates Virus Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Xtra introduces e-mail virus scanning

Xtra has become the first major New Zealand ISP to provide free antivirus scanning of incoming and outgoing e-mail to all its customers. Ihug has had an opt-in, added-cost virus scanning option for some time using Trend Micro's e-mail gateway virus scanning products. This is the same product family chosen by Xtra, which claims it has spent close to one million dollars to provide the service (the press release does not make it clear how much of that is software licensing costs and how much is additional hardware for beefing up its e-mail server facilities to handle the overhead of message scanning).

Although such services are helpful, particularly in stemming very fast and widespread mass mailing viruses, the temptation to 'oversell' them is quite high. Antivirus researchers have been noting for some time that virus writers seem to be looking for new ways to spread and/or to beat the increasingly effective measures that now dramatically slow or even prevent many massive outbreaks. For example, changes in Microsoft Outlook itself, in e-mail gateway policies for 'acceptable' attachment types and so on mean that a virus using Melissa's or LoveLetter's techniques could probably not become even one-tenth the problem those 'trailblazer' examples were.

Reflecting this, however, of late several viruses have been written and released to spread via P2P networks and/or via file transfer functions built into chat applications. A couple of these have become surprisingly widespread, with their true 'success' somewhat hidden from view because a good proportion of P2P and ardent chat users do not use updated antivirus software. If oversold hype about Xtra's virus scanning of e-mail messages deters some Xtra users from updating their traditional desktop virus scanners they may be getting themselves into worse trouble while believing they are 'doing the right thing'...

Xtra service 'won't end all viruses' - idg.net.nz

Xtra trashes email viruses (press release) - idg.net.nz

* Have you had your annual performance 'reviewuation' yet?

What?

Yes, you read it right - 'reviewuation'. Search the web for that monstrosity of a 'word' and you'll find many documents that are the hapless victims of a programming blunder at Yahoo. In its attempts to defang various nasties in scripts embedded within HTML e-mail messages, thereby possibly saving its clients some grief, Yahoo rolled some of its own script-sanitizing filters. Among others, script commands 'eval' and 'expression' were replaced with 'review' and 'statement' respectively.

This alone suggests that Yahoo may not have been sure that its filtering efforts would be limited to just the scripts embedded within messages, as to defang the scripts all that is needed is a replacement identifier that is syntactically invalid or unknown (in the script language/s being targeted). Use of syntactically correct _and_ meaningful (in English) replacements is unnecessary if only script contents were being changed. Unfortunately, the problem was not just that text from the messages was sometimes changed, but also that 'eval' would be changed when part of a word, rather than just as a whole word. Hence the appearance of 'reviewuation' and several other non-words described in the linked news article. Hopefully Xtra (see previous item) is not tempted to make similar mistakes by enhancing its new virus scanning service!
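An added illustration of the filtering mistake described above, not Yahoo's code (the substitution pairs are reconstructed from the article, and the message text and script fragment are constructed samples): three Python filters applied to the same input, showing plain substring replacement producing 'reviewuation', whole-word replacement fixing that but still rewriting prose, and a filter scoped to script content that uses an undefined identifier as the replacement.

```python
import re

# Constructed samples: ordinary English of the kind Yahoo's filter mangled,
# and a script fragment of the kind the filter was meant to defang.
SAMPLE_TEXT = "Your annual performance evaluation is due; expressions of interest are welcome."
SAMPLE_SCRIPT = "<script>eval(unescape(p)); el.style.expression = '1';</script>"

# Substitution pairs as reported for Yahoo's filter (reconstructed, not Yahoo's code).
SUBSTITUTIONS = {"eval": "review", "expression": "statement"}

SCRIPT_RE = re.compile(r"(<script\b[^>]*>)(.*?)(</script>)", re.IGNORECASE | re.DOTALL)


def naive_filter(text: str) -> str:
    """Plain substring replacement over the whole message: this is the
    behaviour that turns 'evaluation' into 'reviewuation'."""
    for bad, good in SUBSTITUTIONS.items():
        text = text.replace(bad, good)
    return text


def word_filter(text: str) -> str:
    """Whole-identifier replacement (word boundaries), still over the whole
    message: 'evaluation' survives, but prose containing a bare 'eval' or
    'expression' is still rewritten."""
    for bad, good in SUBSTITUTIONS.items():
        text = re.sub(rf"\b{re.escape(bad)}\b", good, text)
    return text


def scoped_filter(text: str) -> str:
    """Replace only inside <script> elements, and substitute an identifier
    that is not defined in the target language, so the defanged call fails
    instead of running. Message prose is never touched."""
    def defang(match):
        body = match.group(2)
        for bad in SUBSTITUTIONS:
            body = re.sub(rf"\b{re.escape(bad)}\b", f"__blocked_{bad}__", body)
        return match.group(1) + body + match.group(3)
    return SCRIPT_RE.sub(defang, text)


if __name__ == "__main__":
    for fn in (naive_filter, word_filter, scoped_filter):
        print(fn.__name__, "->", fn(SAMPLE_TEXT))
        print(fn.__name__, "->", fn(SAMPLE_SCRIPT))
```

The scoped version is still a regular expression over raw markup; a production sanitizer should operate on parsed HTML so that script carried outside `<script>` elements is covered as well, and so that the replacement can never reach message text.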

Yahoo reevaluates its mail filters

Security News:

* Updated MS02-032 now includes all necessary patch files

The Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP 'cumulative patch' released on 26 June, and described a few issues back in this newsletter, has been updated. Apparently Microsoft missed packaging a file from the MS01-056 Windows Media Player (WMP) cumulative patch, so the initial MS02-032 cumulative patch was not quite as 'cumulative' as it should have been.

If MS02-032 was installed on a system already patched with MS01-056, there should be no problems. However, if you are unsure or have been installing only MS02-032 over 'fresh' system installations containing affected versions of WMP, obtaining the new cumulative patch and re-installing it is recommended.

Microsoft Security Bulletin MS02-032

* Fix for privilege elevation bug in Microsoft Metadirectory Services

An authentication flaw in Microsoft Metadirectory Services (MMS) is fixed by the patch described in Microsoft security bulletin MS02-036. MMS allows centralized coordination of several diverse directory and database services, providing a mechanism to synchronize the contents of several otherwise separate data repositories. A flaw in the security checks performed in certain circumstances when a user connects to the MMS data repository using LDAP can enable such a user to access and modify the MMS configuration. If exploited, this vulnerability could be used to elevate a user's privileges or to replicate bogus data across the MMS-managed repositories.

If usual best practice guidelines have been followed, this vulnerability should not be exploitable from the Internet, and successful exploitation should require extensive local knowledge of the MMS system under attack. Overall, Microsoft rates this a moderate severity on Internet and intranet servers and recommends that administrators of MMS 2.2 machines obtain and install the patch as soon as practicable. MMS 2.1 is no longer supported and so was not tested for this vulnerability.

Microsoft Security Bulletin MS02-036

* Exploitable buffer overflow in Exchange 5.5 SMTP code patched

Security researchers at Internet Security Systems (ISS) have discovered a remotely exploitable buffer overflow in the Exchange 5.5 Internet Mail Connector (IMC - the component that allows Exchange servers to talk with SMTP servers on the Internet). A buffer used by the IMC code when composing its response to an SMTP 'EHLO' command can be overflowed if the reverse-DNS lookup of the SMTP client's IP address resolves to a sufficiently long domain name. As both the client machine starting an SMTP conversation with a vulnerable Exchange 5.5 SMTP server and the DNS server responsible for the SMTP client's domain could be under the control of an 'attacker', it is not too hard to imagine situations in which this could be exploited. The IMC buffer overflow is in a process that runs with local system privileges, so any code that could be run via this buffer overflow would have unhindered access to the Exchange server's system.

Although situations in which this could be exploited are imaginable, there are some fairly challenging technical hurdles that an attacker trying to exploit this vulnerability would have to overcome. Thus, Microsoft's assessment of the severity of this vulnerability as moderate seems reasonable, despite the possibility of a remote exploit running arbitrary code as local system. Aside from obtaining and installing the patch, a workaround that disables IMC performing reverse-DNS lookups when constructing its replies to 'EHLO' commands is also described in the Microsoft security bulletin. Exchange 2000 is not similarly affected.
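As an added example (not Microsoft's code, and not a description of how the IMC is implemented), the following Python function composes the EHLO reply line described above while treating the reverse-DNS result as untrusted input: the name is only echoed if it passes RFC 1035 length and syntax checks, and a `use_rdns` switch mirrors the bulletin's workaround of not performing the lookup at all. The host names, addresses and sample PTR results are constructed; no network lookups are made.

```python
import ipaddress
import re
from typing import Optional

# RFC 1035 limits: each label at most 63 octets, whole name at most 253
# characters in presentation form.
MAX_NAME_LEN = 253
MAX_LABEL_LEN = 63
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name: str) -> bool:
    """True only for a well-formed hostname within the RFC length limits.
    Anything else (overlong, odd characters, empty labels) is rejected."""
    name = name.rstrip(".")
    if not name or len(name) > MAX_NAME_LEN:
        return False
    labels = name.split(".")
    return all(len(lbl) <= MAX_LABEL_LEN and LABEL_RE.match(lbl) for lbl in labels)


def ehlo_response(local_host: str, client_ip: str,
                  rdns_name: Optional[str], use_rdns: bool = True) -> str:
    """Build the first line of a 250 reply to EHLO.

    The reverse-DNS name is chosen by whoever runs the client's reverse
    zone, so it is treated as untrusted input: it is only echoed when it
    passes validation, and never when reverse lookups are switched off
    (the workaround described in the bulletin). The client IP literal is
    always included, so the reply stays useful without the name.
    """
    ip = ipaddress.ip_address(client_ip)   # raises ValueError on non-address input
    if use_rdns and rdns_name and valid_hostname(rdns_name):
        return f"250-{local_host} Hello {rdns_name} [{ip}]"
    return f"250-{local_host} Hello [{ip}]"


# Constructed sample lookups (no network access): what a PTR query might return.
SAMPLE_RDNS = {
    "192.0.2.10": "mx1.example.net",            # ordinary hostname
    "192.0.2.11": "a" * 300 + ".example.net",   # overlong name, should be dropped
    "192.0.2.12": "bad host!.example.net",      # illegal characters, should be dropped
    "192.0.2.13": None,                          # no PTR record at all
}

if __name__ == "__main__":
    for addr, name in SAMPLE_RDNS.items():
        print(ehlo_response("mail.example.org", addr, name))
    print(ehlo_response("mail.example.org", "192.0.2.10",
                        SAMPLE_RDNS["192.0.2.10"], use_rdns=False))
```

The point of the design is that the length bound is enforced on the data before it reaches any fixed-size buffer, and that the server degrades to a reply without the name rather than failing when the lookup result is unusable.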

Remote Buffer Overflow in Microsoft Exchange Server - iss.net

Microsoft Security Bulletin MS02-037

* More SQL Server 2000 and Microsoft Desktop Engine 2000 patches

Database administrators running these common Microsoft products should have patching their systems down to a fine art following the series of patches for these products over the last few weeks... If so, they'll be able to put the experience to good use in testing and rolling out yet another SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 patch. (And the cynics might say that if they are not accustomed to patching these products yet, they'll be able to get some more hands-on experience with this new patch to ease their workload on the inevitable next one.)

Two more SQL Server 2000 & MSDE 2000 vulnerabilities have been found, with an overall severity rating of moderate. Mitigating factors and best practice suggest that the likelihood of real-world harm arising from either is not that high, but administrators of affected systems should check the security advisories carefully. The supplied patch is a cumulative one, including most SQL Server and MSDE patches since the last SQL service pack (but read the fine print in the advisory carefully!). SQL Server 7.0 (and its associated MSDE 1.0) are not affected by either of the vulnerabilities fixed by this patch.

Microsoft Security Bulletin MS02-038

* And yet another SQL Server 2000 patch

Still itching to improve your SQL Server patching skills after reading the previous item? Well, try this one for size...

David Litchfield of Next Generation Security Software has found several security flaws in SQL Server 2000. Microsoft rates two of these vulnerabilities as being of critical severity, which seems fitting given they allow remote arbitrary code execution. Such an exploit would run with full SQL database privileges, but the underlying OS should be relatively safe as the default SQL Server 2000 installation runs the server as a quite limited domain user.

The patch is presumably not a cumulative one, as this is not mentioned at all anywhere in the advisory. Presumably this patch is best applied after installing the cumulative patch mentioned in the previous item in this newsletter.

Microsoft Security Bulletin MS02-039

* Portcullis retracts advisory about old Exchange bug in IIS 4.0 & 5.0

We reported last week that UK-based Portcullis Computer Security claimed that an 'old' Exchange Server 5.5 vulnerability, known as the 'encapsulated SMTP address vulnerability' was also present in the Microsoft SMTP Service component of IIS 4.0 and 5.0. After that issue of the newsletter was posted, Portcullis retracted the claims, following further testing.

IIS SMTP vulnerability claim retraction - portcullis-security.com

* Denial of service in GroupWise 6.0

A buffer overflow leading to a denial of service (by ABEND'ing the server), and possibly allowing remote execution of arbitrary code, has been found in the mail server of GroupWise 6.0.1. When raised with Novell it was discovered that this flaw was already fixed in the beta release of the GroupWise 6 Support Pack 2. As this information has been publicly posted to the 'Full-Disclosure' mailing list, and the overflow is trivial (apparently only requiring a few hundred bytes supplied as an argument to the SMTP 'RCPT' command), administrators of GroupWise boxes facing the Internet may wish to update even though Support Pack 2 is still a pre-release version.

Archived Full-Disclosure list message - netsys.com

Product Updates - novell.com

* Update for PHP fixes critical vulnerability

Stefan Esser, a security researcher at German web developers e-matters, discovered a serious remote code execution vulnerability in the popular web server scripting language, PHP. Affecting v4.2.0 and v4.2.1, exploitation of this vulnerability is said only to allow denial of service, through crashing PHP, on Intel architecture OSes supporting the language. However, on other architectures it is believed that arbitrary code may be supplied with the overflow and executed as the web server user.

PHP v4.2.2, which fixes this critical security flaw, has been released.

PHP remote vulnerability - e-matters.de

Vulnerability in PHP versions 4.2.0 and 4.2.1 - php.net

* US government Windows 2000 security standards available

In past issues of the newsletter we have mentioned various security benchmarks and scoring tools available from the US Center for Internet Security (CIS). The advantage of the CIS approach over many other formal specifications of 'best practice' configuration procedures is that, aside from documenting the standard, CIS also provides tools for concerned administrators to check whether their systems are 'up to scratch' or not. Further, the scoring tools and guidelines provide good advice on what needs doing for a system currently failing the standard to reach an acceptable configuration.

In April a move began to draw up security standards for US government PCs running Windows 2000 (the most commonly deployed OS across US government computers). The CIS, NSA and National Institute for Standards and Technology (NIST) deliberated over the individual standards and guidelines each had previously drawn up for their own catchments, and a week ago the finalized set of standards was released. Fortunately for US government system administrators who will now be required to show their systems are up to scratch, the new standards adopted the CIS approach, modifying the specifications and CIS scoring tools to make it relatively easy for system administrators to run an audit tool against their machines and obtain a measure of their compliance with the standard.

If you have previously used the CIS Windows 2000 security benchmark tool and are interested in the changes made to the security baselines for US government work, or if you are looking for handy tools to use as the basis of your own in-house security standards for Windows 2000 machines, you may want to look around the CIS web site, linked below.

The Center for Internet Security - cisecurity.org
