IDGNet Virus & Security Watch Friday 12 July 2002

This issue's topics:

Introduction:

* Malware firing, IE, PGP plugin, SQL Server, MSDE, Sun ONE web server patches

Virus News:

* Aberdeen council worker fired for releasing virus

* Worming into the news...

Security News:

* Cumulative patch for SQL Server 2000 and MSDE 2000

* Patch for installation security hole in SQL Server 7 & 2000, MSDE 1.0

* More reasons to dump Internet Explorer?

* Update for PGP plugin for Outlook

* Service packs fix buffer overflow in Sun ONE (formerly iPlanet) web server

* No verification in Mac OS X SoftwareUpdate

* SQL Server database security

Introduction:

Shortly after posting last week's newsletter we learned of the firing, earlier last week, of a council worker at Aberdeen City Council for his involvement in a virus infection incident. What little more is known is discussed below. We also explain why any concern about the Gunsan worm can be shrugged off.

On the security front, it seems to be the week for Microsoft SQL Server admins to worry. Aside from two security bulletins about the product from the Redmond software giant, we link to a couple of recently published security research papers that detail further concerns about the product. While the techniques described in those papers require a higher level of access to a server than a typical non-administrative user would have, they show how easily SQL Server security is compromised once such access has been obtained.

These Microsoft security bulletins highlight another issue. MSDE is closely related to SQL Server and is installed either as a standard or optional component of several other products, often on desktop machines. Thus, MSDE is often vulnerable to the same problems as SQL Server itself, but being more likely to be installed on a 'non-administrative' machine or outside the more controlled environment of the typical corporate 'server room', it may be more prone to neglect. (These security bulletins also highlight another issue with MSDE - there is apparently no agreement within Microsoft as to what MSDE stands for. One of the bulletins refers to 'Microsoft SQL Server Desktop Engine' and the other to 'Microsoft Data Engine'...)

Microsoft administrators should also be worrying about their Internet Explorer desktop users. A newly discovered cross-site scripting flaw in IE blows the standard 'Internet' security zone wide open, allowing any web page to spoof any other, steal cookies, read local or remote files and more. If you have not tightened the default security zone restrictions in IE yet, then maybe it is time you did...

We also cover patches for remotely exploitable buffer overflows in the Sun ONE (formerly iPlanet) web server and in the PGP Plugin for Outlook. Finally, administrators of Mac OS X systems should carefully consider the implications of the lack of verification in that platform's SoftwareUpdate function, uncovered this week.

Virus News:

* Aberdeen council worker fired for releasing virus

Aberdeen (UK) City Council fired a temporary worker following a virus outbreak that reportedly crippled the council's IT infrastructure for one day and involved several days of follow-up repair work last week. Few details are forthcoming beyond the suggestion that the virus was not introduced through infected e-mail - by far the most common vector of virus infections these days - and that the virus is known as 'Metrion Cascade 111'. The matter is being investigated by the local police.

Worker gets sack after computer virus traced - Aberdeen Press and Journal

Computer Associates Virus Information Center

Sophos Virus Info

Trend Micro Virus Information Center

* Worming into the news...

Win32/Gunsan.A@mm - a fairly standard mass-mailing worm that is not going anywhere fast - received some undue media attention in the last few days. Aside from attempting to disable various antivirus, personal firewall and debugging programs, which is becoming standard fare, Gunsan's most interesting trick is possibly its searching for .KIX files used by the Kixtart scripting program and adding calls to execute a copy of the worm to these scripts (Kixtart is still popularly used as a much more functional scripting language than NT's command language and Win9x batch, because it runs on both OSes, and because it predated VBS and JS). The worm also alters the 'hosts' file on infected machines, effectively disabling their users' access to several popular antivirus and security web sites by pointing those sites' domains to the localhost IP address (127.0.0.1).

This last trick was mostly responsible for Gunsan garnering its media attention. Aside from several popular antivirus and security sites, it also blocks 'www.theregister.co.uk' - the web site of the UK online IT 'newspaper' 'The Register'. Despite the media attention in the last few days, this worm has been detected by most antivirus programs for several weeks already and there are very few, if any reliable, reports of Gunsan being found in the wild.
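The hosts-file manipulation described above is straightforward to check for from the defender's side. The following Go program is an added example, not code from the newsletter or from any of the vendors it links to: it parses hosts-file syntax (comments, several hostnames per line, trailing dots) and reports any entry that maps a watched security-vendor or news domain to an address, noting loopback mappings in particular. The watchlist and the sample hosts file are constructed for the example; only www.theregister.co.uk is named on the page.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Finding records one hosts-file entry that overrides a watched domain.
type Finding struct {
	Line     int    // 1-based line number in the hosts file
	Host     string // lower-cased hostname as it appears in the entry
	IP       string // address the hostname was mapped to
	Loopback bool   // true when the address is 127.0.0.0/8 or ::1
}

// watchlist holds domains that should never be overridden locally. It is
// constructed for this example; only www.theregister.co.uk is named on the page.
var watchlist = map[string]bool{
	"www.theregister.co.uk": true,
	"www.sophos.com":        true,
	"www.symantec.com":      true,
	"www.trendmicro.com":    true,
	"www.nai.com":           true,
	"www.ca.com":            true,
}

// ScanHosts parses hosts-file content and returns every entry that maps a
// watched domain. Any such mapping is suspicious; a loopback one is the
// classic "block the AV vendor" trick described in the newsletter.
func ScanHosts(content string) []Finding {
	var findings []Finding
	for i, raw := range strings.Split(content, "\n") {
		line := raw
		if idx := strings.IndexByte(line, '#'); idx >= 0 {
			line = line[:idx] // strip trailing comment
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue // blank, comment-only or malformed line
		}
		ip := net.ParseIP(fields[0])
		if ip == nil {
			continue // first field must be an address
		}
		for _, h := range fields[1:] {
			name := strings.ToLower(strings.TrimSuffix(h, "."))
			if watchlist[name] {
				findings = append(findings, Finding{
					Line: i + 1, Host: name, IP: ip.String(), Loopback: ip.IsLoopback(),
				})
			}
		}
	}
	return findings
}

// sampleHosts is a constructed hosts file in the style of a Windows machine
// after a worm has appended its own entries.
const sampleHosts = `# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com www.symantec.com   # added by the worm
127.0.0.1 www.theregister.co.uk
192.168.1.10 intranet.example.local
`

func main() {
	for _, f := range ScanHosts(sampleHosts) {
		fmt.Printf("line %d: %s -> %s (loopback=%v)\n", f.Line, f.Host, f.IP, f.Loopback)
	}
}
```

On a real system you would feed ScanHosts the contents of the platform's hosts file (on Windows NT-family systems it lives under the system directory, on Unix-like systems at /etc/hosts) and alert on any finding; a watched domain pointing to a routable address rather than loopback would deserve even more attention, since that can redirect update traffic rather than merely block it.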

Computer Associates Virus Information Center - Win32.Gunsan

Network Associates Virus Information Library

Sophos Virus Info - W32/Gunsan-A

Symantec Security Response

Trend Micro Virus Information Center - WORM_GUNSAN.A

Security News:

* Cumulative patch for SQL Server 2000 and MSDE 2000

Many administrators of machines running Microsoft SQL Server 2000 or Microsoft Data Engine (MSDE) 2000 will wish to obtain and install the latest cumulative update for these products after checking the security bulletin linked at the end of this item. Aside from including all previously released patches for these products, the new cumulative update also includes patches for three newly announced security flaws with potentially wide-ranging implications. Each of the new security holes is somewhat ameliorated by standard configuration options or best practices, but of course, not all installations are able to work under such limitations. Microsoft rates the severity of each of the new flaws as moderate, with the scope of attack ranging from privilege escalation (to that of the user the Server service runs as) through to possible remote code execution via a buffer overflow.

Microsoft Security Bulletin MS02-034

* Patch for installation security hole in SQL Server 7 & 2000, MSDE 1.0

Another Microsoft SQL Server and MSDE security flaw is fixed with the patch linked from the MS02-035 security bulletin. This is not bundled with the cumulative patch mentioned in the previous item, perhaps because it is more a standalone utility than a patch, and because it applies to a slightly different range of SQL Server-related products.

The issue here is an old one, rehashed in newer versions of SQL Server and its service packs. Way back (just shortly before we started the Virus & Security Watch Newsletter) Microsoft released security bulletin MS00-035 to fix an unfortunate side-effect of a couple of features of the SQL Server and SQL Server service pack installers - their logging of administrative passwords to files that could be read by more than just administrative users. Administrators of machines running any of the Microsoft SQL Server 7, 2000 or Microsoft Data Engine (MSDE) 1.0 products should read the Microsoft security bulletin linked below and decide to what extent, if any, they are 'exposed' by this feature of those products and the appropriate course of action.

Note that MSDE can be installed on 'client' or 'workstation' machines, not just servers. Also note that although MSDE 1.0 is based on SQL Server 7.0 and both products are vulnerable, MSDE 2000 is based on the vulnerable SQL Server 2000 but is not affected by this flaw.

Microsoft Security Bulletin MS02-035

* More reasons to dump Internet Explorer?

Not yet convinced that IE and applications dependent on it for displaying arbitrary HTML content are bad for corporate IT health?

Perhaps the latest IE security vulnerability will change your mind. Thor Larholm, one of the folk behind the 'Unpatched IE holes' web page often featured in our discussions of IE security problems, has discovered a gross cross-site scripting flaw in IE's handling of the HTML 4 'Object' element. In short, the security zone checking on such elements is grossly inadequate and easily spoofed, allowing several forms of cross-site scripting attacks. Larholm's demonstration page provides examples of his page reading a visitor's passport.com cookie (whoops!), reading a text file from the visitor's hard drive (the page simply displays the file in the browser, but could do pretty much anything with it, such as send a copy to another server) and starting an application on the visitor's machine (this is somewhat limited - not a full arbitrary code execution attack). And, just before posting this issue of the newsletter, another researcher showed how Larholm's file-reading example could be extended via the trick (previously mentioned here in relation to other vulnerabilities) of adding a dot character to the end of the requested filename.

Due to the gravity of this cross-site scripting flaw and the fact that it works in the Internet security zone of default-configuration, fully patched, current versions of IE, all IE users are advised to disable the 'Script ActiveX controls marked safe for scripting' security option in IE's 'Internet' zone and to reconsider the sites they consider 'trustworthy' for inclusion in the 'Trusted Sites' zone. (This is, of course, recommended practice anyway - it's just not actually practised all that much...) Fortunately, current versions of Outlook and Outlook Express are in the 'Restricted Sites' security zone by default, and so are protected by the default configuration of that zone.

This flaw takes the tally of known, currently unpatched security flaws in IE to 19 - note the new location of the 'Unpatched IE security holes' page.

IE allows universal Cross Domain Scripting - pivx.com

Unpatched IE security holes - pivx.com

* Update for PGP plugin for Outlook

NAI has released a patch for PGP Desktop v7.0.4 and PGP Freeware v7.0.3 that fixes a remotely exploitable buffer overflow in its popular encryption software. This vulnerability was discovered by security researchers at eEye Digital Security whose advisory, along with NAI's PGP hotfix download page, is linked below. Note that the PGP Corporate Desktop version of the product is not affected by this vulnerability.

Remote PGP Outlook Encryption Plug-in Vulnerability - eeye.com

PGP Hotfix page - nai.com

* Service packs fix buffer overflow in Sun ONE (formerly iPlanet) web server

A remotely exploitable buffer overflow in the Sun ONE (formerly iPlanet) web server that enables execution of arbitrary code supplied by an attacker has been discovered by David Litchfield of NGSSoftware. This overflow, along with a typical assortment of non-security bugs, is fixed in the latest service packs for the Sun ONE web server - SP10 for v4.1 and SP3 for v6.0. Although the fixed buffer overflow is in code that is disabled by default, that code is the web server's built-in search engine, so it seems likely that a fair proportion of iPlanet servers will be open to exploitation of this bug. Administrators of iPlanet web servers are advised to obtain and install the service packs as soon as practicable if they have the native iPlanet search engine enabled on their servers.

iPlanet Search Buffer Overflow - NGSSoftware Security Advisory

Release Notes for Sun ONE Web Server service packs - iplanet.com

Sun ONE web server service pack download site

* No verification in Mac OS X SoftwareUpdate

Computer science student Russell Harding posted an exploit of the Mac OS X SoftwareUpdate process last week. SoftwareUpdate, by default, checks once a week for updates and, if there are any, installs them as the root user. Unfortunately, there is no verification of the updates. The process simply involves an HTTP connection to swscan.apple.com and some trivial parsing of the 'page' returned. Note this is done over plain HTTP and doesn't even use HTTPS. Thus, the process is vulnerable to DNS-spoofing style attacks and, as there is no verification of the file content of retrieved updates (such as a cryptographic signature), the integrity of the update process depends entirely on the assumptions that the client's DNS is always reliable and that swscan.apple.com has not been hacked. Hopefully Apple will remedy these flaws in short order (and presumably ship the update via SoftwareUpdate...).
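What is missing from the process described above is an integrity check that does not depend on DNS or on the transport. The Go program below is an added example, not Apple's code or anything the newsletter describes: the publisher signs a small update manifest (product, version, SHA-256 of the package) with an Ed25519 key, and the client verifies the manifest against a public key pinned in the client before checking the downloaded package against the signed digest. The manifest layout, the key handling and the sample payload are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed update description that the client would fetch.
// Its layout is an assumption for this example, not any vendor's real format.
type Manifest struct {
	Product string
	Version string
	SHA256  string // hex-encoded digest of the package bytes
}

// Bytes returns the canonical byte form that is signed and later verified.
func (m Manifest) Bytes() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// NewManifest computes the package digest so the signature binds the package too.
func NewManifest(product, version string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	return Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// MustGenerateKeyPair stands in for the publisher's key generation; the public
// half is what a real client would ship with, pinned.
func MustGenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the publisher-side step, done offline with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
	ErrHashMismatch = errors.New("package digest does not match the signed manifest")
)

// VerifyUpdate is the client-side step. Because the key is pinned in the client,
// neither a spoofed DNS answer nor a compromised server can supply a manifest that
// verifies, and a swapped package fails the digest check even when the manifest is genuine.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.Bytes(), sig) {
		return ErrBadSignature
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return ErrHashMismatch
	}
	got := sha256.Sum256(pkg)
	if !bytes.Equal(got[:], want) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := MustGenerateKeyPair()
	pkg := []byte("constructed update payload") // stands in for the downloaded package
	m := NewManifest("ExampleOS", "10.1.5", pkg)
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:  ", VerifyUpdate(pub, m, sig, pkg))
	fmt.Println("swapped package: ", VerifyUpdate(pub, m, sig, []byte("trojaned payload")))
	forged := m
	forged.Version = "10.1.6" // attacker edits the manifest in transit
	fmt.Println("altered manifest:", VerifyUpdate(pub, forged, sig, pkg))
}
```

The order of the checks matters: the signature is verified before anything in the manifest is trusted, and only then is the package hashed and compared. Transport security (HTTPS) would still be worth having to keep the check for updates private and to stop trivial downgrade games, but the signature is what makes the integrity of the installed code independent of where the bytes came from.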

MacOS X SoftwareUpdate Vulnerability - Harding's personal web site

* SQL Server database security

Security researchers at Next Generation Security Software (NGSSoftware) have posted a couple of research papers at the company's web site detailing various aspects of Microsoft SQL Server database security and the cracking thereof. In light of the vulnerabilities described elsewhere in this newsletter, SQL Server admins may be interested in reading these.

Microsoft SQL Server Passwords: Cracking the password hashes (PDF)

Violating Database-Enforced Security Mechanisms (PDF)
