IDGNet Virus & Security Watch Friday 28 June 2002

This issue's topics:

Introduction:

* Media Player, Commerce Server, OpenSSH, mod_ssl patches, web security

Virus News:

* Yaha.E slow to take off but...

Security News:

* Critical Windows Media Player updates

* Patches for critical bugs in Microsoft Commerce Server 2000 & 2002

* Windows Software Update Services simplifies patch process

* Critical OpenSSH upgrade

* Update fixes remote code execution in mod_ssl

* Linux (& other Unix?) Acrobat reader 5.05 temp file insecurity

* Security guidelines for web application and service developers

Introduction:

There is nothing of much significance to report on the virus front this week, so long as you heeded last week's warning about Yaha.E. On the security side, though, several 'big' applications need patching. Following on the heels of last week's major Apache security hole, many administrators of Apache 1.3 systems will be busy again, this time patching mod_ssl to remove a remote code execution hole. Another encryption product, OpenSSH, also has a remote code execution hole to patch; be aware that several other products with components built from the open source OpenSSH project are affected by this bug too. As the products mentioned so far are largely deployed on Unix and Linux platforms, we'll also mention that the Adobe Acrobat reader for those OSes has a rather ugly temp file problem that can be easily worked around (at least for the less technical of your 'typical users') with a wrapper script.

Windows administrators with Media Player users or Commerce Server 2000 and/or 2002 machines also have critical patches to apply. For both products, potential remote code execution bugs have been patched. Also, Windows system administrators may be interested in reading about Microsoft's Software Update Services products that allow you to bring much of the Windows Update service 'in house', reducing Internet traffic and allowing you to stage and schedule the roll out of critical patches and security updates for your Windows 2000 and XP servers and desktops.

Finally, regardless of your preferred OS, organizations involved in designing or maintaining web sites should find something of interest in the security advice provided in the first guide released by the Open Web Application Security Project.

Virus News:

* Yaha.E slow to take off but...

Our prediction last week that Yaha.E may just have had the cunning and luck to take off seems to have been borne out. Although far from reaching the level of infection being reported for Klez, Yaha.E has achieved a rate of infection in the last week that we have seen very few times for new viruses this year.

Computer Associates Virus Information Center - Win32.Yaha.E

F-Secure Security Information Center - Yaha.E

Network Associates Virus Information Library - W32/Yaha.g@MM

Sophos Virus Info - W32/Yaha-E

Symantec Security Response - W32.Yaha.F@mm

Trend Micro Virus Information Center - WORM_YAHA.E

Security News:

* Critical Windows Media Player updates

Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP are vulnerable to several newly announced security flaws, given a combined severity rating of critical and fixed in the latest cumulative patch for the affected products. Besides all previously released Media Player fixes for the supported versions of the software, the patch addresses an information disclosure bug (which could easily be leveraged for more serious mischief), a script execution bug that can defeat the security zone model and, on Windows 2000 only, a privilege escalation bug that hands local system privileges to anyone who can log on locally to a vulnerable machine.

As usual, more details and patch locations are available from the Microsoft security bulletin linked below.

Microsoft Security Bulletin MS02-032

* Patches for critical bugs in Microsoft Commerce Server 2000 & 2002

Microsoft has released a patch that fixes four vulnerabilities in Commerce Server 2000 and 2002. In the worst case, remote arbitrary code execution via an exploitable buffer overflow is possible, deserving the 'critical' severity assessment from Microsoft. Administrators of systems running either version of Commerce Server should obtain and install the patches as soon as practicable. Neither the standard nor the 'Commerce Edition' of Microsoft Site Server 3.0 is affected by these vulnerabilities, as the affected components are not shipped with the Site Server 3.0 products.

Microsoft Security Bulletin MS02-033

* Windows Software Update Services simplifies patch process

Microsoft has released its Software Update Services (SUS). SUS is a set of Windows 2000 server and workstation tools that effectively updates the Windows Update service in Windows 2000 to the functionality offered in its Windows XP iteration. The server part of SUS runs on a Windows 2000 server with IIS and allows system administrators to set up a local update server rather than having all their workstation clients head off to Microsoft's Windows Update servers. Implementing SUS is not a trivial task, so Microsoft does not envisage that small businesses are very likely to undertake its implementation (but may do so through a third-party service provider, such as their usual software supplier or maintenance service).

Note that SUS does not support Win9x, ME or NT clients and the SUS server cannot be installed on an Active Directory domain controller nor the Small Business Server edition. SUS also does not support rolling out service packs nor will it provide patches for 'non-OS products' such as Office, SQL Server and Exchange Server. It appears that SUS is intended to be a fairly simple mid-range service that will not put much pressure on sales of Microsoft's Systems Management Server (SMS) product. However, SUS may be worthwhile simply in terms of the Internet bandwidth it could save a modest-sized company network. The SUS home page, itself providing a series of whitepapers, FAQs and, of course, links to the download locations, is linked below for those interested in SUS.

Software Update Services - microsoft.com

* Critical OpenSSH upgrade

This has garnered a huge amount of attention, and not all of it favourable, during the week. A remote root vulnerability in many widely deployed versions of OpenSSH was discovered by ISS security researchers, who alerted the OpenSSH maintainers and worked with them to develop a fix before publicly announcing their findings. However, before the details of the flaw and the availability of fixes were announced, early this week the OpenSSH maintainers publicly stated that there was a (then) unfixed critical security flaw and that upgrading to a version with privilege separation (or enabling privilege separation in deployed versions supporting the option) prevented the flaw from being exploited, even though the pre-v3.4 code still contained the unpatched vulnerability.

The upshot of this was that many OpenSSH administrators upgraded or rebuilt their OpenSSH code and redeployed it with privilege separation. In some cases this caused problems with other authentication components (such as some Kerberos and PAM modules). This should not have been surprising: the OpenSSH maintainers acknowledged in their 'get privilege separation working' advisory that such problems should be all but expected in some cases because, in their view, many third-party developers had been reluctant to cooperate with efforts to iron out the implementation issues in getting privilege separation working properly. (Privilege separation splits the daemon into more than one process, leaving only the code that must run with raised privileges to do so and running the rest as a very restricted user. It is a form of 'divide and conquer' in which most code, and therefore, hopefully, most exploitable bugs, runs under the least-privilege principle. If an exploitable bug is found in such a daemon, the odds are that it will be in code that runs without sufficient privilege to do any damage.)

So, at the beginning of the week, OpenSSH users were scrambling to evaluate and/or implement a privilege separated version of the service. Now, come the end of the week, the security advisories for the actual vulnerability and for the accompanying patches have been released, so it's 'update OpenSSH again' time. (The earlier 'get privilege separation working' advisory had said the new OpenSSH version patching this remote exploit would not be released until 'early next week'.)

Whether you have already implemented privilege separation in OpenSSH or not, there is now a patch to fix a remotely exploitable buffer overflow that allows a remote attacker to obtain the privileges of the sshd process (usually root). OpenSSH users should update to v3.4. Finally, note that the vulnerability only affects certain configurations of OpenSSH: the OpenSSH advisory clearly identifies the ChallengeResponseAuthentication config option, but it suggests that some other configurations may also be susceptible.

Revised OpenSSH Security Advisory (adv.iss)
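Two checks an administrator can script for this week's OpenSSH advisories, as an added example that is not part of the newsletter or of the OpenSSH project's own material: one compares the version banner that 'ssh -V' prints against the fixed release (3.4), the other reads an sshd_config and reports whether the challenge-response path the advisory names is enabled and whether privilege separation, the interim mitigation, is on. The sshd_config samples are constructed for the demonstration. The config check inspects only the two directives the advisories name, ChallengeResponseAuthentication and UsePrivilegeSeparation, so it says nothing about the 'other configurations' the advisory hints at; an absent ChallengeResponseAuthentication is treated as 'yes', the sshd_config(5) default, and an absent UsePrivilegeSeparation is not treated as safe because its default is version-dependent.

```shell
#!/bin/sh
# Added example, not from the newsletter or the OpenSSH project: two checks for
# this week's advisories, run against a version banner and an sshd_config.
# The sample configs below are constructed for the demonstration.

# is_fixed_version BANNER: BANNER is the string 'ssh -V' prints (on stderr),
# e.g. "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f".
# Returns 0 for OpenSSH 3.4 or later, 1 for older, 2 if it is not OpenSSH.
is_fixed_version() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                          # $1 = major, $2 = minor
    [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 4 ]; }
}

# get_directive FILE KEYWORD: print the effective value of a keyword, lower
# cased. sshd keywords are case-insensitive, '#' starts a comment and the
# first uncommented occurrence wins; prints nothing if the keyword is absent.
get_directive() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# assess_sshd_config FILE: prints one word and returns 1 only for "exposed".
#   exposed        challenge-response on, privilege separation not confirmed on
#   mitigated      challenge-response on, privilege separation on (the overflow
#                  is still in the code; upgrade anyway)
#   not-reachable  challenge-response off
# Absent ChallengeResponseAuthentication counts as "yes" (sshd_config(5)
# default). Absent UsePrivilegeSeparation is NOT assumed safe, because that
# default is version-dependent. Other configurations the advisory hints at
# are outside what this check can see.
assess_sshd_config() {
    cra=$(get_directive "$1" ChallengeResponseAuthentication)
    [ -n "$cra" ] || cra=yes
    privsep=$(get_directive "$1" UsePrivilegeSeparation)
    if [ "$cra" != yes ]; then
        echo not-reachable
    elif [ "$privsep" = yes ]; then
        echo mitigated
    else
        echo exposed
        return 1
    fi
}

# --- demonstration on constructed samples -----------------------------------
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/stock.conf" <<'EOF'
# constructed: directives commented out, so the defaults apply
Port 22
#ChallengeResponseAuthentication yes
#UsePrivilegeSeparation no
EOF
cat > "$SAMPLES/privsep.conf" <<'EOF'
# constructed: the interim advice from earlier in the week
Port 22
UsePrivilegeSeparation yes
EOF
cat > "$SAMPLES/nocra.conf" <<'EOF'
# constructed: challenge-response switched off entirely
challengeresponseauthentication no
EOF
for f in stock privsep nocra; do
    printf '%-8s %s\n' "$f:" "$(assess_sshd_config "$SAMPLES/$f.conf")"
done
rm -rf "$SAMPLES"

for banner in "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" \
              "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f"; do
    if is_fixed_version "$banner"; then verdict=fixed; else verdict=upgrade; fi
    printf '%s -> %s\n' "${banner%%,*}" "$verdict"
done
```

Feed is_fixed_version the output of 'ssh -V 2>&1' on the host, but remember that the client banner is not proof of what sshd is running: check the package or binary that actually provides sshd, and after the upgrade restart the daemon, since the running process keeps the old code until it does.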

* Update fixes remote code execution in mod_ssl

A remote code execution vulnerability has been found in systems running Apache 1.3 with mod_ssl v2.8.9 and earlier. Apache 2.0 is thought not to be vulnerable. The vulnerability depends on the 'backward compatibility' compilation option, but this is enabled in the default mod_ssl build. Administrators of Apache 1.3 systems running mod_ssl should upgrade to mod_ssl v2.8.10 as soon as practicable as at least one proof of concept exploit (for OpenBSD) has been written for this vulnerability.

Archived Bugtraq list message - securityfocus.com - mod_ssl

mod_ssl ChangeLog - modssl.org

* Linux (& other Unix?) Acrobat reader 5.05 temp file insecurity

Although temp file permissions flaws are legion, we seldom mention them in the newsletter because so many of them affect such 'minority' products. Adobe Acrobat hardly fits that bill and, as proprietary software, it will only be 'properly fixed' with the release of a subsequent product upgrade. Further, a workaround (involving a wrapper script) is possible in this case, so it seems worth mentioning. Below we link to an archived copy of a message posted to the Bugtraq mailing list describing the problem and suggesting a workaround to cover users until Adobe releases a fixed version of this popular application.

Archived Bugtraq list message - securityfocus.com - Acrobat 5.05 temp file insecurity
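The shape such a wrapper script takes, as an added example rather than the script from the Bugtraq post or anything from Adobe: it starts the program with a freshly created, owner-only temp directory so that whatever the program drops in 'temp' cannot be pre-planted or symlinked by another local user. It assumes, which the page does not state, that the wrapped program honours the TMPDIR (or TMP/TEMP) environment variable; REAL_ACROREAD is a placeholder name chosen here for the path of the real binary, and the demonstration at the bottom runs a plain shell command in place of Acrobat Reader so the script works on a machine without it.

```shell
#!/bin/sh
# Added example, not the script from the Bugtraq post nor anything from Adobe:
# a wrapper that starts a program with a freshly created, owner-only temp
# directory so that whatever the program drops in "temp" cannot be pre-planted
# or symlinked by another local user. Assumption (not stated on the page): the
# wrapped program honours $TMPDIR (or TMP/TEMP).

umask 077    # everything this shell and its children create starts out private

# make_private_tmpdir [BASE]: create a fresh mode-0700 directory under BASE
# (default $TMPDIR, else /tmp) and print its path. mktemp -d relies on mkdir,
# which fails instead of following a pre-planted symlink or reusing a
# directory another user created; that is the property that defeats races on
# a predictable /tmp name.
make_private_tmpdir() {
    base="${1:-${TMPDIR:-/tmp}}"
    mktemp -d "$base/private.XXXXXX"
}

# tmpdir_is_private DIR: 0 when DIR is a directory with permissions rwx------.
tmpdir_is_private() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# run_with_private_tmp PROGRAM [ARGS...]: run PROGRAM with TMPDIR (and the
# older TMP/TEMP spellings) pointing at a private directory, remove the
# directory afterwards and pass PROGRAM's exit status through. No exec here,
# on purpose: the cleanup has to run after the program exits.
run_with_private_tmp() {
    dir=$(make_private_tmpdir) || return 1
    tmpdir_is_private "$dir" || { rm -rf "$dir"; return 1; }
    TMPDIR="$dir" TMP="$dir" TEMP="$dir" "$@"
    status=$?
    rm -rf "$dir"
    return "$status"
}

# Wrapper entry point. Install a copy of this script as 'acroread' ahead of
# the real binary on PATH and set REAL_ACROREAD to that binary's path
# (REAL_ACROREAD is a placeholder name assumed here, not an Adobe setting).
acroread_wrapper() {
    run_with_private_tmp "${REAL_ACROREAD:?set to the real acroread binary}" "$@"
}

# Demonstration with a shell command standing in for Acrobat Reader, so the
# script runs on a machine without it: show where the private directory is
# and that a file created inside it is owner-only.
run_with_private_tmp sh -c 'printf "private temp is %s\n" "$TMPDIR"
                            : > "$TMPDIR/scratch"; ls -l "$TMPDIR/scratch"'
```

The umask and the per-run directory cover files the program creates under TMPDIR; a program that hard-codes /tmp, or that opens its temp files with a fixed name and O_TRUNC rather than O_EXCL, gets no protection from the wrapper alone, which is why the page calls the wrapper a workaround rather than a fix.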

* Security guidelines for web application and service developers

The Open Web Application Security Project (OWASP) is a collaborative effort involving web developers from around the world developing tools and documentation to improve the security of web applications. OWASP has just released its 'Open Web Application Security Project Guide to Building Secure Web Applications'. It is available online, under the GNU Free Documentation License, in PDF and HTML formats. As a collection of agreed best practice, this should be a useful resource for web developers. We have linked to the OWASP home page, which (currently) sports prominent links to the guide itself.

The Open Web Application Security Project home page
