IDGNet Virus & Security Watch Friday 21 June 2002


This issue's topics:

Introduction:

* Office, Gopher hole, MS Jet, Apache and CISCO VPN Client patches; Xbox hacking

Virus News:

* New Yaha variant ramping up

* Much ado about Nimda...

Security News:

* Cumulative patch for Word/Excel/Office 2000, 2002 & XP security flaws

* Closing a Gopher hole

* Microsoft Jet 4.0 Service Pack 6 release includes security fixes

* Major Apache security hole fixed

* Privilege escalation in Cisco VPN Client for non-Windows platforms

* Hacking the Xbox...

Introduction:

Despite a new variant of the Win32/Perrun virus being released this week, there were no accompanying press releases. Perhaps the vendor agreed with the general criticism following last week's press release, or perhaps 'virus infects text files' is sufficiently mundane and 'unsexy' as to not have the media appeal of a 'JPEG infector'? Staying with viral issues, we briefly cover a new Yaha variant which just may be heading for a weekend ramp up, and mention the furore over Microsoft shipping a CD with the Nimda virus on it...

Turning to security matters, there is a cumulative patch for Office 2000 and XP, Word and Excel 2000 and 2002 users, patches from MS for two of the three platforms affected by the Gopher hole mentioned in last week's coverage of MS02-027, and an update for MS Jet 4.0 has been slipped out that includes some security fixes.

The Apache web server has been found vulnerable to a data chunking security exploit and the Cisco VPN Client software on all but the Windows platforms has been found vulnerable to a local privilege escalation bug. Finally, we include a couple of links to show the extent to which hardware hackers will go when presented with a 'challenge' such as the 'uncrackable' Xbox gaming console.

Virus News:

* New Yaha variant ramping up

Although it should not take hold as Klez (which is still going strong) has, Yaha.E has shown a small spurt in the last 24 hours, suggestive of a modest outbreak somewhere. Yaha.E (or Yaha.F or Yaha.G depending on which antivirus developer you listen to) is a mass-mailing virus that sends messages with Subject lines, message bodies and attachment names randomly selected from a large list of strings it carries in its body for just this purpose. Although the numbers currently being reported at prevalence tracking sites are not high enough to suggest a full scale alert, they have been slowly but steadily climbing. There may be enough such activity to expect a number of samples to arrive over the weekend. If you haven't already, make sure your Email scanners are up-to-date and/or your attachment filtering policies are working properly before heading home this weekend.

Computer Associates Virus Information Center - Win32.Yaha.E

F-Secure Security Information Center - Yaha.E

Network Associates Virus Information Library - W32/Yaha.g@MM

Sophos Virus Info - W32/Yaha-E

Symantec Security Response - W32.Yaha.F@MM

Trend Micro Virus Information Center - WORM_YAHA.E

* Much ado about Nimda...

Microsoft was reported this week to have shipped the Nimda virus on the Korean language version of Visual Studio .NET (VS .NET) developer tools. Despite the extent of coverage the story garnered, it is very unlikely any customers who receive the affected CDs will become infected. The affected files are compressed help files of a format only supported in recent versions of some Microsoft tools. Further, these files are not installed as part of the VS .NET installation and are not linked to from any other help files in the distribution.

Further, if the files were found and extracted manually by an inquisitive user, running them would not automatically activate the virus. The form in which Nimda is present on the affected disks depends on a pre-IE 6.0 security hole, and the .NET development environment requires IE 6.0 or later, so that would have been installed on VS .NET machines.

In the unlikely event any of our readers are using the Korean language version of VS .NET, as well as a news story covering the issue in more detail, we have included a link to the Microsoft patch for this problem. The Microsoft page also links to a KnowledgeBase article explaining how affected customers can order replacement CDs that do not carry the viral files at all.

Microsoft Inadvertently Shares Nimda Worm - pcworld.com

Important Korean Visual Studio .NET Help File Update - microsoft.com

Security News:

* Cumulative patch for Word/Excel/Office 2000, 2002 & XP security flaws

Microsoft has released new cumulative patches for Word, Excel and Office product versions in the Office 2000 and XP suites (just to confuse issues, Word 2002 and Excel 2002 are the versions of these products in Office XP). These patches repair several flaws in Word and Excel that can allow macro and script code in documents or spreadsheets to bypass the normal macro security checks that should alert the user or prevent the code running. Most of the exploit scenarios are fairly contrived or, under default configurations, require the user to agree to continue with the action after some form of warning that the action may not be safe. In light of this, Microsoft rates none of the vulnerabilities higher than moderate severity, and that is also the combined severity rating it ascribes to the set of vulnerabilities.

Microsoft Security Bulletin MS02-031

* Closing a Gopher hole

Further to last week's description of its official response and workarounds to the Gopher protocol problem, Microsoft has released patches for two of the three product families open to this vulnerability. Patches addressing this vulnerability in Proxy Server 2.0 and ISA Server 2000 are now available from the relevant links in the security bulletin. IE patches are still being developed or tested.

Microsoft Security Bulletin MS02-027

* Microsoft Jet 4.0 Service Pack 6 release includes security fixes

David Litchfield of NGSSoftware recently discovered a remotely exploitable buffer overflow in the OpenDataSource function of SQL Server 2000. Further testing, confirmed by Microsoft security response staff, shows that the problem is actually in the MS Jet database engine and Microsoft recommends installing the latest service pack release for Microsoft Jet 4.0 to remove this vulnerability. Note that although this flaw was discovered while testing SQL Server, the problem is actually in the MS Jet Engine, so any product using that database engine is also potentially at risk. We have linked to NGSSoftware's Security Advisory and the Microsoft KnowledgeBase article describing the Microsoft Jet 4.0 Service Pack 6 upgrade process.

OpenDataSource Buffer Overflow - NGSSoftware Security Advisory

Updated Version of Microsoft Jet 4.0 Available - microsoft.com

* Major Apache security hole fixed

Versions of the Apache web server based on v1.2.2 and above have been found vulnerable to remotely exploitable buffer overflows in their handling of 'chunk encoding' of large data transfers. The impact of exploits of this vulnerability differs with the platform and version of Apache, ranging from possible denial of service through to remote execution of arbitrary code. Several exploits of the vulnerability have been published, and with Apache running over 50% of all publicly accessible web servers, obtaining the updates and patching this hole should be a top priority for all Apache administrators. As there are many and varied ways of obtaining and maintaining Apache web server code, we have only provided links to the CERT Coordination Center advisory, which summarizes many vendors' positions on patch availability, and to the Apache Security Bulletin.

Apache Security Advisory 20020617 - apache.org

CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability

* Privilege escalation in Cisco VPN Client for non-Windows platforms

Cisco has released fixes for a local privilege escalation vulnerability discovered in VPN Clients for Linux, Solaris and Mac OS X. Details of the vulnerability, which involves a buffer overflow via an overlong command line option, have been made public but no publicly available exploit is known yet. Updates to v3.5.2 of Cisco VPN Client software are freely available to all customers - details of how to obtain the updates are in the Cisco Security Advisory, linked below. Note that this vulnerability is thought to affect v3.5.1 and all previous versions for the Linux, Solaris and Mac OS X platforms, but does not affect any Windows version of the software.

Cisco Security Advisory: Buffer Overflow in UNIX VPN Client

* Hacking the Xbox...

To what lengths will determined hackers go to break new systems or ones they are especially motivated to crack? Perhaps MIT student Andrew Shane ('bunnie') Huang's exploits in breaking the encryption system that was supposed to prevent reverse-engineering of Microsoft's new gaming consoles are a good example. After early trial and error, he discovered how to snoop an internal data bus in the Xbox using a US$50 programmable signal analyser and a fair whack of ingenuity. Some of his other games console hacking exploits can be seen at other pages linked off his Xbox hacking page (linked below). This is no weekend hacker cakewalk though - bunnie is the kind of person who thinks little of 'decapping' expensive CPU and other ASIC chips, dissolving chip packages in sulphuric acid and taking to the motherboards of these devices with soldering irons so fine you need a microscope to be sure to do the job properly.

bunnie's adventures hacking the Xbox - mit.edu

Keeping Secrets in Hardware - mit.edu (PDF format)
