IDGNet Virus & Security Watch Friday 14 June 2002


This issue's topics:

Introduction:

* Your JPEGs are safe, MSN Chat control, BlackICE, IIS, SQL & Oracle Server patches

Virus News:

* JPEG files still not 'infectible'

Security News:

* Microsoft's official word on the 'Gopher hole'

* Patch for remote arbitrary code execution flaw in IIS 4.0 & 5.0

* RAS allows local privilege escalation on NT, Windows 2000 & XP

* Patch fixes two Microsoft SQLXML vulnerabilities

* Updated patch for MSN Messenger Chat control buffer overflow

* Two more remote code execution vulnerabilities in Oracle servers

* BlackICE Agent may not resume from standby

Introduction:

I suspect it's the beginning of the northern hemisphere silly season for virus stories. The only item worth noting on the virus front this week is the non-issue (though possibly brewing into a media item as I write) about the so-called 'first JPEG file infector'. This is all abject nonsense and the less said about it the better. Of course, with a press release out from one of the biggest antivirus developers, it's not likely to go away without adding more unnecessary confusion to the mix.

For the security conscious, however, we have several big-ticket items requiring immediate attention. It seems forever since there were four new Microsoft security bulletins released in one week, and to top that, an earlier one was revised with a set of updated patches being released for the month-old MSN Chat control vulnerability reported in MS02-022.

As for the new MS bulletins, there is the official position on the gopher protocol vulnerability mentioned last week (it affects more than just IE), plus critical patches for IIS 4.0 and 5.0 and for RAS, and a patch for a moderately severe flaw in an SQL Server component.

Oracle server administrators have some patching to do with two new vulnerabilities. Both are critical for Windows systems, with the first affecting all systems running Oracle and the other only affecting Windows hosts. Lastly, a problem with BlackICE not always restarting properly following a standby/resume 'power cycle' has been fixed.

Virus News:

* JPEG files still not 'infectible'

Despite recent hype started by antivirus developer Network Associates (parent company to McAfee.com and makers of the virus detection engines used by McAfee brand antivirus products), JPEG image files are not 'infectible'. Apparently some Network Associates staff, and those at other antivirus developers, have misunderstood the implications of a new virus known as Win32/Perrun.

While Perrun does modify JPEG files by copying part of its code to the end of the image file, passing that file to another user does not result in their system becoming infected. The other part of Perrun will load the code added to a JPEG file into memory and run it _if Perrun is already active on the system viewing the JPEG file_. Thus, JPEG files modified by Perrun are not infective to other systems (ones not already infected) and it is dubious that anything meaningful is being said when a file modified by a virus can only infect a system if the system is already infected.
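The check a scanner can apply to images modified the way Perrun modifies them (code appended after the end of the picture), as an added example that is not from the newsletter or from any antivirus product: it walks the JPEG marker structure to find the real end-of-image marker and reports any bytes that follow it. The sample files are constructed, and the appended trailer is labelled filler, not virus code.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the structurally valid EOI marker.

    Walks the marker segments instead of searching for the last FF D9, so
    appended data that itself contains FF D9 does not fool the check.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                        # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                         # a real marker, not stuffing or RSTn
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")

def trailing_bytes(data: bytes) -> bytes:
    """Everything after the image proper; empty for a normal JPEG."""
    return data[jpeg_end_offset(data):]

# Constructed minimal JPEG: SOI, one APP0 segment, an SOS header, a few
# entropy-coded bytes (with a stuffed FF00 and an RST0 marker), then EOI.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + EOI
)
# Constructed Perrun-style sample: the same image with filler appended after EOI.
APPENDED_JPEG = CLEAN_JPEG + b"\xff\xd9<constructed filler, not real virus code>"

def report(files: dict) -> dict:
    """Map file name -> count of trailing bytes, only for files that have any."""
    return {name: len(trailing_bytes(blob)) for name, blob in files.items() if trailing_bytes(blob)}
```

Trailing data is a signal to look closer, not proof of infection: some cameras and editors also append metadata after EOI, so a hit should be reviewed rather than treated as a detection on its own.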

Security News:

* Microsoft's official word on the 'Gopher hole'

Last week we reported the discovery by Online Solutions, Finland of an exploitable buffer overflow in Internet Explorer's handling of the gopher protocol. Microsoft has now released a security advisory, describing the problem and acknowledging that it also affects its ISA Server 2000 and Proxy Server 2.0 products.

ISA server and Proxy Server independently include the same vulnerable gopher protocol handling code as used in IE. Microsoft is still working on patches and until they are released it recommends users of any of the affected products to make workarounds to protect their installations. Configuration options available in all affected products allow effective blocking of the gopher protocol, thus removing any potential exposure to attack via this vulnerability, but at the expense of blocking gopher functionality entirely. Microsoft severity rating for this vulnerability is critical on all platforms that normally run the affected products, so following the workaround advice in the security bulletin is highly advised.

However, note that the comment in the bulletin that blocking the gopher protocol port (TCP 70) at perimeter firewalls will protect against attempts to exploit this vulnerability is short-sighted, naive even. Port 70 is the conventional default gopher port, but the gopher protocol can run over any port, so relying only on perimeter blocking of port 70 is far from a sufficient solution. Also, some users have reported subsequent problems with Windows Media Player (and possibly some other third-party Internet-aware applications) after applying the IE workaround. It is suspected this may be because the workaround step explaining how to ensure that the gopher proxy setting does not also become the default proxy (a setting that is enabled by default) has not been followed.

Microsoft Security Bulletin MS02-027

* Patch for remote arbitrary code execution flaw in IIS 4.0 & 5.0

A flaw in the HTR chunked encoding functionality of IIS 4.0 and 5.0 has been patched. Similar to another vulnerability patched in the previous IIS cumulative update, this one can be exploited to open the possibility of the server executing remotely supplied code. On a vulnerable IIS 4.0 server such code would run under the local system security context, and although such an exploit would not gain local system privileges under IIS 5.0, it would still run with privileges significantly elevated relative to a normal user.

Microsoft rates the severity of this vulnerability as moderate. Despite this, unless HTR scripting functionality is necessary (in which case the patch should be installed), the better course of action would be to lock down your servers by removing unnecessary functionality, as per standard best practices guidelines. Neither IIS v5.1 nor any of the v6.0 beta releases is vulnerable to this flaw.

Microsoft Security Bulletin MS02-028

* RAS allows local privilege escalation on NT, Windows 2000 & XP

Microsoft has released a patch for a serious local privilege escalation attack. Although Microsoft rates this vulnerability as critical on some Intranet servers, its severity rating of 'moderate' on client systems downplays the seriousness of this vulnerability in the newsletter compiler's opinion. Although no exploits are known to be in circulation, as soon as one is released, this vulnerability gives anyone with local login rights and the ability to alter a RAS phonebook entry the ability to trivially raise their privileges to administrator level. As well as the standard Microsoft security bulletin link, we link to the security advisory written by the discoverer of this vulnerability. The latter provides more details of the flaw and how easily it could be used to subvert local security should an exploit become available. (Unfortunately, the Next Generation Security Software advisory had not been posted at the company's web site by submission time for the newsletter, so we have linked to an archived copy that was posted to a security mailing list.)

The vulnerability results from a buffer overflow in Remote Access Service (RAS) code that handles RAS phonebook entries. A suitably constructed, 'overlong' entry can be added to a RAS phonebook and when selected for use as a dial-up connection, the overflow occurs in a RAS service component that runs with local system privileges and thus can do pretty much anything, such as elevate the current user to be a member of the Administrators group. Administrators of all NT, Windows 2000 & XP systems should consider carefully whether they need this patch.

Microsoft Security Bulletin MS02-029

Archived Bugtraq list message - securityfocus.com

* Patch fixes two Microsoft SQLXML vulnerabilities

Vulnerabilities allowing a remote code execution exploit and a possible client-side script privilege elevation are fixed with an SQLXML patch released by Microsoft. Despite one opening the possibility of a remote code execution exploit, both vulnerabilities are rated as moderate severity due to the mitigating circumstances raising complexities to slow or prevent an attacker hoping to exploit them.

SQLXML is only available for SQL Server 2000 and all versions are vulnerable. However, version 1 of SQLXML is no longer supported and users of that version are recommended to upgrade to a later version and then install the appropriate patch. Note that the version shipped with SQL Server 2000 is not version 1 and has its own patch.

Microsoft Security Bulletin MS02-030

* Updated patch for MSN Messenger Chat control buffer overflow

About a month ago we reported the release of MS02-022 and the associated patches to fix a remotely exploitable buffer overflow in the MSN Chat control. Microsoft has revised that patch to prevent older, vulnerable versions of the MSN Chat control being reintroduced to a patched system. Anyone who installed the original patches and updates distributed with MS02-022 should obtain the new patches and updates and apply them.

Microsoft Security Bulletin MS02-022

* Two more remote code execution vulnerabilities in Oracle servers

Perhaps cementing Oracle's position as the most over-hyped 'unbreakable' server of the year, Mark Litchfield of Next Generation Security Software has released security advisories describing two more remote code execution vulnerabilities in Oracle 9i and 9iAS. The first vulnerability is a buffer overflow in a 9iAS CGI script that allows code injection into a process running with the privileges of the web server. On Unix machines this is typically a fairly constrained account, but on Windows servers it may be a highly privileged account or even LocalSystem, depending on the web server Oracle runs atop.

Litchfield reports the second vulnerability is a buffer overflow in the Oracle TNS Listener. An attack against this vulnerability may be especially pernicious because the overflow occurs _before_ the network request causing the overflow is logged, making detection of such attacks much harder.

Oracle has released patches for both vulnerabilities. These are available from MetaLink under patch numbers 2356680 and 2367681 respectively.

Oracle 9iAS Reports Server - NGSSoftware Security Advisory

Oracle TNS Listener Buffer Overflow - NGSSoftware Security Advisory

* BlackICE Agent may not resume from standby

Security researchers at KPMG discovered that BlackICE Agent v3.1eal running on a Windows 2000 laptop did not always reactivate when the laptop resumed from standby mode. This means that, following a standby/resume cycle, the firewall may be inactive but the user would not be aware of this. The v3.1ebh release fixes this flaw and is available from Internet Security Systems' web site. The reports linked below suggest that this may only be a problem with the specific version of BlackICE Agent, but users of any v3.1 build should probably check. Also, considering that it is increasingly common to use the power-saving features in desktop machines, including standby options, this problem may not be restricted just to laptop users.

Archived Bugtraq list message - securityfocus.com BUG-ID: 2002019

BlackICE Agent may not reactivate after standby - iss.net
