IDGNet Virus & Security Watch Friday 7 June 2002


This issue's topics:

Introduction:

* ASP.NET patch, BIND & sendmail updates, IE configuration fixes and two worms

Virus News:

* Would you look a gift singer in the mouth?

* And be wary of World Cup gift offers too...

Security News:

* Patch fixes buffer overflow in ASP.NET StateServer mode

* Cross-site scripting bug in IE v5.5 & v6.0

* Gopher hole in Internet Explorer...

* BIND 9.2.1 fixes denial of service in earlier releases

* Update addresses sendmail file locking issues, among others

Introduction:

Although a relatively quiet week in terms of the number of serious issues to deal with, the scale of a couple of them may mean a busy day or two on the horizon... First, the stalwarts of Unix OS DNS and mail server software - BIND and sendmail - have both been updated. In both cases this is to deal, among other things, with security issues. Also, Microsoft has made the first security patch release for its ASP.NET services, fixing a buffer overflow in an optional component of its much-touted web application services framework. Finally, desktop Windows system administrators should consider changing a couple of IE settings across all desktops under their control to block two remote arbitrary code execution holes - one in IE's gopher protocol handling and one due to a cross-site scripting flaw in IE's ftp protocol handling.

On the virus front, we have seen a sudden surge in numbers of a minor script virus that seemed to be going nowhere when discovered a week ago. Also, we have a warning about the first, but surely not the last, virus trying to get famous through social engineering tricks related to the World Cup.

Virus News:

* Would you look a gift singer in the mouth?

Officially known as VBSWG.AQ, this new VBS mass mailer has made a brief, and hopefully short lived, appearance. A relative of VBSWG.J - the so-called 'Anna Kournikova virus' - that swept the world in a few hours in February 2001, VBSWG.AQ is another trivial, kit-generated VBS mass-mailer. Perhaps taking a hint from the success of VBSWG.J, this new variant follows a similar formula, promising pictures of a current popular culture icon. If it becomes more widespread it may also follow its more famous predecessor by making a splash in the broader media under a name reflecting the person who would be depicted in the promised, but undelivered pictures - popular singer, Shakira.

This e-mail worm was first isolated a week ago, but showed up in such small numbers on the various prevalence charts that it seemed likely it had pretty much come and gone in a couple of days. However, over the last 24 to 36 hours there has been a large upswing in reports of this virus being detected in circulating e-mail. Most virus scanners were updated to detect it a week ago, so it should not pose a significant threat, and typical corporate attachment blocking policies will see it blocked because of the attachment name even if a virus scanner does not detect it.

Computer Associates Virus Information Center - VBSWG.AQ

F-Secure Security Information Center - VBSWG.AQ

Network Associates Virus Information Library - VBSWG.AQ

Sophos Virus Info - VBSWG.AQ

Symantec Security Response - VBSWG.AQ

Trend Micro Virus Information Center - VBSWG.AQ

* And be wary of World Cup gift offers too...

Russian antivirus developer Kaspersky Labs has warned that 'World Cup fever' sets the scene for obvious exploitation via social engineering that taps into the hype and interest surrounding the event. Just as the writer of the VBSWG.AQ virus, described above, presumably hopes to prey on interest in a popular music performer, a variant of another previously successful virus has been found trying to trade on the huge interest in the World Cup. Variously known as VBS.Brit.G and VBS/Chick.F, this particular virus is unlikely to make the big time, but that is due more to its technical shortcomings, and to oddities in the environment it requires to succeed, than to the theme it uses. It seems unlikely it will be the only virus to seek success via World Cup-related themes.

Beware of Virus Authors Exploiting World Cup Themes - kaspersky.com

Security News:

* Patch fixes buffer overflow in ASP.NET StateServer mode

Microsoft has released a patch for ASP.NET to fix a potentially remotely exploitable buffer overflow in cookie handling code of StateServer mode. The vulnerability only affects servers using StateServer Mode and then only such servers running ASP.NET applications that use cookies. Other ASP.NET servers need not be patched unless their configuration is changed in future to include use of StateServer mode. Microsoft rates this vulnerability as being of moderate severity on Internet and intranet servers.

Servers attacked via this vulnerability would see their vulnerable ASP.NET applications restart as a result of the overflow and current state information would be lost. Although not conclusively proven, even if the buffer overflow is exploitable for running arbitrary code, that code would only run under the security context of the ASP.NET worker process, which defaults to an unprivileged account.

Microsoft Security Bulletin MS02-026

* Cross-site scripting bug in IE v5.5 & v6.0

Japanese security researcher Eiji James Yoshida has discovered a cross-site scripting (XSS) vulnerability in IE v5.5 and v6.0. The problem arises because, by default, the Windows Explorer 'enable web content in folders' option is enabled and Internet Explorer's 'enable folder view for FTP sites' option is enabled. Combined, these settings mean an erroneous FTP URL causes a user-supplied string to be passed into FTP.HTT, where it is included in the HTML to be displayed in the error message without being escaped.

Thus, a classic XSS scenario arises where an attacker may be able to fashion a web page or HTML e-mail message to lure the intended victim to click a link that ends up running script code supplied by the attacker. Because the FTP.HTT file is not stored in the Temporary Internet Files directory tree, IE handles this code in the essentially wide-open 'My Computer' security zone. This makes matters much worse.

Yoshida claims to have first alerted Microsoft to this flaw on 21 December 2001, but apparently nothing has been done about it. Yoshida points out that the problem is easily fixed by disabling either, or both, of the Explorer and IE options mentioned above, although the ideal fix is to improve the HTML and code in FTP.HTT to prevent the possibility. This brings the current tally of unpatched IE security vulnerabilities to eighteen.

'Folder View for FTP sites' Script Execution Vulnerability - geocities.co.jp

Unpatched IE security holes - jscript.dk
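The FTP.HTT flaw described above comes down to a template echoing an untrusted string (the erroneous URL) into HTML without escaping it. The following is an added JavaScript example, not code from the original newsletter or from Microsoft's FTP.HTT: a constructed model of such an error-message template in the unsafe form the article describes, beside the same template with HTML escaping applied, plus a crude check a reviewer could run over a template's test cases. The template wording, the escapeHtml helper and the sample URL are assumptions for illustration.

```javascript
// Minimal HTML escaper: neutralises the five characters that can break
// out of text or attribute context when a value is placed in markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Constructed model of an error-page template (an assumption, not the
// real FTP.HTT): the requested URL is echoed back to the user.
// UNSAFE: the URL is dropped straight into the markup, so any markup the
// URL carries becomes part of the page and runs in the page's zone.
function renderErrorUnsafe(url) {
  return `<p>Could not open the FTP location ${url}</p>`;
}

// HARDENED: the same template, but the untrusted value is escaped so the
// browser renders it as text instead of parsing it as markup.
function renderErrorSafe(url) {
  return `<p>Could not open the FTP location ${escapeHtml(url)}</p>`;
}

// Reviewer's check: does the rendered output still contain a live tag
// with the given name? True means input reached the page as markup.
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, "i").test(html);
}

// Constructed sample: an "erroneous" URL that carries markup.
const sampleUrl = "ftp://example.invalid/<script>alert(1)</script>";

console.log("unsafe:", renderErrorUnsafe(sampleUrl));
console.log("safe:  ", renderErrorSafe(sampleUrl));
```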

* Gopher hole in Internet Explorer...

The rather archaic and now little-used gopher protocol and its associated gopherspace was a forerunner of HTTP and the modern WWW. It is, however, still supported in modern web browsers, and Finnish security researcher Jouko Pynnonen of Online Solutions has discovered a buffer overflow in IE's support of the protocol. When connecting to a gopher server, IE incorrectly handles 'overlong' replies from the server, overflowing an internal buffer. Often such overflows are tricky to reliably exploit because some form of decoding or other sanity checking is applied to the received data before the overflow occurs. This in turn means attackers have to write the code they want to inject and run via the overflow so that it will survive such 'scrubbing'. In this case Pynnonen suggests very little scrubbing is done before the overflow occurs, so writing successful arbitrary remote code execution exploits should be simple.

Pynnonen claims to have informed Microsoft of his discovery on 20 May this year and that, although Microsoft told him it is now working on a fix, he is not happy with the lack of a deadline from the developer as to when the expected patch will be available. As gopher is now seldom used, a useful workaround until Microsoft releases a patch would be to block gopher URLs by directing IE to use a non-existent proxy for them. The details are explained in Pynnonen's security advisory, linked below.

Buffer overflow in Internet Explorer gopher code - Online Solutions

* BIND 9.2.1 fixes denial of service in earlier releases

BIND, the mainstream DNS implementation particularly for large Unix-ish OSes, has been updated to fix a denial of service condition caused by its improper handling of specially malformed packets. On receipt of such packets, an internal consistency check would fail and vulnerable versions of BIND would stop serving DNS requests. BIND would have to be stopped and restarted to restore service. BIND v9.2.1 should be installed to replace any earlier BIND 9 releases in production. BIND 9.2.1 source (and binaries for NT & Windows 2000) is available from the official BIND home at the Internet Software Consortium (ISC) linked below. Further, several distributors ship BIND as a standard OS component and should have binary upgrade packages available - check with your vendor(s).

CERT Advisory CA-2002-15 Denial-of-Service Vulnerability in ISC BIND 9

ISC BIND 9.2.1 - isc.org

* Update addresses sendmail file locking issues, among others

Sendmail 8.12.4 has been released. As well as a host of minor functionality additions and bug fixes, it addresses some concerns that a local user may be able to mount a denial of service against sendmail due to problems inherent in some Unix OS file locking procedures. The download locations and update list for the v8.12.4 code, and a description of the file locking issues and sendmail's interaction with them, are both linked below. Unix sendmail administrators are advised to check the file locking issue carefully.

Sendmail 8.12.4 - sendmail.org

File Locking Local Denial of Service Impact on sendmail - sendmail.org
