IDGNet Virus & Security Watch Friday 31 May 2002

This issue's topics:

Introduction:

* Fast worms, Exchange 2000 & JRun 3.x patches, EWS & Tomcat flaws and Wi-Fi Woes

Virus News:

* Klez.H tops off MessageLabs' all time prevalence list

* How to own the Internet in your spare time - future worm techniques

Security News:

* Patch for Exchange 2000 DoS via malformed messages

* Update for ISAPI buffer overflow in JRun v3.0 & 3.1 for Windows

* NetWare Enterprise Web Server sample programs problematic

* Apache Tomcat sample programs problematic

* More on Wi-Fi insecurity woes...

Introduction:

It's been quiet in the virus field this week apart from Klez.H's claim to have become the most prevalent virus ever seen through MessageLabs' e-mail virus scanning service. And, as if Klez.H were not spreading fast enough, three security researchers have published a paper explaining how some worms more akin to CodeRed could be much faster. That paper is linked in the second item in our Virus News section.

Virus News:

* Klez.H tops off MessageLabs' all time prevalence list

Not surprisingly, given that MessageLabs is still seeing an average of about 20,000 infected messages a day more than six weeks after the virus' release, Klez.H is now atop the e-mail ASP's all-time prevalence list. Klez.H overtook the previously 'stellar' SirCam early in the week and has kept going at around the 20,000 instances per day rate since...

When will it ever end?

MessageLabs VirusEye all time prevalence statistics

* How to own the Internet in your spare time - future worm techniques

As there has been nothing of significant note on the virus front this week, we are directing you to some interesting reading on what one possible future involving superfast Internet worms may be like.

Last year we mentioned the theories behind the concepts of Warhol and Flash worms. In case you've forgotten, Warhol worms could, in theory, take over the whole Internet in 15 minutes, whereas Flash worms refine those speed improvement techniques and add some more of their own, reducing that theoretical takeover time considerably. The authors of the original papers suggesting the Warhol and Flash techniques have combined to write a paper for the 11th USENIX Security Symposium. Aside from refining some of the basic ideas behind their earlier suggestions of what may be to come, they also tackle the issue of setting up a 'cyber Center for Disease Control' to assist in the early detection of, and rapid response to, such beasties as Warhol and Flash worms. Happy reading...

How to 0wn the Internet in Your Spare Time - icir.org

Security News:

* Patch for Exchange 2000 DoS via malformed messages

Microsoft has released a patch for Exchange 2000 fixing an error in its handling of specially malformed SMTP messages. If such a message is received, the message store service temporarily consumes 100% of the host machine's CPU resources, resulting in a temporary denial of service. A flood of such messages may leave an Exchange 2000 server in a very sad state, because simply rebooting the server does not help: the message store service resumes trying to process the remaining queued messages as soon as it restarts.

Microsoft rates the severity of this vulnerability as critical for all Internet and Intranet Exchange servers. The patch is available from the Microsoft security bulletin linked below. Note that Exchange 5.5 was tested and found not vulnerable. The status of earlier versions of Exchange is unknown, as they are no longer supported by Microsoft.

Microsoft Security Bulletin MS02-025

* Update for ISAPI buffer overflow in JRun v3.0 & 3.1 for Windows

Macromedia has released an update for its JRun v3.0 and v3.1 for Microsoft IIS web server products. The JRun ISAPI component has a remotely exploitable buffer overflow that could allow for execution of arbitrary code under the local system security context. Version 4.0 of the application contains the fixes for this problem, and updates for v3.0 and v3.1 users are available from Macromedia's security bulletin, linked below. JRun v3.x users should also note that if they have installed previous security updates for some Macromedia products they may already have fixed versions of the faulty JRun components and thus will not need these updates. Specifically, if your JRun v3.0 is build 25232 or JRun v3.1 is build 26414 you are not vulnerable. Macromedia advises that all JRun builds prior to these versions are vulnerable.

Macromedia security bulletin MPSB02-02

* NetWare Enterprise Web Server sample programs problematic

As if further warnings were necessary that you should remove sample web applications from servers before putting them into production, ProCheckUp security researchers have discovered multiple undesirable information disclosures in the NetWare Enterprise Web Server package due to poorly written sample programs installed by default with the web server. Such information as the physical path to the server's webroot, Ethernet interface configuration details and much more can be exposed by remotely requesting (i.e. via a web browser) simple invalid URLs that invoke these sample programs. As usual, the 'fix' is to remove all non-critical functionality from production machines.

ProCheckUp vulnerability reports:

ProCheckUp Security Bulletin PR02-01

ProCheckUp Security Bulletin PR02-03

* Apache Tomcat sample programs problematic

Deja vu? Much as for the NetWare Enterprise Web Server, ProCheckUp security researchers also discovered similar undesirable information disclosures in the Apache Tomcat package due to poorly written sample programs installed by default with the product. Such information as directory listings that should be restricted and the physical path to the server's webroot can be exposed via simple, invalid URLs that invoke the vulnerable sample programs. As usual, the 'fix' is to remove all non-critical functionality from production machines.

ProCheckUp vulnerability reports:

ProCheckUp Security Bulletin PR02-05

ProCheckUp Security Bulletin PR02-06

ProCheckUp Security Bulletin PR02-07

* More on Wi-Fi insecurity woes...

Further to the problems, reported previously in this newsletter, of WEP being weak and the suggested security 'improvements' probably not being much better, it seems Wi-Fi (802.11 wireless LAN) implementers are not listening to the warnings, or perhaps not even hearing them. The piece linked below, a recent summary of the scale and scope of basic problems with typical Wi-Fi implementations, should be a salutary warning of the pitfalls still open to anyone considering implementing this technology.

Wireless Vendor Woes and Shame - sysinfo.com
