This issue's topics:
* Bogus virus warnings & Xbox emulators, IE, Opera, NWFTPD, Netfilter patches
* Bogus Kaspersky Klez warning installs backdoor
* Xbox emulator really a Trojan running up web hits
* Cumulative patch for IE incorporates six new patches
* Update to MS02-019 - now includes PowerPoint 98 for the Mac
* MSN Chat Control recap
* XMLHttpRequest vulnerability patched in Netscape update
* Denial of service patch for multiple NetWare NWFTPD bugs
* Patch for Netfilter bug revealing real address of NAT'ed machines
* Japanese researcher spoofs fingerprint recognition devices
Little new activity, and none worth significant mention, on the virus front this week, though Klez continues its rampage more or less unabated. A couple of bogus software items are mentioned in the virus section, however: one is relevant to Klez and the other is a broader tale of caution about software that 'seems too good to be true'.
On the security scene, all three of the 'big name' web browsers - IE, Netscape and Opera - were patched for serious security flaws. Mozilla was also updated to fix, among other things, the security flaw discovered last week (the same one fixed in the Netscape 6.2.3 release mentioned below); I decided not to cover it in the main newsletter because it is still pre-release software, and those using it are hopefully more aware of security and stability issues and monitor the appropriate development lists. Apart from that, Macintosh users of PowerPoint 98 should grab the patch for a previously mentioned remote code execution flaw in that product, and the MSN Chat Control patch from last week is briefly revisited, as I am not sure the full extent of who is at risk from it was clear from last week's coverage.
NetWare users running the FTPD service should check for a security and stability update, and Linux Netfilter (iptables) users relying on NAT to hide internal addresses should check for a possible information leak in Netfilter. Finally, a little ingenuity on the part of a Japanese security researcher has cast doubt on the reliability of fingerprint-type biometric devices.
Bogus Kaspersky Klez warning installs backdoor
Some miscreant has been e-mailing bogus Klez warnings, claiming to be from well-known antivirus developer Kaspersky Labs. Aside from text stating that Klez is very prevalent and that (real) cleaning utilities are available from a Kaspersky Labs URL given in the message, the bogus message also contains scripting code. If run, this retrieves other files from a remote web page and displays them in separate windows. These exploit various IE vulnerabilities, including the old 'incorrect MIME header' flaw (which is also used by Klez), to download and run a remote access Trojan known as SmokeDown on the victim's machine. So, aside from Klez.H's own bogus 'Worm Klez.E immunity' and 'W32.Elkern removal tools' messages, complete with a copy of the virus, users now have to be wary of this fake as well.
Xbox emulator really a Trojan running up web hits
A claimed Xbox emulator distributed on the Internet over the last few weeks has been found to be a simple Trojan horse that tries to scam extra advertising revenue for its writer's web site. Although very few antivirus vendors' web sites describe this Trojan, most of the major antivirus products have been updated to detect it. If the claimed emulator was downloaded and run, it installed two programs on the victim's PC, one of which was set to run at each system start. Once a day this program would hit a web page owned by the Trojan's writer, in the hope that the high hit-rate would boost advertising returns from 'pay-per-click' web advertisements.
As the linked news articles explain, this ploy was apparently not as successful as the Trojan's writer had hoped, with the online advertising suppliers suspecting the faking and refusing to pay up. Also, do not accept the Trojan writer's claim that the program is not a Trojan because a 'Trojan is by definition harmful to the end user'. Amongst the technical experts your newsletter compiler works with, a Trojan is generally defined as something like 'a program designed to perform one or more activities its users are unaware of and would not approve of'.
Cumulative patch for IE incorporates six new patches
Six previously unreleased patches have been rolled into the latest cumulative patches for Internet Explorer v5.01, v5.5 and v6.0. New vulnerabilities fixed with this patch include several that can be used to effect 'auto-detach attachments' and similarly serious security zone crossing flaws - the sort of thing that viruses such as Klez have depended on for their success.
Also note that, although the patch claims to fix six new vulnerabilities, the count of unpatched IE vulnerabilities tracked at jscript.dk has only dropped by two, to twelve, following its release. Further, that site notes that Microsoft's claim to have fixed one of the vulnerabilities listed there is incorrect: the 'fix' shipped in the cumulative patch is only a partial fix, and only for IE v6.0 at that.
Update to MS02-019 - now includes PowerPoint 98 for the Mac
Several weeks ago when we announced the multiple patches across a host of Microsoft Macintosh products, we noted that the PowerPoint 98 patch was not yet available. This patch has now been released and the MS02-019 security bulletin updated to include its download location.
MSN Chat Control recap
In case last week's coverage of the severity of this vulnerability was not clear enough on this point, the MSN Chat Control vulnerability patched by MS02-022 does _not_ depend on users actually running MSN Chat, MSN Messenger or Exchange Messenger. Reading an HTML e-mail message, or visiting a suitable web page and clicking an appropriately constructed URL, will cause the vulnerable MSN Chat Control to be loaded if the security context of the e-mail or web page does not block the use of ActiveX controls. Thus, users with any of the affected messaging components _installed_ on their machines must obtain and install the patch, whether or not they ever use those components.
XMLHttpRequest vulnerability patched in Netscape update
Netscape versions 6.1 through 6.2.2 are vulnerable to a flaw in their XMLHttpRequest handler that can allow remote reading of files on the user's computer. The vulnerability was discovered a couple of weeks ago by GreyMagic Software, whose security advisory is also linked below. In essence, this flaw is similar to that found earlier in IE and described in MS02-008: the XMLHttpRequest handler follows redirections to local or other remote URLs without correctly updating its view of the relevant security zone, so a request that started out in the page's own zone ends up reading from a URL the page should never have been allowed to touch. Netscape Navigator v6.2.3 patches this vulnerability.
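The following Python sketch is an added illustration of the redirect-handling mistake described above, and is not Netscape's code or anything from the GreyMagic advisory. It models the flawed behaviour as a resolver that simply follows whatever Location it is given, beside a hardened version that re-derives the target's origin after every hop and refuses to follow a redirect that leaves the requesting document's origin (which rules out file: URLs as well as other hosts). The document and request URLs, and the function names, are assumptions made for the example; it goes slightly beyond the text by also checking multi-hop redirect chains.

```python
from urllib.parse import urljoin, urlsplit

# Assumed document origin for this example (constructed; not from the advisory).
DOCUMENT_URL = "https://example.com/app/index.html"


def origin_of(url):
    """Return the (scheme, host, port) origin of an http(s) URL, or None for any
    other scheme (file:, ftp:, javascript: ...), which never shares a web origin."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def naive_redirect(request_url, location):
    """The behaviour the advisory describes: resolve the Location header against
    the request URL and follow it, keeping the original page's privileges."""
    return urljoin(request_url, location)


def checked_redirect(document_url, request_url, location):
    """Hardened form: resolve the redirect, then re-derive the target's origin and
    refuse to follow unless it matches the document that issued the request.
    Returns the target URL, or None if the hop must be blocked."""
    target = urljoin(request_url, location)
    doc_origin = origin_of(document_url)
    if doc_origin is None or origin_of(target) != doc_origin:
        return None
    return target


def follow_chain(document_url, request_url, locations):
    """Follow a chain of Location headers, re-checking the origin on every hop,
    since a same-origin redirect target can itself redirect somewhere else."""
    current = request_url
    for location in locations:
        current = checked_redirect(document_url, current, location)
        if current is None:
            return None
    return current


if __name__ == "__main__":
    req = "https://example.com/data.xml"
    for loc in ("file:///etc/passwd", "//evil.example/x", "/other.xml"):
        print(loc, "->", naive_redirect(req, loc),
              "| checked:", checked_redirect(DOCUMENT_URL, req, loc))
```

The naive resolver happily returns file:///etc/passwd for the first case; the checked one returns None for it and for the scheme-relative hop to another host, and only follows the same-origin relative redirect. The point of `follow_chain` is that the check is a per-hop property, not something to do once at the start of a request.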
Denial of service patch for multiple NetWare NWFTPD bugs
Multiple bugs in the handling of high loads, 'invalid commands' and the like in the NWFTPD.NLM supplied with NetWare v5.1 and v6.0 have been fixed. Exploitation of these flaws could lead to denial of service and even server ABENDs. Users of these versions of NetWare whose configurations include NWFTPD.NLM should download and install the patch as soon as practicable, but take note of the service pack requirements listed in the Technical Information Document linked below.
Patch for Netfilter bug revealing real address of NAT'ed machines
Netfilter (or iptables) has been found to leak the 'internal' addresses that its NAT functionality is supposed to hide when a NAT'ed host responds to an external source with an ICMP error. An ICMP error message carries a copy of the IP header of the packet that provoked it, and that embedded header has to be translated along with the outer one; it is the embedded copy that escapes untranslated. All iptables packages prior to v1.2.6a are vulnerable to this exposure, as are all Linux kernel versions up to and including v2.4.4.
An unofficial patch (i.e. one that has been refused for inclusion in the kernel) is available from the Netfilter security advisory linked below. Administrators wary of unofficial kernel patches may prefer the workaround, also detailed in the advisory, of filtering out untracked locally generated packets.
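As an added illustration of what to look for (not code from the Netfilter advisory or the iptables project), the Python below parses an ICMP error as it would appear on the external side of a NAT box and checks whether the destination in the embedded IP header still shows the internal host rather than the NAT box's public address. The packet builders at the bottom produce constructed test data only (checksums are left at zero), and the addresses 203.0.113.10 (public side of the NAT box), 10.0.0.5 (internal host) and 198.51.100.7 (external peer), along with all function names, are assumptions made for the example.

```python
import struct
import ipaddress

# RFC 1918 ranges: the 'internal' addresses NAT is supposed to keep hidden.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP message types that quote the offending packet's IP header:
# destination unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def parse_ipv4_header(buf):
    """Return (src, dst, protocol, header_length) from the start of an IPv4 packet."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, (ver_ihl & 0x0F) * 4)


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def check_icmp_error(packet):
    """Inspect a packet as seen on the external side of the NAT box.
    Returns None if it is not an ICMP error; otherwise a dict with the outer
    source, the destination in the embedded header, whether NAT failed to
    rewrite that embedded destination ('leak') and whether the exposed address
    is an RFC 1918 one ('internal')."""
    outer_src, _, proto, ihl = parse_ipv4_header(packet)
    if proto != 1:  # not ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if icmp[0] not in ICMP_ERROR_TYPES:
        return None
    # The embedded header is from the packet the erroring host received, so its
    # destination is that host's own address. After NAT it must equal the
    # translated outer source; a mismatch is exactly the leak described above.
    _, inner_dst, _, _ = parse_ipv4_header(icmp[8:])
    return {
        "outer_src": str(outer_src),
        "inner_dst": str(inner_dst),
        "leak": inner_dst != outer_src,
        "internal": is_rfc1918(inner_dst),
    }


def build_ipv4_header(src, dst, proto, total_len):
    """Constructed test data: IPv4 header, TTL 64, checksum left at zero."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_icmp_error(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed test data: ICMP port unreachable (type 3, code 3) quoting a
    20-byte inner TCP/IP header plus the first 8 bytes of the original datagram."""
    inner = build_ipv4_header(inner_src, inner_dst, 6, 28) + b"\x00" * 8
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    return build_ipv4_header(outer_src, outer_dst, 1, 20 + len(icmp)) + icmp


if __name__ == "__main__":
    # Assumed addresses: 203.0.113.10 is the NAT box's public address, 10.0.0.5 the
    # internal host that generated the error, 198.51.100.7 the external peer.
    leaky = build_icmp_error("203.0.113.10", "198.51.100.7", "198.51.100.7", "10.0.0.5")
    fixed = build_icmp_error("203.0.113.10", "198.51.100.7", "198.51.100.7", "203.0.113.10")
    for name, pkt in (("unpatched", leaky), ("patched", fixed)):
        print(name, check_icmp_error(pkt))
```

Run over raw IP packets captured on the external interface of the NAT box, `check_icmp_error` flags any ICMP error whose quoted header still names an address the outside world should not be able to see; the "internal" field tells you whether it is one of the private ranges NAT was hiding. The same comparison applies to the embedded source address for errors travelling the other way.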
Japanese researcher spoofs fingerprint recognition devices
Tsutomu Matsumoto from Yokohama National University in Japan has demonstrated how a little ingenuity and some simple, cheap ingredients can be 'cooked up' to reliably fool fingerprint biometric sensors. Such sensors have widely been claimed, at least by their developers, to be resilient to exactly the type of attack Matsumoto demonstrated. Unfortunately, Matsumoto's paper is not directly available on the Internet, but we have linked to the coverage of his findings by respected cryptographer and computer security expert Bruce Schneier in his monthly Crypto-Gram newsletter.