IDGNet Virus & Security Watch Friday 17 May 2002


This issue's topics:

Introduction:

* Bogus virus warnings & Xbox emulators, IE, Opera, NWFTPD, Netfilter patches

Virus News:

* Bogus Kaspersky Klez warning installs backdoor

* Xbox emulator really a Trojan running up web hits

Security News:

* Cumulative patch for IE incorporates six new patches

* Update to MS02-019 - now includes PowerPoint 98 for the Mac

* MSN Chat Control recap

* XMLHttpRequest vulnerability patched in Netscape update

* Opera update fixes JavaScript security flaw

* Denial of service patch for multiple NetWare NWFTPD bugs

* Patch for Netfilter bug revealing real address of NAT'ed machines

* Japanese researcher spoofs fingerprint recognition devices

Introduction:

Little new activity, and none worth significant mention, on the virus front this week, though Klez continues its rampage more or less unabated... A couple of bogus software items are mentioned in the virus section, however; one is relevant to Klez and the other is a broader tale of caution about software that 'seems too good to be true'.

On the security scene, all three of the 'big name' web browsers - IE, Netscape and Opera - were patched for serious security flaws. Although I decided not to mention it in the main newsletter because it is still pre-release software (and thus hopefully those using it are more aware of security and stability issues and monitor the appropriate development lists), Mozilla was also updated to fix, among other things, a security flaw discovered last week (the same one fixed in the Netscape 6.2.3 release mentioned below). Apart from that, Macintosh users of PowerPoint 98 should grab the patch for a previously mentioned remote code execution flaw in that product, and the MSN Chat Control patch from last week is briefly revisited as I am not sure the full extent of who is at risk from it was clear from last week's coverage.

NetWare users running the FTPD service should check for a security and stability update and Linux Netfilter (iptables) users taking advantage of the address obscuring features of that product's NAT functionality should check a possible information leak in Netfilter. Finally, the application of a little ingenuity by a Japanese security researcher has cast doubt on the reliability of fingerprint detection type biometric devices.

Virus News:

Bogus Kaspersky Klez warning installs backdoor

Some miscreant has been e-mailing bogus Klez warnings, claiming to be from well-known antivirus developer Kaspersky Labs. Aside from the message that Klez is very prevalent and (real) cleaning utilities are available from a Kaspersky Labs URL provided in the message, the bogus message also contains some scripting code. If run, this retrieves other files from a remote web page and displays them in separate windows. These exploit various IE vulnerabilities, including the old 'incorrect MIME header' security vulnerability (which is also used by Klez), to download and run a remote access Trojan known as SmokeDown on the victim's machine. So, aside from Klez.H's own bogus 'Worm Klez.E immunity' and 'W32.Elkern removal tools' messages, complete with a copy of the virus, users now have to be wary of this fake as well.

Be On Guard for a False Klez Fix - kaspersky.com

Xbox emulator really a Trojan running up web hits

A claimed Xbox emulator distributed on the Internet over the last few weeks has been found to be a simple Trojan horse that tries to scam extra advertising revenue for its writer's web site. Although very few of their web sites have descriptions of this Trojan, most of the major antivirus products have been updated to detect it. If the claimed emulator was downloaded and run, it installed two programs on the victim's PC, one of which was set to run at each system start. Once a day this program would hit a web page owned by the Trojan's writer in the hope that the high hit-rate would boost advertising returns from 'pay-per-click' web advertisements.

As the linked news articles explain, this ploy was apparently not as successful as the Trojan's writer had hoped, with the online advertising suppliers suspecting the faking and refusing to pay up. Also, do not accept the Trojan writer's claim that the program is not a Trojan because a 'Trojan is by definition harmful to the end user'. Amongst the technical experts your newsletter compiler works with, the definition of a Trojan is generally something like 'a program designed to perform one or more activities its users are unaware of and would not approve of'.

Xbox web hoax installs Trojan horse - vnunet.com

Scorpion takes sting out of Xbox hoax - vnunet.com

Trend Micro Virus Information Center

Security News:

Cumulative patch for IE incorporates six new patches

Six previously unreleased patches have been rolled into the latest cumulative patches for Internet Explorer v5.01, v5.5 and v6.0. New vulnerabilities fixed with this patch include several that can be used to effect 'auto-detach attachments' and similarly serious security zone crossing flaws - the sort of thing that viruses such as Klez have depended on for their success.

As Microsoft's combined rating of the new patches is critical on all types of machines (client workstations, intranet servers and Internet servers), it should be obvious this cumulative patch should be obtained, tested and rolled out with due haste. However, note that some users have reported problems after installing this patch. Aside from non-specific 'it broke my machine' claims, two posts to the Bugtraq mailing list have described problems with IE not correctly running JavaScript code that worked in IE as expected prior to applying the patches. Note that this cumulative patch supersedes the previous cumulative patch for IE described in the MS02-015 security bulletin.

Also note that despite claiming to fix six new vulnerabilities, the counter at jscript.dk has only been reduced by two, to twelve, following the release of this patch. Further, that site notes that Microsoft's claim to have fixed one of the vulnerabilities listed on the site is incorrect, as the 'fix' shipped in the cumulative patch is only a partial fix and only for IE v6.0 at that.

Microsoft Security Bulletin MS02-023

Unpatched IE security holes - jscript.dk

Update to MS02-019 - now includes PowerPoint 98 for the Mac

Several weeks ago when we announced the multiple patches across a host of Microsoft Macintosh products, we noted that the PowerPoint 98 patch was not yet available. This patch has now been released and the MS02-019 security bulletin updated to include its download location.

Microsoft Security Bulletin MS02-019

MSN Chat Control recap

In case last week's coverage of the severity of this vulnerability was not clear enough on this point, the MSN Chat Control vulnerability patched by MS02-022 does _not_ depend on users actually running MSN Chat, MSN Messenger or Exchange Messenger. Reading an HTML e-mail message or visiting a suitable web page and clicking an appropriately constructed URL will cause the vulnerable MSN Chat Control to be loaded if the security context of the e-mail or web page does not block use of ActiveX controls. Thus, users with any of the affected messaging components _installed_ on their machines must obtain and install the patch.

Microsoft Security Bulletin MS02-022

XMLHttpRequest vulnerability patched in Netscape update

Netscape versions 6.1 through v6.2.2 are vulnerable to a flaw in their XMLHttpRequest handler that can allow remote reading of files on the user's computer. This vulnerability was discovered a couple of weeks earlier by GreyMagic Software, whose security advisory is also linked below. In essence, this flaw is similar to that found earlier in IE and described in MS02-008. The XMLHttpRequest handler incorrectly follows redirections to local or other remotely located URLs without correctly updating its view of the relevant security zone. Netscape Navigator v6.2.3 patches this vulnerability.

Reading local files in Netscape 6 and Mozilla - greymagic.com

XMLHttpRequest Vulnerability - netscape.com

Opera update fixes JavaScript security flaw

A flaw in the way the security domain for JavaScript protocol URLs is determined in the Opera web browser has been patched, at least for Opera users on Windows operating systems. Andreas Sandblad discovered this flaw, but only tested it on Windows versions of the popular alternative to Microsoft's browser. Although it benefits from the impression that its browser is inherently more secure than IE, neither Opera Software's web page announcing the v6.02 release nor the changelog page it links to mentions that the update patches a security problem. Thus, it is unclear whether the Linux and other OS versions of Opera are also vulnerable to this flaw, although that seems a reasonable assumption given the nature of the project. Although there are no known current exploits of this flaw in the wild, Opera users on Windows OSes should upgrade as soon as practicable.

Archived Bugtraq list message - securityfocus.com

Opera home page

Denial of service patch for multiple NetWare NWFTPD bugs

Multiple bugs in handling high loads, 'invalid commands' and the like in the NWFTPD.NLM supplied with NetWare v5.1 and v6.0 have been fixed. Exploitation of these flaws could lead to denial of service and even server ABENDs. Users of these versions of NetWare whose configurations include NWFTPD.NLM should download the patch and install it as soon as practicable, but take note of the service pack requirements listed in the Technical Information Document, linked below.

NWFTPD.NLM High Utilization fix - novell.com

Patch for Netfilter bug revealing real address of NAT'ed machines

Netfilter (or iptables) has been found to leak 'internal' addresses that are supposed to be hidden by Netfilter's NAT functionality when the NAT'ed box responds to an external source with an ICMP error. All iptables packages prior to v1.2.6a are vulnerable to this exposure, as are all Linux kernel versions up to and including v2.4.4.

An unofficial patch (i.e. it has been refused for inclusion in the kernel) is available from the Netfilter security advisory linked below. Administrators wary of unofficial kernel patches may prefer implementing the workaround of filtering out untracked local packets detailed in the security advisory.

Linux Netfilter NAT/ICMP code information leak - netfilter.org
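
A check a defender could run on packets captured outside the NAT boundary to see whether this exposure is present, added here as an example (it is not from the Netfilter advisory or this newsletter). It assumes the leak shows up in the IP header that an ICMP error quotes from the offending packet and treats only RFC 1918 ranges as internal; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # RFC 792 messages that quote the offending packet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in RFC1918)

def parse_ipv4_header(buf):
    """Return (header_len, protocol, src, dst) for the IPv4 header at the start of buf."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    src, dst = (ipaddress.IPv4Address(bytes(buf[i:i + 4])) for i in (12, 16))
    return ihl, buf[9], src, dst

def leaked_internal_addresses(packet):
    """Internal addresses quoted inside an ICMP error seen outside the NAT boundary."""
    ihl, proto, outer_src, outer_dst = parse_ipv4_header(packet)
    if proto != 1 or len(packet) < ihl + 8 or packet[ihl] not in ICMP_ERROR_TYPES:
        return []  # not an ICMP error message
    if is_internal(outer_src) or is_internal(outer_dst):
        return []  # captured inside the NAT, where internal addresses are expected
    try:
        _, _, quoted_src, quoted_dst = parse_ipv4_header(packet[ihl + 8:])
    except ValueError:
        return []  # quoted header missing or truncated
    return [str(a) for a in (quoted_src, quoted_dst) if is_internal(a)]

def ipv4_header(src, dst, proto, payload_len):
    """Constructed 20-byte IPv4 header for the samples (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def icmp_error(outer_src, outer_dst, quoted_src, quoted_dst, icmp_type=3):
    """Constructed ICMP message quoting the header of a UDP packet (sample data)."""
    quoted = ipv4_header(quoted_src, quoted_dst, 17, 8) + struct.pack("!HHHH", 40000, 53, 8, 0)
    icmp = struct.pack("!BBHI", icmp_type, 3, 0, 0) + quoted
    return ipv4_header(outer_src, outer_dst, 1, len(icmp)) + icmp

# Constructed samples: 203.0.113.10 stands for the NAT's public address and 198.51.100.7
# for the external host (both documentation ranges); 192.168.1.20 is the hidden machine.
LEAKY = icmp_error("203.0.113.10", "198.51.100.7", "198.51.100.7", "192.168.1.20")
CLEAN = icmp_error("203.0.113.10", "198.51.100.7", "198.51.100.7", "203.0.113.10")
```

An empty result on traffic captured after patching or after applying the advisory's workaround is the outcome to look for.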

Japanese researcher spoofs fingerprint recognition devices

Tsutomu Matsumoto from Yokohama National University in Japan has demonstrated how a little ingenuity and some simple and cheap ingredients can be 'cooked up' to reliably fool fingerprint biometric sensors. Such sensors have widely been claimed, at least by their developers, to be resilient to exactly the types of attacks that Matsumoto demonstrated. Unfortunately, Matsumoto's paper is not directly available on the Internet, but we have linked to the coverage given his findings by reputed cryptographer and computer security expert Bruce Schneier in his monthly Crypto-Gram newsletter.

Crypto-Gram Newsletter, May 15, 2002 - counterpane.com
