IDGNet Virus & Security Watch Friday 3 May 2002


This issue's topics:

Introduction:

* Melissa writer gets jail & fine, serious AIX and SAP flaws

Virus News:

* Melissa man gets 20 months jail

* It keeps on going and going and going and...

* New CIH variant

Security News:

* NT Server 4.0 TSE security rollup package

* MS02-006 updated again

* MS02-021 doesn't completely fix the problem...

* Security patches for AIX

* Unprivileged user access to SAP R/3 data

Introduction:

Administrators of 'big' systems may be busy this weekend with serious flaws in AIX and SAP to consider. Windows admins have no new patches to apply, but there is some concern that the latest update from Microsoft does not do the full job. On the virus scene, Klez.H shows little, if any, sign of abating and has picked up a nasty hitch-hiker - a new variant of the CIH family. Becoming infected with a parasitic virus and then spreading that much further and faster than it would otherwise have gone is a serious additional risk posed by the recent increased success of binary (executable) mass mailers.

Although not strictly Virus & Security Watch-related, if you are planning to visit the ComputerWorld Expo in Auckland next week, on Tuesday you'll be able to chat with the compiler of this newsletter. I will be speaking at 4:00pm and apart from that will be spending the day at or around the Applied Insight stand (stand 149). If you'd like to chat about anything, just bowl up to that stand and ask for Nick.

ComputerWorld Expo information site

Virus News:

* Melissa man gets 20 months jail

David L. Smith has been sentenced to 20 months in federal prison and a US$5000 fine for releasing the Melissa virus. Smith admitted writing and releasing the Melissa Word macro virus in 1999 and pleaded guilty when tried on related computer crime charges. There has been much speculation about the close to three year delay between Smith's arrest and initial court appearance and his sentencing. Many felt the delay was because Smith was assisting the FBI, US Attorneys' office and/or local (New Jersey) authorities with enquiries into other computer crimes. A statement from a US Attorney following Smith's sentencing on Wednesday suggests this is the case. The prosecutors did not seek the full extent of the allowable maximum sentence despite estimates of Melissa's damages being over the US$80 million upper limit mentioned in sentencing guidelines for the crimes Smith admitted.

Aside from the federal charges, Smith is still awaiting sentencing on some related state crimes to which he also pleaded guilty. A sentencing hearing for those convictions is due Friday (New Jersey).

Creator of 'Melissa' Computer Virus Sentenced - ComputerWorld

Melissa Virus Writer Is Latest to Be Convicted - InfoWorld

Cooperation Nets Melissa Author Lower Sentence - Newsbytes

* It keeps on going and going and going and...

At the risk of repeating ourselves, the latest variant of the Klez family, Klez.H, is still multiplying furiously. The UK-based e-mail virus scanning ASP, MessageLabs, blocked nearly 300,000 Klez.H infected messages from passing through its e-mail servers in April; all the more 'impressive' given that the first samples were intercepted mid-month (on the 15th to be precise). This, of course, does not match the number or rate of infected messages seen at the height of the LoveLetter and some other huge outbreaks of the past, but given that most large (in fact, just most) corporate e-mail systems will now simply not let messages with attachments such as those used by Klez.H into their systems, this amount of Klez-infected e-mail being detected by MessageLabs suggests a huge infection rate among the small business and home user community.

There are further worries about the damage that such outbreaks can cause. For example, it appears that a new variant of the highly damaging CIH virus has happened to infect a copy of the Klez.H executable passing through a machine already infected with CIH.1049. Because the infection mechanisms of these two viruses are complementary (i.e. neither gets in the other's way or 'upsets' its typical operation), this CIH variant is now being spread by infected copies of Klez.H. The following article describes CIH.1049 in more detail.

MessageLabs' Threatlist for April 2002

* New CIH variant

As mentioned in the previous item, a new variant of the highly damaging CIH virus has been found 'piggybacking' on the Klez.H distribution mechanism. CIH is the hard-drive trashing, Flash BIOS overwriting 'PC killer' that reputedly 'destroyed' hundreds of thousands of machines in Asia on its trigger dates in 1998 and 1999. CIH.1049 is a minor variant of the earlier family members, with the most important issue being that its destructive payload is triggered on 2nd August. Although this was first seen by several antivirus companies as a 'tag-along' infection on some Klez.H samples received mid-week, it appears that the CIH-ed copies of Klez have not got terribly far to date. Let's hope it remains that way.

Computer Associates Virus Information Center - Win95.CIH.1049

Sophos Virus Info - W95/CIH-1049

Symantec Security Response - W95.CIH.1049

Trend Micro Virus Information Center - PE_CIH.1049

Security News:

* NT Server 4.0 TSE security rollup package

The first security rollup package (SRP) for NT Server 4.0, Terminal Server Edition was released just after last week's newsletter was posted. The rollup includes most NT 4.0 TSE security patches since SP6. However, note that it does not include some recent patches released after the cut-off date for inclusion and testing in TSE SRP1, nor some security patches that should only be installed in specific circumstances. These are all listed in the "Patches not included in TSE SRP1" section of the bulletin, which obviously should be carefully studied before redesigning your installation or rollout procedures to take advantage of this bundled patch installation option. The SRP does not include any new updates, so it is not necessary to obtain and apply it now as you should already have installed the patches it contains that pertain to your systems and configurations.

NT Server 4.0, Terminal Server Edition Security Rollup Package

* MS02-006 updated again

We have not reported most of the ongoing revisions to the Microsoft security bulletin covering updates to the SNMP services shipped with all their Windows 95 and later OSes (except ME). Aside from the fact that few users install and enable this optional component, we warned that users of all affected systems, which includes virtually the whole spectrum of TCP/IP capable devices and not just Microsoft products, should check with their vendors for updates. In mid-February when the widespread SNMP flaws were reported, Microsoft's MS02-006 security bulletin suggested that the Windows 95 SNMP service would be patched along with all other affected systems. As Windows 95 went off any form of official support on 1 December 2001, it seems unusual that the revised versions of MS02-006 continue to hint that a fix will be forthcoming for that platform.

Windows Desktop Product Lifecycle Guidelines

Microsoft Security Bulletin MS02-006

* MS02-021 doesn't completely fix the problem...

Last week we announced the release of the MS02-021 security bulletin and its associated patch. Microsoft describes the vulnerability fixed by that patch as a WordMail problem, but Bulgarian bug hunter Georgi Guninski claims that MS02-021 is really only a partial fix of a larger problem he announced over a month ago. Guninski has updated his security advisory #53 to detail how that problem is still open and exploitable through Excel, and hints that other Office applications may also (still) be vulnerable even if users have installed the MS02-021 patch.

Georgi Guninski security advisory #53 - guninski.com

Microsoft Security Bulletin MS02-021

* Security patches for AIX

APAR IY30431 for AIX 4.3.3 has been released by IBM. It fixes several critical security flaws including a potentially exploitable remote buffer overflow. This APAR is intended to be installed atop the current recommended maintenance package. This is what is known as a packaging APAR, meaning it is a bundle of several specific fixes. The individual security fixes included in APAR IY30431 are:

IY28880 SECURITY: Buffer overflow vulnerability in pioout

IY29516 SECURITY: mail and mailx core dump when given long argument

IY29517 SECURITY: namerslv coredumps when given extremely long argument

IY29518 SECURITY: Buffer overflow vulnerability in uucp

IY29583 SECURITY: template.dhcpo linked with insecure linker argument

IY29589 SECURITY: Buffer overflow vulnerability in lsmcode
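Since IY30431 is a packaging APAR, the practical question for an administrator is which of the bundled fixes are actually present on a given host. The script below is an added example, not from the newsletter or from IBM: it takes the output of `instfix -ik <APAR>` for each of the six APARs listed above and reports the ones whose filesets are not all installed. The exact wording of the instfix messages ("All filesets for ... were found." / "Not all filesets for ... were found.") is assumed here, and the sample output is constructed to show a partially patched system.

```shell
#!/bin/sh
# Added example (not from the newsletter or IBM): report which of the
# security APARs bundled in packaging APAR IY30431 are not fully installed,
# based on the output of `instfix -ik <APAR>` for each one.

# The individual fixes the newsletter lists as the contents of IY30431.
SRP_APARS="IY28880 IY29516 IY29517 IY29518 IY29583 IY29589"

# Constructed sample of instfix output for a host with two fixes missing.
# Assumption: instfix prints one "All filesets for X were found." or
# "Not all filesets for X were found." line per APAR queried.
SAMPLE_INSTFIX_OUTPUT='All filesets for IY28880 were found.
Not all filesets for IY29516 were found.
All filesets for IY29517 were found.
All filesets for IY29518 were found.
Not all filesets for IY29583 were found.
All filesets for IY29589 were found.'

# missing_apars: read instfix output on stdin and print, space-separated and
# in SRP_APARS order, every APAR that is NOT confirmed as fully installed.
# An APAR that produces no "All filesets" line at all (e.g. unknown to
# instfix, or output truncated) is also reported as missing, which is the
# safe default for a patch check.
missing_apars() {
    _out=$(cat)
    _missing=""
    for _a in $SRP_APARS; do
        if ! printf '%s\n' "$_out" | grep -q "^All filesets for $_a were found"; then
            _missing="$_missing $_a"
        fi
    done
    printf '%s\n' "${_missing# }"
}

# On an AIX 4.3.3 host you would feed real instfix output instead:
#   for a in $SRP_APARS; do instfix -ik "$a"; done | missing_apars
printf '%s\n' "$SAMPLE_INSTFIX_OUTPUT" | missing_apars
```

An empty result means every listed fix is accounted for; a non-empty one is the list of APARs still to apply (or to explain, if the host legitimately lacks the affected fileset such as uucp or dhcp).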

* Unprivileged user access to SAP R/3 data

A German SAP R/3 consultant, Jochen Hein, has discovered that unprivileged users only need network access to the Oracle listener port on the SAP database host to be able to read and write any SAP data. This presumably works with SAP hosted on other databases, but Hein has not tested other combinations. Hein's archived message to the Bugtraq mailing list contains details of two possible workarounds, as SAP has acknowledged the bug but not yet provided a fix.

Archived Bugtraq list message - securityfocus.com
