IDGNet Virus & Security Watch Friday 26 April 2002


This issue's topics:

Introduction:

* WordMail patch, sudo update, ColdFusion check and Klez.H on rampage

Virus News:

* Klez.H goes for gold...

Security News:

* Patch for Outlook/WordMail message-editing flaw

* ColdFusion path disclosure workaround for IIS

* sudo updates for various Unixes/Linuxes

* UK security survey shows greater threat from outside for first time

Introduction:

Another relatively quiet week, livened up only by Microsoft releasing a patch for a serious HTML e-mail scripting flaw in ... not Outlook but Word. Well, in a sense both share the blame, but the patch is an update to Word. Given how many corporates use Outlook as their standard e-mail client, that will no doubt keep many a Windows administrator busy for a few days. Administrators of Windows IIS machines also running ColdFusion should check their configurations to ensure they are not vulnerable to a path disclosure that leaks the physical location of the web root. Linux and other Unix-ish system admins running sudo should get the latest patches for that popular utility, or obtain an updated sudo package from their distributors when they become available, as a possibly exploitable heap overflow has just been fixed in the latest release.

On the virus front, things have been very quiet this last week apart from a huge explosion in Klez.H infections. I have occasionally alluded in earlier issues of this newsletter to the elusive 'get lucky' factor that propels some viruses to 'stardom'. Antivirus researchers have not yet isolated this (if, in fact, there is a single or identifiable set of such causes) but Klez.H must have it. As it is a quiet week, I've included some hopefully interesting reading - the report from the UK's Department of Trade and Industry on their 2002 Information Security Breaches Survey.

Virus News:

* Klez.H goes for gold...

Klez.H, the latest variant in this family of mass mailing viruses and mentioned in last week's newsletter, seems to have hit the mass mailer mother lode. MessageLabs' prevalence statistics show the e-mail ASP has seen approximately five times as many copies of Klez.H as it has of either SirCam.A or Klez.E, respectively the second and third most-detected viruses in e-mail passing through its servers. If that is not staggering enough, note that while the second and third place getters have been around for more than a month, the high number of Klez.H detections has only been recorded since that variant's release about a week ago. MessageLabs has been reported as claiming this is the largest outbreak of a single virus since the 'Anna Kournikova' (officially VBS/VBSWG.J) virus.

Also, several of the antivirus developers' website descriptions have been updated to reflect further features of this variant that were not immediately discovered and so were not included in their initial descriptions. For example, perhaps borrowing the idea from the recently successful SirCam mass mailer, Klez.H can (though does not always) select a file from the victim's machine and add it as an attachment to the 'infected' messages it sends, so an outbreak is also a data leak. Add to that the fact that Klez.H sends HTML e-mail messages exploiting an old Internet Explorer bug that allows the attached copy of the virus to be detached and executed automatically just from reading or previewing the message, and that a substantial number of users still run such old and unpatched versions of IE, and it is not surprising Klez.H is doing so well. The practical defences are the usual ones: keep IE patched, and block or quarantine executable attachments at the mail gateway rather than relying on users not to open them.

MessageLabs Threatlist page

Computer Associates Virus Information Center - Klez.H

F-Secure Security Information Center - Klez.H

Kaspersky Lab Virus Encyclopedia - Klez.H

Network Associates Virus Information Library - Klez.H

Symantec Security Response - Klez.H

Trend Micro Virus Information Center - Klez.H

Security News:

* Patch for Outlook/WordMail message-editing flaw

Word 2000 and 2002, when editing e-mail messages for Outlook, will run scripts that are otherwise blocked by Outlook's default security zone settings. The problem is that Word edits such messages in the 'My Computer' security zone, which intentionally has very lax security restrictions (basically, 'anything goes'). Since Outlook 2000 and 2002 (the latter is the version shipped with Office XP) place e-mail in the 'Restricted Sites' zone, malicious scripts included in HTML e-mail messages are not run when the messages are read, because the default 'Restricted Sites' settings prevent scripting.

However, if a user has Word set as their e-mail message editor (often referred to as the WordMail option - this is the installation default in Outlook 2002) and they reply to, or forward, messages containing scripts, the scripts are run by Word. Any malicious action that could otherwise have been taken when reading such messages with scripting enabled in Outlook can be performed from the opportunity Word affords the script to run. Microsoft rates this vulnerability 'moderate', but given that WordMail is the default in Outlook 2002 and popular among a significant number of Outlook users anyway _and_ the number of severe security vulnerabilities currently available and being actively exploited which are either scripting vulnerabilities or depend on scripts running to exploit some other Microsoft product vulnerability, a severe rating seems more appropriate. Regardless of your position on this, if you have Outlook 2000 or 2002 users who have WordMail enabled, obtain and install the patches linked from the Microsoft security bulletin post haste. Until the patch is on, turning off the 'use Microsoft Word to edit e-mail messages' option (Outlook's Mail Format options) sends replies and forwards back through Outlook's own editor, and with it the 'Restricted Sites' zone.

Microsoft Security Bulletin MS02-021
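Both of the items above come down to what arrives in the mailbox: an HTML body carrying script (run by Word in the 'My Computer' zone on reply or forward) and, in Klez.H's case, an executable attachment the mail client may run by itself. The following mail-gateway check is an added example, not code from the newsletter, Microsoft or any antivirus vendor. It walks the MIME parts of a message with Python's standard email package, flags active-content markers in HTML bodies and flags attachments by name, declared content type and payload magic. The marker patterns, the extension list and the sample message are assumptions constructed for the example; the sample is not a captured Klez.H e-mail.

```python
"""Mail-gateway check for scripted HTML bodies and executable attachments.
Added example; not from the newsletter or any vendor. The policy patterns
below are assumptions, not a published detection signature."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed markers of active content in an HTML body: anything here would get
# a chance to run when WordMail edits the message in the 'My Computer' zone.
ACTIVE_RE = re.compile(
    r"<\s*script\b|<\s*object\b|<\s*iframe\b|javascript:|\son\w+\s*=", re.I
)
# Assumed list of attachment name extensions Windows executes when opened.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def find_active_content(html: str) -> list:
    """Return the distinct active-content markers found in an HTML body."""
    return sorted({m.group(0).strip().lower() for m in ACTIVE_RE.finditer(html)})


def attachment_findings(part: EmailMessage) -> list:
    """Judge an attachment by its name, its declared type and its payload magic."""
    findings = []
    name = (part.get_filename() or "").lower()
    declared = part.get_content_type()
    payload = part.get_payload(decode=True) or b""
    if name.endswith(EXEC_EXT):
        findings.append(f"executable attachment name: {name}")
    if payload[:2] == b"MZ":  # DOS/PE executable header
        findings.append(f"PE executable payload in attachment {name or '<unnamed>'}")
        if not declared.startswith("application/"):
            # A binary dressed up as text or media is the classic auto-run lure.
            findings.append(f"content-type mismatch: {declared} declared for executable payload")
    return findings


def scan_message(raw: bytes) -> list:
    """Walk every MIME part of a raw RFC 822 message and collect policy findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html" and not part.is_attachment():
            markers = find_active_content(part.get_content())
            if markers:
                findings.append("active content in HTML body: " + ", ".join(markers))
        elif part.is_attachment() or part.get_filename():
            findings.extend(attachment_findings(part))
    return findings


def build_sample() -> bytes:
    """Constructed sample (not a captured Klez.H message): a scripted HTML body
    plus a PE payload attached under a misleading text/plain content type."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "a very funny game"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        "<html><body>hi<script>alert(1)</script>"
        "<a href='javascript:void(0)'>x</a></body></html>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="text", subtype="plain", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("FLAG:", finding)
```

Run stand-alone it prints four flags for the constructed sample: the script markers in the HTML body, the .exe name, the MZ header, and the mismatch between the declared text/plain type and the executable payload. The last check is the one that matters most at a gateway: an attachment is judged by what it contains, not by the type the sender chose to declare for it.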

* ColdFusion path disclosure workaround for IIS

A security researcher at KPMG uncovered a path disclosure flaw in ColdFusion that exposes the full physical path to the web root. Whilst such path disclosures are not dangerous in themselves, the leakage of such information can be useful to those planning an attack through some other mechanism which may not, itself, allow path determination but benefits greatly from knowing where to look for certain files. Macromedia/Allaire suggested a configuration workaround to prevent the path disclosure. The steps to apply this workaround to IIS 5.0 on Windows 2000 are described in a message posted to the Bugtraq security mailing list - an archived copy of that message is linked below. The same problem and a similar workaround have been reported to also affect ColdFusion running with IIS 4.0. ColdFusion and IIS 3.0 have also been reported to suffer the same problem, but there is no known workaround. This problem may not affect ColdFusion running with Apache on Windows. Whichever web server you run, the check is the same: request pages that provoke an error and read what the error page gives away.

Archived Bugtraq list message - securityfocus.com
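The newsletter does not reproduce the request that triggers the ColdFusion disclosure, so the example below is deliberately generic: a scanner for physical server paths in any HTTP response body, which is what you would run over your own error pages after applying the workaround. It is an added example, not ColdFusion's, Macromedia's or the Bugtraq poster's code. The two regular expressions and the three sample responses are assumptions constructed for the example, not captured server output.

```python
"""Scanner for physical-path disclosure in HTTP response bodies.
Added example; not ColdFusion or Macromedia code. Sample pages are constructed."""
import re

# A Windows path: drive letter, then at least one directory segment.
WIN_PATH_RE = re.compile(r'\b[A-Za-z]:\\(?:[^\\/:*?"<>|\s]+\\)+[^\\/:*?"<>|\s]*')
# A Unix path rooted in a directory that only means something on the server.
# The lookbehind keeps URL paths such as http://host/var/... out of the results.
UNIX_PATH_RE = re.compile(r'(?<![\w/])/(?:etc|usr|var|home|opt|srv|tmp)/[^\s"\'<>]+')


def find_path_leaks(body: str) -> list:
    """Return (kind, path) pairs for every server-side path found in a response body."""
    leaks = [("windows", m.group(0)) for m in WIN_PATH_RE.finditer(body)]
    leaks += [("unix", m.group(0)) for m in UNIX_PATH_RE.finditer(body)]
    return leaks


def check_response(name: str, body: str) -> bool:
    """Print any leaks found in one response; True when the response is clean."""
    leaks = find_path_leaks(body)
    for kind, path in leaks:
        print(f"{name}: {kind} path disclosed: {path}")
    return not leaks


# Constructed sample responses (assumptions, not real server output).
SAMPLE_ERROR_PAGE = (
    "<html><body><h1>Error Occurred While Processing Request</h1>"
    "<p>The template could not be found.</p>"
    "<p>File: C:\\Inetpub\\wwwroot\\app\\page.cfm</p></body></html>"
)
SAMPLE_UNIX_TRACE = "Warning: include failed in /var/www/html/lib/db.inc on line 12"
SAMPLE_CLEAN_PAGE = "<html><body><h1>Error</h1><p>See the server log for details.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("error page", SAMPLE_ERROR_PAGE),
                       ("trace", SAMPLE_UNIX_TRACE),
                       ("clean", SAMPLE_CLEAN_PAGE)):
        print(name, "OK" if check_response(name, body) else "LEAK")
```

The clean sample shows the target state: an error page that tells the user something went wrong and tells the server log where, without handing the physical layout of the server to whoever sent the request. Feed `find_path_leaks` the bodies your own error handlers produce (a missing template, a bad include, a malformed parameter) and treat any hit as the disclosure the workaround is meant to close.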

* sudo updates for various Unixes/Linuxes

An update for the sudo package has been released which, among other things, fixes a security flaw that may allow local root compromise. sudo allows 'ordinary users' to run specified commands with superuser privileges; it is installed setuid root to do so, which is why a memory corruption bug in it is a local root issue rather than a bug confined to the calling user. The potential security flaw fixed in the latest release, v1.6.6, is a heap overflow, and whilst heap overflows are generally more difficult to exploit than stack overflows, they have been successfully exploited under some Linux distributions. If this flaw can be exploited successfully, it may allow an ordinary user to gain root privileges.

If you use sudo, check the package's home site (linked below) for update details or check with your vendor for a packaged update to version 1.6.6 (these should become available in the next few days).

Security hole in sudo 1.5.7 - 1.6.5p2 - sudo web site
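A quick way to find the machines that need the update is to compare the installed version against the affected range named in the advisory (1.5.7 through 1.6.5p2, fixed in 1.6.6). The script below is an added example, not part of sudo or of the newsletter; it parses the first line of `sudo -V` and does the comparison. The handling of the `pN` patch-level suffix is an assumption stated in the code: 1.6.5p2 is treated as later than 1.6.5 and earlier than 1.6.6.

```python
"""Check whether an installed sudo falls in the 1.5.7 - 1.6.5p2 range named
by the sudo advisory. Added example; not sudo's own code. The version-string
assumptions are noted inline."""
import re
import subprocess

FIRST_VULNERABLE = (1, 5, 7, 0)
FIXED = (1, 6, 6, 0)

# Matches 'Sudo version 1.6.5p2' and 'Sudo version 1.6.6'; the 'pN' suffix is optional.
VERSION_RE = re.compile(r"version\s+(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", re.I)


def parse_sudo_version(text: str) -> tuple:
    """Turn 'Sudo version 1.6.5p2' into (1, 6, 5, 2).

    Assumption: 'pN' is a patch level on top of the dotted release, so
    1.6.5p2 sorts after 1.6.5 and before 1.6.6. A missing suffix counts as p0.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_vulnerable(version: tuple) -> bool:
    """True for every release from 1.5.7 up to, but not including, 1.6.6."""
    return FIRST_VULNERABLE <= version < FIXED


def installed_sudo_version() -> tuple:
    """Parse the first line of `sudo -V`; raises if sudo is missing or unparseable."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False).stdout
    return parse_sudo_version(out.splitlines()[0] if out else "")


if __name__ == "__main__":
    try:
        v = installed_sudo_version()
    except (FileNotFoundError, ValueError) as exc:
        print("could not determine sudo version:", exc)
    else:
        shown = ".".join(map(str, v[:3])) + (f"p{v[3]}" if v[3] else "")
        verdict = "VULNERABLE - upgrade to 1.6.6" if is_vulnerable(v) else "not in the advisory's range"
        print(f"sudo {shown}: {verdict}")
```

One caveat when reading the result: distributors often backport a fix into a package that keeps the older version string, so a vendor-packaged sudo reporting 1.6.5p2 may already be fixed. Treat the script as a way to find candidates for attention and confirm against the distributor's advisory before deciding a host is clean or vulnerable.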

* UK security survey shows greater threat from outside for first time

The UK Department of Trade and Industry has just published a report based on its 2002 'Information Security Breaches Survey', performed by PricewaterhouseCoopers. Aside from showing an unsurprising increase in the number of security incidents, boosted by the number and scale of virus outbreaks in the previous year, the survey is interesting in that it confirms a recent trend in other security surveys suggesting the old axiom of 'most computer security problems are caused by insiders or recently ex-employees' is waning. This result is somewhat complex to analyse, though, as the question asked was whether the most serious incident was caused by inside or external sources, which is not the same as determining the source of all incidents or the total costs (or severity) of internally vs. externally sourced incidents. Further complicating this issue, a considerably greater proportion of large businesses said their most serious incident was caused by internal activity. For a fuller picture of what these results mean, the full 36-page report makes interesting, and not over-long, reading. A PDF format version of the whole report (or just the executive summary for those in a hurry) can be downloaded from the page linked below.

Information Security Breaches Survey web site
