IDGNet Virus & Security Watch Friday 19 April 2002


This issue's topics:

Introduction:

* Patches for Oracle9i, SQL Server, IE/OE/Entourage/Excel/PowerPoint for Mac

Virus News:

* First SAP virus an exercise in futility?

* Worm writer a Klez-tomaniac...

Security News:

* Critical patches for IE, OE, Entourage, Excel, PowerPoint on Mac

* Unchecked buffer patch for SQL Server 7.0, 2000

* The 'back button attack' in IE

* Patch for critical Oracle9i bug

* Update fixes syncache/syncookie denial of service in FreeBSD

Introduction:

This week saw the release of critical patches for several non-Windows systems. But that does not mean Microsoft was not involved - there are patches for remotely exploitable buffer overflows in SQL Server 7.0 and 2000 and several HTML flaws in various Microsoft products for the Macintosh. Affecting other vendors, a very serious flaw was found and patched in Oracle9i that allows any user to read any data. The 'unbreakable' claim in Oracle's advertising dating from late last year has already been questioned and more recently lampooned - perhaps this will finally kill it? The FreeBSD developers also discovered a couple of easily exploitable flaws in different parts of their networking code that allow relatively easy remote denials of service. As that is not a good look for an OS that touts its security and reliability as a network server OS, patches for these problems were promptly released.

If Windows desktop users feel left out by all this, don't worry. Another nasty security zone flaw has been found in Internet Explorer. There is no patch yet, but it is described below and a link provided to a site that tracks known but unfixed security flaws in IE.

On the virus front it was a fairly quiet week with a new Klez variant gaining quite some distribution since its discovery late Wednesday night (NZ time). Aside from that, less than the usual interest seemed to accompany the discovery of 'proof of concept' code for the first virus for a computing platform not previously infected. One of the programming and scripting environments within SAP's R/3 business software has been (almost) 'virused', but few people seem concerned due to severe limitations on the likely success such code could achieve.

Virus News:

* First SAP virus an exercise in futility?

News broke at the end of last week of the discovery of the first virus written for the SAP R/3 business software system. Known officially as ABAP/Rivpas.A, it was written in SAP's Advanced Business Application Programming (ABAP) language. Rivpas' code is a simple ABAP script that searches the standard location for SAP report and function scripts and is designed to inject a copy of its code into reports and functions that do not already contain the viral code. At least, that is how it was intended to work. As the writer of this script deliberately 'crippled' it so it would not replicate properly, it is what is known as an 'intended virus' (or just 'intended' for short).

Although the discovered code and the comments in it provide a clear proof of concept of at least one way to write a virus in ABAP, SAP users probably have little to fear. Normally SAP production systems will not allow stored report and function scripts to be altered, and attempts to do so should be audited. Thus, even if such code were unwittingly entered into a system (say, by a SAP administrator or programmer being too trusting with some code obtained from another SAP programmer), the attempted security breaches should quickly raise alerts. (In fact, SAP officials are confident that such code would not get as far as a production environment, as sites following expected SAP development protocols should discover such rogue code during the QA step before ever introducing it into a production system.)

Note that although several virus scanners (perhaps all now) have added detection of the proof of concept code, they only detect this code in source form and not once it is stored as a procedure or report in SAP's (possibly proprietary) database format.

Computer Associates Virus Information Center - SAP virus

F-Secure Security Information Center - SAP virus

Network Associates Virus Information Library - SAP virus

Symantec Security Response - SAP virus

Trend Micro Virus Information Center - SAP virus

* Worm writer a Klez-tomaniac...

Following the recent burst of activity from the MyLife worm writer, as reported in the last couple of issues of the newsletter, the writer of Klez has released a new variant of this worm which has also been surprisingly 'successful'. Win32/Klez.H@mm, as it is officially known, mass mails itself with randomly constructed Subject: lines and 'forges' the From: address in its messages, randomly choosing an address found on the victim's machine. The attachments on such messages are randomly renamed copies of itself. It can also send messages claiming to be a program that makes the computer immune from its sibling, Klez.E, which the message warns the reader is the most widespread worm and one that antivirus products have trouble detecting. While the first of these claims is probably not too far from the truth, the latter is incorrect and, of course, this is just an attempt at social engineering naive users into running the new variant. More of the myriad details of this worm's functionality are described in the various antivirus developer links provided.

Computer Associates Virus Information Center - Win32/Klez.H@mm

F-Secure Security Information Center - Win32/Klez.H@mm

Kaspersky Lab Virus Encyclopedia - Win32/Klez.H@mm

Network Associates Virus Information Library - Win32/Klez.H@mm

Symantec Security Response - Win32/Klez.H@mm

Trend Micro Virus Information Center - Win32/Klez.H@mm

Security News:

* Critical patches for IE, OE, Entourage, Excel, PowerPoint on Mac

Various versions of Internet Explorer, Outlook Express, Entourage, Excel and PowerPoint on various Mac OS 8.x, 9.x and OS X platforms are vulnerable to one or more security flaws fixed in a new cumulative patch for Internet Explorer for the Macintosh. As with cumulative patches for the Windows version of IE, this cumulative patch for IE for the Mac contains all previous security hotfixes for the supported version of IE (v5.1 in this case). As is also common with IE for Windows cumulative updates, it also includes patches for some newly discovered vulnerabilities. In this case, two additional bugs are fixed -- one is a buffer overflow potentially allowing for remote execution of arbitrary code and the other can allow a web page to bypass the security checks that should normally prevent, or at least prompt the user before allowing, the running of AppleScripts already on the machine.

The first vulnerability not only affects IE for the Mac but various components based on the same code used in several versions of products in the Office for Macintosh suite. The full list of what is affected and how severely should be checked in the Microsoft security bulletin, linked below, if your users run any of the following Macintosh products: Internet Explorer 5.1 for OS X or for Mac OS 8.x and 9.x, Outlook Express 5.0-5.0.3, Entourage 2001 or v. X, PowerPoint 98, 2001 or v. X, Excel 2001 or v. X. (As this issue of the newsletter is being finalized for posting, the PowerPoint 98 patch is not yet available.)

Microsoft Security Bulletin MS02-019

* Unchecked buffer patch for SQL Server 7.0, 2000

Several weeks ago we reported the discovery of several buffer overflows in the extended stored procedures supplied with SQL Server 7.0 and 2000. Microsoft has now patched these and released updates which are available from the security bulletin linked below. Microsoft rates the overall severity of this vulnerability as 'moderate' because, although it could be used to run arbitrary code on a remote server, typical system configuration options should prevent that. Full details, and the patch, are available from the Microsoft security bulletin. Note that the patch's installation does not require a reboot (just a restart of the SQL service) and that earlier versions of the product were not tested (as they are no longer supported) and may well be vulnerable to the same kinds of problems.

Microsoft Security Bulletin MS02-020

* The 'back button attack' in IE

Andreas Sandblad, a Swedish security researcher, has discovered that Internet Explorer will run JavaScript from the URLs stored in its history list. The real flaw here is that IE runs such scripts in the security zone of the page that was current when the back button was clicked, the Alt-Left Arrow key combination pressed or the item selected from the history lists on IE's back and forward navigation buttons. (That IE will run script code from within the text of a URL was already known and apparently is considered a 'feature'.)

'How can that be a problem?' we hear you asking. Easily - Sandblad noticed that many of the error pages displayed in IE are actually local resources (using the 'res:' protocol) and thus run in the local machine ('My Computer') security zone. The security setting dialog box in Internet Explorer does not provide an interface for altering the options of the 'My Computer' zone and, not surprisingly, by default nearly every option is enabled for this zone. The assumption is that if you copy something to your local disk (outside the Temporary Internet Files, and a few other specially monitored locations which IE considers to be 'part of the Internet') you will take responsibility for its security and integrity, so IE should not have to 'care' about such issues when handling it. Of course, having a mechanism that allows code to 'break out' of any of the 'secured' zones and into the 'unprotected' local machine zone is a serious security flaw. Sandblad has shown this vulnerability can be exploited easily so long as an IE user can be tempted into clicking an invalid link and counted on to then hit the back button. The latter is a very common response to such errors.

Further research into this flaw shows that putting the res: protocol in the Restricted Sites security zone does not work as it did for the about: protocol when a similar vulnerability affecting it was discovered late last year. Microsoft has not responded to this latest public disclosure of yet another IE scripting bug breaking security zones. This is also only one of several security flaws in IE that have been publicly disclosed recently and not yet addressed by Microsoft. Aside from an archived copy of Sandblad's message announcing this flaw to the Bugtraq mailing list, we have included a link to the 'unpatched IE security holes' page, which tracks publicly described security holes in IE that have not yet been patched.

Archived Bugtraq list message - securityfocus.com

Unpatched IE security holes - jscript.dk

* Patch for critical Oracle9i bug

IT security consultant Pete Finnigan has discovered an enormous security hole in Oracle9i's support for the ANSI outer join syntax. This vulnerability allows any user to view any data. Oracle has posted a security alert announcing patch availability to correct this flaw. That alert and the archived copy of Finnigan's announcement of the bug to the Bugtraq mailing list are linked below. Because Oracle9i is the first Oracle product to support ANSI outer joins, it is the only product affected. However, all v9.0.1.x releases for all platforms are vulnerable, and as there is no practical workaround, all Oracle9i administrators should check Oracle's alert to determine their best path of action as soon as possible.

User Privileges Vulnerability in Oracle9i - oracle.com (PDF)

Archived Bugtraq list message - securityfocus.com

* Update fixes syncache/syncookie denial of service in FreeBSD

Two bugs affecting the syncache and syncookie mechanisms in FreeBSD can cause the machine to crash when processing legitimate TCP/IP network traffic. As the syncache and syncookie mechanism was designed to harden the machine against SYN flood-style denial of service attacks, this bug is rather ironic: it opens the machine to a deliberate attack targeted at the very vulnerability it introduces. A kernel patch is available to fix this bug and is linked from the first FreeBSD security advisory linked below.

If you will be applying the syncache/syncookie patch and rebuilding your FreeBSD kernels, you may also want to grab another recent FreeBSD-specific kernel patch. Linked from the second FreeBSD security advisory below, this patch fixes a memory leak in the routing table code and could also be exploited for a remote denial of service attack.

syncache/syncookies denial of service - LinuxSecurity.com

Routing table memory leak - freebsd.org
