IDGNet Virus & Security Watch Friday 12 April 2002

This issue's topics:

Introduction:

* IIS and Sambar patches, NetWare Remote Manager fix, check IE security zones

Virus News:

* New virus installs web server; uses IRC and instant messaging

* MyLife writer still doesn't have one?

Security News:

* Cumulative update for IIS 4.0, 5.0, 5.1 contains new critical patches

* Patch fixes buffer overflow in NetWare Remote Manager

* free.aol.com takes liberties with IE security zone settings

* Patch fixes remote code execution and other bugs in Sambar server

Introduction:

A quiet week for Unix-ish administrators, with no major security issues. Updates of the perennial favourites Sendmail and Apache were released, but neither fixed any outstanding or new security holes; both products hold the majority position in their respective server markets.

Windows administrators, however, may be busier, at least if they run Microsoft's IIS web server. Microsoft has released the next IIS cumulative update and it is the only source of eight new patches, most of which affect all three currently supported versions of IIS -- 4.0, 5.0 and 5.1. The severity of these patches is such that this update is rated as 'critical' over all supported versions of IIS on all platforms. There is also an update for another popular Windows web server, Sambar. This update also patches a remote code execution vulnerability, so should be considered a critical update by Sambar administrators. Aside from their web servers, Windows administrators may want to check their clients' web browsers following publicity about AOL silently adding one of its servers to IE's 'Trusted Sites' security zone.

Although not the force it once was in the PC server market, NetWare still has a devoted following in some quarters. In case they have not already heard, NetWare server admins should obtain and install the 'HTTPSTK vulnerability fix', described below.

On the virus scene, the writer of the MyLife mass mailers still does not seem content with his or her efforts to date and churned out a couple more new variants this week. We also mention a new virus that sets up its own web server on victims' machines as a distribution mechanism.

Virus News:

* New virus installs web server; uses IRC and instant messaging

The Aplore worm discovered at the beginning of the week is a further example of malware writers employing multiple spread mechanisms to increase the chances of their handiwork spreading. Not only does it mass mail itself using a standard Microsoft Outlook routine, but it sets up a mini web server and sends messages to IRC channels and/or AOL Instant Messenger (AIM) contacts directing them to a URL that resolves to the virus' web server. Visitors to that page are presented with a bogus warning that they need to install a plugin to view the page. Of course, the 'plugin' is actually a copy of the virus offered by the virus' web server, rather than being a real browser plugin.

Despite the effort Aplore's writer obviously expended on it, the virus has not been very successful in terms of spreading widely through e-mail. It may have been more successful with its 'person to person' spread via its mini web server and instant messaging, but evidence of such 'success' will take longer to show up: this mode of distribution is more likely to succeed among home and smaller business users, who are also less likely to run the antivirus and personal firewall software that would otherwise quickly detect or block it.

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* MyLife writer still doesn't have one?

Last week we mentioned in the newsletter's introduction that the writer of MyLife had been busy over the Easter weekend creating and releasing several new variants of this mass mailing worm. Apparently still not happy to let it rest, two more variants were released mid-week, with one of these seeing a modest level of 'success'. Known as MyLife.G, this variant has two nasty payloads. When first run and after it attempts to mass mail itself, it deletes several randomly chosen files. Then it sets up its second payload, which will attempt to wipe the contents of drives C: through I: inclusive, to run at the next system restart.

Computer Associates Virus Information Center

Network Associates Virus Information Library

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Cumulative update for IIS 4.0, 5.0, 5.1 contains new critical patches

Microsoft has released a new cumulative patch for IIS versions 4.0, 5.0 and 5.1. As well as including all IIS security patches since NT 4.0 SP6a and all security patches for IIS 5.0 and 5.1, it also includes eight (or ten, depending on how you count them) new patches which have a combined rating of critical for all IIS systems. The new patches cover a range of flaws, from cross site scripting bugs allowing client information disclosure (such as cookie stealing), through easy denial of service attacks, to remote arbitrary code execution.

As always, you should test such updates on non-production systems that as closely as possible match the configuration of the production systems to be patched. There have been various reports of some ancillary services failing after this cumulative update has been applied. Read the 'caveats' section of the Microsoft security bulletin carefully and if at all possible, thoroughly test the update on non-production systems before installing it on machines providing critical services.

Microsoft Security Bulletin MS02-018

* Patch fixes buffer overflow in NetWare Remote Manager

NetWare Remote Manager (NRM), which is included in NetWare 5.1 and 6 server installs by default, allows web-based remote server management. Security researchers at iXsecurity discovered buffer overflows in the authentication mechanism, involving sending overlong username or password information. Depending on the length of authentication data supplied, the main SERVER.NLM or HTTPSTK.NLM would ABEND. Situations where it may be possible to inject arbitrary code that would then be run as a result of the buffer overflow were also found, but the viability of writing a successful exploit of these cases was not tested.

Novell has released an update to the HTTPSTK.NLM to remedy this.

iXsecurity Security Vulnerability Report

HTTPSTK Vulnerability Fix - novell.com

* free.aol.com takes liberties with IE security zone settings

Recent versions of AOL Instant Messenger (AIM), including the version bundled with the v6.x releases of the Netscape web browser and various other bundled or 'integrated' versions, have been found to modify Internet Explorer's security zone settings without asking or warning the user. The 'free.aol.com' domain is added to the Trusted Sites zone. As the Trusted Sites zone is, by default, allowed to do pretty much anything on the computer, this is very unwelcome - even rude - behaviour. The Trusted Sites zone is intended solely to reflect the user's view of trust. Thus, to date, not even Microsoft has had the gall to add *.microsoft.com or even the Windows Update domains to that zone as part of its default configuration of Internet Explorer.

There is no suggestion that AOL has done anything else improper by way of exploiting the fact AIM has been 'loosening' IE users' Trusted Sites zone settings, but the fact it is done at all thrusts AOL's motives into question. Hopefully this is not the thin end of the proverbial wedge and we do not see other vendors taking the fact you chose to trust their software installer by running it as leave to silently alter any of the security settings on your machine...
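Checking for this kind of silent change is straightforward, because Internet Explorer keeps its zone assignments in the registry: each domain under the ZoneMap\Domains key has per-scheme DWORD values whose number is the zone (2 = Trusted Sites). The following PowerShell script is an added example, not part of the newsletter; it lists every host assigned to Trusted Sites in both the per-user and machine-wide maps and flags any host that is not on an administrator-maintained allowlist (the allowlist contents are a constructed sample).

```powershell
# Added example: audit Internet Explorer's Trusted Sites zone (zone ID 2).
# Assumes the standard ZoneMap layout under Internet Settings; the
# $Approved allowlist below is a constructed sample, not from the newsletter.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Hosts the organisation has deliberately placed in Trusted Sites (constructed sample).
$Approved = @('intranet.example.com')

# Check the per-user map and the machine-wide map (the latter is authoritative
# when the "Security Zones: Use only machine settings" policy is enabled).
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneMapEntries {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    foreach ($domainKey in Get-ChildItem -Path $Root) {
        $domain = $domainKey.PSChildName
        # Values set directly on the domain key apply to the bare domain;
        # subkeys are host labels (e.g. 'free' under 'aol.com' -> free.aol.com).
        $keys = @($domainKey) + @(Get-ChildItem -Path $domainKey.PSPath)
        foreach ($key in $keys) {
            $hostName = if ($key.PSPath -eq $domainKey.PSPath) { $domain } else { "$($key.PSChildName).$domain" }
            foreach ($valueName in $key.GetValueNames()) {   # value name is the scheme: 'http', 'https' or '*'
                [pscustomobject]@{
                    Hive   = $Root.Split(':')[0]
                    Host   = $hostName
                    Scheme = $valueName
                    Zone   = [int]$key.GetValue($valueName)
                }
            }
        }
    }
}

$trusted = $ZoneMapRoots | ForEach-Object { Get-ZoneMapEntries -Root $_ } | Where-Object { $_.Zone -eq 2 }

foreach ($entry in $trusted) {
    $flag = if ($Approved -contains $entry.Host) { 'approved' } else { 'UNEXPECTED' }
    '{0,-5} {1,-6} {2,-40} {3,-14} {4}' -f $entry.Hive, $entry.Scheme, $entry.Host, $ZoneNames[$entry.Zone], $flag
}
```

Any line marked UNEXPECTED is a zone entry the user or administrator did not knowingly add; an installer that has widened the zone, as described above, shows up here without needing to open the Internet Options dialog on each machine.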

* Patch fixes remote code execution and other bugs in Sambar server

An updated version of the popular Sambar web server patches multiple buffer overflows. Most of these overflows probably only allow for denial of service type attacks, crashing the server process, but at least one allows the possibility of the much more serious remote arbitrary code execution. The security advisory from NGS Software and acknowledgement of these issues from Sambar are linked below. The NGS Software security advisory also gives the location of the patch download.

NGS Software security advisory

WWW Server Security Alert - sambar.com
