IDGNet Virus & Security Watch Friday 5 April 2002


This issue's topics:

Virus News:

* Is virus scanning obsolete?

Security News:

* Cumulative update for IE includes fixes for new vulnerabilities

* Patch prevents group policy lockout on Windows 2000

* Fix for buffer overflow in NT/2000/XP

* 'DebPloit' allows local users to gain system privileges on NT/2000

* Update fixes bug in ZoneAlarm Pro's MailSafe

Introduction:

After several weeks of no security advisories and patches from Microsoft, we have three this week. The most important, in terms of distribution, is the latest cumulative security patch for Internet Explorer, which apart from including all security hotfixes since the last service pack for the respective supported versions of IE, also includes some brand new and badly needed IE patches. System admins running Windows 2000 with group policies should check the MS02-016 advisory and all NT, Windows 2000 and XP administrators should consider rolling out the Multiple UNC Provider buffer overflow fix. Further, the recent 'DebPloit' vulnerability, allowing any NT or Windows 2000 user to run any application as an administrator-equivalent user, should raise some cause for concern as a publicly released exploit is available and there is no sign of an official patch from Microsoft. Finally, ZoneAlarm Pro users who depend on the MailSafe option to 'disable' possibly dangerous attachments should note there has been an update to fix several shortcomings in this functionality of the popular firewall.

On the virus front this week it has been very quiet, despite a concerted effort by the writer of the MyLife mass mailers. Several new variants were created and released over the Easter weekend, with most failing to reach even minor nuisance levels. As these are really not worthy of 'column inches', I have chosen instead to direct our readers to an opinion piece on the advisability of continued use of the technology at the core of most current antivirus software.

Virus News:

* Is virus scanning obsolete?

Your list compiler is an antivirus researcher and industry critic with many years' experience either observing, or directly involved in, the antivirus industry. Having presented a paper at the de facto industry conference a couple of years back titled 'Why You Should Stop Using Scanners', it should not be surprising that the article linked below was of interest to me. Although it is a controversial topic, the writing is on the wall for scanning as a viable 'solution' to the problem of providing antivirus protection. The main question most developers debate behind closed doors is how long they can continue as they have for so long, rather than whether they can...

Past its Prime: Is Anti-Virus Scanning Obsolete? - securityfocus.com

Security News:

* Cumulative update for IE includes fixes for new vulnerabilities

The latest cumulative security update for Internet Explorer includes fixes for two acknowledged new security flaws, but also seems to patch some other recently discovered vulnerabilities that opened IE or other products using IE to display HTML content (notably Outlook and Outlook Express, but also many third-party products) to remote code execution exploits.

Reinforcing the view that Microsoft has a convoluted and ever-changing policy regarding the provision of security support for 'older' products, IE 5.01 SP2 is covered by this update, as it was by the previous IE patch, but not by some earlier ones. However, as the security advisory notes, 'IE 5.01 SP2 is supported only via Windows 2000 Service Packs and Security Roll-up Packages and on Windows NT 4.0'.

Overall Microsoft rates the severity of the vulnerabilities fixed in this cumulative update as 'critical' for all versions of IE covered by the update and across all forms of deployment. This is not surprising given that some of the new vulnerabilities patched (both admitted to and not) can be used in combination to produce further 'auto-detach and execute' type attacks that breach IE's security zones model.

Microsoft Security Bulletin MS02-015

* Patch prevents group policy lockout on Windows 2000

A mechanism exists whereby a bona fide domain user can lock access to group policy files, log in again from a second machine, and not have new policies applied to that login. This is a rather esoteric 'attack' and in general it does not appear that substantial benefit could be gained by exploitation of the flaw unless substantial changes to group policies have been made. Microsoft rates this vulnerability as of moderate severity and only on intranet servers (and specifically, domain controllers at that). More details and the patches can be obtained from the security advisory linked below.

This vulnerability only affects Windows 2000 servers.

Microsoft Security Bulletin MS02-016

* Fix for buffer overflow in NT/2000/XP

Microsoft has just released an update to fix a possible buffer overrun problem in NT 4.0, Windows 2000 and XP in both workstation and server versions where applicable. The problem lies in an unchecked buffer in the Multiple UNC Provider (MUP) service on these platforms that, if exploited, could result in code of the attacker's choice being run with elevated (system) privileges. Microsoft rates the overall severity of this problem as moderate and points out that it can only be exploited by local users and not remotely.

Microsoft Security Bulletin MS02-017

* 'DebPloit' allows local users to gain system privileges on NT/2000

This newsletter seldom describes security flaws for which vendor-provided patches, or at least reasonable workarounds, are not already available. The occasional exception is for flaws of such a scale or affecting such huge numbers of systems that silence seems negligent.

DebPloit is such a case. DebPloit's writer has taken advantage of a flaw in NT and Windows 2000 security that allows any user to duplicate a handle to almost any running process via the debugging API. As processes running with system privileges can be hijacked this way, non-administrator users can effectively escalate their privileges to administrator equivalent and run arbitrary code with those permissions. An exploit has been publicly released, along with its source code, demonstrating the use of this technique to allow any logged in user - even 'guest' - to run any other program with system privileges.

As Microsoft has not publicly acknowledged this security flaw, there is clearly no official patch. However, at least two independent Windows security experts have produced patches that assign a more stringent ACL to the affected debug procedure call port. One is the discoverer of the vulnerability and writer of the exploit, 'Radim "EliCZ" Picha'. The download from his web site includes both the exploit mentioned above and 'DBFix' (and source code for both). Alternatively, the University of Stuttgart developed a utility named 'chsystem' that sets the ACLs of specified objects to 'system-only'. This can be used to modify the ACL on the DbgSsApiPort that DebPloit exploits. 'chsystem' is available from a page under the home page of the manager of the University of Stuttgart's internal CERT, Florian Weimer.

Please note that the OS/2 sub-system has been reported to malfunction after running these tools to alter DbgSsApiPort's ACL. No other problems associated with these fixes are known at this time but as these are not Microsoft supplied or 'sanctioned' patches, their use must be carefully considered.

'Radim "EliCZ" Picha' DebPloit page

Florian Weimer's 'chsystem' page

* Update fixes bug in ZoneAlarm Pro's MailSafe

A patch has been released to correct several security flaws in the popular personal firewall ZoneAlarm Pro. Most of these are described, by Edvice Security Services who discovered them, as well known e-mail filter bypass tricks, but one in particular is described in detail in the Edvice security advisory.

ZoneAlarm Pro offers a feature known as MailSafe, which renames 'dangerous' e-mail attachments by altering their filenames to have 'odd' extensions that are, in turn, associated with the ZoneAlarm application. Thus, if a user attempts to open an attachment with such a renamed extension, ZoneAlarm Pro displays a warning, preventing the possible disaster of running an unwanted or unknown program. It has been reported that MailSafe fails to rename attachments with extensions on its 'dangerous' list if the extension has an extra dot character appended to it. Thus, while 'example.exe' would be renamed by ZoneAlarm, 'example.exe.' would not. As most e-mail client software depends on the Windows shell (usually Explorer) to determine what to do with attachments that are executed (or 'opened') direct from the mailer and Explorer happily ignores such 'superfluous' dot characters, this flaw opens an interesting avenue of attack.
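The trailing-dot bypass described above is a canonicalisation mismatch: the filter and the Windows shell disagree about what the extension of 'example.exe.' is. The following is an added illustration, not ZoneAlarm's code; the extension list, the quarantine suffix and the sample attachment names are constructed, and shell_normalize is a simplified approximation of how the shell drops trailing dots and spaces. It places a filter that splits on the last dot of the raw name beside one that normalises the name the way the consumer will before deciding.

```python
"""MailSafe-style attachment screening: flawed check beside a hardened one.

Added example; DANGEROUS_EXTENSIONS and QUARANTINE_SUFFIX are constructed
stand-ins, not ZoneAlarm's actual values.
"""

DANGEROUS_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}
QUARANTINE_SUFFIX = ".zlq"   # constructed stand-in for MailSafe's 'odd' extension


def shell_normalize(filename: str) -> str:
    # Approximation of Win32 name canonicalisation: trailing dots and spaces
    # are discarded, so 'example.exe.' and 'example.exe ' both resolve to
    # 'example.exe'. (Assumption: simplified, not the full Win32 rule set.)
    return filename.rstrip(". ")


def naive_is_dangerous(filename: str) -> bool:
    # Flawed check in the style of the reported bug: it looks only at the text
    # after the last dot of the raw name. 'example.exe.' yields an empty
    # extension and is waved through.
    ext = filename.rpartition(".")[2]
    return ext.lower() in DANGEROUS_EXTENSIONS


def hardened_is_dangerous(filename: str) -> bool:
    # Canonicalise the same way the consumer (the Windows shell) will before
    # deciding, so the filter and the shell agree on which handler runs.
    ext = shell_normalize(filename).rpartition(".")[2]
    return ext.lower() in DANGEROUS_EXTENSIONS


def quarantine_name(filename: str) -> str:
    # Rename a dangerous attachment so that opening it reaches the firewall's
    # warning handler rather than the program loader. Safe names pass unchanged.
    if hardened_is_dangerous(filename):
        return shell_normalize(filename) + QUARANTINE_SUFFIX
    return filename


def screen_attachments(names):
    # Apply the hardened rename to a whole message's attachment list,
    # returning a mapping of original name -> name as delivered.
    return {n: quarantine_name(n) for n in names}


# Constructed sample attachment names, including the trailing-dot bypass.
SAMPLE_ATTACHMENTS = ["invoice.exe", "invoice.exe.", "invoice.exe .",
                      "notes.txt", "photo.JPG"]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r:16} naive={naive_is_dangerous(name)!s:5} "
              f"hardened={hardened_is_dangerous(name)!s:5} "
              f"-> {quarantine_name(name)!r}")
```

The design point is that the filter must normalise before it compares: whatever component finally decides which program opens the file (here the shell) defines the canonical form, and a filter that matches on anything else is matching on a string the consumer never sees.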

ZoneAlarm Pro v3.0.118 has been released and fixes most of the problems discovered by Edvice, but note the advisory warns of at least one more flaw they discovered that has yet to be patched in MailSafe.

Edvice security alert

New and improved features in ZoneAlarm Pro v3.0.118 - zonealarm.com
