IDGNet Virus & Security Watch Friday 8 March 2002

This issue's topics:

Introduction:

* Three more worms, JVM bugs, critical OpenSSH update and some reading

Virus News:

* 'Britney worm' spawns bad puns; no action

* Another 'Microsoft security update' worm fails to jibe with users

* A life less interesting...

Security News:

* Microsoft ships more SNMP patches

* Fix for arbitrary code execution vulnerability in Windows shell

* Patches for Sun and Microsoft Java applet information disclosure bug

* Netscape cookie stealing hole patched

* Patch fixes OpenSSH root compromise

* NIST releases draft guidelines on securing web servers

* New paper exploring viability of non-stack based overflows

Introduction:

Probably the biggest issue this week is the patch for a root privilege escalation bug in most versions of OpenSSH still likely to be in production. Administrators with Netscape users should check that their users have installed the updates for the cookie stealing and JVM bugs; the latter also affects most Windows and IE users. Windows administrators should also check the just-released MS02-014 security bulletin, which describes a bug in the Windows shell that can, in unlikely situations, open a remote arbitrary code execution hole. On top of that we have a trio of unsuccessful (and, in two cases, somewhat hyped) worms and some security reading material that should be of interest. One of the latter weighs in at around 140 pages, but should be worth the read for those concerned with the security of web servers.

Virus News:

* 'Britney worm' spawns bad puns; no action

A new VBS mass mailer, using Outlook to send itself, was discovered late last week. Its writer clearly hoped it might spread more widely by offering the virus as pictures of teen pop idol, singer Britney Spears. This approach worked for the VBS/VBSWG.J virus, better known in the popular media as 'the Anna Kournikova virus' because it offered pictures of the popular Russian tennis player. However, aside from failing, in this instance, to improve the virus' chances of success (no confirmed 'in the wild' infections have been reported), the ploy certainly caused naming confusion among antivirus researchers and led to many media reports involving bad puns based on Spears' song titles and lyrics.

Officially named VBS/Chick.A@mm, this virus has variously been dubbed Breetnee, BritneyPic, Brit and Britney. Its only point of technical interest is that the virus' script code runs from inside a compiled HTML help (.CHM) file. Normally this requires allowing an ActiveX control to run that is otherwise blocked by the default security zones policy. The virus writer was well aware of this and included a plea in the help file for the user to enable the ActiveX control when prompted as the image viewer required to see the promised pictures of Britney needed it. Fortunately, it seems few users are dumb enough to proceed under such conditions and enable the ActiveX control. Perhaps things are looking up after all?

Computer Associates Virus Information Center - britney worm

F-Secure Security Information Center - britney worm

Kaspersky Lab Virus Encyclopedia - britney worm

Network Associates Virus Information Library - britney worm

Sophos Virus Info - britney worm

Symantec Security Response - britney worm

Trend Micro Virus Information Center - britney worm

* Another 'Microsoft security update' worm fails to jibe with users

Several recent mass mailing worms have tried to improve their chances of spreading by using the ruse of masquerading as an official Microsoft security update. Win32/Gibe.A@mm is another, and although limited numbers have been spotted in the wild, it seems unlikely Gibe will take off from where it is now. Gibe is a little unusual in that, as well as having a (buggy and non-functional) Outlook mass mailing mode, it also has its own SMTP client code which does send copies of itself from victim machines, using the default SMTP server configured in the system registry. The curious may read more technical details in the linked antivirus developer descriptions.

As a reminder, Microsoft has a strict policy of _not_ e-mailing security updates. If it e-mails information about the availability of security updates it will include links to the updates at the official www.microsoft.com and/or ftp.microsoft.com distribution sites. A link to Microsoft's statement of this policy is provided below.

Microsoft Software Distribution Policy - Win32/Gibe.A@mm

Computer Associates Virus Information Center - Win32/Gibe.A@mm

F-Secure Security Information Center - Win32/Gibe.A@mm

Network Associates Virus Information Library - Win32/Gibe.A@mm

Sophos Virus Info - Win32/Gibe.A@mm

Symantec Security Response - Win32/Gibe.A@mm

Trend Micro Virus Information Center - Win32/Gibe.A@mm

* A life less interesting...

Yet another dull mass mailer is starting to generate user, and thus probably eventually media, attention. Your newsletter compiler's usual standard for deciding whether such things are likely to be real threats (the Virus Eye and Threat List pages at MessageLabs' online statistics site) suggests Win32/MyLife.A@mm will not be much of a story, but as it is too close to deadline to wait for more data, we will mention it in passing. MyLife arrives in an e-mail message with a Subject: line of 'my life ohhhhhhhhhhhhh', an inane message body and an attachment named 'My life.scr'. Running the attachment displays an image of a small girl holding a flower and, in the background, the virus uses Outlook to send a copy of itself to all users in Outlook's address book. MyLife also adds a registry setting to start itself at system (re)start. When run this way, it does not e-mail itself again but may delete program, driver and library files from important system directories, causing system failure on subsequent restarts.

F-Secure Security Information Center - Win32/MyLife.A@mm

Network Associates Virus Information Library - Win32/MyLife.A@mm

Sophos Virus Info - Win32/MyLife.A@mm

Trend Micro Virus Information Center - Win32/MyLife.A@mm
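The three worms above share a handful of mail-level indicators the newsletter already spells out: a script-carrying .CHM attachment (Chick), a message posing as a Microsoft security update with a file attached (Gibe, which Microsoft's no-e-mailed-updates policy makes trivially suspect), and the fixed subject line and 'My life.scr' attachment of MyLife. The following gateway triage filter is an added example written for this newsletter, not code from any of the antivirus vendors linked here. The sample messages are constructed test data, not captured worm samples, and the attachment names used for the Gibe-style and Chick-style lures are invented placeholders, since the newsletter does not give them.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types the three lures ride in on: a .CHM help file carrying VBS
# (Chick), an executable posing as a "patch" (Gibe) and a .SCR screensaver
# (MyLife). A few other common executable types are added for completeness.
RISKY_EXTENSIONS = {".scr", ".chm", ".exe", ".vbs", ".pif", ".bat", ".com"}

# Indicators quoted from the newsletter text.
MYLIFE_SUBJECT = "my life ohhhhhhhhhhhhh"
MYLIFE_ATTACHMENT = "my life.scr"
UPDATE_WORDS = ("security update", "security patch", "hotfix")


def triage(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message should be quarantined (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    attachments = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

    for name in attachments:
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"executable attachment: {name}")
        if ext == ".chm":
            reasons.append("compiled HTML help file can run script via ActiveX")

    if subject == MYLIFE_SUBJECT or MYLIFE_ATTACHMENT in attachments:
        reasons.append("matches Win32/MyLife.A@mm lure")

    # Microsoft does not e-mail updates, so any message that claims to be one
    # and carries a file is a lure regardless of how official it looks.
    text = subject + " " + body
    if "microsoft" in text and any(w in text for w in UPDATE_WORDS) and attachments:
        reasons.append("claims to be a Microsoft security update with attached file")

    return reasons


def build(sender, subject, body, attachment_name=None, attachment_bytes=b""):
    """Construct a sample message as bytes (test data only, not a real worm)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(attachment_bytes, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples; attachment names other than MyLife's are placeholders.
SAMPLES = {
    "mylife": build("friend@example.invalid", "my life ohhhhhhhhhhhhh",
                    "hiii, look at my life :)", "My life.scr", b"MZ-placeholder"),
    "fake_update": build("updates@example.invalid", "Internet Security Update",
                         "Microsoft has released this security update. "
                         "Install the attached patch.", "patch.exe", b"MZ-placeholder"),
    "chick": build("fan@example.invalid", "Britney pics",
                   "enable the viewer control to see the pictures",
                   "pics.chm", b"ITSF-placeholder"),
    "clean": build("boss@example.invalid", "Meeting notes", "See you at 10."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw) or ["clean"])
```

The extension rule does most of the work and survives the next rename; the MyLife subject match is there only to show how a known-lure signature slots in beside the generic checks.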

Security News:

* Microsoft ships more SNMP patches

With the initial hysteria over the mass SNMP flaws having died right down, it now seems reasonable to specifically mention that any Microsoft OS administrators wishing to use the SNMP components of those systems should keep an eye on the MS02-006 security bulletin. Microsoft first released this when news of the widespread SNMP problems broke, but had no patches ready to ship. Since then the bulletin has been updated twice, as patches for Windows XP and 2000, and this week for NT 4.0, have been released. A little reading between the lines suggests that eventually patches for the SNMP components of Windows 95, 98, 98SE and NT Terminal Server (ME does not ship with an SNMP component) will also be released. We note that (for now) the text of the security bulletin has not been edited as carefully as it should have been - for example, as this is being written the 'Recommendation' heading at the top of the bulletin strongly suggests that NT 4.0 patches are not available and that the appropriate stance for NT 4.0 users is to disable SNMP.

Microsoft Security Bulletin MS02-006 (Revision 3)

* Fix for arbitrary code execution vulnerability in Windows shell

An unchecked buffer in the shell component that locates improperly removed applications is vulnerable to an arbitrary code execution overflow. Normally this would not be remotely exploitable, but under unusual conditions this vulnerability could be exploited remotely. As the security bulletin advising of this vulnerability and fix literally arrived as the newsletter compiler was about to post the final copy, we will leave it to readers to check the details on Microsoft's site. Patches are only available for Windows 98, 98SE, 2000, NT 4.0 and NT 4.0 Terminal Server, but may apply to Windows 95, which was not tested. Windows ME and XP were tested by Microsoft and found not to be affected.

Microsoft Security Bulletin MS02-014

* Patches for Sun and Microsoft Java applet information disclosure bug

Both Sun and Microsoft have released patches that fix a long-standing information disclosure bug in their respective Java Virtual Machine (JVM) and Microsoft Virtual Machine (Microsoft VM) components. The bug in both VMs is a session hijacking flaw that allows a Java applet to redirect traffic from a proxy server, should a victim machine connect to the web via a proxy. This redirection would be invisible to the user and could be used for information stealing, spoofing and related information integrity attacks.

Popular products affected by this flaw include most Microsoft OSes, most releases of Internet Explorer, most versions of Netscape and of course, Sun's SDK, JRE and JDK products. Microsoft shipped affected versions of the Microsoft VM with Windows 95, 98, ME, 2000, XP and NT 4.0, and with all versions of Internet Explorer before v6.0. Microsoft rates this vulnerability as being of critical severity on workstations. An update for the Microsoft VM is available from the Microsoft security bulletin (linked below) describing the vulnerability and its fix. Sun's security bulletin, also linked below, lists the Java SDK, JRE and JDK versions affected and the download locations for the fixed versions of those releases. Netscape advises that users of its v6.2 and v6.2.1 browsers are unaffected, as those new versions shipped with the updated JVM components from Sun. However, it recommends users of all earlier Netscape browser versions should update to the latest release, v6.2.1, as earlier versions of the browser with Java support are vulnerable.

Further, Sun's bulletin warns that other vendors' Java implementations that are derived from its SDK and JDK source may also be affected, and that it has supplied details of the necessary fixes to all its Java licensees. Administrators of systems running non-Sun and non-Microsoft Java implementations should check with their vendors on the status of this vulnerability in their products and on the availability of updates.

Microsoft Security Bulletin MS02-013

Netscape Security Center

Sun Security Bulletin #00216

* Netscape cookie stealing hole patched

Firmly on the heels of the release of the Netscape v6.2 browser package, an update was released to patch a privacy-threatening information disclosure bug. The flaw allows web pages from one domain to obtain cookies from other domains, which could compromise access to information stored on web servers other than the one hosting the current page (where do you think all the details for those 'Remember me' web page options are stored?). Users with SmartUpdate enabled should already have been prompted to install the update.

Netscape Security News
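The property the Netscape patch restores is that a page is only ever handed cookies whose Domain attribute matches the host it was loaded from. To make that scoping rule concrete, here is an added example of a minimal cookie jar that applies the domain-match test from RFC 2109 on both setting and lookup; it is illustrative code written for this newsletter, not Netscape's implementation, and simplifies the full specification (no Secure flag, no expiry, no port handling). Host names such as www.bank.example and evil.example are invented for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 2109 domain-match: exact host match, or cookie_domain begins with a
    dot and is a proper suffix of host (so '.shop.example' covers m.shop.example
    but never evil.example)."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if host == cookie_domain.lstrip("."):
        return True
    return (cookie_domain.startswith(".")
            and host.endswith(cookie_domain)
            and len(host) > len(cookie_domain))


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str


class CookieJar:
    def __init__(self):
        self._cookies = []

    def set_cookie(self, origin_host, name, value, domain=None, path="/"):
        """Store a cookie set by a response from origin_host. A site may only set
        cookies for a domain it belongs to, and never for a whole top-level domain."""
        domain = (domain or origin_host).lower()
        if not domain_matches(origin_host, domain):
            raise ValueError(f"{origin_host} may not set cookies for {domain}")
        if domain.startswith(".") and "." not in domain[1:]:
            raise ValueError(f"domain {domain} is too broad")
        self._cookies.append(Cookie(name, value, domain, path))

    def cookies_for(self, url):
        """Return only the cookies a page at url is entitled to see."""
        parts = urlsplit(url)
        host, path = (parts.hostname or ""), (parts.path or "/")
        return {c.name: c.value for c in self._cookies
                if domain_matches(host, c.domain) and path.startswith(c.path)}


def demo():
    """Constructed scenario: two sites set cookies, a third tries to read them."""
    jar = CookieJar()
    jar.set_cookie("www.bank.example", "session", "abc123")            # host-only cookie
    jar.set_cookie("shop.example", "cart", "42", domain=".shop.example")  # whole-site cookie
    return {
        "bank_page": jar.cookies_for("http://www.bank.example/account"),
        "shop_subdomain": jar.cookies_for("http://m.shop.example/basket"),
        "other_site": jar.cookies_for("http://evil.example/"),
    }


if __name__ == "__main__":
    for page, cookies in demo().items():
        print(page, cookies)
```

The interesting branch is the empty result for the third site: the cookie-stealing bug amounts to a browser that skipped this lookup check, and the setting-time check stops the mirror-image abuse of one site planting cookies in another's namespace.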

* Patch fixes OpenSSH root compromise

Joost Pol of PINE Internet has discovered an 'off by one' error in OpenSSH. It has been established that this bug affects all OpenSSH versions from v2.0 to v3.0.2 inclusive. The bug allows any user who can authenticate to an OpenSSH server to obtain root privileges, and it is suggested that such a root compromise may be possible without the malicious user having to authenticate. The OpenSSH project has released OpenSSH v3.1 to address this critical security flaw, and all OpenSSH users should update immediately by downloading the source from the OpenSSH site and rebuilding, or by applying the source patch from the OpenSSH security advisory. Alternatively, affected users of systems that package OpenSSH may wish to check for the availability of updated OpenSSH packages from their system vendors.

PINE Internet Security advisory

OpenSSH home page

OpenSSH Security Advisory
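Since the advisory gives a precise version range (v2.0 through v3.0.2 inclusive, fixed in v3.1), the first job for an administrator is to find every host still inside it. The script below is an added example, not part of the OpenSSH project or the PINE advisory: it parses version strings in the two forms an inventory is likely to hold, the `ssh -V` output and the server identification banner, and lists the hosts that need the update. The inventory is constructed sample data and the host names are invented.

```python
import re

# Range stated in the advisory, compared as (major, minor, patch) tuples.
VULN_LOW = (2, 0, 0)
VULN_HIGH = (3, 0, 2)
FIXED = (3, 1, 0)

# Matches "OpenSSH_3.0.2p1" in ssh -V output and in banners like
# "SSH-2.0-OpenSSH_2.9p2". The portable-release suffix (p1, p2) is
# deliberately not captured: it does not change the upstream release.
_VERSION_RE = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)(?:\.(\d+))?")


def parse_openssh_version(text):
    """Return (major, minor, patch) for an OpenSSH version string, or None
    when the text does not identify an OpenSSH build at all."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text):
    """True if inside the affected range, False if outside it, None if unknown."""
    version = parse_openssh_version(text)
    if version is None:
        return None
    return VULN_LOW <= version <= VULN_HIGH


def audit(inventory):
    """inventory: mapping of host -> version text. Returns (needs_update, unknown)."""
    needs_update = sorted(h for h, t in inventory.items() if is_vulnerable(t))
    unknown = sorted(h for h, t in inventory.items() if is_vulnerable(t) is None)
    return needs_update, unknown


# Constructed sample inventory, not real hosts.
INVENTORY = {
    "build01": "OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f",
    "web02": "SSH-2.0-OpenSSH_3.1",
    "db03": "SSH-1.99-OpenSSH_2.9p2",
    "legacy04": "SSH-1.5-1.2.27",   # a non-OpenSSH server; out of scope here
    "old05": "OpenSSH_1.2.3",       # predates the affected range
}

if __name__ == "__main__":
    needs_update, unknown = audit(INVENTORY)
    print("update required:", needs_update)
    print("not OpenSSH / unrecognised:", unknown)
```

One caveat for users of vendor packages: a distribution may backport the fix without changing the upstream version string, so a host this check flags should be confirmed against the vendor's package version before it is rebuilt.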

* NIST releases draft guidelines on securing web servers

The US National Institute of Standards and Technology (NIST) has released a draft of its 'Guidelines on Securing Public Web Servers' for public comment. These guidelines describe the design, installation and maintenance of secure, publicly accessible web servers. Although they should be considered as still in draft form and likely to be altered following the current round of public comment, from a brief perusal, the guidelines seem a good starting point for anyone embarking on a web server design and implementation project or beginning a review of an existing web server project. A copy of the 140 page document in PDF format (approximately 1.3 MB) is available from the NIST draft documents page linked below.

NIST Draft Publications

* New paper exploring viability of non-stack based overflows

David Litchfield, discoverer of several recent Oracle security flaws and many other security problems across a range of popular applications, has just released a research paper describing non-stack buffer overflows. Buffer overflows, particularly those injecting their overflows onto the stack, have long been the 'stock in trade' of hackers. However, recently, development tools and processes to help protect against overflows, and particularly stack overflows, have become more common. In light of that, Litchfield has considered other types of buffer overflows and presents the results of some of this work, with a specific focus on Windows systems, in his 'Non-Stack Overflows on Windows' paper, a PDF of which is linked below. While probably more understandable to readers of a technical bent, it is important for all IT staff responsible for managing security issues to keep an eye on (likely) developing trends, and this short (5 page) paper should be worth the read for all concerned with security.

NGSSoftware Security Research Paper (PDF format - requires Acrobat Reader)
