IDGNet Virus & Security Watch Friday 15 February 2002

Introduction:


* Multiple IE and SNMP flaws, BlackICE, Telnet server & mIRC updates, CoolNow worm

Virus News:

* JS/CoolNow worms its way through MSN Messenger users

Security News:

* Patch fixes buffer overflow in Windows 2000/Interix v2.2 Telnet server

* IE cumulative update includes patches for v5.01 SP2, 5.5 & 6.0

* Fix for ISS BlackICE and RealSecure Server Sensor for Windows 2000/XP

* mIRC update fixes buffer overflow

* Multiple SNMP vulnerabilities affect hundreds of products

* Beginner security advice for home and small business users


Despite suggestions of imminent Internet meltdown, in the first few days since multiple serious security flaws affecting most SNMP implementations became public, life seems to have continued much as before. Network and system administrators will have to make extensive and careful checks of innumerable products from virtually all of their network hardware and software vendors 'just to be sure', but extensive outages or other disruption to the Internet as a result of exploitation of these vulnerabilities seems a remote likelihood.

Aside from the SNMP checks, which affect all systems, Windows administrators also have major Internet Explorer updates to obtain and roll out, and should check whether the latest Telnet server security flaw affects their installations. The IE patches are made all the more urgent by the latest worm to hit the net, JS/CoolNow, which exploits one of the vulnerabilities fixed in that set of patches. This IE patch set is a cumulative update but also includes half a dozen fixes for serious vulnerabilities that are not available elsewhere. Windows users of mIRC should also check they have the latest version of this popular IRC client to avoid exposing themselves to a remotely exploitable buffer overflow. Users of ISS' BlackICE, and the related RealSecure Server Sensor, for Windows 2000 and XP should also be checking for the latest updates, which correct a remote denial of service and arbitrary code execution attack via a buffer overflow in earlier versions of these products. Finally, we include a link to an introductory computer security page which may be of use should you have new computer users in need of some security guidance.

Virus News:

* JS/CoolNow worms its way through MSN Messenger users

Early on Thursday afternoon, messages about a new worm affecting MSN Messenger users started to arrive at various antivirus developers and security mailing lists and monitoring points. The worm is very simple, depending on users to click a URL in an MSN Messenger message exhorting the reader to urgently visit the web site in the link. Internet Explorer users who visit the web page and who are not patched with the latest batch of IE security updates (see item in the Security News section, below) will have MSN Messenger send the same message to all contacts in the victim's contact list.

Several variants running from different web servers have been located and most of those web pages were promptly shut down (hopefully all are by the time you read this). As with a few other worms that made brief splashes last year, having its code centrally located means CoolNow is easy to shut down, but it also means that fewer users may become motivated to obtain and install the necessary updates because the attack will stop as abruptly as it started.

Various antivirus developer descriptions:

Computer Associates Virus Information Center

F-Secure Computer Virus Information Pages Virus Encyclopedia

McAfee Security

Sophos Virus Analysis

Symantec Security Response

Trend Micro Virus Encyclopedia

Security News:

* Patch fixes buffer overflow in Windows 2000/Interix v2.2 Telnet server

Microsoft has released a patch for the Telnet servers in Windows 2000 and in its Interix v2.2 product. Buffer overflows in the telnet options-handling code of these servers leave them vulnerable to at least denial of service attacks (the telnet server will hang) and possibly to remote execution of arbitrary code.

Microsoft rates this vulnerability as moderate on Windows 2000 systems and low on other systems running Interix. However, in the newsletter compiler's opinion, the prospect of remote arbitrary code execution should see these flaws considered as being toward the more serious end of the spectrum. The Telnet service is installed, but not enabled, by default under Windows 2000 and it is not included in the default Interix v2.2 installation. Sites that have enabled either service, and particularly if this is visible to the Internet or if you cannot trust local network users, should install the update as soon as practicable.

Microsoft security bulletin: ms02-004

* IE cumulative update includes patches for v5.01 SP2, 5.5 & 6.0

The latest IE cumulative patch released by Microsoft contains six new fixes, all of moderate or critical severity, that are available only in this cumulative update; several of them address critical vulnerabilities. It does not seem worth outlining each flaw here -- suffice it to say that most of them are non-issues if you have scripting disabled in IE, but few users or administrators will actually use IE so configured. That one of them allows scripts to run despite a user having scripting disabled, or having it set to 'prompt' and having disallowed scripts on a given page, must rank as one of the more egregious of all IE bugs, even given Microsoft's appalling record for scripting and scripting-related flaws in this product. The details of each flaw can be read in the very long security bulletin.

Despite its usual 'current and previous major release' policy for supporting products with security (or any!) updates, Microsoft has included patches for IE 5.01 SP2 in these latest IE updates. However, note that this support is 'only via Windows 2000 Service Packs and Security Roll-up Packages', so IE 5.01 SP2 is only supported if you run it on Windows 2000.

As a warning about this update, it was uploaded then removed from the Windows update servers a couple of times since it was first announced -- hopefully whatever problems the update had are now resolved.

Microsoft describes one of the patches as only of moderate severity and describes a minor exposure it opens unsuspecting users to. However, the vulnerability can in fact be exploited to steal all MSN Messenger contact list details from a vulnerable user and generally perform any MSN Messenger action that could be performed if the attacker had local console access to the victim's machine. This obviously includes sending MSN messages as the victim. All this can be done from a web page under the default IE security settings and from an HTML e-mail message under default pre-Outlook 2000 Security Update security settings. In fact, since writing the initial draft of this item, the JS/CoolNow worm (referred to above in the Virus News section of this newsletter), which exploits just this possibility of this vulnerability, was released and has spread widely.

While Microsoft claims (in MS02-005) that this latest cumulative patch 'eliminates all known security vulnerabilities affecting Internet Explorer 5.01, 5.5 and 6.0', we have included a link to a site that documents known and publicly discussed but as yet unpatched security flaws in IE. It should be noted that the so-called 'codebase localpath' vulnerability listed on that page allows remote execution of arbitrary existing local programs.

Microsoft security bulletin: ms02-005

Unpatched IE scripting flaws

* Fix for ISS BlackICE and RealSecure Server Sensor for Windows 2000/XP

An exploitable buffer overflow across ISS firewall products has been patched. Download links for the corporate and consumer versions of BlackICE, and for the RealSecure Server Sensor components are available from the ISS home page, linked below.

Following an initial report that a ping flood with packets around 10,000 bytes caused machines running BlackICE to blue-screen, more detailed research revealed the presence of a remotely exploitable buffer overflow. This allows the injection and execution of arbitrary code inside a kernel mode process of the firewall software. Users of these products should upgrade as soon as practicable or follow the advice on the ISS site regarding implementing workarounds.

Internet Security Systems home page

* mIRC update fixes buffer overflow

An independent researcher has uncovered a remotely exploitable buffer overflow in the popular Windows IRC client, mIRC. This overflow can be exploited to run arbitrary code on the victim machine if the attacker has control of the IRC server the victim connects to. This can be facilitated by mIRC's handling of irc:// URLs, which can be included in web pages or HTML e-mail messages sent to potential victims. The v6.0 release of mIRC, and the subsequent v6.01 update, correct the buffer overflow vulnerability.

mIRC Security advisory

mIRC download page

* Multiple SNMP vulnerabilities affect hundreds of products

The network security story of the week must be the furore that has erupted around the results of some research performed by a Finnish university computer security team. The Oulu University Secure Programming Group (OUSPG) has researched extensive boundary test cases against many implementations of the Simple Network Management Protocol version one (SNMPv1). SNMPv1 is widely used in many network devices, including standard workstation OSes, as a means for devices to report problems to central management consoles and for those consoles to send management commands to the devices under their control. For example, a router or network switch or hub, buried deep in a distant wiring closet can report that a fault has developed on one of its interfaces or can have its operation remotely reconfigured, providing early alerting to the source of some otherwise obscure problem or removing the need for a technician to locate the device and reconfigure it in situ.

The number, range and extent of flaws discovered in OUSPG's testing defies summarizing here. As nearly all network device manufacturers have produced at least one SNMP-capable device at some time, network administrators are advised to first compile a list of all hardware and software that connects to their TCP/IP networks, then check the CERT advisory, where many manufacturers known to have some affected devices or OSes briefly list the situation for their products. If a device you have is not listed in the CERT advisory, check with its manufacturer or distributor. If a vulnerable device is attached to a public or other untrusted network, disabling SNMP on that device as quickly as possible (unless it can be patched) is probably advisable. Don't overlook less obvious devices such as print servers -- this problem is not limited to just large items such as hardware firewalls, routers and server OSes.

Of course, if existing firewall rules do not block external access to internal SNMP devices, that policy should be re-assessed and corrected with great haste. To firewall SNMP, block traffic to TCP and UDP ports 161 and 162, and if you are using Cisco products also block UDP port 1993. This last point raises another issue -- it is not uncommon for SNMP to be used on other than the standard ports, so check the documentation of all your network devices and OSes carefully (again, the general advice that you should design your firewall rules starting from a 'deny all' position and then enable only the bare minimum of known and absolutely necessary additional services provides a good payoff if you have already followed this approach).
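The inventory step above, together with the check for SNMP listening on non-standard ports, as an added example in Python that is not part of this newsletter, of OUSPG's test suite or of the CERT advisory. It encodes one SNMPv1 GetRequest for sysDescr.0 by hand, sends it to each host named on the command line over UDP 161 and 1993, and parses the reply with a bounds check on every length field (the kind of malformed encoding OUSPG's test cases exercise against real agents). The community string 'public', the port pair and the reply used for the offline check are assumptions for illustration; run it only against networks you are responsible for.

```python
"""SNMPv1 inventory probe: an added example, not code from the newsletter, OUSPG or CERT.
Hand-rolled BER for one GetRequest (sysDescr.0), a length-checked parser for the reply, and a
UDP probe of ports 161 and 1993; community "public", the ports and the test reply are assumed."""
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 identifies the device that answered

def ber_len(n):
    """BER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """INTEGER in two's complement; one byte for 0..127, which covers ids and status fields."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: the first two arcs share one byte, the rest are base-128 big-endian."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def build_message(pdu_tag, community, oid, value, request_id=1):
    """SNMPv1 Message ::= SEQUENCE { version 0, community OCTET STRING, PDU [pdu_tag] }
    carrying one varbind; pdu_tag 0xA0 is GetRequest, 0xA2 is GetResponse."""
    varbind = tlv(0x30, ber_oid(oid) + value)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def parse_tlv(buf, pos=0):
    """Read one TLV at pos, checking every length against the buffer before trusting it."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(msg):
    """Return community, error-status and the first varbind of an SNMPv1 GetResponse."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = parse_tlv(body)
    _, community, pos = parse_tlv(body, pos)
    pdu_tag, pdu, _ = parse_tlv(body, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _request_id, pos = parse_tlv(pdu)
    _, err, pos = parse_tlv(pdu, pos)
    _, _error_index, pos = parse_tlv(pdu, pos)
    _, vb_list, _ = parse_tlv(pdu, pos)
    _, vb, _ = parse_tlv(vb_list)
    _, oid, pos = parse_tlv(vb)
    vtag, val, _ = parse_tlv(vb, pos)
    return {"community": community.decode("ascii", "replace"),
            "error_status": int.from_bytes(err, "big", signed=True),
            "oid": decode_oid(oid),
            "value": val.decode("utf-8", "replace") if vtag == 0x04 else val.hex()}

def probe(host, port=161, community="public", timeout=2.0):   # one GetRequest; None if no answer
    request = build_message(0xA0, community, SYS_DESCR, tlv(0x05, b""))   # NULL value placeholder
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_get_response(data)

if __name__ == "__main__":                      # python snmp_inventory.py host [host ...]
    for host in sys.argv[1:]:
        for port in (161, 1993):                # standard port, then the Cisco alternative
            if (reply := probe(host, port)) is not None:
                print(f"{host}:{port} answers SNMPv1 as '{reply['community']}': {reply['value']}")
```

Two caveats when reading the output: no reply does not prove SNMP is off on a device (the community string may differ or an ACL may be dropping the probe), and a reply only tells you the device speaks SNMPv1, not whether its implementation is one of those OUSPG found faulty. For that you still need the vendor's statement in the CERT advisory. The probe sends only a well-formed request; it is an inventory aid, not a vulnerability test.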

A real problem for some will be that some external-facing SNMP interfaces may not be under your control. Some network connectivity providers insist on maintaining their side of the outermost network devices, and their policies may include SNMP management of these devices. This can leave SNMP interfaces on equipment in your network enabled and facing the Internet. If you face such a setup, about all you can do is hope your service providers are as conscientious about patching their vulnerable systems as you are and, if not, pray these 'outside' devices are not vulnerable...

As a final note, although Microsoft has stated that no Windows OSes install and enable the available SNMP services under default Microsoft installations, many OEM installations of these OSes do install and enable SNMP. For example, it is common for Compaq machines to have SNMP enabled as it is used by Compaq's Insight Manager, and the OEM Windows installations of several other large PC manufacturers similarly include SNMP, at least in their server builds.

OUSPG report

CERT/CC advisory

* Beginner security advice for home and small business users

Although squarely aimed at (US) Americans -- 'Securing your personal computer plays a crucial role in protecting our nation's Internet infrastructure. It’s the responsibility of every American to ensure that these cyber security needs are met' -- a recently opened web site may be a useful resource for absolute beginner computer and Internet users. Much of the advice is pretty light-weight by the standards of those this newsletter is targeted at, but as the old saying goes, everyone was a beginner once.

Some aspects of the site clearly need some work. For example, although the main site is usable under 'paranoid' web browser settings (read 'scripting disabled'), the self test page depends on scripting for the final form submission and score calculation. Given that by far the bulk of Internet users will be using Internet Explorer and that by far the most worrying of IE security bugs revolve around scripting issues, it seems inappropriate for a security advice site to require the use of a scripting-enabled browser. Further shortcomings, again from the self test, are the rather loose and ambiguous nature of some of the questions, or at least the options for their answers. Replying as honestly as possible within those limits, your newsletter compiler only obtained a 'middling' score. After enabling scripting on the self test page and submitting his replies, he was informed:

You are fairly security-conscious, but you still need to do more!

Based on the results of your answers, you have a basic knowledge of how to stay safe online. However, there is more that you could be doing to keep your computer, and our nation's computers, out of harm's way. You may know the Security Tips, but do you follow them all? How about being extra vigilant when it comes to all the pieces of the puzzle? And spread the word about being cyber secure!

Still, if the neighbours, relatives or new staff member in Accounts ask for security advice for their new PC, you could do worse than point them to this site as a starting point.

Stay Safe Online site
