Office X and Exchange fixes, multiple updates from Oracle, Domino DOS fix

* Office v.X for Mac denial of service
* Update fixes over-generous registry permissions in Exchange 2000
* Cross site scripting bug in .NET fixed in release version
* Sample scripts strike again -- Microsoft SiteServer
* Patches/workarounds for Multiple Oracle security flaws
* Securing an Oracle application server
* Upgrade fixes Lotus Domino denial of service via DOS device names


Another very quiet week on the virus front means we have nothing of import to report in this issue.

This is compensated for (hmmmm...) on the security side, with a couple of low priority Microsoft security updates and some more important Microsoft security items for which there are no patches, but which serve instead as reminders of the importance of applying best practices to everything we do. Also, a few weeks back we warned that David Litchfield had a raft of Oracle security flaws waiting for Oracle to release patches. Well, the patches are ready, so information about the vulnerabilities has been released. Oracle 8 users should note that one of these flaws affects them as well as 9iAS. Finally, a rather serious denial of service potential has been patched in the 5.0.9a release of Lotus Domino.

Virus News:

All quiet on the virus front?

Again, nothing happened this week that is sufficiently worthy of reporting in this section of the newsletter. This does not, of course, mean that nothing is happening in the virus world. For example, the newsletter compiler runs a bogus 'web server' on his machine which records all attempts to 'talk' with it. Such conversations are inherently odd as this machine is not a web server and its network address is never advertised anywhere or linked anywhere as being a web server -- it just sits quietly in its corner of the world (usually Christchurch, but right now Surfer's Paradise) and takes note of everyone trying to connect to it, logging everything sent to it. It is still logging a phenomenal number of IIS directory traversal attempts that match those hard-coded into the many Nimda variants and the occasional CodeRed IIS buffer overflow probe.
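The kind of classification a listener like the one described above has to do, as an added example that is not the newsletter compiler's own honeypot code: it canonicalises request paths the way the vulnerable IIS servers did (repeated percent-decoding, overlong UTF-8 separators, backslashes) and then flags Nimda-style traversal-to-cmd.exe requests and CodeRed-style default.ida requests. The access log lines are constructed in Common Log Format with RFC 5737 test addresses; they are not real captures, and the table of IIS separator encodings is deliberately short.

```python
"""Flag Nimda-style IIS directory-traversal probes and CodeRed-style
default.ida requests in web server access logs.

Added example, not the newsletter compiler's honeypot code. The log
lines are constructed (Common Log Format, RFC 5737 test addresses) to
resemble the probe patterns the article mentions.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access log: three probes and two ordinary requests.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2002:03:14:07 +1300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
192.0.2.10 - - [10/Feb/2002:03:14:08 +1300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
192.0.2.11 - - [10/Feb/2002:03:20:41 +1300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 302
198.51.100.7 - - [10/Feb/2002:04:01:12 +1300] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [10/Feb/2002:04:01:13 +1300] "GET /images/logo.gif HTTP/1.1" 200 5120
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Byte sequences IIS of the day decoded as '/' or '\' although they are not
# valid UTF-8 (overlong forms plus the broken %c1%1c variant). Not exhaustive.
OVERLONG_SEPARATORS = (b"\xc0\xaf", b"\xc1\x9c", b"\xc1\x1c", b"\xc0\x2f", b"\xe0\x80\xaf")


def canonical_path(path: str) -> str:
    """Bring a request path to a single '/'-separated, lower-case form.

    Percent-decoding is repeated (bounded) so double-encoded '%255c' ends
    up as a separator, just as it did on the vulnerable server; overlong
    UTF-8 separators and backslashes are mapped to '/'.
    """
    raw = path.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for seq in OVERLONG_SEPARATORS:
        raw = raw.replace(seq, b"/")
    raw = raw.replace(b"\\", b"/")
    return raw.decode("latin-1").lower()


TRAVERSAL_RE = re.compile(r"/\.\./")
CMD_RE = re.compile(r"/cmd\.exe(\?|$)")
CODERED_RE = re.compile(r"^/default\.ida\?")


def classify(path: str):
    """Return a label for a probe, or None for an ordinary request."""
    canon = canonical_path(path)
    if CODERED_RE.search(canon):
        return "codered-probe"
    if TRAVERSAL_RE.search(canon) and CMD_RE.search(canon):
        return "iis-traversal"
    return None


def scan(log_text: str):
    """Return (ip, label, original path) for every flagged request line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["path"])
        if label:
            hits.append((m["ip"], label, m["path"]))
    return hits


if __name__ == "__main__":
    for ip, label, path in scan(SAMPLE_LOG):
        print(f"{ip:15} {label:14} {path}")
```

Matching on the canonical form rather than on the raw encoded string is the point: a signature written against one spelling of the separator misses the next variant, whereas decoding first means the same two rules cover all of them.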

I suspect that few corporate e-mail administrators would say things were 'dead quiet' either. In the last week, again if your newsletter compiler's experience is anything to go by, several BadTrans.B and Nimda samples have arrived 'naturally' in my private e-mail, as have a couple of Klez.E samples. And even Hybris made its first showing in many, many weeks. I guess the 'scourge of news' is that reporting such ongoing events doesn't really count, and as there is nothing 'new' worth mentioning, our readers will just have to move on to the security section, where news of several important patches awaits!

Security News:

Office v.X for Mac denial of service

The Network Product Identification Checker component in Office v.X for Mac OS X is vulnerable to a network-based denial of service. Certain malformed packets cause the network PID checker to crash, and in doing so, the first-loaded Office application that is still running will also crash. Any unsaved data in the application at the time of the crash will be lost, but any other Office applications still running and launched subsequent to the launch of the application that crashes will continue running as normal.

Microsoft rates this vulnerability as being of low severity and only on client systems (as best practice suggests typical end-user applications such as office productivity programs should not be installed and run on


Microsoft security bulletin - MS02-002


Update fixes over-generous registry permissions in Exchange 2000

The Exchange 2000 System Attendant inappropriately grants the Everyone group permissions on the 'WinReg' key in the registry. This grants members of the Everyone group the ability to connect remotely to the registry on the Exchange servers managed with System Attendant. Further access to the contents of the server's registry should be controlled by appropriate ACLs, but simply allowing a user who should not have such access to connect remotely to a server's registry is cause enough for concern.

Microsoft rates this issue as being of low severity for typical Internet and intranet servers, and clearly it is of no consequence to workstations. Microsoft points out that best practice for firewall policies should prevent remote exploitation, because NetBIOS or Direct Host port access is required for remote registry services and these should be blocked at the firewall. Further, good system administration practices should mean that intranet users who do connect to a server through this flaw should not be able to gain any information they should not have access to, nor should they be able to alter anything, as the affected key simply enables remote connection and does not grant any additional rights to someone who does connect.

Note that versions earlier than Exchange 5.5 (which is not vulnerable) were not tested under Microsoft's usual 'current and previous versions' rule, so administrators of systems running earlier Exchange versions are advised to check the ACL on the WinReg key in their systems.

Microsoft security bulletin - MS02-003


Cross site scripting bug in .NET fixed in release version

Although not posted at its security site, Microsoft claims (in an e-mail message posted to the bugtraq security mailing list) that a recently discussed cross site scripting bug in .NET is fixed in the release version of the .NET Framework. Of course, this raises the issue of whether developers and early adopters should even be deploying such a large, complex and _new_ software system as .NET to production servers or otherwise on the Internet when the software was still in clearly marked beta and testing iterations. .NET developers can download the release version of the framework from the MSDN site and definitely should do so before deploying anything based on .NET.


Sample scripts strike again -- Microsoft SiteServer

Tristan Brotherton of Fluidjuice Digital has discovered that the 'viewcode.asp' script, included in Microsoft's SiteServer sample files and installed by default, allows anyone with access to the SiteServer box to read the source of any server-side script. It is a long-standing security axiom that one should not install anything that is not absolutely imperative to the correct running of the intended service, and this is partly reflected in the modern advice 'do not install sample files on production systems'. Surprised that a script such as this was installed by default, Tristan went searching around Microsoft's own web servers and found several that were exploitable via the existence of this sample script, presumably left there after a default installation. Tristan recommends, in line with much good security advice from many others over the years, that if you use SiteServer, you should delete the sample sites that were probably installed with it and which include this rather unpleasant script.

Tristan's article in the NTBugtraq archives


Patches/workarounds for Multiple Oracle security flaws

As reported a couple of weeks ago, security researcher David Litchfield of Next Generation Security Software has uncovered a number of serious security vulnerabilities in Oracle 9iAS. Oracle released patches for a couple of these vulnerabilities early in January and has now released further patches as it tests and repairs the vulnerabilities. Several of these flaws are rated as high severity by Litchfield, as they allow remote arbitrary code execution and the like. The PL/SQL vulnerability (described in the first advisory linked below) also affects Oracle 8, and patches are available for that too. Most of these vulnerabilities exist on all OS platforms supported by Oracle.

Next Generation security advisories

Security advisory - Oracle Remote Compromise

Security advisory - Oracle PL/SQL Apache Module

Security advisory - OracleJSP

Oracle patches - OracleMetaLink


Securing an Oracle application server

David Litchfield of Next Generation Security Software, discoverer of several recently found security flaws in Oracle database products, has written a white paper titled 'Hackproofing Oracle Application Server'. This paper covers areas of security vulnerability and explains what Oracle administrators should do to improve the security of their machines. The white paper, in PDF format, is available for free download from the NGSSoftware site, linked below.

Next Generation security white paper - Hackproofing Oracle Application Server (PDF format)


Upgrade fixes Lotus Domino denial of service via DOS device names

Security researcher Peter Grundl has discovered two trivial invalid URL request scenarios that crash Domino servers hosted on Windows servers. Both exploits depend on the fact that Domino apparently does not correctly parse DOS device pseudo-filenames from some URLs, and an attempt to access a file with a name such as CON, NUL or LPT1 can lock the process handling that request. Thus, 400 such requests will quickly exhaust Domino's default maximum working set of 400 threads. (In fact, fewer such 'invalid' requests may be required if the server runs out of memory before reaching the 400 thread limit.)
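The input check a web server on Windows needs in front of any file open, as an added example that is not Lotus code: a path component that resolves to a DOS device name is rejected before the server ever touches the filesystem, so no worker thread is spent on it. It handles the spellings Win32 name resolution treats as equivalent (case, an added extension such as CON.txt, a trailing colon, trailing dots and spaces) and percent-decodes once so an encoded name is caught too. The request paths in the test are constructed.

```python
"""Reject request paths that name a DOS/Windows reserved device.

Added example, not Lotus code. It models the check a web server running
on Windows should apply before any file open: a path component such as
CON, NUL or LPT1 names a device rather than a file, and the article
describes how a request for such a name can tie up a Domino worker
thread. Sample URLs used with it are constructed.
"""
import re
from urllib.parse import unquote

# Reserved device names on Windows. COM0 and LPT0 are not reserved.
RESERVED = ({"con", "prn", "aux", "nul"}
            | {f"com{i}" for i in range(1, 10)}
            | {f"lpt{i}" for i in range(1, 10)})


def is_reserved_segment(segment: str) -> bool:
    """True if one path component would be resolved to a device.

    Win32 name resolution ignores case, ignores any extension ('CON.txt'),
    accepts a trailing colon ('NUL:'), and strips trailing spaces and dots,
    so all of those spellings must be caught, not only the bare name.
    """
    name = segment.rstrip(" .")
    name = name.split(":", 1)[0]
    base = name.split(".", 1)[0]
    return base.rstrip(" ").lower() in RESERVED


def first_reserved_segment(url_path: str):
    """Drop the query string, percent-decode once, split on '/' and '\\',
    and return the first device-name component, or None if the path is clean."""
    path_only = url_path.split("?", 1)[0]
    decoded = unquote(path_only)
    for seg in re.split(r"[\\/]", decoded):
        if is_reserved_segment(seg):
            return seg
    return None


def handle_request(url_path: str) -> int:
    """Front-door policy: 400 for device names, 200 otherwise.
    A real server would only then go on to the filesystem."""
    return 400 if first_reserved_segment(url_path) is not None else 200


if __name__ == "__main__":
    for p in ("/index.html", "/webmail/CON", "/icons/lpt1.gif", "/a/%4e%55%4c:"):
        print(f"{handle_request(p)}  {p}  ({first_reserved_segment(p)})")
```

Python's pathlib offers PureWindowsPath(...).is_reserved() for the same question, but it does not percent-decode, so applying it to a raw URL would miss the encoded form. The name check is only the first layer; a per-request timeout on file opens limits the damage from any device name the table does not list.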

Lotus has released an updater to take Domino to v5.0.9a to fix these issues. The issue is 'described' (not!) at the SPR page for this issue, JCHN4UMKLA, linked below.

Lotus SPR description

Lotus v5.0.9a download page
