IDGNet Virus & Security Watch Friday 1 February 2002

NT/Win2K domain controller patch, Netscape, CatchUp, VAIO, RealPlayer patches


The first Microsoft security bulletin issued in 2002 has hit the

streets. It documents a rather esoteric flaw in NT 4.0 and Windows 2000

domain controller security authorization processes between domains

involved in a trust relationship. Regardless of whether the patch for

that flaw is necessary though, the update linked in that bulletin may be

of interest to NT 4.0 and/or Windows 2000 administrators because it is

not just a patch for that problem but the next security roll-up for

the two OSes.

Netscape 6.x and Mozilla users should be patching a serious privacy hole

in their browser's cookie handling and CNet's CatchUp users and

RealNetwork's RealPlayer and RealOne Player users should have been

alerted to the availability of product updates that fix security

problems in the respective products. Although I do not usually post

security warnings about hardware products, the Sony VAIO range affected

by a newly discovered vulnerability is probably widely enough used in

New Zealand to justify a mention _and_ few of these users are likely to

be on any sort of sort contract with the vendor that would have seen

them alerted to the need for the upgrade.

On the virus front, the week's big (and almost only) story was the

Win32/MyParty.A@mm mass mailer. And, for light relief there is a story

about Internet-enabled kitchen appliances and a news article that shows

not everyone is blind to the risks of Wi-Fi after all...




No -- not a soft porn scam, but the latest 'successful', albeit

short-lived, mass mailing virus to make the rounds. Monday and Tuesday

this week saw significant distribution of this Windows executable virus

-- e-mail ASP MessageLabs intercepted over 13,000 copies within 24 hours

of the virus first being isolated.

The main thing Win32/MyParty.A@mm had going for it was a social

engineering trick. Although already used unsuccessfully about a year

ago, this trick clicked this week, with many e-mail users being fooled

into thinking the program file named '' attached to

the virus' e-mail messages was a actually a URL shortcut to a web site.

Of course, the Subject: line of 'new photos from my party!' and the

accompanying message suggesting the party was 'absolutely amazing!' and

that the sender had 'attached my web page with new photos!' were likely

to enhance the misperception. (Readers accustomed to spying hoaxes

should have their 'too many exclamation marks' sensors tingling by now!)

Users so fooled double-clicked the attachment and ran the program. The

virus promptly copied itself to their hard drives and started mailing

itself to addresses culled from the Windows Address Book and from .DBX

files (normally Outlook Express e-mail and news message folders) found

on the host machine. MyParty was short-lived though; even more so than

most mass mailers. Before running its mass mailing routine, MyParty

checks the system date and only continues if it is between the 25th and

29th of January 2002. Obviously, we are seeing few new reports of this

virus now. Users of NT, Windows 2000 & XP who run the virus also face

another issue -- on these NT-based OSes MyParty drops and installs a

remote access Trojan (RAT) which potentially opens the machine to

further indignities from across the network. Unlike the viral component,

this RAT is not date-constrained once the virus has installed it.

Various antivirus developer descriptions:


So this item's title is a little whimsical, but the much vaunted

'Internet-connected kitchen' may be closer than you think. The UK

technology watchers at The Register spotted this report of Matsushita

and Toshiba, among others, teaming up to 'offer internet access services

to next-generation home appliances'.

If our kitchen appliances get computer viruses, will we get sick as a

result? Imagine destructive payloads that start your microwave oven when

there is no food in it, set your freezer to 'defrost' during your annual

holidays, have your toaster taking part in denial of service attacks

against major web sites or run your espresso machine as an open SMTP

relay for spammers...

New article:




System administrators with NT 4.0 and/or Windows 2000 domain controllers

that participate in trust relationships with other such servers should

carefully read the linked Microsoft security bulletin. The weakness

fixed by these newly released updates requires a quite daunting set of

pre-conditions -- even for a determined attacker -- including domain

administration privileges and probably advanced system programming, so

probably does not pose much risk in many real-world situations.

You may think that an attack that requires domain administrator

privileges cannot constitute a vulnerability; after all, if attackers

have domain admin rights they can do anything, right? Well, they should

only be able to do anything _in the domain they have administrative

rights over_. This flaw allows skilled attackers with domain admin

rights in one domain to arbitrarily promote themselves to domain

administrator equivalent in any other domain with a trust relationship

with the attacker's domain, and that is the flaw.

Although Microsoft rates this a moderate level threat for intranet

servers, it is important for all system administrators considering

deploying the patch for this vulnerability to carefully read the

security bulletin. Specific things to note are that just installing the

patch does not enable the new feature -- SID filtering -- Microsoft has

introduced to correct this vulnerability, and that choosing to enable

SID filtering will break an important backwards compatibility feature

that eases NT 4.0/Windows 2000 migration and can, depending on the

complexity of your network, have other undesirable side-effects. As well

as reading the security bulletin, administrators who think they may be

affected by this should read the white paper and KnowledgeBase article

referenced in the security bulletin.

Microsoft security bulletin:


As part of its commitment to easing the installation of all security

fixes for its major applications and OSes, mid last year Microsoft

committed to releasing quarterly security roll-ups for its OSes, whereby

all security patches since the previous service pack would be made

available in one easy to install package. So, even if you are a system

administrator on NT 4.0 and/or Windows 2000 systems and the trusted

domain authorization vulnerability discussed above does not affect you,

you should consider downloading the update from the MS02-001 security

bulletin anyway, because the patch for that vulnerability is the latest

security roll-up for NT 4.0 and Windows 2000.

Microsoft security bulletin:


Security researcher Marc Slemko discovered a flaw in the Netscape and

Mozilla browsers' cookie handling that allows easy access to cookies

from arbitrary domains other than that hosting the current page. Given

many web sites use cookies to cache identifying information about those

browsing the site, this bug in turn provides opportunities for

impersonation through identity theft. The Netscape 6.2.1 and Mozilla

0.9.7 releases fix this bug and users of either browser are strongly

advised to update to those versions.

Note that this flaw, and therefore the necessity of obtaining the update

applies to all OS versions of the two browsers.

Slemko's security advisory:

Mozilla and Netscape download pages:


Although not explicitly mentioned at CNet's CatchUp site, the newly

released CatchUp v1.31 fixes a security hole in earlier versions of the

software according to the CatchUp Dispatch newsletter released on 23

January 2002. CatchUp is a third-party software and driver update and

patch checking program based on the popular software download site's own

update and software version tracking. It monitors itself for updates and

should have suggested updating itself, so affected users who accepted

that recommendation will be patched.

CNet has not released a detailed description of the security problem.

About all that is known is what was said in the CatchUp Dispatch

newsletter 'CNET recently discovered a security vulnerability in its

CatchUp software that could allow a malicious person to launch CatchUp

and execute arbitrary code on a user's system. The vulnerability affects

all previous versions of CatchUp. Updating to CatchUp 1.31 will resolve

the issue. Existing users who choose not to update can change their user

settings to protect against unauthorized launches of CatchUp. To change

the launch settings, click the Abort button, followed by the Options

button, when CatchUp launches. By unchecking the "Start Scan of Execute"

option, users will be required to click the Start Scan button before any

scan proceeds.'

News article:

CNet CatchUp download page:


Software preinstalled on some models of Sony VAIO PCs sold into the

Asian, Pacific and Middle Eastern markets since May 2001 have been found

to contain a remotely exploitable security vulnerability. Details of the

vulnerability are very sketchy, but Sony has said that malicious

exploitation of this flaw could allow 'access to these VAIO Personal

Computers through hidden programs in an Internet web page or Email

message'. This suggests to your newsletter compiler that an ActiveX

control installed by Sony is improperly flagged as 'safe for scripting'

and thus can be called from an HTML page viewed in Internet Explorer's

Internet zone (which, by default, loads and runs 'safe for scripting'

ActiveX controls without warning or prompting the user).

Similar flaws have been found in the past in controls installed by HP

and Compaq to ease their the workload on their tech-support staff and a

similar flaw in a Microsoft ActiveX control allowed the creation and

extensive distribution of the phenomenally 'successful' JS/Kak virus.

All Sony VAIO users who bought their machines in New Zealand since

November 2001, or who have purchased VAIOs elsewhere since May 2001 are

advised to check the Sony security announcement page for a list of

affected models and download links for the update, should their machines

be vulnerable.

Sony security announcement:


RealNetworks has released updates for most current versions of

RealPlayer and RealOne Player that have been found to be vulnerable to a

remotely exploitable buffer overflow which may allow execution of

arbitrary code. This flaw is present in versions of the software across

the OS platforms supported by RealNetworks. Older versions of the

software have not been updated and users of those versions are advised

to update to the latest RealPlayer v8.x or RealOne Player releases for

their platform.

Technical details are available in Tim Morgan's security advisory and

RealNetworks' FAQ on the issue details the vulnerable versions and

upgrade options for obtaining the fix. Affected current RealNetworks

products that have AutoUpdate features should already have pulled the

fix for this vulnerability from RealNetworks.

Security advisory:



The linked article from USA Today details some high-profile sites

official doubts about the advisability of using Wi-Fi where critical

data or mission critical systems may be within reach of those connecting

via the wireless link.

News article:

Join the newsletter!

Error: Please check your email address.

More about CNET NetworksCompaqHPMatsushitaMessageLabsMicrosoftMorganMozillaRealNetworksSonyToshiba

Show Comments