Nothing worth mentioning happened on the virus front this week (which may just about be newsworthy in itself!). To compensate, there are lots of system upgrades, especially for the administrators of Unix and/or Linux machines -- so many in fact, I'll leave it for you to pick the most important ones from the table of contents yourself. Windows administrators get off relatively lightly unless they happen to use ICQ, disk wiping utilities and did not make some privacy-related configuration changes suggested in a Microsoft security bulletin from early last year. Many Windows admins will, however, be interested in getting the latest update to HFNetChk.
Virus News - No news is good news?
Honestly, nothing that seems vaguely worthy of mentioning here happened this week. There were no new viruses discovered that managed to get more than a tiny handful of copies of themselves into the field. There was no seriously over-hyped media coverage of any of those non-entity viruses that were discovered and mentioned on so many antivirus developer web sites, and there were no sufficiently entertaining or informative commentary or satire pieces worthy of mention either. Desperate not to leave this section entirely devoid of links, your newsletter compiler has decided to point you to a SatireWire piece from a few weeks ago. It is only weakly virus-related, but we suspect it will strike a chord with some administrators out there...
Security News - Windows Media Player 'SuperCookie' hocus pocus...
Much heat, but little light, was spilled late last week over so-called 'SuperCookies' enabled by Windows Media Player. While your newsletter compiler is quite clearly no great fan of Microsoft's record on product security issues in general, or its security practices in the real computing world, even he has to question the motives of a 'security expert' milking extensive media coverage for 'discovering' SuperCookies when Microsoft itself warned about the issue and suggested disabling the feature back in May of last year...
For those with dimmer memories of such things, Microsoft's MS01-029 security bulletin noted 'In addition, this patch provides a solution to a potential privacy vulnerability that was recently identified ... de-selecting "Allow Internet sites to uniquely identify your player".'
We won't shame the ill-informed by quoting any news articles that failed to notice. Our newsletter readers should note that the real lesson here is to read the whole security bulletin, not just cruise to the page and look for the patch download link!
File wiping utilities do not handle NTFS properly
Security researcher Kurt Seifried has discovered that none of the currently available popular file or disk wiping utilities he tested properly handle disk space allocated to NTFS alternate data streams. The implications of this are discussed in his advisory, where a list of tested file and disk wipe utilities, and their developers' responses, can be checked by anyone using such utilities. If you currently use such a utility that is not mentioned in the advisory, a simple method of testing whether alternate data streams are properly handled is described in the advisory.
HFNetChk updated to v3.31
Microsoft has released another update to its automated security patch checking tool, HFNetChk, bringing it to v3.31. Administrators who use this tool are advised to check the KnowledgeBase article linked from the HFNetChk page.
Sambar web server DoS
Recent versions of this modestly popular web server have been shown to be vulnerable to a simple DoS through the sample cgi script testcgi.exe. Sambar's developer recommends that users remove this sample application from any production servers. As a rule, vendor supplied samples of all sorts should be removed from all production machines (i.e. ones exposed to potentially hostile networks). Several other recent, minor security issues with the Sambar server are also documented on the developer's security page.
Windows ICQ users urged to update
Versions of ICQ for Windows prior to 2001b Beta v5.18 Build #3659 are vulnerable to a buffer overflow attack that can result in the execution of arbitrary code. This is the type of vulnerability that CodeRed so successfully exploited last year, and given the size of the installed base of ICQ users, it may just be attractive enough to some attackers. Although there is no evidence of this vulnerability currently being exploited on the Internet, users of affected versions should update.
Pine URL handler bug patched
Pine, the popular text-mode mailer on Unix and Linux systems, can spawn a web browser (such as Lynx) if its URL handler options are enabled. However, v4.43 and earlier versions do not properly filter significant characters from the URL Pine passes to the shell that starts the browser, and thus could spawn commands other than the browser if a cunningly formed URL was supplied. Pine v4.44 has been released to fix this problem, and can be obtained from the download links on the Pine home page. Further, many Linux vendors who ship Pine have released, or will soon release, their own updated packages.
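The bug class described above (an untrusted URL substituted into a shell command line) is easy to reproduce and to fix, so here is an added example in Python. It is constructed for this newsletter and is not Pine's code; the `_URL_` placeholder in a browser command template, the use of `true` as a stand-in browser that ignores its arguments, and the harmless `echo INJECTED` marker are all assumptions of the example. It contrasts the vulnerable pattern with two mitigations: shell-quoting the URL when a command template must still go through `/bin/sh`, and bypassing the shell entirely by passing an argv list.

```python
"""Constructed example: URL handed to a shell-launched browser, unsafe vs. safe.

Not Pine's code. The `_URL_` placeholder, the `true` stand-in browser and the
`echo INJECTED` marker are assumptions made for this demonstration.
"""
import shlex
import subprocess

# A browser command template of the kind a mail client might let the user
# configure; `_URL_` marks where the URL is substituted (assumed convention).
BROWSER_TEMPLATE = "true _URL_"

# Constructed sample inputs: a URL carrying shell syntax, and a perfectly
# legitimate URL whose '&' and '?' would be mangled by naive character filtering.
CRAFTED_URL = "http://example.com/;echo INJECTED"
LEGIT_URL = "https://example.com/search?a=1&b=2"


def build_command_unsafe(template, url):
    """Vulnerable pattern: splice the raw URL into the command string.

    Anything the shell treats as syntax (';', '|', '`', '$(', ...) inside the
    URL becomes part of the command line the shell interprets.
    """
    return template.replace("_URL_", url)


def build_command_quoted(template, url):
    """Mitigation 1: shell-quote the URL so /bin/sh sees exactly one word.

    shlex.quote wraps the value in single quotes (escaping any embedded ones),
    which keeps legitimate '&', '?' and '=' intact while neutralising ';' etc.
    """
    return template.replace("_URL_", shlex.quote(url))


def build_argv(browser, url):
    """Mitigation 2: do not involve a shell at all.

    With an argv list, the URL is delivered to the browser as a single
    argument; no shell parsing happens, so no filtering is needed.
    """
    return [browser, url]


def run_via_shell(command):
    """Run a command string through /bin/sh and return its stdout."""
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv(argv):
    """Run an argv list directly (no shell) and return (returncode, stdout)."""
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.returncode, result.stdout


def demonstrate():
    """Return what each approach does with the crafted URL, for comparison."""
    return {
        # The shell splits at ';' and runs the echo: output is 'INJECTED\n'.
        "unsafe": run_via_shell(build_command_unsafe(BROWSER_TEMPLATE, CRAFTED_URL)),
        # Quoted, the whole URL is one argument to `true`: no extra output.
        "quoted": run_via_shell(build_command_quoted(BROWSER_TEMPLATE, CRAFTED_URL)),
        # argv form: `true` receives the URL as argv[1] and exits 0, no output.
        "argv": run_argv(build_argv("true", CRAFTED_URL)),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name:>7}: {outcome!r}")
```

Character filtering alone is a poor fix because legitimate URLs contain `&`, `?`, `=`, `;` and `'`; quoting (or avoiding the shell) preserves them while removing the injection. The argv form is the one to prefer in new code; the quoting form is what you reach for when a user-configurable command template must remain a shell string.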
EnGarde Secure Linux kernel update fixes LIDS vulnerabilities
Guardian Digital, developers of the security hardened EnGarde Linux distribution, have released a kernel update to fix several vulnerabilities in the Linux Intrusion Detection System (LIDS). LIDS is a core component in the security hardening offered in EnGarde.
EnGarde users should read the security advisory linked below and obtain the appropriate updates. Users of LIDS on other Linux distributions may be interested in TESO's security advisory describing the vulnerabilities.
NetBSD patches fix local privilege escalation vulnerability
A vulnerability allowing ptrace to gain control over setuid binaries and the ptrace process owner to abuse those elevated privileges has been patched in NetBSD. It is likely that other BSD-based distributions are similarly affected, so administrators of other BSD systems are advised to check with their vendors too. The NetBSD security advisory is rather thin on details of the exploit because other distributions were not patched when the advisory was released, but it also says that procfs can be similarly exploited, so a patch has also been made available for it.
at, cipe, groff, sudo, others -- vulnerabilities on several Unix/Linux platforms
Several popular and widely used Unix/Linux utilities have been found to contain serious locally and/or remotely exploitable vulnerabilities, allowing arbitrary code execution or privilege escalation. It is, in fact, pretty much par for the course that such holes are found from time to time, but with several popular utilities being shown to be vulnerable in such a short time, it may be the right time for Unix and Linux administrators to take stock of recent security advisories affecting all their systems and have a patching spree...
Cybersleuths at work
Some of the cybersleuthing that has led to successful outcomes in three significant cases last year is described in the ComputerWorld article linked below. Hopefully this is of further interest to some of our readers...