Welcome back and hopefully the festive season has not taken too heavy a toll on our readers...
Database administrators running either Microsoft's SQL Server or Oracle 9iAS have critical updates to apply to their machines, as both products have remotely exploitable buffer overflows. The popular Unix mailer Mutt likewise has an exploitable buffer overflow in its message header parsing, and the Unix and Windows SSL wrapper Stunnel also needs updating or patching to fix a format string bug that, at a minimum, opens the door to denial of service. Also making the news recently was another exploitable remote buffer overflow -- this one in AOL's Instant Messenger client for Windows. The 'fix' offered for this is only partial, as described in the article below.
And, since we last put one of these newsletters together, the first viruses that infect (and potentially spread via) SWF files, and that target programs created for Microsoft's much-hyped .NET platform, have been discovered. Although the first of these is technically 'the first SWF virus', the second is more a standard Win32 virus with a .NET attitude than really being a native .NET infector.
First 'dot Net' virus is really 'not yet'...
Win32/Donut is the first .NET-aware virus, but does not deserve the title of 'the first .NET virus', as it is really a fairly standard Win32 parasitic virus. It is .NET aware however, as it has been written to only infect files compiled for the .NET framework (and probably only the Beta2 version of the framework at that!). Further, it includes a snippet of 'native' .NET MSIL (Microsoft Intermediate Language) code, although this is only used to display a dialog box with a brag message from the virus' writer.
The virus' replication code is standard x86 Windows and takes advantage of the fact that EXE files built for the early test versions of the .NET framework must include some native x86 code. Even though that may only be a 5-byte stub that calls the .NET MSIL program loader, that is enough for a virus to patch a call to its own code, added to the program file during infection. Realistically, it seems very unlikely Win32/Donut will be seen in the field.
First Shockwave Flash virus no real threat
The first virus to infect and spread via Shockwave Flash (.SWF) files was discovered a few days ago. Given the rather unalluring moniker LFM.926, it is (like the 'first .NET virus' described above) a simple 'proof of concept' virus. LFM.926 rather unsurprisingly demonstrates that the Shockwave Flash scripting language, ActionScript, can be used for nefarious purposes. The virus depends on an ActionScript function that is _not_ available in the web browser 'plugin' SWF player and is only available in the standalone player and in so-called 'projector files'.
If an SWF file infected with LFM.926 is viewed in a standalone Windows player (or bound into a 'projector file' and that program is run) on Windows NT, 2000 or XP, the virus' script causes a program file named 'v.com' to be created and executed in the directory where the infected SWF is located. This program is the main viral routine, which searches the current directory for SWF files, checks whether they are already infected and, if not, attempts to recreate the script that dropped 'v.com' and insert it into them. This will fail if the SWF file is write-protected. The insertion procedure is buggy and will corrupt large SWF files so that they most likely will not play properly after infection.
As standalone SWF players are usually only found on machines used by Shockwave developers, and the virus does not work in SWF players implemented as web browser plugins (such players do not support the scripting functions used by the virus), LFM.926 and its ilk pose no real threat to typical users. However, SWF developers must now exercise more caution than they may have in the past.
Macromedia has an unusual take on the issue, suggesting SWF developers download a utility from its web site that breaks any associations between .SWF files and applications, so .SWF files cannot be launched by double-clicking them.
Several P2P programs ship spy-ware Trojan
Grokster, LimeWire and reputedly some versions of KaZaA were recently discovered to include what many have classified as a Trojan Horse program. The 'free' versions of these programs, like many other free programs these days, include various 'ad-ware' and similar programs that are expected to generate click-through revenue. One such program bundled with the aforementioned peer-to-peer file sharing clients contained more than just ad-ware though -- it was 'spying' on its users, collecting usernames and passwords, sending these back to 'home base' and it opened a backdoor to the machine running the software so it could be controlled remotely across the Internet.
Not surprisingly, there was a great deal of outrage when this was discovered (although the cynical wonder how much of that was related to the fact that a huge amount of illegal software and music trading occurs across the informal peer-to-peer networks supported by these programs). The makers of Grokster, LimeWire, etc. promptly repackaged their products without the offending spy-ware. Astute readers will note a resonance with the AIM Filter issue in the 'AOL Instant Messenger' item in the Security section, below.
SQL Server 7.0 and 2000 updates
Just before Christmas 2001, Microsoft released its final security patch for the year. Rounding out at 60 (compared with precisely 100 in 2000), it was still a busy year for Windows server and workstation system administrators.
Security bulletin MS01-060 describes two security problems in Microsoft's SQL Server 7.0 and 2000 versions (other versions may be affected, but have not been tested as per Microsoft's standard support policy). Exploiting either of these vulnerabilities is far from straightforward, and although both vulnerabilities are related to improper string handling in function returns, only one opens the possibility of a buffer overflow exploit. The severity of this first vulnerability has been rated as moderate by Microsoft and it is recommended that administrators of vulnerable servers apply the SQL Server patches appropriate to their software versions.
Microsoft claims the second bug (technically a format string vulnerability) is not exploitable to run arbitrary code and, at worst, could be exploited as a denial of service attack. Because it rates this vulnerability as low severity _and_ because the patch is actually a fix to a core C language runtime library (DLL) used by many other processes -- especially key OS functions -- Microsoft is recommending that administrators only 'consider' applying this patch. The reasoning is that, although the patch has been tested, it has not been through the complete regression testing that would be required of it before it could be included in a service pack.
AOL Instant Messenger for Windows buffer overflow
The idiosyncratically named 'w00w00 Security Development' group released a security advisory just after the New Year outlining an exploitable buffer overflow in recent Windows versions of AOL Instant Messenger (AIM). This vulnerability does not affect non-Windows versions of AIM, nor Windows versions prior to the introduction of the games request feature of the AIM protocol -- probably versions prior to 4.7.
The w00w00 advisory claimed that AOL had ignored the group's initial attempts to warn of the flaw, so w00w00 publicly released its advisory with functional exploit code to prove its point. AOL responded the next day, claiming that it fixed the flaw by modifying its servers so the overlong, 'malformed' requests necessary to exploit the vulnerability cannot be passed through the servers. This clearly fails to fix the actual vulnerability, which is still present on all Windows 4.7.x and 4.8.x beta versions of AIM and can still be exploited via direct games requests to a vulnerable machine. Such requests can only be made from the machines of people on an AIM user's 'buddy list', so the risk is mitigated somewhat.
Your newsletter compiler recommends that Windows users of vulnerable AIM versions consider rolling back to a slightly earlier version. Hopefully the next release of AIM will actually fix this vulnerability, rather than putting a Band-Aid over only part of the wound, but as AOL's public statements suggest it considers the problem solved, that may not be a safe bet.
Note: The 'AIM Filter' workaround, originally suggested by w00w00 as a solution (and now only mentioned peripherally in its revised security advisory), has been reported to contain a 'backdoor Trojan'.
AOL Instant Messenger vulnerable to hackers - Computerworld.com
Brief: AOL patches hole in Instant Messenger - Computerworld.com
Two Oracle PL/SQL vulnerabilities patched
Oracle 9iAS uses the Apache web server for its HTTP service and the PL/SQL Apache module included with it has a buffer overflow vulnerability on all supported platforms. Further, the Windows NT/2000 version of this module has a directory traversal bug that allows non-privileged users to break out of the web root via a specially-formed URL request. Both vulnerabilities were discovered by Next Generation
Oracle has confirmed both bugs and released patches for all affected systems. Earlier versions of the software may also be affected but have not been (and, Oracle says, will not be) tested. Updates are available to supported customers from Oracle's Metalink site.
Remote exploit in Mutt patched -- various Unix-like OSes
The popular Unix mail client Mutt was updated on 1 January to fix a remotely exploitable buffer overflow. v188.8.131.52 was released for users sticking with v1.2.x, and v1.3.25 was released for those wishing to go with current release versions. Mutt is widely distributed with Linux and most vendors should have updated packages available by now, if you would rather not build your own...
Update fixes format string bugs in Stunnel -- Unix, Windows
Users of Stunnel should upgrade to v3.22, or at least apply the patches that fix a serious format string bug and rebuild their current version. Some Linux vendors have updated packages; otherwise, check the Stunnel home page for new versions and code patches.
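Both the second SQL Server bug and the Stunnel bug above belong to the same class: attacker-supplied text ends up as the format argument of a printf-style call. The following is an added illustration written for this newsletter, not code from Microsoft, Stunnel or any of the advisories, showing the mistaken pattern, the constant-format fix, and a small detection helper that flags conversion directives turning up in a field that should only ever carry plain data (a mail header, a client name). The sample header value is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in a string that is supposed to be
 * plain data. "%%" is a literal percent sign, not a directive, so it is skipped.
 * A non-zero count in such a field is a cheap, defender-side signal worth logging. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: "%%" */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The bug class, shown only as a comment so it is never compiled:
 *     snprintf(out, outlen, untrusted);    // WRONG: untrusted text is the format
 * Any directives in the text are then interpreted; with no matching arguments the
 * call reads whatever happens to be on the stack, which at best crashes (DoS).
 * The fix keeps the format a constant and passes the text purely as data. */
int format_safely(char *out, size_t outlen, const char *untrusted)
{
    int written = snprintf(out, outlen, "%s", untrusted);
    /* Report truncation rather than silently emitting a partial line. */
    return (written >= 0 && (size_t)written < outlen) ? 1 : 0;
}

/* Returns 1 if the untrusted text survives the constant-format path verbatim in a
 * fixed 32-byte buffer, 0 if it was truncated. Used to show that directives in the
 * data are copied literally, not interpreted. */
int survives_roundtrip(const char *untrusted)
{
    char buf[32];
    return format_safely(buf, sizeof buf, untrusted) && strcmp(buf, untrusted) == 0;
}

int main(void)
{
    /* Constructed sample: a header value carrying format directives. */
    const char *hostile = "From: %s%s%s%n";
    char line[64];

    printf("directives found: %d\n", count_format_directives(hostile));
    if (format_safely(line, sizeof line, hostile))
        printf("logged verbatim: %s\n", line);
    return 0;
}
```

The detection helper is deliberately conservative: it does not try to parse the full directive grammar, only to notice that a percent sign not followed by another percent sign is present where none is expected, which is enough to raise an alert on a header or request field before it reaches any logging code.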