Aliz comes alive, MSSQL worm, Windows Media player patches, ActivePerl update

Is it Aliz?; Microsoft SQL worm; Virus numbers dwindle, but impact increases; Critical Windows Media Player updates; Update fixes ActivePerl buffer overflow; and more...

An old e-mail worm resurfaced this week and, rather surprisingly, started spreading. Win32/Aliz has been detected by most virus scanners since sometime in July this year, so it was quite unusual to see it start to spread in the middle of November. Also, Microsoft SQL database server administrators who have Internet-accessible servers should check the preliminary story about a possible new worm that targets poorly configured Microsoft SQL servers.

Speaking of Microsoft, only one security bulletin from it this week -- a critical update to Windows Media Player. Of interest to some IIS administrators, the popular ActivePerl scripting language has been updated to correct a remotely exploitable buffer overflow. IIS administrators may also be interested in potentially 'incorrect' logging of server activity -- several such flaws affecting IIS, Terminal Services and CITRIX MetaFrame have been discussed this week. And we close the newsletter this week with further evidence of lax wireless LAN security and an interesting article about the possible legal consequences of not properly securing your IT infrastructure.

Virus News

Is it Aliz?

There has been a little excitement over Win32/Aliz this week. Small but consistent numbers were being reported earlier in the week, but these numbers have picked up in the last couple of days. Aliz is a small executable mass mailer that obtains victim addresses from the Windows Address Book. It then sends copies of itself as an attachment to e-mail messages it sends via an SMTP mail server configured in the Internet Account Manager.

The messages have Subject: lines composed by combining randomly chosen words and phrases from several lists inside the virus, but the attachment is always named 'whatever.exe'. Aliz was discovered several months ago and most virus scanners have been able to detect it since late July, so it is unusual that it has suddenly taken off as it has.

Various antivirus developer descriptions: ca.com, f-secure.com, vil.nai.com, sophos.com, sarc.com

Microsoft SQL worm

Dubbed by some as 'Voyager Alpha Force', a new hacking tool targeting Microsoft SQL database servers has been discovered. The tool searches for Internet-facing Microsoft SQL servers that are in a default installation state, without the recommended 'hardening' applied to them. Specifically, the tool exploits the fact that following a default installation of Microsoft SQL, the database system administrator user, 'sa', has a blank password. Systems installed following best practice recommendations would, of course, change that password and normally also configure a network firewall to prevent access to the database server's management port, 1433.

Initial reports of how 'Voyager Alpha Force' works are unclear as to whether it is a worm, automatically seeking out and infesting new targets, or whether it is manually targeted and installed. The payload, though, is described as a new version of the DDoS tool 'Kaiten' and is 'manually' controlled via IRC messaging (although that could be semi-automated via scripting).

- News article
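The 'hardening' the story refers to boils down to two things: give 'sa' a real password and keep port 1433 off the Internet. The following T-SQL script is an added example for checking and fixing the first of these on a SQL Server 2000 instance; it is not from the newsletter, from Microsoft, or from any of the linked sources. It assumes you run it as a sysadmin with Query Analyzer or osql, that master..syslogins exposes the hash column as 'password' (as it does on SQL Server 2000), and that a blank password shows up either as a NULL hash or as one that PWDCOMPARE matches against the empty string. The password value is a placeholder to be replaced before running.

```sql
-- Added example (not from the newsletter or any vendor): audit SQL Server 2000
-- for logins with a blank password, then set a password on 'sa'.
-- Assumes: sysadmin rights; master..syslogins.password holds the hash on SQL 2000;
-- a blank password is stored as NULL or as a hash PWDCOMPARE('', ...) matches.
USE master
GO

-- 1. Audit: list every SQL login (isntname = 0 excludes Windows-integrated accounts)
--    whose password is blank. 'sa' appearing here is the default-install state the
--    tool described above looks for.
SELECT name
FROM master..syslogins
WHERE isntname = 0
  AND (password IS NULL OR PWDCOMPARE('', password) = 1)
GO

-- 2. Remediate: give 'sa' a password. @old is NULL because there is none yet.
--    REPLACE_WITH_STRONG_PASSWORD is a placeholder, not a suggested value.
EXEC sp_password @old = NULL, @new = 'REPLACE_WITH_STRONG_PASSWORD', @loginame = 'sa'
GO

-- 3. Verify: the audit condition should no longer hold for 'sa'.
IF EXISTS (SELECT 1 FROM master..syslogins
           WHERE name = 'sa'
             AND (password IS NULL OR PWDCOMPARE('', password) = 1))
    PRINT 'sa still has a blank password'
ELSE
    PRINT 'sa password is set'
GO
```

Step 1 is worth running on its own as a periodic check, since 'sa' is not the only login that can end up with an empty password. On later releases the same audit is `SELECT name FROM sys.sql_logins WHERE PWDCOMPARE('', password_hash) = 1`. Blocking TCP 1433 (and UDP 1434 for the resolution service) at the network firewall is a separate step that no T-SQL can do for you.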

Virus numbers dwindle, but impact increases

An antivirus product developer spelt out the apparent recent trends in virus developments and suggested PDAs were likely the next big target, and thus area of concern for corporate IT security staff.

- News article

Security News

Critical Windows Media Player updates

Microsoft has released a cumulative patch for Windows Media Player (WMP) v6.4 that patches all previously known security issues with WMP v6.4, some additional issues Microsoft discovered during its own testing and code review, _and_ a new remote code execution flaw. This new flaw results from an unchecked buffer that can be overflowed by having WMP play a suitably malformed .ASF (Advanced Streaming Format) media file.

Although this update sounds as if it is WMP v6.4-specific, Microsoft recommends that users of WMP v7.0 and v7.1 also obtain and install it, as the later versions of WMP include some of the v6.4 components for backwards compatibility reasons. To further confuse the issue, even though Media Player for Windows XP includes WMP v6.4 components (for -- you guessed it -- backwards compatibility reasons), XP users are recommended to obtain and install the 25 October 2001 Critical Update for Windows XP instead.

Microsoft's severity rating for these patches is 'critical' on all platforms.

- Microsoft security bulletin

Update fixes ActivePerl buffer overflow

Windows versions of ActiveState ActivePerl earlier than v5.6.1.630 are vulnerable to a remotely exploitable buffer overflow. Discovered by NSFOCUS security researchers, this vulnerability potentially allows remote execution of arbitrary code. This affects both IIS 4.0 and 5.0 servers and was fixed in the recently released build 630.

- ActivePerl download site

- NSFOCUS security advisory

Microsoft log file flaws

In the last week or so, several issues have been discovered with Microsoft products not properly logging what they should. Given that log files are increasingly likely to be used as evidence in disciplinary and legal proceedings, it is important to understand these issues and be sure not to be affected by them or, worse, fooled into misinterpreting what you find in your own logs. To this end, it is recommended that IIS, Terminal Services and CITRIX MetaFrame administrators read the original descriptions of these issues, linked below.

Archived mailing list messages: ntbugtraq.com 1 | 2 and securityfocus.com

Multiple JS vulnerabilities in Opera

Opera, many people's favourite non-Microsoft web browser due to its small size and reputed speed and security, has been found to suffer several security flaws in its JavaScript implementation. Discovered by Georgi Guninski, these flaws allow access to URLs in the browser's history list and cache, cookies from other domains and similar 'information leakage' problems. Although none of these problems is as serious as a remotely exploitable buffer overflow or an error in attributing a page to a security zone, the maintenance of information privacy is of increasing concern to many computer users, and similar problems in IE and Navigator have been quickly corrected in the past.

At 'press' time, no mention of these problems, nor of what Opera Software plans to do about them, could be found on Opera's web site. A workaround that may prevent all of the vulnerabilities is described in Guninski's security advisory.

- Guninski's security advisory

Lessons of wireless LAN insecurity not learned in London

Cryptography vendor RSA recently commissioned a survey of the vulnerability of wireless LANs in London's financial district to 'driveby hacking'. The results suggest, once again, that the convenience of the LANs' owners, rather than the exercise of due care over the data they are charged with protecting, is the driving force behind the majority of WLAN installations. (Perhaps some of the firms uncovered by RSA should consider the implications of the next article?)

- News article

Good article covering legal risks of lax IT security

The article from CIO magazine, linked below, introduces many of the legal liability issues facing companies that do not pay enough attention to system security. Admittedly, the article is oriented to the US situation and legal system, but the broad principles are likely to be much the same here.

- CIO magazine article
