An old e-mail worm resurfaced this week and, rather surprisingly, started spreading. Win32/Aliz has been detected by most virus scanners since sometime in July this year, so it was quite unusual to see it start to spread in the middle of November. Also, Microsoft SQL database server administrators who have Internet-accessible servers should read the preliminary story about a possible new worm that targets poorly configured Microsoft SQL servers.
Speaking of Microsoft, only one security bulletin from it this week -- a critical update to Windows Media Player. Of interest to some IIS administrators, the popular ActivePerl scripting language has been updated to correct a remotely exploitable buffer overflow. IIS administrators may also be interested in potentially 'incorrect' logging of server activity -- several such flaws affecting IIS, Terminal Services and CITRIX MetaFrame have been discussed this week. And we close the newsletter this week with further evidence of lax wireless LAN security and an interesting article about the possible legal consequences of not properly securing your IT infrastructure.
Is it Aliz?
There has been a little excitement over Win32/Aliz this week. Small but consistent numbers were being reported earlier in the week, but these numbers have picked up in the last couple of days. Aliz is a small executable mass mailer that obtains victim addresses from the Windows Address Book. It then sends copies of itself as an attachment to e-mail messages it sends via an SMTP mail server configured in the Internet Account Manager.
The messages have Subject: lines composed by combining randomly chosen words and phrases from several lists inside the virus, but the attachment is always named 'whatever.exe'. Aliz was discovered several months ago and most virus scanners have been able to detect it since late July, so it is unusual that it has suddenly taken off as it has.
Microsoft SQL worm
Dubbed by some as 'Voyager Alpha Force', a new hacking tool targeting Microsoft SQL database servers has been discovered. The tool searches for Internet-facing Microsoft SQL servers that are in a default installation state, without the recommended 'hardening' applied to them. Specifically, the tool exploits the fact that following a default installation of Microsoft SQL Server, the database system administrator login, 'sa', has a blank password. Systems installed following best practice recommendations would, of course, set that password and normally also configure a network firewall to block Internet access to the database server's default listening port, TCP 1433.
Initial reports of the workings of 'Voyager Alpha Force' are unclear as to whether it is a worm, automatically seeking out and infecting new targets, or whether it is manually targeted and installed. The payload, though, is described as a new version of the DDoS tool 'Kaiten' and is 'manually' controlled via IRC messaging (although that could be semi-automated via scripting).
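The check an administrator would want to run against each SQL Server that can be reached from the Internet, as an added example (this is not code from the newsletter, from the tool's authors or from Microsoft): find logins with a blank password, set one for 'sa', and confirm the fix. It assumes SQL Server 7.0/2000, where master.dbo.syslogins stores NULL in its password column for a login with no password, and is run as a sysadmin from Query Analyzer or osql. The final query is an assumption that goes beyond the newsletter: it is the equivalent check for SQL Server 2005 and later, where the hash is only visible through sys.sql_logins and PWDCOMPARE. The password value is a placeholder to be replaced.

```sql
-- Added example, not from the newsletter: audit and fix the blank 'sa'
-- password that Voyager Alpha Force looks for. Run as a sysadmin login.

-- 1. SQL Server 7.0 / 2000: a NULL password column in syslogins means the
--    login has no password at all. Listing every such login (not only 'sa')
--    catches other accounts left in the default state as well.
SELECT name, sysadmin, createdate
FROM   master.dbo.syslogins
WHERE  password IS NULL;
-- Any row back, and in particular one for 'sa', means the server is exposed.

-- 2. Give 'sa' a real password. @old is NULL because the current password
--    is blank; a sysadmin may omit it anyway. Replace the placeholder value.
EXEC sp_password @old = NULL,
                 @new = 'Replace-Me-With-A-Long-Random-Passphrase',
                 @loginame = 'sa';

-- 3. Verify: the audit query should now return no row for 'sa'.
SELECT name
FROM   master.dbo.syslogins
WHERE  name = 'sa' AND password IS NULL;

-- 4. Assumed extension for SQL Server 2005 and later (not covered by the
--    newsletter): syslogins no longer exposes the hash, so compare an empty
--    string against the stored hash instead. Rows returned have no password.
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;
```

Setting the password closes the hole the tool exploits, but it does not remove the need for the firewall rule: a server that still answers on TCP 1433 to the whole Internet remains a target for password guessing and for whatever the next tool exploits.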
Virus numbers dwindle, but impact increases
An antivirus product developer spelt out the apparent recent trends in virus developments and suggested PDAs were likely the next big target, and thus area of concern for corporate IT security staff.
Critical Windows Media Player updates
Microsoft has released a cumulative patch for Windows Media Player (WMP) v6.4 that patches all previously known security issues with WMP v6.4, some additional issues Microsoft discovered during its own testing and code review, _and_ a new remote code execution flaw. This new flaw results from an unchecked buffer that can be overflowed by having WMP play a suitably malformed .ASF (Advanced Streaming Format) media file.
Although this update sounds as if it is WMP v6.4-specific, Microsoft recommends that users of WMP v7.0 and v7.1 also obtain and install it, as the later versions of WMP include some of the v6.4 components for backwards compatibility reasons. To further confuse the issue, even though Media Player for Windows XP also includes WMP v6.4 components (for, you guessed it, backwards compatibility reasons), XP users are recommended to obtain and install the 25 October 2001 Critical Update for Windows XP instead.
Microsoft's severity rating for these patches is 'critical' on all platforms.
Update fixes ActivePerl buffer overflow
Windows versions of ActiveState ActivePerl earlier than build 630 are vulnerable to a remotely exploitable buffer overflow. Discovered by NSFOCUS security researchers, this vulnerability potentially allows remote execution of arbitrary code on the web server. It affects both IIS 4.0 and 5.0 servers running ActivePerl, and was fixed in the recently released build 630.
Microsoft log file flaws
In the last week or so, several issues with Microsoft products not properly logging what they should have been logging have been discovered. Given that log files are increasingly likely to be used as evidence in disciplinary and legal proceedings, it is important to understand these issues and be sure not to be affected by them or, worse, fooled into misinterpreting what you find in your own logs. To this end, it is recommended that IIS, Terminal Services and CITRIX MetaFrame administrators read the original descriptions of these issues, linked below.
Multiple JS vulnerabilities in Opera
At 'press' time, no mention of these problems nor what Opera software plans to do about them could be found on Opera's web site. A workaround that may prevent all vulnerabilities is described in Guninski's security advisory.
Lessons of wireless LAN insecurity not learned in London
Cryptography vendor RSA recently commissioned a survey of the vulnerability of wireless LANs in London's financial district to 'drive-by hacking'. The results suggest, once again, that the convenience of the LANs' owners, rather than the exercise of due care over the data they are charged with protecting, is the driving force behind the majority of WLAN installations. (Perhaps some of the firms uncovered by RSA should consider the implications of the next article?)
Good article covering legal risks of lax IT security
The article from CIO magazine, linked below, introduces many of the issues of legal liability that companies which do not pay enough attention to system security may face. Admittedly, the article is oriented to the US situation and legal system, but the broad principles are likely to be much the same here.