IE patches, XP data deletion bug, multiple lpd and CDE patches and false alarms

Norton AntiVirus false alarms on InstallShield; Norton AntiVirus false alarms on InstallShield; Multiple updates for IE 5.5 & 6.0; Windows XP bug can delete user data during reinstall/repair/upgrade; and more...

Another quiet week on the virus front with the only noticeable excitement caused by Norton AntiVirus wrongly detecting the Nimda virus in setup programs packaged with the popular InstallShield program. This was made all the worse by the false alarm being triggered on the installer for a competing antivirus product.

On the security front, Microsoft has released un updated version of the Windows ME Universal Plug and Play patch mentioned a couple of weeks back and several critical Internet Explorer patches are available via cumulative patches for these products. Although not strictly a security issue, I thought our readers should be made aware of a potential problem with preinstalled copies of Windows XP that can lead to loss of user data files during standard OS update or repair procedures. This flaw affects both the professional and home versions of XP, and given the latter point and that most home XP users will likely have OEM installed systems, I'm surprised this issue has not received wider attention. For our Unix and Linux administrators, there are some serious vulnerabilities in CDE and lpd that need patching.

Finally, I have included some material about the possibility of estimating a 'return on investment' index for security expenditure that I found interesting.

Virus News

Norton AntiVirus false alarms on InstallShield

Symantec, makers of the popular Norton AntiVirus (NAV) product family, had egg on its face this week after releasing an emergency definitions file update last Friday that incorrectly detected the Nimda virus in two executable files that are part of the very common InstallShield package. The upshot of this false alarm was that many NAV users received false warnings that a nasty virus had infected other software they had just downloaded from the net. This included the rival antivirus software F-PROT, whose installer happens to be packaged with the version of InstallShield falsely detected as infected.

Various perspectives:,,

Security News

Update for Windows ME patch in MS01-054

Further to it embarrassment over the botched Windows 2000 patch for MS01-052, reported in the newsletter a couple of weeks back, Microsoft had to withdraw the Windows ME patch for the Universal Plug and Play denial of service. As that patch has now been corrected and re-issued, affected users of Windows ME machines should obtain the new patch and (re-)apply it. Should you have obtained the original patch, there is no need to uninstall it before applying the updated fix -- it will correctly install over the top of the earlier, flawed patch.

- Microsoft security bulletin

Multiple updates for IE 5.5 & 6.0

Two weeks ago we reported that, by default, Internet Explorer treats all about: URLs as if they were in the Internet zone. Coupled with the finding that about: URLs can have their own cookies _and_ script code in the URL text itself is interpreted and run, several worrying scenarios seemed likely. Subsequently, it was discovered that about: URLs could be used to steal cookies from other domains, which was finally enough to spur Microsoft to act. Patches that fix these issues for IE 5.5 and 6.0 (the only versions currently under maintenance) are now available.

As well as fixing the cookie exposure bug, these patches fix two other vulnerabilities. The first of these is another zone spoofing flaw that can also expose cookie data to stealing and/or modification and second is a new variant of the MS01-051 vulnerability, whereby a specially malformed URL using a dotless IP address is incorrectly treated as being in the Local Intranet zone, allowing active content in those pages to run with fewer restrictions. Microsoft rates all these vulnerabilities as being of moderate severity.

Aside from fixing these newly discovered vulnerabilities, this is a cumulative patch, fixing all known vulnerabilities in IE 5.5 since the SP2 release and in IE 6.0 since its initial release.

- Microsoft security bulletin

Windows XP bug can delete user data during reinstall/repair/upgrade

According to Microsoft, Windows XP machines with the OS preinstalled by a computer manufacturer may suffer a nasty fate should they be updated or the OS reinstalled. The Microsoft KnowledgeBase article acknowledging the flaw in the Redmond software giant's latest OS says 'You may lose data that is stored in the All Users folder and default program templates and settings that are stored in the Default User folder after you reinstall, repair, or upgrade Windows XP. You may be missing Start menu shortcuts, items in the Startup group, and documents, pictures, or music files that are stored in the Shared Documents folder.'

The cause of this potential disaster is the file Undo_guimode.txt, present in the Windows\System32 folder of vendor preinstalled Windows XP machines. This file is not created by a normal user installation and has no special function once the user setup wizard (which creates it during final user configuration of the OS) has finished running. As this file has no special function, it is safe to delete it, or at least rename it so as to prevent the problems attributed to its presence while performing any of the maintenance or upgrade tasks described in the KnowledgeBase article.

- News article

- Microsoft KnowledgeBase article

Multiple vulnerabilities in lpd on various Unix and Linux systems

Over the past few months, several vulnerabilities in the widely used Unix and Linux line printer demon (lpd) have been uncovered. The exposures represented by these numerous flaws vary, but most are remotely exploitable, giving root level access and/or allowing arbitrary code execution. CERT/CC has released an 'omnibus advisory' covering all recent lpd vulnerabilities and the status of patching efforts on the OSes each vulnerability affects in an effort to draw all lpd vulnerability information together.

Because of the number and diversity of these vulnerabilities and the OSes affected by each, it seems quite possible that many administrators may have overlooked one or more critical lpd patches for some of their systems. Further, there is some evidence of increased lpd port scanning of late and systems being compromised via lpd exploits.

- CERT/CC advisory

Remote root exploit in CDE on various Unix and Linux systems

The popular Common Desktop Environment (CDE) graphical user interface for various UNIX and Linux operating systems is vulnerable to a remote root exploit. This flaw allows arbitrary code to run in the same context as the CDE Subprocess Control Service (dtspcd) daemon -- usually root. More details about the flaw and the availability of patches for affected systems can be found in the CERT/CC advisory on this vulnerability.

- CERT/CC advisory

Calculating returns on investment in computer security

Several experts in various fields have been trying to put a monetary value on the costs and value of proper security design in computer systems. This allows them to produce that so important statistic for the bean-counters -- a return on investment index. Although some of this work has been positively reported of late, it seems there is still some way to go...

Various perspectives:,,

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about CERT AustraliaLinuxMicrosoftNimda virusNortonSymantec

Show Comments