Mac IE patch, Linux kernel patches, Oracle and Sun updates and more

'bin Laden' virus hyped; Red Cross warns of uncharitable Trojan Horse; Windows 2000 patch from MS01-052 updated; Mac IE 5.1 for OS X auto-executes some downloaded applications; and more....

First, my apologies that 'this week's issue' is late arriving. I am in Austria and ended the week devoid of Internet connectivity -- a most 'uncomfortable' place for me... Anyway, one 'positive' to come from this is that much happened on Friday in Europe and the US, which is late on Friday and into Saturday in New Zealand and normally too late for inclusion in the newsletter, but 'this week' it is in the newsletter...

On the Microsoft front, the corrupt patch that caused trouble for Windows 2000 users last week has been updated, and a patch has been released for the Mac OS X/IE 5.1 issue that we also mentioned last week. Linux users have critical kernel security updates to apply this week as do Sun and Oracle users.

Virus News

When ANTS become worms...

An e-mail worm, purporting to be the much-awaited v3.0 release of the popular German language Trojan detection software ANTS, has been reported extensively in Germany. The worm may be less likely to succeed outside the German-speaking countries where ANTS is most popular. However, the message the worm uses to social engineer users into running the attachment is a short paragraph presented in German and then in English, so it may entice enough non-German speakers into trying the attached program anyway. It is to be hoped that users are by now sufficiently skeptical of unbidden executable attachments, particularly ones claiming to be updates for software they do not use, that this worm will not spread much further than it already has.

As of this writing, three variants are known to exist. Although two different e-mail message bodies are used, all three variants use the name ants3set.exe for the message's attachment. If you have attachment filtering at your e-mail gateway and are not already preventing all EXE attachments, you should add a specific filter to prevent attachments of this name entering.
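The gateway filter recommended above, as an added example that is not part of the newsletter: a minimal mail-gateway attachment check written with the Python standard library. It parses a raw message, walks every MIME part and reports attachments whose file name is on a block list (seeded with the worm's 'ants3set.exe') or whose final extension is executable. It keys on the attachment's file name rather than the declared Content-Type, so a message that mislabels an EXE's MIME type is still caught. The sample message, the block-list and extension sets, and all function names are constructed for this example.

```python
"""
Added example (not from the newsletter): a minimal mail-gateway attachment
filter. Parses a raw RFC 822 message with the standard library, walks every
MIME part and reports attachments whose file name matches a block list or
whose extension is executable. The sample message below is constructed.
"""
from email import policy
from email.parser import BytesParser
from typing import Iterator, List, Optional

# Exact file names to block, compared case-insensitively. 'ants3set.exe' is
# the name used by all three known variants of the ANTS worm (per the
# newsletter); add further names as new reports arrive.
BLOCKED_NAMES = {"ants3set.exe"}

# Executable extensions a gateway typically refuses outright (constructed
# list; extend to match local policy).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs"}

# Constructed sample message: a worm-style lure with the ANTS attachment.
# The attachment name is upper-cased to exercise the case-insensitive match.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: ANTS 3.0 Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Bitte installieren. Please install.
--XYZ
Content-Type: application/octet-stream; name="ANTS3SET.EXE"
Content-Disposition: attachment; filename="ANTS3SET.EXE"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""


def attachment_names(raw: bytes) -> Iterator[str]:
    """Yield the file name of every MIME part that declares one."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def classify_attachment(name: str) -> Optional[str]:
    """Return the reason to block this attachment, or None if it is allowed."""
    lowered = name.strip().lower()
    if lowered in BLOCKED_NAMES:
        return f"blocked name: {name}"
    # Only the final extension matters: 'report.txt.exe' is still an .exe.
    dot = lowered.rfind(".")
    if dot != -1 and lowered[dot:] in EXECUTABLE_EXTENSIONS:
        return f"executable extension: {name}"
    return None


def scan_message(raw: bytes, block_all_executables: bool = True) -> List[str]:
    """Return the block reasons for a raw message; an empty list means deliver.

    With block_all_executables=False only the exact-name block list applies,
    which is the 'specific filter' the newsletter suggests for sites that do
    not yet refuse every EXE attachment.
    """
    reasons: List[str] = []
    for name in attachment_names(raw):
        reason = classify_attachment(name)
        if reason is None:
            continue
        if reason.startswith("executable") and not block_all_executables:
            continue
        reasons.append(reason)
    return reasons


if __name__ == "__main__":
    for reason in scan_message(SAMPLE_MESSAGE):
        print("BLOCK:", reason)
```

In a real gateway the function would run per message in the filter hook (a milter, a procmail rule, or the gateway product's own scripting interface); the decision logic above is the portable part.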

Despite the worm's e-mail message apparently being from Andreas Haak, the author of the real ANTS Trojan scanner, this e-mail worm has nothing to do with Haak, who has posted a message to this effect on his web site. It is unclear at this juncture whether the message is a deliberate attempt to besmirch Haak's reputation or simply included because the writer of the worm saw it as 'necessary' to the worm's success.

- ANTS author statement

Various antivirus developer descriptions:

ca.com, f-secure.com, vil.nai.com, sophos.com 1 | 2, sarc.com, antivirus.com

Elkern & Klez -- a modern 'Odd Couple'

Win32/Klez is a trivial mass mailing worm which drops and runs a copy of the Win32/Elkern virus. The latter is entirely independent of the mass mailer, hence the choice of 'unrelated' names for the two. Klez has a 'hidden' message, perhaps directed by the virus' writer to antivirus developers in the vain hope of getting a better paying job than the norm in China (or some similarly poor Asian country). Aside from that, Klez will also take advantage of the Internet Explorer security flaw detailed in the MS01-020 security bulletin. This vulnerability causes an EXE file attached to a suitably 'malformed' e-mail message to be automatically run when the message is viewed in Outlook, Outlook Express and possibly some third-party mailers that use IE for viewing HTML e-mails, and is the same flaw that Nimda recently used to such good effect.

Elkern is a multiple-cavity and appending virus. Using the trick first employed by CIH, Elkern can break its code into several smaller pieces, insert them into inter-segment 'gaps' in PE format EXE files and re-assemble itself when run. Unlike CIH however, it can also infect files that do not have sufficient inter-segment slack space for its multiple cavity trick by using the older and simpler appending infection method.

Various antivirus developer descriptions:

f-secure.com: 1 | 2, vil.nai.com: 1 | 2, sophos.com: 1 | 2, sarc.com: 1 | 2, antivirus.com: 1 | 2

'bin Laden' virus hyped

Further to last week's story about the hyped rather than threatening 'Anthrax virus', this week saw another unfortunate incident of the media jumping on a 'terrorism related' malware incident and giving it unnecessary airtime. Variously named Toal, AntiWar and 'the bin Laden virus', this simplistic mass mailer is unlikely to go far.

Win32/Toal introduces an interesting twist to the mass mailing bag of tricks, using the ICQ 'White Pages' to find e-mail addresses to which to send itself. Although the e-mail message carrying Toal has a Subject: line randomly chosen from a very long list (most of which refer to Osama bin Laden and/or other aspects of the current Afghanistan conflict or reputedly related terrorist acts), the message body is always blank and the file attachment named 'BINLADEN_BRASIL.EXE'. The attachment's size varies because it is an infected copy of the standard Windows HH.EXE file, which varies across Windows' releases and updates.

The attachment name, the Korean antivirus developer's initial choice of 'AntiWar' as a name for the virus when it discovered it, and that company's press release, issued despite very limited evidence of the virus spreading extensively, are what led to the media interest.

Various antivirus developer descriptions:

ca.com, f-secure.com, vil.nai.com, sophos.com, sarc.com, antivirus.com

Red Cross warns of uncharitable Trojan Horse

Despite dating back to the middle of the previous week, several media outlets picked up on the 'old' story of the Septer data stealing Trojan Horse program during the week. Discovered on 17 October, Septer depends on users willingly mailing it on to friends or others whose e-mail addresses they have and is not self-mailing or otherwise replicative. If the Septer Trojan is run, it displays a fill-in form asking for the user's details including name, company, address, ZIP code and credit card details then sends that data to an Internet server. The 'donation form' is made to look as if the donation is going to the American Red Cross in support of the United Way and The New York Community Trust donations for victims of the 11 September terrorist attacks in the USA.

The server receiving the stolen data was promptly shut down once the fraud was reported to the FBI and American Red Cross, so the potential for the data stealing actually succeeding has long since been nullified. However, given that the Trojan seems to represent what is, in most people's judgement, a 'worthy cause', it is conceivable that copies of it may still be circulating.

Following the antivirus industry's usual tradition of confusing the hell out of users, several different names have been assigned to this Trojan, but the most common are Septer (which is the only name your newsletter compiler has seen used in media reports) and KWM.

- American Red Cross warning

Various antivirus developer descriptions:

vil.nai.com, symantec.com, antivirus.com

Security News

Windows 2000 patch from MS01-052 updated

Almost as last week's newsletter was posted, the first reports of problems with the just-released MS01-052 patches were received. As posted, we noted two such reports, but within a couple of hours the NTBugtraq mailing list moderator reported that he had received several dozen more similar reports, but it appeared only the Windows 2000 patch was causing problems. Around the same time, Microsoft pulled the Windows 2000 patch. A couple of days ago the MS01-052 security bulletin was updated to reflect that the original Windows 2000 patch had been discovered to cause serious side-effects on some systems and a new version of the patch had been released.

Microsoft recommends that anyone who installed the original MS01-052 patch on Windows 2000 machines should obtain the new patch and install it. Such users should do this even if they have not noticed any side-effects from installing the original patch. That is Microsoft speak for 'if you don't install the new patch you may have trouble in future', so anyone who was quick enough to get the original Windows 2000 patch in question and installed it even after it tested OK should get the updated patch and install that on all machines the previous patch was applied to.

There are no confirmed reports of problems with the NT 4.0 version of this patch and that patch has _not_ been updated. This advisory only applies to administrators of Windows 2000 systems.

- Microsoft security bulletin

Mac IE 5.1 for OS X auto-executes some downloaded applications

As reported in last week's newsletter, IE 5.1 for Mac OS X automatically executes downloaded files if in BinHex or MacBinary format. This week Microsoft released a security bulletin discussing this 'feature' and claimed that the problem arises 'because of a flaw in the way Mac OS X and Mac IE 5.1 interoperate'. To clarify last week's report, this problem arises with all IE 5.1 versions prior to v5.1.3 on all versions of OS X, whereas last week's newsletter suggested, based on a preliminary investigation of this security flaw, that it may have only applied to OS X 10.1.

Microsoft has confirmed this flaw with IE for Macintosh v5.1 and v5.1.2. Although earlier versions may be vulnerable, the 'current and previous release are supported' rule means Microsoft has not tested and has no plans to fix them should any earlier versions be vulnerable. Affected users must install the 'Internet Explorer 5.1 Security Update' via Apple's Software Update. Microsoft rates this security vulnerability as being of moderate seriousness to affected workstations and of no consequence to intranet or Internet servers (best practice decries running complex -- and traditionally more buggy -- user applications such as web browsers on servers or when running with raised privileges, such as a system administrator login).

- Apple Software Update information

- Microsoft security bulletin

Security zone problems with about: URLs in Internet Explorer

Several messages on the bugtraq mailing list this week discussed a weakness in Internet Explorer's handling of about: protocol URLs. It was pointed out that the URL itself can include script code that will be executed by the browser when the URL is visited, and that the default security zone for about: URLs is the Internet Zone rather than a more restricted one (remember, the Internet Zone enables scripting by default). A poster in this thread pointed out that all about: protocol URLs could apparently be forced into the Restricted Sites Zone by setting the DWORD value 'about' to '4' in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults registry key.

Initial and solution message in bugtraq archive: 1 | 2

Linux 2.2 and 2.4 kernel updates

A couple of security holes in the Linux kernel have just been patched. One is a local root exploit involving ptrace and suid root binaries and the other allows for a relatively trivial denial of service using deeply nested symlinks, which can irrecoverably push CPU usage to 100% for disturbingly long periods. Administrators of Linux machines are advised to obtain the new kernels, build and install them. Although the popular Linux distributions have automated updating tools, few, if any, of these support updating the kernel via update packages -- check with your distributor if you are not sure of the appropriate update method for your kernel. While you are checking this update, also check for updated util-linux packages, as some distributions also have a serious security hole in the PAM package whereby user credentials are incorrectly cached, allowing user privilege escalation.

Three critical Oracle security patches

The first two of these vulnerabilities affect all Oracle database server releases, v8.0.x, v8.1.x and v9.0.1, running on all Unix platforms; they allow running arbitrary code as the Oracle database user and allow other forms of operating system user privilege escalation. The third affects Oracle Label Security v8.1.7 on the Sun Solaris platform and may allow an Oracle database user to obtain higher privileges within a database application. More details, including how to obtain the patches, are available in the following security alerts.

Oracle security alerts:

http://otn.oracle.com/deploy/security/pdf/otrcrep.pdf

http://otn.oracle.com/deploy/security/pdf/oracle_race.pdf

http://otn.oracle.com/deploy/security/pdf/OLS817alert.pdf

Four security updates from Sun

In the last few days, Sun has released four security bulletins covering: the Java runtime environment (JRE) allowing untrusted applets access to the system clipboard, a buffer overflow in yppasswdd allowing local and remote root exploits, a local root access possibility in ufsrestore, and a possible remote root vulnerability via a buffer overflow in xntpd.

The gory details of precisely which platforms and versions of these products, and where to obtain patches for vulnerable systems, are available in the respective security bulletins on the page below.

- Sun security bulletin archive
