MS Office and IE updates, iptables firewall patches, Symantec LiveUpdate update

Nimda.B variant not going far; Antivirus research conference in Hong Kong; alt.config virus a 'hoax'; plus a bunch of updates and patches

Although things have been quiet on the virus front this week, there are a couple of important Microsoft patches to install, affecting Internet Explorer and a raft of Excel and PowerPoint versions. Also, users of Symantec's LiveUpdate technology, shipped with many Symantec products, should check the item about security vulnerabilities in some older versions of this product. It seems Apple has made a half-hearted attempt to fix a permissions problem in OS X and users of 'roll your own' firewalls based on Linux 2.4 kernels and iptables should check the relevant article below.

Virus News

Nimda.B variant not going far

Just after filing last week's newsletter, a minor variant of Nimda was reported. Although a small number of samples were reported from the field in South America, this variant does not seem to have taken hold like its forerunner. However, if you have not updated your virus scanner's DAT/DEF/signature/etc files since late last week, it would be prudent to do so, as most antivirus vendors have updated their products to detect this new variant.

Antivirus research conference in Hong Kong

Although at first glance its content may seem a little esoteric for the 'troops in the trenches', the Association of anti Virus Asia Researchers (AVAR) conference in Hong Kong in December may be worth considering. Many of the top antivirus researchers from all round the world will be present, both as speakers and as delegates. This would be a great opportunity to meet and talk with some of the principal designers of your antivirus software (and don't be put off by the apparently high prices as the NZD/HKD exchange rate is approximately three-to-one in the NZD's favour at the moment).

AVAR 2001 conference site:

http://www.aavar.org/avar2001/home.html

alt.config virus a 'hoax'

Readers of Internet newsgroups have seen a marked increase in the posting of HTML messages containing trivial, but annoying, JavaScript programs. If such messages are read with a browser that supports JavaScript, these programs run, doing whatever they were designed to do. Aside from multiple potential security exposures, particularly in Internet Explorer-related newsreaders such as Outlook Express, these JavaScript programs embedded in HTML messages can have troubling effects. These include creating thousands, or even endless numbers, of dialog boxes displaying inane or offensive messages.

In the last year or so, two or three of these 'nuisance' JavaScripts have become quite common. Earlier this year, one such script, which launched endless instances of the victim's default Email program with new messages addressed to a single Email address, became common. However, in the last few weeks, antivirus researchers have seen many questions about a purported 'alt.config' virus which turned out to be a new example of this genre. In this case, the message repeated in an endless JavaScript loop is '** WARNING ** Virus Scan has detected the alt.config virus on your hard drive. If you have recently opened an email or newsgroup message and see this alert your system is infected.'

While not really a hoax, the hapless user who sees such a warning should not be concerned about the claims of the warning itself, but should be concerned that its display indicates they have their newsreader (and/or possibly their web browser) badly configured. As these embedded scripts can do much more damage than just display endless messages, affected users should check their newsreader security settings. Users of Outlook Express should place their Email and News in the 'Restricted Sites' zone and ensure that scripting is disabled, or at least set to 'Prompt'. Netscape Communicator users should disable JavaScript in Email and News.

Security News

More major macro security flaws in multiple Office products/versions

At the end of June we reported that specially malformed Word documents can be created so as to allow macros in the documents to run, regardless of the macro security settings in Word and that this bug affected all versions of Word from Word 97 on, including Word 98 and 2001 on the Macintosh. Although the inner details of that security flaw were not publicly released at the time (and, to the list compiler's knowledge, fortunately still have not been), antivirus and some other computer security researchers were provided with those details by the discoverer of that bug.

An antivirus researcher at Symantec considered the nature of that bug and decided it would be worth checking similar mechanisms in Excel and PowerPoint. To the cynical, or those with several months' history of observing the development of security issues in Microsoft products, it was not surprising that very similar problems with the macro security checking of Excel and PowerPoint files were uncovered by that effort.

Microsoft has now released a fix for this issue in Excel and PowerPoint 98, 2000, 2001 and 2002. Users of Excel and/or PowerPoint 97, which are known to be affected by this serious macro security flaw (see Symantec's security response on the issue, linked below), have been left in the cold because of Microsoft's standard position that 'only current and one previous versions are supported'. There is still a large installed base of Office 97 users. Given that the design flaw uncovered by the Word bug reported in the MS01-034 security bulletin was likely to affect the other products in the Office 97 family, because of the likelihood of shared or related designs, it seems reasonable to expect that Microsoft itself should have found and fixed the Excel and PowerPoint versions of this bug while researching the issue for the Word 97 fix. Instead, it waited a month or so until Symantec's researchers pointed the problem out, but after Office XP was released.

Patches for Excel and PowerPoint 98, 2000, 2001 and 2002 are available from the MS01-050 security bulletin, linked below, as is some typical Microsoft spin-control on why this is not a serious problem -- get and install the patches and ignore the spin. Also, if you have not already applied the related patches for any and all Word 97 through 2002 versions referenced in the MS01-034 security bulletin, get and apply them too.

Symantec security response:

http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html

Microsoft security bulletin:

http://www.microsoft.com/technet/security/bulletin/MS01-034.asp

http://www.microsoft.com/technet/security/bulletin/MS01-050.asp

Internet Explorer security patches

Microsoft has released patches for Internet Explorer 5.01, 5.5 and 6.0 to correct three security flaws in the browser. These flaws can allow web pages to be rendered in the intranet security zone rather than the internet security zone; cause information leakage and possibly have malicious commands run on remote web sites as the current user; and allow a file to be written to the local file system by visiting a malicious site. The first flaw is not present in IE 6.0 and only applies to the earlier versions of the browser. The third flaw is a variation of the problem initially addressed in the MS01-015 security bulletin and discussed in earlier issues of this newsletter. This flaw only affects users who have installed Services for Unix (SFU) 2.0 under NT 4.0 or Windows 2000 and use the SFU telnet client as their default telnet client program.

Microsoft security bulletin:

http://www.microsoft.com/technet/security/bulletin/MS01-051.asp

Update for Symantec's LiveUpdate (multiple products)

Several Symantec products incorporate the company's LiveUpdate technology to check for and automatically install product updates across the web. Weaknesses in some of LiveUpdate's crucial functions mean that various versions of it could be used to rapidly distribute malicious code to LiveUpdate users, prevent LiveUpdate correctly updating virus detection files or use machines running LiveUpdate as a network of DDoS agents. Symantec has fixed these problems in LiveUpdate and the latest release of LiveUpdate v1.6 should be obtained and installed to fix these problems. Note that earlier releases of LiveUpdate 1.6 should have automatically updated themselves to this version, but LiveUpdate v1.4 (shipped with Norton AntiVirus v5.x) is reported to _not_ update itself to LiveUpdate v1.6 and users of v1.4 are recommended to manually download and install the latest LiveUpdate v1.6 version from the LiveUpdate update page linked below.

bugtraq article:

http://www.phenoelit.de/stuff/LiveUpdate.txt

Symantec security response and LiveUpdate update pages:

http://securityresponse.symantec.com/avcenter/security/Content/2001.10.05.html

http://www.symantec.com/techsupp/files/lu/lu.html

iptables bug in Linux 2.4 may reduce firewall security

A recently discovered bug in the iptables component of the Linux 2.4 kernel's Netfilter architecture could leave a hole in firewalls based on iptables functionality. A module, supplied by default, for MAC address matching has been found to not correctly match addresses in very small packets. An interim source code patch has been supplied to rectify this problem and a properly tested update for iptables should be available soon. The source patch (which is very small) is included in the bugtraq post that described the problem and an archived copy of that message is linked below. Alternatively, consider applying the workaround from the post that sounds best for your network and keep a close eye on your vendor(s) for an iptables update.

bugtraq article:

http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=219180

OS X 10.1 desktop folder permissions problems

A problem with permissions on the '/Users/<admin-login>/Desktop' directory in earlier versions of OS X is reported to have been fixed in the 10.1 update. However, part of the original problem remains. New users, added to the system following the 10.1 update have the correct permissions set on this directory, but the permissions are not corrected for existing users. The original report of this problem lists the French, German, Italian and Spanish versions of the 10.1 update as affected, but does not make it clear if they are the _only_ affected versions or if they were the only versions where the reporter had _confirmed_ the problem.

bugtraq article:

http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=219166
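
Because the 10.1 update sets the correct permissions only for newly added users, one way to find existing accounts that still need attention is to compare every user's Desktop directory against that of an account created after the update. The script below is an added example, not part of the original report or of Apple's update; the reference account name is an assumption supplied by the administrator, and the script reports differences only, changing nothing.

```sh
#!/bin/sh
# Added example: flag Desktop directories whose mode differs from a
# reference account's Desktop (an account created after the 10.1 update).
# The users root and reference account are supplied by the caller.

# Print the 10-character mode string (e.g. drwx------) of a directory.
# Parsing ls avoids depending on a particular stat(1) flavour.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# audit_desktops USERS_ROOT REFERENCE_USER
# Prints "mode<TAB>path" for every Desktop whose mode differs from the
# reference. Returns 0 if all match, 1 if any differ, 2 if the reference
# Desktop is missing.
audit_desktops() {
    root=$1
    ref=$2
    if [ ! -d "$root/$ref/Desktop" ]; then
        echo "no reference Desktop for $ref under $root" >&2
        return 2
    fi
    want=$(dir_mode "$root/$ref/Desktop")
    status=0
    for d in "$root"/*/Desktop; do
        # Skip accounts without a Desktop, and symlinks that would make
        # the check report on some other directory.
        if [ ! -d "$d" ] || [ -L "$d" ]; then
            continue
        fi
        got=$(dir_mode "$d")
        if [ "$got" != "$want" ]; then
            printf '%s\t%s\n' "$got" "$d"
            status=1
        fi
    done
    return $status
}

# Run as: sh audit.sh /Users <account-created-after-update>
if [ "$#" -eq 2 ]; then
    audit_desktops "$1" "$2"
fi
```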

NSA releases update to 'Security-enhanced' Linux

The NSA, in cooperation with several software research and development companies, has been working on porting some of its mandatory access control technology from earlier, proprietary and/or research operating systems to a more widely accepted and used OS. The result -- the so-called 'Security-enhanced Linux' or 'SE Linux' -- is a set of patches and loadable kernel modules that have been tested with standard Red Hat Linux distributions. SE Linux has been available for free download from the NSA for some time now, and a recent development is the first release of a version that is tested as compatible with the 2.4.10 kernel.

The SE Linux project is _not_ an attempt to audit the standard distribution and patch known and newly discovered security flaws. Rather, it is a technology demonstrator, showing how (and that) mandatory access controls can be built into an accepted and widely used OS while maintaining most of the expected functionality of that OS. Thus, it is still essentially an experimental platform where the emphasis is on providing mechanisms enforcing 'the separation of information based on confidentiality and integrity requirements'. Most commercial, and all 'popular', OSes that have security mechanisms focus their security sub-system on the who/what/where issues familiar to discretionary access control systems. SE Linux, however, aims to confine program capabilities and user access rights in such a way that any damage that may be caused by traditional security threats such as buffer overflows, invalid user inputs, etc is strictly limited to only that sub-set of system resources and data that the compromised process needs access to in order to complete its tasks. Thus, a buffer overflow in a network service should not be able to compromise the whole machine, as is commonly seen with remote root exploits in currently popular OSes.

News article:

http://www.nwfusion.com/news/2001/1003nsalinux.html

SE Linux home page:

http://www.nsa.gov/selinux/index.html

Security challenges posed by new mobile network devices

The article linked below discusses some of the issues surrounding the increasing complexity of ensuring security and data integrity as corporate users increasingly expect to access content via more and more diverse devices, such as PDAs, television set-top boxes, smart phones and so on. Aside from the higher risk of theft of such devices, the high turnover and obsolescence of their often embedded and uneconomical to update technology tend to reduce testing and increase risk.

News article:

http://www.infoworld.com/articles/hn/xml/01/10/11/011011hndevices.xml

ISP taking security lead with users

British ISP Telewest is taking a proactive stance to help its users with security patches and related system configuration issues. Telewest seems to have started this initiative in response to the number of its users infected with Nimda, which is still causing large problems due to its multiple spread mechanisms. The ISP's protective measures include temporarily blocking Internet access from machines known to be harbouring network-spreading malware such as Nimda.

Until very recently, it has been common for victims of worms like CodeRed and Nimda, or of mass-mailing viruses such as Melissa and LoveLetter to report little or no cooperation from ISPs in tracking and blocking their customers who are (often unknowingly) spreading such things. Perhaps this move by Telewest is a sign things are changing for the better? Aside from reading the linked news article, some readers may be interested in what the Internet 'standards' folk have to say about system maintenance and security configuration as it applies to users and administrators of Internet services and Internet-connected machines. Such recommendations are spelled out in RFC 1281, 'Guidelines for the Secure Operation of the Internet'.

News article:

http://news.cnet.com/news/0-1003-200-7473401.html

RFC 1281:

http://www.faqs.org/rfcs/rfc1281.html
