Some important locally exploitable sendmail vulnerabilities are patched with the v8.12.1 update detailed below. While generally not as urgent as remotely exploitable vulnerabilities, these patches should be applied as soon as practicable on 'exposed' servers. SANS has released an updated 'Top 20' security vulnerabilities list -- this is a web page that should provide something useful or interesting to most security professionals. Almost as an antidote to the SANS page, Microsoft has released a 'how to do security better' page and toolkit (although the cynical will say it is more of a 'how we should have done it in the first place' page). And it was something of a relief to hear that the judges ruling in the case against the writer of VBS/VBSWG.J (better known as the 'Anna Kournikova virus') were not swayed to the side of sentencing leniency by the virus writer's claims of 'I did not know what I was doing...'. However, lack of evidence of significant damage and losses due to the virus did work to the virus writer's advantage.
Kournikova virus writer gets 150 hours community service
Two weeks ago we reported the beginning of the trial of 20-year-old Dutch man Jan de Wit, who admitted writing VBS/VBSWG.J (better known as 'the Anna Kournikova virus'). Late last week, de Wit was sentenced to 150 hours of community service. Although that sentence may seem rather light, few of the virus' victims came forward to identify themselves or the cost of the damages and losses inflicted by the virus. The court heard that the FBI had identified 55 victims suffering total damage of US$166,827. Fortunately, the judges gave little or no weight to de Wit's claims that he had no idea of the likely extent of spread or scope of the damage the virus could cause.
Antivirus vendors to supply Microsoft patches?
The suggestion that antivirus vendors might deploy critical Microsoft patches along with their usual scan string and detection engine updates has drawn a good deal of commentary over the last few days. Some have suggested that automatically applied OS and critical application updates are anathema to well-managed systems -- for example (and at its most basic), many Microsoft patches require a reboot to take effect, and having critical servers semi-randomly restarting as patches are applied hardly seems like a picture of managed IT service!
However, the contrary position is that CodeRed, Nimda and other recent worms have shown quite clearly that a significant number of Microsoft product users are unaware of (or simply do not care to apply) security patches. That such users are able to connect machines to a public network like the Internet and then unwittingly participate in attacks on many other users hardly seems fair or right. That some portion of these 'uncaring' or naive users do use antivirus software that automatically updates itself leads to the idea that it may be worthwhile to have the naive users automatically patched 'for the good of the Internet'. It seems unlikely we have seen the end of this debate, and the initial reaction of antivirus vendors to the suggestion seems lukewarm, at best.
Microsoft launches 'Strategic Technology Protection Program'
A collection of 'best practice guides, information on securing your system, and service packs and patches that can help ensure your system is protected against attacks' has been compiled by Microsoft and released as the Strategic Technology Protection Program. Initially shipped on CD and available through Microsoft's web site, the guides walk an administrator through installing a new machine from scratch and patching it to current security levels, or tackling the often more challenging job of ensuring an installed and 'functional' machine is properly secured.
Microsoft Strategic Technology Protection Program:
When is a patch not a patch?
ZDNet associate editor Robert Vamosi uncovered an interesting twist in Microsoft's myriad patch and update options recently. While trying to update older versions of Internet Explorer to secure them against the 'automatic execution of embedded MIME types' bug used by Nimda, he discovered that not all update paths resulted in the desired (and expected) result. In short, he discovered that when using Windows 95, 98, or ME and updating IE 5, 5.01, 5.01sp1, 5.5 or 5.5sp1 to IE v6.0 you could end up with a still vulnerable IE installation. How could this happen? Shouldn't the 'latest and greatest' IE version be free of this 'old' bug? Robert thought so too. He found the 'problem' involved choosing the 'Custom Install' or 'Minimal Install' options, which bypass Outlook Express and thus bypass installing the patched component that fixes the 'automatic execution of embedded MIME types' vulnerability.
As always, test, test and test again... Vamosi's full article is linked below.
sendmail 8.12.1 for various Unix-like OSes
Have you recently updated to sendmail 8.12.0? If so, it's time to update again... Three possible local exploits against sendmail 8.12.0 have been fixed in 8.12.1. More details about the update can be obtained from the sendmail page linked below, and those who build their own executables can obtain the source from the FTP link. Others should check with their vendor(s) for updated packages...
SANS updates 'Top 20' computer security issues list
The updated list contains detailed descriptions of the most commonly unpatched security holes that are actively exploited, and of some general security design and policy issues. The list is a good read, even if all it does is reassure you that you are on top of the most exploited problems being seen at the moment...
SANS 'Top 20' list: