This week the Vote e-mail worm received much more media attention than it deserved, but this was probably largely indicative of heightened awareness of issues surrounding terrorism and the events in the US in the last two weeks. Vote tries to prey on concerns about those events, so even though it was apparently quite unsuccessful, it caught the media's, and the public's, attention.
On the security front, there is another patch for Exchange 2000 servers running Outlook Web Access and an important update for OpenSSH. Also, concerns have been raised over Baltimore's MAILsweeper and its handling of some 'malformed' HTML scripts, and a Gartner Group analyst has recommended that sites using IIS reconsider that product choice.
Finally, we look at a new move in the US that would impose severe penalties on hackers.
Electioneering worm fizzles
In light of (or perhaps because of) the FBI's warning to be especially aware of potential malware that may try to take advantage of the recent 'bombings' in the US, three variants of a mass mailing worm have been seen this week. The first of these, Win32/Vote.A@mm was seriously overhyped by an antivirus developer and received extensive media attention despite only being seen at a small handful of locations. Subsequently, two variants -- Vote.B and Vote.C -- have been isolated, with Vote.C being uncovered only a few hours before this issue of the newsletter was posted.
All variants include short message bodies suggesting that the attachment in some way helps in the aftermath of the attacks on the World Trade Center and the Pentagon. Running the attachment results in copies of the attached executable being sent to all addresses in the Outlook address list, various attempts being made to delete and otherwise corrupt the contents of the local file system and some web pages and messages being displayed. Further, an attempt is made to download and run a backdoor Trojan hosted on a Yahoo user's web site.
Again, despite the media attention Vote has received, very few instances of it have been detected or reported from the field.
Various antivirus vendor descriptions:
Nimda set to ride again?
Last week's extensive coverage of Win32/Nimda -- the joint virus and network worm -- failed to mention one important aspect of Nimda's behaviour. Ten days after initially infecting a machine and distributing itself via e-mail, Nimda will, if still running on the infected machine, run its e-mail distribution mechanism again. Thus it seems likely we will see a surge in the number of Nimda detections today and over the next couple of days, it being the tenth day after Nimda first struck.
Users who have updated their antivirus software have nothing to worry about from such a surge, but it may help to be forewarned as to why you see an upswing in Nimda detections, should this happen. However, another school of thought is that there may not be a sizable increase in its activity. The reasoning here is that, because Nimda is so intrusive, it seems unlikely sufficient machines will have been left infected that long for there to be a noticeable increase in activity.
Update for Exchange 2000 OWA denial of service
Microsoft has released an update for Exchange 2000 that fixes a denial of service possibility if Outlook Web Access (OWA) is enabled on the server. The denial of service can only be performed by an authenticated user and involves repeatedly requesting a non-existent but deeply nested folder. That the user has to be authenticated, and several other mitigating factors, suggests this is a low risk vulnerability for most Exchange 2000 systems with OWA unless their users should be considered particularly hostile. More details and the patch download location are available from the usual place.
Gartner recommends avoiding IIS
John Pescatore, a Gartner Group analyst, has reportedly recommended that users of Microsoft's web server software, Internet Information Server (IIS), should "investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache". Microsoft has responded with claims about how much more secure the next release of IIS, version 6.0, will be following an extensive rewrite of the product. However, that rewrite reputedly also includes moving some core functionality into the OS kernel via a system device driver. This raises concerns of even greater compromises, and/or the 'blue-screening' of the server, should that code be buggy.
Baltimore MailSweeper does not properly filter scripts
Similar to problems reported several months ago in eSafe Gateway, Baltimore's MAILsweeper has been reported to fail to remove some specially malformed scripts embedded in HTML e-mail messages. Missing malformed scripts may not seem like much of a problem, but some web browsers, including Microsoft's Internet Explorer, are rather 'tolerant' in what they will accept, and 'correctly' interpret (and therefore run) the malformed scripts of the type MAILsweeper is claimed to miss.
Patch for OpenSSH
OpenSSH v2.9.9 has been released to patch a weakness in source IP address access controls for the SSH v2 protocol. This weakness could allow users to log in from what the administrator would have expected to be disallowed IP addresses, thus circumventing site login policies. OpenSSH versions from v2.5.0 and prior to v2.9.9 contain this flaw. Whether a site running OpenSSH is vulnerable depends on the actual access controls that are employed at the site.
The bug is fixed in OpenSSH v2.9.9 which is available from the OpenSSH site linked below. Precompiled packages should be available for the popular Linux and Unix ports shortly.
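Since exposure depends on whether a site actually relies on source-IP restrictions, the first step is to find out which keys carry any. The following is an added example, not code from this newsletter or from the OpenSSH project; it assumes the control in question is the `from="pattern"` option OpenSSH accepts at the start of an authorized_keys line, and it audits a file for keys that depend on that option (the sample file is constructed, with placeholder key material).

```python
"""Audit an authorized_keys file for keys that rely on from= source restrictions."""
from typing import List, Optional, Tuple

# Key types recognised as the start of the key proper (options, if any, precede them).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")


def split_fields(line: str) -> Tuple[str, str]:
    """Split a key line into (options, rest); options end at the first unquoted space."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def split_options(options: str) -> List[str]:
    """Split a comma-separated option string, keeping commas inside double quotes."""
    items, buf, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        items.append("".join(buf))
    return items


def parse_line(line: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (key_type, from_pattern or None, comment) for one key line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line          # no option prefix on this line
    else:
        options, rest = split_fields(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None                       # not a recognisable key line
    comment = parts[2] if len(parts) == 3 else ""
    from_pat = None
    for opt in split_options(options):
        if opt.startswith("from="):
            from_pat = opt[len("from="):].strip('"')
    return parts[0], from_pat, comment


def audit(text: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, None]]]:
    """Return (keys restricted by from=, keys without it), each as (label, pattern)."""
    restricted, unrestricted = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ktype, from_pat, comment = parsed
        label = comment or f"{ktype} key on line {lineno}"
        (restricted if from_pat else unrestricted).append((label, from_pat))
    return restricted, unrestricted


# Constructed sample file; the base64 fields are placeholders, not real keys.
SAMPLE = """\
# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructed== alice@laptop
from="10.0.0.*,!10.0.0.99",no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBconstructed== backup@nas
command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAother== mirror
from="*.example.org" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAthird== bob
"""

if __name__ == "__main__":
    restricted, unrestricted = audit(SAMPLE)
    for label, pattern in restricted:
        print(f"relies on from= restriction: {label} ({pattern})")
    print(f"{len(unrestricted)} key(s) carry no source-IP restriction")
```

Keys in the first list are the ones whose protection depended on the broken check; keys in the second were never restricted by source address, so the bug changes nothing for them.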
Life imprisonment for US hackers?
Stringent new proposals that include the elevation of computer hacking crimes to 'acts of terrorism' carrying a mandatory life sentence are currently under consideration in the US. These are part of what several commentators see as unconstitutional moves to limit basic US freedoms, and are being pushed for quick adoption, riding on the coattails of the security concerns that have followed the recent terrorist attacks in the US. More details and commentary are available in the linked news articles.