There is little of concern on the virus front this week, but Microsoft returns to the fray with two security advisories covering patches to NT 4.0 and Exchange 5.5. Major encryption product developer RSA has also alerted to a problem in a product it licenses to other developers. This potentially compromises the assumed security of SSL network connections, and Cisco has released a patched version of its iCDN product to fix the problem there. Macintosh administrators running web servers should read the bugtraq discussion thread linked in the 'More Mac OS X web server security issues' article for some important information about further securing those servers.
IRC 'worm' attacks Steve Gibson's site
Steve Gibson's web site has again been made the target of a malware-originated attack. Known as 'Gribble', a Visual Basic script embedded in a web page takes advantage of the Java exception vulnerability in old and unpatched copies of Internet Explorer to write script files to victims' machines. These scripts, in turn, use the Windows ping program to fire massive numbers of huge ping packets at Gibson's web server and to flood the server with requests for its web pages. To work fully, Gribble requires the victim to have the popular Windows IRC client, mIRC, installed; when the victim is on IRC, it attempts to entice others joining the same channel to visit the web pages that were distributing the script-carrying page.
The web sites carrying the malicious scripts have all been closed, so there will not be any new victims. However, any victims who visited any of those sites before they were closed will continue to bombard Gibson's site in a partial denial of service attack. As the newsletter was posted, no antivirus developers had yet posted descriptions of Gribble, but expect a few to appear at the usual places in the next few hours.
Trick to avoid e-mail viruses may be more hoax than help
Virus myth-buster Rob Rosenberger has described the recent widespread distribution of advice to 'prevent' e-mail-borne malware from using one's Outlook or Outlook Express address list as 'poor advice from a non-expert'. The exact advice varies slightly, depending on which of several variations of the original message is received, but the basic idea is to create a contact that sorts to the top of the address list and which contains no e-mail address. Outlook and Outlook Express raise a warning to the user when an attempt is made to address a message to a contact without an e-mail address.
The compiler of this newsletter mentioned this general tactic in a Usenet newsgroup many months ago, but did not claim it would protect users. Some further investigation seems called for and we will hopefully be able to report the results next week. In the meantime, check what Rosenberger has to say about the issue...
Update fixes serious Exchange 5.5 information leak
Microsoft has released a patch that fixes a serious e-mail address leak on Exchange 5.5 servers running Outlook Web Access (OWA). The function in OWA that allows interrogating the global address list (GAL) does not properly require user authentication for the actual lookup. Thus, an unauthenticated user who knows the format of the GAL search URL could send such a URL directly to the server, bypassing the login sequence (which does require proper authentication) in the OWA web interface.
This flaw could allow rapid and extensive 'address mining' of OWA sites running on Exchange 5.5 servers exposed to the Internet. Spammers and others interested in compiling large lists of e-mail addresses could take advantage of vulnerable servers to add addresses to their lists.
This vulnerability does not affect Exchange 2000 servers running OWA.
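The OWA flaw described above is an instance of a general pattern: authentication is enforced by the login flow, but a handler that returns protected data can be reached by URL directly and never checks for a session itself. The following is an added illustration, not code from Microsoft or from this newsletter; the address list, session tokens and URL paths are constructed stand-ins. The vulnerable dispatcher serves the lookup to anyone who knows the search URL; the hardened one makes the lookup handler verify the session before answering.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for a global address list (GAL).
ADDRESS_LIST = {
    "Alice Example": "alice@example.com",
    "Alan Sample": "alan@example.com",
    "Bob Example": "bob@example.com",
}

# Constructed session store: tokens the login handler would issue after a
# successful password check.
VALID_SESSIONS = {"sess-1234"}


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    session: Optional[str] = None  # session cookie value, if the client sent one


def search_gal(prefix: str) -> Dict[str, str]:
    """Return entries whose display name starts with prefix (case-insensitive)."""
    prefix = prefix.lower()
    return {name: addr for name, addr in ADDRESS_LIST.items()
            if name.lower().startswith(prefix)}


def vulnerable_dispatch(req: Request) -> Tuple[int, object]:
    """Authentication happens only on the login page; the lookup handler assumes
    every client came through it, so a direct request to the search URL is served."""
    if req.path == "/login":
        return (200, "login form")  # the only place credentials are checked
    if req.path == "/gal/search":
        return (200, search_gal(req.params.get("q", "")))  # no session check
    return (404, None)


def hardened_dispatch(req: Request) -> Tuple[int, object]:
    """Every handler that returns protected data verifies the session itself,
    so reaching the URL directly without logging in yields nothing."""
    if req.path == "/login":
        return (200, "login form")
    if req.path == "/gal/search":
        if req.session not in VALID_SESSIONS:
            return (401, None)  # no valid session: refuse the lookup outright
        return (200, search_gal(req.params.get("q", "")))
    return (404, None)


if __name__ == "__main__":
    direct = Request("/gal/search", {"q": "al"})  # bypasses /login entirely
    print("vulnerable:", vulnerable_dispatch(direct))
    print("hardened:  ", hardened_dispatch(direct))
    print("hardened, logged in:",
          hardened_dispatch(Request("/gal/search", {"q": "al"}, session="sess-1234")))
```

The point for reviewers of any web front-end is that the check belongs in each data-returning handler (or in a middleware every handler passes through), not only in the page that the intended navigation path happens to start from.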
Denial of service against NT 4.0 RPC patched
Flaws in NT 4.0's handling of certain invalid Remote Procedure Call (RPC) requests expose the platform to potential denial of service attacks through failure of the entire RPC service. Specifically, the RPC endpoint mapper fails when processing queries containing a particular form of malformed data. Should this happen, the machine requires a reboot to restore normal service.
Typical firewall configurations prevent port 135 -- the RPC endpoint mapper's port -- from being exposed to the Internet, so normally this vulnerability should only be exposed on the local network. Neither Windows 2000 nor XP is affected by this vulnerability, and a patch for NT 4.0 has been released.
Serious flaw in RSA BSAFE SSL-J may open holes in several products
RSA's BSAFE SSL-J v3.0, v3.0.1 and v3.1 have a bug in their SSL session caching feature. This may allow unauthorized clients to impersonate authorized clients, and thereby gain access to data they are not authorized to see.
Cisco has acknowledged that its Internet Content Distribution Network (iCDN) v2.0 product is affected and has released an updated version that fixes the problem. iCDN is the only Cisco product claimed to be affected by this RSA bug.
More Mac OS X web server security issues
A few months back we reported a case-sensitivity issue for Apache web server file permissions when serving web content from HFS+ file systems. Jacques Distler has reported another security issue for Mac OS X web server administrators to be aware of. In short, various non-server processes on the Mac create hidden files in folders when performing various tasks, and these can be the source of extensive information leaks about material in those folders that is otherwise hidden from the web browser. An interesting discussion raising several other related security issues with Mac OS X web servers ensued. Mac OS X web server administrators are advised to read the whole bugtraq thread on this.
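A quick way for an administrator to see whether such hidden files are sitting in a served tree is to walk the document root and list every dotfile or dot-directory, then make the front-end refuse request paths that name one. The script below is an added example, not from the bugtraq thread or from Apple; it builds a small constructed document root (the `.DS_Store` file is used as an assumed example of the kind of file a Finder-like process leaves behind) and reports what a default file-serving configuration would otherwise hand out.

```python
import os
import tempfile
from pathlib import Path
from typing import List


def is_hidden_path(rel_path: str) -> bool:
    """True if any component of a request path names a dotfile or dot-directory.
    A file handler can use this to refuse such requests before touching disk."""
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p]
    return any(p.startswith(".") for p in parts)


def find_hidden_entries(docroot: str) -> List[str]:
    """Walk docroot and return the relative paths of every hidden file or
    directory, i.e. everything a plain directory listing would not show but a
    web server with no dotfile rule would still serve on request."""
    hidden = []
    for root, dirs, files in os.walk(docroot):
        for name in dirs + files:
            if name.startswith("."):
                hidden.append(os.path.relpath(os.path.join(root, name), docroot))
    return sorted(hidden)


def build_sample_docroot() -> str:
    """Create a constructed document root in a temp directory and return its path."""
    d = tempfile.mkdtemp(prefix="docroot-")
    Path(d, "index.html").write_text("<html>public</html>")
    Path(d, "reports").mkdir()
    Path(d, "reports", "q3.pdf").write_bytes(b"%PDF-1.4 constructed")
    # Assumed example of desktop-tool metadata left beside served content.
    Path(d, "reports", ".DS_Store").write_bytes(b"constructed folder metadata")
    Path(d, ".private").mkdir()
    Path(d, ".private", "notes.txt").write_text("draft not meant for the web")
    return d


if __name__ == "__main__":
    root = build_sample_docroot()
    for entry in find_hidden_entries(root):
        print("hidden entry that would be served:", entry)
    for req in ("reports/q3.pdf", "reports/.DS_Store", ".private/notes.txt"):
        print(req, "->", "refuse" if is_hidden_path(req) else "serve")
```

Note that the walk reports `.private` once and stops there for reporting purposes, but a request for `.private/notes.txt` is still refused by `is_hidden_path`, because the check looks at every path component rather than only the final file name.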
CodeBlue more hype than threat?
Despite some fairly dire-sounding claims for its likely effectiveness, a new IIS worm seems to have all but fizzled out. Announced just after last week's newsletter was posted, CodeBlue has been touted by some to have the potential to spread faster than CodeRed and do more damage. Despite the hyperbole, a week later there have been very few confirmed sightings of CodeBlue 'in the wild', although it is reported as having compromised 300,000+ servers in China alone.
Its failure to spread, or at least its failure to spread out from China, if those reports of 300,000+ infested machines are to be believed, is likely due in part to the fact that CodeBlue spreads via a different security vulnerability in IIS than CodeRed. That vulnerability has been extensively used in the past by several other worms and to perpetrate thousands upon thousands of web site defacements. Such heavy prior exploitation means that more servers are likely to have been patched against that vulnerability prior to CodeBlue's release. Further, detailed technical analysis of the worm suggests some design flaws that are also likely to slow its spread.
On balance, any competent IIS administrator (the only kind reading this, right? 8-) ) will long since have patched against the vulnerabilities CodeBlue depends on. Thus, CodeBlue should be of no concern to readers of this newsletter.
'Mafiaboy' jailed for eight months
The Canadian teenager, self-styled as 'Mafiaboy', who claimed responsibility for last year's massive distributed denial of service attacks against some of the web's largest sites -- eBay, Yahoo and CNN among others -- was sentenced to eight months in prison earlier this week. He will spend the time in a youth detention centre and be allowed occasional home visits.