It has been a very quiet week, with almost nothing of any consequence worth reporting. In fact, this issue would be even slimmer had the sendmail update not slipped through the cracks, missing inclusion in last week's newsletter...
sendmail is almost certainly the most used SMTP server, probably in terms of both number of installations and volume of e-mail processed, and historically was the source of much security concern. It rose to prominence for its security issues because of the 'Morris worm' -- the first Internet worm that, directly or indirectly, took out a sizable chunk of the net in November 1988. This current problem is not so threatening, as it is not remotely exploitable, requiring an interactive (local) logon to exploit, but as always, such vulnerabilities are better patched sooner rather than later, as several small flaws can be built into bigger and more damaging things.
On the e-mail client side of things, Microsoft has released an update to the Outlook 2000 E-Mail Security Update. Sites using Outlook 2000 should consider installing the security update, and those already running the earlier version of it should install the new version. Microsoft also released something it is calling the IIS Lockdown Tool but I'm seeing conflicting commentary about its usefulness, so have not included an entry on it this week -- I hope to have a better perspective of it to include discussion in next week's newsletter.
There have been no developments of interest on the virus front this week, so the only item I've included in the Virus News section is an editorial from arch-cynic George Smith.
Of Trojans, and other (info-)warriors...
As noted in the Introduction, there has been nothing of significance in the virus scene worthy of reporting this week. Pressed for something to include, the newsletter compiler has chosen an item from one of his personal favourite critical observers of the security scene, George Smith of Crypt Newsletter, and now Vmyths, fame.
Smith's piece is (arguably) on-topic for this section, as it starts with his dissection of a silly 'news' item about a Trojan horse program from late last week. However, it also broaches issues of particular interest to Smith -- the US defense establishment's bizarre double-speak and strange views about 'information warfare'. If you have not read Smith's editorializings before, this is an excellent introduction to his style and worldview. You may not like his approach or view, but the Vmyths site is one your newsletter compiler keeps a close watch on...
sendmail update for various Unix-ish OSes
Sendmail Inc. recommends that all sendmail administrators update their installations to the latest version of sendmail, following the discovery of a locally exploitable arbitrary code execution bug in what is probably the world's most-used SMTP server. As sendmail runs with elevated privileges, commonly as root, this is a serious vulnerability. Several exploits of the vulnerability have already been publicly posted, so it is reasonable to assume that malicious or nefarious users may be tempted to try their hand with this exploit.
All versions of sendmail from 8.10.0 through 8.11.5 inclusive, and all 8.12.0beta releases previous to beta19 are vulnerable. As well as the source distributions from sendmail.org, many Unix and Linux vendors have already built updated sendmail packages, so check with your vendors for availability.
- Latest sendmail releases (FTP)
Update for Outlook 2000 security update
Microsoft's Outlook 2000 E-Mail Security Update, released in the aftermath of VBS/LoveLetter, et al., has been updated. The security update, whose features have been incorporated into the default installation of Outlook 2002 in Office XP, prevents users from accessing certain kinds of file attachments, prevents running some other types of attachment directly from Outlook and strengthens various security options in Outlook 2000 from their installation defaults.
This update to the security update strengthens the attachment-blocking feature by having it check attachment types not just by standard filename extension ('.exe', '.vbs', '.pif', '.scr', etc) but also by checking for CLSID-style extensions. We reported on the threat of CLSID-style extensions back in the 20 April newsletter. Since then a couple of viruses using CLSID-style extensions have been found but they were not widespread.
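The check described above, sketched as a mail-gateway attachment screen; this is an added example, not Microsoft's code and not part of the original newsletter. It shows why an extension-only test misses a CLSID-style name and how a second pattern catches it. The function names, the sample message and the all-zero CLSID are constructed for illustration, and the block list holds only the four extensions named in the text.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Extensions quoted in the newsletter; a production block list is longer.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".pif", ".scr"}

# CLSID-style extension: the name ends in ".{8-4-4-4-12 hex digits}".
CLSID_EXT = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

def extension_only(filename):
    """The older check: compare only the text after the last dot."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in BLOCKED_EXTENSIONS

def classify_attachment(filename):
    """Return 'clsid', 'extension' or None for one attachment name."""
    name = filename.strip()
    if CLSID_EXT.search(name):
        return "clsid"
    return "extension" if extension_only(name) else None

def screen_message(raw):
    """Map each attachment name that should be blocked to the reason."""
    hits = {}
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        reason = classify_attachment(filename) if filename else None
        if reason:
            hits[filename] = reason
    return hits

# Constructed attachment names; the all-zero CLSID is a placeholder.
SAMPLE_NAMES = ["notes.txt", "invoice.PIF",
                "readme.txt.{00000000-0000-0000-0000-000000000000}"]

def build_sample():
    """Build a constructed multipart message carrying SAMPLE_NAMES."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for name in SAMPLE_NAMES:
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    print(screen_message(build_sample()))
```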
As Office XP is now out, Outlook 98 is outside Microsoft's 'current and previous version' support window and thus the Outlook 98 security update has not also been updated with similar enhancements.