Three Microsoft security bulletins are covered this week, all covering server vulnerabilities, some serious. We also have news of the fix for an urgent, though unspecified, Novell GroupWise vulnerability and more news of hackers and virus writers being arrested or sentenced. However, perhaps the largest security news for the week, at least for Microsoft shops, is the release of two security checking tools for Microsoft OSes and critical server applications. The virus arena has been quite quiet, with a low level of activity from several e-mail worms, but little else. Perhaps users are being more cautious about opening unheralded attachments, even when they come from people they know or offer particularly 'desirable' incentives? (Or maybe it's still the northern hemisphere's summer vacation season?)
Several e-mail worms fail to spark
It hardly seems worth providing URLs for these beasties, because they really have failed to spark, but we've included one description of each anyway. In the last few days we have seen several minor incidents with self-mailing worms. Win32/Modnar (aka Win32.DocPif) simply mails itself under a random name (but always with the 'double extension' of '.doc.pif') to all addresses in your Windows Address Book. VBS/European is a simple Visual Basic Script that attempts to mail itself to every address accessible to Microsoft Outlook. You'd have thought the world at large would be suitably wary of VBS file attachments in e-mail these days -- perhaps it is, as this thing has made little impact either.
VBS/Loding adds an interesting (at least from a technical perspective) twist, by depending on code on a web page and an Internet Explorer security vulnerability, to do its work. Such schemes are inherently weak though, as they have a single point of failure for all replication and the web page Loding depends on was closed soon after the virus' discovery. While not an e-mail worm, Win32/Annoying (aka, Win32/Choke.B, JerryMsg, Newpic and probably others...) spreads via MSN Messenger. This one may yet become the most successful of the bunch, based on the previous MSN Messenger worms, but should not pose much of a threat to business or corporate sites.
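The 'double extension' trick described above (a random name that always ends in '.doc.pif') and the VBS attachments used by VBS/European are both easy to catch at a mail gateway before a user ever sees them, because the decision depends only on the attachment filename. The following is an added example, not code from the newsletter or from any antivirus vendor: it parses a constructed RFC 822 message with Python's standard `email` package and flags attachments whose final extension Windows would execute, distinguishing a bare executable from one disguised with a document-like inner extension. The extension sets are illustrative assumptions, not a complete list.

```python
"""Gateway-style attachment check for executable and 'double extension' filenames.

Added example for illustration only. The SAMPLE_MESSAGE below is constructed, and the
extension sets are an illustrative subset, not a complete catalogue.
"""
import email
from email import policy

# File types Windows will run when double-clicked (incomplete, illustrative set).
EXECUTABLE_EXTENSIONS = {"pif", "scr", "exe", "com", "bat", "cmd",
                         "vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Harmless-looking inner extensions that worms pair with one of the above so the name
# reads as a document when Explorer hides the 'known' final extension.
DECOY_EXTENSIONS = {"doc", "xls", "txt", "jpg", "gif", "htm", "html", "pdf", "zip"}


def classify_filename(name):
    """Return 'double-extension', 'executable', or None for an attachment filename."""
    parts = name.lower().rsplit(".", 2)      # at most the last two extensions matter
    if len(parts) < 2:
        return None                          # no extension at all
    if parts[-1] not in EXECUTABLE_EXTENSIONS:
        return None                          # final extension is not something Windows runs
    if len(parts) == 3 and parts[1] in DECOY_EXTENSIONS:
        return "double-extension"            # e.g. report.doc.pif
    return "executable"                      # e.g. setup.exe or invite.vbs


def scan_message(raw):
    """Walk every MIME part of a raw message and return (filename, verdict) pairs for suspects."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                         # container, not an attachment
        name = part.get_filename()           # from Content-Disposition or Content-Type
        if not name:
            continue                         # inline body text, nothing to classify
        verdict = classify_filename(name)
        if verdict:
            findings.append((name, verdict))
    return findings


# Constructed sample: one body part, one disguised executable, one plain text file,
# one bare script attachment. The base64 payload is a meaningless placeholder.
SAMPLE_MESSAGE = """\
From: friend@example.com
To: you@example.com
Subject: check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

hi
--XYZ
Content-Type: application/octet-stream; name="report.doc.pif"
Content-Disposition: attachment; filename="report.doc.pif"
Content-Transfer-Encoding: base64

TVo=
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain notes
--XYZ
Content-Type: text/vbscript; name="invite.vbs"
Content-Disposition: attachment; filename="invite.vbs"

' script body omitted
--XYZ--
"""

if __name__ == "__main__":
    for filename, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:17s} {filename}")
```

The check deliberately looks only at the last two extensions, so a name such as 'report.doc.pif' is reported as a disguise while 'notes.txt' passes; a gateway would normally quarantine anything reported rather than trying to guess whether the sender meant it.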
Win32/Leave writer arrested in the UK
The FBI and Scotland Yard worked jointly on tracking and arresting a 24-year-old man who is alleged to have written the Win32/Leave worm. The worm, reported in several earlier newsletters, spreads by attacking machines already compromised by a version of the widespread SubSeven remote access Trojan (RAT). Although largely ignored by the antivirus community and generally reported as of little or no significance by antivirus researchers, Win32/Leave may be much more prevalent than reported. This is because Win32/Leave will only successfully infect machines that are already running a RAT, which any modestly up-to-date virus scanner will detect. This means that victims of Leave will generally be people not running antivirus software, so antivirus vendors are unlikely to be aware of its true distribution.
Man arrested in Britain in hacking case - CNN.com
FBI, Scotland Yard Arrest Hacker - Yahoo.com
Patch for NT and Windows 2000 NNTP service
The NNTP service, which ships as an optional component of the NT 4.0 Option Pack and as an optional service with Windows 2000 Server, has a memory leak when processing certain kinds of malformed NNTP messages. Repeated processing of such malformed messages by the service could see it deplete system memory resources sufficiently to degrade machine performance or possibly even to halt the server.
Patches are available that rectify the memory leak and should be seriously considered by administrators running affected servers that accept NNTP postings from the Internet. Aside from the systems described above, Exchange 2000 servers that have had the NNTP service enabled are also vulnerable, as Exchange 2000 does not have its own NNTP server and simply installs and enables the vulnerable Windows 2000 NNTP service. Exchange 5.5 does have its own, independent NNTP server code and is not affected by this vulnerability.
Important IIS patches
Two weeks ago we reported on the 'security rollup package' (SRP) for NT 4.0 that was released instead of a service pack (SP). The justification seemed to be something along the lines that an SP was not warranted at this time (meaning Windows XP is close enough to release that Microsoft did not want the headaches that come with doing a full SP release of an OS that is probably about to be 'retired' from official support). However, there were a number of important post-SP6a security hotfixes and installing them all on freshly (re-)built machines was a real pain. Thus, the SRP was born to provide a convenient way to ensure all necessary security fixes were in place.
Now Microsoft has done a similar thing for IIS 4.0 and 5.0. Called simply a 'cumulative patch', this latest update includes all security hotfixes for IIS 4.0 released since NT 4.0 SP5 and all security hotfixes for IIS 5.0. The IIS 4.0 version of the patch will install on NT 4.0 machines running SP5 or SP6a and the IIS 5.0 version on Windows 2000 with either SP1 or SP2 installed.
However, Microsoft has also released five new IIS patches and is only making them available in the cumulative patch. The details of these additional patches can be read in the Microsoft security bulletin, linked below, but it seems that all IIS 4.0 and/or 5.0 administrators will need at least one of these patches, so the cumulative patch should be considered a 'must have' and installed at the earliest convenience for sites connected to public networks.
Please note two things about the cumulative patch. Although it includes all recent security hotfixes, some security issues with IIS are not addressed via hotfixes and require administrative configuration changes. Such issues are not dealt with by the cumulative (or any other!) patch. Closely related to this is the fact that several security vulnerabilities that may be exposed through IIS are also not included in this latest patch. The only exception to this is the patch addressed in MS01-033 -- the index service issue the CodeRed worm exploited. All other such issues should still be checked and patched as necessary.
Finally, if you read nothing else from the Microsoft security bulletin linked below, please read the 'Caveats' section near the very bottom of the page (you will have to expand the 'Additional information about this patch' section to see it). There are critically important issues you must consider about applying this patch to ensure that all the components you need updated do get updated and they are only discussed in that section of the bulletin.
Update fixes three ISA Server 2000 vulnerabilities
Two denial of service vulnerabilities and a cross-site scripting flaw in various components of Internet Security and Acceleration (ISA) Server 2000 are patched by the latest Microsoft security update. The relevant security bulletin arrived literally minutes before this newsletter was due for submission, so we will leave it as an exercise to readers to check the gory details of which ISA server components are vulnerable.
Two Microsoft security checking tools released
Shavlik Technologies has developed two tools for checking security settings on Windows machines. Aside from the 'bells and whistles' commercial versions of these products, Shavlik has released slightly simplified versions of these tools to Microsoft for public release and distribution. The Microsoft versions of these tools check for appropriate service packs and post-service pack hotfixes for the OS (NT 4.0 and Windows 2000) and all system services (including IIS), and for some 'critical' installed applications such as SQL 7.0 and 2000 and IE 5.01 and later. The Shavlik web site suggests the commercial version also checks for service packs and hotfixes to Microsoft Office and Outlook. Aside from these differences, the Shavlik versions of the tools have fancier reporting options and both tools are enterprise oriented, whereas the Microsoft version of the 'security advisor' tool will only report on the machine it runs on. A good feel for the differences between the publicly available, Microsoft-released tools and the commercial versions from Shavlik is available by comparing the product descriptions at the Shavlik and Microsoft web sites linked below.
Focussing on the publicly distributed versions of these tools now, the first is the Microsoft Personal Security Advisor (MPSA). MPSA is an ActiveX control that runs from a Microsoft web page and runs on NT 4.0 and Windows 2000 machines only, with Internet Explorer 5.0 or higher. It obviously requires that you allow IE to accept signed ActiveX controls, suggesting to your newsletter compiler that Microsoft still does not understand the inherent security weaknesses in ActiveX. Perhaps Microsoft has forgotten about its past problems with certificate authorities issuing Microsoft signing certificates to non-Microsoft staff, the security breaches of Microsoft's internal LAN and the fact that Microsoft cannot keep its own web servers patched against 'old' vulnerabilities, such as saw some of its web server farm infested with Code Red (and was responsible for several earlier defacements of Microsoft web sites). Oh well...
The second tool is more likely of use to readers of this newsletter. The MPSA is a single-machine tool, meaning it's fine if you have a small number of machines to administer and can conveniently get to each of them and visit the MPSA web page. Administrators of larger networks, where such 'spoon feeding' of individual machines is impractical, or worse, should be interested in HFNetChk -- a command-line tool that can scan anything from a specific machine, to a workgroup or domain, to all the machines within your LAN, or just selected machines. To do this you must have remote administration enabled on the target machines, but the tool can also be run from a login script or via other scheduled maintenance activities.
If you are interested in using HFNetChk, there are two important KnowledgeBase articles you should read. The first is linked from the main HFNetChk page (itself linked below) and apart from including directions for using HFNetChk, it also links to the second article you should read -- a frequently asked questions document about HFNetChk.
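What a hotfix checker of this kind actually does is compare what a host reports as installed against a catalogue of required service packs and hotfixes, while understanding that a cumulative patch (such as the IIS one described earlier) satisfies every hotfix it rolls up. The following is an added example that models that logic in Python; it is not HFNetChk's own code and says nothing about how HFNetChk gathers data or stores its catalogue. The catalogue, the fix identifiers (placeholders, not Microsoft's Q-article numbers) and the host descriptions are all constructed for the illustration.

```python
"""Model of a hotfix audit with service-pack baselines and cumulative-patch supersession.

Added example for illustration only. Fix ids such as "FIX-A" are placeholders, not
Microsoft Q-article numbers, and the catalogue and hosts below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fix:
    fix_id: str                 # hotfix identifier (placeholder)
    product: str                # product the fix applies to, e.g. "NT4" or "IIS4"
    min_sp: int                 # service pack level the fix requires before it will install
    supersedes: frozenset = field(default_factory=frozenset)  # earlier fixes rolled into this one


def covered_by(installed_ids, catalogue):
    """Fix ids satisfied by what is installed, following 'supersedes' links transitively,
    so installing one cumulative patch also satisfies every fix it rolls up."""
    by_id = {f.fix_id: f for f in catalogue}
    covered, stack = set(), [i for i in installed_ids if i in by_id]
    while stack:
        fid = stack.pop()
        if fid not in covered:
            covered.add(fid)
            stack.extend(by_id[fid].supersedes)
    return covered


def audit(host, catalogue):
    """Return (missing_fix_ids, service_pack_gaps) for one host description.

    A fix is reported missing only if its product is present and the host already
    meets the fix's service pack level; a host below that level gets a service-pack
    gap instead, because the hotfix would not install until the SP is applied."""
    covered = covered_by(host["hotfixes"], catalogue)
    missing, sp_gaps = [], {}
    for f in catalogue:
        if f.product not in host["products"]:
            continue                                  # product not installed here
        if host["sp"][f.product] < f.min_sp:
            sp_gaps[f.product] = max(sp_gaps.get(f.product, 0), f.min_sp)
        elif f.fix_id not in covered:
            missing.append(f.fix_id)
    return sorted(missing), sorted(sp_gaps.items())


# Constructed catalogue: two IIS 4.0 hotfixes rolled into one cumulative patch,
# one NT 4.0 fix that needs SP6, and one IIS 5.0 fix that should never apply to NT4.
CATALOGUE = [
    Fix("FIX-A", "IIS4", 5),
    Fix("FIX-B", "IIS4", 5),
    Fix("IIS4-CUMULATIVE", "IIS4", 5, frozenset({"FIX-A", "FIX-B"})),
    Fix("FIX-C", "NT4", 6),
    Fix("FIX-D", "IIS5", 1),
]

# Constructed hosts: what an inventory step would have collected from each machine.
WEB01 = {"name": "web01", "products": {"NT4", "IIS4"},
         "sp": {"NT4": 6, "IIS4": 6}, "hotfixes": {"FIX-A"}}
WEB02 = {"name": "web02", "products": {"NT4", "IIS4"},
         "sp": {"NT4": 5, "IIS4": 5}, "hotfixes": set()}

if __name__ == "__main__":
    for host in (WEB01, WEB02):
        missing, gaps = audit(host, CATALOGUE)
        print(host["name"], "missing:", missing, "service pack gaps:", gaps)
```

Two things the model makes visible: installing only 'FIX-A' on web01 still leaves the cumulative patch reported, because the catalogue says the cumulative is itself required, whereas installing the cumulative alone clears both individual fixes; and web02, still at SP5, is told to apply SP6 rather than being told about an NT 4.0 hotfix it cannot install yet.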
Urgent fix for Novell GroupWise users
Novell is advising all users of GroupWise 5.5 Enhancement Pack (EP) and GroupWise 6.0 to install an important security fix as soon as possible. Novell has not released any details about the nature of the vulnerability the so-called 'Padlock Fix' patches. GroupWise 4.x, 5.0, 5.2 and 5.5 users are said to not be affected by this problem and there is no patch for such users. GroupWise 5.5 EP administrators may alternatively choose to upgrade their whole installation by installing the SP3a service pack, which also includes the Padlock Fix. Once your GroupWise servers have been patched there is a client patch that optimizes client/server performance and should be installed on your GroupWise clients.
Web site defacer sentenced
Further in the trend of seeing more 'realistic' sentences for 'e-crime', a disgruntled former employee who defaced his former employer's web site has been sentenced to six months prison and been ordered to pay US$38,000 in restitution.