Windows SMTP server bug and new Win32/Leave variant

New Win32/Leave variant distributed via bogus security bulletin; Update for Windows 2000 SMTP service; Hole in Check Point firewall; Top spooks' Windows 2000 security guides available; Welsh hacker sentenced

It has been yet another quiet week -- being the height of northern hemisphere 'summer holiday season' may partly account for this... Anyway, there is little of note to report. In fact, rather than trying to highlight something from the meagre pickings, I'd suggest you read the whole newsletter (as if you don't normally anyway!).

Virus News

New Win32/Leave variant distributed via bogus security bulletin

Two weeks ago we reported on the hype over the Win32/Leave worm, which spreads to new machines by finding hosts already compromised by SubSeven. A new variant has recently been placed on the web and its download location referenced via an obfuscated URL in a bogus Microsoft security bulletin. The faked security bulletin appears to have been created by altering the MS01-037 bulletin (referenced in the first item in the Security section of this newsletter issue). The Microsoft security bulletins are electronically signed, so this is a timely reminder to check such signatures on those bulletins.

Security News

Update for Windows 2000 SMTP service

An error in the authentication mechanism used by the Windows 2000 SMTP server can allow users who should not be authorized to use the service to successfully send e-mail via it. The primary use of this flaw is likely to be mail relaying, as commonly used by spammers. Because of the nature of the flaw, it is only a problem for standalone Windows 2000 servers and workstations -- machines that are domain members are not affected by the authentication error.

The SMTP service is installed and enabled by default on server versions of Windows 2000, and can be enabled on Windows 2000 Professional (workstation). A patch is available from Microsoft, linked from the security bulletin.

- Microsoft security bulletin

Hole in Check Point firewall

Default management rules for Check Point's VPN-1 and Firewall-1 products allow arbitrary RDP connections through the firewall. This could allow traffic to pass across the firewall on UDP port 259 in violation of implied rules and may allow unexpected tunnelling of data into or out of the network.

The CERT Coordination Center has released an advisory covering this vulnerability and Check Point has released an alert, which includes links to patched versions of its firewall software.

- CERT/CC advisory

- Check Point technical alert

Top spooks' Windows 2000 security guides available

The normally ultra-secret NSA has released its Windows 2000 security configuration guidelines for public download. Although these were initially made available several weeks ago, they seemed to 'disappear' (some would say not entirely surprising given the reputation of the top US spy agency...). It appears a higher bandwidth distribution point was being arranged, suggesting that the guides have been popular.

- NSA Windows 2000 security guides

Welsh hacker sentenced

In recent issues of this newsletter, we have reported that the courts seem to be catching up with the severity of hacking and virus-related crimes. Further evidence of this is seen in the sentence handed down to the Welsh hacker who broke into numerous web sites, stole the details of over 20,000 credit cards and sent Bill Gates a large shipment of Viagra, paid for with Gates' credit card.

- News article
