No staggering IIS security hole this week -- what's wrong with the world?
In fact, it is rather encouraging to see that the courts may be starting to take a tougher -- and more 'deserving' -- line with cyber-criminals. Instead of treating DDoS attacks and 'revenge hacks' as 'nuisances' or 'pranks', these events may be starting to get the judicial recognition their seriousness deserves. This is not to say that the system designers and implementors should not keep working at making the systems more resilient, but just because it is easy to attack the Internet's infrastructure does not make doing so acceptable.
Win32/Leave worm overhyped?
The FBI released another apparently over-anxious advisory warning of yet another cyber-plague it thought was threatening society as we know it. It seems that, like several earlier 'the sky is falling' virus and Trojan alerts from the FBI, they may have got this one wrong too.
Win32/Leave (or 'Leaves' -- there is disagreement over whether the name should be singular or plural) searches for machines already compromised with a common version of the SubSeven remote access Trojan, sends itself to such machines via SubSeven's file transfer function and commands the receiving copy of SubSeven to run the worm's executable. As well as spreading thus, Leave has distributed denial of service agent (or 'bot) functionality, such that it reports its whereabouts and availability via IRC and can be remotely commanded, also via IRC, to attack other sites.
Multiple advisories against Trend InterScan Virus Wall products
In slightly less than a month, the Computer Security Laboratory (CSL) at LAC has released eight advisories covering various flaws in Trend's popular InterScan Virus Wall products. Users of any Trend InterScan products are advised to check the CSL's SecureNet Service (SNS) advisory page for links to these (and other) advisories, which include details of the bugs and availability of patches/updates.
Following on the heels of 'viral marketing', we appear to be entering the age of viral art, at least if some of the people quoted in the Wired article linked below are to be believed. Of course, a healthy dose of cynicism should tell us claims that randomly cruising the streets shooting people was 'art' because it reflects trends reported in contemporary news media or was otherwise a 'reflection of life' would be laughed into oblivion (or the nut house). The compiler of the newsletter wonders why this has not been the universal reaction to this latest publicity stunt?
Yet another Microsoft Word macro security flaw
All versions of Word, starting from Word for Windows 97 and Word for Macintosh 98 and all later versions to date for either platform, have a serious, though obscure, macro security bug. Regardless of the setting of the 'macro virus protection' or 'macro security' options in the respective products, a specially modified Word document file that contains macros can be loaded and the macros enabled (or run if they are auto macros or event handlers) without any user warnings being displayed or the macros disabled because they are not appropriately signed.
To exploit this bug, specific details of internal structures of the Word document file format, which have not been publicly released, need to be known. This is a particularly insidious bug, because a user who expects to be 'protected' by judicious use of the built-in macro protection options in those versions of Word may receive no warning of the presence of macros when opening a document that does, in fact, contain macros. This undermines the value and trust the user can have in the so-called 'macro virus protection' options that have been present in Word (and later versions of Excel and other Office suite and related Microsoft products) since the 'c' release of Word 95. Because Word's macro security options are trivially disabled by a Word macro, the presence of such holes in the 'protection' offered by those settings shows that the presence of those settings may have lulled users into a false sense of security.
As Word 95c (sometimes referred to as Word 7c), Word for Macintosh 5.x and earlier versions on both platforms, are no longer supported by Microsoft, they have not been tested for this hole. It is a fair bet they suffer similar vulnerabilities (though few of those versions had any macro security options, so the point is largely moot).
Users who have already applied the patches mentioned in MS01-028 for the RTF remote template macro vulnerability, mentioned in this newsletter about six weeks back, need not update their versions of Word between 97 and 2001 (inclusive). Those were the only versions of Word covered by that patch, which also removes this new vulnerability. MS01-028 specifically excepted Word 2002 (the version in the recently released Office XP) but unlike MS01-028, this problem applies to Word 2002 as well as to the earlier versions.
Update for FrontPage server extension
Microsoft has released a patch for a buffer overflow that can allow remote execution of arbitrary code. The overflow is in the optional Visual Studio RAD (Remote Application Deployment) Support sub-component of FrontPage Server Extensions. This component is primarily intended for easing testing and development work, and attempts to install it raise a warning that it should not be installed on production servers.
This should not affect many production servers, but you are recommended to check your IIS servers with FrontPage Server Extensions installed, to ensure this sub-component is not installed. The gory details and patch download location are available from the security bulletin below.
Updated patch for NetMeeting desktop sharing vulnerability
Microsoft has revised the security bulletin for this patch from last year, to cover a newly discovered variant of the vulnerability the original patch does not correct. The updated bulletin should be checked and the new patch downloaded and applied if you have NetMeeting installed on NT or Windows 2000 machines.
Patches for two Oracle 8i bugs
The COVERT Labs security researchers at NAI have released advisories on two flaws they have discovered in relation to the Oracle 8i TNS (Transparent Network Substrate) implementation. The TNS Listener has an exploitable buffer overflow and the implementation of TNS over the Net8 (SQLNet) protocol improperly handles some malformed connection requests.
Exploiting the first of these vulnerabilities can allow execution of arbitrary code under a security context with full control of Oracle database services and potentially full control of the host operating system. The second vulnerability allows remote denial of service attacks against any Oracle services dependent on the Net8 protocol. Oracle 8i Standard and Enterprise Editions Version 8.1.7 and all earlier versions for all operating system platforms are vulnerable.
Oracle has produced patches for these vulnerabilities under bug numbers 1489683 and 1656431. These patches are available from Metalink.
- COVERT Labs security advisories
'Mafiaboy' should go to jail says social worker
The court-appointed social worker on the case of 'Mafiaboy' -- the Canadian teenager who pleaded guilty to 58 charges of computer-related crime associated with the high-profile February 2000 denial of service attacks against Amazon, CNN, eBay and others -- recommended the teenager be sentenced to at least five months in prison.
The social worker disputed claims made in Mafiaboy's defence that he was just trying to help the affected companies by showing how vulnerable they were. More revelations about the state of Mafiaboy's thinking, as revealed in the hearing, are available at the link below.
Man jailed for 'revenge' system cracking
The Boston Globe has reported that a US man, who broke into his former employer's systems from his home computer and deleted files, sent fake e-mail messages to customers and altered accounting information, was sentenced to two years in US federal prison (without possibility of early release) and ordered to pay more than US$13,000 in restitution. More details in the linked news story.