It has been another comparatively quiet week on the security scene. Several IIS web sites were defaced earlier in the week; the thing they had in common (apart from an inadequately patched IIS installation) was the word 'secure' or 'security' in the site name. Some had nothing to do with computer security, but some did. Whoops...
To be fair to these sites, it is not yet known with any certainty which of the numerous IIS security holes were used to compromise them. The defacements had the hallmarks of other recent ones attributed to 'PoizonBox' (and the reputed Chinese/US 'hacking war'), and previous defacements in that series used old, well-known and long-patched vulnerabilities. Perhaps this latest crop used the new IIS/Index Server vulnerability described in this week's newsletter?
Aside from this new IIS hole, there is not a great deal of concern to highlight apart from the grievous WEP/802.11b Access Point hardware problems announced by ISS X-Force a few days ago.
Choke worm hits New Zealand
The second MSN Messenger worm, Win32/Choke, reported in the newsletter two weeks ago, seems to have been more 'successful' than its predecessor. Amongst widespread reports of it affecting MSN users, the newsletter compiler has confirmed incidents in New Zealand, not that geographic location means much when dealing with Internet-distributed malware. Much silliness has been said about this worm, perhaps the worst being the implication that if you use MSN Messenger you can 'just get it' by being online while another machine afflicted with Choke is chatting with you. This is, of course, rubbish. Like any program, the Choke worm has to be executed, and MSN Messenger asks the user whether to accept files being offered for transfer. It is then up to the user to decide whether to accept the program file and, if they do, whether to run it.
Just like ancient beliefs in the spontaneous generation of mice in grain stocks, reports of Choke spontaneously afflicting a PC are wrong-headed. Unfortunately, such tales also deflect attention from the user's responsibility to decide which files to accept and run (or perhaps that is why such tales arise in the first place...).
Kournikova writer to face trial in September
The self-confessed 20-year-old Dutch man who wrote the VBS/VBSWG.J virus (commonly known as 'the Anna Kournikova virus') is to face trial on 12 September. Although earlier stories suggested the maximum penalty for the charges he will face could be as much as four years' imprisonment and/or a 200,000 Euro fine, current expectations are that the prosecutor may seek around six months' imprisonment.
Update for yet another IIS remote code vulnerability
Despite the claim at the beginning of the security bulletin announcing this latest Microsoft patch that the problem it fixes is in Index Server (NT 4.0) and the Indexing Service (Windows 2000 and XP beta), the update really only applies to IIS 4.0 and 5.0 machines. This becomes clear further into the bulletin: 'Microsoft strongly urges all web server administrators to apply the patch immediately'. Even that recommendation really only applies to administrators running Microsoft's own web server, IIS, because exploiting the vulnerability depends on the ISAPI script mappings of the .ida and .idq extensions to idq.dll in IIS.
Although .ida requests are supposed to be checked for proper (administrative-level) authentication, the vulnerability occurs very early in the code's program flow, before those authentication checks are made. To exploit it, all an attacker needs to do is submit a carefully fashioned URL request to a vulnerable server; no credentials are required. As idq.dll runs in the System context, the vulnerability gives complete control of the host.
Note the warning in the FAQ section of the bulletin about the weakness of the 'disable the .ida and .idq script mappings' workaround: Microsoft's 'we know better' software can silently reinstate the mappings, undoing a legitimate system configuration change without so much as a 'by your leave' or any warning that it has happened. If you rely on the workaround rather than the patch, re-check the script mappings after any change to the server.
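Because the attack is just a URL request to a mapped .ida/.idq extension, the most useful thing an IIS administrator can do besides patching is to look for such requests in the W3C extended logs. The script below is an added example (it is not from the newsletter, Microsoft or ISS): it parses the IIS log format using its '#Fields:' header, reports every request for a .ida or .idq resource, and flags those that hit the administrative .ida interface or carry an unusually long query string. The log lines and the 200-character threshold are constructed for illustration; legitimate Index Server queries are short, so tune the threshold to your own traffic.

```python
"""Flag .ida/.idq requests in IIS W3C extended logs.

Added example, not from the newsletter or from Microsoft. SAMPLE_LOG is
constructed; the field layout follows the IIS 5 W3C extended format.
"""

LONG_QUERY = 200  # assumed threshold for a suspicious query-string length

# Constructed sample: two ordinary hits, one overlong .ida request from an
# outside address, and two ordinary-looking .idq searches.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-20 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-20 00:00:01 10.0.0.5 GET /index.htm - 200
2001-06-20 00:00:02 10.0.0.5 GET /images/logo.gif - 200
2001-06-20 00:00:09 192.0.2.44 GET /default.ida {q} 200
2001-06-20 00:00:11 192.0.2.44 GET /query.idq CiRestriction=test 200
2001-06-20 00:00:15 10.0.0.7 GET /search/query.IDQ CiRestriction=budget 200
""".format(q="A" * 300)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # skip records that do not match the declared layout
        yield dict(zip(fields, parts))


def ida_idq_requests(text, long_query=LONG_QUERY):
    """Return every .ida/.idq request with the reasons (if any) it looks suspicious."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        ext = stem.rsplit(".", 1)[-1].lower() if "." in stem else ""
        if ext not in ("ida", "idq"):
            continue
        query = rec.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)
        reasons = []
        if ext == "ida":
            # .ida is the administrative interface; ordinary visitors never need it
            reasons.append("ida-extension")
        if qlen >= long_query:
            reasons.append("long-query")
        hits.append({"ip": rec.get("c-ip", "?"), "stem": stem,
                     "query_len": qlen, "reasons": reasons})
    return hits


def flagged(text, long_query=LONG_QUERY):
    """Only the requests that have at least one suspicious attribute."""
    return [h for h in ida_idq_requests(text, long_query) if h["reasons"]]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_LOG):
        print(hit["ip"], hit["stem"], hit["query_len"], ",".join(hit["reasons"]))
```

Two caveats. On a server that does not use Index Server at all, every .ida/.idq hit is worth a look, not just the flagged ones. And IIS writes a log record when a request completes, so a request that actually succeeds in hijacking idq.dll may never be logged; an absence of entries is not evidence that nothing happened.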
Web bugs exposed
Although more of a privacy issue than a security one, web bugs are of interest to the security-aware. The Privacy Foundation has shown how web bugs can be made to work in Word and other Office documents, and has described the extensive use of web bugs in web pages (a use that is largely unmentioned in the privacy policies of the affected sites and apparently contrary to the expressed intent of those policies).
Following on from its earlier work on web bugs, the foundation led a project to develop a browser extension for Internet Explorer that 'exposes' some image-based web bugs (particularly the so-called 'invisible GIF' web bugs). Further, at the user's behest it can send an e-mail message to the bug-ger (if the bug is tied to a known web bug site) expressing the bug-ee's displeasure with the practice. Known as Bugnosis, the extension has its own site, linked below. Because of the limits of the Privacy Foundation's resources, Bugnosis is only available for the Windows versions of IE v5.0 or later. The current version only exposes web bugs, but a future version may be able to block the bug's work, at least by preventing the cookie associated with the bug from being transmitted back to the bug-ger.
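The 'invisible GIF' web bug is easy to recognise once you know what to look for: an image fetched from a host other than the page's own, usually one pixel square, and usually carrying a query string that identifies the page or reader. The script below is an added example, not Bugnosis itself or any other Privacy Foundation code; it applies those three heuristics (which are my own approximation of the practice described above, not the extension's actual rules) to a constructed HTML page using only the Python standard library. Treating the last two labels of a hostname as 'the site' is a deliberate simplification.

```python
"""Expose image-based web bugs in an HTML page.

Added example; not Bugnosis or Privacy Foundation code. The heuristics
(third-party host, 1x1 size, query string) are assumptions, and SAMPLE_HTML
is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a site logo, a classic invisible tracking GIF, a photo
# from the site's own CDN, and a visible third-party hit counter.
SAMPLE_HTML = """\
<html><body>
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<p>Welcome.</p>
<img src="http://ads.example.net/track.gif?id=1234&ref=home" width="1" height="1">
<img src="http://cdn.example.com/photo.jpg" width="300" height="200">
<img src="http://counter.example.org/hit.cgi?site=42" width="88" height="31">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _site(host):
    """Crude 'same site' key: the last two DNS labels (assumed simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def _dim(attrs, name):
    """Integer value of a width/height attribute, or None if absent/unparseable."""
    try:
        return int(attrs.get(name, "").strip().rstrip("px"))
    except ValueError:
        return None


def find_web_bugs(html, page_url):
    """Return the images that look like web bugs, each with the reasons matched.

    An image is reported when it is third-party AND is either tiny or carries
    a query string; a third-party image that is neither is just an image.
    """
    page_site = _site(urlparse(page_url).hostname or "")
    parser = ImgCollector()
    parser.feed(html)
    bugs = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        u = urlparse(src)
        reasons = []
        if u.hostname and _site(u.hostname) != page_site:
            reasons.append("third-party")
        w, h = _dim(attrs, "width"), _dim(attrs, "height")
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny")
        if u.query:
            reasons.append("query-string")
        if "third-party" in reasons and len(reasons) > 1:
            bugs.append({"src": src, "reasons": reasons})
    return bugs


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "http://www.example.com/index.html"):
        print(bug["src"], ",".join(bug["reasons"]))
```

Note that the visible counter is reported too: it is third-party and identifies the page in its query string, so from the reader's point of view it does the same job as the invisible GIF, just more honestly. Images set to 1x1 by a stylesheet rather than by attributes, or placed via scripting, are outside what this static pass can see.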
iMode phone malware warnings
Although of no particular concern in the immediate, short or medium term in New Zealand (and perhaps never...), Japanese telecommunications giant NTT DoCoMo warned customers of its iMode wireless Internet service late last week about the potential for malicious e-mail messages. It was revealed that specially crafted e-mail messages can lock up the phone, dial emergency numbers or phone large numbers of other people, simply by being opened for reading.
Such capabilities strongly suggest that the designers of the service, of the client (iMode phone) software, or of both, have not learnt the rather obvious lessons that should be abundant from desktop systems. Security practitioners have long known that carrying 'data' (e-mail should be only data) and 'code' (scripting) in-band, in the same message, is highly problematic. This is particularly so when the user interface is 'enhanced' by the combination, because then, even if the design allows the interpretation or execution of code embedded in the data to be disabled, few users will actually disable it, since doing so is seen as reducing the functionality of the unit.
As iMode is under close scrutiny as the most advanced (at least in terms of systems actually implemented and deployed) of the integrated mobile phone/mobile Internet systems, perhaps future systems will be improved by the lessons learnt here. (But then again, has that happened yet with all the very badly designed and implemented desktop and server systems and products so regularly mentioned in this newsletter?)
More wireless LAN problems...
Security researchers at Internet Security Systems (ISS) have uncovered serious security implementation flaws in some popular 802.11b Access Point hardware. Some Atmel devices (which are OEMed under the LinkSys and NetGear brands) do not implement proper SNMP security, allowing anyone to alter the configuration of the Access Point and to remove evidence of their tampering by disabling the SNMP traps the device sends. Some 3Com and Symbol Access Point products have a different problem: they readily divulge the WEP key used to encrypt wireless traffic between the Access Point and the wireless devices it serves. Weaknesses in the WEP protocol itself, and others in its implementations, are already known to allow recovery of this key simply by sniffing a modestly large amount of traffic from an Access Point; devices with this flaw, however, can be made to reveal the key immediately, allowing all traffic to and from the Access Point to be decrypted. Symbol devices affected by this problem are manufactured under OEM agreements and branded and sold as apparently distinct products, so check what your device actually is, not just the name on the box.
Firmware updates are available, or soon will be, from the relevant manufacturers/distributors of devices affected by either problem. Please read the two ISS X-Force alerts for more details.
- ISS X-Force alerts