Another fairly quiet week, punctuated with two virus-related 'firsts' -- the first AppleScript worm for the Macintosh and a password-stealing Trojan that exploits the RTF remote template vulnerability we reported a few issues back. On the security front, Microsoft has had all manner of trouble getting the patch for last week's Outlook Web Access vulnerability in Exchange right, and has had to release two updates to the original patch. Microsoft also released an update for a bevy of holes in its Windows 2000 Telnet service and a privilege escalation bug in SQL Server. The popular University of Washington IMAP server has seen a couple of security holes fixed, and people using Apache on Mac OS X should look at the final item.
First AppleScript e-mail worm hits Macs
The first MacOS AppleScript e-mail worm was reported late last week (after the newsletter was posted, of course!). Variously dubbed Mac/Simpsons and AplS/Simpsons, this worm uses AppleScript's ability to script Outlook Express and Entourage (the version of 'Outlook' in Office 2002). Much along the lines of Windows' VBS/LoveLetter and the like, the Simpsons worm sends copies of itself, as an e-mail attachment, to all addresses in the e-mail program's address list. The e-mail message itself promises the chance to view Simpsons episodes online.
Password stealer uses RTF remote template vulnerability
Three weeks ago we reported the release of an update for Word versions 97, 98, 2000 and 2001 that fixed the RTF remote template vulnerability. At the time there were no known exploits of the vulnerability, which was discovered by Microsoft's internal testing. Word 2002, the newest version of Word that is included in the recently released Office XP, does not suffer from this vulnerability.
This morning that changed. Russian antivirus developer Kaspersky Lab has announced the discovery of a password-stealing Trojan Horse program that depends on code delivered to the victim machine via the RTF remote template vulnerability. Kaspersky Lab has tentatively named this Trojan 'Goga', but this name may not be used by other developers.
Updated Outlook Web Access update
Further to the report in the previous newsletter about the Exchange 2000 update that fixes an error in the way Outlook Web Access (OWA) handles attachments, Microsoft has now twice updated the patch. The initial release of the patch contained a regression error, and it was discovered that, despite the original claims that it was not vulnerable, Exchange 5.5 also suffers a form of this vulnerability. So, shortly after last week's newsletter was distributed, Microsoft pulled the first version of the patch from their web site. A second release of the patch was posted later on Friday (US West Coast time).
However, this patch also contained errors and was itself replaced on 13 June (US West Coast). Several sites have reported that installing the second patch caused Exchange's store.exe to consume 100% of CPU and stop processing the incoming mail queue. If you installed either of the patches released before 13 June (US West Coast), you should run (not walk!) to the URL below and download and install the latest release of the patch, even if you have not noticed any obvious problems with your Exchange 5.5 or 2000 systems.
Patch fixes multiple Windows 2000 Telnet server holes
The Telnet service shipped with all Windows 2000 versions contains seven security holes that are patched with this update. All users of any Windows 2000 system who have enabled the Telnet service on Internet-connected machines are recommended to obtain and apply the patch as soon as practicable. The security threats these seven holes expose range from information disclosure through privilege elevation to denial of service. The privilege elevation threat is likely to be greater from internal users than across the Internet, though it could be exploited either way depending on various conditions reflecting security policy on the machine running the Telnet service. The gory details are available in the Microsoft security bulletin, linked below. Microsoft claims none of the vulnerabilities are present in the NT version of the Telnet service.
SQL Server 7 & 2000 update prevents privilege escalation
One of SQL Server's query methods has a flaw such that carefully timed submission of a query using that method can result in the query assuming the cached client connection, and thus security credentials, of the administrator. This can only occur on SQL Servers configured to use Mixed Mode authentication, rather than Microsoft's recommended Windows Authentication mode. The vulnerability is limited to users who have already authenticated and their actions will be audited if auditing is enabled.
If you run SQL Server 7 or 2000 and must run it in Mixed Mode, obtain and install the patch as soon as practicable.
imap update for various Unix/Linux distributions
Several buffer overflows that may allow remote shell access to servers running the UW-IMAP package have recently been fixed. As a result, updated imap packages for several Linux and Unix OSes are now available from their respective vendors. Alternatively, you may wish to grab the source from the University of Washington and build your own.
Apache on case-insensitive Mac OS X HFS+ volumes
A recent post to the bugtraq mailing list raised the issue of how to make Apache's directory protection work properly on case-insensitive file systems such as Mac OS X's HFS+. If you run Apache on OS X, it may be a good idea to read the whole thread.
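The mismatch behind this item, sketched as an added example (not code from the bugtraq thread or from Apache): a simplified model of what happens when a protection rule compares paths case-sensitively while the volume resolves names case-insensitively. The rule paths, file names and function names are constructed for illustration.

```python
import posixpath

# Constructed sample data: rule paths and file names are illustrative only.
PROTECTED_DIRS = ["/private", "/admin/reports"]
STORED_FILES = ["/private/accounts.txt", "/public/index.html"]


def normalize(path):
    """Collapse '.', '..' and duplicate slashes so rules see the real path."""
    return posixpath.normpath("/" + path.lstrip("/"))


def resolves_on_case_insensitive_volume(path):
    """Model an HFS+-style lookup: names match regardless of letter case."""
    wanted = normalize(path).casefold()
    return any(wanted == stored.casefold() for stored in STORED_FILES)


def under(path, directory):
    """True if path is the directory itself or lies below it."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def protected_case_sensitive(path):
    """Rule matching that compares the path character for character."""
    p = normalize(path)
    return any(under(p, d) for d in PROTECTED_DIRS)


def protected_case_folded(path):
    """Rule matching that folds case first, as the file system does."""
    p = normalize(path).casefold()
    return any(under(p, d.casefold()) for d in PROTECTED_DIRS)


def audit(paths):
    """Return paths that reach a stored file yet miss the case-sensitive rule."""
    return [p for p in paths
            if resolves_on_case_insensitive_volume(p)
            and protected_case_folded(p)
            and not protected_case_sensitive(p)]


if __name__ == "__main__":
    sample = ["/private/accounts.txt", "/PRIVATE/accounts.txt",
              "/Private//Accounts.TXT", "/public/index.html"]
    for gap in audit(sample):
        print("rule gap:", gap)
```

Any path that `audit` returns is one the file system would serve but the case-sensitive rule would not cover, which is the gap a case-folded comparison closes.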