It has been another relatively quiet week, with only one security bulletin from the Redmond giant and little else. Several Linux vendors have released updated GPG packages, and some interesting flaws in the script filtering of eSafe Gateway are also covered. Also, Oracle has released a patch for the bug reported in the newsletter several weeks ago. Even the worm writers seemed to be taking things easy this week, or perhaps the lack of 'news' on that front indicates that companies are filtering more 'unnecessary' crud out of their e-mail and individual users are becoming more careful about what they click on?
With so little emergency security updating to do on your machines, I recommend you spend some of that unexpected 'spare time' reading the following article about the fragility of the Internet by Steve Gibson:
New worm misses its mark?
There has been some interest in a new mass mailing worm during the last 48 hours. However, this worm, which tries to entice users into running it with the promise of pictures of recent Miss World contestants, has only been confirmed at a few dozen sites to date. As most of those were corporate sites that intercepted the executable on its way into their sites as an e-mail attachment and, as a matter of policy, blocked its delivery, it seems that this one is not going anywhere.
An interesting thing to note about this 'Miss World worm' is that several different filenames have been reported, yet the worm itself does not have code to alter its name. This suggests a deliberate, albeit miserable, attempt to manually distribute the worm under different names to provide some confusion and presumably increase its chances of spreading.
Second MSN Messenger worm
A second MSN Messenger worm has been discovered. As with the first such worm, Win32/FunnyFile, this should not pose much of a threat to corporate networks and seems more likely to be of concern to individuals and perhaps small business users. The filename this worm presents as when sent over the MSN instant messaging system varies, but includes 'ShootPresidentBUSH.exe' and 'Choke.exe' -- the latter matching the name chosen for this worm, although the name was chosen because 'Choke' appears elsewhere, including in the file 'about.txt' it writes in the root of the victim's C: drive. The content of that file probably tells us a great deal about the mental state of the writer of this worm and is reproduced below:
Choke , Copyright * 1886 ... A MAD CHRISTIAN
Go talk swearwords about God
You all will die, stupid humans.
You fools didn't see what you have done
Bye ****, go talk **** about me.
(Call me a 'psychophatt', but I respect the Creator of life...)
' Consider your earth'
(Note that indenting has been added, a couple of mild profanities have been replaced with '****' and the single asterisk in the first line of the message is standing in for a copyright symbol. Aside from hopefully bypassing corporate e-mail content filters, these measures will also hopefully prevent this message being detected as part of the worm by already updated virus scanners, as some of them will probably detect the message file as well as the executable.)
Update for Outlook Web Access attachment vulnerability
An error in Outlook Web Access' (OWA) handling of attachments could allow an attacker to run script code embedded in an HTML attachment to a message. For such an attack to work the message's recipient would have to access the message's attachment via OWA (and using Internet Explorer) rather than via Outlook. A patch for Exchange Server 2000 has been released and administrators of such machines are recommended to install this update (OWA is included in the default Exchange Server 2000 installation).
The version of OWA in Exchange 5.5 is not vulnerable and earlier versions were not tested as they are no longer supported.
Aladdin eSafe Gateway script filtering bypass
As a result of its product testing, eDvice Security Services has discovered three flaws in the script filtering of Aladdin's eSafe Gateway products. eSafe Gateway allows an administrator to, among other things, block script code embedded in HTML documents; however, the testing revealed three relatively trivial methods of bypassing such filtering, which could easily be used by attackers were they aware that their targets felt 'safe' behind an eSafe Gateway.
The first filtering flaw, which applies to v2.x releases of the product and not the more recent v3.0, involves nesting script tags inside script tags. The other flaws affect all versions and involve embedding script tags inside some other HTML tags (where they will be interpreted and run fine by a web browser) and 'encoding' some of the characters in the tags that eSafe Gateway looks for (but again not preventing a web browser from correctly seeing and interpreting the script tags).
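The nesting flaw above is the classic failure of a single-pass tag stripper: removing one script block can splice the surrounding fragments into a new one. The following is an added illustration, not eSafe code, of why a gateway filter should normalise its input, strip until nothing changes, and then re-verify; the function names and the sample document are constructed for this example.

```python
import html
import re

# An opening or closing <script ...> tag, case-insensitive, tolerant of stray whitespace.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)
# A whole <script>...</script> block, the unit a simplistic filter removes.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def naive_filter(doc: str) -> str:
    """Single pass over the raw text: the style of filter the bulletin describes as bypassable."""
    return SCRIPT_BLOCK.sub("", doc)


def normalise(doc: str) -> str:
    """Decode entity references until stable so the filter matches the characters the browser
    decodes; a production filter must mirror every decoding the browser applies, not just this one."""
    prev = None
    while prev != doc:
        prev, doc = doc, html.unescape(doc)
    return doc


def hardened_filter(doc: str) -> str:
    """Normalise, then strip script tags until a fixpoint, so a removal can never leave behind
    fragments that reassemble into a fresh tag."""
    doc = normalise(doc)
    prev = None
    while prev != doc:
        prev, doc = doc, SCRIPT_TAG.sub("", doc)
    return doc


def contains_script(doc: str) -> bool:
    """Verification step run after filtering: any surviving tag means the document should be blocked
    rather than forwarded."""
    return SCRIPT_TAG.search(normalise(doc)) is not None


# Constructed sample: a script tag nested inside another, the first flaw class named above.
NESTED = "<scr<script></script>ipt>alert(1)</script>"

if __name__ == "__main__":
    print("naive filter leaves script:", contains_script(naive_filter(NESTED)))      # True
    print("hardened filter leaves script:", contains_script(hardened_filter(NESTED)))  # False
```

The lesson for anyone relying on a content gateway is that filtering and verifying must be separate steps: remove, then check again, and quarantine anything that still matches.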
GPG update for various systems
GPG (Gnu Privacy Guard), the popular open source PGP replacement, has recently been updated. Significant patches include fixes for the keyfile format weakness that was discovered by Czech security researchers at ICZ (and reported in the newsletter a couple of months ago) and for a format string bug that can result in arbitrary code execution just from decrypting an encrypted file with a specially (mal)formed name.
Many Linux vendors are now supplying updated GPG packages, so check with your vendor(s). Prebuilt packages for other OSes may be available from the usual places too. (Of course, security purists should prefer to build their own versions of such tools, so the GPG home page is provided for those looking for the source code.)
Update on serious Oracle Financials account exposure bug
Four weeks ago we reported on this bug. Due to an oversight, we failed to report two weeks later that Oracle had officially commented on this issue and released patches to correct the error. The root cause of the problem was said to be that a debug version of a DLL was shipped with the release of a patch to Applications Desktop Integrator (ADI) v7.x.
Affected Oracle users should read the whole announcement, because there are several options for working around and patching this problem, and which is best will depend on local issues.