Surprise, surprise -- no IIS or IE updates this week, but perhaps the next most popular web server on NT/Windows 2000 (and the most commonly used across all platforms), Apache, has an update for a denial of service vulnerability on Win32 and OS/2 platforms. The most important Microsoft updates this week are the Word and Media Player ones, as both allow remote 'attackers' to run arbitrary code on your machine. On the virus front, things were fairly quiet, but an ineffectual attack against a well-known antivirus researcher reminded me of a good article about why people write viruses and mass mailing worms, and there was a 'flip side' story to that...
What makes Johnny (and Jane) write viruses?
An interesting article of that title can be read at the URL below. It is based largely on the research of Sarah Gordon, the only antivirus researcher to have focussed on what makes virus writers tick.
Although neither the article nor its research findings are new, this article is rumoured to be the motivation behind a newly released VBS mass mailing worm (VBS/Sargo) which has entirely failed to make any impact. Such measured and considered responses by the virus writing community are, of course, only further evidence of some of the contentions in the research findings...
Sauce for the goose?
Just to show that antivirus researchers are not the only likely targets of the often petty peeves of virus writers, a mass mailing worm that went absolutely nowhere at the end of last week was also intended to 'attack' a UK virus writer. Variously named 'Repah' and 'Weather', this e-mail worm sends copies of itself as 'weather.txt.exe' to the first 1000 addresses in each Outlook address list. It also installs a mIRC script that will distribute copies of the executable via DCC to users joining channels the infected user is on if mIRC is installed in either 'c:\mirc' or 'd:\mirc'. Although copies were distributed (apparently 'manually' rather than by the worm itself), it failed to take off. Hopefully that is because people are now sufficiently wary of EXE attachments (and many corporate sites filter all such attachments from incoming and outgoing e-mail).
Security updates for Word 97, 98, 2000 & 2001
Several years ago, a prominent member of the antivirus research community pointed out to Microsoft several shortcomings in the 'macro security' features of Word. Although one can question the adequacy of the measures taken to address these shortcomings, it was thought they had all been considered by Microsoft. Earlier this week, however, Microsoft itself broke the news that its earlier fixes for two of those 'problems' were, in fact, incomplete or poorly implemented.
Two vulnerabilities involving Word's failure to check and/or alert to macros in templates on which a document is based, both covered by the previous generation of fixes, have been found to also affect RTF files. One of these security holes is known as the 'remote template' vulnerability while the other has no accepted name, but could be described as the 'global templates are not security checked' vulnerability. Both problems revolve around the fact that macros in the template on which an RTF format document is based do not pass through Word's normal macro security checking procedures. Precisely what those checks are supposed to entail depends on the version of Word involved -- for example, versions prior to Word 2000 make no checks and raise no alerts when templates stored in the configured template file locations contain macros, whereas Word 2000 (and later versions) are supposed to apply the current 'macro security policy' (which can be 'only allow signed macros from accepted signers to run' or the equivalent of the only Word 97 policy, 'anything goes'). This new discovery strongly suggests that the security checking mechanisms in earlier versions of Word are built into the wrong parts of the program and depend on the code calling the 'open and load a template' function to first call the 'security check a template' function. Robust security checking would build the latter function into the former, thus ensuring that all calls to 'open and load a template' are properly security checked...
By far the worse problem of the two raised by this new discovery is the remote template vulnerability. Using this, an attacker could send a suitably formatted RTF file to a victim and, if it was opened on an Internet-connected machine, Word would retrieve a template from anywhere on the Internet via a standard ('http') URL. The macro virus W97M/Nail was written to take advantage of exactly this vulnerability as it applies to Word document files. It would be trivial for a similar virus that saves its victim documents in RTF format to do much the same thing.
Microsoft has released patches addressing these vulnerabilities in Word for Windows 97 and 2000. Similar updates for Word 98, 98(J) and 2001 for Macintosh will be available soon. The updates that are already available are linked from the Microsoft security bulletin.
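The design point made above (a security check that each caller must remember versus one built into the loader) is sketched here as an added example. It is a toy model, not Microsoft's code and not part of the original newsletter; every class, function and template name in it is hypothetical.

```python
class MacroBlocked(Exception):
    """Raised when the macro policy rejects a template."""

# Constructed sample templates: name -> (has_macros, signer)
TEMPLATES = {
    "plain.dot": (False, None),
    "signed.dot": (True, "Trusted Corp"),
    "remote.dot": (True, None),  # unsigned macros
}
TRUSTED_SIGNERS = {"Trusted Corp"}

def security_check(name):
    """Policy modelled on 'only allow signed macros from accepted signers'."""
    has_macros, signer = TEMPLATES[name]
    if has_macros and signer not in TRUSTED_SIGNERS:
        raise MacroBlocked(name)

class FragileLoader:
    """The check is a separate step that every caller must remember."""

    def load_template(self, name):
        return f"loaded {name}"

    def open_doc(self, template):
        security_check(template)             # this code path remembers the check
        return self.load_template(template)

    def open_rtf(self, template):
        return self.load_template(template)  # this code path never calls it

class RobustLoader:
    """The check lives inside the loader, so no caller can skip it."""

    def load_template(self, name):
        security_check(name)
        return f"loaded {name}"

    # Every entry point is the checked loader itself.
    open_doc = open_rtf = load_template

def outcome(loader, method, template):
    """Return the loader's result, or 'blocked' if the policy refused."""
    try:
        return getattr(loader, method)(template)
    except MacroBlocked:
        return "blocked"
```

With the fragile design, a new file format handler only has to omit one call for an unsigned-macro template to load unchecked; with the robust design, adding a handler cannot bypass the policy.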
Windows Media Player bugs
Two separate security vulnerabilities in both v6.4 and v7.0 of Windows Media Player have been patched. One is a buffer overflow that can be remotely exploited, allowing an attacker to run arbitrary code on affected machines. The other allows dropping of files with a known name in a known location -- these could subsequently be called from a web page or HTML e-mail and would run in the local system security zone despite originating from the Internet.
Users of Media Player v6.4 should download the patch linked from the security bulletin and v7.0 users are encouraged to upgrade to Media Player v7.1, also linked from the security bulletin.
Windows 2000 SP2 rolling back post-SP2 hotfixes?
It shouldn't happen but some users have reported that installing SP2 seems to have 'undone' some post-SP2 hotfixes they had applied to a Windows 2000 machine before SP2 was released. This has not been confirmed, so as always, it would be prudent to recheck all post-SP2 hotfixes after installing SP2. The update locator at the URL below may be of assistance in this.
Apache web server update for Win32 and OS/2 platforms
A simple remote denial of service is possible against the Win32 and OS/2 releases of v1.3.x through to and including v1.3.19 of the Apache web server. An interim patch to the affected DLL was released with the advice to upgrade the entire package to v1.3.20 when it was released. That version is now available.
Patches by OS:
Apache v1.3.20 now available: http://httpd.apache.org/
Apple launches security site
In last week's newsletter we commented that Apple's latest OS, Mac OS X, was likely to harbour common Unix-ish security issues because of its developmental background. Searching Apple's main web site for 'security' at the time turned up no promising looking pages, but Mac users should be pleased to hear that Apple has now set up a security site. The first of the two URLs below leads to a description of the product security incident tracking procedures Apple has in place, while the second leads to brief descriptions of the security updates incorporated into the recent OS X updates.
Apple product security sites:
Samba updates for most Unix-ish platforms
If you administer Unix or Linux machines that run Samba and have not already updated to Samba v2.0.9, you should check with your vendor for update package availability or obtain the source (or patches) and build and install it. Also note that no further releases of Samba v2.0.x are planned.
Upgrade against iPlanet web server denial of service
iPlanet recently advised of two denial of service attacks that work against all v4.x releases up to and including the recent SP7. Although one of these attacks is only viable against the Windows version of the product, all users are recommended to update their servers.