Multiple IIS and IE problems, SP2 and a VBS worm (of course!)

Sri Lankan protest worms it way through the net; Windows 2000 SP2 contains many security updates; Serious IIS 4.0 & 5.0 vulnerability patched and more digital certificate woes for Microsoft

Unfortunately, serious international routing problems with the newsletter compiler's ISP have curtailed the contents of this week's newsletter somewhat, with most of it having to be written from security bulletins and other material received via e-mail during the week and without the aid of supplementary web access (this also means some of the URLs did not receive their last-minute, pre-posting check...). Our apologies for this...

Microsoft is fairly heavily in the spotlight this week, partly because of the quality of its e-mailed security bulletins and partly because it has featured in some of the truly most significant security flaws again.

It almost seems a week cannot go by of late without some serious IIS or related web service being found grievously insecure, and this last week was no exception. Cap that with the eventual release of Service Pack 2 for Windows 2000 and I guess Microsoft should be expected to feature prominently. We also briefly describe yet another VBS mass mailing worm that shouldn't have gone anywhere, but overnight reprts from Europe and increasingly in the US suggest there are still plenty of fools out there...

Virus News

Sri Lankan protest worms it way through the net

Rather blandly named VBS/VBSWG.Z, the latest VBS mass mailing worm seems to have gained a foothold in teh net. The worm arrives as an attachment to an e-mail message, with teh Subject: line of 'Mawanella' and a short message 'Mawanella is one of the Sri Lanka's Muslim Village'. Oddly, that seems to have been enough of a 'hook' to entice many recipients of the message to run the 'Mawanella.vbs' attachment.

That program is a fairly standard VBS worm, based on code apparently created by the same generator kit as was used by the 'writer' of the so-called AnnaKournikova worm earlier this year and the Homepage worm reported in last week's newsletter. If you are not filtering VBS attachments from incoming and outgoing e-mail, be prepared to be part of the problem with this one...

Security News

Windows 2000 SP2 contains many security updates

The long awaited Windows 2000 Service Pack 2 has been released. Aside from myriad fixes for general bugs and installation problems, SP2 conglomerates most of the post-SP1 security patches except a few released in recent weeks. However, of particular importance to the newsletter's readership is that some security patches that have not been individually released as hotfixes are also included in SP2.

An example of the latter is a memory leak in IIS WebDAV. This can be exploited as a remote denial of service by an attacker sending a stream of WebDAV requests to lock non-existant files. It is not clear what Microsoft's position is on such security fixes that have, to date, only shpped in SP2, but the author of an advisory describing this security hole claims Microsoft said of this particular fix "it will ship with each IIS5 hotfix that we release going forward".

- Windows 2000 SP2 download page

Windows 2000 SP2 contains many security updates

Index server and Indexing service patches

Index Server v2.0 from the NT 4.0 Option Pack has a buffer overflow, allowing remote execution of arbitrary code on affected servers. Index Server 2.0 runs by default on machines it is installed on. On Windows 2000 machines, the same functionality is provided by the native Indexing Service, which is not affected by this security hole. As this vulnerability allows running of arbitrary code, its corrective patch should be installed immediately on machines running teh affected software (at least on Internet-connected servers).

However, Indexing Service is affected by another, different security hole, which also affects Index Server 2.0. This hole allows an attacker to read files from the web server that the server is not supposed to make available to the public. The specific concern here is that 'include files' for server-side scripts and similar files often include information about the names of internal servers, and even account names and passwords for accessing some of their services so the information they provide can be obtaied and then served as web pages. Obviously, such information can be very useful to a determined attacker trying to dig further into your network.

More detailed descriptions of these vulnerabilities, and patches for both, are available from the URL below.

- Microsoft security bulletin

Serious IIS 4.0 & 5.0 vulnerability patched

A patch has been released for a vulnerability affecting IIS 4.0 and 5.0 servers. This is of extreme urgency, as several remote code execution exploits have been released and are actively being investigated by the 'underground hacker' community. This security hole is being referred to as 'the IIS decode vulnerability'.

The seriousness of this vulnerability cannot be overstated -- it is as bad a hole as last year's Unicode vulnerabilities and the recent Internet Printing hole (although the latter only ffects IIS 5.0). There are reports that this vulnerability also affects IIS 3.0, although Microsoft's position on supporting 'obsolete' versions means that IIS 3.0 users should not expect a patch.

In an unusual move, Microsoft has released an 'omnibus patch'. The update available from the URL below not only patches the IIS decode vulnerability and the two other new vulnerabilities described in the security bulletin. The IIS 5.0 patch also incorporates all IIS 5.0 security patches and the IIS 4.0 one incorporates all IIS 4.0 security patches released since NT 4.0 SP5.

The decode bug alone makes installing this update an absolute priority for any administrators with IIS 4.0 or 5.0 machines on the Internet.

- Microsoft security bulletin

More digital certificate woes for Microsoft

Aside from having code-signing certificates in its name released to someone who should not have had them and the problems that raised due to the incomplete implementation of CRL (Certificate Revocation List) support in its code-signing technology, Microsoft has now issued updates for Internet Explorer v5.01 and v5.5 to correct further problems with signing and CRLs.

The gory details can be found in the security bulletin, below (although the list compiler wonders why anyone in their right mind would use IE or IIS given the legion, sever, security problems they continue to manifest).

- Microsoft security bulletin

Join the newsletter!

Error: Please check your email address.

More about MicrosoftUnicode

Show Comments

Market Place

[]