More Microsoft buffer overflow issues, Mac OS X, and the worms keep turning

Kournikova's sister on the rampage; IPP hole also affects Windows 2000 Professional; Two flaws in Mac OS X; Plus a serious Oracle bug

Who could have missed the 'Homepage' virus (more correctly, VBS/VBSWG.X) story during the week? At its height, Xtra claimed it was intercepting two infected messages per second! This week we also cover updates on the latest major IIS security hole from last week, a new problem with Kerberos in Windows 2000 server and several issues for Mac OS X users to be aware of, now that they have an OS with a real security model built into it. Also, a rather worrying bug in Oracle Financials clients.

Virus News

Kournikova's sister on the rampage...

It seems unlikely many computer users could not have already heard about VBS/VBSWG.X (widely referred to as 'Homepage' in the media). The virus was apparently created with the assistance of the same 'worm generator kit' as was used by the Dutch teenager who created and released VBSWG.J, or 'the AnnaKournikova virus', in February. Somewhat surprisingly -- the optimistic among us like to believe that people learn from past mistakes -- this variant spread further and faster than its tennis-playing 'sister', approaching the distribution of LoveLetter, and almost exactly on the one-year anniversary of that virus' outbreak.

Unlike LoveLetter, VBSWG.X has no seriously damaging payload. Aside from mass-mailing itself to all addresses in all Outlook address books, it sets the start page of the user's web browser to one of four randomly selected pornography web sites. It also checks for messages in the user's inbox with the Subject: line of 'Homepage' (as used by the virus) and deletes them, presumably in the hope of reducing the likelihood of discovery. The reason for the surprise over the apparent success of VBSWG.X is that the message it distributes simply says 'You've got to see this page! It's really cool ;O)' and requires the user to run the attached VBS program. There was no promise of enticing pictures of nubile tennis players, love messages or free access to X-rated web sites (the social engineering 'hooks' used by VBSWG.J (or 'AnnaKournikova'), LoveLetter and Melissa respectively).

Finally, recent reports suggest that a small group (some reports say three, some four) of Dutch teenagers have anonymously claimed responsibility for VBSWG.X. These youths claim it is something of a publicity stunt attempting to draw attention to their 'skills' and the viability of truly 'viral marketing'. Hopefully sanity will prevail and no-one will choose to employ these vandals.

Various antivirus developers' descriptions: cai.com, viruslist.com, vil.nai.com, sophos.com, sarc.com, antivirus.com

Security News

IPP hole also affects Windows 2000 Professional

In last week's coverage of the latest IIS security hole, which uses an Internet Printing Protocol buffer overflow, it was strongly implied that this hole only affects the various flavours of Windows 2000 Server and not Windows 2000 Professional (the "workstation" version of Windows 2000). This implication was based on the Microsoft security bulletin as posted when the article was last checked, just moments before posting the newsletter.

Murphy being Murphy though, Microsoft updated the page shortly after the newsletter was posted. That being the case, most readers probably saw the updated version and checked any potentially vulnerable Windows 2000 Professional machines as well. As this vulnerability has been widely exploited during the last week or so (including the suspicion that three Microsoft regional web sites were defaced via it) you should make any and all such checks if they have not been made yet. Also, that update confirmed that group policies could 'interfere' with disabling the Internet Printing service through the Internet Services Manager (ISM) and explained how to remove Internet Printing from group policies and the ISM and to be sure it would stay disabled.

And, Murphy being Murphy, the bulletin was updated again yesterday! This latest change covers a minor operational issue when disabling IPP on Exchange 2000 machines. This should remind us that IIS 5.0 may be installed, running and vulnerable via this hole on Exchange 2000 servers if web access to Exchange has ever been enabled on the server!

Finally, SP2 for Windows 2000 has been delayed to allow this critical patch to be added and properly regression tested with the rest of the service pack.

- Microsoft security bulletin

Update fixes Kerberos memory leak in Windows 2000 server

Microsoft has released a patch that removes a possible resource depletion attack against all versions of Windows 2000 server. The attack could be instigated by sending a sufficient number of invalid Kerberos service requests to a server running as a domain controller, eventually depleting memory to the point the server became completely unresponsive. Should this happen, a reboot would be necessary to correct things.

Normal best practice for network configuration should mean that such an attack is limited to machines on the local network. This update will be included in SP3 for Windows 2000. The vulnerability only affects domain controllers as it is in a core security service only used by DCs.

- Microsoft security bulletin

sadmind/IIS worm -- hits Solaris; defaces IIS sites

CERT/CC has warned of a new worm that infests Solaris systems. It spreads from successfully attacked machines to other vulnerable Solaris machines and has two payloads. First, it launches attacks against IIS web servers, defacing sites hosted on them; second, after it has defaced 2000 such IIS sites, it attempts to deface a web site on its own Solaris host.

It uses the 18-month-old (or older) sadmind hole on Solaris machines and one of the Unicode holes in IIS that has been patched for at least seven months. Unsurprisingly, its exploitation of this combination of vulnerabilities has seen it dubbed the 'sadmind/IIS worm'. The web site defacements replace index.htm[l] files with a simple anti-US government message and crudely implicate China as the source of the attack (bear in mind the attrition.org article from last week when deciding the likely verisimilitude of this). CERT/CC and vendor bulletins relevant to this worm and its security exploits are linked below.

- CERT/CC advisory

- Sun security bulletin

- Microsoft security bulletin
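The IIS 'Unicode hole' the worm relies on abuses overlong UTF-8 encodings of '/' and '\' in request paths, which a strict decoder rejects but a permissive one turns into directory traversal. The following log-scanning example is added here for illustration; it is not code from the newsletter, CERT/CC or any vendor. It runs over a few constructed IIS-style log lines (the log format and the sample entries are assumptions) and flags requests whose path only becomes a traversal after lenient decoding, which is exactly the condition a patched server no longer accepts.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (date time client method path status); not real traffic.
SAMPLE_LOG = [
    "2001-05-10 03:12:44 10.0.0.5 GET /index.html 200",
    "2001-05-10 03:12:45 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200",
    "2001-05-10 03:12:46 10.0.0.9 GET /images/logo.gif 200",
    "2001-05-10 03:12:47 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe 404",
    "2001-05-10 03:12:48 10.0.0.8 GET /docs/%e2%82%ac-price-list.html 200",
]

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def lenient_decode(raw: bytes) -> str:
    """Decode like a permissive server: accept overlong two-byte UTF-8 sequences.

    Lead bytes 0xC0/0xC1 are never valid in UTF-8 (they can only encode
    values below 0x80, which must be single bytes), so a strict decoder
    rejects them. A lenient one maps %c0%af to '/' and %c1%9c to '\\'.
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            # Other multibyte sequences are irrelevant to the traversal check.
            out.append("\ufffd")
            i += 1
    return "".join(out)


def inspect_path(path: str) -> dict:
    """Report whether a request path hides traversal behind overlong encoding."""
    raw = unquote_to_bytes(path)
    try:
        raw.decode("utf-8")          # strict decoding rejects overlong forms
        overlong = False
    except UnicodeDecodeError:
        overlong = any(b in (0xC0, 0xC1) for b in raw)
    lenient = lenient_decode(raw).replace("\\", "/")
    traversal = "/../" in lenient or lenient.startswith("../")
    return {"overlong": overlong, "traversal": traversal,
            "flag": overlong and traversal}


def scan_log(lines):
    """Return (client, path) for every line that matches the overlong-traversal pattern."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, path, _status = m.groups()
        if inspect_path(path)["flag"]:
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG):
        print(f"overlong-UTF-8 traversal from {client}: {path}")
```

The check deliberately requires both conditions: a path that is valid UTF-8 (the euro-sign entry) is never flagged, and a plain `/../` is left to the server's normal normalisation, so only requests that depend on the decoder bug are reported.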

Mac OS X shows its Unix roots

The new and much heralded Mac operating system, OS X, is based on a Unix (BSD) kernel. As such, it will likely be vulnerable to many of the same security issues as its Unix/BSD/Linux brethren are. Two examples that have come to light in the last week or so are a potential local root compromise in sudo and the rather 'old' version of SSH shipped with OS X. Both issues are discussed at the SecureMac site and should be readily found from the link below.

- SecureMac homepage

Mac OS X Timbuktu security flaw

While talking of Mac OS X security, the Timbuktu Preview for Mac OS X has a rather gaping hole, compromising the best of localized security configurations for machines running the newest version of the Macintosh operating system. Again, the details can be found at the SecureMac site (direct link to the article below). In short, at a Mac OS X login screen, anyone can access the Apple menu and System Preferences therein and is able to alter (or remove!) the root user's password (or that of any other user) without having to log in at all.

- SecureMac article

Serious Oracle Financials account exposure bug

It was reported on the bugtraq mailing list that the version of Application Desktop Integrator (ADI) -- v7.1.1.10.1 -- that shipped with Oracle's Financial Applications v11.5.3 should be 'downgraded' to an earlier version. The v7.1.1.10.1 ADI release decrypts privileged database account and password information and writes it in plain text into the dbg.txt file on the user's local hard drive. Any user who can (and does) access that information may then be able to gain higher privilege access to the database than they are supposed to have.

A newer release of ADI (v7.1.2) is available for download and may resolve this serious security snafu. However, there are reports of other (non-security) problems with that version so you may be better off downgrading as the author of the initial public warning of this problem suggested. Oracle users or admins with access to Metalink may be able to find more details of this issue there.

- Bugtraq message
