Serious IIS 5.0 bug, US/China cyberwar, wireless worries and worms

Hardening Windows 2000 systems; Cyberwar with China a self-fulfilling prophecy?; Growing wireless networking concerns; Not so FunnyFile... and not so HappyTime

Short introduction this week -- if you deploy IIS 5.0 and have not already fixed the latest IIS security hole, read the item in the newsletter then get onto it! Also, a couple of interesting articles on wireless networking security issues are pointed out, plus a good op-ed piece on reports of the US/China "cyberwar". And what would the newsletter be without a couple of new Windows worms?

Virus News

Not so FunnyFile...

A worm that should probably be of no concern to corporate networks has received some media attention, so is probably worth mentioning in passing here. Win32/FunnyFile (aka Win32.FunnyFiles, Win32/Hello) spreads via the MSN Messenger program, sending a "greeting" to other users on the Messenger service and offering them copies of a "funny file". As MSN Messenger seems an unlikely tool to be widely installed and used in business situations, this worm should be of only academic interest to business computer users.

- Various antivirus vendor descriptions: cai.com, vil.nai.com, symantec.com, antivirus.com

...and not so HappyTime

A fairly trivial VBS self-mailing virus, VBS/HappyTime, has been spotted in very small numbers doing the rounds the last few days. This virus is very "fragile", failing to work at all on many systems, but some Windows and Internet Explorer version combinations see the virus successfully replicate. The only notable thing HappyTime does is alter the Outlook Express configuration so new HTML messages are made based on a template ("stationery" in OE terms) that includes the HTML embedded script form of the virus. This form has been occasionally noted by some e-mail virus scanning services.

As is not unusual, this thing has been given a wide variety of names by different antivirus vendors...

- Various antivirus vendor descriptions: cai.com, vil.nai.com

Security News

Yet another remote exploit of IIS 5.0

Researchers at eEye Digital Security discovered another serious hole in IIS 5.0 a little over two weeks ago. They informed Microsoft of the problem and a patch was released a couple of days ago. This is a very serious problem, being a remotely-exploitable buffer overflow of a process that runs in the local system security context. An attacker exploiting this vulnerability gains full control of the machine and could run any code they wished.

In short, there is an unchecked buffer in the Internet Printing Protocol (IPP) support shipped with IIS 5.0. The affected buffer is used in processing parameters that are supplied as part of the URLs that initiate an IPP session. Thus, a URL request can be specially formed to overflow the parameter-handling buffer and include code of the attacker's choice which will be run with the heightened rights and system privileges of the web server. Submitting such a URL request to a vulnerable IIS system cannot be prevented by a firewall as this is only dependent on HTTP access to the server.

The vulnerability is in the Internet Printing ISAPI module, which is installed by default. As few users probably need IPP support, one approach to fixing this vulnerability is to disable Internet Printing and details of that workaround are in the Microsoft security bulletin, linked below. Sample exploit code, exercising this vulnerability, has been publicly posted on the Internet, so it is strongly recommended that anyone running IIS 5.0 servers either apply the workaround or the patch immediately. Microsoft advises installing the patch regardless of whether Internet Printing is needed -- that is good advice.

Further, should you have vulnerable IIS 5.0 servers, it would appear that typical standards of "best practice" have not been followed in their setup and configuration (in general, running an "unneeded" service reflects poor design and implementation). In this case, you should probably peruse Microsoft's IIS 5.0 Security Checklist and/or consider using the Windows 2000 Internet Server Security tool to "test" your Windows 2000 IIS 5.0 server(s). This vulnerability does not affect IIS 4.0 or earlier versions -- IPP was first supported in IIS 5.0.

Finally, although Microsoft suggests that extensive LAN-wide compromise should be mitigated by standard security practices such as putting public web servers in network DMZs and not running security critical services such as corporate LAN PDCs on web servers, that is of little comfort to the typical smaller enterprises in markets the size of New Zealand. How do you separate those functions in a typical Small Business Server configuration?

Post Script: Just before submitting this issue of the newsletter, several reports arrived of trouble with IPP "coming back" after being disabled. This seems to be tied to system policy issues. Installing the patch would appear to be the wise approach. Also, an exploit that produces a "remote shell" on a vulnerable IIS 5.0 machine has just been made public. Use of this exploit gives a remote user ("attacker") the ability to effectively run a command prompt on the vulnerable machine, with system administrator privileges but controlling it from across the Internet. Patch those boxes!

- eEye Digital Security advisory

- Microsoft security bulletin

Microsoft IIS security/configuration resources:

microsoft.com/technet/security/tools.asp

microsoft.com/technet/security/iis5chk.asp
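An added example (not from the original newsletter, Microsoft or eEye): a log check for servers where Internet Printing was disabled as a workaround, given the reports above of IPP "coming back". It assumes IIS W3C extended logs, that IPP requests are those whose URI stem ends in `.printer`, and that a status other than 404 means the mapping is still answering; the log lines are constructed.

```python
# Added example: flag Internet Printing (IPP) requests in IIS W3C extended logs.
# Assumptions: IPP requests have a cs-uri-stem ending in ".printer", and a
# status other than 404 means the ISAPI mapping is still handling them.

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-03 02:11:07 192.0.2.10 GET /default.htm 200
2001-05-03 02:11:09 192.0.2.55 GET /NULL.printer 500
2001-05-03 02:14:40 198.51.100.7 GET /null.printer 404
2001-05-03 02:15:02 192.0.2.10 GET /images/logo.gif 304
"""


def parse_w3c(text):
    """Yield one dict per request, honouring every #Fields directive seen."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def ipp_requests(text):
    """Return (client_ip, uri_stem, status, handled) for each IPP request."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith(".printer"):
            status = rec.get("sc-status", "-")
            hits.append((rec.get("c-ip", "-"), stem, status, status != "404"))
    return hits


def mapping_looks_active(text):
    """True if any IPP request was answered with something other than 404."""
    return any(handled for _, _, _, handled in ipp_requests(text))


if __name__ == "__main__":
    for ip, stem, status, handled in ipp_requests(SAMPLE_LOG):
        note = "mapping still answering" if handled else "not found"
        print(f"{ip} {stem} -> {status} ({note})")
```

On a server that has no need for Internet Printing, every hit is worth a look, and a hit that was not a 404 after the workaround was applied suggests the mapping has returned.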

Hardening Windows 2000 systems

The "Windows 2000 Security Handbook" by Philip Cox and Tom Shelton was published by Osborne McGraw-Hill late last year. One of the authors of that book (Cox) has made his "Hardening Windows 2000 Guide" available electronically from the URL below. This is a very good source of much critical Windows 2000 security information and probably well worth the read even if you have already implemented Windows 2000.

- Hardening Windows 2000 Guide

Cyberwar with China a self-fulfilling prophecy?

An interesting article by Brian Martin, available at attrition.org, suggests the recent spate of articles in the mainstream (IT) media painting a picture of a "cyberwar" raging between US and Chinese hackers is a self-fulfilling prophecy. Using attrition.org's extensive database of hacked/defaced web sites, Martin suggests that ongoing hacking and web site defacements have been given a veneer of political motivation due to media interest that has been building since the recent "spy plane" saga involving the two countries.

- Martin's article at attrition.org

Growing wireless networking concerns

Recently there have been growing concerns about both the inherent weaknesses in the security measures defined in wireless networking standards and the reckless abandon with which such networks are set up without even those weak security options enabled. Below are links to two news articles dealing with these issues. The first is about how easy it is to "surf" wireless networks in the Silicon Valley and San Francisco areas with standard laptops and wireless networking equipment and a vehicle, while the second takes a more technical look at the issues and points to several resources documenting the development of the problems and some of the steps that can be taken to improve upon what appears to be current "standard" wireless networking practice (i.e. take it out of the box and just plug it in is not good enough!).

- News Articles: msnbc.com, zdnet.com
