iPlanet, FTPD and MS patches and CLSIDs

More worms going (almost) nowhere, CLSID extensions raise concern, Lots of updates for Microsoft products, iPlanet web server data security upgrade, Buffer overflow in FTPD globbing code -- multiple Unixes

First, my apologies for neglecting to mention there would be no Virus & Security Watch newsletter on Easter Friday in the previous issue.

Today we have a couple of Microsoft patches of particular relevance to anyone whose users browse the web or use Microsoft e-mail or Usenet newsreader client software such as Outlook or Outlook Express. There is also an apparently urgent update for iPlanet Web Server users and a bad bug in several popular Unix FTP servers. Finally, a very important (potential) change to your virus scanner configuration may be necessary due to recent publicity about CLSIDs.

Virus News

More worms going (almost) nowhere

It seems the message for corporate e-mail system administrators to simply block unknown executable content at their e-mail gateways may finally be beginning to bite. Since the previous newsletter, a couple of binary executable mass-mailing worms have briefly hit the headlines, but then almost entirely fizzled out to nothing. In the last few days it was Win32/Matcher and the previous week it was Win32/Badtrans. Both showed early signs of 'taking off' -- both quickly disappeared.

CLSID extensions raise concern

Although not used to its full extent in a virus yet, the latest 'discovery' by Bulgarian bug-hunter Georgi Guninski clearly has some implications for virus detection efforts. Guninski's latest security advisory points out the previously little-known facts about using CLSIDs as file extensions. CLSIDs are a mechanism for identifying an object's type and the proper handler for it. Guninski pointed out that files named with a CLSID extension are treated by Explorer (and various other applications) as files of the type the CLSID is associated with.

Thus, for example, renaming a plain text file from 'test.txt' to 'test.{00020906-0000-0000-C000-000000000046}' causes it to be opened in Word (if it's installed on your machine) when the file is double-clicked in Explorer. More insidiously though, although Explorer will display the file with a Word document icon, Explorer does not (nor can it be made to) display the file's extension. Extending this, if 'test.txt' is renamed to 'test.txt.{00020906-0000-0000-C000-000000000046}', it still opens in Word but Explorer displays its name as 'test.txt' (although it still uses the Word document icon).

This is not being actively 'exploited' in any viruses or other malware (yet) but if you do not have your virus scanner set to its 'scan all files' option and will not enable that option for whatever reason, please at least add '.{*' to the list of extensions to scan.
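As an added illustration of the point above (example code written for this newsletter item, not something from Guninski's advisory or from Microsoft), the following Python separates what Explorer displays from the CLSID component that actually selects the handler, and mimics an extension-list scanner to show why '.{*' needs to be on the list. The handler label for the Word CLSID is a constructed lookup entry, not a registry query.

```python
import re
from fnmatch import fnmatch
from dataclasses import dataclass
from typing import Optional

# A CLSID is a GUID in braces: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed lookup for the report. The Word CLSID is the one quoted in the
# newsletter; the label is an assumption, not a registry dump.
KNOWN_CLSIDS = {"{00020906-0000-0000-C000-000000000046}": "Microsoft Word document"}


@dataclass
class NameReport:
    real_name: str                # name as stored on disk
    displayed_name: str           # what Explorer shows once the CLSID part is hidden
    clsid: Optional[str]          # CLSID extension, if any (normalised to upper case)
    apparent_ext: Optional[str]   # extension the user sees, e.g. 'txt'
    handler: Optional[str]        # handler associated with the CLSID, if known


def classify_name(filename: str) -> NameReport:
    """Separate what Explorer displays from the component that picks the handler."""
    stem, dot, last = filename.rpartition(".")
    if dot and CLSID_RE.match(last):
        clsid, displayed = last.upper(), stem
    else:
        clsid, displayed = None, filename
    apparent_ext = displayed.rpartition(".")[2].lower() if "." in displayed else None
    return NameReport(filename, displayed, clsid, apparent_ext,
                      KNOWN_CLSIDS.get(clsid) if clsid else None)


def needs_scan(filename: str, scan_exts) -> bool:
    """Mimic an extension-list scanner: match the real last extension, case-insensitively."""
    ext = filename.rpartition(".")[2] if "." in filename else ""
    return any(fnmatch(ext.lower(), pat.lower()) for pat in scan_exts)


if __name__ == "__main__":
    sample = "test.txt.{00020906-0000-0000-C000-000000000046}"   # constructed name
    r = classify_name(sample)
    print(f"on disk:   {r.real_name}")
    print(f"shown as:  {r.displayed_name} (looks like .{r.apparent_ext})")
    print(f"opens in:  {r.handler or r.clsid}")
    print("scanned with [exe, doc]:     ", needs_scan(sample, ["exe", "doc"]))
    print("scanned with [exe, doc, {*]: ", needs_scan(sample, ["exe", "doc", "{*"]))
```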

Security News

Correct URL for 'Important update for Internet Explorer'

In the previous newsletter, the URL for the wrong Microsoft security bulletin was given in the 'Important update for Internet Explorer' item. Hopefully the correct bulletin was readily located at Microsoft's security web site, but to set the record straight, the correct URL is linked below.

- Microsoft security bulletin

Upgrade for Windows ISA Server 2000

An upgrade that fixes a denial of service attack against Windows Internet Security and Acceleration (ISA) Server 2000 has been released. ISA Server 2000 has been found vulnerable to both internal and external attacks that cause the Web Proxy service to fail. The attack depends on the service improperly handling a very long URL request and results in the Web Proxy service failing, requiring that service to be restarted. Until the service is restarted, all web proxying would be disabled.

Microsoft's security bulletin suggests the possibility of external attack is low. Certainly, if reverse proxying is disabled on a vulnerable ISA server, it cannot be directly attacked by simply submitting a suitable 'invalid' request to the proxy server. However, an external 'attack' of this sort can easily be directed through an internal user by having them issue the request. Despite the suggestion in the security bulletin that this is something of a complex feat, it is easily achieved in an HTML e-mail message or external web page. So, if you can prevent your users reading HTML e-mail as HTML e-mail (you cannot if you use Microsoft e-mail clients such as Outlook or Outlook Express) and prevent them browsing external web sites, you are safe. Thus, the reassuring tone the security bulletin sets on this is clearly ludicrous, as the bulletin's own recommendation elsewhere that all ISA administrators consider applying the patch makes obvious.

- Microsoft security bulletin

Microsoft releases patch for another WebDAV hole

Microsoft has released an update for its Microsoft Data Access Component Internet Publishing Provider (msdaipp.dll) to fix a serious security hole whereby it does not correctly differentiate requests generated by scripts running in the user's browser from requests made by the user. This component is installed with Windows ME and 2000, and as part of various other Microsoft products including some versions of Office, so it is likely to be installed across the full spectrum of Microsoft OSes still used in production environments.

The Microsoft Data Access Component Internet Publishing Provider supports Web Distributed Authoring and Versioning (WebDAV). WebDAV is a standard for using Internet file sharing mechanisms to enable collaborative document authoring, web publishing and the like. The flaw this patch fixes would allow attackers with sufficient knowledge of the locations and filenames of their victims' WebDAV documents to read or modify any of those documents in keeping with the victims' level of access to those documents. To achieve this, the attacker would have to 'entice' a victim to read an HTML document containing the attacker's (malicious) scripts. If you think that sounds terribly unlikely, read the previous item for a reality-check.

The Microsoft security bulletin explains how to locate any copies of msdaipp.dll that may be installed on your machines and check their version to determine whether the update is needed or not.

- Microsoft security bulletin

Buffer overflow in FTPD globbing code -- multiple Unixes

Security researchers at NAI's COVERT Labs uncovered two separate but related problems surrounding globbing code used in or by common FTPD code. These bugs allow for remotely and locally exploitable stack and/or heap overflows in the FTP daemons of several popular Unix OSes. Several vendors of affected systems have already shipped patches or updates. Some of these are detailed on the CERT Coordination Center page linked below; otherwise, check with your vendor(s).

- News article

- NAI COVERT Labs' advisory

- CERT CC advisory

iPlanet web server data security upgrade

iPlanet recommends that all users of any v4.x releases of its enterprise edition web server upgrade to v4.1sp7 immediately. If that is impracticable, an NSAPI module is available to correct the problem, but iPlanet warns that the potential performance impact of the NSAPI module means it should only be considered a short-term solution while planning a full upgrade.

The nature of the problem is not detailed at all on iPlanet's web pages, but the company says that without installing the patch or upgrade "the problem will persist and affect your site's data security, potentially leading to a data corruption event".

- iPlanet product alert
