Last week I closed the introduction to the newsletter by observing that there seems to be something of a tendency for new vulnerabilities and/or patches to be released around the time this newsletter is dispatched. When you consider the mechanisms behind the scenes this is, actually, rather unsurprising. First, the newseltter is mailed out early enough on Friday that anything you may not have already known about and planned to work on after close of business Friday is bought to your attention, perhaps for "emergency consideration". Second, New Zealand is nearly a day ahead of the US West Coast -- the home of the major IT developers. Third, "late in the week" is the traditional release time for
vulnerability information and patches, at least when the discoverer and the affected vendor cooperate. The target is to get this information out to those who need it "in time for the weekend" under the assumption that, in general, large corporate sites have fewer staff to possibly inconvenience while affecting the necessary repairs, upgrades, etc. Unfortunately, as we have come to expect down under, the timeframe by which the US West Coast IT vendors decide "late in the week" is, naturally, that of the US West Coast...
Perhaps it was not so much tempting fate as a recognition of this reality that I ended the introduction to the previous issue of the newsletter with the question "I wonder what will arrive in my e-mail during the next few hours?". Thus, I was not entirely surprised that, within six hours of despatching that newsletter last Friday morning one of the biggest security holes in Internet Explorer was announced via Microsoft's product security announcement mailing list. If you have seen or heard of this already, and even if you think you have taken the necessary steps to patch the hole, please carefully read the item about this issue, as apparently many people have been fooled by a silly "feature" of the standard Microsoft patch installer and have not patched their vulnerable systems because the installer refused to run saying that their systems do not need the patch.
We also have news of yet another Linux worm and a couple of serious remote root compromises for Solaris and Linux/Unix in general.
Another Linux worm not so adorable?
Close on the heel of the Lion worm announced in the previous newsletter, there has been some interest this week in the Adore worm (also known as the Red worm). Reported from the field, Adore is similar to the Ramen and Lion worms, exploiting several well-known and long-patched remote root exploits of services commonly installed on Linux systems.
The worm attempts to send various configuration files (including the shadow password file) to these e-mail addresses -- firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com. As the service providers have not yet responded to attempts to close those accounts, blocking them at your outgoing e-mail server would or blocking all traffic to/from those doamins at a corpoaret firewall may be justifiable. As with the Lion worm last week, SANS has a detection script for the known variants of Adore.
Important update for Internet Explorer
A major security flaw in Internet Explorer was announced just after last week's newsletter was posted out. The title of the Microsoft security bulletin announcing the availability of a patch to fix this flaw rather downplays its significance -- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment". It sounds like a bunch of techo-weenie gibberish and sounds less "threatening" because of the use of the word "can".
What Microsoft is trying to say is that you can be toasted from anywhere on the Internet if you allow your users to read e-mail with Outlook or Outlook Express (and possibly some other e-mail clients that also use IE to render HTML e-mail messages).
Has that got your attention?
Yep -- Outlook is bad for your corporate IT health. You can tell that, deep down, Microsoft is more than slightly concerned about the threat this latest IE hole opens its users to through their e-mail client
software from this statement in the security bulletin "Customers using IE should install the patch immediately". Given that IE "is part of the operating system" (the DoJ investigation defense) and is installed on millions upon millions of computers worldwide, that is Redmond code for "what a monumental &*^% up".
But, if you think that is bad, wait till you try to patch it... First, despite the confusion and some claims to the contrary, it must be noted that Microsoft was very up-front about the following from the outset. Despite IE v4.0x being installed out of the box on millions upon millions of (never updated) Windows 98 machines, Microsoft has a firm policy on its maintenance of IE -- it only maintains the current and
previous official release (and maybe betas of new versions). Thus, if you do not have IE 5.01SP1 or IE 5.5SP1 installed, you cannot install this latest security update. Unfortunately, there is no easy way to tell for sure whether you have those versions without jumping through some hoops (see the Internet Explorer version decoder page below for the definitive word on this). Worse, if you have a version of IE that the patch does not support (i.e. any of dozens of versions of IE other than those two) the patch installer will incorrectly tell you that you do not need the patch. Although Microsoft has not released a definitive list of the versions of IE that suffer this vulnerability, it is a fair bet that every version from v4.0 does (and possibly even versios back in the v3.x series of IE as well). So, if you have not yet updated to IE 5.01SP1 or IE 5.5SP1, installing this latest very necessary security patch could involve a fairly significant effort.
Finally, in case all that is not enough, there is some debate about another issue with IE that is closely related to this one. It involves spoofing the content type of file attachments and the appropriate warning dialog for IE to display. In short, executable type attachments (or file donloads) can be presented to the user without the usual GUI indications that the attachment is, in fact, an executable program. A quick and dirty workaround for both this latter (unpatched by Microsoft) and the earlier vulnerability is to disable the "File Download" option in all IE security zones.
Microsoft security patch locator
Are you tired of battlng with the bizarre system of patch naming that Microsoft uses, whre the patch is named after the apparently random KnowledgeBase article discussing the issue? Can you quickly tell whether patch Q290108.EXE needs to be applied to your NT 4.0 boxes that have SP6a installed?
Well, Microsoft has finally taken this ugly bull by the horns and posted a "what do I need to get up to date" locator on its security web page. When using this service, just remember that service packs only update the installed components of the OS or application they update, so even though you may have applied all the latest service packs for your systems, if you subsequently alter any of the core installed components from the original installation disks or your network installation locations, you will have to re-apply the service packs.
ntpd vulnerability on multiple Linuxes (and Unixes?)
Versions 4.0.99k and prior of the ntpd (Network Time Protocol Daemon) are vulnerable to a remote root exploit due to a buffer overflow attack. As ntpd usually runs with superuser privileges, exploiting the overflow allows a root compromise. If you run ntpd and must leave it running, check with your vendor(s) for the availability of patches.
Solaris snmpXdmid remote root exploit
CERT has warned of a remote root vulnerability of Solaris snmpXdmid that is actively being exploited on the Internet. Several compromised machines have had rootkits installed, making discovery of the exploit that much harder for all but the most experienced and security-aware administrators.