Until a few minutes ago, this introduction opened with the news that an apparently trivial attack against OpenPGP secret key files had been uncovered, and that this was the biggest security concern of the week. However, e-mail received at 7:38 Friday morning brought news that Verisign has issued not one but two fraudulent certificates to someone claiming to be a Microsoft employee who was not. If you think that is bad (it is -- it is really, really bad), read the article below, because not only is Verisign's mistake about the worst thing it could have done, but the whole mess is made worse by the lack of adequate key revocation mechanisms in the affected Microsoft products...
By the time you've worked out whether any bogus code signed with either of those fraudulent certificates has been run on any of your machines (oh -- there's a kicker... you can't), you won't have time to read the rest of the newsletter, but in case you do, there are a couple of other Microsoft web server security issues you should be aware of and a remotely exploitable buffer overflow in Netscape Directory Server (which is also shipped as part of Netscape and iPlanet Messaging Server products). And a couple of minor virus-related stories.
VBS Worm Generator kit "discontinued"?
Further to last week's reports that "[K]" had released an "enhanced" version of the generator kit that produced the VBS/VBSWG.J (or "Anna Kournikova") e-mail worm, [K] subsequently removed all copies of the kit from public access on his web site and requested other sites carrying it to also remove it. [K] claimed that pressure from people who wanted him arrested and held accountable for the damage caused by code made with his kits was behind his decision.
And, even better news -- in the last 36 hours, [K]'s personal web site has been closed by the company on whose servers it was hosted.
Linda -- a trivial LoveLetter variant...
Who, these days, would be fooled into running a VBS attachment to an e-mail, especially if it had a "double-extension" filename such as "KellyInWhite.jpg.vbs"? Regardless of the fact that (or rather, because) many would double-click such an attachment, what corporate e-mail administrator would ever let it through to their users to find out which of them were that foolish?
Despite the almost total lack of instances of the virus affecting anyone, VBS/LoveLetter.CH gained some press coverage this week. To cloud the fact that it was a boringly trivial variant of the original (and now very old-hat) LoveLetter (remember May 2000?), several antivirus vendors felt it necessary to jazz the virus up with a new name and called it VBS/Linda. Yawn...
Verisign issues fraudulent Microsoft digital certificate
The most fundamental error a public certification agency can make is to issue a certificate to someone who is not who they say they are. Public key infrastructures can only work well if end users make validity judgements by extending their trust to the certificate issuers. Thus, issuing a certificate to John Doe claiming he is James Doe breaks that most crucial trust relationship.
The only thing worse than issuing John Doe a certificate "validating" him as a James Doe representative when he is not, is to issue John Doe a certificate "validating" him as a representative of a large and influential software developer that heavily pushes code-signing as _the_ solution to mobile code security and integrity issues.
If you use Microsoft products and depend in any way on code-signing, you must read the Microsoft security bulletin, linked below. To give you some idea of how seriously Microsoft is treating this issue (quoted from the bulletin):
We will waive normal support guidelines to provide remediation for all operating systems that are still in widespread use, regardless of whether they are normally supported or not.
As all versions of Windows 95, 98, ME, NT and 2000 include code-signing certificate validation components, and Microsoft has heavily pushed code-signing as the security solution for inherently insecure technologies such as ActiveX, it has to act on a broad front on this.
Unfortunately, although Verisign has revoked the fraudulent certificates, there are no mechanisms in the Microsoft/Verisign signing and certificate checking protocols that allow automatic checking for revoked certificates. Thus, if an ActiveX control, Word macro or other executable signed with one of these fraudulent certificates is encountered and its certificate checked, all the user will be told is that the code was signed by "Microsoft Corporation". To _manually_ test the bona fides of such a certificate you have to check its issue date. If it is 29 or 30 January 2001 it is a fraudulent certificate, as the real Microsoft was not issued any certificates on those dates.
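The gap described above is that a signature check alone answers "was this signed by a certificate chaining to a trusted CA?" and nothing else; the verifier must also consult revocation data, and when none is available the only fallback is the manual issue-date check the bulletin gives. The following is an added example, not code from the newsletter, from Microsoft or from Verisign: it parses the DER-encoded Validity field of an X.509 certificate (a constructed blob whose notBefore falls on one of the two dates given above), then applies a trust decision that prefers a CRL when one is available and falls back to the issue-date heuristic when it is not. The CertInfo structure, the Verisign issuer string, the serial numbers and the revoked-serial set are all constructed for illustration; real Authenticode verification operates on PKCS#7 signatures and full certificate chains, which this example does not attempt.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional, Set, Tuple

# Issue dates the newsletter gives for the two fraudulent "Microsoft Corporation" certificates.
FRAUD_ISSUE_DATES = {date(2001, 1, 29), date(2001, 1, 30)}


def _read_tlv(blob: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos).

    Only short-form lengths (< 128 bytes) are handled, which covers Validity.
    """
    tag = blob[pos]
    length = blob[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not supported in this example")
    start = pos + 2
    return tag, blob[start:start + length], start + length


def _parse_time(tag: int, value: bytes) -> datetime:
    """Decode a DER UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    text = value.decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("only Zulu-time encodings are handled here")
    if tag == 0x17:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy  # UTCTime century pivot from RFC 5280
        text = f"{year}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_der_validity(blob: bytes) -> Tuple[datetime, datetime]:
    """Parse 'Validity ::= SEQUENCE { notBefore Time, notAfter Time }' from DER bytes."""
    tag, body, _ = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, nxt = _read_tlv(body, 0)
    t2, v2, _ = _read_tlv(body, nxt)
    return _parse_time(t1, v1), _parse_time(t2, v2)


@dataclass(frozen=True)
class CertInfo:
    """Hypothetical, already-parsed view of a code-signing certificate (not a real API)."""
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


def assess_certificate(cert: CertInfo, crl_serials: Optional[Set[int]], now: datetime) -> str:
    """Decide whether a code-signing certificate should be trusted at time 'now'.

    crl_serials is the set of serials revoked by the issuer's CRL, or None when no
    revocation data could be obtained, which is the situation the newsletter describes.
    """
    if not (cert.not_before <= now <= cert.not_after):
        return "reject: outside validity period"
    if crl_serials is not None:
        return "reject: revoked by issuer CRL" if cert.serial in crl_serials else "accept"
    # No revocation data at all: fall back to the manual issue-date check from the bulletin.
    if cert.subject == "Microsoft Corporation" and cert.not_before.date() in FRAUD_ISSUE_DATES:
        return "reject: issue date matches known fraudulent certificates"
    return "accept (revocation status unknown)"


# Constructed DER Validity: notBefore 2001-01-29 00:00:00Z, notAfter 2002-01-29 00:00:00Z.
SAMPLE_VALIDITY_DER = b"\x30\x1e\x17\x0d010129000000Z\x17\x0d020129000000Z"


def demo() -> Tuple[str, str, str]:
    """Run the decision for a suspect certificate with and without a CRL, and for a genuine one."""
    nb, na = parse_der_validity(SAMPLE_VALIDITY_DER)
    utc = timezone.utc
    now = datetime(2001, 3, 2, tzinfo=utc)
    suspect = CertInfo("Microsoft Corporation", "Verisign", 0x1234, nb, na)  # constructed serial
    genuine = CertInfo("Microsoft Corporation", "Verisign", 0x99,
                       datetime(2000, 6, 1, tzinfo=utc), datetime(2001, 6, 1, tzinfo=utc))
    with_crl = assess_certificate(suspect, {0x1234}, now)      # issuer CRL lists the serial
    without_crl = assess_certificate(suspect, None, now)       # no CRL reachable
    genuine_result = assess_certificate(genuine, None, now)    # issued on a different date
    return with_crl, without_crl, genuine_result


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the two suspect-certificate calls is that the outcome is the same only because the fallback heuristic happens to exist for this one incident; for any other mis-issued certificate the "no CRL" path would accept the code, which is exactly why the lack of automatic revocation checking matters.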
Oddly, Verisign's home page carries no news or other indication of this snafu...
Search method overflow in IIS 5.0
In last week's newsletter we reported the malformed WebDAV denial of service vulnerability in IIS 5.0 with the WebDAV extensions enabled. Another related but different exploit has since been published but it is also corrected with the same patch as discussed last week. The discovery of further flaws that allow IIS to be temporarily disabled remotely, simply by submitting a URL with a very long argument to IIS' search engine suggests that keeping as up to date as possible with IIS patches is even more advisable than usual if you have IIS machines on the Internet.
Personal Web Server also vulnerable to Unicode security flaws
Several directory traversal and remote command execution security holes in IIS 4.0 and 5.0 that have been reported here in the past are also apparently present in Microsoft's Personal Web Server, which is included on the Windows 98 CD and has been available for download from Microsoft's web site for some time. It is likely (although the newsletter compiler has not seen any tests reported) that some of these vulnerabilities also apply to Peer Web Services for NT.
Microsoft's official response to this discovery, delivered by the head of its Security Response Team, was to blow it off by saying that PWS was not intended for use on the public Internet or other insecure network environments and therefore no fixes were planned. This should be news to others at Microsoft outside the Security Response Team, as the documentation for PWS makes several mentions of connecting PWS machines to the Internet, and nowhere does it appear that Microsoft has suggested that PWS is inappropriate for such uses. A short discussion thread on this can be read in the Security Focus archive of the Bugtraq mailing list -- the link below is to the first message in the thread.
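Both the IIS search-engine item (a very long URL argument disabling the server) and the PWS/IIS directory traversal item above leave an administrator with the same practical question: has anyone already sent such requests to my servers? The following is an added example, not code from the newsletter or from Microsoft, that parses IIS W3C extended-format log lines and flags two things: query strings longer than an assumed threshold (MAX_QUERY_LEN is an arbitrary choice, not a value from the advisories) and path components containing ".." after zero, one or two rounds of percent-decoding, plus percent-encoded non-ASCII bytes in a path on a server that is expected to serve only ASCII paths. The log lines are constructed for the example and are not from any real server.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

# Assumed threshold: query strings longer than this are treated as anomalous for review.
MAX_QUERY_LEN = 256

# ".." as a whole path segment, with either separator, in raw bytes.
TRAVERSAL = re.compile(rb"(^|[\\/])\.\.([\\/]|$)")


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one field-name -> value dict per request.

    The '#Fields:' directive names the columns; other '#' lines are directives and are skipped.
    Lines whose column count does not match the header are ignored as malformed.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def _decoded_forms(value: str) -> List[bytes]:
    """Return the raw bytes plus one and two rounds of percent-decoding.

    Checking the double-decoded form catches a traversal sequence hidden behind a second
    layer of %-encoding, which a single-decode check would miss.
    """
    raw = value.encode("latin-1")
    once = unquote_to_bytes(raw)
    twice = unquote_to_bytes(once)
    return [raw, once, twice]


def inspect_record(rec: Dict[str, str]) -> List[str]:
    """Return the list of reasons a request record deserves review (empty if none)."""
    reasons: List[str] = []
    query = rec.get("cs-uri-query", "-")
    if query != "-" and len(query) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(query)} exceeds {MAX_QUERY_LEN}")
    stem = rec.get("cs-uri-stem", "")
    if any(TRAVERSAL.search(form) for form in _decoded_forms(stem)):
        reasons.append("directory traversal sequence in path")
    if any(b > 0x7F for b in unquote_to_bytes(stem.encode("latin-1"))):
        reasons.append("non-ASCII bytes in percent-encoded path")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Scan a whole log; each finding is ('client-ip uri-stem', [reasons])."""
    findings: List[Tuple[str, List[str]]] = []
    for rec in parse_w3c_log(text):
        reasons = inspect_record(rec)
        if reasons:
            findings.append((f"{rec.get('c-ip', '?')} {rec.get('cs-uri-stem', '')}", reasons))
    return findings


# Constructed sample log (W3C extended format); none of these lines is from a real server.
LONG_QUERY = "q=" + "A" * 600
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-03-02 09:12:01 10.0.0.5 GET /default.htm - 200",
    f"2001-03-02 09:12:07 10.0.0.5 GET /search/query.asp {LONG_QUERY} 500",
    "2001-03-02 09:13:44 10.0.0.9 GET /docs/..%252f..%252fprivate/notes.txt - 404",
    "2001-03-02 09:13:50 10.0.0.9 GET /docs/%c3%a9.htm - 200",
    "2001-03-02 09:14:02 10.0.0.9 GET /index.html - 304",
])


if __name__ == "__main__":
    for label, reasons in scan_log(SAMPLE_LOG):
        print(label, "->", "; ".join(reasons))
```

The third sample line only matches on the double-decoded form, which is why the check runs over all three forms rather than the raw string. The non-ASCII rule is deliberately broad: it is a review trigger for servers that never legitimately serve non-ASCII paths, not a proof of compromise, and it should be dropped or narrowed on a server hosting localized content.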
Netscape Directory Server buffer overflow
@Stake security researchers have discovered a buffer overflow in Netscape (iPlanet) Directory Server 4.11 and 4.12. Although related, the overflow in 4.12 does not allow remote execution of arbitrary code, but both allow remote denial of service attacks. Aside from the "bare" forms of the Directory Server products, affected versions of Directory Server are bundled with Netscape Messaging Server 4.15 and iPlanet Messaging Server 5.0. Netscape/iPlanet recommend updating all affected Directory Server installations to Directory Server 4.13 and further, that Netscape Messaging Server 4.15 users update to patch 4 (v4.13p4).