"Naked Wife" fizzled quickly

This week's newsletter carries details of several important updates for IIS servers on the Internet, all Internet Explorer users and a serious issue for IBM WebSphere sites. Two e-mail worms that didn't make the grade earlier in the week are also discussed.

Virus News

"Naked Wife" fizzled quickly

Fortunately - and despite some early indications of likely trouble - the e-mail worm Win32/Naked@mm (aka "Naked Wife" or NakedWife.exe) did not come to much. After mailing a copy of itself to every address in its victim's Outlook address book, Win32/Naked sets about deleting crucial files from the Windows and system directories. Perhaps the message to not run "unexpected" attachments is getting through, or perhaps corporate system administrators are finally taking a harder line on executable file attachments. Perhaps not in the US military though, where most of Win32/Naked's hits are rumoured to have been...

Various antivirus vendor descriptions: viruslist.com, cai.com, vil.nai.com, sophos.com, sarc.com, antivirus.com

Vierika worm put down but pops back up...

Early this week, a new mass-mailing VBS worm was discovered.

Fortunately, much like the Davinia virus described a few issues back in this newsletter, the actual replicative code of this worm was located in a web page on a single web server. This makes stopping such worms easy, as all one has to do is obtain the site administrator's cooperation and have the replicative code removed (which is usually done by the admin closing that site). Like Davinia, Vierika was "dead" before more than a small number of people fell victim to it, but unlike Davinia, the antivirus company responsible for that did not make a big song and dance about this "terrible new threat" (which was good, because it wasn't).

Last night, a new variant of Vierika was isolated. The only change is that the site hosting the replicative code is different. Unfortunately this time, a very large hosting site was chosen and it typically takes a few days to get through the "abuse queue" to get sites removed from this hosting service. Members of the antivirus research industry are working to have that site removed, but until they succeed, VBS/Vierika.B@mm may have a chance to spread its wings.

Sites that block VBS attachments at the Email gateway will, of course, be safe, and the updates of several products to detect the first Vierika also detect this new variant. Descriptions of the original Vierika are below (although some of these may soon be updated to include mention of this new variant). Should you be hit by this worm, please note that its first part downgrades your Internet Explorer security settings to allow ActiveX controls not marked safe for scripting to run without any warning or prompting if accessed in the Internet Zone. This opens a gaping security hole on your machine and it should be rectified following disinfection.

Various antivirus vendor descriptions: cai.com, vil.nai.com, sophos.com, sarc.com, antivirus.com

Security News

Update for IIS 5.0 and Exchange 2000

Specially constructed URLs sent repeatedly to an IIS server can lead to memory allocation errors in the IIS service and the failure of the service. The web-mail interface in Exchange 2000 is dependent on the same URL-handling code in two places - through its use of IIS 5.0 and in some Exchange-specific code. This vulnerability opens both products to a denial-of-service attack, though both affected services should automatically restart in the event of this kind of failure.

Such an attack against an Exchange server would only disrupt access to it via web-mail clients. Further, the recommended configuration of Exchange means that in most implementations an attacker would have to authenticate as a valid user before gaining access to the server.

IIS 5.0 and Exchange 2000 servers exposed to the Internet should be patched as soon as practicable. Exchange 2000 users must apply both the IIS and Exchange patch - the update kit for Exchange does not include both patches.

- Microsoft Security Bulletin

Update released for Internet Explorer and Windows Scripting Host

Microsoft has released patches fixing several issues in Internet Explorer and Windows Scripting Host (WSH), some of which have been known and occasionally exploited for some time. In the newsletter compiler's opinion, the seriousness of some of the problems this update addresses is rather under-rated in Microsoft's discussion.

Suffice it to say, Internet Explorer 5.01 and 5.5 users must install the IE and WSH patches covered in the security bulletin below and should do so sooner rather than later. The "Telnet invocation" patch is really only needed on NT and Windows 2000 systems where the optional Services for Unix 2.0 has been installed, but that said, installing that patch now and adding it to your standard build routines means it is just one more thing you don't have to remember for those "oddball" machines.

Users of Internet Explorer 4.0x are not immune from some of the problems described in this Microsoft security bulletin. However, Microsoft has a policy of only supporting the two most recent releases of IE. Internet Explorer 4.0 users should seriously consider updating or switching to another browser.

- Microsoft Security Bulletin

IBM Net.Commerce and WebSphere Commerce Suite security warning

IBM has warned its customers using IBM Net.Commerce and IBM WebSphere Commerce Suite v4.1 and earlier of crucial security configuration procedures for those products. These warnings have been made in the past, but many Net.Commerce and WebSphere sites appear not to have implemented these recommendations. They are now especially urgent as a utility has been released in the hacking community that can harvest and crack account names and passwords from sites running affected versions of the software. If you wish to check whether this warning applies to you, read the pages linked from the WebSphere security page, below.

Further, note that IBM will soon be releasing a utility to customize the merchant key, as part of the weakness lies in the fact that most sites using this software use the default installation key.

This warning does not apply to users of the current release of those products, v5.1.

- IBM WebSphere security tips and hints

PalmOS passwords offer no security whatsoever

An @Stake security researcher has uncovered a gaping security hole in all versions of PalmOS to date. The system lockout feature can easily be circumvented by anyone with physical access to the PDA, a synching cable and suitable PalmOS debugging tools. The latter are readily available from several sources and the rest is stock-in-trade for someone intent on getting their hands on valuable data your company may keep in its PalmOS PDAs.

The heart of the problem is that PalmOS will enter a debugging mode via a special Graffiti keystroke even though the unit has been "locked". Via its serial port debugger interface, all the contents of its memory can be accessed and dumped to the debugging computer. Included in that data is the obfuscated system password block which can be cracked (thanks to earlier work by the same researcher). This means all the contents of all databases in the device can then be decoded.

Palm says this flaw will be addressed in PalmOS v4.0.

- @Stake security advisory

Study of the uptake of recent BIND patches

An Icelandic security firm has studied the level of application of the recent security-crucial BIND DNS server patches by Fortune 1000 and selected other .com sites. The results show an initially high level of uptake which quickly tailed off, leaving a surprising percentage of sites surveyed still running old, vulnerable versions. The details can be found in the news story linked below.

- News story
