This last week saw the release of only one Microsoft security bulletin and it introduced the new format for these missives. The main impact this will have on the newsletter is that henceforth there will be only one URL to Microsoft's bulletins as the associated FAQ information that used to be on a separate page is incorporated into the main bulletin. Aside from a low priority patch for Windows 2000 domain controllers, Unix/Linux SSH users should be checking into recent developmets that may affect the security of your SSH sessions and the author of PGP has left NAI to work on OpenPGP initiatives.
On the virus front, we report on a couple of new self-mailing script viruses embedded in HTML format e-mail that depend on the old Scriptlet.TypeLib bug and the increasing popularity of code generator
kits amongst wannabe virus writers.
San and Valentin -- two new self-mailing viruses
A month back we informed you of the Davinia virus, which was going nowhere fast due to its replication depending on a single Internet download site which was closed within hours of the virus' discovery. The writer of Davinia has recently written and released two VBS script viruses that depend on different ploys for "success".
Named VBS/San and VBS/Valentin, both depend on the Scriptlet.TypeLib security hole in older versions of Internet Explorer and thus in the corresponding versions of Outlook Express. A patch to rectify this problem has been available for close to 18 months now. Aside from spreading "quietly" in infected, HTML e-mail messages (as JS/Kak has done very successfully for over a year now) VBS/Valentin has a mass-mailing function like Melissa and LoveLetter.
During the last week, the writer of these viruses has been trying to encourage their distribution by deliberately posting infected HTML messages in various Usenet newsgroups. Some subsequent infections have been noted as result of this. Most virus scanners that detect these viruses did not have detection added until after the VBS/VBSWG.J ("Anna Kournikova") "emergency update", so if you have not updated your scanner since then, now would be a very good time to update again.
Various antivirus vendor descriptions of VBS/San:
Various antivirus vendor descriptions of VBS/Valentin:
Virus kits tempt script kiddies
In the wake of the VBS/VBSWG.J ("Anna Kournikova") virus, focus quickly turned on the apparent writer of the virus, a 20 year-old Dutchman using the handle "OnTheFly". The virus writer admitted to having no programming skills and using a "worm generator kit", which wrote the virus for him. Such virus and/or worm generator kits are not uncommon, but have tended to not be popular with "real virus writers" as traditionally their has been little glory within the hacker and virus writing communities for cranking code from a generator. The point of the "art" was that writing your on code "proved" your skills.
Unfortunately, the media publicity surrunding this case and its highlighting of the availability of these kits seems to have sown the idea that "maybe I could do it too" more widely than has been the case
after similar incidents (such as LoveLetter and Melissa).
Somewhat fortunately, the kit used to produce VBS/VBSWG.J and its predecessors are quite buggy and tend to produce non-functional, or only partially working "worms". Several such examples have been seen by antivirus researchers since this story broke.
Update for Windows 2000 domain controllers prevents DoS
Microsoft has released an update for Windows 2000 Servers that can run as domain controllers. If a vulnerable machine is running as a domain controller, it can be attacked causing loss of service due to CPU resource consumption. It is caused by erroneous, CPU-intensive processing of an invalid packet when the malformed packet should be quickly detected as invalid and dropped. If a steady stream of such packets can be directed to a domain controller, it can suffer a denial of service.
There are several mitigating factors in the effectiveness of this as an external DoS attack method. Most notably, best practice would prevent remote access to domain controllers on the network ports necessary to effect the attack. More details can be found in the Microsoft security bulletin, linked below. Microsoft recommends that system administrators consider installing the patch on any Windows 2000 Server, Advanced Server and Datacenter Server machines they have running as domain controllers. This vulnerability does not affect any other Windows 2000 platforms or any NT 4.0 platforms.
- Microsoft Security Bulletin
Microsoft favours Macs over Windows in security snafu
Have you ever wondered why you cannot entirely disable viewing of HTML components in e-mail messages when using Outlook or Outlook Express? The newsletter compiler knows of no good explanation, and is not writing this item because that has just changed...
However, Dan Gillmor of the San Jose Mercury recently noted in his weblog that Entourage, Microsoft's Personal Information Manager offering to Macintosh Office 2001 users, has two useful security-enhancing options regarding the rendering of HTML in e-mail messages it displays. For one, Entourage users can disable display of HTML message components entirely (which would get the newsletter compiler's vote!) and secondly, Entourage users can allow display of HTML but without allowing the viewing application to access the Internet.
Gillmor's discussion is primrily couched in terms of concern over web bugs in HTML e-mail (reported in this newsletter two weeks ago) and avoiding them. However, the insistence of Outlook and Outlook Express to pour externally sourced "code" (even if it is "only HTML") through Microsoft's notoriously buggy and security-shy Internet Explorer HTML parsers raises the possibility of all kinds of nastiness sensible system administrators would rather avoid.
It is interesting that within Microsoft there is something of a double-standard over this issue between the Mac and Windows e-mal client camps. However, the most telling item Gillmor turned up was Microsoft's explanation of why Windows users have not been given options similar to those in the latest Macintosh Office release -- apparently we do not want such an option, or if we do, we have not been asking for it. If that concerns you, contact your Microsoft representatives ASAP and explain that you would like to be able to disable all HTML functionality in your e-mail client software...
SSH update for various Unix/Linux systems
Over the last couple of weeks there has been discussion of two serious flaws in the SSH1 protocol. As a result, most Unix and Linux vendors are working on, or have already released, updates to products based on or that incorporate certain SSH code.
Precisely which versions and configurations of what are effected produces a rather complex grid which the newsletter compiler fears he would not get correct, so the best thing would be to check with your
vendor if you run any products that implement the SSH1 protocol.
Note that both problems only affect the SSH1 protocol. As some versions of SSH packages can be compiled without any support for SSH1, some "older" versions of these packages may, in fact not be vulnerable (unless they were to be rebuilt with different options). Check carefully with your vendor...
Phil Zimmermann leaves NAI
The creator of PGP, Phil Zimmermann, has left the PGP Security division of NAI. Network Associates Inc purchased PGP Inc in December 1997 and Zimmermann stayed on, much to the surprise of many because of NAI's public committment to key-recovery and key-escrow initiatives -- something seen as anathema to many "purists".
Zimmermann has published a personal statement, citing diverging visions for the future development and direction of the product and his desire to strengthen the OpenPGP standard as his reasons for leaving.