The "Anna Kournikova" e-mail virus hit the heights early this week, but by Thursday its writer was facing charges which could lead to four years or more in a Dutch prison. Alas, there are several Windows patches and some "catch up" reminders of things that may have slipped by during the
Users and potential users of wireless networking should also be aware of the shortcomings found in the WEP (Wired Equivalent Privacy) protocol that is part of the 802.11 standard for wireless networks. The final item in this week's newsletter points to a research paper suggesting there may be some serious weaknesses in WEP, reducing the security of wireless networking.
Anyone for tennis?
Everyone within the reach of traditional media or any online news services this week must have heard of the so-called "Anna Kournikova virus" that swept the globe early in the week. Of course, the antivirus vendors didn't help clear up the confusion with nearly every different vendor referring to the virus by a name different from those used by all the other antivirus vendors... Thus, the virus was variously called the Anna Kournikova virus (mainly by the media), VBS/SST.A, VBS/VBSWG.J, VBS_Kalamar, VBS/OnTheFly and I-worm.Lee amongst many minor variations on these themes.
In many ways similar to the VBS/LoveLetter (or LoveBug) virus of May 2000, this virus only spreads via e-mail and lacks the file deletion payload of LoveLetter. It is also like many other similar e-mail worms since LoveLetter, but with the big difference that it was moderately "successful", spreading more widely and more quickly than anything since LoveLetter. This is attributed to the promise of a picture of the Russian tennis player Anna Kournikova and the large interest in her, particularly among younger computer users.
Various antivirus vendor descriptions:
Kournikova virus writer surrenders; to be charged
After releasing the virus described in the previous story, a young Dutch man surrendered himself to local authorities, admitting writing the virus. A self-proclaimed non-programmer, he confirmed that he "created" the virus with a "worm generator" program. He has been released from custody for the time being, but is expected to face charges under Dutch computer crime laws.
Newstory - IDGNet.com
Update on Windows 2000 privilege elevation vulnerability
In the previous newsletter, we reported that Microsoft and the @Stake security researcher who uncovered the "Network DDE Agent Request" vulnerability believed the risk it posed on terminal servers was substantially reduced. This opinion was revised by both parties shortly after last week's newsletter was posted out. Microsoft has now added Windows 2000 Terminal Server administrators to the list of users it "urges" to apply the update as soon as possible.
The patch available from Microsoft is still the same as the original one, so if you downloaded that but did not apply it to your Terminal Server machines, consider doing so. Although the URLs listed below are the same as in last week's newsletter, each contains updates (and the FAQ at the Microsoft site still has the (now erroneous) sentence "Terminal servers are not affected by the vulnerability").
Patches for PPTP denial of service on NT 4.0 Server
Microsoft has acknowledged a potential denial of service attack against NT 4.0 servers due to a kernel memory leak associated with the PPTP service. PPTP (Point-to-Point Tunneling Protocol) allows secure remote sessions, typically between remote users (travelling staff or small remote offices) and resources on the main corporate network. An error in how the PPTP service handles certain malformed packets means that some memory resources are not properly returned to the operating system -- if enough of these malformed packets are processed, a resource depletion denial of service may be achieved against the server hosting the PPTP service. Only servers with the PPTP service active are vulnerable and this service is not installed by default. Further, firewalling is not a viable defense against this attack, as PPTP is intended for exposure to the broader Internet.
Microsoft recommends all users of PPTP services on NT 4.0 install the patches when they are made available. More details are available from the usual places, linked below.
Another remote code exploit in Windows Media Player skins
In the 24 November 2000 newsletter we noted the potential for abuse due to Microsoft's inclusion of scripting abilities into the files containing skins for Windows Media Player v7.0 (MS00-090). The "Windows Media Player Skins File Download" vulnerability is not related to that earlier issue. Rather, the problem arises because skins are actually ZIP format files and are downloaded into a known directory. Coupled with the fact that Java applets can also be packaged in ZIP format files and can be run directly from them, Java code could be packaged into a Media Player skin file and then run under the (very lax) settings of the local computer security zone.
All Windows Media Player v7.0 users should install this update.
Multiple vulnerabilities in BIND
Four security holes that affected either or both of the previous v4.x and v8.x releases of BIND have recently been patched by most affected Unix and Linux vendors. BIND is the most widely deployed DNS server on those platforms and, perhaps more significantly, the DNS server software used on all critical "infrastructure" DNS servers.
Any system admins of machines running BIND who have not updated that software since 26 January should check the "vendor comments" appendix in the CERT Coordination Center's advisory or directly with their vendor, or obtain the updated BIND sources from the ISC and build and install an updated package with some urgency. As the CERT advisory suggests, exploits of these vulnerabilities have started to appear now that the holes have been disclosed.
Multiple issues with Oracle database server
The Oracle Technology Network "Security Alerts" page lists several current and recent concerns with unintended behaviour in the Oracle database server and/or in related software commonly used to interface Oracle databases to web pages and e-commerce applications. Some of these vulnerabilities are quite serious and Oracle administrators would be well-advised to keep up-to-date with the recommendations and patches posted there.
WEP encryption weaknesses may be exploitable
Anyone using, or planning to use, wireless networking based on the 802.11 standard should seriously consider the issues discussed in the URL below. Two researchers have found worrying weaknesses in the encryption used to "secure" broadcast network traffic. These mainly revolve around too small a keyspace and the not uncommon reuse of keys.
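As an added illustration (not from the newsletter or the paper it points to) of why key reuse matters for WEP: WEP builds each frame's RC4 key from a 24-bit IV sent in the clear plus the shared secret, so a capture will eventually contain two frames under the same per-frame key, and once a stream-cipher keystream is reused, XORing the two ciphertexts cancels it out. The key, IV and frames below are constructed; the RC4 routine is the textbook algorithm, and the repeated-IV check is the kind of monitoring a network owner could run over captured frame headers.

```python
# Added example: WEP-style RC4 framing, the effect of keystream reuse, and a
# defender-side check for repeated IVs. All keys and frames are constructed.
from math import pi, sqrt


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling followed by n bytes of keystream output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    """WEP style: the 3-byte IV is prepended to the shared key to form the RC4 key.
    XOR is symmetric, so the same call also decrypts."""
    ks = rc4_keystream(iv + key, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def xor_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """When two frames share an IV and key, this equals p1 XOR p2: the keystream
    has cancelled out, so the encryption no longer hides the relationship
    between the two plaintexts."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def expected_frames_before_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday-bound estimate of how many frames a busy link sends before some
    IV value recurs: about sqrt(pi/2 * 2**iv_bits), roughly 5,100 for 24 bits."""
    return sqrt(pi / 2 * 2 ** iv_bits)


def find_repeated_ivs(frames):
    """Monitoring check: frames is a list of (iv, ciphertext) pairs in capture
    order; returns (iv, first_index, later_index) for every IV seen again."""
    seen = {}
    repeats = []
    for idx, (iv, _ciphertext) in enumerate(frames):
        if iv in seen:
            repeats.append((iv, seen[iv], idx))
        else:
            seen[iv] = idx
    return repeats
```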