The newsletter compiler is unexpectedly out of the office this week, so this issue is a little more to the point than usual...
A couple of Windows privilege elevation vulnerabilities are discussed which allow local users to obtain Local System privileges for arbitrary code and a new twist to electronic eavesdropping was widely uncovered this week. On the virus front, be aware that with Valentine's Day approaching, the amount of unnecessary and potentially dangerous junk code e-mailed between users will increase immensely...
Be wary of Valentine's affections...
We've seen it in the past and it's sure to happen again -- some of the computing world's sociopaths are almost bound to try to take advantage of other computer user's proven inability to apply good judgement when the "lure of love" is hinted at. The LoveLetter virus outbreak last year showed how readily computer users would disobey good computing practices and several pieces of malware were very "successful" over the Christmas/New Year period by exploiting appeals to typical seasonal
So, with Valentine's Day approaching, be especially wary of the deluge of executable jokes, greeting cards and the other digital detritus that multiplies around such events. Corporate e-mail gateways that are not already blocking such content as a matter of habit should perhaps be revisited? If your observations of your staff's behaviour with "dubious" e-mail content does not convince you more drastic steps than depending on them to remember, apply and enforce policies are needed, perhaps the results of a recent survey of user attitudes to e-mail, at the following URL, will change your mind...
Patch available for Windows 2000 privilege elevation
Microsoft has released a patch to fix the "Network DDE Agent Request" vulnerability which allows a local user of a Windows 2000 machine to run code under the Local System security context. This vulnerability is not present in NT 4.0 because there the Network DDE Agent runs with the user's security context. As this exploit requires not only locally run code but also access to the same window station and desktop as launched the Network DDE Agent, the risk on terminal servers is substantially
reduced, as each terminal session has its own window station. Best practices should prevent unprivileged users from logging into servers and other security-critical machines from their consoles, so the risk from this vulnerability should be limited to workstations.
The vulnerability was discovered by security researchers at @Stake, whose security advisory contains more technical details of the issue. Patches are available from Microsoft.
Update for Windows NT 4.0 privilege elevation
The "NTLMSSP Privilege Elevation" vulnerability allows users who can interactively log into an NT 4.0 machine and run arbitrary code to obtain Local System privileges. The NTLM Securty Support Provider
(NTLMSSP) is a standard component of NT 4.0 that handles NTLM authentication requests -- its Windows 2000 implementation does not have the code flaw discussed here.