First, some administrivia... The Virus & Security Watch newsletter will, along with the other IDG (NZ) newsletters, take a break for the next few weeks. The first Virus & Security Watch issue for the new year is planned for 26 January 2001.
What is the world coming to? Another week with no new or re-issued Microsoft Security Bulletins! Actually, it has been quiet all round -- maybe the black hats and white hats have been busy with their Christmas shopping?
Researchers at @stake have uncovered several security vulnerabilities in AOL Instant Messenger (AIM) and claim that AIM is installed and used on a surprising proportion of corporate systems (it has been bundled with Netscape Communicator for some time and installed by default with it). And the security news that has caused the biggest stir this week, at least among users of Windows-based personal computers, is Steve Gibson's exposure of how little extra security most popular Windows "personal firewall" products really provide -- see "What use is a firewall that leaks?".
13 December 2000 -- "Black Wednesday" for some
Several antivirus vendors received many reports on Wednesday and Thursday this week of Windows systems being wiped of almost all files. Further investigation of several of these unfortunate cases showed that the affected users had been infected with W97M/Thus.A -- a Word 97 macro virus. This virus has a nasty payload that attempts to delete all files on the C: drive of its host whenever it runs on 13 December.
In the cases where affected users had a scanner installed, it was often found to be out of date. Many scanner users seem unaware that not only do the virus definition (or data, scan string or signature) files need regular updating for their scanners to be much use, but the detection engine has to be kept up to date too. Unfortunately, many of the people affected by W97M/Thus were running very outdated engines that simply cannot detect viruses of Thus' type and/or they had not updated their virus definition files for fifteen months or more (W97M/Thus was first identified about fifteen months ago).
Aside from recommending that users keep their virus scanners up to date, anyone running Office 97 systems should put mechanisms in place to monitor the so-called "macro virus protection" option in those products. Reset the option if it should ever be disabled on machines of users who cannot be totally trusted and, more importantly, investigate why it was disabled on such machines, particularly if it keeps being disabled "mysteriously", as most macro viruses attempt to disable this setting. In Office 2000 shops, similar tests should be performed for the macro security level setting.
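One way to implement the monitor-and-reset check described above, as an added example rather than anything from the newsletter or from Microsoft: a logon script that reads the per-user Word macro protection settings, logs any that are off, and optionally restores them. It assumes Word 2000 keeps its security level as the DWORD Level (1=Low, 2=Medium, 3=High) under HKCU\Software\Microsoft\Office\9.0\Word\Security, that Word 97 keeps its checkbox as the string EnableMacroVirusProtection ("1" on, "0" off) under HKCU\Software\Microsoft\Office\8.0\Word\Options, and that the log path is a placeholder to replace.

```powershell
# Added example: audit (and optionally repair) Word 97 / Word 2000 macro protection
# for the logged-on user. Registry locations are assumptions; verify on a test machine.
# A setting that keeps reverting after repair is the signal to investigate that machine.

$LogFile = "\\fileserver\logs\macro-protection.log"   # placeholder path

function Test-MacroProtection {
    param([switch]$Repair)
    $findings = @()

    # Word 2000: any level below Medium (2) lets document macros run without a prompt
    $w2kKey = 'HKCU:\Software\Microsoft\Office\9.0\Word\Security'
    if (Test-Path $w2kKey) {
        $level = (Get-ItemProperty -Path $w2kKey -Name Level -ErrorAction SilentlyContinue).Level
        if ($null -eq $level -or $level -lt 2) {
            $findings += "Word 2000 macro security level is '$level' (expected 2 or 3)"
            if ($Repair) { Set-ItemProperty -Path $w2kKey -Name Level -Value 3 -Type DWord }
        }
    }

    # Word 97: the "Macro virus protection" checkbox, stored as "1" (on) or "0" (off)
    $w97Key = 'HKCU:\Software\Microsoft\Office\8.0\Word\Options'
    if (Test-Path $w97Key) {
        $flag = (Get-ItemProperty -Path $w97Key -Name EnableMacroVirusProtection -ErrorAction SilentlyContinue).EnableMacroVirusProtection
        if ($flag -ne '1') {
            $findings += "Word 97 macro virus protection is '$flag' (expected 1)"
            if ($Repair) { Set-ItemProperty -Path $w97Key -Name EnableMacroVirusProtection -Value '1' -Type String }
        }
    }

    # One line per finding, with machine and user, so repeat offenders stand out in the log
    foreach ($f in $findings) {
        "$(Get-Date -Format s) $env:COMPUTERNAME $env:USERNAME $f" | Out-File -FilePath $LogFile -Append
    }
    return $findings
}

Test-MacroProtection -Repair
```

Run it without -Repair first to see which machines report findings; repeated entries for the same machine are the "mysteriously" disabled cases worth a closer look.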
NAI/McAfee v4.0.2 detection engine problems
Over the last few weeks, there have been several problems with DAT updates for Network Associates virus scanners when installed on systems running the v4.0.2 detection engine. A couple of DAT updates have caused 100% CPU utilization, effectively locking up affected machines and most recently, the 4110 DAT update has caused partition corruption on machines with NTFS drives. As many system administrators are in the habit of automatically downloading and installing these upgrades, such effects can be quite catastrophic.
The v4.0.2 NAI detection engine is now very old (in virus detection terms) and is no longer supported by the company, but many corporate (and no doubt private) users still run it. As with many virus scanners, you cannot tell the scanning engine version from the product version number and normally have to select the About item from the Help menu (or similar program information options elsewhere) to find the full list of version numbers for the various parts of your scanner.
Regardless of the virus scanner you run, automatically installing definition file updates without testing them first is as bad an idea as automatically installing any other kind of product update without testing. Despite the appearance of such files being "just data", they are much more like "runtime-interpreted patches" and thus should be treated as any other software patch or update.
What use is a firewall that leaks?
Hard drive guru and renowned Internet security investigator Steve Gibson has released a small utility named LeakTest that shows how easy it is to poke gaping holes in most so-called "personal firewall" products. What Gibson has uncovered is that very few of the current crop of personal firewall products offer much real protection against outgoing network traffic -- the kind of thing you should be warned of if you were unwise enough to run one of the many mass-mailing worms that have featured in the Virus News section of this newsletter for the last few weeks.
Gibson explains this in some detail in a series of web pages on his site and includes a "vendor feedback" page for responses from the makers of these products. Anyone who uses, or is considering using, a personal firewall should read up further on this issue at Gibson's site.
Multiple AIM security holes
A security advisory released by security researchers @stake Inc outlines multiple vulnerabilities in versions of AOL Instant Messenger (AIM) prior to v4.3.2229. The vulnerabilities do not require a machine to be using AIM -- merely having it installed can be enough. Attack scenarios include the receipt of malicious HTML e-mail or a visit to a malicious web site. As the vulnerabilities involve buffer overflows, an attacker would be able to execute arbitrary code on a vulnerable machine. The full advisory is linked below and a refreshed version of AIM is expected to be available from the AOL link soon.