Urgent IIS 5.0 patch and not so merry Christmas news
- 12 November, 2000 22:00
Further to the Microsoft hack reported in last week's Virus Watch, news of another "hack attack" against Microsoft was released just after that newsletter was posted. This time content on a "decommissioned" web server inside Microsoft's network was altered by an attacker probing for IIS web servers that had not yet been patched with the MS00-078 update, which in turn was fixed by an "old" patch (MS00-057) from a couple of months back.
The moral of this story? "Do as I say, not as I do" perhaps?
In general, Microsoft (like many other large vendors) is often criticized for the lack of urgency it publicly attributes to some serious security holes in its products. In light of this, I cannot stress enough the severity of the MS00-086 update discussed below ("Patch for serious security vulnerability in IIS 5.0").
There are several other serious Microsoft security patches covered this week, plus news of a new Windows worm doing the rounds at the moment.
Navidad worm on the loose
This worm -- known variously as Win32/Navidad, I-Worm.Navidad and W32/Watchit.intd -- is making the rounds. Despite a rather serious bug (which may be why it is being reported!), this worm successfully sends copies of itself to many people as if the message was sent by the user of the host machine.
The worm program arrives as an e-mail attachment to a blank message. A "trick" that has also been used successfully by a few previous worms is that these messages are sent by the worm as if they are replies to messages in the host's inbox. Thus, the recipients receive the worm's message with the same Subject: line as a message they recently sent to an affected user and may be more likely to double-click the attachment.
A bug in the worm means that after the first restart following the worm's installation on a host, users will be unable to run many programs. This apparently serious symptom is easily fixed with a simple registry patch. Refer to the detailed descriptions referenced below for details on handling this, should this worm affect any of your machines.
Of course, the usual standards for preventing attacks from unknown executable e-mail attachments will prevent Navidad getting to you. If possible, block all executable attachments at the mail server or a gateway and if you cannot do this, reiterate to staff that they must not run (or "open") such attachments no matter how much they think they can trust the apparent sender.
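As an added illustration of the gateway-side block recommended above (this is not code from the newsletter or from any mail product), the following sketch parses a message and lists the attachments a filter should reject. The extension list, the addresses and the sample filenames are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist of Windows executable extensions; tune to local policy.
BLOCKED_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}


def blocked_attachments(raw_bytes):
    """Return the filenames of attachments a gateway should reject."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for bodies and multipart containers
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.exe." still runs as
        # an executable; strip them before looking at the extension.
        cleaned = name.rstrip(". ").lower()
        # Only the last extension decides how Windows opens the file, which
        # also catches double extensions such as "photo.jpg.exe".
        ext = cleaned[cleaned.rfind("."):] if "." in cleaned else ""
        if ext in BLOCKED_EXTS:
            hits.append(name)
    return hits


def build_sample(filename):
    """Constructed sample: a 'reply' with a blank body and one attachment."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"   # constructed address
    m["To"] = "user@example.com"          # constructed address
    m["Subject"] = "Re: Quarterly figures"
    m.set_content("\n")                   # blank message body
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("photo.jpg.exe", "report.doc", "setup.EXE."):
        print(fn, "->", blocked_attachments(build_sample(fn)))
```

The decision rests on the filename alone, so a familiar sender or a matching Subject: line makes no difference to the outcome.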
Various antivirus developers' descriptions:
Update for serious buffer overflow vulnerability in Windows 2000
All versions of Windows 2000 ship and install an ActiveX control that is vulnerable to a buffer overflow that allows the execution of arbitrary code on the hosting machine. As this can be used in a remote attack via carefully crafted HTML (in a web page or HTML Email), it should be patched as soon as practicable.
If the number of such overflows and other security problems associated with ActiveX in the past has not been enough to convince you that ActiveX should be disabled -- at a minimum in the Internet and Restricted Sites security zones -- perhaps this latest one will. After testing this update, consider adding the disabling of ActiveX in the appropriate zones to your rollout of this update. Also, if they have not already done so, users of Outlook and Outlook Express should put those applications in the Restricted Sites zone so e-mail and News are treated as liberally as Microsoft seems to think the whole Internet should be.
Patch for serious buffer overflow in NT 4.0 Terminal Server
An update to patch the "Terminal Server Login Buffer Overflow" vulnerability has been released by Microsoft. Terminal Server's logon prompt has an unchecked buffer that could allow an attacker to run arbitrary code on the server, including uploading and running other programs and accessing files they should normally not be able to access. This vulnerability does not require the user to be able to log on as an authenticated user -- access to the logon prompt is all that is needed.
As Terminal Server logons can be enabled over the Internet, this vulnerability is remotely exploitable on Terminal Server 4.0 machines that expose this service to the Internet (the default port for Terminal Server logon is 3389 and this should be blocked at the firewall or router on the boundary of networks that should have access to this service). Users who must expose Terminal Server logons to the Internet should install this update as soon as practicable.
Cross-site scripting patch for Microsoft Indexing Services
Further to earlier cross-site scripting updates for various Microsoft web server and client products, Microsoft Indexing Services for Windows 2000 have been found to have such vulnerabilities. Microsoft has released an update to address this vulnerability. Indexing Services are installed by default on Windows 2000, but are not enabled by default. Sites that have enabled, or plan to enable, Indexing Services should apply the update to remove potential exposure to this vulnerability.
Patch for serious security vulnerability in IIS 5.0
Microsoft has released a patch that corrects the so-called “Web Server File Request Parsing” vulnerability in IIS 5.0. This vulnerability allows an attacker to run operating system commands on the hosting web server. The security, and data and business integrity, implications of this should be obvious. To quote the Security Bulletin announcing the release of this patch, "Microsoft strongly urges all customers using IIS 5.0 to apply the patch immediately". It is uncommon for Microsoft to release patches with such strong recommendations for immediate action.
Users who have still not applied the patch for the “Web Server Directory Traversal” vulnerability, mentioned in Virus Watch three weeks ago, get a bonus -- this patch includes that previous one.
Note that IIS 4.0 users are not affected by this vulnerability.
Pegasus Mail security update
Due to its command-line interface, the Windows versions of Pegasus Mail can be used to "steal" files from a user's machine through a file reading vulnerability. Exploiting this vulnerability requires a specially crafted URL and knowledge of the exact path and filename of the files to be stolen, but is still a potentially serious security threat to Pegasus Mail users.
David Harris, author of Pegasus Mail, has released a Pegasus Mail add-on that improves the integration of his mailer with web browsers and adds Pegasus Mail to the Send To menu. Called WSend, this add-on also adds protection from the file reading vulnerability. Due to limitations in some standard Windows DLLs WSend depends on, WSend should only be installed on Windows 95 OSR2 (aka Windows 95B) or later, NT 4.0 or Windows 2000. WSend works with both 16- and 32-bit versions of Pegasus Mail. Users of pre-OSR2 versions of Windows 95 may find the required DLLs have been updated on their machines by careful testing of the WSend add-on, but this should not be tried on production machines.
- Pegasus Mail announcement of WSend