INTRODUCTION
The first Microsoft security bulletin issued in 2002 has hit the
streets. It documents a rather esoteric flaw in NT 4.0 and Windows 2000
domain controller security authorization processes between domains
involved in a trust relationship. Regardless of whether the patch for
that flaw is necessary though, the update linked in that bulletin may be
of interest to NT 4.0 and/or Windows 2000 administrators because it is
not just a patch for that problem but the next security roll-up for
the two OSes.
Netscape 6.x and Mozilla users should be patching a serious privacy hole
in their browser's cookie handling, and users of CNet's CatchUp and of
RealNetworks' RealPlayer and RealOne Player should have been alerted to
the availability of product updates that fix security problems in the
respective products. Although I do not usually post security warnings
about hardware products, the Sony VAIO range affected by a newly
discovered vulnerability is probably widely enough used in New Zealand
to justify a mention _and_ few of these users are likely to be on any
sort of support contract with the vendor that would have seen them
alerted to the need for the upgrade.
On the virus front, the week's big (and almost only) story was the
Win32/MyParty.A@mm mass mailer. And, for light relief there is a story
about Internet-enabled kitchen appliances and a news article that shows
not everyone is blind to the risks of Wi-Fi after all...
VIRUS NEWS:
===============
PARTY PHOTOS TOO HOT TO HANDLE!
No -- not a soft porn scam, but the latest 'successful', albeit
short-lived, mass mailing virus to make the rounds. Monday and Tuesday
this week saw significant distribution of this Windows executable virus
-- e-mail ASP MessageLabs intercepted over 13,000 copies within 24 hours
of the virus first being isolated.
The main thing Win32/MyParty.A@mm had going for it was a social
engineering trick. Although used unsuccessfully about a year ago, this
trick clicked this week, with many e-mail users being fooled into
thinking the program file named 'www.myparty.yahoo.com' attached to the
virus' e-mail messages was actually a URL shortcut to a web site. (To
Windows, .com is an executable file extension, so the attachment runs
just as an .exe would.) Of course, the Subject: line of 'new photos from
my party!' and the accompanying message suggesting the party was
'absolutely amazing!' and that the sender had 'attached my web page with
new photos!' were likely to reinforce the misperception. (Readers
accustomed to spotting hoaxes should have their 'too many exclamation
marks' sensors tingling by now!)
Users so fooled double-clicked the attachment and ran the program. The
virus promptly copied itself to their hard drives and started mailing
itself to addresses culled from the Windows Address Book and from .DBX
files (normally Outlook Express e-mail and news message folders) found
on the host machine. MyParty was short-lived though; even more so than
most mass mailers. Before running its mass mailing routine, MyParty
checks the system date and only continues if it is between the 25th and
29th of January 2002. Obviously, we are seeing few new reports of this
virus now. Users of NT, Windows 2000 & XP who run the virus also face
another issue -- on these NT-based OSes MyParty drops and installs a
remote access Trojan (RAT) which potentially opens the machine to
further indignities from across the network. Unlike the viral component,
this RAT is not date-constrained once the virus has installed it.
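As an added example, not from the newsletter nor from any antivirus vendor, here is the kind of attachment check a mail gateway could apply to catch this lure. It flags attachments whose name ends in an extension Windows will execute, notes when the rest of such a name reads like a host name, and flags any attachment whose content starts with the 'MZ' signature of a Windows executable whatever the name says. The message it scans is constructed here, modelled on the MyParty text quoted above, with a harmless 'MZ' stub in place of the virus.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. ".com" is the one that lets a
# name like www.myparty.yahoo.com pass for a web address.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "lnk"}

# Two or more dot-separated labels: a file name that reads like a host name.
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def suspicious_attachments(raw_message: bytes) -> list:
    """Return one record per attachment a gateway should hold back."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension .{ext}")
            if HOSTNAME_LIKE.match(name):
                reasons.append("file name mimics a host name / URL")
        if payload.startswith(b"MZ"):
            reasons.append("content has the MZ header of a Windows executable")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed message modelled on the MyParty lure. The attachment is a
    harmless 'MZ' stub followed by zeros, not the virus."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "you@example.com"
    msg["Subject"] = "new photos from my party!"
    msg.set_content("Hello!\nMy party... It was absolutely amazing!\n"
                    "I have attached my web page with new photos!\n")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="www.myparty.yahoo.com")
    msg.add_attachment("nothing to see here", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample()):
        print(hit["filename"], "->", "; ".join(hit["reasons"]))
```

The MZ check is the one that survives renaming: an attacker who drops the telltale extension still has to deliver a real executable for the double-click to do anything, and that executable still starts with MZ.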
Various antivirus developer descriptions:
http://www3.ca.com/virus/virus.asp?ID=10930
http://www.f-secure.com/v-descs/myparty.shtml
http://vil.nai.com/vil/content/v_99332.htm
http://www.sophos.com/virusinfo/analyses/w32mypartya.html
http://www.sarc.com/avcenter/venc/data/w32.myparty@mm.html
http://www.antivirus.com/vinfo/virusencyclo/default5.asp
FAMILY FRIDGE TO BE NEXT VIRUS TARGET?
So this item's title is a little whimsical, but the much vaunted
'Internet-connected kitchen' may be closer than you think. The UK
technology watchers at The Register spotted this report of Matsushita
and Toshiba, among others, teaming up to 'offer internet access services
to next-generation home appliances'.
If our kitchen appliances get computer viruses, will we get sick as a
result? Imagine destructive payloads that start your microwave oven when
there is no food in it, set your freezer to 'defrost' during your annual
holidays, have your toaster taking part in denial of service attacks
against major web sites or run your espresso machine as an open SMTP
relay for spammers...
News article:
http://www.theregister.co.uk/content/54/23878.html
SECURITY NEWS:
===================
PATCH FOR SECURITY AUTHORIZATION WEAKNESS IN NT 4.0 / WINDOWS 2000 DOMAINS
System administrators with NT 4.0 and/or Windows 2000 domain controllers
that participate in trust relationships with other such servers should
carefully read the linked Microsoft security bulletin. The weakness
fixed by these newly released updates requires a daunting set of
pre-conditions, even for a determined attacker, including domain
administrator privileges in a trusted domain and probably some advanced
systems programming, so it probably does not pose much risk in many
real-world situations.
You may think that an attack that requires domain administrator
privileges cannot constitute a vulnerability; after all, if attackers
have domain admin rights they can do anything, right? Well, they should
only be able to do anything _in the domain they have administrative
rights over_. The flaw is that a trusting domain does not verify that
the SIDs in the authorization data presented from a trusted domain
actually belong to that trusted domain, so skilled attackers with domain
admin rights in one domain can arbitrarily promote themselves to domain
administrator equivalent in any other domain that trusts theirs.
Although Microsoft rates this a moderate level threat for intranet
servers, it is important for all system administrators considering
deploying the patch for this vulnerability to carefully read the
security bulletin. Specific things to note are that just installing the
patch does not enable the new feature -- SID filtering -- Microsoft has
introduced to correct this vulnerability, and that choosing to enable
SID filtering will break an important backwards compatibility feature
that eases NT 4.0/Windows 2000 migration and can, depending on the
complexity of your network, have other undesirable side-effects. As well
as reading the security bulletin, administrators who think they may be
affected by this should read the white paper and KnowledgeBase article
referenced in the security bulletin.
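As an added illustration of the check SID filtering adds (this is not Microsoft's code and not a description of how Netlogon or the KDC implement it; the real feature has further rules for well-known SIDs), the following Python models a trusting domain receiving a user's authorization data, i.e. the list of SIDs, from a domain controller in a trusted domain. Without filtering every SID in the list is honoured, including one the attacker has injected for the trusting domain's own Domain Admins group (RID 512). With filtering, any SID whose domain portion is not the trusted domain's own is discarded. All domain SIDs below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    """A Windows security identifier, e.g. S-1-5-21-444-555-666-512."""
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.upper().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    def domain(self) -> "Sid | None":
        """Domain portion of an NT-authority domain SID (S-1-5-21-a-b-c[-RID]).
        Well-known SIDs such as S-1-1-0 (Everyone) carry no domain: None."""
        subs = self.subauthorities
        if self.authority == 5 and len(subs) >= 4 and subs[0] == 21:
            return Sid(self.revision, self.authority, subs[:4])
        return None

    def __str__(self) -> str:
        return "S-" + "-".join(str(n) for n in (self.revision, self.authority, *self.subauthorities))


def filter_sids(trusted_domain: str, authorization_data: list) -> tuple:
    """Simplified SID filtering for one trust: keep SIDs that are relative to
    the trusted domain (or carry no domain at all) and drop every SID that
    claims membership in some other domain, ours included."""
    trusted = Sid.parse(trusted_domain)
    kept, dropped = [], []
    for text in authorization_data:
        sid = Sid.parse(text)
        origin = sid.domain()
        (kept if origin is None or origin == trusted else dropped).append(str(sid))
    return kept, dropped


# Constructed domain SIDs for the example.
TRUSTING_DOMAIN = "S-1-5-21-111-222-333"   # our domain, which trusts the other one
TRUSTED_DOMAIN = "S-1-5-21-444-555-666"    # the domain the attacker administers


def demo() -> tuple:
    """Authorization data as a DC in the trusted domain might present it for
    an attacker's account: their user (RID 1104) and Domain Users (RID 513)
    SIDs, two well-known SIDs, and an injected SID for *our* Domain Admins
    group (RID 512). Only the last one should be thrown away."""
    pac_sids = [
        TRUSTED_DOMAIN + "-1104",
        TRUSTED_DOMAIN + "-513",
        "S-1-1-0",                  # Everyone
        "S-1-5-11",                 # Authenticated Users
        TRUSTING_DOMAIN + "-512",   # the forged claim
    ]
    return filter_sids(TRUSTED_DOMAIN, pac_sids)


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The side-effect the bulletin warns about follows directly from this rule: migration tooling that carries users' old SIDs across a trust relies on exactly the foreign SIDs that filtering throws away, which is why the feature is off until you turn it on.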
Microsoft security bulletin:
http://www.microsoft.com/technet/security/bulletin/ms02-001.asp
NEW 'SECURITY ROLL-UPS' FOR NT 4.0 AND WINDOWS 2000
As part of its commitment to easing the installation of all security
fixes for its major applications and OSes, in the middle of last year
Microsoft committed to releasing quarterly security roll-ups for its
OSes, whereby all security patches since the previous service pack would
be made available in one easy-to-install package. So, even if you
administer NT 4.0 and/or Windows 2000 systems and the trusted domain
authorization vulnerability discussed above does not affect you, you
should consider downloading the update from the MS02-001 security
bulletin anyway, because the patch for that vulnerability is the latest
security roll-up for NT 4.0 and Windows 2000.
Microsoft security bulletin:
http://www.microsoft.com/technet/security/bulletin/ms02-001.asp
UPDATES FOR NETSCAPE/MOZILLA COOKIE SECURITY BUG
Security researcher Marc Slemko discovered a flaw in the Netscape and
Mozilla browsers' cookie handling that allows easy access to cookies
from arbitrary domains other than the one hosting the current page.
Given that many web sites use cookies to hold identifying information
about those browsing the site, typically a session token that stands in
for a password, this bug in turn provides opportunities for
impersonation through identity theft. The Netscape 6.2.1 and Mozilla
0.9.7 releases fix this bug and users of either browser are strongly
advised to update to those versions.
Note that this flaw, and therefore the necessity of obtaining the
update, applies to all OS versions of the two browsers.
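The following Python, an added example that is neither Mozilla's code nor a reproduction of the particular bug Slemko found (his advisory has the specifics), shows the domain-matching check a browser has to apply both when a response sets a cookie and when a page asks for cookies, which is the boundary this class of bug breaks. The cookie jar and host names are constructed.

```python
def domain_match(host: str, cookie_domain: str) -> bool:
    """Does a cookie scoped to cookie_domain apply to a page served from host?
    Rules: the domain must contain an embedded dot (so no cookie can be scoped
    to a whole top-level domain), and the host must either equal the domain or
    end with it at a label boundary."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().rstrip(".")
    if not domain.startswith("."):
        domain = "." + domain           # domain=bank.example means .bank.example
    if "." not in domain[1:]:
        return False                    # ".com", ".example": rejected
    return host == domain[1:] or host.endswith(domain)


# A cookie jar of (domain, name, value) triples, constructed for the example.
JAR = [
    (".bank.example", "session", "deadbeef"),
    ("www.bank.example", "prefs", "lang=en"),
    (".attacker.example", "tracker", "42"),
]


def cookies_for(host: str, jar=JAR) -> dict:
    """Cookies a page served from host may read via document.cookie or have
    sent along with its requests. Nothing else in the jar is visible to it."""
    return {name: value for domain, name, value in jar if domain_match(host, domain)}


def may_set_cookie(request_host: str, cookie_domain: str) -> bool:
    """A response from request_host may only scope a cookie to a domain that
    matches request_host itself, so www.attacker.example cannot plant or
    overwrite a cookie for .bank.example."""
    return domain_match(request_host, cookie_domain)


if __name__ == "__main__":
    for host in ("www.bank.example", "www.attacker.example", "notbank.example"):
        print(host, "sees", cookies_for(host))
    print("attacker may set for .bank.example:",
          may_set_cookie("www.attacker.example", ".bank.example"))
```

The embedded-dot rule is the one the original Netscape cookie specification and RFC 2109 state. It is too weak for registries such as .co.nz, where a cookie for ".co.nz" would be shared by every business in the country, which is why browsers later moved to public-suffix lists; the point here is that even the simple rule, applied consistently at set time and at read time, is what keeps one site's session token away from another.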
Slemko's security advisory:
http://alive.znep.com/~marcs/security/mozillacookie/
Mozilla and Netscape download pages:
http://www.mozilla.org/releases/
http://home.netscape.com/computing/download/index.html
CNET CATCHUP PATCHES SECURITY HOLE
Although not explicitly mentioned at CNet's CatchUp site, the newly
released CatchUp v1.31 fixes a security hole in earlier versions of the
software according to the CatchUp Dispatch newsletter released on 23
January 2002. CatchUp is a third-party software and driver update and
patch checking program based on the popular software download site's own
update and software version tracking. It monitors itself for updates and
should have suggested updating itself, so affected users who accepted
that recommendation will be patched.
CNet has not released a detailed description of the security problem.
About all that is known is what was said in the CatchUp Dispatch
newsletter 'CNET recently discovered a security vulnerability in its
CatchUp software that could allow a malicious person to launch CatchUp
and execute arbitrary code on a user's system. The vulnerability affects
all previous versions of CatchUp. Updating to CatchUp 1.31 will resolve
the issue. Existing users who choose not to update can change their user
settings to protect against unauthorized launches of CatchUp. To change
the launch settings, click the Abort button, followed by the Options
button, when CatchUp launches. By unchecking the "Start Scan of Execute"
option, users will be required to click the Start Scan button before any
scan proceeds.'
News article:
http://www.newsbytes.com/news/02/173906.html
CNet CatchUp download page:
SECURITY PATCH FOR SONY VAIO MODELS SOLD IN NZ
Software preinstalled on some models of Sony VAIO PCs sold into the
Asian, Pacific and Middle Eastern markets since May 2001 has been found
to contain a remotely exploitable security vulnerability. Details of the
vulnerability are very sketchy, but Sony has said that malicious
exploitation of this flaw could allow 'access to these VAIO Personal
Computers through hidden programs in an Internet web page or Email
message'. This suggests to your newsletter compiler that an ActiveX
control installed by Sony is improperly flagged as 'safe for scripting'
and thus can be called from an HTML page viewed in Internet Explorer's
Internet zone (which, by default, loads and runs 'safe for scripting'
ActiveX controls without warning or prompting the user).
Similar flaws have been found in the past in controls installed by HP
and Compaq to ease the workload on their tech-support staff, and a
similar flaw in a Microsoft ActiveX control allowed the creation and
extensive distribution of the phenomenally 'successful' JS/Kak virus.
All Sony VAIO users who bought their machines in New Zealand since
November 2001, or who have purchased VAIOs elsewhere since May 2001 are
advised to check the Sony security announcement page for a list of
affected models and download links for the update, should their machines
be vulnerable.
Sony security announcement:
http://www.vaio.co.nz/vaio/announcement/notice.htm
UPDATES FIX BUFFER OVERFLOW IN REALPLAYER AND REALONE PLAYER
RealNetworks has released updates for most current versions of
RealPlayer and RealOne Player that have been found to be vulnerable to a
remotely exploitable buffer overflow which may allow execution of
arbitrary code. This flaw is present in versions of the software across
the OS platforms supported by RealNetworks. Older versions of the
software have not been updated and users of those versions are advised
to update to the latest RealPlayer v8.x or RealOne Player releases for
their platform.
Technical details are available in Tim Morgan's security advisory and
RealNetworks' FAQ on the issue details the vulnerable versions and
upgrade options for obtaining the fix. Affected current RealNetworks
products that have AutoUpdate features should already have pulled the
fix for this vulnerability from RealNetworks.
Security advisory:
http://sentinelchicken.com/advisories/realplayer/
RealNetworks security FAQ:
http://www.service.real.com/help/faq/security/bufferoverrun.html
WI-FI INSECURITY MESSAGE SLOWLY GETTING THROUGH?
The linked article from USA Today details doubts voiced by officials at
some high-profile sites about the advisability of using Wi-Fi where
critical data or mission-critical systems may be within reach of those
connecting via the wireless link.
News article:
http://cgi.usatoday.com/usatonline/20020129/3809438s.htm