Continuing the post-vacation catch-up, we cover all Microsoft's January 2001 security updates and an important upgrade for Lotus Notes users. Last week I mentioned several database updates and patches/updates of importance to Linux/Unix users -- they will be covered in next week's newsletter. Also this week, we saw two miserable attampts to launch a new Windows worm based on the rather "successful" Hybris. Fortunately, the writer of this new worm was rather inept in his efforts and failed to grasp some of the finer details of why Hybris became so successful.
Virus News
Universe no Hybris
A virus writer released a new virus this week modelled after the successful Hybris (as reported in previous newsletters). This new virus, known as Universe, had web-enabled updating and plugin capabilities, much like Hybris. Unfortunately for its writer, it was quickly found, analysed and the web site it depended on for updates was promptly closed. The latter action cut the few copies of the virus that may have been distributed by then off from its only source of updates, thus seriously hampering its chances of becoming anything like the size of problem Hybris has become.
A few days later, a new variant was releeased which was almost identical to the first except it used a different web site. That site was closed just as quickly and thus that variant also became toothless.
-- Symantec's technical virus description
Security News
Office/Windows update for NTLM credentials exposure hole
Microsoft has released an update to patch the so-called "Web Client NTLM Authentication" vulnerability, which affects all Windows machines running Office 2000 and all Windows 2000 and Windows ME machines, independent of whether Office is installed. The heart of this issue is that the Web Extender Client (WEC) will perform NTLM authentication with any server that requests it and does so regardless of Internet Explorer security settings which may appear to be configured to prevent this. WEC is part of Web Folders and extends the basic HTTP protocol so that a web client can obtain sufficient information from a web server to allow displaying the contents of a server directoy in a similar way to the Explorer view of drives and directories on the client machine.
The risk here is that NTLM challenge/response authentication details can be passed through a brute-force cracking program and (eventually) return the user's password. Thus, a malicious web site operator could setup a server to deliberately ask for and capture this data and then brute-force username/password details from the sites visitors.
Microsoft recommends all effected customers apply the appropriate patch. If you have Office 2000 installed, apply the Office 2000 version of the patche regardless of your OS. If you do not have Office 2000 installed, install the Windows 2000 or ME version of the patch, as approrpiate.
-- Microsoft Security Bulletin and FAQ
Updated update for PowerPoint 2000 released
The original patch for the "PowerPoint file parsing" vulnerability has been withdrawn and replaced with an updated patch. If you downloaded the PowerPoint file parsing patch prior to 26 January (NZ), you should return to the update sites, otain the corrected patch and apply that.
The "PowerPoint file parsing" vulnerability is a buffer overflow in code that parses PowerPoint slideshow files as they are opened and read into memory. A maliciously created PowerPoint slideshow file could contain extraneous data that would cause PowerPoint 2000 to crash when opening the file. The worst case scenario is that a specially created PowerPoint slideshow file could cause any code of the file creator's design to be run on the machine opening the slideshow. This code could do anything the PowerPoint user could. Microsoft recommends all PowerPoint 2000 users should "consider installing the patch". This update will be included in the next Office 2000 service pack, so if you and your staff are not in the habit of obtaining and using PowerPoint files from outside your own company and plan installing the next Office 2000 service pack, it would be reasonable to wait until then.
PowerPoint 97 may crash when trying to open such maliciously created slideshow files. However, under PowerPoint 97 there is no ability for code to be run from this buffer overflow, so Microsoft says it has no plans to issue a patch for PowerPoint 97.
-- Microsoft Security Bulletin and FAQ
Patch available for Winsock mutex vulnerability in NT 4.0
A mutex governing access to Winsock networking resources on NT 4.0 has "inappropriately loose permissions" (to use Microsoft's own, refreshingly frank assessment). The upshot of this is that interactive users of NT 4.0 machines can run an application that will lock all other processes out of using Winsock network functions.
Microsoft's assessment of the risk factors associated with this is that NT 4.0 Terminal Server users have the worst risk due to the nature of the server's shared resources. The official line is that workstation users would just perform a local denial of service on themselves, were they to implement this "attack". From the point of view of a lone, interactive attacker, that is true, but a distributed denial of service attack is possible by e-mailing many users within a company a Trojan and depending on a good proportion of them to run it (as we know many of them will). Combined with some of the registry twiddling tricks some remote access Trojans and the like use these days, the Trojan could be set to run at each startup (and many other times too) and the cost of downtime and tech support time for the cleanup could be very high.
In light of this and the further possibility that now it is known this trick could easily be used as a trivial payload in a virus (it could even be implemented in an Office macro virus) your newsletter complier
recommends that all NT 4.0 users install this update when practicable.
-- Microsoft Security Bulletin and FAQ
Patch for new variant of "File Fragment Reading via .HTR" vulnerability
IIS 4.0 and/or IIS 5.0 users have hopefully long-since applied the pathces mentioned in Microsoft Security Bulletins MS00-031 and MS00-044. However, a new variation on the same vulnerability has been uncovered and Microsoft has released another patch to cover this twist on the theme. IIS users are recommended to take heed of Microsoft's warning about .HTR functionality -- unless you have an identified, business-critical need to keep the faunctionality, it should be disabled. If you have disabled .HTR functionality, this update is of no relevance to you (unless you re-enable the functionality in the future). More details at the usual places in the URLs below.
-- Microsoft Security Bulletin and FAQ
Office/Windows update for NTLM credentials exposure hole
Updated update for PowerPoint 2000 released
Patch available for Winsock mutex vulnerability in NT 4.0
Patch for new variant of "File Fragment Reading via .HTR" vulnerability
Windows 2000 hotfix packaging anomalies
English language hotfixes released since Service Pack 1 for Windows 2000 and until 18 December 2000 were all packaged with the same version number. Under certain circumstances, this can lead to these hotfixes being removed by the System File Checker. Microsoft has released a tool and patch that will diagnose whether any given installatin is affected and rectify the problem. Anyone who has installed any post-Service Pack 1 hotfixes (whether they were security pathes or fixes for other issues)
on English language versions of Windows 2000 should visit the URLs below, download and run the checking tools and follow their recommendations.
-- Microsoft Security Bulletin and FAQ
Windows 2000 Terminal Services update available
A patch is available for the "Invalid RDP Data" vulnerability in Windows 2000 Terminal Services, which could allow a denial of service attack against Windows 2000 Terminal Server or Windows 2000 running Terminal Services. This denial of service is seen as a lock-up, so any unsaved work would be lost and the machine would have to be restarted.
This vulnerability is in the Terminal Services, which does not properly handle a particular sequence of packets intended for the Remote Desktop Protocol (RDP). This vulnerability does not allow an atatck against RDP clients, per se, althugh as already noted, any unsaved work will be lost on the RDP server should it be attacked in this manner. To exploit this vulnerability an attacker does not have to be able to establish a terminal sessin with the server.
All Windows 2000 users of Termnal Services should install this update.
-- Microsoft Security Bulletin and FAQ
Lotus Domino 5.0.6a release fixes serious flaw
The latest release of Lotus Domino server includes an update that fixes a serious security hole discovered early in January. The hole allowed what is known as a "directory traversal" out of the root directory of the web server. This potentially exposes sensitive information to remote web users who know, or can easily guess, the paths to files on the drive holding the webroot directory. Lotus rapidly announced a server configuration workaround to prevent exploitation of this hole and recently shipped Domino v5.0.6a which includes a patch fixing this problem. More details and the location for downloading the update are available by following the obvious path from Lotus' Security page, below.