
Security Alert Archives

May 16, 2002

MS critical patch notification

I just posted this to the Security Services list:

Microsoft yesterday released a new cumulative patch (MS02-023) covering 6 new
vulnerabilities in Internet Explorer from version 5.01 all the way to
the newest releases. The MS TechNet article is here and the patch is
here.

Vulnerability identifiers:
a) Cross-Site Scripting in Local HTML Resource: CAN-2002-0189
b) Local Information Disclosure through HTML object: CAN-2002-0191
c) Script within Cookies Reading Cookies: CAN-2002-0192
d) Zone Spoofing through Malformed Web Page: CAN-2002-0190
e) "Content Disposition" Variants: CAN-2002-0193, CAN-2002-0188

The most serious, according to The Register, is the cross-site scripting one, which lets an attacker run script through IE's own built-in error pages. It is marked as Critical and is not as of yet on the Windows Update page, so go get it now. I rate this as a high recommendation if you use anything from IE 5 on.

May 27, 2002

Opera vulnerability

This is going to also be posted to the still subscriberless Security Service List. Yes, I am stubborn. I first heard about this from Bob Thompson's post to his Subscribers, and The Register provided a little more info on this. It appears that the excellent Opera browser has a problem. The vulnerability occurs in versions 6.01 and 6.02 of the Windows edition.

The bug allows a malicious Web site to grab any file off a client's local drive without a problem. I will not, unlike The Register, show you the code that does this, but I will simply recommend that all of you who do run these versions go out immediately to the Opera site and download the patched version, 6.03.

May 28, 2002

2 new Yahoo Instant Messenger vulnerabilities

There are two new vulnerabilities in the Yahoo Messenger program which could be major security risks. The first point is that a new version of Yahoo Messenger is available, which fixes both of these vulnerabilities. If you run YIM, please go now and download this update immediately. This advisory on this list is due to an article on The Register by Thomas C. Greene.

The first vulnerability allows any URL beginning with ymsgr: to call the messenger program, crash it, and run malicious code. Not a good thing, for those who want to be safe online. The overflow only needs 268 bytes, and commands injected that way run with the active user's privileges, which on a desktop version of Windows like 95 or 98 is effectively administrator. The 'call', 'sendim', 'getimv', 'chat', 'addview' and 'addfriend' function calls can be exploited.

The next problem is with the addview function of YIM, which allows the program to load web content on its own. This is, obviously, not a good thing, as it leaves you open to bad scripts and malicious pages. Vietnamese researcher Phuong Nguyen found both of these, and more can be read in his advisory. This problem is fixed by simply removing the function until they have a chance to fix it properly.
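The ymsgr: bug above is the classic URL-handler shape: the browser hands an attacker-chosen string to a registered program, and the program copies the part after the verb into a fixed buffer. The following is an added example, not Yahoo's code and not from the advisory, of a hypothetical handler written both ways: the unsafe strcpy version, and a hardened version that checks the scheme, allow-lists the six verbs the advisory names, and refuses (rather than truncates) an argument that would not fit. The 268-byte hostile input is constructed inline; the unsafe handler is never called on it, since that is exactly the stack smash being illustrated.

```c
#include <stdio.h>
#include <string.h>

#define HANDLER_ARG_MAX 256   /* hypothetical fixed-size buffer inside a URL handler */

/* Verbs the advisory summary above names as reachable through ymsgr: URLs.
 * The hardened handler accepts only these. */
static const char *const allowed_verbs[] = {
    "call", "sendim", "getimv", "chat", "addview", "addfriend", NULL
};

/* The vulnerable shape: everything after '?' is copied into a fixed buffer
 * with no length check, so an argument of 268 bytes (anything above
 * HANDLER_ARG_MAX - 1) writes past the end of the stack buffer.  main() only
 * calls it on short input; it is here to show the defect, not to be reused. */
void ymsgr_handle_unsafe(const char *url)
{
    char arg[HANDLER_ARG_MAX];
    const char *q = strchr(url, '?');
    if (q == NULL)
        return;
    strcpy(arg, q + 1);                       /* unbounded copy */
    printf("unsafe handler would dispatch: %s\n", arg);
}

/* Hardened shape: check the scheme, allow-list the verb, bound the argument
 * copy, and reject (not truncate) oversized input.
 * Returns 0 and fills verb_out/arg_out on success, -1 on rejection. */
int ymsgr_handle_safe(const char *url, char *verb_out, size_t verb_len,
                      char *arg_out, size_t arg_len)
{
    static const char scheme[] = "ymsgr:";
    size_t slen = sizeof scheme - 1;
    if (strncmp(url, scheme, slen) != 0)
        return -1;                            /* not our scheme at all */

    const char *verb = url + slen;
    const char *q = strchr(verb, '?');
    size_t vlen = q ? (size_t)(q - verb) : strlen(verb);
    if (vlen == 0 || vlen >= verb_len)
        return -1;
    memcpy(verb_out, verb, vlen);
    verb_out[vlen] = '\0';

    int known = 0;
    for (const char *const *v = allowed_verbs; *v != NULL; v++)
        if (strcmp(*v, verb_out) == 0)
            known = 1;
    if (!known)
        return -1;                            /* unknown verb: refuse */

    const char *arg = q ? q + 1 : "";
    size_t alen = strlen(arg);
    if (alen >= arg_len)
        return -1;                            /* would not fit: refuse */
    memcpy(arg_out, arg, alen + 1);
    return 0;
}

/* Builds "ymsgr:call?" followed by arg_bytes 'A' characters: the constructed
 * hostile input used below.  Returns the total length, or 0 if buf is too small. */
size_t build_long_url(char *buf, size_t buf_len, size_t arg_bytes)
{
    static const char head[] = "ymsgr:call?";
    size_t hlen = sizeof head - 1;
    if (hlen + arg_bytes + 1 > buf_len)
        return 0;
    memcpy(buf, head, hlen);
    memset(buf + hlen, 'A', arg_bytes);
    buf[hlen + arg_bytes] = '\0';
    return hlen + arg_bytes;
}

int main(void)
{
    char verb[32], arg[HANDLER_ARG_MAX], url[512];

    /* Benign input: both handlers cope. */
    ymsgr_handle_unsafe("ymsgr:sendim?bob");
    if (ymsgr_handle_safe("ymsgr:sendim?bob", verb, sizeof verb, arg, sizeof arg) == 0)
        printf("safe handler: verb=%s arg=%s\n", verb, arg);

    /* Constructed 268-byte argument, the size the advisory cites.  The unsafe
     * handler would smash its stack here, so only the safe one is called. */
    build_long_url(url, sizeof url, 268);
    printf("268-byte argument: %s\n",
           ymsgr_handle_safe(url, verb, sizeof verb, arg, sizeof arg) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

The allow-list is the part that also closes the second bug described above: a verb such as addview that should not be reachable from a web page is simply not in the list, so the handler refuses it instead of relying on the function being removed later.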

Windows 2000, NT 4, NT 4 TSE patch

A new patch is out on Windows Updates, which should be run immediately to prevent a malicious user from gaining elevated privileges through the debugging facility, and then running code of their choice on your computer. The update is titled Q320206, and the corresponding security bulletin is MS02-024.

"This update resolves the "Authentication Flaw in Windows Debugger can Lead to Elevated Privileges" security vulnerability in Windows 2000. This vulnerability is the result of a flaw in the authentication mechanism for the Windows debugging facility that allows unauthorized programs to gain access to the debugger. Download now to prevent a malicious user from gaining elevated privileges through the debugging facility, and then running code of their choice on your computer."

So, if you run Windows 2000 (or NT 4), go to the Windows Update page (http://windowsupdate.microsoft.com/) and install it. You can also download the patch for Windows 2000, NT 4, or NT 4 Terminal Server Edition. Please, go now. On a side note, both of these were posted earlier to the Security Service list. The gap between posting there and posting here will continue to lengthen.

June 1, 2002

Truly critical update?

Ok, so I was just running my usual Windows update, and I realized something. They added something to critical that I am not really sure is critical, at least not for me, and in fact may be more damaging than helpful. It is labelled as 'Windows Automatic Update'. It is described as "This Windows feature notifies you when critical updates are available for your computer. This feature replaces Critical Update Notification if it is already installed. Critical Update Notification will no longer offer critical updates. Download now to receive notifications of critical Windows updates."

I, as one who has more than once experienced many problems from a critical update, cannot in good conscience recommend anyone install this, because it does not tell you when an update has been done, and there is no evidence from what I have read that they have any intention of waiting to see if there are problems before it is forced on people. I really have to recommend against installation of this. At worst stick with Critical Update Notification and use it when necessary.

June 2, 2002

Movable Type security alert!!

I know, most of those reading this (assuming anyone is) will know that when directions in an install process say to delete a file, specifically warning of security risks, one really should do so. I occasionally forget or skim over a part that says that kind of stuff myself. I know I did in this case, until a few weeks ago when I started hearing of MT hacks going on out there. I just found out that the two files, mt-load.cgi and mt-upgrade.cgi, were still in the folder they came in. I knew I had put them somewhere else, but I think I forgot to delete them from the other folder. Doh!

"It is OF THE UTMOST IMPORTANCE that you remove mt-load.cgi after you run it the first time. If you did not delete mt-load.cgi when you installed MT, DO IT NOW. There is a hacker (or a group of hackers) hacking MT sites by running mt-load.cgi to gain access to the system. You are not vulnerable to this if you deleted mt-load.cgi. As the installation instructions say, and as mt-load.cgi itself says, you must remove mt-load.cgi from your server after you run it to prevent this security hole. So, do it now, if you haven't done so already." (http://www.movabletype.org/support/ib3/ikonboard.cgi?act=ST;f=17;t=3)

As I said before, this also includes mt-upgrade.cgi, so please make sure you delete these two files immediately to prevent someone taking over your blog, and also check your registered authors to make sure no one has registered any other authors with full access. This is important, unless of course you don't care about your Movable Type blog and want it to be taken over, forcing you to start over.

Cross platform virus alert!!!

This from Kevin: there is a new virus that targets both Windows and Linux in a very complex way.

Called {Win32,Linux}/Simile.D, it is described as "a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It is the first known polymorphic metamorphic virus to infect under both Windows and Linux. The virus contains no destructive payload, but infected files may display messages on certain dates. It is the fourth variant of the Simile family. This variant introduces a new infection mechanism on Intel Linux platforms, infecting 32-bit ELF files (a standard Unix binary format). The virus infects Portable Executable (PE) files as well as ELFs on both Linux and Win32 systems. So far Symantec has not received any submissions of this virus from customers."

The virus was confirmed to infect successfully under versions 6.2, 7.0 and 7.2 of Red Hat Linux, and it very likely works on most other common Linux distributions. The solution to an infection is simple, for those on Windows at least: run your anti-virus program. I have not found a way to remove the virus if it is a Linux infection. A simple way to avoid that is to turn off unessential services and adhere to all of the best practices for Linux and Windows.

June 5, 2002

Yet Another IE Exploit

That means Yet Another IE Exploit, and it means we have yet another problem with the world's favorite browser. This one is in the implementation of the Gopher protocol, which is outdated and was essentially replaced by the web. I never used the protocol, but apparently once again Microsoft's choice to forgo security in favor of usability bites them, as their support for old and unused protocols leads to a security hole which can allow an attacker to take control of your computer.

There is not yet a patch for this, but Microsoft claims they are working on it and have only known about it for something like 15 days. Hmm. A Linux patch never takes this long. In the meantime, I will agree with Bob Thompson in his recommendation to subscribers that people move quickly, run, don't walk, to the Mozilla and Opera sites to try out those browsers.

The group that found it has its own page which describes the exploit and gives a good tip on how to eliminate the problem. The only problem I have is that this allows people to continue using IE, which I would have to say is a bad thing. Yes, I use it only because my readers use it and I feel a need to support you all in any way I can. If you all move to Mozilla, so will I. I won't move to Opera with you, but I will run it to verify claims of exploits if they arise.

June 19, 2002

Apache bug found and fixed

Yesterday :bob: mentioned that there had been a bug found in the Apache web server software. Apache was complaining, just as other software makers have, about not being given time to fix it before the bug was announced. Unlike Microsoft, though, it was not given any warning of the bug at all; they were in fact complaining about the lack of warning, not about lack of time. Bob then pondered how long it would take Apache to fix the bug, compared to the 2-4 months it takes Microsoft. This was, as I said, yesterday.

In the light of today, or actually last night, we see a new version of the Apache web server available on the Apache web site, with the fix applied. Less than 24 hours. That is all that was needed. 2-4 weeks, if not months, for Microsoft. Now, the advantage of Windows is...?? Where was the problem of security with Open Source? I mean it looks to me, based upon months of watching and use, that Open Source patches come about quicker, the bugs are fixed sooner and are more trusted. To quote Bob: "Take that, Microsoft."

June 21, 2002

Apache vulnerability and upgrade reminder

I mentioned a while back that Apache had put out a new version after a bug had been announced that affected all versions. Apparently many admins, like the admin of the Kremlin's newly relaunched web site, missed that notice, and while the Kremlin says its site is super secure, it is vulnerable to this bug and thus easily hackable.

So, therefore, I will again point you to the Apache site, and tell you to upgrade to 2.0.39 (or 1.3.26 if you are still on the 1.3 branch, which carries the same fix). It is easy, and your httpd daemon will not be offline more than a few short minutes. Trust me, it is more than worth it. I have done it, but then again my server is LAN, not internet accessible. In fact it isn't even LAN, it is solely accessible on that computer. Oh never mind. Just upgrade!

June 26, 2002

Hotmail spreading Yaha-E worm

Ok, so The Register reports that the Hotmail servers, which claim to have built-in anti-virus support, are not stopping the Yaha-E worm, which comes embedded in a real, viewable (although grainy) image in the JPEG format. This virus is not a shock, and the fact that, just like with SirCam, the servers are not stopping it means they are in fact helping to spread this insidious virus. This means that once again, please turn the preview pane off.

"W32.Yaha.E@mm is a mass-mailing worm that sends itself to all email addresses that exist in the Microsoft Windows Address Book, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files that have extensions that contain the letters ht. The worm randomly chooses the subject and body of the email message. Depending upon the name of the Recycled folder, the worm either copies itself to that folder or to the %Windows% folder.

The name of the file that the worm creates consists of six randomly generated numbers."

Please, update your definitions immediately. As well, please turn off the preview pane in your chosen client.

June 27, 2002

Another MS critical patch

:bob:<http://www.ttgnet.com> emailed his subscribers, of which I am proudly one, and informed us all of the following critical update. This one is a bug that will allow others to run code of their choice on your machine through a bad implementation of DRM in Windows Media Player. It is recommended that you go to Windows Update immediately and update your computer.

Please, though, be wary of the still resident and repeated requests for installation of the Automatic update feature. This is still very dangerous and should be avoided. Unfortunately there is no way to stop it from asking to install, so it is best to just make sure you keep deselecting it.

[Update: Not a big thing, but an annoying one. See, I don't use WMP often. In fact unless I am watching Windows video files, I don't use it at all. Therefore, to conserve desktop space, which I coincidentally increased to 1280x1024 last night, I put the WMP icon in a folder of icons that are never used, but worth keeping around for that once in a blue moon anyway. Well, the patch for WMP replaces the desktop icon without even asking. Annoying but not critical. I would simply remove it again.]

June 28, 2002

Hidden result of Yaha.E virus

Ok, I know I am likely late in this, but I will let those of you who don't know. Those machines that have not been cleaned from possible Yaha.E virus infections are currently performing a distributed denial of service attack on the web site of the Pakistani government. The web site is, at this time, offline, so it is clear that the attacks from the drones were successful. The bug may have other hidden payloads, so if you got any grainy looking images in email lately, update your virus definitions and run a scan for the virus. Check out Sarc for removal instructions.

July 11, 2002

PGP Flaw

Posted to the Security Service List.

Ok, so there is a new flaw, one of the few, in PGP. Thankfully, while NAI, the owners of PGP, are not doing any more work on new and better versions of the public key encryption package, they have released a hotfix for the affected commercial and freeware packages.

The Register reports that the new flaw is in the plug-in that allows people like me to integrate PGP right into Outlook (or Outlook Express), but could also allow a malicious script to be run with the level of permissions that the user has. It could also expose your passphrase and allow others to unscramble your messages and reveal potentially sensitive data.

Wired takes a more extensive approach, explaining what the plug-in does, how it is exploited, and why PGP is a target of attackers. Both articles are decent, and after reading both you get a good feel for why PGP is important, and why it is important to patch it. The issue was discovered by eEye's Marc Maiffret.

July 23, 2002

PHP vulnerable

Josh, The Register, and many others have mentioned a vulnerability in PHP. According to The Register, the flaw exists on all platforms, but is worse on Sparc hardware, where memory can be controlled more easily. It can still cause a denial of service on all other platforms, and a fixed release, 4.2.2, replaces the affected 4.2.0 and 4.2.1.

August 8, 2002

Flash player vulnerable again

Ok, so these are a little fruitless when I am offline, but this is worth mentioning. I have for a long time tried to avoid designing Flash based web sites, along with Shockwave and other multimedia plug-ins. The reason for this, for the most part, is that anything that is so powerful, and widespread, is bound to be a method of viral package delivery, and a target of massive hack attempts, just like audio and JavaScript have been in the past. Well, not for the first time, Macromedia announced today that the Flash player has a bug that could allow unscrupulous folks who wish to do harm to run bad code that can execute files and scripts off your hard drive, instead of off the server only. It is good to see Macromedia admit this, and I advise patching immediately after reading about this, because I would expect a virus out in a very short time, as soon as next week, that will exploit this. Virus writers are getting quicker in the writing to try to catch as many as possible without patched versions.

Code Red, which many of you have heard about, exploited months-old vulnerabilities in IIS. Nimda went even further back, and took a hydra approach to the attacks in that it had many avenues of delivery, and exploited many different vulnerabilities. Viruses now are not looking so far back into the past, but instead are going for delivery as soon as possible after the vulnerability is announced. Now, I am sure :bob: is advising you to remove the Flash Player altogether, which is not a bad idea, but there are still many useful sites who have not learnt the lesson of at least making one Flash and one non-Flash based site, for those who cannot or will not use Flash. I don't allow any Flash to be executed unless I implicitly trust a site, and my browser is directed to ask me every time it is asked to run any ActiveX controls. This is also a good recommendation, and I might just write up how to do this soon. Either way, Flash is a security risk, and should at least be patched immediately, if not removed!

August 9, 2002

Google Toolbar vulnerability

They mentioned on Tech Live at 10:30 that the Google Toolbar has apparently been discovered to have a bug in it that allows hackers to send your browser to a specific page, which might allow them to run malicious code, as has been found on a good number of other sites, some of which are dead and an example of which I actually have snuck away on a CD with nothing else on it. There is already a patch out for it, so go to Google to get an update with the patch, so that you are secure. Again, this is not likely to be new by the time you read it, nor will it be useful to most of you, but if one of these tips helps prevent one person from getting hacked, infected or otherwise harmed technologically, it is worth the few minutes to write it, spell check it, post it to the web, and rebuild the files to get it created.

August 17, 2002

Possible virus alert!

I have included the headers for an email I got while at work, thankfully not previewed. I know I have not sent any email to that address, and usually returned emails are actual attachments. This one is a bunch of code in the email, which usually signifies a virus. Does anyone know of a virus like this? I have not kept up, but naturally delete anything with code in the body of the email, or attachment, no matter who it comes from. I would really appreciate a low cost service that alerts for new viruses out in the wild.


September 17, 2002

Linux.Slapper.Worm

Ok, this won't be going to the mail list, well, because no one is subscribed, so I will just post it here. There is a new worm attacking Linux machines running Apache with SSL. The Linux.Slapper.Worm is apparently set up to give control of the computer to the creator of the worm, and it appears that as of Monday morning the creator had a cadre of 11,000 or more willing machines, at least as was reported. The worm gets in through a known flaw in OpenSSL, so the fix is to upgrade OpenSSL (0.9.6e or later), not just Apache. The virus protection community is widely split between those who feel Slapper will be huge and those who feel it won't be. Compared to Code Red over the last few months of its peak this worm is not a huge nuisance, but it is worse than Code Red was at the same point.

January 4, 2003

Apparently not a hoax

Ok, 1 point to the first one to remember where this file name is from: 'Jdbgmgr.exe'. Ok, sorry, too many people shouting at once. Yes, you in the back, from vmyths. Yes, you are right, it is the file name you were rushed into deleting in the email that turned out to be a hoax that my mother and sister both fell for last May. So, why am I mentioning it? Because Trend Micro emailed me, and Sarc cross checked that a new virus does go after that file, among many others. W32.Recory@mm, as Sarc names it, is a mass mailer, as the name denotes, and does Klez-like social engineering by saying it is a recovery tool. DO NOT OPEN!

January 6, 2003

Danger, dear viewers

Ok, do not go to the following URL, and I really mean this. The domain www.powermac.com has been discovered by :brad: to be infected with a virus, Nimda, and the file that is offered up for download should not be downloaded. If anyone knows the owner, please inform them of this infection, and please have them take the server down. Brad found this out the hard way, by downloading it, and executing it (I think), and was nice enough to warn us all. I thought this damned virus was gone by now!

January 9, 2003

Avril Lavigne is a virus!

The Avril-A virus, a new worm that uses a year-old exploit that does not require the user to open the attachment, is spreading around wildly, and when it is executed it attempts to disable the user's anti-virus. The Register says "On infected machines, Avril-A opens IE on the Canadian singer's Web site, www.avril-lavigne.com, on the 7th, 11th and 24th of the month." Mac and Linux users are safe.

January 25, 2003

My god, they were right

Do you run Microsoft SQL Server? Please, patch it or kill it, because right now it is quite possibly scanning me, or others, if it is not patched. The net slowdown last night was not just my end of the net; instead it was actually the W32.SQLExp.Worm, which brought down a lot of servers and routers, and is still causing some sites, like Internet Traffic Report, to be down hard. It spreads on UDP port 1434, so if you cannot patch right now, at least block that port at the perimeter. The Washington Post reports that the worm is considered responsible for killing almost all internet service in South Korea, and I have to agree that the effect last night was very similar to Code Red and Nimda, though its method is different.

May 13, 2003

Fizzer worm in wild

I cannot honestly recall the last time a big mass mail worm hit the net, but yesterday The Register reported that the Fizzer worm was spreading via email, though it's likely propagating far quicker through Kazaa, which it goes through like a knife through butter. "Fizzer carries a dangerous payload that can cause confidential data to be leaked from infected computers. The worm installs a keyboard-logging program that intercepts and records all keyboard strokes in a separate log file. To transmit this information, Fizzer loads a back-door utility that allows crackers/VXers to control a computer via IRC channels." It also tries to shut down the infected machine's installed and running anti-virus, so the user has to find a way to update definitions and run a scan without the virus executing itself again. Safe mode is your friend. [Update: Wired also reports here]

May 20, 2003

From: Microsoft.com

Virus writers and black hats have one thing in common. They thrive on social engineering. When someone like my parents, or my sister for that matter, gets an email from someone like Support@Microsoft.com, they are 100 times more likely to open it than if it is from Bob5345231@hotmail.com. It's not their fault; most people trust the name Microsoft, and would see the types of messages that the Palyh (AKA Mankx) worm is showing as a good thing, of Microsoft being proactive instead of reactive. Well, that worm has shown up in my inbox so many times I am beginning to wonder who I know that has it, and I hope it is not one of the above listed folks, because I would really hate to have to go do a cleaning. In the end, the rule of 'Never ever open attachments' stands strong.

Analysis: Fizzer worm

As I predicted long ago, when the Nimda virus hit with its multiple attack vectors and infection methods, more and more of the worms that are hitting the press lately, few as there are, are really making noise because they have multiple attack methods. The Register has a piece that analyzes the Fizzer worm, which spread through Kazaa and email as well as flooding IRC with bots, installing a keylogger, and trying to disable the infected machine's anti-virus program, and shows that while it was a new generation of worm using the MAV method, it doesn't seem to have been well written or planned, suggesting it may have been a virus accidentally released into the wild.

The first sign of this is that the IRC-Unity group of IRC admins found that, given the right commands, the worm can be told to uninstall itself completely from the infected machines. Interesting idea, a virus with an uninstall command. "John McGarrigle of RealmNET started the project only a week ago, bringing in over a hundred IRC admins, and in that time the group has developed a way of uninstalling fizzer from infected hosts in large numbers. The group has "collected more information on the fizzer virus than one network and its staff could ever manage on its own," McGarrigle says." While I know some people with trouble on IRC, this proves that even such a loose-knit group of people can get together and work to rid the community of a problem.

June 5, 2003

Virus clones run in wild

A new variant of the BugBear virus, called Win32.Bugbear.B, is spreading very rapidly through the internet, and slamming networks almost as hard as the original only 4 days after the Sobig worm's latest variant, W32.Sobig.C@mm, hit. "Like the first worm, Bugbear.B is a mass-mailing virus that infects Windows PCs. After it infects a PC, the virus searches the machine for e-mail addresses and sends a message out to each address, with a copy of itself attached. Bugbear also grabs a random address from those found in the e-mail program on the PC and uses it in the "From:" line of the messages it sends. This disguises where the actual e-mails are coming from and makes it difficult to alert someone that his or her system is infected. The virus also attempts to spread by copying itself to other computers that share their hard drives with the infected system."

As for Sobig, "Sobig.C infects Windows 95, 98, Me, NT, 2000 and XP systems when users open an attachment after receiving an e-mail generated by the program. The e-mail appears to come from several different addresses--including bill@microsoft.com--and contains any of the following subject lines: "Approved," "Re: 45443-343556," "Re: Application," "Re: Approved," "Re: Movie," "Re: Screensaver," "Re: Submited (004756-3463)," and "Re: Your application." Once opened, the virus program will spread to any networked hard drive shared with the compromised system and search the current computer for e-mail addresses to which it will send a copy of itself. If the date is June 8 or later, the virus won't try to spread."

August 11, 2003

Long expected Windows worm strikes

Ever since the critical RPC vulnerability was announced on July 16th to exist in almost all versions of Microsoft Windows, and the many patch warnings that followed close behind, the one question has always been not if there would be a virus to exploit it, but how quickly. Earlier today that was answered. The W32.Blaster.Worm was discovered by SARC this morning, and in the relatively few hours since its discovery the virus has become a 3 rating (2nd highest) in threat, and it has made everyone realize how quickly virus writers can act when prompted with a very tempting target.

The latest info I have culled from the SecurityFocus mail lists is that there have been several infections on previously patched systems, all of which seem to have been when there were multiple patches applied at the same time. The same is true on my system, though there is no infection as far as I can tell. I will, though, run a scan overnight, and hope things are good. Therefore, I must concur with all the experts on this one. Please go download the patch, even if you already did, and ensure you are safely protected; the one you want is MS03-026 (Q823980), and you can confirm it is listed under Add/Remove Programs. It is far better to patch a second time than to get infected once. Right? Good. Practise Safe Computing.

January 3, 2004

Jitux.A helps welcome in the new year

Happy New Worm. That is the title of the welcoming piece of the new year that sees a new worm, the Jitux.A virus, which is spread by MSN Messenger. This is a sign that the new year shall begin just like the last ended, virus riddled and infested. CNet reports about the new worm "When executed, the file becomes resident in memory and sends messages to other MSN Messenger users every five minutes, prompting them to download the virus' code, contained in a file called jituxramon.exe. The virus started to spread more rapidly Friday, affecting mainly Portugal, Spain and Mexico, said Panda Software. It affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Users can remove the virus simply by scanning their PCs with antivirus software that has up-to-date virus definitions, from Panda, Symantec, McAfee or others."

About Security Alert

This page contains an archive of all entries posted to The Geeks Blog in the Security Alert category. They are listed from oldest to newest.


Powered by
Movable Type 3.35