Windows/Java | Internet Software | Mass-Mailing Worms | Servers | Telnet | SNMP | Internet Explorer | NT/2000 | Outlook 2002 | References
Joyce Winslow
jwins@oregon.uoregon.edu
Despite Microsoft's resolve to tighten security in 2002 (see "Microsoft
Gets Serious About Improving Security" on page 18) security flaws in
Microsoft products continue to surface. This article summarizes some of the
exploits reported in recent months.
Note: You can get the jump on most Microsoft vulnerabilities like the ones cited
here by routinely running Windows Update. From your Start menu, go to Windows
Update -> Product Updates. Pay particular attention to critical updates and
service packs.
Microsoft acted quickly to fix two Java-related security problems uncovered
in March. Because of their potential for harm, both these vulnerabilities were
rated "critical" even though no exploits have as yet been reported
and most home users will not be at risk.
Both vulnerabilities involve some versions of Java Virtual Machines (JVMs),
a common application that allows Windows users to run programs written in Java.
(The Microsoft VM is designed to run on the Microsoft Windows 95/98/Me/NT
4.0/2000/XP operating systems or later.) One of these vulnerabilities could
allow a malicious applet on a website to track a victim's web surfing until
the browser window is closed; the other could permit malicious Java code to
run outside a restricted area on your computer.
Get the fix: Microsoft's update to its JVM plugs both of these security holes. You may download it from http://www.microsoft.com/java/vm/dl_vm40.htm
In late February, Microsoft released patches for critical security problems
with their Internet Explorer web browser and XML Core Services 2.6 (shipped
with all copies of Windows XP). These problems and their solutions are briefly
described below.
Internet Explorer VBScript bug. A problem with the way IE handles security
for VBScripts potentially puts sensitive information, such as credit card numbers
and passwords typed into a third-party web page, at risk. Because VBScript is
used to access the content of other browser frames from a frame in a different
domain, this glitch could be exploited to allow an attacker to read information
from a victim's local drive, or from third-party web pages a user visits.
The problem affects IE 5.01, SP2, 5.5 SP1, 5.5 SP2, and 6.0.
Get the patch. The patch is available through Windows Update,
as well as from http://www.microsoft.com/windows/ie/downloads/critical/q318089/default.asp
XML Core Services bug. This flaw occurs in an ActiveX control called XMLHTTP,
which allows web pages to exchange XML data via HTTP, the standard web transfer
protocol. The bug affects IE 6.0, SQL Server 2000, and all copies of Windows
XP. It is similar to the IE VBScript bug, in that an attacker could gain access
to a user's hard drive via malicious code embedded in a web page, but it has
several key differences. One of these is that the attacker would have to cause
a user to visit a specific web page, whereas the VBScript exploit does not require this.
Another difference is that HTML email cannot be used to carry out an attack.
For more details, see Microsoft Security Bulletin MS02-008 (on their TechNet site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-008.asp).
Get the patch. The patch is available through Windows Update, as well as from http://www.microsoft.com/windows/ie/downloads/critical/q317244/default.asp
Two mass-mailing worms surfaced last February that take advantage of flaws
in Microsoft applications. One exploits MSN Messenger, and the other sends itself
to email addresses found in the Microsoft Outlook address book and in local files.
MSN Messenger worm. This worm uses Microsoft's instant messenger application
to propagate and arrives in an "URGENT" message with instructions
to open a link to a web page that contains malicious JavaScript code.
Variously known as "JS.Menger.Worm" and "Coolnow," the
worm does no damage to the victim's site, but floods the network with the messages
it propagates, sending the same message to all MSN Messenger users on the victim's
contact list.
Microsoft released a "cumulative patch" for IE that fixes the flaw
used by the MSN Messenger worm (see Microsoft Security Bulletin MS02-005 at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp),
and both Symantec and F-Secure have updated their antivirus products to detect
the worm.
Microsoft Outlook worm. Known as W32.Yarner.A@mm, this worm has the
potential to delete all files on an affected computer. It sends messages written
in German with the subject "Trojaner-Info Newsletter" and the current
date. The malicious attachment is named yawsetup.exe.
As always, a good protection against such viruses is never to open an unexpected
attachment, especially one that contains an executable file (i.e., one with
the suffix .exe).
You should also install Norton Antivirus (included on your UO Duckware CD)
and run LiveUpdate.
For full details on the W32.Yarner.A@mm worm, see
http://www.symantec.com/avcenter/venc/data/pf/w32.yarner.a@mm.html
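An added example (not from the article, Symantec or Microsoft) of how a mail gateway could flag the W32.Yarner.A@mm indicators quoted above, plus the article's general rule about .exe attachments; the sample messages, helper names and the hypothetical rule order are this example's own assumptions.

```python
from email import message_from_string
from email.message import Message

# Indicators quoted in the article for W32.Yarner.A@mm.
YARNER_SUBJECT_PREFIX = "trojaner-info newsletter"
YARNER_ATTACHMENT = "yawsetup.exe"

def attachment_names(msg: Message) -> list:
    """Return the file names of every attachment in a (possibly multipart) message."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        name = part.get_filename()
        if name:
            names.append(name)
    return names

def classify(raw_message: str) -> str:
    """Return 'yarner', 'executable-attachment' or 'clean' for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    names = [n.lower() for n in attachment_names(msg)]
    # Both indicators together point at the specific worm described in the article.
    if subject.startswith(YARNER_SUBJECT_PREFIX) and YARNER_ATTACHMENT in names:
        return "yarner"
    # Otherwise apply the article's general rule: any .exe attachment is suspect.
    if any(n.endswith(".exe") for n in names):
        return "executable-attachment"
    return "clean"

# Constructed sample messages (not real captures); the subject date is made up.
SAMPLE_YARNER = """\
Subject: Trojaner-Info Newsletter 15.02.2002
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hallo,
--b1
Content-Type: application/octet-stream; name="yawsetup.exe"
Content-Disposition: attachment; filename="yawsetup.exe"

(binary payload omitted)
--b1--
"""
SAMPLE_CLEAN = "Subject: Lunch tomorrow?\n\nSee you at noon.\n"
```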
These vulnerabilities affect the Microsoft Commerce Server 2000, SQL
Server 7.0 and 2000, and Exchange 2000 server software.
Commerce Server 2000 flaw. A flaw in the server's default AuthFilter,
which handles some authentication procedures, has the potential to compromise
the control of your server. Attackers can exploit this flaw to launch Denial
of Service (DoS) attacks that can either crash the server or run malicious code
on it; in some cases, they can even wreak havoc upon other computers on the
network.
Get the fix. A patch will be included with Commerce Server 2000
Service Pack 3. It is also available from
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36683
SQL Server 7.0 and 2000 vulnerabilities. These versions of SQL Server are vulnerable
to a buffer overflow glitch that can either crash the server or give an attacker
sweeping system privileges to run code on it.
Get the 7.0 fix. The patch is available from
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318268&
Get the 2000 fix. The patch is available from
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&
Exchange 2000 Server. This vulnerability could allow hackers to read
or alter critical information in the server's system registry, possibly leading
to an attack on the Exchange server itself.
Get the fix. Microsoft's patch for this problem is available
at
http://www.microsoft.com/downloads/release.asp?ReleaseID=35462
Two Microsoft Telnet products, Windows 2000 Telnet Service and the Telnet Daemon
in Microsoft Interix 2.2, have been found to contain unchecked buffers. This
vulnerability leaves the Telnet server open to denial of service attacks and
also has the potential to give hackers an opportunity to execute code on the
system.
Get the Windows 2000 patch. To install the patch, you must already have
Windows 2000 Service Pack 1 or 2. See
http://www.microsoft.com/windows2000/downloads/security/q307298/default.asp
Get the Interix 2.2 patch. Go to http://www.microsoft.com/downloads/release.asp?ReleaseID=35969
The Simple Network Management Protocol (SNMP) for Windows 2000 and Windows
XP has security holes that could result in denial of service attacks or allow
an attacker to take control of another's computer system.
For more details, and to get the patches for both Windows 2000 and XP, see
Microsoft Security Bulletin MS02-006 at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-006.asp
Cookie-Based Script Execution and Local Executable Invocation via Object
Tag. At the end of March, Microsoft released a second comprehensive patch
to fix two critical new security holes that surfaced in Internet Explorer 5.01,
5.5, and 6. In addition to eliminating all earlier known vulnerabilities addressed
in Microsoft Security Bulletin MS02-005, this patch is intended to cover newly
discovered cookie and object tag vulnerabilities and supersedes MS02-005.
Without the patch, an attacker could cause script embedded in a cookie to execute
in the Local Computer Zone, or maliciously invoke an executable file already
present on the user's system. For complete details, see Microsoft Security Bulletin
MS02-015 at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-015.asp
Codebase Localpath Vulnerability (IE 6). This flaw has the potential
to allow attackers to shut down a computer just by getting users to visit a
malicious website. As of April 1, Microsoft had not issued a patch for this
flaw. Systems with Logoff.exe or Shutdown.exe installed are particularly
vulnerable. More details are available in the April 1 TechRepublic article "IE
Codebase Localpath threat remains unpatched," which is available to subscribers
at http://www.techrepublic.com/
SID filtering gap. An authentication glitch in Windows 2000 and NT 4.0
server operating systems leaves servers vulnerable to abuse by someone with
administrator privileges. Because these server environments loosely allow users
in one domain to access resources in another domain without strict security
authentication, an attacker could extend his administrator privileges to other
domains.
Microsoft offers a new security identifier (SID) filtering tool to fix this
problem. See Security Bulletin MS02-001 at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q289246
Software debugging glitch. A software debugging component of Windows
2000/NT has a security hole that can allow an attacker to take over a system
without having system privileges. This hole allows any program to bypass a security
gateway and initiate a debugging session.
This flaw was first reported by Entercept Security Technologies and was posted
on the Bugtraq security list on March 14. Microsoft has not yet released a patch,
but in the meantime users can protect themselves by downloading the workaround
code from
http://cert.uni-stuttgart.de/people/fw/tools/chsystem
For more details, see Sam Costello's InfoWorld article at http://www.infoworld.com/articles/hn/xml/02/03/28/020328hnhole.xml?0329frnetworking
Despite Microsoft's efforts to improve security in its email program, Outlook
2002 still has some problems. On March 21, Internet privacy researcher Richard
Smith released a list of four vulnerabilities that make Outlook prone to virus
attacks.
The problems center around email that includes HTML. One of the more critical
glitches involves a special HTML tag known as an IFRAME, which has the ability
to run an attached program. Another HTML problem is the ability to run JavaScript
in emails as well as read and set cookies via such email.
As of this writing, Microsoft has not yet issued technical solutions to these
problems.
For more details, see Robert Lemos' article, "Just how safe is Outlook
2002?" in ZDNet News at
http://zdnet.com.com/2102-1105-866329.html
For more information on these Microsoft security topics, see the following articles. Also note the National Security Agency recommendations for configuring Windows:
ZDNet News, Feb. 11, 2002: "MS server bugs open the door to hackers"
by Matthew Broersma.
http://zdnet.com.com/2100-1104-834113.html
InfoWorld, Feb. 14, 2002: "IE flaw exploited for MSN Messenger
worm" by Joris Evers.
http://www.infoworld.com/articles/hn/xml/02/02/14/020214hnworm.xml?0214alert
InfoWorld, Feb. 15, 2002: "Microsoft releases patch for SNMP flaw"
by Matt Berger.
http://www.infoworld.com/articles/hn/xml/02/02/15/020215hnsnmpflaw.xml?0218mnbiznews
ZDNet News, Feb. 25, 2002: "MS warns of 'critical' flaws"
by Matthew Broersma.
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,5103757,00.html
National Security Agency Windows Configuration Guides: http://nsa2.www.conxion.com/win2k/