Security Watch
Microsoft Drops Ball on Patch Notification
Who ever heard of knocking before entering?
Hacking
Microsoft released six new security patches,
but only five official
Security Bulletins.
For some strange reason a patch released on the same day as the
normal monthly patches—for Windows XP SP2 only—didn't
rate a full Security Bulletin. Instead, Microsoft Knowledge Base
article
886185
was quietly created and the patch pushed via Windows Update alone.
This is precisely the sort of action that many people grumbled
about when Automatic Updates was turned on in XP SP2 back in August;
the fear that they would receive silent updates without explanation.
I've always felt that was a rather lame fear. Automatic Updates
are intended to do just that—update without user knowledge
or action. That said, I didn't think it was going to lead to a reduction
in the number of Security Bulletins published by the Microsoft Security
Response Center. The e-mail notification service can be sent to
pagers and other similar devices, and is the expected channel for
such notices.
If it's a security patch—and this one definitely was—Microsoft
should make sure there's a proper Security Bulletin published. That
it's for XP SP2 shouldn't change that equation.
For the KB article referenced above, some may argue that this really
isn't a bug in the Microsoft Firewall. Basically, the "My
Network (subnet)" scope is
an option when choosing how rules will apply. It's supposed to limit
access to only hosts on your subnet, like computers in your house.
The problem is that some Internet service providers (ISPs) provide
ridiculous subnet specifications when dynamically assigning you
an IP address after connecting over dial-up via a modem. They don't
actually assign you a subnet, instead giving you 0.0.0.0 as your
subnet mask. That means that the entire Internet is on the same
subnet as you. It's easy to see how the "My Network (subnet)"
scope becomes useless when connecting to one of those ISPs.
Unfortunately, Microsoft uses that scope limitation by default
for File and Print Sharing. It's also
referenced as the preferred choice in the help documentation, and
is also recommended by several large companies that sell computers.
The other bulletins released Tuesday:
- MS04-041.
Word for Windows 6.0 Converter buffer overflow.
This is a rather boring buffer overflow which could lead to code
of the attacker's choice running in the context of the victim
user. Look out for .WRI (Windows Write) files you receive as attachments.
If you don't have Word, be careful with .DOC and .RTF files, too.
Word and other Microsoft Office products aren't affected.
- MS04-042.
This is a rather ugly vulnerability in the Dynamic
Host Configuration Protocol (DHCP) server on Windows NT
4.0 only. Someone who can send malicious packets to a compromised
DHCP server could cause code to run in the context of the service,
typically SYSTEM (which is the most powerful context).
- MS04-043.
Another buffer overflow, this time in HyperTerminal.
For this to work, you'd have to invoke an .HT file type, which
is a HyperTerminal saved session file. There's been chatter about
this being exploitable across the Internet, but you'd have to
have associated HyperTerminal with the Telnet protocol first for
this to be possible (and that isn't the default). Remove HyperTerminal
if you don't need it; otherwise, remove the association with .HT
files. See the bulletin for details.
- MS04-044.
This combined two vulnerabilities, one in the Windows
kernel (the core of the OS) and the other in the Local
Security Authority Subsystem Service (LSASS), the same
service attacked by the Sasser worm. The difference this time
is that neither of these can be attacked remotely; someone would
have to be logged into a current session to be able to invoke
an attack. That puts Terminal Servers at the most risk.
- MS04-045.
A Windows Internet Naming Services (WINS)
vulnerability. This protocol is so old it has whiskers. I've discussed
this one over the last couple of weeks, since the vulnerability
information was announced. A buffer overflow could allow an attacker
to remotely cause code of his choice to run in the security context
of the WINS service, typically SYSTEM. Get rid of WINS and use
LMHOSTS files if you must.
Gnutella, a formerly very popular peer-to-peer
(P2P) file sharing network protocol, saw a significant spike in
traffic recently. Spikes don't always indicate malicious traffic,
but the use of P2P networks for spreading malware has significantly
increased this year, so spikes are watched closely.
Malicious Code
W32/Zafi.D@mm was released last week and
spread significantly, primarily in non-English speaking countries.
Seems that many non-English speaking countries have gotten used
to malware coming in English, or broken English, and since Zafi.D
was distributed in many languages it managed to make people think
it was legitimate. That it was a Christmas greeting with music didn't
help any either.
Remember the rule: "Attachments are malware, regardless of
what they are." If someone really wants to send a Christmas
greeting they should phone—or better still, visit with some
real Christmas cheer. There will likely be many hoaxes and viruses
coming in the form of Christmas greetings.
New variants of Maslan were released,
including versions that attempted to perform a distributed denial-of-service
attack against sites alleged to be supporting Chechen rebels. Hactivism?
Nope, just another piece of useless malware created by yet another
demented mind.
Physical
The U.S. president will soon have the
ability to shut down the Global Positioning System
(GPS) network in the event of a national emergency. The idea
that some terrorists may use GPS to direct an attack is nothing
new, but I seriously doubt whether full consideration has been given
to precisely how many systems need GPS. For example, numerous Network
Time Protocol servers rely upon the GPS network for their time,
so it's possible that a network using Kerberos might not be able
to retrieve network time in such an event. The side effects of bringing
down the GPS network may very well exceed the effects of not taking
it down.
The Open Security Exchange was announced.
It's a consortium of vendors developing vendor-neutral specifications
and guidelines for the convergence of physical and electronic security.
It's hard to say whether this is a good idea or not. Certainly,
defining "best practices" for how the two forms of security
should work hand-in-hand is useful, but the idea that the two become
one leads to concern about single points of failure. Do we want
perimeter gate cameras and guards to stop working because someone
in the office double-clicked on a virus? We'll see how this develops.
Privacy/Governance
Look for Health Insurance Portability Accountability
Act of 1996 (HIPAA) compliance
guidelines to be published by the end of the year by The
Healthcare Security Workgroup (HSW), which includes members
from the Workgroup for Electronic Data Interchange (WEDI) and the
National Institute of Standards and Technology (NIST). That leaves
less than four months to implement compliance, if you haven't already.
It seems that many smaller organizations have chosen to revert to
pen and paper rather than spending the money on compliance. I can't
say I feel bad about that.
The U.S. Supreme Court has agreed to
hear a case which should determine whether or not peer-to-peer network
providers are responsible for the content which traverses their
networks. This will be a critical ruling for many aspects of content
distribution, so expect to hear all sorts of arguments against making
providers responsible. I'm very much in favor of assigning more
responsibility to those who facilitate illegal activities.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.