Security Watch

Microsoft Drops Ball on Patch Notification

Who ever heard of knocking before entering?

• By Russ Cooper
• 12/20/2004

Hacking
Microsoft released six new security patches, but only five official Security Bulletins. For some strange reason a patch released on the same day as the normal monthly patches—for Windows XP SP2 only—didn't rate a full Security Bulletin. Instead, Microsoft Knowledge Base article 886185 was quietly created and the patch pushed via Windows Update alone.

This is precisely the sort of action that many people grumbled about when Automatic Updates was turned on in XP SP2 back in August; the fear that they would receive silent updates without explanation. I've always felt that was a rather lame fear. Automatic Updates are intended to do just that—update without user knowledge or action. That said, I didn't think it was going to lead to a reduction in the number of Security Bulletins published by the Microsoft Security Response Center. The e-mail notification service can be sent to pagers and other similar devices, and is the expected channel for such notices.

If it's a security patch—and this one definitely was—Microsoft should make sure there's a proper Security Bulletin published. That it's for XP SP2 shouldn't change that equation.

For the KB article referenced above, some may argue that this really isn't a bug in the Microsoft Firewall. Basically, the "My Network (subnet)" scope is an option when choosing how rules will apply. It's supposed to limit access to only hosts on your subnet, like computers in your house. The problem is that some Internet service providers (ISPs) provide ridiculous subnet specifications when dynamically assigning you an IP address after connecting over dial-up via a modem. They don't actually assign you a subnet, instead giving you 0.0.0.0 as your subnet mask. That means that the entire Internet is on the same subnet as you. It's easy to see how the "My Network (subnet)" scope becomes useless when connecting to one of those ISPs.

Unfortunately, Microsoft uses that scope limitation by default for File and Print Sharing. It's also referenced as the preferred choice in the help documentation, and is also recommended by several large companies that sell computers. The other bulletins released Tuesday:

• MS04-041. Word for Windows 6.0 Converter buffer overflow. This is a rather boring buffer overflow which could lead to code of the attacker's choice running in the context of the victim user. Look out for .WRI (Windows Write) files you receive as attachments. If you don't have Word, be careful with .DOC and .RTF files, too. Word and other Microsoft Office products aren't affected.
• MS04-042. This is a rather ugly vulnerability in the Dynamic Host Configuration Protocol (DHCP) server on Windows NT 4.0 only. Someone who can send malicious packets to a compromised DHCP server could cause code to run in the context of the service, typically SYSTEM (which is the most powerful context).
• MS04-043. Another buffer overflow, this time in HyperTerminal. For this to work, you'd have to invoke an .HT file type, which is a HyperTerminal saved session file. There's been chatter about this being exploitable across the Internet, but you'd have to have associated HyperTerminal with the Telnet protocol first for this to be possible (and that isn't the default). Remove HyperTerminal if you don't need it; otherwise, remove the association with .HT files. See the bulletin for details.
• MS04-044. This combined two vulnerabilities, one in the Windows kernel (the core of the OS) and the other in the Local Security Authority Subsystem Service (LSASS), the same service attacked by the Sasser worm. The difference this time is that neither of these can be attacked remotely; someone would have to be logged into a current session to be able to invoke an attack. That puts Terminal Servers at the most risk.
• MS04-045. A Windows Internet Naming Services (WINS) vulnerability. This protocol is so old it has whiskers. I've discussed this one over the last couple of weeks, since the vulnerability information was announced. A buffer overflow could allow an attacker to remotely cause code of his choice to run in the security context of the WINS service, typically SYSTEM. Get rid of WINS and use LMHOSTS files if you must.

Gnutella, a formerly very popular peer-to-peer (P2P) file sharing network protocol, saw a significant spike in traffic recently. Spikes don't always indicate malicious traffic, but the use of P2P networks for spreading malware has significantly increased this year, so spikes are watched closely.

Malicious Code
W32/Zafi.D@mm was released last week and spread significantly, primarily in non-English speaking countries. Seems that many non-English speaking countries have gotten used to malware coming in English, or broken English, and since Zafi.D was distributed in many languages it managed to make people think it was legitimate. That it was a Christmas greeting with music didn't help any either.

Remember the rule: "Attachments are malware, regardless of what they are." If someone really wants to send a Christmas greeting they should phone—or better still, visit with some real Christmas cheer. There will likely be many hoaxes and viruses coming in the form of Christmas greetings.

New variants of Maslan were released, including versions that attempted to perform a distributed denial-of-service attack against sites alleged to be supporting Chechen rebels. Hactivism? Nope, just another piece of useless malware created by yet another demented mind.

Physical
The U.S. president will soon have the ability to shut down the Global Positioning System (GPS) network in the event of a national emergency. The idea that some terrorists may use GPS to direct an attack is nothing new, but I seriously doubt whether full consideration has been given to precisely how many systems need GPS. For example, numerous Network Time Protocol servers rely upon the GPS network for their time, so it's possible that a network using Kerberos might not be able to retrieve network time in such an event. The side effects of bringing down the GPS network may very well exceed the effects of not taking it down.

The Open Security Exchange was announced. It's a consortium of vendors developing vendor-neutral specifications and guidelines for the convergence of physical and electronic security. It's hard to say whether this is a good idea or not. Certainly, defining "best practices" for how the two forms of security should work hand-in-hand is useful, but the idea that the two become one leads to concern about single points of failure. Do we want perimeter gate cameras and guards to stop working because someone in the office double-clicked on a virus? We'll see how this develops.

Privacy/Governance
Look for Health Insurance Portability Accountability Act of 1996 (HIPAA) compliance guidelines to be published by the end of the year by The Healthcare Security Workgroup (HSW), which includes members from the Workgroup for Electronic Data Interchange (WEDI) and the National Institute of Standards and Technology (NIST). That leaves less than four months to implement compliance, if you haven't already. It seems that many smaller organizations have chosen to revert to pen and paper rather than spending the money on compliance. I can't say I feel bad about that.

The U.S. Supreme Court has agreed to hear a case which should determine whether or not peer-to-peer network providers are responsible for the content which traverses their networks. This will be a critical ruling for many aspects of content distribution, so expect to hear all sorts of arguments against making providers responsible. I'm very much in favor of assigning more responsibility to those who facilitate illegal activities.