Security Watch
Instant Mess(enger)
Even chatting online can expose you and your network to viruses and the like.
MALICIOUS CODE
More W32.Bropia variants are being seen. Bropia is a worm that spreads via MSN Messenger. If you haven't already closed access to MSN, consider doing so. Microsoft Knowledge Base article 889829 describes how to prevent access to MSN Messenger within a corporate environment.
Remember, instant messaging services like MSN Messenger and AOL Instant Messenger (AIM) are the leaky holes in an otherwise tight perimeter. With more and more malicious code using them as conduits, we end up relying on the messaging providers to filter out the malware for us. The best option is to black-hole the traffic with a proxy that understands the protocol and refuses it access to the messaging servers. Simply closing the port isn't enough: the MSN client will hunt for alternative routes out (falling back to HTTP when its native port is blocked), whereas a proxy that rejects the protocol itself leaves the client believing the service is unavailable.
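The difference between blocking a port and blocking a protocol, as an added example that is not from the column: a port-only filter and a protocol-aware filter are run over three constructed payloads, a direct MSNP session open, the same command tunnelled in an HTTP POST to the messenger gateway, and an ordinary web request. The MSNP "VER" command line, the gateway URL and the content type are my assumptions about the client's wire format, not details taken from the page.

```python
import re

# An MSNP session opens with the client's VER negotiation: a three-letter verb,
# a transaction id, the dialects it speaks, and CVR0, terminated by CRLF.
# (Assumed command shape; the real client may send additional dialects.)
MSNP_VER = re.compile(rb"^VER \d+ (?:MSNP\d+ )+CVR0\r\n")
MSNP_PORT = 1863  # the client's native notification-server port (assumption)


def strip_http_envelope(payload):
    """If payload is an HTTP request, return just its body; otherwise return it unchanged.
    This is what lets the filter see a tunnelled session that a port rule never will."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if sep and re.match(rb"^(?:POST|GET|PUT) \S+ HTTP/1\.[01]\r\n", head):
        return body
    return payload


def is_msnp(payload):
    """True when the payload, direct or HTTP-wrapped, starts an MSNP session."""
    return MSNP_VER.match(strip_http_envelope(payload)) is not None


def port_filter(dst_port, payload):
    """Naive perimeter rule: only the well-known port is closed."""
    return "block" if dst_port == MSNP_PORT else "allow"


def protocol_filter(dst_port, payload):
    """Protocol-aware proxy rule: the port is irrelevant, the payload decides."""
    return "block" if is_msnp(payload) else "allow"


# Constructed samples (not captured traffic).
DIRECT = b"VER 1 MSNP9 MSNP8 CVR0\r\n"
TUNNELED = (
    b"POST /gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com HTTP/1.1\r\n"
    b"Host: gateway.messenger.hotmail.com\r\n"
    b"Content-Type: application/x-msn-messenger\r\n"
    b"Content-Length: 24\r\n\r\n"
    b"VER 1 MSNP9 MSNP8 CVR0\r\n"
)
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

SAMPLES = {
    "direct": (1863, DIRECT),    # client talking to port 1863
    "tunneled": (80, TUNNELED),  # same session after falling back to HTTP
    "web": (80, BENIGN),         # ordinary browsing that must still work
}


def compare(samples=SAMPLES):
    """Map each sample name to (port-filter verdict, protocol-filter verdict)."""
    return {name: (port_filter(port, data), protocol_filter(port, data))
            for name, (port, data) in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print("%-9s port-only=%-5s protocol-aware=%s" % (name, *verdicts))
```

The port rule passes the tunnelled session straight through on port 80, which is exactly the "alternative way out" the text warns about; the protocol rule blocks both forms and still lets the plain web request through.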
HACKING
More buffer overflows than you can shake a stick at: that's the best description of Microsoft's 12 new security bulletins and one reissue this month. Several stand out:
- MS05-011 is a buffer overflow in SMB (Server Message Block) response packet handling. Although the client has to initiate a request to a malicious system in order to receive the packets that overflow the buffer, it's still the type of vulnerability that could very well turn into a significant worm.
- MS05-012 is a buffer overflow in the handling of OLE (object linking and embedding) objects, specifically those with the MS-TNEF MIME type (application/ms-tnef). This is particularly worrisome on Exchange servers, which interpret that MIME type when a message is presented to the server. Details have thus far been withheld.
- MS05-010 is an overflow in the License Logging Service, which is typically enabled on a server (only Windows Server 2003 has it disabled by default). The service is defunct, so make sure it's been disabled.
- MS05-009 is an overflow in the PNG (Portable Network Graphics) format handler in MSN Messenger and Windows Media Player. Proof-of-concept code has been published, and W32.Bropia already uses similar attack methods. This one could very well turn into a new series of viruses.
- The widely publicized Internet Explorer "drag-and-drop" vulnerability has finally been fixed. It required two patches: MS05-008 for the OS and MS05-014 for IE.
- MS04-035 was reissued. This was a problem in the way Exchange Server handled DNS response packets when it did a reverse lookup on the IP address of an incoming SMTP connection. The bulletin was reissued because a version of the fix was made available for Exchange 2000, which was previously not thought to be vulnerable.
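The MS05-009 item is about a PNG handler that trusts what the file tells it. As an added example (not code from the column, and not a reproduction of the patched bug), here is the check a safe decoder performs before it reads a chunk: every declared length is compared with the bytes actually present, the CRC is verified, and the IHDR dimensions are bounded before any buffer is sized from them. The two sample files are constructed in the block, one valid 1x1 image and a copy whose IDAT length field lies.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LENGTH = 2**31 - 1  # the PNG spec caps a chunk's length field at 2^31-1


class BadPng(ValueError):
    """Raised when the file violates the chunk structure a safe decoder must check."""


def build_chunk(ctype, body):
    """Encode one chunk: 4-byte big-endian length, type, body, CRC32 over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def parse_chunks(data, max_chunk=MAX_CHUNK_LENGTH):
    """Walk the chunk list, validating each length against the bytes present
    before touching them. Returns [(type, body), ...] up to and including IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise BadPng("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if len(data) - pos < 8:
            raise BadPng("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > max_chunk:
            raise BadPng("chunk %r declares an oversize length %d" % (ctype, length))
        remaining = len(data) - pos - 8
        if remaining < length + 4:  # the comparison a careless decoder skips
            raise BadPng("chunk %r declares %d bytes but only %d remain"
                         % (ctype, length, remaining))
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise BadPng("bad CRC on chunk %r" % ctype)
        chunks.append((ctype.decode("ascii"), body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not chunks or chunks[-1][0] != "IEND":
        raise BadPng("no IEND chunk")
    return chunks


def check_ihdr(chunks, max_pixels=64 * 1024 * 1024):
    """Bound the image dimensions before any decode buffer is allocated from them."""
    if not chunks or chunks[0][0] != "IHDR" or len(chunks[0][1]) != 13:
        raise BadPng("first chunk must be a 13-byte IHDR")
    width, height = struct.unpack(">II", chunks[0][1][:8])
    if not (0 < width <= MAX_CHUNK_LENGTH and 0 < height <= MAX_CHUNK_LENGTH):
        raise BadPng("invalid dimensions %dx%d" % (width, height))
    if width * height > max_pixels:  # keep width*height*bpp from overflowing
        raise BadPng("image too large: %dx%d" % (width, height))
    return width, height


def is_safe_png(data):
    """Return (True, [chunk types]) for a well-formed file, (False, reason) otherwise."""
    try:
        chunks = parse_chunks(data)
        check_ihdr(chunks)
        return True, [c[0] for c in chunks]
    except BadPng as e:
        return False, str(e)


# Constructed samples: a minimal 1x1 greyscale PNG, then a copy whose IDAT length
# field claims far more data than is present. A decoder that sizes its copy from
# the field and reads without checking walks off the end of its input buffer.
IHDR = build_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = build_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
IEND = build_chunk(b"IEND", b"")
GOOD_PNG = PNG_SIGNATURE + IHDR + IDAT + IEND
OVERSIZE_IDAT = struct.pack(">I", 0x7FFFFFF0) + IDAT[4:]  # same bytes, lying length
BAD_LENGTH_PNG = PNG_SIGNATURE + IHDR + OVERSIZE_IDAT + IEND

if __name__ == "__main__":
    print("good:", is_safe_png(GOOD_PNG))
    print("bad: ", is_safe_png(BAD_LENGTH_PNG))
```

The lying length (0x7FFFFFF0) is deliberately below the spec's 2^31-1 ceiling, so a decoder that only checks the ceiling accepts it; the check that matters is the one against the bytes that remain in the file.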
This column was originally published in our weekly Security Watch newsletter.
PRIVACY
The World Cup 2006 will be one of the first events to incorporate Radio Frequency Identification (RFID) technology in its tickets. A lot of information is recorded with the ticket, including name, date of birth, address, nationality, team loyalty and banking information. If all this data is tied to the RFID tag, it opens the door to massive privacy invasion.
Imagine if local bars figured out how to read the information and installed sensors at their doors to admit only followers of certain teams, or of certain nationalities. The mind boggles at the potential for abuse. That said, it's unlikely that all this data would be readable off the ticket itself, as opposed to stored in a database and looked up by the tag's identifier. Still, despite the problems associated with hooligans, is it necessary to gather this sort of information in advance? I would hope it isn't.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.