Security Watch

Microsoft Re-Releases Security Advisory

A recent Windows PnP vulnerability is hyped to be more dangerous than it really is.

• By Russ Cooper
• 09/12/2005

Although there has definitely been a lot of media coverage for the worm(s) exploiting this vulnerability, the actual effects may be overstated. There’s no doubt that a number of large companies appeared to be affected, but the impact seems to be mostly that they had to do emergency patch pushes to their systems.

Microsoft themselves stated that infections due to the worm(s) were low and damage minor. There was only one report to NTBugtraq regarding infections, and that report indicated that one bank in Malaysia may have been infected. Also, it’s interesting to note that despite there not being a patch for Windows 2000 SP3 or below, there has been very little hue and cry about that patch not being available. Generally, when there’s an extreme threat customers who aren’t running a supported version of an affected OS will scream for a patch. This didn’t happen this time, strongly suggesting the actual threat was lower than being reported.

One final note, the vulnerability does affect Microsoft Windows NT 4.0 also. Customers who have a service agreement directly with Microsoft for security hotfix support for that OS have received a patch.

After a vulnerability and exploit were released exploiting a buffer overflow in the MSDDS.DLL ActiveX control, research suggests the control should not be prevalent on systems. The control is only installed as part of Visual Studio, but may also be installed if a complete installation of Office Professional is done because it too includes Visual Studio components in order to allow for the development of Digital Dashboard applications.

Doing a complete installation of Office happens far too often, unfortunately. Administrators, unclear what their users actually need, may just install everything to avoid having to revisit the system. This is where the Microsoft Office group has failed miserably, failing to provide relatively simple methods to do corporate-wide installations.

Best practice says you should decide which options are required for every installation you do. Having various images of your corporate builds allows you to pre-define what options are going to be given to each person in your company, while at the same time ensuring that installations are minimal. Do you really think everyone in your company may author a Digital Dashboard application? Probably not.

Malicious Code
Trojan: Backdoor.Mousey -- F-Secure and Symantec have released virus definitions to detect W32.ESBot.A, a variant of Backdoor.Mousey. This variant attempts to exploit the Microsoft Windows plug-and-play remote code execution vulnerability.

Trojan: SDBot (a.k.a. RBot) -- Multiple vendors have released new virus definitions that detect aliases of SDBot variants. Reports indicate the new SDBot variants may exploit the Microsoft vulnerability associated with MS05-039.

Once again we’ll restate our contention that bots are the first to implement new attacks against a given vulnerability. Bots are modular today and are connected to sites which allow them to be instructed to pick up and execute new modules that exploit the new vulnerabilities. There is nothing new with this process only taking a couple of days, unfortunately. That said, typically, you need to already have a bot running on your network for a new vulnerability to be exploited ... unless, of course, you have unprotected roving laptops or home office worker systems which are equally unprotected.

It’s also worth reminding everyone that Cybertrust’s Anti-Virus Policy Guide has for several years recommended that personal firewalls be installed and conservatively configured on all systems used outside of the enterprise. As such, the vulnerable ports (445 and/or 139) would be closed to Internet traffic, thereby preventing an infection from anywhere other than from inside your own organization.

Reports suggest that mobile viruses, such as Cabir, were prevalent at the recent World Athletics’ Championships, and that the 2006 World Cup of Soccer in Germany may be "fertile ground" for the new viruses.

In my opinion, someone was just looking to make some headlines here. Let’s accept that the World Cup will be used as a launch pad for new viruses. However, one need not be at an event with 100,000 other people in order to come close to so many people with mobile devices. Consider the effects of someone traveling up and down an elevator in any office building, or standing outside a Starbucks or the subway in any busy part of town. So what’s so special about the World Cup or sporting events?

Privacy
The Australian Broadcasting Corporation program "Four Corners" recently aired a show claiming that it received a sales offer for the personal details of 1,000 Australians, including names, addresses, telephone numbers, birth details, Medicare numbers, driver's license numbers, bank card numbers and passport information. The seller claimed the details were gathered from Indian call centers. Four Corners did not buy the information, but was able to confirm its authenticity, saying it appears to come from a call center in Gurgaon, in the Haryana state of India.

The U.S. FCC has said the Communications Assistance to Law Enforcement Act (CALEA) is going to be applied to IP telephony. Where they really expect to apply it is to facilities-based services which interface to the public switched telephone network. The act gives the Department of Justice (DoJ) the discretion to impose on telecoms the responsibility to provide them with a service that they can use to wiretap remotely without going anywhere, at its discretion without the cooperation of the telco. Thus, in theory, the DoJ will police itself to insure that its use is lawful. The DoJ wants to project that onto Vonage and Skype. However, it looks to us as though if you use Skype-to-Skype, that is PC-to-PC, Skype has no responsibility and doesn't have to provide any wiretap capability.