Worms, Viruses, Flaws, And Vulnerabilities Keep Security Pros On Alert - InformationWeek


Microsoft has issued two vulnerability bulletins, and the latest variation of the Sobig virus continues to spread.

It's been a busy couple of days for security gurus assigned to keep their companies safe and sound.

On Wednesday, Microsoft posted a pair of vulnerability bulletins warning of potential problems in its Windows 2000 server operating system and its Windows Media 9 video and audio player.

The Windows 2000 Server vulnerability stems from Windows Media Services, a component that lets servers multicast streaming multimedia to users. The DLL that Media Services uses to log client data during multicasts is flawed, and a determined attacker could cause a buffer overflow by sending a specially crafted HTTP request to the server, and gain control of the machine.

Only those Windows 2000 systems with Windows Media Services installed are at risk; Media Services is not a default component of the operating system. Potential targets are systems running Windows 2000 Server, Advanced Server, and DataCenter Server; Windows Server 2003 is not affected, nor are machines running Windows NT, Windows 2000 Professional, or Windows XP.

A patch for the vulnerability, which Microsoft rated as 'Important,' its second-most dangerous ranking, is available for downloading from Microsoft's TechNet Web site.

In a second alert released Wednesday, Microsoft warned that its Windows Media Player 9, the vendor's newest multimedia utility, has a security hole that attackers can exploit. An attacker could get access to the target PC's media library--the list of media files played by Windows Media Player and information on those files, including details such as the recording artist and album name--by posting a malicious Web site and enticing users to visit it. The flaw does not allow attackers to view the contents of anything but the media library, Microsoft said, the reason why it rated the problem only as 'moderate.'

Although Windows Media Player 9 ships with Windows Server 2003, that server software is only at risk if administrators have disabled its default Internet Explorer Enhanced Security Configuration. IT staffs that use Windows Server 2003 as a Terminal Server are likely at risk, since they would typically turn off the Enhanced Security to allow Internet Explorer to browse in unrestricted mode.

A fix for this defect is also available on Microsoft's TechNet Web site.

In other news about Microsoft product vulnerabilities, published reports said that Internet Explorer 5 and 6 suffer from a flaw that crashes the browser on viewing malicious Web sites, and which may be the prelude to a worm that further exploits the vulnerability to do some real damage.

A poster to the Bugtraq security mailing list has outlined how malicious JavaScript can be embedded in an HTML document, which would in turn cause a buffer overflow and crash the viewer's IE 5 or IE 6 browser.

Although a buffer overflow is often the starting point for nastier attacks--including those that take control of the target machine or even delete files--there's no evidence as yet of a worm that exploits the flaw. Microsoft is said to be aware of the problem, but has not yet released a patch or fix.

And then there's more. Another in the Sobig worm series--a run that's been plaguing users for several weeks--the just-named Sobig.e started spreading Wednesday and has been gaining some steam.

Like its forerunners, Sobig.e is a mass-mailing worm that propagates when the recipient opens the attached file, in this case a ZIP archive containing an executable file with a .pif or .scr extension. It spoofs sender addresses--it can sport any return address--and originally carried the [email protected] address; it uses a variety of subject lines that include 'Re: Attachment' and 'Re: Submitted,' according to security firm Symantec Corp.
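As an added example (not code from the article, Symantec, or any of the vendors named), the Python filter below flags an inbound message that shows the Sobig.e traits just described: one of the reported subject lines, and a ZIP attachment holding a .pif or .scr file. The sample message, the function names and the example.invalid addresses are all constructed here for illustration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Traits reported for Sobig.e: the subject lines seen in the wild and the
# executable extensions carried inside its ZIP attachment.
SOBIG_SUBJECTS = {"re: attachment", "re: submitted"}
SOBIG_EXTENSIONS = (".pif", ".scr")


def zip_members(data: bytes) -> list[str]:
    """Return the member names of a ZIP blob, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def sobig_indicators(raw: bytes) -> list[str]:
    """Scan one raw RFC 822 message and list the Sobig.e traits it shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SOBIG_SUBJECTS:
        hits.append("known subject line")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for member in zip_members(part.get_payload(decode=True)):
                if member.lower().endswith(SOBIG_EXTENSIONS):
                    hits.append(f"{name} contains {member}")
    return hits


def build_sample() -> bytes:
    """Constructed test message (not a real Sobig sample): a ZIP holding an empty .pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"")  # empty placeholder, no executable content
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"  # the worm forges any return address
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Attachment"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return bytes(msg)
```

Running `sobig_indicators(build_sample())` reports both the subject line and the .pif inside the ZIP; a benign message with no matching traits returns an empty list.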

As with other Sobig variants, this one deactivates itself on an internally coded schedule: as of July 14, it will not propagate.

The quick spread of Sobig.e has caused several antivirus vendors to raise the worm's risk level since it debuted on Wednesday. Symantec, for instance, pushed Sobig.e from a '2' on its 1-to-5 scale to a '3' late Wednesday, while McAfee bumped it from a 'low' to a more dangerous 'medium' threat around the same time. MessageLabs, which has so far tracked more than 26,000 instances of the worm, approximately the same number as Sobig.d produced in its first 24 hours, rates the worm as a 'High' risk.

The continued flood of Sobig worms gives additional credence to the theories that virus writers are using spam-style techniques to quickly flood the globe with their work, and/or that spammers are using viruses to map vulnerable systems, which they can then turn to their advantage, and use to send their junk mail anonymously.

Even security firms have been plagued by security gaffes this week. In an embarrassing development, Symantec has had to admit that its own Security Check, a tool on its Web site that tests systems for common vulnerabilities, including firewall reliability, had introduced an ActiveX control to users' systems which could be exploited by attackers.

Although Symantec rushed to correct the problem and has posted a repair to its Web site, several security experts claim that users who accessed Security Check could still be at risk and chided the company for not doing more to publicize the problem.

As of Thursday afternoon, Symantec still hadn't placed a warning of the Security Check vulnerability on its home page, instead touting a seven-day-old overflow threat that affects Sun Microsystems' database. Users unaware of the problem would literally have to stumble upon the alert, since it had not been posted at the Security Check section of its Web site.
