
Briefs: Windows Server 2003 patch, worm aimed at financial institutions; Symantec's top 10 threats

Microsoft patches two Windows Server 2003 holes; Bugbear targets financial institutions; Symantec lists worst vulnerabilities from last month

Microsoft Issues First Windows 2003 Patch

Just a few months into its existence, Windows Server 2003 got its first patch. The cause: the server ships with a version of Internet Explorer (IE) that is subject to a previously identified threat. IE versions 5.01, 5.5, 6.0, and 6.0 for Windows Server 2003 are affected. In the worst-case scenario, an attacker could execute code on a user’s system.

The patch also eliminates two newly discovered vulnerabilities for those same versions of IE. The first is a buffer overrun vulnerability that occurs because IE doesn’t properly determine the object type returned from a Web server, which could also allow an attacker to execute code on the affected system. The attack could be triggered by an HTML e-mail or when the user visits a Web site with specially crafted code.

The second vulnerability involves an IE flaw: the file download dialog box lacked an appropriate safeguard. In particular, when a user visits a malicious Web site or receives a specially formed HTML e-mail, the flaw can cause the browser to open a file if the Web page opens multiple file download dialogs. Forcing a user to open a file could, of course, let an attacker remotely execute code on a user’s machine.

Microsoft urges all users of IE to upgrade immediately. More information is available on the company's Web site: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-020.asp

Worm: Bugbear Targets Financial Institutions

Symantec Security Response upgraded its threat assessment level for W32.Bugbear.B.

The worm, a variation of one discovered last year, contains a list of more than 1,300 financial institutions’ domain names worldwide. If a system is infected with W32.Bugbear.B, and the default e-mail address at the infected computer matches that of a banking company, then the worm initiates auto dialing. Auto dialing could allow the hacker to gain control of the machine by making the machine connect to the Internet and follow additional instructions. The combination of auto dialing and keystroke logging is also likely an attempt to steal passwords more effectively.

Symantec Security Response reports that W32.Bugbear.B submission numbers—the number of companies that report seeing it—are still increasing, with Symantec recording 1,002 submissions in just the first 48 hours. By contrast, the original W32.Bugbear@mm worm, discovered on Sept. 30, 2002, peaked in its fifth day with 6,888 submissions.

Symantec's Top Ten Threats

Symantec released last month’s top 10 malicious code threats:

  1. W32.Klez.H@mm
  2. W32.Sobig.B@mm
  3. HTML.Redlof.A
  4. W32.HLLW.Fizzer@mm
  5. W95.Hybris.worm
  6. W32.HLLP.Spreda
  7. W32.Nolor@mm
  8. W32.HLLW.Lovgate.G@mm
  9. W32.Nimda.E
  10. W32.Pinfi

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
