In-Depth

Alerts: Oracle Patch; Top Viruses for November; Yahoo Messenger Vulnerability

Oracle releases most, but not all patches, necessary to protect against SSL vulnerability. Kaspersky Labs reveals the top troublemakers in November. Yahoo's popular instant messaging program vulnerabilities.

• By Mathew Schwartz
• 12/10/2003

Oracle Patches SSL

Oracle says several of its products are vulnerable to Secure Sockets Layer (SSL) vulnerabilities.

Security vulnerability information provider Secunia notes that exploit of the vulnerability could lead to “exposure of sensitive information” as well as denial-of-service attacks and remote access to the system.

Affected products are: Oracle HTTP Server 8.x, Oracle HTTP Server 9.x, Oracle8i Database, Oracle9i Application Server, Oracle9i Database Enterprise Edition, and Oracle9i Database Standard Edition.

The SSL vulnerabilities, notes Oracle, “can be exploited when carefully crafted X.509 certificates are presented by clients, even when X.509 client certificates are not enabled.” In addition, “risk to exposure is high,” the company says. “Any client that is able to access the server may exploit the vulnerabilities.”

Oracle released patches that will minimize the risks associated with SSL vulnerability exploitation, but warns that “there are no workarounds that fully address these potential security vulnerabilities.” Note that for some products, multiple patches must be applied.

Some patches, such as for Oracle9i Application Server version 9.0.2 and 9.0.3, haven’t been released yet. The company says to expect them before year’s end. Its recommendation is to “follow best practices for Oracle9i Application Server and Oracle9i Database Server, and consider deployment of firewalls.” Those best practices can include implementing single sign-on—Oracle Advanced Security is one such option—to authenticate external users before giving them access to the system.

Virus “Top 20” for November

Kaspersky Labs named its “Virus Top 20” for November last week.

The month’s number-one worm was the new I-Worm.Mimail.c (also known as Worm/MiMail), which accounted for 35 percent of all viruses reported, though the I-Worm family only debuted last month.

“Several new variations of the Mimail network worm” appeared, the company says, together accounting for about 62 percent of all viruses and worms seen. “This dominating performance is the result of the code from the Mimail family's first variant being published on the Internet.”

Besides its prevalence, the worm’s intent is an above-normal threat, says Steven Sundermeier, vice president of products and services at Central Command. “As is the case with Worm/MiMail.I and Worm/MiMail.J, we are beginning to see the emerging pattern of writing computer viruses for financial gain … [where] confidential information such as credit card and bank account information is regularly sought.”

On a positive note, two spyware (backdoor)-carrying worms, Agobot and Sdbot, declined. Curiously, according to Kaspersky, two worms—Dumaru and Lovelorn—resurged.

Kaspersky Labs offers advanced products for protection against viruses, hackers and spam. Their full Top 20 list can be found at: http://www.kaspersky.com/news.html?id=2481438

Alert: Yahoo! Messenger “Highly Critical” Vulnerability

Secunia warns that the popular instant messaging program Yahoo! Messenger 5.x (versions 5.6.0.1347 and before) is vulnerable to a buffer overflow. The company characterizes the problem as “highly critical” since it could give an attacker access to a remote system, at which point the attacker could execute arbitrary code (such as wiping clean the user's hard disk drive).

Secunia says, “The vulnerability is caused due to a boundary error in the ActiveXcomponent ‘yauto.dll’ in the 'Open()’ function. This can be exploited to cause a buffer overflow by supplying an overly long argument to the vulnerable function via a malicious Web page."

The solution? Secunia suggests you remove the vulnerable file, an ActiveX component. The company also recommends disabling ActiveX control and Active Scripting anytime, just to be safe. They should only be allowed on an opt-in, i.e., “site per site basis.”