In-Depth

Briefs

New Mydoom variants; Vulnerabilities in IE browser, Checkpoint products; January a banner month for threats.

• 02/11/2004

Mydoom Variants Come On Strong

Kaspersky Labs unveiled details about variants of last week's Mydoom vulnerability that target Microsoft's Web site. See http://esj.com/news/article.asp?EditorialsID=855 for details.

Just after announcing it would only release patches once a month (to ease management for IT administrators), Microsoft broke the cycle by warning of a trio of highly critical vulnerabilities in all versions of its Internet Explorer browser and released a patch.

The first vulnerability, the company said in a statement, “involves the cross-domain security model of Internet Explorer (IE).” While IE is supposed to prohibit windows in different domains from sharing information, it doesn’t. Thus a non-trusted domain could exploit the vulnerability to run a malicious script in the “Local Machine” zone.

The second vulnerability lets an attacker auto-save a file to a user’s computer, though the user only clicks a link. It’s a problem with drag-and-drop “function pointers” in dynamic HTML, says Microsoft. Note users might be unaware; they get no dialog box allowing them to deny or approve the save-to-disk operation.

The third vulnerability “involves the incorrect canonicalization of URLs thatcontain special characters.” In other words, URLs constructed with a "username:password@" at the beginning—a basic method of building URLs—can spoof Internet Explorer into displaying incorrect site information. Cue the threat of social engineering attacks whereby users click a link in an e-mail to view their bank statement and end up at a site that looks and says it’s their bank, or auction site, or favorite name-brand e-commerce retailer—only it’s not.

Link: http://www.microsoft.com/technet/security/bulletin/ms04-004.asp

ISS Spots Checkpoint Vulnerability

Internet Security Systems (ISS) X-Force warned of “two serious vulnerabilities” in some Checkpoint computer security products.

The first concerns CheckPoint Firewall-1 --in particular, “HTTP Application Intelligence designed to prevent potential attacks or detect protocol anomalies targeted at servers behind the firewall.” The threat: Attackers can alter “firewall rules and configurations” to make attacks on a network or intrusion easier. The HTTP Security Server application, which ships with the firewall, has the same vulnerability.

The second vulnerability can allow attackers to “remotely compromise any VPN-1 server [or] client system running Securemote/SecureClient,” says ISS. Those products provide remote users with VPN access to enterprise networks.

The extent of the problem isn’t known, but as of late 2002, according to IDC, Checkpoint products accounted for roughly half of all VPN and firewall products in use.

One complication, however, is that “Checkpoint no longer supports the versions of VPN-1 and SecureRemote/SecureClient affected by this vulnerability. Checkpoint recommends that all affected users upgrade to Firewall-1 NG FP1 or greater,” says ISS.

January a Banner Worm Month

With the close of January, it’s official: 2004 is already off to a bad start for Internet worms. No surprise for security managers that the culprit was MyDoom, which only appeared on January 27. “In only a few days, the hefty volume of circulating MyDoom emails caused pandemonium for computer users worldwide," notes Steven Sundermeier, vice president of products and services at anti-virus software maker Central Command Inc. In fact, MyDoom accounted for 77 percent of infections for the month.

MyDoom strongly overshadowed the other top-10 viruses and worms, including Bagle, MiMail.I, MiMail.A, Klez, and BugBear.

One surprise, notes anti-virus provider Kaspersky Labs, is that “last year's leader, Sobig.f has still not surrendered.” Sobig was in the top 10 for the past two months (in ninth place). “This is especially interesting as Sobig.f was scheduled to de-activate on September 10, 2003.”

Also, three macro-viruses made the top 20, reports Kaspersky, making it a good time to remind Microsoft Office users not to run just any Office macro. “Rumors of the demise of MS Word macro-viruses are premature,” the anti-virus maker says.