In-Depth

Security Briefs

Despite Arrest, Worm Exploits Continue; Microsoft Help Vulnerability Revealed; Symantec Firewall Management Improved

• By Mathew Schwartz
• 05/19/2004

Despite Arrest, LSASS Worms Live On

A new worm, Cycle.A, targets and exploits the Microsoft LSASS buffer overflow vulnerability, the same flaw exploited by the Sasser worm. As detailed previously (see http://info.101com.com/default.asp?id=7024), the LSASS vulnerability was patched by Microsoft in April 2004. Affected software includes Windows XP and all Windows NT service packs.

Cycle.A is 10.2 Kbytes large. If executed, the worm attempts to delete several programs, including a variation of Blaster. If the computer’s date is May 18, it also attempts a denial of service attack against two sites, www.irna.com , the Islamic Republic News Agency, and www.bbcnews.com, home of BBC News.

Symantec notes the worm also listens on TCP port 3332. “This open port is used as an infection marker. The worm will accept connections on this port and immediately close them. This notifies other instances of the worm that the computer is already infected.”

“Even though the alleged author of Sasser has been apprehended, it was only a matter of time before someone else integrated a public LSASS exploit into another worm. Besides the potential denial-of-service side effects of infected hosts, the payload of Cycle is mostly benign, carrying with it a political message that it deposits on the infected host’s hard drive,” says David Endler, director of digital vaccine for TippingPoint.

The technical expertise needed to “to convert a point-and-shoot exploit into a worm” such as Sasser or Cycle is declining, he notes, due to overall availability of security information and improved security expertise. “For those with moderate-to-advanced programming skills, integrating these published exploits into their own worm creations is made easier due to pre-built generic worm skeleton source code publicly available for download.”

“The Internet community has been given yet another short reprieve to patch until an individual or group decides to create a worm like Witty that corrupts and destroys data on a wide scale through the LSASS vulnerability.”

More information on Cycle.A:
http://www.symantec.com/avcenter/venc/data/w32.cycle.html

- - -

Microsoft: New Help and Support Center Vulnerability

A vulnerability in the Help and Support Center could allow remote code execution, warns Microsoft. Vulnerability information provider Secunia warns it is a “highly critical” vulnerability.

Affected software includes Windows XP and Windows XP Service Pack 1, Windows XP 64-Bit Edition Service Pack 1, Windows XP 64-Bit Edition Version 2003, Windows Server 2003, and Windows Server 2003 64-Bit Edition. “Other versions of Microsoft Windows do not support the HCP protocol and are therefore not affected,” says Secunia.

An unspecified input validation error is to blame. “This can be exploited via the HCP protocol on Microsoft Windows XP and Microsoft Windows 2003 through Internet Explorer or Outlook,” says Secunia.

Link to Advisory:
http://www.microsoft.com/technet/security/bulletin/MS04-015.mspx

- - -

Symantec Boosts Firewall Management

Officials at Symantec Corp. are pushing scalable Web-based management and Java-based remote access as major additions to the newest version of its enterprise firewall.

The management tools that come with Symantec Enterprise Firewall 8.0 allow an information technology manager to create a rule and then push it to hundreds or even thousands of the company's security gateway devices from a single console.

Read the full story here, courtesy of Federal Computer Week:
http://info.101com.com/default.asp?id=7202