In-Depth

In Brief

Delaying XP Upgrades, AOL IM Buffer Overflow, Virus Source

• By Mathew Schwartz
• 08/18/2004

Ready, Set, Wait: Experts Advocate XP Upgrade Delay

With Microsoft rolling out SP2 for XP Professional, experts recommend treating the service pack, well known for the security improvements it brings to XP, with caution.

While the term “service pack” sounds innocent enough, and security managers have been clamoring for a more-secure out-of-the-box Windows OS, the reality is rolling out SP2 will likely be a major undertaking, say analysts.

“For enterprises, mass deployment of SP2 isn’t a practical reality, and firms should treat SP2 as an OS [operating system] upgrade and not just a service pack update. During the rollout, firms need to use the same procedures and tools as a full-scale OS upgrade—including maintaining dual SP1 and SP2 images and using client management systems to deploy the new OS to the desktop,” warn Forrester analysts Simon Yates and David Friedlander in a research brief.

Those proper procedures include vigorous testing of SP2 to discern compatibility with all applications currently in use in the enterprise, especially including any applications developed in-house. Note many vendors haven’t yet released SP2-certified versions of their applications.

After careful vetting, of course, IT managers can begin their organization’s SP2 rollout. Don’t expect a quick fix, however, since the typical time needed to build new PC images and distribute them can be weeks, if not months, for large organizations.

IBM, for example, reportedly advised its employees to abstain from updating their XP installations to SP2 until IBM could test it for interoperability. IBM, like many hardware manufacturers, installs a number of custom-built software programs onto its PCs to handle everything from managing video controls on the laptop to updating IBM-built applications and drivers. Such applications often don’t weather a major OS upgrade.

AOL IM Buffer Overflow Vulnerability

Secunia warns of a “highly critical” vulnerability in AOL Instant Messenger (IM) 5.x. A too-long “away” message—more than about 1024 bytes worth of information—can cause a boundary error due to the way AOL IM handles away messages.

“A malicious Web site can exploit this via the ‘aim:’ URI handler by passing an overly long argument to the ‘goaway?message’ parameter,” says Secunia. If a user was also using a browser with known vulnerabilities, the attack could piggyback to make the compromised computer execute arbitrary code.

Experts say organizations without an IM policy and IM monitoring tools should assume the vulnerability exists in their organization, given the increasing popularity of IM. IDC predicts corporate users will swap over 4.3 million messages by the end of the year.

Hate Viruses? Blame This Guy

Antivirus vendor Sophos reports 70 percent of virus activity in the first half of 2004 is linked to a single German teenager. According to police, Sven Jaschan confessed to authoring the Netsky and Sasser worms.

“If one of Jaschan’s friends had not informed Microsoft about his identity, then the situation may have been even worse,” says Graham Cluley, senior technology consultant for Sophos. “The German virus-writing community has been relatively quiet ever since.”

Despite over 4,600 new viruses appearing, the Sasser worm and the variant Netsky-P alone accounted for 50 percent of virus activity in that time period. Bagle also figured prominently.

“Following in the footsteps of last year’s hard-hitting Blaster worm, Sasser exploited a critical vulnerability in Microsoft’s operating system in order to spread. This type of worm is proving to be extremely successful, as Microsoft is finding it tough to ensure computer users apply patches as soon as the flaws are discovered,” says Cluley.

Moving beyond Sasser, and Netsky variants, the fifth-most-damaging virus was MyDoom, which attempts to keep infected PCs in reserve—so-called “zombies”—for launching attacks.

The good news is, summer is the quiet season. “Maybe it’s because virus writers are people too … [and] take vacations,” notes Kaspersky Labs.

Kaspersky recapped the month in viruses in July, which looks a lot like June. It does, however, include something odd: Zafi.b, July’s leading worm with 57 percent prevalence. Kaspersky calls the worm a “paradox” on account of it being “an average worm, with nothing interesting in the code or the social engineering methods used to trick users into opening infected attachments.” Part of its success may have to do with its “changing the language of the incoming e-mail in accordance with the recipient’s country.” Despite its “success,” Kaspersky says “this is Zafi.b’s only interesting feature.”

Windows XP SP2-Related Articles

Top 10 Security Modifications in Windows XP Service Pack 2
http://www.esj.com/security/article.asp?EditorialsID=1077

Microsoft Says Security Improvements Coming
http://esj.com/news/article.asp?editorialsId=875