Old Security Hole Persistent as Threat to NT Machines

• 12/08/1999

An 18-month-old vulnerability in the Remote Data Services (RDS) component of Microsoft Corp.’s Internet Information Server (IIS) platform is becoming a popular springboard for system attacks. From mid-October to mid-November, more than 300 commercial and military NT servers were penetrated and vandalized via this method, according to ICSA.net (www.icsa.net), an affiliate of GartnerGroup (www.gartner.com) that provides security consultation services. With a fourfold increase in activity, the RDS exploit is the No. 1 vehicle for successful attacks against NT-based servers, ICSA.net officials say.

"The exploits have been reduced to cookbook instructions and scripting tools. Since the RDS attack involves normal Web server instructions, it is likely to go unnoticed," said Peter Tippett, chief technologist at ICSA.net, in a statement.

RDS are intended to ease application integration with Microsoft’s IIS 3.0 and 4.0 Web server platforms. By exploiting the RDS vulnerabilities, unauthorized users can execute shell commands on an IIS system as privileged users; can use MDAC to tunnel SQL or other ODBC data requests through public connections to private internetworks; and can facilitate unauthorized access to unpublished files on an IIS system.

The RDS problem is critical because many Windows NT administrators may have deployed RDS services without realizing it. The default installation options on the Windows NT Option Pack installs RDS and the sample Microsoft Data Access Components (MDAC) Web site.

Microsoft released a security bulletin -- Microsoft Security Bulletin MS98-004 -- and a fix for the underlying vulnerability back in July 1998. The patch is available at www.microsoft.com/security/bulletins/MS99-025faq.asp.

After the so-called security professional -- known only by the moniker Rainforest Puppy -- discovered the breach and released details on how to successfully exploit it, several Web sites were victimized, including the official Web presence of the state of Colorado (www.colorado.com), says David Kennedy, vice president of research services at ICSA.net.

The RDS vulnerability remains an issue because Microsoft has not incorporated the fix into any of the three service pack (SP) releases -- SP4, SP5 and SP6 -- that have shipped since last July. Although Microsoft officials could not be reached for comment, security professionals speculate that this is because the patch can break some of the underlying functionality that many organizations who use both RDS and MDAC require. Consequently, these sources say, categorically applying the patch at the time of a service pack installation could cause problems in some environments.

The fix is available on CD-ROM versions of the service pack, however.

Security professionals across the industry agree the vulnerability has to be eliminated, Microsoft’s unwillingness to include the patch in service pack downloads notwithstanding.

"This is plain and simple the fault of NT administrators for failing to heed Microsoft’s security advisories in the first place," Kennedy maintains. "If you’re an NT administrator, you ought to be receiving these bulletins and you ought to be heeding them."

Russ Cooper, president of R.C. Consulting and moderator of the Windows NT Bugtraq mailing list, says Microsoft has been more than reasonable in its attempts to redress this exploit.

"Microsoft told everybody a year and a half ago, and we had it covered in NT Bugtraq when the first variation of this was found. So I think that they did a very good job," Cooper says.

Cooper says administrators must learn to take more responsibility for their Web environments. He points to the example of the MDACs sample Web site that is installed by default in the Windows NT Option Pack setup as a proof-of-concept. "Why are you running sample files on a production server? There’s no reason for them to be there."

Of the two new highly publicized viral threats, BubbleBoy and FunLove, there have been no reports of system damage. BubbleBoy exists thus far in a laboratory setting and is not a malicious virus, security professionals say. If embedded in an HTML e-mail message, however, BubbleBoy can exploit two ActiveX controls -- scriptlet.typelib and Eyedog -- to automatically send itself to all addresses in a Microsoft Outlook or Outlook Express address book.

In a twisted homage to the sitcom Seinfeld, the virus also changes the name of a computer’s registered owner to BubbleBoy, changes a computer’s company information to Vandelay Industries, and features the name Soup Nazi in its source code.

Ironically, the difficulties of BubbleBoy need not exist. Security professionals say Microsoft released a patch to fix the ActiveX vulnerabilities that are exploited by the virus in early August 1999. The Microsoft fix is available at www.microsoft.com/security/bulletins/ms99-032.asp.

Frank Knobbe, a security professional and president of Knobbe IT Services Inc. (www.advisent.com), says BubbleBoy isn’t new or special. The virus should, however, serve as a warning to administrators to safeguard their systems against potentially more dangerous threats.

"It is common knowledge -- and if it isn’t, it should be -- that previewing an e-mail in the Preview Pane has the same effect as opening the email in another window," Knobbe points out. "[If nothing else] this should serve as a reminder for administrators to configure the Restricted Zone under the Security Section of Internet Explorer and set the e-mail zone in Outlook to Restricted Sites."

Another e-mail-borne threat, the FunLove virus, is not technically malicious, either. It adds extraneous data to files, making them gradually grow larger. Anti-virus vendors are expected to release update software capable of eradicating FunLove, which is reputed to be very difficult to kill in Windows NT environments.