OS/400 Alert: Major Outlook 2002 Vulnerability Discovered
March 17, 2004 Shannon O'Donnell
In this week’s “OS/400 Alert,” we’ll tell you about a major new vulnerability in Outlook 2002 that Microsoft has announced. Microsoft Windows Media Services are also being targeted. In addition to these latest threats, as usual, there are a number of major viruses floating around the Web that you should be aware of.
OUTLOOK 2002 VULNERABILITY FOUND
On March 9, Microsoft issued a Critical Security Warning for users of Outlook 2002, and on March 10 it issued an additional warning about the same exposure. Microsoft discovered a vulnerability in Outlook 2002 that can allow Internet Explorer to execute script code in the “local machine zone” of an affected system. The script is triggered when Outlook 2002 parses a specially formatted “mailto” URL. To exploit this vulnerability, an attacker would have to host a malicious Web site containing a Web page designed to exploit the flaw and then entice a user to visit that page. Alternatively, the hacker could craft an HTML-formatted e-mail message designed to exploit the vulnerability and persuade the user to read the e-mail in HTML format. Once the script runs, the hacker can access files on the user’s Windows XP system or run arbitrary code on that system. More information on this latest Microsoft vulnerability can be found on Microsoft’s Web site. To close this vulnerability, download the latest security patch.
WINDOWS MEDIA SERVICES VULNERABILITY
The following information is from Microsoft Security Bulletin MS03-022.
Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server, and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions.
This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension, nsiislog.dll. When Windows Media Services is added to Windows 2000 through Add/Remove Programs, nsiislog.dll is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, nsiislog.dll is automatically loaded and used by IIS. There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send specially formed HTTP requests to the server that could cause IIS to fail or execute code on the user’s system.
Windows Media Services is not installed by default on Windows 2000. An attacker attempting to exploit this vulnerability would have to know which computers on the network had Windows Media Services installed on them and send a specific request to that server.
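Because nsiislog.dll sits in the IIS Scripts directory and is reached through ordinary HTTP requests, an administrator who cannot patch immediately can at least review the IIS logs for traffic to it. The following is an added example, not code from Microsoft or from the bulletin: it parses IIS W3C extended log lines (constructed sample data) and reports every client request whose URI names nsiislog.dll; the cs-bytes threshold used to mark a request as unusually large is an assumption chosen for the demonstration, not a value from the bulletin.

```python
# Added example: review IIS W3C extended log lines for requests to
# nsiislog.dll (the Windows Media Services logging ISAPI extension).
from typing import Dict, Iterable, List

LARGE_REQUEST_BYTES = 8192  # assumption: flag unusually large client requests


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line:
            continue  # #Software/#Version/#Date directives and blank lines
        else:
            values = line.split(" ")
            if fields and len(values) == len(fields):  # skip malformed rows
                records.append(dict(zip(fields, values)))
    return records


def find_nsiislog_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] != "nsiislog.dll":  # any path, any case
            continue
        cs_bytes = int(rec["cs-bytes"]) if rec.get("cs-bytes", "").isdigit() else 0
        hits.append({
            "client": rec.get("c-ip", "?"),
            "method": rec.get("cs-method", "?"),
            "status": rec.get("sc-status", "?"),
            "cs_bytes": cs_bytes,  # bytes received from the client
            "large": cs_bytes >= LARGE_REQUEST_BYTES,
        })
    return hits


# Constructed sample log: one oversized POST to nsiislog.dll, one ordinary one.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2004-03-17 10:15:02 192.0.2.10 GET /default.htm - 200 210
2004-03-17 10:15:40 192.0.2.55 POST /scripts/nsiislog.dll - 500 65000
2004-03-17 10:16:05 192.0.2.20 POST /Scripts/NSIISLOG.DLL - 200 300
2004-03-17 10:16:30 192.0.2.10 GET /scripts/other.dll - 404 180
"""
```

Running `find_nsiislog_requests(SAMPLE_LOG.splitlines())` returns the two nsiislog.dll requests, with only the 65,000-byte POST marked as large.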
THIS WEEK’S NASTY WINDOWS WORRIES
The following information is from Symantec’s Web site, at www.symantec.com.
Trojan.Mitglieder.E is a variant of Trojan.Mitglieder. The Trojan opens a proxy on the system, attempts to stop security software, and is able to update itself.
W32.Beagle.M@mm is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through e-mail. Like previous Beagle variants, this worm opens a backdoor (it listens on TCP port 2556) and attempts to spread through file-sharing networks by copying itself to folders that contain “shar” in their names. W32.Beagle.M@mm also infects files with the EXE extension.
Trojan.Etsur monitors and records certain user activity and sends information back to its creator. In particular, it may record online-banking user names and passwords.
Trojan.Noupdate is a Trojan horse that attempts to prevent users from updating their computer with the latest Microsoft Windows patches.
Trojan.Gipma is a Trojan horse program that displays obscene messages and makes the desktop and task bar invisible. Trojan.Gipma is written in Microsoft Visual Basic.
W32.Cone.D@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it gathers from files on an infected computer. The e-mail attachment will have a .exe or .zip file extension. This threat is written in Microsoft Visual C++ and is compressed with UPX.
W32.Netsky.M@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning hard drives and mapped drives. The “sender” of the e-mail is spoofed, and its subject, message body, and attachments vary. The attachment has a .pif extension.
Trojan.Simcss.B is a variant of Trojan.Simcss that terminates processes and downloads and executes files from the Internet.
PTFs AND FIXES FOR OS/400 AND RELATED PROGRAMS
IBM released the latest cumulative package for V5R2 customers on January 21.
The latest HIPER package was released March 3.