On April 13th, Microsoft released three Security Bulletins, which address 18 new vulnerabilities and included updates for three existing vulnerabilities:

• MS04-011 provides a Security Update for Windows that rectifies 14 new vulnerabilities, many of which are highly critical.
• MS04-012 is a Cumulative Update for Microsoft RPC/DCOM Security and details 3 new vulnerabilities and 1 previously known vulnerability.
• MS04-013 provides a cumulative patch for Microsoft Outlook Express that addresses two new vulnerabilities.

April 30th saw the release of the first version of the Sasser worm. W32.Sasser.Worm is a blended threat that attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems. This worm and its variants are estimated to have infected millions of PCs worldwide. See later in the Newsletter for more details on the worm and the LSASS vulnerability.

Prison Time for Cyber Stock Swindler
By Kevin Poulsen May 6th 2004
A young investor, with more wiles than trading luck, was sentenced to 13 months in prison Wednesday for using a Trojan horse program and someone else's online brokerage account to sell thousands of worthless stock options to an unwilling buyer... >>

Attack Trend Highlights

• In the first half of 2003, only one sixth of the companies analyzed reported a serious breach. In the second half of the year, half of the companies reported a serious breach.
• Worms remained the most common source of attack activity.
• Almost one third of all attacking systems targeted the vulnerability exploited by Blaster.
• Attackers increasingly targeted backdoors left by other attackers and worms.
• Companies detecting severe attacks rose from 17% to 45%.
• Financial services, healthcare, and power and energy were among the industries hardest hit by severe events.
• Increased client tenure continues to result in a decrease of severe events. Over 70% of clients with tenure of more than six months successfully avoided a severe event.

Vulnerability Trend Highlights

• Symantec documented 2,636 new vulnerabilities in 2003, an average of seven per day.
• Symantec data indicates that the rate of vulnerability disclosure has leveled off.
• Newly discovered vulnerabilities are increasingly severe and easy to exploit.
• 70% of vulnerabilities in 2003 were classified as easy to exploit.
• The percentage of vulnerabilities for which exploit code was publicly available increased by 5%.
• The percentage of vulnerabilities that do not require specialized tools to exploit them increased by 6% in 2003.

Malicious Code Trend Highlights

• Blended threats make up 54% of the top ten submissions over the past six months.
• Two and a half times the number of WIN32 viruses and worms were submitted to Symantec than over the same period in 2002.
• Within the top ten malicious code submissions, the number of mass-mailer worms with their own mail engine increased by 61% over first half of 2003.
• Threats to privacy and confidentiality were the fastest growing threat, with 519% growth in volume of submissions within the top ten.

In April, the Threat Analyst team released an analysis of the peer to-peer intercommunication structure of the Gaobot-based Phatbot. Unlike traditional IRC-based bots, Phatbot permits its operator to obscure the location of its communication nodes in order to create multiple levels of fault tolerance. The protocol utilized by Phatbot is based on WASTE, an open source peer-to-peer sharing protocol that has been augmented with Phatbot-specific extensions. Phatbot, like other variants of Gaobot, provides full access to compromised hosts, the ability to gather information from these hosts, and the ability to launch Denial of Service attacks against targets selected by the owner of the botnet. Phatbot also permits its controller to sniff for authentication tokens and determine if the infected computers are able to use AOL as a gateway for spam.

The following are some of the significant vulnerability alerts Symantec released in the past two months.

Multiple Vendor HTTP Response Splitting Vulnerability
http://online.securityfocus.com/bid/9804
A paper (Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics) was released to describe various attacks that target Web users through Web applications, browsers, Web or application servers, and proxy implementations. These attacks are described under the general category of HTTP Response Splitting and involve abusing various input validation flaws in these implementations to split HTTP responses into multiple parts in such a way that response data may be misrepresented to client users. Exploitation would occur by injecting variations of CR/LF sequences into parts of HTTP response headers, which the attacker may control or influence. The general consequences of exploitation are that an attacker may misrepresent web content to the client, potentially enticing the user to trust the content, and then take actions based on this false trust. While the various implementations listed in the paper contribute to these attacks, this issue will most likely be exposed through web applications that do not properly account for CR/LF sequences when accepting user-supplied input that may be returned in server responses. This vulnerability could also aid in exploitation of cross-site scripting vulnerabilities.

Microsoft MSN Messenger Information Disclosure Vulnerability
http://online.securityfocus.com/bid/9828
MSN Messenger has been reported to be prone to an information disclosure vulnerability. This could allow a remote user to view the contents of files on the vulnerable user's computer. The issue presents itself when a remote user initiates a malformed file transfer request to an MSN user. This malformed request could allow the remote user to view the contents of a file on the computer, provided they already know the location and name of the file. The vulnerable MSN user would also have to have permission to access the file. The attacker would also have to know the MSN Messenger sign-on name of the user in order to send the malformed request.

Apache Mod_Access Access Control Rule Bypass Vulnerability
http://online.securityfocus.com/bid/9829
Apache mod_access has been reported to be prone to an access rule bypass vulnerability. The issue is reported to occur only when the affected service is run on big-endian 64-bit platforms. When an Allow or Deny rule is specified and an IP address is used in the rule without a corresponding netmask, the affected module may fail to match the rule. As a result of this vulnerability, access controls may not be enforced correctly. This could lead a system administrator into a false sense of security where it is believed that the server is not exposed to malicious traffic. A remote attacker may exploit this issue to bypass access controls on the affected server.

Yahoo! Messenger YInsthelper.DLL Multiple Buffer Overflow Vulnerabilities
http://online.securityfocus.com/bid/10199
Yahoo! Messenger is a freely available chat client distributed and maintained by Yahoo! It is available for the Microsoft Windows platform. When Yahoo! Messenger is installed it registers "yinsthelper.dll." This library adds the following COM objects:

• YInstHelper.YInstStarter.1
• YInstHelper.YAcs1
• YInstHelper.YSearchSetting2

It has been reported that the COM objects YInstHelper.YInstStarter.1 and YInstHelper.YSearchSetting2 are prone to remote memory corruption vulnerabilities, most likely due to buffer overflow conditions. The condition occurs in YInstHelper.YInstStarter.1 when the properties "DesktopIcon", "AppId", and "Test" are given values that are 255 bytes or longer. By crafting a HTML page that invokes this COM object, and passing data to one of these properties, an attacker may overwrite values that are crucial to controlling program execution flow. Ultimately an attacker may exploit these issues and then execute arbitrary instructions in the context of the user who is running an instance of Internet Explorer used to view the malicious Web page.

• Causes significant performance degradation.

Attack Vectors

• TCP 445, 5554, 9996
  5554/tcp
  Utilized by the built-in FTP server thread.
  9996/tcp
  The victim binds a command shell to this port and awaits a connection from the attacker.
  

Mitigating Strategies

• Apply updated AntiVirus Definitions.
• Apply patches available from Microsoft Security Bulletin MS04-011.
• Filter out traffic targeting UDP ports 135, 137, 138, and 445 as well as TCP ports 135, 139, 445 and 593 and any ports above 1024.
• Monitor incoming traffic for packets targeting TCP port 9996 and outgoing traffic destined for TCP port 5554.
• Additionally, the following two processes are believed to prevent exploitation, but are as of yet untested by the Threat Analyst Team.
  • Create a file named "dcpromo.log" in the %systemroot%\debug directory. This file must be marked read-only.
  • Stop the server service (net stop server /y).

Symantec Solutions: Symantec Vulnerability Assessment, Symantec Enterprise Security Manager.

Mitigating factors

• Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
• Local attack vectors are reported to exist for this vulnerability. Do not permit untrusted individuals to have interactive access to the system. This will reduce exposure to privilege escalation attacks via this or other latent vulnerabilities.
• Block external access at the network boundary, unless external parties require the service.
• Regulate external or untrusted network traffic by using multiple network access control layers. This will help to limit exposure to exploitation of this and other latent vulnerabilities. This includes blocking RPC ports such as UDP ports 135-139 and 445 and TCP ports 138-139, 445, and 593.
• Deploy network intrusion detection systems to monitor network traffic for malicious, anomalous, or suspicious activity. This may help in detecting attack attempts or activity that is the result of successful exploitation of this or other latent vulnerabilities.
• Microsoft has released fixes to address this issue.

Credits
Vulnerability discovery credited to eEye Digital Security.

References
Source: Microsoft Security Bulletin MS04-011
URL: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Source: Windows Local Security Authority Service Remote Buffer Overflow
URL: http://www.eeye.com/html/Research/Advisories/AD20040413C.html

Multiple Vendor TCP Sequence Number Approximation Vulnerability
Risk: High
Date: April 20, 2004
Components Affected: Many, listed here: http://securityresponse.symantec.com/avcenter/security/Content/10183.html
Overview
A vulnerability in TCP implementations has been reported that may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. This vulnerability may permit TCP sequence numbers to be more easily approximated by remote attackers.

The cause of the vulnerability is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port.

There are a few factors that may present viable target implementations, such as those which depend on long-lived TCP connections, those which have known or easily guessed IP address endpoints and those implementations with known or easily guessed TCP source ports. It has been noted that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms.

Recommendations

• Block external access at the network boundary, unless external parties require the service.
• Employ ingress and egress filtering to verify source IP addresses at the network gateway.
• Communicate sensitive information over encrypted channels.
• Implementing IP Security (IPSEC) to encrypt TCP traffic can help against an attack. Authenticated BGP may also be deployed to mitigate attacks versus BGP implementations.
• Review and adjust according to policy any default configuration settings.
• Limiting TCP source port information may conceal sensitive information from an attacker that may be useful in carrying out an attack.

Credits
Discovery of this vulnerability has been credited to Paul A. Watson.

References
Source: NetBSD 2004-006 TCP protocol and implementation vulnerability
URL: http://online.securityfocus.com/advisories/6610

Source: SGI 20040403-01-A Vulnerabilities in long-lived TCP connections
URL: http://online.securityfocus.com/advisories/6612

Source: Cisco cisco-sa-20040420-tcp-ios Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco Products
URL: http://online.securityfocus.com/advisories/6604

Source: Cisco cisco-sa-20040420-tcp-nonios Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS Cisco Products
URL: http://online.securityfocus.com/advisories/6603

Source: announce_en_20040421_01: TCP protocol vulnerability in SEIL series products
URL: http://www.seil.jp/en/ann/announce_en_20040421_01.txt

Source: Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco Product
URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml

Source: Multiple Vendor TCP Denial of Service Vulnerability
URL: http://xforce.iss.net/xforce/alerts/id/170

Source: NISCC Vulnerability Advisory 236929
URL: http://www.uniras.gov.uk/vuls/2004/236929/index.htm

Source: Security Advisory: TCP Vulnerability CAN-2004-0230
URL: http://www.bluecoat.com/support/knowledge/advisory_tcp_can-2004-0230.html

Source: TA04-111A Vulnerabilities in TCP
URL: http://www.us-cert.gov/cas/techalerts/TA04-111A.html

Source: TCP RFC Alert
URL: http://www.checkpoint.com/techsupport/alerts/tcp_dos.html

ACNS 2004: 2nd Conference of Applied Cryptography & Network Security
Date: June 8-11th, 2004
Location: Yellow Mountain, China

Blackhat USA 2004 Briefings and Training
Date: July 26-29th, 2004
Location: Las Vegas, United States

13th Usenix Security Conference
Date: Aug 9-13th, 2004
Location: San Diego, United States

For more events go to our online Events Calendar:
http://enterprisesecurity.symantec.com/content/globalevents.cfm