Issue of November 2002

Security Watch

Read about the latest developments in security every month

Microsoft patch for flaws in its Java VM
Microsoft has alerted users to two software flaws that could allow an attacker to take control of PCs running Windows. The flaws lie in the Microsoft Virtual Machine (VM), the software that runs Java applications and applets on Windows computers.

All Windows users should patch their software to correct the flaws, which Microsoft has rated critical. An attacker can exploit them by sending the user an e-mail in HTML format or by luring the user to a specially crafted website; in either case the malicious Java code is run by the VM when the page is rendered.

The first flaw lies in the Java Database Connectivity (JDBC) classes that allow Java applications to connect to databases, and the second in a class that supports the use of XML by Java applications.

Microsoft also disclosed a third, less serious flaw in the database support functions of the VM. Java normally enforces a sandbox so that untrusted code, such as an applet on a web page, runs with restricted privileges; these flaws let such code escape the sandbox and act with the privileges of the logged-on user.

Systems affected
Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool. All builds of the Microsoft VM up to and including build 5.0.3805 are affected by these vulnerabilities.

The Microsoft VM is a standard part of most versions of Windows and is delivered with the Internet Explorer web browser. It is also available as a separate download and may have been installed by other programs that require it, so a machine can carry the VM even if it was never installed deliberately.

Solution/Patches
Apply the patch Microsoft has released for the VM; it is available through the Microsoft Download Center and Windows Update (see 'Other security patches' below). Users seeking an alternative to Microsoft's VM can install Sun's Java VM for Windows.

Other security patches
Security patches are available from the Microsoft Download Center and can be found most easily by searching for 'security patch'. Patches for consumer platforms are available from the Windows Update web site.

BugBear attacks port 137/UDP
Reports have been received of an increase in scanning activity directed at port 137/UDP, the port used for NetBIOS name resolution by Windows networking. Reports suggest that this activity is related to a piece of malicious code known as W32/BugBear.

W32/BugBear is malicious code designed to send itself out as a file attached to an e-mail message; the attachment name, subject line and message body vary. Once the attachment is run, BugBear creates several randomly named files on the affected computer. Some of these are copies of the worm, such as %sysdir%\????.exe or %startup%\???.exe, where each '?' stands for a randomly chosen character.

Several anti-virus vendors have published signatures and additional information about this worm.

Systems affected
BugBear opens TCP port 36794 on the infected computer as a backdoor through which an attacker can gain remote access to the machine or its network, and it terminates anti-virus programs and personal firewalls so that it is neither detected nor blocked. Finally, the worm adds an entry to the Windows Registry so that it is run every time the system starts.
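The two network indicators above, fan-out scanning of 137/UDP and connections to the 36794 backdoor port, are easy to hunt for in firewall logs. The following C program is an added example, not code from the advisory or from any anti-virus vendor: it reads constructed iptables-style log lines (the `src=`/`dst=`/`proto=`/`dport=` field names, the six-target scanning threshold and all addresses are assumptions made for illustration) and flags sources that send NetBIOS name queries to many distinct hosts or that connect to TCP 36794.

```c
/* bugbear_scan_detect.c -- added example, not code from the advisory or from
 * any anti-virus vendor. Flags log sources that fan out 137/UDP queries to many
 * hosts or that connect to the TCP 36794 backdoor. Field names, threshold and
 * addresses are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SRC        16   /* distinct source addresses tracked */
#define MAX_TARGETS    32   /* distinct 137/UDP destinations remembered per source */
#define SCAN_THRESHOLD  6   /* this many distinct NetBIOS targets counts as scanning */
#define BACKDOOR_PORT 36794 /* BugBear's listening port */

struct src_stat {
    char ip[16];
    char targets[MAX_TARGETS][16];
    int ntargets;
    int backdoor_hits;
};
static struct src_stat stats[MAX_SRC];
static int nstats;

static struct src_stat *get_stat(const char *ip)
{
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].ip, ip) == 0) return &stats[i];
    if (nstats == MAX_SRC) return NULL;
    strcpy(stats[nstats].ip, ip);            /* field() limits ip to 15 chars */
    return &stats[nstats++];
}

/* Copy the token following key (e.g. "src=") into out; 0 if absent or too long. */
static int field(const char *line, const char *key, char *out, size_t outsz)
{
    const char *p = strstr(line, key);
    if (!p) return 0;
    p += strlen(key);
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outsz) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Returns 1 if the line carried the fields we need and was counted. */
int ingest_line(const char *line)
{
    char src[16], dst[16], proto[8], port[8];
    if (!field(line, "src=", src, sizeof src) || !field(line, "dst=", dst, sizeof dst) ||
        !field(line, "proto=", proto, sizeof proto) || !field(line, "dport=", port, sizeof port))
        return 0;
    struct src_stat *s = get_stat(src);
    if (!s) return 0;
    int dport = atoi(port);
    if (strcmp(proto, "udp") == 0 && dport == 137) {
        for (int i = 0; i < s->ntargets; i++)
            if (strcmp(s->targets[i], dst) == 0) return 1;   /* count distinct targets only */
        if (s->ntargets < MAX_TARGETS) strcpy(s->targets[s->ntargets++], dst);
    } else if (strcmp(proto, "tcp") == 0 && dport == BACKDOOR_PORT) {
        s->backdoor_hits++;
    }
    return 1;
}

/* Feed a newline-separated log from scratch; returns the number of lines counted. */
int ingest_log(const char *log)
{
    char line[256];
    int counted = 0;
    memset(stats, 0, sizeof stats);
    nstats = 0;
    while (*log) {
        size_t n = strcspn(log, "\n");
        if (n < sizeof line) { memcpy(line, log, n); line[n] = '\0'; counted += ingest_line(line); }
        log += n + (log[n] == '\n');
    }
    return counted;
}

/* 1 if ip looks like a BugBear scanner or a client of its backdoor. */
int is_suspect(const char *ip)
{
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].ip, ip) == 0)
            return stats[i].ntargets >= SCAN_THRESHOLD || stats[i].backdoor_hits > 0;
    return 0;
}

/* Constructed sample log (iptables-like fields), not captured traffic. */
const char *SAMPLE_LOG =
    "Oct 01 10:00:01 fw src=192.0.2.10 dst=192.0.2.1 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:01 fw src=192.0.2.10 dst=192.0.2.2 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:01 fw src=192.0.2.10 dst=192.0.2.3 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:02 fw src=192.0.2.10 dst=192.0.2.4 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:02 fw src=192.0.2.10 dst=192.0.2.5 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:02 fw src=192.0.2.10 dst=192.0.2.6 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:03 fw src=192.0.2.10 dst=192.0.2.6 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:05 fw src=192.0.2.20 dst=192.0.2.5 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:05 fw src=192.0.2.20 dst=192.0.2.6 proto=udp sport=137 dport=137\n"
    "Oct 01 10:00:09 fw link state change on eth1\n"
    "Oct 01 10:00:12 fw src=198.51.100.7 dst=192.0.2.10 proto=tcp sport=4412 dport=36794\n";

int main(void)
{
    printf("%d lines counted\n", ingest_log(SAMPLE_LOG));
    for (int i = 0; i < nstats; i++)
        printf("%-14s targets=%2d backdoor=%d %s\n", stats[i].ip, stats[i].ntargets,
               stats[i].backdoor_hits, is_suspect(stats[i].ip) ? "SUSPECT" : "ok");
    return 0;
}
```

A host resolving a handful of NetBIOS names is normal, so the check counts distinct destinations per source rather than packets. A single connection to 36794 is treated as suspicious on its own, since the port has no legitimate use; on a real network the source of that connection is worth as much attention as the infected host it reached.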

Solution/Patches
To avoid infection, users should update their anti-virus software immediately. An update that detects and removes BugBear can be downloaded from www.pandasoftware.com.

Buffer Overflows in Resolver Libraries
Buffer overflow vulnerabilities exist in multiple implementations of DNS resolver libraries. DNS provides name, address and other information about IP networks and devices. To access DNS information, a network application uses the resolver to perform DNS queries on its behalf. Resolver functionality is commonly implemented in libraries that are included with the operating system.

Multiple implementations of DNS resolver libraries contain remotely exploitable buffer overflow vulnerabilities in the code used to handle DNS responses. Two kinds of response can trigger the overflows: responses for host names or addresses (handled by the gethostbyname family of functions) and responses for network names or addresses (the getnetbyname family). The BSD (libc) and ISC BIND (libbind) resolvers are vulnerable to both kinds.

An attacker who is able to send malicious DNS responses, for example by controlling a name server that the victim queries or by spoofing replies to the victim's queries, could exploit the vulnerabilities to execute arbitrary code or cause a denial of service on vulnerable systems. Any code executed by the attacker would run with the privileges of the process that calls the vulnerable resolver function.
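The pattern behind these bugs is a response parser that copies data into fixed-size buffers while trusting the lengths carried in the message. The following C program is an added example, not code from the advisory or from libbind, libc or glibc: it extracts the A records of a DNS response into a small fixed structure, checking every name label, record header and RDLENGTH against the bytes actually received and against the buffers' capacity. The response bytes, the `hostent_lite` structure and the `MAXADDRS` limit are constructed for illustration.

```c
/* dns_answer_check.c -- added example, not code from the advisory or from
 * libbind/libc/glibc. Parses the answer section of a DNS response with the
 * bounds checks the vulnerable resolvers lacked. Runs offline on a constructed
 * response. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXADDRS 4                  /* capacity of the fixed address buffer */
#define MAX_NAME 255                /* RFC 1035 name length limit */

struct hostent_lite {               /* stand-in for the libc hostent buffers */
    char name[MAX_NAME + 1];
    uint8_t addrs[MAXADDRS][4];
    int naddrs;
};

static int rd16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Walk a (possibly compressed) name at off, checking every byte read against
 * len. Returns the offset just past the name in the original stream, or -1 on
 * malformed input. If out is non-NULL, the dotted name is copied into it. */
static int parse_name(const uint8_t *msg, size_t len, size_t off,
                      char *out, size_t outsz)
{
    size_t end = 0, outpos = 0;
    int jumped = 0, hops = 0;
    for (;;) {
        if (off >= len) return -1;                 /* read past end of message */
        uint8_t l = msg[off];
        if ((l & 0xC0) == 0xC0) {                  /* compression pointer */
            if (off + 1 >= len) return -1;
            if (!jumped) end = off + 2;
            if (++hops > 16) return -1;            /* pointer loop */
            off = ((l & 0x3F) << 8) | msg[off + 1];
            jumped = 1;
            continue;
        }
        if (l > 63) return -1;                     /* reserved label type */
        off++;
        if (l == 0) { if (!jumped) end = off; break; }
        if (off + l > len) return -1;              /* label runs past message */
        if (out) {
            if (outpos + l + 1 >= outsz) return -1; /* would overflow name buffer */
            memcpy(out + outpos, msg + off, l);
            outpos += l;
            out[outpos++] = '.';
        }
        off += l;
    }
    if (out) out[outpos ? outpos - 1 : 0] = '\0';  /* drop trailing dot */
    return (int)end;
}

/* Fill h from the A records in msg. Returns the number of addresses stored,
 * or -1 if the message is malformed. Records beyond MAXADDRS are ignored
 * rather than written past the buffer. */
int parse_a_response(const uint8_t *msg, size_t len, struct hostent_lite *h)
{
    memset(h, 0, sizeof *h);
    if (len < 12) return -1;                       /* header is 12 bytes */
    int qd = rd16(msg + 4), an = rd16(msg + 6);
    size_t off = 12;
    for (int i = 0; i < qd; i++) {                 /* skip the question section */
        int n = parse_name(msg, len, off, NULL, 0);
        if (n < 0 || (size_t)n + 4 > len) return -1;
        off = (size_t)n + 4;                       /* QTYPE + QCLASS */
    }
    for (int i = 0; i < an; i++) {
        int n = parse_name(msg, len, off, i == 0 ? h->name : NULL, sizeof h->name);
        if (n < 0 || (size_t)n + 10 > len) return -1;  /* TYPE, CLASS, TTL, RDLENGTH */
        int type = rd16(msg + n), rdlen = rd16(msg + n + 8);
        off = (size_t)n + 10;
        if (off + (size_t)rdlen > len) return -1;  /* RDLENGTH claims bytes never received */
        if (type == 1) {                           /* A record */
            if (rdlen != 4) return -1;             /* not an IPv4 address */
            /* The vulnerable code did the equivalent of memcpy(bp, rdata, rdlen)
             * with neither rdlen nor the room left in the buffer checked. */
            if (h->naddrs < MAXADDRS)
                memcpy(h->addrs[h->naddrs++], msg + off, 4);
        }
        off += (size_t)rdlen;
    }
    return h->naddrs;
}

/* Constructed response: www.example.com A 93.184.216.34 and 93.184.216.35,
 * both answers using a compression pointer (0xC00C) back to the question name. */
static const uint8_t good_response[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 93,184,216,34,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 93,184,216,35,
};

int count_addrs(const uint8_t *msg, size_t len)
{
    struct hostent_lite h;
    return parse_a_response(msg, len, &h);
}

/* Parse a copy of good_response with the first answer's RDLENGTH overwritten. */
int count_addrs_with_rdlen(unsigned rdlen)
{
    uint8_t m[sizeof good_response];
    memcpy(m, good_response, sizeof m);
    m[43] = (uint8_t)(rdlen >> 8);
    m[44] = (uint8_t)rdlen;
    return count_addrs(m, sizeof m);
}

int name_is(const uint8_t *msg, size_t len, const char *expected)
{
    struct hostent_lite h;
    return parse_a_response(msg, len, &h) >= 0 && strcmp(h.name, expected) == 0;
}

int main(void)
{
    printf("well-formed:       %d addresses\n", count_addrs(good_response, sizeof good_response));
    printf("RDLENGTH=4096:     %d\n", count_addrs_with_rdlen(4096));
    printf("truncated to 40 B: %d\n", count_addrs(good_response, 40));
    return 0;
}
```

The three rejections at the end are the cases the advisory is about: an RDLENGTH larger than the data that follows it, a record size that does not match its type, and a message cut short before the record header is complete. A parser that checks these before every copy cannot be made to write past its buffers no matter what a hostile name server returns.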

Systems affected
Applications using vulnerable implementations of the DNS resolver libraries:

  • Internet Software Consortium (ISC), Berkeley Internet Name Domain (BIND) DNS resolver library (libbind)
  • Berkeley Software Distribution (BSD) DNS resolver library (libc)
  • GNU DNS resolver library (glibc)

Solutions/Patches
Upgrade to a corrected version of the DNS resolver libraries. Because the resolver libraries are used by many applications on most systems, it may be necessary to apply several patches and then recompile statically linked applications.

Applications that are statically linked carry their own copy of the resolver code and must be recompiled against patched resolver libraries. Applications that are dynamically linked do not need to be recompiled, but a running process keeps the old library mapped until it is restarted, so patching the library alone does not protect services already running. System administrators should consider the following process when addressing this issue:
1. Patch or obtain updated resolver libraries.
2. Restart any dynamically linked services that use the resolver libraries.
3. Recompile any statically linked applications using the patched or updated resolver libraries.

Caldera
Caldera OpenLinux is affected (glibc):
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-034.1.txt

Caldera UnixWare is affected: ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.37.txt

FreeBSD
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc

IBM Corporation
A temporary patch is available as an efix package. Efixes are available from ftp.software.ibm.com/aix/efixes/security.

Internet Software Consortium
Updated BIND releases can be found at:
ftp://ftp.isc.org/isc/bind/src/4.9.9/
ftp://ftp.isc.org/isc/bind/src/8.2.6/
ftp://ftp.isc.org/isc/bind/src/8.3.3/
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.3.3/

Sun Microsystems
http://sunsolve.sun.com/security


Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD