about the latest developments in security every month
patch for flaw in its Java VM
Microsoft has alerted users about two software flaws
that could allow an attacker to take control of PCs
running the Windows operating systems. The flaws lie
in Microsoft's Virtual Machine (VM) software for running
Java applications on Windows computers.
All Windows users should patch their software to correct
the flaws, which have been described as critical by Microsoft.
Through the flaw an attacker can send the user an e-mail
in HTML format or lure a user to a specially crafted
Microsoft has warned of the two flaws in a feature that
supports remote terminal connections to PCs running
Windows 2000 and Windows XP.
These flaws affect users of terminal services and remote
desktop. The first flaw lies in a feature that allows
Java applications to connect to databases and the second
in a function that supports the use of XML by Java applications.
Microsoft also disclosed a third, less serious flaw
in the database support functions of its Virtual Machine
(VM). Java usually enforces a sandboxing model so you
can run code in a safe manner. But Microsoft's VM allows
any programmer to escape that secure model.
Versions of the Microsoft VM are identified by build
numbers, which can be determined using the JVIEW tool.
All builds of the Microsoft VM up to and including build
5.0.3805 are affected by these vulnerabilities.
The virtual machine (VM) is a standard part of most
versions of Windows and is delivered with the Internet
Explorer Web browser. It is also available as a separate
download. The VM is installed if a program starts.
Users seeking an alternative to Microsoft's VM can install
Sun's Java VM for Windows.
Other security patches
Security patches are available from the Microsoft Download
Center, and can be most easily found by doing a keyword
search for 'security patch'. Patches for consumer platforms
are available from the Windows Update web site.
BugBear attacks port 137/UDP
Reports have been received of an increase in scanning activity
directed at port 137/UDP. This port is commonly used
for NetBIOS name resolution by Windows networking. Reports
suggest that this activity is related to a piece of
malicious code known as W32/BugBear.
W32/BugBear is malicious code designed to send itself
out in a file attached to an e-mail message. The name
of the attachment and the e-mail subject and message
vary. Once the attached file is run, BugBear creates
several files with random names on the affected computer.
Some of these files are copies of the worm, like %sysdir%\????.exe
or %startup%\???.exe, where each '?' symbol corresponds
to a different character.
Several anti-virus vendors have published signatures
and additional information about this worm.
BugBear can open port 36794 on the affected computer
and stop applications like anti-virus programs and personal
firewalls. As a result, the worm opens a backdoor that
could allow an attacker to access a remote computer
or network. Finally, the worm enters the Windows Registry
in order to ensure it is run every time the system is
In order to avoid infection it is recommended that users
update their anti-virus solutions immediately. The update,
which detects and removes Bugbear, can be downloaded
Buffer Overflows in Resolver Libraries
Buffer overflow vulnerabilities exist in multiple implementations
of DNS resolver libraries. The DNS protocol provides
name, address, and other information about IP networks
and devices. To access DNS information, a network application
uses the resolver to perform DNS queries on its behalf.
Resolver functionality is commonly implemented in libraries
that are included with the OS.
Multiple implementations of DNS resolver libraries contain
remotely exploitable buffer overflow vulnerabilities
in the code used to handle DNS responses. Two sets of
responses could trigger buffer overflows in the vulnerable
DNS resolver libraries: responses for host names or
addresses, and responses for network names or addresses.
BSD (libc) and ISC BIND (libbind) resolvers are vulnerable
to both types of responses.
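As an added example (not code from any of the resolver libraries named here), the following C program parses the A records in the answer section of a DNS response into a fixed-size buffer the way a resolver has to: every field it reads is checked against the packet length, and the copy into the caller's buffer is refused once that buffer is full rather than being allowed to run past it. The packet builder, the www.example.com name and the 192.0.2.x addresses are constructed test data, not captured traffic.

```c
/* Added example (not from any resolver library): a bounds-checked parser
 * for the A records in the answer section of a DNS response, showing the
 * checks a resolver needs when copying response data into fixed buffers. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_HDR_LEN 12
#define DNS_TYPE_A  1

/* Advance *pos past a DNS name (labels or a compression pointer).
 * Returns 0 on success, -1 if the name runs off the end of the packet. */
static int skip_name(const uint8_t *pkt, size_t len, size_t *pos)
{
    size_t p = *pos;
    for (;;) {
        if (p >= len) return -1;
        uint8_t c = pkt[p];
        if (c == 0) { *pos = p + 1; return 0; }          /* root label */
        if ((c & 0xC0) == 0xC0) {                         /* 2-byte pointer */
            if (p + 1 >= len) return -1;
            *pos = p + 2;
            return 0;
        }
        p += 1 + c;                                       /* ordinary label */
    }
}

/* Copy the A-record addresses from a DNS response into addrs, which holds
 * at most cap entries. Returns the number stored, or -1 if the packet is
 * malformed or carries more addresses than the caller's buffer can take.
 * That last check is the one that matters: a resolver that trusts ANCOUNT
 * and copies without it writes past the end of its buffer. */
int parse_a_records(const uint8_t *pkt, size_t len, uint8_t addrs[][4], size_t cap)
{
    if (len < DNS_HDR_LEN) return -1;
    size_t qdcount = ((size_t)pkt[4] << 8) | pkt[5];
    size_t ancount = ((size_t)pkt[6] << 8) | pkt[7];
    size_t pos = DNS_HDR_LEN;

    for (size_t i = 0; i < qdcount; i++) {              /* skip questions */
        if (skip_name(pkt, len, &pos) < 0) return -1;
        if (pos + 4 > len) return -1;                   /* QTYPE, QCLASS */
        pos += 4;
    }
    size_t n = 0;
    for (size_t i = 0; i < ancount; i++) {
        if (skip_name(pkt, len, &pos) < 0) return -1;
        if (pos + 10 > len) return -1;                  /* TYPE CLASS TTL RDLENGTH */
        uint16_t type  = (uint16_t)((pkt[pos] << 8) | pkt[pos + 1]);
        uint16_t rdlen = (uint16_t)((pkt[pos + 8] << 8) | pkt[pos + 9]);
        pos += 10;
        if (pos + rdlen > len) return -1;               /* RDATA truncated */
        if (type == DNS_TYPE_A && rdlen == 4) {
            if (n >= cap) return -1;                    /* would overflow addrs */
            memcpy(addrs[n++], pkt + pos, 4);
        }
        pos += rdlen;
    }
    return (int)n;
}

/* Build a constructed response for www.example.com with nanswers A records
 * (192.0.2.1, 192.0.2.2, ...), each using a compression pointer to the
 * question name. Returns the packet length, or 0 if out is too small. */
size_t build_sample_response(uint8_t *out, size_t outlen, size_t nanswers)
{
    static const uint8_t qname[] = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
    size_t need = DNS_HDR_LEN + sizeof qname + 4 + nanswers * 16;
    if (nanswers > 0xFFFF || need > outlen) return 0;
    memset(out, 0, need);
    out[0] = 0x12; out[1] = 0x34;                        /* transaction ID */
    out[2] = 0x81; out[3] = 0x80;                        /* QR=1, RD, RA */
    out[5] = 1;                                          /* QDCOUNT = 1 */
    out[6] = (uint8_t)(nanswers >> 8); out[7] = (uint8_t)nanswers;
    size_t p = DNS_HDR_LEN;
    memcpy(out + p, qname, sizeof qname); p += sizeof qname;
    out[p + 1] = 1; out[p + 3] = 1; p += 4;              /* QTYPE A, QCLASS IN */
    for (size_t i = 0; i < nanswers; i++) {
        uint8_t rr[16] = { 0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 192,0,2,0 };
        rr[15] = (uint8_t)(i + 1);
        memcpy(out + p, rr, sizeof rr); p += sizeof rr;
    }
    return p;
}

int main(void)
{
    uint8_t pkt[1024], addrs[8][4];
    size_t len = build_sample_response(pkt, sizeof pkt, 3);
    printf("3 answers, capacity 8: %d addresses stored\n", parse_a_records(pkt, len, addrs, 8));
    len = build_sample_response(pkt, sizeof pkt, 40);
    printf("40 answers, capacity 8: %d (rejected instead of overflowing)\n",
           parse_a_records(pkt, len, addrs, 8));
    return 0;
}
```

Compile with any C99 compiler and run it; the second call exercises the rejection path. A resolver that trusted ANCOUNT or RDLENGTH in place of the checks marked in the comments would copy attacker-controlled response data past the end of its buffer, which is the class of defect described above.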
An attacker who is able to send malicious DNS responses
could exploit the vulnerabilities to execute arbitrary
code or cause a denial of service on vulnerable systems.
Any code executed by the attacker would run with
the privileges of the process that calls the vulnerable
Applications using vulnerable implementations of the
DNS resolver libraries:
Internet Software Consortium (ISC), Berkeley Internet
Name Domain (BIND) DNS resolver library (libbind)
Berkeley Software Distribution (BSD) DNS resolver
GNU DNS resolver library (glibc)
Upgrade to a corrected version of the DNS resolver libraries.
DNS resolver libraries can be used by multiple applications
on most systems. It may be necessary to upgrade or apply
multiple patches and then recompile statically linked
Applications that are statically linked must be recompiled
using patched resolver libraries. Applications that
are dynamically linked do not need to be recompiled.
System administrators should consider the following
process when addressing this issue:
1. Patch or obtain updated resolver libraries.
2. Restart any dynamically linked services that use
the resolver libraries.
3. Recompile any statically linked applications using
the patched or updated resolver libraries.
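Step 2 is the one that is easy to get wrong in practice, because a service that was already running when the library was replaced keeps executing the old code. As an added example (not from the advisory), this C program checks for that on Linux: after the library file is replaced, /proc/PID/maps still lists the old file for any process that mapped it, now with a "(deleted)" suffix, so a process showing such a mapping for libresolv, libbind or libc has not picked up the fix and needs a restart. The maps lines in the block are constructed sample data; the --scan flag, the library file-name pattern and the Linux /proc layout are assumptions of this example.

```c
/* Added example (not from the advisory): a check for step 2 above. After
 * the resolver library on disk is replaced, a still-running dynamically
 * linked process keeps the old copy mapped, and on Linux /proc/PID/maps
 * shows that mapping with a "(deleted)" suffix. Assumes the Linux /proc
 * layout and glibc-style file names (libresolv-2.2.5.so, libc.so.6). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <dirent.h>

/* 1 if the basename of path is libresolv, libbind or libc followed by '-'
 * or '.', so libc.so.6 matches but libcrypto.so.0 does not. */
static int is_resolver_library(const char *path)
{
    static const char *const names[] = { "libresolv", "libbind", "libc" };
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t n = strlen(names[i]);
        if (strncmp(base, names[i], n) == 0 && (base[n] == '-' || base[n] == '.'))
            return 1;
    }
    return 0;
}

/* 1 if the maps line, ignoring its trailing newline, ends in " (deleted)". */
static int line_marked_deleted(const char *line)
{
    static const char tag[] = " (deleted)";
    size_t t = sizeof tag - 1, n = strlen(line);
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r')) n--;
    return n >= t && memcmp(line + n - t, tag, t) == 0;
}

/* Parse one maps line: address perms offset dev inode pathname [(deleted)].
 * Returns 1 and copies the pathname into out when the line maps a resolver
 * library whose file has been deleted (i.e. replaced on disk), else 0. */
int stale_resolver_mapping(const char *line, char *out, size_t outlen)
{
    char path[4096];
    if (sscanf(line, "%*s %*s %*s %*s %*s %4095s", path) != 1) return 0;
    if (!line_marked_deleted(line) || !is_resolver_library(path)) return 0;
    if (strlen(path) >= outlen) return 0;
    strcpy(out, path);
    return 1;
}

/* Print every stale resolver mapping in an open maps file; returns the count. */
int report_stale_mappings(FILE *f, const char *label)
{
    char line[4352], path[4096];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (stale_resolver_mapping(line, path, sizeof path)) {
            printf("%s: %s still mapped after deletion, restart this service\n", label, path);
            found++;
        }
    }
    return found;
}

/* Constructed sample (not a real capture): one stale libresolv mapping, a
 * current libc mapping, a deleted unrelated library and an anonymous map. */
static const char *const sample_maps[] = {
    "7f0a00000000-7f0a00020000 r-xp 00000000 08:01 1234 /lib/libresolv-2.2.5.so (deleted)\n",
    "7f0a00020000-7f0a00040000 r--p 00000000 08:01 5678 /lib/libc-2.2.5.so\n",
    "7f0a00040000-7f0a00060000 r-xp 00000000 08:01 9999 /lib/libcrypto.so.0 (deleted)\n",
    "7f0a00060000-7f0a00080000 rw-p 00000000 00:00 0\n",
};

/* Run the check over the constructed sample; returns how many lines it flags. */
int demo_sample(void)
{
    char path[4096];
    int found = 0;
    for (size_t i = 0; i < sizeof sample_maps / sizeof sample_maps[0]; i++)
        found += stale_resolver_mapping(sample_maps[i], path, sizeof path);
    return found;
}

int main(int argc, char **argv)
{
    if (argc < 2 || strcmp(argv[1], "--scan") != 0) {
        printf("sample: %d stale resolver mapping(s)\n", demo_sample());
        return 0;
    }
    DIR *proc = opendir("/proc");               /* live host: walk every PID */
    struct dirent *e;
    int total = 0;
    if (!proc) return 1;
    while ((e = readdir(proc)) != NULL) {
        char maps[64]; FILE *f;
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        snprintf(maps, sizeof maps, "/proc/%s/maps", e->d_name);
        if ((f = fopen(maps, "r")) == NULL) continue;   /* unreadable: other user */
        total += report_stale_mappings(f, e->d_name);
        fclose(f);
    }
    closedir(proc);
    printf("%d stale resolver mapping(s) found\n", total);
    return 0;
}
```

Run it without arguments to see the check over the constructed sample; with --scan it walks every readable /proc/PID/maps on the host and prints the PID of each process that still needs a restart (maps of other users' processes are only readable as root). Statically linked binaries never show up here, since they map no resolver library at all, which is why step 3 needs a separate inventory of them.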
Caldera OpenLinux is affected (glibc):
Caldera UnixWare is affected: ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.37.txt
A temporary patch is available through an efix package.
Efixes are available from ftp.software.ibm.com/aix/efixes/security.
Updated BIND releases can be found at: