Worms, Viruses, Flaws, And Vulnerabilities Keep Security Pros On AlertWorms, Viruses, Flaws, And Vulnerabilities Keep Security Pros On Alert

It's been a busy couple of days for security gurus assigned to keep their companies safe and sound.

On Wednesday, Microsoft posted a pair of vulnerability bulletins warning of potential problems in its Windows 2000 server operating system and its Windows Media 9 video and audio player.

The Windows 2000 Server vulnerability stems from Windows Media Services, a component that lets servers multicast streaming multimedia to users. The DLL that Media Services uses to log client data during multicasts is flawed, and a determined attacker could cause a buffer overflow by sending a specially crafted HTTP request to the server, and gain control of the machine.

Only those Windows 2000 systems with Windows Media Services installed are at risk; Media Services is not a default component of the operating system. Potential targets are systems running Windows Server 2000 Server, Advanced Server, and DataCenter Server; Windows Server 2003 is not affected, nor are machines running Windows NT, Windows 2000 Professional, or Windows XP.

A patch for the vulnerability, which Microsoft rated as 'Important,' its second-most dangerous ranking, is available for downloading from the Microsoft's TechNet Web site

In a second alert released Wednesday, Microsoft warned that its Windows Media Player 9, the vendor's newest multimedia utility, has a security hole that attackers can exploit. An attacker could get access to the target PC's media library--the list of media files played by Windows Media Player and information on those files, including details such as the recording artist and album name--by posting a malicious Web site and enticing users to visit it. The flaw does not allow attackers to view the contents of anything but the media library, Microsoft said, the reason why it rated the problem only as 'moderate.'

Although Windows Media Player 9 ships with Windows Server 2003, that server software is only at risk if administrators have disabled its default Internet Explorer Enhanced Security Configuration. IT staffs that use Windows Server 2003 as a Terminal Server are likely at risk, since they would typically turn off the Enhanced Security to allow Internet Explorer to browse in unrestricted mode.

A fix for this defect is also available on Microsoft's TechNet Web site.

In other news about Microsoft product vulnerabilities, published reports said that Internet Explorer 5 and 6 suffers from a flaw that crashes the browser on viewing malicious Web sites, and may be the prelude to a worm that further exploits the vulnerability to do some real damage.

A poster to the Bugtraq security mailing list has outlined how a malicious Java script can be embedded in an HTML document, which would in turn cause a buffer overflow and crash the viewer's IE 5 or IE 6 browser.

Although a buffer overflow is often the starting point for nastier attacks--including those that take control of the target machine or even delete files -- there's no evidence as of yet of a worm that exploits the flaw. Microsoft is said to be aware of the problem, but has not yet released a patch or fix.

And then there's more. Another in the Sobig worm series--a run that's been plaguing users for several weeks--the just-named Sobig.e started spreading Wednesday and has been gaining some steam.

Like its forerunners, Sobig.e is a mass-mailed worm that propagates after the recipient opens the attached file, in this case a ZIP archive containing an executable file with a .pif or .scr extension. Spoofing addresses--it can sport any return address--Sobig.e originally carried the [email protected] address and uses a variety of subject lines that include 'Re: Attachment' and 'Re: Submitted,' according to security firm Symantec Corp.

As with other Sobig variants, this one deactivates itself on an internally coded schedule: as of July 14, it will not propagate.

The quick-spread of Sobig.e has caused several antivirus vendors to raise the worm's risk level since it debuted on Wednesday. Symantec, for instance, pushed Sobig.e from a '2' on its 1-to-5 scale to a '3' late Wednesday, while McAfee bumped it from a 'low' to a more dangerous 'medium' threat around the same time. MessageLabs, which has so far tracked more than 26,000 instances of the worm, approximately the same number as Sobig.d produced in its first 24 hours, rates the worm as a 'High' risk.

The continued flood of Sobig worms gives additional credence to the theories that virus writers are using spam-style techniques to quickly flood the globe with their work, and/or that spammers are using viruses to map vulnerable systems, which they can then turn to their advantage, and use to send their junk mail anonymously.

Even security firms have been plagued by security gaffes this week. In an embarrassing development, Symantec has had to admit that its own Security Check, a tool on its Web site that tests systems for common vulnerabilities, including firewall reliability, had introduced an ActiveX control to users' systems which could be exploited by attackers.

Although Symantec rushed to correct the problem and has posted a repair to its Web site, several security experts claim that users who accessed Security Check could still be at risk and chided the company for not doing more to publicize the problem.

As of Thursday afternoon, Symantec still hadn't placed a warning of the Security Check vulnerability on its home page, instead touting a seven-day-old overflow threat that affects Sun Microsystems' database. Users unaware of the problem would literally have to stumble upon the alert, since it had not been posted at the Security Check section of its Web site.