Includes info on:
Yahoo scrambles to fill Messenger hole
Report: Hole found in Excel
Klez.h
*******************************************************

*NEW* May 28th, 2002
Yahoo scrambles to fill Messenger hole

By Jim Hu
May 28, 2002, 1:25 PM PT

A security vulnerability that could allow hackers to delete files on someone's computer has prompted Yahoo to issue a fix for the latest version of its popular instant messaging software. The flaw is a "buffer overflow": by sending the client more data than one of its fixed-size memory buffers can hold, an attacker overwrites adjacent memory and can make the program run code of the attacker's choosing. Using Yahoo Messenger as the conduit, hackers could delete files or cripple a computer's security.

Yahoo updated the 5.0 version of its service Friday after the vulnerability was discovered. A Yahoo spokeswoman said the company began encouraging Messenger users on Tuesday to download the new build of the software, which includes a fix for the vulnerability, from Yahoo's Web site.

"Upon learning of the issue, we responded quickly by making an updated version of Yahoo Messenger available," Yahoo spokeswoman Mary Osako said in an e-mail.

Osako declined to say how many Yahoo users were affected, but she reiterated that the update was released for all Yahoo Messenger users. In April, 19.1 million people in the United States used Yahoo Messenger, according to Web measurement company Jupiter Media Metrix. Because Yahoo has many international users, the total number of people potentially affected by the vulnerability is likely much greater.

As of noon Tuesday, there was no information on the Yahoo site about the security hole. The vulnerability was first discovered by Vice Consulting, an information technology consulting firm based in Ho Chi Minh City, Vietnam.

Buffer-overflow vulnerabilities are common flaws in IM clients. AOL Time Warner has been troubled by such security holes in its AOL Instant Messenger application. Microsoft also issued a warning on its Web site earlier this month informing people of a similar weakness that affected MSN Messenger software. Microsoft Chairman Bill Gates has earmarked security as a top priority for the company largely because of the company's increased reliance on its .Net initiative, which will offer software and services over the Internet.

*********************************************************

*NEW* Report: Hole found in Excel
May 28, 2002

A security hole in Microsoft's Excel XP spreadsheet application could allow hackers to take over a user's PC by using specially formed XML stylesheets.

According to security expert Georgi Guninski, the problem occurs when a user opens an XML spreadsheet file and chooses to view it with the XML stylesheet it references. If the stylesheet contains specially formed code, said Guninski in a security note on his Web site, Excel will run that code with the user's privileges.

"As script kiddies know, this may lead to taking full control over a user's computer," said Guninski. "Excel does not give any warning to the user--just asks whether to use the style sheet or not." However, Guninski added, by default Excel does not display spreadsheet files with the stylesheet.

XML, or Extensible Markup Language, is a system for defining specialized markup languages that are used to transmit formatted data.

On his site, Guninski has posted a sample piece of code that would fool Excel XP into thinking it contains a link to a stylesheet but which in fact runs a command that lists directory contents on the user's PC.

To be safe, said Guninski, users should not use XML stylesheets. Guninski said that Microsoft was notified of the flaw on 23 May. Microsoft did not immediately respond to requests for comment.
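The check a file gateway or a cautious user can run before applying a stylesheet follows the mechanism described above. This is an added example, not Guninski's published sample and not Microsoft's code. It assumes that the dangerous construct is script embedded in the stylesheet through Microsoft's XSLT extension namespace (urn:schemas-microsoft-com:xslt) with an implements-prefix attribute; that assumption goes beyond what the article states. The data file and both stylesheets are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed, not stated on the page: Microsoft's XSLT extension namespace, under
# which the MSXML processor lets a stylesheet carry inline script.
MSXSL_NS = "urn:schemas-microsoft-com:xslt"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed sample: an XML data file that points at an external stylesheet.
DATA_XML = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="report.xsl"?>
<doc><title>Q2 numbers</title></doc>
"""

# Constructed sample: a harmless stylesheet that only formats the data.
BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="/doc/title"/></body></html></xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: a stylesheet that smuggles script in and calls it from a
# template. The script body is a placeholder; the real sample ran a command.
EVIL_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:example:user">
  <msxsl:script language="JScript" implements-prefix="user"><![CDATA[
    function run() { return "placeholder for a shell command"; }
  ]]></msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>
"""


def stylesheet_references(xml_text: str) -> list:
    """Return the href of every xml-stylesheet processing instruction in a data file."""
    hrefs = []
    for attrs in re.findall(r"<\?xml-stylesheet\s+([^?]*?)\?>", xml_text):
        m = re.search(r"""href\s*=\s*["']([^"']*)["']""", attrs)
        if m:
            hrefs.append(m.group(1))
    return hrefs


def find_script_in_stylesheet(xsl_text: str) -> list:
    """Return one finding per construct that would make the stylesheet execute code."""
    findings = []
    root = ET.fromstring(xsl_text)
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments and processing instructions carry no tag name
        ns, _, local = elem.tag.rpartition("}")
        ns = ns.lstrip("{")
        # Any script element, in the msxsl namespace or any other, is executable.
        if local.lower() == "script":
            findings.append(f"inline script element {{{ns}}}script")
        # implements-prefix binds script functions to an XPath prefix for templates to call.
        if "implements-prefix" in elem.attrib:
            findings.append(f"implements-prefix={elem.attrib['implements-prefix']!r} on {local}")
    return findings


def is_safe_stylesheet(xsl_text: str) -> bool:
    return not find_script_in_stylesheet(xsl_text)


if __name__ == "__main__":
    print("referenced stylesheets:", stylesheet_references(DATA_XML))
    print("benign findings:", find_script_in_stylesheet(BENIGN_XSL))
    print("evil findings:", find_script_in_stylesheet(EVIL_XSL))
```

The check is deliberately namespace-agnostic for the element name: a stylesheet that declares the same extension namespace under a different prefix, or an engine that honours script under another namespace, is still caught, while an ordinary formatting stylesheet passes.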

The flaw is the latest in a slew of security alerts to hit Microsoft products. Last week the company warned Windows NT and 2000 users of a new flaw in its debugger tools that could give attackers complete control of a system once they've gained basic access to that system.

A week before, Microsoft urged Windows users to download a fix for Internet Explorer after six new flaws were found in the Web browser. The software company called three of the flaws critical, but only one of them--a cross-site scripting error that affects only Internet Explorer 6.0--would allow an attacker or a worm to run a program on the victim's computer.

See: NEW FLAW IN DEBUGGER TOOLS at: http://zdnet.com.com/2100-1104-921107.html

See: FIX IT at: http://zdnet.com.com/2100-1104-914836.html

********************************************************

*NEW* May 28th, 2002

Klez.h appears to be overtaking SirCam as the most virulent computer virus to date.

According to antivirus outsourcing firm MessageLabs, which scans e-mails for corporate clients, Klez.h overtook SirCam on Sunday and continues to spread, with the company's servers blocking up to 20,000 copies every working day. To date, MessageLabs has stopped over 800,000 copies of Klez.h.

This particular version of the virus, which surfaced in April, is also known as Klez.g and Klez.k, depending on which vendor's advisory is naming it.

The remarkable spread of Klez.h is largely attributed to the different methods it uses to disseminate. "There are a lot of people on the Internet without any virus protection whatsoever, and they tend to avoid viruses by recognizing subject lines and content," said Alex Shipp, antivirus technologist at MessageLabs. "But with Klez.h, this approach does not work."

The problem is that Klez.h arrives in an e-mail message with one of 120 possible subject lines. There are 18 different standard subject headings, including "let's be friends," "meeting notice," "some questions" and "honey." On top of those, seven other patterns exist, such as "a x game" and "a x patch," where "x" can be one of 16 different words, including "new," "WinXP" and the name of any of six major antivirus companies.

In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook--known as the Automatic Execution of Embedded MIME Type bug--to open itself automatically on unpatched versions of Outlook. The bug lies in the Internet Explorer component that Outlook and Outlook Express use to render HTML mail: an attachment whose MIME header declares a harmless type, such as an audio file, is executed when the message is merely previewed, regardless of what the file actually contains.

The malicious program will find any network shares available from the infected PC and copy itself to those remote drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension, so that a file such as a document or picture appears to the casual reader to be harmless.
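Both traits just described, an attachment whose declared MIME type contradicts its executable file name and a double extension, can be caught at the mail gateway before any client renders the message. The following is an added example, not MessageLabs' or any vendor's scanner; the three messages are constructed for it, and the choice of audio/x-wav as the declared type is an assumption about how the MIME auto-execution bug was abused, not something the article spells out.

```python
import email
from email import policy

# Attachment extensions the article lists for the copies Klez.h drops.
EXEC_EXTS = {".exe", ".pif", ".com", ".bat", ".scr", ".rar"}
# Declared media types that should never carry an executable; a mismatch between
# the declared type and the file name is the pattern the MIME bug relies on.
PASSIVE_TYPES = ("audio/", "image/", "video/", "text/")

# Constructed sample (assumed type): executable attachment declared as audio.
KLEZ_LIKE = b"""From: colleague@example.com
To: victim@example.com
Subject: a new patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xx"

--xx
Content-Type: text/html

<html><body>please try this</body></html>
--xx
Content-Type: audio/x-wav; name="setup.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.pif"

bm90IHJlYWw=
--xx--
"""

# Constructed sample: honest type, but a double extension hides the screensaver.
DOUBLE_EXT = b"""From: friend@example.com
To: victim@example.com
Subject: honey
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="yy"

--yy
Content-Type: text/plain

look at this
--yy
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg.scr"

bm90IHJlYWw=
--yy--
"""

# Constructed sample: an ordinary text attachment.
BENIGN = b"""From: boss@example.com
To: victim@example.com
Subject: meeting notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="zz"

--zz
Content-Type: text/plain

agenda attached
--zz
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

1. budget
--zz--
"""


def _extensions(filename: str) -> list:
    """'photo.jpg.scr' -> ['.jpg', '.scr']; a name with no dot gives []."""
    pieces = filename.lower().split(".")
    return ["." + p for p in pieces[1:] if p]


def attachment_findings(raw: bytes) -> list:
    """Return one finding string per suspicious trait found in the message's attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        ctype = part.get_content_type()
        exts = _extensions(name)
        if exts and exts[-1] in EXEC_EXTS:
            findings.append(f"{name}: executable extension {exts[-1]}")
            if ctype.startswith(PASSIVE_TYPES):
                findings.append(f"{name}: declared {ctype} but named as an executable (MIME-type/extension mismatch)")
        if len(exts) >= 2:
            findings.append(f"{name}: double extension {''.join(exts)}")
    return findings


def is_suspicious(raw: bytes) -> bool:
    return bool(attachment_findings(raw))


if __name__ == "__main__":
    for label, raw in (("klez-like", KLEZ_LIKE), ("double-ext", DOUBLE_EXT), ("benign", BENIGN)):
        print(label, attachment_findings(raw))
```

The filter judges the attachment by its file name and declared type only; it never decodes or runs the payload, so it is safe to run on mail in transit. It does nothing about the forged From: address the worm also uses, which no per-message check can resolve.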

The program will also harvest e-mail addresses by searching a host of different file types on the infected PC. Using its own built-in SMTP engine rather than the victim's mail client, the worm will send itself to those addresses. In addition, it will use the harvested addresses to fill in a fake "From:" field in the message, disguising the actual source of the e-mail.

Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.

It is unclear why Klez.h in particular, among all the variants of the original Klez virus, has been so effective. On the same day that Klez.h was released into the wild, said Shipp, another similar variant called Klez.i was released.

"But we only ever saw two copies of Klez.i, and Klez.h meanwhile has gone bananas," he said. "Why one has made it and the other not we don't know. It might be that the virus writer seeded the different versions to different e-mail groups, and one was more active, so that virus reached a critical mass."

Another problem with Klez.h is that many people are unaware that their PCs are infected. That's because when Klez sends out e-mails it forges the sender's address, picking one from the addresses harvested on the infected PC.

"It sends e-mails to people in the address book of the infected PC that appear to come from other people in the address book of the infected PC," said Shipp. "All this creates a hell of a lot of confusion, and everybody who receives the virus is alerting everybody else, but the person who owns the infected PC remains blissfully unaware because everybody is alerting the wrong person. In the past, someone would eventually tell you if you had a virus, but you cannot count on this happening any more."

Nearly all of the copies of Klez.h making the rounds now are coming from home users and small businesses, said Shipp. "There appear to be very few (corporations) infected."

It took about three days for Klez.h to build up to a significant level, and since then the numbers have been fairly flat. MessageLabs has been intercepting about 20,000 copies of the Klez virus each working day since late April.

"SirCam has died off, but we're still seeing somewhere between 500 and 1,000 copies a day," said Shipp. "We do have more customers now than when SirCam was out, but even adjusting for that we believe Klez is the more widespread."

***********************************************


© vjr All Rights reserved.