Multiple vulnerabilities have been detected in versions of Microsoft’s SQL,
Outlook, Outlook Express and Internet Explorer products and the company is
urging that patches be installed to plug the holes.
In separate warnings, Microsoft issued a cumulative
patch to eliminate three newly discovered vulnerabilities affecting SQL
Server 2000 and MSDE 2000 (but not any previous versions of SQL Server or
MSDE) and confirmed a cross domain scripting flaw in Internet Explorer that
leaves WebBrowser applications like Outlook, Outlook Express and IE open to
hackers.
To add insult to injury, a worm targeting MS Windows users is squirming its
way around the Internet. The e-mail worm, which masquerades as ‘copyrighted
Microsoft code,’ is claiming to be a Microsoft Windows update and security
experts are warning it can spread through open networks.
MS SQL VULNERABILITIES
Regarding the MS SQL vulnerabilities, Microsoft warned of
a buffer overrun flaw in a procedure used to encrypt SQL Server credential
information that would let an attacker “gain significant control over the
database and possibly the server itself depending on the account SQL Server
runs as.”
The company said another buffer overrun vulnerability in a procedure that
relates to the bulk inserting of data in SQL Server tables has also been
identified.
The cumulative patch (available for download here) also covers a privilege
elevation bug that results from incorrect permissions on the Registry key
that stores the SQL Server service account information. Microsoft said an
attacker could gain greater privileges on the system than had been granted
by the system administrator — potentially even the same rights as the
operating system.
Meanwhile, as Microsoft was urging installation of its latest patch,
security firm NGSSoftware issued a
separate warning that
Microsoft’s SQL Server 2000 contains functionality that allows a database
owner to populate a table with data in one fell swoop using the ‘BULK
INSERT’ query. NGSS said this functionality contains a remotely exploitable
buffer overrun vulnerability that can be exploited by an attacker to run
arbitrary code.
NGSS said the ‘BULK INSERT’ query will take a user supplied file name and
insert the contents of this file into a specified table. By supplying an
overly long
filename to the query, a buffer is overflowed and the saved return address
stored on the stack is overwritten. This allows the attacker to gain control
over the process’ execution.
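The bug class NGSS describes, modelled in C as an added example (this is not SQL Server's code; the 64-byte buffer size and the statement shape are assumptions): a fixed stack buffer receives the file name with no length check, shown beside the bounded version that rejects an oversized name instead of overflowing.

```c
#include <stdio.h>
#include <string.h>
/* Assumed stack buffer size; the article does not give SQL Server's real size. */
#define FILENAME_BUF 64

/* Find the quoted name in "BULK INSERT tbl FROM 'path'": returns a pointer
 * just past the opening quote and sets *len, or NULL if none. */
static const char *find_quoted_name(const char *stmt, size_t *len) {
    const char *open = strchr(stmt, '\'');
    const char *close = open ? strchr(open + 1, '\'') : NULL;
    if (!close) return NULL;
    *len = (size_t)(close - open - 1);
    return open + 1;
}

/* Vulnerable pattern: no length check before the copy, so a name of
 * FILENAME_BUF bytes or more runs past the stack buffer into adjacent
 * stack data (the saved return address). Never call with untrusted input. */
int load_file_unsafe(const char *stmt) {
    char fname[FILENAME_BUF];
    size_t len;
    const char *name = find_quoted_name(stmt, &len);
    if (!name) return -1;
    memcpy(fname, name, len);   /* len never compared to sizeof fname */
    fname[len] = '\0';
    return 0;
}

/* Hardened version: refuse a name that does not fit, then copy. */
int load_file_safe(const char *stmt) {
    char fname[FILENAME_BUF];
    size_t len;
    const char *name = find_quoted_name(stmt, &len);
    if (!name) return -1;
    if (len >= sizeof fname) return -2;   /* too long: reject, do not overflow */
    memcpy(fname, name, len);
    fname[len] = '\0';
    return 0;
}

/* Constructed statement with an n-byte file name of 'A's, run through the
 * hardened loader to show where the rejection boundary lies. */
int safe_result_for_name_len(size_t n) {
    char stmt[512];
    if (n > 400) return -3;
    int pos = snprintf(stmt, sizeof stmt, "BULK INSERT t FROM '");
    memset(stmt + pos, 'A', n);
    strcpy(stmt + pos + n, "'");     /* closing quote plus terminator */
    return load_file_safe(stmt);
}
```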
It said SQL Server 2000 can be run in the security context of a domain
account or LOCAL SYSTEM, so depending upon the particular setup, an attacker
may be able to gain complete control over the vulnerable system.
CROSS SCRIPTING FLAW
Newport Beach, Calif. security consultants PivX
Solutions announced the discovery of “extremely high-risk”
vulnerabilities within Microsoft’s flagship Internet Explorer browser
product. It said the bug uses universal cross domain scripting, allowing the
arbitrary execution of programs, unprivileged reading of files, and stealing
of server cookies.
PivX, which released its vulnerability alert ahead of a fix from Microsoft, has
ruffled the feathers of the software giant, but the security firm maintained
support for immediate full disclosure of flaws as soon as they are
discovered.
The company, which credited Danish researcher Thor Larholm with discovering
the bug, released a workaround/fix on its home
page to allow users to plug the holes ahead of a Microsoft patch.
The company said the vulnerability leaves apps that use the WebBrowser control
vulnerable to a variety of attacks but can be circumvented if ActiveX
scripting is disabled.
WINDOWS WORM
To add to Microsoft’s security headaches, a worm comprising three
components — MSVXD.exe, MSVXD16.dll and MSVXD32.dll — is on the prowl,
masquerading as legitimate MS code. Security experts say the worm can drop
copies of itself in all subfolders and network folders and is unusual in the
way it masks and hides itself within networks.
Software security firm BitDefender, which issued the worm warning, said the
Win32.Worm.Datom.A virus resembles the FunLove worm and uses the same
spreading methods and is “troubling large, insufficiently protected
networks.”
“Taken separately, the (three components of the worm) cannot be considered
as malware, but together, they form a pretty malicious code” said Costin
Ionescu, Virus Researcher at BitDefender. “The worm also has the ability to
hide its Windows Registry keys in normal mode and to disable certain
security software installed on the system. This could mark an evolution for
viruses’ modus operandi,” he added.
BitDefender said the virus attempts to connect to Microsoft’s home page
and drops copies of itself in all shared folders and subfolders in the
victim’s network. The company has issued a free removal tool for the worm.
Technical details on the worm’s threat and removal are available at
BitDefender’s virus section.