Windows Worm, Multiple Bugs Haunt MS Users

Multiple vulnerabilities have been detected in versions of Microsoft's SQL, Outlook, Outlook Express and Internet Explorer products and the company is urging that patches be installed to plug the holes.

In separate warnings, Microsoft issued a cumulative patch to eliminate three newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000 (but not any previous versions of SQL Server or MSDE) and confirmed a cross domain scripting flaw in Internet Explorer that leaves WebBrowser applications like Outlook, Outlook Express and IE open to hackers.

To add insult to injury, a worm targeting MS Windows users is squirming its way around the Internet. The e-mail worm, which masquerades as 'copyrighted Microsoft code,' is claiming to be a Microsoft Windows update and security experts are warning it can spread through open networks.

Regarding the MS SQL vulnerabilities, Microsoft warned of a buffer overrun flaw in a procedure used to encrypt SQL Server credential information that would let an attacker "gain significant control over the database and possibly the server itself depending on the account SQL Server runs as."

The company said another buffer overrun vulnerability in a procedure that relates to the bulk inserting of data in SQL Server tables has also been identified.

The cumulative patch (available for download here) also covers a privilege elevation bug that results from incorrect permissions on the Registry key that stores the SQL Server service account information. Microsoft said an attacker could gain greater privileges on the system than had been granted by the system administrator -- potentially even the same rights as the operating system.

Meanwhile, as Microsoft was urging installation of its latest patch, security firm NGSSoftware issued a separate warning that Microsoft's SQL Server 2000 contains functionality that allows a database owner to populate a table with data in one fell swoop using the 'BULK INSERT' query. NGSS said this functionality contains a remotely exploitable buffer overrun vulnerability that an attacker can use to run arbitrary code.

NGSS said the 'BULK INSERT' query will take a user supplied file name and insert the contents of this file into a specified table. By supplying an overly long filename to the query, a buffer is overflowed and the saved return address stored on the stack is overwritten. This allows the attacker to gain control over the process' execution.

It said SQL Server 2000 can be run in the security context of a domain account or LOCAL SYSTEM, so depending upon the particular setup, an attacker may be able to gain complete control over the vulnerable system.

Newport Beach, Calif. security consultants PivX Solutions announced the discovery of "extremely high-risk" vulnerabilities within Microsoft's flagship Internet Explorer browser product. It said the bug uses universal cross domain scripting, allowing the arbitrary execution of programs, unprivileged reading of files, and stealing of server cookies.

PivX, which released its vulnerability alert ahead of a fix from Microsoft, has ruffled the feathers of the software giant, but the security firm maintained support for immediate full disclosure of flaws as soon as they are discovered.

The company, which credited Danish researcher Thor Larholm with discovering the bug, released a workaround/fix on its home page to allow users to plug the holes ahead of a Microsoft patch.

The company said the vulnerability leaves apps that use the WebBrowser control vulnerable to a variety of attacks but can be circumvented if ActiveX scripting is disabled.

To add to Microsoft's security headaches, a worm comprising three components -- MSVXD.exe, MSVXD16.dll and MSVXD32.dll -- is on the prowl, masquerading as legitimate MS code. Security experts say the worm can drop copies of itself in all subfolders and network folders and is unusual in the way it masks and hides itself within networks.

Software security firm BitDefender, which issued the worm warning, said the Win32.Worm.Datom.A virus resembles the FunLove worm and uses the same spreading methods and is "troubling large, insufficiently protected networks."

"Taken separately, the (three components of the worm) cannot be considered as malware, but together, they form a pretty malicious code," said Costin Ionescu, Virus Researcher at BitDefender. "The worm has also the ability to hide its Windows Registry keys in normal mode and to disable certain security software installed on the system. This could mark an evolution for viruses' modus operandi," he added.

BitDefender said the virus attempts to connect to Microsoft's home page and drops copies of itself in all shared folders and subfolders in the victim's network. The company has issued a free removal tool for the worm. Technical details on the worm's threat and removal are available at BitDefender's virus section.
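Because the worm is described as copying itself into shared folders and subfolders, an administrator can sweep a share for the three component names listed above and separate folders holding the full set from partial matches. The following is an added example, not code from BitDefender or from this article; the directory layout is constructed, and a file-name match is only a triage signal that still needs confirmation with an up-to-date scanner.

```python
import os
import tempfile
from collections import defaultdict

# Component file names as given in the BitDefender warning quoted above.
COMPONENTS = {"msvxd.exe", "msvxd16.dll", "msvxd32.dll"}

def sweep(root):
    """Return {directory: set of component names found}, matched case-insensitively."""
    hits = defaultdict(set)
    # Unreadable directories are skipped rather than aborting the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            if name.lower() in COMPONENTS:
                hits[dirpath].add(name.lower())
    return dict(hits)

def classify(hits):
    """Split hits into directories holding all three components vs. only some."""
    complete = sorted(d for d, found in hits.items() if found == COMPONENTS)
    partial = sorted(d for d, found in hits.items() if found != COMPONENTS)
    return complete, partial

def build_sample_tree(root):
    """Constructed sample share: empty placeholder files, not real samples."""
    layout = {
        "share/docs": ["MSVXD.exe", "MSVXD16.dll", "MSVXD32.dll", "report.doc"],
        "share/docs/old": ["msvxd.EXE"],
        "share/clean": ["setup.exe"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for n in names:
            open(os.path.join(d, n), "w").close()

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        complete, partial = classify(sweep(root))
        rel = lambda ds: [os.path.relpath(d, root).replace(os.sep, "/") for d in ds]
        return rel(complete), rel(partial)

if __name__ == "__main__":
    complete, partial = demo()
    print("all three components:", complete)
    print("partial match (review):", partial)
```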