"New critical update" virus

Posted: Thu Mar 08, 2001 4:55 pm
by Bill Glasheen
This virus caused a bit of a stir here on my machine and in my company (because nobody had seen it before) until everyone realized I hadn't released the payload. I got this suspicious-looking e-mail a few weeks ago, and basically saved it rather than open it. Symantec hadn't even known of its existence at the time I got the e-mail. Fortunately - for a number of good reasons - I never opened the attachment and triggered the virus. Yesterday the company updated my Norton virus files, and my daily machine scan found the unexecuted virus in my saved file.

The e-mail contained an attachment labeled "26705-i386-update.exe". This is what Symantec says about it.

http://service1.symantec.com/sarc/sarc.nsf/html/PWSteal.Coced240b.Tro.html

This is what the e-mail looked like:

quote:

From: support@microsoft.com
Sent: Monday, February 12, 2001 5:17 AM
To: **********
Subject: New critical update

Microsoft Security Bulletin (MS01-001)
Patch Available for "Web Client NTLM Authentication" Vulnerability

Originally posted: January 11, 2001

Summary
Microsoft has released a patch that eliminates a security vulnerability in a
component that ships with Microsoft® Office 2000, Windows 2000, and Windows
Me. The vulnerability could, under certain circumstances, allow a malicious user
to obtain cryptographically protected logon credentials from another user when
requesting an Office document from a web server.
Frequently asked questions regarding this vulnerability and the patch can be
found at http://www.microsoft.com/technet/security/bulletin/fq01-001.asp

Issue
The Web Extender Client (WEC) is a component that ships as part of Office 2000,
Windows 2000, and Windows Me. WEC allows IE to view and publish files via
web folders, similar to viewing and adding files in a directory through Windows
Explorer. Due to an implementation flaw, WEC does not respect the IE Security
settings regarding when NTLM authentication will be performed - instead, WEC
will perform NTLM authentication with any server that requests it. If a user
established a session with a malicious user's web site - either by browsing to
the site or by opening an HTML mail that initiated a session with it - an
application on the site could capture the user's NTLM credentials. The malicious
user could then use an offline brute force attack to derive the password or, with
specialized tools, could submit a variant of these credentials in an attempt to
access protected resources.
The vulnerability would only provide the malicious user with the
cryptographically protected NTLM authentication credentials of another user. It
would not, by itself, allow a malicious user to gain control of another user's
computer or to gain access to resources to which that user was authorized
access. In order to leverage the NTLM credentials (or a subsequently cracked
password), the malicious user would have to be able to remotely logon to the
target system. However, best practices dictate that remote logon services be
blocked at border devices, and if these practices were followed, they would
prevent an attacker from using the credentials to logon to the target system.

Affected Software Versions
Microsoft Office 2000
Microsoft Windows 2000
Microsoft Windows Me

Patch Availability
Microsoft Office 2000 (All Platforms): http://officeupdate.microsoft.com/2000/downloaddetails/wecsec.htm
Microsoft Windows 2000 (Without Office 2000): http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26889
Microsoft Windows Me (Without Office 2000): http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26705
Note: Since the affected component ships with the above products independent of
Office 2000, we have provided patches for affected systems that may not be
running Office 2000. As discussed in the FAQ, the patch and vulnerability only
affect machines running Internet Explorer 5.0 or later with Web Folders enabled.

Note: This patch will be included in Windows 2000 Service Pack 2.

Note: Additional security patches are available at the Microsoft Download Center

More Information
Please see the following references for more information related to this issue.

Frequently Asked Questions: Microsoft Security Bulletin MS01-001, http://www.microsoft.com/technet/security/bulletin/fq01-001.asp
Microsoft Knowledge Base article Q282132, http://www.microsoft.com/technet/support/kb.asp?ID=282132
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Product
Support Services is available at http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
Microsoft thanks the following people for working with us to protect customers:

David Litchfield of @stake.
Matt Scarborough (matt.scarborough@gte.net)

Revisions
January 11, 2001: Bulletin Created.
January 15, 2001: Correction to Acknowledgement section.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- Bill

"New critical update" virus

Posted: Thu Mar 08, 2001 6:09 pm
by Bill Glasheen
Hmmm.... I was even able to open the link in your post. Maybe Symantec only allows you access if you have the Norton antivirus installed.

Here is the first part of the post - enough to give you an idea.

quote:

PWSteal.Coced240b.Tro
Discovered on: February 16, 2001
Last Updated on: February 28, 2001 at 07:02:32 PM PST

The password stealer appears as an attachment named 26705-i386-update.exe. It claims to be a vulnerability patch that is mailed from support@microsoft.com. The Trojan sends confidential password information to an email address.

Microsoft has posted information regarding bogus files such as this at:
http://www.microsoft.com/technet/security/bogus.asp

Also Known As: Trojan.PWS.Coced.240.b, PWS.gen, NAEBI.240B.Trojan

- Bill
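A defender-side check for the lure described in the quoted e-mail and in the Symantec write-up (a message claiming to come from support@microsoft.com that carries 26705-i386-update.exe), written as an added example and not part of the thread: it parses a constructed look-alike with Python's standard `email` module and flags executable attachments, a vendor sender paired with an attached "patch", and genuine bulletin text reused as bait. The sample message, the recipient address and the attachment bytes are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# File extensions that Windows runs directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def build_sample() -> bytes:
    """Constructed look-alike of the message quoted in the thread.
    The attachment body is a placeholder string, not the real trojan."""
    msg = EmailMessage()
    msg["From"] = "support@microsoft.com"
    msg["To"] = "recipient@example.invalid"  # constructed address
    msg["Subject"] = "New critical update"
    msg.set_content(
        "Microsoft Security Bulletin (MS01-001)\n"
        'Patch Available for "Web Client NTLM Authentication" Vulnerability\n'
    )
    msg.add_attachment(
        b"PLACEHOLDER-NOT-A-BINARY",
        maintype="application", subtype="octet-stream",
        filename="26705-i386-update.exe",
    )
    return msg.as_bytes()


def assess(raw: bytes) -> dict:
    """Return the sender, executable attachment names and the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg["From"] or "").strip().lower()
    exe_names = [
        name for name in (p.get_filename() or "" for p in msg.iter_attachments())
        if name.lower().endswith(EXECUTABLE_EXTENSIONS)
    ]
    findings = []
    if exe_names:
        findings.append("executable attachment: " + ", ".join(exe_names))
    # Microsoft publishes patches on its download sites, not as mail
    # attachments, so a @microsoft.com sender plus an attached binary is a lure.
    if sender.endswith("@microsoft.com") and exe_names:
        findings.append("vendor sender with an attached 'patch'")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if exe_names and "security bulletin" in text:
        findings.append("real bulletin text reused as the lure for the attachment")
    return {"sender": sender, "attachments": exe_names,
            "findings": findings, "suspicious": bool(findings)}
```

Feed `assess()` a raw message from your mail store to apply the same three checks to real traffic.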

"New critical update" virus

Posted: Thu Mar 08, 2001 6:22 pm
by Allen M.
Norton is installed here. The link on my repost is the link you placed on yours after I retrieved it in full from the Address line of I.E.

Tried again w/o success. There could be a number of other reasons for this, including internal security, etc., but I'll try from another site later today; it is important to keep abreast of latest developments.

One can never be too careful when opening attachments to his email. Hey Bill, I've got this nifty word document here. What's your email address again?

------------------
Allen Moulton from Uechi-ryu Etcetera

ASIDE: What has been concerning me greatly lately is the increased number of web-page-style email documents I have been receiving. I normally keep Active-X and cookies turned off and get reports of "unable to open Active-X". So I think and do: "Sure. Like my friends don't send Active-X, so whoever you are and whatever you've got, I don't want. ZAP-O, in the bit bucket you go."

Active-X PLUS something coming in automatically depositing a DLL or two in your system32 folder are two things to be concerned about.

[This message has been edited by Allen M. (edited March 08, 2001).]

"New critical update" virus

Posted: Thu Mar 08, 2001 6:35 pm
by Bill Glasheen
Yea...and I've got the Dallas Cowboy Cheerleaders on the phone asking to have my children.

The weird thing is the e-mail address it was sent to. It's a vanity address I don't use very often. It narrows down the sources considerably. Interesting...

- Bill

"New critical update" virus

Posted: Fri Mar 09, 2001 1:39 am
by Allen M.
Link works perfectly from here, Bill.

Looks like getting out regedit to do a search once in a while is not a bad thing.

------------------
Allen Moulton from Uechi-ryu Etcetera

"New critical update" virus

Posted: Fri Mar 09, 2001 4:05 am
by Tony-San
I got that one too, I think it was the same day Gary got his. I forwarded mine to InoculateIT and it was new to them also.

"New critical update" virus

Posted: Fri Mar 09, 2001 5:11 am
by Allen M.
Getting the infamous "The page cannot be displayed" message when I attempt to open http://service1.symantec.com/sarc/sarc.nsf/html/PWSteal.Coced240b.Tro.html, Bill