Windows & .NET Magazine Security UPDATE--June 11, 2003

1. In Focus: Windows 2003 Patches; Responsible Vulnerability Reporting

by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

You're probably aware by now that Microsoft recently released security patches for Internet Explorer (IE) 6.0, IE 5.5, and IE 5.01, including IE 6.0 for Windows Server 2003. The problems relate to unchecked buffers that could let arbitrary code execute on a user's machine. Patching your machines against these problems is probably critical. You can read about the problems in the article, "Buffer Overruns in IE," in this issue of Security UPDATE.

The patch is the first for the new Windows 2003 OS, and it came less than 2 months after the initial release. It's good to know that the company took care of that particular problem quickly, but apparently another patch for the new OS might be necessary soon.

According to SecurityFocus [http://www.securityfocus.com/bid/7788], a user reported that Windows systems might be vulnerable to Denial of Service (DoS) attacks under certain conditions. If a Windows 2003, Windows XP, or Windows 2000 system has IP version 6 (IPv6) enabled, an attacker might be able to flood the server with Internet Control Message Protocol (ICMP) packets, resulting in a DoS condition for the target system.

Microsoft is undoubtedly aware of the problem, but at the time of this writing, the company hasn't released a bulletin or patch. The problem is probably moderate and won't affect a huge number of systems because IPv6 isn't as widely deployed as IPv4. Nevertheless, we can probably expect Microsoft to issue a patch soon. Both the recently patched problems with IE and this DoS problem show that faults found in code shared across multiple versions of a product family will, more often than not, carry over into the Windows 2003 OS, as has been the case with previous product versions.

Speaking of newly reported vulnerabilities, the Organization for Internet Safety (OIS) has finally released its long-awaited draft proposal that outlines a process that security researchers and vendors can use to coordinate their efforts to patch security vulnerabilities.

You might recall that in 2001, Guardent, Foundstone, BindView, @stake, and Internet Security Systems (ISS) established OIS, which now counts the SCO Group, Network Associates, Oracle, and Symantec among its members. The group initially submitted a draft proposal to the Internet Engineering Task Force (IETF) as a Request for Comments (RFC). However, the IETF decided its forum wasn't suited for guideline proposals about responsible reporting. So the group struck out on its own to finish its draft, "Security Vulnerability Reporting and Response Process," which is now available to the public [http://www.oisafety.org/resources.html].

According to an OIS press release, the draft "provides specific, prescriptive guidance that establishes a framework in which researchers and vendors can collaborate to improve the speed and quality of security investigations, thereby helping better protect Internet users and infrastructure." OIS is accepting public comments on the draft until July 7. According to OIS, it will respond to the comments as best it can and post them to its Web site for everyone to read (excluding the commentators' personal contact information, of course).

The draft proposal suggests that researchers not disclose their findings to the public until either a patch is released or researchers have exhausted their efforts to interact with a vendor and have reached an irreconcilable impasse. Symantec is a member of OIS and also owns SecurityFocus along with various mailing lists now associated with SecurityFocus, including the popular BugTraq list.

Historically, BugTraq has offered researchers a place to openly reveal any information they feel necessary, including demonstration code, even if that code could lead to exploitation of a given vulnerability. SecurityFocus also operates a mailing list called Vuln-Dev, in which researchers can and do discuss possible security problems with various products. The discussions sometimes include code used to test particular would-be security problems and sometimes include considerable detail about researcher findings.

I wonder whether the OIS proposal, which Symantec obviously supports, will eventually affect the operation of those mailing lists and of the mailing lists run by other entities. We'll have to wait and see.

One final note about vulnerabilities: Be sure your systems are protected against the Bugbear.B worm. It's a nasty one. You can learn more about it in the associated "Virus Alert" in this issue of the newsletter.

Correction: In last week's Security UPDATE commentary, we inadvertently included an incorrect link. Here is the correct link to more information about Bayesian filtering: [http://www.paulgraham.com/articles.html]