
Security News

24/09/2006: Update for Apple AirPort drivers

Apple has published three critical updates for its AirPort driver in order to fix a series of vulnerabilities that could allow an attacker to run arbitrary code on Mac OS X systems through a wireless network.

An attacker could inject specially malformed packets into the wireless network, causing a buffer overflow in the vulnerable AirPort driver on Mac OS X systems and running arbitrary code with maximum privileges.

In practice, an attacker within range of the wireless network could compromise the Mac OS X system and gain control over it.

Due to the critical status of these vulnerabilities, users of Apple computers are advised to check whether they are affected and update their systems.

21/09/2006: Vulnerabilities with diverse effects in Cisco IPS

Cisco has confirmed the existence of vulnerabilities in the Cisco Intrusion Prevention System (IPS) which could allow a remote user to cause denial of service conditions, or evade detection mechanisms.

According to Cisco, at http://www.cisco.com/warp/public/707/cisco-sa-20060920-ips.shtml, the flaw lies in the failure of the mainApp process (for remote access) when the administration interface processes an SSLv2 Client Hello packet that has been specially modified by a remote attacker. This would prevent further administration requests through the Web administration interface, the command-line interface or the console.

The device would have to be restarted to allow administrative communication again.

Cisco has acknowledged that the following versions are vulnerable:
* Cisco IDS 4.1(x) prior to 4.1(5c)
* Cisco IPS 5.0(x) prior to 5.0(6p1)
* Cisco IPS 5.1(x) prior to 5.1(2)

A second problem could allow a remote attacker to send specially crafted packet sequences or fragmented IP packets to evade detection. This problem affects versions:
* Cisco IPS 5.0(x) prior to 5.0(6p2)
* Cisco IPS 5.1(x) prior to 5.1(2)

Cisco has released updated versions 4.1(5c), 5.0(6p2) and 5.1(2).

20/09/2006: Remote buffer overflow in Microsoft Internet Explorer

Microsoft has published a security advisory confirming a vulnerability in Microsoft Internet Explorer (IE) that could allow a remote user to run arbitrary code on the system affected.

A remote attacker can craft an HTML page that, when loaded on a user's system, causes a buffer overflow in 'Vgx.dll' while it processes Vector Markup Language (VML) content, leading to the execution of arbitrary code on the affected system.

There is evidence that the vulnerability is being actively exploited. Microsoft reports that it is currently working on developing and testing the necessary update to prevent this problem and it will be published within the usual cycle of updates, on October 10 (or before).

15/09/2006: Firefox and Thunderbird update to version 1.5.0.7

Mozilla Foundation has released version 1.5.0.7 of the Firefox browser and the Thunderbird mail client. The improvements in this new version include the correction of several security vulnerabilities.

The new version corrects a total of eight vulnerabilities. The impact rating of four of them is 'critical' as they could allow an attacker to run arbitrary code or install software without user interaction, one is rated as 'high', two 'moderate', and one 'low'.

14/09/2006: Multiple vulnerabilities in Adobe Flash Player

Adobe has published a security bulletin reporting several critical vulnerabilities in Flash Player 8.0.24.0 and earlier versions, which could allow an attacker to take control of vulnerable systems.

The bulletin reports several input validation errors in the affected player versions, which could lead to execution of arbitrary code. These flaws could be exploited through contents delivered via the user's web browser, the mail client or any other application that includes or references the Flash player.

Adobe recommends all users upgrade their player to version 9.0.16.0, available from the Adobe website, or using the product's automatic update mechanism.

13/09/2006: Microsoft security bulletins

Microsoft, in line with its policy of publishing security bulletins on the second Tuesday of every month, has released three updates to its products. The bulletins, MS06-052 to MS06-054, resolve problems rated 'moderate', 'critical' and 'important'.

- MS06-052: security update to correct a vulnerability in Pragmatic General Multicast (PGM) that could allow remote code execution. This is considered important and affects Windows 2000, XP and Server 2003.

- MS06-053: solution for a cross-site scripting problem in the Indexing Service that could cause information to be revealed. It affects Windows 2000, XP and Server 2003. This problem is classified as moderate.

- MS06-054: an update classified as critical aimed at preventing a remote code execution vulnerability in Office Publisher. It is aimed at Office 2000, XP and 2003.

NSES advises all customers to visit Windows Update to obtain these updates.

12/09/2006: New vulnerabilities in IBM Lotus Notes

Two new vulnerabilities have been reported in IBM Lotus Notes. The first can cause emails to be sent to the wrong recipients, while the second could allow remote execution of code.

The first problem occurs when a user replies to an email message in which identical user names have been included in the "To:" and "Cc:" fields, which can leave the values in the AltCopyTo and INetCopyTo fields out of sync with the CopyTo field. As a result, messages could be incorrectly addressed.

This only occurs if the "Default display name" preference is configured to "Display alternate names."

IBM will shortly release updates to prevent the problem in versions 6.5x and 7.0x. Until then, the IBM advisory, at http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21243602 includes a workaround to correct the affected template.

The second problem, which allows remote execution of arbitrary code, lies in a buffer overflow in dunzip32.dll when a specially crafted zip file is processed.

The IBM advisory and the necessary updates are available at http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21229932

12/09/2006: Large-scale phishing attack targeting Barclays Bank clients

PandaLabs has detected a large-scale phishing attack targeting clients of Barclays Bank's online services and involving at least 61 variants of a spoof email. The scale of this attack has seen the number of fraudulent emails detected increase by 30% in just a few hours. In fact, of all phishing messages currently analyzed, some 64% target Barclays' clients. Given the number of variants detected, estimates put the number of these emails in circulation at several million.

The false emails received by users are designed to appear as if they have been sent from Barclays' customer services, with the subject field chosen at random from a list of options. Some of these options include: Barclays bank official update, Barclays bank - Security update, Please Read or Verify your data with Barclays bank.

The message text, imitating Barclays' corporate image, informs users that the bank is upgrading software and that they should go to a link in order to confirm their bank details.

Users that click on the link will access a form, similar to those used by the bank, requesting their account number, credit card number or PIN.

Notably, the email messages do not all point to the same Internet address for collecting the stolen data: the criminals have prepared at least five false domains (all located in Korea) to host the spoofed web pages, which hinders attempts to close all of them down.

08/09/2006: Vulnerability in Cisco IOS implementation of GRE

Cisco has released a security advisory in response to a vulnerability detected in its implementation of the Generic Routing Encapsulation (GRE) protocol. Cisco IOS versions 12.0, 12.1 and 12.2 configured with GRE IP are affected by the bug. The vulnerability can be exploited to bypass Access Control Lists by sending a series of specially crafted GRE packets. Details of the vulnerability are available in the original advisory published by Phenoelit at http://www.phenoelit.de/stuff/CiscoGRE.txt

Cisco has also released an advisory containing workarounds for affected products, including enabling Cisco Express Forwarding (CEF), establishing anti-spoofing mechanisms, or encrypting the GRE tunnel with IPsec. Administrators of Cisco devices are advised to read the original advisory, available at: http://www.cisco.com/warp/public/707/cisco-sr-20060906-gre.shtml

07/09/2006: Microsoft investigates a vulnerability in Word 2000

Microsoft has published a security advisory stating that it is investigating public reports of "zero-day" attacks using a new vulnerability in Microsoft Word 2000.

According to Microsoft, for this attack to be carried out, the user must first open a malicious Word file received as an attachment to an email message or through other means. The advisory does not provide any information about this problem, except that it occurs when the word processor opens a specially crafted Word file with a malformed string, which could corrupt the memory and allow arbitrary code to be executed.

Microsoft reports that the update correcting this flaw is under development and suggests using Word Viewer 2003 to open and read this type of document as a workaround. Word Viewer 2003 does not include the vulnerable code and is not susceptible to the attack.

In any case, as always, users are advised not to open or save Word files received from untrusted sources, and to make sure that they have a security solution installed that integrates a firewall, to prevent direct attacks on the system, and a good, constantly updated antivirus, to protect against malicious code.

05/09/2006: New spam technique that uses subliminal messages

At first glance, the spam message is an advertisement that gives the user the opportunity to buy certain stocks online. However, what the user sees is not a static image but a sequence of images displayed extremely rapidly. To be more specific, there are four images, three of which show the word Buy in different positions.

Subliminal advertising techniques have been used for a long time and are based on composing images that users perceive, even though they are not aware of it. In the case of this email message, the word Buy appears on screen for a maximum of 40 milliseconds, and in some cases, for only 10 milliseconds. By doing this, although the recipient is not consciously aware of the Buy message, the subconscious levels of perception receive it and store it, influencing the recipient.

This is the first Internet threat that uses subliminal techniques, although more are expected as cyber-criminals introduce new strategies of increasing sophistication to boost the effectiveness of their attacks. In any case, in spite of the controversy surrounding its effectiveness, almost all worldwide legislation bans the use of subliminal techniques in advertisements.

To protect against these types of threats, it is essential to have the appropriate security tools, which include anti-spam and content filtering technologies. This will help prevent threats like this from reaching users' mailboxes.

31/08/2006: Important update for Java

Sun has released update 8 for J2SE Runtime Environment (JRE) 5.0. Users running Java in their browsers are advised to install the patch, as it corrects important security problems.

The main vulnerability corrected is the possibility for a Java applet to call previous versions of JRE installed on the system and exploit known vulnerabilities. This was possible because previous versions of JRE were not uninstalled automatically when a new version was installed.

Among the known vulnerabilities that could be exploited there are some that could allow remote execution of arbitrary code. In practice, users could be infected by malware when visiting specially-crafted web pages.

The latest updates to Sun Java, including Java Runtime Environment (JRE) 5.0 Update 8, can be downloaded from: http://java.sun.com/javase/downloads/index.jsp

29/08/2006: 88% of new malware detected during the second quarter of 2006 was related to cyber-crime

One of the conclusions of the PandaLabs report on the second quarter of 2006 is the confirmation of the new malware dynamic, driven by the main objective of obtaining financial returns. The statistics leave no room for doubt: of all the new examples of malware detected by PandaLabs, over 54 percent were Trojans, compared to 47 percent in the previous quarter. This type of malicious code is highly versatile and can be used to take a series of actions on infected computers (stealing confidential data such as bank details, downloading other malicious applications, etc.). Bots, on the other hand, a type of malicious code used to build networks which are then sold or rented to the highest bidder, were in second place, representing 16 percent of the total, a four point increase on the previous quarter. New backdoor Trojans accounted for 12 percent, while dialers represented just 3.8 percent of all malware. Finally, adware and spyware accounted for 1.7 percent.

28/08/2006: Buffer overflow in an Internet Explorer ActiveX Control

A vulnerability has been reported in Microsoft Internet Explorer (IE), which could allow a remote user to run arbitrary code on the target system.

The vulnerability, reported at http://www.securitytracker.com/alerts/2006/Aug/1016764.html, can allow a remote user to create specially-crafted HTML code that, when loaded by the target user, will cause a buffer overflow in the 'daxctle.ocx' ActiveX control and execute arbitrary code. The code will run with the privileges of the target user.

This flaw can be exploited through the DirectAnimation.PathControl object. No update to resolve this problem is available yet, so it is advisable to avoid browsing untrustworthy websites. A demonstration exploit of the vulnerability exists that causes the browser to crash.

28/08/2006: Remote denial of service in Sendmail

According to http://www.securitytracker.com/alerts/2006/Aug/1016753.html, a vulnerability has been reported in Sendmail that could be used by remote attackers to cause a denial of service.

Sendmail is one of the most popular MTAs (Mail Transfer Agents), widely deployed on Internet mail servers (especially in Unix environments, although there is also a Windows version).

The flaw lies in the fact that a remote user could send an email message with specially crafted, very long header lines in order to cause a denial of service.

The Sendmail Consortium has published version 8.13.8 of Sendmail, which fixes this vulnerability, at: http://www.sendmail.org/releases/8.13.8.html

26/08/2006: Weekly summary

Patches for Windows security updates (08/21/06): Recent security updates released by Microsoft can cause Internet Explorer and other programs for Windows to malfunction on certain occasions. Microsoft has reported these problems and released additional patches through its support service.

Local denial of service in Solaris 10 (08/10/06): Sun has reported a vulnerability in Solaris 10 systems that could allow a local user to cause denial of service conditions. A local user could exploit a race condition to stop listener programs for databases or any other network applications that use the libnsl(3LIB) or TLI/XTI APIs. This flaw only affects Solaris 10 systems, as previous versions of the operating system are not vulnerable.

Vulnerability in Internet Explorer with MS06-042 (08/23/06): An error was detected after installation of update MS06-042 that caused Windows XP SP1 and Windows 2000 SP4 users to report errors when browsing certain web pages with Internet Explorer 6. However, this error appears to have far more serious consequences and could even be exploited remotely.

Password modification in Cisco PIX Firewall (08/24/06): Cisco has announced a vulnerability in Cisco PIX Firewall that could cause certain passwords to be modified by the system. The problem lies in a software bug that could cause passwords stored in the startup configuration to be modified without user intervention. EXEC passwords, locally defined user passwords and the "enable password" are all potentially affected.

Vulnerabilities in Asterisk (08/25/06): Two vulnerabilities have been detected in the Asterisk telephony software which could allow remote code execution and compromise of the system. Asterisk administrators are advised to install the corresponding security patch.

22/08/2006: Local denial of service in Solaris 10

Sun has reported, at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102576-1, a vulnerability in Solaris 10 systems that could allow a local user to cause denial of service conditions.

A local user could exploit a race condition to stop listener programs for databases or any other network applications that use the libnsl(3LIB) or TLI/XTI APIs.

This flaw only affects Solaris 10 systems, as previous versions of the operating system are not vulnerable.

For systems on the x86 platform, and until the corresponding security update is published, Sun recommends disabling TCP fusion by adding the following line to the "/etc/system" file:

set ip:do_tcp_fusion = 0x0

21/08/2006: Patches for Windows security updates

Recent security updates released by Microsoft can cause Internet Explorer and other programs for Windows to malfunction on certain occasions. Microsoft has reported these problems and released additional patches through its support service.

The first case is related to the MS06-040 update. It has been found that programs which require large amounts of contiguous memory, 1 gigabyte or more, can return an unexpected error after this security update is installed on Windows 2003.

Secondly, after installing MS06-042, some Windows XP SP1 and Windows 2000 SP4 users have had problems browsing certain web pages with Internet Explorer 6. Specifically, the problem has been observed when visiting web sites that use HTTP 1.1 and compression.

Users affected by any of these problems can find more information in the Microsoft advisories at:

18/08/2006: Vulnerabilities in MySQL

MySQL, the popular open-source database management system, has announced the correction of two vulnerabilities in the forthcoming 5.0.25 version.

The first vulnerability would allow a user who has been granted access to a stored routine via the GRANT EXECUTE command to execute it with the privileges of the user who originally defined the routine.

The second vulnerability affects Linux and other case-sensitive file systems. In this case a user with rights on a database could create or access different databases with the same name as the original but where one or more letters differ in case. Under certain circumstances, a user can thereby access databases for which they are not authorized.

In both cases the vulnerabilities can only be exploited by users with authenticated access to the system, minimizing the risk of indiscriminate attacks from third parties.

More details about the vulnerabilities and other corrections included in MySQL 5.0.25 are available in the original advisory at: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-25.html

16/08/2006: Physical data security in corporate environments

When talking about IT security we are normally talking about logical security, i.e. about software. However, in large corporations in particular, just as much attention should be paid to the physical security of IT systems.
 
The most common threats include:

  • Physical theft of laptop computers or other devices that are easily carried such as mobile phones, PDAs, DVDs, CDs, floppy disks, etc.
  • Theft or access to confidential information kept on paper.
  • Indiscriminate access to network points or printers and photocopiers.
  • Lack of business contingency plans in the face of incidents or events which could range from power cuts to natural disasters.

To mitigate such risks organizations should have an integrated security plan including passive and active controls to minimize these and other threats. This should include establishing restricted areas, promoting employee awareness and using more advanced monitoring and security systems.

15/08/2006: Multifactor authentication

Today, most Internet services require user authentication using the simple system of entering a user name and password. The emergence of malware specialized in stealing these credentials, such as keyloggers or banker Trojans, is giving rise to more widespread use of multifactor authentication.

Authentication or identification of a user is normally based on the following methods:

  • User name and password, i.e., something that the user knows.
  • Digital certificates or tokens, i.e., something that the user has.
  • Biometrics, based on the physical aspects of the user.

Each of these methods has inherent risks or conditions, and the user name and password system is used most frequently given its simplicity and low cost. However, the proliferation of malware specialized in the theft of confidential data has prompted greater attention to authentication systems, and reemphasized the need for up-to-date antivirus applications.

A more secure method combines two of the above systems, known as "double factor" authentication. Some financial entities now give clients cards with coordinates or digital certificates that are used jointly with traditional passwords or PINs to access online banking services.

More sophisticated systems that require greater security can combine all three methods (multi-factor). For example, a system could require a password, a digital certificate on a smart card and fingerprint scanning.
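To make the two-factor combination concrete, here is an added example in Python (not code from NSES or from any bank): a login check that requires both a password (something the user knows) and the code printed at a randomly chosen cell of a coordinate card (something the user has). The account, card layout and all code values are constructed for the demonstration, and the lockout threshold is an assumption.

```python
"""Two-factor login: password + coordinate-card challenge (added example)."""
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 3  # assumed lockout threshold; real services choose their own


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated hash so a stolen database does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_card(rows=("A", "B", "C", "D"), cols=(1, 2, 3, 4)) -> dict:
    """Constructed coordinate card: every cell (e.g. 'B3') holds a 4-digit code."""
    return {f"{r}{c}": f"{secrets.randbelow(10000):04d}" for r in rows for c in cols}


class Account:
    def __init__(self, password: str, card: dict):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.card = card          # stored server-side, mailed to the client once
        self.failures = 0


def issue_challenge(account: Account) -> str:
    """Pick a fresh random cell for this login attempt.

    The server must remember which cell it asked for; a keylogger that
    captured the answer to one cell cannot reuse it for a different cell.
    """
    return secrets.choice(sorted(account.card))


def verify_login(account: Account, password: str, challenge: str, card_response: str) -> bool:
    """Both factors are always evaluated, so a failed password cannot be
    distinguished from a failed card code by the error returned, and a
    locked account rejects even correct credentials."""
    if account.failures >= MAX_FAILURES:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)
    card_ok = hmac.compare_digest(account.card.get(challenge, ""), card_response)
    ok = pw_ok and card_ok
    if not ok:
        account.failures += 1
    return ok


if __name__ == "__main__":
    acct = Account("correct horse battery", make_card())
    cell = issue_challenge(acct)
    print("challenge:", cell, "->", verify_login(acct, "correct horse battery", cell, acct.card[cell]))
```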
