Hardware Hacking Gets All Too Real

Posted on March 12, 2008 by Brent Huston

Hardware and wireless hacking have combined in a pretty scary way. This article talks about security researchers that have found ways to monitor, attack and exploit the most popular of pacemakers used today. According to the article, the attackers were able to gain remote access to the data and control system of the device. Once they tapped into it, they were able to siphon off health-related information and even cause the pacemaker to apply voltage or shutdown – essentially killing the human host of the device.

It really doesn’t get more scary than that. While the odds of such an attack occurring in real life against a specific person are very slim, it is simply another side effect of the integration of technology into our daily lives. As I have written about many times before, the integration of technology into so many aspects of our lives is a powerful thing. On one hand, it frees us up to do other work, makes our lives easier, more healthy, perhaps even longer than life would have been otherwise. However, many vendors simply fail to realize the implications of the risks that are inherent in their products. They fail to comprehend the basic methodologies of attackers and certainly fail to grasp how the combination of technologies in many of their products can create new forms of risk for the consumer.

I am quite sure that the company who created the pacemaker was truly interested in advancing the art of healthcare and extending the human life. They simply wanted to make things better and saw how adding remote management and monitoring to their device would allow patients to be diagnosed and the device operation modified without the need for surgery. That is quite an honorable thing and is sure to make patients lives easier and even reduce the rate of death since patients would no longer undergo the stressful and dangerous operations that used to be needed to make changes to the implanted pacemakers. These are very noble ideas indeed.

Unfortunately, the creators of the heart system were so focused on saving lives and so focused on medical technology, that they seem to have missed the idea of securing their pacemaker against improper access. This is certainly understandable, given that they are a medical company and not an IT firm, where such risks have been more public in their discussion. The problem is, in many cases today, there is essentially no difference between IT and other industries, since many of the same technologies are present in both.

Again, there is little to truly be immediately concerned about here. While the attack is possible, it does require technical knowledge and the vendors will undoubtably work on improving the product. However, upgrading existing users is unlikely. But, unless you happen to be a high profile target, you are obviously much safer with the device than without it. The big lesson here and the one I hope vendors, consumers and the public are learning is that we must add risk management and security testing processes to any device with a critical role, regardless of industry. Today, there are simply too many technologies that can impact our daily lives to continue to ignore their risks.

US-CERT Issues Warning for Excel Trojan

Posted on March 11, 2008 by Nathan Grandbois

The US-CERT has issued a warning in response to a Trojan actively exploiting MS08-014. First off, MS08-014 is for Microsoft Excel. The patch was released today that fixes critical vulnerabilities in MS Excel. These vulnerabilities could be exploited via a maliciously crafted Excel file to take complete control over a users system. Secondly, the Trojan they speak of is spreading through email with Excel attachments. The two attachment file names that US-CERT is aware of are OLYMPIC.xls and SCHEDULE.xls. These files may also contain Windows executables that can compromise an affected system. Patch now please.

RealPlayer Active Exploitation, MaxDB, others

Posted on March 11, 2008 by Nathan Grandbois

A vulnerability has been reported in RealPlayer. An activex control, rmoc3260.dll, is vulnerable to remote code execution. This can be exploited when a user browses to a malicious page, and will execute code in the context of the user running the application. SANS reports that this vulnerability is being actively exploited in the wild. If you have RealPlayer installed on your system, it is highly recommended that you update to the latest version, however there is no patch available for the issue. The only current work around is to disable the affected activex control.
Two vulnerabilities have been reported in SAP’s MaxDB. These vulnerabilities can be exploited remotely and could result in code execution under the context of the running user. SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.
Multiple vulnerabilities have been reported for IBM Informix Dynamic Server. These vulnerabilities can be exploited to cause a buffer overflow. These vulnerabilities can be exploited remotely. There is not currently a patch available. For more information see CVE-2008-0727 and CVE-2008-0949.

March Windows Updates

Posted on March 10, 2008 by Adam Hostetler

Looks like Microsoft has released 4 critical Microsoft Office updates this month. All four updates are resolving issues that could lead to remote code execution. There are also several other non security related updates for Windows, WSUS, and Windows Update. Of course, as always, we recommend that you test the updates immediately and then deploy them to production.

Panda Dos

Posted on March 10, 2008 by Nathan Grandbois

Panda Antivirus and Firewall is vulnerable to a denial of service and system compromise. The kernel driver included with Panda Antivirus and Firewall 2008 does not handle IOCTL requests correctly. This can result in a local denial of service or execution of code on the local system. There is currently a hotfix available for this issue. If you, or anyone you know, runs Panda Antivirus give them a heads up to run the update utility.

Checkpoint VPN XSS, Multiple Java Vulns

Posted on March 6, 2008 by Nathan Grandbois

Checkpoint VPN-1 UTM Edge is vulnerable to cross site scripting. This particular XSS vulnerability allows for reflective cross site scripting pre authentication. This could allow attackers to embed the login form in an html form for deceptive and malicious purposes. The latest firmware version, 7.5.48, reportedly does not contain this vulnerability.

There are multiple vulnerabilities in Java. This includes Java Web Start, the JRE and SDK. These vulnerabilities could lead to a Denial of Service or system compromise. All of the more recent versions of Java are vulnerable, so if you haven’t updated your Java install in a few weeks, now would be the time to do so.

Lighttpd, a popular light open source web server, is vulnerable to CGI source exposure and potential denial of service. Version 1.4.18-r2 is affected and a newer version is available.

New Advanced Botnets Discovered

Posted on March 3, 2008 by Adam Hostetler

Previously undetected botnets have been found to be running under the radar. The largest one has gained the name “MayDay”. MayDay has not infected a lot of systems yet, like Storm has, but has advanced capabilities to evade detection. Notably, it’s able to send HTTP traffic through an enterprises proxy. The bot also uses peer-to-peer technology, through two channels, to stay in contact. The bot appears to be using both TCP and ICMP for data transmission.Even though this bot isn’t a large threat yet, it shows that bot development isn’t going to stop any time soon. Bot writers are getting smarter and more clever, while detection and analysis techniques are lagging behind.

Increase in European “Options” HTTP Scans from Linux Systems

Posted on March 3, 2008 by Brent Huston

Over the weekend, we saw a large increase in HoneyPoint captures of HTTP fingerprinting scans using the “Options *” technique. Even more interesting was that nearly all of these scans originated in Europe. The scans were all originated from Linux boxes and simple port probes show all of the boxes to be running OpenSSH 4.3 (some with p2). Other ports show no consistency on the originating systems.

Clearly, it could be a coincidence, but for multiple hosts to show only that correlating port, it could also be a specific exploit for OpenSSH 2.4. Additional research shows a few known issues with this version of OpenSSH. Perhaps a new bot-net is being launched by leveraging this vulnerability?

We are deploying additional SSH HoneyPoints to try and capture more data about possible exploitation of systems meeting these implementations.

Editor’s Note: The current version is OpenSSH 4.7/4.7p1 – so if you are using older versions (including 4.2/4.3) you should upgrade as soon as possible to the current revision.

Post revised to update for identified existing OpenSSH issues.

Multiple IBM AIX Vulnerabilities

Posted on February 28, 2008 by wstoner

Vulnerabilities have been discovered in AIX’s X server and inet_network libc library that can lead to a number of threats. These include the execution of arbitrary code in a root context, Denial of Service, or exposure of sensitive data. The original IBM advisories are located at:

AIX X server multiple vulnerabilities

AIX libc inet_network buffer overflow

Thunderbird 2 MIME vulnerability

Posted on February 28, 2008 by wstoner

Mozilla Thunderbird 2.0.0.9 has been found to contain a heap buffer overflow vulnerability due to the way it handles external-body MIME types. Systems running this version of Thunderbird are vulnerable to compromise or the execution of arbitrary code via specially crafted email messages. You should update to Thunderbird 2.0.0.12 as soon as possible.

Mozilla’s advisory is located at: http://www.mozilla.org/security/announce/2008/mfsa2008-12.html

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Emerging Threats