Windows updates

Yesterday was Patch Tuesday for Microsoft. This time around only two security fixes were released, but one of them fixed a critical issue. That would be MS07-061, which is known to be exploitable. The exploit allows command execution on the host, so this is a very important update. Make sure all desktop systems are patched immediately. The other update fixes a potential DNS spoofing issue, described in MS07-062.

Avaya vulns

Avaya is getting hit again with multiple vulnerabilities. Over the past month, there have been several, so it’s pretty obvious that attackers are digging deep into Avaya’s systems. Fortunately these new vulns are limited to DoS and local information leakage. The DoS affects Avaya CM 3.0, Intuity, MSS, Message Networking, CCS/SES, and AES. The info leakage issue affects Avaya CMS R12, R13(.1), R14, and Avaya IR 1.3 and 2.0, on Solaris 8, and 2.0 and 3.0 on Solaris 10. All of these issues have already been fixed by Avaya, so get the latest versions if you haven’t already.

IE exploit, new attacker tools

An exploit has been released into the wild that takes advantage of an Internet Explorer bug described in MS07-055. The exploit currently only works on Windows 2000 with IE 5.0, 5.5 and 6.0 SP1, but attackers are sure to be working on a version for XP, which would cause a much larger issue. Vista is not affected by this vulnerability, so if you’re running on that platform, there’s no cause for alarm here.

Some new tools have also been released to the public. The Metasploit project is continuing to be developed, and causing headaches for system admins everywhere. A new version was released in beta, so look forward to new exploits being developed for that framework. Some new SIP attack tools were also released. SIPVicious is an attacker’s tool package that’s able to scan, war dial and crack SIP PBXs. VOIP is still getting hit hard, and we don’t see any calming in the future.

Don’t Open that Jar:

A vulnerability in the handling of the jar: URI handler has been announced. The way that browsers, notably Firefox, handle the jar: handler allows for persistent cross site scripting. Any file with the MIME type of zip can be used to exploit this vulnerability, even without the .zip extension. There’s no workaround for this issue right now. Some options include never visiting jar: links in web pages, or installing the development version of NoScript extension for Firefox. The Firefox development team is working on a resolution, but one is not available at this time. For more information, visit the Mozilla bugs page at https://bugzilla.mozilla.org/show_bug.cgi?id=369814.
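A content-based upload check for sites that host user files, following from the point above that the file extension does not matter. This is an added example, not from the original post; the function name, the extension list and the reject policy are assumptions.

```python
import io
import zipfile

# Member extensions a browser would render as active content (assumed list).
ACTIVE_EXTENSIONS = (".html", ".htm", ".xhtml", ".svg", ".js")


def inspect_upload(filename: str, data: bytes) -> dict:
    """Classify an upload by its bytes, ignoring its name and declared type."""
    result = {"filename": filename, "is_zip": False,
              "active_members": [], "reject": False}
    buf = io.BytesIO(data)
    # is_zipfile() looks for the end-of-central-directory record, so a
    # renamed archive is still recognised.
    if not zipfile.is_zipfile(buf):
        return result
    result["is_zip"] = True
    buf.seek(0)
    try:
        with zipfile.ZipFile(buf) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        # Claims to be an archive but cannot be parsed: refuse it.
        result["reject"] = True
        return result
    result["active_members"] = [
        n for n in names if n.lower().endswith(ACTIVE_EXTENSIONS)
    ]
    # Assumed policy: archive content is only acceptable under a .zip name,
    # and never when it carries browser-renderable members.
    named_zip = filename.lower().endswith(".zip")
    result["reject"] = (not named_zip) or bool(result["active_members"])
    return result


def _make_zip(members: dict) -> bytes:
    """Build a small in-memory archive for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed sample uploads (not real files).
SAMPLES = {
    "avatar.png": _make_zip({"index.html": "<p>constructed sample</p>"}),
    "notes.txt": b"plain text, constructed sample\n",
    "photos.zip": _make_zip({"a.jpg": b"\xff\xd8constructed"}),
}
```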

In other vulnerability news, a PoC has been released for a stack overflow in Adobe Shockwave. Sun Solaris’ version of Mozilla (1.7) is vulnerable to several issues and should be upgraded.

Oracle 10gR2 Vuln, Old AIX Vuln Exploited

Oracle Database 10g Release 2 is vulnerable to a buffer overflow. This vulnerability is due to an error in the processing of the NAME and OWNER arguments sent to the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure. If the combined length of the two arguments reaches a certain value, a buffer overflow will occur and allow the execution of arbitrary code. This vulnerability can only be exploited by authenticated users. Oracle has a fix slated for release in the next Critical Patch Update.

An exploit has been released for an AIX format string vulnerability. The exploit is coded to address CVE-2006-4254. A patch has been available for quite some time. If you’re an admin of an AIX system and haven’t applied any APARs lately, now would be the time to consider doing it.

Leopard Clawing WoW?

MacOS X Leopard has issues with the firewall. For starters, the firewall is deactivated upon installation. Next, the firewall has changed so that it now operates at the application level and performs signature checks. If Apple does not have a digital signature for an application, it will sign the application itself. If the binary changes at any time, it will be denied internet access. This is causing problems with applications that change their binaries, such as Skype and World of Warcraft. Users having issues with these applications have reported a reinstall fixing the issue. There’s much discussion about this on the WoW forums.

In other news, a new blind SQL injection tool has been released, http://sqlmap.sourceforge.net/. I haven’t personally used this tool but it looks promising. Also, the “cyber jihad” rumored to start on 11/11 is nothing more than a rumor. I remember the last time they tried this and it fizzled out to nothing, just like it likely will this time. At best they may be able to pull off some DoS attacks, but no extra precautions are required if you are regularly vigilant.

OpenBSD Ouchie, Apple QuickTime and Solaris 10 Vulns

In a pretty rare occurrence, a remote buffer overflow in OpenBSD has been identified. The vulnerability exists in “dhcpd”, the DHCP daemon, and allows denial of service and arbitrary code execution on 4.0 – 4.2. This issue was originally published in May, but new developments have been made in refining the exploits and in details about the issue. Patches are available, and should be installed as soon as possible.

Apple updated QuickTime to fix several identified issues, including some security problems. The updates are now available, and if you use the Apple update service, you should get them applied automatically. The big problem repaired in this release is a heap overflow that can be used to seize control of machines. We mention this update because QuickTime is one of those pesky applications that seem to turn up everywhere, in many organizations. It would likely be wise to check not only workstations, but also any servers that are used in training, multi-media or presentations. QuickTime seems to be a common tool for these mechanisms.

Lastly, Solaris 10 systems have proven to be vulnerable to a new buffer overflow in the monitoring package “srsexec”. This is installed in many Solaris systems, especially those leveraging the centralized console management and administrative console applications. Attackers with local access to the Solaris system can exploit this issue to execute arbitrary code as “root”, since the binary is suid by default. Patches are already available and should be applied as soon as practical.

Daylight Savings Time & Sonicwall VPN Problems

Daylight savings time caused us to fall back an hour this weekend. Unfortunately it looks like some gadgets and systems missed the memo. Be sure to check all of your systems, routers, firewalls, and other devices to make sure they’re all in sync.

Also, Sonicwall VPN has been found vulnerable to a few issues. The issues could allow an attacker to delete arbitrary files on a host computer, or possibly even compromise the system. Sonicwall has already released an update, so get the newest firmware to mitigate these problems.

A Couple of Interesting Developments

First, a couple of new tools are available specifically geared at cracking Oracle 11g password hashes. These are specifically aimed at attacking the newest features that 11g introduces to better protect the passwords. They also have some short cuts for those folks still making the old style DES passwords available (likely for backwards compatibility with older apps or uses). Essentially, these new mechanisms are slower than old hash attacks, but are still effective. In today’s world of computational power and bot-net distributed password cracking capability, it is pretty darn safe to assume that if the attacker can get the hash – they can get the password.

Another issue that is likely to be an annoyance for some folks is that a new remote Denial of Service attack has been identified in Ubuntu 6.06 DHCP server. While the attacker can’t really gain access to the system using it, they can replace the dead DHCP server with their own, which could include malicious entries and other annoyances. This DHCP server is popular in many cyber cafes I have visited – particularly outside of the US. Just another reminder that you have to pay attention to network connectivity. It might seem like ubiquitous wireless access is a boon, but without the capability to trust the network you use, you have little reason to trust the content you receive!  — Just a reminder!

Vulnerability Updates, Firefox 2.0.0.9, and a Mac Trojan

Similar to previously reported vulnerabilities, Symantec’s Mail Security Appliance is vulnerable to denial of service and a buffer overflow. This is due to insecurity in a third party tool. The exploit can be triggered when the appliance checks a specially crafted file. Administrators are recommended to update to version 5.0.0-36 or later.

Two ActiveX controls installed on client systems using SonicWALL SSL VPN contain vulnerabilities. The first, NeLaunchCtrl, contains boundary errors in a number of functions that could result in a buffer overflow by visiting a malicious site. The WebCacheCleaner control contains an insecure “FileDelete()” method that can be exploited to delete arbitrary files on a system. Firewall admins should update to firmware version 2.5 for SonicWALL SSL VPN 2000/4000, and version 2.1 for SonicWALL SSL-VPN 200.

Hewlett-Packard OpenView Radia Integration Server contains a vulnerability that could allow remote attackers to access arbitrary files on the system. The issue is within the HTTP server running on TCP port 3456 and can be exploited without authentication. Attackers could use this to access configuration or log files which could aid in furthering an attack.

In other news, Firefox update 2.0.0.9 has been released. This is not a security fix, but a stability release. Users should be running at least version 2.0.0.8.

A Mac-based Trojan, a malicious video codec, is in the wild. Spam emails directing people to pornographic websites are hoping to lure users into downloading a required codec to watch videos. Once downloaded, no codec is actually installed but a Trojan virus instead.