Threats vs. Vulnerabilities: Addressing the Aftermath -- Microsoft Certified Professional Magazine Online

Threats vs. Vulnerabilities: Addressing the Aftermath

Also: RealPlayer, HelixPlayer flaws show hackers casting wider OS net; open-source imaging software gets fix.

By Russ Cooper
08/13/2007

According to the chemical giant DuPont, by way this article in The News Journal, managing risk means ensuring economic resilience, and should be an integral component of the U.S. Department of Homeland Security’s mandate.

Citing generic terms like “security breach” or “broad computer systems failure” to describe his top concerns, DuPont Chairman Charles O. Holliday Jr. said his company analyzes events daily to keep abreast of new threats. Holliday also acknowledged that it was impossible to attempt to mitigate against every possible risk.

This definitely supports the concept of addressing threats, not vulnerabilities. Holliday acknowledged that it would be extremely difficult, if not impossible, to try to protect factories from plane attacks. Instead, he thinks companies need to make sure they can endure such attacks, and that they would be able to continue conducting business if such an attack were to occur.

Buffer Overflow Flaw Casts Net Across Windows, Linux
Vulnerabilities in RealNetwork's RealPlayer and the open source counterpart, Helix Player, have been patched, according to iDefense, the company who discovered the flaws. The vulnerabilities could be exploited if a victim visits a criminal Web site and allows the control to run.

Here's one of those rare situations where a similar component in both Windows and Linux is vulnerable to the same attack. Any criminal Web site that exploits visitors will likely seek to implement exploitation for this vulnerability, as it may net them more victims.

If you allow these controls to be installed, and have individuals in your organization that have previously fallen victim to a drive-by download (or infection from a criminal’s Web site), then make sure they receive the updated version within the next 30 days.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

GD Library Flaws Patched, But Check for Updates Anyway
Number vulnerabilities have been patched in the open-source imaging program, GD Library, the most serious of which is an integer overflow in the gdImageCreateTrueColor() function. Exploitation could occur by convincing a victim to open a TrueColor image in an application which relies upon gdLib to render the image.

While the library has been patched, this doesn't mean that potentially vulnerable applications are patched. This may require updates from the vendor or recompilation of the affected application using the newly patched library. Most commercially available applications will provide their own patches. However, if you're using a lesser-known third-party application, verify whether updates are required. Despite a huge volume of image-processing vulnerabilities in a plethora of image formats, exploitation hasn't been observed.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.