Security Watch

RealVNC, WebLogic, Caucho Resin Vulnerabilities

Plus search engine threats, and the end of security as we know it?

• By Russ Cooper
• 06/12/2006

We have been seeing numerous probes specifically intended to identify RealVNC servers over port tcp 5900. If the RealVNC authentication protocol is the only method by which you determine who can remotely access the RealVNC server, ensure that the patches are applied immediately.

Eleven vulnerabilities and/or security issues have been reported in WebLogic Server/Express, which can be exploited to disclose system and sensitive information and bypass certain security restrictions.

Among the issues is the potential for the admin password to be stored in cleartext, the source content of compiled .jsp pages might be disclosed, as well as numerous other potentially sensitive information disclosures.

Caucho Resin Windows Directory Traversal Vulnerability: The Caucho Resin Web application server for Windows contains a directory traversal vulnerability that allows remote unauthenticated users to download any file from the system. It is possible to download files from any drive on the system.

Only Caucho Resin on Windows is vulnerable. The application can be directed to supply the contents of any known file name on the system it is running on. Speculation exists that the vulnerability was introduced in Resin v3.0.17, and has been patched as part of v3.0.19.

Denial of Service
Blue Security, a service intended to stop spammers, has closed its doors. Its service offered customers a way to opt-out of spam, but in the process were seen by many to be performing denial of service attacks upon the companies spammers were trying to sell products for.

Security folks have come out on both sides in this controversy. Many media reports suggested that Blue Security’s business model was based on performing Denial of Service attacks against spammers. In that light, certainly security folks would be correct in thinking they, Blue Security, are “bad guys.” However, Blue Security’s people have stated emphatically that this was not their business model. Instead, they provided their customers with the ability to send an e-mail to a spamming company so those customers could opt-out of future spam runs. One can certainly question Blue Security’s motives in having those hundreds of thousands of e-mails be sent at one moment in time, but the act of opting out is something preserved in the U.S. CAN-SPAM act, and therefore isn’t illegal or even unethical.

That all said, if Blue Security got it wrong, and directed e-mails from their users, they would certainly make an attractive legal pinata.

Malicious Code
According to McAfee, the volume of malware found in search engine results is enormous. Their SiteAdvisor product has found that up to 72 percent of sites a search engine suggests for such simple searches as “free screensavers,” “digital music,” and ”popular software” should be considered "risky.” Possibly more important is that “sponsored links” returned far more risky sites than others. According to the report, people are reaching these malicious sites 285 million times each month.

It’s certainly interesting to see the words “risky” and “malicious” being used interchangeably. McAfee is obviously hoping to hype their SiteAdvisor software, which Edelman helped create. I wish McAfee’s study included the methodology of how they came up with the belief that 285 million malicious links a month are being clicked on by living human beings, but alas, they don’t mention anything about it other than it’s their “estimate.” Further, its worth noting that just because a site contains a malicious piece of software, possibly as part of a repository of free software, does not mean that a visit to the site results in an infection. Many anti-spyware applications treat the presence of a cookie from a bad site equal to the presence of actual malware. SiteAdvisor, it seems, is no different.

Human Factors
Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security: According to the author of this article, our attempts at securing the Internet have totally failed and every idea we have to do better is worthless.

Anyone remember that we recently stated that using PHP on a public Web site, particularly one that allows users to post their own commentary, is a scary proposition? Here we have a security professional decrying the failure of our own business, while ignoring the risks himself.

Mr. Eppel’s lengthy description of how every form of eBusiness is going to fail by the end of 2006 is nothing short of amazing FUD. From his perspective, nothing works, nor will work, in terms of computer security. Unfortunately many of the “facts” he cites are out and out wrong, and others are spun to drive his theory. If there’s much to be gleaned from this work its that there is far more reporting of breaches and issues than in the past…that’s it, as there’s certainly no reliable statistics to prove that people are actually being affected more than before.

Finally, it’s worth pointing out that Mr. Eppel falls short of providing any sort of suggestion as to what must be done in the future, beyond presumably us just giving up. He leaves that for what he says will be his “part 2” story…ah, yet again, someone hyping FUD with no viable solutions to offer. Where have we seen that before?

Privacy
A furor has been raised over the British Government’s stated intent to turn on police powers granted to them in 2000 via the Regulation of Investigatory Powers Act (or RIPA), giving them the power to demand that data be decrypted by the owner, or for the police to seize the encryption keys used to encrypt the data.

The controversy is over whether the police should have the power to seize keys, not that they should be able to force decryption of data. Seized keys could be lost, stolen or abused while in police hands. If they (the police) are merely seeking to examine some encrypted data, then forcing the owner to decrypt said data should be enough.

On the other hand, there’s been significant discussion over the fact the police can jail someone for up to two years for refusing to turn over keys or decrypt data. But how is something determined to be encrypted in the first place? A .gif image makes no sense when viewed as text within an e-mail program, so how is it determined that some blob of data is actually encrypted prior to jailing you?

The government is still in the consultation phase of determining whether or not to enable this part RIPA. We’ll have to wait and see.