Security Watch

'Advisories' Are Not Enough

Microsoft's security alerts will be lost on most ordinary users.

Hacking/Denial of Service
Microsoft has begun a new security service called "Microsoft Security Advisories." The advisories are meant to provide information on security-related enhancements to products and address security concerns "that may not require a security bulletin but that may still affect customers' overall security," according to Microsoft's Web site.

Microsoft Security Advisory 892313 warns about a Windows Media Player vulnerability. It has to do with the automatic acquisition of media licenses in Media Player 9 and 10, which can be abused to cause unsuspecting users to visit sites other than those they thought they were visiting. The automatic acquisition feature allows media authors (attackers, in this case) to specify malicious sites as the location to receive a license; when the browser visits the alleged license site, malicious software is downloaded instead.

Expect to see more of these advisories. Unfortunately, Microsoft has decided that such updates don't warrant the same treatment as vulnerabilities. It has a point—the Media Player situation, for example, is not a vulnerability per se, since the attacker must be able to specify the location of his license repository. In practice, however, the question is whether or not this feature should ever be completely silent—triggered without some type of warning for the user. Given the number of existing browser vulnerabilities, and the fact that license retrieval is done via browser, you have to ask whether it's prudent to allow browsers to be sent to any site silently. Also, since this won't appear in Windows Update, the vast majority of consumers—those most likely to be attacked—will remain unaware of the potential for problems.

Corporations obviously don't want to receive updates too frequently, and for those using appropriate content filtering (for example, by prohibiting media file downloads from the Internet, preventing attempts at license acquisition), there shouldn't be a problem. However, given the current state of affairs, Microsoft should be erring on the side of caution and pushing updates like this to all consumers via Automatic Updates. The update's new feature (the ability to decide whether you will or won't be prompted when retrieving licenses) should be turned on by default.

The UK National Infrastructure Security Co-ordination Center (NISCC) has announced a flaw in IPsec, a widely-used VPN protocol suite, that could allow attackers to intercept secure network communications. The vulnerability affects certain configurations of IPsec that use Encapsulating Security Payload (ESP) in tunnel mode with confidentiality; configurations with integrity protection being provided by a higher layer protocol; and some IPsec configurations using the key Authentication Header (AH) protocol. If exploited, it's possible that some plain text portions of the secure communication may be sent back to the attacker, thus allowing the attacker to view the confidential communication. If ICMP (Internet Control Message Protocol) error messages are prevented from being sent back to tunnel participants, the leakage can be prevented.

RSA Authentication Agent for Web 5.3 and earlier versions contain a buffer overflow vulnerability which could be exploited by a remote attacker. The hole is yet another example of a chunked encoding vulnerability. Chunked encoding has been heavily scrutinized of late, resulting in numerous vulnerabilities in various products. This vulnerability could result in a remote attacker obtaining "System" privileges on the server hosting the RSA Web Agent. Such a server typically would be a critical system in your security infrastructure. RSA has released a patch for the vulnerability.
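A chunked request body carries its own client-supplied hex length fields, so a decoder has to validate each one before copying. The C code below is an added illustration of those checks, not RSA's code and not part of the original column; the function names, return codes and sample body are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

enum { CHUNK_OK = 0, CHUNK_MALFORMED = -1, CHUNK_TOO_LARGE = -2 };

/* Parse the hex chunk-size field as an unsigned value, rejecting overflow. */
static int parse_size(const char *p, const char *end, size_t *size, const char **next)
{
    size_t v = 0;
    int digits = 0;
    for (; p < end; p++, digits++) {
        int d;
        if (*p >= '0' && *p <= '9') d = *p - '0';
        else if (*p >= 'a' && *p <= 'f') d = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') d = *p - 'A' + 10;
        else break;
        if (v > ((size_t)-1 >> 4)) return CHUNK_TOO_LARGE; /* shift would overflow */
        v = (v << 4) | (size_t)d;
    }
    if (digits == 0) return CHUNK_MALFORMED; /* also rejects a leading '-' */
    *size = v; *next = p;
    return CHUNK_OK;
}

/* Decode a complete chunked body (no extensions or trailers accepted)
 * from in[0..in_len) into out[0..out_cap). */
int decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap, size_t *out_len)
{
    const char *p = in, *end = in + in_len;
    size_t used = 0;
    for (;;) {
        size_t n;
        int rc = parse_size(p, end, &n, &p);
        if (rc != CHUNK_OK) return rc;
        if (end - p < 2 || p[0] != '\r' || p[1] != '\n') return CHUNK_MALFORMED;
        p += 2;
        if (n == 0) break;                                  /* last chunk */
        if (n > out_cap - used) return CHUNK_TOO_LARGE;     /* bound checked before copy */
        if (end - p < 2 || (size_t)(end - p) - 2 < n) return CHUNK_MALFORMED; /* truncated */
        memcpy(out + used, p, n);
        used += n; p += n;
        if (p[0] != '\r' || p[1] != '\n') return CHUNK_MALFORMED;
        p += 2;
    }
    if (end - p < 2 || p[0] != '\r' || p[1] != '\n') return CHUNK_MALFORMED;
    *out_len = used;
    return CHUNK_OK;
}
```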

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
