Security Watch
Bad Java
While only Russian-language Web sites have been exploited by the Java vulnerability, it'll only be a matter of time.
Hacking/Denial of Service
MS05-037, "JVIEW/javaprxy.dll Remote Code Execution Vulnerability"
This patch addresses the vulnerability in the javaprxy.dll COM object used by
the Microsoft Java Virtual Machine. Although the MSJVM has been removed from
current distributions of Windows XP and Windows Server 2003, any system upgraded
from a previous OS, installed with XP Gold, or which has loaded an application
requiring the MSJVM will have it installed.
Two problems exist with this object. The first is that it can be invoked from
within the Internet Security Zone -- in other words, from any site on the Internet.
The second is that it improperly validates information being passed to it, so
a buffer overflow is possible that would allow an attacker to run any code on
the compromised machine.
In the Security Bulletin, Microsoft outlines numerous methods to restrict or
disable the MSJVM. It has also produced the MSJVM Diagnostic Tool to assist
customers in scanning their networks to determine which systems have the MSJVM
installed. Another tool, the Java Removal Tool, will allow customers to remove
the MSJVM completely.
Reports exist that this vulnerability is being actively exploited, and proof
of concept exploit code has been published. So far, all sites which have been
discovered attempting to exploit the vulnerability have been Russian-language
sites, and it appears they can only exploit Russian-language versions of Windows;
attempts to infect English-language systems have simply resulted in system crashes.
If form holds, it will be only a matter of time before some miscreant will tweak
the exploit to cause it to work on other language versions.
MS05-036, "Color Management Module Buffer Overflow Vulnerability"
Reports of in-the-wild exploits exist, but have so far been limited to inclusion
in e-mails to a very few domains. Proof-of-concept exploits are certainly expected,
but not widespread distribution. Image vulnerabilities are certainly not new,
but so far they haven't been exploited en masse.
Initially it looked like only complex document types might be vulnerable. The
Windows Color Management Module (CMM) interprets a value known as the International
Color Consortium (ICC) profile, contained within the image header. This value
would typically be used to instruct hardware devices, such as monitors and
printers, how to translate color values from the author's system to the rendering
device's system. This would allow an author to ensure that a color scheme was
being matched as closely as possible by the rendering devices.
However, it now appears that many authoring programs permit this mapping to
be embedded into images, including relatively simple image formats such as JPEG.
JPEG permits numerous "extensions" to be embedded within the image,
which Windows interprets. As such, it's possible to include an extension which
includes an ICC Profile in a JPEG, then abuse this extension to invoke the buffer
overflow.
Regardless, easier buffer overflows exist in the JPEG format, and while this
is yet another, it's unlikely to be the method of choice since it requires extensions
to be included in the image format (thereby possibly making it easier to detect
as malicious, or at least potentially malicious).
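The previous two paragraphs describe the delivery path (an ICC profile carried in a JPEG APP2 extension segment) and note that the presence of such an extension is itself a detection opportunity. The following scanner is an added example, not code from the column or from Microsoft: it walks the JPEG marker segments ahead of the scan data and reports every APP2 segment tagged ICC_PROFILE, so a gateway or mail filter can flag images that carry a profile for closer inspection. The sample byte strings are constructed here (the "profile" body is filler, not a real ICC profile); function names are my own.

```python
import struct

ICC_TAG = b"ICC_PROFILE\x00"  # prefix of an APP2 payload that carries an ICC profile chunk


def _segment(marker, payload):
    """Build one JPEG marker segment: 0xFF, marker byte, 2-byte length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF APP0, an APP2 ICC_PROFILE chunk (1 of 1, 128 filler bytes),
# a quantisation table, then a start-of-scan header and a couple of dummy scan bytes.
SAMPLE_WITH_ICC = (
    b"\xff\xd8"  # SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE2, ICC_TAG + b"\x01\x01" + b"\x00" * 128)
    + _segment(0xDB, b"\x00" + b"\x01" * 64)  # DQT
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS
    + b"\x12\x34"  # entropy-coded data (dummy)
    + b"\xff\xd9"  # EOI
)

# Constructed sample: the same minimal JFIF header with no ICC extension at all.
SAMPLE_PLAIN = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + b"\xff\xd9"
)


def iter_segments(data):
    """Yield (marker, payload) for each header segment up to and including SOS.

    Parsing stops at SOS because entropy-coded image data follows it and is not
    organised as length-prefixed segments.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker; skip it
            pos += 1
            continue
        if marker == 0xD9:  # EOI: nothing more to parse
            return
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        if marker == 0xDA:  # SOS: scan data follows, stop here
            return
        pos += 2 + length


def find_icc_profiles(data):
    """Return one record per APP2 ICC_PROFILE chunk: sequence number, chunk count, data size."""
    found = []
    for marker, payload in iter_segments(data):
        if marker != 0xE2 or not payload.startswith(ICC_TAG):
            continue
        header_len = len(ICC_TAG) + 2  # tag + 1-byte seq + 1-byte count
        if len(payload) < header_len:
            # Tag present but the chunk header is cut short: still worth flagging
            found.append({"seq": None, "total": None, "bytes": 0, "malformed": True})
            continue
        found.append({
            "seq": payload[len(ICC_TAG)],
            "total": payload[len(ICC_TAG) + 1],
            "bytes": len(payload) - header_len,
            "malformed": False,
        })
    return found


def has_icc_profile(data):
    """True if the JPEG carries at least one ICC_PROFILE extension segment."""
    return bool(find_icc_profiles(data))


if __name__ == "__main__":
    for name, blob in (("with_icc", SAMPLE_WITH_ICC), ("plain", SAMPLE_PLAIN)):
        print(name, "ICC chunks:", find_icc_profiles(blob))
```

The check is deliberately structural: it does not try to parse the profile itself, only to surface images that carry one, which is the property the column points to as the detection handle. A profile that spans several APP2 segments shows up as several records with the same chunk count, so a filter can also notice a sequence that is incomplete or inconsistent.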
MS05-035, "Word Font Parsing Arbitrary Code Execution Vulnerability"
Microsoft Word contains a vulnerability in the font parsing functionality that
could allow a remote attacker to invoke a buffer overflow. Attacks against this
vulnerability would result in the victim causing the attacker's code to be invoked
in the security context of the victim.
Vulnerabilities in Office documents have in the past been largely ignored,
but recent discussion has suggested there may be an increased use of such documents
for targeted attacks. The fear is that criminal rings may be attempting to steal
intellectual property from corporations, although anti-virus companies have
been extremely effective at detecting not only "macro" viruses, but
also other malware within structured documents such as Word docs.
Oracle July Critical Patch Release
The best count so far is that Oracle's patch includes 49 new and cumulative
patches for multiple products and vulnerabilities. The most serious appear to
be possible remote SQL Injection vulnerabilities. Very little information is
currently available, and no known detailed technical information or exploits
exist. Depending on how you count them, there are more than 100 unpatched vulnerabilities
in Oracle.
Port 80 Suspect Traffic Spikes
So far, our best information suggests that the spikes are due to attacks against
ASN.1 vulnerabilities and older, pre-existing attacks on that port.
Denial of Service
Microsoft ASP.NET Malformed SOAP Message Denial of Service Issue
A remote DoS condition can be created by sending a malformed SOAP (Simple Object
Access Protocol) message to an IIS Web server RPC/Encoded Web method which accepts
arrays via an IList (or anything derived from an IList object).
An ASP.NET site should not be exposing this functionality directly; if it does,
it should be re-coded to avoid such an exposed method.
Cisco Security Agent Denial-of-Service Issue
An attack against the Cisco Security Agent could result in a DoS of the host
Windows system.
Governance
The Anti-Spyware Coalition, which includes Microsoft, EarthLink, McAfee
and Hewlett-Packard, has released the first draft of the consensus document
"Spyware Definitions and Supporting Documents" for a 30-day public
comment period.
This column was originally published in our weekly Security Watch newsletter.
Failure is the most likely outcome of this effort, given how vague such a definition
must be in order to avoid classifying legitimate software as spyware. Software
will either have an End User License Agreement (EULA) or it won't. If it does,
it can state whatever it wants in terms of what the software will do. This can
include using spyware tactics; even then, users are still likely to install
it.
ICANN's Security and Stability Advisory Committee (SSAC) has released
a paper outlining several famous and recent thefts of Web sites, including Panix.com,
Hushmail.com and HZ.com, and listed where the system went wrong and what can
be done to correct the flaws.
We assume they're attempting to show that there is some way to prevent your
domain from being hijacked, but such papers are just as likely to provide those
with malicious intent the methods to hijack a domain.
Following a review of the U.S. Department of Homeland Security (DHS)
structure he began after taking over in February, Homeland Security Secretary
Michael Chertoff elevated the cybersecurity chief at DHS several levels
on the agency's organizational chart by creating the position of assistant secretary
for cyber and telecommunications security.
We can hope that this allows someone to accept the position and actually stay
there for a while and get something concrete done.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.