Security Watch
Exchange Server Vulnerable to Buffer Exploit
An e-mail targeting the CDO buffer overflow can cripple a secured Exchange Server.
Hacking
Microsoft Security Bulletin MS05-048:
Collaboration Data Objects (CDO/CDOEX): Of all of the recent Microsoft Security
Bulletins, we here at Cybertrust believe this one has the greatest potential
for abuse. Exchange Server uses CDO with Event Sinks in order to notify other
software that some action should be taken. Some anti-virus and anti-spam software
rely upon Event Sinks to determine when to process an e-mail. Prior to processing,
the message is passed to CDO so its component parts can be handled. When this
occurs, the buffer overflow can be exploited. As such, it is possible that an
exploit e-mail could compromise a secured Exchange Server before the security
software resident on the box ever detects the malicious e-mail.
Exchange Servers are not the only servers that rely on CDO -- IIS, SQL and
many third-party products use it. Exchange Servers are, however, the most likely
target.
The vulnerability exists in the parsing of the “Content-Type” value
contained in the message header. This field length is not constrained by RFCs
related to e-mail. Cybertrust testing suggests that Content-Type values should
not be longer than 512 bytes.
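Because the RFCs place no limit on the length of the Content-Type field, the practical defence at the mail gateway is to impose one yourself and quarantine anything that exceeds it. The following is an added example (not code from the column, from Microsoft, or from Cybertrust) that unfolds raw message headers the way a gateway sees them and reports any Content-Type value over the 512-byte figure the column quotes; the threshold constant, the function names and the sample messages are all constructed for illustration.

```python
"""Flag e-mail messages whose Content-Type header exceeds a size limit.

Added example for the MS05-048 discussion: the column reports that Cybertrust's
testing suggests Content-Type values should not exceed 512 bytes. This code
unfolds the raw header block of a message and reports oversized Content-Type
values so a mail filter can hold the message before a CDO-based component
parses it. Nothing here is Microsoft's or Cybertrust's code.
"""
from __future__ import annotations

MAX_CONTENT_TYPE_LEN = 512  # figure reported in the column; tune to local policy


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw message.

    Folded header lines (continuations beginning with SP or HTAB, RFC 5322
    section 2.2.3) are joined back into one logical value by removing the
    line break and keeping the whitespace, because the unfolded size is what a
    header parser actually has to handle. Parsing stops at the first blank line.
    Header names are lower-cased for case-insensitive matching.
    """
    headers: list[tuple[str, str]] = []
    name: str | None = None
    value_parts: list[bytes] = []

    def flush() -> None:
        if name is not None:
            headers.append((name, b"".join(value_parts).strip().decode("latin-1")))

    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if line == b"":  # end of the header block
            break
        if line[:1] in (b" ", b"\t") and name is not None:
            value_parts.append(line)  # folded continuation of the previous field
            continue
        flush()
        sep = line.find(b":")
        if sep < 0:
            # Malformed line with no colon: keep it as a nameless field so the
            # caller can still see it rather than silently dropping it.
            name, value_parts = "", [line]
            continue
        name = line[:sep].decode("latin-1").strip().lower()
        value_parts = [line[sep + 1:]]
    flush()
    return headers


def oversized_content_type(raw: bytes, limit: int = MAX_CONTENT_TYPE_LEN) -> list[str]:
    """Return a list of findings; an empty list means the message passes."""
    findings = []
    for name, value in parse_headers(raw):
        size = len(value.encode("latin-1"))
        if name == "content-type" and size > limit:
            findings.append(
                f"Content-Type value is {size} bytes (limit {limit}); "
                f"starts with {value[:40]!r}"
            )
    return findings


# Constructed sample messages (not real captures).
BENIGN = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: quarterly numbers\r\n"
    b"Content-Type: multipart/mixed;\r\n"
    b"\tboundary=\"----=_Part_0001\"\r\n"
    b"\r\n"
    b"body\r\n"
)

# Same shape, with the boundary parameter padded far past the 512-byte figure.
OVERSIZED = b"".join([
    b"From: alice@example.test\r\n",
    b"Subject: quarterly numbers\r\n",
    b"Content-Type: multipart/mixed; boundary=\"", b"A" * 700, b"\"\r\n",
    b"\r\n",
    b"body\r\n",
])

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, oversized_content_type(msg) or "ok")
```

The check unfolds continuation lines before measuring, so a long value split across many short physical lines is still caught; the size you want to enforce is the one the downstream parser sees, not the longest single line on the wire.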
The vulnerability is similar to the ESMTP vulnerability patched by MS05-021.
To date, no known attempts against this vulnerability have occurred. This suggests
that this vulnerability may not get attacked either, but its attractiveness
coupled with the high value of the victim systems dictates prudence.
It’s reasonable to expect working exploits within 30 days. Proof of concept
has already been published, although that code is benign.
BEA recently released 24 patches for WebLogic Server and WebLogic
Express. The patches cover vulnerabilities ranging from remote DoS, XSS,
unauthorized access and admin lockout.
One has to wonder why BEA held so many of these patches to release them together.
Although most of the vulnerabilities were low impact, certainly BEA WebLogic
administrators should pay attention given that several involve the ability to
modify or obtain the administrator password. So far, we haven’t seen any
exploit code.
OpenSSL versions 0.9.7h and prior contain vulnerabilities that could
allow a remote attacker to force an arbitrary connection to use a less secure
OpenSSL version or forge valid certificates.
While the attack requires a lot of different issues to align properly, an attack
against such a critical piece of security infrastructure should not be ignored.
The current workaround is to simply disable SSL 2, which is pretty straightforward.
Denial of Service
For some unknown and unfathomable reason, Pennsylvania State University
researchers not only decided to study but also publish "Exploiting
Open Functionality in SMS-Capable Cellular Networks." The work
outlines how many SMS messages it would take to overwhelm a cell-tower or SMS
switch in order to prevent phone use.
What on earth were they thinking? All networks are funnels, so pour enough
in and you can always find a way to overflow it. That should be a given, so
the only real research was just how much must be sent to achieve the expected
(and certain) result. Their findings were not, however, based on some fundamental
flaw in the way SMS messages are formed, interpreted or even handled, but instead
simply a demonstration of the capacity of the site being tested against. As
with any attack that attempts to overwhelm resources, increase the available
resources and you thwart the attack … until someone sends even more data
at it. Gee, did we really need to see a study of that age-old theory!
Physical Security
Two biometric solution providers, Pay By Touch Solutions and BioPay,
are convinced that retailers could save up to 75 percent in processing fees
if fingerprints were used to identify accounts that transactions should be charged
to. According to the companies, security concerns that their method of identifying
the fingerprint could lead to that data being used to reconstitute an actual
fingerprint are unfounded.
Were that the only concern, one might think this is a great idea. Sure, there’s
no doubt that the ability to create an actual replica of someone’s fingerprint
from data stored/received by a biometric device is a security concern. However,
when such biometrics are being used to authenticate and authorize a transaction,
the bigger concern should be whether or not the stored data can be replayed.
Marketing will have to overcome images like a stolen finger being pressed against
glass, or the idea that a fingerprint may be as identifiable as your DNA. You
must overcome the fear that the data will be abused for such a system to obtain
widespread adoption, and this may be more difficult in the United States than
most anywhere else given the population’s strong concerns over privacy.
Biometrics work best in places where you have someone watching you use the
biometric device. This holds true for some point-of-sale transactions, but certainly
not all. Further, should such devices become widely deployed, less and less
scrutiny would be given to the people using the devices, opening the way for
gummy bear attacks … not to mention dismemberment.
Privacy
Javelin Strategy & Research reported that, according to a study they
conducted, only 2.2 percent of all bank-related fraud was due to computer viruses
or hackers. Twenty-six percent of victims knew the person who had perpetrated
the fraud, and 29 percent said their personal information was gleaned through
a lost or stolen wallet, checkbook or credit card.
This is further evidence that crime is still more effective person-to-person
rather than electronically. While reports of 40 million records being stolen
by hackers get the headlines, if you have money stolen from your bank account,
an acquaintance, friend or family member is more likely to be the culprit. No
wonder “Law and Order” investigators always look at relatives and
friends first!
Governance
Three men were recently arrested by police in the Netherlands
and accused of using a botnet of more than 100,000 computers to blackmail
companies in the U.S. with the threat of denial-of-service attacks. The three,
ages 19, 22 and 27, allegedly used computers infected with W32.toxbot
in the scheme.
Toxbot was not highlighted by any anti-virus company, demonstrating yet again
that the slow-moving, under-the-radar attacks are extremely effective. Also,
press releases don’t necessarily demonstrate threat or severity.
European Commission officials have warned that if the U.S. doesn't surrender
some control of the Internet, countries such as China, Russia, Brazil and some
Middle Eastern countries could set up their own nets. The Internet is currently
controlled by the Internet Corporation for Assigned Names and Numbers under
the authority of the U.S. Department of Commerce. The U.S. argues that control
by other countries could result in net censorship. Gee, does that mean we won’t
get spam, phishing attacks, spyware and other malware from these locations if
they make this move?
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.