Security Watch

Think Microsoft’s Slow? Check Out These Patches

Microsoft is diligent compared to these vendors who release their fixes a year after the fact.

Hacking
wget Symbolic Link Vulnerability: Re-amplified to announce the release of patches by Mandriva.

If anyone thinks to criticize Microsoft for taking some time to release a patch for a given vulnerability, remember this one. The vulnerability being patched here was first announced in May of 2004, and proof-of-concept exploit code was published in that same month. It took more than one year for the first patches to be released (for Ubuntu) and 18 months for Mandriva to get around to it.

zlib Buffer Overflow Vulnerability: Re-amplified to announce the release of patches by Trustix.

And it gets better: Trustix waited more than 2.5 years to patch this one.

Multiple PHP issues:

  • PHP ext/curl and ext/gd Security Restriction Bypass Issues
  • PHP glob Safe Mode Information Disclosure Vulnerability
  • PHP virtual() Function Security Restriction Bypass Issue
  • PHP parse_str Security Configuration Bypass Issue
  • PHP phpinfo Cross-Site Scripting Vulnerability
  • phpMyAdmin Cross-Site Scripting and Local File Inclusion Vulnerabilities
  • phpMyAdmin Cross-Site Scripting Vulnerabilities
  • PHP File Upload GLOBAL Variable Overwrite Vulnerability

By crafting a special upload file, it’s possible to overwrite PHP’s global array, allowing attackers to inject arbitrary content into PHP global variables. By sending multiple requests to code that uses parse_str(), attackers can cause register_globals behaviour to be activated in PHP. An XSS flaw in PHP’s phpinfo() function allows attackers to steal information from users. phpBB lets remote users bypass the global 'deregistration' code, inject SQL commands, execute PHP code and conduct cross-site scripting attacks.

Generally speaking, the biggest threats to PHP come as a result of doing a default installation and leaving it without reducing the privileges it installs with. Far too many development and test systems install everything, including PHP, yet never get secured. As a result, insecure PHP may be all over your environment unbeknownst to you.

PHP is a very common target for Web site defacers and those looking to own systems they can use in phishing attacks.
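The parse_str() and register_globals problems above share one root cause: untrusted request data being written straight into the script’s variable scope. The following is an added example, not code from the column, showing the unsafe single-argument parse_str() form beside the confined two-argument form, plus a startup check for the default-install setting the column warns about. It assumes PHP 5.x (where single-argument parse_str() writes into the calling scope) and a hypothetical application variable `$is_admin`.

```php
<?php
// Added example (not from the column). Assumes PHP 5.x semantics:
// parse_str($s) with one argument populates the *calling scope*.

// Constructed attacker-controlled query string; "is_admin" is a
// hypothetical application variable the attacker is trying to clobber.
$untrusted = 'page=2&is_admin=1';

function unsafe_handler($qs) {
    $is_admin = false;          // application default
    parse_str($qs);             // one-arg form: attacker now sets $is_admin = "1"
    return $is_admin;
}

function safe_handler($qs) {
    $is_admin = false;
    parse_str($qs, $params);    // two-arg form: results confined to $params
    // Pull out only the keys the application expects, with type coercion.
    $page = isset($params['page']) ? (int) $params['page'] : 1;
    return array('is_admin' => $is_admin, 'page' => $page);
}

// Deployment check for the default-install problem: register_globals
// should be off; an "on" value means any request parameter becomes a variable.
if (ini_get('register_globals')) {
    fwrite(STDERR, "register_globals is enabled; set register_globals = Off in php.ini\n");
}

var_dump(unsafe_handler($untrusted));
var_dump(safe_handler($untrusted));
```

Running it shows the unsafe handler returning the attacker’s value for `$is_admin` while the safe handler keeps its default; the same confinement applies to any other function that can write into the symbol table (extract(), import_request_variables()).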

Cisco IOS Heap-Based Overflow Vulnerability in System Timers: The Cisco Internetwork Operating System (IOS) may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software that are intended to reduce the likelihood of arbitrary code execution.

This is another vulnerability found in IOS following the discovery announced at the Black Hat Conference back in July. While it’s not a significant threat, it’s further proof that IOS can be made into a platform for running malicious code.

Jargon watch: USA Today recently ran a story about online trading accounts or online banking accounts being incredibly insecure. In the story, the phrase "hijack Trojan" was used to denote a new piece of malware. The malware lays dormant, waiting for a successful authenticated connection to a trusted (presumably financial) Web site, at which time it then injects a transaction into the session.

We haven’t yet seen such a piece of malware, although it’s not unreasonable to believe that many of today’s bots could do such a thing.

Malicious Code
Oracle "Voyager" worm: This worm, exploiting the default password vulnerability in Oracle servers, has been published. The proof-of-concept worm creates an empty database table. If you have your database directly accessible from the Internet with default passwords, a lot worse could happen.

Sony DRM Rootkit: As you probably heard last week, Sony was discovered to have been installing a rootkit -- software that stealthily hides its existence from the user of the computer -- as part of its CD protection scheme. According to reports, the rootkit itself is fairly benign. However, rootkits are evil pieces of malware, no matter who makes them or for what purpose. They are the same as a good virus -- it doesn’t exist. They should never be contemplated by any company who hopes to have consumers trust them. Any company found installing them without informed consumer consent should, in my opinion, be shunned like a DoS extortionist or a virus writer.

Sony has made a utility available for consumers to uninstall the rootkit. This is the equivalent of an “opt-out” list, in that you must realize you have the rootkit (and that a utility exists to remove it) before you can make the decision to take this unknown piece of software off of your machine. Further, the uninstaller had a vulnerability of its own, allowing malicious Web sites to instruct a control it uses to uninstall anything on a victim’s system.

There is no reason for anti-spyware not to detect it and offer to remove it. Since it is software installed without the consent of the user, it falls squarely in the common definition of spyware … even if it doesn’t actually send any information to anyone.

Human Factors
Several public and private organizations banded together to launch a new anti-Internet fraud initiative for consumers, officials announced Monday. The FBI, Monster Worldwide, the National White Collar Crime Center (NW3C), the U.S. Postal Inspection Service, Target Corp. and the Merchant Risk Council established LooksTooGoodToBeTrue.com, a Web site containing a variety of educational tools to keep consumers safe from fraudsters.

It wouldn't be unrealistic to see fraud attempts using a similar looking domain name in the near future, exploiting the trust the organizers have tried to paste together.

The site is thus far not up, so you are instead redirected to a Network Solutions search page telling you it’s still under construction. Guess they had the chicken before the egg …

Physical Security
The Cybertrust Intelligence group recently considered a simple question, namely: “Is a computer that's off 12 hours a day at 50 percent of the risk of a computer that's on 24x7?”

From the Cybertrust Essential Practice perspective that every layer, regardless of how significant, helps improve security … sure, half-off should have some impact on overall risk. The system will not be exposed to as many attacks, and should be attended when attacks do occur … possibly helping to identify infected machines in a more timely fashion. Further, outbreaks in the wee hours of the morning should be less likely, leading to reduced overtime expense and fewer unattended interruptions in systems or your networks.

Some institutions, such as the U.S. Navy, have already implemented such a strategy, although not for security reasons. The Navy does this simply as an energy conservation measure.

(This column was originally published in our weekly Security Watch newsletter.)

Of course if any machines are on, and are vulnerable to an attack that’s present, the infection will still occur. As such, even if most other systems are turned off, they may well get infected the minute they’re powered on. If it were possible to have all systems on a given network segment turned off for the same period of time, then security improvements may well prove significant.

It’s also worth noting that remote administration would not be possible on systems which are turned off. That means patch deployment, for example, would have to wait for the users to turn on the computers. For some corporations that could mean exposing systems to an existing network worm prior to being patched.

The consensus seemed to be that it may improve security some, and would definitely help conserve power. Providing that remote administration or patch management can be handled with systems off, turning systems off is a sensible approach to increased security.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
