Security Watch

More MS Buffer Image Vulnerabilities, but Are They Really a Threat?

The ability to embed malware in Office documents might provide a new avenue for hackers to exploit.

• By Russ Cooper
• 12/05/2005

Yet more image buffer overflows, this time in enhanced metafile and Windows metafile file formats (.EMF and .WMF). They can be rendered in a lot of different ways, including via Internet Explorer, Outlook, Word, PowerPoint and Excel. A malicious image could be delivered by a Web page or e-mail; however, through these transports, the image could be detected. When delivered as part of an Office document, the image is most likely embedded and therefore more difficult to detect unless anti-virus heuristics are enabled.

We’ve been anxious over image vulnerabilities since the first .JPG buffer overflow disclosures and concerned that malware authors might pick up the attack vector. We have yet to see them abused, however, so there’s no reason to believe that this one will be any more attractive.

If there’s reason for concern, it may be that unlike previous image format vulnerabilities, such as those affecting .GIF and .JPG, the fact that these image formats can be embedded in Office documents may create new allure. Malware authors appear to be seeing fewer and fewer new and easy victims, as suggested by the recent malware containing a .RAR attachment. They’re trying new social engineering hooks because the old ones don’t seem to be working as well as they used to; ergo, embedding malware into Office documents may prove attractive.

Veritas NetBackup Enterprise Server contains a buffer overflow vulnerability that could allow a remote attacker to create a denial-of-service condition or execute arbitrary code on the system. Patches are available. Requires access to port 13701.

Malicious Code
XML-RPC for PHP Worm Linux.Plupii (Symantec), which other vendors are naming Linux/Lupper, with two identified variants. Plupii generates Web requests to many different URLs in hopes of exploiting one of three different vulnerabilities: the XML-RPC for PHP vulnerability, the AWSTATS Rawlog vulnerability or the Webhints Remote Command Execution vulnerability. If successful, it creates a backdoor shell on UDP port 7222, sends a notification to an attacker on that port and saves itself in tmp/lupii.

Thus far the actual number of infections in the wild seems very low, although there have been rumblings that people are seeing more and more “get” requests in their Web server logs.

According to anti-virus vendor Sophos, Troj/Stinx-E is a trojan which uses pieces of the Sony DRM rootkit to hide its components. The Sony DRM rootkit hides all files that begin with the characters $SYS$, in an effort to maintain its stealth. The only people that could fall victim to this trojan are those who have already run a Sony CD containing the DRM rootkit installer. Otherwise, the files will be visible to the victim.

The concern now will be if file-sharing software networks start employing a similar technique to hide their copyright violations.

Governance
Microsoft took a position this week favoring national privacy legislation. In particular, they emphasized three points: The current and coming patchwork of state, federal and international laws is too complex; consumer fear about identity fraud may dampen e-commerce; and consumers’ desires for more control over the information that has been collected about them. To this end, they’ve proposed four core principles: Create a baseline standard for collection and storage; create simplified and consumer-friendly notifications and access services; provide consumers with meaningful control over their data; and ensure a minimum level of security for storage and transport of the data.

As with all such proposals, there’s something for everyone -- what will matter is the final draft should this proceed. Businesses can both benefit and suffer as a result of a single standard: It may be more than they currently have to do, or it may make it easier to have a single system across all borders. Consumers may benefit by increased access to the data that has been collected on them, but in the process phishing schemes may become more commonplace as the standardized access methods are spoofed by criminals.

The European Commission hopes a meeting next week, the World Summit on the Information Society, will come up with an agreement to allow governments more direct influence over the domain name system that guides traffic around the Internet. A U.N. report has put forward a more multi-national approach to running the Internet, which serves a billion users worldwide, saying this would be more democratic and transparent, a view the 25-nation European Union shares.

Sigh…can anyone really explain what’s at issue here other than posturing? The EU doesn’t want to seem under the control of the U.S.-dominated DNS environment. Is it that they feel they could make a ton of money doing it themselves? The strange thing is that nobody is prevented from using a domain name they create entirely themselves. The only time the worldwide DNS environment comes into play is when you rely upon the U.S.-controlled root servers. However, if the EU wanted to, they could simply insist on ISPs in their constituencies using EU-sanctioned root servers, under their own control. Then, if they wanted, they could issue any domain name they desired, and it would be resolved to one they had sanctioned. Of course this would probably result in court cases over who should have international ownership of a given domain name, but within their own borders they could decide.

We’re certainly not suggesting this is the right approach, but from a technical perspective they’re not asking for something they can’t already implement entirely under their own volition and control. So what’s the real issue here?

The U.S. Federal Communications Commission will not require VoIP providers to cut off service to existing customers who do not have enhanced 911 services in place. There had been a deadline of Nov. 28. The companies will not be allowed to take new customers who are not equipped with the E911 service, however.

Everyone who is surprised by this should stand up and look under their chairs for gremlins.