Security Watch
CA Alert Service Vulnerable to Buffer Overflow
Plus a Citrix flaw, the Boeing document theft and what Prevx tracked in recent Trojan attacks.
Numerous CA products include the company's Alert Service, which has been found vulnerable to several attacks delivered over the SMB protocol, typically via TCP 445 or TCP 139. A successful attack would give the criminal access to the victim system in the security context of SYSTEM. Patches are available.
On Windows XP and Windows Server 2003, an attacker would first have to authenticate to the victim system's RPC environment; on Windows 2000 the attack can be carried out by an unauthenticated criminal. In any event, these RPC interfaces should not be reachable from outside the security perimeter, so attacks will most likely come from internal systems.
This vulnerability resembles earlier vulnerabilities in Symantec's anti-virus products, which were ultimately exploited in the wild. The most likely scenario is that a roaming user becomes infected while outside the security perimeter and then brings the infected system back into your organization, where it proceeds to attack other systems. Be prepared to segment your network and to identify the attacking systems should an attack in the wild occur.
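As an added example (not part of the column or of any CA product), the following Python script shows the kind of check that supports the advice above: it reads connection logs and flags internal hosts fanning out to TCP 445/139 on many distinct machines (the signature of a returning infected laptop probing its neighbours), and separately flags SMB connections allowed in from outside the internal address space (the perimeter exposure the column says should not exist). The log format, the sample lines and the RFC 1918 definition of "internal" are all assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {139, 445}

# Assumed internal address space (RFC 1918); adjust to your own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample connection log. The format "ts src:sport -> dst:dport proto action"
# is an assumption for this example, not any particular firewall's log format.
# 10.1.5.23 probes six hosts; 10.1.5.40 talks to one file server; two external
# sources try SMB, one of them allowed through.
SAMPLE_LOG = """\
2007-07-16T08:01:02 10.1.5.23:49152 -> 10.1.7.10:445 TCP ALLOW
2007-07-16T08:01:02 10.1.5.23:49153 -> 10.1.7.11:445 TCP ALLOW
2007-07-16T08:01:03 10.1.5.23:49154 -> 10.1.7.12:445 TCP DENY
2007-07-16T08:01:03 10.1.5.23:49155 -> 10.1.7.13:139 TCP ALLOW
2007-07-16T08:01:04 10.1.5.23:49156 -> 10.1.7.14:445 TCP ALLOW
2007-07-16T08:01:04 10.1.5.23:49157 -> 10.1.7.15:445 TCP DENY
2007-07-16T08:01:05 10.1.5.40:50001 -> 10.1.7.10:445 TCP ALLOW
2007-07-16T08:01:06 10.1.5.40:50002 -> 10.1.7.10:445 TCP ALLOW
2007-07-16T08:01:07 10.1.5.40:50003 -> 10.1.7.10:445 TCP ALLOW
2007-07-16T08:01:08 10.1.5.41:50010 -> 10.1.7.20:80 TCP ALLOW
2007-07-16T08:01:09 203.0.113.5:33001 -> 10.1.7.10:445 TCP ALLOW
2007-07-16T08:01:10 198.51.100.7:33002 -> 10.1.7.11:139 TCP DENY
"""

LINE_RE = re.compile(
    r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\w+) (\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto, action = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.upper(), "action": action.upper()}


def smb_flows(log_text):
    """Yield parsed TCP flows whose destination port is an SMB port."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] in SMB_PORTS:
            yield rec


def smb_fanout(log_text, threshold=5):
    """Return {src: [dst, ...]} for sources that touched SMB ports on at least
    `threshold` distinct hosts. Denied attempts count too: a worm probing hosts
    that are not listening still shows up as a fan-out."""
    targets = defaultdict(set)
    for rec in smb_flows(log_text):
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


def is_internal(ip):
    """True if the address falls in the assumed internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_smb_allowed(log_text):
    """Return (src, dst, dport) tuples for SMB flows permitted from outside the
    internal address space: evidence the perimeter exposes ports it should not."""
    return [(rec["src"], rec["dst"], rec["dport"])
            for rec in smb_flows(log_text)
            if rec["action"] == "ALLOW" and not is_internal(rec["src"])]


if __name__ == "__main__":
    for src, dsts in smb_fanout(SAMPLE_LOG).items():
        print(f"fan-out: {src} hit SMB ports on {len(dsts)} hosts: {', '.join(dsts)}")
    for src, dst, dport in external_smb_allowed(SAMPLE_LOG):
        print(f"perimeter exposure: {src} reached {dst}:{dport}")
```

The fan-out threshold is the tuning knob: a workstation legitimately talks to a handful of file and print servers, so start around five distinct hosts per source and lower it once you know the baseline for each segment. The perimeter check deliberately uses an explicit RFC 1918 list rather than `ipaddress.is_private`, which also treats documentation ranges such as 203.0.113.0/24 as private and would have hidden the external source in the sample.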
Citrix Program Neighborhood Agent Content Redirection Buffer Overflow Issue
Citrix's Program Neighborhood Agent also contains a buffer overflow. If exploited, it could result in code of a criminal's choice executing on the victim system. Updates are available.
To exploit this vulnerability, the victim must click on a crafted file that purports to represent a program published on a Citrix Presentation Server. The attack therefore either follows some other attack that placed such a file on the victim's system, or one that left the file on a shared resource where the victim expects to find such files.
Boeing Theft Illustrates Portable Media Concerns
A former Boeing employee has been charged with numerous counts of first-degree computer trespass after allegedly stealing some 320,000 documents pertaining to work at Boeing, documents that Boeing said were outside the scope of the employee's job.
The documents were copied onto a thumb drive and taken home by the employee. This has once again raised the issue of thumb drives and how vulnerable companies are to theft because of them. While they certainly make for an easy means of transport, they aren't really any riskier than floppies, CDs or DVDs. Consider, for example, that practically every camera and phone also contains storage media and can be connected to a computer via a USB port. Who would think to check the memory of a camera?
Hackers Steal U.S. Government, Corporate Data Using Ransomware Trojan
According to security firm Prevx, numerous corporate users have been infected by a ransomware Trojan and had sensitive information stolen by the criminals. Prevx claims to have tracked the criminals to the site they used to collect the data from victims. There, they found the IP addresses of victims and, when those addresses were resolved to their owners, discovered them to belong to the U.S. Department of Transportation, American Airlines and, in three cases, Booz Allen Hamilton, among others.
There's no doubt that Prevx's software works very differently from traditional anti-virus solutions: it can catch previously unseen threats that might slip silently past some anti-virus programs. Unfortunately, Prevx can be somewhat cumbersome when what you really want is for it to tell you only about things that have never been seen before. It's a prompt-meister, constantly asking about this, that and the other thing.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.