'Advisories' Are Not Enough
Microsoft's security alerts will be lost on most ordinary users.
Hacking/Denial of Service
has begun a new security service called "Microsoft
." The advisories are meant to provide information
on security-related enhancements to products and address security concerns "that
may not require a security bulletin but that may still affect customers' overall
security," according to Microsoft's Web site.
Security Advisory 892313 warns about a Windows Media Player vulnerability.
It has to do with the automatic acquisition of media licenses in Media Player
9 and 10, which can be abused to cause unsuspecting users to visit sites other
than those they thought they were visiting. The automatic acquisition feature
allows media authors (attackers, in this case) to specify malicious sites as
the location to receive a license; when the browser visits the alleged license
site, malicious software is downloaded instead.
Expect to see more of these advisories. Unfortunately, Microsoft has decided
that such updates don't warrant the same treatment as vulnerabilities. It has
a point—the Media Player situation, for example, is not a vulnerability
per se, since the attacker must be able to specify the location of his license
repository. In practice, however, the question is whether or not this feature
should ever be completely silent—triggered without some type of warning
for the user. Given the number of existing browser vulnerabilities, and the
fact that license retrieval is done via browser, you have to ask whether it's
prudent to allow browsers to be sent to any site silently. Also, since this
won't appear in Windows Update, the vast majority of consumers—those most
likely to be attacked—will remain unaware of the potential for problems.
Corporations obviously don't want to receive updates too frequently; and for
those using appropriate content filtering (for example, by prohibiting media
file downloads from the Internet, preventing attempts at license acquisition),
there shouldn't be a problem. However, given the current state of affairs, Microsoft
should be erring on the side of caution and pushing such updates like this to
all consumers via Automatic Updates. The update's new feature (the ability to
decide whether you will or won't be prompted when retrieving licenses) should
be turned on by default.
The UK National Infrastructure Security Co-ordination Center (NISCC)
has announced a flaw in IPsec, a widely-used VPN protocol suite, that
could allow attackers to intercept secure network communications. The vulnerability
affects certain configurations of IPsec that use Encapsulating Security Payload
(ESP) in tunnel mode with confidentiality; configurations with integrity protection
being provided by a higher layer protocol; and some IPSec configurations using
the key Authentication Header (AH) protocol. If exploited, it's possible that
some plain text portions of the secure communication may be sent back to the
attacker, thus allowing the attacker to view the confidential communication.
If ICMP (Internet Control Message Protocol) error messages are prevented from
being sent back to tunnel participants, the leakage can be prevented.
RSA Authentication Agent for Web 5.3 and earlier versions contain a
buffer overflow vulnerability which could be exploited by a remote attacker.
The hole is yet another example of a chunked encoding vulnerability.
Chunked encoding has been heavily scrutinized of late, resulting in numerous
vulnerabilities in various products. This vulnerability could result in a remote
attacker obtaining "System" privileges on the server hosting the RSA
Web Agent. Such a server typically would be a critical system in your security
infrastructure. RSA has released a patch for the vulnerability.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.