Security Watch

Bad Java

While only Russian-language Web sites have been exploited by the Java vulnerability, it'll only be a matter of time.

Hacking/Denial of Service
MS05-037, "JVIEW/javaprxy.dll Remote Code Execution Vulnerability"
This patch addresses the vulnerability in the javaprxy.dll COM object used by the Microsoft Java Virtual Machine. Although the MSJVM has been removed from current distributions of Windows XP and Windows Server 2003, any system upgraded from a previous OS, installed with XP Gold, or which has loaded an application requiring the MSJVM will have it installed.

Two problems exist with this object. The first is that it can be invoked from within the Internet Security Zone -- in other words, from any site on the Internet. The second is that it improperly validates information being passed to it, so a buffer overflow is possible that would allow an attacker to run any code on the compromised machine.

In the Security Bulletin, Microsoft outlines numerous methods to restrict or disable the MSJVM. It has also produced the MSJVM Diagnostic Tool to assist customers in scanning their networks to determine which systems have the MSJVM installed. Another tool, the Java Removal Tool, will allow customers to remove the MSJVM completely.

Reports exist that this vulnerability is being actively exploited, and proof of concept exploit code has been published. So far, all sites which have been discovered attempting to exploit the vulnerability have been Russian-language sites, and it appears they can only exploit Russian-language versions of Windows; attempts to infect English-language systems have simply resulted in system crashes. If form holds, it will be only a matter of time before some miscreant will tweak the exploit to cause it to work on other language versions.

MS05-036, "Color Management Module Buffer Overflow Vulnerability"
Reports of in-the-wild exploits exist, but have so far been limited to inclusion in e-mails to a very few domains. Proof-of-concept exploits are certainly expected, but not widespread distribution. Image vulnerabilities are certainly not new, but so far they haven't been exploited en masse.

Initially it looked like only complex document types might be vulnerable. The Windows Color Management Module (CMM) interprets a value known as the International Color Consortium (ICC) profile, contained within the image header. This value would, typically, be used to instruct hardware devices, such as monitors and printers, how to translate color values from the author's system to the rendering devices system. This would allow an author to ensure that a color scheme was being matched as closely as possible by the rendering devices.

However, it now appears that many authoring programs permit this mapping to be embedded into images, including relatively simple image formats such as JPEG. JPEG permits numerous "extensions" to be embedded within the image, which Windows interprets. As such, it's possible to include an extension which includes an ICC Profile in a JPEG, then abuse this extension to invoke the buffer overflow.

Regardless, easier buffer overflows exist in the JPEG format, and while this is yet another, it's unlikely to be the method of choice since it requires extensions to be included in the image format (thereby possibly making it easier to detect as malicious, or at least potentially malicious.)

MS05-035, "Word Font Parsing Arbitrary Code Execution Vulnerability"
Microsoft Word contains a vulnerability in the font parsing functionality that could allow a remote attacker to invoke a buffer overflow. Attacks against this vulnerability would result in the victim causing the attacker's code to be invoked in the security context of the victim.

Vulnerabilities in Office documents have in the past been largely ignored, but recent discussion has suggested there may be an increased use of such documents for targeted attacks. The fear is that criminal rings may be attempting to steal intellectual property from corporations, although anti-virus companies have been extremely effective at detecting not only "macro" viruses, but also other malware within structured documents such as Word docs.

Oracle July Critical Patch Release
The best count so far is that Oracle's patch includes 49 new and cumulative patches for multiple products and vulnerabilities. The most serious appear to be possible remote SQL Injection vulnerabilities. Very little information is currently available, and no known detailed technical information or exploits exist. Depending on how you count them, there are more than 100 unpatched vulnerabilities in Oracle.

Port 80 Suspect Traffic Spikes
So far, our best information suggests that the spikes are due to attacks against ASN.1 vulnerabilities and older, pre-existing attacks on that port.

Denial of Service
Microsoft ASP.NET Malformed SOAP Message Denial of Service Issue
A remote DoS condition can be created by sending a malformed SOAP (Simple Object Access Protocol) message to an IIS Web server RCP/Encoded Web method which accepts arrays via an IList (or anything derived from an IList object.)

An ASP.Net site should not be exposing this functionality directly; if so, it should be re-coded to avoid such an exposed method.

Cisco Security Agent Denial-of-Service Issue
An attack against the Cisco Security Agent could result in a DoS of the host Windows system.

Governance
The Anti-Spyware Coalition, which includes Microsoft, EarthLink, McAfee and Hewlett-Packard, has released the first draft of the consensus document "Spyware Definitions and Supporting Documents" for a 30-day public comment period.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Failure is the most likely outcome of this effort, given how vague such a definition must be in order to avoid classifying legitimate software was spyware. Software will either have an End User License Agreement (EULA) or it won't. If it does, it can state whatever it wants in terms of what the software will do. This can including using spyware tactics; even then, users are still likely to install it.

ICANN's Security and Stability Advisory Committee (SSAC) has released a paper outlining several famous and recent thefts of Web sites, including Panix.com, Hushmail.com and HZ.com, and listed where the system went wrong and what can be done to correct the flaws.

We assume they're attempting to show that there is some way to prevent your domain from being hijacked, but such papers are just as likely to provide those with malicious intent the methods to hijack a domain.

Following a review of the U.S. Department of Homeland Security (DHS) structure he began after taking over in February, Homeland Security Secretary Michael Chertoff elevated the cybersecurity chief at DHS several levels on the agency's organizational chart by creating the position of assistant secretary for cyber and telecommunications security.

We can hope that this allows someone to accept the position and actually stay there for a while and get something concrete done.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.