More MS Buffer Image Vulnerabilities, but Are They Really a Threat?
The ability to embed malware in Office documents might provide a new avenue for hackers to exploit.
Security Bulletin MS05-053: Microsoft Windows contains three buffer
overflow vulnerabilities when rendering the Windows Metafile
image formats that could allow a remote attacker to execute arbitrary
code on the affected system with elevated privileges. Patches are available.
Yet more image buffer overflows, this time in enhanced metafile and Windows
metafile file formats (.EMF and .WMF). They can be rendered in a lot of different
ways, including via Internet Explorer, Outlook, Word, PowerPoint and Excel.
A malicious image could be delivered by a Web page or e-mail; however, through
these transports, the image could be detected. When delivered as part of an
Office document, the image is most likely embedded and therefore more difficult
to detect unless anti-virus heuristics are enabled.
We’ve been anxious over image vulnerabilities since the first .JPG buffer
overflow disclosures and concerned that malware authors might pick up the attack
vector. We have yet to see them abused, however, so there’s no reason
to believe that this one will be any more attractive.
If there’s reason for concern, it may be that unlike previous image format
vulnerabilities, such as those affecting .GIF and .JPG, the fact that these
image formats can be embedded in Office documents may create new allure. Malware
authors appear to be seeing fewer and fewer new and easy victims, as suggested
by the recent malware containing a .RAR attachment. They’re trying new
social engineering hooks because the old ones don’t seem to be working
as well as they used to; ergo, embedding malware into Office documents may prove
Veritas NetBackup Enterprise Server contains a buffer overflow vulnerability
that could allow a remote attacker to create a denial-of-service condition or
execute arbitrary code on the system. Patches are available. Requires access
to port 13701.
The XML-RPC for PHP worm Linux.Plupii (Symantec's name; other vendors are
calling it Linux/Lupper) has two identified variants. Plupii generates Web
requests to many different URLs in hopes of exploiting one of three different
vulnerabilities: the XML-RPC for PHP vulnerability, the AWSTATS Rawlog vulnerability
or the Webhints Remote Command Execution vulnerability. If successful, it creates
a backdoor shell on UDP port 7222, sends a notification to an attacker on that
port and saves itself in tmp/lupii.
Thus far the actual number of infections in the wild seems very low, although
there have been rumblings that people are seeing more and more “get”
requests in their Web server logs.
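A simple way to spot the probing described above in Web server logs, as an added example that is not from the column: it flags any client that sends plain GETs to scripts belonging to two or more of the three vulnerability families. The script names xmlrpc.php, awstats.pl and hints.pl are assumptions, and the log lines are constructed.

```python
import re

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2005:10:12:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 289 "-" "-"
203.0.113.7 - - [15/Nov/2005:10:12:02 +0000] "GET /blog/xmlrpc/xmlrpc.php HTTP/1.1" 404 289 "-" "-"
203.0.113.7 - - [15/Nov/2005:10:12:03 +0000] "GET /cgi-bin/awstats.pl?output=main HTTP/1.1" 404 289 "-" "-"
198.51.100.4 - - [15/Nov/2005:10:13:40 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2005:10:12:04 +0000] "GET /cgi-bin/hints.pl HTTP/1.1" 200 55 "-" "-"
198.51.100.4 - - [15/Nov/2005:10:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Script names conventionally associated with the three vulnerabilities the
# worm probes. These fragments are assumed; the column names only the bugs.
TARGETS = {
    "xml-rpc for php": "xmlrpc.php",
    "awstats rawlog": "awstats.pl",
    "webhints": "hints.pl",
}


def classify(path):
    """Return the vulnerability family a request path appears to target, or None."""
    script = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    for family, name in TARGETS.items():
        if script == name:
            return family
    return None


def suspicious_sources(lines, min_families=2):
    """Map each client IP that sent GETs to at least min_families probed families
    to its sorted (family, status) pairs, so rejected probes (4xx) and ones that
    deserve a closer look (200) are both visible."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        family = classify(m.group("path"))
        # Legitimate XML-RPC clients POST; the worm's probes are plain GETs.
        if family is None or m.group("method") != "GET":
            continue
        hits.setdefault(m.group("ip"), []).append((family, int(m.group("status"))))
    return {ip: sorted(set(h)) for ip, h in hits.items()
            if len({f for f, _ in h}) >= min_families}
```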
According to anti-virus vendor Sophos, Troj/Stinx-E is a trojan
which uses pieces of the Sony DRM rootkit to hide its components. The Sony DRM
rootkit hides all files that begin with the characters $SYS$, in an effort to
maintain its stealth. The only people who could fall victim to this trojan
are those who have already run a Sony CD containing the DRM rootkit installer.
Otherwise, the files will be visible to the victim.
The concern now will be if file-sharing software networks start employing a
similar technique to hide their copyright violations.
Microsoft took a position this week favoring national privacy legislation.
In particular, they emphasized three points: The current and coming patchwork
of state, federal and international laws is too complex; consumer fear about
identity fraud may dampen e-commerce; and consumers want more control over
the information that has been collected about them. To this end,
they’ve proposed four core principles: Create a baseline standard for
collection and storage; create simplified and consumer-friendly notifications
and access services; provide consumers with meaningful control over their data;
and ensure a minimum level of security for storage and transport of the data.
As with all such proposals, there’s something for everyone -- what will
matter is the final draft should this proceed. Businesses can both benefit and
suffer as a result of a single standard: It may be more than they currently
have to do, or it may make it easier to have a single system across all borders.
Consumers may benefit by increased access to the data that has been collected
on them, but in the process phishing schemes may become more commonplace as
the standardized access methods are spoofed by criminals.
The European Commission hopes a meeting next week, the World Summit
on the Information Society, will come up with an agreement to allow governments
more direct influence over the domain name system that guides traffic around
the Internet. A U.N. report has put forward a more multi-national approach to
running the Internet, which serves a billion users worldwide, saying this would
be more democratic and transparent, a view the 25-nation European Union shares.
This column was originally published in our weekly Security Watch newsletter.
Sigh… can anyone really explain what’s at issue here other than
posturing? The EU doesn’t want to seem under the control of the U.S.-dominated
DNS environment. Is it that they feel they could make a ton of money doing it
themselves? The strange thing is that nobody is prevented from using a domain
name they create entirely themselves. The only time the worldwide DNS environment
comes into play is when you rely upon the U.S.-controlled root servers. However,
if the EU wanted to, they could simply insist on ISPs in their constituencies
using EU-sanctioned root servers, under their own control. Then, if they wanted,
they could issue any domain name they desired, and it would be resolved to one
they had sanctioned. Of course this would probably result in court cases over
who should have international ownership of a given domain name, but within their
own borders they could decide.
We’re certainly not suggesting this is the right approach, but from a
technical perspective they’re not asking for something they can’t
already implement entirely under their own volition and control. So what’s
the real issue here?
The U.S. Federal Communications Commission will not require VoIP
providers to cut off service to existing customers who do not have enhanced
911 services in place. There had been a deadline of Nov. 28. The
companies will not be allowed to take new customers who are not equipped with
the E911 service, however.
Everyone who is surprised by this should stand up and look under their chairs.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.