Security Watch

One Site Exploits IE Flaw

A visit to the malicious site in question can invite a trojan into your midst.

Microsoft Internet Explorer window arbitrary code execution vulnerability: Re-amplified because Microsoft announced that a malicious Web site had been found to be exploiting this vulnerability. According to various sources, that site is implanting TrojanDownloader:Win32/Delf.DH.

The site in question has not been identified to us; however, Microsoft has acknowledged the reports, suggesting it may know which site is involved. Regardless, the trojan being delivered would have been recognized by most current AV programs as a generic downloader. In other words, it was not something new that updated signatures were required to detect. Also note that for a user to be victimized, the attacker must lure the user to a malicious site AND get the user to click on something within that site.

Given that only a single site has thus far been reported, the volume of discussion right now places this issue in the "hype" category, as the threat has not increased enough to warrant the increase in discussion. Yes, this issue has potential for harm, but we believe it’s unlikely the threat will increase. A worm is unlikely, and using this method to propagate a bot is much slower than other existing mechanisms.

Webmin and Usermin Web Server Format String Vulnerability: Webmin is an HTML-based administration console for Unix, while Usermin is an HTML-based user console for Unix. The server component contains format string vulnerabilities that could allow a remote attacker to cause a denial-of-service condition and possibly remotely execute commands. Patches are available.

Apple OS X Updates (APPLE-SA-2005-11-29 Security Update 2005-009; APPLE-SA-2005-11-30 J2SE 5.0 Release 3): A number of items in these packages dealt with some strange circumstances, like having local users on Open Directory master servers -- issues which shouldn’t occur in normal business practice. None were urgent, but we'll continue to track the issues should they turn into an exploit in the future.

Exploits have been released for both MS05-051 (MSDTC) and MS05-053 (vulnerabilities in rendering .WMF and .EMF file formats), although at this point there’s no indication they’re being used.

Denial of Service
NTP Inc. continues to receive favorable rulings from judges in its case against Research In Motion, makers of the BlackBerry. This time, a federal judge ruled against RIM in two motions it filed: one attempting to force NTP to settle the case, and another to stop the proceedings while the U.S. Patent and Trademark Office re-examined NTP’s patent claims. The ruling brings the possible injunction to stop sales of BlackBerry mobile e-mail devices and shut down the BlackBerry service in the U.S. closer to reality.

Since BlackBerry use is so widespread, enterprises should plan now for how to deal with a possible outage. Some discussion has been held over whether or not Web browsing and SMS service will continue to BlackBerry devices should an injunction be invoked. While it’s most likely true that neither of these services will be interrupted, it’s yet another reason why customers should check with their providers. Ultimately, it will be the providers who, driven by customer demand, may file friend-of-the-court letters regarding this case. They will also be the ones determining what, if anything, they are able to do for their customers.

It’s also important to remember that only BlackBerry Enterprise Service e-mail is encrypted between the BlackBerry gateway and the destination device. SMS is not. So, should an injunction come into effect, determining the effect of unencrypted messaging on your business plans is an important thing to do.

Human Factors
A man using the handle “Dr. Chaos” has been sentenced following a 2002 conviction on charges stemming from attacks against SCADA systems in 1999.

At the time of the massive U.S. East Coast blackout in 2003, when Internet attacks against SCADA systems were suspected, nothing was publicly known about this individual or the attacks performed in 1999. Much of the skepticism in 2003 about the possibility of such attacks might have been avoided had these prior attacks been publicly known.

Physical Security
According to Qantas Airlines testimony to the Australian government inquiry into aviation security, during the past two years the company has issued 384 Aviation Security Identification Cards (ASICs) for Sydney Airport which it can no longer account for. Qantas claimed that 24 were “indirectly stolen” while the “vast majority” were simply lost, although it’s unclear how it made that distinction or could stand by it, given it claims the ASICs are unaccounted for. Qantas claims it notified police whenever it realized an ASIC was missing and disabled the card from being used. However, a spokesman for Sydney Airport stated that disabling an ASIC wouldn’t prevent it from being of value, since an ASIC’s validity isn’t electronically checked at manned entry points -- all anyone would need is a valid-looking ASIC with a picture ID.

Tokens, or any “device” used to supplement other authentication mechanisms, are only as valid as the environment they’re used in. So, if you put a digital certificate on a token, it serves no purpose unless you actually test the certificate, and then, only if you test to ensure that certificate hasn’t been revoked or compromised. Far too many implementations sound strong but operate weakly simply because the features of the token aren’t fully implemented or verified at every point the token might get presented.

Then there is the issue of educating verifiers from one generation of security mechanism to the next. Tokens and passwords have been in use for thousands of years and have been compromised for just as long. Each time a new scheme is implemented, presumably to thwart the compromise of the previous scheme, someone has to ensure that everyone is on the same, new page. In this case, Qantas implemented ID cards with digital verification, but it didn’t ensure that every point where the old ID cards could be used was upgraded to actually test the digital validity of the new card. Without ever needing access to a real “new” card, any idiot could create a look-alike with their own picture and then simply walk up to a manned entry point, never having to worry about the electronic aspect of the ASICs at all. Wonderful!
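The failure described above, as an added constructed illustration that is not part of the column: a card carries an issuer signature and the issuer keeps a revocation list, but a manned gate that only compares the photo never consults either, so a lost-and-disabled card and a look-alike forgery both pass. The issuer key, card serials and names are invented for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed example: the issuer signs each card with a key only it holds.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"


@dataclass(frozen=True)
class Card:
    serial: str
    holder: str
    signature: bytes  # HMAC over "serial|holder", set when the card is issued


def _mac(serial: str, holder: str) -> bytes:
    return hmac.new(ISSUER_KEY, f"{serial}|{holder}".encode(), hashlib.sha256).digest()


def manned_gate_check(card: Card, photo_matches: bool) -> bool:
    """Weak check: the guard compares the photo to the face; the card only has
    to look valid. Neither the signature nor the revocation list is consulted."""
    return photo_matches


class Issuer:
    """Signs cards and records the serials it has disabled after a loss report."""

    def __init__(self) -> None:
        self.revoked: set[str] = set()

    def issue(self, serial: str, holder: str) -> Card:
        return Card(serial, holder, _mac(serial, holder))

    def revoke(self, serial: str) -> None:
        # "Disabling" a lost card only records it here; the plastic is unchanged.
        self.revoked.add(serial)

    def electronic_check(self, card: Card, photo_matches: bool) -> bool:
        """Strong check: signature verifies, serial not revoked, photo matches."""
        if not hmac.compare_digest(_mac(card.serial, card.holder), card.signature):
            return False  # forged or tampered card
        if card.serial in self.revoked:
            return False  # reported lost and disabled by the issuer
        return photo_matches


def demo() -> dict:
    """Run both gates against a genuine, a lost-and-disabled and a forged card.
    Each value is (manned gate result, electronic gate result)."""
    issuer = Issuer()
    genuine = issuer.issue("ASIC-0001", "A. Holder")
    results = {"genuine": (manned_gate_check(genuine, True), issuer.electronic_check(genuine, True))}
    issuer.revoke("ASIC-0001")  # holder reports the card lost; issuer disables it
    results["lost_and_disabled"] = (manned_gate_check(genuine, True), issuer.electronic_check(genuine, True))
    forged = Card("ASIC-0002", "B. Forger", b"\x00" * 32)  # look-alike with a bogus signature
    results["forged"] = (manned_gate_check(forged, True), issuer.electronic_check(forged, True))
    return results
```

Only the electronic gate ever rejects anything; the manned gate's result is identical for all three cards, which is the point the Sydney Airport spokesman was making.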

This column was originally published in our weekly Security Watch newsletter.

Lycos in the Netherlands was instructed by a Dutch court to turn over the name and other information of one of its customers for use in a civil litigation case. The effect of that order is that it is now easier to force an ISP to disclose information about its customers in a civil court than it is in a criminal court.

While this is strictly a matter of Dutch law at present, the precedent may open the way for similar decisions in other jurisdictions. If civil cases afford greater flexibility in obtaining private information about individuals, they’ll become the opening salvo of choice for anyone harmed by someone else’s Internet actions. There’s a great deal of similarity between forcing an ISP to disclose which customer was connected from a given IP address at a given time and forcing a company to disclose which employee was connected to its network at a given time.

Remember that any court can only force you to produce those records you actually have. If records are not kept, you cannot be forced to recreate them unless they can be fully reconstituted from other records. As such, you should carefully consider what records you store and how long you store them, and develop this decision into a policy. If civil subpoenas become commonplace, our customers could find themselves overburdened by the effort of producing logs and testifying in the cases in which those logs are used.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
