CA's Backup Software's BOF Gets Fix
Plus: Hackers working together to steal your identity; AIM hack just needs you to be logged in to work.
The server side of CA ARCserve Backup for Laptops and Desktops contains numerous vulnerabilities that could allow a remote, unauthenticated attacker to execute code of their choice in the context of the service, which typically runs as a privileged user. Updates are available.
One of the vulnerabilities involves the rxrLogin authentication process, which means that requiring a login ID is not, by itself, enough to protect the server from compromise; until the update is applied, the server's listening ports should be reachable only from the backup clients that need them. Vulnerabilities in backup servers and clients have been popular targets in the past, especially on .EDU networks, where untrusted clients are common and may have network access to the backup servers. I wouldn't be surprised to see one or more of these vulnerabilities incorporated into bots to help them spread once inside a network.
Like We Need Hackers Working Together
Vertical Web Media, publisher of Internet Retailer magazine, says its site was compromised and that the credit card numbers and other personally identifiable information of its customers were stolen by what it calls "coordinated sophisticated hackers." The FBI is investigating, and Vertical Web Media says it has turned over its logs and other information to forensic investigators.
The InformationWeek article detailing the hack appears to be full of speculation by Vertical Web Media's president over how the attack was done and who did it. The article reports the company's claim that the attack came from several IP addresses and that the activity moved from one address to another periodically.
There definitely isn't sufficient information in the article to determine how the attack was conducted, but it does sound similar to earlier attacks on eBay, where a CGI or some other function on the site was abused. The company says the attackers were collecting information from the site "one customer at a time," which to us suggests a SQL query that was inappropriately exposed to the attacker, for instance through a page parameter that selects which customer record is returned.
Of most interest to us was the claim that, because its patches were up to date, the company had a "sense of security." The company went to lengths to suggest it had a highly secure site, but no mention is made of any security audit having been performed. Current vendor patches say nothing about flaws in a site's own application code, which is where this attack appears to have been.
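The pattern described above, records pulled one at a time while the source address rotates, is also what a defender can look for in the web server logs. The script below is an added example, not material from the column, InformationWeek or Vertical Web Media: it assumes a hypothetical `/account.cgi?cust=<id>` page and Common Log Format lines, all of which are constructed here. It keys on the customer identifier rather than on the source IP, so an attacker who hands the job from one address to another still shows up as one contiguous run.

```python
"""Detect one-customer-at-a-time enumeration across rotating source IPs.

Added example, not code from the column, InformationWeek or Vertical Web
Media.  Assumptions: the site exposes a hypothetical /account.cgi?cust=<id>
page and logs in Common Log Format.  The log lines below are constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: three attacker addresses take turns walking cust=1001..1008
# while a legitimate user (10.0.0.5) fetches its own record in between.
SAMPLE_LOG = """
203.0.113.10 - - [01/Jan/2007:10:00:01 +0000] "GET /account.cgi?cust=1001 HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2007:10:00:45 +0000] "GET /account.cgi?cust=1002 HTTP/1.1" 200 498
198.51.100.7 - - [01/Jan/2007:10:01:30 +0000] "GET /account.cgi?cust=1003 HTTP/1.1" 200 530
10.0.0.5 - - [01/Jan/2007:10:01:40 +0000] "GET /account.cgi?cust=2500 HTTP/1.1" 200 501
198.51.100.7 - - [01/Jan/2007:10:02:10 +0000] "GET /account.cgi?cust=1004 HTTP/1.1" 200 515
192.0.2.33 - - [01/Jan/2007:10:03:05 +0000] "GET /account.cgi?cust=1005 HTTP/1.1" 200 520
192.0.2.33 - - [01/Jan/2007:10:03:50 +0000] "GET /account.cgi?cust=1006 HTTP/1.1" 200 509
203.0.113.10 - - [01/Jan/2007:10:04:20 +0000] "GET /account.cgi?cust=1007 HTTP/1.1" 200 511
10.0.0.5 - - [01/Jan/2007:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.33 - - [01/Jan/2007:10:05:30 +0000] "GET /account.cgi?cust=1008 HTTP/1.1" 200 499
10.0.0.9 - - [01/Jan/2007:11:30:00 +0000] "GET /account.cgi?cust=3000 HTTP/1.1" 200 503
""".strip().splitlines()


def parse_line(line):
    """Return {ip, ts, cust} for a successful request carrying a numeric
    cust parameter, else None."""
    m = LOG_RE.match(line)
    if not m or m["status"] != "200":
        return None
    cust = parse_qs(urlsplit(m["path"]).query).get("cust", [""])[0]
    if not cust.isdigit():
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "cust": int(cust)}


def find_enumeration(lines, window=timedelta(minutes=10), min_seq=5):
    """Slide a time window over the requests and flag any window in which at
    least min_seq customer ids were fetched together with their successor id.
    The check is on the ids, not the source address, so an attacker who
    rotates through several IPs still produces one contiguous run."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    alerts, i = [], 0
    while i < len(events):
        start = events[i]["ts"]
        j = i
        while j < len(events) and events[j]["ts"] - start <= window:
            j += 1
        chunk = events[i:j]
        ids = {e["cust"] for e in chunk}
        seq = [c for c in ids if c + 1 in ids]
        if len(seq) >= min_seq:
            # Attribute the run only to requests that are part of the chain,
            # so a legitimate lookup that happened to fall in the window is
            # not listed as an attacker address.
            chain = {c for c in ids if c + 1 in ids or c - 1 in ids}
            alerts.append({
                "start": start, "end": chunk[-1]["ts"],
                "ids": sorted(chain), "sequential": len(seq),
                "ips": sorted({e["ip"] for e in chunk if e["cust"] in chain}),
            })
            i = j          # do not report the same run again
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for a in find_enumeration(SAMPLE_LOG):
        print(f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S} ids {a['ids'][0]}..{a['ids'][-1]} "
              f"({a['sequential']} sequential) from {', '.join(a['ips'])}")
```

Run against the constructed log, the detector reports one run covering customers 1001 through 1008 from three addresses and leaves the legitimate lookups out of the attribution. The window and threshold are tuning knobs; a real site would pick them from its own baseline of how many distinct customer records one session normally touches.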
This column was originally published in our weekly Security Watch newsletter.
Log In to AIM, Get Hacked
It is important to understand that it is not MSHTML.dll which is vulnerable here. MSHTML.dll is a full-featured browser control that lets programmers take advantage of the rendering features of Internet Explorer. Which HTML reaches MSHTML.dll, and in which security zone the control renders it, is up to the application that embeds it. AOL has in effect turned IM into a fully functional browser rendering environment via AIM, something the company did not intend.
As a result, any browser vulnerability could likely be exploited via an AIM message, and since IM is push, it raises the possibility of mass exploitation of vulnerable browsers without having to rely on victims visiting malicious sites.
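The point above is that the embedding application decides what markup reaches the control. The allow-list sanitizer below is an added example, not code from AOL, Microsoft or the column: it assumes a hypothetical IM-client policy that permits a few formatting tags and http(s) links, and drops everything else, including scripts, objects, comments, event-handler attributes and links with any other URL scheme, before a message would be handed to a rendering control. The tag list, the function names and the sample messages are assumptions.

```python
"""Allow-list HTML sanitizer for IM messages, applied before the text is
handed to an embedded browser control.

Added example, not AOL's, Microsoft's or the column's code.  The tag and
attribute policy is a hypothetical IM-client policy."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "u", "br", "a", "font"}
ALLOWED_ATTRS = {"a": {"href"}, "font": {"color", "size", "face"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https"}
# Elements whose *content* must be dropped too, not just the tag.
DROP_CONTENT = {"script", "style", "object", "embed", "applet", "iframe"}


def _safe_href(value: str) -> bool:
    """Accept only http(s).  Whitespace and control characters are removed
    first because browsers ignore them, so 'java\\tscript:' is still script."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class IMSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # emitted fragments
        self.stack = []      # open allowed tags, closed in order at the end
        self.suppress = 0    # nesting depth inside DROP_CONTENT elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.suppress += 1
            return
        if self.suppress or tag not in ALLOWED_TAGS:
            return                       # tag dropped; plain text still flows
        kept = []
        for name, value in attrs:
            if name.startswith("on"):    # never keep event handlers
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.suppress = max(0, self.suppress - 1)
            return
        if tag in self.stack:            # close everything opened after it
            while self.stack:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; conditional comments are an IE script vector

    def result(self) -> str:
        while self.stack:                # balance anything left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_im_html(fragment: str) -> str:
    """Reduce an incoming message to the allowed markup and return it."""
    p = IMSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample messages, hostile ones first.
    for msg in ('<script>alert(1)</script>hi',
                '<img src=x onerror="alert(1)">',
                '<a href="java\tscript:alert(1)">click</a>',
                'hello <b>world</b> <a href="http://example.com/">link</a>'):
        print(repr(msg), "->", repr(sanitize_im_html(msg)))
```

The sanitizer re-serialises from an allow-list rather than trying to strip known-bad patterns, which is the only approach that holds up against the encoding tricks browsers tolerate; the control then receives only markup the client chose to permit, whatever zone it renders in.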
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.