A second quiet week in a row. Separately, Mac OS X users who thought they were mostly invulnerable may now be rethinking that position.
@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).
Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process
Description: Multiple Mac OS X browsers reportedly contain a vulnerability in handling SSH URIs, i.e. URIs of the form "ssh://". The browsers invoke the "ssh" program when processing such a URI, and the flaw can be exploited to pass arbitrary command-line options to it: the portion of the URI that should be a host name is handed to ssh unvalidated, so a value beginning with "-" is parsed as an option rather than as a host. An attacker can leverage this flaw via a specially crafted SSH URI in a malicious webpage or an HTML email to execute arbitrary commands on a client system. The commands would execute with the privileges of the currently logged-on user. The technical details and proof-of-concept exploits have been publicly posted.
Status: Apple has been notified. No official fix is available from Apple yet. An unofficial fix can be downloaded from http://www.unsanity.com/haxies/pa.
Council Site Actions: Three of the reporting council sites are using the affected software. They have notified their appropriate support groups and are waiting for the official patch from Apple. One site commented that many of its users are aware of the unofficial fix, although the site does not support it. They plan no action at this time, but will devote more resources to this if reports of in-the-wild exploitation appear.
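As an added illustration (not code from this newsletter or from any of the affected browsers), the following C program contrasts a careless ssh:// handler with a hardened one. The naive version hands everything after "ssh://" to ssh as its only argument, so a constructed URI whose "host" begins with "-o" reaches ssh as an option (ProxyCommand is a real ssh option that runs a command, which is why a dash-prefixed host is enough for command execution). The hardened version accepts only [user@]host[:port], requires user and host to start with a letter or digit, passes the port via -p, and puts "--" before the operand so ssh stops option parsing. The function names, the sample URIs and the payload path are assumptions made for this example; the publicly posted proof of concept is not reproduced here.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSH_PREFIX "ssh://"

/* Careless handler: strip the scheme and hand the rest to ssh as its only operand.
 * Whatever the page author wrote after "ssh://" becomes argv[1] unchanged, and ssh
 * treats an argument starting with '-' as an option. Returns argc or -1. */
int naive_ssh_argv(const char *uri, const char **argv)
{
    if (strncmp(uri, SSH_PREFIX, strlen(SSH_PREFIX)) != 0)
        return -1;
    argv[0] = "ssh";
    argv[1] = uri + strlen(SSH_PREFIX);
    argv[2] = NULL;
    return 2;
}

/* True if every byte of s is alphanumeric or listed in extra. */
static int only_chars(const char *s, const char *extra)
{
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr(extra, *s))
            return 0;
    return 1;
}

/* Hardened handler: accept only [user@]host[:port]; user and host must begin with a
 * letter or digit (so neither can look like an option); the port goes through -p and
 * "--" ends option parsing before the operand. argv entries point into buf.
 * Returns argc, or -1 when the URI is rejected. */
int safe_ssh_argv(const char *uri, char *buf, size_t buflen, const char **argv)
{
    if (strncmp(uri, SSH_PREFIX, strlen(SSH_PREFIX)) != 0)
        return -1;
    const char *auth = uri + strlen(SSH_PREFIX);
    size_t n = strcspn(auth, "/?#");              /* authority ends at path/query/fragment */
    if (n == 0 || n >= buflen || (auth[n] != '\0' && strcmp(auth + n, "/") != 0))
        return -1;                                /* nothing beyond a bare trailing "/" */
    memcpy(buf, auth, n);
    buf[n] = '\0';

    char *user = NULL, *host = buf, *port = NULL;
    char *at = strchr(buf, '@');
    if (at) { *at = '\0'; user = buf; host = at + 1; }
    char *colon = strchr(host, ':');
    if (colon) { *colon = '\0'; port = colon + 1; }

    if (user && (!isalnum((unsigned char)user[0]) || !only_chars(user, "._-")))
        return -1;
    if (!isalnum((unsigned char)host[0]) || !only_chars(host, ".-"))
        return -1;
    if (port) {
        if (!*port) return -1;
        for (const char *p = port; *p; p++)
            if (!isdigit((unsigned char)*p)) return -1;
        long v = strtol(port, NULL, 10);
        if (v < 1 || v > 65535) return -1;
    }

    int argc = 0;
    argv[argc++] = "ssh";
    if (port) { argv[argc++] = "-p"; argv[argc++] = port; }
    argv[argc++] = "--";                          /* everything after this is an operand */
    if (user) { *at = '@'; argv[argc++] = user; } /* "user@host" is one string again */
    else       argv[argc++] = host;
    argv[argc] = NULL;
    return argc;
}

/* Space-joins argv into a static buffer so the two handlers can be compared. */
static const char *join(const char **argv, int argc)
{
    static char line[512];
    size_t used = 0;
    line[0] = '\0';
    for (int i = 0; i < argc; i++) {
        int w = snprintf(line + used, sizeof line - used, "%s%s", i ? " " : "", argv[i]);
        if (w < 0 || (size_t)w >= sizeof line - used) return NULL;
        used += (size_t)w;
    }
    return line;
}

/* Command line each handler would run for uri, or NULL if the handler rejects it. */
const char *naive_command_line(const char *uri)
{
    const char *argv[8];
    int argc = naive_ssh_argv(uri, argv);
    return argc < 0 ? NULL : join(argv, argc);
}

const char *safe_command_line(const char *uri)
{
    static char buf[256];
    const char *argv[8];
    int argc = safe_ssh_argv(uri, buf, sizeof buf, argv);
    return argc < 0 ? NULL : join(argv, argc);
}

int main(void)
{
    /* Constructed sample URIs; the second shows the injection shape, not the posted PoC. */
    const char *uris[] = { "ssh://alice@host.example.com:2222", "ssh://-oProxyCommand=/tmp/payload" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        const char *n = naive_command_line(uris[i]), *s = safe_command_line(uris[i]);
        printf("%s\n  naive: %s\n  safe:  %s\n", uris[i], n ? n : "(rejected)", s ? s : "(rejected)");
    }
    return 0;
}
```

Neither function runs ssh; they only build the argument vector, so the program is safe to run as a check of a handler's parsing. To test a real handler, feed it a URI whose host portion begins with a dash and confirm that it is refused rather than executed. The hardened parser deliberately rejects bracketed IPv6 literals and non-ASCII host names; extend it only if you need them, and keep the "--" either way.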
Description: WildTangent's technology is designed to deliver high-quality media content, such as online games, to Internet users. WildTangent's Web Driver, a browser plug-in that includes real-time 2D/3D graphics engines and media streaming support, has reportedly been downloaded over 80 million times. The software contains multiple buffer overflows that can be triggered by an overlong "filename" parameter. A malicious webpage or an HTML email can exploit these flaws to potentially execute arbitrary code on a client system. Limited technical details regarding the flaw have been posted. The discoverer has created a proof-of-concept exploit that has not been publicly posted.
Status: Vendor confirmed, upgrade to version 4.1.
Council Site Actions: The affected software is not in production or widespread use at any of the council sites, and they reported that no action was necessary. One site did comment that, given the 80 million downloads logged, it plans to research the issue further and try to identify which applications a user may have installed whose installation process would have pulled in the WildTangent software.
Description: Symantec Norton AntiVirus 2004, which is used by millions of home users worldwide, contains a vulnerability that allows an attacker to execute code on a client system. The problem lies in an ActiveX control used by the software, which does not sufficiently validate its user-supplied input. A malicious webpage or an HTML email can exploit this flaw to launch any executable already present on the client system. Limited technical details regarding the flaw have been posted.
Status: Symantec has confirmed the flaw. Please use the "LiveUpdate" feature to upgrade the anti-virus software.
Council Site Actions: Three of the reporting council sites are using the affected software. All are using Symantec's "LiveUpdate" process and presume that their systems have already been patched. One site plans to devote more resources to this issue if there are reports of in-the-wild exploitation.
Description: The "mod_ssl" module provides SSL/TLS support for the Apache webserver. It contains a stack-based buffer overflow in its "ssl_util_uuencode_binary" function, which base64-encodes data into a fixed-size buffer. The flaw can be triggered by an overlong "Subject-DN" in a specially crafted client certificate, but only if the certificate validates against a Certificate Authority (CA) the server trusts and the "mod_ssl" module is configured with the "FakeBasicAuth" option, under which the client certificate's Subject DN is encoded and used as the HTTP Basic Authentication user name. Exploiting this flaw to execute arbitrary code on the x86 architecture is reportedly not possible. However, it may be possible to execute arbitrary code when Apache is installed on other machine architectures (not confirmed). The technical details regarding the flaw have been posted.
Status: Vendor confirmed, fixes available.
Council Site Actions: We were unable to obtain council site input for this item.
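As an added example (not mod_ssl's code), this C program reconstructs the shape of the mod_ssl bug and its fix: a base64 encoder that writes four output bytes per three input bytes with no regard for the destination size, beside a bounded wrapper that computes the required size first and refuses input that would not fit. The FakeBasicAuth header builder around it assumes, per mod_ssl's documentation of that option, a header of the form "Basic " + base64("<Subject DN>:password"); the 128-byte buffer, the function names and the sample DNs are constructed for this example. The same measure-before-you-copy pattern is the fix for the WildTangent "filename" overflow above, so this one block serves both items.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes needed to hold the encoding of inlen bytes, including the terminating NUL. */
size_t b64_encoded_size(size_t inlen)
{
    return 4 * ((inlen + 2) / 3) + 1;
}

/* Encoder with no notion of the output buffer's size: 4 output bytes per 3 input
 * bytes, however long the input. Pointed at a fixed stack buffer, this is the shape
 * of the bug described above (illustrative reconstruction, not mod_ssl's code). */
static size_t b64_encode_unchecked(const unsigned char *in, size_t inlen, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < inlen) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < inlen) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < inlen) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* The fix: refuse before writing anything when the output cannot hold the result.
 * Returns the number of characters written, or -1 if out is too small. */
int b64_encode(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    if (outlen < b64_encoded_size(inlen))
        return -1;
    return (int)b64_encode_unchecked(in, inlen, out);
}

/* FakeBasicAuth-style header: "Basic " + base64("<Subject DN>:password").
 * The fixed password "password" follows mod_ssl's documentation of the option.
 * Returns the header length, or -1 when the DN would not fit: reject, never truncate. */
int fake_basic_auth_header(const char *subject_dn, char *out, size_t outlen)
{
    static const char prefix[] = "Basic ";
    static const char suffix[] = ":password";
    size_t dnlen = strlen(subject_dn);
    size_t plainlen = dnlen + sizeof suffix - 1;
    if (outlen < sizeof prefix - 1 + b64_encoded_size(plainlen))
        return -1;
    unsigned char *plain = malloc(plainlen + 1);
    if (!plain) return -1;
    memcpy(plain, subject_dn, dnlen);
    memcpy(plain + dnlen, suffix, sizeof suffix);          /* includes the NUL */
    memcpy(out, prefix, sizeof prefix - 1);
    int n = b64_encode(plain, plainlen, out + sizeof prefix - 1, outlen - (sizeof prefix - 1));
    free(plain);
    return n < 0 ? -1 : (int)(sizeof prefix - 1) + n;
}

/* Builds the header into a 128-byte buffer, standing in for a fixed stack buffer.
 * Returns NULL when the DN is rejected. */
const char *header_for_dn(const char *subject_dn)
{
    static char hdr[128];
    return fake_basic_auth_header(subject_dn, hdr, sizeof hdr) < 0 ? NULL : hdr;
}

/* A constructed 199-character Subject DN, standing in for the "overlong Subject-DN". */
const char *oversized_dn(void)
{
    static char dn[200];
    memset(dn, 'A', sizeof dn - 1);
    memcpy(dn, "CN=", 3);
    dn[sizeof dn - 1] = '\0';
    return dn;
}

int main(void)
{
    const char *dns[] = { "CN=a", "CN=alice,O=Example Corp", oversized_dn() };
    for (size_t i = 0; i < sizeof dns / sizeof dns[0]; i++) {
        const char *h = header_for_dn(dns[i]);
        printf("%.40s%s -> %s\n", dns[i], strlen(dns[i]) > 40 ? "..." : "",
               h ? h : "(rejected: would overflow the 128-byte buffer)");
    }
    return 0;
}
```

Note the preconditions in the description: the oversized DN reaches this code only after the client certificate has validated against a CA the server trusts, so exposure is limited to servers that trust a CA willing to issue certificates to arbitrary parties. Rejecting outright rather than truncating is deliberate, since a truncated DN would silently map the client to a different user name.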
Description: The "disk" and "help" URI handling vulnerabilities in Mac OS X were discussed in last week's @RISK newsletter. It has since been reported that code silently placed on a client system by exploiting the "disk" URI handling vulnerability can then be invoked via arbitrary protocol handlers such as "ftp". A malicious website or an HTML email can leverage these flaws to silently execute arbitrary code on a client system. The flaws are reportedly being exploited in the wild. Currently no patches are available for the additional attack vectors; please refer to the suggested workarounds in the CERT advisory.
Council Site Actions: Three of the reporting council sites are using the affected software. They are waiting on the official patch from Apple. One site plans to investigate the issue further since in-the-wild exploitation has been reported.
Description: VocalTec's enterprise-class voice-over-IP (VoIP) gateway bridges the IP network and the PSTN. The gateway reportedly contains a denial-of-service vulnerability that can be triggered by a malformed H.225 "CallSetUp" message. The flaw can be exploited to crash the gateway, which may lead to loss of phone connectivity in an enterprise. The technical details and the exploit code are publicly posted.
Status: Not confirmed by the vendor; no updates available.
Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.
This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3445 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS' other free newsletters. To change your subscription, address, or other information, visit http://portal.sans.org
Copyright 2004. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.