@RISK: The Consensus Security Vulnerability Alert

Another week and another security flaw is discovered in Computer Associates' ARCserve backup software. All these vulnerabilities found in widely used backup software reflect a sad truth: criminals use badly written backup software for immediate access to sensitive and valuable information as well as back doors into corporations and government agencies' networks.

Alan

PS. Useful check for December 2007: When was the last time your backup software was patched? A surprising number of people are unaware that Microsoft's automatic updates do not cover Symantec and CA backup software.

PPS. Useful check for 2008. What are the GSSP (secure programming) scores of the programmers who wrote the software you use? If you don't ask, you'll have no way of verifying that the developers have even a clue about writing secure code. http://www.sans.org/gssp

Table Of Contents

Widely Deployed Software

• (1) CRITICAL: Computer Associates BrightStor ARCserve Backup Insecure Method Exposure
• Affected:
  • Computer Associates BrightStor ARCserve Backup versions r11.5 and prior
  • Computer Associates BrightStor Enterprise Backup versions r10.5 and prior

• Description: Computer Associates BrightStor ARCserve is a popular suite of enterprise backup software. It exposes several Remote Procedure Call (RPC) interfaces. One of these interfaces exposes several operations that can manipulate arbitrary files and Microsoft WIndows Registry keys. No authentication is required to call these operations. An attacker who called these functions could execute arbitrary code or otherwise manipulate the system with the privileges of the vulnerable process (often SYSTEM). Technical details for this vulnerability are available in the advisory.

• Status: Computer Associates confirmed, updates available. Users can mitigate the impact of this vulnerability by blocking TCP port 6504 at the network perimeter, if possible.

• References:
  • Zero Day Initiative Advisory
  • http://zerodayinitiative.com/advisories/ZDI-07-069.html
  • Computer Associates Home Page
  • http://www.ca.com
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/26015

• (2) HIGH: Mozilla-based Browsers Multiple Memory Corruption Vulnerabilities
• Affected:
  • Mozilla Firefox versions prior to 2.0.0.10
  • Mozilla SeaMonkey versions priot to 1.1.7
  • Netscape Navigator versions prior to 9.0.4

• Description: Web browsers based on the Mozilla suite, including Firefox, contain multiple vulnerabilities in their handling of web content. A specially crafted web page or script could trigger one of these vulnerabilities. Successfully exploiting one of these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the current user. Note that other browsers or applications based on the Mozilla framework could be vulnerable. Details for these vulnerabilities are available via source code analysis.

• Status: Mozilla confirmed, updates available.

• References:
  • Mozilla Security Advisory
  • http://www.mozilla.org/security/announce/2007/mfsa2007-38.html
  • Netscape Release Notes
  • http://browser.netscape.com/releasenotes/#whatsnew
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/26593

• (3) HIGH: IBM Lotus Notes Attachment Parsing Multiple Buffer Overflows
• Affected:
  • Lotus Notes versions 8.0 and prior

• Description: Autonomy KeyView is a media viewing component distributed with IBM's Lotus Notes groupware suite. This component contains several buffer overflows in the processing of various file formats. A specially crafted file attached to a message could trigger one of these overflows, allowing an attacker to execute arbitrary code with the privileges of the current user. Note that Lotus Notes determines what icon to display for an attachment and what application to open it using different data; it is therefore possible to spoof malicious attachments as more innocuous formats. A proof-of-concept and full technical details for these vulnerabilities are publicly available. Note that other products using Autonomy KeyView may be vulnerable.

• Status: IBM confirmed, updates available.

• References:
  • IBM Security Advisory
  • http://www-1.ibm.com/support/docview.wss?uid=swg21285600
  • CORE Security Advisory
  • http://www.coresecurity.com/index.php5?action=item&id=2008
  • Proof-of-Concept
  • http://downloads.securityfocus.com/vulnerabilities/exploits/26604.py
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/26604

Other Software

• (4) HIGH: VideoLAN Client ActiveX Control Memory Corruption
• Affected:
  • VideoLAN Client Media Plaer versions prior to 0.8.6d

• Description: The VideoLAN Client Media Player (VLC) is a popular cross-platform media player. The version for Microsoft Windows provides an ActiveX control, allowing developers to embed VLC functionality in their applications. This control can be instantiated by web pages. This control contains a vulnerability in its handling of certain calls. A malicious web page that instantiates this control could exploit these vulnerabilities to execute arbitrary code with the privileges of the current user. Technical details for these vulnerabilities is available via source code analysis.

• Status: VideoLAN confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the affected control via Microsoft's "kill bit" mechanism.

• References:
  • VideoLAN Security Advisory
  • http://www.videolan.org /sa0703.html"> http://www.videolan.org /sa0703.html
  • Microsoft Knowledge Base Article (details the "kill bit" mechanism)
  • http://support.microsoft.com/kb/240797
  • Vendor Home Page
  • http://www.videolan.org
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/26675