Barcelona-based security firm Neutralbit has discovered a series of
flaws in SCADA (supervisory control and data acquisition) systems used
to monitor and control computer processes for power plants, water
supply systems and gas and oil pipelines.
Neutralbit published details of what it called the first five
vulnerabilities in OPC (open connectivity via open standards) protocol
implementations.
According to a separate
analysis from the French Security Incident Response Team
(FrSIRT), multiple flaws were found in the NETxAutomation
NETxEIB OPC Server, which could be exploited by attackers to cause
a denial of service or execute arbitrary commands. "These issues
are due to errors in the OPC Data Access interface methods
'IOPCSyncIO::Read,' 'IOPCSyncIO::Write,' 'IOPCServer::AddGroup,'
'IOPCServer::RemoveGroup,' 'IOPCCommon::SetClientName' and
'IOPCGroupStateMgt::CloneGroup,' which could be exploited by an
attacker with access to the OPC interface to crash an affected
application or compromise a vulnerable server via specially crafted
OPC handles," FrSIRT said in its advisory.
FrSIRT recommended users upgrade to
NETxAutomation NETxEIB OPC Server version 3.0.1300 to fix the
problem.
Robert Graham, president of Atlanta-based Errata Security, wrote in
the company blog that SCADA is completely open to attack, especially
OPC. He described OPC as a standard for Microsoft Windows that makes
it easy to write GUI applications for SCADA. OPC servers translate
between Windows primitives such as MS-RPC/DCOM and the back-end
protocols that actually do the monitoring and controlling of switches,
valves, pressure gauges and thermometers, he wrote.
"These backend protocols are often based upon standards that
pre-date Windows," he said. "They are horribly insecure because few
people in the SCADA industry know what a buffer-overflow is.
Unfortunately, OPC is completely open to attack. The code is
horribly insecure. It took me five minutes to find a remotely
exploitable bug when I downloaded sample implementations from the
OPC Foundation a couple years ago."
Weakness found in Windows settings
Researchers from Seattle-based security firm IOActive, Inc. have
discovered a flaw in how Windows machines obtain network settings,
and say attackers could exploit it to hijack network traffic. The
researchers announced their findings over the weekend at the
ShmooCon hacker conference in Washington. IOActive said digital
miscreants could reroute traffic because Internet Explorer searches
for a proxy server using the Web Proxy Autodiscovery Protocol
(WPAD) by default when it's running on a Windows box. With little
trouble, the bad guys can register a proxy server on a network via
the Windows Internet Naming Service (WINS) and other network
services, including the Domain Name System (DNS), IOActive research
director Chris Paget told CNET News.com.
Microsoft acknowledged the problem on its TechNet Web site
over the weekend, saying, "If an entity can surreptitiously
register a WPAD entry in DNS or in WINS ... clients may be able to
route their Internet traffic through a malicious proxy server."
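Because the hijack described above hinges on a `wpad.*` name resolving to a host the administrator did not sanction, one defensive check is to scan resolver logs for WPAD lookups whose answers fall outside the approved proxy set. The following Python is an added example, not IOActive's or Microsoft's code; the log line format and the sample addresses are constructed for this illustration.

```python
import re

# Constructed log format for this example (not any real resolver's output):
# "<timestamp> <client-ip> <qname> <qtype> -> <answer>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA) -> (\S+)$")

# Addresses of the proxies the organisation actually operates (assumed).
APPROVED_PROXIES = {"192.0.2.5"}

# Constructed sample lines: one legitimate answer, two unapproved ones,
# an unrelated query and a malformed line.
SAMPLE_LOG = [
    "2007-03-26T10:01:02 192.0.2.15 wpad.corp.example. A -> 192.0.2.5",
    "2007-03-26T10:01:07 192.0.2.16 www.corp.example. A -> 192.0.2.80",
    "2007-03-26T10:03:11 192.0.2.17 WPAD.corp.example. A -> 192.0.2.250",
    "2007-03-26T10:04:00 192.0.2.18 wpad.corp.example. AAAA -> 2001:db8::1",
    "garbage line",
]


def is_wpad_name(qname):
    """True if the leftmost label is 'wpad' (case-insensitive) and a domain follows."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0] == "wpad" and len(labels) > 1


def find_wpad_anomalies(lines, approved_proxies):
    """Return WPAD lookups whose answer is not one of the approved proxies.

    A wpad.* name pointing anywhere else means some host on the network
    has registered itself as the autodiscovered proxy and may be seeing
    clients' traffic.
    """
    approved = set(approved_proxies)
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, qname, _qtype, answer = m.groups()
        if is_wpad_name(qname) and answer not in approved:
            hits.append({"time": ts, "client": client,
                         "name": qname, "answer": answer})
    return hits


if __name__ == "__main__":
    for hit in find_wpad_anomalies(SAMPLE_LOG, APPROVED_PROXIES):
        print("suspicious WPAD answer:", hit)
```

The same filter applies to WINS name-registration logs once the lines are normalised to the format above.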
Microsoft investigates Vista flaw
Microsoft confirmed Friday afternoon that it's investigating
reports of a Windows Vista flaw attackers could exploit to
compromise PCs by tricking the user into opening a malicious email
attachment. The problem reportedly affects Windows Mail on all
versions of Vista.
Cupertino, Calif.-based antivirus giant Symantec Corp. warned
customers of its DeepSight threat management service early Friday
that Vista's native email client will execute any script or program
file that has an associated folder by the same name.
"An attacker can deliver an email message containing a malicious
link that references a local executable," Symantec said in an email
advisory. "If the victim clicks on this link the native program is
executed with no further action required."
The vendor said an attacker could potentially exploit the design
flaw to delete files or shut down the victim's computer. Other
attacks are also possible. However, Symantec noted that the flaw
can only be used to execute programs or scripts that natively
reside on a computer and also have a folder in place by the same
name.
"There is the possibility that an attacker could execute custom
malicious binaries, yet they would have to first ensure that a
malicious file is placed on a target system by some means," the
company said. "To exploit this issue, an attacker must entice an
unsuspecting user to click a malicious link in an email."
A Microsoft spokeswoman confirmed that the software giant is
investigating the flaw report, but said there is no indication of
attacks at this time.
Flaws in OpenOffice.org
Attackers could run malicious code on targeted machines by
exploiting flaws in OpenOffice.org. According to Danish
vulnerability clearinghouse Secunia:
- Several flaws within the libwpd library used by OpenOffice.org
can be exploited to cause heap-based buffer overflows and may allow
the execution of arbitrary code by tricking a user into opening a
specially crafted WordPerfect document.
- A boundary error within the StarCalc parser can be exploited to
cause a stack-based buffer overflow and may allow execution of
arbitrary code by tricking a user into opening a specially crafted
document.
- Shell meta characters are not correctly escaped, which can be
exploited to inject and execute arbitrary shell commands by
tricking a user into opening a specially crafted document and
clicking a malicious link.
Secunia said the best defense against these flaws is to avoid
opening untrusted documents.
Mozilla fixes Firefox flaw
Mozilla has released Firefox 2.0.0.3 and 1.5.0.11 to close a security hole
attackers could exploit to access sensitive information on a
victim's machine, as well as several glitches that were
accidentally introduced during the last browser upgrade.
Mozilla noted in an advisory that the file transfer protocol
(FTP) includes a passive command Firefox uses to request an
alternate data port. The specification of the FTP protocol allows
the server response to include an alternate server address as well,
Mozilla said.
"A malicious Web page hosted on a specially-coded FTP server
could use this feature to perform a rudimentary port scan of
machines inside the firewall of the victim," Mozilla said in its
advisory. "By itself this causes no harm, but information about an
internal network may be useful to an attacker should there be other
vulnerabilities present on the network."
The French Security Incident Response Team (FrSIRT) said in its
advisory that an attacker could exploit the flaw to access
sensitive information on a victim's machine.
With the latest versions of Firefox, Mozilla said clients will
now ignore the alternate server address.
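As an added illustration (not Mozilla's code), the Python below models the passive-mode handling described above: it parses the server's `227` reply and, as the fixed clients do, takes only the port from it while keeping the control-connection host. The `trust_reply_address` flag is an assumption of this example, used to contrast the earlier behaviour; the sample addresses are constructed.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# h1-h4 form the data-connection host, p1*256+p2 the port.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None  # an octet or port byte out of range: reject the reply
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


def data_endpoint(control_host, reply, trust_reply_address=False):
    """Decide where the data connection goes.

    trust_reply_address=True models the behaviour before Firefox 2.0.0.3
    and 1.5.0.11: the client connects to whatever address the server put
    in the reply, so a hostile server can aim it at hosts behind the
    victim's firewall. The default models the fix: the port comes from
    the reply but the host is always the one the control connection
    already talks to, so the server-supplied address is ignored.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    advertised_host, port = parsed
    redirected = advertised_host != control_host
    host = advertised_host if trust_reply_address else control_host
    return {"host": host, "port": port, "redirected": redirected}


if __name__ == "__main__":
    # Constructed: the server is 203.0.113.10 but names an internal host.
    reply = "227 Entering Passive Mode (10,0,0,5,0,22)"
    print("old client would connect to:",
          data_endpoint("203.0.113.10", reply, trust_reply_address=True))
    print("fixed client connects to:  ", data_endpoint("203.0.113.10", reply))
```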
The upgrade also fixes some glitches that were accidentally
introduced during the last browser update, Mozilla said.
The last update, Firefox 2.0.0.2 and 1.5.0.10, was released
earlier this month to address a regression error that occurred when
the browser processed certain IMG tags. Attackers who successfully
lured users to a malicious Web page could have exploited the flaw
to bypass restrictions and run arbitrary code.