Flaws haunt Symantec, IBM, Cisco and IE
Bug Briefs: Security holes plague Symantec Norton products, IBM DB2, Mozilla Firefox, Trend Micro ServerProtect, Cisco IP phones, Google Desktop, IE and Snort.
Symantec fixes ActiveX glitch
Symantec Corp. has fixed an ActiveX flaw affecting its Automated Support Assistant, Norton AntiVirus 2006, Norton Internet Security 2006 and Norton System Works 2006 products. The problem is a buffer overflow error in third-party ActiveX controls developed by SupportSoft.
"The vulnerability identified in the Symantec shipped controls could potentially result in a stack overflow requiring user interaction to exploit," Symantec said in an advisory. "If successfully exploited, this vulnerability could potentially compromise a user's system, possibly allowing execution of arbitrary code or unauthorized access to system assets with the permissions of the user's browser."
IBM fixes DB2 flaws
IBM has fixed several local privilege escalation flaws in the DB2 Universal Database Server, which attackers could exploit to compromise a vulnerable machine. IBM DB2 Universal Database Server is a database server application designed to run on various platforms, including Linux, AIX, Solaris, and Microsoft Windows.
The product contains the following flaws:
- Several setuid utilities facilitate multiple vulnerabilities that allow attackers to create or append to files with super-user or administrative privileges. These issues arise because certain administrative binaries use specified filenames to save data when certain environment variables are supplied.
- A heap-overflow vulnerability arises when the application copies user-supplied data from an environment variable into a finite-sized buffer. This can result in memory corruption and arbitrary code execution. A successful attack may allow an attacker to gain super-user or administrative privileges.
- A stack-overflow vulnerability arises when the application copies user-supplied data from an environment variable into a finite-sized buffer. This can result in memory corruption and arbitrary code execution. A successful attack may allow an attacker to gain super-user or administrative privileges. Failed attack attempts may result in crashing the server.
The flaws affect DB2 version 9.1 and 8.x running on all supported platforms. IBM has released version 9.0 Fixpak 2 to address these issues in version 9.2. A fix for version 8 will be released in April.
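The two DB2 bug classes above share one root cause: a privileged (setuid) helper trusting values it read from the environment, either as a file name to write to or as data copied into a fixed-size buffer. The following C example is added here and is not IBM's code; it is a hypothetical helper with constructed names that shows the two checks a defender would expect instead: a length-checked copy and a path policy that never lets the caller's environment pick the output file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical privileged helper modelled on the DB2 bug classes above.
 * All names here (SAFE_LOG_DIR, EXAMPLE_HELPER_TAG) are constructed. */

#define LOGBUF_SZ 64
static const char *SAFE_LOG_DIR = "/var/log/example-helper"; /* constructed */

/* (1) Bounded copy of an environment value into a fixed buffer.
 * Returns 0 on success, -1 if the value would not fit; unlike strcpy()
 * nothing is written before the length has been checked. */
int copy_env_bounded(const char *value, char *dst, size_t dst_sz)
{
    if (value == NULL || dst_sz == 0)
        return -1;
    size_t n = strlen(value);
    if (n >= dst_sz)                 /* leave room for the terminator */
        return -1;
    memcpy(dst, value, n + 1);
    return 0;
}

/* (2) Path policy: the helper builds the output path itself from a fixed
 * directory and a validated base name (no '/', no '..'); it never opens
 * whatever path the caller placed in the environment.
 * Returns 0 and fills 'out' on accept, -1 on reject. */
int safe_output_path(const char *name, char *out, size_t out_sz)
{
    if (name == NULL || *name == '\0' || strlen(name) > 32)
        return -1;
    for (const char *p = name; *p; p++)   /* conservative allow-list */
        if (!((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') || *p == '_'))
            return -1;
    int n = snprintf(out, out_sz, "%s/%s.log", SAFE_LOG_DIR, name);
    return (n < 0 || (size_t)n >= out_sz) ? -1 : 0;
}

int main(void)
{
    char tag[LOGBUF_SZ], path[256];
    /* In a real setuid binary the environment is untrusted input; a rejected
     * value falls back to a built-in default instead of being used. */
    const char *v = getenv("EXAMPLE_HELPER_TAG");      /* constructed name */
    if (copy_env_bounded(v ? v : "default", tag, sizeof tag) != 0)
        strcpy(tag, "default");
    if (safe_output_path(tag, path, sizeof path) == 0)
        printf("would write to %s\n", path);
    else
        printf("rejected caller-supplied name, nothing written\n");
    return 0;
}
```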
Memory-corruption flaw in Firefox
Symantec has warned customers of its DeepSight threat management service of a new flaw in Mozilla Firefox, which attackers could exploit to run malicious code on targeted machines.
"When Mozilla Firefox processes a malicious document during a location transition that is modified from within the 'onUnload' event handler, a memory corruption vulnerability is triggered," Symantec said in an email advisory. "Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. This could facilitate the remote compromise of affected computers."
The problem affects Firefox 2.0.0.1. Other versions are also likely affected, Symantec said.
Researchers Michal Zalewski and Jakob Balle appear to have discovered this vulnerability independently of one another, Symantec added.
To mitigate the threat, Symantec recommended users:
- Not follow links provided by unknown or untrusted sources.
- Set Web browser security to disable the execution of script code or active content.
- Implement multiple redundant layers of security.
- Run all software as a non-privileged user with minimal access rights.
Trend Micro fixes ServerProtect flaws
Tokyo-based antivirus vendor Trend Micro has fixed several flaws in its ServerProtect product. Attackers could exploit them to cause a buffer overflow and run malicious code with system privileges.
The problems are:
- Two boundary errors within the "CMON_NetTestConnection()" function in StCommon.dll. Attackers could exploit this to cause a stack-based buffer overflow via a specially crafted RPC request to the SpntSvc.exe service.
- Two boundary errors within the "ENG_SendEMail()" function in eng50.dll. Attackers could exploit this to cause a stack-based buffer overflow via a specially crafted RPC request to the SpntSvc.exe service.
The vulnerabilities affect ServerProtect for Windows 5.58, ServerProtect for EMC 5.58, ServerProtect for Network Appliance Filer 5.61 and ServerProtect for Network Appliance Filer 5.62. Trend Micro advises customers to apply the appropriate patches.
Cisco warns of IP phone flaws
Attackers could circumvent security restrictions and compromise certain Cisco IP phones by exploiting a series of flaws, the networking giant warned Wednesday. Some of the problems have been fixed.
The first problem is with the Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices. The phones contain a hard-coded default user account with a default password that's remotely accessible via a Secure Shell (SSH) server enabled on the phone.
"This default user account may be leveraged to gain administrative access to a vulnerable phone via a privilege escalation vulnerability," Cisco warned. "The default user account may also execute commands causing a phone to become unstable and result in a denial of service."
The company has made free software available to address the flaws.
Researchers also found a series of flaws in the Cisco Unified IP Conference Station and IP phone devices.
According to Cisco:
The Cisco advisory offers a breakdown of the flaws it has fixed as well as those for which a patch is in development.
Google plugs dangerous flaw in desktop search tool
Google Inc. has plugged a dangerous flaw in its desktop search tool that could have exposed users' personal files to an attacker.
Google Desktop is used to index documents, email, instant messaging transcripts and archived Web pages. Once items are indexed by the application, users can conduct a search to quickly retrieve files and information.
The flaw, which enables a cross-site scripting attack, was discovered last October, along with two other minor issues, by Yair Amit, senior security researcher at Waltham, Mass.-based Watchfire Corp., a security analysis provider. The hole allows an attacker to place malicious code on a user's computer and retrieve files in only a few seconds.
Once a PC is victimized by the cross-site scripting attack, a hacker could use Google Desktop to search the user's machine and take full control of the computer, said Danny Allan, director of security research at Watchfire. Although there has never been an attack documented in the wild, Allan said an attack could be conducted relatively easily after building an exploit.
"It's probably one of most critical Web application vulnerabilities I've seen," Allan said. "Features built into Google allow an attacker to reach a thousand victims in a single search, so the potential outcome is very critical."
Google Desktop versions 5.0.0701.18382 and earlier are affected. Allan said it is unclear whether Google's Enterprise Search Appliance is similarly affected.
Google issued a statement saying it developed a fix several weeks ago after the hole was discovered, and that the flaw was never exploited in the wild. While Google says its automatic update would repair the vulnerability without user intervention, researchers at Watchfire said users should make sure they are using the latest version of the software.
Microsoft confirms new IE glitch
Attackers could exploit a new security hole in Internet Explorer (IE) to access local files on targeted systems, Microsoft confirmed Tuesday. Proof-of-concept exploit code is available for the flaw.
The problem, discovered by vulnerability researcher Rajesh Sethumadhavan, is that the browser mishandles certain HTML tags. The flaw, he wrote in his analysis, "could be exploited by a malicious remote user to obtain sensitive local files from the victim's computer."
Sethumadhavan said the flaw exists in IE 6, and security firms such as Cupertino, Calif.-based Symantec Corp. and Redwood Shores, Calif.-based Qualys Inc. have independently confirmed it.
Specifically, the problem occurs when Internet Explorer handles the following HTML tags: img, script, embed, object, param, style, bgsound, body and input. If the resource these tags reference is specified with the file protocol, a remote attacker can access arbitrary local files on a victim's system.
Meanwhile, Secunia researcher Jakob Balle and researcher Michal Zalewski appear to have discovered a new vulnerability in IE 7 independently of each other.
The problem is an error in IE 7's handling of "onunload" events, enabling a malicious Web site to abort the loading of a new Web site. This can be exploited to spoof the address bar if the user enters a new Web site manually in the address bar. Secunia confirmed the flaw on a fully patched Windows XP SP2 system running IE 7. Secunia recommended users close all browser windows after visiting untrusted Web sites to mitigate the threat.
Sourcefire fixes Snort glitch
Sourcefire Inc. has updated its popular open source Snort IDS tool to plug security holes an attacker could exploit to cause a denial of service or launch malicious code.
The vendor said in its advisory that the flaw is in the Snort DCE/RPC preprocessor. "This preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary," the company said.
The problem affects Snort 2.6.1, 2.6.1.1 and 2.6.1.2, and Snort 2.7 beta 1. Users are advised to neutralize the flaw by upgrading to Snort version 2.6.1.3 or 2.7 beta 2.
The French Security Incident Response Team (FrSIRT) described the flaw as a critical buffer overflow error within the DCE/RPC preprocessor -- enabled by default -- that surfaces when malformed data is processed via the "ReassembleSMBWriteX()" and "ReassembleDCERPCRequest()" functions. This "could be exploited by attackers to compromise a vulnerable system by sending specially crafted packets to a network being monitored by a vulnerable application," FrSIRT said.