Flaws haunt protocol tied to national infrastructure

Also: A weakness is found in Windows settings, Microsoft investigates a new Vista flaw, and flaws are addressed in OpenOffice.org and Firefox.


Barcelona-based security firm Neutralbit has discovered a series of flaws in SCADA (supervisory control and data acquisition) systems used to monitor and control computer processes for power plants, water supply systems and gas and oil pipelines. Neutralbit published details of what it called the first five vulnerabilities in OPC (open connectivity via open standards) protocol implementations.

According to a separate analysis from the French Security Incident Response Team (FrSIRT), multiple flaws were found in the NETxAutomation NETxEIB OPC Server, which could be exploited by attackers to cause a denial of service or execute arbitrary commands. "These issues are due to errors in the OPC Data Access interface methods 'IOPCSyncIO::Read,' 'IOPCSyncIO::Write,' 'IOPCServer::AddGroup,' 'IOPCServer::RemoveGroup,' 'IOPCCommon::SetClientName' and 'IOPCGroupStateMgt::CloneGroup,' which could be exploited by an attacker with access to the OPC interface to crash an affected application or compromise a vulnerable server via specially crafted OPC handles," FrSIRT said in its advisory.

FrSIRT recommended users upgrade to NETxAutomation NETxEIB OPC Server version 3.0.1300 to fix the problem.

Robert Graham, president of Atlanta-based Errata Security, wrote in the company blog that SCADA is completely open to attack, especially OPC. He described OPC as a standard for Microsoft Windows that makes it easy to write GUI applications for SCADA. They translate from Windows primitives such as MS-RPC/DCOM to back-end protocols that actually do the monitoring and controlling of switches, valves, pressure gauges and thermometers, he wrote.

"These backend protocols are often based upon standards that pre-date Windows," he said. "They are horribly insecure because few people in the SCADA industry know what a buffer-overflow is. Unfortunately, OPC is completely open to attack. The code is horribly insecure. It took me five minutes to find a remotely exploitable bug when I downloaded sample implementations from the OPC Foundation a couple years ago."

Weakness found in Windows settings
Researchers from Seattle-based security firm IOActive, Inc. have discovered a flaw in how Windows machines obtain network settings, and say attackers could exploit it to hijack network traffic. The researchers announced their findings over the weekend at the ShmooCon hacker conference in Washington. IOActive said digital miscreants could reroute traffic because Internet Explorer searches for a proxy server using the Web Proxy Autodiscovery Protocol (WPAD) by default when it's running on a Windows box. With little trouble, the bad guys can register a proxy server on a network via the Windows Internet Naming Service (WINS) and other network services, including the Domain Name System (DNS), IOActive research director Chris Paget told CNET News.com.

Microsoft acknowledged the problem on its TechNet Web site over the weekend, saying, "If an entity can surreptitiously register a WPAD entry in DNS or in WINS…clients may be able to route their Internet traffic through a malicious proxy server."

Microsoft investigates Vista flaw
Microsoft confirmed Friday afternoon that it's investigating reports of a Windows Vista flaw attackers could exploit to compromise PCs by tricking the user into opening a malicious email attachment. The problem reportedly affects Windows Mail on all versions of Vista.

Cupertino, Calif.-based antivirus giant Symantec Corp. warned customers of its DeepSight threat management service early Friday that Vista's native email client will execute any script or program file that has an associated folder by the same name.

"An attacker can deliver an email message containing a malicious link that references a local executable," Symantec said in an email advisory. "If the victim clicks on this link the native program is executed with no further action required."

The vendor said an attacker could potentially exploit the design flaw to delete files or shut down the victim's computer. Other attacks are also possible. However, Symantec noted that the flaw can only be used to execute programs or scripts that natively reside on a computer and also have a folder in place by the same name.

"There is the possibility that an attacker could execute custom malicious binaries, yet they would have to first ensure that a malicious file is placed on a target system by some means," the company said. "To exploit this issue, an attacker must entice an unsuspecting user to click a malicious link in an email."

A Microsoft spokeswoman confirmed that the software giant is investigating the flaw report, but said there is no indication of attacks at this time.

Flaws in OpenOffice.org
Attackers could run malicious code on targeted machines by exploiting flaws in OpenOffice.org. According to Danish vulnerability clearinghouse Secunia:

  • Several flaws within the libwpd library used by OpenOffice.org can be exploited to cause heap-based buffer overflows and may allow the execution of arbitrary code by tricking a user into opening a specially crafted WordPerfect document.
  • A boundary error within the StarCalc parser can be exploited to cause a stack-based buffer overflow and may allow execution of arbitrary code by tricking a user into opening a specially crafted document.
  • Shell meta characters are not correctly escaped, which can be exploited to inject and execute arbitrary shell commands by tricking a user into opening a specially crafted document and clicking a malicious link.

Secunia said the best defense against these flaws is to avoid opening untrusted documents.

Mozilla fixes Firefox flaw
Mozilla has released Firefox 2.0.0.3 and 1.5.0.11 to close a security hole attackers could exploit to access sensitive information on a victim's machine, as well as several glitches that were accidentally introduced during the last browser upgrade.

Mozilla noted in an advisory that the file transfer protocol (FTP) includes a passive command Firefox uses to request an alternate data port. The specification of the FTP protocol allows the server response to include an alternate server address as well, Mozilla said.

"A malicious Web page hosted on a specially-coded FTP server could use this feature to perform a rudimentary port scan of machines inside the firewall of the victim," Mozilla said in its advisory. "By itself this causes no harm, but information about an internal network may be useful to an attacker should there be other vulnerabilities present on the network."

The French Security Incident Response Team (FrSIRT) said in its advisory that an attacker could exploit the flaw to access sensitive information on a victim's machine.

With the latest versions of Firefox, Mozilla said clients will now ignore the alternate server address.
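How a client can apply that mitigation, as an added example that is not Mozilla's code: the PASV reply is parsed for the port, but the data connection always goes to the host the control connection was opened to, and any attempt by the server to point it elsewhere is flagged. The replies and the 203.0.113.10 address are constructed for the example.

```python
import re
from typing import Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Some servers omit the parentheses, so only the six numbers are required.
_PASV_RE = re.compile(r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (advertised_host, port) from a PASV reply, or None if malformed."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port

def choose_data_endpoint(reply: str, control_host: str) -> Optional[Tuple[str, int, bool]]:
    """Decide where the data connection goes.

    The host advertised in the reply is ignored and the control-connection
    host is used instead (the behaviour Mozilla describes for 2.0.0.3/1.5.0.11).
    The third element is True when the server tried to redirect the data
    connection somewhere else, which a client can log as suspicious.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    advertised, port = parsed
    return control_host, port, advertised != control_host

if __name__ == "__main__":
    # Constructed replies; 203.0.113.10 is a documentation-range address.
    server = "203.0.113.10"
    for reply in ("227 Entering Passive Mode (203,0,113,10,4,1)",
                  "227 Entering Passive Mode (10,0,0,5,0,80)",
                  "500 Syntax error"):
        print(reply, "->", choose_data_endpoint(reply, server))
```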

The upgrade also fixes some glitches that were accidentally introduced during the last browser update, Mozilla said.

The last update, Firefox 2.0.0.2 and 1.5.0.10, was released earlier this month to address a regression error that occurred when the browser processed certain IMG tags. Attackers who successfully lured users to a malicious Web page could have exploited the flaw to bypass restrictions and run arbitrary code.
