Security Bytes: New .jpg attack imminent; CA agrees to pay $225 million for federal violations

Sanjay Kumar is indicted for securities fraud and conspiracy, while Authorize.Net is knocked offline by massive DDoS attacks.

Exploit code circulating for .jpg flaw
The SANS Institute is warning users of Microsoft Windows that exploit code is circulating for the flaw described in MS04-028 and recommends they immediately apply the patch.

In the Wednesday SANS Handler's Diary, Pedro Bueno wrote, "Today another exploit for MS04-28, regarding the .jpg [flaw], was publicly released. This one will open a command prompt in your machine." In an e-mail interview, he added, "The exploits that we have seen so far [range] from simple ones that open a command prompt to more dangerous ones that add a user at the admin group, which would have administrator rights on the machine. I think that we will still see more and more exploits in the next few hours/days that will be even worse."

"Companies should test [the patch] and also apply [it] as soon as possible," said Bueno, a SANS ISC incident handler. "Remember that patches are not to be applied only when a new malware is exploiting the vulnerability, so don't wait for it as a reason to apply the patches."

Geoff Shively, chief scientist at Newport Beach, Calif.-based PivX Solutions, said in an e-mail interview that he knows exploit code is privately circulating. "Rootkits, standalone exploit code, etc., are all being worked on to take advantage of the .jpg vulnerability."

CA admits financial wrongdoing; former CEO charged with securities fraud
New York-based Computer Associates International Inc. has reached an accord with the Department of Justice and the Securities and Exchange Commission, ending an investigation into financial wrongdoing. Investigators also announced Wednesday that the security software company's former CEO, Sanjay Kumar, has been charged with securities fraud, conspiracy and obstruction of justice. The company issued a statement on its Web site yesterday saying its agreement with the government ends a "deeply troubling chapter in its history."

CA Chairman Lewis Ranieri said in the statement, "On behalf of the company and all its employees, we tender our sincere apologies to our shareholders and customers." He added, "Some former members of CA's management engaged in illegal activity. Violations of law and ethical standards, including securities fraud, obstructing a government investigation, and lying to CA's board of directors and CA's lawyers cannot be condoned. We fully support the government's efforts to bring all responsible parties to justice."

Under the terms of the agreement, the company accepted full responsibility for improper accounting practices and subsequent misstatement of revenue, and for "impeding and failing to cooperate with the investigation by the Department of Justice and the Securities and Exchange Commission." The company will also:

  • Establish a restitution fund of $225 million to compensate present and former shareholders for losses caused "by the misconduct of certain former company executives."
  • Provide active assistance to government investigators -- including legal and accounting aid -- "to obtain disgorgement of compensation from any present or former CA officer or employee who engaged in any improper conduct while employed at CA."
  • Take steps to strengthen CA's corporate governance, management team, and financial reporting and processes. CA will also enhance its compliance and ethics training.
  • Adhere to relevant provisions of securities laws and continue to cooperate with the government.

Large credit card processor taken down by DDoS attacks
One of the Internet's biggest credit card processing services has been crippled since last week by massive distributed denial-of-service attacks that have prevented online businesses from conducting sales. Authorize.Net, which is owned by Burlington, Mass.-based Lightbridge, says it's working with the FBI and outside consultants to minimize disruptions to its customers, which number about 90,000, according to Wired News. Meanwhile, merchants, primarily small businesses, have been hit especially hard by being unable to process credit card transactions. The attacks began last Wednesday and have continually swamped Authorize.Net's servers with bogus traffic.

Vulnerabilities in GdkPixbuf library
Gentoo Linux recommends users upgrade to the latest version of the GdkPixbuf library to fix multiple image decoding vulnerabilities an attacker could exploit to cause a denial of service or launch malicious code. The GdkPixbuf library provides facilities for image handling and is available as a standalone library or can be shipped with GTK+ 2. Gentoo's advisory said a vulnerability has been discovered in the .bmp image preprocessor. "Also, [researcher] Chris Evans found a possible integer overflow in the pixbuf_create_from_xpm() function, resulting in a heap overflow. He also found a potential stack-based buffer overflow in the xpm_extract_color() function. A possible integer overflow has also been found in the ICO decoder." With a specially crafted .bmp image, Gentoo warned, "an attacker could cause an affected application to enter an infinite loop when that image is being processed. Also, by making use of specially crafted .xpm or ICO images an attacker could trigger the overflows, which potentially allows the execution of arbitrary code."

Several Mozilla vulnerabilities patched
Gentoo Linux has released new versions of Mozilla, Epiphany, Mozilla Thunderbird and Mozilla Firefox to fix several vulnerabilities an attacker could use to remotely execute malicious code or cause other problems. "Mozilla-based products are vulnerable to multiple security issues," Gentoo warned in its advisory. "Firstly, routines handling the display of .bmp images and vcards contain an integer overflow and a stack buffer overrun. Specific pages with long links, when sent using the 'send page' function, and links with non-ASCII hostnames could both cause heap buffer overruns." The advisory also warned of several problems found and fixed in JavaScript rights handling. "Untrusted script code could read and write to the clipboard, signed scripts could build confusing grant privileges dialog boxes, and when dragged onto trusted frames or windows, JavaScript links could access information and rights of the target frame or window. Finally, Mozilla-based mail clients [Mozilla and Mozilla Thunderbird] are vulnerable to a heap overflow caused by invalid pop3 mail server responses." There is no known workaround covering all vulnerabilities, Gentoo said, recommending users upgrade to the latest stable versions.
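The GdkPixbuf and Mozilla items above describe the same defect class in image decoders: an integer overflow in the buffer size computed from header fields (width, height, bytes per pixel) that yields an undersized heap allocation, and a .bmp parser that can be driven into an infinite loop. The C below is an added example, not code from GdkPixbuf, Mozilla or Gentoo; the header struct, the run-length pair encoding and the 64 MiB cap are constructed for illustration. It places the naive size computation beside a checked one, and shows a decoder loop that rejects input which makes no progress rather than spinning on it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed header, loosely modelled on what an XPM/BMP/ICO decoder reads
   before allocating its pixel buffer (the real GdkPixbuf structures differ). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} image_header;

/* Largest pixel buffer this decoder is willing to allocate (constructed cap). */
#define MAX_PIXEL_BYTES (64u * 1024u * 1024u)

/* Vulnerable pattern: the product is evaluated in 32-bit arithmetic, so a
   header such as 65536 x 65536 x 4 wraps to 0 and the decoder allocates a
   buffer far smaller than the pixel data it will later write into it. */
static uint32_t naive_buffer_size(const image_header *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Hardened pattern: compute in 64-bit, reject zero dimensions, a row stride
   that would not fit a 32-bit value, and totals above the policy cap.
   Returns the byte count, or 0 when the header is rejected (never 0 on success
   because every factor is non-zero). */
static size_t checked_buffer_size(const image_header *h)
{
    if (h->width == 0 || h->height == 0 ||
        h->bytes_per_pixel == 0 || h->bytes_per_pixel > 4)
        return 0;
    uint64_t row = (uint64_t)h->width * h->bytes_per_pixel;
    if (row > UINT32_MAX)           /* row stride would wrap in 32 bits */
        return 0;
    uint64_t total = row * h->height;
    if (total > MAX_PIXEL_BYTES)    /* exceeds what we are willing to allocate */
        return 0;
    return (size_t)total;
}

/* Allocate only through the checked size; NULL means the header was rejected. */
static unsigned char *alloc_pixels(const image_header *h, size_t *size_out)
{
    size_t n = checked_buffer_size(h);
    if (n == 0)
        return NULL;
    unsigned char *p = calloc(n, 1);
    if (p && size_out)
        *size_out = n;
    return p;
}

/* Constructed run-length stream: pairs of (count, value). A loop that runs
   "until the image is full" without checking progress spins forever on a
   zero-length run; this version rejects runs that make no progress or would
   overrun the output. Returns pixels written, or -1 on malformed input. */
static long decode_rle(const unsigned char *in, size_t in_len,
                       unsigned char *out, size_t out_len)
{
    size_t ip = 0, op = 0;
    while (ip + 2 <= in_len && op < out_len) {
        unsigned char count = in[ip];
        unsigned char value = in[ip + 1];
        ip += 2;
        if (count == 0)
            return -1;                 /* zero-length run: no progress, malformed */
        if (count > out_len - op)
            return -1;                 /* run would overrun the pixel buffer */
        memset(out + op, value, count);
        op += count;
    }
    return (long)op;
}

int main(void)
{
    /* Constructed hostile header: the naive product wraps to 0 bytes. */
    image_header hostile = { 65536u, 65536u, 4u };
    printf("naive size   = %u\n", naive_buffer_size(&hostile));
    printf("checked size = %zu (0 = rejected)\n", checked_buffer_size(&hostile));

    image_header benign = { 640u, 480u, 4u };
    size_t n = 0;
    unsigned char *px = alloc_pixels(&benign, &n);
    printf("benign alloc = %zu bytes\n", n);
    free(px);

    const unsigned char stream[] = { 3, 'a', 2, 'b' };   /* constructed input */
    unsigned char out[5];
    printf("rle pixels   = %ld\n", decode_rle(stream, sizeof stream, out, sizeof out));
    return 0;
}
```

The checked path does the arithmetic in a wider type and compares against explicit limits before calling the allocator, which is the fix pattern for the pixbuf_create_from_xpm() and ICO cases the advisory describes; the bounded loop addresses the .bmp infinite-loop case by making every iteration either consume input and produce output or fail.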
