Security Bytes: Be aware of Google Desktop 'glitch'
Cisco acquires Protego; Hotmail switches to Trend Micro; Red Hat, Mandrakesoft and Gentoo fix flaws.
Vulnerabilities in Google search tool
An attacker could secretly rifle through the contents of a personal computer using a security hole in Google's recently distributed desktop search tool. According to The New York Times, a Rice University computer scientist and two of his students found a composition flaw, a weakness that is opened up when separate components interact. "When you put them together, out jumps a security flaw," Dan Wallach, an assistant professor of computer science at the Houston school, told the paper. Wallach found the flaw with help from two graduate students, Seth Fogarty and Seth Nielson. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," he said. Google unveiled a free test version of the desktop search tool Oct. 14. It indexes material on a user's local hard disk, then blends Web search results with local user information like electronic mail, text documents and other files.
Google said in a statement that it was notified of the flaw in late November and had begun distributing a new version of the search engine that repairs the glitch. The researchers said the vulnerability is in the way Google Desktop was designed to intercept outgoing network connections from the user's computer. The program looks for traffic that appears to be going to Google.com and then inserts results from a user's hard disk for a particular search. The researchers found it was possible to trick the Google desktop search program into inserting those results into other Web pages where an attacker could read them. Successful exploitation would require a user to visit the attacker's Web site first, and any type of Web browser could make a user vulnerable. Google said there was no evidence that any such attacks had occurred.
Cisco to acquire Protego Networks
Cisco Systems said Monday it has reached a definitive agreement to acquire privately held security firm Protego Networks Inc. of Sunnyvale, Calif. Protego provides enterprise customers with security monitoring and threat management appliances. Cisco said those products will help it broaden its Self-Defending Network initiative. Under the terms of the agreement, Cisco will pay approximately $65 million in cash for Protego. The acquisition is subject to various standard closing conditions and is expected to close in the second quarter of Cisco's fiscal year 2005, which ends Jan. 29. "Cisco is committed to providing customers with end-to-end, multi-layered, and integrated security and Cisco's Self-Defending Network initiative builds proactive and advanced security capabilities directly into the network," Richard Palmer, vice president of Cisco's Security Technology Group, said in a statement. "The acquisition of Protego further emphasizes Cisco's commitment to network security and their leadership in security monitoring, threat management and mitigation complements our ongoing work in security." Protego is currently a member of Cisco's AVVID partner program and the companies have been successfully working together to sell security products to customers, Cisco said. The Protego team will be integrated into Cisco's Security Technology Group. Protego was founded in 2002 and has 38 employees.
Hotmail dumps McAfee for Trend Micro
MSN's Hotmail service has dumped McAfee as its antivirus partner in favor of rival Trend Micro, CNET News.com reported. According to Microsoft, e-mails and attachments sent or received by any of Hotmail's 187 million Web mail customers will be scanned in real time by Trend Micro's antivirus software beginning today. Hotmail's antivirus service was previously provided by McAfee and the reason for the change is unclear. However, Martin Hoffman, chief executive of Ninemsn, which operates Hotmail in Australia and is half owned by Microsoft, said in a statement that Hotmail will be able to provide a "safer online experience" using Trend Micro's products because they provide "deeper antivirus protection." "Ninemsn is focused on providing a safer online experience for our Australian customers...We're pleased to work with Trend Micro, to provide deeper antivirus protection for our Hotmail customers," CNET News.com reported Hoffman as saying.
Red Hat fixes XFree86 flaws
Red Hat has fixed several vulnerabilities in its XFree86 program that an attacker could use to crash systems and launch malicious code. According to the Linux vendor's advisory: "Several integer overflow flaws in the X.Org libXpm library used to decode .xpm (X PixMap) images have been found and addressed. An attacker could create a carefully crafted .xpm file which would cause an application to crash or potentially execute arbitrary code if opened by a victim." Red Hat recommends users upgrade to the updated XFree86 packages now available for Enterprise Linux 2.1. XFree86 is an open source implementation of the X Window System. It provides the basic low-level functionality upon which full-fledged graphical user interfaces like GNOME and KDE are designed.
Mandrakesoft fixes PHP vulnerabilities
Mandrakesoft has issued updates that fix PHP flaws affecting its Corporate Server 2.0, Linux 9.0, 10.0 and 10.1 products. PHP, a widely used scripting language for Web development that can be embedded into HTML, contains several vulnerabilities that an attacker could use to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information or compromise a vulnerable system. The Linux vendor said in its advisory that the updates address the problems, which researcher Stefan Esser discovered in PHP versions prior to 4.3.10.
Gentoo fixes multiple vulnerabilities
Gentoo has issued fixes and workarounds for vulnerabilities affecting multiple programs:
Ethereal has been updated to fix vulnerabilities an attacker could use to run malicious code, crash the program or cause a denial of service.
The Linux vendor has also updated its kdelibs and kdebase packages against a flaw researcher Daniel Fabian discovered. He found that the KDE core libraries contain a flaw allowing password disclosure by making a link to a remote file. When creating this link, the resulting URL contains authentication credentials used to access the remote file.
Gentoo said it has not yet developed a patch for several buffer overflow vulnerabilities in kfax that attackers could use to launch malicious code. Researcher Than Ngo discovered that kfax contains a private copy of the .tiff library and is therefore subject to several known vulnerabilities in which a remote attacker could entice a user to view a carefully crafted .tiff image file with kfax, potentially leading to execution of arbitrary code with the rights of the user running kfax. As a workaround, Gentoo recommends users remove the kfax binary as well as the kfaxpart.la KPart. This will render the kfax functionality useless. Gentoo said if the kfax functionality is needed, users should upgrade to KDE 3.3.2, which is not yet stable. "All kfax users should use the workaround as no patches are available yet," the advisory said.
Another advisory said abcm2ps is vulnerable to a buffer overflow that could lead to the remote launching of malicious code. Gentoo said abcm2ps is a utility used to convert ABC music sheet files into PostScript format. Researcher Limin Wang found a buffer overflow inside the put_words() function in the abcm2ps code. "A remote attacker could convince the victim to download a specially crafted ABC file," the advisory said. "Upon execution, this file would trigger the buffer overflow and lead to the execution of arbitrary code with the permissions of the user running abcm2ps." There is no known workaround and all abcm2ps users should upgrade to the latest version, Gentoo said.
Finally, Gentoo said it upgraded phpMyAdmin to fix multiple vulnerabilities that could lead to file disclosure or command execution. Researcher Nicolas Gregoire found the flaws, which exist only on a Web server where the PHP safe_mode is off. "On a system where external MIME-based transformations are enabled, an attacker can insert offensive values in MySQL, which would start a shell when the data is browsed," the advisory said. "On a system where the UploadDir is enabled, read_dump.php could use the unsanitized sql_localfile variable to disclose a file." All phpMyAdmin users should upgrade to the latest version, Gentoo said.