Security Update: 28 February 2002
By Brett Glass
Serious Internet Explorer bug lets hackers commandeer systems
Despite Microsoft's claims that it is concentrating on improving the security of its products, the parade of bug reports continues. The latest Internet Explorer / Outlook / Outlook Express bug, reported by CERT this week, is particularly nasty; it allows the creator of a Web page or e-mail message to completely take over your system when you view the page or message. According to CERT, "This vulnerability could be exploited to distribute viruses, worms, or other malicious code."
Here's how it works. The Internet Explorer "rendering engine" -- the code that arranges and draws the text and pictures in a Web page -- has a buffer overflow vulnerability that can be exploited by a carefully crafted "<EMBED>" tag. Because Internet Explorer 5.5 and 6.0, Outlook, and Outlook Express use this rendering engine, all are vulnerable. Third-party applications that use the rendering engine, such as the AOL client software and some Intuit products, may also be vulnerable. (The Eudora e-mail client uses the MSIE rendering engine, too, and so is vulnerable unless the user un-checks an option titled "Use Microsoft's viewer.")
What should you do about the bug? If you can't avoid running MSIE or programs that depend upon it, you may be able to avoid intrusions by disabling ActiveX controls and plug-ins (a well-known source of security problems). Other tips are included in the CERT advisory (the first link below). Microsoft has published a patch that is claimed to fix the problem (second link below).
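As an added example (not code from the newsletter, the CERT advisory, or Microsoft), the Python script below shows the kind of check a mail gateway or proxy could apply to HTML before it reaches a rendering engine that hands tag content to plug-ins: it lists every EMBED and OBJECT tag in a message and flags attribute values that are unusually long. The tag set and the 256-byte length threshold are assumptions of this example, not figures from the advisory, and the sample messages are constructed.

```python
"""Flag plug-in tags in HTML before a rendering engine sees it.

Added example for the newsletter item above; not code from ExtremeTech,
CERT or Microsoft. Assumes a mail gateway or proxy that can inspect HTML
bodies. PLUGIN_TAGS and LONG_ATTR are assumptions of this example.
"""
from html.parser import HTMLParser

PLUGIN_TAGS = {"embed", "object"}   # tags that hand content to plug-ins / ActiveX
LONG_ATTR = 256                     # heuristic: values this long are rarely legitimate


class PluginTagFinder(HTMLParser):
    """Collect every <embed>/<object> start tag with its attribute names."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in PLUGIN_TAGS:          # HTMLParser lower-cases tag names
            return
        long_attrs = [name for name, value in attrs
                      if value is not None and len(value) >= LONG_ATTR]
        self.findings.append({
            "tag": tag,
            "line": self.getpos()[0],
            "attrs": [name for name, _ in attrs],
            "long_attrs": long_attrs,
        })

    def handle_startendtag(self, tag, attrs):
        # "<embed ... />" arrives here instead of handle_starttag
        self.handle_starttag(tag, attrs)


def scan_html(html: str) -> list:
    """Return one finding per plug-in tag found in the document."""
    parser = PluginTagFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def verdict(html: str) -> str:
    """'clean' (no plug-in tags), 'review' (present), or 'block' (oversized attribute)."""
    findings = scan_html(html)
    if not findings:
        return "clean"
    if any(f["long_attrs"] for f in findings):
        return "block"
    return "review"


if __name__ == "__main__":
    # Constructed sample messages, not taken from the advisory.
    samples = {
        "plain": "<html><body><p>Meeting moved to 3pm.</p></body></html>",
        "clip": '<html><body><embed src="clip.wav" type="audio/wav"></body></html>',
        "oversized": '<html><body><embed src="' + "A" * 300 + '"></body></html>',
    }
    for label, body in samples.items():
        print(f"{label:10s} -> {verdict(body)}  {scan_html(body)}")
```

A gateway that returns "block" for oversized attributes and quarantines "review" messages for a human decision is a coarser control than a patched client, but it does not depend on every desktop being up to date.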
FURTHER READING
CERT Advisory CA-2002-04: Buffer Overflow in Microsoft Internet Explorer
Microsoft Security Bulletin MS02-005 (Note: May not render properly on non-Microsoft browsers)
Three new MSIE security holes
According to an article in The Register, three other security holes -- less serious than the one described above but also worthy of concern -- have been discovered in Microsoft Internet Explorer. Two are relatively minor, but the third -- used by itself or in conjunction with the media player scripting facilities discussed below -- could allow the theft of personal information and/or the propagation of worms and viruses. See the link below for details.
FURTHER READING
Three new MS security holes
Windows Media Player may let worms in
Computer privacy investigator Richard Smith reported last week that Windows Media Player 8 -- the version that ships with Windows XP -- surreptitiously keeps records of what you watch and hear. The data, which is difficult to remove from your hard disk without crippling the player, could provide fodder for private investigators, divorce lawyers, or marketers, and could be used to check for illegal copies and/or to "turn off" access to media after a certain period of time.
If your PC is attached to the Internet, the Media Player also sends data which uniquely identifies you and your PC to Microsoft while fetching information about the titles you play. This gives Microsoft the ability to accumulate data on your viewing habits or track the use of copyrighted material and to correlate it with the data the company gathers via compulsory product registration and/or via its "Passport" registration system (which holds users' addresses, credit card numbers, and other personal information). According to an Associated Press article (link below), Microsoft says it "has no plans" to sell the data it gathers about users, but would not promise that it would not do so in the future. Like the data on your own PC, the data on Microsoft's servers might also be subpoenaed as part of court proceedings or revealed due to a security hole. Finally, according to Microsoft, the Windows Media Player also tracks users via "cookies." Worried about your privacy yet? See the first three links below for more.
Also discussed on Bugtraq this week was a "feature" of the Windows Media Player that could allow a media file to inject hostile code into your PC. Windows media files can contain URLs or JavaScript that are fed to the user's browser when the file is played. Thus, it's possible for a seemingly harmless music file to hijack your browser and/or exploit security vulnerabilities (including those cited in the two items just above) to steal your personal data or take over your entire system. It may be possible to create a "musical worm" that jumps from machine to machine by sending itself as a music file to the next potential victim.
The user who initiated the Bugtraq discussion said that when he attempted to play an "MP3" file he'd downloaded from the 'Net, a pornographic video began to play and "a MASSIVE amount of pop-up ads" appeared on the screen. Closer inspection of the file revealed that it was not an MP3 file at all but rather a .wmf (Windows Media file) -- a format that allows URLs and scripts to be embedded. (When the Windows Media Player opens the file, it apparently looks at the file itself and recognizes its own format, even though an incorrect file extension has been used. This makes it impossible for users to avoid potentially dangerous files by looking at their names.) Other media players that use proprietary formats, such as those produced by Real, Inc., may also be vulnerable. However, those that play only industry standard MP3 files, such as Winamp, probably are not. For more, see the links below.
FURTHER READING
Serious privacy problems in Windows Media Player for Windows XP (Richard Smith)
Microsoft player logs user info (AP, via Washington Post)
Media Player for Windows XP Privacy Statement (Microsoft)
Windows Media Player executes WMF content in .MP3 files (Bugtraq)
http://online.securityfocus.com/archive/1/257799
http://online.securityfocus.com/archive/1/258122
MP3 files not always safe with top media players (Newsbytes)
Demonstration file showing how Windows Media Player can be hijacked (PC-Radio)
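The file-masquerading trick in the Bugtraq report cuts both ways: a defender can also identify a file by its leading bytes instead of trusting its extension. The Python script below is an added example, not code from the newsletter or from the Bugtraq posting; it recognises the ASF container header used by Windows Media files and the two usual MP3 openings (an ID3v2 tag or an MPEG frame sync), and reports when a file's name claims one format but its content is another. The sample byte strings are constructed here for illustration.

```python
"""Identify a media file by its leading bytes rather than its extension.

Added example for the Bugtraq item above; not code from the newsletter or
the posting. Signatures are the ASF header GUID (Windows Media .wma/.wmv/
.asf) and the two usual MP3 openings; anything else is reported as unknown.
"""
import os

# ASF_Header_Object GUID as it appears on disk (little-endian byte order).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# What each extension claims to contain; extensions not listed are not judged.
EXPECTED_BY_EXT = {".mp3": "mp3", ".wma": "asf", ".wmv": "asf", ".asf": "asf"}


def sniff_media_type(data: bytes) -> str:
    """Coarse type from the first bytes only: 'asf', 'mp3' or 'unknown'."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"    # ID3v2 tag precedes the audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"    # MPEG audio frame sync: first 11 bits set
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the content is."""
    ext = os.path.splitext(name)[1].lower()
    claimed = EXPECTED_BY_EXT.get(ext, "unknown")
    actual = sniff_media_type(data)
    # Only flag a clear contradiction; unknown on either side is not evidence.
    mismatch = "unknown" not in (claimed, actual) and claimed != actual
    return {"name": name, "claimed": claimed, "actual": actual, "mismatch": mismatch}


if __name__ == "__main__":
    # Constructed samples: a genuine-looking MP3 and an ASF file named as MP3.
    samples = [
        ("track.mp3", b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00"),
        ("song.mp3", ASF_HEADER_GUID + b"\x00" * 16),
        ("clip.wma", ASF_HEADER_GUID + b"\x00" * 16),
    ]
    for name, data in samples:
        r = check_file(name, data)
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{name:10s} claims {r['claimed']:8s} content {r['actual']:8s} {flag}")
```

Run over a download directory, the mismatch flag marks exactly the files the newsletter describes: content the player will treat as a scriptable Windows Media file regardless of the name it was given.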
PHP Web scripting language has security problems
PHP: Hypertext Preprocessor is a popular language that makes it easy to write server-side scripts into Web pages. Developed by a subgroup of the Apache Project, it's present on many Web servers, and is often included in distributions of operating systems such as Linux.
According to an announcement made on February 27, 2002, the vast majority of Web servers that have PHP enabled are insecure due to recently discovered problems involving memory allocation. The security holes allow an intruder to commandeer a Web server, executing code with the same privileges that the Web server software enjoys.
While many of the newly discovered PHP bugs can be exploited only on Linux or Solaris systems, at least one is likely to be exploitable on nearly all systems that run PHP, according to Stefan Esser, the PHP developer who found and reported the problems. A Newsbytes article (link below) reports that would-be intruders are already scanning for these vulnerabilities. So, if you're serving Web pages that include PHP code, it's extremely important that you view the links below and patch or upgrade your server.
FURTHER READING
CERT Advisory CA-2002-05: Multiple Vulnerabilities in PHP fileupload
PHP remote vulnerabilities (ematters)
Webmasters Urged To Plug PHP Security Hole (Newsbytes)
PHP project site
Wireless security scheme cracked even before it's fully deployed
It's well known that "Wired Equivalent Privacy" (WEP), the original security scheme for 802.11b wireless networks, has been shown to be insecure due to small key lengths and a weak encryption scheme. But researchers have now discovered that its proposed replacement -- 802.1x -- is also insecure. A professor and graduate student at the University of Maryland have successfully mounted "session hijacking" and "man in the middle" attacks against the new protocol, which they say can be cracked even if it's combined with the older WEP scheme. Users of wireless LANs -- especially in public places -- would be well advised to "tunnel" their communications through virtual private networks (VPNs), SSH (Secure Shell) sessions, and/or encrypting Web proxies. See the links below for more.
FURTHER READING
Researchers crack new wireless security spec (InfoWorld)
Draft of the 802.1x/D11 Standard
New York Times internal networks hacked
This week, security consultant Adrian Lamo demonstrated that he could exploit well known security holes to break into the internal networks of The New York Times. Once inside, he found that sensitive data -- including the Social Security numbers and home telephone numbers of authors such as William F. Buckley Jr., former president Jimmy Carter, and Rush Limbaugh -- were available to him. According to a story on the SecurityFocus Web site (see link below), the consultant expressed relief that the holes he'd found did not allow him to tamper with the news. However, Lamo had previously discovered that he could change the content published by other media outlets, including Yahoo! News. Lamo was also recently credited with the discovery of a security hole that allowed anyone to retrieve the personal information and password of any SBC-Ameritech.net Internet customer (see last link below).
FURTHER READING
New York Times Internal Network Hacked (SecurityFocus)
NY Times Intranet, Source Database Hacked (Newsbytes)
Sites Revealed Passwords For Thousands Of Ameritech Users (Newsbytes)
HP JetDirect servers, printers subject to DoS Attacks
Hewlett-Packard may not be fessing up to security problems in its JetDirect servers and printers that may allow denial of service attacks. According to an article in The Register and a related posting on Bugtraq, a single rogue SNMP packet may be able to crash the printer or server, leaving it inaccessible. The bug appears to be an instance of the SNMP problems described in the previous ExtremeTech Security newsletter. Currently, the only way to fully protect a vulnerable device may be to place it on a separate network which has been firewalled to protect it from external SNMP traffic.
FURTHER READING
SNMP exploit causes printers to jam (The Register)
HP JetDirect SNMP Denial of Service Vulnerability (SecurityFocus)
Discussions: Biometrics, Combat Webbugs, PC Zombies
I need help finding biometric security software!
BINTIN needs help finding software resources for biometric security. Post your suggestions.
How do I combat webbugs?
ERM needs help finding tools to combat webbugs. Post your links and tips.
Help! My PC is connecting to the Net without my permission!
ERMCDONOUGH's PC is somehow automatically connecting itself to the Internet. Help him solve this mystery.
Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in ExtremeTech.
