Little Bits and Pieces
The ongoing issue with the recent Internet Explorer arbitrary code execution vulnerability continues to worsen, with active exploitation by at least one new system worm. There is some speculation that Microsoft will be issuing an out-of-cycle patch for the Internet Explorer issue, although their scheduled monthly patch release is set for December 13.
The argument for the out-of-cycle patch is that Microsoft have known about the root flaw that allows the code execution for at least six months, and the criticality of the developed vulnerability; while the argument against an out-of-cycle patch is that some regard the issue to be a design error which would require a significant overhaul of the Internet Explorer code base in order to correct the flaw. Whichever way it turns out, it is essential that users of Internet Explorer apply whatever patches are made available, as soon as they are released.
Although not as critical as the Internet Explorer flaw, exploit code has been published for recently patched vulnerabilities, those patched by MS05-051 and MS05-053. A fully updated system will not be vulnerable to exploits developed from the sample code, but it should be a reminder to those who have not patched their systems that they should expedite the process. The sample exploit code would result in Denial of Service style attacks against vulnerable systems.
While fairly active attention was focussed on active and patched vulnerabilities in Microsoft products, Apple Computer released their latest security patch for their OS X Operating Systems. Released for their 10.3 and 10.4 product lines, the Security Update 2005-009 release fixes a number of fairly serious, and not so serious, vulnerabilities in included third party software and some core components of the Operating System. While most of the third party vulnerabilities, such as those affecting the Apache web server, were previously known about, the serious core Operating System vulnerabilities were not. Either Apple were able to encourage the discoverers to keep quiet about their discoveries, or they were discovered in house. Irrespective of the reason, it is an interesting difference to the way that recent Microsoft vulnerabilities have been disclosed and handled.
The news isn't all good for Apple, however, with initial reporting of vulnerabilities leading to arbitrary code execution through QuickTime, at least for the Windows implementation, for the most recent versions. The last update for QuickTime was to fix another arbitrary code execution issue, and it is not known whether the new claimed vulnerability is related in any way to the fixed vulnerability.
Also from previous weeks, and the high profile recent variants of the Sober email worm have started to include the UK National High Tech Crime Unit (NHTCU) as one of the spoofed senders, joining the FBI, CIA and other agencies as spoofed From: addressers. With less than a calendar month remaining in the year, it will take a fairly significant effort from another email-based worm to displace the latest Sober variants from the title of most significant email-based worm for 2005.
Amongst other movement in the so-called hacker 'underground' recently, European security firm, Zone-h, apparently found itself the victim of an online defamation. At some stage in the previous couple of weeks, a Google Groups group was established with the name 'Zone-h The Internet Thermometer', which is a phrase Zone-h does use to describe themselves. Rather than providing discussion ground for security news and efforts, the group appeared to be used for the solicitation and trade of hacking services. Zone-h (the real one) has issued a press release publicly denying any involvement with hacking services, offers for hacking, and other illegal activities promoted through the group.
It now appears that several members of the Google Groups group took advantage of a slip in moderation to redirect the focus of the group, and at least one Zone-h moderator has re-appeared to take back control of the group.
Researchers who are investigating weaknesses in common cryptographic hashing functions (one-way encryption which is commonly used for validating integrity of files and protecting passwords in applications) have released further samples of collisions (two different original samples producing the same encrypted result) under a range of common functions. While the presence of collisions has been known for some time, it was believed that generating products that collide under multiple hashing algorithms at the same time was practically improbable.
The released samples now include eight files with the same MD5 hash and two Windows executables with the same MD5 hash, the same CRC32, the same checksum 32, and the same checksum 16. While it is still practically improbable for any useful exploitation of the collisions found (i.e. starting with an arbitrary original file / content and then modifying it in a meaningful way), it does bring it another step closer and does show that multiple hash algorithm collisions can exist for the same content.
Finally, a fairly serious vulnerability was disclosed in a range of Cisco IOS versions, which could provide a remote attacker with complete control over vulnerable networking hardware. Designed to take advantage of the web server that is included with latter versions of IOS, the vulnerability, and published exploit code, makes use of functions that dump the memory of the networking device for an administrator to review.
By being able to inject arbitrary commands into the network traffic which the device then retains in memory, it was discovered that the commands would be executed if the administrator ran the appropriate scripts. What prevents this from being a massive problem is that the web server feature of the vulnerable IOS versions is not enabled by default, and the known attack is limited to a small set of specific scripts. The other downside, in addition to compromising targeted hardware, is that the attack can compromise all networking devices it passes through en route to the targeted device. provided that they have the same feature enabled.
Cisco have not been able to release a patch for this issue, and their current advice is for affected users to disable the web server.
5 December 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.