Category: Warnings

One of these, a boundary error that can cause a heap-based buffer overflow via a TCP or UDP request, may be used to execute malicious code on a system; MIT warned a successful attack could allow access to the entire authentication realm protected by the KDC.

Two of the flaws affect the Key Distribution Center (KDC), which authenticates users. One of these, a boundary error that can cause a heap-based buffer overflow via a TCP or UDP request, may be used to execute malicious code on a system

A third flaw, affecting the krb5_recvauth() function, could allow a remote attacker to take over a system. However, the but is a double-free error, where a program attempts to free memory that’s already been freed. “Exploitation of double-free vulnerabilities is believed to be difficult,” MIT said in its advisory.

[Editors note: Microsoft’s implementation of Kerberos should not be affected since they coded their particular implementation internally]

http://www.xatrix.org/article3963.html

“We’re starting to see a trend in vulnerability discovery where people are going after file format vulnerabilities,” said Michael Sutton, the director of iDefense Labs, the research arm of Reston, Va.-based security intelligence firm iDefense. “There have been numerous vulnerabilities found in image file formats and multimedia file formats,” Sutton went on. “Actually, the vulnerabilities don’t exist in the files themselves, but in the programs that read and interpret them.”

That’s the case with the Word vulnerability that Microsoft disclosed Tuesday. According to Microsoft’s security bulletin and iDefense’s own analysis, a specially-crafted Word file (in .doc format) containing extra-long font data can cause Word 2000 and Word 2002 to fail, and give the attacker complete access to the machine.

“If everyone plays by the [file format] rules, everything works fine,” said Sutton. “But what happens if I don’t follow that format?” The reason why attackers are increasingly looking for file format processing flaws, said Sutton, is that users are leery about accepting executable files, and most enterprises have blocked them from arriving as incoming e-mail attachments.

http://informationweek.com/story/showArticle.jhtml%3Bjsessionid=XQXHGZHLNPNA4QSNDBGCKHSCJUMEKJVN?articleID=165702181

In Windows 2000, Windows XP and Windows Server 2003, Microsoft uses TCP Port 445 to run SMB directly over TCP/IP to handle the sharing of files, printers, serial ports, and also to communicate between computers.

She said software engineers at Redmond would continue to analyze and monitor for any malicious activity but stressed that she was not aware of any customers being attacked via sniffing against TCP Port 445 and have not received any indication of malicious activity associated with MS05-027.

John Pescatore, VP of security research at Gartner Inc., said the reports of increased sniffing on Port 445 are a “serious concern for enterprise security managers” because such activity usually means a mass attack is imminent.

“[Administrators must] immediately review all firewall policies (including those covering personal firewall software) to ensure that Port 445 access is blocked wherever possible [and] update all intrusion prevention system filters (both network- and host-based) to block attempts to exploit this vulnerability,” Pescatore added.

http://www.eweek.com/article2/0,1759,1830698,00.asp?kc=EWRSS03119TX1K0000594

This week, security company Symantec sorted through low-volume e-mail threats submitted to its response team for analysis and found several that had targeted U.S. government agencies or had been submitted to Symantec from government sources in the United States. Two programs that fit the profile–identified by Symantec as Trojan.Mdropper.B and Trojan.Riler.C–were among the threats warned about by the NISCC.

Last month, law enforcement agencies in Israel found that private detectives had allegedly used targeted Trojan-horse programs to steal information from their clients’ competitors, according to press reports.

The latest attacks are targeted at only a few companies or government agencies at a time and show signs of significant background research into the target, said Mark Sunner, chief technology officer for e-mail security firm MessageLabs.

While data on the attacks is scarce, with the company only detecting two attacks per week, they are a serious threat, he said.

The United States Computer Emergency Readiness Team, or US-CERT, has not released a statement on the NISCC advisory.

The stealthy attacks have frequently been sent to a specific person at the targeted organization and show that attackers are researching the best way to convince the victim that the document containing the Trojan horse is real. Moreover, tradition e-mail-borne mass-mailing viruses typically have not stolen documents. Both MyFip and the latest string of attacks discovered by MessageLabs and NISCC appear to come from China.

http://www.securityfocus.com/news/11222

The bug, involving flaws in the processing of maliciously crafted DNS (Domain Name System) packets, also affects some of Cisco’s content networking and secure router products. The vulnerability is limited to Cisco products running DNS clients, rather than DNS Server functions, and creates a means for remote attackers to crash vulnerable devices, Cisco warns.

Cisco has made a series of free software upgrades available to address the vulnerability.

The scope of the vulnerability – and the number of products affected – promises to create a lot of work in Cisco shops, so users are advised to scope out remedial work sooner rather than later.

More technical details (but not a list of affected vendors) can be found in a UK government UNIRAS alert here: http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html

http://www.theregister.co.uk/2005/05/26/cisco_dns_glitch/

On its Web site, NISCC said a flaw in the IPsec VPN protocol could allow hackers to obtain a text version of encrypted communications with only “moderate effort”.

The flaw, which NISCC rated as ‘high risk’, makes it possible for an attacker to intercept IP packets travelling between two IPsec devices and modify the encapsulation security payload — a sub-protocol that encrypts the data being transported. This could ultimately expose this data to an unauthorised third party.

On its Web site, NISCC wrote: “By making careful modifications to selected portions of the payload of the outer packet, an attacker can effect controlled changes to the header of the inner (encrypted) packet…If these messages can be intercepted by an attacker, then plaintext data is revealed.”

NISCC has published a number of solutions to this issue.

http://news.zdnet.co.uk/internet/security/0,39020375,39198102,00.htm