Vulnerabilities roundup for May 18 - 22, 2009
Takeaway
This week has been a headache for the major web software vendors, especially Red Hat Linux and other distributions. Windows users are being targeted by highly critical vulnerabilities in Winamp and Quicktime. Mac users are affected by a flaw in Calendar Objects for Java. So far, between May 18 and 22 there have been at least 85 vulnerability advisories reported by the security investigators at Secunia, 17 of which are rated as "highly critical." I counted at least 7 SQL flaws that can be or are being exploited to inject hostile redirection codes into websites.
Windows Vulnerabilities
On 5/18/09, Secunia reported an unpatched flaw in Winamp 5.x that can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused by the use of vulnerable libsndfile code. Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in version 5.552, but other versions may also be affected. Since this vulnerability is currently unpatched, the best advice is to not open untrusted files in Winamp.
A highly critical vulnerability was reported in Apple QuickTime 7.x, on 5/22/09, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site. This flaw is new and unpatched, so you are advised to not browse untrusted web sites, or open PICT files from untrusted sources.
Read about the vulnerabilities affecting other operating systems and software in my extended comments.
Microsoft Internet Information Services (IIS) WebDAV Request Vulnerability
US-CERT is aware of public reports of a vulnerability affecting Microsoft Internet Information Services 6 (IIS6). Reports indicate that this vulnerability is due to improper handling of Unicode tokens. Exploitation of this vulnerability may allow a remote attacker to bypass authentication methods, allowing an attacker to upload files to a WebDAV folder or obtain sensitive information. If you run Microsoft IIS servers, implementing the following workarounds will help mitigate the risks until a patch or update is available from Microsoft.
- NTFS file ACLs will generally prevent the anonymous internet user from writing to an unauthorized area.
- Disable WebDAV if it is not needed
- Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing "Translate: f" headers.
Please note that disabling WebDAV may affect the functionality of other applications such as SharePoint. Microsoft has released Security Advisory 971492 to provide information about this vulnerability and its workarounds.
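The third workaround above amounts to a header-matching rule. The following Python is an added illustration of that rule (not from the advisory or from any IDS product): it parses a raw HTTP request, treats addresses outside a configurable list of internal networks as external, and refuses external requests carrying a "Translate: f" header. The sample requests and the internal-network list are constructed assumptions; the case-insensitive match on the header value is also an assumption, chosen to err on the side of refusing.

```python
import ipaddress

# Constructed sample requests (not captured traffic): a WebDAV request carrying
# the "Translate: f" header named in the workaround, and an ordinary GET without it.
SAMPLE_WEBDAV_REQUEST = (
    "PROPFIND /webdav/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Translate: f\r\n"
    "Depth: 1\r\n\r\n"
)
SAMPLE_PLAIN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

# Assumed address plan: everything outside these networks is "external" traffic.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_request(raw):
    """Minimal HTTP/1.x request parser: returns (method, target, headers).
    Header names are lowercased because they are case-insensitive in HTTP."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_external(client_ip):
    """True when the client address is not inside any INTERNAL_NETWORKS entry."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def should_refuse(client_ip, raw_request):
    """The advisory's IDS workaround: refuse external requests that carry
    'Translate: f'. The value is compared case-insensitively (an assumption
    erring on the side of blocking); internal clients are left alone."""
    if not is_external(client_ip):
        return False
    _, _, headers = parse_request(raw_request)
    return headers.get("translate", "").lower() == "f"


if __name__ == "__main__":
    for ip, req in [("203.0.113.5", SAMPLE_WEBDAV_REQUEST),
                    ("10.0.0.8", SAMPLE_WEBDAV_REQUEST),
                    ("203.0.113.5", SAMPLE_PLAIN_REQUEST)]:
        verdict = "refuse" if should_refuse(ip, req) else "allow"
        print(ip, req.split("\r\n")[0], "->", verdict)
```

Internal WebDAV clients (SharePoint, Office) keep working because only external sources are refused; tune INTERNAL_NETWORKS to your own ranges.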
Vulnerabilities affecting other OSes
Mac OS X users are being targeted again, this time by a highly critical vulnerability in Calendar Objects for Java, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the de-serialisation of Calendar objects in Java for Mac OS X. This can be exploited to escape the Java sandbox and execute arbitrary code, e.g. when a user visits a web page containing a specially crafted Java applet. The vulnerability is confirmed in Mac OS X 10.5.7. Other versions may also be affected. Until this is patched, Mac OS X users should disable Java applets in their browsers and disable 'Open "safe" files after downloading' in Safari.
Linux Vulnerabilities
I counted 28 new or updated vulnerabilities reported in various distributions of Linux, including 12 in Red Hat products alone. Ubuntu and Debian are also affected and are in need of security package updates. If you use Linux workstations (desktops) or servers you need to begin checking for updates this weekend. Ubuntu has already released a patch for the new exploits, which affect all releases up to 9.04.
Applications were not left out of this week's vulnerabilities. I see at least 7 SQL Injection flaws in various web applications, including Coppermine Photo Gallery, DM File Manager and Drupal E-mail Verification.
Coppermine Photo Gallery Vulnerabilities
Coppermine has released an update, v1.4.23, to fix this flaw, so it is important that all users who run version cpg1.4.22 or older update to this latest version as soon as possible.
Drupal Vulnerabilities
The Drupal vulnerabilities are reported in versions prior to 5.x-2.1 and 6.x-1.2. They can be exploited by malicious people to conduct script insertion attacks and by malicious users to bypass certain security restrictions. If you administer a server that runs this software you should check with the Drupal Email Verification page to get an update.
DM FileManager "username" SQL Injection Vulnerability
A vulnerability has been reported in DM FileManager, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed to the "username" parameter in login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that "magic_quotes_gpc" is disabled.
The vulnerability is reported in version 3.9.2. Other versions may also be affected.
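The flaw described above is the classic pattern of request input concatenated into a SQL string, with magic_quotes_gpc as the only thing standing between a quote character and the query structure. The Python below is an added illustration of that pattern beside its proper fix; it is not DM FileManager's code, and the in-memory SQLite user table is a constructed stand-in for the application's database. The parameterised version treats the username as data no matter what PHP's magic quotes setting is.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the advisory describes: the 'username' value is pasted into the
    query text. With magic_quotes_gpc off nothing escapes a quote, so a quote in
    the username ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Parameterised query: values travel separately from the statement, so a
    quote in the username is compared as data. This does not depend on
    magic_quotes_gpc or any other input escaping."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Run the same credentials through both versions; returns (vulnerable, fixed)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_fixed(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    # A username containing a quote and a trailing SQL comment: the vulnerable
    # version logs in without the password, the fixed version does not.
    print(compare("alice", "correct-horse"))   # (True, True)
    print(compare("alice' --", "wrong"))        # (True, False)
```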
Spam Campaigns
Attacks against people using Google Searches and website owners continued this week, this time featuring the Cutwail Botnet. It is responsible for a substantial spam campaign promoting Acai Berry remedies and other useless drugs and herbal solutions. Some links lead to the fake Canadian Pharmacy websites that are unknowingly hosted on botnetted personal computers. Other links redirect hapless visitors to hostile web pages where exploits will be launched against their browsers and third party software. Unpatched versions of Adobe Reader and Flash are being targeted by these drive-by attacks.
Gumblar Malware Exploit Circulating
The so-called Gumblar exploit attacks have been ongoing since March and are picking up steam this week. Gumblar has been described as "a Botnet of compromised websites" by security company ScanSafe. One of Gumblar's functions is to poison Google search results so that as many people as possible can be tricked into visiting Gumblar-coded web pages.
According to this CERT Advisory, the first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them, usually via unsecured PHP scripts or SQL database exploits. Reports indicate that these website infections occur primarily through stolen FTP credentials, but sites may also be compromised through poor configuration settings or vulnerable web applications. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.
Browsing Security Best Practices
Obviously, if you are browsing the Internet and following links and you have not been keeping your browser add-ons and plug-ins updated, you are in extreme danger of being exploited by any number of hostile codes that are running all over the Internet. I urge you to use the Secunia Online Software Inspector, or their Personal Software Inspector, to stay current with Windows and third party patches and updates. When the Software Inspectors report that you have insecure applications on your computer you need to uninstall them and upgrade to the latest, secure versions. Links are provided in the reports so you can go directly to the vendor's download pages for patches.
That's all for today folks. Be sure you visit the vendor's websites listed in these vulnerabilities to watch for and obtain updates or patches as they are released.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.