OS X & political worms; virus scanner, PuTTY, QuickTime, RealPlayer patches

I've been having security problems of my own today, with the intrusion detection system of my house (aka 'burglar alarm') interfering with completing 'the watch'. Hopefully a very brief introduction section (written last, of course) may still see this reach my ever-patient mailing list managers in time for it to be posted out Friday...

This issue's topics:

Introduction:

* OS X & political worms; virus scanner, PuTTY, QuickTime, RealPlayer patches

Virus News:

* Mac OS X 'worm'...

* Zafi.C tackles Hungarian PM

Security News:

* McAfee, CA, Kaspersky, Sophos, Eset, RAV antivirus ZIP scanning bypass

* Remote code execution vulnerability in PuTTY fixed

* Apple Remote Desktop patch/update fixes root privilege escalation

* QuickTime update for Mac and Windows

* Critical RealPlayer skins vulnerability patched

* Java for mobile devices flaw affects 250 million mobile phones?

* Home computers riddled with viruses, yet most users feel protected

Introduction:

This week we saw claims of the first worm for Apple's new-generation Macintosh OS, OS X, but as far as anyone can tell these are somewhat overstated. Also, a new Zafi variant just may take off during the next few days (or maybe not!).

On the security front we saw updates for several popular virus scanners to address an issue with them skipping files in specially tweaked ZIP archives; updates for the popular SSH client PuTTY, Apple's QuickTime and RealNetworks' RealPlayer media players; and OS X updates for Apple Remote Desktop. We also include two hopefully interesting items: one about vulnerabilities in J2ME (Java for mobile devices such as cell phones and PDAs), and one about a survey of home users' security awareness compared with what was actually found on their machines.

Virus News:

* Mac OS X 'worm'...

A Mac OS X-specific 'hacking tool' has been garnering a lot of media attention the last few days. It has variously been reported as a virus, a worm, a rootkit and a backdoor.

In reality, it is both none and all of those things. The main component of SH/Renepo is a Unix shell script (recall, OS X has deep Unix roots) that depends on running with root privileges. It has apparently been reported 'in the wild', but only in very limited numbers. At its simplest (there are several evolutionary generations) SH/Renepo alters its victim's startup configuration and can be easily tweaked to add all manner of further undesirable functionality, running backdoors, keyloggers, password stealers or crackers, spam relays, DDoS or bot-net agents, etc, etc, etc.

Included in that list of other functionality could be self-spreading using any of the methods commonly used by other self-mailing and network crawling malware. To date no-one has reliably and verifiably reported such a variant or combination spreading any of the Renepo scripts, so it would seem that claims for this being the first OS X worm are a tad overblown.

Computer Associates Virus Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Zafi.C tackles Hungarian PM

Last week Helen Clark may have thought she had it tough with media attention over the John Tamihere 'situation', but perhaps she should spare a thought for her Hungarian equivalent, Ferenc Gyurcsany...

The latest variant of the Zafi virus family, Zafi.C (also known as Erkez.C), includes, among other payloads, a distributed denial of service against his official web site.

Like its forebears, Zafi.C is a mass-mailer, and like Zafi.B it is multilingual. Zafi.B was a bit of a sleeper, not seeming to get much traction in the first few days it was 'in the wild', but then it picked up with a vengeance and has now been consistently ranking in 'top ten' listings for several months. It is unclear yet whether Zafi.C will follow Zafi.B in this pattern or not, though it is not being seen in large numbers yet!

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* McAfee, CA, Kaspersky, Sophos, Eset, RAV antivirus ZIP scanning bypass

iDEFENSE has reported a method by which the contents of a ZIP archive can evade scanning by multiple virus scanners.

ZIP archives store information about the files within themselves in two places - in the 'central directory' (which is stored at the end of a ZIP archive) and in a header at the beginning of each file's compressed stream within the archive file. It turns out that several popular unzippers, including WinZip and the ZIP handlers in Windows XP, happily handle ZIP archives where the original (uncompressed) file size value in either or both locations is set to zero.

Several virus scanners apparently try to save some time by skipping files within ZIP archives that are recorded as having zero length. If a self-mailing virus employed the trick above, it could avoid detection by the affected virus scanners yet still viably spread in such specially modified ZIP archive files. Responses from the vendors listed above are available in the iDEFENSE security advisory, linked below.

Current versions of several other vendors' products were tested and not found vulnerable to this bypass, but note that earlier versions of all products may still be vulnerable to this scanning bypass.
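To make the two-location size trick concrete, here is an added example (not from the advisory or any vendor's code) that builds a small ZIP in memory, zeroes the uncompressed-size field in both the local file header and the central directory, and then contrasts a naive scanner that trusts the declared size with one that inflates every member regardless. The marker string and file name are constructed for the demonstration.

```python
import io
import struct
import zipfile
import zlib

# Constructed stand-in for a signature a scanner looks for (not a real malware signature).
SIGNATURE = b"SCAN-TEST-MARKER"

def build_archive(payload: bytes, zero_sizes: bool) -> bytes:
    """Write a one-entry DEFLATE ZIP; optionally clear the uncompressed-size
    field in both places the advisory names: local header and central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.txt", payload)          # constructed member name
    data = bytearray(buf.getvalue())
    if zero_sizes:
        eocd = data.rfind(b"PK\x05\x06")                        # end-of-central-directory record
        cd = struct.unpack_from("<I", data, eocd + 16)[0]       # central directory offset
        lho = struct.unpack_from("<I", data, cd + 42)[0]        # entry's local header offset
        struct.pack_into("<I", data, lho + 22, 0)               # local header: uncompressed size
        struct.pack_into("<I", data, cd + 24, 0)                # central dir: uncompressed size
    return bytes(data)

def central_directory(archive: bytes):
    """Yield (name, method, declared_uncompressed_size, compressed_stream) per entry."""
    eocd = archive.rfind(b"PK\x05\x06")
    count, _cd_size, pos = struct.unpack_from("<HII", archive, eocd + 10)
    for _ in range(count):
        (method, _crc, csize, usize, fnlen, exlen, cmtlen,
         *_rest, lho) = struct.unpack_from("<H4xIIIHHHHHII", archive, pos + 10)
        name = archive[pos + 46:pos + 46 + fnlen].decode()
        lfn, lex = struct.unpack_from("<HH", archive, lho + 26)   # local header name/extra lengths
        start = lho + 30 + lfn + lex
        yield name, method, usize, archive[start:start + csize]
        pos += 46 + fnlen + exlen + cmtlen

def naive_scan(archive: bytes) -> bool:
    """Flawed scanner: trusts the declared size and skips 'empty' members."""
    for _name, _method, usize, stream in central_directory(archive):
        if usize == 0:
            continue                                  # the shortcut the bypass exploits
        if SIGNATURE in zlib.decompress(stream, -15):
            return True
    return False

def robust_scan(archive: bytes, max_bytes: int = 1 << 20) -> bool:
    """Hardened scanner: inflate every stream whatever the header claims, with an
    output bound so a mislabelled member cannot exhaust memory (zip-bomb guard)."""
    for _name, method, _usize, stream in central_directory(archive):
        content = (zlib.decompressobj(-15).decompress(stream, max_bytes)
                   if method == 8 else stream[:max_bytes])   # 8 = DEFLATE, 0 = STORED
        if SIGNATURE in content:
            return True
    return False
```

The same parser is a handy regression test for any archive-aware scanner: feed it both archives and require that the zero-size variant is still flagged.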

Multiple Vendor Anti-Virus Software Detection Evasion - idefense.com

* Remote code execution vulnerability in PuTTY fixed

As a rule we don't carry warnings about beta, 'pre-release' or 'version zero-point-something' applications and OSes, but when they are very widely distributed and used, we make an exception. PuTTY is one such application, being a widely used and distributed free implementation of Telnet and SSH for Unix-ish and Win32 platforms.

iDEFENSE has released a security advisory describing a buffer overflow in PuTTY's handling of malformed SSH2_MSG_DEBUG packets. This vulnerability would allow a PuTTY client to be attacked by an SSH server it had connected to, potentially running code of the attacker's choice with the privileges of the user running the PuTTY SSH client.

PuTTY 0.56 has been released to correct this critical security problem and PuTTY users are encouraged to obtain the relevant updates. Several Linux distributions include PuTTY and update packages are available for some of these already. The IPv6 version of PuTTY has also been updated to incorporate this fix.

PuTTY SSH2_MSG_DEBUG Buffer Overflow Vulnerability - idefense.com

PuTTY home page - greenend.org.uk

PuTTY IPv6 home page - unfix.org

* Apple Remote Desktop patch/update fixes root privilege escalation

Under specific circumstances, during the OS X 10.3 login process a user can run programs behind the login window with root privileges. The exact details are described on Apple's 'Security Updates' page, linked below.

The fix is either to install the Remote Desktop patch included in the latest security updates, or to update to Remote Desktop 2.1. If the latter option is chosen, please note the warning about updating the Remote Desktop Admin components before updating Remote Desktop Client!

Apple Security Updates - apple.com

Apple Remote Desktop 2.1 updates (admin) - apple.com

Apple Remote Desktop 2.1 updates (client) - apple.com

* QuickTime update for Mac and Windows

Apple has released Mac and Windows updates for its QuickTime media player to correct two critical vulnerabilities. One is a Windows-specific arbitrary code execution vulnerability discovered by Next Generation Software Security (NextGenSS). The other is a heap-based buffer overflow in the processing of malformed BMP format images that affects both Mac and Windows versions. Patches for the latter vulnerability were included in Security Update 2004-09-30 but only for Mac OS X 10.2.8 and 10.3.5. The new patches cover Mac OS X 10.2.8, 10.3.x and Windows ME, 2000 and XP.

High risk vulnerability in Quicktime for Windows - nextgenss.com

QuickTime Player download page - apple.com

* Critical RealPlayer skins vulnerability patched

RealNetworks has released patches for several versions of the Real media players affected by one (or possibly more) buffer overflows in the products' handling of skins files.

Both eEye Digital Security and Next Generation Software Security (NextGenSS) have published security advisories describing a buffer overflow in the RealPlayer code that handles skins files. RealPlayer's skins files are really just ZIP archives renamed with a '.RJS' extension. The eEye advisory describes some of the details of the flaw eEye researchers found, explaining that very long filenames (somewhat more than 32,000 characters) included in a skins file could be reliably used to overwrite the stack and run arbitrary code with the privileges of the user running RealPlayer. NextGenSS, in accordance with its 'wait three months' policy, has only released the briefest of statements, but states that RealNetworks has released patches.

The RealNetworks security update page strongly suggests there is only one vulnerability and mentions some details matching those in the eEye description, so it seems likely that both eEye and NextGenSS independently found the same flaw.

Windows versions of RealPlayer 10.5 (6.0.12.1053 and earlier), RealPlayer 10, RealOne Player v2 and RealOne Player v1 are affected and RealNetworks recommends that users of these products use the 'Check for Update' item on the program's 'Tools' menu to obtain the necessary patch. More details on achieving this are available from the page at real.com linked below.

RealPlayer Zipped Skin File Buffer Overflow - eeye.com

High risk vulnerability in RealPlayer - nextgenss.com

Update to Address Security Vulnerabilities - real.com

* Java for mobile devices flaw affects 250 million mobile phones?

Adam Gowdiak, a Polish security researcher at the Poznan Supercomputing and Networking Center, claims to have found two serious flaws in the Java bytecode verifier of Sun's reference implementation of Java technology for mobile devices (Java 2 Micro Edition; J2ME). Gowdiak believes that as many as 250 million mobile phones made by Motorola, Nokia, Panasonic, Samsung, Siemens and others carry defective versions of J2ME.

The bytecode verifier is the cornerstone of any Java implementation's security, and Gowdiak claims both vulnerabilities can be exploited to gain access to the host device's entire memory and underlying operating system. As fundamental as such flaws are, however, a major feature of Java-based systems is that the Java Virtual Machine renders code that runs in it essentially device independent. Thus, exploiting flaws of the type Gowdiak has uncovered still leaves an attacker facing the issue of interfacing their code to the underlying device operating system and/or hardware, which can vary greatly from device to device, even among devices from the same manufacturer.

Still, 250 million mobile phones might be an enticing enough target, even if the result was a nasty denial of service on most of the devices because the attack code launched through a J2ME bytecode verifier exploit was specific to only one, or a few, of the vulnerable models. Of course, to turn this into a self-spreading attack, some method of automatically downloading a Java midlet to a potential victim device and executing it, or some way of enticing the device's user to accept and run such a midlet, must be found, and for now there are no known ways to achieve the former.

Gowdiak claims Sun Microsystems' plan not to release an advisory about these vulnerabilities prompted the public announcement of his discoveries. Sun is said to have sent its J2ME licensees an updated version of the bytecode verifier that addresses the issues Gowdiak discovered.

Archived Bugtraq list message - securityfocus.com

* Home computers riddled with viruses, yet most users feel protected

Giant ISP America Online (AOL) and US non-profit National Cyber Security Alliance (NCSA) have reported the findings of a survey of 329 home user computers and the attitudes of their owners to security. More than two-thirds of the home computer users in the survey felt they were safe from online threats, yet 20% of computers surveyed were infected with a virus or worm and 80% had one or more adware or spyware programs installed.

Further details of the survey results, and a discussion of the disconnect between users' perceived online safety and the actual state of their computers, are included in the linked news article.

Your PC May Be Less Secure Than You Think - pcworld.com
