SCO DDoS'ed; IE update tackles phishing; RealPlayer updates

This issue's topics:

Introduction:

* SCO DDoS'ed; IE update tackles phishing; RealPlayer updates

Virus News:

* Mydoom DDoSes SCO...

Security News:

* Microsoft releases cumulative IE update 'early'...

* Multiple RealONE and RealPlayer file format vulnerabilities

* Check Point FireWall-1 HTTP parsing update

Introduction:

It has been another quiet week, punctuated by news of the SCO Group's response to the expected DDoS attack from Mydoom victims against its main web presence, and by Microsoft's first 'out of step' security update release since it adopted its 'security updates on the second Tuesday of the month' policy. The out-of-step release has prompted some speculation as to why it was made. There are no publicly known cases of exploitation of the only flaw in the IE cumulative update that Microsoft rates as critical, but there has been widespread abuse of the 'userinfo' field in HTTP URLs, especially combined with another URL spoofing trick involving non-printing characters. The latter has been used in innumerable 'phishing scams', which, although already prevalent in the latter half of last year, seemed to become even more common after the discovery that IE further obscured the real target URL when certain non-printing characters were included in the userinfo part of the scam page's URL (while writing this introduction, I received yet another such scam e-mail, targeting customers of UK Barclays Bank).

Perhaps the only other security news of great significance is the release of security updates for popular media players RealONE and RealPlayer, and for some of Check Point's FireWall-1 products.

Virus News:

* Mydoom DDoSes SCO...

As reported last week, Mydoom has been well-detected since the first antivirus updates following its release early last week. Despite that however, large numbers of Windows users who do not have antivirus software, or at least who have not kept their antivirus software up to date, have unwittingly been engaged in a distributed denial of service (DDoS) attack against www.sco.com for the last couple of days.

In reaction to the magnitude of the attack, the SCO Group has moved its main web presence to www.thescogroup.com and removed www.sco.com from the DNS so the attacking machines would fail to resolve the site's address. If the DDoS payload code in Mydoom cannot resolve the IP address of www.sco.com it drops into a 'sleep for about 30 seconds then retry DNS check' loop, so dropping www.sco.com from the DNS has the least noticeable overall effect on the network, but at the cost of removing the well-known web presence of the SCO Group. As a German online news service put it in a headline 'Mydoom vs. SCO, 1:0'.

MyDoom worm scores hit, knocks out SCO site - computerworld.com

SCO moves Web site as Mydoom attack continues - computerworld.com

Security News:

* Microsoft releases cumulative IE update 'early'...

Indeed, it was not the second Tuesday of the month, but Microsoft did release a critical IE security update earlier this week. As foreshadowed in last week's issue of the newsletter, the forthcoming IE security update Microsoft was promising, which alters IE's handling of invalid HTTP URLs, has arrived. In short, HTTP and HTTPS URLs that include a 'userinfo' component (the 'user:password@' part in front of the host, as defined in the generic URI syntax of RFC 2396) are invalid: individual URL schemes may omit any of the optional generic components, and the HTTP protocol RFCs define the http URL scheme without support for userinfo data (the http_URL grammar in RFC 2616 section 3.2.2 is "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]], with no userinfo part). Thus, this latest cumulative update for IE brings its handling of such URLs into line with the standards IE should have been adhering to all along. Despite this, Microsoft characterizes the change as the removal of a feature rather than as an overdue standards conformance fix.

The MS04-004 cumulative update also includes fixes for three security flaws in IE. One of these Microsoft rightly rates as being of critical severity as it involves a breach of IE's cross-domain security model, allowing remotely specified code to run in the Local Machine (or 'My Computer') security zone (i.e. with almost no security restrictions other than those normally applying to the current user).

Another bug, which in combination with IE's previously incorrect handling of userinfo data allowed the real web site involved in 'phishing scams' and the like to be hidden more convincingly (also discussed in previous newsletters), has also been fixed. Sites using IE should obtain and install this update as soon as practicable. As usual with IE cumulative updates, note the warning in the security bulletin about the interaction between this update and the HTML Help update. Also, if you have in-house applications that depend on IE's erroneous handling of userinfo data in HTTP URLs, pay special attention to this issue and its discussion in the related KnowledgeBase article linked from the security bulletin.

Microsoft Security Bulletin MS04-004
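The following is an added example, not code from the newsletter, from Microsoft or from any phishing kit, showing why the userinfo trick works and what a strict client does about it. It uses the WHATWG URL parser built into Node.js to recover the host a client actually connects to, applies a check that rejects http/https URLs carrying userinfo in the spirit of RFC 2616's http_URL grammar (which is what the MS04-004 change amounts to), and models a naive address-bar display that stops at the first non-printing character. The sample URLs, the hostname evil.example.net and the display model are constructed assumptions for illustration; the display routine is not IE's actual code.

```javascript
// Added example (not from the newsletter or Microsoft): how a URL-parsing
// client resolves an http URL carrying a 'userinfo' component, and a check
// that rejects such URLs as RFC 2616's http_URL grammar implies.
// Relies on the WHATWG URL parser built into Node.js (global `URL`).

// Constructed sample URLs. The first mimics the phishing pattern discussed
// above: the text before '@' looks like the bank, the real host follows the
// '@', and %01 is a non-printing character placed in the userinfo part.
const SAMPLES = [
  "http://www.barclays.co.uk%01@evil.example.net/login",
  "http://www.barclays.co.uk@evil.example.net/login",
  "http://www.barclays.co.uk/login",
];

// Parse with the WHATWG parser; returns null for unparseable input.
function parseUrl(raw) {
  try { return new URL(raw); } catch (e) { return null; }
}

// The host the client will actually connect to, regardless of what precedes '@'.
function realHost(raw) {
  const u = parseUrl(raw);
  return u ? u.hostname : null;
}

// True when the URL carries a userinfo component (username and/or password).
function hasUserinfo(raw) {
  const u = parseUrl(raw);
  return u !== null && (u.username !== "" || u.password !== "");
}

// Strict acceptance check modelled on RFC 2616 section 3.2.2, whose http_URL
// grammar has no userinfo part: http(s) URLs with userinfo are refused.
// Returns true when the URL is acceptable.
function acceptHttpUrl(raw) {
  const u = parseUrl(raw);
  if (u === null) return false;
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  return !hasUserinfo(raw);
}

// Illustrative model (an assumption, not IE's actual code) of a display
// routine that percent-decodes and then stops rendering at the first control
// character: it shows how the non-printing trick hides the '@' and the real
// host from the user.
function naiveDisplay(raw) {
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch (e) { decoded = raw; }
  const m = decoded.match(/[\x00-\x1f\x7f]/);
  return m ? decoded.slice(0, m.index) : decoded;
}

// Summarise a URL: what a naive address bar might show vs. where it goes.
function analyse(raw) {
  return {
    shown: naiveDisplay(raw),
    host: realHost(raw),
    userinfo: hasUserinfo(raw),
    accepted: acceptHttpUrl(raw),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) console.log(s, analyse(s));
}
```

Run it with `node` and compare the `shown` and `host` fields for the first sample: the displayed string ends at the bank's name while the connection goes to the host after the '@'. The `acceptHttpUrl` check is the conservative client behaviour; applications that legitimately relied on userinfo in http URLs will fail it, which is exactly the compatibility issue the bulletin's KnowledgeBase article covers.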

* Multiple RealONE and RealPlayer file format vulnerabilities

Next Generation Security Software (NGSSoftware) researcher Mark Litchfield has uncovered multiple remotely exploitable buffer overflows in the popular RealONE and RealPlayer media players. The problems arise from poor bounds checking on various components of the media formats handled by these players, including formats normally provided as .RP, .RT, .RAM, .RPM and .SMIL files. An attacker who could entice a RealONE or RealPlayer user to play a specially crafted copy of one of these file types could run arbitrary code on the player's machine with that user's privileges.

Jouko Pynnonen has also found some security zone crossing problems in most earlier versions of these products.

Real has made updates fixing these problems available, and obtaining them is described in the RealNetworks security advisory linked below.

Update to Address Security Vulnerabilities - real.com

* Check Point FireWall-1 HTTP parsing update

ISS X-Force researchers have uncovered a vulnerability, described in their alert as format string bugs, in the HTTP Security Server of FireWall-1's relatively new Application Intelligence component. This vulnerability could allow remote, unauthenticated users to run commands in the security context of the firewall process (usually 'system' or 'root').

Check Point has released a hotfix, described in their security alert, linked below the ISS alert.

Checkpoint Firewall-1 HTTP Format String Vulnerabilities - iss.net

FireWall-1 HTTP Security Server Vulnerability - checkpoint.com
