In-Depth

In Brief

Symantec grabs @Stake; JPEG vulnerabilities; Mozilla holes; Sniffer worm

• By Mathew Schwartz
• 09/22/2004

Symantec Grabs @Stake

Information security giant Symantec Corp. announced it will acquire Cambridge, Mass.-based @Stake Inc., a well-known security consultancy. The acquisition is expected to wrap by the end of October.

@Stake’s customer roster includes six of the world’s top 10 financial institutions, four of the world’s top 10 independent software companies, and seven of the world’s top 10 telecommunications carriers.

The acquisition will “expand the capacity and capabilities of our consulting organization, which allows us to better secure the applications that our customers develop and deploy,” says Gail Hamilton, executive vice president of Symantec Global Services and Support, which will absorb @Stake.

@Stake made headlines in September 2003 when (by some accounts) it fired its chief technology officer, Dan Geer, after he participated in a report entitled “CyberInsecurity: The Cost of Monopoly.” The report argued that relying upon a computer operating system monoculture, such as Microsoft Windows, imperiled the country’s information security. Microsoft was also an @Stake client.

- - -

Microsoft JPEG Buffer Overflow Vulnerability

Several Microsoft products are exposed to a JPEG processing buffer overflow problems, warns vulnerability information provider Secunia. It rates the flaws as “highly critical.”

Operating systems and software at risk includes Microsoft Windows Server 2003, Windows XP, Internet Explorer 6, Microsoft Office 2003 and XP, Microsoft Visual Studio .NET, and the Microsoft .NET Framework 1.x, and more.

“The vulnerability is caused due to a boundary error within the GDI+ JPEG Parsing component (Gdiplus.dll). This can be exploited to cause a buffer overflow by tricking a user into viewing a specially crafted JPEG image with any application using the vulnerable component for JPEG image processing,” notes Secunia.

A successful attack would allow arbitrary code to execute with the user’s privileges.

Despite the seemingly dire nature of the threat, however, JPEGs themselves aren’t the problem; it’s just the underlying code, cautions Rob Rosenberger, editor of Vmyths. Nevertheless, he warns of potential social engineering attacks playing up the supposed lethal nature of JPEGs. One possibility is “a hoax virus alert will arise with instructions to delete the JPEG registered file type in Windows … Such a hoax will play on the user’s misconception of the threat.” Deleting the file type also wouldn’t protect against the vulnerability.

For the buffer overflow vulnerability, note while such products as Office 2003 Service Pack 1 and Windows XP Service Pack 2 are not affected, systems may still be at risk “if a vulnerable Office, Visio, or Project application is installed,” notes Secunia. Applications that have installed third-party JPEG image processing software may also have introduced the vulnerability.

Microsoft released patches for the problem, as well as a tool for identifying vulnerable components on a system.

- - -

Mozilla: New Vulnerabilities

Multiple vulnerabilities affect Mozilla, Mozilla Firefox, and Thunderbird, and could allow an attacker to “conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user’s system,” warns Secunia, which rates the vulnerabilities as “highly critical.”

The just-released Firefox 1.0PR, Mozilla 1.7.3, and Thunderbird 0.8 are not vulnerable. All previous versions, however, are at risk.

Some of the risks include boundary errors in “nsMsgCompUtils.cpp,” which a specially crafted e-mail can exploit. Also, insufficient restrictions in some text fields don’t adequately restrict scripts, meaning an attacker could read a target PC’s clipboard. Other problems include incorrect vcard and POP3 mail handling, both of which can be exploited to cause a buffer overflow and execute arbitrary code.

- - -

New Worm Sniffs Passwords

Trend Micro notes a new worm, Worm-SDBot, is making the rounds. Its payload is SDBot, a network-sniffing piece of Trojan software. It runs on Windows 95, 98, ME, 2000, NT, and XP.

The sniffing software can watch and record likely username and password information, and relay that to an attacker via a backdoor. It can also receive instructions via Internet Relay Chat.

This combination of abilities, says Trend Micro, might allow an attacker to “enable this worm to steal information, execute files, launch denial of service attacks, and other potentially damaging activities.”

The worm also looks for several well-known Microsoft vulnerabilities, including the RPC/DCOM exploit, by scanning both random IP addresses and IP addresses within the networks’ subdomain, and notifies the bot when it finds a vulnerability. The bot may then attempt to spread via the vulnerability. Built into SDbot are a number of usernames and passwords, which it uses to try and defeat any password-based security it encounters.

Beyond this, the worm can deactivate antivirus applications, other pieces of malware, and it “is also capable of stealing CD keys of popular Windows games,” notes Trend Micro.