In-Depth

In Brief

RealPlayer and JPEG vulnerabilities; security insurance

• By Mathew Schwartz
• 10/06/2004

RealPlayer Vulnerability

RealOne Player, RealPlayer, and the Helix Player have several “highly critical” vulnerabilities, reports vulnerability information service provider Secunia. The problems could, which could let an attacker remotely compromise a user’s system or delete files on a targeted Windows PC, have been reported in multiple versions of the products.

The first vulnerability, while unspecified by Real, would allow an attacker to exploit RM files running locally by letting them execute arbitrary code.

The second involves “embedding the player on a malicious Web site,” then making specially crafted—malformed—calls to it that could then execute arbitrary code.

The third vulnerability is also unspecified, but would allow a malicious Web site to delete local files.

Real released updates to all affected products to counter the vulnerabilities.

More information:
http://www.service.real.com/help/faq/security/040928_player/EN/

- - -

JPEG Exploits Appear

Malicious JPEGs that exploit the Microsoft Windows JPEG vulnerability have been released for Windows NT, 2000, XP, and 2003. If users click the malicious JPEG while in Windows Explorer, they could be hacked.

Security researchers mitigated the threat by identifying and removing from the Internet the FTP server the malicious JPEG used to download malicious code. In its unmitigated form, the JPEG exploit installed a Trojan back door and downloaded approximately 2 MB of code from the FTP server, though it did not appear to self-replicate.

While most of this exploit’s threat has been mitigated, it offers insight into how attackers might use the JPEG vulnerability to compromise systems, as well as highlight who’s at risk. As security researcher John Bissell explains on the Easynews.com site, “For the people out there who think you can only be affected through viewing or downloading a JPEG attachment, you’re dead wrong.” He notes an attacker can rename the JPEG file, perhaps with a .bmp or .tif extension, and Windows will still treat the file as if it’s a JPEG, triggering the vulnerability.

Users can determine if they’re infected by investigating the “c:\windows\system32\system\” directory. If two files—nvsvc.exe and winrun.exe—are present, it’s the Trojan code.

Regardless of infection or not, security experts recommend users patch their systems. Microsoft Windows XP users in particular can download SP2.

Related Article:

JPEG Vulnerabilities
http://www.esj.com/Security/article.aspx?EditorialsID=1125

- - -

Technology Alone Can’t Combat Crackers

Technology alone won’t better secure organizations against crackers, argues John Quarterman, one of the pioneers of the Internet.

Speaking at internet2, a consortium pushing technology and standards for the next-generation Internet, Quarterman says companies need incentives for improving their information security programs. Yet companies will never be able to counter every information security challenge, he also says, pointing to such recent events as Akamai’s DNS outage, various Internet Explorer exploits, and Hurricane Ivan, which severed Internet connectivity to the Cayman Islands.

His recommendation is to complement technology with risk-transfer strategies. “The development and implementation of insurance and other risk management strategies will lead to more and better use of technical security measures, because insurers will require it, just as they require sprinkler systems for fire insurance,” he says.

Such non-technical approaches will become mandatory, he believes, simply because of technology’s fallibility. “Most technical security measures are good, but each has its limitations.” For example, he says, “intrusion detection requires predicting exploits and does nothing about increased network traffic from organizations that are not using intrusion detection.” At the same time, while authentication and authorization can let approved people in, they “do nothing about slowdowns.”

The solution to that—autonomic networks—“may be able to monitor themselves, but how do we know their monitoring features have not been compromised, and, if they have self-healing capabilities, how does one guarantee those are not used against the network?”

Thus, he argues, companies have a need for non-technology approaches to help them effectively protect against information security threats.

- - -

Study: Unchecked Viruses Haunt UK

Five percent of IT managers in Britain say their systems are currently infected by a virus, and 12 percent acknowledge not updating their software frequently enough.

For many companies, “the battle against viruses continues to rage,” despite the availability of tools to solve the problem, notes David Clark, managing director of emedia. The company just released its RapidResearch Quarterly IT Security Survey which questioned British IT managers.

Many IT managers are at least aware of the virus and updating problem, notes emedia. In fact, the biggest wish of almost a third of IT managers would just be the ability to keep their technology more up to date.

Notwithstanding some companies’ lack of diligence, extant viruses don’t appear to be translating directly to the bottom line. Managers say security incidents don’t kill their budgets; only five percent of respondents said cost was the most negative effect of an incident. Security incidents play havoc in other ways, however, with IT managers saying the two biggest problems are time spent battling the incidents, plus the disruption they cause.

Despite perceived shortcomings, however, many organizations plan to spend little on IT security this year. Half attribute that fact to senior managers’ lack of information security interest. In addition, 61 percent of those surveyed expect security incidents to get worse next years.