Sun Solaris/Apache, Netscape/Sun, Winamp Vulnerabilities
Sun Solaris/Apache Warning
Secunia warns of a “highly critical” vulnerability in Apache for the Sun Solaris 8 and 9 operating systems on both SPARC and x86 platforms. These vulnerabilities “can be exploited to bypass certain security restrictions, cause a DoS (denial of service), or potentially compromise a vulnerable system,” says the vulnerability information provider. The flaw could also be used to deface a Web site.
Apache Web Server must be both configured and running on a system for it to be vulnerable.
Sun notes the vulnerability could let an attacker execute arbitrary code “with privileges of the Apache HTTP process.” That process “normally runs as the unprivileged uid ‘nobody’ (uid 60001).”
Sun released a preliminary patch for Sun Solaris 9. Unfortunately, says Sun, companies won’t know if the vulnerability has been exploited. “There are no reliable symptoms that would indicate any of the described issues have been exploited to gain unauthorized uid ‘nobody’ access to a host.”
- - -
Netscape and Sun NSS Vulnerability
Internet Security Systems (ISS) X-Force warns of a vulnerability in multiple Netscape products, as well as Sun One, that could let an attacker execute arbitrary code during SSLv2 connection negotiation.
ISS says the vulnerability, in the network security services (NSS) library, “may result in remote compromise of products making use of this library for Secure Sockets Layer (SSL) communication.”
All versions of Netscape Enterprise Server and Sun One are affected. Both products are “widely used commercial Web server platforms which make use of the NSS library,” notes ISS.
Other products that use the NSS library are also affected. They include all versions of Netscape Personalization Engine, Netscape Directory Server, and Netscape Certificate Management Server. The ready availability of the NSS library, “an open-source component from the Mozilla Foundation,” says ISS, means other NSS-using applications may exist, and may also contain the vulnerability.
The vulnerability exists because of an SSLv2 flaw; it “fails to validate the length of a record field” while parsing the initial record, says ISS. A successful attack “will grant an attacker the privilege level at which the Web server was executing. On Windows platforms, this will likely be full system privileges,” while other platforms may be given non-root access.
Mozilla has released an NSS update to patch the vulnerability. Companies can also disable SSLv2 to mitigate the vulnerability.
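An added example, not code from NSS, Netscape or Sun: a small C parser for the SSLv2 CLIENT-HELLO record that performs the length validation the flaw described above omits, rejecting any record whose declared field lengths do not fit the bytes actually received. The record layout follows the SSL 2.0 format; the field names, helper functions and sample bytes are constructed here and are assumptions, not taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Illustration of the bug class only, not the NSS code. An SSLv2 CLIENT-HELLO
 * declares three field lengths (cipher specs, session id, challenge) that must
 * be checked against the record before anything is copied out of it. */
#define CHALLENGE_MAX 32               /* SSLv2 challenges are 16..32 bytes */
struct client_hello { uint16_t version, cipher_specs_len, session_id_len, challenge_len; uint8_t challenge[CHALLENGE_MAX]; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* buf/n: bytes actually received. Returns 0 if the record is well formed and
 * fully present, -1 if any declared length is inconsistent with it. */
int parse_sslv2_client_hello(const uint8_t *buf, size_t n, struct client_hello *out)
{
    if (n < 2 || !(buf[0] & 0x80)) return -1;        /* 2-byte header form only */
    size_t rec_len = (size_t)(((buf[0] & 0x7f) << 8) | buf[1]);
    if (rec_len < 9 || rec_len > n - 2) return -1;   /* header claims more than arrived */
    const uint8_t *m = buf + 2;                      /* message body */
    if (m[0] != 0x01) return -1;                     /* MSG-CLIENT-HELLO */
    out->version          = rd16(m + 1);
    out->cipher_specs_len = rd16(m + 3);
    out->session_id_len   = rd16(m + 5);
    out->challenge_len    = rd16(m + 7);
    /* The check the flaw omits: variable fields must exactly fill the record,
     * and the challenge must fit its fixed-size destination. */
    size_t need = 9 + (size_t)out->cipher_specs_len + out->session_id_len + out->challenge_len;
    if (need != rec_len || out->cipher_specs_len % 3 != 0) return -1;
    if (out->challenge_len < 16 || out->challenge_len > CHALLENGE_MAX) return -1;
    memcpy(out->challenge, m + 9 + out->cipher_specs_len + out->session_id_len, out->challenge_len);
    return 0;
}

/* Constructed sample: header 0x801c = 28-byte record, one cipher spec
 * (SSL_CK_RC4_128_WITH_MD5), no session id, 16-byte challenge. */
static const uint8_t good_hello[] = {
    0x80, 0x1c, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10, 0x01, 0x00, 0x80,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};

/* Demo entry points: 1 = record accepted, 0 = rejected. */
int demo_well_formed(void) {
    struct client_hello h;
    return parse_sslv2_client_hello(good_hello, sizeof good_hello, &h) == 0 && h.challenge_len == 16;
}
int demo_oversized_challenge(void) {           /* same record, challenge length rewritten to 1024 */
    struct client_hello h; uint8_t bad[sizeof good_hello];
    memcpy(bad, good_hello, sizeof bad); bad[9] = 0x04; bad[10] = 0x00;
    return parse_sslv2_client_hello(bad, sizeof bad, &h) == 0;
}
/* Header promises 28 bytes but only 8 body bytes arrived. */
int demo_truncated(void) { struct client_hello h; return parse_sslv2_client_hello(good_hello, 10, &h) == 0; }
```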
- - -
Winamp Skin Blemish
The popular, free media player Winamp has an “extremely critical” vulnerability, reports Secunia. Successful exploitation could lead to remote system access. Winamp versions 3.x and 5.x are reportedly affected.
“Named ‘Skinhead,’ this zero-day attack has been in widespread use since at least July 22 to forcefully install spyware and trojans on unsuspecting victims who clicked on a Web site link. The main area of infection has been on IRC chat networks but anyone visiting these malicious websites could become infected,” notes security company PivX Labs.
“The problem is caused due to insufficient restrictions on Winamp skin zip files (.wsz),” says Secunia. In particular, “an XML document in the Winamp skin zip file can reference an HTML document using the ‘browser’ tag and get it to run in the ‘Local computer zone,’” thereby allowing it to run an executable file also in the Winamp skin file. In other words, a specially constructed Winamp skin could trick Winamp into telling Windows to execute arbitrary code.
If users download the skin using a browser set to automatically download and run skin files, the attack could run without any further user action. Secunia reports that even fully patched systems running Internet Explorer 6.0 on Microsoft Windows XP SP1 are affected. Other browsers may also allow the attack to run automatically.
Code exploiting the vulnerability is in the wild; Winamp hasn’t yet released a patch. One temporary workaround is to set browser preferences to always require the user to manually accept every download, especially of WAL or WSZ files, and then have users accept them only from trusted sites.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.