
Security Blog Log: A week of vulnerabilities

By Bill Brenner
10 Feb 2006 | SearchSecurity.com



This week the blogosphere focused on some significant security holes in Internet Explorer, Windows and Sun's Java Runtime Environment.

For companies that use Windows, Internet Explorer (IE) and Java applications, this was a week of workarounds, product upgrades and patches.

Fresh flaws in Internet Explorer (IE) and Windows got a fair amount of attention in the blogosphere this week, after Microsoft issued two advisories late Tuesday warning that attackers could exploit the security holes to launch malicious code or gain elevated system privileges.

The software giant said the IE vulnerability "could allow an attacker to execute arbitrary code on the user's system when the user views a specially crafted Windows meta file (WMF) image. The user could view this image on a Web site, as an attachment in an e-mail or view an HTML e-mail of Outlook Express or Outlook."

The unspecified security hole affects IE 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4, and IE 5.5 Service Pack 2 on Microsoft Windows Millennium. Microsoft recommended users upgrade to Internet Explorer 6, which isn't affected by the glitch. Also, the issue doesn't affect IE for Windows XP Service Pack 1 and Windows XP Service Pack 2.

Meanwhile, Microsoft warned of a possible new flaw in Windows.

"Microsoft is aware of public reports of a tool developed by a security researcher that reads access-control configuration information from the Windows registry, file system, and service control manager database, and feeds raw configuration data to the model," the company said. "Microsoft is investigating reports that application of this tool to certain versions of Windows may have discovered possible vulnerabilities in Windows and the ability to allow a malicious user to launch a privilege-escalation attack caused by misconfigurations of the access-control lists."

While the second issue got less attention in the blogosphere, the solution to the IE flaw was simple to security professionals like Todd Towles, a network systems analyst at a medium-sized, Southeastern-based retail chain. He noted in his Thoughts of a Technocrat blog that upgrading to IE 6 SP1 was the best option on Windows 2000 SP4 and Windows ME.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.


Beyond that, he said, "My suggested action [is] to get off Windows ME as soon as possible. The Win9x kernel is dead as dead..."

According to the Wikibooks Web site, the Win9x kernel Towles referred to was originally written to "span the 16-bit-to-32-bit divide." Operating systems based on the 9x kernel are Windows 95, 98 and ME. Win9x series operating systems have a reputation for bugs and instability, the site noted, and development on the Win9x kernel ended with the release of Windows XP.

Trouble with Java
While Internet Explorer was getting all the attention, one blog was flagging the fact that Santa Clara, Calif.-based Sun Microsystems Inc. had put out a fix for seven critical flaws in its Java Runtime Environment (JRE).

JRE, also known as Java Runtime, is part of the Java Development Kit (JDK), a set of programming tools for developing Java applications. The Java Runtime Environment provides the minimum requirements for executing a Java application; it consists of the Java Virtual Machine (JVM), core classes, and supporting files, according to Whatis.com, a sister site to SearchSecurity.com.

The Networks and Security blog noted that attackers could exploit the flaws to gain remote control over a user's system.

"The flaws affect systems running on Windows, Solaris and Linux that are using certain versions of Sun's Java Development Kit 1.5, Software Development Kit (SDK) 1.3 and 1.4, and JRE 1.3, 1.4, 1.5 and 5.0 or earlier," the blog said, adding that Danish vulnerability clearinghouse Secunia had rated the flaws "highly critical."

The blog noted that Sun's JRE software, especially version 1.4, "is found on a number of computers and allows users to run Java applications, which operate in a 'sandbox' -- a separate area cordoned off from the rest of the user's system."

The latest flaws are found in one of the JRE's application programming interfaces (API), "which communicate between the sandbox and the rest of the system," the blog added. "The flaws could be exploited by attackers to gain remote access to a user's Java applications, allowing them to read and write files or execute code."

Based on a check of the SearchSecurity.com archives, the last time Sun had to patch flaws in JRE was in November. At the time, the company fixed a variety of flaws attackers could exploit by using malicious applets on vulnerable PCs to obtain the elevated user privileges needed to read and write local files or execute local applications.
