Researchers uncover encryption flaws
Encryption researchers have discovered that mathematical functions embedded in common security applications have previously undetected weaknesses. Thursday, it was announced that French computer scientist Antoine Joux uncovered a flaw in a popular algorithm called MD5, often used with digital signatures. Then four Chinese researchers released a paper on how to circumvent a second algorithm, SHA-0, according to CNET News.com. While their results are preliminary, these discoveries could eventually make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature unless a different, more secure algorithm is used. Another announcement at the Crypto 2004 conference in Santa Barbara, Calif. Eli Biham and Rafi Chen, researchers at the Israel Institute of Technology, originally were scheduled to present a paper identifying ways to assail the security in the SHA-0 "Secure Hash Algorithm," which was known to have imperfections, CNET News.com said. In a presentation Tuesday evening, however, Biham reported some early work toward identifying vulnerabilities in the SHA-1 algorithm, which is believed to be secure. Biham's presentation was very preliminary, but it could call into question the long-term future of the wildly popular SHA-1 algorithm and spur researchers to identify alternatives. Currently considered the gold standard of its class of algorithms, SHA-1 is embedded in popular programs like PGP and SSL. It's certified by the National Institute of Standards and Technology and is the only signing algorithm approved for use in the U.S. government's Digital Signature Standard. SHA-1 yields a 160-bit output, which is longer than MD5's 128-bit output and is considered more secure.
Cisco addresses IOS vulnerability
Cisco Systems of San Jose, Calif. said a device running the Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) protocol is vulnerable to a denial-of-service attack and it has made free software available to address the problem. The company's advisory said the vulnerability is only present in Cisco IOS release trains based on 12.0S, 12.2 and 12.3. Releases based on 12.0, 12.1 mainlines and all Cisco IOS images prior to 12.0 are not affected. "This vulnerability was introduced by a code change," the advisory said. "All Cisco devices running a vulnerable release train and running OSPF process are vulnerable." Cisco added that a vulnerability in the processing of an OSPF packet can be exploited to cause the reload of a system. "Several parameters need to be known by an attacker to successfully exploit this vulnerability. These are the OSPF area number, netmask, hello and dead timers that are configured on the targeted interface." Cisco said the vulnerability can be exploited remotely. It is also possible for an attacker to target multiple systems on the local segment.
Resident Evil marketing campaign sparks panic over cellphone virus
A marketing campaign for the latest version of the Resident Evil video game has backfired, leading cellphone users to believe they've been infected by a virus, according to Lynnfield, Mass.-based Sophos. The antivirus firm said it has received inquiries from users who have received unsolicited SMS text messages on their mobile phones telling them they're infected by the so-called T-Virus. Sophos found that the messages are being sent from a Web site promoting Resident Evil: Outbreak, in which players defend themselves against zombies by blowing their heads off with a shotgun. The Web site allows unsolicited text messages to be sent to wireless phones claiming that the phone is infected. A typical message reads: "Outbreak: I'm infecting you with t-virus, my code is ******. Forward this to 60022 to get your own code and chance to win prizes. More at t-virus.co.uk." "The messages themselves are not infectious, but some people have panicked that they might have received a real mobile phone virus," said Graham Cluley, senior technology consultant for Sophos. "This marketing campaign seems particularly ill-conceived, particularly as there is so much genuine interest in the mobile virus threat at present."
Test: PC infected after 20 minutes on Web
The Internet Storm Center gave users another reason not to connect to the Internet without security precautions. Researchers from the Bethesda, Md.-based center connected an unpatched Windows PC to the Internet and found that on average, it took only 20 minutes to be compromised by malware. That figure is down from around 40 minutes, the group's 2003 estimate. The Storm Center, part of the SANS Institute, calculated the 20-minute "survival time" by listening on vacant Internet protocol addresses and timing the frequency of reports received there, ZDNet reported. "If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe," the center said in a statement. The drop from 40 to 20 minutes is also troubling because it means the average survival time is not long enough for a user to download the patches that would protect a PC from Internet threats, the center said.
Flaw found in PForum
Users of PForum are advised to update to version 1.26 to fix a vulnerability in earlier versions malicious users could exploit to conduct script insertion attacks. Copenhagen, Denmark-based security firm Secunia said in an advisory that input passed to the "IRC Server" and "AIM ID" fields isn't sanitized before being stored in the user profile. This can be exploited to execute arbitrary script code in a user's browser session in the context of an affected Web site when a malicious profile is viewed, the advisory said.
Buffer overflow vulnerability in xine-lib packages
Gentoo Linux recommends users upgrade to the latest version of xine-lib to fix an exploitable buffer overflow in the VCD handling code. According to Gentoo's advisory, xine-lib, a multimedia library that can be used to create multimedia front ends, contains a bug where it is possible to overflow the vcd:// input source identifier management buffer through carefully-crafted playlists. An attacker could use the flaw to execute arbitrary code with the permissions of the user. To conform with the generic naming standards of most Unix-like systems, playlists can have extensions other than .asx (the standard xine playlist format), and look like another file (MP3, AVI or MPEG, for example). If an attacker crafts a playlist with a valid header, they can insert a VCD playlist line that can cause a buffer overflow and possible shell code execution, the advisory said. There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of xine-lib.