Security Bytes: Leaks in Linux kernel

Online banks targeted by Trojan; Zone Labs and Cisco report flaws; antispyware law lays off service providers; 'Operation Web Snare' snags 150; startup sues India for stolen source code.

Multiple information leaks in Linux kernel
A Gentoo Linux security advisory issued Thursday warned of multiple information leaks in the Linux kernel that could allow an attacker to obtain sensitive data that may be used for further exploitation of the system. Twenty-nine packages on all of their affected architectures are vulnerable.

Three flaws are outlined in the advisory:

  • One identifies a flaw in addressing invalid 32- to 64 bit conversions in the kernel, as well as insecure direct access to file offset pointers in kernel code which can be modified by the open(...), lseek(...) and other core system I/O functions by an attacker.
  • A second deals with certain USB drivers using uninitialized structures and then using the copy_to_user(...) kernel call to copy these structures. This may leak uninitialized kernel memory, which can contain sensitive information from user applications.
  • And a race condition with the /proc/.../cmdline node was found that allows environment variables to be read while the process is still spawning. If the race is won, environment variables of the process, which might not be owned by the attacker, can be read.

The advisory recommended upgrading to the latest available sources for affected systems. Gentoo said there is no temporary workaround other than totally disabling /proc support. Unaffected kernels are listed in the advisory.

Trojan horses target online banking customers
A series of Trojan horses are targeting the financial information of British computer users who do their banking online, according to Lynnfield, Mass.-based antivirus firm Sophos. The Tofger Trojan horses target users of a number of online banks, including Abbey, Barclays, Cahoot, HSBC, Lloyds, NatWest, Nationwide and Woolwich, Sophos said. Tofger monitors which Web sites are being visited, and if it recognizes an online banking site it secretly captures keystrokes and takes snapshots of what is displayed on the monitor. The information is then sent back to the remote hackers, who can use the captured data to break into bank accounts and steal money, the firm said. "This is very different from the fraudulent e-mails that many computer users receive every day, trying to lure you to a bogus Web site. This Trojan waits for the customer to visit the real banking Web site, and then it captures passwords and account information making robbery a breeze," said Graham Cluley, senior technology consultant for Sophos. "Home users and businesses large and small need to protect themselves with up-to-date antivirus software and take extreme care to ensure their computers are kept free from Trojans like Tofger and other malware."

Zone Labs weak default permissions vulnerability
An advisory warns there's a weakness in select ZoneAlarm and Check Point Software Technologies products that allows an uprotected log file to be modified, however, the company says it's also available from another location that can't be modified. In a statement, the companies said, "Zone Labs ZoneAlarm family of products and Check Point Software Technologies Integrity endpoint security client software use the folder %WINDOWS%Internet Logs to store a copy of logging information and the locally stored security policy." Zone Labs security clients write logging information to an unprotected file named ZAlog*.txt, where ZoneAlarm product family users may review the contents of the protected log file with the client user interface. Check Point said, "Logging and policy information cannot be altered as the result of weak file ownership or permissions."

New California antispyware law lays off service providers
This week Californian legislators unanimously passed the Consumer Protection Against Computer Spyware Act, a law that still lets managed service providers install software on a California-based computer without notifying the recipient. Lobbyists for managed service providers, including security companies, fought for exemption from the law, which carries a $1,000 for each violation. MSPs argued their businesses required installation of software to automatically update or patch machines and to monitor network activity. Until the bill was amended, there was no distinction between such benevolent programs and malicious spyware. "Had the language of SB 1436 not been amended, it would have crippled the MSP industry," MSPAlliance vice president Celia Weaver told CRN.

Cisco reports Telnet flaw
Cisco Systems said a specifically-crafted transmission control protocol (TCP) connection to a Telnet or reverse Telnet port of a Cisco device running Internetwork Operating System (IOS) could be used to block further Telnet, reverse Telnet, remote shell, secure shell and in some cases http access to the Cisco device. An advisory from the San Jose, Calif.-based network giant said the vulnerability affects all Cisco devices that permit access via Telnet or reverse Telnet and are running an unfixed version of IOS. The company said all other device services will operate normally. Services such as packet forwarding, routing protocols and all other communication to and through the device are not affected. "Successful exploitation of this vulnerability requires a complete three-way TCP handshake, which makes it very difficult to spoof the source IP address," the advisory said. "Cisco is working to release fixes for this vulnerability in all currently maintained IOS releases. No software upgrade is required to mitigate this vulnerability. As fixed software becomes available for public release, Cisco will update the advisory." Suggested defensive actions are to upgrade, filter Telnet connections using access control lists or remove Telnet support and switch to SSH.

Feds arrest 150 people in 'Operation Web Snare'
U.S. Attorney General John Ashcroft Thursday announced the arrest or conviction of more than 150 people for online computer crimes. They face charges that include using spam e-mails to steal credit card numbers, online fraud and computer hacking. The Department of Justice said suspects were identified during the course of "Operation Web Snare," which included more than 160 federal investigations into online crimes. "Operation Web Snare shows that America's justice community is seeking to anticipate, outthink and adapt to new trends in Internet crime," Ashcroft said in a statement. "This effort shows how effective law enforcement can be against online crime when all levels of government -- domestically and internationally -- work together."

San Carlos startup sues India over stolen source code
A San Carlos, Calif., software maker has filed a lawsuit after Indian authorities refused to investigate suspected theft of source code at an offshore research facility. The CEO of Jolly Technologies says Mumbai authorities refused to pursue a criminal complaint against a 25-year-old local employee caught uploading source code and other intellectual property to a personal e-mail account, then disappearing once she was confronted. This month, Jolly Technologies sued Mumbai police for refusing to investigate the incident, according to the San Jose Mercury News. If the sensitive data is distributed to competitors or made public on the Internet, the company will be ruined, CEO Sandeep Jolly told the newspaper.

Dig deeper on Alternative OS security: Mac, Linux, Unix, etc.

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close