Vulnerability in Symantec's Norton Antivirus
Symantec has fixed a vulnerability in Norton Antivirus that allows malicious code to escape detection. Reston, Va.-based security firm iDefense said in its advisory that the problem exists in attempts to scan files and directories named as reserved MS-DOS devices. "Reserved MS-DOS device names are a holdover from the original days of Microsoft DOS," the advisory said. "The reserved MS-DOS device names represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a virus stores itself in a reserved device name it can avoid detection by Symantec Norton Antivirus when the system is scanned." As a workaround, iDefense said, "Ensure that no local files or directories using reserved MS-DOS device names exist. On most modern Windows systems there should be no reserved MS-DOS device names present. While the Windows search utility can be used to locate offending files and directories, either a separate tool or the specification of Universal Naming Convention (UNC) must be used to remove them. The following command will successfully remove a file stored on the C: drive named 'aux':" Symantec has fixed the problem in Norton Antivirus 2004, currently available through LiveUpdate. The fix is being incorporated into all other supported Symantec Norton Antivirus versions and will be available through LiveUpdate when fully tested and released, iDefense said.
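The workaround above asks administrators to confirm that no file or directory on the system carries a reserved MS-DOS device name. The following script is an added example, not code from iDefense or Symantec, that performs that check: it flags any basename whose part before the first dot is one of the reserved names (the page lists AUX, CON, PRN, COM1 and LPT1; NUL and the remaining COM/LPT numbers are the rest of the standard Windows set), both over a constructed sample listing and over a real directory tree. The sample paths are made up for illustration.

```python
import os
import re
from typing import Iterable, List

# Reserved MS-DOS device names on Windows. The advisory names AUX, CON, PRN,
# COM1 and LPT1; NUL and COM2-COM9 / LPT2-LPT9 complete the standard set.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def is_reserved_device_name(name: str) -> bool:
    """Return True if a file or directory basename collides with a reserved device.

    Windows treats the name as reserved regardless of case, and also when an
    extension follows it ("aux.txt" still resolves to the AUX device), so the
    check is made on the part of the name before the first dot.
    """
    stem = name.split(".", 1)[0].strip()
    return stem.upper() in RESERVED_DEVICE_NAMES


def find_reserved_names(paths: Iterable[str]) -> List[str]:
    """Filter a listing of paths (e.g. from a search tool) down to those whose
    final component is a reserved device name."""
    hits = []
    for path in paths:
        # Accept both Windows and POSIX separators so constructed samples work anywhere.
        base = re.split(r"[\\/]", path.rstrip("\\/"))[-1]
        if base and is_reserved_device_name(base):
            hits.append(path)
    return hits


def scan_tree(root: str) -> List[str]:
    """Walk a real directory tree and return every file or directory whose
    name is a reserved device name."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_device_name(name):
                found.append(os.path.join(dirpath, name))
    return found


# Constructed sample listing (not real paths from the advisory), mixing
# legitimate names with ones that collide with reserved devices.
SAMPLE_LISTING = [
    r"C:\aux",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\temp\con.exe",
    r"C:\temp\lpt1",
    r"C:\temp\console.log",  # "console" is not "CON", so this is legitimate
    r"C:\temp\COM1.dat",
]

if __name__ == "__main__":
    for hit in find_reserved_names(SAMPLE_LISTING):
        print("reserved device name:", hit)
```

Run `scan_tree(r"C:\")` on a live system to produce the list the advisory asks for; anything it reports should then be removed with a tool that addresses the file by its full device-style path, since ordinary Explorer and `del` operations resolve the name to the device instead of the file.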
Red Hat updates XFree86
Red Hat has updated its XFree86 packages for Enterprise Linux 3, fixing several security flaws in libXpm that an attacker could use to launch malicious code or crash machines. According to Red Hat's advisory, researcher Chris Evans discovered several stack-overflow flaws and an integer-overflow flaw in the X.Org libXpm library used to decode X PixMap images. An attacker could create a carefully crafted .xpm file to launch code or crash a machine if it is opened by a victim. A flaw was also found in the X Display Manager, which opens a chooserFd TCP socket even if the DisplayManager.requestPort parameter is set to 0. This could allow authorized users to access a machine remotely via X, even if the administrator has configured it to refuse such connections. Although XFree86 4.3.0 was not found vulnerable to this issue, Red Hat Enterprise Linux 3 contained a backported patch which introduced this flaw. Users are advised to download the package updates.
Red Hat fixes flaws in kdelib, kdebase packages
Red Hat has updated its kdelib and kdebase packages to fix multiple vulnerabilities a local attacker could use to prevent KDE applications from functioning correctly or overwrite files owned by other users by creating malicious symlinks. Researcher Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names.
Meanwhile, Westpoint Internet Reconnaissance Services has discovered that the KDE Web browser Konqueror allows Web sites to set cookies for certain country-specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which could be sent to all other Web sites within the domain, leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in or .com.
A frame injection spoofing vulnerability has also been discovered in the Konqueror Web browser. This issue could allow a malicious Web site to show arbitrary content in a named frame of a different browser window. Users of KDE are advised to upgrade to these erratum packages, which contain backported patches from the KDE team for these issues.
IBM fixes Trading Partner Interchange flaw
IBM has fixed a vulnerability in Trading Partner Interchange that an attacker could use to access files. The problem is an input validation error within the included Jetty HTTP server and can be used to access arbitrary files and directories on the system. IBM advises users to update to version 4.2.4.
Apple fixes multiple OS X flaws
Apple has issued a security update that fixes multiple Macintosh OS X vulnerabilities. Copenhagen, Denmark-based security firm Secunia described the following problems in its advisory:
- The AFP server can be exploited by guest users to disconnect AFP volumes by sending specially crafted SessionDestroy packets.
- The AFP Server can be exploited to change the permissions of a write-only AFP drop box to read-write due to an incorrect setting of the guest group id.
- CUPS can be exploited by malicious people to cause a denial of service.
- CUPS, within certain methods of authenticated remote printing, can be exploited to disclose users' passwords in the log files.
- The NetInfo Manager utility may result in an incorrect indication of the "root" account being disabled.
- A problem in postfix with "SMTPD AUTH" enabled may result in only users with the longest usernames being able to authenticate.
- QuickTime can potentially be exploited to compromise a user's system. The vulnerability is caused due to a boundary error within the handling of .bmp images.
- ServerAdmin comes with a self-signed default certificate used for encrypted communication. However, this certificate is the same on all systems and it is therefore possible to decrypt and read captured sessions if this certificate is used.