New flaw affects Windows XP SP2; Microsoft offers workarounds
Attackers could exploit a newly reported security hole in Windows XP Home Edition and Professional to cause a denial of service, Danish security firm Secunia said in an advisory.
"The vulnerability is caused due to an unspecified error in the kernel and can be exploited to cause the system to crash," Secunia said. "Reportedly, the integrated firewall does not protect against this."
Secunia said there is no patch for the flaw, though Microsoft is reportedly working on one and might release it in August. For now, the firm recommends users restrict incoming traffic to affected systems to minimize risk.
Secunia and the Bethesda, Md.-based SANS Internet Storm Center (ISC) said the flaw was discovered by a researcher who goes by the name badpack3t. ISC said on its Web site that the vulnerability "is due to a flaw in the remote desktop assistant. This service is NOT FIREWALLED in XP SP2's default firewall configuration." ISC added, "badpack3t was able to cause a blue screen. However, there is a chance that this could be used to execute code remotely."
Microsoft confirmed it is working on a fix for what it called a vulnerability in Remote Desktop Services.
"Our initial investigation has revealed that a denial-of-service vulnerability exists that could allow an attacker to send a specially crafted Remote Desktop Protocol (RDP) request to an affected system," the software giant said in an advisory. "Our investigation has determined that this is limited to a denial of service, and therefore an attacker could not use this vulnerability to take complete control of a system. Services that utilize the Remote Desktop Protocol are not enabled by default... however if a service were enabled, an attacker could cause this system to restart."
As workarounds, users can:
- Block TCP port 3389 at the firewall;
- Disable Terminal Services or the Remote Desktop feature if they are not required;
- Secure remote desktop connections by using an IPsec policy; and/or
- Secure remote desktop connections by employing a Virtual Private Network (VPN) connection.
Breatel worm circulating
Enterprises not blocking executable attachments should be aware that W32/Breatel-A@mm was gaining some ground Friday and that future variants could pose problems.
"This has a few new twists on an old theme, but isn't anything terribly exciting," said Dave Cole, Director of Symantec Security Response in Santa Monica, Calif. Symantec ranked the worm as a level 2 threat. "It's possible, but unlikely, that we'll see this worm really take off."
The e-mail attachment containing the worm arrives as .exe, .pif, .scr, .bat and .cpl files. The worm spreads via the Microsoft LSASS vulnerability (MS04-011) and also mass-mails itself using addresses culled from the victim's machine. Additionally, Breatel spoofs the "from" address to make it look like the e-mail is coming from various AV companies, Microsoft, AOL, Hotmail and others.
As is usually the case, AV vendors didn't follow any standard naming convention: NAI calls the worm W32/Reatle-GEN@mm, F-Secure labels it W32/Lebreat-A@mm and Kaspersky tagged it Net-Worm.Win32.Lebreat-B.
Herndon, Va.-based Cybertrust said preliminary analysis indicates the worm attempts to cause a denial-of-service attack against www.symantec.com, but added that the site has redundant DoS defenses.
Spread Firefox Web site attacked
Attackers knocked a Web site promoting the Firefox browser offline for a few days last week and may have compromised personal information on thousands of volunteer supporters in the process.
The following message was posted on Spreadfirefox.com after the attack:
"As you've no doubt noticed, we've been down for a few days. We took the site down to investigate an attack on the site. It appears that a part of Spread Firefox was hacked in an attempt to use it to send out spam. It doesn't look like the attacker accessed any personal data on the site, but to be safe, we're encouraging all of our users to log in and change their passwords. If you have an account with Spread Firefox, you probably received an e-mail about this with instructions for updating your password. We're sorry for the inconvenience and glad to have the site back up and running."
Denial-of-service flaw affects Sophos
Attackers could exploit a flaw in the Sophos Small Business Suite to overload the central processing unit (CPU) of targeted machines and prevent further scans, Reston, Va.-based security firm iDefense said in an advisory.
The Small Business Suite includes the Sophos PureMessage Small Business Edition, combining virus and spam protection for the e-mail gateway; and Sophos Anti-Virus Small Business Edition, which offers desktop and server defense against viruses.
"The problem specifically exists in the handling of .zip files compressed using the BZIP2 algorithm," iDefense said. "When scanning within a BZIP2 archive the Sophos engine will not perform any sanity checks on the 'extra field length' value. By specifying an abnormally large value for this field, the analysis routine is forced into an infinite loop leading to CPU exhaustion."
As a workaround, iDefense recommends users disable the "scan inside archive files" option.
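The missing check that iDefense describes, as an added example that is not Sophos code: a Python parser for a ZIP local file header that validates the 'extra field length' against the bytes actually present before walking the extra field, shown next to the unchecked read loop that spins once the claimed length exceeds the data. The header layout follows the public ZIP format; the two entries it parses are constructed here, and the iteration cap on the unchecked loop exists only so the demonstration terminates.

```python
"""Bounds-checking a ZIP local file header before walking its extra field.

Added example, not Sophos code. Shows the sanity check the advisory says was
missing and why an unchecked length becomes a CPU-burning loop. The sample
entries are built here and are not real archives.
"""
import bz2
import struct

LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # 30-byte fixed part of a local file header
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
METHOD_BZIP2 = 12                   # ZIP compression method id for bzip2


class MalformedZip(ValueError):
    """Raised instead of looping when a length field does not fit the data."""


def build_entry(name, payload, extra, extra_len_override=None):
    """Construct one bzip2-compressed local-file entry for the demo."""
    data = bz2.compress(payload)
    extra_len = len(extra) if extra_len_override is None else extra_len_override
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, 0, METHOD_BZIP2,
                         0, 0, 0, len(data), len(payload), len(name), extra_len)
    return header + name + extra + data


def skip_extra_unchecked(buf, offset, extra_len, max_iters=10_000):
    """Vulnerable pattern: trust extra_len and keep reading after data runs out.

    Once offset reaches len(buf) each pass consumes zero bytes, so `remaining`
    never decreases. The cap is only here so the demo terminates; the pattern
    itself has none. Returns False when the cap was hit.
    """
    remaining = extra_len
    for _ in range(max_iters):
        if remaining <= 0:
            return True
        chunk = buf[offset:offset + min(remaining, 512)]
        offset += len(chunk)
        remaining -= len(chunk)
    return False


def parse_extra_field(extra):
    """Walk the (id, size, data) records of an extra field with bounds checks."""
    records, pos = [], 0
    while pos < len(extra):
        if len(extra) - pos < 4:
            raise MalformedZip("truncated extra-field record header")
        rec_id, rec_size = struct.unpack_from("<HH", extra, pos)
        pos += 4
        if rec_size > len(extra) - pos:
            raise MalformedZip(f"record 0x{rec_id:04x} claims {rec_size} bytes, "
                               f"only {len(extra) - pos} left")
        records.append((rec_id, extra[pos:pos + rec_size]))
        pos += rec_size             # each pass advances by at least 4 bytes
    return records


def parse_local_entry(buf, offset=0):
    """Hardened parser: every length field is checked against bytes present."""
    if len(buf) - offset < LOCAL_HEADER_LEN:
        raise MalformedZip("truncated local file header")
    (sig, _ver, _flags, method, _time, _date, _crc, csize, _usize,
     name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, buf, offset)
    if sig != LOCAL_HEADER_SIG:
        raise MalformedZip("bad local header signature")
    pos = offset + LOCAL_HEADER_LEN
    available = len(buf) - pos
    if name_len + extra_len > available:   # the sanity check the advisory says was missing
        raise MalformedZip(f"name+extra length {name_len + extra_len} "
                           f"exceeds {available} bytes of archive")
    name = buf[pos:pos + name_len]
    pos += name_len
    extra = parse_extra_field(buf[pos:pos + extra_len])
    pos += extra_len
    if csize > len(buf) - pos:
        raise MalformedZip("compressed size exceeds archive")
    data = buf[pos:pos + csize]
    payload = bz2.decompress(data) if method == METHOD_BZIP2 else data
    return {"name": name, "method": method, "extra": extra, "payload": payload}


# Constructed samples: a well-formed entry, and the same entry with the
# extra-field length set to 0xFFFF while only 8 bytes of extra data exist.
GOOD_EXTRA = struct.pack("<HH", 0x5455, 4) + b"\x01\x00\x00\x00"
GOOD_ENTRY = build_entry(b"hello.txt", b"hello, sophos\n", GOOD_EXTRA)
BAD_ENTRY = build_entry(b"hello.txt", b"hello, sophos\n", GOOD_EXTRA,
                        extra_len_override=0xFFFF)
EXTRA_OFFSET = LOCAL_HEADER_LEN + len(b"hello.txt")   # where the extra field starts


def demo():
    """Run both parsers over the samples and report what each did."""
    result = {"good": parse_local_entry(GOOD_ENTRY),
              "unchecked_terminates": skip_extra_unchecked(BAD_ENTRY, EXTRA_OFFSET, 0xFFFF)}
    try:
        parse_local_entry(BAD_ENTRY)
        result["checked_error"] = None
    except MalformedZip as exc:
        result["checked_error"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two guards that matter are the comparison of the header's length fields against the bytes remaining in the archive and the guarantee that every pass over the extra field consumes at least four bytes; together they turn a hostile length value into a parse error rather than a loop that never returns.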
Lynnfield, Mass.-based Sophos told iDefense that it has addressed the problem in the latest versions of Sophos Anti-Virus on Windows, Unix, Linux, Netware, OpenVMS and Mac OS X -- version 3.95.0 on all those platforms as well as version 5.0.4 on Windows 2000/XP/2003 and version 4.5.3 on Windows NT and Windows 95/98/ME -- and in the latest updated versions of PureMessage for Unix, PureMessage for Windows/Exchange and MailMonitor (any version running antivirus engine 2.30.4 or above).
Apple plugs Mac OS X security holes
Apple has patched two security holes in Mac OS X that an attacker could exploit to replace system widgets or crash machines. Apple described the two flaws in its advisory:
- A NULL pointer dereference error in the TCP/IP implementation that attackers could exploit to crash the kernel using a specially crafted TCP/IP packet. Mac OS X 10.4 and Mac OS X Server 10.4 are affected.
- An error in the Dashboard that attackers could exploit to install widgets with the same internal identifier [CFBundleIdentifier] as Apple-supplied widgets, thereby replacing them. Mac OS X 10.4 and Mac OS X Server 10.4 are affected.