PHP users urged to upgrade
Malicious users could exploit flaws in the popular PHP scripting language to run arbitrary code, conduct cross-site scripting attacks and bypass security restrictions. Recommended action includes updating
- The "GLOBALS" array is not properly protected. Attackers could exploit this to define global variables by sending a "multipart/form-data" POST request with a specially crafted file upload field, or via a script calling the PHP function "extract()" or "import_request_variables()." This could open up additional vulnerabilities in various applications, but requires that "register_globals" is enabled, Secunia said. The vulnerability affects versions 4.4.0, 5.0.5 and prior.
- Attackers can exploit an error in how an unexpected termination in the "parse_str()" PHP function is handled to trigger a memory_limit request shutdown in a script calling "parse_str()." The vulnerability affects versions 4.4.0, 5.0.5 and prior.
- Some unspecified input passed to the "phpinfo()" PHP function isn't properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The vulnerability affects versions 4.4.0, 5.0.5 and prior.
- An integer overflow error in pcrelib may be exploited to cause a memory corruption via a script calling a PHP function using the PCRE library where the regular expression can be controlled by the attacker.
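The first item above hinges on a script handing a request array to extract() or import_request_variables(), which lets whatever keys the request carries become variables. The usual defensive pattern, shown here as an added example that is not part of the original article or of PHP's own code, is to import only an allow-list of known parameters and drop everything else, so a key named "GLOBALS" or one that collides with a script variable never reaches the symbol table. The $request array, the parameter names and the importParams() helper are constructed for illustration.

```php
<?php
// Added example: allow-listed import of request parameters instead of
// extract($_POST). $request below is a constructed stand-in for $_POST.
declare(strict_types=1);

// The only request keys this script is willing to accept, each with the
// default used when the key is absent from the request. (Assumed names.)
const ALLOWED_PARAMS = [
    'page'  => 1,
    'sort'  => 'name',
    'query' => '',
];

// Returns an array containing exactly the allow-listed keys. Any other
// key in the request, including 'GLOBALS' or names that collide with
// the script's own variables, is never imported; it is reported through
// $rejected so the caller can log it.
function importParams(array $request, array &$rejected = []): array
{
    $params = [];
    foreach (ALLOWED_PARAMS as $key => $default) {
        $params[$key] = array_key_exists($key, $request) ? $request[$key] : $default;
    }
    $rejected = array_values(
        array_diff(array_keys($request), array_keys(ALLOWED_PARAMS))
    );
    return $params;
}

// Constructed request: two legitimate fields plus two keys that an
// application must never let become variables.
$request = [
    'page'     => '3',
    'query'    => 'openvpn',
    'GLOBALS'  => ['admin' => true],
    'is_admin' => '1',
];

$is_admin = false;                 // script state that must not be overwritten
$params   = importParams($request, $rejected);

// $params holds only page, sort and query; $rejected lists the two
// dropped keys; $is_admin is untouched because nothing was extract()ed.
var_dump($params, $rejected, $is_admin);
```

The same allow-list approach also removes the dependence on register_globals: whether the directive is on or off, the script only ever sees the parameters it declared, so disabling register_globals in php.ini becomes a hardening step rather than a compatibility risk.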
Adware firm says it may fight against removal
It's not unusual for an adware company to find itself in the security industry's crosshairs, but Direct Revenue LLC says it's ready to take the fight to a new level. In an interview with OnlineMediaDaily published this week, Jean-Philippe Maheu, CEO of the New York-based media and software distribution firm, said his company is considering whether to prevent its software from being deleted by adware removal programs. Maheu claimed many anti-adware offerings automatically remove Direct Revenue's software without allowing users to selectively intervene. The end-user license agreement accompanying Direct Revenue's software notes that it reserves the right to "correct the conflict" if a third party attempts to disrupt communication between a user's PC and its servers.
Direct Revenue's ad-serving program, Best Offer, is currently bundled along with peer-to-peer file-sharing application Kazaa, but the company was forced to eliminate a third of its workforce -- about 40 people -- this past summer. Additionally, Direct Revenue has been at the center of controversy before. It was reported last year that the company had changed its name several times as part of a series of covert branding practices, and it has received media attention for allegedly disabling its competitors' adware without authorization.
Apple fixes Mac OS X flaws
Apple Computer has upgraded Mac OS X to fix a variety of security holes attackers could exploit to bypass security restrictions and disclose sensitive information. According to an advisory from the French Security Incident Response Team (FrSIRT):
- The first problem is an error where the "Get Info" window doesn't properly display the file and group ownership information under certain situations. This could cause the "displayed ownership" and "actual ownership" to be unsynchronized.
- The second problem is an error in the "Software Update" feature that doesn't provide an opportunity to reset the status of ignored updates. This could cause important updates to go uninstalled.
- The third problem is an error where changes to a group's membership are not immediately reflected in access control checks. Authenticated users could exploit this to access files or other resources even after they've been removed from a group.
- The fourth problem is in the Keychain Access utility that could cause the disclosure of plaintext passwords.
- The fifth problem is that there are errors in certain kernel interfaces, which could allow local users to obtain portions of sensitive kernel memory.
Mac OS X 10.4.2 and Mac OS X Server 10.4.2 are affected, FrSIRT said. Users can protect themselves by downloading Mac OS X Update 10.4.3 or Mac OS X Server 10.4.3.
OpenVPN flaws fixed
OpenVPN Solutions LLC has fixed two OpenVPN flaws attackers could exploit to launch malicious commands or cause a denial of service. The first fix is for a format string error in the "foreign_option()" [options.c] function that doesn't properly handle specially crafted configuration arguments passed to the "push" DHCP option. Attackers could exploit this to execute arbitrary commands by convincing a client to connect to a malicious OpenVPN server. The second problem is caused by a NULL pointer dereference when the service runs in TCP mode. Attackers could exploit this to cause a denial of service. OpenVPN versions 2.0.x are affected, and users are advised to download version 2.0.3.
New Bagle variant on the march
A new Bagle variant has gotten the attention of researchers at UK-based antivirus firm Sophos, though it doesn't seem to be doing much at this point. BagleDl-W is a Trojan horse that was spammed out to e-mail addresses around the world, the firm said on its Web site. "Infected e-mails seen so far have message bodies saying 'Info' or 'Texte' and attached files with names such as Health_and_knowledge.zip, text_sms.zip, max.zip, Business.zip and The_new_price.zip," Sophos said. "If the program inside the .zip file is opened, the Trojan horse tries to connect to one of a number of Web sites in order to download further malicious code." Despite the wide distribution of this malicious program, Sophos said it has received few reports of active infections.
Companies diverting more attention towards malware, survey says
A new survey of 70 mid-tier enterprises indicates companies are investing more resources in operational security issues, such as patch management, firewall maintenance and antivirus updates. But it may be at the expense of more strategic initiatives that could alleviate widespread malware outbreaks in the future.
Among the key findings in the survey of IT managers conducted by GreenBorder Technologies Inc., which provides desktop DMZ software for Windows: