Update fixes critical Sendmail flaw
Security experts are advising users of the open source version of Sendmail to upgrade to the latest version, to fix a critical flaw attackers could exploit to gain remote root access to targeted machines. Sendmail is a popular Simple Mail Transfer Protocol (SMTP) server daemon used on mail gateways and forwarders to route and deliver e-mail. It is primarily used in UNIX server environments, although versions exist for Windows as well.
The security hole was discovered and researched by Mark Dowd, a member of Atlanta-based Internet Security Systems' (ISS) X-Force. The problem is that Sendmail contains a signal race vulnerability when receiving and processing mail data from remote clients.
"Sendmail utilizes a signal handler for dealing with timeouts that is not async-safe and interruption of certain functions by this signal handler will cause static data elements to be left in an inconsistent state," the X-Force analysis said. "These data elements can be used to write data to invalid parts of the stack (or heap in some scenarios), thus taking control of the vulnerable process."
In order to exploit this vulnerability, an attacker simply needs to be able to connect to a Sendmail SMTP server. "This is a multi-shot exploit, meaning the attacker can attempt to exploit it an indefinite amount of times," X-Force said, "since Sendmail spawns a new process for each connected client."
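To illustrate the bug class X-Force describes (a timeout handler that is not async-signal-safe and leaves static data inconsistent), here is an added, constructed C model that is not Sendmail's code: the shared state is a buffer, a cursor and a byte count that must stay in sync, an "unsafe" handler rewrites them directly, and a "safe" handler only sets a `sig_atomic_t` flag. The timeout is injected synchronously with `raise()` so the run is deterministic, and the receive loop checks the invariant instead of performing the out-of-bounds write that would otherwise follow.

```c
#include <signal.h>
#include <stddef.h>

/* Constructed model of static state shared between the receive path and a
 * timeout signal handler (illustrative, not Sendmail's code).
 * Invariant that must hold whenever the main path runs: cursor == buf + used. */
static char buf[16];
static char *cursor = buf;
static size_t used = 0;
static volatile sig_atomic_t timed_out = 0;

/* UNSAFE: the handler rewrites the shared state directly. If it runs between
 * the two updates in receive(), the invariant is silently broken afterwards. */
static void unsafe_timeout(int sig) { (void)sig; used = 0; cursor = buf; }

/* SAFE: the handler only records the event (a volatile sig_atomic_t is the one
 * object C guarantees a handler may write); the main path acts on it later. */
static void safe_timeout(int sig) { (void)sig; timed_out = 1; }

/* Stores src into buf byte by byte. fire_at simulates the timeout arriving
 * after byte `fire_at` (raise() is synchronous, so the run is deterministic).
 * Returns bytes stored, -1 on a cleanly handled timeout, -2 if the buffer is
 * full, or -3 if the shared state was found inconsistent (the unsafe case). */
static int receive(const char *src, int fire_at, void (*handler)(int))
{
    signal(SIGALRM, handler);
    used = 0; cursor = buf; timed_out = 0;
    for (int i = 0; src[i] != '\0'; i++) {
        if (cursor != buf + used)        /* invariant check instead of an OOB write */
            return -3;
        if (used >= sizeof buf)          /* bound check relies on `used` being right */
            return -2;
        *cursor = src[i];
        used++;
        if (i == fire_at)                /* interrupted between the two updates */
            raise(SIGALRM);
        cursor++;
        if (timed_out)                   /* safe handler: state is consistent here */
            return -1;
    }
    return (int)used;
}

/* Constructed SMTP fragment as sample input; timeout injected after byte 3. */
int unsafe_result(void)     { return receive("MAIL FROM:<a@b>", 3, unsafe_timeout); }
int safe_result(void)       { return receive("MAIL FROM:<a@b>", 3, safe_timeout); }
int no_timeout_result(void) { return receive("MAIL FROM:<a@b>", -1, safe_timeout); }
```

With the unsafe handler the cursor ends up one byte ahead of the count, so the bound check would have let the next store land past the buffer; the safe handler leaves the state intact and the timeout is handled at a well-defined point.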
Sendmail versions prior to 8.13.6 are vulnerable to this issue. Cupertino, Calif.-based AV giant Symantec Corp. raised its ThreatCon to Level 2 in response to the Sendmail flaw. "The DeepSight Threat Analyst team considers this a critical vulnerability, with a significant chance of widespread exploitation," Symantec said in an e-mailed advisory.
The Sendmail Consortium, which maintains the open source version, has released Sendmail 8.13.6 to address this vulnerability.
Internet Explorer flaws mount
IE users have another security hole to worry about on top of the two flaws that came to light earlier this week. The latest flaw was discovered by Danish vulnerability clearinghouse Secunia. In an advisory, the company described the latest problem as an error in how the "createTextRange()" method is processed on a radio button control. "This can be exploited by a malicious Web site to corrupt memory in a way [that] allows the program flow to be redirected to the heap," Secunia said. "Successful exploitation allows execution of arbitrary code."
Secunia said the vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in the January edition of Internet Explorer 7 Beta 2 Preview.
Microsoft confirmed the vulnerability in its Security Response Center blog and offered a workaround, saying, "Our initial investigation has revealed that if you turn off Active Scripting, that will prevent the attack as this requires script." The response center added, "Customers who use supported versions of Outlook or Outlook Express aren't at risk from the e-mail vector since script doesn't render in mail. We're going to continue to look into this but remind you also that safe browsing practices can help here, like only visiting trusted Web sites, etc."
Earlier this week, Microsoft confirmed it was looking into two other flaws. One problem revolves around HTA files, HTML applications that are given higher levels of trust and access to a local system than remote Web pages typically receive. The browser is reportedly vulnerable to attacks where malicious HTA files are embedded in certain Web sites or e-mails. Attackers could exploit this to launch malicious code. The other flaw is an array boundary error in the handling of HTML tags with multiple event handlers. This can be exploited to cause a denial of service.
RealPlayer vulnerabilities addressed
RealNetworks Inc. has released an update addressing flaws that affect versions of Helix Player, RealPlayer, RealOne Player, RealPlayer Enterprise and Rhapsody. According to the vendor:
- The first vulnerability could allow attackers to execute malicious programs on a local machine placed in the path of RealPlayer by a previous separate attack.
- The second vulnerability could allow an attacker to use a malicious .swf file to cause a buffer overrun.
- The third vulnerability involves the housing of a specially crafted Web page on a malicious server attackers could use to cause a heap overflow in the embedded player.
- The fourth vulnerability allows attackers to use a malicious .mbc file to cause a buffer overrun.
The advisory outlines which program versions are affected.
Sophisticated Trojan targets Microsoft's WMF flaw
Digital desperados have been quietly infecting thousands of computers around the world with a sophisticated Trojan horse program designed to steal bank account information, according to a report in Computerworld. Security researchers say attacks have been underway for several weeks and are largely targeting customers of several large banks in Britain, Spain and Germany.
"This is one of those big, under-the-radar threats that we've been concerned about" for some time, Ken Dunham, director of the rapid response team at VeriSign Inc.'s iDefense unit, told Computerworld. "There has been a trend away from big-bang attacks to very targeted and sophisticated attacks that take place right under your nose. This is one of them."
Dunham said hackers have been sending out hundreds of thousands of e-mails prompting users to visit malicious Web sites that use a Windows Metafile (WMF) exploit to download a Trojan program called MetaFisher on a victim's computer. The Trojan, also known as Spy-Agent and PWS, is then used to collect and send bank account and personal information from the compromised system to remote servers where the data is harvested, the report said.