Cisco addresses multiple vulnerabilities
Cisco Systems Inc. has reported multiple vulnerabilities in several of its networking products. Although considered less critical, malicious individuals could exploit these vulnerabilities for cross-site scripting, privilege escalation, or denial of service from local or remote systems. Cisco has provided fixes for most of the issues, except for several end-of-life products that it no longer supports.
The first vulnerabilities occur in CiscoWorks Wireless LAN Solution Engine (WLSE) 2.x. A vulnerability in the WLSE appliance Web interface "can be exploited to execute arbitrary HTML and script code in a user's browser session," according to an advisory posted by Danish vulnerability clearing house Secunia.
Another vulnerability, in a CLI application, can be exploited to gain a shell account with root privileges. Malicious users can perform these actions remotely. Cisco suggests updating to version 2.13 or later.
The second group of vulnerabilities is in Cisco IOS XR. All three vulnerabilities involve processing Multiprotocol Label Switching (MPLS) packets. Malicious users can exploit this locally to cause a denial of service. Cisco has patched the issue.
The final vulnerability affects Cisco Ethernet Subscriber Solution Engine (ESSE), CiscoWorks2000 Service Management Solution (SMS), Cisco Wireless LAN Solution Engine (WLSE), Cisco Hosting Solution Engine (HSE), and Cisco User Registration Tool (URT). According to Secunia, malicious local users can exploit the vulnerability to gain escalated privileges. Cisco has fixes for Cisco WLSE, Cisco HSE, and Cisco URT. However, Cisco ESSE and CiscoWorks SMS are end-of-life products and Cisco will not provide fixes, according to its advisory.
Apple fixes five Java vulnerabilities
Apple has released a patch for five Java-related vulnerabilities in the Mac OS X operating system (http://www.frsirt.com/english/advisories/2006/1398). According to an advisory by the French Security Incident Response Team (FrSIRT), a widely known vulnerability clearinghouse, at least one of these vulnerabilities is regarded as critical: malicious users could exploit it to remotely compromise a system. The problem is known to affect Mac OS X v10.4.5 and Mac OS X Server v10.4.5. However, a Sun Microsystems Inc. advisory admits that Microsoft Windows, Sun Solaris, and Linux systems may also be vulnerable.
More specifically, Sun's Java Web Start software contains a flaw that can allow untrusted applications to elevate their own privileges, including reading and writing arbitrary local files. Sun describes Java Web Start as technology that makes full-featured applications available via Web server. A specially crafted application could circumvent security restrictions and allow access and control by intruders. The flaw is in Java 2 Platform Standard Edition (J2SE) 5.0 Update 5 and earlier 5.0 releases.
In addition, several vulnerabilities in the Java Runtime Environment can permit untrusted applets to elevate their own privileges. This could also allow attackers to evade security and gain control of an affected system.
Finally, an issue with event handling can, for example, cause secure fields -- such as passwords -- to appear as normal text in the same window.
Sun first disclosed the vulnerabilities on Feb. 7. Customers are advised to upgrade to the Java 2 Standard Edition 5.0 Release 4 update (J2SE version 1.5.0_06).
F-Secure discovers first J2ME Trojan
Helsinki-based F-Secure Corp. has discovered Redbrowser.A, which it believes to be the first Trojan in J2ME form. Java 2 Micro Edition provides an environment for applications running on millions of consumer devices, such as mobile phones and PDAs.
A J2ME-based Java midlet, Redbrowser masquerades as a WAP browser, using free SMS messages to send the WAP pages. Redbrowser's claim to send free SMS messages is intended to fool a user into permitting the application to use Java SMS capabilities. When given permission, Redbrowser actually starts sending SMS messages to one specific number in an infinite loop. Each message is charged to the user's account, which may cause financial losses to the user.
Redbrowser's text is in Russian, which F-Secure said should limit the Trojan to Russian-speaking countries.
In addition to using its own removal tools, F-Secure said users can eradicate the Trojan by uninstalling it with the Symbian application manager.
Edmund X. DeJesus is a freelance writer in Norwood, Mass.