Fix available for RealVNC flaw
A security hole has surfaced in a program IT administrators use to access remote machines, but fixes are available.
A flaw in the authentication process of RealVNC (Virtual Network Computing) software could allow attackers to gain remote access to an affected VNC server and compromise it, Cupertino, Calif.-based AV giant Symantec Corp. warned in a message to customers of its DeepSight Threat Management System.
"During the initial handshake and authentication process between VNC clients and servers, a list of authentication methods is sent to clients," Symantec said. "The client chooses a method and returns a byte specifying the method it wishes to continue with."
The flaw appears because the server doesn't properly validate that the requested method sent by the client is actually one of the methods allowed by the server. "This issue allows remote attackers to request an anonymous authentication method, which will be incorrectly accepted by the server," Symantec said. "This allows them to gain full control of the VNC server session."
RealVNC version 4.1.1 is vulnerable and other versions may also be affected.
Symantec warned that attackers will likely modify readily available open source VNC client software to exploit the flaw. Exploit code has also been released.
UK-based RealVNC Ltd. has released fixes via its Web site download page.
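The server-side check Symantec describes as missing, shown as an added example that is not RealVNC's code: a simplified model of the flawed acceptance logic beside a version that only accepts a method the server actually offered. The function names are hypothetical; the security-type numbers are the ones defined in the RFB protocol specification (RFC 6143), and the server configuration and client replies are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Security-type numbers as defined by the RFB protocol (RFC 6143). */
enum { SEC_NONE = 1, SEC_VNC_AUTH = 2 };

/* Outcomes of the hardened check (hypothetical names). */
enum hs_result { HS_OK = 0, HS_REJECT_NOT_OFFERED = 1, HS_REJECT_NOTHING_OFFERED = 2 };

/* Simplified model of the flaw: the client's byte is accepted whenever it is
 * a type the code can handle, without comparing it to what was offered. */
int accept_unchecked(const uint8_t *offered, size_t n, uint8_t chosen)
{
    (void)offered; (void)n;
    return chosen == SEC_NONE || chosen == SEC_VNC_AUTH;
}

/* Hardened form: the chosen byte must appear in the list this server sent
 * for this connection; anything else ends the handshake. */
enum hs_result accept_validated(const uint8_t *offered, size_t n, uint8_t chosen)
{
    if (offered == NULL || n == 0)
        return HS_REJECT_NOTHING_OFFERED;   /* misconfiguration: fail closed */
    for (size_t i = 0; i < n; i++)
        if (offered[i] == chosen)
            return HS_OK;
    return HS_REJECT_NOT_OFFERED;
}

int main(void)
{
    /* Constructed configuration: a server that offers password auth only. */
    const uint8_t offered[] = { SEC_VNC_AUTH };
    /* Constructed client replies, including values that were never offered. */
    const uint8_t replies[] = { SEC_VNC_AUTH, SEC_NONE, 0, 200 };

    for (size_t i = 0; i < sizeof replies; i++) {
        enum hs_result r = accept_validated(offered, sizeof offered, replies[i]);
        printf("client byte %3u: unchecked=%d validated=%s\n",
               (unsigned)replies[i],
               accept_unchecked(offered, sizeof offered, replies[i]),
               r == HS_OK ? "accept" : "reject (log: method not offered)");
    }
    return 0;
}
```

A rejection for a method that was never offered does not happen with a well-behaved client, so it is worth logging with the peer address as a detection signal.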
Changes may be coming for PCI standard
The Payment Card Industry (PCI) data security standard may be in for some changes, Tom Maxwell, director of e-business and emerging technologies at MasterCard International, said Monday at a San Francisco conference hosted by Redwood Shores, Calif.-based vulnerability management firm Qualys Inc.
The proposed update, due this summer, is meant to address evolving attacks and problems businesses have had while encrypting consumer data, Maxwell told CNET News.com. Possible changes include a requirement to scan payment software for vulnerabilities. Right now, merchants only have to validate that there are no vulnerabilities in their networks.
While a broader vulnerability scan would be required, the proposed changes would cut merchants some slack when it comes to encryption. Specifically, the new version of PCI would offer merchants more alternatives for securing consumer data besides encryption, CNET News.com reported.
"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said, adding that this encryption requirement is causing so much trouble for merchants that credit card companies are having difficulty processing requests for alternate measures.
In response, according to the report, changes to PCI would let companies replace encryption with other types of security technology, such as additional firewalls and access controls. "There will be more acceptable compensating and mitigating controls," Maxwell said.
Flaws to be addressed in Diebold voting machines
Diebold Election Systems Inc. plans changes to address a number of security holes in its electronic voting machines. Voting watchdog group Black Box Voting published a report last week outlining how attackers could compromise Diebold's TS6 and TSx touch pad voting machines by exploiting backdoor features that allow new software to be installed.
Finnish security researcher Harri Hursti discovered backdoors in the systems' boot loader software, in the operating system and in the Ballot Station software that they run to tabulate votes. "These are built-in features, all three of them," Black Box Voting founder Bev Harris told IDG News Service. If a malicious person gained access to a Diebold machine, Harris said, the backdoors could be exploited to falsify election results on the system.
A Diebold spokesman didn't dispute Hursti's findings, but said Black Box Voting was overreacting, given that the systems are intended to remain in the hands of trusted election officials.
"What they're proposing as a vulnerability is actually a functionality of the system," Diebold spokesman David Bear told the news service. "Instead of recognizing the advantages of the technology, we keep ringing up 'what if' scenarios that serve no purpose other than to confuse and in some instances frighten voters."
Still, Bear said, Diebold plans to address the issue in an upcoming version of the product, which will use cryptographic keys to ensure that only authorized software is installed on the machine.