Security News Roundup

• Microsoft SQL Server Flaws
• Microsoft Internet Explorer Flaws
• Microsoft Windows Worm
• PGP Plug-in Flaw Patched
• CERT Reports Flaws in CDE GUI

by InternetNews.com Staff [July 12, 2002]

Microsoft SQL Server Flaws
Microsoft warned of a buffer overrun flaw in a procedure used to encrypt SQL Server credential information that would let an attacker "gain significant control over the database and possibly the server itself depending on the account SQL Server runs as."

The company said another buffer overrun vulnerability in a procedure that relates to the bulk inserting of data in SQL Server tables has also been identified.

The cumulative patch (available for download here) also covers a privilege elevation but that results because of incorrect permissions on the Registry key that stores the SQL Server service account information. Microsoft said an attacker could gain greater privileges on the system than had been granted by the system administrator—potentially even the same rights as the operating system.

Meanwhile, as Microsoft was urging installation of its latest patch, security firm NGSSoftware issued a separate warning that Microsoft's SQL Server 2000 contains functionality that allows a database owner to populate a table with data with one fell swoop using the 'BULK INSERT' query. NGSS said this functionality contains a remotely exploitable buffer overrun vulnerability that can be exploited by an attacker to run arbitrary code.

NGSS said the 'BULK INSERT' query will take a user supplied file name and insert the contents of this file into a specified table. By supplying an overly long filename to the query, a buffer is overflowed and the saved return address stored on the stack is overwritten. This allows the attacker to gain control over the process' execution.

It said SQL Server 2000 can be run in the security context of a domain account or LOCAL SYSTEM, so depending upon the particular setup, an attacker may be able to gain complete control over the vulnerable system.

(Back to top)

Microsoft Internet Explorer Flaws
Newport Beach, Calif. security consultants PivX Solutions announced the discovery of "extremely high-risk" vulnerabilities within Microsoft's flagship Internet Explorer browser product. It said the bug uses universal cross domain scripting, allowing the arbitrary execution of programs, unprivileged reading of files, and stealing of server cookies.

PivX, which released vulnerability alert ahead of a fix from Microsoft, has ruffled the feathers of the software giant, but the security firm maintained support for immediate full disclosure of flaws as soon as they are discovered.

The company, which credited Danish researcher Thor Larholm with discovering the bug, released a workaround/fix on its home page to allow users to plug the holes ahead of a Microsoft patch.

The company said the vulnerability leaves apps that use WebBrowser control vulnerable to a variety of attacks but can be circumvented if ActiveX scripting is disabled.

(Back to top)

Microsoft Windows Worm
To add to Microsoft's security headaches, a worm comprising three components—MSVXD.exe, MSVXD16.dll and MSVXD32.dll—is on the prowl, masquerading as legitimate MS code. Security experts say the worm can drop copies of itself in all subfolders and network folders and is unusual in the way it masks and hides itself without networks.

Software security firm BitDefender, which issued the worm warning, said the Win32.Worm.Datom.A virus resembles the FunLove worm and uses the same spreading methods and is "troubling large, insufficiently protected networks."

"Taken separately, the (three components of the worm) cannot be considered as malware, but together, they form a pretty malicious code" said Costin Ionescu, Virus Researcher at BitDefender. "The worm has also the ability to hide its Windows Registry keys in normal mode and to disable certain security software installed on the system. This could mark an evolution for viruses' modus operandi," he added.

BitDefender said the virus attempts to connect to the Microsoft's home page and drops copies of itself in all shared folders and subfolders in the victim's network. The company has issued a free removal tool for the worm. Technical details on the worm's threat and removal is available at BitDefender's virus section.

(Back to top)

PGP Plug-in Flaw Patched
The world's most popular e-mail encryption tool, PGP (short for Pretty Good Privacy), has a flaw that could allow a malicious hacker to seize control of a user's machine and access encrypted communications.

The flaw lies in Network Associates Inc.'s (NAI) PGP plug-in for Microsoft's Outlook e-mail client. It affects NAI PGP Desktop Security 7.0.4, NAI PGP Personal Security 7.0.3, and NAI PGP Freeware 7.0.3. NAI. It does not affect PGP Corporate Desktop users, nor does it affect a plug-in for Microsoft's Outlook Express e-mail client. NAI has made a patch available.

The flaw was uncovered by eEye Digital Security, which said it leaves both a target's machine and PGP-encrypted communications open to compromise. It can also be exploited anonymously.

The vulnerability could allow an attacker to overwrite certain heap memory structures used by the PGP plug-in. It does not require the victim to open an attachment.

Once hackers have infiltrated a victim's machine, they can leave behind spyware to record keystrokes, steal important information like financial records, or uncover the public keys used to encrypt e-mails.

(Back to top)

CERT Reports Flaws in CDE GUI
Two vulnerabilities were discovered Wednesday in the Common Desktop Environment (CDE) ToolTalk RPC database server.

CDE is an integrated graphical user interface that runs on UNIX and Linux operating systems, and is widely installed as a default program.

The ToolTalk service allows independently developed applications to communicate with each other. Using ToolTalk, applications can create open protocols that allow different programs to be interchanged, and new programs to be plugged into the system with minimal reconfiguration.

The ToolTalk RPC database server manages communication between ToolTalk applications. Sun, Hewlitt-Packard, Compaq, Caldera, IBM, and Xi Graphics have all admitted to susceptibility on some on their machines.

The first vulnerability results from improper checks on user-supplied RPC arguments. By issuing a specially crafted call to the procedure, a remote attacker could overwrite certain locations in memory with zeros. Using a combination of techniques, an attacker could delete any file that is accessible by the ToolTalk RPC database server. Overwriting memory or deleting files could cause a denial of service. It may also be possible to execute arbitrary code and commands.

The second vulnerability stems from inadequate validation of file operations. The ToolTalk RPC database server does not ensure that the target of a file write operation is a valid file and not a symbolic link. This could allow a hacker to overwrite any file with contents of his or her choice, since the list of transaction records to log is passed by the client program.

Vendors with vulnerable systems have provided patching information on their security sites, as well as on the CERT Coordination Center site. According to officials at CORE Security Services, if patches are not yet available from a particular vendor, admins should block access from untrusted networks to the ToolTalk Database server program and disable the vulnerable service.

(Back to top)

— End