Free Republic
Browse · Search
News/Activism
Topics · Post Article


Security Threats Branch Out From Windows to Mac, Linux
TechWeb ^ | May 02, 2005 | Antone Gonsalves

Posted on 05/02/2005 10:23:27 PM PDT by Eagle9

While Windows and other Microsoft Corp. products are the favorite targets of hackers, the malicious code writers are increasingly targeting software that run on other operating systems, including Apple Computer Inc.'s Mac and open-source Linux, a security research group said Monday.

In its list of the top 20 most critical Internet vulnerabilities in the first quarter of the year, the Sans Institute reported that software fixes were released for flaws in RealNetworks Inc.'s RealOne Player and RealPlayer. Security flaws were found in versions of the multimedia players running on Windows, Mac OS and Linux.

In addition, vulnerabilities were listed for Apple's iTunes music player, versions prior to 4.7.1, which runs on Windows and the Mac OS, as well as the Winamp multimedia player for Windows from Nullsoft, and the Helix Player for Linux.

"Hackers haven't stopped attacking Microsoft products, but they've started attacking everything else as well," Alan Paller, director of research for Sans said. "The reason is this is a huge criminal business now. Capturing another 100,000 computers to be used for spam can be worth a million bucks."

The current trend among hackers is to spread through e-mail viruses that exploit a variety of popular software that people install on their computers, such as multimedia software and music players.

"The attackers are going after the programs you buy to install on your computer, rather than the programs that come with your computer," Paller said.

To close vulnerabilities in programs such as iTunes or RealPlayer, users often have to download the latest version, rather than just a patch, which is commonly used to fix operating-system flaws. As a result, consumers with dial-up connections are often most vulnerable, because they are the least likely to take the time to download the latest software, Paller said.

Besides multimedia players, patches were released in the first quarter for several Microsoft products, including the Windows License Logging Service, the Microsoft Server Message Block and Internet Explorer browser.

Patches also were released for Computer Associates International Inc.'s License Manager, which is found in most of its storage, security and database products; and versions of Oracle Corp.'s 9i, 8i and 8 databases; Application Server, Collaboration Suite and E-Business Suite.

Patches also were released for antivirus products from Symantec Corp., F-Secure Corp., Trend Micro Inc. and McAfee Inc.

Details on the vulnerabilities and patches are available on the Sans Institute website.


TOPICS: Technical
KEYWORDS: fsecure; helix; itunes; linux; mac; mcafee; microsoft; realoneplayer; realplayer; security; symantec; trendmicro; winamp; windows
SANS Institute

The Most Critical New Vulnerabilities Discovered or Patched During the First Quarter of 2005

May 2, 2005
Principal Investigator: Rohit Dhamankar
Co-investigators: Gerhard Eschelbeck, Marcus Sachs, Johannes Ullrich


The SANS Top20 Internet Security Vulnerabilities (www.sans.org/top20) is an annual consensus effort of leading information security organizations around the world. In 2004, the United Kingdom's NISCC hosted the announcement of the 2004 Top20 with the direct support of the US White House and Public Safety and Emergency Preparedness Canada.

Thousands of organizations rely on the Top20 to help set priorities for what needs to be fixed first. However, since new Internet threats are discovered daily, user organizations that rely on the Top20 as a list of high priority threats have been asking for more frequent updates.

On May 2, 2005, the sponsors of the Top20 project released the first installment in a new program of quarterly updates to the Top20. It updates the annual Top20 and provides an additional roadmap to the new vulnerabilities that must be eliminated in any Internet-connected organization.

The list below summarizes the most critical new vulnerabilities discovered during the first quarter of 2005 by vendor.

Following the brief list, the critical new vulnerabilities are grouped by the vulnerability categories employed in the 2004 Top20 announcement, and summarized with a brief assessment of the impact of exploiting the vulnerabilities and pointers to more detailed information.

Top New Vulnerabilities in Q1, 2005 (Summary List)

Microsoft Products

Computer Associates License Manager Buffer Overflows

DNS Cache Poisoning Vulnerability
Multiple Antivirus Products Buffer Overflow Vulnerabilities
Oracle Critical Patch Update
Multiple Media Player Buffer Overflows (RealPlayer, Winamp and iTunes)



***********************************************************

Top New Vulnerabilities in Windows Systems Q1, 2005
Top20 Category: W3 Windows Remote Access Services
***********************************************************
Windows License Logging Service Overflow (MS05-010)
Patches:
MS05-010 available.

Affected:
Windows NT/2000/2003 Servers

Risk:
An attacker can execute code with "SYSTEM" privileges.

Exploits:
Exploit code has been published in the Immunitysec CANVAS and CORE Impact tools.

References:

http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=11#exploit1
http://www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE:
CAN-2005-0050

*******************************************************************

Microsoft Server Message Block (SMB) Vulnerability (MS05-011)

Patches:
MS05-011 available.

Affected:
Microsoft Windows 2000, XP and Windows Server 2003

Risk:
An attacker can execute code with "SYSTEM" privileges.


Exploits:
The technical details have been posted.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely6
http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx

CVE:
CAN-2005-0045


************************************************************************************

Top20 Category: W6 Web Browsers

Internet Explorer Vulnerabilities (MS05-014 and MS05-008)

Patches:
MS05-014, MS05-008 available.

Affected:

Internet Explorer versions 5.01, 5.5, 6.0

Risk:
An attacker can compromise a client system.

Exploits:
Multiple exploits are available. Flaws being exploited in the wild to install spyware/adware applications.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely2

http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx

CVE:
http://www.sans.org/newsletters/risk/display.php?v=4&i=2#widely1
http://www.sans.org/newsletters/risk/display.php?v=3&i=51#widely1
http://www.sans.org/newsletters/risk/display.php?v=3&i=52#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=4#widely5

http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx

CVE:
CAN-2004-1043

*******************************************************************

Microsoft DHTML Edit ActiveX Remote Code Execution (MS05-013)

Patches:
MS05-013 available.


Affected:
Windows 98/ME/SE/2000/XP/2003

Risk:
An attacker can compromise a client system.

Exploits:
Multiple exploits are available. Flaws being exploited in the wild.

References:

http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely3
http://www.microsoft.com/technet/security/bulletin/ms05-013.mspx

CVE:
CAN-2004-1319

**************************************************************************************

Microsoft Cursor and Icon Handling Overflow (MS05-002)

Patches:
MS05-002 available.

Affected:
Windows NT/2000/XP SP0 and SP1/2003

Risk:
An attacker can compromise a client system.

Exploits:

Exploit code available. Flaws being exploited in the wild to install spyware/adware applications.

References:
http://www.sans.org/newsletters/risk/display.php?v=3&i=51#widely2
http://www.sans.org/newsletters/risk/display.php?v=4&i=2#widely2
http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx

CVE:
CAN-2004-1049


*******************************************************************

Top20 category: W10 Instant Messaging

Microsoft PNG File Processing Vulnerabilities (MS05-009)

Patches:
MS05-009 available.

Affected:

Windows Media Player 9 series
Windows Messenger version 5.0
MSN Messenger version 6.1 and 6.2
Windows 98/ME/SE

Risk:
An attacker can compromise a client system.

Exploits:
Multiple exploits are available.


References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely3
http://www.microsoft.com/technet/security/bulletin/ms05-009.mspx

CVE:
CAN-2004-1244, CAN-2004-0597

*******************************************************************


Top New Vulnerabilities in Cross Platform Applications (A new category for the Top20-2005 Study)

*******************************************************************

Computer Associates License Manager Buffer Overflows

Patches:
Available at
http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp
http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp


Affected:
CA License Package versions 1.53 through 1.61.8
All CA products that use the vulnerable CA License Package on AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows and Apple Mac OSs are affected.

Exploits:
Multiple exploits are available.

Risk:
An attacker can execute code with "SYSTEM/root" privileges on systems running any of the vulnerable products.


References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=9#widely1

CVE:
CAN-2005-0581, CAN-2005-0582, CAN-2005-0583

*******************************************************************


Multiple Antivirus Products Buffer Overflow Vulnerabilities

Patches:
Available
Symantec patch site: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005020911112648

Affected:
Multiple products from Symantec, F-Secure, Trend Micro, McAfee

Risk:
An attacker can execute code with "SYSTEM/root" privileges on systems running any of the vulnerable products.

Exploit:
The technical details regarding the flaws are available in all the cases.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=6 (Symantec)

http://www.sans.org/newsletters/risk/display.php?v=4&i=6 (F-Secure)
http://www.sans.org/newsletters/risk/display.php?v=4&i=8#widely2 (Trend Micro)
http://www.sans.org/newsletters/risk/display.php?v=4&i=12#widely1 (McAfee)

CVE:

CAN-2005-0249, CAN-2005-0350, CAN-2005-0644

*********************************************************************************

DNS Cache Poisoning Vulnerability

Patches and Workarounds:
Available (See the referenced links for details):

Symantec Gateway Security 5400 Series version 2.x
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html

Symantec Gateway Security 5300 Series 1.0
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_52005300/files.html

Symantec Enterprise Firewall version 7.0.x and 8.0 (Windows and Solaris)
http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8/files.html

http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8_sol/files.html

http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_firewall_704_nt/files.html


http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_firewall_704_solaris/files.html

http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_firewall_7_nt/files.html

http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_firewall_7_solaris/files.html

Symantec VelociRaptor Model 1100/1200/1300 version 1.5
http://www.symantec.com/techsupp/enterprise/products/sym_velociraptor/sym_vr_15_1310/files.html

http://www.symantec.com/techsupp/enterprise/products/sym_velociraptor/sym_vr_15_1200_1300/files.html


http://www.symantec.com/techsupp/enterprise/products/sym_velociraptor/sym_vr_15_other_models/files.html


Affected:
Symantec Gateway Security 5400 Series version 2.x
Symantec Gateway Security 5300 Series version 1.0
Symantec Enterprise Firewall version 7.0.x and 8.0 (Windows and Solaris)
Symantec VelociRaptor Model 1100/1200/1300 version 1.5
Windows NT and Windows 2000 (prior to SP3) DNS servers in the default configuration

The following configurations are also reportedly vulnerable:

Risk:
Re-direction of domains to attacker controlled domains. Flaws being exploited in the wild to install malware on client systems.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=11

http://www.sans.org/newsletters/risk/display.php?v=4&i=14#widely1
http://isc.sans.org/presentations/dnspoisoning.php

*******************************************************************

Oracle Critical Patch Update

Patches:
Oracle CPU issued on Jan 18, 2005


Affected:
Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3 and 10.1.0.3.1
Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5 and 9.2.0.6
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4 (9.0.1.5 FIPS)
Oracle8i Database Server Release 3, version 8.1.7.4
Oracle8 Database Release 8.0.6, version 8.0.6.3
Oracle Application Server 10g Release 2 (10.1.2)
Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1

Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle Collaboration Suite Release 2, version 9.0.4.2
Oracle E-Business Suite and Applications Release 11i (11.5)
Oracle E-Business Suite and Applications Release 11.0

Risk:
An attacker can potentially compromise an Oracle server.

Exploits:

The technical details have been posted about many of the flaws.

References:
http://www.sans.org/newsletters/risk/display.php?v=4&i=3#widely1

CVE:
CAN-2005-0298

*******************************************************************

Multiple Media Player Buffer Overflows

Patches:
Available.

Affected:
RealPlayer
==========
For Windows:
RealPlayer version 10.5 Builds 6.0.12.1040-1056
RealPlayer version 10
RealOne Player v2 Builds 6.0.11.853 - 872
RealOne Player v2 Builds 6.0.11.818 - 840
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise

For Mac OS:
Mac RealPlayer 10 Builds 10.0.0.305 - 325
Mac RealOne Player

For Linux:
Linux RealPlayer 10
Helix Player

iTunes
======
iTunes versions prior to 4.7.1

Winamp
======
Winamp versions 5.x prior to 5.08c


Risk:
An attacker can compromise a client system.

Exploits:
Multiple exploits available. Flaws being exploited in the wild.

References:
RealPlayer
http://www.sans.org/newsletters/risk/display.php?v=4&i=9#widely2

http://www.sans.org/newsletters/risk/display.php?v=4&i=10#exploit1
iTunes
http://www.sans.org/newsletters/risk/display.php?v=4&i=2#widely3
http://www.sans.org/newsletters/risk/display.php?v=4&i=3#exploit1
Winamp
http://www.sans.org/newsletters/risk/display.php?v=4&i=5#widely1

CVE:
CAN-2005-0455, CAN-2005-0611, CAN-2005-0043

*******************************************************************

1 posted on 05/02/2005 10:23:28 PM PDT by Eagle9
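The SANS entries above all follow one plain-text layout: a section line ("Top New Vulnerabilities in ..."), an optional "Top20 Category:" line, a title, and labelled fields (Patches:, Affected:, Risk:, Exploits:, References:, CVE:) separated by rows of asterisks. Anyone triaging the list against their own inventory will want it in structured form. The parser below is an added example written for this page; it is not code from SANS, TechWeb or the poster. It assumes exactly that layout, and SAMPLE is a constructed excerpt built from entries on this page (including the stray "(7)" numbering and a category line) so the edge cases are exercised.

```python
"""Parse SANS-style Top20 quarterly update entries into structured records.

Added example, not part of the SANS text or the TechWeb article. It assumes
the layout used on this page: section lines, optional "Top20 Category:"
lines, entries separated by rows of asterisks, and labelled fields.
SAMPLE is a constructed excerpt in that layout.
"""
import re
from typing import Dict, List, Optional

SEPARATOR = re.compile(r"^\*{10,}[ \t]*$", re.MULTILINE)
SECTION = re.compile(r"^Top New Vulnerabilities in\b", re.IGNORECASE)
CATEGORY = re.compile(r"^Top20 cat\w*:\s*(.+)$", re.IGNORECASE)  # also matches the page's "Caterory" typo
FIELD = re.compile(r"^(Patches(?: and Workarounds)?|Affected|Risk|Exploits?|References|CVE):\s*$")
CVE_ID = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")
LEADING_NUMBER = re.compile(r"^\(\d+\)\s*")  # strips stray "(7) " style numbering from titles

SAMPLE = """\
Top New Vulnerabilities in Windows Systems Q1, 2005
Top20 Category: W3 Windows Remote Access Services
*******************************************************************
Windows License Logging Service Overflow (MS05-010)
Patches:
MS05-010 available.
Affected:
Windows NT/2000/2003 Servers
Risk:
An attacker can execute code with "SYSTEM" privileges.
CVE:
CAN-2005-0050
*******************************************************************

Top20 Category: W6 Web Browsers
Internet Explorer Vulnerabilities (MS05-014 and MS05-008)
Patches:
MS05-014, MS05-008 available.
Affected:
Internet Explorer versions 5.01, 5.5, 6.0
Risk:
An attacker can compromise a client system.
*******************************************************************
(7) Multiple Antivirus Products Buffer Overflow Vulnerabilities
Patches:
Available
Affected:
Multiple products from Symantec, F-Secure, Trend Micro, McAfee
Risk:
An attacker can execute code with "SYSTEM/root" privileges on systems running any of the vulnerable products.
CVE:

CAN-2005-0249, CAN-2005-0350, CAN-2005-0644
*******************************************************************
"""


def parse_entries(text: str) -> List[Dict]:
    """Return one dict per vulnerability entry found in `text`."""
    entries: List[Dict] = []
    section: Optional[str] = None
    category: Optional[str] = None
    for chunk in SEPARATOR.split(text):
        entry: Optional[Dict] = None
        field: Optional[str] = None
        for raw in chunk.splitlines():
            line = raw.strip()
            if not line:
                continue
            if SECTION.match(line):
                section, category = line, None  # a new section resets the category
                continue
            m = CATEGORY.match(line)
            if m:
                category = m.group(1).strip()
                continue
            if entry is None:
                # The first remaining non-empty line of a chunk is the entry title.
                entry = {"title": LEADING_NUMBER.sub("", line), "section": section,
                         "category": category, "fields": {}, "cves": []}
                continue
            m = FIELD.match(line)
            if m:
                field = m.group(1)
                entry["fields"].setdefault(field, [])
                continue
            if field is not None:
                entry["fields"][field].append(line)
        # Chunks that hold only a heading (no labelled fields) are not entries.
        if entry is not None and entry["fields"]:
            entry["cves"] = sorted(set(CVE_ID.findall(chunk)))
            entries.append(entry)
    return entries


def cve_index(entries: List[Dict]) -> Dict[str, str]:
    """Map each CVE/CAN identifier to the title of the entry that lists it."""
    return {cve: e["title"] for e in entries for cve in e["cves"]}


def privileged_code_execution(entries: List[Dict]) -> List[str]:
    """Titles whose stated risk is code execution as SYSTEM or root: patch these first."""
    hits = []
    for e in entries:
        risk = " ".join(e["fields"].get("Risk", []))
        if "SYSTEM" in risk or "root" in risk:
            hits.append(e["title"])
    return hits


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(f'{e["category"] or "-"} | {e["title"]} | CVEs: {", ".join(e["cves"]) or "none"}')
    print("Patch first:", privileged_code_execution(parsed))
```

Feeding the whole list from the page through `parse_entries` gives one record per entry; the section and category headings that sit between separators are dropped because they carry no labelled fields, and the CVE identifiers are collected from the entire chunk, so the Internet Explorer entry's identifiers are found even though that entry's labels are out of order on the page.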

Hackers are using popular programs written for cross platform use to access previously relatively secure operating systems.


2 posted on 05/02/2005 10:31:54 PM PDT by Eagle9

To: Eagle9

Clearly Bush's fault.


3 posted on 05/02/2005 10:34:08 PM PDT by Liberty Valance (If you must filibuster, let the Constitution do the talkin')

To: Bush2000; antiRepublicrat; Action-America; eno_; bentfeather; N3WBI3; zeugma; TechJunkYard; ...
Another attempt at spreading FUD?

Or is this a serious breach of Mac security (Real Player vulnerability, iTunes vulnerability)? Not really... they are dredging up a vulnerability, now patched, from January that has already been discussed.

It's FUD - PING!

Headline really is not supported by the information on the website.

If you want on or off the Mac Ping List, Freepmail me.

4 posted on 05/02/2005 11:34:31 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: Eagle9
Hackers are using popular programs written for cross platform use to access previously relatively secure operating systems.

This is not really an attempt by crackers to target non-MS based OSes... that is just a side effect.

While the cross platform application with a flaw may allow a buffer overflow, what can be accomplished on a OSX platform is not much. Secondly, the flaw in iTunes was discovered on January 10, 2005 and fixed by Apple on January 17th.

The article implies that both Linux and Mac OSX platforms are being hijacked to send spam... not true, at least as far as OSX is concerned. The exploit described does not rise to that level, cannot install or execute any applications (Mac OSX requires permission to install anything... now, with Tiger, to even download an executable).

5 posted on 05/02/2005 11:41:32 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker
The article implies that both Linux and Mac OSX platforms are being hijacked to send spam... not true, at least as far as OSX is concerned. The exploit described does not rise to that level, cannot install or execute any applications (Mac OSX requires permission to install anything... now, with Tiger, to even download an executable)

Then the headline is misleading, at the very least, and the article just plain wrong, in regards to Mac. I suspect that will also apply to Linux. Thanks for your enlightening comment.

There are plenty of useful update links for Windows users, as well as for all those common programs, e.g. RealPlayer, Media Player 9, etc. Unpatched programs are always an opening for further spread of malware.

6 posted on 05/03/2005 12:34:55 AM PDT by Eagle9

To: Eagle9; All
Crosslinked to my general-purpose PC, OS, browser, malware, & tech post:

Browser Wars, take two

7 posted on 05/03/2005 1:22:07 AM PDT by backhoe (-30-)

All email spammers should be strung up with piano wire. Figuratively. Or not.


8 posted on 05/03/2005 6:11:22 AM PDT by SunkenCiv (FR profiled updated Monday, April 11, 2005. Fewer graphics, faster loading.)

To: Eagle9
I love the way that the title would appear to indicate there are actually threats in the wild against OSX/Linux, but they don't actually mention any.
9 posted on 05/03/2005 7:41:00 AM PDT by zeugma (Come to the Dark Side...... We have cookies! (Made from the finest girlscouts!))

To: Swordmaker
(Mac OSX requires permission to install anything... now, with Tiger, to even download an executable).

Windows now does this as well, but the problem is, spyware makers present themselves as something desirable, and get the user's permission. This is the way things are going.

Even if you are smart enough to resist, kids aren't.

10 posted on 05/03/2005 7:47:12 AM PDT by js1138 (e unum pluribus)

To: js1138
Windows now does this as well, but the problem is, spyware makers present themselves as something desirable, and get the user's permission. This is the way things are going.

Even if you are smart enough to resist, kids aren't.

Why are kids allowed to install programs on your computer?

11 posted on 05/03/2005 10:27:43 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker
Why are kids allowed to install programs on your computer?

My kids are grown and out of the house. I'm just reporting what I've observed with computers I get paid to fix. These are the kids' computers. Are you suggesting that a 15 year old should have constant supervision while using a computer?

12 posted on 05/04/2005 5:48:18 AM PDT by js1138 (e unum pluribus)

To: js1138
Are you suggesting that a 15 year old should have constant supervision while using a computer?

No... but if I am going to be financially responsible for the upkeep of a computer, I damn well will make certain that if a kid wants to install a program that can globally impact my OS, I will be required to put in MY administrator password. If I set up the kid's access to allow certain programs to be installed on a Mac, and the kid DOES install a program with lower than administrator level access, that program only has access to his activities and his files. It cannot be installed in any of the system areas, cannot alter any of the system files, see or read other users' files, and it cannot monitor other users' activities.

13 posted on 05/04/2005 11:36:29 AM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker
It is not just security, though. The fact is that all the "security" crap for Wintel boxes create a sea of goo that slows down and cripples MS driven machines.

I have a machine here at work that is a PIII 500 with 256 meg of ram. It runs a debian build of linux (Mepis). "MY" machine is an amd 2800 with an asus a7n8x board and a gig of ram. It runs xp pro. The linux box runs CIRCLES around the xp machine.

.... and don't give me any crap about needing to tweak the machine and how if I was a windoze guru like whoever posts that kind of junk that I could make the xp machine outperform the linux box. It simply is not so. After you load the damn thing up with adaware, norton (or avg), spybot, and popup blockers and godknowswhatelse, you need a cray just to push thru it all.

The new distros of linux are so nice and easy that my wife uses one (xandros)....., and she barely knows how to turn a machine on.

for those of you who have never tried it, you should burn a cd of MEPIS, or UBUNTU, or KNOPPIX and run them straight from the cd. I especially like MEPIS and UBUNTU.
14 posted on 05/05/2005 3:03:21 PM PDT by chronic_loser



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson