Scanner Tool Released To Thwart JPEG Attack

March 8, 2008 – 3:39 PM

With security experts predicting that a large-scale worm attack is only days away, Microsoft has released a scanning tool to help users identify vulnerable versions of the GDI+ library (gdiplus.dll) that handles JPEG processing.

The Microsoft GDI+ Detection Tool detects Microsoft products other than Windows itself (Office, for example) that ship their own copy of the GDI+ component and determines whether a security fix should be applied to each of them.

The scanning tool was released along with the MS04-028 patch, which fixes a “critical” buffer overrun in the way JPEG image files are processed.

The Internet Storm Center (ISC) has also issued a scanner that looks for non-Microsoft programs carrying their own copy of the vulnerable GDI+ library, which the Microsoft tool does not cover.

“Several non-Microsoft programs include versions of GDI libraries, which are vulnerable to exploitation. Using this tool, you can identify programs which may be vulnerable, and attempt to obtain updates from the software developer,” the center said.

The ISC said it is continuing to detect several exploits taking advantage of the JPEG GDI vulnerability and warned that a “rapid development of additional exploits” could be expected over the next few days.

The proof-of-concept exploits started circulating a mere eight days after Microsoft released the patch, confirming fears that attackers keep shrinking the window between a patch and a working exploit.

Microsoft said it was aware of the circulating exploit code and was investigating the situation. A representative reiterated that customers should apply the MS04-028 patch as a matter of priority.

The exploit code detected by the ISC is capable of opening a command prompt on vulnerable machines, meaning that attackers could hijack an unpatched system and use it as a drone in a large-scale attack.

“If we are seeing exploits opening command prompts, something worse is on its way,” the center warned.

Anti-virus firm Trend Micro rates the risk as “high” and warned that a successful attack could allow a hacker to install or run programs and view or edit data with full privileges.

Microsoft Outlook and Outlook Express users, particularly in enterprise settings, are urged to read e-mail as plain text so that an embedded, malformed JPEG image is not rendered automatically when a message is opened or previewed.

http://www.internetnews.com/security/article.php/3412621

Click here to become infected

March 8, 2008 – 3:39 PM

Users should be wary of clicking the ‘click here to remove’ link on spam messages, because doing so confirms to spammers that the junk mail is being read. Addresses confirmed as live can be sold at a premium to other spammers.

That’s reason enough to simply delete spam messages, but a junk mail message doing the rounds today provides an even more compelling reason. Clicking the ‘click here to remove’ link on messages blocked by MessageLabs today triggers an attempt to load malicious code onto a potentially vulnerable Windows PC.

MessageLabs is blocking spam linking to the domain www. xcelent.biz (space deliberately inserted). If a user clicks the remove link and scrolls down the page, a DragDrop JavaScript exploit is triggered; this uses an Internet Explorer bug to download and run an EXE file, which MessageLabs is currently analysing.

Alex Shipp of MessageLabs writes: “I have not finished analysing the EXE currently hosted (currently called windows-update.exe), but the spammers can change this at any time by uploading a new Trojan. Typically, your machine may be turned into an open proxy, have passwords extracted, and keyloggers installed.

“So not only do you confirm your email address to the spammers, you also get to host their next spam run, and get your bank account cleaned out,” he adds.

The US CAN-SPAM Act requires junk mailers to put an opt-out link on their wares. It comes as little surprise that this feature is being taken advantage of in a social engineering exploit, but it does illustrate the security problems of the opt-out approach that were always apparent to security experts – and ignored by legislators.

http://www.theregister.co.uk/2004/09/22/opt-out_exploit/

More big security holes in Linux

March 8, 2008 – 3:38 PM

Open-source developers have warned of serious security holes in two Linux components that could allow attackers to take over a system by tricking a user into viewing a specially crafted image file or opening an archive. Patches exist for the bugs, which affect LHA and imlib.

Imlib, a library for graphics-viewing applications used in the Gnome graphical user environment, contains a bug that could allow the execution of malicious code when a user views a specially crafted bitmap image file, according to Marcus Meissner of Novell Inc.’s Suse Linux. The vulnerability is due to a boundary error in the decoding of run-length-encoded bitmap images, which can be exploited to cause a buffer overflow, according to an advisory from Danish security firm Secunia, which maintains a vulnerabilities database.

Gentoo, MandrakeSoft SA and other Linux vendors have begun distributing fixes for the bug, and a patch is also available from the Gnome project. Imlib 1.x and imlib2 1.x are affected.

The vulnerability is related to last month’s BMP-decoding flaw in Qt, a software toolkit used in writing graphical user interface applications using the X Window system in Unix and Linux, Secunia said.
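The bug class in the imlib advisory, a run length read from the file and used as a write length without checking it against the pixel buffer, is easy to see in a stripped-down RLE8 decoder. The following is an added example written for this page, not imlib’s code (imlib’s real decoder handles the full BMP header, palette and delta escapes, which this omits): the unsafe form trusts the counts in the stream, the hardened form checks every write against the current row and every read against the input length. Both byte streams are constructed for the demo.

```c
/* Added example: a minimal BMP RLE8 decoder in two versions, the bug class
 * the advisory describes (run and literal lengths taken from the file and
 * never checked against the pixel buffer) and the bounded form.
 * Illustrative code, not imlib's decoder. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIDTH  4
#define HEIGHT 2
#define PIXELS (WIDTH * HEIGHT)

/* Constructed 4x2 RLE8 stream: run of 4 x 0x11, end of line,
 * run of 4 x 0x22, end of bitmap. */
static const uint8_t benign_rle[] = { 4, 0x11, 0, 0, 4, 0x22, 0, 1 };

/* Constructed malicious stream: a run of 200 pixels for an 8-pixel image. */
static const uint8_t malicious_rle[] = { 200, 0x41, 0, 1 };

/* Vulnerable form: trusts every length that comes out of the file. */
static void decode_rle8_unsafe(const uint8_t *in, size_t in_len, uint8_t *out, int width)
{
    size_t i = 0;
    int x = 0, y = 0;
    while (i + 1 < in_len) {
        uint8_t count = in[i], value = in[i + 1];
        i += 2;
        if (count > 0) {                     /* BUG: count never checked against the row */
            memset(out + (size_t)y * width + x, value, count);
            x += count;
        } else if (value == 0) {
            x = 0; y++;                      /* BUG: y never checked against height */
        } else if (value == 1 || value == 2) {
            return;                          /* end of bitmap / delta (not handled) */
        } else {                             /* BUG: literal length unchecked on both sides */
            memcpy(out + (size_t)y * width + x, in + i, value);
            x += value; i += value + (value & 1);
        }
    }
}

/* Hardened form: every write is bounded by the row and the image, every read
 * by the input length. Returns 0 on success, -1 on a malformed stream. */
static int decode_rle8_safe(const uint8_t *in, size_t in_len,
                            uint8_t *out, int width, int height)
{
    size_t i = 0;
    int x = 0, y = 0;
    memset(out, 0, (size_t)width * height);
    while (i + 1 < in_len) {
        uint8_t count = in[i], value = in[i + 1];
        i += 2;
        if (count > 0) {                     /* encoded run: must fit in this row */
            if (y >= height || count > width - x) return -1;
            memset(out + (size_t)y * width + x, value, count);
            x += count;
        } else if (value == 0) {             /* end of line */
            x = 0; y++;
        } else if (value == 1) {             /* end of bitmap */
            return 0;
        } else if (value == 2) {             /* delta escape: reject rather than guess */
            return -1;
        } else {                             /* literal run: bound the read and the write */
            size_t n = value;
            if (y >= height || n > (size_t)(width - x) || n + (n & 1) > in_len - i) return -1;
            memcpy(out + (size_t)y * width + x, in + i, n);
            x += (int)n; i += n + (n & 1);
        }
    }
    return -1;                               /* input ended without end-of-bitmap */
}

int safe_decodes_benign(void)
{
    static const uint8_t expect[PIXELS] = { 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22 };
    uint8_t out[PIXELS];
    return decode_rle8_safe(benign_rle, sizeof benign_rle, out, WIDTH, HEIGHT) == 0
        && memcmp(out, expect, PIXELS) == 0;
}

int safe_rejects_malicious(void)
{
    uint8_t out[PIXELS];
    return decode_rle8_safe(malicious_rle, sizeof malicious_rle, out, WIDTH, HEIGHT) == -1;
}

/* Runs the unsafe decoder into a pixel buffer followed by a zeroed guard
 * region and reports whether bytes past the image were written. The guard
 * keeps the demo inside one array; in a real program those 192 bytes would
 * land on whatever follows the pixel buffer. */
int unsafe_overflows(void)
{
    uint8_t buf[PIXELS + 256];
    memset(buf, 0, sizeof buf);
    decode_rle8_unsafe(malicious_rle, sizeof malicious_rle, buf, WIDTH);
    return buf[PIXELS] == 0x41 && buf[199] == 0x41 && buf[200] == 0;
}

int main(void)
{
    printf("benign stream decodes correctly: %d\n", safe_decodes_benign());
    printf("malicious stream rejected by safe decoder: %d\n", safe_rejects_malicious());
    printf("unsafe decoder wrote past the image: %d\n", unsafe_overflows());
    return 0;
}
```

The check that matters is `count > width - x`: a run is only ever allowed to fill the remainder of the current row, so no value an attacker can put in the file moves the write pointer outside the `width * height` bytes the caller allocated.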

Linux vendor Red Hat Inc. warned of three security holes in LHA, a utility for compressing and decompressing LHarc-format archives. The bugs, affecting all versions up to and including 1.14, could allow the execution of malicious code if a user were tricked into extracting or testing a malicious archive or passing a specially crafted command line to the lha command. The third bug arises when an archive contains a directory whose name includes shell metacharacters; if lha passes that name to the shell, the metacharacters could lead to arbitrary command execution.

Secunia noted that all three of the bugs could be avoided by staying away from untrusted archives. Patches are also available from Red Hat, Gentoo and others.
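The third LHA bug above is a reminder that an archive entry name is attacker-controlled input. An extractor that ever hands such a name to the shell, or creates it on disk verbatim, needs a check like the following. This is an added example written for this page, not LHA’s own code; the entry names and the metacharacter set are the example’s own choices, and the set is deliberately conservative (a space is rejected too, since it splits a name into several shell words).

```c
/* Added example, not LHA's code: a check an archive extractor can run on
 * every entry name before it creates the file or passes the name to any
 * helper that goes through the shell. Rejects absolute paths, "." and ".."
 * components, empty components, control characters and shell metacharacters.
 * The entry names below are constructed for the demo. */
#include <stdio.h>
#include <string.h>

/* Characters with special meaning to sh. Space is included deliberately:
 * a name that is split into several words is just as dangerous. */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[]#~=%!{}";

int entry_name_is_safe(const char *name)
{
    const char *p;
    if (name == NULL || name[0] == '\0') return 0;
    if (name[0] == '/') return 0;                          /* absolute path */
    if (strpbrk(name, SHELL_META) != NULL) return 0;       /* shell metacharacters */
    for (p = name; *p; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f) return 0;  /* control characters */
    /* Walk the '/'-separated components: reject "", "." and "..", which
     * either double a slash or escape the extraction directory. */
    p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) return 0;
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.'))) return 0;
        if (!end) break;
        p = end + 1;
    }
    return 1;
}

/* Constructed entry names as they might appear in an archive listing. */
static const char *const demo_names[] = {
    "docs/readme.txt",        /* ordinary: accepted */
    "src/.config",            /* dotfile, not a ".." component: accepted */
    "../etc/passwd",          /* escapes the extraction directory */
    "/etc/cron.d/job",        /* absolute path */
    "build/$(touch pwned)",   /* command substitution if handed to sh */
    "logs;rm -rf ~",          /* command separator */
    "a/../b",                 /* ".." buried in the middle */
};
#define DEMO_COUNT (sizeof demo_names / sizeof demo_names[0])

/* Bit i of the result is set when demo_names[i] passes the check. */
unsigned demo_accepted_mask(void)
{
    unsigned mask = 0;
    size_t i;
    for (i = 0; i < DEMO_COUNT; i++)
        if (entry_name_is_safe(demo_names[i])) mask |= 1u << i;
    return mask;
}

int main(void)
{
    size_t i;
    for (i = 0; i < DEMO_COUNT; i++)
        printf("%-24s %s\n", demo_names[i],
               entry_name_is_safe(demo_names[i]) ? "accept" : "REJECT");
    return 0;
}
```

Rejecting the name is the right response to a failed check; “cleaning” it (stripping the offending characters and extracting anyway) would let an attacker choose which file the sanitized name lands on.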

http://www.infoworld.com/article/04/09/09/HNmorelinuxholes_1.html

What You Should Know About Firewalls

March 8, 2008 – 3:37 PM

Scott Rolf knows trouble when he sees it. An IT director for a law firm near Cleveland, Ohio, Rolf was asked by a friend to check out the new Web site the friend had put up on a DSL-connected Web server. Rolf did more than just visit his friend’s site; he quickly found that the server lacked any sort of firewall protection. It took less than five minutes for Rolf to exploit a well-known Windows NT vulnerability and e-mail to his friend a complete listing of files and directories from the server’s hard disk.

“He called me a few minutes later and said ‘Holy cow, what do I do?’ He was at work and couldn’t turn the server off,” Rolf laughs. “I think he went out and bought a Linksys firewall box.”

As the name implies, a firewall acts as a barrier between your PC and the Internet. Firewalls not only prevent unauthorized access to your PC or network, they also hide your Internet-connected PC from view.

Firewalls have long been a fixture at large companies, which must secure their networks against determined attackers. But the dangerous surge in e-mail- and Web-borne threats–including viruses, worms, hijacks, and increasingly aggressive spyware–means that home PCs require this protection as well.

Don’t believe me? Consider this. According to the Internet Storm Center, a typical unprotected PC will come under attack within 20 minutes of being connected to the Internet. That is not a misprint. In less time than it takes most people to shower and get dressed in the morning, your PC will probably attract some form of unwelcome advance.

Johannes Ullrich, chief technology officer at the Internet Storm Center, says the situation is so bad that a newly connected PC won’t have time to download all the Windows patches needed to make it secure before malicious software has found and infected it. The time to attack is even shorter for PCs on high-speed university networks and cable or DSL services. Hackers specifically target these addresses–much the way car thieves target Honda Accords–for their high bandwidth and always-on nature. It’s a digital catch-22. The better your connection, the bigger your risk.

Fired Up

Alas, it seems that too few people have well-meaning–if overly inquisitive–friends like Rolf. Alan Paller, director of research for The SANS Institute, an organization dedicated to Internet security issues, says most home users don’t have any firewall protection in place. That leaves connected PCs exposed to all manner of intrusion and attack.

The good news for cable and DSL customers is that firewalls are cheaper to buy and easier to use than ever. And adoption is picking up, according to forecasts by In-Stat/MDR, a market research firm. Sales of consumer firewalls are expected to rise from $455 million in 2003 to $1.8 billion in 2007, in part because firewall functions are being built into all sorts of consumer network gear.

“I don’t even think there are any routers that don’t have basic firewall protection,” says Ullrich.

Firewalls actually come in two distinct flavors: software applications that run in the background, and hardware devices that plug in between your modem and one or more PCs. Both types hide your PC’s presence from other systems, prevent unauthorized access from external sources, and keep tabs on network traffic across the firewall.

While software applications can be less expensive–Microsoft has improved the firewall software in Windows XP Service Pack 2, and both ZoneAlarm and Sygate Personal Firewall are free for download–a hardware firewall usually does a better job for broadband users. (For more on software firewalls, see the accompanying story “Internal Defense.”)

“Users really like them because they are simpler to use than software firewalls, and they don’t have any [performance] impact on their computer,” Ullrich says. “The other advantage of a hardware firewall is if you happen to install some sort of malware on your system, it cannot take out your firewall. However, malware frequently disables antivirus checkers and software firewalls.”

If you’re networked, you probably haven’t bought a separate hardware firewall box. Rather, your wireless access point or network router that links multiple PCs can have firewall capability conveniently included. The $85 Netgear WGT624 108Mbps Wireless Firewall Router is a high-speed 802.11g Wi-Fi access point, router, and firewall that offers excellent protection against and tracking of external threats. Similar Wi-Fi products include the $85 D-Link DI-624 and the $70 to $80 Linksys WRT54G.

In the wired arena, firewall-capable routers include the Netgear FVS318NA VPN Firewall router with eight-port switch, about $100, and the Linksys BEFSX41 Instant Broadband EtherFast Cable/DSL Firewall Router, about $70, which provides four ethernet ports.

Matt Neely, a computer security expert for a major financial firm, says you can find bare-bones firewall devices for even less. “You can get a decent one on sale for 10 or 20 bucks,” says Neely. “They make a great gift. I give them out like candy on the holidays.”

What They Do, What They Don’t

Don’t make the mistake of buying a firewall and thinking your security problems are solved. Firewalls may be great at stopping unwanted intrusions, but they often do little or nothing to detect virus-laden e-mails or stop intrusive adware and spyware. You’ll want separate antivirus and spyware checkers to stymie these threats. What’s more, hardware firewalls usually won’t manage outbound traffic, which means a piece of spyware can freely send data from your PC to a server on the Internet.

So what do hardware firewalls do exactly? More than anything, they stymie inquisitive software that pings, sniffs, and queries IP addresses in the hopes of finding a wide-open system. To do this, hardware firewalls employ numerous functions. Among them:

Network address translation: Every system on the Internet needs an IP address–like a phone number for computers–which is used to establish connections with other systems across the network. NAT gives the PCs behind the firewall a set of private addresses while presenting a single public address to the world; the firewall rewrites addresses as traffic passes and remembers which inside machine each outbound connection belongs to. An unsolicited packet from outside matches none of those mappings, so the firewall has nowhere to deliver it and discards it, which makes it difficult for others to reach through to an individual PC. Strictly, it is this absence of a mapping, not the address rewriting itself, that keeps outsiders out: NAT is a side effect of sharing one address, not a security control in its own right.

Port management: By default, most hardware firewalls refuse unsolicited access to all ports (akin to doors in a hallway) on your connected PC. So if a piece of software locks onto your IP address and tries to open a connection to TCP port 80 (used by Web servers) or TCP port 25 (SMTP, used to deliver e-mail), the firewall ignores the request. As far as the inquiring software can tell, there is simply nothing there. By the same token, firewalls let you open specific ports (an action known as port forwarding, because inbound traffic on that port is forwarded to a chosen PC on your network), so a multiplayer game can link up with other systems across the Internet or a Web camera can send a video stream for viewing on the Internet. Every forwarded port is a door you have chosen to leave open, so the program behind it must be kept patched.

Stateful packet inspection: An important security feature, SPI tracks the state of each connection crossing the firewall (addresses, ports and, for TCP, the handshake flags and sequence numbers) rather than judging every packet in isolation. The result: a firewall can do more than simply prohibit packets from a specific source. It can tell whether an incoming packet was unsolicited (and therefore unwanted) or whether it arrived in response to a request from the local network (in which case it is allowed through). Looking inside the payload itself is a separate capability, usually sold as deep packet inspection or content filtering.

Virtual private networking: A method for establishing encrypted, point-to-point connections across the Internet, VPNs are widely used by businesses to give remote employees access to the office network. The problem is that some VPN protocols do not travel well through NAT: IPsec ESP and the GRE tunnel used by PPTP carry no TCP or UDP port numbers for the firewall to track, so a NAT firewall that only understands port-based connections cannot forward them to the right PC. Firewalls advertising VPN pass-through recognise these protocols and let the encrypted link through.

Activity logging and alerts: One area where hardware firewalls can vary greatly is in their ability to track, record, and report the activity fielded by the device. If you need finely detailed information about network activity, make sure to check reviews for products that offer the most comprehensive and useable activity logging and alerting features.

Content and URL filtering: Firewalls can also offer higher-level features–for instance, blocking access to URLs with a specified string of letters in their URL (think “XXX”) or to any sites that fall outside of a list of accepted Web domain names.

PC security expert Neely suggests pairing a hardware firewall with a free software firewall application, such as ZoneLabs’ ZoneAlarm. Software firewalls can detect which applications are trying to send data over the Internet and prompt users to allow or disallow the activity. So when a previously unknown program asks for Internet access, you can dig down and see if that application might actually be spyware. Adjustable alert levels mean you can flag every access for review or simply allow all traffic through by default. Also, hardware firewalls can’t plug into analog modems, which means a software firewall is the best option for most dial-up Internet users.

The good news is, firewalls really work. I tested my setup (a D-Link DI-624 wireless router) using the ShieldsUp port test service at Steve Gibson’s Web site. I clicked the All Service Ports button, and the remote server performed a comprehensive scan of all the ports at my IP address. The scan took just over a minute and revealed that all of my ports–with one exception–had been stealthed. That is, my firewall had rendered them invisible, so that any computer trying to open ports on my machine’s IP address would get no reply at all. Port 113 (the ident service) on my system was marked as closed, meaning the router answered the probe with a reset: a remote machine would know a live system is out there, but it would be unable to gain entry. Many routers treat 113 this way on purpose, so that mail and chat servers which query ident before accepting a connection get a quick “no” instead of waiting for a reply that never comes.
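The behaviour the list above attributes to NAT, port management and stateful inspection, and the difference between a “stealthed” and a “closed” port in the ShieldsUp result just described, fit together in a few dozen lines. The following is an added example written for this page, not code from the article or from any router vendor: a toy model over constructed packets, with addresses from the RFC 5737 documentation ranges, a single port-forward rule for a game server on 192.168.1.20, and ident (port 113) configured to answer with a reset; all of those are the example’s own assumptions. Real stateful inspection also checks TCP flags and sequence numbers and expires idle entries, which this model omits.

```c
/* Toy stateful NAT firewall (added illustration, not vendor firmware).
 * Addresses, rules and packets below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PUBLIC_IP IP(203, 0, 113, 7)   /* assumed public address (RFC 5737 range) */
#define LAN_NET   IP(192, 168, 1, 0)   /* assumed private LAN behind the router */
#define LAN_MASK  IP(255, 255, 255, 0)
#define MAX_CONNS 16

typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; } packet_t;
typedef struct { int used; uint32_t lan_ip, remote_ip;
                 uint16_t lan_port, remote_port, public_port; } conn_t;
typedef struct {
    conn_t   table[MAX_CONNS];      /* state table: one entry per outbound connection */
    uint16_t next_public_port;      /* next NAT source port to hand out */
    uint16_t forward_ext_port, forward_lan_port;  /* the single port-forward rule */
    uint32_t forward_lan_ip;
    uint16_t reject_port;           /* answered with a TCP RST instead of silence */
} firewall_t;

enum verdict { ALLOW_OUT, ALLOW_REPLY, FORWARD, REJECT, DROP };

void fw_init(firewall_t *fw)
{
    memset(fw, 0, sizeof *fw);
    fw->next_public_port = 40000;
    fw->forward_ext_port = 27015;  fw->forward_lan_port = 27015;  /* assumed game server */
    fw->forward_lan_ip   = IP(192, 168, 1, 20);
    fw->reject_port      = 113;    /* ident: reset it, so a probe reports "closed" */
}

/* Fate of one packet. *port_out is the NAT source port (ALLOW_OUT) or the
 * LAN port the packet is delivered to (ALLOW_REPLY, FORWARD). */
enum verdict fw_handle(firewall_t *fw, const packet_t *p, uint16_t *port_out)
{
    conn_t *c, *free_slot = NULL;
    int i;
    if ((p->src_ip & LAN_MASK) == LAN_NET) {
        /* Outbound: reuse the existing mapping or allocate a public port (NAT). */
        for (i = 0; i < MAX_CONNS; i++) {
            c = &fw->table[i];
            if (!c->used) { if (!free_slot) free_slot = c; continue; }
            if (c->lan_ip == p->src_ip && c->lan_port == p->src_port &&
                c->remote_ip == p->dst_ip && c->remote_port == p->dst_port) {
                *port_out = c->public_port;
                return ALLOW_OUT;
            }
        }
        if (!free_slot) return DROP;                           /* table full */
        free_slot->used = 1;
        free_slot->lan_ip = p->src_ip;     free_slot->lan_port = p->src_port;
        free_slot->remote_ip = p->dst_ip;  free_slot->remote_port = p->dst_port;
        *port_out = free_slot->public_port = fw->next_public_port++;
        return ALLOW_OUT;
    }
    /* Inbound: only a reply to a connection we opened, or a forwarded port, gets in. */
    for (i = 0; i < MAX_CONNS; i++) {
        c = &fw->table[i];
        if (c->used && c->remote_ip == p->src_ip && c->remote_port == p->src_port &&
            c->public_port == p->dst_port) { *port_out = c->lan_port; return ALLOW_REPLY; }
    }
    if (p->dst_port == fw->forward_ext_port) { *port_out = fw->forward_lan_port; return FORWARD; }
    if (p->dst_port == fw->reject_port) return REJECT;        /* RST goes back: "closed" */
    return DROP;                                               /* nothing goes back: "stealth" */
}

/* What a ShieldsUp-style probe reports for a verdict. */
const char *probe_view(enum verdict v)
{
    return v == DROP ? "stealth" : v == REJECT ? "closed" : "open";
}

/* Replay the constructed five-packet scenario through step n. */
static enum verdict replay(int n, uint16_t *port)
{
    const uint32_t web = IP(198, 51, 100, 5), probe = IP(198, 51, 100, 9);
    const packet_t steps[5] = {
        { IP(192, 168, 1, 10), web, 51000, 80 },  /* LAN host opens a web connection */
        { web, PUBLIC_IP, 80, 40000 },            /* server replies to the NAT port */
        { probe, PUBLIC_IP, 44444, 80 },          /* unsolicited probe of port 80 */
        { probe, PUBLIC_IP, 44445, 27015 },       /* probe of the forwarded port */
        { probe, PUBLIC_IP, 44446, 113 },         /* probe of ident */
    };
    firewall_t fw; enum verdict v = DROP; int i;
    fw_init(&fw);
    for (i = 0; i <= n && i < 5; i++) { *port = 0; v = fw_handle(&fw, &steps[i], port); }
    return v;
}

enum verdict demo_step(int n) { uint16_t p = 0; return replay(n, &p); }
uint16_t     demo_port(int n) { uint16_t p = 0; replay(n, &p); return p; }

int main(void)
{
    int n;
    for (n = 0; n < 5; n++)
        printf("step %d: verdict %d, port %u, a probe would see: %s\n",
               n, (int)demo_step(n), demo_port(n), probe_view(demo_step(n)));
    return 0;
}
```

Step 1 is the stateful part: the server’s reply is admitted only because step 0 left an entry for (198.51.100.5, 80, 40000) in the table; the identical packet arriving before step 0 would fall through to the DROP case like any other probe.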

So will all users someday have PCs protected by firewalls? If Scott Rolf has his way, absolutely.

“I preach it so loudly that most of them already have a firewall, and if they don’t I’ve given them ZoneAlarm.”

http://story.news.yahoo.com/news?tmpl=story&u=/ttpcworld/20040826/tc_techtues_pcworld/117557&cid=1740&ncid=1729

Virus targets 64-bit Windows

March 8, 2008 – 3:36 PM

Virus writers have unleashed the first program that infects 64-bit Windows files, antivirus firm Symantec said Monday.

The virus, dubbed W64.Shruggle by Symantec, seems mainly to be an experiment to test the concept of a 64-bit infecter and is not actively spread, said Alfred Huger, senior director of security at Symantec.

“The most interesting thing about this is that virus writers are already developing for the 64-bit platform,” he said.

Symantec got a copy of the virus from an antivirus newsgroup the company monitors, Huger said. The virus, even if released on the Internet, would not spread, he added, because the Windows software that the program targets has not yet been released by Microsoft. Some developers are trying out the 64-bit extensions for Windows, but the software is still being tested. The virus will not run on 32-bit versions of Windows, such as Windows 2000 and Windows XP, used by the vast majority of Microsoft customers.

“This is for the future, when this stuff comes out of beta,” Huger said.

That a virus for 64-bit Windows has been developed so early is somewhat ironic, since 64-bit processors such as AMD’s Opteron have specific features to boost the security of Windows PCs, notably the NX (no-execute) bit, which lets the operating system mark data pages as non-executable. That protection is targeted at worms and other attacks that, unlike e-mail viruses, inject and run code without having to trick users; it does nothing against a file infector that the user runs deliberately.

While the digital pest is little threat, it does indicate that virus writers are thinking ahead. Such “proof of concept” programs tend to be aimed at identifying vulnerabilities, not exploiting them. Other recent viruses targeted at new platforms include two programs that aimed to infect the Symbian and Windows CE operating systems used by many smart phones.

“They prove that there is a viable threat,” Huger said.

http://news.com.com/Virus%20targets%2064-bit%20Windows/2100-1002_3-5320803.html