Its been a heck of a week for security vulnerabilities. The most attention, deservedly so, went to another buffer overflow in Microsofts IIS Web server, but there were many more.
The IIS hole was unusual in that, unlike most vulnerabilities, it appears to have been exploited before it was discovered and patched. Even worse, it was the U.S. Armys Web server that was attacked. Microsoft put out a patch in relative hurry and there are several workarounds that should block the exploit. However, they come at the expense of functionality in IIS support for WebDAV, which allows file I/O-style access to web sites. This is one of those problems for which administrators should drop everything and deal.
After reports of server crashes introduced with the patch Microsoft modified the security advisory for this problem to warn that certain specific versions of Windows 2000 were incompatible with the patch and that it would cause these systems to blue-screen. Security patches from Microsoft are usually issued before there are any real-world exploits, and Microsoft puts them through extensive testing. No such luck in this case, and they had to write and issue the patch post-haste. This is what happens when youre in a hurry.
And it didnt end there. A second, less serious problem was found in the JScript engine. This one is a more run-of-the-mill problem with important mitigating factors, and patches are available through Windows Update and other locations.
Finally, a minor denial-of-service (DOS) attack is possible through ISA Server. The service denied is actually DNS servers on the other side of the ISA server, so this is nothing too much to worry about.
Those of you using a Version 4 implementation of Kerberos, the network-authentication system developed at MIT, should immediately patch your systems. MIT announced a “CRITICAL” vulnerability early this week that could allow an attacker to fabricate a “ticket” that represents credentials on the network. The good news is that there are patches. The bad news is that the weakness is at the protocol level and that fixing it necessarily involves limitations in functionality. Yet another reason to move to Version 5 of Kerberos, which is not vulnerable. (Incidentally, Windows 2000s Active Directory implements Version 5.) The full MIT advisory may be found here.
Two more vulnerabilities (here and here) do affect Kerberos 5 and can result in crashed server components and potentially compromised data.
Even More Security Problems
BEA announced a vulnerability in its WebLogic Server and Express versions 6.0, 6.1 and 7.0, all platforms. The problem, basically a bug in the implementation of an internal protocol used for copying files between servers and supporting developers, could allow unprivileged users to access and modify application source code, system settings, even system files. WebLogic users should apply the patches immediately.
The Samba team released patches for a series of bugs that could allow a remote user anonymously to gain su (root) privileges on the server running Samba. This is pretty much a worst-case scenario; Samba administrators, quit those video games and upgrade your servers ASAP. All versions of Samba from 2.0.x through 2.2.7 are affected. Administrators should either upgrade to 2.2.8 or follow instructions in the advisory referenced above in order to limit exposure.
The Linux Kernel team released Version 2.2.25 and a patch for Version 2.4.2x in order to patch a local root exploit in those versions. The kernel team does not believe that the 2.5 series of kernel versions are vulnerable. The announcement from Senior Kernel Boss Alan Cox to the linux-kernel mailing list states that a local user could obtain full privileges, but that a remote exploit was not possible.
On a more academic and theoretical note, a professor and a security officer at Stanford University released a paper on the possibility of using timing attacks against OpenSSL, a very popular open source implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. In response, the OpenSSL team released an advisory and a patch that should address the problem. Almost all SSL_enabled versions of Apache are affected, so the number of potentially vulnerable systems is large.
Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.