Firewalls Prove Too Friendly

Opinion: Check Point warns that implementation of a CIFS service group can let unwanted traffic pass through.

Check Point Software makes firewalls. But their new "SecurePlatform NGX R60 Build 244" seems to have a problem. (The company says that it also applies to the VPN-1/FireWall-1, VPN-1 VSX, Provider-1 products running the NGX, NG AI, 4.1, NG software.)

You see, the firewall contains a set of predefined service groups that are designed to handle different types of traffic that are associated with a service (which means a collection of protocols). Check Point firewalls contain a predefined collection of rules to handle traffic associated with the Common Internet File System (CIFS), known as the CIFS service group. Clear so far? Good.

Now, a flaw in the implementation of the CIFS service group may cause traffic not designated as part of the CIFS service group to be handled in an unintended manner. (Its like using "ANY" in the services column. If the traffic matches the source from any service, it will get through. It can also drop the traffic in the same way.) Depending on the configuration of the rules in place, all traffic from a network in the CIFS service group may either pass through the firewall or be totally blockaded at the firewall.


Theres no fix available, although Check Point suggests renaming the CIFS service group to mitigate the issue. That is, after changing the name of the group, put the service "microsoft-ds" and service-group "NBT" in it and use this in your rulebase.

On Safari today

Jonathan Rockway discovered last week that Apples Web browser (Safari) has a memory corruption problem with some data: URIs that can cause the program to crash. Its been reported that this affects all current versions of Safari (2.0.x), even if the latest security update from Apple has been applied.

Secunia rates this vulnerability as not critical and US-CERT calls it "low risk"; but I would rate it as highly annoying. Any way that some joker can crash my browser remotely is one way too many for me.

/zimages/1/28571.gifApple swats Mac OS X security bugs. Click here to read more.

Hey Kids! Lets Pick on PHP some more!

PHP is prone to a vulnerability due to a design error that permits local hijacking of session variables. The problem is due to the way PHP stores session variables.

This defect can be used to hijack the session variables of victim users of other PHP applications running on a system that is running a vulnerable version of PHP, but no separate exploit is needed to cause the vulnerability.

This issue is reported to affect the 3.x and 4.x versions of PHP; but other versions may also be affected. US-CERT assigns a risk level of medium to this vulnerability, but there are currently no patches or workarounds available for the problem.

Larry Loeb was consulting editor for BYTE magazine and senior editor of WebWeek. He serves as a subject matter expert for the Department of Defenses Information Assurance Technology Analysis Center, and is on the American Dental Associations WG-1 and MD 156 electronic medical records working groups. Larrys latest book is "Hackproofing XML," published by Syngress (Rockland, Mass.). If youve got a tip for Larry, contact him at

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.