CYBERSPACE – A trio of serious vulnerabilities greeted IT professionals Monday as separate entities revealed flaws in Microsoft’s Internet Information Services Web server, a range of Linux kernels and Google’s Chrome browser.The Linux vulnerability may be the most distressing, as Linux generally is thought to be less prone to attacks than other operating systems. The National Vulnerability Database maintained by the National Institute of Standards and Technology classifies the threat severity as “medium,” but also notes the flaw is not complicated to access. In a nutshell, the bug allows local users unauthorized access to sensitive information maintained on the affected server. Details about the vulnerability and suggested responses are here: TinyURL.com/l2jct8.
The hole has been plugged in Linux 2.6.31-rc7, but there appears to be no fix for the more stable 2.6.30.x series yet, Jon Oberheide, the security researcher who published the disclosure, told The Register.
The IIS flaw is more serious in nature, though exploits have not been spotted in the wild … yet. However, since proof-of-concept code has been released on the Web, attacks may appear within a matter of days. The vulnerability is present in IIS version 5 on Windows 2000 with Service Pack 4. IIS 6 also is affected.
The exploit, published by hacker Nikolaos Rangos, gives attackers remote root access, thereby allowing complete control over affected machines. The code is effective even when cookie protection is enabled; however, IIS must be set to enable file transfer protocol in the presence of a writable directory.
The good news about that is Microsoft has declared IIS 5’s unequivocal end-of-life point to be July 2010, when the developer’s extended support program expires. Mainline support for the server software stopped in 2005. Hopefully system administrators will upgrade their servers well before the middle of next year, although some IT consultants doubt upgrades will occur with alacrity.
“I have customers who have Windows 2000 servers, and I scold them frequently,” Secorix Chief Technology Officer Rodney Thayer told The Register. “…[Y]ou shouldn’t be running any software that the vendor says is not supported.”
The Google Chrome 3.0 bug allows hackers to track users who visit websites containing particular code snippets. The vulnerability is associated with the Math.random algorithm within Chrome’s JavaScript engine, V8.
According to Trusteer’s Amit Klein, “Math.random’s internal state can be reconstructed, rolled forward and backward, and (in Windows) the exact seeding time can be extracted. This in turn leads to various attacks (e.g. ‘in-session phishing’).”
In-depth information about the vulnerability is here: TinyURL.com/l2orgy. (Tiny URL came up with that Web address all by itself — honest.)
