[ISN] Holes found in IBM's PC support control

From: InfoSec News (isn@private)
Date: Wed Jun 23 2004 - 04:00:26 PDT


    Matthew Broersma 
    22 June 2004 
    Hackers could use two of IBM's ActiveX controls designed for automated
    PC support to attack PCs through the Internet Explorer browser,
    according to security firm eEye Digital Security.
    The company found flaws in the eGatherer and acpRunner ActiveX
    controls - the first of which is installed by default on many IBM
    PCs - that could allow attackers to write malicious files anywhere on
    a computer's hard disc via a special web page.
    Because the controls are signed by IBM, users who agree to "trust" IBM
    components could be compromised, eEye said. The company published
    example exploits for both controls.
    Also last week, Linux suppliers began patching several new, but less
    serious holes in the 2.6 and 2.4 kernels and in the Gentoo and Debian
    The controls are simply badly designed, according to eEye, making
    available unsafe methods of accessing a user's PC.
    "ActiveX is a very profound web technology. As a profound web
    technology it may be abused," wrote eEye in its advisory. "Designers
    might create an ActiveX which could perform any function on a user's
    computer. The responsibility rests with the creator of the ActiveX, as
    in any trust model."
    IBM has released a fix for the problem on its website. Security tools
    such as eEye's Retina Network Security Scanner are also capable of
    protecting PCs.
    The hole is similar in some ways to two linked flaws in Internet
    Explorer publicised earlier this month. Those flaws also allowed a
    malicious web page to write files onto a user's hard drive without
    being detected. In that case, the bug was already being exploited by
    web pages in order to place spyware on users' PCs. The earlier exploit
    also made use of a "help" file.
    Because Internet Explorer and its connected technologies thoroughly
    dominate the web browser market, attackers tend to focus their efforts
    on the software, said industry analysts.
    This situation makes a convincing case for businesses to switch to
    another browser, such as Mozilla or Opera, according to some security
    Linux suppliers Red Hat and Trustix said they had discovered
    vulnerabilities in several drivers in the Linux 2.6 kernel, allowing
    local users to elevate their privileges or gain access to the kernel
    The bugs, affecting the aironet, asus_acpi, decnet, mpu401, msnd, and
    pss drivers, were discovered through a review of the 2.6 kernel source
    code, but some of them also affect the 2.4 kernel, Trustix said.
    Gentoo Linux reported a bug in a popular spell-checking program called
    aspell, affecting versions up to 0.50.5-r1, which could allow a
    malicious user to execute the code of their choice on the system.
    The most recent version of the package corrects the problem. Security
    firm Secunia said the bug could be used to execute malicious code
    remotely, with the privileges of the user, but would require extensive
    social engineering.
    Debian released patches for the components rlpr, www-sql, sup and
    super, fixing bugs which could allow certain local users to elevate
    privileges or compromise a system.