As you may have heard, the source code of Cisco's IOS, the operating system
that runs the routers and switches powering many corporate networks and much of
the Internet, was recently stolen and posted publicly. The threat level created
by this disclosure is unknown but potentially extremely high. Administrators
who manage Cisco equipment should watch their routers and switches with extra
care over the short term.

As detailed in the "Also watch for" section at the bottom of this article,
several new Windows-related vulnerability reports and new exploits of older
threats have also emerged. It's not entirely clear just how serious they are
at this time, but they have the potential to become quite serious, if only
because known and published exploits make them accessible to script kiddies.
In addition, there is a new, highly critical Mac OS X vulnerability.

Details

The FBI is currently investigating the theft, and the publication on the
Full-Disclosure security mailing list, of a significant amount of what is
thought to be the proprietary IOS source code used in Cisco routers and
switches.

After a weekend of rumors, denials, and suspicions that the whole thing was
nothing more than a hoax, the IDG News Service reported on May 18, 2004, that
copies of the Cisco IOS source code had appeared on the Internet after
apparently having been stolen from a compromised Sun server on Cisco's
corporate network.

The amount of code exposed seems to have been as much as 800 megabytes, so it
is particularly difficult to determine quickly what vulnerabilities attackers
might find by going over that much code with a fine-tooth comb.

A post on the Russian security Web site www.securitylab.ru reports having seen
about 2.5 MB of the code, purportedly taken from version 12.3 of IOS.

ZDNet reports that what was actually stolen was some source code in the form
of two raw C source files, one dated 1996 and the other 2003.

The fact that very little of the supposedly stolen code has actually been seen
circulating in chat rooms or elsewhere may indicate that the claims are
exaggerated, but it could also mean that the code was taken by serious
attackers with a commercial or criminal motive, who would have no reason to
share it.

Risk level – Unknown

At this time there are far more questions than answers, which in some ways is
even worse than knowing exactly what was compromised, because administrators
can't judge the threat level. All they can do is watch their Cisco hardware
closely for suspicious activity: unexpected configuration changes, logins from
unfamiliar addresses, and traffic patterns the devices have never shown
before.
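One concrete form of "watching closely" is to snapshot each device's `show running-config` output on a schedule and diff it against a known-good baseline, escalating any change that touches authentication, management access, routing or logging. The script below is an added example written for this column, not Cisco code; the two configuration snapshots it diffs are constructed sample data for a hypothetical router, with placeholder hashes and documentation-range addresses.

```python
"""Config-drift check for Cisco IOS devices.

Added example for this column, not Cisco code: it diffs two captured copies
of `show running-config` and flags changes to security-relevant sections.
The two snapshots below are constructed sample data, not real device output.
"""
import difflib
import re

# Top-level IOS commands whose change should page someone, not just be logged.
SENSITIVE = re.compile(
    r"^(username|enable |aaa |snmp-server|ip route|access-list|ip access-list|"
    r"line (vty|con|aux)|logging|ntp|tacacs-server|radius-server|boot system|ip http)"
)
# Lines IOS rewrites on every save; ignoring them keeps the diff quiet.
VOLATILE = re.compile(r"^(!|Building configuration|Current configuration|ntp clock-period)")

def normalize(cfg):
    """Return [(section, line)] with noise dropped. IOS nests sub-commands by a
    leading space, so 'section' is the last unindented command seen."""
    out, section = [], ""
    for raw in cfg.splitlines():
        stripped = raw.strip()
        if not stripped or VOLATILE.match(stripped):
            continue
        line = raw.rstrip()
        if not line.startswith(" "):
            section = line
        out.append((section, line))
    return out

def is_sensitive(section):
    # "no ip http server" is just as interesting as "ip http server"
    return SENSITIVE.match(section.removeprefix("no ")) is not None

def config_drift(baseline, current):
    """Diff two running-configs; return added/removed lines and the subset
    that touched a sensitive section (including sub-commands under it)."""
    a, b = normalize(baseline), normalize(current)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(b[j1:j2])
    sensitive = [line for section, line in added + removed if is_sensitive(section)]
    return {
        "added": [line for _, line in added],
        "removed": [line for _, line in removed],
        "sensitive": sensitive,
    }

# Constructed snapshots (hypothetical device, placeholder hashes and addresses).
BASELINE_CFG = """\
Building configuration...
!
hostname edge-rtr-1
!
username admin privilege 15 secret 5 $1$abcd$placeholderhash
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
line vty 0 4
 transport input ssh
!
end
"""

CURRENT_CFG = """\
Building configuration...
!
hostname edge-rtr-1
!
username admin privilege 15 secret 5 $1$abcd$placeholderhash
username support privilege 15 secret 5 $1$wxyz$placeholderhash
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
ip http server
!
line vty 0 4
 transport input ssh telnet
!
end
"""

if __name__ == "__main__":
    report = config_drift(BASELINE_CFG, CURRENT_CFG)
    for key in ("added", "removed", "sensitive"):
        print(f"{key}:")
        for line in report[key]:
            print(f"  {line}")
```

Run against the constructed snapshots, the interface description change is reported but not escalated, while the new privileged user, the newly enabled HTTP server and the re-enabling of telnet on the VTY lines all land in the sensitive list because of the section they sit under. Pair a check like this with an integrity check of the IOS image itself (IOS can compute an MD5 of a flash image with `verify /md5`) so that a tampered image is caught even when the configuration is untouched.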

Final word

This Cisco code disclosure follows on the heels of Microsoft's source code
disclosure earlier this year, which sent a lot of administrators (not to
mention Microsoft) into a nervous fit. Although no serious exploits related to
vulnerabilities found in that Windows code have surfaced so far, the
possibility that something serious will develop remains.

There is an ongoing debate as to just how serious that breach was, but it
clearly wasn't a high point in Microsoft's security efforts.

Whether or not malicious people obtain copies of the stolen Cisco code and
manage to discover serious, widely exploitable vulnerabilities in it, the mere
fact that confidential source code has been disclosed must weigh heavily on
Cisco administrators until or unless it is proven, not just claimed, that this
doesn't constitute a serious security breach.

In the never-ending debate over open source versus proprietary software, one
thing is abundantly clear where security is concerned: once proprietary code is
exposed to attackers, it is in a worse position than open source software.
Attackers gain the ability to study the source for flaws, while the
administrators who run it still cannot examine it for themselves. One of the
security pillars proprietary software relies on is its very secrecy, and that
pillar is gone once the code leaks.


Also watch for …

  • Security firm eEye has reported a critical vulnerability in Apple's
    QuickTime software that can allow remote code execution. The problem was
    reported to Apple in February 2004, and a patch is now available.
  • Apple's Mac OS X operating system has yet another highly critical
    vulnerability in addition to the one covered in the May 17, 2004 Locksmith
    column. A Secunia report details the new, highly critical vulnerability and
    a second, slightly less dangerous one; both were initially reported to
    Apple by lixlpixel on February 23, 2004, and lixlpixel says Apple finally
    responded to the notification on May 20, 2004. The part that troubles many
    security experts is the way Apple keeps explaining away these
    vulnerabilities as far less serious than claimed, apparently not because of
    the vulnerabilities themselves but simply because no one appears to be
    attacking Macs. MacWorld UK recently reported a malicious attack in
    circulation that deletes a user's Home folder using some recently disclosed
    Mac OS X vulnerabilities; the attack is disguised as a Word 2004 demo.
    Apple criticized Intego, which discovered the Trojan technique this malware
    exploits, as overreacting, and is currently downplaying the danger by
    pointing out that the malware isn't technically a virus. That is small
    comfort to any Mac user whose Home folder has been wiped out.
  • SecurityFocus reports a denial-of-service vulnerability in Internet
    Explorer that is triggered when the window.createPopup() method is used to
    invoke an http-equiv meta tag. A simple proof of concept has been
    published.
  • SecurityTracker reports that an exploit has also been published for a
    threat to Outlook 2003 that bypasses the scripting restrictions that would
    normally protect the system, allowing a malicious e-mail message to execute
    arbitrary code when it is opened. There doesn't appear to be any workaround
    or other preventive step, other than not using Outlook 2003.
  • The new Lovegate worm uses a very tricky (probably unique) method to
    spread; certainly I've never run across this precise combination of
    propagation methods before. Lovegate replies to the unanswered e-mail
    sitting in your MAPI-compliant (that is, Outlook) mailbox. Klez also used an
    auto-responder but lacked Lovegate's mass-mailing feature, and Klez was
    around for a very long time. Auto-responder attacks are among the most
    persistent of threats, and the dangers posed by such a worm hardly need
    spelling out. They range from fueling massive spam campaigns by confirming
    that addresses are live, to posing as entirely legitimate replies: most of
    us can spot spam when it arrives as a reply to a subject line we never
    sent, but what about when it looks exactly like a legitimate response to a
    message we did send? InformationWeek has a report on this.
  • A Secunia advisory warns of a new privilege escalation vulnerability in
    Windows 2000 and Windows XP. The threat lies in desktop.ini files, which
    may contain CLSID references that point to arbitrary executables. As of the
    latest round of Microsoft security patches, this hadn't been fixed.
  • New worms, in particular Bobax and Kibuv, are exploiting known Windows
    vulnerabilities for which patches were already published in Microsoft
    Security Bulletin MS04-011. Both appear to be generating heavy traffic on
    TCP port 5000 (Windows Universal Plug and Play) and are trying to take
    over computers in order to send spam.
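The telltale sign of a Bobax- or Kibuv-style sweep in your own logs is not the volume of traffic on port 5000 by itself but the fan-out: one source touching dozens of distinct hosts on that port within a minute, which no legitimate client does. The detector below is an added example for this column, not code from any vendor or the worms' analysts. It reads simple connection records (timestamp, source, destination, destination port), keeps a sliding window per source and reports any source whose distinct-destination count on a watched port crosses a threshold. The port set and threshold are parameters, so the same code generalizes to any port a worm is known to sweep; the log it runs on is constructed, not captured traffic.

```python
"""Fan-out detector for worm scanning of TCP port 5000.

Added example for this column, not vendor code. It reads connection records
(timestamp src dst dport) and reports any source that reaches an unusual
number of distinct destinations on a watched port inside a sliding window,
which is what a Bobax/Kibuv-style sweep looks like and a normal client does
not. The log below is constructed, not captured traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def find_scanners(log_text, ports=frozenset({5000}), window=timedelta(seconds=60), fanout=10):
    """Return {src: peak_distinct_destinations} for sources whose fan-out on a
    watched port reached `fanout` within any `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if int(dport) in ports:
            events[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()   # dst -> hits currently inside the window
        lo, peak = 0, 0
        for t, dst in evs:
            in_window[dst] += 1
            # slide the left edge forward until every event is within `window` of t
            while evs[lo][0] < t - window:
                old = evs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= fanout:
            alerts[src] = peak
    return alerts

def constructed_log():
    """Build a small synthetic log: one infected host sweeping part of a /24
    on port 5000, one admin reconnecting to a single host on 5000, and one
    web client talking to many hosts on port 80 (not a watched port)."""
    base = datetime(2004, 5, 20, 10, 0, 0)
    lines = []
    for i in range(26):                       # sweep: two probes per second
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()} 10.1.4.22 10.1.4.{100 + i} 5000")
    for i in range(6):                        # benign: same server, port 5000
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 10.1.4.50 10.1.4.7 5000")
    for i in range(30):                       # benign: many hosts, port 80
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.1.4.60 10.1.4.{150 + i} 80")
    return "\n".join(lines)

if __name__ == "__main__":
    for src, n in find_scanners(constructed_log()).items():
        print(f"ALERT {src}: {n} distinct hosts on port 5000 inside 60s")
```

On the constructed log only the sweeping host is reported; the admin workstation that reconnects to one server six times never exceeds a fan-out of one, and the web client is ignored because port 80 is not in the watched set. Counting distinct destinations rather than raw connections is what keeps a chatty but legitimate client out of the alert list.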