A new Windows vulnerability threat has surfaced in the
Remote Desktop Protocol (RDP), for which Redmond is purportedly working on a
patch, and two new Internet Explorer vulnerabilities have also emerged.
Meanwhile, a slew of Oracle threats have reportedly been out there for months,
and they continue to remain unpatched.

Details

A new Windows vulnerability has surfaced, which Microsoft
has verified but not yet patched (as of July 22, 2005). A defect in RDP
can result in a denial of service event. However, no data loss or compromise
appears to be possible, so the flaw isn’t critical.

RDP is a protocol that permits remote access to all of a
computer’s data and applications via a virtual connection. So, while RDP has
the potential to allow great damage to a system, this particular vulnerability
doesn’t expose systems to any such takeover threat.

Nevertheless, the threat is serious enough that Microsoft
has announced that the company is working on a patch for release with its
regularly scheduled August security bulletin (currently the second Tuesday of the
month). For the latest details on this threat, check out Microsoft Security
Advisory 904797 and Secunia Advisory 16071.

Another new Windows threat has emerged that relates to the way Internet
Explorer 6 displays JPEG images. One flaw is a remote code execution threat,
and a second is a denial of service vulnerability. Both flaws are remotely
exploitable boundary condition error vulnerabilities, and they affect Internet
Explorer 6 Service Pack 2 (and possibly earlier versions as well).

Finally, News.com reports that the popular Oracle database
software contains a growing number of unpatched and serious vulnerabilities.
According to one security researcher, Oracle has known about some of these
flaws for two years and hasn’t taken steps to patch them.

The researcher, Alex Kornbrust, is an employee of Red Database Security,
which has published a laundry list of known but unpatched vulnerabilities in
Oracle products. Kornbrust said he reported the vulnerabilities to Oracle about
two years ago and recently warned the software maker that he would publish
details about the flaws if the company didn’t address them in its quarterly
July patch release. He did just that on July 19.

According to an Oracle-specific security company, PeteFinnigan.com Limited, literally
hundreds of known and unpatched Oracle vulnerabilities are out there. It can be
very frustrating trying to determine which fixes Oracle has and hasn’t made to
its software—especially since the vendor seems to include a lot of bug fixes
without bothering to mention them. If you’re currently using workarounds to
protect Oracle systems, check out this Red Database Security report for details
on the latest patched—but not forgotten—bugs that Oracle actually fixed in its
July security update.

Applicability

Windows XP Media Center Edition is the only operating system
that enables RDP features by default. Therefore, this version is particularly
vulnerable. However, many business environments use this platform and enable
RDP.

Terminal Services in Windows 2000 and Windows Server 2003
also use RDP, as does the Remote Desktop Sharing feature in Windows XP.
However, the system is only vulnerable if you enable these services.

The threat also affects Windows XP Home Edition. But this
only applies when a Remote Assistance request is pending and the system is
waiting for a response on the vulnerable port.

In addition, RDP is available in the following systems: Windows
2000 Service Pack 4, all versions of Windows XP (including SP2 and 64-bit
editions), and all versions of Windows Server 2003 (including Itanium editions).
Check to see if someone has enabled the protocol in these systems. Keep in mind
that Microsoft doesn’t support earlier Windows versions for this level of
threat, but they may be vulnerable in some circumstances.

Risk level – High

The RDP threat is a denial of service threat, and the risk
level is high. While there are no signs that anyone is actively exploiting the
vulnerability yet, details of the threat are now available online, and future
attacks are certainly possible. I’ve run across some online reports about
increased RDP port scans in the past few days, but I was unable to verify them.

Mitigating factors

Again, only one Windows version enables RDP by default
(Windows XP Media Center Edition). Since most versions don’t have this feature
enabled, the overall threat is lessened. In addition, closing TCP port 3389,
the port used by RDP, will also protect systems.

Fix

Of course, you need to apply the patch when it becomes available,
which will likely be August. In the meantime, recommended workarounds include
closing the aforementioned TCP port 3389 at the firewall, disabling Terminal
Services and the Remote Desktop feature if not actually necessary, and using a
secure VPN connection in situations where RDP is necessary.
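As an added example (not part of the original column), the following Python script triages Windows Firewall log lines, in the pfirewall.log W3C field order, for the two things the Risk level and Fix sections raise: a source sweeping TCP port 3389 across several hosts, and any inbound 3389 connection the firewall did not drop, which means the port-3389 workaround is not actually in effect on that host. The log records are constructed samples, and any non-DROP action is treated as accepted.

```python
from collections import defaultdict

RDP_PORT = "3389"

# Constructed sample records in pfirewall.log field order (see the #Fields line):
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-07-22 09:01:02 DROP TCP 198.51.100.7 192.0.2.10 4021 3389 48 S 1 0 16384 - - - RECEIVE
2005-07-22 09:01:02 DROP TCP 198.51.100.7 192.0.2.11 4022 3389 48 S 2 0 16384 - - - RECEIVE
2005-07-22 09:01:03 DROP TCP 198.51.100.7 192.0.2.12 4023 3389 48 S 3 0 16384 - - - RECEIVE
2005-07-22 09:05:10 OPEN TCP 192.0.2.10 203.0.113.5 1040 80 - - - - - - - - SEND
2005-07-22 09:07:44 DROP TCP 198.51.100.9 192.0.2.10 5555 3389 48 S 9 0 16384 - - - RECEIVE
2005-07-22 09:09:00 OPEN TCP 203.0.113.5 192.0.2.10 6000 3389 - - - - - - - - RECEIVE
"""


def parse_line(line):
    """Split one log record into the fields we need; None for comments/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    return {"action": f[2], "proto": f[3], "src": f[4], "dst": f[5], "dport": f[7]}


def rdp_triage(log_text, scan_threshold=3):
    """Return (scanners, accepted): scanners maps a source to the number of distinct
    hosts it probed on TCP/3389 that were dropped (only if >= scan_threshold, the
    sweep pattern); accepted lists (src, dst) for TCP/3389 records NOT dropped."""
    probed = defaultdict(set)
    accepted = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != RDP_PORT:
            continue
        if rec["action"] == "DROP":
            probed[rec["src"]].add(rec["dst"])
        else:
            accepted.append((rec["src"], rec["dst"]))
    scanners = {src: len(hosts) for src, hosts in probed.items()
                if len(hosts) >= scan_threshold}
    return scanners, accepted


if __name__ == "__main__":
    scanners, accepted = rdp_triage(SAMPLE_LOG)
    for src, n in scanners.items():
        print(f"possible RDP sweep from {src}: {n} hosts probed on TCP/3389")
    for src, dst in accepted:
        print(f"TCP/3389 still reachable: {src} -> {dst}")
```

Point it at a real pfirewall.log by reading the file into `rdp_triage`; the threshold is deliberately low because three hosts probed on 3389 in one sweep is already unusual for a workstation subnet.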

Final word

For those who love to bash Microsoft about slow patching, I’ll
only point out that Oracle users have suffered much longer—dealing with only
quarterly updates and unpatched holes in the database for years. Even worse,
the company doesn’t announce when it actually does fix something, leaving users
completely in the dark about whether a vulnerability still exists after a
security upgrade. Actually testing for the vulnerability or relying on one of
the Oracle-specific security firms is the only real way to tell.

According to Red Database Security’s list, the current
champion in the unpatched vulnerability sweepstakes is a group of
cross-site-scripting vulnerabilities, which have remained unpatched for more
than 720 days. At least seven other threats also remain unpatched after more
than 600 days. Keep an eye out for these threats: Red Database Security has vowed
to publish exploits that are still out there more than 650 days after notifying
Oracle, and it recently began doing so.

Of course, Red Database Security is also promoting its own
Oracle security services, but I guess the company figures enough is enough, and
I tend to agree with them. While I typically don’t condone publishing
vulnerability or exploit information before giving a vendor the opportunity to
fix the problem, two years is rather excessive—especially for something as
critical as a database.

And remember: Just because this reputable security firm
discovered these Oracle holes and kept its mouth shut for a long time doesn’t mean hackers haven’t
discovered some or all of the same holes and are quietly exploiting them to
mine users’ data vaults for fun and profit.


Also watch for …

  • If you recently experienced trouble accessing the Spread Firefox Web
    site, it might be because hackers, who wanted in on the browser’s success,
    brought down the site. This problem was reportedly due to the Drupal
    content management software used to maintain the site and had nothing to
    do with Firefox or Mozilla software.
  • And that’s a good thing, because Firefox has yet more problems of its own,
    starting with the release of version 1.0.5 and a new version of the
    Thunderbird e-mail software, which patched vulnerabilities but also blocked
    some third-party extensions. Even if you downloaded 1.0.5 after the July 12
    release date, it’s time to run out and get Firefox and Thunderbird 1.0.6,
    along with Mozilla Suite 1.7.10. In fact, the bug fixes are coming so fast
    that, when I checked the site to verify the situation, one page touted
    Firefox release 1.0.6, but several security pages still listed 1.0.5 as the
    latest version. So I recommend beginning your update checks with the main
    site’s home page. By the way, Red Hat, Fedora, and other vendors have also
    released updates to fix Firefox, Mozilla, and/or Thunderbird problems.
  • According to the LSS security team, there’s a newly reported and highly
    critical buffer overrun vulnerability in NullSoft’s Winamp 5.x media
    player—specifically, versions prior to Winamp 5.094. Exploitation can
    result in complete system compromise, including remote code execution.
  • Finally, Microsoft announced last week that it has dubbed the next version
    of its Windows operating system Windows Vista—formerly code-named
    Longhorn—which the software giant plans to release in beta sometime next
    month.

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.