Security vulnerability found in MS SQL Server 2000

The folks over at SEC Consult have found a vulnerability in Microsoft’s SQL Server 2000 that will allow a remote attacker to execute code on the server.

The problem appears to lie in the extended stored procedure sp_replwritetovarbin, which can be exploited by passing uninitialized variables as parameters.  Depending on the version of Windows that is running, this can trigger a memory write or even be used to execute arbitrary code in the process context of the running SQL Server.  It is worth noting that sp_replwritetovarbin is accessible to anyone by default, and hence can be exploited either by an authenticated user or via SQL injection through a vulnerable web application.

So far, this vulnerability has been confirmed on SQL Server 2000/2005, though not confirmed on SQL Server 2008.  According to SEC Consult, a release date for the patch remains uncertain despite the promise of a patch by Microsoft by September.  The recommendation is to remove the sp_replwritetovarbin extended stored procedure as a workaround.
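One way to apply that workaround on SQL Server 2000, as an added example here rather than code from the advisory: confirm the extended stored procedure is present, see who can execute it, drop it, and verify. It assumes sysadmin rights and that the instance does not depend on the replication features that call this procedure.

```sql
-- Added example (not from the SEC Consult advisory): check for and remove
-- the sp_replwritetovarbin extended stored procedure on SQL Server 2000.
-- Extended procedures live in master, so run this there as sysadmin.
USE master;
GO

-- 1. Is the extended stored procedure present? (xtype 'X' = extended proc)
SELECT name, crdate
FROM   sysobjects
WHERE  name = 'sp_replwritetovarbin' AND xtype = 'X';
GO

-- 2. Who may execute it? As the advisory notes, it is accessible to anyone
--    by default, which is what lets any login (or an injected query) reach it.
EXEC sp_helprotect 'sp_replwritetovarbin';
GO

-- 3. Workaround from the advisory: drop the extended stored procedure.
--    Assumption: this instance does not rely on replication features
--    that use sp_replwritetovarbin.
EXEC sp_dropextendedproc 'sp_replwritetovarbin';
GO

-- 4. Verify the removal: expect still_present = 0.
SELECT COUNT(*) AS still_present
FROM   sysobjects
WHERE  name = 'sp_replwritetovarbin' AND xtype = 'X';
GO
```

Re-run step 4 after applying the eventual Microsoft patch as well, since a service pack or repair install may recreate the procedure.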

You can read the Security Advisory here.

Scammers using Asterisk VoIP systems to make unauthorized calls

Criminals are taking advantage of older versions of Asterisk, some of which have a number of serious flaws, and exploiting them to make unauthorized outbound calls.  One such variant, called vishing, is to configure compromised Asterisk exchanges to receive follow-up calls to their phishing or spam emails.

In the scenario described by the U.S. Federal Bureau of Investigation (FBI), though, these scammers are using hacked systems to dial out to a list of predefined numbers and then play a pre-recorded MP3 or WAV file.

According to an advisory by the FBI:

The [vulnerabilities in Asterisk] can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.

The logical thing to do is to ensure that your Asterisk exchange, even if it is a hardware-based VoIP derivative, is updated to the latest version of Asterisk or firmware. In the meantime, Digium, the creators of Asterisk, have called the Fed warning a “tempest in a teapot”.

You can read more from Network World here.

Google goes native client

Google has whipped out a research project in order to allow x86 native code to run in the confines of a Web browser.  The idea is to allow online applications to take full advantage of the local CPU power for processing.

One possible application would be a photo-sharing Web site where users can touch up photos from a single interface.  In such a scenario, the ability to run native code on the desktop PC allows for a much more responsive application by minimizing remote data transfer and latency.  The obvious problem here is security, protecting users from malicious applications or sites, which Google’s research project attempts to resolve.

According to heise Security UK:

Native Client is composed of a browser plug-in and a GCC based compiler. The plug-in works with Firefox, Safari, Opera and Google Chrome. Linux, Mac OS X and Windows are all supported too, with only Internet Explorer being the exception.

You can read more about Native Client from this blog entry at the Google Code Blog.  Alternatively, you can download this white paper (pdf) which looks at the process in detail, highlighting topics such as how the sandbox is designed.

Why not just use Java or existing client-side engines? I have no idea. Do you think this concept will take off?

New vulnerabilities discovered right after Patch Tuesday

Earlier this week, Microsoft delivered the largest patch release in five years: 28 patches covering 8 reported vulnerabilities. Hot on its heels, however, came news of not one, or two, but three vulnerabilities that the Redmond-based company appeared to have missed.

One of them affects Internet Explorer 7 and involves exploiting an XML parsing component via a typical heap overflow.  What is important to note is that many sites, mainly hosted in China, are already actively exploiting this flaw.

According to SecurityProNews though:

Microsoft downplayed the threat saying they were “aware only of limited attacks that attempt to use this vulnerability,” but they were investigating. Until a fix is produced, the company recommends running Protected Mode in IE7 in Windows Vista, and the default high security level on Windows servers.

At the moment, the attack still requires some JavaScript in order to achieve code execution.  As such, disabling JavaScript could somewhat mitigate the risk.  Or maybe just switching to another browser makes more sense.

The second vulnerability involves MS SQL Server 2000, which we covered above; it appears to be the earlier-reported flaw that has yet to be fixed.  The final vulnerability has been reported to affect the WordPad Text Converter for Word 97.

Microsoft is currently still investigating.

Do you have any comments or feedback on the security news roundup this week?