This week's security events includes news that the DNS patch released by Apple is flawed, a warning about the ease with which eavesdroppers can listen in to most wireless phone conversations, critical holes discovered in K9 Web Protection, and a DOS vulnerability in F-PROT's virus scanner.
Apple's DNS patch flawedThe DNS patch that was finally rolled out by Apple to fix the much-publicized Domain Name Server (DNS) security flaw appears to be flawed. Security Update 2008-005 were, along with other fixes, supposed to eliminate the vulnerability of recursive name servers to the threat of cache poisoning. However, several security researchers says late last Friday that Apple's DNS patch doesn't actually fix the problem. The introduction of port randomization on the source port to help block poisoning attacks did not appear to be working. As such, Mac users are still at risk.
Security researcher Andrew Storms noted on his blog:
Did Apple forget to patch something? By the look of things, the DNS client on the OSX 10.4.11 distribution still has not been patched.
For additional reading, you can check out Ryan Naraine over at ZDNet's Zero Day blog where he compares the result of tests with a patched OS X system compared versus a FreeBSD 6.3 one.
Are eavesdroppers tuning in to your conversations?
I came across this article over at InformationWeek warning against a lesser known danger in the form of proprietary wireless systems that one can find proliferating in the form of wireless phones and audio systems used in conference rooms. The issue is that they are often not encrypted, and with the right equipment, they offer ample opportunity to listen in.
In fact, it appears that many audio systems incorporating wireless stations simply broadcast any detected conversations in the room at 450 or 900 MHz — regardless of whether the unit is activated to perform recording or in an actual conference call.
Passive radio eavesdropping is a low-budget, relatively safe way for potential attackers to scout out targets. Anyone in your organization using a wireless headset or cord-less phone is potentially broadcasting sensitive material. All an attacker needs is a scanner set to the right frequency range and some patience. We tested this exploit with a cordless phone, but any analog wireless device can be monitored with consumer-grade scanners.Digital Enhanced Cordless Telephony (DECT) phones may provide additional protection by performing authentication as well as encryption of data sent between base station and the cordless phone. It might be worth noting that the details pertaining to DECT authentication and encryption are only made known to equipment manufacturers upon their agreement not to disclose its inner workings. In short, DECT is shielded by means of security by obscurity rather than having actually been independently proven by parties not having a vested interest.
I probably won't be very surprised here if government agencies or more nefarious parties already have the means with which to crack it.
Highly critical vulnerabilities in K9 Web Protection prompts advice to uninstall
Secunia Research has discovered a couple of vulnerabilities rated as "highly critical" in its free K9 Web Protection Internet filtering software by Blue Coat. Buffer overflow errors in the filter service (k9filter.exe) can be exploited by malicious parties to compromise an affected system.
The issue affects version 188.8.131.52 with filter version 3.2.32 and will only be fixed in a new version 4.1.x not due for release until September 2008. The vendor is reportedly working on a fix, but in the absence of an effective workaround currently, the company has issued the unusual advice of uninstalling its product in the interim.
Note that a beta version of 4.1.x will be available starting 8 August 2008, which should not have the flaw.
You can read the security advisory from Blue Coat here.
DOS vulnerability in F-PROT
It appears that manipulated ZIP archives can trigger a DOS vulnerability in F-PROT's virus scanner.
An error in the engine is reported to overload the CPU when certain archives are scanned, causing the system to become sluggish or even cease to respond. The error is said to occur in the Linux version 184.108.40.20652 with engine version 220.127.116.11, and in the Windows version 18.104.22.168 with engine version 4.4.4.
This problem should be of particular concern for system administrators who employ any of F-PROT antivirus technology — F-PROT does have a number of enterprise antivirus products which presumably uses the same scanning engine.
Read the full disclosure by Knud Erik Højgaard, who reported the error.