[ISN] Holes found in IBM's PC support control

InfoSec News isn at c4i.org
Wed Jun 23 07:00:26 EDT 2004


http://www.computerweekly.com/articles/article.asp?liArticleID=131444

Matthew Broersma 
Techworld.com
22 June 2004 
 
Hackers could use two of IBM's ActiveX controls designed for automated
PC support to attack PCs through the Internet Explorer browser,
according to security firm eEye Digital Security.

The company found flaws in the eGatherer 2.0.0.16 and acpRunner
1.2.5.0 ActiveX controls - the first of which is installed by default
on many IBM PCs - that could allow attackers to write malicious files
anywhere on a computer's hard disc via a special web page.

Because the controls are signed by IBM, users who agree to "trust" IBM
components could be compromised, eEye said. The company published
example exploits for both controls.

Also last week, Linux suppliers began patching several new, but less
serious holes in the 2.6 and 2.4 kernels and in the Gentoo and Debian
distributions.

The controls are simply badly designed, according to eEye, making
available unsafe methods of accessing a user's PC.

"ActiveX is a very profound web technology. As a profound web
technology it may be abused," wrote eEye in its advisory. "Designers
might create an ActiveX which could perform any function on a user's
computer. The responsibility rests with the creator of the ActiveX, as
in any trust model."

IBM has released a fix for the problem on its website. Security tools
such as eEye's Retina Network Security Scanner are also capable of
protecting PCs.

The hole is similar in some ways to two linked flaws in Internet
Explorer publicised earlier this month. Those flaws also allowed a
malicious web page to write files onto a user's hard drive without
being detected. In that case, the bug was already being exploited by
web pages in order to place spyware on users' PCs. The earlier exploit
also made use of a "help" file.

Because Internet Explorer and its connected technologies thoroughly
dominate the web browser market, attackers tend to focus their efforts
on the software, said industry analysts.

This situation makes a convincing case for businesses to switch to
another browser, such as Mozilla or Opera, according to some security
experts.

Linux suppliers Red Hat and Trustix said they had discovered
vulnerabilities in several drivers in the Linux 2.6 kernel, allowing
local users to elevate their privileges or gain access to the kernel
memory.

The bugs, affecting the aironet, asus_acpi, decnet, mpu401, msnd, and
pss drivers, were discovered through a review of the 2.6 kernel source
code, but some of them also affect the 2.4 kernel, Trustix said.

Gentoo Linux reported a bug in a popular spell-checking program called
aspell, affecting versions up to 0.50.5-r1, which could allow a
malicious user to execute the code of their choice on the system.

The most recent version of the package corrects the problem. Security
firm Secunia said the bug could be used to execute malicious code
remotely, with the privileges of the user, but would require extensive
social engineering.

Debian released patches for the components rlpr, www-sql, sup and
super, fixing bugs which could allow certain local users to elevate
privileges or compromise a system.

 


