Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

The danger you face if you don’t patch your systems – there is more to this than just Microsoft software

November 30th 2006 in Uncategorized

I subscribe to a well known patch management listserv where various system administrators and savvy computer users share experiences and problems particular to patch management. The list covers not just Microsoft software, but many other software providers.


A recent email to the list highlights the fact that danger can lurk in any software on your system, not just Microsoft software, and shows what we all face if we don’t have a system in place to check for updates for all of our software.


The email said, in part:


“While we attempted to patch all our Symantec AV installations since the SAV 10 vulnerability was announced, we did not reach 100% coverage. Yesterday we began seeing numerous (30 in a 24 hour period) stations compromised with W32.Spybot.ACYR, which is an exploit of SYM06-010 – Symantec Client Security and Symantec AntiVirus Elevation of Privilege (Symantec) Remote Stack Buffer Overflow Vulnerability.”


What is the SYM06-010 vulnerability?
http://www.symantec.com/avcenter/security/Content/2006.05.25.html


“A stack overflow in Symantec Client Security and Symantec AntiVirus Corporate Edition could potentially allow a remote or local attacker to execute code on the affected machine.”


What is W32.Spybot.ACYR?
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-112810-5302-99&tabid=2


What does W32.Spybot.ACYR do?
It allows attackers to copy or delete files, download files, show status, show IP address, portscan the network for vulnerable computers, scan vulnerabilities, start ftpd, start Internet Explorer, end processes, stop other worms, stop security-related services, list processes and use a network sniffer.


What does this tell us?
W32.Spybot.ACYR is just one example of malware that uses multiple vulnerabilities in different software products to spread. It is not enough to use Windows Update, Microsoft Update, WSUS, SUS, SMS etc. – those only cover Microsoft products.


What other high profile software may be a problem on my system?
My personal opinion is that Sun Java should be top of that list. Why? Putting aside the fact that each version of Sun Java takes up over 100 megabytes of hard drive space, the Sun Java updater does not remove old, vulnerable versions of its products. Until version 5.0 Update 6, hostile software was able to easily bypass newer, safer versions of Sun Java and use old, dangerous versions to infect computers with malware, spyware and adware – information about the change in behaviour can be found here:
http://msmvps.com/blogs/spywaresucks/archive/2006/08/26/109768.aspx


Anyway, Sun Java’s excuse for not removing old versions of their product during updates has been that there are some programmes that will only work with a particular (vulnerable) version of Sun Java, therefore they leave all versions of a product on your system, just in case.


I strongly recommend that you uninstall all old versions of Sun Java unless you have a particular programme that will only work with an old version of Java (a situation which is more likely to affect a corporate user with a specialised LOB application, not the casual home user surfing the net and therefore in the most danger of being attacked by malware).
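Because the updater leaves superseded runtimes behind, the first step is finding out how many are actually installed. The following PowerShell script is an added example, not part of the original post: it reads the Windows uninstall database, lists every Java runtime entry it finds, and flags each one that is older than the newest installed version. The display-name pattern used to recognise Java entries is an assumption about how Sun/Oracle label their installers; per-user (HKCU) installs are not checked.

```powershell
# Added example (not from the original post): inventory installed Java runtimes
# and flag old versions that an update left behind. Assumes JRE/JDK entries have
# DisplayNames beginning with "Java" or "J2SE" (e.g. "Java(TM) 6 Update 45",
# "J2SE Runtime Environment 5.0 Update 6"); the "Java Auto Updater" helper is skipped.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit apps on 64-bit Windows
)

$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match '^(Java|J2SE)' -and
        $_.DisplayName -notmatch 'Auto Updater' -and
        $_.DisplayVersion
    } |
    ForEach-Object {
        # Parse the version so entries sort numerically ("1.5.0.60" before "1.6.0.450").
        $parsed = $null
        if ([Version]::TryParse($_.DisplayVersion, [ref]$parsed)) {
            [pscustomobject]@{
                Name            = $_.DisplayName
                Version         = $parsed
                UninstallString = $_.UninstallString
            }
        }
    } |
    Sort-Object Version -Descending

if (-not $javaEntries) {
    Write-Output 'No Java runtime entries found in the uninstall database.'
    return
}

# Everything older than the newest installed runtime is a leftover the updater did not remove.
$newest = $javaEntries[0].Version
foreach ($entry in $javaEntries) {
    $status = if ($entry.Version -lt $newest) { 'SUPERSEDED - consider uninstalling' } else { 'current' }
    Write-Output ('{0,-50} {1,-14} {2}' -f $entry.Name, $entry.Version, $status)
}

# Print the vendor-registered uninstall commands for the superseded entries so an
# administrator can review them before removing anything (nothing is run here).
$javaEntries | Where-Object { $_.Version -lt $newest } |
    ForEach-Object { Write-Output ("  remove with: " + $_.UninstallString) }
```

Check the report against any line-of-business application that is pinned to a specific runtime before removing it; the script only reports and never uninstalls on its own.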


Another example of potential danger not affecting Microsoft products?  How about Adobe Reader / Acrobat:
http://www.adobe.com/support/security/advisories/apsa06-02.html


If you want to check which of your software may have a vulnerability that you don’t know about, try searching Secunia’s database – this link will allow you to search by product name:
http://secunia.com/product/


You can also search by vendor name:
http://secunia.com/vendor/


Remember, update all of your software – don’t depend just on Microsoft Update and Windows Update to keep you as safe as possible.

