Monthly Binary Analysis Update (March)

By Carsten Eiram

March is over with 20 binary analyses issued, and due to yet another busy month I'm again late in posting this blog.

When tallying up the number of issued binary analyses this month, I was surprised by how many interesting vulnerabilities had been analysed. You can't help but lose track of them given the very high number of vulnerabilities being processed every day.

Therefore, selecting two or three interesting analyses issued by the Secunia BA team has been quite difficult. So, instead of the usual rant about a few issues, I will do a lot of shorter rants on many of the issued analyses.

* Sun Java JRE Pack200 Decompression Vulnerability (SA34451)
* Sun Java GIF Image Decompression Vulnerability (SA34451 / CVE-2009-1098)
* Sun Java Web Start PNG Image Parsing Vulnerability (SA34451 / CVE-2009-1097)

Sun issued an update for Java, which fixed a lot of vulnerabilities. Of these, the Pack200 decompression, GIF image decompression, and PNG image parsing vulnerabilities were selected for further analysis (along with a font parsing vulnerability, but that one will be ignored here as it was released in April and thus counts as an April release).

I've seen some discussions on whether it's considered important to update to the latest Java version. We would strongly recommend it as many of the fixed vulnerabilities can be exploited to execute code on a user's system if left unpatched.

* Adobe Reader "getIcon()" Buffer Overflow (SA33901 / CVE-2009-0927)

A number of vulnerabilities were fixed in Adobe Reader in March. One of the really interesting ones was this vulnerability in the undocumented "Collab.getIcon()" method provided by the JavaScript API. Even though the binary was built with both "/GS" (stack cookies) and "/SAFESEH" (a table of registered exception handlers) to make exploitation harder, it was possible to bypass these protections and execute arbitrary code. It didn't take long before the vulnerability was being exploited in the wild…

* Adobe Acrobat/Reader JBIG2 Symbol Dictionary Buffer Overflow (SA33901 / CVE-2009-0193)
* Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability (SA34036 / CVE-2009-0191)

After the recent 0-day vulnerability in Adobe Acrobat/Reader, Secunia Research decided to take a closer look at the JBIG2 functionality, not only in both products from Adobe but also in products from other vendors. It turned out that a lot of vendors have flawed (vulnerable) implementations.

In March, Secunia Research published advisories for two JBIG2 vulnerabilities – one in Adobe Acrobat/Reader and another in Foxit Reader. In April, we published advisories about similar vulnerabilities in both Xpdf and Ghostscript. There may even be more on their way…

* Adobe Flash Player Invalid Object Reference Vulnerability (SA34012 / CVE-2009-0519)

While the Adobe Reader vulnerabilities received a lot of attention, this vulnerability actually slipped fairly silently below the radar. Since I already ranted about it in a previous blog, I won't go into more details here.

* HP OpenView NNM Language Buffer Overflow (SA34444 / CVE-2009-0921)
* HP OpenView NNM "OvOsLocale" Buffer Overflow (SA34444 / CVE-2009-0920)

New vulnerabilities were also reported in HP's OpenView Network Node Manager. Some might recall that Secunia Research reported a number (actually, this is a good occasion to use the word: "plethora", which is just not used enough) of vulnerabilities in the same product the previous month.

There was some fairly random speculation that some of these new vulnerabilities were either variants of the vulnerabilities previously reported by us, or even the same vulnerabilities, just not fixed. Actually, these issues are completely new and in no way related to the vulnerabilities previously reported by us, which were (properly) fixed by HP.

* Microsoft Windows Kernel Image Rendering Vulnerability (SA34117 / CVE-2009-0081)

Naturally, I can't wrap up March without mentioning the interesting vulnerabilities analysed in Microsoft products.

The first one is a vulnerability in the win32k.sys driver when rendering image contents. Image rendering functionality in general is one of the big pitfalls that has resulted in many (a plethora?) vulnerabilities in products over time.

Implementing image rendering in a kernel-mode driver is therefore particularly bad when it goes wrong: a bug that is exploitable for code execution hands over full control of the system. As Internet Explorer renders image content via the driver, this vulnerability can be exploited when a user simply visits a web page. Fortunately, the vulnerability currently seems quite challenging to exploit for code execution. However, a malicious web page can still cause the infamous BSOD (Blue Screen of Death) when viewed.

* Microsoft Windows SChannel Authentication Bypass (SA34215 / CVE-2009-0085)

The next Microsoft vulnerability is in the implementation of Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), which is handled in Schannel.DLL and used by applications and services that rely on Windows for SSL/TLS.

The vulnerability lies in the handling of client certificates: a malicious client holding only the public certificate of a legitimate user (e.g. a web or mail user) can bypass certificate-based authentication over SSL/TLS and authenticate as that user without possessing the corresponding private key.

* Microsoft Excel Invalid Object Reference Vulnerability (SA33954 / CVE-2009-0238)

The last vulnerability that I'm briefly going to mention is this 0-day vulnerability in Microsoft Office, where insufficient validation of string data can be exploited to reference an already freed object and execute code. The vulnerability is being actively exploited, but it should be noted that patches were released in April via MS09-009.

That's it for this month.

Stay secure,

Carsten Eiram,
Chief Security Specialist