Bad software is not Free
Real Player has a fairly severe security hole. Sigh. It seems there is no such thing as ‘free’ software any longer. While you may not pay for it with cash or credit cards, it’s not really free if you pay for it through Spyware or security holes.
I was in the process of registering for Rich Mogull’s eSeminar, presented by Ziff Davis and sponsored by Oracle, on the 25th of this month. Once I signed up I needed to verify that my system met the minimum requirements. I ran the diagnostic, and I met all but one of the system requirements: Real Player needed to be installed. Argh!
My bias against installing applications like Quicktime, Real Player, AOL Instant Messenger, anything Yahoo, or most of the other ‘free’ tools is not just because I don’t trust them. I don’t. My main reason is that they have zero respect for me or my machine. I want one specific function … ONE … and I get (what seems like) 50 that I don’t want. I don’t want these other ‘features’ installed, don’t want them automatically turned on, don’t want them resident in memory, don’t want them scanning my machine for software and versions, don’t want them communicating with other software or servers, don’t want them attempting to update themselves, don’t want them installing into the start menu, don’t want them updating the MS registry, and don’t want them automatically popping up services and ‘news’ items about Soulja Boy’s baby or Britney Spears’ latest stupidity.
So I installed it … clearly because I am a moron, and also because I have some business needs that require Real Player, like this and other e-Seminars. An easy install, but sure enough, it was flagged by AVG and SpyHunter because some of the DLLs are considered Spyware. I quarantined them, and I hope that there is nothing else I need to worry about and that the application still functions now that I have disabled some of the DLLs.
Worry got the better of me and I started searching the web for what other vulnerabilities or Spyware are present. I did not get far. A quick Google search revealed this: http://isc.sans.org/diary.html?storyid=3810. So it opens up a hole on the machine.
OK, fine. Are there known exploits? In fact there are, as documented here: http://isc.sans.org/diary.html?date=2008-01-04. It is a pretty well executed SQL injection attack, with some well done obfuscation of the code itself, making it harder for the average person to detect. In a nutshell, the SQL statement queries the sysobjects table looking for all user tables, and recursively scans all of the table references it finds. For every varchar column in the tables found, the program appends a small piece of code. I was not curious enough to find out what that code does. I do not believe the injection attack is smart enough to auto-alter itself depending upon the type of database present (this one looks for SQL Server), but I am sure that enhancement will be in the next release of the attack.
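The same catalog walk can be turned around for cleanup. The T-SQL below is an added example (not code from the post or from the attack it describes): it enumerates every varchar column of every user table through the sysobjects/syscolumns views and counts rows containing a suspicious fragment, so injected content can be located. It assumes SQL Server, and the `@marker` pattern is a placeholder to be set to whatever fragment the injected rows actually carry.

```sql
-- Defender-side audit: find which varchar columns carry injected content.
SET NOCOUNT ON;

-- ASSUMPTION: placeholder pattern; replace with the fragment seen in your rows.
DECLARE @marker NVARCHAR(100);
SET @marker = N'%<script%';

DECLARE @schema SYSNAME, @table SYSNAME, @column SYSNAME;
DECLARE @sql NVARCHAR(MAX), @hits INT;
DECLARE @findings TABLE (SchemaName SYSNAME, TableName SYSNAME,
                         ColumnName SYSNAME, RowsMatching INT);

-- xtype 'U' = user tables; TYPE_NAME resolves each column's base type.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT OBJECT_SCHEMA_NAME(o.id), o.name, c.name
    FROM sysobjects AS o
    JOIN syscolumns AS c ON c.id = o.id
    WHERE o.xtype = 'U'
      AND TYPE_NAME(c.xtype) IN ('varchar', 'nvarchar');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers go through QUOTENAME and the pattern is a bound parameter,
    -- so the audit script is not itself an injection point.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.'
             + QUOTENAME(@table) + N' WHERE ' + QUOTENAME(@column) + N' LIKE @m';
    EXEC sp_executesql @sql, N'@m NVARCHAR(100), @n INT OUTPUT',
                       @m = @marker, @n = @hits OUTPUT;

    IF @hits > 0
        INSERT INTO @findings VALUES (@schema, @table, @column, @hits);

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;

-- One row per affected column; review before cleaning anything.
SELECT SchemaName, TableName, ColumnName, RowsMatching
FROM @findings
ORDER BY RowsMatching DESC;
```

Run it in the affected database with a login that has SELECT on the user tables; the per-column counts tell you where the appended code landed.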
OK, is there a patch? Not that I can find. CVE-2007-5601 talks about a buffer overflow attack, but the arbitrary code execution in this attack does not appear to rely on a buffer overflow to initiate. My guess is that the author of the first blog post is correct and there is no patch available. I uninstalled it and selected an older version, as I figured the Spyware was not as evolved in the older versions. Sure, it may have vulnerabilities as well, but I needed to pick my threat model, so I picked the unknown threat instead of the known threat.
It’s ironic that I want to watch a database security presentation, and I need to introduce a vulnerability onto my computer to do so, one with known exploits and no patches at this time. Yippee.
Comment from on January 11, 2008 3:22:49 PM PST
I sort of understand how SQL injection attacks gain database access. What I don't understand is how they insert code into the database. How do they get dba-level access?