
Security news roundup: FBI wants to police the Internet, vulnerability in Realtek HD driver

Category:  Internet Security

Here’s a collection of recent security vulnerabilities, alerts, and news, which covers vulnerabilities found in Foxit PDF Reader 2.2 for Windows, a privilege escalation vulnerability in the Realtek HD driver, a new Java update from Sun, and updates on attempts by the FBI to police the Internet.

    * Vulnerabilities in Foxit PDF Reader 2.2 for Windows

Vulnerabilities have been discovered in the Windows version of Foxit Reader, a popular and lightweight PDF reader. The problem was found in version 2.2 of the software.

The flaws were discovered by Javier Vicente Vallejo, and there are no known exploits for them at the moment. However, coding errors in the parsing of PDF files could allow attackers to execute harmful code via manipulated PDF files. Javier describes his analysis of the Foxit Reader flaws here and here.

It is not known if version 2.3 of the Foxit Reader, just released on the 24th April, resolves these security holes, or if versions of Foxit Reader for other platforms such as Linux and Windows Mobile are affected. I have written to Foxit Software on this and will report back on any updates here.

In the meantime, users of Foxit Reader 2.2 can opt to install Foxit Reader 2.3 first, and exercise discretion on opening PDF files from unknown sources.

Update: Foxit technical support has confirmed that Foxit Reader 2.3 resolves the issues mentioned.

    * Privilege escalation vulnerability in Realtek HD driver

Wintercore has reported that the audio codec bundled with the Realtek HD drivers is prone to a local privilege escalation.

This is due to insufficient validation of user-mode buffers, and could result in SYSTEM privileges being granted to authenticated users. More critically, it could result in arbitrary code being executed. Realtek says that the vulnerable code was intended only for the development phase, and shipped out erroneously with the release version.

You can read more about this flaw from the Wintercore advisory page here.

Updated high definition audio codecs are available from Realtek to plug the hole. Users of Realtek HD hardware are advised to install the update as soon as possible.

    * Sun quietly releases another Java update

Sun has quietly released update 6 for the version 1.6.0 Java runtime environment. It fixes at least one security vulnerability as well as a dozen other bugs.

According to heise Security:

    … the new version updates time zone information. Java WebStart also reportedly requires less memory. A problem in the crypto classes can be considered a security issue; memory leaks can occur when Kerberos authentication is used along with LoginContext, and a crash may be the result.

You can check out the release notes for more details. Download and install the current version of Java here. As usual, you will need to manually remove any older versions of Java you may have, either before, or after updating.

    * FBI wants to police the Internet

FBI Director Robert S. Mueller has expressed his opinion that ISPs should be required to retain customer records for a minimum of two years. He made his statements to a Congressional committee as part of a bigger agenda for the FBI to police the Internet, which ranks as the FBI’s third most important priority. Counterterrorism and counterintelligence are the first two.

Excerpt from CNET News.com:

    “From the perspective of an investigator, having that backlog of records would be tremendously important if someone comes up on your screen now,” Mueller said. “If those records are only kept 15 days or 30 days, you may lose the information you may need to bring that person to justice.”

However, the scope of such a mandatory data retention law remains fuzzy. At the extreme, it could mean that companies will have to retain data related to customer-assigned Internet addresses, or even records of sites visited from proxy servers.

Kate Dean, director of the U.S. Internet Service Provider Association, noted:

    Without specifics, it’s hard to know what Director Mueller is looking for from industry. The idea of data retention is complex, and Congress will need to examine many issues including which providers would be covered by a retention regime, for what period of time would those organizations be required to keep the data, does the policy idea fit with today’s and tomorrow’s technologies, and what are the effects on the consumer–what are the potential risks to subscriber privacy and security?

If data retention laws were indeed passed, the more immediate effect would likely be cost as ISPs grapple with the sheer volume of logs generated. On the other hand, it remains to be seen just how effective such legislation would be, given the ready availability of technologies such as Tor and anonymous proxies to thwart attempts at monitoring.


http://blogs.techrepublic.com.com/security/?p=449





 