A Week For Holes
Perhaps this week's column is best read in conjunction with last week's, in order to gain an understanding of what drives some people to release vulnerability reports, and the vitriol that tends to follow the publication of reports that affect software that people have formed a strong emotional attachment to.
The last several days have been busy as far as security vulnerability releases go, particularly in terms of Internet browsers, with the Mozilla family of browsers attracting some increased attention.
Even companies that release vulnerability patches have run into trouble in the last several days. Customised Linux vendor, Debian, announced to a security mailing list that it has been suffering bandwidth problems following the release of security updates for the XFree86 components of their Linux distribution. Due to the large size of the patches, and the number of files directly involved, the 100 Mb / s connection to the vendor's servers has been saturated by users who have rushed to patch their systems. In the security list message, Debian has advised that a new security infrastructure will soon be in place, which should help avoid similar situations in the future, and that users should expect some delays until the rush for patches subsides.
While the security vulnerabilities that the patches addressed were moderate, the admission of difficulties in providing patches to end users could provide hackers with an extended attack window.
The Mozilla browser family vulnerabilities which were first reported on in last week's column have been joined by several more. They include vulnerabilities which can provide a remote attacker an ability to gain complete control of a vulnerable system, through to standard denial of service and data theft attacks. Due to the flaws affecting the browsers across all platforms, it is expected that the exploits (when they are released) will only target one or two specific platforms, those which are deemed to be the most vulnerable (most likely Windows).
The flaws range from problems with URLs which have different encoding, through specific image handling issues, AJAX (Asynchronous JavaScript And XML) problems, and startup problems on specific platforms, amongst other issues. According to the software developers, the vulnerabilities are all fixed by upgrading to the latest version of the browsers (Firefox 1.0.7, Mozilla Suite 1.7.12).
Arguments about the relative strength of the competing browsers (Internet Explorer vs. all others) were only fueled by recent announcements from Symantec that accompanied their latest Internet Security Threat Report. Claims that alternative Internet browser security was worse than Internet Explorer's, and that Apple Macintosh users were living in a 'false paradise' were met by derision and disbelief from the non-Internet Explorer using community of users and developers. The claims by Symantec that the Open Source development model contributes to extended delays between vulnerability disclosure and patch release also drew sharp criticism from Open Source developers.
In addition to the claims of bias, those countering Symantec's comments claimed the methodology used to generate the reports was questionable at best, and that the comments reflected an apparent lack of business for Symantec in those areas (non Internet Explorer using systems, or non-Windows based systems).
Microsoft's Internet Explorer did not escape the week unscathed, with suspicion that the XMLHttpRequest attacks will extend to it, and light reporting beginning to surface of a potentially deadly flaw with the browser. As far as Internet Explorer users go, the good news is that the vulnerability doesn't appear to have been picked up on by most of the hacker community, but the bad news is that it re-introduces a major threat that was supposed to have been neutralised over several previous security updates. The issue in question has been confirmed by multiple independent sources, a number of whom have workable exploit code ready for release, but Microsoft remains tightlipped on the issue (and is expected to do so until they release a security patch, if at all).
While discussing the XMLHttpRequest vulnerabilities for the Mozilla browsers, and the suspected attacks against Internet Explorer, it is important to highlight that the issues being raised are due to fundamental flaws which affect nearly every implementation of XMLHttpRequest. The cornerstone of the current Internet buzz, AJAX, XMLHttpRequest was initially introduced by Microsoft, before being picked up by the competing browsers, and is an ActiveX (Internet Explorer) or core JavaScript functionality (other browsers) which is used to pass content to and from a web page, without the need to reload the page completely. Current online tools which use this approach, and are very popular, include Google Maps, and Google Suggest.
Vulnerabilities which affect this AJAX component include referer spoofing (which allows for unmetered content grabs, and for complete man-in-the-middle attacks on the client), HTTP Request Smuggling, Response Splitting and cache poisoning attacks (which gets malicious content past filtering applications, and affects the online activity of the user). While some of the vulnerabilities are new, some of the others have been referred to in the past by other security researchers, and have been mentioned in concerns about AJAX security.
In a departure from the normal response to announced vulnerabilities, there has been cautious optimism to the announcement of a buffer overflow in the version 2.0 firmware for the PlayStation Portable. Affecting the photo viewer, the buffer overflow can only be used at this stage to modify the appearance of some menus. The reason why it is being approached with cautious optimism is that it might be the entry point which allows users to run their own code on PSPs with that version of firmware. In the absence of a Software Development Kit (SDK), it is vulnerabilities in the standard software which allows users to gain access to develop and run their own code. It is also the first step towards discovering where the cheats and modifiable codes are for games that run on the platform.
Sometimes it is the odd differences to expected results that indicates the presence of vulnerabilities. Over the last couple of weeks there have been occasional reports of Google searches returning odd sponsored results and advertising. The initially scattered reports were dismissed as being localised caching problems, user error in reporting, or as nothing serious. Further investigation showed that it was actually due to a new piece of malware, dubbed P2Load-A.
Designed to target Google searches, the malware achieves the redirection by modifying the local HOSTS file (like a local telephone book which links website names with IP numbers), and also the user's homepage (which is probably its biggest flaw). The hacker Google equivalent supports the 17 languages that Google does, and even catches some mistyped requests (such as wwwgoogle.com), which makes it difficult to pick up from visual identification (and it will also pass most antispyware / antiphishing toolbars). Spreading through various P2P applications, the worm passes itself off as a copy of 'Knights of the Old Republic 2', a recent PC game. When executed, it claims that it is missing some files, and needs to download them. By this stage the victim is infected.
The rationale behind the worm is expected to be completely financial.
Finally, for credit card holders who may have been affected by the 40 million credit card breach at CardSystems recently, there has been an interesting turn in the class action suit which has been brought against CardSystems, VISA and MasterCard which is claiming that the companies neglected their responsibilities under Californian law (SB 1386) to notify Californian residents of a breach in their online financial and identity data. The San Franciscan Judge sitting on the case has disagreed with the class action, passing down a ruling which effectively permits credit card companies (and third party processors) to withhold disclosure of identity theft cases that affect their customers. The judge felt that there was no 'emergency', and that he '... [didn't] think that there is any immediate threat of irreparable injury'. This is likely to be cold comfort to almost a quarter of a million consumers whose credit card details were directly stolen in the CardSystems breach.
26 September 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.