Tag Archives: Vulnerability

A Patch in Time?

Further to my earlier post about what I felt was Symantec’s somewhat tardy and insubstantial public response to the discovery of a serious vulnerability in its own Antivirus software, I don’t feel much more at ease after an email exchange with their PR folk. First off, Symantec has, by midday in the Asian day, come up with a fix which can be downloaded here.  “Symantec product and security teams,” the media statement says, “have worked around the clock since being notified of this issue to ensure its customers have the best protection available.”

That’s good. And quick. But not, I fear, good enough in PR terms. Why has Symantec worked around the clock to find a solution but not made the same effort to let interested people know of the problem in the first place? There’s been no press release on the web site, for example, only a media statement emailed to those journalists who enquire. When I asked Symantec’s PR about this. and requesting a comment to my original post, all I got was a copy of the media statement and a link to the original security advisory. So I where I could find the “media statement” online, where customers, readers, users and the media could find it? Their response: “Symantec posts security advisories [here]. Please contact Symantec Public Relations for any information you need.”

Sorry, but I don’t think this is sufficient. Security advisories are for specialists. This is not a specialist problem. It’s a vulnerability that affects everyone who uses the software, and people need to know about it. (A Google search throws up more than 130 stories on the topic.) Symantec, I feel, needs to be upfront about the problem and blanket everyone with information, not bury it. Symantec occupies a hallowed position in the Internet world, since journalists, users and others turn to it for supposedly objective views on the state of Internet security. Symantec makes the most of this position, straddling telling us about the problem and selling us the solution for it.

Perhaps I’m overstating things here, but I feel Symantec has let us down. I need to know that if I’m entrusting Symantec with defending my valuable data and office network, it’s going to tell me if there’s a problem with that defence. It’s no good hiding, as Symantec PR does in its response to my email that “There are no exploits of this vulnerability. Symantec strongly recommends customers to follow best practices and apply the patches as soon as they become available from Symantec.” First off, there are no known exploits. I don’t see how Symantec can be 100% sure of this. One has to assume that if there’s a hole in your defensive wall, someone is going to see it. Especially if it’s been publicised. Now the world has known there is a problem with Symantec’s software since Thursday. It’s now Monday. I’m assuming the bad guys too read these websites and news agencies.

So while the argument that you should throw all your effort into plugging the hole and then telling your customers you’ve built a plug might work if the vulnerability wasn’t publicised, this wasn’t the case. It was splashed all over the shop. Symantec’s position on this process is “that we are responsible for disclosing product vulnerabilities to our customers, but in general, no vulnerability should be announced until we have developed and thoroughly tested a patch and made it available to licensed customers.” (For a list of all Symantec product vulnerabilities, look here.) This clearly wasn’t going to happen here, because the vulnerability was already made public, for better or worse. And the process of “disclosing product vulnerabilities to our customers” seems to be somewhat weak here; if the vulnerability is an obscure one, perhaps an advisory might work. But more people than just a sysadmin needed to know what was happening and yet no one, unless they really looked on Symantec’s site, was any the wiser. Still aren’t, actually, since no press release is available.

Some lessons in here. Sometimes just keeping readers, journalists, bloggers, customers in the loop helps, even when it’s bad news.

Snake Oil? Public Service? KMGI Responds

Yesterday I wrote about the odd press release from the Internet Security Foundation and the apparent conflict of interest between a foundation pointing out flaws in software (in this case, Windows) while at the same time promoting its own related software.

Today I received a response from the founder of the company that registered the site, Alex Konanykhin of KMGI. Konanykhin may be familiar to some readers as the Russian entrepreneur and former banker who fled his homeland and has since faced a long legal battle in the U.S. over extradition on embezzlement charges. Konanykhin subsequently set up KMGI to sell web advertising services and software. Earlier this year the National Republican Congressional Committee chose him as their New York Businessman of the Year.

Konanykhin, in response to my posting and a request for comment, says he erred in not making clear KMGI’s relationship with the foundation:

After reading your reaction to our news release in your blog posting, I realized that it was a mistake to limit our Internet Security Foundation site to the discussion of the password vulnerability and not include a page on what compelled me to establish the Foundation.

He says his motives for setting up the foundation were entirely motivated by realisation that users did not understand their passwords in Windows remained vulnerable even if they were concealed by asterisks:

We researched this issue further and found that 86% of Internet users believed that the passwords hidden behind the asterisks are securely protected. As we opined in our press release, this false perception may result in criminals and terrorists unlawfully obtaining passwords of unsuspecting Internet users, gaining access to bank records, and other private information such as bank accounts. So, I urged Microsoft to fix this security hole (even thought it would kill our revenues from sales of SeePassword), but Microsoft refused to do it.

I was surprised by Microsoft’s position which leaves hundreds of millions of Windows users at risk of identity theft. So, I felt compelled to fight on – and founded the Internet Security Foundation. I allocated a significant portion of our proceeds from sales of SeePassword to informing computer users about the grave but largely unknown risk they are facing. The press release you received was the first step of this campaign which, I hope, will minimize the risks to the Internet users.

After reading Konanykhin’s response to my earlier posting, I’m persuaded that he did not intend to mislead the public or conceal his company’s relationship to the foundation. I think this is more a case of someone inexperienced in the importance of ensuring all interests are plainly visible to the public. That said, I think Konanykhin needs to move quickly to implement his promise to add a page of explanation to the ISF homepage, something that has yet to happen at the time of writing.

In matters of Internet security and privacy, there are enough snake-oil salesmen, piles of skewed or self-serving ‘research’ and bad guys masquerading as good guys for users to be understandably suspicious about the motives of anyone raising alarm bells while simultaneously offering solutions.

The Gaping Browser Hole

Sometimes security holes can be subtle rather than complex. Sidney Low of Aliencamel points out the vulnerability discovered by Secunia, called the Multiple Browsers Frame Injection Vulnerability.

It’s a fancy term for a simple enough trick, where the bad guy hijacks a frame in a legitimate webpage (a frame is one portion of a webpage which has been divided into sections). The result is that the overall page is kosher — including, crucially, the URL — but that one of the frames contained inside is not. In that frame, of course, the bad guy could do anything he likes, and the user is none the wiser.

The only way a user can tell, I think, is by right clicking on the frame content and seeing what URL it is coming from, but who does that?

This vulnerability, actually, is a variation on a vulnerability Secunia reported had been fixed in earlier versions of IE, but then created again in a recent version. The bad news is that the vulnerability is not only an IE also present in Opera, Safari, Netscape and Mozilla. I couldn’t get it to work in Firefox, interestingly. There’s a test you can perform here.

As Sydney says: “This one is quite worrying because it doesn’t need to do any URL masking. It simply exploits the fact that framesets will do the URL masking for the phisher.”

Phishing Gets Proactive

Scaring the bejesus out of a lot of security folk this weekend is a new kind of phishing attack that doesn’t require the victim to do anything but visit the usual websites he might visit anyway.

It works like this: The bad guy uses a weakness in web servers running  Internet Information Services 5.0 (IIS) and Internet Explorer, components of Microsoft Windows, to make it append some JavaScript code to the bottom of webpages. When the victim visits those pages the JavaScript will load onto his computer one or more trojans, known variously as Scob.A, Berbew.F, and Padodor. These trojans open up the victim’s computer to the bad guy, but Padodor is also a keylogging trojan, capturing passwords the victim types when accessing websites like eBay and PayPal. Here’s an analysis of the malicious script placed on victims’ computers from LURHQ. Think of it as a kind of outsourced phishing attack.

Some things are not yet clear. One is how widespread this infection is. According to U.S.-based iDEFENSE late Friday, “hundreds of thousands of computers have likely been infected in the past 24 hours.” Others say it’s not that widespread. CNET reported late Friday that the Russian server delivering the trojans was shut down, but that may only be temporary respite.

What’s also unclear is exactly what vulnerability is being used, and therefore whether Microsoft has already developed a patch — or software cure — for it. More discussion on that here. Microsoft is calling the security issue Download.Ject, and writes about it here.

Although there’s no hard evidence, several security firms, including Kaspersky, iDEFENSE and F-Secure, are pointing the finger at a Russian-speaking hacking group called the HangUP Team.

According to Kaspersky Labs, we may be looking at what is called a Zero Day Vulnerability. In other words, a hole “which no-one knows about, and which there is no patch for”. Usually it has been the good guys — known in the trade as the white hats — who discover vulnerabilities in software and try to patch them before they can be exploited, whereas this attack may reflect a shift in the balance of power, as the bad guys (the black hats) find the vulnerabilities first, and make use of them while the rest of us try to find out how they do it. “We have been predicting such an incident for several years: it confirms the destructive direction taken by the computer underground, and the trend in using a combination of methods to attack. Unfortunately, such blended threats and attacks are designed to evade the protection currently available,” commented Eugene Kaspersky, head of Anti-Virus Research at Kaspersky Labs.

In short, what’s scary about this is:

  • we still don’t know exactly how servers are getting infected. Everyone’s still working on it;
  • suddenly surfing itself becomes dangerous. It’s no longer necessary to try to lure victims to dodgy websites; you just infect the places they would visit anyway;
  • Users who have done everything right can still get infected: Even a fully patched version of Internet Explorer 6 won’t save you from infection, according to Netcraft, a British Internet security company.

For now, all that is recommended is that you disable JavaScript. This is not really an option, says Daniel McNamara of anti-phishing website CodePhish, since a lot of sites rely on JavaScript to function. A better way, according to iDEFENSE, would be to use a non-Microsoft browser. Oh, and if you want to check whether you’re infected, according to Microsoft, search for the following files on your hard disk: kk32.dll and surf.dat. If either are there, you’re infected and you should run one of the clean-up tools listed on the Microsoft page.

Windows’ Gaping, Seven Month Hole

Quite a big hooha over this latest Microsoft vulnerability, and I readily ‘fess up to the fact that I didn’t really take this seriously. Seems like I wasn’t the only one.

But folk like Shawna McAlearney of SearchSecurity.com points out that the delay of 200 days between Microsoft being notified and their coming out with a patch is appallingly long. “If Microsoft really considered this a serious or critical vulnerability for nearly all Windows users, it should have been a ‘drop-everything-and-fix’ thing resolved in a short period of time,” Shawna quotes Richard Forno, a security consultant, as saying. “Nearly 200 days to research and resolve a ‘critical’ vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing much more important role in its products.” Strong stuff.

So what is all the fuss about? The vulnerability in question can, in theory, permit an unauthenticated, remote attacker to execute arbitrary code with system privileges: That means a ne’er do well could do anything they want in your computer. And while it hasn’t happened yet, to our knowledge, it’s only a question of time, according to Scott Blake, vice president of information security at Houston-based BindView Corp.: “We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation — it’s simply a case of when it materializes.”

Paul Thurrot, of WinNetMag, weighs in with his view, pointing out that the flaw is a very simple one: “attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago.”

News: Beware Of Patches That Don’t Patch

 From the This Doesn’t Inspire Confidence Dept comes news that a patch recently released by Microsoft to fix a critical security vulnerability in its Internet Explorer browser does not work, according to security experts. CNET says that the vulnerability was discovered by eEye Digital Security around four months ago. The vulnerability in question can be exploited by crafting a malicious HTML file that, when viewed by an Internet Explorer browser, extracts and executes malicious code.
Two patches have since been released, but, according to eEye, neither fixes the vulnerability it is supposed to. If you’re worried, disable active scripting in your browser until Microsoft updates the patch. (Go to Tools/Options/Security/Custom Level, and then scroll down until you get to Active Scripting.)

News: A Patch In Time Saves You Online

 This from the guys at Information Security Magazine, a warning about some new, and serious vulnerabilities in Microsoft software. The most critical vulnerability is titled ?Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution? (MS 03037). Microsoft provided few details about the actual vulnerability, but says the flaw is dangerous and users of affected software should apply patches immediately. This is not just for techheads and sysops: Affected software includes Access (97/2000/2002), Excel (97/2000/2002), PowerPoint (97/2000/2002), Project (2000/2002), Publisher 2002, Visio
(2000/2002), Word (97/98(J)/2000/2002), Works Suite (2001/2002/2003) and several versions of Microsoft Business solutions.
There are other vulnerabilities too:
?Flaw in Word Could Enable Macros to Run Automatically? (MS 03035)
?Buffer Overrun in WordPerfect Converter Could Allow Code Execution? (MS 03036)
?Unchecked Buffer Overflow in Microsoft Access Snapshot Viewer Could Allow Code Execution? (MS 03038)
?Flaw in NetBIOS Could Lead to Information Disclosure? (MS 03034)
If we’ve learned nothing in the past month, we should have at least learned to patch, patch and keep patching.

Update: Microsoft May Stop Footing Pussies

 Security Wire Digest, published by Information Security Magazine, reports that Microsoft may stop pussyfooting around on updates to its Windows operating system. In the wake of the worm that ripped through networks worldwide by exploiting a vulnerability for which a patch had been released more than three weeks before, the company is considering several plans to beef up security in its products which may automatically install patches on PCs.
Privacy advocates will have a problem with this, but it’s logical. Most folk don’t update properly, or even know they’re supposed to, although I wonder whether it may leave Microsoft vulnerable legally. It’s tantamount to saying ‘what we’re selling you isn’t safe unless you let us keep patching it.’