vulnerabilities ensure that their employees are made aware of the types of information that are sensitive, and which therefore should not be shared via the Internet in answer to unexpected requests. In more general terms, few completely definitive guidelines can be given. For example, while the US Federal Trade Commission offers some basic guidance on its website to help consumers avoid phishing scams [10], this is not guaranteed to apply in all cases. For instance, one suggestion is that users should look for the padlock symbol on the web browser's status bar before submitting financial information to a website. However, the presence of the padlock is by no means an assurance that a site is genuine, as determined scammers could still use encrypted connections and fraudulent certificates to create a false impression of security [11]. In many cases, the bottom line is that we have to rely upon users to take notice of what they are told, and then exercise common sense. For example, going back to the Barclays example, no matter how professional the received message might have seemed, if users had taken the time to follow the 'security' link and read the associated page, they would have seen that the overriding message from the bank was that it did not send emails asking for confidential information. Add to this the fact that there were also other suspicious signs if users knew what to look for, and it becomes apparent that many successful phishing incidents are actually preventable. As such, making efforts to get users attuned to these threats now will be beneficial in the longer term as the scams become more creative.

References

1. Piore, A. "Hacking for Dollars", Newsweek International, December 2003. http://msnbc.msn.com/id/3706599/
2. Word Spy. 2003. "The Word Spy – phishing". http://www.wordspy.com/words/phishing.asp
3. Anti-Phishing Working Group. 2004. Phishing Attack Trends Report February 2004. http://www.antiphishing.org/APWG.Phishing.Attack.Report.Feb2004.pdf
4. Mitnick, K.D. and Simon, W.L. 2002. The Art of Deception – Controlling the Human Element of Security. Wiley Publishing, Inc., Indianapolis, Indiana. ISBN 0-471-23712-4.
5. Barclays. 2004. "We're making Online Banking safer for you", Barclays Personal Banking: Security overview. 24 February 2004. http://www.personal.barclays.co.uk
6. Naraine, R. 2003. "PayPal Phishers Turn to E-mail Viruses", internetnews.com, 14 November 2003.
7. Furnell, S. and Bolakis, S. 2004. "Helping us to help ourselves: assessing administrators' use of security analysis tools", Network Security, February 2004, pp7-12.
8. Furnell, S.M., Dowland, P.S., Illingworth, H.M. and Reynolds, P.L. 2000. "Authentication and supervision: A survey of user attitudes", Computers & Security, vol. 19, no. 6, pp529-539.
9. Schultz, E. 2004. "More bank phishing scams surface", Security Views, Computers & Security, vol. 23, no. 2, pp90-91.
10. Federal Trade Commission. 2003. "How Not to Get Hooked by a 'Phishing' Scam", FTC Consumer Alert, July 2003. http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
11. Colley, A. 2004. "Phishing scam 'most devious ever'", ZDNet Australia, 3 March 2004.

About the author
Dr Steven Furnell is head of the Network Research Group at the University of Plymouth, UK. He has been involved in security research for over 11 years, and has authored numerous papers on the topic, as well as the book 'Cybercrime: Vandalizing the Information Society', published by Addison Wesley. Email: [email protected]

The Big Picture on Big Holes
Jakob Balle, IT Development Manager, Secunia

Rapid development of exploits
More and more vulnerabilities appear to be exploited more rapidly than they used to be. During the last two months, we have seen exploitation of the ICQ hole in certain ISS products and of the LSASS and PCT vulnerabilities in Microsoft Windows. All were exploited within a very short time after information about the vulnerabilities was published. This stresses the need to keep track of vulnerabilities in the software and operating systems on our networks, in order to prevent malicious hackers and worms from penetrating our perimeter defenses.

Many vulnerabilities that generally go unnoticed are very easy to exploit, and are exploited on a fairly wide scale. This is especially true of the many SQL injection and code / file inclusion vulnerabilities in content management systems and other Web-based applications. Many system administrators and webmasters fail or forget to monitor security sites and mailing lists for new vulnerabilities in the various "innocent" applications they have installed on their websites to provide additional services and functionality. Most merely focus on their perimeter defenses and their server operating systems in the battle to stay secure.
Internet Explorer vulnerabilities
Another vulnerability has been reported in Internet Explorer, which can be exploited to bypass certain frame scripting restrictions. Successful exploitation potentially allows the capture of sensitive information, such as user credentials or credit card details, typed into a frame associated with another site, if a user is tricked into following a link. Microsoft has not acknowledged this as a vulnerability and no solution is therefore available. However, a knowledge base article has been published; see: http://secunia.com/SA10996
Multiple browsers
Martin O'Neal of Corsaire has discovered a vulnerability that affects almost all Internet browsers. The vulnerability lies in the way browsers validate restricted cookie paths and could be exploited to gain access to cookie information within restricted paths from the same domain. Reportedly, most vendors have silently patched this problem. http://secunia.com/SA9680
Various Microsoft products
In May Microsoft released one patch, rated as 'important', for a vulnerability in the Help and Support Center that affects Windows XP and Windows Server 2003. In April Microsoft released four patches for various programs and operating systems, which address more than 20 different vulnerabilities. Some of the vulnerabilities were reported to Microsoft more than 250 days prior to the release of the patches. Users are advised to patch as soon as possible, as several of the vulnerabilities can be exploited by a remote attacker to gain system access to a vulnerable system. Within days, we saw the PCT handshake vulnerability being exploited, catching many system administrators off-guard even though patches had been released. The Sasser worm has since emerged to exploit the LSASS hole. http://secunia.com/SA11068 http://secunia.com/SA11067 http://secunia.com/SA11065 http://secunia.com/SA11064

Microsoft issued three security bulletins in March, which fix vulnerabilities in Outlook 2002, Windows 2000 Server, and MSN Messenger. The most severe is the cross-site scripting vulnerability in Outlook 2002. It is a bad example of how one of the most common, but least exploited, vulnerability types can be used to gain access to client systems, and not just to manipulate the behaviour of a vulnerable site. http://secunia.com/SA11078 http://secunia.com/SA11077 http://secunia.com/SA11076

OpenSSL
New OpenSSL packages have been released to address three different vulnerabilities, which can be exploited to cause a denial of service on vulnerable systems. Many vendors have already updated their products, and many others will probably issue updates for their products within a short time. While scouring the net for products affected by the OpenSSL vulnerabilities, we learned that quite a few vendors attempted to silently update their products with new OpenSSL versions, without informing their customers and the general public about the potential risk and the urgent need to upgrade. http://secunia.com/SA11139

WS_FTP Pro
A vulnerability was reported in the popular FTP client WS_FTP Pro, which could be exploited by a malicious FTP server to compromise a connected client. http://secunia.com/SA11136

Unreal engine
Security researcher Luigi Auriemma has reported a vulnerability in the Unreal Engine from Epic Games. The Unreal Engine is used in many multi-player games from different vendors, and many games may therefore be affected by this vulnerability. http://secunia.com/SA11108

Ethereal
Stefan Esser has discovered no less than 13 buffer overflow vulnerabilities in Ethereal, which can potentially be exploited to execute arbitrary code on a vulnerable system. An updated version is reportedly available from the vendor. http://secunia.com/SA11185
Symantec Norton AntiSpam and Internet Security
Mark Litchfield of NGSSoftware has discovered vulnerabilities in Symantec Norton AntiSpam and Symantec Internet Security, which can be exploited to compromise a vulnerable system. For both products this can be exploited through HTML documents, e.g. by visiting a malicious website. Symantec has reported that updates are available for both products via the "LiveUpdate" feature. http://secunia.com/SA11168 http://secunia.com/SA11169
Various ISS products
eEye Digital Security discovered a vulnerability in the way multiple products from Internet Security Systems (ISS) handle ICQ server responses. The vulnerability could be exploited via a specially crafted packet with a source port of 4000/UDP. Just one day after the disclosure from eEye and the release of patches from ISS, a worm began exploiting this vulnerability. http://secunia.com/SA11073
Internet Explorer - old news
By the end of March, there was a lot of talk about a "new" vulnerability in Internet Explorer. It has even been referred to as a so-called "zero-day" vulnerability. However, this is not the case. It is a variant of an older vulnerability in the "ShowHelp()" function in Internet Explorer, which allows a malicious website to download and run ".CHM" files on the local system. What is new, and what people have been talking about, is that instead of using the "ShowHelp()" function in Internet Explorer, a new attack vector for this problem has been revealed using either the "ms-its:" or "mk:@MSITStore:" URI handlers. http://secunia.com/SA10523
Panda ActiveScan
A vulnerability has been reported in Panda ActiveScan, which can be exploited to compromise a vulnerable system. Panda has released a new version of ActiveScan. http://secunia.com/SA11312
Winamp
Peter Winter-Smith has identified a vulnerability in the very popular music player Winamp, versions 2.91 through 5.02. The vulnerability may be triggered by visiting a malicious website with a vulnerable Winamp client. All users are advised to update to version 5.03. http://secunia.com/SA11285
Mac OS X
Apple has released a security update for Mac OS X, which corrects multiple vulnerabilities. The vulnerability in libxml2 can be exploited to gain access to a vulnerable system, by making the system parse a malicious XML document. The update is available from the vendor website. http://secunia.com/SA11303
Multiple operating systems: TCP sequence number weakness
Lately, there has been quite a lot of media hype regarding a vulnerability in the TCP specification (RFC793). Although the vulnerability could indeed be exploited to cause a denial of service, the severity of such an attack would be very limited in most cases, and an exploitation attempt would cause more nuisance than severe interruption. Nevertheless, vendors should fix this soon. System administrators can wait until the next big patch day with more serious issues before updating. http://secunia.com/SA11440
Symantec client firewalls
Symantec has corrected a severe denial-of-service vulnerability in its Client Firewall products, where a successful attack will render a vulnerable system inoperable. Symantec reports that an updated version is available via the "LiveUpdate" feature. http://secunia.com/SA11102
BitDefender's online anti-virus scanner
Rafel Ivgi has discovered a vulnerability in BitDefender's online anti-virus scanner, which can be exploited to compromise a vulnerable user's system. BitDefender has reported that the vulnerability has been corrected. Users who have used BitDefender's online anti-virus scanner in the past are therefore urged to visit BitDefender's website to get the updated ActiveX control. http://secunia.com/SA11427
Events Calendar NETSEC 2004 14-16 June 2004 Location: San Francisco, US Website: www.cmpevents.com
TECHNO-SECURITY 2004 6-9 June 2004 Location: Myrtle Beach, South Carolina Website: http://www.thetrainingco.com
PAYMENT SYSTEMS & SECURITY 18-19 June 2004 Location: London Website: www.sec2004.org
ISACA INTERNATIONAL CONFERENCE 2004 27-30 June 2004 Location: Cambridge, Massachusetts, US Website: www.isaca.org
BLACK HAT BRIEFINGS & TRAINING USA 26-29 July 2004 Location: Las Vegas, US Website: www.blackhat.com
19TH IFIP INTERNATIONAL INFORMATION SECURITY CONFERENCE 23-26 August 2004 Location: Toulouse, France Website: www.sec2004.org
COMPSEC 2004 - BUILDING BUSINESS SECURITY 13-14 October 2004 Location: London, UK Website: www.compsec2004.com Contact: Conference secretariat: Lyn Aitken Tel: +44 (0)1367 718500 Fax: +44 (0)1367 718300 Email: [email protected]
RSA EUROPE 3-5 November 2004 Location: Barcelona, Spain Website: www.rsaconference.com
CSI ANNUAL COMPUTER SECURITY CONFERENCE 7-9 November 2004 Location: Washington, US Website: www.gocsi.com/annual/ Email: [email protected]
INFOSECURITY FRANCE 24-25 November 2004 Location: Paris, France Website: www.infosecurity.com.fr