DoS vulnerability hits Google’s Chrome, crashes with all tabs

While Google’s Chrome team is cheering, Rishi Narang from Evil Fingers is typing up and releasing a proof of concept for a denial of service vulnerability that successfully crashes the Chrome browser, taking all of its tabs down with it. According to Narang’s advisory:

“An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a ’special’ character, the chrome crashes with a Google Chrome message window “Whoa! Google Chrome has crashed. Restart now?”. It crashes on “int 3” at 0x01002FF3 as an exception/trap, followed by “POP EBP” instruction when pointed out by the EIP register at 0x01002FF4.”


Also see: Google Chrome vulnerable to carpet-bombing flaw

Whenever a new product is in its introduction stage, it logically attracts a lot of attention from security researchers trying to make the point that it is vulnerable, and that some of the vulnerabilities are pretty trivial. For instance, yesterday David Maynor from Errata Security pinpointed possibilities for exploitation in Google’s Chrome, saying that:

“Google just released Chrome, their own web browser. We decided to run it through Looking Glass and it doesn’t look half bad. They at least have ASLR enabled on a few of their libraries, no NX though. Chrome is not as bad as some apps I have seen but that is not saying much.”
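The “ASLR on a few libraries, no NX” observation comes down to two flag bits in each module’s PE header, which is what a tool like Looking Glass reads out. The following C code is an added example, not from the original article or from Errata Security, that parses the relevant header fields from an in-memory PE image and reports whether a module opts in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, which only works if the relocation data was not stripped) and to DEP/NX (IMAGE_DLLCHARACTERISTICS_NX_COMPAT). The make_test_pe helper builds a constructed, minimal header for the demonstration; it is not chrome.dll, and the flag combinations it is fed are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* COFF Characteristics and optional-header DllCharacteristics bits (PE/COFF spec). */
#define IMAGE_FILE_RELOCS_STRIPPED            0x0001
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100

typedef struct {
    bool valid;                   /* headers parsed successfully */
    bool aslr;                    /* DYNAMIC_BASE set and relocations present */
    bool nx;                      /* NX_COMPAT set: opts in to DEP */
    uint16_t dll_characteristics; /* raw flag word for reporting */
} pe_mitigations;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Inspect the first `len` bytes of a PE image (file contents or a mapped module). */
pe_mitigations pe_check(const uint8_t *img, size_t len) {
    pe_mitigations r = {0};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return r;   /* DOS header */
    uint32_t pe_off = rd32(img + 0x3C);                            /* e_lfanew */
    /* Need "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72). */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return r;
    const uint8_t *nt = img + pe_off;
    if (memcmp(nt, "PE\0\0", 4) != 0) return r;
    uint16_t opt_size   = rd16(nt + 4 + 16);   /* COFF SizeOfOptionalHeader */
    uint16_t coff_chars = rd16(nt + 4 + 18);   /* COFF Characteristics */
    const uint8_t *opt = nt + 24;
    uint16_t magic = rd16(opt);                /* 0x10B = PE32, 0x20B = PE32+ */
    if ((magic != 0x10B && magic != 0x20B) || opt_size < 72) return r;
    r.dll_characteristics = rd16(opt + 70);    /* same offset in PE32 and PE32+ */
    r.valid = true;
    r.nx = (r.dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
    /* An image whose .reloc data was stripped cannot be rebased, so the loader
       cannot randomize it even when DYNAMIC_BASE is set. */
    r.aslr = (r.dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0 &&
             (coff_chars & IMAGE_FILE_RELOCS_STRIPPED) == 0;
    return r;
}

/* Constructed sample header (not a real binary): just enough PE32 structure for pe_check. */
size_t make_test_pe(uint8_t *buf, size_t len, uint16_t coff_chars, uint16_t dll_chars) {
    const uint32_t pe_off = 0x40;              /* NT headers right after the DOS header */
    size_t need = pe_off + 24 + 72;
    if (len < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe_off;               /* e_lfanew, little-endian, fits in one byte */
    uint8_t *nt = buf + pe_off;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x014C);                      /* Machine: IMAGE_FILE_MACHINE_I386 */
    wr16(nt + 4 + 16, 0xE0);                   /* SizeOfOptionalHeader for PE32 */
    wr16(nt + 4 + 18, coff_chars);
    wr16(nt + 24, 0x10B);                      /* optional header Magic: PE32 */
    wr16(nt + 24 + 70, dll_chars);
    return need;
}

int main(void) {
    uint8_t img[256];
    /* The situation Maynor describes: ASLR opted in, DEP/NX not. Constructed flags:
       0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL. */
    size_t n = make_test_pe(img, sizeof img, 0x2102, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE);
    pe_mitigations m = pe_check(img, n);
    printf("valid=%d aslr=%d nx=%d DllCharacteristics=0x%04x\n",
           m.valid, m.aslr, m.nx, m.dll_characteristics);
    return 0;
}
```

Checking module by module matters because the two mitigations are decided at different granularity: on Vista a process’s DEP state follows the main executable’s NX_COMPAT flag and the system policy, while ASLR is applied image by image, so a single DLL without DYNAMIC_BASE (or with its relocations stripped) leaves a predictable address range for an attacker even when the rest of the process is randomized.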

What’s important, though, is whether or not the browser release will also attract the attention of cybercriminals. Being anything but old-fashioned, they too do their homework and weigh a browser’s market share when deciding where to invest in exploitation, so as to maximize the impact. Consequently, from an attacker’s perspective Chrome currently ranks just behind Opera as a target, given its practically non-existent market share.

Would that change? In the first quarter of 2009, Google will presumably release stats on the number of people who downloaded Chrome, which would demonstrate nothing more than that the browser is in its introduction stage. The question is how many of those who downloaded it will actually stick with it, and whether companies will embrace it if it does get popular enough, which would raise the value to attackers of any upcoming vulnerabilities.

Considering that, according to public statistics on web browser usage share, IE6 users are still as numerous as IE7 users, a migration from Firefox or IE to Google’s Chrome is not going to happen overnight.

[Source: zdnet]

Critical WMP, MS Office bugs on Patch Tuesday swat list

Microsoft today announced plans to ship four security bulletins next Tuesday (September 9, 2008) to cover wormable holes affecting Windows users.

All four bulletins in September’s Patch Tuesday will be rated “critical,” Microsoft’s highest severity rating. A “critical” rating is used to rate a vulnerability that can be exploited to allow the propagation of an Internet worm without any user action.

Here’s the skinny on what’s coming:
According to the company’s advance notice, the four bulletins will include patches for software flaws in Windows Media Player 11, the Windows Media Encoder, Microsoft Office and several components on the Windows operating system.

All the bulletins address “remote code execution” vulnerabilities:

Windows Media Player Bulletin (Impact: Remote Code Execution)

  • Windows Media Player 11 on Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows Media Player 11 on Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Media Player 11 on Windows Vista and Windows Vista Service Pack 1
  • Windows Media Player 11 on Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Media Player 11 on Windows Server 2008 for 32-bit Systems (Windows Server 2008 Server Core installation not affected)
  • Windows Media Player 11 on Windows Server 2008 for x64-based Systems (Windows Server 2008 Server Core installation not affected)

Windows Bulletin (Impact: Remote Code Execution)

  • Microsoft Internet Explorer 6 on Microsoft Windows 2000 Service Pack 4
  • Microsoft .NET Framework 1.0 Service Pack 3 on Microsoft Windows 2000 Service Pack 4
  • Microsoft .NET Framework 1.1 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
  • Microsoft .NET Framework 2.0 on Microsoft Windows 2000 Service Pack 4
  • Microsoft .NET Framework 2.0 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems (Windows Server 2008 Server Core installation not affected)
  • Windows Server 2008 for x64-based Systems (Windows Server 2008 Server Core installation not affected)
  • Windows Server 2008 for Itanium-based Systems
  • Microsoft Office XP Service Pack 3
  • Microsoft Office 2003 Service Pack 2
  • 2007 Microsoft Office System
  • Microsoft Visio 2002 Service Pack 2
  • Microsoft Office PowerPoint Viewer 2003
  • Microsoft Works 8
  • Microsoft Digital Image Suite 2006
  • QFE update for SQL 2000 Reporting Services Service Pack 2 when installed on Microsoft Windows 2000 Service Pack 4
  • GDR update for SQL Server 2005 Service Pack 2
  • QFE update for SQL Server 2005 Service Pack 2
  • GDR update for SQL Server 2005 x64 Edition Service Pack 2
  • QFE update for SQL Server 2005 x64 Edition Service Pack 2
  • GDR update for SQL Server 2005 for Itanium-based Systems Service Pack 2
  • QFE update for SQL Server 2005 for Itanium-based Systems Service Pack 2
  • Microsoft Visual Studio .NET 2002 Service Pack 1
  • Microsoft Visual Studio .NET 2003 Service Pack 1
  • Microsoft Visual Studio 2005 Service Pack 1
  • Microsoft Visual Studio 2008
  • Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Report Viewer 2008 Redistributable Package when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Visual FoxPro 8.0 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Visual FoxPro 9.0 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Visual FoxPro 9.0 Service Pack 2 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Platform SDK Redistributable: GDI+
  • Microsoft Forefront Client Security 1.0 when installed on Microsoft Windows 2000 Service Pack 4

Windows Media Encoder Bulletin (Impact: Remote Code Execution)

  • Windows Media Encoder 9 Series on Microsoft Windows 2000 Service Pack 4
  • Windows Media Encoder 9 Series on Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows Media Encoder 9 Series on Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Media Encoder 9 Series x64 Edition on Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Media Encoder 9 Series on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Media Encoder 9 Series on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Media Encoder 9 Series x64 Edition on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Media Encoder 9 Series on Windows Vista and Windows Vista Service Pack 1
  • Windows Media Encoder 9 Series on Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Media Encoder 9 Series x64 Edition on Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Media Encoder 9 Series on Windows Server 2008 for 32-bit Systems (Windows Server 2008 Server Core installation not affected)
  • Windows Media Encoder 9 Series on Windows Server 2008 for x64-based Systems (Windows Server 2008 Server Core installation not affected)
  • Windows Media Encoder 9 Series x64 Edition on Windows Server 2008 for x64-based Systems (Windows Server 2008 Server Core installation not affected)

Office Bulletin (Impact: Remote Code Execution)

  • Microsoft Office XP Service Pack 3
  • Microsoft Office 2003 Service Pack 2
  • Microsoft Office 2003 Service Pack 3
  • 2007 Microsoft Office System
  • 2007 Microsoft Office System Service Pack 1
  • Microsoft Office OneNote 2007
  • Microsoft Office OneNote 2007 Service Pack 1
[Source: zdnet]

Security-wise, Google Chrome is (potentially very) Good

Security bloggers are already commenting on Google’s slightly premature “Chrome” browser leak. Built on top of the Apple-sponsored WebKit engine, the browser offers several security features that we have so far only seen in the beta releases of IE8.

The most interesting feature discussed so far is the strict memory separation afforded by the technology, where each web application will operate in its own memory space with its own virtual machine for code execution. Keep in mind that modern browsers are practically primitive operating systems unto themselves. They handle asynchronous network traffic, user input, data rendering, and code execution. Modern operating systems, say, anything created in the past 25 years, implement dozens of technologies that allow for the safe execution of multiple processes simultaneously, such as individual memory spaces for each application. This feature, for example, helps prevent the crash of one application from taking down the entire system by not allowing applications to corrupt each other’s memory spaces.

Currently, browsers still operate as single applications inhabiting a single process space, and devote a significant portion of their codebase to keeping individual web apps from stepping on one another. The Chrome philosophy appears to be more akin to not reinventing the wheel: the full set of operating system process-separation features is used rather than being rebuilt inside the browser.
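To make the difference concrete, here is an added C example (not Chrome code and not from the original article) that runs each “tab” as a forked child process on a POSIX system: a tab that writes through a null pointer dies with SIGSEGV while the parent survives and merely observes the signal, and a tab that overwrites a “browser” variable changes only its own copy-on-write copy of memory. For contrast, run_tab_in_process runs the same scribbling tab inside the parent, the way a single-process browser would. The tab functions and the browser_state variable are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* How a "tab" ended when run in its own process. */
typedef enum { TAB_OK = 0, TAB_FAILED, TAB_CRASHED, TAB_SPAWN_ERROR } tab_result;

/* State owned by the browser "kernel" (the parent). No tab should be able to alter it. */
static int browser_state = 7;

/* Run `work` in a forked child. A crash or stray write in the child cannot reach the
 * parent's address space; the parent only sees the exit status (and signal, if any). */
tab_result run_tab(int (*work)(void), int *sig) {
    if (sig) *sig = 0;
    pid_t pid = fork();
    if (pid < 0) return TAB_SPAWN_ERROR;
    if (pid == 0) _exit(work() == 0 ? 0 : 1);       /* child: never returns into the parent */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return TAB_SPAWN_ERROR;
    if (WIFSIGNALED(status)) {
        if (sig) *sig = WTERMSIG(status);
        return TAB_CRASHED;
    }
    return WEXITSTATUS(status) == 0 ? TAB_OK : TAB_FAILED;
}

/* For contrast, the single-process model: the tab runs inside our own process.
 * Never call this with crashing_tab; that is exactly the point. */
int run_tab_in_process(int (*work)(void)) {
    int saved = browser_state;
    work();
    int seen = browser_state;
    browser_state = saved;                           /* restore so the demo is repeatable */
    return seen;
}

/* A well-behaved tab. */
int healthy_tab(void) { return 0; }

/* A tab with a memory-safety bug: writes through a null pointer. */
int crashing_tab(void) {
    volatile int *p = NULL;
    *p = 0x41414141;                                 /* SIGSEGV here */
    return 0;
}

/* A tab that scribbles over "browser" state. */
int scribbling_tab(void) {
    browser_state = -1;
    return 0;
}

/* Run a tab in its own process and report the parent's state afterwards. */
int browser_state_after(int (*work)(void)) {
    run_tab(work, NULL);
    return browser_state;
}

int main(void) {
    int sig = 0;
    tab_result r = run_tab(crashing_tab, &sig);
    printf("crashing tab: result=%d signal=%d, parent still alive\n", r, sig);
    printf("state after scribbling tab in-process: %d\n", run_tab_in_process(scribbling_tab));
    printf("state after scribbling tab in its own process: %d\n",
           browser_state_after(scribbling_tab));
    return 0;
}
```

This is only the operating-system mechanism that the article says Chrome leans on. Containing crashes and memory corruption is not yet a sandbox: a sandbox additionally has to strip the tab’s process of privileges so that a compromised renderer cannot reach the file system or the network on its own.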

As more and more applications move from the desktop, an environment that provides some means of process isolation, to an environment where one application can inadvertently take down another, the user experience will move from one of relative stability and security to one lacking both. In many ways, Google’s Chrome technology is the next necessary step in the movement away from desktop applications to everything being delivered as a service.

[Source: zdnet]

Google Chrome, the security tidbits

The oft-rumored Google browser is real. It’s called Google Chrome and it comes with a handful of security-related features like a privacy mode and blacklist-based blocking of phishing and malware sites.

[ PREVIOUSLY: Google hires browser hacking guru ]

A beta version of the new browser is expected to ship on Tuesday September 2 (Windows only) in more than 100 countries. A cartoon explanation also hints at the use of single-site browsers (like Mozilla’s Prism) and tabbed browsing within sandboxes.

From the official announcement:

  • Under the hood, we were able to build the foundation of a browser that runs today’s complex web applications much better. By keeping each tab in an isolated “sandbox”, we were able to prevent one tab from crashing another and provide improved protection from rogue sites. We improved speed and responsiveness across the board. We also built a more powerful JavaScript engine, V8, to power the next generation of web applications that aren’t even possible in today’s browsers.

Google said it used components from Apple’s WebKit and Mozilla’s Firefox to build the browser and plans to open-source all the code.

[ SEE: Microsoft confirms ‘InPrivate’ IE 8 ]

On the Google Blogoscoped blog, some of the security tidbits are mentioned:

  • Chrome has a privacy mode; Google says you can create an “incognito” window “and nothing that occurs in that window is ever logged on your computer.” The latest version of Internet Explorer calls this InPrivate. Google’s use-case for when you might want to use the “incognito” feature is e.g. to keep a surprise gift a secret. As far as Microsoft’s InPrivate mode is concerned, people also speculated it was a “porn mode.”
  • Web apps can be launched in their own browser window without address bar and toolbar. Mozilla has a project called Prism that aims to do similar (though doing so may train users into accepting non-URL windows as safe or into ignoring the URL, which could increase the effectiveness of phishing attacks).
  • To fight malware and phishing attempts, Chrome is constantly downloading lists of harmful sites. Google also promises that whatever runs in a tab is sandboxed so that it won’t affect your machine and can be safely closed. Plugins the user installed may escape this security model, Google admits.

Dennis Fisher makes the case that Google Chrome is unlikely to attract security-minded Web surfers.

[Source: zdnet]

VMware ships patches for ‘highly critical’ server flaws

Virtualization specialist VMware has shipped a mega-patch to cover several “highly critical” vulnerabilities affecting its server and workstation product lines.

In all, the patch batch addresses at least 16 documented vulnerabilities affecting the VMware Workstation, VMware Player, VMware ACE, VMware Server and VMware ESX server.

The flaws put users at risk of arbitrary code execution, information disclosure, privilege escalation and denial of service attacks.

Secunia has tagged the VMware Server update as “highly critical” and breaks it down into 8 security issues, including:

  • Various vulnerabilities are caused due to unspecified errors within certain ActiveX controls. These can be exploited to e.g. execute arbitrary code by tricking a user into visiting a malicious website.
  • An unspecified error when processing malformed requests exists within the ISAPI Extension. This can be exploited to cause a DoS by sending specially crafted requests to a vulnerable system.

[ SEE: VMware blames stray code for ‘time bomb’ hiccup ]

  • An unspecified error related to “OpenProcess” can be exploited by malicious, local users on a host system to gain escalated privileges on the host system.
  • Some vulnerabilities in freetype can potentially be exploited by malicious people to compromise an application using the library.

A separate advisory, rated “moderately critical,” spells out four more issues in the VMware ESX Server, including:

  • An error in libpng can be exploited by malicious people to cause a DoS (Denial of Service).
  • Some vulnerabilities in freetype potentially can be exploited by malicious people to compromise an application using the library.

Some of the ESX Server vulnerabilities are not yet patched. Secunia recommends that users not process untrusted fonts or PNG images.

[Source: zdnet]

Microsoft downplays BitLocker password leakage

Microsoft is downplaying the severity of a password leakage issue in BitLocker, the full disk encryption feature built into Windows Vista, insisting that a real world attack scenario is “very unlikely.”

According to an advisory from iViZ, the password checking routine of Microsoft Bitlocker fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.

Technical details:

  • Bitlocker’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.
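To make the advisory’s description concrete, here is an added C example (not from iViZ, Microsoft or the original article) that models the BIOS keyboard ring buffer in the BIOS Data Area: head pointer at 0x40:0x1A, tail pointer at 0x40:0x1C and sixteen two-byte slots (ASCII code, scan code) starting at 0x40:0x1E. The BIOS-side push and pop functions are a constructed simulation of the int 09h and int 16h handlers, and the “password” is a made-up sample; recover_keystrokes shows what is left in the bytes after a prompt has consumed every key, and flush_keyboard_buffer is the sanitization the advisory says is missing. On a real machine reading the snapshot requires access to physical memory, which the example does not attempt.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets within the BIOS Data Area (segment 0x40), from the classic PC BIOS layout. */
#define BDA_KBD_HEAD      0x1A   /* word: offset of the next keystroke to be read (int 16h) */
#define BDA_KBD_TAIL      0x1C   /* word: offset of the next free slot (int 09h writes here) */
#define BDA_KBD_BUF       0x1E   /* 16 two-byte slots: ASCII code, then scan code */
#define BDA_KBD_BUF_END   0x3E   /* one past the last slot */
#define BDA_SNAPSHOT_LEN  0x40   /* bytes 0x40:0x00 .. 0x40:0x3F */

static uint16_t rd16(const uint8_t *bda, size_t off) {
    return (uint16_t)(bda[off] | (bda[off + 1] << 8));
}
static void wr16(uint8_t *bda, size_t off, uint16_t v) {
    bda[off] = (uint8_t)v;
    bda[off + 1] = (uint8_t)(v >> 8);
}
static uint16_t next_slot(uint16_t off) {
    off += 2;
    return off >= BDA_KBD_BUF_END ? BDA_KBD_BUF : off;
}

/* --- Constructed model of the BIOS side (not real firmware code) --- */

/* Reset the ring to the empty state a BIOS leaves after POST. */
void bda_init(uint8_t *bda) {
    memset(bda, 0, BDA_SNAPSHOT_LEN);
    wr16(bda, BDA_KBD_HEAD, BDA_KBD_BUF);
    wr16(bda, BDA_KBD_TAIL, BDA_KBD_BUF);
}

/* Keystroke arrives (int 09h): store ASCII + scan code at the tail and advance it. */
static void bda_push_key(uint8_t *bda, uint8_t ascii, uint8_t scancode) {
    uint16_t tail = rd16(bda, BDA_KBD_TAIL);
    bda[tail] = ascii;
    bda[tail + 1] = scancode;
    wr16(bda, BDA_KBD_TAIL, next_slot(tail));
}

/* Pre-boot prompt reads a key (int 16h): only the head pointer moves; the bytes stay. */
static void bda_pop_key(uint8_t *bda) {
    wr16(bda, BDA_KBD_HEAD, next_slot(rd16(bda, BDA_KBD_HEAD)));
}

/* Simulate a user typing `keys` at a pre-boot password prompt that consumes each key as it
 * arrives. The scan code is a placeholder (constructed); the leak is in the ASCII bytes. */
void simulate_password_entry(uint8_t *bda, const char *keys) {
    bda_init(bda);
    for (; *keys; keys++) {
        bda_push_key(bda, (uint8_t)*keys, 0x00);
        bda_pop_key(bda);
    }
}

/* --- The two halves of the advisory: the leak, and the missing sanitization --- */

/* What someone who can read physical memory at 0x40:0x1E recovers later. Walks the ring
 * starting at the tail (the oldest surviving slot) so characters come out in typing order;
 * keeps printable ASCII only, so Enter and empty slots are dropped. */
size_t recover_keystrokes(const uint8_t *bda, char *out, size_t outlen) {
    size_t n = 0;
    if (outlen == 0) return 0;
    uint16_t off = rd16(bda, BDA_KBD_TAIL);
    if (off < BDA_KBD_BUF || off >= BDA_KBD_BUF_END) { out[0] = '\0'; return 0; }
    for (int i = 0; i < 16 && n + 1 < outlen; i++, off = next_slot(off)) {
        uint8_t ascii = bda[off];
        if (ascii >= 0x20 && ascii < 0x7F) out[n++] = (char)ascii;
    }
    out[n] = '\0';
    return n;
}

/* What the password routine should do after reading the password: clear the bytes and
 * reset both pointers, so nothing is left for the booted OS (or an attacker) to find. */
void flush_keyboard_buffer(uint8_t *bda) {
    memset(bda + BDA_KBD_BUF, 0, BDA_KBD_BUF_END - BDA_KBD_BUF);
    wr16(bda, BDA_KBD_HEAD, BDA_KBD_BUF);
    wr16(bda, BDA_KBD_TAIL, BDA_KBD_BUF);
}

int main(void) {
    uint8_t bda[BDA_SNAPSHOT_LEN];
    char out[32];
    simulate_password_entry(bda, "hunter2\r");        /* constructed sample password */
    recover_keystrokes(bda, out, sizeof out);
    printf("pointers say buffer is empty (head==tail): %d; bytes still hold: \"%s\"\n",
           rd16(bda, BDA_KBD_HEAD) == rd16(bda, BDA_KBD_TAIL), out);
    flush_keyboard_buffer(bda);
    recover_keystrokes(bda, out, sizeof out);
    printf("after flush: \"%s\"\n", out);
    return 0;
}
```

After the prompt has consumed the keystrokes the head and tail pointers are equal, so the buffer looks empty to anything that only checks the pointers; the bytes are only gone once they are overwritten, which is why the fix has to clear them explicitly. Because the ring has sixteen slots, at most the last sixteen keystrokes survive, which for a long passphrase means its tail end rather than the whole string.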

Here’s the response from Microsoft’s Bill Sisk:

“We recognize that the claim detailed in the presentation by the researcher about BitLocker is correct…This theoretical attack is only possible in targeted situations, and while probable, [it’s] very unlikely.”

“Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use. If a system is in ‘Sleep mode’ it is, in effect, still running.”

The security issue is reportedly fixed in Windows Vista Service Pack 1.

[Source: zdnet]

Google Chrome vulnerable to carpet-bombing flaw

Google’s shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks.

Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference — to trick users into launching executables direct from the new browser.

Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.

[ SEE: Google Chrome, the security tidbits ]

In the proof-of-concept, Raff’s code shows how a malicious hacker can use a clever social engineering lure — it requires two mouse clicks — to plant malware on Windows desktops.

The Google Chrome user-agent string shows that Chrome is built on WebKit 525.13, the Safari 3.1 engine, which is an outdated and vulnerable version.

Apple patched the carpet-bombing issue with Safari v3.1.2.

Some Google Chrome early adopters using Windows Vista are reporting that files downloaded from the Internet are automatically dropped on the desktop, setting up a scenario in which a combination attack with the still-unpatched Internet Explorer flaw from the original Safari carpet-bombing blended threat could be used against them.

[Source: zdnet]