Four XSS flaws hit Facebook

Project XSSed, the clearing house for cross-site scripting flaws, has just released details on four flaws affecting Facebook’s developers page, iPhone login page and new user registration page, potentially helping malicious attackers add more legitimacy to their campaigns. With yet another critical XSS flaw hitting Facebook in May earlier this year, what’s the potential exploitability of such flaws, if any, in the wake of the ongoing Koobface worm’s rounds across the social networking site?

It’s worth pointing out that in both of these cases there were no known cases of active exploitation, perhaps due to Facebook’s quick reaction upon being notified of them. The very same lack of active exploitation was also present in several other cases throughout the year, namely, the recent XSS affecting Google’s login page, and the multiple HSBC sites (still) vulnerable to XSS flaws. And if we are to exclude the XSS worm at Justin.tv which infected 2,525 profiles in July, active exploitation of such flaws is no longer favored compared to the less noisy social engineering tricks exploiting the weakest link - the Internet user social networking with a false feeling of security.

Take Koobface for instance. It scaled so efficiently without exploiting any social networking site specific flaw, only through social engineering tactics that forward the entire spreading process to the already infected user, which in a trusted environment of friends proved to be a successful form of spreading. Despite the possibility for active exploitation of such flaws in phishing and malware campaigns, cybercriminals appear to be no longer interested in such noisy approaches, at least not while attempting to spread malware across social networking sites. Among the main reasons for this is the fact that their entire campaign would be based on a single propagation vector, which when taken care of through technical means would render their campaign useless. Instead, just like the Koobface gang continues to do, they mix the social engineering vectors by abusing legitimate brands as redirectors to the malware infected hosts serving the fake YouTube videos.

The Web in general is an entirely different topic, since I can easily argue that the long tail of SQL injected sites can outpace the traffic that could come from a single high-page ranked site that’s participating in a malware campaign. Case in point - the recent Internet Explorer zero day flaw is currently being served through SQL injections affecting vulnerable sites across the Web, a pretty logical move on which I speculated given the fact that it was originally used on Chinese forums and sites only.

For the record, the Facebook security team has been notified of the recently published flaws.

[Source: zdnet]

Major Web browsers fail password protection tests

That nifty password management feature in your favorite Web browser could be helping identity thieves pilfer your personal data.

That’s the biggest takeaway from the results of this test, which shows that all the major Web browsers — including IE, Firefox, Opera, Safari and Chrome — are affected by a total of 20 vulnerabilities that could expose password-related information. Among the problems are three in particular that, when combined, allow password thieves to take passwords without the user’s knowledge. They are:

  1. The destination where passwords are sent is not checked.
  2. The location where passwords are requested is not checked.
  3. Invisible form elements can trigger password management.
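
The three problems above map onto three checks a password manager can make before it fills anything. The following is an added example written for this digest, not code from any of the browsers tested or from Chapin Information Services; the credential store, the `form` descriptor fields (`pageUrl`, `action`, `visible`) and the site names are constructed for the illustration.

```javascript
// Added example: the three autofill checks a browser password manager should
// perform. Names and data are constructed; this is not any vendor's code.
const savedCredentials = [
  // constructed sample credential, saved for https://bank.example
  { origin: "https://bank.example", username: "alice", password: "s3cret" },
];

// Resolve `url` (optionally against `base`) and return its origin, or null
// when it cannot be parsed; an unparsable URL must never count as a match.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch {
    return null;
  }
}

// form: { pageUrl, action, visible }
//   pageUrl - location of the document that contains the login form
//   action  - the form's action attribute (absolute or relative)
//   visible - whether the password field is actually rendered to the user
function shouldAutofill(saved, form) {
  // Check 2: the location where the password is requested must be the
  // origin the credential was saved for.
  const pageOrigin = originOf(form.pageUrl);
  if (pageOrigin === null || pageOrigin !== saved.origin) return false;

  // Check 1: the destination the password will be sent to must match too;
  // a relative action is resolved against the page URL first.
  const actionOrigin = originOf(form.action, form.pageUrl);
  if (actionOrigin === null || actionOrigin !== saved.origin) return false;

  // Check 3: invisible form elements never trigger password management.
  if (!form.visible) return false;

  return true;
}

// Return the first saved credential that passes all three checks, or null.
function findCredentialToFill(form) {
  return savedCredentials.find((c) => shouldAutofill(c, form)) || null;
}
```

A form on `https://bank.example/login` posting to `/session` passes; the same form with its action pointed at another origin, a copy of the form served from another origin, or a hidden password field all fail, which is exactly the combination the test found unchecked.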

Google’s shiny new Chrome browser was among the worst offenders. According to the study, Chrome’s password manager contains multiple unpatched issues that “form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”

Apple’s Safari for Windows browser also failed a majority of the tests.


Technical details of the test, which was conducted by Chapin Information Services, can be found here.

[Source: zdnet]

Apple plugs 21 Mac OS X security holes

Apple has released a peck of patches to cover at least 21 documented security vulnerabilities affecting Mac OS X users.

With its eighth security update for 2008, the company shipped fixes for flaws that could lead to remote code execution and denial-of-service attacks. The patch batch also covers a range of serious vulnerabilities in the Adobe Flash Player plug-in.

Here’s the raw skinny on Security Update 2008-008/Mac OS X v10.5.6:

  • CVE-2008-4236: An infinite loop may occur in the Apple Type Services server’s handling of embedded fonts in PDF files. Viewing or downloading a PDF file containing a maliciously crafted embedded font may lead to a denial of service. This update addresses the issue by performing additional validation of embedded fonts. This issue does not affect systems prior to Mac OS X v10.5.
  • CVE-2008-4217: A signedness issue exists in BOM’s handling of CPIO headers which may result in a stack buffer overflow. Downloading or viewing a maliciously crafted CPIO archive may lead to arbitrary code execution or unexpected application termination. This update addresses the issue by performing additional validation of CPIO headers.
  • CVE-2008-3623: A heap buffer overflow exists in the handling of color spaces within CoreGraphics. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
  • CVE-2008-317: Safari allows web sites to set cookies for country-specific top-level domains, which may allow a remote attacker to perform a session fixation attack and hijack a user’s credentials. This update addresses the issue by performing additional validation of domain names.
  • CVE-2008-4234: Mac OS X provides the Download Validation capability to indicate potentially unsafe files. Applications such as Safari and others use Download Validation to help warn users prior to launching files marked as potentially unsafe. This update adds to the list of potentially unsafe types. It adds the content type for files that have executable permissions and no specific application association. These files are potentially unsafe as they will launch in Terminal and their content will be executed as commands. While these files are not automatically launched, if manually opened they could lead to the execution of arbitrary code. This issue does not affect systems prior to Mac OS X v10.5.
  • CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823, CVE-2008-4824: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 9.0.151.0. Further information is available via the Adobe web site.
  • CVE-2008-4218: Integer overflow issues exist within the i386_set_ldt and i386_get_ldt system calls, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issues through improved bounds checking. These issues do not affect PowerPC systems.
  • CVE-2008-4219: An infinite loop may occur when a program located on an NFS share receives an exception. This may lead to an unexpected system shutdown. This update addresses the issue through improved handling of exceptions.
  • CVE-2008-4220: An integer overflow exists in Libsystem’s inet_net_pton API, which may lead to arbitrary code execution or the unexpected termination of the application using the API. This update addresses the issue through improved bounds checking. This API is not normally called with untrusted data, and no exploitable cases of this issue are known. This update is provided to help mitigate potential attacks against any application using this API.
  • CVE-2008-4221: A memory corruption issue exists in Libsystem’s strptime API. Parsing a maliciously crafted date string may lead to arbitrary code execution or unexpected application termination. This update addresses the issue through improved memory allocation.
  • CVE-2008-1391: Multiple integer overflows exist in Libsystem’s strfmon implementation. An application calling strfmon with large values of certain integer fields in the format string argument may unexpectedly terminate or lead to arbitrary code execution. This update addresses the issues through improved bounds checking.
  • CVE-2008-4237: The method by which the software on a managed client system installs per-host configuration information does not always correctly identify the system. On a misidentified system, per-host settings are not applied, including the screen saver lock. This update addresses the issue by having Managed Client use the correct system identification. This issue does not affect systems with built-in Ethernet.
  • CVE-2008-4222: An infinite loop may occur in the handling of TCP packets in natd. By sending a maliciously crafted TCP packet, a remote attacker may be able to cause a denial of service if Internet Sharing is enabled. This update addresses the issue by performing additional validation of TCP packets.
  • CVE-2008-4223: An authentication bypass issue exists in the Podcast Producer server, which may allow an unauthorized user to access administrative functions in the server. This update addresses the issue through improved handling of access restrictions. Podcast Producer was introduced in Mac OS X Server v10.5.
  • CVE-2008-4224: An input validation issue exists in the handling of malformed UDF volumes. Opening a maliciously crafted ISO file may lead to an unexpected system shutdown. This update addresses the issue through improved input validation.
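
The Safari cookie item above (session fixation via cookies set for a country-specific top-level domain) is fixed, per the advisory, by additional validation of domain names. The following is an added example of what such a check looks like, written for this digest; it is not Apple's or WebKit's code, and the suffix list is a small constructed subset rather than the real public suffix list.

```javascript
// Added example: reject a cookie Domain attribute that names a public suffix
// (a TLD or a country-specific second level such as co.uk), since every site
// under that suffix would share the cookie. Not Apple's code; the suffix set
// below is a constructed subset used only for illustration.
const PUBLIC_SUFFIXES = new Set([
  "com", "net", "org", "uk", "co.uk", "org.uk", "jp", "co.jp", "au", "com.au",
]);

// Strip a leading dot (RFC-style "Domain=.example.com"), a trailing dot, and
// case, so comparisons are on canonical names.
function normalizeDomain(d) {
  return d.trim().toLowerCase().replace(/^\./, "").replace(/\.$/, "");
}

// Returns true when a response from `requestHost` may set a cookie whose
// Domain attribute is `domainAttr`.
function isAcceptableCookieDomain(requestHost, domainAttr) {
  const host = normalizeDomain(requestHost);
  const domain = normalizeDomain(domainAttr);
  if (domain === "") return false;
  // A bare public suffix must never be a cookie domain.
  if (PUBLIC_SUFFIXES.has(domain)) return false;
  // Domain-matching: the request host must be the domain itself or a
  // subdomain of it, so a site cannot set cookies for unrelated domains.
  if (host === domain) return true;
  return host.endsWith("." + domain);
}

// Convenience for a Set-Cookie header value: extract Domain= and check it.
function cookieDomainAllowed(requestHost, setCookieValue) {
  const m = /;\s*domain=([^;]+)/i.exec(setCookieValue);
  if (!m) return true; // no Domain attribute: cookie is host-only, always fine
  return isAcceptableCookieDomain(requestHost, m[1]);
}
```

With the real fix the suffix set is much larger and maintained as data, but the shape of the check is the same: the attribute must be an ancestor of the request host and must not itself be a shared suffix.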

[Source: zdnet]

Firefox joins security patch day treadmill

Mozilla is joining Microsoft and Opera on the browser patching treadmill.

The open-source group has rolled out the final security fix for the Firefox 2 branch and a new version of Firefox 3 to plug about a dozen security holes that could lead to remote code execution attacks, browser crashes and information disclosure issues.

[ SEE: ‘End of life’ beckons for Firefox 2 ]

In all, Mozilla released eight different bulletins with details on the security flaws. Three of the bulletins carry a “critical” label, meaning they can be exploited “to run attacker code and install software, requiring no user interaction beyond normal browsing.”

One of the bulletins carries a “high severity” rating, meaning it can be used by hackers “to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.”

[ SEE: ‘Extremely severe’ vulnerabilities in Opera browser ]

The details:

  • MFSA 2008-69 XSS vulnerabilities in SessionStore
  • MFSA 2008-68 XSS and JavaScript privilege escalation
  • MFSA 2008-67 Escaped null characters ignored by CSS parser
  • MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
  • MFSA 2008-65 Cross-domain data theft via script redirect error message
  • MFSA 2008-64 XMLHttpRequest 302 response disclosure
  • MFSA 2008-63 User tracking via XUL persist attribute
  • MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

Some of the bugs only affect Firefox 3 so it is important for all Firefox users to apply the update that’s released via the browser’s automatic patching mechanism.

As I previously reported, Mozilla is not planning any more security and stability updates for Firefox 2. If you are still on the old version, also note that the Google-powered anti-phishing protection will no longer be available for Firefox 2 users.

ALSO SEE: As attacks escalate, MS readies emergency IE patch

* Image source: _sarchi’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Google sponsored links spreading (scareware) rogue AV

Malware hunters at Websense Security Labs have discovered legitimate Google sponsored links being used to plant scareware programs (rogue anti-virus applications) on the computers of Windows users.

In a blow-by-blow description of the rogueware attack, Websense researcher Elad Sharf shows how an innocent Google search for the Winrar file archiver and data compression utility can lead to a fake C|Net downloads.com page hosting a legitimate version of Winrar, with a nefarious twist:

Google sponsored links spreading (scareware) rogue AV

According to Sharf, the installer also drops a malicious file named explore.exe in the Windows system32 folder, and then runs the executable. The malicious file is associated with the icon used by Winrar SFX archives, and it binds to the system’s start-up.

The malicious explore.exe file proceeds to change the hosts file to point popular home page sites to a fake Microsoft Security Center site and displays a message box at one minute intervals.

This is how the scam works: after installing the infected program, users are interrupted with message boxes at one minute intervals. Thinking that the system has been infected, and irritated at the constant interruption, they might next search for information about the infection using the text that appears in the pop-up message. Finding legitimate forums discussing this infection, they will find confirmation that they are infected. The malware itself offers a fake remedy in the form of a pointer to a fake site. Users with any of the sites in the modified hosts file as their home page, or users who try to access any of those sites, are redirected to a site that pretends to be a Microsoft security center alert.

The end result is the user is tricked into running a security scan using this rogueware and receiving confirmation that the machine is indeed infected. The criminals then attempt to sell a disinfection tool to remove the malware they installed on the victim’s machine.

Ugly stuff.

[Source: zdnet]

‘Extremely severe’ vulnerabilities in Opera browser

Opera has released version 9.63 of its browser as a “recommended security upgrade” that fixes at least seven security vulnerabilities, some with serious risk implications.

The most serious of the flaws could lead to remote code execution if an Opera user is tricked into surfing to a maliciously rigged Web page. Two of the bugs are rated “extremely severe” while three others are rated “highly severe.”

Details on the Opera 9.63 vulnerabilities:

  • Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code. Rated extremely severe.
  • Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be employed. Rated extremely severe.
  • Exceptionally long host names in file: URLs can cause a buffer overflow, which may be exploited to execute arbitrary code. Remote Web pages cannot refer to file: URLs, so successful exploitation involves tricking users into manually opening the exploit URL, or a local file that refers to it. Rated highly severe.
  • When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information. Rated highly severe.
  • Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site. Rated highly severe.
  • Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas. Details will be disclosed at a later date.
  • SVG images embedded using tags can no longer execute Java or plugin content, suggested by Chris Evans.

Opera users are strongly encouraged to download and apply the newest version.

[Source: zdnet]

New worm exploiting MS08-067 flaw spotted in the wild

Microsoft’s Security Response Center and McAfee are warning of increased network scanning activity during the last couple of days courtesy of the very latest W32/Conficker.worm exploiting the already patched MS08-067 vulnerability. What’s particularly interesting in the latest wave of copycat worms is that W32/Conficker.worm is patching the infected host in order to ensure that competing malicious parties wouldn’t be able to get in using it. How nice of them.

“This malware mostly spreads within corporations but also was reported by several hundred home users. It opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too.”

The public release of the proof of concept code in September prompted an immediate reaction by international underground communities releasing several different modifications of the exploit, with the Chinese being the first to release a do-it-yourself tool allowing subnet scanning and automatic exposure to malware hosted on a third-party server. At first, the tool was released with commercial intentions with its authors charging $37.80; however, just like the majority of proprietary web malware exploitation kits, several days later the tool leaked to the general public. From a strategic perspective, whereas such DIY tools indeed empower low-profile cybercriminals, the real danger comes from scanning modules introduced within larger botnets.
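The signal both Microsoft and McAfee point to is the scanning itself: an infected host contacting many distinct machines on the vulnerable service's port in a short time. The following sliding-window detector is an added example written for this digest, not code from Microsoft, McAfee or any product; the flow records are constructed, and the choice of port 445 (SMB, over which the Server service patched by MS08-067 is reached) is an assumption of the example rather than something the article states.

```javascript
// Added example: flag internal hosts that contact an unusual number of
// distinct peers on one port within a short window. Not vendor code; the
// flow records are constructed and port 445 is the example's assumption.
const SAMPLE_FLOWS = [];
// constructed: one host sweeping twelve neighbours within twelve seconds
for (let i = 0; i < 12; i++) {
  SAMPLE_FLOWS.push(`${1229000000 + i},10.0.0.5,10.0.0.${20 + i},445`);
}
// constructed: a host with ordinary, spread-out file-sharing traffic
SAMPLE_FLOWS.push("1229000005,10.0.0.9,10.0.0.30,445");
SAMPLE_FLOWS.push("1229000050,10.0.0.9,10.0.0.31,445");
SAMPLE_FLOWS.push("1229000100,10.0.0.9,10.0.0.32,445");
// constructed: traffic on another port is ignored entirely
SAMPLE_FLOWS.push("1229000001,10.0.0.7,10.0.0.40,80");

// Parse "timestamp,src,dst,dport" records and return the source addresses
// that reach at least `threshold` distinct destinations on `port` within any
// `windowSec`-second span.
function findScanners(flowLines, { port = 445, windowSec = 60, threshold = 10 } = {}) {
  const bySrc = new Map();
  for (const line of flowLines) {
    const [ts, src, dst, dport] = line.trim().split(",");
    if (Number(dport) !== port) continue;
    if (!bySrc.has(src)) bySrc.set(src, []);
    bySrc.get(src).push({ ts: Number(ts), dst });
  }

  const scanners = [];
  for (const [src, events] of bySrc) {
    events.sort((a, b) => a.ts - b.ts);
    // Sliding window: advance `start` until the window fits, then count the
    // distinct destinations inside it.
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowSec) start++;
      const distinct = new Set(events.slice(start, end + 1).map((e) => e.dst)).size;
      if (distinct >= threshold) {
        scanners.push(src);
        break;
      }
    }
  }
  return scanners;
}
```

The threshold and window are the tuning knobs: file servers and management hosts legitimately talk to many peers, so a real deployment would exempt those sources or raise the threshold for them rather than lower it for everyone.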

[Source: zdnet]