MD5/rogue CA attack: The sky is not falling

Guest post by John Viega

Today there’s been a lot of buzz about the clever new attack on public key infrastructure from Alex Sotirov and a team of researchers. In the attack, the bad guy ends up with his own Certification Authority (CA) certificate that is fully trusted by every major browser. People are declaring that the entire Internet is broken and that it will be hard to fix. This is simply not true.

The major misconception I’m seeing over and over is that the attack lets the bad guy lift the signature off any existing MD5-signed certificate on the Internet.


[ SEE: SSL broken! Hackers create rogue CA certificate ]

Actually, the attack works by the bad guy generating two certificates, one that is just a regular web site certificate and the other a CA certificate, crafted so that both produce the same MD5 hash. Then, to get the CA certificate trusted, the bad guy submits the web site cert to a CA that signs with MD5. If he can predict the internal values the CA will use before he starts generating the certificates (a process that takes a few days right now), he gets back a signature that can be pasted onto the CA cert, because the CA signed the hash and the hash is the same for both. That rogue CA cert then lets him generate new certs to impersonate anybody on the Internet (e.g., Citibank.com).

This means that existing certificates aren’t currently an attack vector, unless one was actually crafted as part of such an attack.

As a result, this hole is easier to close than people think. The few CAs signing certs with MD5 need to switch to SHA1 (or something stronger). That immediately gets rid of the problem for new certs.

[ Chris Eng: An easy fix ignored ]

For old certs, the risks are also pretty low. Given the up-front research and development cost that would have been necessary, there’s a very good chance that bad guys have focused on low-hanging fruit like social engineering instead of investing the research dollars.

Once the researchers publish technical details on the tricks they used to make the attack cost effective, then probably some bad guys will try, as long as there are still vulnerable CAs. My guess is that there won’t be.

Even if some bad guys have done all the work, the attack is unlikely to have been used more than a handful of times. Either the bad guys will use their fake CA credentials selectively so as not to get caught, or they will get caught quickly and the certs will be blacklisted. Either way, the long-term risks are negligible, as long as all CAs migrate from MD5 immediately or take other precautionary measures, such as using a random certificate ID instead of a sequential one.

And for those CAs that don’t take mitigating steps immediately, the operating systems and browsers of the world should move to blacklist them ASAP.

Right now, the only CA that seems to consistently sign using only MD5 (signing with both MD5 and SHA1 also thwarts this attack) is RapidSSL/FreeSSL (FreeSSL is owned by RapidSSL and is used for trial certs). Who knows why these guys have not migrated away from MD5. But assuming they do it soon, there is little to worry about.
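As an added example (not code from the post or from the researchers it describes), the following Python script implements the defender-side check the post implies: it walks a certificate’s DER encoding far enough to read the serial number and the two AlgorithmIdentifiers, then reports whether the signature is MD5-based, whether the inner and outer algorithm fields agree, and whether the serial is short enough to look sequential rather than random. The sample certificates are constructed skeletons built by the script itself, not real certificates, and the 64-bit serial threshold (`MIN_SERIAL_BITS`) is an assumption chosen for this example, not a figure from the post.

```python
"""Flag X.509 certificates still signed with MD5 (added example, not from the post).
Walks just enough DER to reach a certificate's two AlgorithmIdentifiers and its serial
number. The sample certificates are CONSTRUCTED skeletons, not real certificates."""

# Well-known RSA signature OIDs (PKCS #1 / RFC 3279 / RFC 4055).
MD5_OID = "1.2.840.113549.1.1.4"
SHA1_OID = "1.2.840.113549.1.1.5"
SIG_ALG_NAMES = {MD5_OID: "md5WithRSAEncryption", SHA1_OID: "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
MIN_SERIAL_BITS = 64  # assumption: threshold chosen for this example, not from the post

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode an OBJECT IDENTIFIER value (base-128 arcs) to dotted notation."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def inspect_certificate(der):
    """Report signature algorithm, inner/outer consistency and serial size of a DER cert."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, cert, _ = read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, pos = read_tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, outer_alg, pos = read_tlv(cert, pos)
    assert tag == 0x30, "signatureAlgorithm must be an AlgorithmIdentifier"
    # TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber INTEGER,
    #                               signature AlgorithmIdentifier, ... }
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0  # skip the optional version when present
    tag, serial_bytes, pos = read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    tag, inner_alg, _ = read_tlv(tbs, pos)
    assert tag == 0x30, "inner signature must be an AlgorithmIdentifier"

    inner_oid = decode_oid(read_tlv(inner_alg, 0)[1])
    outer_oid = decode_oid(read_tlv(outer_alg, 0)[1])
    serial = int.from_bytes(serial_bytes, "big")
    uses_md5, mismatch = MD5_OID in (inner_oid, outer_oid), inner_oid != outer_oid

    findings = []
    if uses_md5:
        findings.append("signature uses MD5; the CA should re-sign with SHA-1 or stronger")
    if mismatch:
        findings.append("signatureAlgorithm differs between TBSCertificate and Certificate")
    if serial.bit_length() < MIN_SERIAL_BITS:
        findings.append(f"serial has only {serial.bit_length()} bits; a long random serial "
                        "keeps the to-be-signed bytes unpredictable to an attacker")
    return {"signature_algorithm": SIG_ALG_NAMES.get(outer_oid, f"unknown ({outer_oid})"),
            "uses_md5": uses_md5, "algorithm_mismatch": mismatch,
            "serial": serial, "serial_bits": serial.bit_length(), "findings": findings}

# ---- Constructed sample data: a tiny DER encoder for the certificate skeleton ----
def tlv(tag, value):
    """Encode one DER TLV (short length form; the skeletons are well under 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def encode_oid(dotted):
    """Encode dotted OID notation as a DER OBJECT IDENTIFIER value."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def algorithm_identifier(oid):
    return tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))  # OID + NULL parameters

def build_sample_cert(inner_oid, serial, outer_oid=None):
    """CONSTRUCTED skeleton: version, serial, both AlgorithmIdentifiers and a dummy signature.
    Issuer, validity, subject and public key are omitted; this is not a valid certificate."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))  # [0] EXPLICIT INTEGER 2, i.e. v3
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = tlv(0x30, version + serial_der + algorithm_identifier(inner_oid))
    dummy_sig = tlv(0x03, b"\x00" * 17)  # BIT STRING: 0 unused bits + 16 zero bytes
    return tlv(0x30, tbs + algorithm_identifier(outer_oid or inner_oid) + dummy_sig)

# Sample 1: MD5-signed with a small, sequential-looking serial (the weak case in the post).
SAMPLE_MD5_SEQUENTIAL = build_sample_cert(MD5_OID, 643287)
# Sample 2: SHA-1-signed with a constructed 128-bit random-looking serial.
SAMPLE_SHA1_RANDOM = build_sample_cert(SHA1_OID, 0x4B3F9A2E7D11C08A63F2E9B7D5A4C1F0)

if __name__ == "__main__":
    for label, der in (("md5/sequential", SAMPLE_MD5_SEQUENTIAL), ("sha1/random", SAMPLE_SHA1_RANDOM)):
        report = inspect_certificate(der)
        print(f"{label}: {report['signature_algorithm']}, serial {report['serial_bits']} bits")
        for finding in report["findings"]:
            print("  -", finding)
```

Run stand-alone, the script prints a report for both constructed samples. In practice the same check is pointed at a CA’s issued certificates or at the chain a client receives; any certificate flagged for MD5 is a candidate for the re-signing with SHA1 the post calls for, and a short serial is the “sequential certificate ID” it suggests replacing with a random one.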

* John Viega is CEO of Stonewall Software and author of several security books including the classic Building Secure Software (Addison Wesley, 2001), and the forthcoming Myths of Security (O’Reilly, 2009). Follow him on Twitter.

[Source: zdnet]

SSL broken! Hackers create rogue CA certificate using MD5 collisions

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.

The research, which will be presented today by Alex Sotirov and Jacob Appelbaum at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.

The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates. The most commonly used Web browsers — including Microsoft’s Internet Explorer and Mozilla’s Firefox — whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).

“We basically broke SSL,” Sotirov said in an interview ahead of his 25C3 presentation.

Our main result is that we are in possession of a “rogue” Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the “root CA certificates” present in the so-called “trust list” of the browser. In turn, web site certificates issued by us and based on our rogue CA certificate will be validated and trusted as well. Browsers will display these web sites as “secure”, using common security indicators such as a closed padlock in the browser’s window frame, the web address starting with “https://” instead of “http://”, and displaying reassuring phrases such as “This certificate is OK” when the user clicks on security related menu items, buttons or links.

Researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands helped in the design and implementation of the attack using an advanced implementation of a known MD5 collision construction and a cluster of more than 200 PlayStation 3 game consoles.

According to Sotirov, a rogue CA in combination with Dan Kaminsky’s DNS attack can have serious consequences:

For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users’ passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.

Sotirov said the team was able to secure NDAs in advance of briefing the major browser vendors about the problem, but because of issues — some practical and some political — there are no straightforward fixes unless the CAs stop using MD5 and move to the more secure SHA-1 algorithm.

To avoid abuse, the team back-dated its rogue CA (it was set only for August 2004) and will not release the private key. “We’re also not going to release the special code that we used to do the MD5 collisions until later this year,” Sotirov added.

“We don’t anticipate this attack to be repeatable very easily. If you do a naive implementation, you would need six months to run it successfully,” he added.

According to Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms, the key objective of the research was to stimulate better Internet security with adequate protocols that provide the necessary security.

The key takeaway, according to Lenstra: “It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard.”

[Source: zdnet]

Santa left a virus under the Christmas tree

Amazon has warned its customers that one of Samsung’s digital picture frames shipped to customers with a virus. While Samsung has some egg on its face, malware that ships on consumer hardware is not as serious an issue as it may seem.

Earlier this week Amazon alerted its customers to an issue affecting the installation CD that shipped with the Samsung SPF-85H 8-inch Digital Picture Frame. Apparently the CD shipped with a copy of the W32.Sality.AE virus. Amazon is recommending that people download a recent copy of the application directly from Samsung’s website rather than using the CD.

So yes, this is embarrassing for Samsung. It shows that either they or the subcontractor who cut the CD need to tighten up their processes around manufacturing systems. There is no reason for those machines to be exposed to malware, let alone to not be running up-to-date anti-virus that would catch such infections.

The customers have a pretty low likelihood of being infected by this malware, though. Any system running up-to-date anti-virus would have been guaranteed to spot the potential infection, as the delay between when the CD was first cut and when the customer attempted to install the application was far longer than the average amount of time it takes for a piece of malware to be detected by an anti-virus package. If the system wasn’t running an up-to-date anti-virus package, well, it probably had oodles of malware already, and the marginal cost of one more infection is pretty small.

I suspect next year Samsung will be asking Santa for security people who are tightwads about compliance.

[Source: zdnet]

Microsoft pours cold water on WMP flaw warning

Microsoft is pouring cold water on public reports of a serious code execution vulnerability in the newest versions of its Windows Media Player software.

Following the release of proof-of-concept code alongside a claim that the bug can be remotely exploited to launch arbitrary code, a Microsoft spokesman insists this “is not a product vulnerability.”

Here’s Microsoft’s full statement:

Microsoft is aware of a falsely reported vulnerability in Microsoft Windows Media Player Dec. 25, 2008. Microsoft investigated the claim and found that this is not a product vulnerability. Microsoft confirmed that the reported crash is not exploitable and does not allow an attacker to execute arbitrary code, as was incorrectly claimed in the public report.

The statement follows an advisory from researcher Laurent Gaffie that a remote user can create a specially crafted WAV, SND, or MIDI file to trigger an integer overflow and execute arbitrary code on the target system.

Gaffie claims the bug affects all versions of the media player, including WMP 11.

UPDATE:

Jonathan Ness from Microsoft’s SWI team provides more details on why this bug isn’t exploitable and says it was already discovered internally and slated for fixing in a future service pack:

We found this already through our internal fuzzing efforts. It was correctly triaged at the time as a reliability issue with no security risk to customers. We do like to get these reliability issues fixed in a future service pack or a future version of the platform whenever possible. This particular bug, for example, has already been fixed in Windows Server 2003 Service Pack 2.

On the MSRC blog, Christopher Budd laments the fact that the researcher went public with an advisory instead of reporting it directly to Microsoft.

* Image source: LuChOeDu Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Once again confirming the trend of more legitimate sites serving exploits and malware than purely malicious ones, Chinese hackers have kept busy over the last couple of days, launching massive SQL injection attacks affecting over 100,000 web sites.

The SQL injection attacks, which serve the just-patched Internet Explorer XML parsing exploit, are launched by several different Chinese hacking groups and, with a few exceptions, primarily target Asian countries. That is a logical move given that what is ultimately served is password-stealing malware for online games.

Which is the most targeted country?

According to stats from Symantec, China ironically remains the country most actively targeted by the IE exploit, ironic in the sense that it was Chinese researchers who leaked the exploit in the first place. Moreover, the 100,000 web sites Symantec cites as infected should be taken as a very conservative figure, since more domains are being injected and, as in previous campaigns, the number of affected sites can change quickly.

Consider the big picture for a moment. With or without a patch for the IE exploit, cybercrime that relies on exploiting already-patched client-side vulnerabilities will continue to grow, as it has throughout 2008. Although old-fashioned compared to Russian cybercriminals, who would have included the exploit in their web malware exploitation kits and served banker malware instead of password-stealing malware, the Chinese attackers appear to be well aware of this trend: all of the sites serving the IE exploit also serve several other exploits targeting Adobe’s Flash, Acrobat Reader and RealPlayer, for starters.

Recent studies keep emphasizing that millions of users not only continue browsing the web with insecure browsers, but are also so focused on browser vulnerabilities that they ignore the rest of the software running on their PCs as a potential infection vector, even though they are running insecure versions of it. Cybercriminals are aware of this, and therefore include sets of exploits targeting every known-vulnerable version of a given piece of software in order to increase the chances of a successful infection. This SQL injection attack is the most recent example of that mentality.

In 2008, cybercriminals continue to infect thousands of new hosts on a daily basis using 2007’s critical vulnerabilities, because instead of patching vulnerable software, the majority of end users remain comfortable with their false sense of security.

[Source: zdnet]

Microsoft confirms critical SQL Server vulnerability

Microsoft late Monday issued a pre-patch advisory confirming a remote code execution vulnerability affecting its SQL Server line.

The vulnerability, publicly disclosed with exploit code more than two weeks ago, affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

From the advisory:

[ SEE: As attacks escalate, MS readies emergency IE patch ]

Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.

In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.

[ SEE: MS Patch Tuesday whopper: 28 vulnerabilities in Windows, IE, Office ]

The vulnerability is not exposed anonymously. An attacker would need to either authenticate to exploit the vulnerability or take advantage of a SQL injection vulnerability in a Web application that is able to authenticate, Microsoft explained.

[Source: zdnet]

A T-SQL script is available to test systems for this issue. In the absence of a patch, Microsoft recommends that SQL Server admins deny permissions on the sp_replwritetovarbin extended stored procedure. See more in the Microsoft advisory.

Firefox joins security patch day treadmill

Mozilla is joining Microsoft and Opera on the browser patching treadmill.

The open-source group has rolled out the final security fix for the Firefox 2 branch and a new version of Firefox 3 to plug about a dozen security holes that could lead to remote code execution attacks, browser crashes and information disclosure issues.

[ SEE: ‘End of life’ beckons for Firefox 2 ]

In all, Mozilla released eight different bulletins with details on the security flaws. Three of the bulletins carry a “critical” label, meaning they can be exploited “to run attacker code and install software, requiring no user interaction beyond normal browsing.”

One of the bulletins carries a “high severity” rating, meaning it can be used by hackers “to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.”

[ SEE: ‘Extremely severe’ vulnerabilities in Opera browser ]

The details:

  • MFSA 2008-69 XSS vulnerabilities in SessionStore
  • MFSA 2008-68 XSS and JavaScript privilege escalation
  • MFSA 2008-67 Escaped null characters ignored by CSS parser
  • MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
  • MFSA 2008-65 Cross-domain data theft via script redirect error message
  • MFSA 2008-64 XMLHttpRequest 302 response disclosure
  • MFSA 2008-63 User tracking via XUL persist attribute
  • MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

Some of the bugs only affect Firefox 3, so it is important for all Firefox users to apply the update that’s released via the browser’s automatic patching mechanism.

As I previously reported, Mozilla is not planning any more security and stability updates for Firefox 2. If you are still on the old version, also note that the Google-powered anti-phishing protection will no longer be available for Firefox 2 users.

ALSO SEE: As attacks escalate, MS readies emergency IE patch

* Image source: _sarchi’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]