<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0">
    <title>aka jane</title>
    <link rel="self" type="application/atom+xml" href="http://www.commonmime.com/aka_jane/atom.xml" />
    <link rel="hub" href="http://hubbub.api.typepad.com/" />
    <link rel="alternate" type="text/html" href="http://www.commonmime.com/aka_jane/" />
    <id>tag:typepad.com,2003:weblog-561517</id>
    <updated>2007-08-22T15:55:03-04:00</updated>
    <subtitle>Beware of Hype. Blame no one. Expect nothing. Do something.

- Darren Rowse </subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <entry>
        <title>Good Stuff</title>
        <link rel="alternate" type="text/html" href="http://www.commonmime.com/aka_jane/2007/08/good-stuff.html" />
        <link rel="replies" type="text/html" href="http://www.commonmime.com/aka_jane/2007/08/good-stuff.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-37973923</id>
        <published>2007-08-22T15:55:03-04:00</published>
        <updated>2007-08-22T15:55:03-04:00</updated>
        <summary>I felt that some humor might be beneficial today.... Confronting the 5 Stages of IT Grief 10 More Stupid Things Smart IT People Still Do 10 Things IT People Secretly Think ...</summary>
        <author>
            <name>(.jane)</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://www.commonmime.com/aka_jane/">
&lt;div xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;
&lt;p&gt;I felt that some humor might be beneficial today....&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.commonmime.com/.shared/image.html?/photos/uncategorized/2007/08/22/01425i18574400_2.jpg&quot;&gt;&lt;img width=&quot;100&quot; height=&quot;57&quot; border=&quot;0&quot; src=&quot;http://www.commonmime.com/aka_jane/images/2007/08/22/01425i18574400_2.jpg&quot; title=&quot;01425i18574400_2&quot; alt=&quot;01425i18574400_2&quot; style=&quot;margin: 0px 5px 5px 0px; float: left;&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul class=&quot;hp_link_featured_stories&quot;&gt;
&lt;li&gt;&lt;a href=&quot;http://www.eweek.com/slideshow_viewer/0,1205,l=&amp;amp;s=27323&amp;amp;a=213725&amp;amp;po=1,00.asp?p=y&quot;&gt;Confronting the 5 Stages of IT Grief&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.eweek.com/slideshow_viewer/0,1205,l=&amp;amp;s=27323&amp;amp;a=213625&amp;amp;po=1,00.asp?p=y&quot;&gt;10 More Stupid Things Smart IT People Still Do&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.eweek.com/slideshow_viewer/0,1205,l=&amp;amp;s=26744&amp;amp;a=211390&amp;amp;po=1,00.asp?p=y&quot;&gt;10 Things IT People Secretly Think ...&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
</content>


    </entry>
    <entry>
        <title>Microsoft Tackles Vista, Virtualization Patches</title>
        <link rel="alternate" type="text/html" href="http://www.commonmime.com/aka_jane/2007/08/microsoft-tackl.html" />
        <link rel="replies" type="text/html" href="http://www.commonmime.com/aka_jane/2007/08/microsoft-tackl.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-37708277</id>
        <published>2007-08-15T11:57:28-04:00</published>
        <updated>2007-08-15T11:57:28-04:00</updated>
        <summary>By Lisa Vaas Patch Tuesday finds Microsoft addressing a host of security issues with Vista and virtualization. Patch Tuesday brings with it a host of security issues with Vista, issues with virtualization and a fun time for system administrators who...</summary>
        <author>
            <name>(.jane)</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://www.commonmime.com/aka_jane/">
&lt;div xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;&lt;p&gt;By Lisa Vaas&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Patch Tuesday finds Microsoft addressing a host of security issues with Vista and virtualization.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Patch Tuesday brings with it a host of security issues with Vista, issues with virtualization and a fun time for system administrators who deal with clients using some wildly popular Microsoft applications: Internet Explorer and Excel.&lt;/p&gt;

&lt;p&gt;On Aug. 14, Microsoft released &lt;a href=&quot;http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx&quot; target=&quot;_blank&quot;&gt;nine security patches&lt;/a&gt; for 14 vulnerabilities, with six of the updates rated critical, in its biggest patch release since February.&lt;/p&gt;

&lt;p&gt;&amp;quot;With nine security bulletins, today is the second-busiest Patch Tuesday this year,&amp;quot; said Dave Marcus, security research and communications manager at McAfee Avert Labs, in a statement. &amp;quot;Many of the vulnerabilities addressed by Microsoft&#39;s fixes could be exploited if a Windows user simply visits a malicious Web site. Microsoft&#39;s patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits.&amp;quot;&lt;/p&gt;

&lt;p&gt;One thing that Microsoft failed to get out: an update that would address an ATI driver vulnerability that affects the Vista kernel. Microsoft told eWEEK that it&#39;s now working with Advanced Micro Devices on a fix for that issue.&lt;/p&gt;

&lt;p&gt;All nine of the security bulletins pertain to what Eric Schultze, chief security architect at Shavlik Technologies, calls client-side vulnerabilities. That means a user has to take action in order to get attacked. In most cases that involves visiting a malicious site, reading a malicious e-mail or opening a malicious file.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Read here about &lt;a href=&quot;http://www.eweek.com/article2/0,1895,2157494,00.asp&quot; class=&quot;NAVELEMENT&quot;&gt;Microsoft&#39;s $50 million investment in its Forefront security line.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The good news: Server administrators running big server farms, with no users executing script that can install code onto their systems, have it easy. Their servers are safe, Schultze said, given that there&#39;s no vulnerability that can result in a Code Red or Nimda worm situation.&lt;/p&gt;

&lt;p&gt;Still, today&#39;s patch load is enough reason to disconnect your PC from the wall for a few weeks, he said, given that if you visit a malicious site, there are six ways you can get attacked.&lt;/p&gt;

&lt;p&gt;Starting at the top is MS07-042, a vulnerability in Microsoft XML Core Services that could allow remote code execution. This vulnerability, which can be exploited through attacks on Microsoft XML Core Services, involves a user viewing a maliciously crafted Web page using IE (Internet Explorer).&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.eweek.com/category2/0,1874,1570277,00.asp&quot;&gt;eWEEK.com Special Report:&lt;/a&gt; Keeping Pace with Microsoft&#39;s Patches&lt;/p&gt;

&lt;p&gt;That one, rated critical, goes hand in hand with MS07-043, Microsoft&#39;s security bulletin regarding a vulnerability in OLE Automation that could also get your system hijacked. Users are vulnerable if they view malicious sites that contain attacks on OLE (Object Linking and Embedding). Both MS07-042 and -043 were found by the same researchers: An anonymous researcher working with the VeriSign iDefense VCP and an anonymous researcher working with the Zero Day Initiative.&lt;/p&gt;

&lt;p&gt;A third critical vulnerability is detailed in MS07-044, which addresses an Excel problem that could allow remote code execution if a user opens a malicious Excel file. Nothing new there—Excel security vulnerabilities are popping up regularly nowadays, Schultze noted.&lt;/p&gt;

&lt;p&gt;The MS07-045 security bulletin scoops up three critical vulnerabilities in IE that could get your system hijacked if you view a malicious site with the browser, given that a maliciously crafted page can trigger ActiveX controls on vulnerable systems. The flaws pertain to just about all versions of IE, including on Vista.&lt;/p&gt;

&lt;p&gt;MS07-046 is another critical bulletin, involving a vulnerability in GDI that could allow for remote code execution. This one involves visiting a malicious site that contains an evil graphic. As soon as you view the graphic through a banner ad or on a site, the malicious graphic attacks your system. Microsoft has patched GDI multiple times already, Schultze noted.&lt;/p&gt;

&lt;p&gt;Amol Sarwate, manager of the Vulnerabilities Lab at Qualys, said -046 would likely be his top-priority patch to apply, followed by the IE and Excel patches, given the applications&#39; prevalence and the consequences of remote code execution.&lt;/p&gt;

&lt;p&gt;MS07-050 addresses a critical vulnerability in VML (Vector Markup Language) that also allows for remote code execution.&lt;/p&gt;

&lt;p&gt;MS07-047 deals with two important vulnerabilities in Windows Media Player—particularly, in the skins that make Media Player look pretty—that could lead to remote code execution.&lt;/p&gt;

&lt;p&gt;One important security bulletin, MS07-048, is notable in that the two vulnerabilities addressed aren&#39;t in old code—they&#39;re in Vista&#39;s Windows Gadgets, a new application that lets you run gadgets on the side of your screen that do things like display clocks or the weather or sports information.&lt;/p&gt;

&lt;p&gt;If a gadget creator is evil, Schultze said, he or she can execute other code in that box on the side of your screen, given that the vulnerabilities allow anonymous remote attackers to run code with the privileges of a logged-on user.&lt;/p&gt;

&lt;p&gt;&amp;quot;If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system,&amp;quot; Microsoft said in its bulletin. No other operating systems besides Vista are vulnerable to this one.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;To read about &lt;a href=&quot;http://www.eweek.com/article2/0,1895,2161091,00.asp&quot; class=&quot;NAVELEMENT&quot;&gt;Vista&#39;s top three support issues,&lt;/a&gt; click here.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Finally there&#39;s MS07-049, a flaw that&#39;s only rated important but which researchers find very interesting. This vulnerability concerns the ability to elevate privileges in Virtual PC and Virtual Server that could allow a guest operating system user to run code on the host or another guest operating system.&lt;/p&gt;

&lt;p&gt;&amp;quot;While it is not the most severe vulnerability covered by Microsoft this month, IBM ISS considers MS07-049, the virtual machine vulnerability in Microsoft Virtual PC and Microsoft Virtual Server, to be the most interesting,&amp;quot; said X-Force Researcher Tom Cross in a statement. &amp;quot;Enterprises are increasingly embracing virtualization to simplify IT management and cut infrastructure costs. As this trend continues, we&#39;re going to see attackers use vulnerabilities like MS07-049 to leverage control over one virtual host to infect others on the same server. This is a new kind of attack methodology that requires unique protection.&amp;quot;&lt;/p&gt;

&lt;p&gt;To exploit this virtualization vulnerability, a guest operating system does need administrative permissions to the guest operating system, Microsoft noted.&lt;/p&gt;

&lt;p&gt;Still, it&#39;s notable, given that this flaw allows a guest to cross a chasm that&#39;s supposed to be uncrossable, breaking out of one machine and into another because they&#39;re running on the same piece of hardware, Schultze noted.&lt;/p&gt;

&lt;p&gt;&amp;quot;That&#39;s a big one if you&#39;re relying on virtualization,&amp;quot; he said. Microsoft&#39;s Virtual PC and Virtual Server technology may be less widely deployed than that of VMware, but it is still used on plenty of production servers to host Web sites or other applications, he said.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.eweek.com/category2/0,1874,1252525,00.asp&quot;&gt;eWEEK Special Report: Securing Windows&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;To sum it all up: As Paul Zimski, senior director of market and product strategy for PatchLink put it, this month&#39;s Patch Tuesday &amp;quot;has headache written all over it.&amp;quot;&lt;/p&gt;

&lt;p&gt;The details of the patches indicate a broad spectrum of exposure, Zimski said in a statement. &amp;quot;The potential attack vectors exposed by these vulnerabilities include direct OS targeting (including Vista x32 and x64), fully-patched Internet Explorer 6 and 7, XML core services, Windows Media Player and Office. This is a target-rich environment for hackers. Organizations need to remediate these vulnerabilities as quickly as possible to avoid falling victim to quick turnaround exploits.&lt;/p&gt;

&lt;p&gt;&amp;quot;All six critical patches require system reboots. Along with two of the &#39;important&#39; patches, the critical patches all address vulnerabilities which, if exploited, could introduce remote code execution and allow hackers to completely take over a machine. This creates a nightmare scenario, and is not far off from complete administrator access—the favorite attack vector.&amp;quot;&lt;/p&gt;

&lt;p&gt;Indeed, some of the patches labeled &amp;quot;important&amp;quot; should actually be treated as critical, Zimski said.&lt;/p&gt;

&lt;p&gt;&amp;quot;For instance, #6 addresses remote code execution through Windows Media Player. This is only given a rating of &#39;important&#39; because it requires some form of user interaction, but many users browsing the Internet are viewing media. Even if an organization blocks certain Web sites or Active content, they typically don&#39;t block streaming media which could easily trick users into compromise if this vulnerability is exploited.&amp;quot;&lt;/p&gt;

&lt;p&gt;To get Microsoft&#39;s downloads, go to the &lt;a href=&quot;http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx&quot; target=&quot;_blank&quot;&gt;bulletin summary page&lt;/a&gt;&amp;nbsp; for August 2007.&lt;/p&gt;

&lt;p&gt;Shavlik is having a &lt;a href=&quot;http://www.shavlik.com/webinars.aspx&quot; target=&quot;_blank&quot;&gt;Webinar&lt;/a&gt; for its customers to go over the patches on Aug. 15 at 11 a.m. CDT.&lt;/p&gt;&lt;/div&gt;
</content>


    </entry>
    <entry>
        <title>Facebook Leaks Its Own Code</title>
        <link rel="alternate" type="text/html" href="http://www.commonmime.com/aka_jane/2007/08/facebook-leaks-.html" />
        <link rel="replies" type="text/html" href="http://www.commonmime.com/aka_jane/2007/08/facebook-leaks-.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-37676905</id>
        <published>2007-08-14T15:24:52-04:00</published>
        <updated>2007-08-14T15:24:52-04:00</updated>
        <summary>By Lisa Vaas Facebook reveals part of its source code on a blog named Facebook Secrets due to a server error. Social networking site Facebook on Aug. 12 posted Facebook&#39;s homepage source code onto a newly created blog named Facebook...</summary>
        <author>
            <name>(.jane)</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.commonmime.com/aka_jane/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>By Lisa Vaas</p>

<p><strong>Facebook reveals part of its source code on a blog named Facebook Secrets due to a server error.</strong></p>

<p>Social networking site Facebook's homepage source code was posted on Aug. 12 to a newly created blog named Facebook Secrets, and the company is now telling people not to use it.</p>

<p>Facebook, based in Palo Alto, Calif., issued a statement about the incident, stressing its minimal impact.</p>

<p>&quot;A small fraction of the code that displays Facebook Web pages was exposed to a small number of users due to a single misconfigured Web server that was fixed immediately,&quot; a Facebook spokesperson said in an e-mail to eWEEK.</p>

<p>&quot;It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further.&quot;</p>

<p>Some in the hacker community suggested that the problems don't stop here, though, given that Facebook runs a very old, very insecure Thttpd server—Version 1.0.</p>

<p>&quot;While it is a cool and tiny server, I would not run it. Just ask Google,&quot; said a poster to the Hacker Webzine, who then proceeded to link to a Google search on &quot;thttpd 1.0 exploit&quot; that returned a host of articles regarding vulnerabilities on this server.</p>

<p><strong>Click here to read about how <a href="http://www.eweek.com/article2/0,1895,2136474,00.asp" class="NAVELEMENT">Facebook has been opening up to developers.</a></strong></p>

<p>An open-source Web server from ACME Laboratories, Thttpd is designed to be simple, lean and fast. The first &quot;t&quot; in thttpd stands for, variously, tiny, turbo or throttling. The server features bandwidth throttling, a feature that enables an administrator to limit the maximum bit rate at which certain types of files may be transferred.</p>

<p>&quot;Thttpd is the first server I was able to exploit some six years back, so it brings back memories,&quot; said the Hacker Webzine poster.</p>

<p>&quot;One of my favorite exploits all time is the Off by one buffer overflow it suffer(ed)s from, because it really shows how careless programmers are: set a max buffer and forget that a loop starts counting at 0, + 1 and it overflows. Anyway, that's not the point now. If they are running a very early version they should upgrade,&quot; the post said.</p>
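<p>The pattern the poster describes, a loop whose bound runs to the buffer size inclusive, is easy to reproduce and to test for. The C below is a constructed example added by the editor; it is not thttpd's code and does not reproduce any particular thttpd bug. The buffer size, the input string and the canary byte placed after the buffer are all invented so that the one-byte overrun can be observed without undefined behaviour.</p>
<pre><![CDATA[
```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 8      /* the caller's buffer is meant to hold MAX_LEN chars plus a NUL */
#define CANARY  0x5A   /* marker byte placed immediately after that buffer */

/* Vulnerable pattern: the bound uses <= instead of <, so the loop copies
 * MAX_LEN + 1 characters and the terminator lands at buf[MAX_LEN + 1],
 * one byte past a buffer of MAX_LEN + 1 bytes. Returns the count copied. */
static size_t copy_off_by_one(char *buf, const char *src)
{
    size_t i;
    for (i = 0; i <= MAX_LEN && src[i] != '\0'; i++)   /* bug: <= */
        buf[i] = src[i];
    buf[i] = '\0';
    return i;
}

/* Corrected copy: at most MAX_LEN characters, terminator at index <= MAX_LEN. */
static size_t copy_bounded(char *buf, const char *src)
{
    size_t i;
    for (i = 0; i < MAX_LEN && src[i] != '\0'; i++)
        buf[i] = src[i];
    buf[i] = '\0';
    return i;
}

/* Harness: give a copy routine a buffer of the intended size (MAX_LEN + 1)
 * followed by one canary byte, all inside a single larger array so the
 * overrun stays inside defined memory. Returns 1 if the canary was
 * overwritten, 0 otherwise. */
static int canary_clobbered(size_t (*copy)(char *, const char *), const char *src)
{
    unsigned char storage[MAX_LEN + 2];
    memset(storage, 0, sizeof storage);
    storage[MAX_LEN + 1] = CANARY;
    copy((char *)storage, src);
    return storage[MAX_LEN + 1] != CANARY;
}

int main(void)
{
    const char *long_input = "AAAAAAAAAAAAAAAA";   /* constructed: 16 bytes, longer than MAX_LEN */
    printf("off-by-one copy clobbered the canary: %d\n", canary_clobbered(copy_off_by_one, long_input));
    printf("bounded copy clobbered the canary:    %d\n", canary_clobbered(copy_bounded, long_input));
    return 0;
}
```
]]></pre>
<p>Run it and the first line prints 1 (the terminator landed one byte past the caller's buffer) while the second prints 0. In a real server that stray byte overwrites whatever the compiler placed after the buffer on the stack or heap, which is what turns a counting slip into an exploitable bug.</p>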

<p>A Facebook spokesperson declined to confirm whether a Thttpd server was in fact to blame for the code leak. </p></div>
</content>


    </entry>
    <entry>
        <title>Biggest Pump-and-Dump Scam Ever Spikes Spam 445%</title>
        <link rel="alternate" type="text/html" href="http://www.commonmime.com/aka_jane/2007/08/biggest-pump-an.html" />
        <link rel="replies" type="text/html" href="http://www.commonmime.com/aka_jane/2007/08/biggest-pump-an.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-37598780</id>
        <published>2007-08-12T17:27:52-04:00</published>
        <updated>2007-08-12T17:27:52-04:00</updated>
        <summary>By Lisa Vaas August 10, 2007 The largest spam scam ever tracked increased the spam count by 445 percent in one day. The largest spam attack ever tracked wound down Aug. 9 after delivering enough big, fat PDF files to...</summary>
        <author>
            <name>(.jane)</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.commonmime.com/aka_jane/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>By Lisa Vaas<br />August 10, 2007</p>

<p><strong>The largest spam scam ever tracked increased the spam count by 445 percent in one day.</strong></p>

<p>The largest spam attack ever tracked wound down Aug. 9 after delivering enough big, fat PDF files to increase total spam size 445 percent in one day, according to Postini, a hosted e-mail filtering company that's been tracking the attack since it started Aug. 7.</p>

<p>Postini tracked a 53 percent jump in spam volume from the day before the attack started to the day it launched, according to Senior Marketing Manager Adam Swidler, in San Carlos, Calif.</p>

<p>Why it stopped is a mystery, but more than likely it wound down because it was a spam run being conducted on a rented bot network, Swidler said. &quot;Presumably … [the] rental time ran out,&quot; he said.</p>

<p>How much would renting that botnet have cost? PandaLabs recently released research into the malware market. It suggested one scenario in which a criminal could buy a Trojan for $500, a 1 million-address mailing list for about $100, a $20 encryption program, and a $500 spamming server. The total outlay in this theoretical example would be $1,120. (For PandaLabs' screen grabs showing what the market looks like, check out the slideshow.)</p>

<p>The attack entails a straightforward pump-and-dump spam scam with no virus payload. Experts at SophosLabs said they had detected around 500 million e-mails with PDFs that recommend buying the stock of Prime Time Group.</p>

<p><strong>Click here to view an eWEEK slideshow on how the <a class="NAVELEMENT" href="http://www.eweek.com/article2/0,1895,2151725,00.asp">gullible get sucked into &quot;scam-spam.&quot;</a></strong></p>

<p>Writing on the Sophos blog Aug. 8, SophosLabs Director Mark Harris noted that the PDF is actually 10 pages long. Toward the end of the file it contains random characters, which Harris suggested might be an attempt to fool simple checksum detection.</p>
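<p>Appending random bytes after the end of a file is a cheap way to give every copy of an attachment a different checksum while leaving what the recipient sees unchanged. The C below is a constructed example added by the editor, not code from Sophos or from the article: it shows the effect of trailing junk on a whole-file CRC-32 and one normalisation that is immune to it, hashing only the bytes up to the final %%EOF marker. The PDF body and the padding strings are invented stand-ins for the spam attachment, and the trimming rule is an illustrative assumption rather than a description of any vendor's detection.</p>
<pre><![CDATA[
```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 (IEEE 802.3 polynomial, reflected): the kind of cheap whole-file
 * checksum a naive filter might key on. Check value for "123456789" is 0xCBF43926. */
static uint32_t crc32_bytes(const unsigned char *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for the spam attachment: a minimal PDF-like body whose
 * only visible text is the stock tip. It is not the real file. */
static const char PDF_BODY[] =
    "%PDF-1.4\n"
    "1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    "2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    "3 0 obj<</Type/Page/Parent 2 0 R/Contents 4 0 R>>endobj\n"
    "4 0 obj<</Length 47>>stream\n"
    "BT /F1 12 Tf (Buy Prime Time Group today) Tj ET\n"
    "endstream\nendobj\n"
    "trailer<</Root 1 0 R>>\n"
    "%%EOF\n";

#define SAMPLE_CAP 1024

/* Build one copy of the attachment: the fixed body plus arbitrary trailing
 * bytes, as the spam run did. Readers ignore bytes after %%EOF, so every copy
 * renders the same page. Returns the total length, or 0 if it does not fit. */
static size_t build_sample(unsigned char *out, size_t cap, const char *padding)
{
    size_t body_len = sizeof PDF_BODY - 1, pad_len = strlen(padding);
    if (body_len + pad_len > cap)
        return 0;
    memcpy(out, PDF_BODY, body_len);
    memcpy(out + body_len, padding, pad_len);
    return body_len + pad_len;
}

/* Offset just past the last "%%EOF" marker, or n if there is none. */
static size_t pdf_logical_end(const unsigned char *p, size_t n)
{
    static const char marker[] = "%%EOF";
    size_t mlen = sizeof marker - 1, end = n;
    for (size_t i = 0; i + mlen <= n; i++)
        if (memcmp(p + i, marker, mlen) == 0)
            end = i + mlen;
    return end;
}

/* Naive detector: checksum of the whole attachment. Defeated by the padding. */
static uint32_t whole_file_checksum(const unsigned char *p, size_t n)
{
    return crc32_bytes(p, n);
}

/* Normalised detector (editor's illustration): checksum only the bytes up to
 * the final %%EOF, so the appended junk no longer changes the value. */
static uint32_t content_checksum(const unsigned char *p, size_t n)
{
    return crc32_bytes(p, pdf_logical_end(p, n));
}

int main(void)
{
    unsigned char a[SAMPLE_CAP], b[SAMPLE_CAP];
    /* constructed padding: two "random" tails that a spammer might append */
    size_t na = build_sample(a, sizeof a, "q8Zk1xT");
    size_t nb = build_sample(b, sizeof b, "Lm0w9PcVd");
    printf("whole-file CRC: %08x vs %08x (differ)\n", whole_file_checksum(a, na), whole_file_checksum(b, nb));
    printf("content CRC:    %08x vs %08x (match)\n", content_checksum(a, na), content_checksum(b, nb));
    return 0;
}
```
]]></pre>
<p>The same trick works against any hash of the raw bytes, MD5 and SHA included; what defeats it is deciding which bytes the hash covers. Trimming at the last %%EOF is the simplest rule for PDF, and a spammer's next move would be to vary bytes inside the document instead, which is why detection tends to move from file hashes to features of the rendered content.</p>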

<p>Prime Time, the subject of the stock pump, did see its stock rise 60 percent as of Aug. 8. It was up 20 percent as of Aug. 9, compared with its pre-spam scam price.</p>

<p>The stock fluctuation clearly shows that pump-and-dump scams work. &quot;Taking a look at the stock price shows why these campaigns continue,&quot; Harris wrote in his posting. &quot;The share price of this particular company has risen by 60 percent since [Aug. 3], so while recipients of this type of spam continue to try and profit on these 'Tips' stock, spam will continue.&quot;</p>

<p>Pump-and-dump scams are a numbers game, Swidler said. While there are people who might well believe whatever the spam author tells them as to the value of the stock, there are also plenty of people who know what the spammer is up to and just decide to ride along, buying stock and then hoping to ride the increase and then cash out before the stock gets dumped en masse, he said.</p>

<p><strong>To read more about <a class="NAVELEMENT" href="http://www.eweek.com/article2/0,1895,2151568,00.asp">why we click on spam,</a> click here.</strong></p>

<p>The spammers might be long gone by now, in fact. &quot;The stock was up 20 percent [Aug. 7],&quot; Swidler said. &quot;The spammers might have gotten out when they made 10 percent profit.&quot;</p>

<p>Postini is also tracking a prolonged virus attack that started July 16 and is still under way. Ninety-nine percent of the activity can be traced to delivery of the Storm worm.</p>

<p>The Storm worm, aka the Peacomm Trojan, initially wreaked havoc via a massive spam e-mail attack in January, and then in February spawned a variant that used instant-messaging platforms to spread.</p>

<p>During the week of April 9, researchers noted the return of the Storm worm, as more than 2 million spam e-mails arrived carrying the latest variant. The initial wave of spam used recent real or fake news headlines to convince users to execute malicious files, while the later Storm surge used e-mail subject lines claiming &quot;Trojan Detected!&quot; or &quot;Worm Activity Detected!&quot;</p>

<p>Postini has seen about 715 million e-mail messages—or about 30 million daily—carrying the Storm worm since this most recent attack began. That's about 30 times the amount of Storm e-mail messages tracked prior to this particular attack. Now ongoing is a blended attack: instead of attaching the virus as a payload, the e-mail points to a site that's hosting malware, which then gets downloaded to the victim's system.</p>

<p>If you're wondering what the spam scam attack and the Storm attack have in common, it's the rise of the botnet that's at the bottom of both, Swidler said.</p>

<p><strong>Read here about <a class="NAVELEMENT" href="http://www.eweek.com/article2/0,1895,2161088,00.asp">the new tool Symantec is using to bat botnets.</a></strong></p>

<p>&quot;[Botnets are a] big reason, if not the primary reason, why spam is up so dramatically,&quot; he said. &quot;It's up 51 percent over the beginning of 2007. Since September 2006, the volume has increased 161 percent.&quot;</p>

<p>Specifically, botnets are responsible for both sending out the spam e-mail and for sending the viruses that infect systems and make them easy prey for being recruited as bots into bot networks, he said.</p>

<p>Postini thinks it will get worse, given the upcoming holiday season and the traditional spike in people going online to do their holiday shopping, Swidler said. </p></div>
</content>


    </entry>
    <entry>
        <title>Researchers Crack the iPhone</title>
        <link rel="alternate" type="text/html" href="http://www.commonmime.com/aka_jane/2007/07/researchers-cra.html" />
        <link rel="replies" type="text/html" href="http://www.commonmime.com/aka_jane/2007/07/researchers-cra.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-36849502</id>
        <published>2007-07-24T12:54:39-04:00</published>
        <updated>2007-07-24T12:54:39-04:00</updated>
        <summary>By Lisa Vaas July 23, 2007 Updated: Apple&#39;s popular multifunctional device can be exploited for data theft or snooping purposes, according to a security firm. A security firm has run the first remote exploits on Apple&#39;s iPhone, proving that the...</summary>
        <author>
            <name>(.jane)</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.commonmime.com/aka_jane/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>By Lisa Vaas<br />July 23, 2007</p>

<p><strong>Updated: Apple's popular multifunctional device can be exploited for data theft or snooping purposes, according to a security firm.</strong></p>

<p>A security firm has run the first remote exploits on Apple's iPhone, proving that the widely popular smart phone is vulnerable not only to data theft but also to being turned into a remote snooping device.</p>

<p>A trio of researchers from Independent Security Evaluators—Charlie Miller, Jake Honoroff and Joshua Mason—have created an exploit for the iPhone's Safari Web browser wherein they use an unmodified device to surf to a maliciously crafted drive-by download site. The site downloads exploit code that forces the iPhone to make an outbound connection to a server controlled by the security firm.</p>

<p>The compromised device then can be forced to send out personal data, including SMS text messages, contact information, call history, voice mail information, passwords, e-mail messages and browsing history.</p>

<p>&quot;We only retrieved some of the personal data, but could just as easily have retrieved any information off the device,&quot; the researchers said in a report.</p>

<p>The researchers also wrote a second exploit to turn an iPhone into a bugging device to record audio that it then transmitted for later collection by a malicious party. This exploit entailed viewing another maliciously crafted site whose payload forced the phone to make a system sound and vibrate for a second. The researchers discovered they also could force the phone into other physical actions, including dialing phone numbers or sending text messages.</p>

<p>Charlie Miller told eWEEK in an interview that the iPhone not only fell hard, it fell fast. &quot;I was a little surprised how quickly and easily it was—two or three days….&quot; to get to a point where the firm knew their exploits would work, he said, and then one and a half weeks total until the researchers had working exploits. &quot;It was a little scary how easy it was.&quot;</p>

<p>There's no reason why others might not have already cracked the device, Miller said. &quot;We're good at what we do but there are thousands of people just as good as us in the world,&quot; he said. &quot;We did it so quickly, it's hard to imagine someone else [who's] skilled and motivated couldn't have done the same thing.&quot;</p>

<p>The iPhone runs a streamlined, customized version of the Mac OS X operating system on an ARM processor. Much of its security posture relies on restrictions against running third-party applications, instead only allowing JavaScript to execute in the device's Safari browser within a sandbox environment.</p>

<p>The Safari browser itself has been stripped down as well. Apple, of Cupertino, Calif., sacrificed the use of plug-ins such as Flash and the downloading of many file types, for example, to minimize the iPhone's attack surface.</p>

<p>However, that still leaves &quot;serious problems&quot; with the way security has been designed and implemented on the device, the researchers said.</p>

<p>They said that the most egregious problem with the iPhone's security profile is that it runs all important processes with full administrative privileges, meaning that an attacker who compromises any iPhone application gains full access to any capability on the device.</p>

<p>The problem is specific to the iPhone: the scaled-back rights that Apple applies on Mac desktops were lost somewhere along the line in the device's design. &quot;[Apple does] things better on the desktop than the iPhone,&quot; Miller said.</p>

<p><a class="NAVELEMENT" href="http://www.eweek.com/article2/0,1895,2158304,00.asp">iPhone vs. IT: clash of the culture titans. <u>Click here</u> to read more.</a></p>

<p>He suggested that one reason Apple may have done security differently with the iPhone's version of Mac OS X is that, ordinarily, you'd expect only one user on one phone. &quot;I think why everything runs as it does [with the rights of an administrator on the iPhone] may be because with a phone, basically, you don't ever expect to have more than one user,&quot; Miller said. &quot;All the data on there's probably [belonging to only] the one user.&quot;</p>

<p>But that's just a guess, he said.</p>

<p>At any rate, Apple could have tripped Miller up by having applications limited in the amount of data they're allowed to access. &quot;I think it makes sense to have it where applications can only access data needed by that one application,&quot; he said.</p>

<p>&quot;If they had done that, I would have only been able to break into the Safari Web browser and read only the browser information,&quot; instead of being able to force the phone to cough up the extensive information he got out of it, &quot;much less dial a phone number&quot; and the other actions, Miller said.</p>

<p>In both exploits—access to sensitive information and tinkering around with physical controls—the compromised process is running as root, meaning that an attacker can control the phone completely. &quot;Once you get your foot in the door, you can do whatever you want,&quot; Miller said.</p>
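<p>The design the researchers criticise, every important process running as root, is the opposite of the usual Unix pattern, in which a program that needs root only briefly gives it up before it touches untrusted input such as a web page. The C below is a constructed example added by the editor; it is not Apple's code and says nothing about how the iPhone's software was actually written. The uid and gid 65534 are an assumed unprivileged identity (the conventional nobody account) used only when the demo is started as root; started as an ordinary user it re-asserts that user's own identity and exercises the same checks.</p>
<pre><![CDATA[
```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed unprivileged identity for the root case; 65534 is the conventional
 * "nobody" id on many systems. Not taken from the article. */
#define UNPRIV_ID 65534

/* Drop to uid/gid in the order that cannot be undone: supplementary groups,
 * then the primary group, then the user. Afterwards confirm the change stuck
 * and that root cannot be regained. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* only root may clear these */
        return -1;
    if (setgid(gid) != 0)        /* group before user: once unprivileged we could not */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* verify all real/effective ids changed, not just the effective ones */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* a leftover saved root uid would let this succeed; treat that as failure */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Demo driver: if started as root, drop to UNPRIV_ID; otherwise re-assert the
 * current (already unprivileged) identity so the same checks run. */
int demo_drop(void)
{
    uid_t uid = getuid() == 0 ? (uid_t)UNPRIV_ID : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)UNPRIV_ID : getgid();
    return drop_privileges(uid, gid);
}

int main(void)
{
    printf("before: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (demo_drop() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  uid=%u euid=%u (setuid(0) now fails)\n", (unsigned)getuid(), (unsigned)geteuid());
    /* From here on, untrusted input (a web page, an attachment) would be parsed
     * with only this user's rights, so a browser bug no longer hands over the device. */
    return 0;
}
```
]]></pre>
<p>The order matters: supplementary groups and the primary group must go before the user, because once the process is no longer root it cannot change them, and the final setuid(0) probe catches a saved root uid that would let an attacker climb straight back. This is the process-level half of what Miller asks for; confining each application to its own data is a separate, filesystem- and policy-level control.</p>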

<p>Curbing administrative rights so as to curtail the reach of a successful attacker is a lesson learned long ago by Microsoft, for one. In its latest operating system release, Vista, one of the most notable security boosts is UAC (User Account Control), a security feature that limits user privileges as much as possible for most of a user's interaction with the desktop. User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it limits the operating system surface an attacker can latch onto.</p>

<p>Not only does UAC limit the effectiveness of malicious code, but Microsoft, in its creation, also stands a good chance of breaking developers' habit of granting too many rights, Gartner analyst Neil MacDonald has pointed out.</p>

<p>Aside from limiting the effectiveness of malicious code, the biggest impact of UAC, according to MacDonald, will be to change developer behavior so applications don't demand that users have to run as administrators to use them.</p>

<p>Apple also dropped the ball on some other widely accepted practices when it comes to security on the iPhone. For example, as has been pointed out by other researchers, when designing the iPhone, Apple eschewed techniques such as address randomization and non-executable heaps, both of which make it harder to exploit the device and more difficult to develop exploit code with staying power.</p>

<p>&quot;These weaknesses allow for the easy development of stable exploit code once a vulnerability is discovered,&quot; according to the report.</p>

<p>To use another comparison to Vista, another security feature in the new operating system is Address Space Layout Randomization. ASLR's job is to shuffle the address space deck, randomly locating programs in memory and making it tougher for attackers to pinpoint a target during an exploit of a vulnerable application. Symantec has determined that when implemented correctly, ASLR is &quot;extremely effective&quot; at mitigating memory corruption attacks.</p>

<p>The researchers have notified Apple of their findings and are holding off on releasing details until Aug. 2 to give Apple time to patch the security holes.</p>

<p>Until Apple patches the iPhone's security holes, Independent Security Evaluators is advising iPhone users to use common sense and not click on links sent by those they don't trust. Also, iPhone users should only use Wi-Fi access points they trust. &quot;If you do those two simple things you reduce your risk to a small, manageable level,&quot; Miller said.</p>

<p>Apple's response to the security firm was pretty much the same as its response to eWEEK, and it is in keeping with what other security researchers have called its typical brush-off style: The company sent Independent Security Evaluators an e-mail saying that it's looking into the issues, without any acknowledgment that there's a problem. An Apple spokesperson told eWEEK that the company is looking into the issue and gave no further information.<br /><em><br />Editor's Note: This story was updated to include input from security researcher Charlie Miller. </em></p></div>
</content>


    </entry>
 
</feed>
