Less than a month after the clickjacking exploit came to light, sporadic reports of users falling victim to the attack are beginning to surface. Dennis O’Reilly’s column in Windows Secrets Newsletter, Issue 172, contains this report from a reader:
Yep, clickjacking is in the wild. I build, fix, and de-badware computers for family, friends, and businesses. I had a friend complain that his eBay page kept popping up with auctions when he hadn’t accessed eBay. So, dutifully, I went to see what was going on and found that he had been trawling through some [game] crack sites.
When he clicked some links, he would also pop his eBay page up (he had his eBay cookie set). Bingo! The crack-page vendors had scored his login details. I quickly apprised him of the risks of visiting said pages and, of course, quickly reset his eBay password and scanned, cleaned, and disinfected his computer.
Just yesterday, I received a report from another engineer at our office that he had witnessed a clickjacking attempt on his own machine when he clicked a button on an antivirus blog. Instead of going to the previous page, as expected, he receive a pop-up for the “Antivirus XP 2009” malware download. I had him disable IFRAME handling in Internet Explorer and install NoScript on Firefox. That fixed the issue.
Just as Opera completed patches for critical vulnerabilities in its browser, researchers discovered another remote code execution bug. In its recent article, “Opera scrambles to quash zero-day bug in freshly-patched browser,”
The Register reports:
Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims’ browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that’s based on the same weakness.
Until Opera releases version 9.62, which should be “very, very soon” according to Opera spokesman Thomas Ford, your best bet is to disable iFrames and turn off scripting. Open opera:config and select Extensions|iFrames. Change the setting from “1” to “0.” Similarly, change Extensions|Scripting from “1” to “0.”
Bear in mind that the above temporary workaround is going to break a lot of sites that use scripting. It would be simpler if Opera had some way to designate “trusted sites” (or a plug-in like NoScript), but I’m not aware of any way to do this. Hit the comments and let me know if there’s a better workaround (I haven’t used Opera since my conversion to Firefox four years ago).
Everyone agrees that it just isn’t safe out there on the Wild, Wild, Web and while Microsoft has made huge strides in securing Internet Explorer, the fact that IE continues to use ActiveX scripting technology makes it the least secure browser. I often recommend that people not use IE unless they have to and if they have to, to run it in a sandbox or virtual machine. An application sandbox such as SandboxIE protects your system from malicious scripts by allowing them to run only in the protected area.
There’s a much better approach, however: switch to Firefox and take advantage of the free Firefox add-on, NoScript. NoScript takes a “default deny” approach and prevents all scripts on a site from running unless you explicitly permit them. NoScript is also effective against the latest clickjacking attacks. My article, “How to Protect Yourself from Clickjacking,” over at Dave’s Computer Tips describes the configuration options for both IE and Firefox with NoScript installed.
Switch to Firefox, install NoScript, and enjoy secure computing.
Microsoft just released a critical update for a “privately reported” vulnerability in the server service:
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
Exploits are already being detected, according to the Microsoft Malware Protection Center:
Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive. You can read more details about this malware in our encyclopedia write ups.
I’m going to update the servers right now. Everyone should do the same.
This is an interesting and sensible approach to security. I would call these the “Logics of Cyber Security” because they’re so basic they could well be the principles upon which all cyber security can be based. The paper’s authors call them “first principles,” defining such as “…a basic foundational proposition or assumption that cannot be deduced from any other proposition or assumption”–in other words, logics. (You can read the orginal article, “A Thematic Approach to Cyber Security Using First Principles” and the link to its latest revision at https://wiki.cac.washington.edu/pages/viewpage.action?pageId=7481170&navigatingVersions=true. Note: The article hasn’t been updated since February, 2008.)
Here’s a simple overview of these principles.
DENY — default deny is an absolute must when making shared resources available via servers, network storage, and the Internet. You block everything until you are able to determine whether the entity attempting access is authorized. Another method of denial is encryption. This could be used to provide more granular application by, for instance, denying access to certain resources if the otherwise authorized user has no security clearance for the resource.
DISCRIMINATE –there are several ways one can discriminate between authorized and unauthorized access attempts, the simplest being a password; smart cards, biometrics, and security tokens are other examples, all of which should result in the access attempt being classified as either authorized or unauthorized.
DETECT — some means to detect unauthorized access attempts must be in place. In a Windows environment, one could activate auditing at both account level and resource level. Intrusion detection systems, both network and host based are designed for this purpose.
DESTROY — when unauthorized access attempts are detected, rules must be activated that effectively disrupt the attempt before the resources are compromised. This could be accomplished by dropping the connection, blacklisting the IP, etc.
The latest e-mail scam targeting Microsoft customers delivers the Backdoor:Win32/Haxdoor trojan as an attachment. The email looks like this:
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Director of Security Assurance
Anyone reading this can spot the obvious grammar and punctuation mistakes, the first things that should alert them that this is a scam. But, as we know, users blindly click on anything and everything, especially links in official-looking messages.
Please advise your users to immediately delete this message if they receive it, and continue to advise them to NEVER click a link or open an email that they are not sure about. It’s better to err on the side of caution.
There’s already a frenzy of speculation, analysis and, probably, development of malware surrounding the announcement of SockStress–the proof-of-concept program developed by two Dutch researchers to exploit an apparently heretofore unknown vulnerability in the TCP/IP stack. It started when they let the cat out of the bag in an interview that got the attention of Slashdot. I’m not going to dive in and add my opinion to the frenzy; however, this incident reinforces the idea that data and network security require constant vigilance and attention to protecting the data first (See The #1 Security Priority: Protect The Information).
Steve Gibson of Gibson Research Corporation presents a good sampling of the news surrounding this issue. There’s a lot that is (and isn’t) being said. The bottom line is that it’s a nasty vulnerability. It’ll be interesting to see how this develops.
Criminals are targeting Google AdWords customers with phony emails requesting the victim download a 128-bit SSL certificate. A client received this version (there are quite a few variations):
From: Google Adwords account [mailto:email@example.com]
Sent: Monday, September 29, 2008 8:52 PM
To: <potential victim>
Subject: Google Adwords Alert
Attention GOOGLE ADWORDS Customers!
For certain services, such as our advertising programs, we request 128-bit SSL security information which we maintain in encrypted form on secure servers.
We take appropriate security measures to protect against unauthorized access to our unauthorized alteration, disclosure or destruction of data.
Please download latest SSL protection certificate
Unprotected browsers will not be able to Log in after September 30, 2008
Sincerely, Genaro Escobar.
2008 Google Adwords, Developing new services.
Unsuspecting victims who click on the “Read more” link are taken to a malicious website where their machine is infected with a keylogger rootkit. The URL of the site varies, but is similar to this one:
Of course, the actual domain the person arrives at isn’t google.com, but, in this case, mekefri.com.
A good rundown on this attack can be found at: Digital Certificate Spammer Goes for Google Adwords
According to US-CERT‘s latest alert, “Multiple Web Browsers Affected by Clickjacking,” there’s a new cross-browser exploit technique called “Clickjacking.” One report suggests that, “With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky.” According to the CERT article:
Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.
A ZDNet blog posting, Firefox + NoScript vs Clickjacking, The Firefox plugin NoScript, written by Giorgio Maone, is effective against the most dangerous aspects of the exploit. In an email to ZDNet blogger Ryan Naraine, Maone said this about the exploit:
1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid iframe”[options]
Understandably, there’s not much specific information available about the exploit, but most experts agree that there’s no simple fix for it. In his blog post, Naraine said “I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed ‘very, freaking scary’ and ‘near impossible’ to fix properly.”
For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option as noted above. I also recommend that everyone review US-CERT’s article “Securing Your Web Browser” to insure maximum protection against this and other security risks.
I’ll keep you posted on further developments and suggestions for additional protection as the story unfolds.
I stumbled across this nifty free tool when running an online scan at Trend Micro’s HouseCall site. Botnets are a big problem, accounting for most of the spam on the Internet, not to mention their use in stealing financial information and launching denial-of-service (DoS) attacks. RUBotted (Beta) “…monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.” Note that this tool doesn’t clean anything–you still have to use antivirus software. Alternatively, you can take advantage of one of the many online malware scanners.
The tool runs on Windows 2000, Windows XP Home and Professional, Windows 2003 Server, and Windows Vista (32-bit only), providing the latest service packs are installed. There’s one caveat, however: Trend says, “RUBotted cannot protect computers running Panda Internet Security 2008.”
I hope that this effort by Trend starts a trend (pun intended) of vendors providing similar secure computing software, perhaps incorporating bot removal tools to boot. We’ll see.