Exploits

Javascript Must Die!

At least that’s what Mr. John Graham-Cumming says on his blog–and what he told attendees at Virus Bulletin 2009 in his presentation called, “JavaScript Security: The Elephant running in your browser:”

My thesis is that the security situation with JavaScript is so poor that the only solution is to kill it. End users have very little in the way of protection against malicious JavaScript, major web sites suffer from XSS and CSRF flaws, the language itself allows appalling security holes, and as data moves to the cloud the 14 year old JavaScript security sandbox becomes more and more irrelevant.

I’ve been recommending that everyone use NoScript with Firefox for quite some time. Here’s my article from more than a year ago: Software for Secure Computing: Firefox & NoScript. Recent security updates to Firefox tend to reinforce this view since most of the workarounds for security flaws recommend disabling Javascript.

What do you think? Should Javascript be killed? Would this break 99% of the web sites out there?

Maybe it’s time for a new technology.

Twitter Security: TwitBlock Blocks the Spammers

Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.

Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, therefore it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.

Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:

You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs - the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.

An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!)

The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.

Gmail Vulnerability Points Up the Need for Strong Password Policy

There’s a vulnerability affecting Gmail accounts that was recently announced by security researcher Vincente Aguilera Diaz. You can read the posting on the Full Disclosure security list which contains complete details on how a Gmail authentication attack is accomplished and how it can be automated.

Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1200 guesses per day. If a hacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses/2 hrs. limit, saying it’s robust enough. Considering that the Conficker worm’s password table needed only 200 entries to compromise many systems, it’s conceivable that many Gmail accounts could be compromised easily within slightly more than 2 hours.

Gmail does require a password of 8 characters or more, but it does no further parsing, so extremely weak passwords such as aaaaaaaa,  12345678 and the like, are allowed as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.

Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password using random upper- and lowercase letters, numbers and symbols. The trouble with those things is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of words and eliminate the spaces: St.Main555isaddressMy; eliminate all repeating letters and numbers: St.Main5drey; finally, make sure every other letter is shifted: St.MaIn5DrEy. That’s a very strong password.

If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app.

Twitter Used As Botnet Command & Control Channel

A botnet that uses Twitter for command and control? You bet. Jose Nazario over at Arbor Networks apparently found one: “Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run.” The bots connect to the Twitter account using an RSS feed, allowing them to receive the tweets in real time without having their own accounts on Twitter. Pretty slick.

The tweets themselves are base64 encoded and when Nazario translated one of them, it was clear the encoded tweet was sending links to the bot.

Oddly enough, there’s no mention of this at http://status.twitter.com, but the account in question (well, one of them, at least—there are probably more), https://twitter.com/upd4t3, has been suspended, so it appears that  Twitter security folks are on the ball.

Patch Tuesday – 19 Windows Security Flaws Fixed

It’s that day of the month again and this time Microsoft has patched 19 security holes, 15 of which have a “critical” rating. The good news is that none of the vulnerabilities affect Windows 7. As usual, a bunch of the flaws stem from ActiveX controls, probably the worst thing Microsoft’s developers ever came up with (with the possible exception of Microsoft Bob).

At least one of the vulnerabilities, MS09-037 - Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908), is currently being actively exploited on the Internet; exploit code for MS09-043 - Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) has been posted publicly.

Get those patches installed ASAP!

Tsk, Tsk! Weak Passwords Allow Congressional Web Site Defacements

This is simply idiocy—or gross negligence—of the highest degree. In the last week, more than a dozen US Representatives’ websites were defaced by hackers who posted digital graffiti on the home pages. The graffiti read, “H4ck3d by 3n_byt3 @ Indonesia H4ck3rs” (see screen shot). There was not other damage to the sites.

The method used to break in? Password guessing. The hackers compromised the site administration passwords at Web design and hosting firm GovTrends of Alexandria, VA which provides Web hosting for about 100 House sites. Not all were affected.

According to GovTrends founder Ab Emam, passwords assigned to member offices were never changed. Now, it’s typical for a Web hosting company to assign default admin passwords, but those passwords should be strong. In this case, they weren’t. “Most of these passwords could be guessed, they were obvious,” Emam said. “That’s been changed, and each of these sites is now required to have strong passwords.”

Really? Should have been required all along. There’s simply no excuse for this. I have written numerous articles over the years about how to generate strong, un-guessable passwords and I’m not the only one: a Google search brings up 61,800 results for that term. Will they ever learn?

(In all fairness, I have to report that there is some question as to whether password guessing was actually the cause of the breach. This article by Brian Krebs has been updated to suggest that SQL injection may have been the method.)

No matter; there’s no excuse for that, either.

I’ll Say it Again—Turn Off the Remote Web Management Interface!

I don’t know how many times I’ve told people that the embedded management interface on most devices is a security breach waiting to happen. I just got wind of some news, but can’t seem to find anything more than this mention. As soon as I dig up some details, I’ll let you know. This exchange is from Security Now! Episode 206 for July 23, 2009:

Steve…Stanford security lab….will also be showing some very distressing news this weekend at the Black Hat conference. They tested 21 different devices from 16 different manufacturers. These are web-enabled gizmos - webcams, printers, network switches, photo frames, VoIP phones, remote management tools, all of these things - and, like, consumer routers, all of these things that are web-enabled, meaning that like so many peripherals now, they’ve got an Internet connection and a web interface. They tested the vulnerability of 21 devices made by 16 different manufacturers. There was not one that was not vulnerable to serious web-oriented problems. For example, they were able to enter JavaScript commands into the logon prompts.

Leo: Oh, boy.

Steve: And the device logged the log-on attempts. So when the administrator brought up the log, the act of displaying the log replayed the JavaScript commands…And that allowed the commands to connect to a remote server and download malware. They said that among the worst devices were network attached storage devices. They enumerated five different classes of attacks, and they said that the NAS…were vulnerable to all five classes of attack. For example, you could rename files to JavaScript strings. There was no control over file naming in these. And of course we all have long filenames now in our state-of-the-art file systems. Well, long meaning JavaScript. And so anytime this device attempted to display the filenames on a web page, again, you were running JavaScript. So now there’s scripting running in your directory listing, which is displayed on a web page, causing your browser to do whatever the JavaScript has said. And it’s running in the local context. So even systems that have security saying don’t allow remote sites to execute script, but of course we trust our self, well, now we can’t trust our self.

Don’t tell me I didn’t say so. Turn that interface OFF!

Foxit Reader Contains Multiple Vulnerabilities

According to a U.S. Cert bulletin issued today, my favorite PDF reader, Foxit Reader has multiple security vulnerabilities:

Foxit Reader has released updates for multiple vulnerabilities. By convincing a user to open a malicious PDF file, an attacker may be able to execute code or cause a vulnerable PDF viewer to crash. The PDF could be emailed as an attachment or hosted on a website.US-CERT encourages users to review the Foxit Security Bulletin and Vulnerability Note VU#251793 and apply any necessary updates.

The Foxit Security Bulletin describes the issues:

Two Security Vulnerabilities Fixed in Foxit Reader 3.0 and JPEG2000/JBIG2 Decoder

SUMMARY
Here is detailed information about the vulnerabilities:

1. Fixed a problem related to negative stream offset (in malicious JPEG2000 stream) which caused reading data from an out-of-bound address. We have added guard codes to solve this issue.
2. Fixed a problem related to error handling when decoding JPEG2000 header, an uncaught fatal error resulted a subsequent invalid address access. We added error handling code to terminate the decoding process.

I recommend that all Foxit Reader users update their Foxit Reader 3.0, available here: http://www.foxitsoftware.com/downloads/. Then, be sure to go to Help>Check for updates and download the stream decoder update.

NoScript Blocks Latest Firefox Bug

Got NoScript? If not, get it–the latest Firefox bug, an XML tag remote memory corruption vulnerability released on Wednesday, is mitigated by having the NoScript addon installed.

The bug can be exploited by a malicious website and can cause the browser to execute malware with no user intervention. All 3.0.x versions of Firefox running on Windows, Mac, and Linux operatintg systems are vulnerable. According to the Mozilla Wiki, the patched version, Firefox 3.0.8, “…is a high-priority firedrill security update to Firefox 3.0.x” and will be rolled out April 1.

The 3.0.8 release also fixes the Pwn2Own bug discovered at CanSecWest 2009, an issue that NoScript also mitigates.

I’ve said it before (see “Software for Secure Computing: Firefox & NoScript“); now’s a good time to say it again: install NoScript, and enjoy secure computing.

SecurityFocus bulletin: http://www.securityfocus.com/bid/34235/info.
The Register article: http://www.theregister.co.uk/2009/03/26/new_firefox_exploit/.
Mozilla Security Blog post: http://tinyurl.com/mozillasecurityblog

Firefox 3.0.7 Released, Addresses Multiple Vulnerabilities

Mozilla Foundation released Firefox 3.0.7 today to address multiple vulnerabilities. According to the Security Advisories, the vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. Mozilla says that the vulnerabilities also affect Thunderbird and SeaMonkey. No updates have been released for these applications at this time.

The following Security Advisories are addressed in Firefox 3.0.7:

• Mozilla Foundation Security Advisory 2009-07: “Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”
• Mozilla Foundation Security Advisory 2009-08: “An anonymous researcher, via TippingPoint’s Zero Day Initiative program, reported a vulnerability in Mozilla’s garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed. An attacker could use this crash to run arbitrary code on the victim’s computer.”
• Mozilla Foundation Security Advisory 2009-09: “Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users authenticated to the redirected website.”
• Mozilla Foundation Security Advisory 2009-10: “libpng maintainer Glenn Randers-Pehrson reported several memory safety hazards in PNG libraries used by Mozilla. These vulnerabilities could be used by a malicious website to crash a victim’s browser and potentially execute arbitrary code on their computer. libpng was upgraded to a version which contained fixes for these flaws.”
• Mozilla Foundation Security Advisory 2009-11: “Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.”

Everyone should immediately upgrade to Firefox 3.0.7 to mitigate these issues.