insecure

Acrobat Reader Users Should Switch to Foxit Reader, Shrink Their Attack Surface

I’m not going to rant, I promise–I don’t have to because this doesn’t affect me. Several years ago, I abandoned the bloated, insecure and extremely resource-intensive Acrobat Reader in favor of the smaller and more secure Foxit Reader. Once again, here is more evidence that I’m right to have switched.  Brian Krebs of The Washington Post wrote:

No! Don’t update. Shrink your attack surface and switch to Foxit Reader and their other PDF software. Not only are Foxit Software’s products more secure, they’re also cheaper.

Mozilla Disables Insecure Microsoft Firefox Add-on

When I fired up my laptop the other day, I was greeted with this pop-up box:

If you’re running Firefox, you may have already seen it yourself. Recall that these add-ons were installed into Firefox without the user’s permission, causing quite an uproar in the Mozilla user community. Brian Krebs of The Washington Post wrote:

In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove.

Mike Shaver, Mozilla’s vice president of engineering, wrote Friday on the Mozilla Security Blog:

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately.

At least Microsoft agreed with Mozilla’s action to block the insecure add-on, but shame on them for blatantly compromising the security of a browser they don’t even own.

Conspiracy theorists: Do you have an opinion on this?

Patch Tuesday – Microsoft Fixes Eight Security Flaws

All of them are critical, but not a single one of them affects Windows 7, scheduled for release on October 22.

The most dangerous flaw covered by this month’s batch of patches is a remote code execution vulnerability in the way that the JScript scripting engine decodes script in Web pages (MS09-045). A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page and this could result in execution of arbitrary code on the affected system. All versions of Windows—except Windows 7—are vulnerable. Here is the list of bulletins taken from the Microsoft Security Bulletin Summary for September 2009:

MS09-045 Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)

It remains to be seen how Windows 7 will fare once it’s released to retail, but so far, it appears to be more secure the previous versions of Windows. According to Wolfgang Kandek, chief technology officer at software security provider Qualys, "There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor."

We can only hope.

Have You Noticed? Phishing Attacks Are Down

It’s just not in fashion anymore; phishing attacks are ‘way down, falling out of favor with cybercriminals who now prefer malicious websites and password-stealing Trojan horse programs.

IBM’s security research and development division, X-Force, recently issued a report that found throughout 2008 , phishing volume was around 0.5 percent of overall spam volume. But in the first half of 2009, the volume of phishing attacks fell to around 0.1 percent of spam volume. Not only did the volume of phishing attacks drop, but the targets also changed: in 2008, 90 percent of all phishing attacks targeted the financial industry; in the first half of 2009, that percentage had dropped to 66 percent.

That’s the good news. The bad news is that, according to the report, the number of malicious Web links is up 508 percent in the first half of 2009 and many of these links appear on otherwise trusted sites such as search engines. X-Force Director Kris Lamb says, “There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk."

A copy of the IBM report can be downloaded here (PDF).

As always, let the surfer beware.

Is Linux Security as Bad as Microsoft Windows “Security?”

Linux proponents often gloat over the seeming lack of security vulnerabilities in the Linux kernel when compared to Microsoft Windows; Windows proponents counter saying that Linux is just enjoying “security through obscurity.” Seems the Windows people may be justified to some degree as reports of a Linux vulnerability puts most versions of the Linux kernel built in the last eight years at risk of complete takeover.

According to The Register, “The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead of linking to a corresponding placeholder, (for example, sock_no_accept), the function pointer is left uninitialized. Sock_sendpage doesn’t always validate the pointer before dereferencing it, leaving the OS open to local privilege escalation that can completely compromise the underlying machine.” This means that it’s trivial for an attacker to put code in the first page and that code will get executed with kernel privileges. You can read a full rundown of the vulnerability at the CR0 Blog.

All Linux kernel 2.4 and 2.6 versions since May 2001 are affected. The vulnerability has been patched, but “this is the second time in less than a month that a serious security vulnerability has been reported in the Linux kernel. In mid July, a researcher alerted Linux developers to a separate "NULL pointer dereference" bug that put newer versions at risk of complete compromise,” according to The Register.

There’s no question that Microsoft has ongoing security issues; it’s no surprise that Linux is beginning to show the same. The only difference lies in the attack surface; Microsoft is still the biggest target. As Linux continues to gain market share, however, we’ll be seeing more researchers focusing their attention on the Open Source OS; as they do, they’ll find more and more vulnerabilities there, too.

There’s a technology called “secure coding” that still hasn’t been fully developed, much less implemented on a grand scale; until programmers fully get this concept, we’re saddled with insecure OS’s and applications.

Gmail Vulnerability Points Up the Need for Strong Password Policy

There’s a vulnerability affecting Gmail accounts that was recently announced by security researcher Vincente Aguilera Diaz. You can read the posting on the Full Disclosure security list which contains complete details on how a Gmail authentication attack is accomplished and how it can be automated.

Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1200 guesses per day. If a hacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses/2 hrs. limit, saying it’s robust enough. Considering that the Conficker worm’s password table needed only 200 entries to compromise many systems, it’s conceivable that many Gmail accounts could be compromised easily within slightly more than 2 hours.

Gmail does require a password of 8 characters or more, but it does no further parsing, so extremely weak passwords such as aaaaaaaa,  12345678 and the like, are allowed as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.

Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password using random upper- and lowercase letters, numbers and symbols. The trouble with those things is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of words and eliminate the spaces: St.Main555isaddressMy; eliminate all repeating letters and numbers: St.Main5drey; finally, make sure every other letter is shifted: St.MaIn5DrEy. That’s a very strong password.

If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app.

I’ll Say it Again—Turn Off the Remote Web Management Interface!

I don’t know how many times I’ve told people that the embedded management interface on most devices is a security breach waiting to happen. I just got wind of some news, but can’t seem to find anything more than this mention. As soon as I dig up some details, I’ll let you know. This exchange is from Security Now! Episode 206 for July 23, 2009:

Steve…Stanford security lab….will also be showing some very distressing news this weekend at the Black Hat conference. They tested 21 different devices from 16 different manufacturers. These are web-enabled gizmos - webcams, printers, network switches, photo frames, VoIP phones, remote management tools, all of these things - and, like, consumer routers, all of these things that are web-enabled, meaning that like so many peripherals now, they’ve got an Internet connection and a web interface. They tested the vulnerability of 21 devices made by 16 different manufacturers. There was not one that was not vulnerable to serious web-oriented problems. For example, they were able to enter JavaScript commands into the logon prompts.

Leo: Oh, boy.

Steve: And the device logged the log-on attempts. So when the administrator brought up the log, the act of displaying the log replayed the JavaScript commands…And that allowed the commands to connect to a remote server and download malware. They said that among the worst devices were network attached storage devices. They enumerated five different classes of attacks, and they said that the NAS…were vulnerable to all five classes of attack. For example, you could rename files to JavaScript strings. There was no control over file naming in these. And of course we all have long filenames now in our state-of-the-art file systems. Well, long meaning JavaScript. And so anytime this device attempted to display the filenames on a web page, again, you were running JavaScript. So now there’s scripting running in your directory listing, which is displayed on a web page, causing your browser to do whatever the JavaScript has said. And it’s running in the local context. So even systems that have security saying don’t allow remote sites to execute script, but of course we trust our self, well, now we can’t trust our self.

Don’t tell me I didn’t say so. Turn that interface OFF!

It’s Not Your Fault

I’m going to take a lot of heat for this post. Maybe. Unless I’m right (which I usually am). So, let me just get it out of the way: The state of security on the Internet today is NOT YOUR FAULT. Neither is it the fault of the clueless surfers who click on any and every link in their email and say “yes” to every popup on their screen. It’s not the fault of those who love to install the “little bitty kitty” screensavers that are loaded with adware and the ones who use the “fun web products” emoticons and stationery with similar bent. No, it’s not your fault.

It’s M….no, it’s U….no, it’s…hell,  it’s the software developers who don’t have a clue on how to write a secure application. The end user—be she a geek or a regular consumer user—has no way of knowing that there are security holes on the software she uses. And she shouldn’t have to be concerned about it, now, should she? NO.

The more I have to deal with the malicious–and sometimes just crappy–stuff that people manage to get on their systems, the more I want to grab the programmers, web app developers, and insecure software purveyors by the throat. Conspiracy theorists speculate that since the anti-malware software industry is a multi-billion dollar cash cow, we don’t have a chance of ever seeing truly secure software. I don’t think that’s true. There’s enough crap out there to keep the anti-malware industry busy for a long time.

But it does make one wonder, doesn’t it?

Firefox 3.0.7 Released, Addresses Multiple Vulnerabilities

Mozilla Foundation released Firefox 3.0.7 today to address multiple vulnerabilities. According to the Security Advisories, the vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. Mozilla says that the vulnerabilities also affect Thunderbird and SeaMonkey. No updates have been released for these applications at this time.

The following Security Advisories are addressed in Firefox 3.0.7:

• Mozilla Foundation Security Advisory 2009-07: “Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”
• Mozilla Foundation Security Advisory 2009-08: “An anonymous researcher, via TippingPoint’s Zero Day Initiative program, reported a vulnerability in Mozilla’s garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed. An attacker could use this crash to run arbitrary code on the victim’s computer.”
• Mozilla Foundation Security Advisory 2009-09: “Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users authenticated to the redirected website.”
• Mozilla Foundation Security Advisory 2009-10: “libpng maintainer Glenn Randers-Pehrson reported several memory safety hazards in PNG libraries used by Mozilla. These vulnerabilities could be used by a malicious website to crash a victim’s browser and potentially execute arbitrary code on their computer. libpng was upgraded to a version which contained fixes for these flaws.”
• Mozilla Foundation Security Advisory 2009-11: “Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.”

Everyone should immediately upgrade to Firefox 3.0.7 to mitigate these issues.