Security Corner:

Remote Code Execution

Jun 5 2008   1:30PM GMT

Safari for Windows Flaw Quick Fix



Posted by: Ken Harthun
Apple, Microsoft Windows, Browser, Security, Vulnerabilities, Remote Code Execution

Microsoft has issued Security Advisory 953818 advising Safari users to “restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.” According to Microsoft:

“A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user.”

Oddly enough, there’s a quick fix for the problem. In the advisory, Microsoft clearly states: “Mitigating Factors: Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.” Just go to Edit > Preferences > General > Save downloaded files to [your chosen new location].

That was easy.

May 29 2008   8:14PM GMT

Phlashing Attack Can Damage Systems Beyond Repair



Posted by: Ken Harthun
Security, Cyber warfare, Security management, Vulnerabilities, Opinion, Remote Code Execution

It has long been “common knowledge” that viruses and other malware cannot physically damage hardware. We’ve all seen those alarming emails that say, “…the virus destroys Sector Zero, thus permanently destroying the hard disk,” a statement we know is rubbish; at worst, the disk is rendered incapable of booting an OS, but the drive is still operable and the data recoverable. Now, however, it seems an HP researcher has found a way to exploit security vulnerabilities to mount a permanent denial-of-service (PDoS) attack by thrashing embedded hardware. From The Register:

The cyber-assault thrashes systems by abusing firmware update mechanisms. If successful, the so-called phlashing attack would force victims to replace systems.

The attack was demonstrated by Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, at the EUSecWest security conference in London on Wednesday [21 May 2008]. Smith told Dark Reading that such a “permanent denial of service” attack could be carried out remotely over the internet.

The attack would be carried out by exploiting flaws in remote management interfaces to gain access to the system and then flashing corrupted or fuzzed firmware binaries to render the hardware useless. One such remote management interface is HP’s Integrated Lights-Out (iLO), which is embedded in their ProLiant servers; however, Doug Hascall, an HP manager in charge of iLO firmware, believes the security architecture of the interface makes it invulnerable to the attack.
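A firmware update mechanism can only be abused this way if the device will flash whatever it is handed. As an added example (not code from this post, from HP, or from any iLO firmware), here is the kind of gate a defender wants in front of every flash operation: authenticate the image first, then confirm it targets this hardware, that its payload matches the signed header, and that it does not roll the device back to an older (possibly vulnerable) release. The image layout, the device model, the installed version and the key are all constructed for the demo, and HMAC-SHA256 from the standard library stands in for the vendor’s public-key signature that a real updater would verify over the same bytes.

```python
"""Firmware-update gate (added example, constructed format, not vendor code).

HMAC-SHA256 is a stand-in for an asymmetric vendor signature; the
verification logic and ordering are what the example is about.
"""
import hashlib
import hmac
import json
import struct

# Constructed demo values. A real device keeps the verification key and
# the installed version in tamper-resistant storage, not in the updater.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"
DEVICE_MODEL = "demo-bmc-1000"
INSTALLED_VERSION = (2, 4, 1)
TAG_LEN = 32  # SHA-256 output size


def build_image(model, version, payload, key=VENDOR_KEY):
    """Assemble a signed image: 4-byte header length, JSON header, payload, tag."""
    header = json.dumps(
        {"model": model, "version": list(version),
         "payload_sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True).encode()
    body = struct.pack(">I", len(header)) + header + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_image(image, model=DEVICE_MODEL, installed=INSTALLED_VERSION,
                 key=VENDOR_KEY):
    """Return (ok, reason). Any False result means: do not flash."""
    if len(image) < 4 + TAG_LEN:
        return False, "image too short"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # 1. Authenticity first: nothing in the image is trusted until the
    #    tag checks out, so a fuzzed header cannot reach the parser below.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "signature mismatch"
    (hlen,) = struct.unpack(">I", body[:4])
    if 4 + hlen > len(body):
        return False, "header length out of range"
    try:
        header = json.loads(body[4:4 + hlen])
    except ValueError:
        return False, "malformed header"
    payload = body[4 + hlen:]
    # 2. Right hardware: a genuine image for another model still bricks this one.
    if header.get("model") != model:
        return False, "image is for model %r" % header.get("model")
    # 3. Payload integrity against the digest carried in the signed header.
    if hashlib.sha256(payload).hexdigest() != header.get("payload_sha256"):
        return False, "payload digest mismatch"
    # 4. Anti-rollback: an older signed image may carry known holes.
    version = tuple(header.get("version", []))
    if (len(version) != 3 or not all(isinstance(v, int) for v in version)
            or version <= installed):
        return False, "version %s not newer than installed %s" % (
            version, installed)
    return True, "ok"


if __name__ == "__main__":
    good = build_image(DEVICE_MODEL, (2, 5, 0), b"firmware-bytes")
    print("genuine image:", verify_image(good))
    corrupted = bytearray(good)
    corrupted[-40] ^= 0xFF  # flip a payload byte, as a fuzzed image would
    print("corrupted image:", verify_image(bytes(corrupted)))
    print("rollback image:", verify_image(
        build_image(DEVICE_MODEL, (2, 4, 1), b"old-firmware")))
```

The order of the checks matters: the signature is verified over the raw bytes before anything is parsed, so malformed or fuzzed headers never reach the parser unless the attacker also holds the signing key, and the rollback check is applied to the version inside the signed header rather than to anything the caller supplies.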

Security watchers, myself included, don’t see crackers destroying systems since there would be no money in it; rather, this attack could make it possible for them to plant malware inside of the firmware: a far more insidious threat. Moreover, a country’s enemies could use the technique as an effective cyberwarfare weapon either to take out critical infrastructure or to implant spyware to gather military intelligence.


May 22 2008   7:38PM GMT

Foxit Reader Security Vulnerability



Posted by: Ken Harthun
Security, Remote Code Execution, Buffer Overflow, Vulnerabilities

Since I discovered Foxit Reader in early 2006, I’ve been recommending it to everyone. There’s no question it’s a best-of-breed tool for speed and simplicity. But recently, Secunia issued a bulletin advising of a security vulnerability in the program. According to that bulletin, Foxit Reader version 2.3 build 2825 is vulnerable to a buffer overflow that permits a remote code execution attack on your system. The problem will be fixed in the upcoming build 2912.

I’m still using version 1.3.x which, apparently, is not vulnerable. So, if you’re using an older version of Foxit, you should be OK; however, just as soon as build 2912 is available, I’m going to upgrade just to be on the safe side. You should, too.