The Clock is Ticking
The clock is ticking on the time to mass exploitation for a couple of vulnerabilities released last week, in particular a Microsoft Internet Explorer vulnerability that has not had a patch released for, and may not get a patch released.
Various security companies have been reporting on the risks that a newly reported (late June) vulnerability in Microsoft Internet Explorer Versions 5.01 and above. The main problem exists in a COM Object, javaprxy.dll, which could allow for complete remote system compromise just by viewing a web page. Microsoft has since come out with an advisory, and it is also possible to disable javaprxy.dll usage with Internet Explorer, by editing the Registry. This last action should only be carried out by people who are comfortable with editing the registry, as it is possible that this action could destabilise systems.
The actual vulnerability announced is not merely limited to the javaprxy.dll, but extends to a number of of COM objects. With Internet Explorer, a website is able to access software and data stored locally through the use of Active-X and COM objects. The ability to view and edit Excel spreadsheets and Word documents in Internet Explorer is available through such mechanisms. Active-X has long been regarded as a significant security risk, and the ability to run Active-X controls unchecked in the web browser has lead to quite a number of exploits being made available for Windows based systems. According to SEC Consult, the company that claimed responsibility for discovering the vulnerability, the problem is a flaw in the way that Internet Explorer handles the creation of the link with the COM object. SEC Consult were able to find more than 20 COM objects that caused either Internet Explorer crashes, or memory faults. The javaprxy.dll was merely the first to be successfully exploited in the example provided by SEC Consult.
With the javaprxy.dll and PHP XML vulnerabilities that were announced recently, the ISC has been alerting readers that they believe a significant wave of attacks will flood the Internet in the near future. The ISC admits that they feel like they are crying wolf, as the more publicity that the vulnerabilities get, the more action that administrators will take to remedy them and the less likely it will be that the attacks will take place as believed. There has not been any indication that this is the case, yet. Having said that, it did take two months for Sasser and Blaster to make their appearances after the vulnerabilities were announced, and weeks after vendor patches were available.
The primary concern with the Internet Explorer vulnerability is that the discovery was only made two weeks ago, and Microsoft has yet to issue a patch, either for the javaprxy.dll, or the COM object vulnerability (the root cause). Because it was announced that more than 20 of the default objects available on a Windows XP installation are vulnerable, and the mechanism of the vulnerability was disclosed, it is possible that a wide range of attacks could arise in the near future, designed to attack these issues.
In addition to the javaprxy.dll vulnerability, the PHP vulnerability reported on last week has had exploits in the wild already. The failure in the PHP case was an inability to process input correctly. This allowed potentially malicious content to slip through, and be executed by the PHP parser.
Although the recent phpBB XML vulnerability has been remedied, a new vulnerability has been announced in the most recent version (2.0.16) which could allow for code of the attacker's choice to be run in the browser when a victim visits a phpBB site.
Of interest is the PHP XML vulnerability, which research has shown was first reported May 1, 2003. The person who made the report was not aware of what they had uncovered, only that they had encountered difficulties with one of their scripts, which was behaving in a strange manner. The exact problem they encountered was the one which has now been recently exploited as the PHP XML vulnerability. This is actually how a lot of vulnerabilities are found - a strange behaviour occurs, which the security researcher then investigates further and uncovers a security risk.
Sometimes software developers and hardware designers make decisions which do not appear to cause any problems initially, but are later found to be significant design errors. The whole Y2K bug issue was a result of system designs that only considered two digits to be sufficient for representation of years, which meant that the only century that could have dates represented was the 20th century. Another time related design issue which will be coming up in the future, is the Unix timestamp rollover in 2038. Unix-type systems, including Linux, and OS X, can use a timestamp based on the number of seconds since the Unix epoch - Midnight GMT, January 1, 1970. The actual valid date range that Unix-type systems can recognise typically covers from Friday, 13 December 1901 20:45:54 GMT, through to Tuesday, 19 January 2038 03:14:07 GMT. This date range represents the limits of a signed 32 bit integer based on the Epoch as origin.
The relevance to current software design is that some systems continue to use certain trigger dates as internal alerts. A recent example arising of the date 11/11/11, which a certain system uses to identify transactions that should not be processed. In the resulting discussion that followed, it was suggested that a lot of the Y2K solutions failed to move to four digit representation for years, and the actual solution applied was a 10 - 50 year offset. to the years being stored. What this means is that the Y2K problem for these systems has only been delayed, not solved, and they remain limited to a single 100 year period for date representation.
The tragic events in London last week have already drawn the attention of virus writers, although it has yet to spread widely. The email borne virus claims to be from CNN and claims to contain unique footage from the blasts, and even goes so far as to claim that it has been cleared by Norton Antivirus. At the time of writing, the virus does not yet have a name, and is designed to turn infected machines into spam zombies. Subscribers to the mailing list received early warning of this, and the advice in the following paragraph should be considered whenever a significant global event takes place.
Readers should be careful to avoid email attachments claiming to have content related to the recent central London attacks. Likewise, websites, other than the official sites, claiming to be collecting funds, providing lists of the dead and injured, or other details where they need your name, address, and bank account details, should be avoided. 419-type email fraud spam (Nigerian Spam) is also likely to increase in the near future, playing off the grief and shock surrounding the bombings in London, and the natural willingness to help that people have. The best advice is that even in this time of grief and shock, you shouldn't lose your ability to think critically about email content or website appearance.
A recent article on eWeek suggests that 9 out of 10 American Internet users has changed some of their online habits in some way as a direct result of fears surrounding spyware and adware. The report that the article was based on details the breakdown in changed behaviour. The specific examples given of changes by Internet users are recommended for all Internet users. This includes changing Internet browsers away from Internet Explorer, limiting use of P2P file sharing applications, applying caution to email attachments and avoiding untrusted websites.
Canadian newspaper The Globe and Mail is the latest in a string of mainstream media agencies alerting readers to the threats that electronic crime is presenting at the moment. Citing examples such as the recent 40 million credit card breach and phishing statistics, the article argues that the cybercriminals are operating with impunity, and the agencies and companies trying to prevent and mitigate online crime are barely keeping up. The concerns raised are valid, and it is vital for all computer users to be aware of their risks when functioning online, or storing critical data in computerised systems.
There are still many people who consider Identity Theft to be a non-issue, and that it only affects people who order things online, or who aren't careful with their credit card details. A recent article, by the Canadian paper The Globe and Mail, provides more evidence of what actually goes on with the trade of personal information that has been stolen. Although the article focussed on the trade in Russia, posters to Internet forums suggest that this trade is happening globally, and this is where the information from the major data breaches ends up - such as the recent 40 million credit card disclosure. There are a number of subscribers to this newsletter who do business with Russians, and we sincerely hope that they audit their personal data to ensure that they haven't been affected, at least not yet. Even if your identity hasn't been stolen yet, the legal trade in your details goes on, daily. Major aggregator companies, such as ChoicePoint in the USA, continue to sell highly sensitive personal information, with spyware companies such as Claria bringing up a significant new threat with their terabytes of information sucked from infected computer systems. There is also sufficient anecdotal evidence to suggest that anywhere that personal information is stored electronically, it isn't safe, be it a bank, merchant, or Government Agency - money talks, and money gets.
11 July 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.