[Sunnet Alert] Advisory #218 - BrightStor ARCServe, AdSense, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Tue Apr 3 22:03:08 EST 2007
Sûnnet Beskerming Alert List Advisory #218
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 BrightStor ARCServe
- Remote Hacker Automatic Control
- Time Since Discovery - 4 Days
1.2 Google Adsense
- Remote Hacker Automatic Control
- Time Since Discovery - Same Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 The Law Of Unintended Consequences
2.2 Reminder For Windows Users
2.3 Conditional Logic, SP1, And A Google/Microsoft Battle
=====================================
1. SECURITY
1.1 BrightStor ARCServe - Remote Hacker Automatic Control
-- Products Affected --
CA BrightStor ARCServe Backup
-- Technical Description --
Arbitrary remote code execution in the BrightStor ARCServe software,
based on malicious RPC network traffic. Public disclosure of the
vulnerability included provision of detailed exploit code that
provides remote control of a vulnerable system.
-- Description --
The BrightStor ARCServe Backup software is a backup and recovery
toolset created by Computer Associates (CA) for multiple platforms.
At the end of March, public disclosure was made of a vulnerability
in the way the software handles certain RPC network traffic, which
allows an attacker to take complete control of the vulnerable system.
-- Recommended Action --
Computer Associates has recommended that users and administrators
disable the 'mediasvr.exe' file, such as by renaming it to
'mediasvr.exe.disable', and then restarting the BrightStor Tape
Engine service. This disables command-line access to and control of
the software, but it also mitigates the risk of exploitation of this
vulnerability. Administrators and users are advised to apply patches
from CA as soon as they are released.
-- Source --
(withheld - subscribe to a paid list to access this source)
-- Threat Matrix --
              U    O
Home User     9    9   (Critical)
Corporate     9    9   (Critical)
1.2 Google AdSense - Remote Hacker Automatic Control
-- Products Affected --
Google AdSense
-- Technical Description --
Account compromise and redirection via a simple CSRF attack against
the web interface to Google AdSense. A successful attack requires the
victim to be logged in to their account when they open a new page
containing the malicious script. If Active Scripting / JavaScript is
enabled, the attack may also be launched from an already-open website
when the victim logs in to their AdSense account.
-- Description --
Google's AdSense initiative is a popular means for website operators
to obtain extra income from targeted Google ads placed on their
site. Administration of a user's AdSense account is achieved through
a web interface across a secure connection (https). It has been
demonstrated that it is possible to capture a victim's AdSense
account if the victim is logged in to their AdSense account when they
load a page carrying a short malicious script in another browser
window or tab. This capture includes changing the registered email
address and password for the account, locking the unfortunate victim
out of their account. With detailed code already publicly available,
and the ease with which the attack can be launched, this is a very
serious risk for AdSense users.
-- Recommended Action --
Ensure that you only conduct maintenance on your AdSense account in
a brand new browser session, with no other sites loaded. Ensure that
you fully log off from your AdSense account before conducting any
further Internet browsing. Deleting cookies and restarting the
browser before further Internet browsing may also provide further
protection if logging off from the AdSense account fails (and if the
attacker uses CSS- or JavaScript-based detection of visited sites).
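The advice above is what the account holder can do; the operator-side fix for this class of bug is a synchronizer token on every state-changing request, so that the session cookie the browser attaches automatically is never enough on its own. The following is an added illustration, not Google's code: a simulated "change account email" handler with a constructed session and account store, a hypothetical site origin, and an Origin header check that assumes a browser which sends one (2007-era browsers did not, which is why the token check is the mainstay).

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; in practice loaded from protected config.
SERVER_KEY = secrets.token_bytes(32)
# Hypothetical origin of the account-management site in this example.
SITE_ORIGIN = "https://adsense.example"
# Constructed stores: the account state a CSRF attack tries to change, and
# the session cookie -> logged-in user mapping.
ACCOUNTS = {"victim": {"email": "victim@example.org"}}
SESSIONS = {"c00kie-victim": "victim"}


def csrf_token(session_id: str) -> str:
    """Synchronizer token: HMAC of the session id. The server embeds it in
    its own settings form; a page on another origin cannot read it, so a
    forged POST cannot supply the right value."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_email(cookies: dict, headers: dict, form: dict) -> str:
    """Guarded state-changing handler. Browsers attach the session cookie to
    cross-site requests automatically, so the cookie alone must never
    authorise the change."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return "rejected: not logged in"
    # Origin is sent by modern browsers on cross-site POSTs (assumed here;
    # absent Origin falls through to the token check, which still protects).
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-site origin"
    expected = csrf_token(cookies["session"])
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return "rejected: missing or invalid CSRF token"
    ACCOUNTS[user]["email"] = form["email"]
    return "ok"


def legitimate_change() -> str:
    """Victim submits the real settings form, which carries the token."""
    cookies = {"session": "c00kie-victim"}
    form = {"email": "new@example.org", "csrf_token": csrf_token("c00kie-victim")}
    return change_email(cookies, {"Origin": SITE_ORIGIN}, form)


def forged_change() -> str:
    """Auto-submitting form on an attacker page in another tab: the cookie
    rides along, but the token is unknown and the Origin is foreign."""
    return change_email({"session": "c00kie-victim"},
                        {"Origin": "https://evil.example"},
                        {"email": "attacker@example.net"})
```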
-- Source --
(withheld - subscribe to a paid list to access this source)
-- Updates Available --
Not Yet Available
-- External Tracking Data --
Not Yet Identified
-- Threat Matrix --
              U    O
Home User    10   10   (Highly Critical)
Corporate    10   10   (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 The Law Of Unintended Consequences
Following the presentation by SPI Dynamics of the Jikto JavaScript
bot software at the recent ShmooCon held in Washington, DC, the
researcher responsible for development and demonstration of the bot's
capabilities indicated that the source code would not be released for
public consumption.
Unfortunately, that is no longer the case.
Despite efforts to obscure the location of, and means of access to,
the source for Jikto, an enterprising attendee at the presentation
was able to quickly observe Jikto's public address, and thus to grab
and disseminate the code. This is despite the fact that the public
exposure of the code was effectively limited to the period of the
presentation, and the code was then downloaded only about 100 times
from the attendee's own site before he removed it at the request of
the SPI Dynamics presenter.
100 times doesn't seem like much, but it was enough for the code to
make it onto sites that have a very high amount of traffic, and from
there it reaches a much wider audience and can essentially be
considered to be available to anyone on the Internet.
In discussing the various steps that he took to obscure the path to
Jikto during the presentation (yet another example of how security by
obscurity is almost zero security), the SPI Dynamics presenter
acknowledged that he had based most of Jikto on the public work done
by another security researcher, who had previously released his own
framework achieving much the same as Jikto.
Observers have suggested that connecting to a publicly hosted
demonstration (i.e. on the Internet) at a security conference was not
a very smart move if the original developer had wished to protect the
system against inadvertent disclosure.
2.2 Reminder For Windows Users
A reminder for Windows users that Microsoft is expected to release
the patch for the currently-exploited ANI vulnerability at some time
in the next 24 hours. According to postings made at the MSRC
(Microsoft Security Response Centre) blog, a patch for this issue was
originally being prepared for April's Security Patch release, due
out on April 10.
For curious readers wondering why Microsoft has not applied the same
level of urgency to the currently exploited 0-day vulnerabilities in
its other products (such as the numerous ones affecting Office), the
reason is that those vulnerabilities cannot be exploited as easily
and rapidly as this issue. If that were to change, Microsoft would be
expected to rush the delivery of appropriate patches for those issues
as well.
An unfortunate reminder for Vista users is that their systems are
still susceptible to a very well-known obfuscation technique: the use
of multiple extensions to fool users and the system into believing
that a malicious file is something benign (until it is opened). For
example, malware.txt.vbs will display as malware.txt until it is
double-clicked, when it will run just like any other VBS (Visual
Basic Script) file.
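The display trick above is easy to check for mechanically, for instance on attachment names at a mail gateway or in a file-share audit. The following is an added example, not from the advisory: it models what the user sees when Windows hides the final (known) extension and flags names whose visible extension looks like a document while the real one is executable. The extension lists are constructed for the example and are not exhaustive.

```python
# Extensions Windows executes or interprets on double-click (constructed,
# non-exhaustive list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk"}
# Extensions a user reads as a harmless document, image or archive.
BENIGN_LOOKING_EXTS = {"txt", "doc", "pdf", "jpg", "jpeg", "png", "gif",
                       "mp3", "zip", "xls", "htm", "html"}


def displayed_name(filename: str) -> str:
    """Name as shown when 'Hide extensions for known file types' is on:
    only the final extension is removed, leaving any inner one visible."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def hidden_executable(filename: str):
    """Return (shown_name, real_ext) when the file would be displayed with
    a benign-looking extension but actually runs as real_ext; else None."""
    parts = filename.lower().split(".")
    if len(parts) < 3:  # needs at least name.shown.real
        return None
    real_ext, shown_ext = parts[-1], parts[-2]
    if real_ext in EXECUTABLE_EXTS and shown_ext in BENIGN_LOOKING_EXTS:
        return displayed_name(filename), real_ext
    return None


def flag_attachments(filenames):
    """Reduce a list of attachment names to those that hide an executable
    behind a document-like extension, paired with the real extension."""
    flagged = []
    for name in filenames:
        hit = hidden_executable(name)
        if hit is not None:
            flagged.append((name, hit[1]))
    return flagged
```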
2.3 Conditional Logic, SP1, And A Google/Microsoft Battle
The use of Cascading Style Sheets (CSS) to detect a site visitor's
previous browsing history is a technique that recently emerged from
ongoing research by numerous Web Security researchers. That
technique has now been developed into a proof of concept that uses
the capability to act as a form of conditional logic whenever a
visitor reaches a site.
In the example that has been developed, site visitors who have
previously visited Digg.com will be shown a link allowing them to
vote at Digg for what they are reading. Site visitors who have not
visited Digg.com will not be shown the link.
What this allows malicious developers to do is hide the presence of
malware / web attacks from all but those who are vulnerable, which
will help them evade detection by security researchers.
Elsewhere, it has been reported that a list of the patches that will
be incorporated into Vista SP1, due out at the end of 2007, has been
placed online (http://www.vistasp1.net). While Microsoft have
confirmed that SP1 is due in the second half of 2007 (expected to
coincide with the new Server version of Windows), they have not
confirmed that the posted list is accurate. They have not confirmed
the proposed list of fixes that will make up a rumoured SP3 for
Windows XP, either.
Finally, Microsoft's rumoured $2 billion USD planned purchase of
online advertiser DoubleClick may be under threat with reporting that
Google is planning to mount a bid for the advertiser. With the clear
majority of Google's existing income coming from online advertising,
if Google is able to capture DoubleClick, it would mean that
Microsoft will be far behind its smaller competitor in terms of being
able to deliver online advertising. If a bidding war does result, it
will make the current owners of DoubleClick, a private equity group,
a very happy (and rich) group of people.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.