[Sunnet Alert] Advisory #239 - PHP, Kaspersky, IIS, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Mon Jun 4 18:26:19 EST 2007
Sûnnet Beskerming Alert List Advisory #239
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 PHP
- Remote Hacker Automatic Control
- Time Since Discovery - 4 Days
1.2 Kaspersky
- Remote Hacker Automatic Denial of Service
- Time Since Discovery - 1 Day
1.3 IIS
- Remote Hacker Automatic Data Theft
- Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Bad Blood Over 'Sponsored' Speaking Positions
2.2 Recent Advancement for Network Worms
2.3 When Good Intentions go Bad
2.4 Antivirus Vendors and Filtering Vulnerabilities
2.5 City Loses Funds After Systems Infected
2.6 Misidentification Hurts
2.7 Developing Safe Sites is Hard
2.8 MOSEB Underway
=====================================
1. SECURITY
1.1 PHP - Remote Hacker Automatic Control
-- Products Affected --
PHP 5.2.2 and prior
-- Technical Description --
The PHP project has released version 5.2.3 of the PHP scripting
language, providing a number of security-related fixes, including an
integer overflow in chunk_split(), an infinite loop in
imagecreatefrompng(), a flaw in the filter extension's e-mail
validation, safe_mode bypasses, and improved fixes in the database
extensions, along with some additions to the base functionality. A
number of other security-related patches are also included.
-- Description --
The PHP development team has released version 5.2.3 of the scripting
language. It includes a number of key security fixes, among them
patches for vulnerabilities that could allow an attacker to take
complete control of the system on which PHP is running. Noted PHP
security researcher Stefan Esser has claimed that known
vulnerabilities remain outstanding even after this release.
-- Recommended Action --
Upgrade to PHP 5.2.3 at the earliest opportunity. Since further issues
are reported to remain unfixed, treat the upgrade as one step rather
than a resolution: keep web-facing PHP running with the least
privilege the application needs, and expect to apply the next release
as well.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U   O
Home User     9   9   (Critical)
Corporate     9   9   (Critical)
1.2 Kaspersky Antivirus - Remote Hacker Automatic Denial of Service
-- Products Affected --
Kaspersky Antivirus 7.0 and prior
-- Technical Description --
klif.sys is the kernel-mode filter driver that Kaspersky Antivirus
uses to mediate access to its own processes. Calling NtOpenProcess
with malicious parameters while the driver is handling the request
crashes Kaspersky Antivirus. Ironically, klif.sys is the component
designed to prevent malicious software from arbitrarily closing or
otherwise controlling Kaspersky Antivirus.
-- Description --
All current versions of Kaspersky Antivirus (including the upcoming
7.0) are vulnerable to an attack that crashes the software and can be
launched from any account level, preventing its use by authorised
users. This may leave the system unprotected against further malware
and virus infection attempts, and so lead to a complete compromise.
-- Recommended Action --
Consider the use of alternate antivirus solutions in a defence-in-
depth approach to system and data security. Because the crash can be
triggered from an unprivileged account, also monitor for unexpected
termination of the product's processes, so that a host left
unprotected is noticed rather than assumed to be covered.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U   O
Home User     7   7   (High)
Corporate     7   7   (High)
1.3 Internet Information Services (IIS) - Remote Hacker Automatic Data
Theft
-- Products Affected --
Internet Information Services (IIS) 5.x
-- Technical Description --
IIS 5.x is vulnerable to an authentication bypass that targets its
hit-highlighting feature, served by the webhits.dll ISAPI extension
for requests ending in .htw. By requesting a .htw file that does not
exist and then using the feature's own parameters to name the document
to highlight, an attacker can have the contents of a file returned
without satisfying the Basic authentication configured on the
directory that holds it.
-- Description --
Microsoft's web server software (IIS) has been found to be vulnerable
to an attack that allows a remote attacker to bypass Basic
authentication settings. A remote attacker could use this to read
sensitive areas of hosted sites, potentially learning enough to
reconfigure the server or to leverage other vulnerabilities in the
site software.
-- Recommended Action --
Consider upgrading to IIS 6.0 or later, or running an alternative web
server (such as Apache). If hit highlighting is not needed, removing
the .htw application mapping from the IIS configuration stops requests
from reaching the component at all, and is worth doing on any IIS 5.x
host that cannot be upgraded promptly. Do not rely on Basic
authentication on a directory as the only control over sensitive
files; material that must never be served belongs outside the web
root.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
U O
              U   O
Home User     0   7   (Nil - High)
Corporate     0   7   (Nil - High)
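The following is an added example, written for this advisory and not
code from Microsoft or from the advisory's source: a detector run over
IIS W3C extended log lines that flags requests reaching the
hit-highlighting handler. It assumes the standard mapping of the .htw
extension to the hit-highlighting ISAPI extension (webhits.dll) and
the CiWebHitsFile query parameter that names the document to
highlight; the protected-directory list, the field layout and the log
lines themselves are constructed for the example.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Directories on the constructed site that sit behind Basic authentication.
# Assumption for the example: in practice these come from the server's own config.
PROTECTED_PREFIXES = ("/admin/", "/private/")

# IIS W3C extended log excerpt, constructed for this example. The #Fields line
# gives the column order; IIS logs "-" for an empty query string.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-06-04 10:01:02 192.0.2.10 GET /index.html - 200
2007-06-04 10:01:05 192.0.2.10 GET /admin/config.asp - 401
2007-06-04 10:01:09 192.0.2.10 GET /nothere.htw CiWebHitsFile=/admin/config.asp&CiRestriction=none&CiHiliteType=Full 200
2007-06-04 10:02:11 198.51.100.7 GET /docs/search.htw CiWebHitsFile=/docs/manual.htm&CiRestriction=install 200
2007-06-04 10:03:30 192.0.2.10 GET /NOTHERE.HTW ciwebhitsfile=%2Fadmin%2F..%2Fadmin%2Fusers.asp 200
"""


def normalize_path(path):
    """Canonicalise a path the way the server will resolve it: percent-decoding,
    backslash to slash, dot-segment removal, and case folding (NTFS is case-blind)."""
    path = unquote(path).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))


def classify(record):
    """Return a finding for requests that reach the hit-highlighting handler, else None."""
    stem = record["cs-uri-stem"]
    if not stem.lower().endswith(".htw"):
        return None
    query = record["cs-uri-query"]
    # Parameter names are matched case-insensitively. parse_qs decodes values once;
    # normalize_path decodes again so double-encoded traversal shows in final form.
    params = {k.lower(): v for k, v in parse_qs(query if query != "-" else "").items()}
    targets = [normalize_path(t) for t in params.get("ciwebhitsfile", [])]
    protected = [t for t in targets if t.startswith(PROTECTED_PREFIXES)]
    return {
        "kind": "bypass-attempt" if protected else "htw-request",
        "client": record["c-ip"],
        "stem": stem,
        "status": record["sc-status"],
        "targets": targets,
    }


def scan(log_text):
    """Run the classifier over a whole log and return the findings in order."""
    return [f for f in (classify(r) for r in parse_w3c(log_text)) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit-highlighting request whose named target lies under a directory
that requires authentication, and that the server answered with a 200,
is the signature to alert on; a .htw request with no target, or with a
target in a public directory, is ordinary use of the feature.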
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Bad Blood Over 'Sponsored' Speaking Positions
Less than a week after appearing at AusCERT 07, one of the invited
speakers has published an interesting take on the rise of 'sponsored'
speaking engagements at Information Security conferences and related
events (although AusCERT itself does not appear to partake in this).
After being contacted to contribute expert views for a television
program, he was surprised to find that he was going to have to pay in
order to provide his opinion (a $15,000 USD fee). This isn't the only
time that he has been asked to front up fees in order to deliver a
presentation at a conference, with at least one 'security conference'
requiring payment from presenters in order to fill spots.
This is not limited to conferences, with some traditional printed
media only running articles created by experts if the publication
receives advertising beyond a certain value (i.e. sponsored editorials).
For professionals working in the field, this practice of paying to
present makes it appear that the only information being presented at
conferences and in the media (and by certain industry groups) is
corporate propaganda. As a result there is a small, but growing,
backlash from IT professionals who are frustrated by this practice
and the time it takes away from important issues that need coverage.
Some qualified researchers are refusing to submit papers for
conferences if they are required to submit fees in order to present,
or if they are not provided with free entry to the full conference.
Others have just given up on the whole conference process.
2.2 Recent Advancement for Network Worms
After hinting at the possible future development of wide-spreading
worms that exist only on the Internet, spreading from browser session
to browser session as victims visit compromised sites, the researcher
behind the technological development that led to Jikto (before Billy
Hoffman picked up on it) has provided more information about what is
soon to be available.
A technology demonstration script has been created and published
which uses a number of freely available resources to automate an
attack based on a victim's browsing history. All the victim needs to
do is visit a site hosting the malicious script with Active Scripting
enabled (or JavaScript enabled in other browsers), and the script does
the rest.
If the victim has visited any of the targeted vulnerable sites in
that browsing session, the script uses that visit as the basis for an
XSS attack against those sites, compromising the site's cookies and
capturing potentially sensitive data (at the least, it allows
impersonation of the victim). This means that if the victim has used
webmail (GMail, Hotmail, Live Mail, Yahoo! Mail, etc.), accessed
online financial accounts, or visited any number of other sensitive
sites, the script can capture those details and take control of the
victim's presence on those sites. Session cookies marked HttpOnly
cannot be read by script, which blunts the cookie-theft part of the
attack, though not the actions the script can take from within the
victim's live session.
2.3 When Good Intentions go Bad
Two incidents from the last several days have provided excellent
studies in how difficult it is to ensure that the data sets that you
are working with are accurate, and also how much a website can be
considered a mini-dictatorship - where whatever the site owner says,
goes.
Popular blogging site, LiveJournal, has been busy deleting accounts
that reference incest, sex abuse, paedophilia and other related
vicious crimes. The deletions are the result of a third party that
complained to LiveJournal that unless they deleted accounts that
discussed the various matters, then they would present that
information to the LiveJournal advertisers, in an attempt to force
LiveJournal to take a financial loss if they did not delete the
accounts.
The intent behind these deletions is admirable, but the
implementation is causing trouble. While some deletions are
appropriate, many appear to have hit blogs established to help
victims of abuse. Keyword-based deletion means that not only do you
hit the perpetrators, you also snare those who are supporting the
victims.
Understandably, this has annoyed many of the site users. For a site
where the community is tightly-knit (compared to many other sites),
the apparently arbitrary deletions are having a much wider effect
than would normally be expected. That many of the account holders are
also paying subscribers means that there is also a financial basis
for the incorrectly-deleted users to complain about.
In an ironic twist, the website of the group behind the original push
to have the accounts removed is embedded with significant levels of
spyware and other malicious software that will infect any unprotected
system that browses their site.
Since the major outcry, the LiveJournal management have back-pedalled
and acknowledged that a number of their deletions were in error, and
they will be taking steps to try and ensure that those accounts are
reinstated. From community reactions, it appears to be too-little,
too-late.
The second major case affected MySpace, which recently introduced a
plan to identify and suspend account holders who are sex offenders.
As with the LiveJournal issue, one or more false positives have
resulted: an innocent woman was identified as a sex offender because
she shared the name and birthdate of an offender living in a nearby
state.
Observers have pointed out that this suggests MySpace is doing fairly
poor cross-referencing of the government sex-offender list it uses to
flag users. It suggests poor validation, and ignores how simple it is
for users to supply false information when registering on the site.
Fortunately for the user who was mis-identified, MySpace did not
publicly identify the reason for the account suspension, which means
that there would be no reason for other users to even know why the
suspension took place. Unfortunately, even though MySpace is not
responsible for the original database being used to cross reference
names, it is turning over data from the suspended accounts to law
enforcement, which could lead to dilution of the official databases
with incorrect data.
2.4 Antivirus Vendors and Filtering Vulnerabilities
Finland-based antivirus and security software vendor, F-Secure,
recently released a set of updates for almost their entire product
line, with the most serious vulnerability allowing an attacker to
take control of a vulnerable system. While the denial of service and
privilege escalation vulnerabilities that were also fixed with the
update are serious, it is the arbitrary code execution vulnerability
associated with a scanning library that is the most interesting.
Over the last few years, a high percentage of the serious
vulnerabilities affecting antivirus software have been weaknesses in
the libraries used to parse various file types. The antivirus product
has thus become a target in its own right, and it is worthwhile for
attackers to aim at these known issues when distributing their
malware. After all, why attack a system that may be protected when
you can attack the protection itself?
In many cases the vulnerabilities affect the libraries used to look
inside files that have been compressed or archived with various
compression software. Because the antivirus engine cannot see inside
a compressed archive as-is, it has to unpack it to determine whether
the files within are malicious. That unpacking step, driven entirely
by attacker-controlled headers and running with the scanner's high
privileges, is where antivirus software is most at risk.
With antivirus vendors unable to keep up with the rate at which new
malware emerges (the recent .rtf-based malware, a variant of a Bancos
trojan, being one example), and with vulnerabilities in the scanning
of compressed archives, end users appear to be in a difficult place:
they are at risk if they don't use the software, and at risk even if
they do. That is true as far as it goes, but regularly updated
antivirus software remains an important layer of any security model
and should be in place on all systems.
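The following is an added example, not F-Secure's code or anything
from the advisory's source, of the posture an archive-unpacking step
needs if it is to survive hostile input: the central directory is
checked against limits before anything is inflated, each entry is
inflated in bounded chunks with the header's declared size treated as
a claim to verify rather than a number to allocate from, and nesting
is capped. The limits, the archives and the header-forging helper are
constructed for the example.

```python
import io
import struct
import zipfile

# Limits are assumptions for this example, not figures from any vendor.
MAX_ENTRIES = 1000
MAX_TOTAL_UNCOMPRESSED = 32 * 1024 * 1024   # bytes, summed over all entries
MAX_RATIO = 200                              # uncompressed bytes per compressed byte
MAX_DEPTH = 2                                # archives nested inside archives
CHUNK = 64 * 1024

ZIP_LOCAL_MAGIC = b"PK\x03\x04"


class ArchiveRejected(Exception):
    """The archive broke a limit or its headers disagree with its content."""


def inspect_zip(data, depth=0):
    """Return [(name, inflated_size), ...] for every entry, recursing into nested ZIPs."""
    if depth > MAX_DEPTH:
        raise ArchiveRejected("nesting deeper than %d levels" % MAX_DEPTH)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchiveRejected("malformed archive: %s" % exc)
    infos = zf.infolist()
    # Everything below is read from headers the attacker wrote; check before inflating.
    if len(infos) > MAX_ENTRIES:
        raise ArchiveRejected("%d entries exceeds limit" % len(infos))
    declared = sum(i.file_size for i in infos)
    packed = sum(i.compress_size for i in infos)
    if declared > MAX_TOTAL_UNCOMPRESSED:
        raise ArchiveRejected("declares %d bytes, over the limit" % declared)
    if packed and declared / packed > MAX_RATIO:
        raise ArchiveRejected("ratio %.0f:1 looks like a decompression bomb" % (declared / packed))

    results = []
    for info in infos:
        produced, nested = 0, None
        try:
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    if produced == 0 and chunk.startswith(ZIP_LOCAL_MAGIC):
                        nested = io.BytesIO()          # buffer only what we must recurse into
                    produced += len(chunk)
                    if produced > info.file_size:
                        raise ArchiveRejected("%s inflates past its declared size" % info.filename)
                    if nested is not None:
                        nested.write(chunk)
        except zipfile.BadZipFile as exc:
            # zipfile raises here when the CRC or size recorded in the header does not
            # match what actually inflated: the header lied about the content.
            raise ArchiveRejected("%s: %s" % (info.filename, exc))
        if produced != info.file_size:
            raise ArchiveRejected("%s: header says %d bytes, content is %d"
                                  % (info.filename, info.file_size, produced))
        results.append((info.filename, produced))
        if nested is not None:
            results.extend(("%s!%s" % (info.filename, name), size)
                           for name, size in inspect_zip(nested.getvalue(), depth + 1))
    return results


def verdict(data):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        inspect_zip(data)
        return "ok"
    except ArchiveRejected as exc:
        return "rejected: %s" % exc


# --- constructed samples ---------------------------------------------------------

def build_zip(entries):
    """Build a deflated ZIP in memory from {name: bytes} (test data, not real malware)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return out.getvalue()


def forge_declared_size(single_entry_zip, claimed):
    """Rewrite the uncompressed-size field in the local header (offset 22) and the
    central directory header (offset 24) of a one-entry archive so the header
    understates the content, the shape of input that breaks a trusting unpacker."""
    buf = bytearray(single_entry_zip)
    struct.pack_into("<I", buf, 22, claimed)
    central = buf.rfind(b"PK\x01\x02")
    struct.pack_into("<I", buf, central + 24, claimed)
    return bytes(buf)
```

The point of the chunked loop is that the scanner never allocates or
trusts anything sized by the header: a forged size, a bomb-grade
ratio, an entry count meant to exhaust the scanner, or a tower of
nested archives all surface as a rejection (and a candidate for
flagging as suspicious) instead of as a crash in a privileged process.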
2.5 City Loses Funds After Systems Infected
The Californian city of Carson was left almost $450,000 USD out of
pocket after a spyware-infected system in use by the city's Treasurer
provided attackers with the details necessary to gain access to the
city's online bank accounts.
Over two transactions ($90,000 and $358,000) in late May, the
attackers wired the funds to accounts across the country. Fortunately
for the taxpayers of Carson, the city was able to recover all but
$45,000 USD.
This isn't the first time this year that a Californian city has lost
taxpayers' money to remote attackers, with the city of Willows having
lost $4,000 from a city fund earlier this year.
In an effort to offset the risk of further loss, the Treasurer has
mentioned the prospect of seeking out legislation to address the
problem. The only problem with this is that it is already illegal to
carry out attacks like this, and additional legal restrictions are
unlikely to result in any difference in how often attacks are carried
out.
2.6 Misidentification Hurts
After a bad update to the Symantec Antivirus suite caused havoc for
Chinese Windows XP SP2 users earlier this year, another bad update to
the antivirus definitions file has led to an anti-malware product
being misidentified as malware.
This time, the popular Spybot Search & Destroy product had one of its
critical files identified as malicious. While the misidentified file
was only targeted in the 1.3 version of the product (the current
version is 1.4), it is another case of antivirus definitions going
haywire, with unfortunate results for people struggling to keep their
systems as secure and safe as possible.
Fortunately for potentially affected users, Symantec quickly released
an updated definitions file that addressed the problem.
2.7 Developing Safe Sites is Hard
Developing safe websites is a difficult task for any developer, so
when the experts are caught developing and operating sites that are
vulnerable to attack, it is a timely reminder that keeping systems
safe against potential attack takes a lot of work.
It was recently disclosed that the Internet Storm Center (part of
SANS) was vulnerable to an XSS attack through the search box on the
site. While there are many, many sites vulnerable to XSS attacks,
public acknowledgement of the issue by site administrators is rare.
The developer's initial reaction of scepticism and denial provides an
insight into how a significant percentage of vulnerability
notifications proceed: ignorance or dismissal of the report, even
more so when the recipients are 'experienced' or 'expert' security
personnel.
2.8 MOSEB Underway
The latest in a string of 'Month of X Bugs' projects is underway,
with the 'Month of Search Engine Bugs' (MOSEB) commencing at the
start of June. Five vulnerabilities have already been disclosed,
starting with a number of XSS and open-redirector issues affecting a
Ukrainian search engine, Yahoo!, and HotBot.
While these vulnerabilities are relevant and are usable against the
Search Engines, their usefulness is largely limited to spoofing -
perhaps part of an effort to misdirect or compromise users. The
greater risk is for disclosed vulnerabilities in sites which provide
additional services, such as webmail or other account-based features.
These could then be used to capture the victim's account and allow
for impersonation of the victim.
Unlike the Month of ActiveX Bugs, which ran during May, the
vulnerabilities identified as part of MOSEB are being presented in
English and Russian. After the first few ActiveX bugs were disclosed
in May, the disclosures were made in Italian and focussed on
relatively obscure, mainly third-party, ActiveX controls.
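The following is an added example, not the Internet Storm Center's
code nor that of any search engine, of the two bug classes behind 2.7
and 2.8, and of the reflected XSS that the history-driven script in
2.2 depends on. A search results page reflects the query into HTML,
first in the vulnerable form and then with encoding for the context
the data lands in; a redirector checks its target against an
allow-list of hosts and refuses the forms used to smuggle an off-site
destination past a naive check. The page template, the host list and
the test inputs are constructed for the example.

```python
import html
from urllib.parse import unquote, urlsplit

# --- Reflected XSS in a search results page ---------------------------------------

# Template constructed for the example: the query lands in an attribute and in text.
RESULTS_PAGE = ('<form><input name="q" value="%s"></form>'
                '<h1>Results for %s</h1>')


def render_results_vulnerable(query):
    """The pattern behind most search-box XSS: the raw query is interpolated into
    HTML, so a query such as "><script>...</script> closes the attribute and runs."""
    return RESULTS_PAGE % (query, query)


def render_results_safe(query):
    """Encode at the point of output for the context the data lands in. html.escape
    with quote=True also encodes the quotes that would otherwise close value="..."."""
    encoded = html.escape(query, quote=True)
    return RESULTS_PAGE % (encoded, encoded)


# --- Open redirector: /redirect?url=<target> ---------------------------------------

# Hosts a redirect may lead to; constructed for the example.
ALLOWED_HOSTS = {"search.example", "mail.example"}


def safe_redirect_target(url):
    """Return a destination the redirector may use, or None when the supplied value
    would leave the allowed hosts. Decoding is applied twice so double-encoded
    separators (%252F%252F) are judged in the form the browser would finally see,
    and backslashes are folded to slashes because browsers treat them that way."""
    candidate = unquote(unquote(url)).strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Site-relative path; a leading "//" would have been parsed as a netloc.
        return candidate if candidate.startswith("/") else None
    if parts.scheme not in ("http", "https"):
        return None                      # javascript:, data:, vbscript:, ...
    if parts.username is not None or parts.password is not None:
        return None                      # http://search.example@evil.example/
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return None                      # also catches search.example.evil.example
    return candidate
```

The two halves share one lesson: the fix lives at the boundary where
untrusted input meets an interpreter (the browser's HTML parser, or
its URL parser), and it has to reason about how that interpreter will
read the data, not about how the input looks to the server.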
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.