Software
Interesting software on all platforms

  Tuesday, November 14, 2006


Exploit Targets Widely Deployed Wireless Flaw.

A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops from HP, Dell, Gateway and other computer makers. An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet, so be forewarned that reading the rest of this post could make you awfully leery of that guy sitting in the corner booth at Starbucks gleefully clacking away on his laptop.

According to the latest addition to the Month of Kernel Bugs project, the vulnerability resides in a flawed device driver from Broadcom Corp. that is bundled with many different laptops and built into some devices made by Linksys and Zonet. The flaw is exploitable on vulnerable Windows machines whether or not the machine is connected to a wireless network. In fact, it is the wireless card's background scan for available wireless networks that apparently triggers the flaw.

Security researcher Johnny "Cache" Ellch said he reported the bug to Broadcom last month, and that the exploit code he released today is tailored to work on a very specific version of the Broadcom driver (Version 3.50.21.10). Still, he said, it appears that every version except a brand new one currently being distributed is vulnerable.

"The exploit only needs to be modified slightly for other versions," Ellch wrote in an online chat conversation with Security Fix.

The Broadcom flaw also highlights a serious set of problems with fixing security vulnerabilities in device-driver software. For starters, who is responsible for shipping a patch? Many different companies use Broadcom chips and rebrand the hardware and drivers as their own. Linksys appears to be the only vendor that has a downloadable update for some of its affected devices. In addition, it's not clear what sorts of mechanisms the PC makers have in place to push updates (should they become available) out to customers.

Apparently, these are questions that a number of security experts are also asking now. In an alert jointly posted today by the Zeroday Emergency Response Team (ZERT is the group that made headlines earlier this year for releasing an unofficial patch to fix a dangerous Windows flaw), the Metasploit Project, the SANS Internet Storm Center and SecuriTeam, the groups explained why writing a one-size-fits-all patch would not work in this instance.

"Though most of these vendors and manufacturers use the same basic driver, it differs enough that in most cases a single patch just won't cut it," the groups wrote in their alert. "Further, building a patch for all the different drivers from each vendor and all their versions, as well as test against them, is impractical."

Paul Vixie, a ZERT volunteer, said Microsoft's Windows Update and Automatic Update patch deployment network could play a huge role in pushing fixes out to affected machines, but he said that process would likely be complicated and take some time.

"Any way they try to address this is going to be a mess, and moving the fix to the user is going to be a lot like moving water with a fork," Vixie said. "This is dangerous because we know that people who like to do bad things are going to take advantage of this, that's no longer an open question."

There is evidence to suggest the Linksys patch may plug the security hole in certain operating systems, but it's not altogether straightforward and we may not be at the stage where it would be responsible to explain how to do that. I suspect that a number of PC makers will come forward with updates to fix this problem in the coming days and weeks, and Security Fix will point to those as they are made available.

In the meantime, many laptops sold these days come with a button you can push to disable the built-in wireless card. If your laptop came with one of those, it might not be a bad idea to get into the habit of using it.

[Security Fix]
8:19:41 PM    

A Little Patch Housekeeping.

Security Fix has been a tad sparse on patch updates lately because I've been taking some use-it-or-lose-it vacation time. The time off served as a good reminder of how quickly the programs on your machine can get outdated in just a few weeks' time.

Last Tuesday, Mozilla released security updates for its Firefox Web browser and Thunderbird e-mail software. The Firefox updates fixed at least three separate "critical" security bugs in the browser, but people using the new 2.0 version of Firefox do not have to worry. Normally, Firefox will alert you when there are updates available; for some reason, my copy of Firefox 1.5.0.7 didn't, but I was able to download the 1.5.0.8 update by clicking on "Help" and then "Check for Updates."

Speaking of browser updates, I'm way late on blogging about an important update for Opera users. In mid-October, the company shipped a patch to fix what appears to be a very serious and easy-to-exploit flaw in the browser that bad guys could use to install software just by getting an Opera user to click on a really long hyperlink. The vulnerability is present in versions 9.0 and 9.01 on Windows and Linux (version 8.x is reportedly not affected). Opera 9.0 users should make sure they're using the latest version, v. 9.0.2.

There is also a new version of AOL's Nullsoft Winamp media player available that fixes what appear to be a pair of pretty serious security holes. The current, patched version is Winamp 5.31.

Finally, my personal favorite software application to write about -- Java -- also received more updates recently. The current version of the J2SE Runtime Environment (something most people probably don't even know is on their machine) is JRE 5.0 Update 9. There do not appear to be any security fixes in Update 9 that weren't also included in Update 8, but for some reason I never covered Update 8 when it was released, so I'm mentioning it here. If you are running Update 8 already, I see no reason to go through the whole process again unless you're having problems with the program. Remember, it's important to uninstall any previous versions of Java that remain on your machine after updating.

[Security Fix]
8:17:06 PM    

Report: Firefox 2.0 Trumps IE7 In Phish-Fighting.

Update, 3:24 PM ET: The text below was changed to clarify Mozilla's role as author of the report and the role of third-party testing and verification companies. Also, the data about this report that I promised earlier can be found at this link.

Original Post from Earlier Today:

The newly released Mozilla Firefox 2.0 and Microsoft Internet Explorer 7 Web browsers both include new technology to help flag and block phishing sites -- those authentic-looking Web sites set up by scammers to trick users into entering personal financial information.

So how do the browsers stack up against one another in a no-holds-barred, anti-phishing slugfest? One third-party test that pitted the browsers against two weeks' worth of phishing sites concluded that Firefox's phish net may have fewer holes than IE's.

The evidence comes in a report released today by Mozilla which shows the results of testing each browser against the same phishing sites flagged by contributors to Phishtank, an anti-phishing network run by OpenDNS. Mozilla is the author of the report, but they hired software testing firm SmartWare to conduct the testing, and they commissioned iSEC Partners to validate the test methodology and findings.

Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not.

Before I go any further with the numbers, I think it's important to offer a little background on how the phish-filtering technology is set up within both browsers. With IE7, the user is asked upon installation whether he wants to allow the browser to auto-check all Web sites against a Microsoft database. (More about how this technology works in IE7 is online here, and the obvious privacy issues are discussed here.)

Firefox's default setting, in contrast, uses a blacklist of known phishing sites that is stored on the user's computer and updated approximately every 30 minutes. Alternatively, Firefox users can opt to turn auto-detect on, in which case the browser will check Web sites the user visits by checking them against a database maintained by Google. (More about the service is online here.)

Back to the numbers: The testers found that with IE7's auto-check turned off, the browser blocked less than two percent of all phishing sites thrown at it. With the phone-home option turned on, IE blocked 66 percent of the scam sites.

In its default configuration, Firefox 2.0 blocked close to 79 percent of all phishing sites during the test period; with the "Ask Google" option enabled, Mozilla's browser blocked nearly 82 percent of all scam pages.

While I applaud Microsoft and Mozilla for their first efforts, the reality is that -- depending on which browser (and setting) you use -- anywhere from 20 to 40 percent of the phishing scams are going to sneak past undetected. I'm not saying this is an easy problem to solve: It certainly isn't. But I'm left wondering whether a stronger "whitelist" approach that involves identifying legitimate banking sites might prove to be a more effective strategy, or at least a highly complementary one.

As Security Fix noted last week, Mozilla, Microsoft and other browser makers are teaming up with Web site certificate authorities to try to make it more obvious when a user is truly at a verified banking site as opposed to a convincing fake. It may turn out that phishers will come up with a clever way to spoof these "supercerts" as well. But it seems to me that combined with an oft-updated blacklist, the whitelist approach has the greatest potential to bring the number of phishing scams that go undetected by either browser well down into the single digits.

Avivah Litan, an online fraud analyst with Gartner Inc., agreed. "With crooks moving these phishing sites from place to place within minutes, it's really hard to keep a blacklist up-to-date," Litan said. "The future of [browser-based anti-phishing technology] is whitelisting, backed up with heuristics" that allow the browser to detect unidentified phishing links as suspicious.

For its part, Microsoft pointed to a report the company commissioned earlier this year that gave Microsoft's anti-phishing measures top marks compared with other browsers and technologies. The report highlights the fact that IE7 didn't raise any alarm bells about legitimate sites, a problem known in the business as a "false positive." It's not hard to see why that factor alone would be a paramount concern for Microsoft: A legitimate company whose site was errantly blocked by IE7 most likely would file a lawsuit against Microsoft in a heartbeat.

The SmartWare study doesn't appear to have addressed the problem of false positives to any meaningful degree. Still, what I especially like about the Phishtank-based study is that it is premised on open-source information that everyone has the same access to. In contrast, the founders of 3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."
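As an added illustration of the layered approach the preceding paragraphs describe (a whitelist of verified legitimate sites, a locally stored blacklist, and heuristics as a backstop) and of why whitelisting keeps false positives at zero for known-good sites, here is a small Python model. It is not code from Mozilla, Microsoft, SmartWare, 3Sharp or the Phishtank project; the domain lists, brand tokens, thresholds and sample URLs are all constructed for the example, and the `registrable_domain` helper is a deliberate two-label approximation rather than a public-suffix lookup.

```python
"""
Tiered phishing-URL check: whitelist first (no false positives for known
legitimate sites), then a local blacklist (standing in for the on-disk list
a browser refreshes periodically), then cheap heuristics as a backstop.
Everything below is constructed for illustration, not a real data feed.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

# Constructed whitelist of registrable domains treated as verified-legitimate.
WHITELIST = {"examplebank.com", "mozilla.org", "microsoft.com"}

# Constructed local blacklist of hostnames (a real list holds URLs or hashes).
BLACKLIST = {"examplebank-verify.example", "secure-login.example"}

# Brand tokens that should only ever appear in hosts of whitelisted domains.
BRANDS = ("examplebank", "paypal", "mozilla")


def registrable_domain(host: str) -> str:
    """Last-two-labels approximation of the registrable domain (demo only)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_host(host: str) -> bool:
    """True when the host component is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def heuristic_flags(url: str) -> list[str]:
    """Names of the heuristics that fire for a URL; empty list if none."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    flags = []
    if is_ip_host(host):
        flags.append("ip-address-host")
    if parts.username is not None:  # "http://bank.example@203.0.113.5/" trick
        flags.append("userinfo-in-url")
    if host.count(".") >= 4:
        flags.append("excessive-subdomains")
    if len(url) > 120:
        flags.append("very-long-url")
    if any(brand in host for brand in BRANDS):
        flags.append("brand-in-unverified-host")
    return flags


def classify(url: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons). Whitelist wins outright, then blacklist,
    then heuristics; anything else is 'unknown' and would slip through."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in WHITELIST:
        return "allow", ["whitelisted"]
    if host in BLACKLIST:
        return "block", ["blacklisted"]
    flags = heuristic_flags(url)
    if flags:
        return "warn", flags
    return "unknown", []


def coverage(phish_urls: list[str], legit_urls: list[str]) -> dict:
    """Share of phishing URLs caught by the blacklist alone vs. the full
    tiered check, plus how many legitimate URLs were wrongly flagged."""
    caught = ("block", "warn")
    bl_only = sum((urlparse(u).hostname or "").lower() in BLACKLIST for u in phish_urls)
    tiered = sum(classify(u)[0] in caught for u in phish_urls)
    false_pos = sum(classify(u)[0] in caught for u in legit_urls)
    n = len(phish_urls)
    return {"blacklist_only": bl_only / n, "tiered": tiered / n,
            "false_positives": false_pos}


# Constructed sample set: phishing URLs and legitimate URLs.
PHISH_SAMPLE = [
    "http://examplebank-verify.example/login",
    "http://secure-login.example/update",
    "http://203.0.113.5/examplebank/signin",
    "http://examplebank.com@203.0.113.5/",
    "http://examplebank.com.account.update.secure.example/",
    "http://www.paypal-account-check.example/cgi-bin/webscr?cmd=_login-run&dispatch=" + "a" * 80,
    "http://cheapdeals.example/offer",  # nothing fires: the kind that gets through
]
LEGIT_SAMPLE = [
    "https://www.examplebank.com/online/banking/login?session=" + "x" * 100,  # long but whitelisted
    "https://www.mozilla.org/en-US/firefox/",
    "https://news.example/story",
]

if __name__ == "__main__":
    for u in PHISH_SAMPLE + LEGIT_SAMPLE:
        print(classify(u), u[:60])
    print(coverage(PHISH_SAMPLE, LEGIT_SAMPLE))
```

The ordering is the point: because the whitelist is consulted first, the long legitimate banking URL is allowed even though the length heuristic would otherwise fire, which is the false-positive property Microsoft's report emphasises, while the blacklist-only figure is far lower than the tiered one, mirroring the gap between a stale list and Litan's "whitelisting, backed up with heuristics". The last phishing URL is deliberately uncaught to show that some share still gets past every tier.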

Incidentally, any serious Mozilla-using phish fighters out there who want an easier way to submit "phishy" sites to Phishtank should check out this Firefox add-on.

[Security Fix]
8:15:21 PM    

Microsoft Patches 9 Security Holes.

Microsoft Corp. today issued patches to mend at least nine separate vulnerabilities in its Windows operating systems and other software, including three security holes that criminal hackers already are exploiting. As always, users can download and install the patches via Microsoft Update or through the company's Automatic Updates service.

The new patches fix at least three vulnerabilities in Internet Explorer that hackers could use to install malicious software just by getting victims to visit a specially crafted Web site. One of the IE problems also is exploitable if a recipient merely views a tainted HTML message in an e-mail preview pane. Microsoft said the IE flaws are far less of a problem on Windows Server 2003 systems and for users of IE7, as the default security settings on those systems won't allow exploitation of the flaws.

While it doesn't address a vulnerability in IE specifically, a separate patch issued today corrects a flaw in the Windows "Microsoft Agent" service that also could be exploited just by convincing someone to visit a site that takes advantage of the security hole.

Another update fixes serious flaws in Adobe's Macromedia Flash Player, a component bundled with Windows XP systems. Adobe issued an update in September to fix this flaw, and provides more detail in its own writeup, which covers five separate Flash vulnerabilities. It is not unheard of for sites to try and use Flash vulnerabilities to install malicious programs, so don't ignore this important update.

Microsoft also fixed a critical bug present in the "workstation service" on Windows XP and Windows 2000. This bug is less of a problem for home users (assuming they have a firewall running) and more of a concern for businesses, as it would most likely be exploited once the attacker already has access to the company's internal network.

Also addressed in this month's patch batch are two critical flaws -- one in Microsoft's "XML Core Services" and the other in the "Client Service for Netware" -- neither of which is installed by default on Windows machines.

Finally, a note about the wireless device driver flaw that I wrote about this past weekend. I said I'd circle back if more vendors released updates, and it turns out that HP issued a patch in October to fix this flaw. HP users should be able to install this patch by visiting Microsoft Update, letting it scan, and then selecting the "Hardware/Optional" option at the left-hand side of the screen. This worked on my HP laptop, and there may be updates for this flaw from other affected PC makers (Dell and Gateway come to mind).

I think it's great that Microsoft is offering Microsoft Update as a distribution mechanism for serious flaws in the PCs made by third parties, but most people probably would not know to check that portion of Microsoft Update, and I can't recall ever seeing any alerts from HP about this important patch.

[Security Fix]
8:13:11 PM    


© Copyright 2006 Paul Hardwick.
Last update: 12/6/06; 5:32:37 AM.
