Posts Tagged ‘security vulnerability’

RUBotted Popup and Microsoft Bulletins

I’d like to take this minute to publicly thank the donor who bought me a cup of coffee by dropping a tip in my tip jar! Thank you! That was very sweet of you and very much appreciated!

Sometimes it really bothers me to be right!

You may remember that throughout the RUBotted pop-up discussions and my predictions for the year, I stated that:

There will be an IWMD (Internet Weapon of Mass Destruction) launched sometime during this year. It will be considered a mashup blended threat because it will take advantage of the security flaws in a multitude of web apps and will propagate through ad servers.

The keywords in my rants and my predictions have always been that the new malware will be pumped through ad servers. Remember that?

Well, it’s not the huge Weapon of Mass Destruction but it could be heading in that direction.

Microsoft issued a security bulletin today. And it seems there is a bit of a problem with the way Internet Explorer handles CSS. Yes, you’ve read that right. Cascading Style Sheets! A standard on the web!

In fact, here’s what their Bulletin MS09-002 says:

A remote code execution vulnerability exists in the way Internet Explorer handles Cascading Style Sheets (CSS). An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

And as they’ve told us repeatedly, Microsoft knows all about security and all about web standards!

But this is not the BEST part!

The Mitigating Factors section or the conditions in which this vulnerability becomes a problem states:

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

Now, what was it I said in the RUBotted pop-up discussion about ad servers possibly pushing the malware? Hmmm, maybe I’m not such a joke after all Symantec employee – huh?

The other part of that above quoted section makes me want to laugh myself off my chair.

In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

Dear Idiots at Microsoft, if the fracking thing can be exploited through hosted ads, nobody needs to be directed to a website! Nearly every freaking website has hosted ads now!

Am I the only one that sees how lame and ridiculous this is?

So needless to say, if you’ve got your auto-updates turned off as I do, then make sure you install the fix for this baby. But since we know there will be more fixes, just move to Firefox and be done with it!

For the technical information on the new release see: Microsoft Bulletin Summary for February.

On another note, the RUBotted issue. My pop-ups are not as frequent as they were in the beginning, but I’m still getting a few here and there.

I think I’ve found multiple reasons for the message and although I tried to contact TrendMicro through our partner program and their twitter account, no one is responding – so what else is new?

One web site set off my RUBotted pop-up and I found a piece of code in the header that could explain it. The code was trying to activate my Firefox Skype toolbar – which I don’t have.

I’ve inserted the code at the bottom of this post so you can see it for yourself.

Upon researching what this does, I found that this code snippet is inserted by accident when someone is editing a web page and using the Skype toolbar add-on for Firefox.

However, since the Skype toolbar add-on makes it easy to call from Firefox, the JS file associated with this toolbar led me to believe that it was trying to activate something on the toolbar, which set off RUBotted.

Remember, all the RUBotted pop-up messages claim that something is trying to launch a program remotely! And that’s exactly what the script does!
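The two things I keep running into above – hosted ads on nearly every site (the Microsoft bulletin’s own “user-provided content or advertisements” scenario) and an unexpected script sitting in a page header – both come down to the same question: which scripts on a page are served by somebody other than the site itself? Here is a small Python script I’m adding as a worked example (it is not code from the post, from Microsoft, or from Trend Micro) that lists every script tag in a page, tells inline from external, and flags external scripts whose host differs from the page’s own host. The HTML and the host names in it are constructed for the example; the add-on and ad-network hosts are placeholders, not real domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag plus the text of inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "inline": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands us the raw body of <script> as data
        if self._in_script and self.scripts:
            self.scripts[-1]["inline"] += data


def classify_scripts(html, page_host):
    """Return one record per script: kind, host it loads from, first/third-party."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    records = []
    for s in parser.scripts:
        if s["src"]:
            # relative URLs have no hostname and therefore belong to the page itself;
            # protocol-relative "//host/x.js" URLs do carry a hostname
            host = urlparse(s["src"]).hostname or page_host
            origin = "first-party" if host == page_host else "third-party"
            records.append({"kind": "external", "src": s["src"],
                            "host": host, "origin": origin})
        else:
            records.append({"kind": "inline", "snippet": s["inline"].strip()[:60],
                            "host": page_host, "origin": "first-party"})
    return records


def third_party_hosts(html, page_host):
    """Sorted list of hosts other than the page's own that the page pulls scripts from."""
    return sorted({r["host"] for r in classify_scripts(html, page_host)
                   if r["origin"] == "third-party"})


# Constructed sample page: one site script, one ad-network script, one script
# resembling a browser-add-on injection, and one inline script. Hosts are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://ads.example-adnetwork.test/serve.js"></script>
<script src="//toolbar.example-addon.test/inject.js"></script>
<script>var pageReady = true;</script>
</head><body><p>hello</p></body></html>"""

if __name__ == "__main__":
    for rec in classify_scripts(SAMPLE_HTML, "example.com"):
        print(rec)
    print("third-party script hosts:", third_party_hosts(SAMPLE_HTML, "example.com"))
```

Run it against a saved copy of any page that sets off a pop-up for you, with the page’s own host as the second argument; anything in the third-party list is a script the site owner did not write, and those are the ones worth looking at first.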

(To see the JS file associated with this script code, visit here: Koders Code Search.)

Next, I have seen several other pop-ups associated with Flash files on a web site – either ads or just plain flash files on a web site.

Did you ever notice how you can right click over a flash file and get to the settings?

Just go to adobe.com and there’s a huge flash section in the upper section. Right mouse click and select the settings.

The first thing that appears is the privacy settings and you can allow or deny flash player to access your web cam or microphone – if you have them – and I do.

What if, there’s something attempting to access the flash player on those sites that are giving us the pop-up?

I don’t have the answer yet because it’s very time consuming and quite difficult to go through every flash ad and try to reverse engineer it to find out what it’s doing.

But I was correct about the ad servers and malware, just didn’t know about the CSS vulnerability. How many other ad server vulnerabilities are there that we still don’t know about? Or is this someone doing some testing for the next round of malware?

So, who’s to say I’m not right about these flash pop-ups either?

There is one flaw in my thinking however. My housemate didn’t have Flash Player installed when he first got hit with his pop-up. And he doesn’t have a web cam or a microphone.

But! Could his pop-ups have been related to the Skype toolbar issue? Or something else?

I’ve had several people contact me with theories and thoughts, and another big possibility is the attempt to launch your messaging program, chat, or instant messenger.

We continue investigating flash files, JavaScript files, and lines and lines of code!

Apple Mac Arrogance or Pure Stupidity Part 3

On the heels of my last blog post (yesterday), carrying some valid, but slightly older data about Apple’s method of handling security, I received an interesting – UP-TO-DATE – InfoWorld Newsletter with the headlines: Apple servers still vulnerable to DNS flaw.

A month after a critical flaw in the Internet’s Domain Name System was first reported, security experts are warning that updates introduced by Apple last week may not go far enough to combat the threat.

Even Microsoft updated and patched this, and we know how much I just LOVE Microsoft! Apple, when are you going to get a clue? What’s it going to take? The clock’s ticking…tick, tock, tick, tock, tick…

OXYMORON: Microsoft Security Tools

As much as I preach and preach in my courses about Microsoft and their lame excuse for security – whether within their code or in an alleged security application – people continue to get suckered into the delusional image Microsoft presents about knowing what’s best for you in security.

I’ve posted before about this so I won’t rehash the same old arguments. I’m just going to illustrate YET ANOTHER reason why I continue to harp on the subject in an effort to educate users about the subject of their security.

I was reading my RSS feeds and ran across the current Microsoft Security Bulletin summary for May. Don’t know why I felt compelled to read it – I just did.

Published on May 13th (so I’m a little behind but give me a break, our PC Security course just launched!), the bulletin summary contains a “Moderate” severity listing hidden under the lovely plus signs [+] they use liberally to discourage people from actually reading the details.

First, if you click the link to see just what a Moderate severity rating is, you are taken to a page that explains the rating in such terms as: exploitability, mitigated, default configuration, and auditing. Yeah, right! I’m sure you all understand that right?

But okay, let’s give them a break since the technical writer was probably a nerd.

Moving on….. I click the nefarious plus sign [+] to expose the underlying dirt that M$ doesn’t want us to see. And what do I get?

This bulletin title:

Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044)

Imagine that! A vulnerability in another Microsoft product!

Okay, so I’m not surprised by that, but what interests me is the fact that it’s in the Malware Protection Engine of their product. So, hmmmmm, I wonder… “could that be one of their so-called security products?” I ask myself as I start reading further.

I hit the jackpot! Not only is it one of their so-called security products, it’s a good many of them!

Specifically, the affected software is: Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security.

So now I’m REALLY interested! I clicked the link to go to the actual full bulletin – which is located here if you want to follow the whole story with me: http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx

And once again tackling the plus signs [+] I get to see the “down and dirty” details of what’s really going on here!

There are two specific CVE references to this vulnerability:

1. Microsoft Malware Protection Engine Vulnerability- CVE-2008-1437

2. Microsoft Malware Protection Engine Vulnerability- CVE-2008-1438

(For those who do not know, the CVE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security and they track all reported vulnerabilities.)

The first one is pretty odd and just annoying. The vulnerability causes their software engine to “hang and reboot”. And that’s different from any other Microsoft program because?????

The second CVE report is what’s fascinating to me and interesting the way M$ plays it down in the initial bulletin.

CVE reports:

…allows context-dependent attackers to cause a denial of service (disk space exhaustion) via a file with “crafted data structures” that trigger the creation of large temporary files, a different vulnerability than CVE-2008-1437.

To translate that into common, everyday language: the vulnerability allows an attacker to supply a specially crafted file (the “crafted data structures”) that, when the Microsoft product scans it for malicious content, makes the scanner create large temporary files until all your disk space is used up (disk space exhaustion), which leaves you unable to use your computer (denial of service).

I vaguely remember an old virus that used to do that!

The updated fix is available, but that’s not the point. (Although if you’re running this garbage, you should update immediately!)

The point is Microsoft has been selling you a line of marketing bull sh**!

Here are their sales pitches, directly from their website:

Microsoft Forefront – Trial Downloads
Help secure your servers, clients, and network edge with these free software trials from Microsoft Forefront.

Protect Your PC From Viruses, Spyware & Other Problems
Protecting your PC is easy with Windows Live OneCare-Download a Free Trial

Microsoft Security At Home – Help Prevent Identity Theft, Spyware …
Learn about how to protect your home computer, data, and family from viruses, phishing, identity theft, spyware, and email hoaxes. Learn about online child safety. Microsoft …

Which leads you to these recommended products:

Security Products
· Windows Defender
· Windows Live OneCare
· Windows Live OneCare Safety Scanner
· Microsoft Phishing Filter
· Windows Vista: Parental Controls
· Xbox Family Settings
· Windows Live OneCare Family Safety

Anyone else see a problem with this besides me? (HINT: I’ve bolded all the products they’re wanting you to use for your security that were affected by this vulnerability!) I’m going to trust a company who has never put security first since day one and can’t even build a secure product designed to be secure to protect me???

Oh, and in case you don’t want to go read what caused this vulnerability in the first place, here’s the actual cause described by Microsoft in the bulletin – under the plus signs of course!

CVE-2008-1437 portion of the vulnerability: The Microsoft Malware Protection Engine does not properly validate input when parsing specially crafted files.

CVE-2008-1438 portion of the vulnerability: The Microsoft Malware Protection Engine does not properly validate certain data structures when parsing files.

Now let me see….. security means, in part, authentication and validation of data, access, and execution of files. And it seems that Microsoft managed to botch the major portion of that basic programming again!
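Since the whole point above is “validate your input before you act on it”, here is what that looks like in code for exactly the failure the CVE-2008-1438 text describes (a declared size in a crafted file that drives the creation of huge temporary files). This is an example I’m adding, not Microsoft’s engine or any real file format: the TOYPKG container, its header layout, and the size limits are all made up for the demonstration. The parser checks every declared value against a hard limit and against what is actually present in the file before a single byte is copied to temporary storage, and it keeps a running budget for total temp usage.

```python
import struct
import tempfile

# Toy container: MAGIC, u32 entry count, then count x (u32 length, bytes). Assumed format.
MAGIC = b"TOYPKG"
MAX_ENTRIES = 64               # policy limits for this example, not real product values
MAX_ENTRY_BYTES = 1 << 20      # 1 MiB per entry
MAX_TOTAL_TEMP_BYTES = 4 << 20 # 4 MiB of temp storage per scanned file


class UntrustedInputError(ValueError):
    """Raised when a declared value in the file cannot be trusted."""


def parse_entries(blob):
    """Parse a TOYPKG blob into a list of entry payloads.

    Every size the file declares is checked (a) against a hard policy limit,
    (b) against the bytes actually remaining, and (c) against the total
    temp-storage budget, before the bytes are touched."""
    if not blob.startswith(MAGIC):
        raise UntrustedInputError("bad magic")
    pos = len(MAGIC)
    if len(blob) < pos + 4:
        raise UntrustedInputError("truncated header")
    (count,) = struct.unpack_from(">I", blob, pos)
    pos += 4
    if count > MAX_ENTRIES:
        raise UntrustedInputError(f"entry count {count} exceeds limit {MAX_ENTRIES}")

    entries = []
    budget = MAX_TOTAL_TEMP_BYTES
    for i in range(count):
        if len(blob) < pos + 4:
            raise UntrustedInputError(f"entry {i}: truncated length field")
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if length > MAX_ENTRY_BYTES:
            raise UntrustedInputError(f"entry {i}: declared {length} bytes, limit {MAX_ENTRY_BYTES}")
        remaining = len(blob) - pos
        if length > remaining:
            raise UntrustedInputError(f"entry {i}: declares {length} bytes but only {remaining} remain")
        if length > budget:
            raise UntrustedInputError(f"entry {i}: total temp budget of {MAX_TOTAL_TEMP_BYTES} exceeded")
        budget -= length
        entries.append(blob[pos:pos + length])
        pos += length
    return entries


def extract_to_temp(blob):
    """Spill validated entries to a temp file (as a scanner might); returns bytes written.
    Because parse_entries already enforced the budget, this can never write more
    than MAX_TOTAL_TEMP_BYTES, whatever the file claims."""
    written = 0
    with tempfile.TemporaryFile() as tmp:
        for payload in parse_entries(blob):
            tmp.write(payload)
            written += len(payload)
    return written


def is_rejected(blob):
    """True if the validating parser refuses the blob without writing anything."""
    try:
        parse_entries(blob)
        return False
    except UntrustedInputError:
        return True


def make_blob(payloads):
    """Build a well-formed TOYPKG blob (constructed test input)."""
    body = b"".join(struct.pack(">I", len(p)) + p for p in payloads)
    return MAGIC + struct.pack(">I", len(payloads)) + body


# Constructed crafted inputs: one declares a ~4 GiB entry backed by a single byte,
# one declares two billion entries. Both are rejected before any disk I/O.
CRAFTED_HUGE_ENTRY = MAGIC + struct.pack(">I", 1) + struct.pack(">I", 0xFFFFFFFF) + b"x"
CRAFTED_HUGE_COUNT = MAGIC + struct.pack(">I", 0x7FFFFFFF)

if __name__ == "__main__":
    print("valid file ->", extract_to_temp(make_blob([b"hello", b"world"])), "bytes written")
    print("huge entry rejected:", is_rejected(CRAFTED_HUGE_ENTRY))
    print("huge count rejected:", is_rejected(CRAFTED_HUGE_COUNT))
```

The design choice worth copying is that the check “declared length versus bytes actually remaining” is done with the length field alone; the crafted file never gets to dictate how much disk the scanner consumes, which is the whole of what “properly validate certain data structures” was supposed to mean.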

So, I reiterate: Using Microsoft and security in the same sentence is an oxymoron.

Yeah, I think I’ll trust them with my security! NOT!
