<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6529376</id><updated>2011-04-21T19:59:50.166-07:00</updated><title type='text'>Internet Privacy &amp; Security Interest Group </title><subtitle type='html'>We will discuss issues related to privacy and security on the internet.  Spyware, Anti-Spyware, Privacy, and Security Software products will be discussed and reviewed as well.  Internet privacy and security news, resources, tips, and education topics will be discussed as well. Let us know your good and bad experiences and what online tools and software work for you.
 </subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://spy-ware-solutions.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://spy-ware-solutions.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>David</name><uri>http://www.blogger.com/profile/06763492327461124931</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>5</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6529376.post-110541513944544821</id><published>2005-01-10T19:34:00.000-08:00</published><updated>2005-01-11T09:17:20.513-08:00</updated><title type='text'></title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Monday, 10 January 2005&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-family:Arial;font-size:85%;"&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;&lt;span style="color:#ff0000;"&gt;IE Flaw Exploited&lt;/span&gt;&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;by Matthew Broersma, &lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Techworld.com&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;&lt;strong&gt;&lt;em&gt;Security firm identifies exploit technique for known browser hole&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;span 
style="font-size:85%;"&gt;Internet Explorer has become an even bigger security risk – even under &lt;/span&gt;&lt;/strong&gt;&lt;a class="iAs" style="COLOR: darkgreen; BORDER-BOTTOM: darkgreen 1px solid; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" href="http://www.pcadvisor.co.uk/index.cfm?go=news.view&amp;news=4429#" target="_blank"&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt;Windows XP&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt; SP2 – with the publication of a new and extensive exploit. &lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Security researchers have warned that the exploit, which takes advantage of known loopholes in SP2, could allow an attacker to run script code on a user's system via a specially crafted &lt;/span&gt;&lt;/strong&gt;&lt;a class="iAs" style="COLOR: darkgreen; BORDER-BOTTOM: darkgreen 1px solid; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" href="http://www.pcadvisor.co.uk/index.cfm?go=news.view&amp;news=4429#" target="_blank"&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt;web page&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-size:0;"&gt;.&lt;/span&gt; &lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;The holes involved have been known publicly for more than two months, but previous exploit techniques required the victim to take actions such as dragging an image from one part of a &lt;/strong&gt;&lt;/span&gt;&lt;a class="iAs" style="COLOR: darkgreen; BORDER-BOTTOM: darkgreen 1px solid; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" href="http://www.pcadvisor.co.uk/index.cfm?go=news.view&amp;news=4429#" target="_blank"&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;web&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span 
style="font-size:85%;"&gt;&lt;strong&gt; page to another.&lt;/strong&gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;strong&gt;The new exploit – a demonstration of which has been published by Danish security firm Secunia – is fully automated, requiring the user only to visit a web page in Explorer. Other browsers and &lt;/strong&gt;&lt;/span&gt;&lt;a class="iAs" style="COLOR: darkgreen; BORDER-BOTTOM: darkgreen 1px solid; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" href="http://www.pcadvisor.co.uk/index.cfm?go=news.view&amp;news=4429#" target="_blank"&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;operating systems&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt; aren't affected. Secunia has raised its warning level to its highest, "extremely critical."&lt;/strong&gt; &lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Security group Greyhats warned of the new type of exploit in an advisory in late December. Secunia then upgraded its advisory to "extremely critical" and published a demonstration based on a proof-of-concept by a researcher known as ShredderSub7. US-CERT, the US computer security alert organisation, has also published an advisory on the issue. &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a class="iAs" style="COLOR: darkgreen; BORDER-BOTTOM: darkgreen 1px solid; BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline" href="http://www.pcadvisor.co.uk/index.cfm?go=news.view&amp;amp;news=4429#" target="_blank"&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt;Microsoft&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt; has warned users to turn off IE's 'Drag and drop or copy and paste files' option as a partial solution. 
The danger can also be lessened by setting security levels to high for the 'internet' zone or, as several security firms pointed out, using another browser. &lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;The exploit is the first major weakness in SP2 to have surfaced. Microsoft is promoting SP2, released last summer, as a solution to many of Windows' worst security problems. &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt;Researchers have identified three separate but related issues in IE: a bug in the validation of certain drag-and-drop events, and zone restriction errors with embedded HTML Help ActiveX controls. The first problem can be avoided by disabling the 'Drag and drop or copy and paste files' option, but the new exploit doesn't rely on this particular bug, researchers said.&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;The HTML Help control exploit bypasses one of SP2's key features, the 'Local Machine' zone lock down, designed to make it far more difficult for attackers to execute script on a local system&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;.
&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6529376-110541513944544821?l=spy-ware-solutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/110541513944544821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/110541513944544821'/><link rel='alternate' type='text/html' href='http://spy-ware-solutions.blogspot.com/2005_01_01_archive.html#110541513944544821' title=''/><author><name>David</name><uri>http://www.blogger.com/profile/06763492327461124931</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6529376.post-109795368041923355</id><published>2004-10-16T13:00:00.000-07:00</published><updated>2004-10-16T12:08:00.420-07:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;&lt;span style="font-family:arial;"&gt;Personal Firewall—Don't Surf Without It&lt;/span&gt;&lt;/strong&gt; &lt;span style="font-family:arial;font-size:85%;"&gt;&lt;strong&gt;(Reprinted From &lt;span style="color:#ff0000;"&gt;PC Magazine&lt;/span&gt; which is a great computer privacy and security resource)&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;By &lt;/span&gt;&lt;a class="authorsource" href="http://www.pcmag.com/author_bio/0,1772,a=184,00.asp"&gt;&lt;span style="font-family:arial;"&gt;Neil J. 
Rubenking&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;A personal firewall should protect your computer against external attacks by hackers or worms and against internal betrayal by spyware or Trojan horse programs. It shouldn't inundate you with alerts or otherwise interfere with normal computer use&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;We tested new versions of two well-known firewalls in three distinct ways. On a direct, unprotected connection to the Internet we ran a dozen Web-based tests to ensure that all ports were stealthed—completely hidden from the outside. We ran ten leak test programs—single-purpose utilities that attempt to circumvent the firewall in the same way a worm or Trojan might. Finally, we took the gloves off and attacked the firewall process using techniques available to a malicious program.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a class="summary_link" href="http://www.pcmag.com/article2/0,1759,1665091,00.asp?p=2"&gt;Click here to read the full review&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6529376-109795368041923355?l=spy-ware-solutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/109795368041923355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/109795368041923355'/><link rel='alternate' type='text/html' href='http://spy-ware-solutions.blogspot.com/2004_10_01_archive.html#109795368041923355' title=''/><author><name>David</name><uri>http://www.blogger.com/profile/06763492327461124931</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6529376.post-109347355194799429</id><published>2004-08-25T15:05:00.000-07:00</published><updated>2004-08-25T15:39:11.946-07:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;&lt;span style="color:#330099;"&gt;Reprinted from PC Magazine's Online Security Watch Newsletter, a great privacy and security resource.  Please post your comments below.&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#330099;"&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#330099;"&gt;Thanks,&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#330099;"&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#330099;"&gt;Dave&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#ff0000;"&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#ff0000;"&gt;Security Watch Special: Windows XP SP2 Has a Dangerous Hole&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;By Jay Munro, August 25, 2004&lt;br /&gt;&lt;br /&gt;Microsoft will make Windows XP Service Pack 2 available to the general public this week, but the enthusiasm for the first significant OS update in almost two years is now competing with worries over discoveries and claims of &lt;a href="http://www.eweek.com/article2/0,1759,1638492,00.asp"&gt;new holes and vulnerabilities&lt;/a&gt;. Through an anonymous tip, we confirmed a core vulnerability in the Windows Security Center, the new control panel for a PC's security status. Another unpatched hole has been found in Internet Explorer; it affects Version 5.01 and later, including on an SP2-updated system. The hole allows an attacker to download a malicious executable to the user's system without their knowledge.
For more on this IE flaw, see our Windows updates and vulnerabilities section.&lt;br /&gt;&lt;br /&gt;This week's tip also deals with the new SP2 security; we show you how to open ports to allow products like PCAnywhere to work correctly. For more on the potential spoofing of the Windows Security Center, see our Top Threat.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;&lt;strong&gt;Top Threat: Windows Security Center Spoof&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Windows XP Service Pack 2 promises to raise the security bar for the sometimes beleaguered operating system. Unfortunately, one of the new features could be spoofed so that it reports misleading information about system security, or worse, lets a malicious program watch for an opportunity to do damage without being detected. The feature is the Windows Security Center (Figure 1), which displays the status of the key elements of your defenses: Firewall, Updates, and Antivirus. If your firewall has been disabled, or your antivirus is out of date, that news will display here. The information is stored in an internal database managed by the Windows Management Instrumentation (WMI) subsystem built into Windows.&lt;br /&gt;&lt;br /&gt;Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater. Due to the nature of WMI, it could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_start_page.asp" target="_blank"&gt;According to Microsoft&lt;/a&gt;, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry standard for accessing management information on a system. For Windows XP Service Pack 2, Microsoft added new fields or records to keep track of the Firewall and Antivirus information in the WMI database. Unfortunately, the WMI database is designed to be accessible via the WBEM API (application program interface) and is available to any program that wants to access the WMI. These programs can be desktop applications written in desktop- or web-based scripting or ActiveX modules.&lt;br /&gt;&lt;br /&gt;This open door to the security status of a system can be exploited several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our &lt;a href="http://www.pcmag.com/article2/0,1759,1639281,00.asp"&gt;Windows updates and vulnerabilities section&lt;/a&gt;), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.&lt;br /&gt;&lt;br /&gt;Some existing malicious programs attack the antivirus or firewall directly, using techniques specific to the security product. These attacks are almost invariably blocked when security is turned on. The malicious program could wait until the security products are temporarily disabled, but do to that currently they would have to monitor the products directly, which again would trigger alarms. However, a program just casually checking WMI may be ignored by security programs. When WMI reports that protection is off, the malicious program could permanetly disable the security protection and remain undetected. 
Because the WMI database is not set to be a read-only file, the attacking program could simply change the disabled product's status to "up-to-date" and "enabled" to avoid suspicion. The WMI database and subsystem do not care what the actual state of the product is, only that they were told things are okay.&lt;br /&gt;&lt;br /&gt;Beyond that, it is also possible to use WBEM API functions to add a firewall or antivirus listing that didn't previously exist. In our example, we used a reasonably simple script to add fake antivirus and firewall product listings to the Windows Security Center. In both cases, we told WMI that they were up to date and enabled.&lt;br /&gt;&lt;br /&gt;The WMI and WBEM interface has been well documented both on the Microsoft Developer's Network and in other places on the web. We were able to find some references on the web to the namespace and objects that the Windows Security Center uses, though no references to it being exploited, yet.&lt;br /&gt;&lt;br /&gt;However, it's almost like Microsoft has given attackers the path, door and keys: Windows itself contains a test utility, WBEMTEST.EXE, that allows you to view, add and edit the values in the WMI. In addition, files associated with the utility provide the namespace, classes, and data types associated with the Windows Security Center, all in plain text. The danger in this utility is not that it can edit the WMI, but that it lets a malicious developer learn the data and fields needed to do the spoof.&lt;br /&gt;&lt;br /&gt;While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error and not allow changes. Unfortunately, most home users, who will be at risk, run in the default administrator mode.
&lt;br /&gt;&lt;br /&gt;When we contacted Microsoft for comment, a spokesperson said that the company was not aware of this issue, but would investigate. They had not responded further at press time.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6529376-109347355194799429?l=spy-ware-solutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/109347355194799429'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/109347355194799429'/><link rel='alternate' type='text/html' href='http://spy-ware-solutions.blogspot.com/2004_08_01_archive.html#109347355194799429' title=''/><author><name>David</name><uri>http://www.blogger.com/profile/06763492327461124931</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6529376.post-108697292647582148</id><published>2004-06-11T09:50:00.000-07:00</published><updated>2004-06-11T09:55:26.476-07:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Reprinted from PC Magazine's "Location, Location, Location" article written by Alan Cohen on June 22, 2004.  PC Magazine is one of the best sources available for privacy and security issues. &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Big Brother may not know your every move, but your boss, your coworkers, and your spouse soon may. And they won't have to do much to find you, either. They'll go to a Web page for a map showing everywhere you've been all day—bad news if you skipped work to go to the movies, good news if you're stranded on the side of a road. What gave you away? Your cell phone. 
Thanks to new location-based services, your phone is not just a communications device; it's a homing beacon.&lt;br /&gt;&lt;br /&gt;One of the first companies to launch a phone-based tracking service is uLocate Communications, a year-old startup based in Newton, Massachusetts. It has integrated the location technology being built into new cell phones with the Internet, creating private Web pages where customers can track the comings, goings, and (sometimes) unauthorized escapades of employees and loved ones.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Although uLocate (www.ulocate.com) has launched on the Nextel network and is available to subscribers who have one of three Motorola handsets, the service is very much a work in progress. Some of the biggest wireless carriers, including Sprint PCS and Verizon, are still upgrading their networks to enable location-based services. You can expect them to be location-aware soon, however, as federal E911 legislation mandates that they incorporate the technology into their networks so emergency response systems can locate any cellular handset.&lt;br /&gt;&lt;br /&gt;What makes services like uLocate possible is the Global Positioning System, a constellation of 24 satellites that circle the Earth in synchronous orbits and continuously transmit radio signals to terrestrial receivers. By picking up the signals of three or more satellites, a GPS receiver can calculate its own position on the ground. Today's receivers can be miniaturized enough to fit easily and economically into phone handsets. Indeed, most new phones have them—even if the networks they run on have yet to activate them.&lt;br /&gt;&lt;br /&gt;A phone using uLocate links to the GPS satellites—at least three, but typically five or seven to get a fix accurate to within 100 feet—and calculates its location, speed, and direction of movement.
A Java applet running on the phone sends this data over the cellular network, which, in turn, sends it to uLocate's server in Waltham, Massachusetts. The server—a Dell PowerEdge 1750 with dual 2.8 GHz Xeon processors running Linux—uses MapQuest Enterprise Server to turn longitude and latitude data into an address and plot it on a map, which can be viewed on a Web page or a phone.&lt;br /&gt;&lt;br /&gt;To make the location data more useful to its customers, uLocate has developed some enhancements. For instance, users can set up "geofences" around specific locations; when a phone enters or leaves that area, an alert is triggered. This could be used to let parents know, by e-mail or SMS, when a child reaches school.&lt;br /&gt;&lt;br /&gt;Location data is also stored—currently for 90 days—so users can check someone's route days or weeks later. "It comes in handy when a customer complains that something didn't arrive on time," says Frank Schroth, uLocate's vice president of marketing. Indeed, uLocate's business users tend to be companies with field personnel. "They use it to check on deliveries, but also to cut down on the unauthorized use of vehicles and to ensure the safety of drivers," says Schroth. Consumers, on the other hand, typically use the service to keep tabs on children or other family members.&lt;br /&gt;&lt;br /&gt;The system is not foolproof. For one thing, those being tracked can foil uLocate simply by turning off their phones. When a cell signal is dropped, uLocate is dropped with it. And since the GPS receiver in the handset needs a clear line of sight to at least three of the GPS satellites, the system won't work if the phone is indoors, underground, or in a covered vehicle. In that case, the map will display only the phone's last known location.
&lt;br /&gt;&lt;br /&gt;At press time, uLocate was available for free (users, however, must purchase a wireless data plan from their carrier), but Schroth expects it to go commercial this spring, with rates of approximately $8 to $9 per month for the first phone on the account and discounts for subsequent phones.&lt;br /&gt;&lt;br /&gt;uLocate plans enhancements that will make the service a little more inviting for those being tracked. For example, after plotting your location, it could send you driving directions to the nearest ATM.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6529376-108697292647582148?l=spy-ware-solutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/108697292647582148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/108697292647582148'/><link rel='alternate' type='text/html' href='http://spy-ware-solutions.blogspot.com/2004_06_01_archive.html#108697292647582148' title=''/><author><name>David</name><uri>http://www.blogger.com/profile/06763492327461124931</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6529376.post-108390486732921294</id><published>2004-05-06T21:22:00.000-07:00</published><updated>2004-05-06T21:45:34.466-07:00</updated><title type='text'></title><content type='html'>Reprinted from the &lt;strong&gt;PCMag.com Security Watch Newsletter &lt;PCM_SecurityWatch@eletters.pcmag.com&gt;&lt;/strong&gt; a great resource for the latest internet privacy threats.  &lt;br /&gt;&lt;br /&gt;This weekly newsletter brings you an overview of the current viruses, worms and other threats that are trying to get to your computer. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Phishing Aims for Epidemic Status &lt;br /&gt;By Jay Munro &lt;br /&gt;April 27, 2004 &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Phishing and spoof attacks are on the rise. According to the Anti-Phishing Working Group (APWG) Web site, over a dozen unique phishing attacks appear every day. &lt;br /&gt;&lt;br /&gt;More alarmingly, attackers are getting more innovative with their spoofing of sites, even going as far as to load fake address bars into your browser. A new eBay phish reported by the APWG contains a link that looks like a standard auction link, but takes the victim to a specially crafted web page that downloads a keylogger program &lt;br /&gt;&lt;br /&gt;The latest Citibank phish we've seen links to a page on a theater troupe site that pops up a window to get the your account and pin you use for your ATM, and then redirects you to the real Citibank site. &lt;br /&gt;&lt;br /&gt;An old threat, Blaster, reappeared this week with w32/Blaster.T.worm. Like its ancestors, Blaster.T uses the DCom/RPC vulnerability in Windows NT/2000/XP. &lt;br /&gt;&lt;br /&gt;Spoofing and Phishing is rapidly moving from being a mere annoyance to a dangerous threat on par with virus attacks, especially when many attackers are relying on an increasingly sophisticated array of attack strategies, including existing vulnerabilities, obfuscation, and scripting to cover the real (scamming) web site. This week we bring you several scam techniques to watch for. &lt;br /&gt;&lt;br /&gt;More alarmingly, attackers are getting more innovative with their spoofing of sites, even going as far as of loading fake address bars into your browser. A new eBay phish reported by the APWG uses a simple, e-mail message to lure eBay users to a web page. The e-mail's subject is a "Question for seller…" message that is familiar to many eBay sellers. 
The e-mail contains a link that looks like a standard auction link, but takes the victim to a specially crafted web page instead. The web page attempts to use the MHTMLRedir.Exploit vulnerability in IE and Outlook to download and run a keylogger program on the victim's machine. The keylogger is reported to record names and passwords and send them back to an attacker. Symantec's information on the exploit claimed it was unpatched. However, a Microsoft spokesperson confirmed that the latest update, MS04-013, fixes this vulnerability. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The latest Citibank phish we've seen links to a page on a theatre troupe site (Pumpkinpieshow.com). The rather simple e-mail message attempts to get the user to click on a link, and instructs them to disable pop-up blockers. The link takes the user to the Pumpkin site, pops up a window to get the user's account and PIN they use for their ATM, and then redirects them to the real CitiBank site. If you're running a pop-up blocker like Google tool bar, you won't see it. &lt;br /&gt;&lt;br /&gt;An old threat, Blaster, reappeared this week with w32/Blaster.T.worm. Like its ancestors from last summer, Blaster.T, also known as Blaster.I, Blaster.G, Blaster.K, and Lovesan.F, uses the DCom/RPC vulnerability in Windows NT/2000/XP. The vulnerability, which was patched by Microsoft Update MS03-026, is Blaster's only infection vector. Users can prevent infection by keeping Windows and their antivirus software updated. &lt;br /&gt;&lt;br /&gt;Last week, we published a tip on keeping your PC safe in wireless hotspots. We got a call from Brett Molen, co-founder and CTO of STSN, a leading provider of wireless broadband to hotels and convention centers. He stressed that while keeping your own PC secure with a firewall and limiting sharing was good, it was just as important to seek a secure hotspot or wireless network when you can.
He explained how STSN installs end-to-end secure wireless networks in hotels, such as Hilton and Marriott. Balancing ease of use with security, Brett stressed the importance of security at every point, from client connection, access point, router, to the backbone. While STSN is not the only secure wireless provider, travelers may want to see if their destination is in STSN's stable with the company's hotel locator.&lt;br /&gt;&lt;br /&gt;Spoofing and phishing are rapidly moving from being a mere annoyance to a dangerous threat on par with virus attacks, especially when many attackers are relying on an increasingly sophisticated array of attack strategies, including existing vulnerabilities, obfuscation, and scripting to cover the real (scamming) web site. This week we bring you several scam techniques to watch for. &lt;br /&gt;&lt;br /&gt;Past wisdom on spotting a spoofed web site was to look for the "secure" lock in the browser. The US Federal Trade Commission even recommends looking for the lock in a fact sheet for consumers. Looking for the lock is a good idea, though web sites can use fake or weak certificates to authenticate SSL connections. Normally if a fake certificate is used, the browser will pop up a warning saying it's not able to authenticate. However, according to a SANS.org report, it is possible for a web site to use a fake certificate without generating a warning. The advisory notes that a little-used plain-text encryption (or lack thereof) is specified by the server, and is supported by the browser. The browser will set the lock, which only indicates an SSL connection. The web site will appear to be secure without a central certificate authority (such as VeriSign) being consulted, and the connection will not be encrypted. The browser "secure connection" lock will appear, and no warning that it is an unknown certificate will appear. The only way to recognize the fake is to double click on the lock to view the actual certificate.
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Netcraft, the Internet traffic reporting organization recently posted an article about a scam on a faux Earthlink site that combined a fake certificate and an authentic looking web page. The SSL certificate caused the lock icon to appear, and the URL was faked to look like Earthlink. However, if a user double clicked on the lock, and reviewed the certificate, they'd see it was not authentic. &lt;br /&gt;&lt;br /&gt;In another article, Netcraft reports a technique called visual spoofing, where a spoofed web site uses JavaScript and substitute images to create a bogus address bar. The JavaScript code launches a new web page that lacks toolbars, scrollbars and status bar, which are replaced with the fake ones the scammer wants you to see, including an image of the Lock. While we have yet to see examples of these spoofs, if you think a site is suspect, double click on the lock and examine the certificate. If the lock is spoofed, then it may not pop up a certificate. If the toolbars and scroll bars are spoofed as well, then you may not be able to edit the URL, or scroll the page, which is another tip-off of a scam. &lt;br /&gt;&lt;br /&gt;As these scams get more and more convincing, it is more important for users to not automatically trusted e-mail links that state they're going to secure sites. If you are an eBay, PayPal or electronic banking users, visit the web sites independently and read up on how they identify themselves in e-mail, and how you can spot fakes of their sites. If you receive an e-mail message that appears genuine, call the company or visit the site independently of the e-mail. It's better to be suspicious then get burned. In addition, since many scams rely on installing Trojans or key logging code, you should keep your antivirus up to date, as well as run a spyware scanner such as Ad-Aware, or SpyBot S&amp;D often. 
&lt;br /&gt;&lt;br /&gt;While it would be music to most American's ears, e-mails claiming Osama Bin Laden has been caught can download a Trojan to your system (Figure 1) . The e-mail includes a link to a web site where it claims an article by CNN reports the capture. We received five copies of the e-mail ourselves. When we clicked on the link, it took us to a page advertising Viagra. In the background, the page attempts to use an IE vulnerability to download a Trojan that can turn the system into a zombie. It opens a back door, and accepts instructions from a remote user. &lt;br /&gt;&lt;br /&gt;The message is as follows: &lt;br /&gt;&lt;br /&gt;From: Spoofed &lt;br /&gt;&lt;br /&gt;Subject:&lt;br /&gt;"Osama Bin Laden Captured" &lt;br /&gt;&lt;br /&gt;Message text:&lt;br /&gt;"Hey, Just got this from CNN, Osama Bin Laden has been captured! Goto the link below to view the pics and to download the video if you so wish: (Internet address) "Murderous coward he is". God bless America!". &lt;br /&gt;&lt;br /&gt;The Trojan is downloaded and detected in several places. In an alert issued by Panda antivirus, the vulnerability is detected as Exploit/MIE.CHM, the Windows Help File exploit. The file that is downloaded and run initially is detected as VBS/Psyme.C. The VBS file created an executable file Exploit.exe which is detected as a Trojan Trj/Small.B. Other vendors may detect all or part of the process, though we were unable to find references with the other vendors. &lt;br /&gt;&lt;br /&gt;This threat is distributed strictly via spam, possibly through compromised or zombie machines. By itself it does not propagate. The best prevention is not to open any messages with the subject mentioned above.
&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6529376-108390486732921294?l=spy-ware-solutions.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/108390486732921294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6529376/posts/default/108390486732921294'/><link rel='alternate' type='text/html' href='http://spy-ware-solutions.blogspot.com/2004_05_01_archive.html#108390486732921294' title=''/><author><name>David</name><uri>http://www.blogger.com/profile/06763492327461124931</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
