Archived Blog
This Month in the Threat Webscape
08.01.2008 - 1:07 PM
Month of July 2008
The Web 2.0 malicious landscape continues to evolve, and as part of our commitment to stay on top of all forms of Web threats in order to protect against them, here’s a summary of what happened in July 2008. This month brings us particularly insightful research on just how dangerous the Web browser threat is, and on just how sloppy banks can be when designing their own Web applications.
iPhone 3G vulnerabilities
With the increased adoption of the iPhone as a business productivity tool in the workplace, vulnerabilities within the iPhone will not go unnoticed by the profit-driven underground economy. The iPhone’s Safari browser is still vulnerable to various exploits (e.g., CVE-2008-1026), as is the phone’s OS itself (a stripped-down version of OS X). Many of these patches are already published for Apple’s desktop, but simply not yet available for the iPhone.
Vulnerabilities in the iPhone mail application and Safari browser that exacerbate phishing attacks have been discovered and acknowledged by Apple, but no fix has been provided yet.
Websense recommendation: Refrain from using, or exercise extreme caution when using, the Safari browser on the iPhone for business until a vendor patch is released. Use the iPhone as a business tool to augment your desktop – not to replace it.
Cross-site Scripting (XSS) on more Web 2.0 properties
Just as Gen Y can’t imagine how Gen X grew up without the Internet, the generation that grew up on the Web uses email only to stay in touch with the “older” generation. They use social networking sites like Facebook as the new “email”, and they will bring these tools into the corporate environment when they enter the work force.
A slew of Facebook security vulnerabilities have been discovered. The potential losses, including of intellectual property, range from reading someone else’s mail and forcibly installing Facebook applications on a user’s profile to spreading malicious links and creating a self-propagating JavaScript worm across the network. All of these can wreak even more havoc once such tools are in use inside the corporate environment.
Other Web 2.0 sites found with security vulnerabilities include Twitter (CSRF) and Justin.tv (XSS worm).
Firefox 2 browser vulnerabilities
Mozilla shipped a dozen patches for Firefox 2 vulnerabilities, five of which were rated critical. The vulnerabilities range from XSS (CVE-2008-2800) through a JavaScript same-origin violation to a weakness (CVE-2008-2809) in the trust model regarding alternate names on self-signed certificates that could be used for spoofing.
Websense recommendation: Upgrade to Firefox 3. If you must stay on Firefox 2, please apply all the latest patches.
Opera browser vulnerabilities
Opera version 9.5.1’s changelog shows that this update includes security patches. One of the vulnerabilities (CVE-2008-3079) enabled attackers to steal arbitrary samples of data in memory from the victim’s desktop through specially crafted JavaScript code.
Websense recommendation: Upgrade to the latest version of Opera.
Apple QuickTime vulnerabilities
Apple patched two QuickTime flaws. Playing a maliciously crafted QuickTime file may lead to the launching of arbitrary applications (CVE-2008-1585) and/or arbitrary code execution (CVE-2008-0234).
Websense recommendation: Update to the latest version of QuickTime.
RealPlayer vulnerabilities
RealNetworks announced patches for RealPlayer shortly after an advisory disclosing multiple vulnerabilities in the product. The first vulnerability lies in an ActiveX control (CVE-2008-1309), and the second lies in the way SWF files are handled (CVE-2007-5400); both could lead to arbitrary code execution. At least one of the four reported vulnerabilities is OS-independent.
Websense recommendation: Upgrade to the latest version of RealPlayer.
MS Office Snapshot Viewer ActiveX Control (snapview.ocx) vulnerability
Websense Security Labs has discovered numerous Web sites using this vulnerability (CVE-2008-2463) to infect the desktops of visitors – merely by visiting the crafted Web page. In addition, this exploit is now part of the Neosploit exploit toolkit, which means it may become more widespread. There has been news that the Neosploit team is retiring the infamous malware kit, but that’s no guarantee that we won’t see their malicious handiwork in the near future.
Websense recommendation: At time of writing, no patch is yet available – check Microsoft’s advisory for mitigation (under “Suggested Actions”); deploy a Web security solution to filter infected pages.
Storm Worm social-engineering tactics
The infamous Storm Worm changed social engineering tactics four times this month. The first campaign centered on US Independence Day. The second campaign heralded the coming of World War III, which would have been provocative news if it were true – except it wasn’t. The third campaign announced a new currency, the Amero, that would supposedly replace the US greenback. The last campaign fed privacy fears by falsely reporting that the FBI had a way of tracking activities on Facebook.
In short – the Storm Worm campaigns are effective at social engineering because they use timely and relevant news along with thought-provoking subject lines in their spam emails. Victims usually end up with their desktops infected with a Trojan.
Their modus operandi is to mass-send provocative emails enticing victims to click on a malicious link. The link leads to a malicious Web page that attempts to exploit the browser and, upon success, gives the attackers control of the victim’s desktop.
Websense recommendation: A multi-pronged approach – deploy an email security solution to discard Storm Worm emails and have in place a Web security solution to filter the malicious links Storm Worm relies on to distribute malicious wares.
Spam innovation
This month in spam saw spammers quickly adapting their campaigns to increase infection success rates.
One campaign redirected victims to exploit-laden Web pages with pornographic videos, enticing them to install what was really a Trojan Downloader. The spammers then changed tactics and used a generic streaming video to lure victims down the path of infection. They shifted gears again by quickly following up with open redirects and pictures of Angelina Jolie. Then it was a supposed ActiveX control that users needed to download.
But they didn’t stop there. Since then, we have seen more fake codecs, fake Adobe Flash updates, and more videos of nude celebrities being peddled in an effort to encourage recipients to follow through on those malicious links.
This month also marks the first time we have detected Google sites being abused by spammers for setting up doorway pages to malicious Web sites.
Websense recommendation: Deploy an email and Web security solution.
DNS cache poisoning
Security researcher Dan Kaminsky’s findings on a critical DNS flaw (CVE-2008-1447, US-CERT VU#800113), which were embargoed until his talk at Black Hat, were correctly guessed and leaked to the public. Soon after, proof-of-concept exploits utilizing this flaw surfaced and attacks began. Numerous big-name ISPs were slow to respond and vendors late to patch. The iPhone is reported to be affected as well.
Websense recommendation: Entities running their own DNS servers should patch immediately. Those who rely on an upstream DNS provider are urged to contact their provider to confirm that this issue has been addressed properly.
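One concrete way to act on the recommendation above is to verify that a resolver you depend on actually randomizes the UDP source ports of its upstream queries, which is the mitigation the vendor patches for CVE-2008-1447 introduced. The following is an added example, not code from the original post or from Websense: it takes a list of source ports observed on a resolver’s outbound queries (here three constructed sequences standing in for what a packet capture would yield) and gives a heuristic verdict on whether they look randomized, fixed, or sequential. The thresholds in `looks_randomized` are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample port sequences (not real captures): the UDP source ports
# seen on a resolver's upstream queries, as a packet capture would list them.
FIXED_PORTS = [53] * 40                        # one static port: trivially guessable
SEQUENTIAL_PORTS = list(range(32768, 32808))   # incrementing: predictable after one observation
RANDOM_PORTS = [50123, 33901, 61544, 41002, 52977, 36110, 58231, 44876, 60455, 39994,
                55310, 47762, 62018, 34509, 51187, 42653, 57744, 38321, 63210, 45089,
                53475, 35902, 59620, 40477, 56138, 48099, 61999, 37288, 54813, 43671,
                58903, 36745, 60097, 41358, 52240, 49532, 63801, 39077, 55678, 46204]


def port_stats(ports):
    """Summarise a list of observed source ports (order matters for the sequential check)."""
    n = len(ports)
    counts = Counter(ports)
    # Shannon entropy in bits over the observed distribution; log2(n) is the best a sample can show
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    # Fraction of consecutive observations that differ by exactly +1, i.e. sequential allocation
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential_ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
    return {
        "samples": n,
        "unique": len(counts),
        "span": max(ports) - min(ports),
        "entropy_bits": entropy,
        "sequential_ratio": sequential_ratio,
    }


def looks_randomized(ports, min_unique_ratio=0.9, min_span=10000, max_sequential_ratio=0.2):
    """Heuristic verdict (thresholds are assumptions): True if ports appear randomized."""
    s = port_stats(ports)
    if s["samples"] < 10:
        raise ValueError("need at least 10 samples for a meaningful verdict")
    return (s["unique"] / s["samples"] >= min_unique_ratio
            and s["span"] >= min_span
            and s["sequential_ratio"] <= max_sequential_ratio)


if __name__ == "__main__":
    for label, ports in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS), ("random", RANDOM_PORTS)):
        print(label, port_stats(ports), "randomized" if looks_randomized(ports) else "NOT randomized")
```

A resolver that still answers "NOT randomized" after the provider claims to have patched is worth a follow-up call; a fixed or sequential port collapses the attacker's search space to the 16-bit transaction ID alone, which is exactly the weakness this flaw exploits.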
The Web browser threat is only the tip of the iceberg
According to independent research by Google, IBM, and the Swiss Federal Institute of Technology, at least 45.2% (or 637 million) of users have not been using the most secure versions of their Web browsers within the past year. These browsers are susceptible to drive-by download attacks, and their associated vulnerable plug-ins/add-ons increase the attack surface for mass injections.
Websense recommendation: The time between when a patch is released to when the patch is actually applied to the end-user’s machine is absolutely critical, and this interval must be narrowed. Corporations should streamline the updating of not just the OS, but also Web browsers and popular plug-ins/add-ons such as Adobe Flash, Java, Windows Media Player, Apple QuickTime, RealOne Player, Adobe PDF Reader, and Adobe Shockwave Player.
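The research above derived its figure from Web server logs, and the same idea gives a corporation a quick measure of its own patch gap: parse the User-Agent strings in the proxy or Web server log and count requests from browser versions older than the current patched release. The following is an added example, not code from the original post or from the cited research. The log lines are constructed, and the baseline versions in `BASELINE` are illustrative assumptions; in practice they come from each vendor's release notes at audit time. It recognises Firefox and Opera User-Agents only; anything else is skipped rather than guessed.

```python
import re
from collections import Counter

# Constructed sample log lines in Apache combined format (not from a real server).
SAMPLE_LOG = r'''
10.0.0.5 - - [14/Jul/2008:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
10.0.0.6 - - [14/Jul/2008:09:12:07 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
10.0.0.7 - - [14/Jul/2008:09:13:20 +0000] "GET /b HTTP/1.1" 200 512 "-" "Opera/9.27 (Windows NT 5.1; U; en)"
10.0.0.8 - - [14/Jul/2008:09:14:00 +0000] "GET /c HTTP/1.1" 200 512 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
10.0.0.9 - - [14/Jul/2008:09:15:11 +0000] "GET /d HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20"
'''

# Illustrative "current patched version" baseline: an assumption for this example,
# to be replaced with the vendors' actual current releases when the audit is run.
BASELINE = {"Firefox": (2, 0, 0, 16), "Opera": (9, 51)}

UA_RE = re.compile(r'"([^"]*)"\s*$')                  # last quoted field is the User-Agent
BROWSER_RE = re.compile(r'\b(Firefox|Opera)/(\d+(?:\.\d+)*)')


def parse_version(text):
    """'2.0.0.14' -> (2, 0, 0, 14); tuples compare component-wise, which is what we need."""
    return tuple(int(p) for p in text.split("."))


def browser_from_line(line):
    """Return (browser_name, version_tuple) for a recognised UA, or None."""
    m = UA_RE.search(line)
    if not m:
        return None
    b = BROWSER_RE.search(m.group(1))
    if not b:
        return None
    return b.group(1), parse_version(b.group(2))


def audit(log_text):
    """Count recognised browser hits and how many are below the baseline version."""
    recognised = 0
    by_version = Counter()
    for line in log_text.strip().splitlines():
        hit = browser_from_line(line)
        if hit is None:
            continue                      # unknown browser: not counted either way
        name, version = hit
        recognised += 1
        if version < BASELINE[name]:
            by_version[f"{name} {'.'.join(map(str, version))}"] += 1
    outdated = sum(by_version.values())
    share = outdated / recognised if recognised else 0.0
    return {"recognised": recognised, "outdated": outdated,
            "outdated_share": share, "by_version": by_version}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"{result['outdated']} of {result['recognised']} recognised requests "
          f"({result['outdated_share']:.0%}) came from outdated browsers")
    for label, count in result["by_version"].most_common():
        print(f"  {label}: {count}")
```

The per-version breakdown is the useful part for a desktop team: it shows which specific releases are still in circulation, so the update effort can be targeted rather than assumed. The same pattern extends to plug-in version strings where a log records them, though most browsers do not put Flash or QuickTime versions in the User-Agent, so those usually need an endpoint inventory instead.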
75% of financial institution Web sites have at least one security flaw
This is according to research published at the Symposium on Usable Privacy and Security at Carnegie Mellon University. A quote from the paper:
“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country […] Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”
These are design flaws inherent in the banks’ Web applications, and the onus is on the financial institutions themselves to keep their customers’ information protected.