
This Month in the Threat Webscape

10.03.2008 - 9:30 PM

Month of September 2008

September showed us that highly visible sites like BusinessWeek.com and BillOreilly.com are not immune to serious web attacks. BusinessWeek.com learned the hard way that a site can unknowingly serve up exploits to itself and its visitors. Other highly visible sites, like The New York Times, are also vulnerable.

While Microsoft works determinedly to patch vulnerabilities that can be exploited over the web, the Web Application Security Consortium reports that 97% of sites it studied continue to have significant vulnerabilities.
What's more, results reported in various studies released this month indicate that most people can't tell good sites from bad, and even the aware and informed fall prey.

On the road, generally insufficient hotel IT security means that traveling employees put corporate data at risk every time they stay at a U.S. hotel. And apparently it doesn't take a major new attack to add significant numbers to the zombie pool. Even in the absence of a major zero day, the population of zombie computers quadrupled in the last 3 months.

Smile, October is National Cyber Security Awareness Month.

Follow our This Month in the Threat Webscape series to stay abreast of emerging Web threats.


Google's Shiny Object

Google's recent BETA release of its Chrome browser included several flashy new features such as tabbed browsing within sandboxes, a more powerful JavaScript engine, a privacy mode called "incognito", and support for anti-phishing blacklists. Almost immediately after the release it was discovered that Chrome was susceptible to a carpet-bombing vulnerability--the very same flaw that pressured Apple to patch Safari just 4 months ago. Chrome's first security patch was released just a week after the BETA release and addresses multiple security vulnerabilities, some of which were rated critical. We shall stay on the lookout for any new vulnerabilities.


Web 2 dot uh-oh

Researchers have proven the viability of launching a distributed denial-of-service (DDoS) attack with the help of Web 2.0 sites, bypassing the need to first build a base of infected machines. The researchers created a Web 2.0 app on Facebook, cleverly dubbed "FaceBot", that spread all on its own, leveraging social-networking viral properties. In the proof-of-concept, every click on the widget caused the victim to cough up precious bandwidth. One takeaway: most Web 2.0 platforms that allow 3rd-party developers do not have enough security checks in place to prevent abuse of their reputation and services. The research paper can be found on ZDNet here.

On another front, Google's Picasa and ImageShack were discovered to host malicious flash redirectors. We have reported on this tactic before, but this incident serves as a good reminder that no popular Web 2.0 host will go unnoticed as a potential platform for abuse.


Major Hits

Prominent business magazine BusinessWeek had their web site compromised. The attackers injected malicious code on hundreds of pages on BusinessWeek.com, exposing their visitors to drive-by exploits.

Financial institution ING's site was found to be susceptible to CSRF attacks, including one that could enable an attacker to transfer money out of the victim's account. According to researchers from Princeton University, other sites susceptible to this attack include The New York Times, YouTube, and Metafilter.

ING wasn't the only financial institution plagued with web threats. We alerted on Erste Securities hosting malicious code on their web site. Erste Bank is a large bank in Central Europe.

US Republican vice-presidential nominee Sarah Palin had her email "hacked". Turns out, it wasn't a technical feat at all. The key was Yahoo! Mail's "Forgot password?" feature. The perpetrator searched online for random tidbits of information--birthday, zip codes, etc.--to piece together the information jigsaw puzzle, and thus succeeded in accessing Palin's email. We advised of this threat early last year.

Prominent political commentator Bill O'Reilly, who condemned the Sarah Palin email "hacking", also had his own web site broken into.

Microsoft's Wind-uh-oh(s)

This month's Patch Tuesday brought us 4 critical vulnerability patches for Windows Media Player (MS08-054), Windows Media Encoder (MS08-053) (POC exploit released!), GDI+ (MS08-052) and MS Office (MS08-055). All 4 vulnerabilities could be exploited with content delivered from the web (e.g., browsing a web site with a maliciously crafted image or Windows Media file). Successful exploitation could provide an attacker full control of the victim's machine. The GDI+ vulnerability is particularly dangerous because browsers display images without prompting the user for permission, thus making it a good vehicle for a drive-by attack. See our blog post here.


The Browser, Plugins, and Supporting Cast

Mozilla released 8 patches for Firefox, 5 of which were critical (exploitation requires no explicit user interaction beyond normal web browsing). Adobe has announced that they will soon change the way Flash interacts with the clipboard, a move that is in response to the clipboard hijackings reported last month. In other browser plugin news, we also discovered a slew of exploits delivered over the web via Adobe Acrobat PDF documents (CVE-2007-5659).

Proof-of-concepts are now out for a new vulnerability dubbed "clickjacking". Security researchers Robert Hansen and Jeremiah Grossman had planned to present their discovery at OWASP NYC AppSec 2008, but the talk has been withheld at Adobe's request. To date, details of this attack have only been released to a select few who are working on a solution.

Apple QuickTime made quite a footprint for itself in this month's threat webscape. Six vulnerabilities were patched that allowed an attacker to take control of the computer while the victim watched a maliciously crafted video (CVE-2008-3615, CVE-2008-3635, CVE-2008-3624, CVE-2008-3625, CVE-2008-3626, CVE-2008-3627). Also patched were 3 vulnerabilities (CVE-2008-3614, CVE-2008-3628, CVE-2008-3629) in which viewing a malicious PICT image file allowed the attacker to control the victim's machine.

Two vulnerabilities were patched in Java for Mac (CVE-2008-3638, CVE-2008-3637) that allowed drive-by attacks when visiting a malicious web site. Apple Macintosh users have more to worry about.


Ham or Spam

Spammers continue to abuse Web 2.0 sites and have expanded their tactics beyond just email. We have seen more than just the typical obfuscated JavaScript redirect through sites like Blogspot. Spammers are leveraging the pervasiveness of Web 2.0 sites such as YouTube, Livefilestore, Picasa, and Imageshack. The very nature of Web 2.0 services, which allow users to create their own content, has provided spammers and attackers with many more resources to carry out their malicious activities.

We have also seen an interesting social engineering tactic that lifted content from Facebook and spoofed a friend request in order to tempt victims into installing malware.

The pending U.S. elections have also caught the eye of spammers this past month; one attack attempted to smear one of the candidates with a sex scandal and promised a video to prove it.


Rock Phish Rage

Rock Phishers continue to obtain user account credentials with their complex and infamous fast-flux infrastructure, using mass phishing campaigns targeting banks (recent attacks were reported on Wachovia, Eastern Bank, and Bank of the West). Over the past five months, Rock Phishers have painstakingly refurbished their infrastructure, introducing several sophisticated crimeware packages that get silently installed on the victim's PC.


Security Trends

Computers: 1, Human ability to learn from mistakes: 0

We've always known that fake pop-up social engineering works, but the quantified results from a North Carolina State University study are just staggering. When presented with a malicious fake pop-up window:
  • 63% of the participants clicked OK (rather than closing or minimizing)
  • ~12% of the participants clicked OK because the computer instructed them to do so
  • 23% of the participants clicked OK because that's what they always do when presented with an error message
  • >40% of the participants clicked OK to "get rid of" the box
  • Multiple warnings did not help; most fell for it over and over again
  • Most of those who were aware of fake malicious pop-ups still failed

Would you like to check in your bags, or your corporate data?

A Cornell University study shows that employees risk their corporate crown jewels when they connect to internet connections at hotels in the U.S.
  • Most hotels don't have IT employees
  • Hotel budget for IT security averaged a paltry 9.5%
  • Most hotels with secured networks had overly helpful employees who helped penetration testers social-engineer their way in

The Real Web 2.0 World

The Web Application Security Consortium (WASC) reports:
  • ~97% of sites assessed carry a severe vulnerability
  • Top vulnerabilities: XSS (41%), information leakage (32%), SQL injection (9%), predictable resource location flaws (8%)
  • CSRF vulnerabilities didn't rank because they are difficult to detect, but experts generally accept that CSRF is the most prevalent

Zombie Census Bureau

The number of zombie computers has increased 4X in the last 3 months. However, there wasn't a single new exploit that could be attributed to this, indicating that the battle is shifting toward distribution and sustaining the already infected victims. The Web is the largest distribution channel, but good news: Websense is already there.