Tuesday, February 27, 2007

Bad Week For Symantec

Symantec's having a tough week. First, an ActiveX component developed by SupportSoft and bundled with several Symantec products was found to have multiple vulnerabilities that could allow an attacker to compromise a user's computer by way of a malicious website. Affected Symantec products: Norton AntiVirus, Norton Internet Security, System Works, and Automated Support Assistant. To their credit, Symantec is protecting its antivirus customers by releasing virus signatures that attempt to catch exploits of the flaws.

As if that weren't bad enough, the SEC has announced that Symantec's servers were hacked by a small trading company called Blue Bottle, which used its access to get advance notice of press releases and then traded Symantec stock on that inside information. It's just never good when a security company's own servers are hacked. In addition to Symantec, 11 other US firms, including Real Networks, were compromised, netting Blue Bottle over $2.7m in profits.

Yahoo Ditches SPF?

This blows my mind. Yahoo has no Sender Policy Framework DNS record. I believe that they did have it for a while (someone correct me if I'm wrong). This means that people can once again spoof Yahoo e-mail addresses when sending spam and fraudulent e-mails.

Here's how SPF is defined on Wikipedia:

In computing, Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.

SPF is an admittedly imperfect technology, but it's simple to implement and can drastically cut down on spam and fraudulent e-mails. Of the major e-mail providers (Microsoft, Google, AOL, and Yahoo), only Yahoo doesn't have an SPF record.

So why would Yahoo ignore this? Yahoo is pushing for a different solution to the problem of forged e-mails called DomainKeys. Here's the definition on Wikipedia:

DomainKeys is an e-mail authentication system (developed at Yahoo!) designed to verify the DNS domain of an E-mail sender and the message integrity. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM).

Yahoo's scheme has flaws of its own, but it could work well if widely deployed, although few sites currently use it. Now here's the rub: the two schemes are not mutually exclusive. You could publish an SPF record and sign with DomainKeys at the same time with no problem. So why hasn't Yahoo implemented SPF?

Well, Yahoo's own mail servers will reject mail claiming to be from yahoo.com but originating from somewhere else, so Yahoo's own users are protected from spoofing of yahoo.com addresses. The rest of the Internet gets no such help, and Yahoo appears to hope that other people are bothered enough by spoofed yahoo.com e-mails to adopt Yahoo's DomainKeys technology.

This is a dirty trick. DomainKeys is a good idea, but it is more difficult to implement and adds a large burden to mail servers for both incoming and outgoing mail. SPF is lightweight and easy to implement. And more importantly, they can coexist.

So what's the deal, Yahoo? Why not enable DomainKeys and SPF on your domain?

For more information on Sender Policy Framework, visit the OpenSPF site. And if you manage a domain, be sure to use the wizard to help you determine what your SPF record should be and how to add it to your domain.
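To make the "what does a receiver actually do with an SPF record" part concrete, here is a small SPF checker. This is an added example written for this post, not code from OpenSPF or from any of the providers mentioned; the domain names and TXT records in it are constructed stand-ins for DNS lookups so it runs offline, and it deliberately handles only the ip4, ip6, include and all mechanisms (a, mx, exists and redirect= are left out). The "nospf.example" entry shows what a receiver sees for a domain in Yahoo's position: a "none" result, which gives it no basis to reject a forged MAIL FROM.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, not real
# records) so the checker runs offline.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": "",   # publishes no SPF record at all
}

RESULT_OF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = TXT_RECORDS.get(domain.lower(), "")
    return record if record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the MAIL FROM domain's policy against the connecting IP.

    Handles the ip4, ip6, include and all mechanisms, which cover most
    published records. Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:                       # RFC 4408 caps DNS-dependent mechanisms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                    # receiver has nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_OF_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if "=" in term:                  # modifiers (exp=, redirect=) are not evaluated here
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULT_OF_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return RESULT_OF_QUALIFIER[qualifier]
        elif mech == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner == "pass":
                return RESULT_OF_QUALIFIER[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside the include: move on to the next term
        else:
            return "permerror"           # unknown mechanism
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.77"), ("example.com", "198.51.100.10"),
                    ("example.com", "203.0.113.5"), ("nospf.example", "203.0.113.5")]:
        print(f"{dom:24} {ip:16} {check_spf(dom, ip)}")
```

The interesting cases are the last two: a host outside the published ranges gets "fail" because example.com ends its record with -all, while the same host sending as nospf.example gets "none", which is exactly why a missing record lets spoofed mail through.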

Friday, February 23, 2007

Critical Firefox Update

The Mozilla folks have released a new version of Firefox that fixes several security flaws. Among them is a widely publicized and easily exploited flaw that allows the theft of cookies belonging to other websites. Stolen cookies could allow a malicious person to log in to websites that you visit, such as online banking sites. We recommend you upgrade as soon as possible. To see your version of Firefox, enter "about:" into the URL bar (without the quotes).

To update Firefox, go to the "Help->Check for updates..." menu or follow this link.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak protects users from exploits of the mentioned flaw.]

Thursday, February 22, 2007

Wells Fargo Phishing Alert

A new phishing scam targeting Wells Fargo customers is just hitting inboxes. The e-mail is titled "Update your Wells Fargo Account" and contains a link to http://www.wellsfargo.com.update.fr.nf. Read that hostname from the right: the domain actually being visited is fr.nf, and "www.wellsfargo.com" is just a run of subdomain labels put there to fool the eye. If you follow that link, you will be redirected to www.accent.dp.ua.

The site looks like this in Firefox:

If you receive e-mail from your bank, never click on links within the e-mail or call phone numbers in the e-mail. Instead, use independent means to look up the phone number or navigate to the website. Never enter your social security number. And if something looks at all suspicious, don't fill out any forms.
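The "read the hostname from the right" advice can be automated, and that is what a mail filter or browser toolbar does. The following is an added example written for this post, not a tool from Wells Fargo or anyone else: it takes the link from the phish above, works out which domain a click would really land on, and flags a brand name that appears only in subdomain labels (or in the userinfo before an "@"). The two-label rule for the registrable domain is a deliberate simplification; production code consults the Public Suffix List so that names like example.co.uk come out right. The brand list is constructed for the example.

```python
from urllib.parse import urlsplit

# Brand names that should never appear merely as a subdomain label of some
# other registered domain. Constructed list for the example.
PROTECTED_BRANDS = {"wellsfargo"}


def registrable_domain(hostname):
    """Return the registrable domain as the last two labels of the host.

    Simplification: real checks use the Public Suffix List; two labels are
    enough to show the idea.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(url):
    """Classify a link as ok, suspicious or phishing.

    Returns (verdict, registrable_domain, reason).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("suspicious", "", "no hostname in URL")
    if parts.username is not None:
        # http://www.bank.example@evil.example/ shows the brand before '@'
        # but connects to whatever follows it.
        return ("phishing", registrable_domain(host),
                f"text before '@' is userinfo; the real host is {host}")
    if all(ch.isdigit() or ch == "." for ch in host):
        return ("suspicious", host, "raw IP address instead of a hostname")
    reg = registrable_domain(host)
    reg_name = reg.split(".")[0]
    leading_labels = host.split(".")[:-2]
    for brand in PROTECTED_BRANDS:
        if reg_name == brand:
            return ("ok", reg, "registrable domain belongs to the brand")
        if any(brand in label for label in leading_labels):
            return ("phishing", reg,
                    f"'{brand}' appears only in subdomain labels; "
                    f"the domain actually visited is {reg}")
    return ("ok", reg, "no brand impersonation detected")


if __name__ == "__main__":
    for link in ["http://www.wellsfargo.com.update.fr.nf",
                 "https://www.wellsfargo.com/",
                 "http://www.wellsfargo.com@198.51.100.7/signon"]:
        verdict, domain, reason = analyze_link(link)
        print(f"{verdict:10} {domain:20} {link}\n           {reason}")
```

Note that the redirect destination (www.accent.dp.ua) carries no brand name at all and would pass this check, which is why link analysis is a first filter and not a substitute for the advice above: go to the bank's site by typing the address yourself.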

Google Desktop Compromise Demonstration

Watchfire has put together a really nice demonstration of the dangers of cross-site scripting, and in particular of some Google Desktop vulnerabilities:


Lowered ThreatLevel, New Word 0-day, and More Security Program Flaws

Just a quick note that eSoft has lowered the Threat Level back to normal after the exploits expected for flaws disclosed on last week's Patch Tuesday failed to materialize. If exploits appear, the Threat Level will be raised again.

In other news, Microsoft is warning of a new flaw in Microsoft Word that is being exploited in the wild on a limited, targeted basis. Few details are available at this time, but it leaves us wondering how long it will take for this flaw to be fixed. Microsoft's recent track record at fixing flaws in Word that have exploits in the wild is very, very bad, with an average response time of around two months.

Finally, we continue to be amused by the discovery of flaws in programs that are intended to enhance security. Trend Micro's ServerProtect web interface has a very easily exploited authorization bypass vulnerability: an attacker only needs to supply a cookie with a special name to get access to the web interface, no credentials required. Until you've patched, we recommend you block external access to TCP port 14942, the default port for ServerProtect.
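The bug class is worth spelling out, because it keeps turning up in management interfaces: the server treats the mere presence of a cookie as proof of login. Below is an added illustration written for this post, not ServerProtect's code; the cookie name "admin_session" is a hypothetical stand-in, since the real name is not given here. The first function is the bypass pattern, the class beneath it is what the check should look like: a random token issued only after a successful login, stored server-side, and compared in constant time.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical cookie name for the example; the name ServerProtect actually
# uses is not given in this post.
AUTH_COOKIE = "admin_session"


def vulnerable_is_authorized(cookie_header):
    """Authorization by cookie *presence*.

    Any client that sends a cookie with the expected name is treated as
    logged in, whatever its value. This is the bypass pattern.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return AUTH_COOKIE in jar


class SessionStore:
    """Server-side sessions: tokens exist only after authentication, and the
    presented cookie value must match one of them."""

    def __init__(self):
        self._sessions = {}   # token -> username

    def login(self, username, password, credentials):
        """Return a fresh session token, or None on bad credentials.

        `credentials` is a constructed username -> password table for the
        example; real code compares against a salted password hash.
        """
        expected = credentials.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def is_authorized(self, cookie_header):
        """True only if the cookie carries a token this server issued."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        if AUTH_COOKIE not in jar:
            return False
        presented = jar[AUTH_COOKIE].value.encode()
        # Constant-time comparison against every live token avoids leaking
        # how many leading bytes of a guess were right.
        return any(hmac.compare_digest(presented, t.encode()) for t in self._sessions)

    def logout(self, token):
        self._sessions.pop(token, None)


if __name__ == "__main__":
    forged = f"{AUTH_COOKIE}=anything"
    print("vulnerable check, forged cookie:", vulnerable_is_authorized(forged))
    store = SessionStore()
    token = store.login("admin", "correct horse", {"admin": "correct horse"})
    print("hardened check, forged cookie:  ", store.is_authorized(forged))
    print("hardened check, issued token:   ", store.is_authorized(f"{AUTH_COOKIE}={token}"))
```

The firewall advice above still applies even with the hardened check in place: a management interface for an antivirus server has no business being reachable from outside the network.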

Of less consequence is a local privilege escalation in Cisco's Secure Services 4.x, Security Agent (CSA) 5.x, and Trust Agent 1.x/2.x. Secure services? Apparently not. Better go update.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak protects users from the flaw in Trend Micro's ServerProtect product.]

Tuesday, February 13, 2007

Network Security Nightmare Week

What a week for computer security! The eSoft Threat Level has been raised from low yellow to solid orange due to a number of threats of concern to network administrators that are considered extremely critical. Here's an overview of the major threats Threat Center is tracking:

First there's the telnet vulnerability in Solaris 10 and 11. This is at the moment an unpatched vulnerability that allows anyone to telnet into a Solaris system as root without any kind of authentication. Even scarier, the exploit doesn't require any special tools; it can be accomplished with a standard telnet client. If you're running Solaris and have telnet enabled, turn on SSH, turn off telnet, and make sure it never starts up again. And while you're at it, block incoming TCP port 23 at your firewall to keep all telnet traffic from reaching your systems from outside.

It always gets our attention when security products meant to protect you put you at risk. This week we've had a trifecta of these issues. Early in the week we became aware of a vulnerability in Trend Micro's antivirus engine where scanning a malicious UPX-packed executable could compromise a system. Now we learn that Microsoft's antivirus engine has its own vulnerability where scanning a malicious PDF file could compromise a system. Note that nobody has to open either file; the scanner does the work for the attacker, and a successful exploit of either flaw runs with Administrator privileges. Finally, Cisco IOS IPS has a series of issues that could allow a hacker to take down your IPS box. This is the most recent in a series of Cisco issues that, luckily, we still haven't seen public exploits for. Don't hold your breath, though.

Today is Patch Tuesday, and in addition to announcing the antivirus scanner bug above, Microsoft has fixed a number of known vulnerabilities and several that had not been publicly disclosed. The best news is that the growing handful of Microsoft Office vulnerabilities with exploits in the wild have finally been fixed. We've been waiting months for these fixes. Unfortunately, we have new things to worry about.

First, let's talk about Internet Explorer. The HTML Help ActiveX control has a fresh vulnerability. This isn't the first time Microsoft has recommended disabling the HTML Help ActiveX control in Internet Explorer due to security problems, and if you didn't do it last time, you might want to do it this time. The control is disabled by setting its kill bit in the registry, and with Group Policy you can push that setting to a bunch of machines at once. If you have an Intrusion Prevention System, check to see if there are rules to detect and stop this ActiveX component.

Microsoft Data Access Components in Internet Explorer also have a fresh vulnerability. Like the HTML Help ActiveX control, I'm having déjà vu on this one. You'll have to think a little bit longer before deciding to block it, due to its widespread use in rich-content Internet applications, but if you can't enforce an immediate update of all of your site's computers, then block it and worry about the consequences later. Better to have some annoyed users because of your policy than because their computer is mysteriously slow due to its raging malware infection.

Finally, we have one of the scariest batches of ActiveX Internet Explorer bugs I've ever seen. There are two "COM Object Instantiation" vulnerabilities that will allow an attacker to exploit any ActiveX object (DLL, OCX, etc.) that wasn't specifically intended to be used in Internet Explorer. And because these vulnerabilities were reported to Microsoft by H.D. Moore, founder of the Metasploit project, we expect proof-of-concept exploits to be published any time now. For some reason that I don't quite understand, Microsoft is recommending the blocking of a handful of ActiveX objects in particular. Apparently these are especially susceptible to the exploit. To find the CLSIDs to block, dig into the FAQ section of the MS07-016 security bulletin.
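All three of the Internet Explorer items above come down to the same administrative action: set the kill bit for a list of CLSIDs so IE refuses to instantiate them. The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The script below is an added example written for this post, not a Microsoft tool: it validates CLSIDs, renders a .reg file you can distribute with Group Policy (preserving any flags already set on a control), and on Windows can write the values directly. The CLSID in it is a hypothetical placeholder; substitute the ones from the MS07-016 FAQ.

```python
import sys

KILL_BIT = 0x400   # Compatibility Flags bit that stops IE instantiating a control
ACTIVEX_COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Hypothetical placeholder; replace with the CLSIDs from the bulletin's FAQ.
CLSIDS_TO_BLOCK = ["{11111111-2222-3333-4444-555555555555}"]


def with_kill_bit(flags):
    """Return Compatibility Flags with the kill bit set, keeping other bits."""
    return flags | KILL_BIT


def is_killed(flags):
    return bool(flags & KILL_BIT)


def normalize_clsid(clsid):
    """Accept a CLSID with or without braces, any case; return canonical form."""
    core = clsid.strip().strip("{}").upper()
    parts = core.split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12] or any(
            c not in "0123456789ABCDEF" for c in "".join(parts)):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + core + "}"


def reg_file(clsids, existing_flags=None):
    """Render a .reg file setting the kill bit for each CLSID.

    existing_flags maps CLSID -> current Compatibility Flags so other bits
    survive; a CLSID with no entry starts from 0.
    """
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = normalize_clsid(clsid)
        flags = with_kill_bit(existing_flags.get(clsid, 0))
        lines.append(f"[HKEY_LOCAL_MACHINE\\{ACTIVEX_COMPAT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
        lines.append("")
    return "\r\n".join(lines)   # .reg files are CRLF text


def apply_kill_bits(clsids):
    """Write the kill bits directly (Windows only, needs administrative rights)."""
    if sys.platform != "win32":
        raise RuntimeError("registry writes only work on Windows; use reg_file() elsewhere")
    import winreg
    for clsid in clsids:
        clsid = normalize_clsid(clsid)
        key = winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE,
                                 ACTIVEX_COMPAT_KEY + "\\" + clsid,
                                 0, winreg.KEY_READ | winreg.KEY_WRITE)
        try:
            current, _ = winreg.QueryValueEx(key, "Compatibility Flags")
        except FileNotFoundError:
            current = 0
        winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD,
                          with_kill_bit(current))
        winreg.CloseKey(key)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--apply":
        apply_kill_bits(CLSIDS_TO_BLOCK)
    else:
        sys.stdout.write(reg_file(CLSIDS_TO_BLOCK))
```

Run it without arguments to get a .reg file for a Group Policy startup script, or with --apply on the affected machine itself. Setting the kill bit does not remove the control, so applications that host it outside IE keep working; it only stops IE (and anything that embeds IE, such as HTML e-mail in Outlook) from creating it.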

Microsoft released three separate patches for issues involving MFC (a framework for developers used in many Windows applications), OLE (object linking and embedding -- have you ever put an Excel document in the middle of a Word document? that's OLE), and RichEdit. Although it sounds like it may have wider implications, Microsoft is currently telling us that the attack vectors for these problems all center around RTF files with embedded content. Go pester your antivirus vendor and see if they'll add support for blocking RTF files with embedded content. And while you're at it, you may want to start blocking RTF files at your mail gateway.

Of the Patch Tuesday vulnerabilities, I've saved the scariest for last. MS07-016 also fixes a problem where a malicious FTP server could compromise a computer. Now, on the face of it, this doesn't sound too bad, but consider that almost every Windows application that accesses files via FTP uses the wininet library to do it, and wininet is where the vulnerability lives. Now consider that Outlook and Outlook Express will automatically fetch files off of an FTP server if an e-mail references them. If an HTML e-mail is spammed out with HTML like <img src="ftp://badserver/somefile.gif" /> in it, then badserver can take control of the computer with no click from the reader. Microsoft recommends that you view e-mails as plain text only until you've patched your system. The good news is that there isn't a public exploit available at this time. The bad news is that this affects all versions of Internet Explorer from 5 through 7, Outlook, Outlook Express, and all versions of Windows. And exploits will be here soon: the guys at iDefense who discovered this in May of 2006 have given enough details for people to figure it out.
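Both of the mail-borne vectors above (RTF files with embedded objects, and HTML mail that pulls resources over ftp://) are things a mail gateway can look for while you wait for patches to roll out. The following is an added example written for this post, not eSoft's or any vendor's filter code: it walks a MIME message, flags HTML parts whose auto-fetched resources (img, script, iframe and so on) use the ftp scheme, and flags RTF attachments containing the \object or \objdata control words that carry an embedded OLE object. The message it inspects is constructed inline for the demonstration, not a captured spam.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs through which an HTML body fetches a remote resource
# without the reader clicking anything. Constructed list for the example.
REMOTE_ATTRS = {"img": ("src", "lowsrc"), "script": ("src",), "link": ("href",),
                "iframe": ("src",), "frame": ("src",), "object": ("data",),
                "embed": ("src",), "input": ("src",), "body": ("background",)}


class FtpRefScanner(HTMLParser):
    """Collect every auto-fetched resource URL whose scheme is ftp."""

    def __init__(self):
        super().__init__()
        self.ftp_urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in REMOTE_ATTRS.get(tag, ()):
                if urlsplit(value.strip()).scheme.lower() == "ftp":
                    self.ftp_urls.append(value.strip())


def html_ftp_references(html):
    scanner = FtpRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.ftp_urls


def rtf_has_embedded_object(data):
    """True when an RTF document embeds an OLE object.

    \\object opens the embedding group and \\objdata carries the object bytes;
    that is the "RTF with embedded content" the bulletins describe.
    """
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    lowered = text.lower()
    return lowered.startswith("{\\rtf") and ("\\object" in lowered or "\\objdata" in lowered)


def inspect_message(raw_bytes):
    """Walk one message and return a list of findings (empty means clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        if ctype == "text/html":
            for url in html_ftp_references(part.get_content()):
                findings.append(f"HTML body auto-fetches a resource over FTP: {url}")
        elif ctype in ("application/rtf", "text/rtf") or filename.endswith(".rtf"):
            payload = part.get_payload(decode=True) or b""
            if rtf_has_embedded_object(payload):
                findings.append(f"RTF attachment {filename or '(unnamed)'} contains an embedded object")
    return findings


def build_sample_message():
    """Constructed test message (not a captured spam): an HTML body pulling an
    image over FTP plus an RTF attachment with an embedded object."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        '<html><body><p>Hi</p><img src="ftp://badserver/somefile.gif" />'
        '<img src="http://cdn.example.org/ok.gif"></body></html>', subtype="html")
    rtf = (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Package}"
           b"{\\*\\objdata 0105000002000000}}\\par }")
    msg.add_attachment(rtf, maintype="application", subtype="rtf", filename="invoice.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print("BLOCK:", finding)
```

An HTTP image reference passes untouched, so the check is narrower than "strip all remote images", and it catches the ftp:// case regardless of which tag carries it. The RTF test is intentionally blunt (any \object group is enough to quarantine), which matches the advice above to block RTF with embedded content outright rather than try to judge the object.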

This is my first post to the ThreatCenter Live blog, and it's far longer than I expect the average post to be, but we've got quite a lot of news to share. The eSoft Threat Level will remain at its elevated position for a few days to raise awareness of these issues. Assuming no exploits start hitting and being widely used in the next few days (which very well may happen with the FTP vulnerability in particular), we will lower the threat level back down.

[Note from the sponsor: eSoft's Intrusion Prevention, Gateway AntiVirus, and Gateway AntiSpyware Softpaks together protect users from all of the above mentioned vulnerabilities except for the Cisco IOS IPS issue.]