List of the TOP 25 Most Dangerous Programming Errors Released

Earlier today the List of the Top 25 Most Dangerous Programming Errors was released.  The list was compiled by a number of different organisations and coordinated by the SANS Institute.

Criminals are now moving away from attacking the infrastructure layer and towards finding ways into systems by means of bugs in the applications sitting on top of the infrastructure.   In light of this change in tactics it is very important that, if you are responsible for developing applications, you ensure that your code does not contain any of these errors.  If you are not responsible for developing applications then make sure this list gets to those who are and that they pay heed to it.

SSL Certificates Vulnerable to Attack

The computer security community is abuzz with the news announced today by a team of security researchers at the 25th Chaos Communication Congress in Berlin.  The researchers demonstrated how they were able to generate a fake Certificate Authority certificate, thereby allowing them to impersonate any secure website using SSL certificates.

The research is very interesting and the full paper is available here.  What I particularly liked is they used an array of 200 PS3 game consoles to break the certificate.

However, before we all panic and think that the Internet as we know it has come to an end, we should note that the attack has a number of limitations.  Firstly, the attack is against the MD5 algorithm, which has had known weaknesses since 2004.  Secondly, the certificates broken were using sequential serial numbers.  Finally, the researchers have kept their methods to themselves to allow vendors time to address the issue.

Wired magazine has a good write up on the issue, while Rich Mogull has an excellent post on his blog as to why we should not panic with regards to this issue, as does the Security Uncorked blog.  The Errata Security Blog also highlights that not all certificates based on MD5 are vulnerable.  The SANS Internet Storm Center also has a good write up of the issue with a list of vendor statements regarding the status of their certificates.

You can also use this site to check what SSL certificates are being used by a site you are visiting.
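In the spirit of the Errata Security point above (not every MD5 certificate is equally exposed) and the site check just mentioned, here is an added example, not from the original post, that walks the DER encoding of an X.509 certificate with a minimal ASN.1 reader and reports its serial number and signature algorithm, flagging MD5-based signature OIDs. The certificate bytes in the block are constructed by hand to contain only the fields the check reads and are not a real certificate; the two MD5 OIDs listed are my assumption of the relevant identifiers.

```python
# Signature-algorithm OIDs that mean "MD5 was used to hash the certificate".
MD5_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",  # PKCS#1
    "1.3.14.3.2.3": "md5WithRSA",                    # OIW
}

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                              # last byte of this arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def inspect_cert(der):
    """Return (serial, signature OID, MD5-signed?) for a DER X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)                  # tbsCertificate
    tag, _, after_ver = _read_tlv(tbs, 0)             # optional [0] EXPLICIT version
    _, serial, _ = _read_tlv(tbs, after_ver if tag == 0xA0 else 0)
    _, sig_alg, _ = _read_tlv(cert, pos)              # signatureAlgorithm
    _, oid, _ = _read_tlv(sig_alg, 0)                 # AlgorithmIdentifier.algorithm
    dotted = _decode_oid(oid)
    return int.from_bytes(serial, "big", signed=True), dotted, dotted in MD5_SIG_OIDS

# Constructed sample (not a real certificate): just the fields the check reads,
# with version v3, serial 0x1234 and md5WithRSAEncryption as the signature.
SAMPLE_MD5_CERT = bytes.fromhex(
    "30 20"                               # Certificate SEQUENCE, 32 bytes
    "30 09"                               #   tbsCertificate SEQUENCE
    "a0 03 02 01 02"                      #     [0] version INTEGER 2 (v3)
    "02 02 12 34"                         #     serialNumber INTEGER 0x1234
    "30 0d"                               #   signatureAlgorithm SEQUENCE
    "06 09 2a 86 48 86 f7 0d 01 01 04"    #     OID 1.2.840.113549.1.1.4
    "05 00"                               #     NULL parameters
    "03 04 00 aa bb cc"                   #   signatureValue BIT STRING (dummy)
)
# Same structure but sha256WithRSAEncryption (...1.1.11): the check should pass it.
SAMPLE_SHA256_CERT = SAMPLE_MD5_CERT.replace(b"\x01\x01\x04\x05\x00", b"\x01\x01\x0b\x05\x00")
```

For a live site, feed `inspect_cert` the result of `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` from the standard library. A certificate that still shows an MD5 OID is worth raising with its issuer, and the serial number it returns lets you see whether a CA is handing out the predictable, sequential values the researchers relied on.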

Microsoft To Release Out Of Cycle Patch for IE Vulnerability

Microsoft has announced that it will release an out of band patch for the vulnerability in Internet Explorer as outlined in the Microsoft Security Advisory 961051.

The patch will be released on the 17th December 2008.

Microsoft will host two webcasts to address questions on the patch. The first is scheduled for 13:00 Pacific Time (US & Canada) on the 17th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448&Culture=en-US.

The second is scheduled for 11:00 AM Pacific Time (US & Canada) on the 18th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449&Culture=en-US

More details on this out-of-band patch are available at http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

I was interviewed about this vulnerability on this evening’s Last Word Show on Today FM by Matt Cooper.  A podcast of the show is available here, my piece is about 5 minutes in from the beginning. 

I found it interesting to see how today a security vulnerability is getting press attention, whereas a few years ago it would be computer viruses.  Have we moved on to realise that the threat landscape is changing?

Microsoft Warn of New Attacks Against MS08-067

Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October due to an increase in attacks aimed at exploiting that vulnerability.  In particular a new worm, Worm:Win32/Conficker.A, has been noted as causing a rise in the number of attacks.
 
Once a PC is infected, Worm:Win32/Conficker.A will patch the vulnerability to prevent the PC from being exploited by another worm or attacker and will also reset the system restore point to make it more difficult to recover the infected PC.
 
More details are available on the Microsoft Malware Protection Center Blog at http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
 
If you have not yet applied this patch it is strongly recommended that you do.

Microsoft Release Critical Out-Of-Band Patch

Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle.  For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to. 

I am obviously not the only one who thinks that, as the Internet Storm Center’s Infocon has turned yellow, which means they are “currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak.”

The vulnerability could allow an attacker without authentication to remotely run arbitrary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems.  This is similar in nature to how the MSBlaster worm propagated throughout the Internet and this vulnerability could be used in the same way.  Microsoft have reported that they have seen live targeted attacks on some customer systems using this vulnerability.

It is recommended that you patch your systems ASAP.  However, patches, be they from Microsoft or other vendors, bring with them many inherent risks that we need to consider before rolling them out onto production systems.  Will the patch introduce new problems as well as fixing the ones identified? Will it impact on other applications and systems?  If we patch we may have problems; if we don’t we may have a security breach.  Not the easiest of choices for an IT or Information Security professional to have to make.
I recommend you look at the following steps to mitigate the problem:

  1. A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
  2. Whatever solution is decided upon needs to be agreed to and signed off by senior management.
  3. An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action or (b) respond in the event your systems are compromised in spite of the steps taken.
  4. Remember as part of the plan to ensure that all your backups have been running successfully and more importantly that you can restore them!
  5. Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
  6. Communicate clearly with the user population explaining why the patch is being deployed and to report any unusual behaviour.
  7. Ensure that all Anti-Virus signatures and software is up to date.
  8. Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
  9. Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
  10. Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.

I strongly advise, as with all patches, that you test and are satisfied that the patch does not negatively impact your environment before you deploy it.  It also may be worth keeping on high alert even after deploying the patch as:

  1. Other new vulnerabilities could still be found in this feature of Windows.
  2. Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.

More details are available from the Microsoft Security Response Center and also from the Internet Storm Center.  It is a pity that we do not have our own CERT here in Ireland to help coordinate a response to this issue and help Irish businesses better protect themselves.

Clickjack Proof Of Concept

Details of the much talked about Clickjack exploit are now available on Jeremiah Grossman’s blog, RSnake’s blog and Adobe’s website.  Jeremiah and RSnake were meant to demonstrate clickjacking at a recent conference but decided not to in order to give the vendors time to address the problem.  Given that this exploit can be used to remotely use a victim’s webcam and/or microphone, the implications for stalking, industrial espionage or indeed national security highlight that the guys were right in waiting.

Jeremiah and Rsnake should be commended on how they handled this issue and credit should also go to the Adobe PSIRT for their response to the problem.

More on the DNS Vulnerability

Since my post on this issue yesterday and also Andy Whelan’s post to the ISSA Ireland’s newslist, a number of people have come back to me offline with regards to the current status within the Irish Internet space.  It seems that a number of ISPs, 16 apparently, have not yet patched their DNS servers.  But the biggest challenge appears to be organisations ensuring that their DNS servers are patched.

Here is an excerpt from an email I received that highlights the challenges:

“we’re patched and we have been notifying our clients who have dns servers non-patched.  There is also a worldwide effort by “non-for-profit security organisations” to alert ISP abuse desks, although whether they act or the sysadmins act on the email is anyone’s guess.

There are 35 ISPs in INEX (https://www.inex.ie/about/memberlist), a quick look through a “special list – as of 21/07/2008” shows there were 16 ISPs with DNS servers in their range vulnerable.
The Irish ISPs have patched their main DNS servers, but the problem seems to be their clients who run their own DNS servers, have servers in hosting centres or rogue departmental servers hidden away that the IT security teams don’t know about.”

More details are emerging of the nature of this problem (hat tip to Security4all) and active exploit tools are now being used.  So in short:

  • The criminals have a major opportunity to steal more money,
  • They have automated tools to achieve that goal
  • They will find vulnerable DNS servers
  • They will exploit those servers
  • If you have a vulnerable DNS server they will exploit it!

So to those 16 ISPs, patch your systems ASAP.  If your normal maintenance window is still a number of weeks away then consider using an emergency window instead.  Talk to your upstream ISPs and ensure they also patch their servers.

To those of you who manage or look after your own DNS servers you need to get the finger out and patch them.

Critical DNS Vulnerability Addressed

Various vendors have banded together to fix a critical DNS cache poisoning vulnerability.  The vulnerability was discovered by Dan Kaminsky six months ago and can enable criminals to conduct phishing scams by altering DNS records for legitimate sites to point to their phishing sites.  The Register has a good article on it and SiliconRepublic.com also cover it.  Details of the problem are available from US-CERT and The Internet Storm Center.

Dan Kaminsky’s own Blog goes into more detail on the issue and has an online checker so you can see if your DNS server is impacted.

Finally it is interesting to note that in other countries the response to this has been coordinated by their respective CERTs to ensure ISPs and others are aware of the issue and addressing it.  It will be interesting to see if the Irish Internet space can respond appropriately without our own CERT.

Firefox 3.0 – Hackers 1

Mozilla released the latest version of Firefox on June 17th amidst much fanfare and hype.  The major buzz about this release being the attempt by Firefox to break the Guinness Book of Records for the most downloads in a 24hr period for a single program. 

Well, the launch has not gone so well for Firefox.  Firstly, due to the number of people attempting to download the latest version (over 8 million), the site’s availability has been patchy at best.  But worse was to follow: within five hours of its release a security vulnerability affecting the latest version, and previous versions, was discovered.   TippingPoint have verified that the vulnerability is real through their Zero Day Initiative.  The SANS Internet Storm Center and the Security4all blog provide more coverage on the issue.

For the browser that promotes itself as being more secure than Internet Explorer this is not the best of starts.

Adobe Flash Player 0-Day Vulnerability in the Wild

The Internet Storm Center has highlighted a 0-Day vulnerability in the Adobe Flash Player.  Adobe’s Product Security Incident Response Team is investigating the issue.  It is reported that the versions affected are the current version 9.0.124.0 and earlier.  Symantec have raised their ThreatCon to Level 2.

Attackers are apparently injecting redirections into legitimate sites to send users to hostile sites that host malicious Flash files carrying the exploit.  If these redirects were to happen on a high traffic website the potential impact from this problem would be quite high.

If you are concerned about this attack vector, you should explain the risks to your senior management and see if they want to block the downloads of Flash files at your perimeter using your firewall or web proxy.  You should also ensure that all your systems are updated with latest anti-virus signatures and keep a close eye on Adobe to see if and when they release a patch.

UPDATE 28/05/08 – SiliconRepublic.com covers this story and refers to this Blog and includes additional comments from me about the issue.