Maximum PC XSS RSS Feed

Twitter Users Hope Cure for Mikeyy Worm Lasts

Mark Edward Soper — Tue, 14 Apr 2009 18:47:08 -0500

Over Easter weekend, many Twitter fans were getting worms instead of finding Easter Eggs, as the developer of a rival microblogging site (StalkDaily), one 17-year-old Michael "Mikeyy" Mooney, was busy drawing Twitter users to his site by using the so-called "Mikeyy" or "StalkDaily" worm to infect links and Twitter profiles. According to PCWorld and the Twitter status page, the infection has now been brought under control. But inquiring minds want to know, "what happened?" and "how can we stop a future attack?"

Doing a Google search for "Mikeyy" or "TwitterWorm" isn't the best way to find out, though, as the F-Secure security blog points out that fake news sites are being used to infect curious searchers with (unrelated) malware. So what really happened?

Mikeyy/StalkDaily used XSS (Cross-Site Scripting) and CSRF (Cross Site Request Forgery) attacks (we've discussed XSS a number of times here at MaximumPC.com). Website developer and Twitter expert Lynne Pope offers an excellent analysis of how the Mikeyy/StalkDaily attacks worked, and how you can protect yourself from similar exploits in the future:

The very first thing you must do to protect yourself is this - do not browse to any sites while logged on to another site. Leaving authentication cookies exposed is dangerous. Log off, then navigate away.

Ms. Pope also recommends:

Firefox fans should use NoScript to prevent scripts from running without explicit permission.
Use the Hosts file to block domains pointed to by malware.
Use tools available at LongURL.org to determine where short URLs are actually pointing to (Mikeyy/StalkDaily used bit.ly and tinyurl.com to conceal the actual websites used for spreading the worm).

Were you affected by the Mikeyy/StalkDaily worm? Hit Comment and tell us your war stories.

Twitter logo courtesy of a MESS of commentary.

XSS Vulnerabilities at AmEx Website

Mark Edward Soper — Fri, 26 Dec 2008 18:25:24 -0600

Before you drop in on the American Express website to see how much damage you did to your credit line with holiday shopping, you should know it's vulnerable to an XSS (cross-site scripting) exploit. As The Register reports, this news comes after a bungled attempt to fix the problem. As El Reg puts it,

The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.

So far, only proof-of-concept exploits have been written to show how easy it would be to pilfer login credentials, but until AmEx really eradicates this problem, keep a careful eye on your website transactions. For a list of precautions you can take to stop XSS exploits, see our 2007 article.

Have you been victimized by an XSS error? Hit Comment and sound off.

IE Climbs Into the "It's Not a Bug, It's a Feature" Browser Doghouse with Unpatched GIF Vulnerability

Mark Edward Soper — Tue, 01 Jul 2008 15:08:34 -0500

Embedded JavaScript in GIF Can Launch XSS Attacks in IE

ZDNet's Zero Day security blog reported Friday that the lowly 256-color GIF picture file format can be used by deliver "drive-by" attacks.

According to Kapersky Labs analyst Roel Schouwenberg, GIF files can include embedded JavaScript, and under certain circumstances, can be used to launch a cross-site-scripting (XSS) attack. XSS attacks are both common and dangerous, as reported here previously.

Unfortunately, because you can't determine whether a GIF file contains JavaScript, it's much tougher to avoid potentially hostile websites - or compromised websites containing hostile JavaScript.

An Unheeded Warning

According to Zero Day, Schouwenberg warned Microsoft a long time ago about this vulnerability, Microsoft disagreed, and the vulnerability was never patched. He has contacted Microsoft again.

Apple Climbs Out of Browser Doghouse – Making Room for Microsoft

This vulnerability is reminiscent of the recent "carpet bomb" vulnerability in Apple's Safari browser, which was actually a combination of poor design choices by both Apple and Microsoft. Fortunately, it didn't take long for Apple to issue a revised version of Safari to stop the threat.

Let's hope Microsoft can take a hint - especially since Zero Day's report on the GIF threat indicates it's an in-the-wild problem that's already compromised at least one legitimate website.

Skull and crossbones courtesy of Webweaver.nu

Vista Security Features Finally Getting Some Respect

Mark 'Marcus_Soperus' Soper — Mon, 14 Apr 2008 22:33:29 -0500

ASLR, NX Finally Arrive in QuickTime

Support for one of Windows Vista's best behind-the scenes security features, address space layout randomization (ASLR), is now available in Apple QuickTime 7.4.5 for Windows, eWeek reports. ASLR, which randomly locates program start and other key address locations each time an ASLR-compliant program runs on Windows Vista, is a key feature of Windows Vista that, so far, has seen limited use in third-party applications.

QuickTime 7.4.5 also includes support for hardware NX (No Execute), better known as Data Execution Protection, which, unlike ASLR, is widely supported in third-party applications. Given the frequent security patches QuickTime's needed over the last year or so, it's about time it received some significant beefing up in this area.

IE8 to Enable NX/DEP by Default

And, speaking of NX/DEP, Microsoft's IE8, currently in early beta, will have NX/DEP enabled by default on Windows Vista and its architectural sibling, Windows Server 2008. No word on when IE8 betas will include this improvement.

Improved Security Just in Time, as XSS Attacks Continue to Run Wild

It's a good thing that QuickTime and IE8 are getting "hardened up," as the BBC reports that XSS (Cross-Site-Scripting) vulnerabilities continue to make all parts of the Web potentially dangerous.

Browser Wars, Part II

Mark Soper — Wed, 26 Mar 2008 22:36:00 -0500

And the Acid3 100% Compliance Certificate Goes To...

Opera!

The Opera web team was the first to score 100% on the tough Acid3 browser rendering standards test, and posted the proof of compliance (the 100% Acid3 graphic many of you first saw here) earlier today. The 100% score on Acid3 was reached using WinGogi, Opera's name for its Windows reference builds. Opera expects to have a prerelease build available for download at its Opera Labs website "within the next week or so."

So, How Important Is Reaching 100% on Acid3? That Depends...

...on who you ask. The MozillaZine Forums hosted a heated discussion of this topic earlier this month when Acid3 was introduced. MozillaZine poster "Euchre" summarizes the problem with standards-based testing versus real-world web pages:

I don't think the Acid tests are the be-all, end-all measure of a browser - but they do showcase how thoroughly and completely a browser can handle standards based behaviors. I haven't seen a person try to make a test for NONstandard behaviors. Maybe that would be a better way to make all browsers fall into the same line of function?

The "What is the Best Browser?" page at Tech-Faq.com provides background information on rendering engines and the browsers that use them.

Stop Running Safari on Windows! You're Violating the EULA!

Hardly anyone ever reads the end-user license agreement (EULA) for software, and sometimes that statement also applies to software developers themselves. The Italian IT website setteB.IT reports that the license agreement for Apple's Safari browser "allows you to license and use one copy of the Apple Software on a single Apple-labeled computer at a time." Oops! The ChannelRegister website displays a screengrab of the License Agreement window to prove it.

According to an attorney interviewed for the ChannelRegister website, though, Apple can't enforce an "impossibility issue." That's good news for the two or three users out there who really take EULAs seriouly, but bad news for Apple Computer decal and sticker sellers who could have made a killing converting PCs into "Apple-labeled computers." After the pummeling Apple's taken for the sneaky way it's pushing Safari 3.1 to Windows users, you'd think Steve Jobs and Co would be trying to avoid any more bad news. But wait! There's more!

No Need to Go on a "Safari" to Find Safari Security Flaws

How can you tell when a browser's made the big time? When security researchers start looking for - and finding - security flaws in the browser. The browser is Safari 3.1, and Argentinian security expert Juan Pablo Lopez Yacubian has discovered two major vulnerabilities:

- A JavaScript vulnerability that can inject fake content into a page
- A memory access error that can be triggered by attempting to download a ZIP file with a very long filename, causing the browser to crash.

The JavaScript vulnerability could allow an attacker to display a legitimate URL in the address bar while the actual website being visited could install malware or phish for personal information. Until these problems are fixed with an update, better stay away from unknown websites, or, as our own Will Smith says, "think before you click."

Leaky Addons Make for Big Security Risks for Firefox Users

MarkSoper — Wed, 30 Jan 2008 16:23:52 -0600

Hacking Firefox? It's Easy When There's No JAR to Open

ZDnet's Security Blog reports that Firefox extensions that are not stored in JAR archive files (.JAR) leave users vulnerable to a vulnerability called a chrome URL handling directory transversal attack by hostile JavaScript files (Chrome URIs use extensions stored in the user's Chrome folder).

How big a deal is this? According to Gerry Eisenhaur of hiredhacker.com, who discovered the vulnerability earlier this month, merely opening a website that contains JavaScript aimed at this vulnerability could make Firefox display your preferences file (all.js) or find out what you've been doing by displaying the sessionstore.js file, just to name two examples (see his posting for demos).

Who's Vulnerable?

Mozilla is ranking this vulnerability as 'High Severity' because it can be exploited if you have any of over 600 add-ons installed, ranging from A (allcookies) to Z (Zipedia).

Who to Blame?

According to Mozilla Security Chief Window Snyder, don't blame Firefox; blame the developers that don't use .jar packaging for the add-ons. If you're a web developer (or play one on TV), you might want to review the debate at Bugzilla over this bug (number 413250). If you develop Firefox extensions, switching to JAR packaging might be a really good idea.

Firefox 2.0.0.12 to the Rescue - Real Soon Now

However, just as Microsoft initially blamed others for an Internet Explorer 7 URI vulnerability we discussed last fall, then decided to fix the problem at the operating system level, Mozilla will block this vulnerability with Firefox 2.0.0.12 (current version is 2.0.0.11). Watch for an update, or if you're impatient, visit the Firefox download page frequently.

In The Meantime, Protect Yourself Two Ways

So-called 'Proof of Concept' bugs discovered by the good guys have a nasty habit of being used for actual attacks, so you shouldn't wait for a Firefox update. Here's what you can do today:

1. Install Noscript immediately. Noscript uses preemptive script blocking on a site-by-site basis to stop this and similar script-based vulnerabilities, including XSS vulnerabilities.
2. Install updated versions of your favorite add-ons. A quick review of the list of affected add-ons shows that some affected add-ons are older versions; updated versions might not be affected.

Fake Microsoft Update Email Can Ruin Your Evening - Stop It Now!

Mark Soper — Tue, 22 Jan 2008 21:25:52 -0600

Heed This "Warning" - And You'll Be Sorry

Security vendor Sunbelt Software's blog reports that a fake warning to "update your P.C. in maximum 12 hours otherwise your Windows will be Expired" is making the email rounds. While the message (visible here) has all of the earmarks of a fake (including broken English), it might convince some technical novices that they'd better get clicking. If they do click, what happens? They download IRC.Backdoor.Trojan, an old threat that can still take over a system. It's disguised as updateWindows.exe. You can learn more about how it works by reading PacketShack.org's analysis.

Removing IRC.Backdoor.Trojan

There are a large number of variants of this nasty bit of malware, as this Tek-Tips thread suggests. It also goes by many different names depending upon the antivirus vendor, including Win32.HackTool (eSafe), Backdoor.IRC.Zapchast (F-Secure and Kaspersky), Riskware.HideWindow.B (Webwasher-Gateway), and many others (link requries a PDF reader). Some antivirus programs may have difficulty removing it.

If you're working on an infected computer and can't get rid of it, one Tek-Tips poster recommends using the free F-Secure online scanner. You must use IE6 or IE7 with ActiveX enabled to use the F-Secure scanner, and it runs on Windows XP or 2000 (a beta version is available for Windows Vista users).

What Not to Click

Tired of fixing virus and malware infections? Remind your family, friends, co-workers (and anybody else who thinks you're a technology genius) of the rules for staying out of trouble online:

Don't click links purporting to come from PayPal, eBay, or your local bank or credit union
Always log into Windows Update, e-commerce and similar sites manually
Hover the mouse over links in an email or web page to find out where it will really take you
Ignore logos and artwork when attempting to determine if an email or website is legit - they're easily stolen and reused

These can be summarized in one rule: Think before you click!

Google's in the XSS Crosshairs - and So Are You

Mark Soper — Mon, 24 Sep 2007 23:32:52 -0500

It's a commonplace that online security threats are aimed at the biggest target available. In terms of operating systems, it's still Microsoft. But if you consider how people use the Internet, think G - G for Google, that is.

According to theRegister.co.uk website (motto "biting the hand that feeds IT"), Google's Gmail web-based email, Picasa picture organizer, and embedded search appliance (used in websites that incorporate Google Search) have recently been proven to be vulnerable to exploits using cross site scripting (XSS).

Web Info Pirates Fly the XSS Flag

XSS takes advantage of the fact that JavaScript, HTML, VBScript, ActiveX, and Flash scripts are commonly used in websites. Put simply, an XSS attack (exploit) embeds a malicious script into a dynamic web page. The script captures or manipulates information as the attacker desires. This type of threat isn't new: the FAQ link provided above goes back to 2003. What's scary about XSS exploits is that they threaten the very richness of the Internet. I remember when websites were almost all text with just the occasional photo or drawing. Today's web user wants more - and unfortunately, that makes XSS attacks more common.

What XSS Can Do to You

In the case of the most recent Google XSS problems, XSS vulnerabilities could be used to steal cookies, steal photos from Picasa, contacts from a Gmail account, and redirected Gmail messages to a specified account. Although Google's taken action to block these attacks, this is just the latest round in XSS-based vulnerabilities suffered by Google - and others. For example, the Samy (aka J.S. Spacehero) virus used XSS to infect over a million MySpace users' pages in 2005, and a May 2007 ranking of websites with XSS vulnerabilities (available from this page) lists many major websites, including Flickr, Photobucket, Yahoo! and many others.

Stopping XSS - If You Can

The ultimate solution to XSS vulnerabilities would be to disable all scripts - unfortunately, in today's Internet, such a move would also disable most commercial websites. Boring! So, what else can you do?

If you develop websites for fun or profit, consider scanning them for XSS vulnerabilities, using a tool such as the Web Vulnerability Scanner from Acunetix Ltd (a free version is available) or others. This Google search (ironic, isn't it?) will find more examples.

But, if you're an ordinary web user, not a developer,what are your options (other than disabling scripting, that is)?

1. If you use browser add-ons or updates to other types of web-enabled products, make sure you install updates as soon as they're available. As with updates for Windows, browser add-on updates are often provided to improve security.

2. Keep in mind that any web-based service can be vulnerable to XSS.

3. XSS vulnerabilities are often cross-browser threats; using Firefox or Opera might not protect you.

4. Most XSS exploits also depend upon old favorites like spoofing or clicking links. As always, think before you click.