Software developers and security researchers still don't see eye to eye on bug disclosures. There are times when the constant emphasis on the researcher's duty to make responsible disclosures appears to overshadow the vendor's duty to patch vulnerabilities in a timely manner. TippingPoint's Zero Day Initiative (ZDI), the world's leading bug bounty program, is trying to ensure that this fact is not lost on vendors.
ZDI has announced changes to its bug disclosure policy. Under the new policy, ZDI will go public with "limited details" of a bug if it remains unfixed six months after the vendor was notified. Previously it only published details of bugs that the vendor had already patched.
“As the 5th year anniversary of the TippingPoint ZDI program rolls around we have had a chance to reflect on the frequently changing vulnerability disclosure best practices utilized within our industry. From the days of no-disclosure, to full, to responsible, to coordinated, our policy has remained relatively the same,” Aaron Portnoy, manager of security research at HP TippingPoint, wrote in a blog post Wednesday.
“In an effort to coerce vendors to work with us on patching these issues more promptly, the ZDI is announcing a 6-month deadline going into effect on 08/04/10. This means that the first vulnerability report, if needed, will be disclosed on 02/04/11. At the end of the deadline if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigations in an effort to enable the defensive community to protect the user.”
Secunia said in its report that its findings reinforce the notion that "a high market share correlates with a high number of vulnerabilities." It found that third-party vulnerabilities far exceed first-party (Microsoft) vulnerabilities on a typical end-user PC running 26 third-party applications. The tables have turned: five years ago the reverse was true.
Although the total number of vulnerabilities across all the products Secunia tracks has stayed flat since 2005, the number affecting a typical end-user PC is growing at an alarming rate.
“In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760,” Secunia said in its report.
So here it is, folks: the first of what is likely to be many bugs affecting Windows XP Service Pack 2 (SP2), which will stay unpatched because Microsoft has ended support for XP SP2 and earlier.
According to a security advisory (2286198), "the vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives," Microsoft says.
Disabling AutoPlay lessens the risk, but a user with an infected USB thumb drive can still fall prey to the attack simply by browsing to the drive's root folder in Explorer, because the trigger is the rendering of the shortcut's icon, not the execution of the shortcut. Since it works with AutoPlay and AutoRun disabled, Sophos senior security advisor Chester Wisniewski warns that the bug is particularly "nasty," pointing out in a blog post that "it bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run."
M86 Security Labs released a list of the top 15 most observed vulnerabilities for the first half of 2010 and, surprise-surprise, Adobe Acrobat & Adobe Reader (No. 1) and Microsoft Internet Explorer (No. 2) took the top two spots.
It wasn't enough to just take the top spots, Adobe Reader and Microsoft IE overachieved (underachieved?) by claiming nine out of the 15 slots, with four of them belonging to Adobe and five for Microsoft.
The list also indicates a growing focus on exploiting Java-based vulnerabilities.
"Java is the next low-hanging fruit for attackers," says Marc Maiffret, chief technology officer at eEye Digital Security.
A young Argentinian hacker, known only by his sobriquet Ch Russo, claims to have successfully slipped past The Pirate Bay's defenses, gaining access to the torrent site's administrative control panel. An SQL injection vulnerability discovered by Ch Russo and a couple of his chums exposed the site's user database, which is said to contain account information belonging to around 4 million users. However, the hacker denies altering or deleting information.
The trio also resisted the temptation of selling the data to the companies assisting the entertainment industry in its fight against piracy. “Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told security blog KrebsOnSecurity in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”
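The SQL injection flaw mentioned above exposed a whole user table through a single injectable query. The following is an added example, not The Pirate Bay's code or schema: it builds an in-memory SQLite table with constructed sample users, runs a lookup that pastes the username into the SQL text, and runs the same lookup as a parameterised query, so the difference in what an attacker-supplied username returns is visible. The table layout, the sample rows and the payload string are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not real accounts.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "bob@example.org", "e99a18c428cb38d5f260853678922e03"),
    ("carol", "carol@example.org", "d8578edf8458ce06fbc5bb76a58c5ca4"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: the caller's string becomes part of the SQL grammar.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised: the value is handed to the driver separately and is
    # compared as data, never parsed as SQL, whatever it contains.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payload: closes the string literal, appends a UNION that pulls
# the hash column into the result, and comments out the trailing quote.
PAYLOAD = "nobody' UNION SELECT username, password_hash FROM users --"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),   # every user's hash
        "safe": lookup_safe(conn, PAYLOAD),               # no such username
        "safe_legit": lookup_safe(conn, "alice"),         # normal lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns one row per account, each carrying the password hash instead of the e-mail address, which is exactly the kind of dump the story describes; the parameterised lookup returns nothing for the payload and the expected row for a legitimate name.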
Everyone has different reasons for exposing Windows security flaws. Some do it to avenge an insult to a fellow security researcher, others to bring home the bacon. Unlike the Microsoft-Spurned Researcher Collective, which falls in the former category, Danish security firm Secunia's motivation is purely pecuniary.
“The vulnerability is caused due to a boundary error in the "UpdateFrameTitleForDocument()" function of the CFrameWnd class in mfc42.dll. This can be exploited to cause a stack-based buffer overflow by passing an overly long title string argument to the affected function,” Secunia said on its site.
According to Microsoft group manager Jerry Bryant, "Microsoft is investigating new public claims of a possible vulnerability in Windows 2000 and Windows XP." He said he is unaware of any attacks based on the vulnerability.
July 4 turned out to be a field day for hackers and chance cyber-saboteurs as they converged on the world's most popular video streaming site to wreak havoc using a cross-site scripting (XSS) vulnerability. They inserted malicious code into the comments section of many YouTube videos, so that whenever a user visited a targeted video the injected script ran in that user's browser, triggering redirects to porn sites, nasty pop-ups and other anomalous behaviour. Justin Bieber fans were probably the worst hit, with hackers and pranksters concertedly targeting the Canadian singer's videos.
But Google wasted little time in plugging the hole. "We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com," a spokesperson for YouTube's parent company said. "Comments were temporarily hidden by default within an hour [of discovering the problem], and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future."
Microsoft has acknowledged that it is aware of a zero-day vulnerability in the HCP protocol, the hcp:// URL scheme handled by Windows Help and Support Center. It learned about the threat on June 5, 2010 from Google security engineer Tavis Ormandy, who waited only five days before making the details public, complete with proof-of-concept exploit code.
Microsoft took a dim view of Ormandy’s eagerness to make a public disclosure. “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” wrote Mike Reavey, director of the Microsoft Security Response Center, in a blog post.
Reavey also criticized Ormandy for not being thorough in his analysis: “It turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.”
The vulnerability is known to affect Windows XP and Windows Server 2003 only. Microsoft is working on a fix. In the interim, users can protect themselves by unregistering the HCP protocol handler, as described in Microsoft Security Advisory 2219475, so that hcp:// links from web pages are no longer passed to Help Center.
Soccer fans around the world are eagerly waiting for the 2010 FIFA World Cup to kick off. Soccer's marquee event will turn host nation South Africa into the mecca for the sport's impassioned followers. As with any other major world event or cataclysm, the internet's dark alleys are filled with people ready to prey on the outpouring of human emotion during the World Cup. Some of their nefarious plans are likely already afoot, even though there is a fair bit to go before the event starts.
Symantec recently discovered a "targeted attack" that quite clearly tries to exploit the mounting soccer fever. Thankfully, the attack was thwarted before it could cause any damage. The attackers tried to drop their malicious payload using an email message ostensibly sent by a legitimate African safari organiser, Greenlife. To the untrained eye, the sender had attached a "highly informative World Cup Travel Guide." In reality the attachment was a modified copy of Greenlife's genuine PDF guide: the real document had been laced with code exploiting a recently patched vulnerability in Adobe Reader before being forwarded as an attachment, so it looked authentic to the recipient while carrying the exploit.
“The patch for this critical rated vulnerability was released by Adobe on February 16, 2010. Since then we have observed a large number of targeted attacks attempting to exploit this vulnerability. Proof-of-Concept exploit code is available in the Internet which is contributing to the large number of observed attacks,” Daren Lewis, a Symantec employee wrote on the MessageLabs Intelligence blog.
Targeted attacks are precise and low-volume. Symantec sees fewer than 100 such attacks a day, against the roughly 500,000 malicious emails it blocks daily. They usually aim at organizations, with people at the top of the pecking order more likely to be hit first, since their accounts give access to a large share of the organization's sensitive information. In this case, the malicious email was sent to a person identified only as "a user in a major international organisation that brings together governments from all over the world."
Adobe last week released a security update for a critical vulnerability in Adobe Flash, but according to security researcher Aviv Raff, installing the update could be cause for concern.
"If you did upgrade to the latest version of Flash from the Adobe website, you very likely have Adobe Download Manager installed," Raff points out.
So what's the big deal? Raff says there's an undisclosed flaw in the way Adobe's Download Manager works, which makes it possible for an "attacker [to] force an automatic download and installation of any executable he desires." In other words, those who download the update end up exposing themselves to a zero-day attack, Raff claims.
Adobe is apparently aware of the issue and is reportedly working with Raff to patch it. The software maker also downplayed the security risk, saying "the user has to accept a number of prompts before being taken through the installation process," which, it argues, makes it hard for unwanted or malicious software to be installed without the user's knowledge.