Archive for December 2004

Windows Media Files could install Spyware

Risk Your PC’s Health for a Song?
http://www.pcworld.com/news/article/0,aid,119016,00.asp
Protect Yourself From Audio Adware
http://www.pcworld.com/news/article/0,aid,119063,00.asp
These articles don’t go into a lot of detail. It appears that via the DRM feature in Windows Media Player a malicious content provider could cause Media Player to go to a website of their choosing when you play the file. It uses Internet Explorer to open a webpage of the author’s choosing (even if that is not your primary browser). It will load whatever code is there, including exploits for Internet Explorer that could be used to install spyware.
Vulnerabilities in Internet Explorer and most applications require the user to follow a URL to be exploited; this provides a new vector of attack. It is likely much easier to socially engineer a user into opening a Windows Media file than into opening a URL. The old adage about not opening unexpected attachments still holds. One wonders if this is something antivirus vendors will even be able to stop, since it is basically just calling a URL.

Message Labs 2004 Email Security Report

The 2004 Annual Email Security Report from Message Labs is available from http://www.messagelabs.com/binaries/LAB480_endofyear_UK_v3.pdf
In it they identify the trends of 2004, such as the increase in phishing, legal attacks on spammers and the ongoing saga of various sender authentication schemes. In addition they have statistics from the year and predictions for next year.

Worming into your company

Wired News has a light, humorous article on what happens when you work on a project that is canceled before it ships and you’re fired. Of course the only course of action is to sneak into your former employer and finish it, right?
As someone in infosec, the article scares the hell out of me. Even though the events occurred a decade ago, they could still occur today. The fired employee was able to continue accessing Apple headquarters because they failed to terminate his access after laying him off. Once the access was disabled, employees were slack and allowed him to piggyback at entryways without challenge. Some employees condoned his efforts because they had similar side projects. It got to the point that managers applied for contractor badges for this rebel even though he wasn’t actually working on anything for Apple. At Apple they like to remind us PC folk that they think differently. Apparently this includes a total lack of security. For when his project was done, they licensed it and included it in their operating system.

AOL’s Security Ads, Another View

I recently posted about my love for the new series of AOL ads. They highlight the fact that users don’t set out to have security disasters and lose their term papers and family photos to a virus. They don’t set out to have their online experience be horrible because of porno spam and spyware. They just want to email grandma the pictures they took at Christmas. Is that so wrong?
Tom Liston takes a different view over in today’s SANS Diary. I’m so glad I got my post in first (a month ago actually). This way I know I’m not just having a knee-jerk reaction against what the “experts” have to say.
Liston claims the ads call AOL customers idiots, and further that computers are tools that must be used skillfully. Basically he’s playing the old blame-the-user game. Don’t we yell at Microsoft for not making patching easier, and for not making stopping viruses and spyware easier? Here is AOL stepping up and helping keep the home user’s system secure. In the past they’ve done things like turn off the Messenger service. Now they are including antivirus and antispyware. If the updates for this are as easy as the updates to AOL’s own software, they have the potential to make people much, much more secure.
AOL IS FILLING IN THE SECURITY GAP. THEY SHOULD BE COMMENDED.
I would highly recommend reading the following entry from the Microsoft Monitor Blog. It tells of the writer’s grandma, Windows XP and AOL Security Edition.
The sole problem I might have with the ad campaign is that it implies “Get AOL, Get Secure,” when in reality the AOL Security Edition is necessary.

AOL Reports Blocked Spam Down

According to a Reuters story, AOL has seen a 50 percent reduction in spam detected over the past year. At the same time subscriber complaints due to spam are down 75 percent.
The article (which reads like a press release for AOL’s new security initiative) does not speculate about the cause of this decline. One obvious possible cause is a reluctance on the part of spammers to become a test case for the tough spam laws in the Commonwealth of Virginia (where AOL’s servers are located).
Where I work, spam blocks routinely account for 80 percent of all incoming email, so I wouldn’t make a global generalization about spam based on what AOL is reporting.

Merry Christmas

Hope that all of you have a safe and happy holiday.
Unto you is born this day, a savior. Christ the Lord.

Irresponsible Blogging

Over at the SANS Internet Storm Center Diary, today’s handler is taking swipes at David Litchfield (calling him mean, spiteful, and rude, as well as a grinch). You see, Oracle patched some vulnerabilities that David found back in August. Nice guy that he is, he did not publicly announce the vulnerabilities until December 23rd, four months after patches were available.
Stuff like this is fine in a blog. Opinion is great. But when the name SANS is on the blog, you’re lending the SANS name to your personal opinion. It doesn’t matter if you have a disclaimer. It just seems like more and more the SANS ISC Diary is used for a bully pulpit (or in this case just blowing off steam). The ISC Diary should stick to aggregating reports about what is going on out on the Internet.
I did a quick Google to see if what the SANS handler said was true or if Litchfield had posted a response yet. I didn’t find any current response, but I did find a ZDNet interview with Litchfield. He appears to be very mindful of not releasing vulnerability info prior to patches being available. For that he deserves a pat on the back, not the lump of coal that SANS is presenting.
It’s kind of funny that after giving Litchfield the pitchfork, they just mention in passing that a Chinese group has released exploit code for unpatched Windows vulnerabilities. Perhaps those are the guys that deserve the heat.

Link: VNUNET Looks at 2005

http://www.vnunet.com/News/1160190
VNUNet’s 5 predictions for the coming year in security
1. Signature-based antivirus software is finished
2. Spam rates will regularly hit 90 per cent of all emails
3. Cyber-terrorists will remain mythical
4. No Longhorn in 2005
5. No security, no connection
For the full article see the vnunet link above. All in all it looks like a pretty safe list to me. The last item I can only hope will happen: endpoint compliance, where users are denied access until they are proven secure (or proven to meet certain requirements, like running antivirus). On the first item, I have to wonder what the solution will be. I don’t think HIPS is ready for prime time, and I don’t think heuristics as currently deployed are the solution either.

Link: Paul Thurrott Looks at Giant Antispyware

Microsoft bought Giant Antispyware last week. Here’s an article where Paul Thurrott interviews a co-founder of Giant prior to their being bought out.

Google Wacking

This week the Santy virus used Google queries to find vulnerable versions of phpBB for it to attack. Immediately there were calls for Google to block this malicious search. Within 7 hours Google complied, and the virus was no longer able to search for phpBB servers until a new variant was written that changed the user-agent field. If the user-agent field is random, or something common, will Google then block all queries for phpBB installations?
One has to wonder about the interests of information freedom versus the interests of computer security. I wonder how far Google will be forced to go. Will all googlewhacks be banned as well? After all, what legitimate purpose do I have in searching for XLS files with “password” in the file name? Where will it stop? Will I no longer be able to search for +solaris +root +exploit? It seems antithetical to the nature of the Internet to try to block all malicious searches in search engines.
Over at news.com Robert Lemos postulates that rate limiting is a possible solution. If I have a computer that queries for vulnerable phpBB servers, it talks to Google once. How do you rate limit that? In the vast amount of traffic, how do you notice “abnormal” query tendencies and block them dynamically? Frankly, rate limiting should already be in effect to prevent address harvesting via the Google cache.
Given the security culture, I can’t help but wonder how long we must wait before someone demands we shut down the search engines to protect national security. First we had an email virus getting addresses from Yahoo People. Now we have an Internet worm gathering victims from Google. Won’t someone please think of the children.
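The rate-limiting objection above (each worm node asks Google once, so a per-client limit never fires) is the part a detection engineer would want to see concretely. The following is an added example, not from the article or from Google: it runs a per-client limiter and a per-query aggregation over constructed log lines, with placeholders in place of any real worm or scanner query string.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)

def build_sample_log():
    """Constructed traffic (not real search-engine logs), one line per request:
    "timestamp client_ip user_agent query". Six worm nodes each send the
    placeholder query once with rotating user-agents; one noisy scanner sends a
    different placeholder query 12 times; three ordinary users search for recipes."""
    base = datetime(2004, 12, 21, 10, 0, 0)
    lines = []
    for i in range(6):
        ua = ["Mozilla/4.0", "NSPlayer", "Lynx/2.8"][i % 3]
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.{i} {ua} viewtopic phpbb WORMPATTERN")
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 Mozilla/4.0 inurl:SCANNER_PLACEHOLDER")
    for i in range(3):
        ts = (base + timedelta(seconds=7 * i)).isoformat()
        lines.append(f"{ts} 10.0.2.{i} Mozilla/4.0 christmas cookie recipe")
    return "\n".join(lines)

def parse_log(text):
    """Return (timestamp, client_ip, query) tuples; the user-agent is ignored on
    purpose, since the Santy variant showed it is trivially changed."""
    records = []
    for line in text.splitlines():
        ts, ip, _ua, query = line.split(" ", 3)
        records.append((datetime.fromisoformat(ts), ip, query.lower()))
    return records

def _bucket(ts):
    return (ts - datetime.min) // WINDOW  # integer window index

def per_source_limit(records, max_hits=10):
    """Classic rate limiting: clients sending more than max_hits in one window."""
    counts = defaultdict(int)
    for ts, ip, _q in records:
        counts[(ip, _bucket(ts))] += 1
    return {ip for (ip, _b), n in counts.items() if n > max_hits}

def distributed_query_alert(records, min_sources=5, max_per_source=2):
    """Aggregate by query instead of by client: a query that many distinct clients
    each send only once or twice in a window is the shape a per-IP limit cannot see.
    Returns {query: distinct_source_count}."""
    sources = defaultdict(lambda: defaultdict(int))
    for ts, ip, q in records:
        sources[(q, _bucket(ts))][ip] += 1
    return {q: len(s) for (q, _b), s in sources.items()
            if len(s) >= min_sources and max(s.values()) <= max_per_source}
```

A newly popular benign query (a news event) has the same shape as the worm, so a real deployment would compare each flagged query against its own historical volume before acting, which is exactly the false-positive concern the post raises about legitimate searches.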