Computing, Cycling, horticulture, other stuff

A new twist on “security through obscurity” ?

June 13th, 2009 Beardy

Photo by Henning

Ok, anyone who knows anything about security in IT systems knows that “security through obscurity” is akin to “the road to Hell is paved with good intentions”. It just does not really provide the desired outcome in the long term.

So, let’s examine the history of this approach. M$ products, while getting better, still tend to depend on M$-specific proprietary APIs and protocols that inevitably lead to “critical” security patch after “critical” security patch ad infinitum. Sound familiar?

On the hardware and network design side, many people (some of whom should know better!) think that just because they have what is termed a “NAT firewall”, their precious LAN is secured from the kiddiots and other nasty denizens of the world-wide-whackfest. WRONG!

First of all, while NAT does provide at least some level of protection (certainly better than the twits who connect their USB ADSL MODEMs directly to the ‘net without even enabling the Winblows firewall, nuff sed on that one), it only really obfuscates things; it is not true protection. Consider the annual C and Perl code obfuscation contests: the result is code that is nearly impossible to read without getting a headache, but it is decipherable in the end. This will eventually become largely academic as IPv6 becomes more pervasive. Remember that NAT was originally created to provide an artificial extension of the internet’s IPv4 address space (well, that combined with non-routable IP address ranges).

All the gurus of internet hacking agree on one thing about NAT as a “firewall” technology; it is limited but fine provided the machines on the inside NEVER open a connection OUT and no ports are forwarded IN. All a potential attacker needs is the details of who and where you came from and they can (in theory at least) use that against you, kinda like identity theft.
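The point above about NAT, as an added example that is not part of the original post: a toy model of a NAT translation table showing that unsolicited inbound traffic is dropped only because no mapping exists, and what changes once a LAN host connects OUT or a port is forwarded IN. The `Nat` class, the two filtering modes (named after the RFC 4787 terms) and the documentation-range addresses are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    # "endpoint-independent": any remote host may use an existing mapping.
    # "address-and-port-dependent": only the exact peer contacted may reply.
    filtering: str = "endpoint-independent"
    forwards: dict = field(default_factory=dict)  # public port -> (lan ip, port)
    mappings: dict = field(default_factory=dict)  # public port -> (lan ip, port)
    peers: dict = field(default_factory=dict)     # public port -> {(remote ip, port)}
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection OUT; create or reuse a mapping."""
        for pub, inside in self.mappings.items():
            if inside == (lan_ip, lan_port):
                break
        else:
            pub = self.next_port
            self.next_port += 1
            self.mappings[pub] = (lan_ip, lan_port)
        self.peers.setdefault(pub, set()).add((remote_ip, remote_port))
        return pub

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN endpoint a packet reaches, or None if it is dropped."""
        if public_port in self.forwards:      # port forwarded IN: always delivered
            return self.forwards[public_port]
        inside = self.mappings.get(public_port)
        if inside is None:                    # no state: dropped as a side effect
            return None
        strict = self.filtering == "address-and-port-dependent"
        if strict and (remote_ip, remote_port) not in self.peers[public_port]:
            return None
        return inside

def demo():
    """Constructed scenario: one LAN host, one contacted server, one stranger."""
    results = {}
    for mode in ("endpoint-independent", "address-and-port-dependent"):
        nat = Nat(filtering=mode)
        before = nat.inbound("203.0.113.9", 4444, 40000)    # nothing mapped yet
        pub = nat.outbound("192.168.1.10", 51000, "198.51.100.7", 443)
        reply = nat.inbound("198.51.100.7", 443, pub)       # the contacted server
        stranger = nat.inbound("203.0.113.9", 4444, pub)    # an unrelated host
        results[mode] = (before, reply, stranger)
    return results

if __name__ == "__main__":
    print(demo())
```

In both modes the mapping is a by-product of address translation rather than a stated policy, which is why an explicit stateful firewall rule set is still needed behind NAT.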

So where am I going with this?

Microsoft finally starts work on a patch for IE flaw

December 17th, 2008 Beardy

Latest news…

The US software giant said that in response to “the threat to customers” it immediately mobilised security engineering teams worldwide to deliver a software cure “in the unprecedented time of eight days.”

According to researchers at software security firm Trend Micro, attacks based on the vulnerability in the world’s most popular Web browser are spreading “like wildfire” with millions of computers already compromised.

Microsoft typically releases patches for its software on the second Tuesday of each month and rushing this fix to computer users out-of-cycle is testimony to the severe danger of the threat, according to Trend Micro.

“Microsoft releasing emergency patch for perilous IE flaw”
<http://www.australianit.news.com.au/story/0,24897,24813123-15306,00.html>

FOLLOW-UP: IE6 0-day vuln is not covered by security products

December 17th, 2008 Beardy

(As seen on /.)

The mainstream press and consumer IT news services are starting to pick up on the issue. Not surprisingly, there is a fair amount of disbelief that M$ are so blithely just advising users to be cautious rather than providing a real fix.

As mentioned previously, the greater worry is not user computers becoming infected due to the flaw, but rather the trend of infections impacting legitimate web sites, causing wider spread of the problem. The obvious greatest concern would be if the non-technical news sites (e.g. BBC, CNN, etc.) became compromised, as the flow-on would undoubtedly eventually hit the online financial services (i.e. banks) sites.

So, how long can M$ continue to play the role of Nero* before people start to vote with their feet(/fingers) and switch to non-IE browsers?

“If users can find an alternative browser, then that’s good mitigation against the threat.”
But Microsoft counselled against taking such action.

“Hackers Compromise Legit Web Sites to Target Microsoft IE Flaw”
<http://www.eweek.com/c/a/Security/Hackers-Compromise-Legit-Web-Sites-to-Target-Microsoft-IE-Flaw/>

“Serious security flaw found in IE”
<http://news.bbc.co.uk/2/hi/technology/7784908.stm>

*Nero of “fiddled while Rome burns” fame rather than the CD burning variety.

New Microsoft IE zero day exploit

December 15th, 2008 Pete

The data-binding exploit is apparently capable of delivering viruses, trojans and pretty much any malware the exploiters take a fancy to delivering.  This would by extension include keyloggers and website infectors.

The best advice so far is to use a non-IE browser and avoid any suspect sites….

NB: Trend Micro do NOT currently provide a protection for this issue (see last link on page).

“Internet Explorer Data Binding 0-Day Clarifications”
http://secunia.com/blog/38/

To clarify three common incorrect assumptions about this vulnerability:

Assumption: Only Internet Explorer 7 is vulnerable.
Correction: No, at least Internet Explorer 6 is also affected, but not by the public exploits that are currently available. According to Microsoft’s updated advisory, IE 5.01 is also affected. We have not confirmed this yet, but it seems plausible.

Assumption: The core problem is related to XML processing.
Correction: No, it’s related to data binding. Working exploits can be created nicely without using XML.

Assumption: Setting the security level to “High” for the “Internet” security zone or disabling “Active Scripting” support protects me against attacks.
Correction: Technically no. It is still possible to trigger the vulnerability. However, it does make exploitation trickier as it protects against attacks using scripting.

“IE zero day bites broader group of users”
http://www.theregister.co.uk/2008/12/12/ie_zero_day_misconceptions/

“More on the Internet Explorer zero-day”
http://www.sophos.com/security/blog/2008/12/2204.html

“Vulnerability in Internet Explorer Could Allow Remote Code Execution (961051)”
http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VNAME=Vulnerability+in+Internet+Explorer+Could+Allow+Remote+Code+Execution+(961051)&Page=

The link that Trend Micro point to at Microsoft…. (which does NOT fix the problem, just reduces the odds of infection…)
http://www.microsoft.com/technet/security/advisory/961051.mspx