Security Bytes 2008/24/05
by Steve Ragan - May 24 2008, 20:18
It is Memorial Day weekend here in the US; here are the items making news on Saturday.
There are lots of little things this afternoon for security news. Instead of cluttering your RSS feed with several links to smaller articles, here is a Bytes-like column with what is making headlines on Saturday, May 24, 2008.
Memorial Day Weekend!
Remember, odds are that the IT staff used most of this four day weekend to apply patches and upgrade software/hardware. On Tuesday, stop by the IT office or cubicles and thank them if they ended up working over the holiday.
Apple has no iCal patches for recent disclosure
In a recent eWeek interview, Ivan Arce, Core Security's CTO, explained why their disclosure of three iCal vulnerabilities came out before Apple's patches, instead of after them as originally planned. After months of back and forth between the two companies, Apple said they would have patches ready by May 19, and Core Security would release the disclosure on May 21. However, May 19 came and went, and Core published as scheduled. This is how coordinated disclosure works: the two companies started talking about the iCal issues in January and, after a few setbacks, agreed on a patch release date and a disclosure date. Core held up their end of the deal; Apple failed to deliver.
“Three vulnerabilities discovered in the iCal application may allow unauthenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application. Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on a specially crafted .ics file sent over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server.” – Core Security Advisory
Apple had no comment as to why their deadline was missed or why they did not ask Core to stop the publication. “Disclosing information about a vulnerability may help the bad guys, but fundamentally it’s much more important to help the good guys protect themselves,” Arce said to eWeek. “So after a period of time has passed since the original disclosure it becomes more and more probable that the vulnerability will be widely known even if you don’t disclose.”
Google offers more information to Safe Browsing flags
Since 2006, Google has offered protection from malicious websites through the Safe Browsing API and its integration in Firefox. “This system has proven to be highly accurate, but we've noted that it can sometimes be difficult for webmasters and users to verify our results, as attackers often use sophisticated obfuscation techniques or inject malicious payloads only under certain conditions,” says Niels Provos of Google.
He is correct; this is the top complaint from webmasters on Google Groups. “With that in mind, we've developed a Safe Browsing diagnostic page that will provide detailed information about our automatic investigations and findings,” Provos adds.
The diagnostic page will detail four things. First, it will list the current status of the site in question, including statistics on how often the site has been flagged by Google. Second, it will list what happened when Google visited the site. “This section includes information on when we analyzed the page, when it was last malicious, what kind of malware we encountered and so forth. To help webmasters clean up their site, we also provide information about the sites that were serving malicious software to users and which sites might have served as intermediaries,” Provos said.
Third, the diagnostic page will state whether the site has helped spread malware in the past, for example an advertising network or statistics site that unknowingly participated in malware distribution. Finally, it will state whether the site has hosted malware in the past.
“All information we show is historical over the last ninety days but does not go further into the past. We are adding a link on the interstitial page a user sees after clicking on a search result with a warning label, and via an "additional information" link in Firefox 3's warning page,” Provos said.
Facebook gets another XSS hole
[Note: As of Friday 5/23 @ 4:15PM EST, the site is fixed.] Facebook, the popular social networking site, was once again found to have cross-site scripting (XSS) flaws on its website. You can view the mirror of the issue here: http://www.xssed.com/mirror/39468/
As with any other XSS attack on a website, the visitor faces possible exploitation by malware, or credential theft if they type their login details into fake login fields or into the “identity check” questions that many websites are starting to use. (Mostly banks; Facebook has no such checks that I’m aware of.)
The problem is not this particular XSS issue, which is a type of flaw Facebook has faced in the past. No, the problem is that the XSS flaws keep coming up. As with the current issue, the code for that single area was likely scrubbed and fixed, but elsewhere on the site the same class of flaw is likely still open. Add to that, spammers are starting to pay attention to social networking sites, adding yet another annoying layer of problems.
ZDI warns Trillian users about vulnerabilities
If you use Trillian, the popular all-in-one IM client from Cerulean Studios, in either the basic or the professional version, you need to get an update. ZDI has issued three separate advisories disclosing flaws in the software.
The first issue involves MSN and a boundary error that can be exploited for a stack-based overflow via a specially crafted X-MMS-IM-FORMAT header. Successful exploitation allows execution of arbitrary code, the advisory states.
The second issue involves an error in the XML parsing in talk.dll; if exploited, it too leads to code execution. Finally, “a boundary error when parsing messages (e.g. via the AIM network) with overly long attribute values within the FONT tag can be exploited to cause a stack-based buffer overflow,” ZDI warns. However, this requires that a user open a malicious image file.
Trillian versions in the 3.x branch, both basic and professional, are vulnerable. The fix is included in version 3.1.10.0 of Trillian.
CompTIA revamps Security+
CompTIA has said that they will use new objectives for the Security+ IT certification. The new Security+ exam will add greater emphasis on how to address security issues instead of simply recognizing them.
The new exam will focus on six topics, or objectives, including Systems Security, Network Infrastructure, Access Control, Assessments and Audits, Cryptography, and Organizational Security. The Access Control and Assessments and Audits topics are new additions to the exam.
CompTIA said in a statement that if you are currently in the process of taking the exam, or plan to in the near future, you should continue on your current course and take the exam based on the current objectives.