Site Security Policy

June 8, 2008 – 8:18 AM

OK gang, this is one of those rare moments where feedback from the community will directly influence a security feature that’ll make a real difference. First, some background…

About six months ago Brandon Sterne left a cushy infosec position at eBay for Mozilla to solve an extremely important Web security problem he couldn’t solve while he was there. It’s the same problem a lot of major website properties have, including Google, Yahoo, MySpace, Microsoft and Facebook: business requirements say that users must be able to upload dynamic content (HTML/JavaScript) that will interact with other users, and the site must also include CDN content (advertising) supplied by multiple unknown upstream providers. We all know the damage this stuff does when abused.

Unfortunately, browsers lack any mechanism for a website to specify what the content on its pages should be able to do and where it is supposed to originate. When accepting user-supplied dynamic content on a website, it’s all or nothing. Website owners need more granularity. This is where the idea of content restrictions came from years ago, ironically from RSnake, who also worked for eBay years back. The idea never really got off paper and into browser code despite a lot of experts, including myself, pleading for even a limited implementation. This is where Brandon comes in, along with this presentation on “Web Application Security and the Browser” that he recently gave during Yahoo Security Week.

Brandon is in the process of creating Site Security Policy, a specification for people to comment on and a proof-of-concept extension for people to play around with. He’s got policy provisions worked in to help prevent XSS, CSRF and even intranet hacking. Brandon even has some cool client-side IDS stuff worked in. The vision is to later formalize the specification through the W3C and integrate the feature natively into the browser once the trouble spots are ironed out.

Read the rest of the story…

Crypto Virus Returns

June 7, 2008 – 8:50 AM

A new variant of a virus that encrypts the victim’s data with a 1,024-bit RSA key, so the victim can’t unscramble it without paying a ransom, has begun to spread and potentially poses a major threat, according to the antimalware firm that discovered it.

Kaspersky Lab says the new variant of the Windows-based encryptor virus Gpcode, which hadn’t been spotted for about 1 ½ years, is more of a threat than it was in the past because this time it uses strong encryption that has so far defied efforts to crack it.

“Up until now, we were able to crack the algorithms,” says Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab.

Earlier versions of Gpcode, which first appeared about 3 ½ years ago, used far weaker encryption than it does today, and it wasn’t well implemented, making it fairly easy to crack, Schouwenberg says.

But Gpcode.AK, with its 1,024-bit RSA encryption, is proving hard to break. He adds that computer users should make an effort to back up their data vigorously in the face of this new threat.

Gpcode.AK is hard to detect because it attempts to self-destruct after encrypting, according to Kaspersky Lab. So far only a handful of computers with maliciously encrypted files have been identified. Most evidence about it originates in Russian-speaking countries, Europe and Africa, he says, but it may be spreading further.

So far, the primary means it uses to spread is unclear, but Kaspersky Lab believes it’s a form of social engineering that tricks computer users into running software they shouldn’t.

The text file the criminals leave behind tells the victim that their files have been encrypted and offers to sell them a “decryptor.” Kaspersky Lab advises against yielding to blackmailers in any ransomware situation.

Kaspersky Lab says it is continuing, along with others in the antivirus industry, to analyze Gpcode.AK for technical weaknesses, but that users should now be extra careful when opening files and browsing the Web.

Source: PC World

Opera Bolsters Web Browser With New Malware Protection

June 6, 2008 – 1:08 PM

Opera has beefed up security in its upcoming Web browser as it looks to challenge Firefox and Internet Explorer on Web security.

Putting a bull’s-eye on Web-based threats, Opera has formed a partnership with Haute Secure, a Seattle-based security vendor founded in 2006, to protect users both from rogue sites known to distribute malware and from links users might click on that download malicious software.

The fruits of this union will appear in Opera 9.5, the upcoming version of the Norwegian company’s Web browser.

The two-pronged approach of protecting against both drive-by malware and malicious links puts the browser a step ahead of Firefox, which only addresses the former, said Thomas Ford, Global Communications Manager at Opera.

“Haute Secure provides information to protect down to the specific link, instead of blocking entire domains,” he said. “This is particularly critical because we can block specific hacked pages instead of blacklisting domains.”

The technology may help close a gap for Web surfers at a time when mass compromises of legitimate sites have become more prevalent. According to research by ScanSafe, the vast majority of the Web-based malware it blocked for its customers last month came from compromised sites.

Read the rest of this story…

Windows PHP Socket Hijack Toolset

June 6, 2008 – 5:48 AM

A problem in the way Apache binds itself to port 80 on Windows machines allows the PHP environment running under Apache to gain access to the information being sent to port 80, which in turn can be leveraged to perform man-in-the-middle attacks.

This problem is exploited by the PHP tool linked below.

For more information about this issue see:
Abusing PHP Sockets for Fun and Profit
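The page does not spell out the binding problem, so the following is an added C probe, written for this page, not the SecuriTeam PHP tool and not code from the linked paper. It rests on an assumption about the mechanism: Apache binds port 80 on the wildcard address 0.0.0.0, and Windows by default lets another socket bind the same port on a specific interface address, after which new connections arriving for that address are delivered to the more specific socket; the SO_EXCLUSIVEADDRUSE option on the first socket is what prevents that. The probe binds a wildcard listener on an ephemeral port (so it needs neither root nor a free port 80) and then attempts the specific-address bind; a result of 1 means the host allows the takeover. The function name, the loopback address and the use of an ephemeral port are choices made here.

```c
/* Added probe (not the tool from the advisory): can a second socket bind a
 * specific address on a port that another socket already owns on 0.0.0.0?
 * Returns 1 if the second bind succeeds (hijack possible), 0 if it is
 * refused, -1 if the probe itself failed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
   typedef SOCKET sock_t;
#  define CLOSESOCK closesocket
#  define BAD_SOCK INVALID_SOCKET
#else
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <arpa/inet.h>
#  include <unistd.h>
#  include <errno.h>
   typedef int sock_t;
#  define CLOSESOCK close
#  define BAD_SOCK (-1)
#endif

static int sock_ok(sock_t s) { return s != BAD_SOCK; }

/* exclusive != 0 asks for SO_EXCLUSIVEADDRUSE on the first ("Apache") socket;
 * the option only exists on Windows and is ignored elsewhere. */
int probe_specific_bind_over_wildcard(int exclusive)
{
    struct sockaddr_in any, specific;
    socklen_t len = sizeof any;
    int result = -1;
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
        return -1;
#endif
    sock_t server = socket(AF_INET, SOCK_STREAM, 0);   /* plays Apache */
    sock_t intruder = socket(AF_INET, SOCK_STREAM, 0); /* plays the PHP script */
    if (!sock_ok(server) || !sock_ok(intruder))
        goto out;

    /* Step 1: wildcard listener on an ephemeral port (assumption: Apache's
     * real listener is 0.0.0.0:80; port 0 avoids needing privileges). */
    memset(&any, 0, sizeof any);
    any.sin_family = AF_INET;
    any.sin_addr.s_addr = htonl(INADDR_ANY);
    any.sin_port = 0;
#ifdef _WIN32
    if (exclusive) {
        BOOL on = TRUE;
        setsockopt(server, SOL_SOCKET, SO_EXCLUSIVEADDRUSE,
                   (const char *)&on, sizeof on);
    }
#else
    (void)exclusive; /* POSIX refuses the second bind unless both set SO_REUSEADDR */
#endif
    if (bind(server, (struct sockaddr *)&any, sizeof any) != 0)
        goto out;
    if (getsockname(server, (struct sockaddr *)&any, &len) != 0)
        goto out;
    if (listen(server, 1) != 0)
        goto out;

    /* Step 2: same port, but on a specific address (loopback here). On a
     * Windows host without the exclusive option this bind succeeds. */
    memset(&specific, 0, sizeof specific);
    specific.sin_family = AF_INET;
    specific.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    specific.sin_port = any.sin_port;
    result = (bind(intruder, (struct sockaddr *)&specific, sizeof specific) == 0) ? 1 : 0;

out:
    if (sock_ok(server))
        CLOSESOCK(server);
    if (sock_ok(intruder))
        CLOSESOCK(intruder);
#ifdef _WIN32
    WSACleanup();
#endif
    return result;
}

int main(void)
{
    int r = probe_specific_bind_over_wildcard(0);
    printf("specific-address bind over a wildcard listener: %s\n",
           r == 1 ? "ALLOWED (port can be hijacked)"
           : r == 0 ? "refused" : "probe failed");
    return 0;
}
```

On Linux and the BSDs the second bind is refused with EADDRINUSE because a listener already owns the port, so the probe returns 0 there; run it on Windows, once with exclusive set to 0 and once with 1, to see the difference the advisory relies on. The same check applies to any service that binds the wildcard address and then hosts less-trusted code in the same machine.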

Source: SecuriTeam

Kaspersky driver bug allows privilege escalation

June 5, 2008 – 5:56 AM

A flaw in a kernel driver used by Kaspersky Anti-Virus 6.0 and 7.0, Kaspersky Internet Security 6.0 and 7.0, and Kaspersky Anti-Virus 6.0 for Windows Workstations can be exploited by users with restricted rights to gain administrator rights on a system, or by malware to execute with system privileges.

The cause is a buffer overflow in the kl1.sys kernel driver when handling a call to IOCTL 0x800520e8 in which the length of a user-supplied parameter exceeds 2,000 characters. According to iDefense, code can then be injected onto the stack and executed with the kernel’s privileges. Kaspersky has released updates to fix the flaw; most users will probably already have them installed via the software’s automatic update function.
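Added illustration, not the kl1.sys code (which is not on this page): a constructed C model of the bug class iDefense describes, a driver IOCTL handler that copies a user-supplied buffer into a fixed 2,000-byte stack buffer while trusting the caller’s length, next to the hardened form that validates the length first. Only the IOCTL code and the 2,000-byte threshold come from the advisory; the handler shape, the kernel_frame model of the stack, the NTSTATUS values and the ‘A’-filled request are assumptions made for the demonstration. The overflow is simulated inside a struct so the program runs safely in user space on any OS.

```c
/* Constructed model of a user-length-trusting IOCTL handler (NOT kl1.sys). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOCTL_KL1_EXAMPLE 0x800520e8u /* IOCTL code from the advisory; handler shape assumed */
#define IOCTL_BUF_SIZE    2000        /* fixed buffer: the advisory's overflow threshold */
#define RETURN_SENTINEL   ((uintptr_t)0xCAFEBABEu)

/* NTSTATUS-style codes (values as in ntstatus.h). */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_INVALID_PARAMETER      0xC000000Du

/* Simulated kernel stack frame: the buffer and, directly after it, the saved
 * return address that a real stack overflow clobbers. */
struct kernel_frame {
    char      buf[IOCTL_BUF_SIZE];
    uintptr_t saved_return;
};

typedef uint32_t (*ioctl_handler_t)(struct kernel_frame *f, uint32_t code,
                                    const void *in, size_t in_len);

/* Vulnerable shape: copies in_len bytes (the caller's InputBufferLength) into
 * the fixed buffer without comparing it to sizeof(buf). The copy goes through
 * the frame's byte representation and is clamped to the frame so that the
 * simulation stays defined; a real driver would keep writing past the frame. */
uint32_t ioctl_vulnerable(struct kernel_frame *f, uint32_t code,
                          const void *in, size_t in_len)
{
    if (code != IOCTL_KL1_EXAMPLE || in == NULL)
        return STATUS_INVALID_DEVICE_REQUEST;
    size_t room = sizeof(*f) - offsetof(struct kernel_frame, buf);
    size_t n = in_len < room ? in_len : room;   /* no check against sizeof(f->buf) */
    memcpy((unsigned char *)f + offsetof(struct kernel_frame, buf), in, n);
    return STATUS_SUCCESS;
}

/* Hardened shape: validate the length against the destination before copying. */
uint32_t ioctl_hardened(struct kernel_frame *f, uint32_t code,
                        const void *in, size_t in_len)
{
    if (code != IOCTL_KL1_EXAMPLE || in == NULL)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (in_len > sizeof(f->buf))
        return STATUS_INVALID_PARAMETER;
    memcpy(f->buf, in, in_len);
    return STATUS_SUCCESS;
}

/* Drive one handler with a constructed request of in_len bytes of 'A'.
 * Stores the handler's status in *status (if non-NULL) and returns 1 if the
 * simulated saved return address was overwritten, 0 if it survived. */
int run_request(ioctl_handler_t handler, size_t in_len, uint32_t *status)
{
    static unsigned char request[IOCTL_BUF_SIZE + 64];
    struct kernel_frame f;
    if (in_len > sizeof request)
        in_len = sizeof request;
    memset(request, 'A', sizeof request);
    memset(&f, 0, sizeof f);
    f.saved_return = RETURN_SENTINEL;
    uint32_t st = handler(&f, IOCTL_KL1_EXAMPLE, request, in_len);
    if (status)
        *status = st;
    return f.saved_return != RETURN_SENTINEL;
}

/* Convenience: only the status for a request of in_len bytes. */
uint32_t status_of(ioctl_handler_t handler, size_t in_len)
{
    uint32_t st;
    run_request(handler, in_len, &st);
    return st;
}

int main(void)
{
    size_t oversized = IOCTL_BUF_SIZE + sizeof(uintptr_t); /* just past the buffer */
    uint32_t st;
    int hit = run_request(ioctl_vulnerable, oversized, &st);
    printf("vulnerable, oversized: status=0x%08x return address clobbered=%d\n", st, hit);
    hit = run_request(ioctl_hardened, oversized, &st);
    printf("hardened,   oversized: status=0x%08x return address clobbered=%d\n", st, hit);
    hit = run_request(ioctl_hardened, IOCTL_BUF_SIZE, &st);
    printf("hardened,  in-bounds: status=0x%08x return address clobbered=%d\n", st, hit);
    return 0;
}
```

The vulnerable handler reports success on the oversized request while the simulated saved return address now holds the caller’s bytes, which is the condition that lets a restricted user run code at kernel privilege. The fix is the single comparison before memcpy; in a real Windows driver that is the check of the IRP’s InputBufferLength against the size of the destination, made before the buffer is touched.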

Read the rest of the story…