Security

Organizations are finding it difficult to prioritize defense strategies against cyberattacks because most of them do not have an Internet-wide view of the attacks, according to a report from SANS Institute, the security training organization.

As a result, two security risks--Web applications and phishing--carry the greatest potential for damage, even though users instead tend to concentrate on less-critical risks.

The report, published by security training organization SANS Institute, amalgamates global data from security attacks on computers from March to August.

It identifies two main defense priorities for enterprise users. The first is targeted e-mail attacks, or spear phishing, that exploit client-side vulnerabilities in programs such as Adobe Systems' PDF Reader and Flash, Apple's QuickTime, and Microsoft's Office. These applications are described as the "primary initial infection vector used to compromise computers that have Internet access" and are the result of attackers taking advantage of "programming errors that are not being picked up by common vulnerability scanners."

The second priority is vulnerable sites. More than 60 percent of attacks are against Web applications and "convert trusted Web sites into malicious Web sites serving content that contains client-side exploits" by exploiting the most common vulnerabilities such as SQL injection and cross-site scripting flaws, in both open-source and custom-built applications. Such vulnerabilities make up more than 80 percent of attack opportunities.

A further finding is that applications are now more vulnerable and see more exploitation attacks than operating systems. There were no new major operating system worms seen in the wild during the reporting period.

Additionally, the report found there has been a "significant increase" over the past three years in the number of people discovering zero-day vulnerabilities: flaws that become known to attackers before they are discovered by security researchers, opening the chance of an attack against which no preparation has been made.

"This report is different from anything we have done before," a SANS spokesman said, "because it reflects massive amounts of data on the actual attacks (millions of them) and on the speed with which the underlying vulnerabilities are being patched (actual data from thousands of companies)."

The report sources includes attack data from 6,000 organizations, compiled by security hardware vendor TippingPoint, vulnerability data from 9 million computers compiled by security software vendor Qualys, and additional analysis and tutorial by the Internet Storm Center and SANS faculty members.

Manek Dubash of ZDNet UK reported from London.

A vulnerability in Microsoft's software for housing Web sites is now being used for "limited attacks" on the servers it's running on, the company said Friday.

Microsoft disclosed the Internet Information Services (IIS) vulnerability on Monday and said Friday it's still working on a security update to fix the problem. In the meantime, the advisory has instructions for a workaround, including disabling various elements of the vulnerable FTP (File Transfer Protocol) service to upload and download files.

According to the advisory, the vulnerability could let somebody run arbitrary code on a server using FTP on IIS 5.0 and conduct a denial-of-service attack using FTP on IIS 5.1, 6.0, and 7.0. The present version 7.5 isn't affected, though, and FTP 7.5 can be downloaded and installed on IIS 7.0 to protect it.

"Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits," said Alan Wallace, senior communications manager for Microsoft's security response communications team, in a statement.

Initially, the company said it was investigating a vulnerability only with versions 5 and 6 of IIS.

Microsoft on Monday said it is looking into a report of a flaw in some versions of its Internet Information Services product that could allow an attacker to gain control of a system.

In a statement, a Microsoft representative said the company "is investigating new public claims of a possible vulnerability in IIS 5 and IIS 6 File Transfer Protocol (FTP)."

Microsoft said it is not aware of any attacks using the vulnerability. "We will take steps to determine how customers can protect themselves, should we confirm the vulnerability."

According to IDG News Service, code for exploiting the unpatched flaw was posted to the Milw0rm Web site. IDG said the exploit appears to affect primarily older versions of IIS--and only when the FTP function is enabled.

Once it is done with its investigation, Microsoft said, it will decide how to address the matter, which could include a security update as part of its monthly Patch Tuesday or an out-of-cycle update.

In a posting on Monday, the U.S. Computer Emergency Readiness Team (US-CERT) suggested IT administrators "disable anonymous write access to the FTP server to help mitigate the vulnerability" but added that "a proper impact analysis should be performed prior to taking defensive measures."

Cisco Systems wireless local area network equipment used by many corporations around the world is at risk of being used in denial-of-service attacks and data theft, according to a company that offers protection for WLANs.

Researchers at AirMagnet, which makes intrusion-detection systems for WLANs, discovered the vulnerability, which affects all lightweight Cisco wireless access points, as well as the exploit that could be used against networks that have the Over-the-Air-Provisioning (OTAP) feature turned on.

"We found it in our labs," Wade Williamson, director of product management at AirMagnet, said on Monday. "We don't know about it being exploited in the wild."

Basically, the Cisco access points generate an unencrypted multicast data frame that is sent over the air and includes unencrypted data like the MAC address and the IP address of the wireless controller, as well as some configuration options, he said. The controller is used to manage the access points.

With that information, someone listening to the network could easily find the internal addresses of the WLAN controllers in the network and potentially target them with a denial-of-service attack, Williamson said.

"Someone out in the parking lot or a neighbor can look at the packets and see information about the controller on the wired side," he said. "This is giving anybody that's listening to the environment some pretty detailed information about the wired network that we want to keep protected."

If an access point has the OTAP enabled, the wireless LAN is also at risk of a "skyjack" exploit, Williamson said. With the OTAP feature enabled, a newly deployed Cisco access point will listen to the multicast data being broadcast to find the address of its nearest controller.

However, the access point could end up connecting to an outside controller if it hears multicast data from that network instead, and thus it would be under someone else's control, he said.

Someone could skyjack a corporation's access point and "use the wireless LAN to create a wired path into your network," Williamson said.

AirMagnet has informed Cisco about the problems and Cisco is working on a solution, Williamson said.

"As a matter of policy, Cisco takes security vulnerabilities very seriously and we continue to take active measures to safeguard the security and reliability of our equipment," a Cisco spokesperson said.

"Our standard practice is to issue public Security Advisories or other appropriate communications that include corrective measures so customers can address any issues," he said. "For that reason we do not provide comment on specific vulnerabilities until they have been publicly reported, consistent with our well-established disclosure process."

Cisco has 65 percent to 70 percent of the install base for wireless LANs, according to Stan Schatt, security practice director at ABI Research.

"What this really shows is that more and more companies have to have 7/24 monitoring of their LANs," he said. "They can't just periodically walk around the facility with a laptop and check to see if there's a problem."

An attack on a wireless LAN would be particularly dangerous for hospitals, which are increasingly moving critical apps onto the network for use by doctors and nurses with Wi-Fi-enabled handhelds, Schatt said. "A denial-of-service attack could impact mission critical phone systems," he said.

To mitigate against any attacks, Cisco customers should disable the OTAP feature and use a separate intrusion detection system that can detect whether someone is snooping on the network, as well as monitor that all access points on a network are authorized, AirMagnet said.

Updated 11:02 a.m. PDT August 25: Cisco released an alert on Tuesday that describes the finding as a low-risk vulnerability that could allow unauthorized control of a wireless access point and which could allow an unauthenticated, remote attacker to cause a denial of service condition.

"Any clients attempting to register to the AP (access point) will be unable to access network resources, but the AP is still unable to authenticate wireless clients," the company said in a statement. "There is no risk of data loss or interception. Cisco believes the vulnerability is easily avoided or mitigated and has provided techniques for this purpose."

Software updates and patches were not yet available, Cisco said.

Adobe has released a patch for a critical Flash Player problem that could let attackers take over people's computers through content viewed in a browser.

The vulnerability affected a file that shipped with Flash Player 9.x and 10.x for Windows, Mac OS X, and Linux, and with Adobe Reader and Adobe Acrobat 9.x for Windows, Macintosh, and Unix. Adobe said Thursday it fixed the problem in a security advisory, and Adobe's Matt Rozen posted a note on Twitter that directed people to download the patched version from Adobe's Flash download site.

This was no abstract, theoretical vulnerability, either.

"There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows," Adobe said in an earlier advisory about the problem.

Flash is very widely used in browsers to power features such as interactive stock charts and YouTube video streaming.

Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.

Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.

Asked to explain what is meant by "no by-design uses," Christopher Budd, Security Response Communications lead, said: "In older operating systems like Windows XP that were originally developed under older programming methodologies, this ActiveX control was enabled for use within Internet Explorer by default to allow for possible future uses. These uses never materialized and as part of the more stringent security requirements that Windows Vista was developed under, this control was later disabled for use within Internet Explorer."

Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.

Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.

The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.

When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.

Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of Web sites are hosting the exploit.

Internet Explorer versions 6 and 7 are at risk, but people running IE 8 are not vulnerable, Symantec said.

Updated July 7 8:25 a.m. PDT with Microsoft explanation of "by-design," and July 6 at 11:45 a.m. PDT with background on a previous DirectShow hole and more details on exploits of the most recent hole.

A security researcher said on Thursday that he hopes that Apple has a fix later this month for what he believes could be a vulnerability in the iPhone that could allow an attacker to gain control of the device remotely via SMS, according to IDG News Service.

An attacker could exploit a possible weakness in the way iPhones handle SMS (short message service) messages to do things like use GPS to track the phone's location, turn on the microphone for eavesdropping, or take control of the device and add it to a botnet, Charlie Miller, co-author of The Mac Hacker's Handbook and principal security analyst at Independent Security Evaluators, said in a presentation at the SyScan conference in Singapore.

Miller said he plans to give a more detailed presentation on the hole at the Black Hat conference in Las Vegas at the end of the month.

Despite the SMS hole, which "could be a critical vulnerability," the iPhone is more secure than OS X on computers, Miller said. That is because the iPhone doesn't support Adobe Flash and Java, only runs software digitally signed by Apple, includes hardware protection for data stored in memory, and runs applications in a sandbox, he said.

Apple representatives did not immediately respond to an e-mail request for comment.

Correction at 8:45 p.m. PDT July 29:This post was updated to correct that the researcher said he hopes Apple will fix the flaw, not that it will.

A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."

The company said that a flaw exists in a certain type of Web serving operation.

"An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests," Microsoft said. "An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

Microsoft said it is not aware of attacks using the vulnerability. The company said it may provide an update as part of its monthly Patch Tuesday or, depending on the severity, could provide a fix outside of its monthly patching schedule.

In the meantime, the company listed on its Web site certain configuration settings that can help mitigate the impact of the flaw.

Microsoft will issue a patch on Tuesday to fix a critical vulnerability in PowerPoint that could be the same hole that has been exploited in limited and targeted attacks.

The vulnerability affects Microsoft Office 2000, 2003, 2007 and XP, as well as PowerPoint Viewer and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats, according to an advance notification released on Thursday.

In a security advisory in early April, Microsoft warned about a vulnerability in PowerPoint that had been targeted by attacks that were tailored and not widespread.

That vulnerability could be exploited by getting a person to open a PowerPoint file rigged for the attack, the company said. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.