A leading Mac OS X researcher says Apple has not kept the iPhone operating system up to date with patches it has issued for the desktop.
The iPhone runs a stripped-down version of Mac OS 10.5 and automatically checks for security updates. The last update for the phone, 1.1.4, was issued in February.
That means iPhone users are still vulnerable to a flaw discovered by Charlie Miller in March.
During the CanSecWest conference, Miller found and used a buffer overflow in Safari in the Apple WebKit to win a $10,000 "Pwn to Own" contest. Apple patched Miller's Safari vulnerability for the desktop in April, but so far has not issued a similar patch for the iPhone.
Miller told the Washington Post recently he has an exploit of the flaw that will work on the iPhone.
Meanwhile, ZDNet's Ryan Naraine points out that there's another upcoming iPhone exploit expected soon from Aviv Raff.
Speculation within the security community is that Apple is currently focused on the 3G version of the iPhone. Upgrades to current iPhones may be pushed out in advance of or concurrent with the July 11 release of iPhone 2.0.
Apple does not respond to requests for comment on its software security policies.
A group of researchers on Tuesday said 637 million Web users are surfing with outdated Internet browsers and are therefore at greater risk of Web-based attacks.
Using data collected from Google Web searches and security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analyzed the browsers used in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.
Overall the authors found that roughly 40 percent of users were using insecure versions of Web browsers. Among the least compliant were users of Internet Explorer, which currently dominates the Internet browser market.
The data was collected in mid-June 2008. The users were scattered among 78 percent Internet Explorer users, 16 percent Firefox, 3 percent Safari, and 0.8 percent for Opera. Of these, 52 percent were running the latest version of Internet Explorer, 92 percent for Firefox, 70 percent for Apple, and 90 percent for Opera.
The authors note that it has taken IE 7, the current Internet Explorer release, 19 months to gain only 52 percent of the entire Internet Explorer audience. Forty-eight percent of the users in the study were either using an old version of IE 7 or still had IE 6 installed.
Some of this has to do with how the respective vendors provide updates. IE 7 is currently offered as an auto-update with each monthly set of Microsoft security patches, yet a number of people are opting out of the upgrade and still running IE 6.
The study did not include use of insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only the browser info.
For mitigation, the study drew a comparison to the food industry: people understand the need to buy the safest foods, so why not the safest browsers? People understand that food is perishable, so why not make Internet browsers display expiration dates? The authors provided an example of a browser that displayed, in red in the upper right-hand corner, "145 days expired, 3 updates missed."
But unlike the food industry there is no liability for software vendors. And, the authors note, software vendors are not legally obligated to provide software updates.
Imagine if the food industry was not accountable for selling spoiled milk.
On Monday, Apple released Mac OS X 10.5.4. In addition to enhancements to existing features, Apple bundled in 13 specific security updates, including one for Safari 3.1.2. The security update APPLE-SA-2008-004 and Mac OS X 10.5.4 can be downloaded and installed from Apple Downloads.
Alias Manager
This patch only affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses an alias manager vulnerability described in CVE-2008-2308. According to Apple, a "memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of alias data structures. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier."
CoreTypes
This patch affects users running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a potentially unsafe content types vulnerability described in CVE-2008-2309. Apple says, "This update adds .xht and .xhtm files to the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a Web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system's ability to notify users before handling .xht and .xhtm files. On Mac OS X v10.4 this functionality is provided by the Download Validation feature. On Mac OS X v10.5 this functionality is provided by the Quarantine feature." Apple credits Brian Mastenbrook for reporting this issue.
c++filt
This patch affects users of Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a c++filt vulnerability described in CVE-2008-2310. Apple says that a "format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings."
Dock
This patch only affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a screen lock bypass vulnerability described in CVE-2008-2314. "When the system is set to require a password to wake from sleep or screen saver, and Expose hot corners are set, a person with physical access may be able to access the system without entering a password. This update addresses the issue by disabling hot corners when the screen lock is active," Apple says. Apple credits Andrew Cassell of Marine Spill Response for reporting this issue.
Launch Services
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses a maliciously crafted Web site vulnerability described in CVE-2008-2311. "A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation," Apple says. "If the 'Open "safe" files' preference is enabled in Safari, visiting a maliciously crafted Web site may cause a file to be opened on the user's system, resulting in arbitrary code execution. This update addresses the issue by performing additional validation of downloaded files."
Net-SNMP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses a SNMPv3 packet vulnerability described in CVE-2008-0960. Apple says an "issue exists in Net-SNMP's SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. This update addresses the issue by performing additional validation of SNMPv3 packets."
Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses Ruby script vulnerabilities described in CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, and CVE-2008-2726. Apple says that "multiple memory corruption issues exist in Ruby's handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays."
Ruby
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the WEBrick vulnerability described in CVE-2008-1145. Apple says that "the :NondisclosureName option in the Ruby WEBrick toolkit is used to restrict access to files. Requesting a file name which uses unexpected capitalization may bypass the :NondisclosureName restriction. This update addresses the issue by additional validation of file names." The directory traversal issue associated with this vulnerability does not affect Mac OS X.
SMB File Server
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.3, and Mac OS X Server v10.5 through v10.5.3. The update addresses the heap buffer overflow vulnerability described in CVE-2008-1105. Apple says that "sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking on the length of received SMB packets." Apple credits Alin Rad Pop of Secunia Research for reporting this issue.
System Configuration
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the User Template directory vulnerability described in CVE-2008-2313. Apple says "a local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This update addresses the issue by applying more restrictive permissions on the User Template directory. This issue does not affect systems running Mac OS X 10.5 or later." Apple credits Andrew Mortensen of the University of Michigan for reporting this issue.
Tomcat
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses Tomcat 4.1.36 vulnerabilities described in CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-5333, CVE-2007-3385, and CVE-2007-5461. Apple says "Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Tomcat version 6.x is bundled with Mac OS X v10.5 systems."
VPN
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses a divide by zero vulnerability described in CVE-2007-6276. Apple says that "processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution. This update addresses the issue by performing additional validation of load balancing information. This issue does not affect systems prior to Mac OS X 10.5."
WebKit
This patch affects users of Mac OS X v10.5 through v10.5.3 and Mac OS X Server v10.5 through v10.5.3. The update addresses the memory corruption vulnerability described in CVE-2008-2307. Apple says "visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2. For Mac OS X v10.4.11 and Windows XP/Vista, this issue is addressed in Safari v3.1.2 for those systems. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution." Apple credits James Urquhart for reporting this issue.
Apple on Thursday released a new version of Safari for Windows that includes a security fix for a high-profile carpet-bombing desktop attack vulnerability previously dismissed by the Cupertino vendor. The Safari update is only for Windows users, not Mac OS X versions. Version 3.1.2 of Safari for Windows can be downloaded and installed from Apple Downloads, or you can download Safari 3.1 here.
BMP or GIF image memory error
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-1573, an out-of-bounds memory read vulnerability. The error may occur in the handling of BMP and GIF images, which may lead to the disclosure of memory contents. Apple credits Gynvael Coldwind of Hispasec for reporting the vulnerability.
Carpet bombing attack
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2540, a vulnerability in how Windows desktop handles executable files. Apple explains: "Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP." Apple credits Aviv Raff for reporting the vulnerability.
Internet Explorer 7
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2306 which is an Internet Explorer 7 vulnerability. Apple explains: "If a Web site is in an Internet Explorer 7 zone with the 'Launching applications and unsafe files' setting set to 'Enable,' or if a Web site is in the Internet Explorer 6 'Local intranet' or 'Trusted sites' zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the 'always prompt' setting is enabled." Apple credits Will Dormann of CERT/CC for reporting the vulnerability.
WebKit JavaScript array
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2307, which is a memory corruption vulnerability. An error exists in WebKit's handling of JavaScript arrays, so visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Apple credits James Urquhart for reporting the vulnerability.
Microsoft has issued an advisory warning Windows users who have installed the Apple Safari for Windows browser that their systems may be vulnerable to attack.
The Safari "carpet bombing" attack was first described by Nitesh Dhanjani last month, but Apple dismissed the idea that it was a serious threat. Under Dhanjani's scenario, a user would surf using Apple Safari for Windows to a maliciously crafted Web site such as http://malicious.example.com/. Dhanjani says Safari does not know how to render content-type of blah/blah, so it starts downloading carpet_bomb.cgi, executing the downloaded files with the same rights as the logged-on user. The end result is the victim's desktop is populated with a variety of malicious files.
Microsoft says it is the combination of the default download file location in Safari and how the Windows desktop handles the files that creates the blended threat on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed.
Microsoft notes that users who change the default Safari download location are not affected. To change the download location in Safari, under Edit select Preferences. Where it says "Save Downloaded Files to" change the location.
Microsoft may follow the advisory with a security update if needed.
Safari users may be subject to crashes or interactions with an attacker's malicious site, according to a warning posted on Tuesday on BugTraq.
Researcher Juan Pablo Lopez Yacubian is credited with finding multiple vulnerabilities in Apple Safari 3.1.1 for Windows. Other versions of Safari may also be affected.
Among the vulnerabilities cited are a denial-of-service (crash) vulnerability caused by a write-access violation, a denial-of-service (crash) vulnerability caused by a read-access violation, and a third vulnerability that allows attackers to spoof the content contained in the address bar. A full write-up can be found here.
In a separate mailing to Bugtraq, Juan Pablo Lopez Yacubian says he was also able to use a similar exploit to crash Mozilla Firefox 3 beta 5.
That said, the general workaround is not to use Safari 3.1.1 for Windows until Apple issues a fix. Versions of Firefox 2.x and Opera are recommended.
PayPal is seriously considering blocking some browsers from accessing its site, according to a paper (PDF) available to shareholders.
Titled "A Practical Approach to Managing Phishing," the paper admits that there's no one silver bullet to prevent fraudsters from making money on the Internet. However, authors Michael Barrett, PayPal's chief information security officer, and Dan Levy, the company's senior director of risk management for Europe, say companies could and should start addressing five specific areas:
Prevent fraudulent e-mail from getting into users' in-boxes
Prevent phishing sites by shutting them down
Authenticate users so that stolen credentials can't be used on PayPal
Prosecute fraudsters to the full extent of the law
Focus on brand and consumer recovery
Of these, the paper focuses mainly on e-mail prevention and phishing-site blocking. For e-mail prevention, the authors cite Yahoo Mail as an example and point to its use of domain keys to identify legitimate and illegitimate mail marked as coming from PayPal.
Most controversial is the idea of blocking "unsafe" browsers, or browsers that do not currently include antiphishing tools. PayPal says it would first notify users when they log in if they are using an unsafe browser. Later, PayPal would simply block the use of the browser entirely.
PayPal is interested in enforcing new Extended Verification SSL certificates used by Internet Explorer 7 and the upcoming Mozilla Firefox 3. EV SSL highlights the address bar in green when the site has been certified. Other browsers, such as Apple Safari and Opera, do not currently include these protections.
Browsers not on the desktop could also be barred. On Monday, researchers cited the Apple Safari browser on the iPhone and Nintendo's use of the Opera on its DS and Wii gaming systems as lacking adequate antiphishing protection.
In a paper (PDF) presented at the Usability, Psychology, and Security Conference 2008 in San Francisco, researchers from the University of California at Davis warned that browsers within popular electronic gadgets often eliminate important security features available on desktop browsers.
Researchers Yuan Niu, Francis Hsu, and Hao Chen looked at the Mobile Safari browser in Apple iPhone, as well as the Opera browser included in the Nintendo Wii and DS gaming systems. In general, they cited the reliance on screen typing as a deterrent to typing in known URLs. They said users are more likely to click on URLs presented in an e-mail.
They also said reduced screen sizes tend to force the address bar off the screen. On the Nintendo DS, only the first 22 characters display. They gave an example of a page called www.bankofamerica.com.phishydomain.com, which would be truncated to simply www.bankofamerica.com.
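The truncation problem described above can be checked mechanically. The following is an added example, not code from the paper or the article: it models a display that keeps only the first 22 characters of a host name, reports which domain the visible text appears to name versus the real one, and shows a right-anchored rendering that keeps the real domain on screen. The function names are illustrative, the sample hosts are constructed, and the registrable domain is approximated as the last two labels.

```javascript
// Added example: how a fixed-width address bar misrepresents long host names.
// Sample hosts are constructed. Assumption: the registrable domain is taken
// as the last two labels; real code should consult the Public Suffix List.

const DS_VISIBLE_CHARS = 22; // visible width the article reports for the Nintendo DS

function normalize(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

function registrableDomain(host) {
  return normalize(host).split(".").slice(-2).join(".");
}

// Model of a display that keeps only the first `width` characters.
function analyze(host, width) {
  const h = normalize(host);
  const shown = h.slice(0, width);
  const hidden = h.length > width;
  const visible = shown.replace(/\.$/, "");
  // The visible text reads as a complete host name when the cut falls on a
  // label boundary, which is what makes the truncated view convincing.
  const onBoundary = hidden && h[visible.length] === ".";
  const apparentDomain =
    onBoundary && visible.includes(".") ? registrableDomain(visible) : null;
  const actualDomain = registrableDomain(h);
  return {
    shown,
    apparentDomain,
    actualDomain,
    misleading: apparentDomain !== null && apparentDomain !== actualDomain,
  };
}

// Safer rendering: elide from the left so the registrable domain stays visible.
// Assumes width > 3 to leave room for the "..." marker.
function rightAnchored(host, width) {
  const h = normalize(host);
  if (h.length <= width) return h;
  let tail = h.slice(h.length - (width - 3));
  const cutMidLabel = h[h.length - tail.length - 1] !== ".";
  const trimmed = tail.slice(tail.indexOf(".") + 1);
  // Drop a partial leading label only if the registrable domain survives.
  if (cutMidLabel && trimmed.endsWith(registrableDomain(h))) tail = trimmed;
  return "..." + tail;
}

for (const host of ["www.bankofamerica.com.phishydomain.com", "www.bankofamerica.com"]) {
  const r = analyze(host, DS_VISIBLE_CHARS);
  console.log(host, "->", JSON.stringify(r), rightAnchored(host, DS_VISIBLE_CHARS));
}
```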
On the iPhone, the researchers said a simple ScrollTo() JavaScript could knock the address bar off the Safari screen. In the paper, they gave an example in which JavaScript directs the page to load somewhere in the middle, forcing the address bar off the top of the page.
Even when the address bar is visible, the researchers were able to use JavaScript to overwrite the bogus address with a more legitimate address. The overwrite trick could also lead the user into thinking a site was Secure Sockets Layer (SSL)-protected when it was not.
On the Nintendo Wii, the researchers found that the URL bar disappears when the page is loaded.
The researchers state that porting the traditional browser to a mobile device requires some foresight, and they suggest that even built-in features within browsers are ignored by users. They suggest instead that vendors use a proxy to filter out phishing before routing the pages to the devices.
A new exploit will either lock up your iPhone or iPod Touch or crash your Safari browser on your PC or Mac OS desktop if you simply visit a maliciously coded Web site. Unlike an earlier exploit that required users to click to become infected, the new code published by iPhoneWorld requires no user interaction.
So far, Apple has had no comment.
The code was first reported in January and exhausts the memory in Safari, which in turn will cause your iPhone or iPod Touch to freeze, or your desktop Safari to crash. "Given the nature of this issue," said the BugTraq newsgroup vulnerability report, "remote code execution may also be possible, but this has not been confirmed."
There is no patch available from Apple. The recommended workaround is to disable JavaScript within Safari. To do so:
1. Under Edit, click Preferences.
2. Click the Security icon.
3. Uncheck Enable JavaScript.
4. Close and restart Safari.