On Tuesday, Adobe issued a workaround for a serious issue that could allow attackers to change the security settings within Flash.
Termed "clickjacking," the process gives "an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," wrote WhiteHat Security CTO Jeremiah Grossman in a blog posting last month. He went on to say that while "guarding against Clickjacking was largely the browser vendors' responsibility," both he and Robert Hansen agreed to withhold further information and even canceled their talk recently at OWASP NYC AppSec 2008 Conference at the request of Adobe. In return, Adobe thanked the researchers.
In brief, the attack involves embedded objects on a maliciously crafted Web page. Using framed content, or content from Flash, Silverlight, or Java, the attacker places a transparent or invisible click button beneath the mouse so that whenever the user clicks on something they see on the page (to see more search results on Google, for example), the user is also clicking on an unseen Web site that may contain malicious code. The attack can also take advantage of dynamic HTML and CSS (Cascading Style Sheets) code to further disguise itself.
In a blog, Guy Aharonovsky describes a process using clickjacking where Flash security settings can be changed to allow an attacker access to a PC's Webcam or microphone. This, he says, could create remote eavesdropping possibilities.
Although the demonstration page created by Aharonovsky has been disabled, his video demonstration shows a rigged click button as it randomly moves around the page. In reality, the click button under the mouse would be transparent or invisible to the user. In the background Aharonovsky shows the attack modifying the Flash privacy settings. Aharonovsky says "bear in mind that every Flash, Java, Silverlight, DHTML game or application can be used to achieve the same thing."
The flaws--there may be a half dozen or so specific vulnerabilities related to this--affect users of Internet Explorer, Firefox, Opera, Apple Safari, and Google Chrome. Turning JavaScript off within the browser won't work. The attack doesn't rely on JavaScript. Grossman commented: "Clickjacking is a well-known issue, but severely underappreciated and largely undefended."
Adobe advises users of Flash to set the Adobe Flash Player Settings Manager to "always deny." This means that users will not be asked to allow or deny camera and/or microphone access after changing this setting. Adobe says a Flash Player update addressing the issue will be available before the end of the month.
Users of Firefox should in the meantime consider using the NoScript plug-in and setting it to forbid iframe content. More details on configuring NoScript to block this attack can be found here.
Additional US-CERT tips for securing other browsers can be found here.
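The advice above is all on the user's side. On the server side, a site defends against the framing variant of clickjacking described earlier by telling browsers who may frame it, via the X-Frame-Options and Content-Security-Policy frame-ancestors response headers that browsers now honour. The following is an added example, not code from the article or from any of the researchers quoted in it: it evaluates a set of constructed response headers and reports whether an unrelated page could frame the site. The sample headers, the hostnames victim.example, partner.example and other-site.example, and the function names are all assumptions; wildcard CSP sources are deliberately not handled.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not taken from the article), keyed by scenario.
SAMPLE_RESPONSES = {
    "unprotected": {"content-type": "text/html"},
    "xfo_deny": {"x-frame-options": "DENY"},
    "xfo_sameorigin": {"x-frame-options": "SAMEORIGIN"},
    "csp_allowlist": {"content-security-policy":
                      "default-src 'self'; frame-ancestors 'self' https://partner.example"},
}

def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def frame_ancestors(csp):
    """Source list of the CSP frame-ancestors directive, or None if absent.
    An empty source list means 'none'; wildcard sources are not handled here."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None

def can_be_framed(headers, page_url, embedder_url):
    """True if a browser honouring these headers would let embedder_url put
    page_url in a frame. CSP frame-ancestors takes precedence over X-Frame-Options."""
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    sources = frame_ancestors(headers.get("content-security-policy", ""))
    if sources is not None:
        for src in sources:
            if src == "'none'":
                return False
            if src == embedder or (src == "'self'" and embedder == page):
                return True
        return False  # frame-ancestors present but this embedder is not listed
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True  # no framing policy at all: any site may frame the page

def audit(page_url="https://victim.example/", embedder_url="https://other-site.example/"):
    """Map each sample scenario to whether an unrelated site could frame it."""
    return {name: can_be_framed(h, page_url, embedder_url)
            for name, h in SAMPLE_RESPONSES.items()}
```

Only the "unprotected" scenario lets an unrelated site frame the page; the other three refuse it, while the CSP allowlist still admits the listed partner origin.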
Two researchers in Sweden have found multiple flaws in the TCP stack that could lead to massive denial-of-service attacks if exploited. At present there is no workaround and there are no patches available.
The TCP stack defines a set of rules by which a computer can communicate over any network. Robert E. Lee, chief security officer for Outpost24, told CNET News, "the vendors we are in talks with seem to be taking the threat seriously."
The discovery follows a test using a port scanner called UnicornScan, which Lee and senior security researcher Jack Louis created. The tool is used for vulnerability assessment and penetration testing at Outpost24. Lee told a Swedish podcast that when they couldn't get a port scan done soon enough, they decided to move the TCP stack into the program to make it more distributed. That's when Louis started noticing strange behavior.
"Jack found some anomalies in which machines would stop working in some very specific circumstances while being scanned," Lee told CNET News. One of the behaviors experienced was packet loss where the packets just kept trying, and trying, and trying, creating, more or less, a denial of service (DoS) on that machine.
There doesn't appear to be just one vulnerability, but several, according to Robert Hansen, who first wrote about this on Friday. Hansen says the potential for these vulnerabilities, as he understands it, if exploited, could result in great damage. And fixing it will require coordination with vendors of operating systems, firewalls, and Web-enabled devices.
To see whether the TCP vulnerabilities were real, Lee and Louis created a program called "sockstress" that intentionally did some wrong things with the TCP/IP handshake process. The sockstress program was very effective in producing DoS attacks. The pair have no plans to release sockstress.
Lee said he doesn't plan to have a big, public disclosure press conference like Dan Kaminsky did with the DNS flaw this past summer. "We plan to work with vendors to ensure they understand the issues fully and have adequate solutions in place before publicly sharing details on the issues. Since there are multiple issues, we may be able to share information on individual issues as they are individually addressed."
Asked whether someone else could figure this out before the patches are out, Lee said "even though I think Jack Louis is exceptionally brilliant, Outpost24 doesn't have a monopoly on bug-finding abilities. It is a matter of time before someone else independently figures it out."
LAS VEGAS--Black Hat 2008 is bigger, and some might say better. Occupying most of the third and fourth floors of the convention hall at Caesars Palace, the conference started on Saturday with two- and four-day training sessions that continue through Tuesday.
The "public" part of Black Hat runs Wednesday and Thursday and features speakers in 15 separate tracks. One of the tracks will consist of Turbo talks of 20 minutes each. After those, there will be an opportunity for the audience to talk with some of the speakers in another room.
Wednesday starts with a bang with Billy Rios and Nitesh Dhanjani reprising their Black Hat DC talk "Bad Sushi." Expectations are running high as Dan Kaminsky reveals more about his DNS vulnerability. Petko Petkov will be talking on client-side security and Joe Stewart on the protocols and encryption of the Storm worm. Brian Chess and Jacob West will host the second annual Iron Chef Black Hat. Tom Stracener and Robert Hansen will present on vulnerabilities in Google Gadgets, and Bruce Potter will talk about malware detection using network flow analysis. Then Jim Christy returns with the annual Meet the Feds panel with Federal agents from various agencies.
Events continue into the evening with the annual Hacker Court, a mock trial on some topical issue. At the same time there will be a presentation on recommendations for the 44th Presidency around cybersecurity.
Thursday starts with Shawn Moyer and Nathan Hamiel presenting Satan is on my Friends List, a talk about social networking evil. Then Billy Hoffman on Circumventing Automated JavaScript Analysis Tools. Lukas Grunwald on Federal Trojans. Karsten Nohl on MiFare hacking. Jeremiah Grossman and Arian Evans on making money on the Web, the Black Hat way. And Rob Carter and others will talk on a hybrid file format that combines GIF images with Java Archive Sets. Calling these files GIFARs, the speakers say this intersection of JavaScript with images could pose a difficult problem in the near future. Christopher Tarnovsky will talk on exploiting Secure Smartcards and Microcontrollers.
Preceding the talks on both Wednesday and Thursday will be a keynote. On Wednesday, Ian Angell, Professor of Information Systems, London School of Economics, will talk on "Complexity in Computer Security--a Risky Business". On Thursday, Rod Beckström, director of the National Cyber Security Center (NCSC) will talk on "Natural Security."
So far the only controversy concerns Apple. Last week one researcher announced he would not present his talk on the Apple FileVault, then it was announced that a second talk on security practices at Apple was also withdrawn by the panel moderator.
For the first time, Black Hat 2008 will borrow the "Wall of Sheep," a display of unprotected wireless networks sniffed at the conference, from its sister conference, Defcon, which begins on Friday at the Riviera, just up the street.