Category: security

Posted on

M$ WindowsXP just got a newer version of Update with new Components!

I am not sure if anyone is aware of it or not, so kindly spare me if it’s not NEW in the sense I wish to convey. (Or may b, you didn’t discover it the way I did) πŸ˜›
For no particular reason, I visited the windows update page today (using IE7) and got this message:

WindowsUpdateComponent

As you can see, the *latest version* of Windows Update requires a few components to be installed on your system. There’re also some details regarding the components, which are hidden using a javascript function.

I’d encourage you to read all the benefits that are provided by the latest version. Once you are done reading them (and figuring which of them are new and which makes sense), proceed to discover the *special component*.

WindowsUpdateComponentDetails

Posted on

Java vulnerable to remote compromise

ZDNet Asia reports that Google Security team has discovered as “Dangerous Java Flaw that threaten’s Virtually Everything“. The interesting part of this news is that, apart from a few scary statements, it doesn’t inform you anything else.

The Sun advisory page on this flaw, however, informs you about two flaws which are nothing but Buffer Overflows. Do not mistake me that I am undermining the impact of Buffer Overflow Attacks in any way. It’s just the ZD Net article’s title which’s bugging me. It makes the flaw look like an out of world ET attack scenario.

  1. A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
  2. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Now firstly, Buffer Overflows are no new form of attacks. They have been here since the existence of man (I admit that’s a little much :D), and they are here to stay. Thus, articles like this are more like FUD, IMHO.
Secondly, applet support is very limited in mobile devices. Not to mention that J2ME supports only PNG format. Thus, not “virtually everything” is everything.
Finally, image parsing library in Sun’s Java implementation is through a native library. It’s time that Sun writes a Java equivalent for it to avoid other similar issues. Further, since Java is now GPL, I also hope to see the code coming from some random, pimply, introvert teenage kid. πŸ™‚

The problems can be resolved by updating the packages. Detailed info provided on the Sun’s advisory.

Posted on

TPM Boys withdraw paper from BlackHat USA

I hope you remember the young Indian security researchers Vipin Kumar (22) and Nitin Kumar (23), the TPM Boys [I guess, that’s the way they call themselves. At least their blog confirms that. πŸ™‚ ]They presented a Paper “Vboot Kit: Compromising Windows Vista Securityat Blackhat Europe – 2007.

The talk explained the (different) booting process of Windows Vista. It also introduced the concept of manipulating an OS during its boot process using VBootkit. Finally, they gave a live demo of VBootkit in action (on Vista).

This event was Slashdotted. VBootkit was also blogged by Bruce Schneier. Here is an interview of the “boys” at SecurityFocus by Federico Biancuzzi. In their own words, “Vbootkit is much like a door or a shortcut to access vista’s kernel……. since vbootkit becomes part of the kernel, it can do anything that Vista’s kernel can do.”

This all, however, is a news of past. The current news stirred more vigour and controversy. They had yet another paper “TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)” scheduled to be presented at Blackhat USA – 2007. They withdrew there paper last week without any comments. This news was Slashdotted and resulted in a (typical) slashdotian variety of comments. Some even doubted if they really had any success in their research. Well, you cannot really blame them. That’s the fussy nature of our FOSS communities… errr… wait. Before you bash me, I’d like to remind you that it’s not (only) me who says that. It was originally cited by Mark Shuttleworth. An amazing number of people opposed Mark by creating a lot of Fuss. πŸ˜‰

Coming back to the story. A user, by the handle PoliTech, commented on Slashdot and reminded the Michael Lynn’s paper at Blackhat about his research on Cisco Routers. Cisco and ISS sued Lynn and the management of Black Hat conference. It’s worth noting that Lynn was an ISS employee. πŸ™‚

It should be also be noted that Vipin and Nitin’s previous presentation was in Amsterdam, Europe. This presentation, however, was scheduled in US… and the (stupid) US laws can screw things up. Based on Lynn’s case, it is quite apparent that Vipin and Nitin didn’t wish to get caught in any such undesirable situation.

I hope to see them present the paper at some other conference (or location) pretty soon. Best of luck guys.

OffTopic: Coincidentally, my younger brother’s name is Nitin. πŸ™‚

Posted on

Month of Search Engine Bugs: “Mission Accomplished”

The Month of Search Engine Bugs by MustLive has come to an end.

MutLive reports:

In the project took part 33 search engines (30 web engines and 3 local engines) of 19 vendors, some vendors have several engines. The list of project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether there were published 104 vulnerabilities in mentioned engines. Including Cross-Site Scripting (as XSS, and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. It is without taking into account redirectors in search engines (altogether there were published 23 redirectors).

Results of the projects: fixed 44 vulnerabilities from 104 (without taking into account redirectors). It is 42,31% fixed vulnerabilities. Owners of search engines have a place for improvements of their engines’ security.

Over a period of 30 days, 104 and vulnerabilities/bugs were discovered out of which only 44 have been fixed. Out of these 19 vendors, only two (Rambler and Ezilon) have thanked him for his commendable hardwork.

Several researchers, including Jeremiah, RSnake, Christ1an etc. blogged about it. Considering the complexities involved in the fixing a bug, they agree at some point that 44 is still a good number. However, there is one Big “Cheer” Leader which isn’t fixing the bugs. No points for guessing that the Leader believes in “not doing evil things”.

Posted on

Rediffmail Bug. Anyone Interested?

The title may lure you to assume that I am going to talk about some security bug. Well, I am not… or I’d rather say I haven’t yet thought of any ways to exploit it. If you come up with something, do let us know.

Now back to the topic.
Almost all the huge players are now moving to the AJAX arena. They are in fact coming up with new technologies like Silverlight, Apollo, JavaFx. I am personally not a very big fan of AJAX, but then it doesn’t make any difference. I am, however, interested in these new athletes, particularly JavaFx.

One of the major concerns of any AJAX programmer, IMHO, should be to take care of a situation where the user DOES NOT HAVE or DOES NOT WISH to use Javascript. It should be a growing concern when we have plugins like NoScript (Oh! I Love it.) and we have reasons to use it. Apart from the security concerns, it blocks most of the stupid ads that I am not interested in.

Bottom line, there should be a minimal interface to fall back to (like the one GMail has). The rediffmail coders have done the same and provided a…. ummmm BackUpInterface thingy. However, they probably forgot that the *thingy* is there because the person’s browser DOES NOT SUPPORT Javascript.

My Story, My Words:
I used the NoScript plugin to forbid rediff.com domain, opened the site rediffmail.com, entered userid and password… and said… Khul Ja Sim Sim. πŸ™‚

Bingo I was in and was able to read my mails without any fuss. Then I decided to delete some mails… wait a sec! What the heck!
I am not able to.
Move mails??? Nopes.
Compose? Okay.
Send?? Sorry.
Save Draft? Sorry.
Cancel??? Sorry. πŸ™

I concluded that all that looks like a Button uses javascript. However, the links were, fortunately or unfortunately, working.
The Logout‘s like a link. So it’d obvoiusly work.
click.. click.. clickclickclick.
What the Heck!.
Logout operation calls some javascript function do_logout().

So basically, if I am an average internet user and do not have javascript, I’d log into my rediffmail account, read mails, try composing but won’t be able to send… and worse, I won’t be able to logout. Not understanding anything, I might close the browser window.
And what if I am at a cybercafe???

I am sure there is way to revive the session even if the browser window is closed (I remember reading of some similar old Yahoo! bug). If you’re interested, take on from here. πŸ™‚

Now for the other people. I would really like to know how many people actually have a rediff aaccount and actually use it .
I have one too… and I login in… say a month.
I am not at all blaming rediffmail service (Okay! A little :D), I am just interested in the figures.

Posted on

Samy: A hero or a villian!

First thing first. I hate these sites meant for so called “socializing”.
Sites like: Orkut, MySpace, etc. Ditto with games like SecondLife.
Heck Man.
Just get out of these places and get a life…. [Be more like Swen, the GBCD ;)]

Anyways. There is this guy who created a, so called, WORM for MySpace.
It was a beautifully written piece of code… all in javascript. What this worm did was, it added Samy as a hero in the profile of every person who visited Samy’s profile.
And that’s not all, it also added Samy as a hero to the visitors who visited ANY affected profile.
He gives a beautiful (and “for-dummies”) writeup:
Story in his own words
Technical details

It created a havoc. Lakhs of profiles were infected in a few hours. MySpace had to take down the site to “repair” it.
The code is so beautifully crafted that it made me smile.

Now, was this wrong?
To a certain extent, YES.

Was it a punishable crime?
mmm… Depends on the extent and type of punishment. [If my views matter… well it’s my blog, so it matters πŸ˜‰ ]

The recent news is that Samy has been sentenced for three years of probation and 90 hours of community service. He cannot have access to internet during this period. [Though I am not able to understand what it means. He’ll anyways be using ATM etc.] However, this kind of “punishment” doesn’t make a sense to me.

If we really have to punish the “culprits”, why not punish MySpace too?
Why shouldn’t MySpace take the responsibility of the privacy of it’s users?
Why was MySpace stupid to allow DIV tags?
Why shouldn’t iexplorer and safari be sentenced for allowing javascript inside CSS?

These are questions that cannot be answered because the world belongs to the BIG-BAD-BOYS.
What this boy did not really harm anyone. He could have modified the code to steal private information, (the way your gmail book can be stolen).
Moreover, he published the code after MySpace had fixed the problem.
……. and yet he has been SENTENCED.

I am reminded of an incident that Lalit told me about.
There was this guy who informed the site administrator about some loophole in his site and was jailed.

“… but why?”
“Because you are not supposed to peek inside my house, even if the door is open.”
“… and what if I am one of those who have signed up to stay in your house? Isn’t my privacy your responsibility? Shouldn’t I be allowed to check the locks and doors?”
“No. I am a freaking BIG-BAD-BOY. You’ve no right to mess with me. If you even dare, be prepared to be jailed.”

Well…. That makes sense now.
So next time you find a loophole either sit silently or sell it.
That’s all I can conclude.

Posted on

Zone-H Deafced by Saudi Hackers.

In an ironical/laughable/insightful event, http://zone-h.org was defaced today by Saudi Hackers. Irony because Zone-H maitains (probably the largest) archive of defaced site.
Below is the screenshot of the (defaced) homepage of zone-h.

zone-h_defaced.jpg

The words “your security got bypassed .. see more security next time” are clear enough to announce that security is not an feature or an event, it’s a process.By the way, I liked the music πŸ˜›