Security
By Jake Edge September 16, 2009
Some readers of the New York Times (NYT) web site were recently
surprised to "learn" that their computers were infected with viruses. As
it turns out, a rogue ad was responsible for the warning, and, as one would
guess, anyone who downloaded the suggested fix for the virus problems was,
instead, infected with malware. While the problem was fairly
short-lived—and targeted Windows, not Linux or Mac OS X—it does
point to a general problem for those who run web sites: how can one ensure
that the ads running on the site don't contain anything objectionable,
either because of the actual ad content, or because it contains malware?
Ad content is typically served by ad networks, and a web site
operator includes a little blob of Javascript into the proper place in a
web page. That Javascript is responsible for retrieving the ad content and
adding it into the page. But there is nothing stopping it from doing other
things, such as downloading Javascript from other sites. Because the
script code was served with the page, it has all the rights that any other
Javascript has in the context of that page. Essentially, the site owner
has given their ad network a "free pass" to do whatever is needed to put up
the ad.
In general, ad networks are careful to screen the ads they send to their
partners—at least for malicious content—otherwise, those
partners would switch to a different network. But, it is certainly
possible, and has probably happened in the past, that a dodgy ad gets put
into an ad network's rotation. That was the first guess for where the
NYT problem was. But, as the paper itself reported,
the ad actually came from elsewhere.
In addition to running ads from ad networks, web sites often directly sell
ads to customers. In this case, the NYT believed it was selling an ad to
VoIP provider Vonage. When the ads were placed, they at first displayed
normal Vonage ads. At some point, though, whoever placed the ads (and
provided the Javascript to the NYT) switched to serving virus warnings.
Obviously, in retrospect, the NYT should have been more careful to ensure
that whoever they were dealing with was, in fact, representing Vonage. The
ad content was not being served by vonage.com, but that's hardly
surprising as many advertisers use other sites to serve their ads. Vetting
advertisers can be rather difficult, though. There are multiple levels of
both technical and administrative verification that need to be done, some
of which are likely beyond the abilities of ad salespeople.
It is, in some ways, like the kind of vetting that needs to be—and
often isn't—done for SSL
certificates. There needs to be a real organization behind the ad, though
what constitutes "real" is an open question. The code to be inserted
needs to be inspected as well. An excellent dissection
of the NYT malware gives a good view of just how the attack worked.
Without somehow figuring out that tradenton.com was not a
legitimate ad serving network, there is nothing particularly suspicious
about the top-level code.
This is a problem we are likely to see more of over time. Because the ad
networks want to be able to run code on the client, for geotargeting and
other information gathering, sites must generally be willing to insert
fairly opaque Javascript into their site. As the dissection shows, that can
lead to bouncing around to multiple sites, grabbing code from
each—even legitimate ad serving networks often have their own
partners to whom they redirect requests. There is a sort of implicit web of
trust that exists, but one that has the potential to be subverted.
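One thing a site operator can do about that opaque chain of redirects is record which hosts an ad slot actually ends up loading code from and compare them with the partners the site agreed to. The following is an added example, not code from the LWN article or from any ad network; in a browser the URL list would be collected from a MutationObserver on the ad container or from the Resource Timing API, while here it is a constructed sample so the check runs stand-alone under Node. The approved host names and the sample chain are assumptions.

```javascript
// Added example: audit the hosts an ad slot pulls script from against the
// partners the site has actually vetted. Not code from the article.

// Hosts the site operator has vetted (constructed sample).
const approvedAdHosts = ["ads.example-network.com", "vonage.com"];

// Reduce a hostname to its last two labels. This is a deliberate
// simplification; a real deployment would consult the Public Suffix List so
// that names such as "example.co.uk" are handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

const approvedDomains = new Set(approvedAdHosts.map(registrableDomain));

// Classify every URL loaded on behalf of the slot, in load order, and note
// the first hop that left the approved set. URLs that do not parse, or have
// no host (data: and similar), are flagged as well: the loader the site
// agreed to should never have produced one.
function auditAdChain(scriptUrls) {
  const report = { approved: [], flagged: [], firstUnapprovedHop: -1 };
  scriptUrls.forEach((u, i) => {
    let host = null;
    try {
      host = new URL(u).hostname || null;
    } catch (e) {
      host = null;
    }
    if (host !== null && approvedDomains.has(registrableDomain(host))) {
      report.approved.push(host);
      return;
    }
    report.flagged.push(host === null ? u : host);
    if (report.firstUnapprovedHop === -1) report.firstUnapprovedHop = i;
  });
  return report;
}

// Constructed chain modelled on the article's description: the vetted
// network's loader fetches a second script, which fetches a third from a
// host nobody at the site ever agreed to.
const sampleChain = [
  "https://ads.example-network.com/loader.js",
  "https://cdn.ads.example-network.com/creative/123.js",
  "http://tradenton.com/serve.js",
];

console.log(JSON.stringify(auditAdChain(sampleChain), null, 2));
```

The report only tells the operator that the slot strayed, not whether the unapproved host is malicious; its value is that the deviation surfaces at the site rather than in user complaints, and `firstUnapprovedHop` points at which partner in the chain introduced it.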
Another aspect of the problem is that site owners often cannot see all of
the ads that are currently being displayed on their site. If some small
percentage of the ads—or those targeted at a different
region—contain objectionable content of any sort, the site owner may
very well be completely unaware of it until users complain. It's not just
malware ads that are a problem, here, but any kind of ad that the owner
might prefer not to run.
The NYT article mentions other similar incidents that have occurred in the
past, but this attack, on a high-profile site, has, at least, served to raise
the profile of the problem. Other than eliminating ad networks and
customer-supplied Javascript from a
site, there is very little defense against this type of subversion. By
running other people's code in a site, one has, for all intents and
purposes, turned over control of the site's content to third parties. It
shouldn't be too surprising that attackers are taking advantage of that.
Comments (15 posted)
New vulnerabilities
firefox: web content processing vulnerabilities
Package(s): firefox
CVE #(s): CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3074, CVE-2009-3075
Created: September 10, 2009
Updated: June 14, 2010
Description: From the Red Hat alert:
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3074,
CVE-2009-3075)
Comments (none posted)
firefox: use-after-free flaw
Package(s): firefox
CVE #(s): CVE-2009-3077
Created: September 10, 2009
Updated: June 14, 2010
Description: From the Red Hat alert:
A use-after-free flaw was found in Firefox. An attacker could use this flaw
to crash Firefox or, potentially, execute arbitrary code with the
privileges of the user running Firefox. (CVE-2009-3077)
Comments (none posted)
firefox: URL concealment
Package(s): firefox
CVE #(s): CVE-2009-3078
Created: September 10, 2009
Updated: October 20, 2009
Description: From the Red Hat alert:
A flaw was found in the way Firefox displays certain Unicode characters. An
attacker could use this flaw to conceal a malicious URL, possibly tricking
a user into believing they are viewing a trusted site. (CVE-2009-3078)
Comments (none posted)
firefox: JavaScript execution
Package(s): firefox
CVE #(s): CVE-2009-3079
Created: September 10, 2009
Updated: October 20, 2009
Description: From the Red Hat alert:
A flaw was found in the way Firefox handles malformed JavaScript. A website
with an object containing malicious JavaScript could execute that
JavaScript with the privileges of the user running Firefox. (CVE-2009-3079)
Comments (none posted)
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2009-3069, CVE-2009-3073
Created: September 14, 2009
Updated: October 20, 2009
Description: From the Red Hat bugzilla [1] [2]:
Mozilla developers and community members identified and fixed several
stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of memory
corruption under certain circumstances and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.
Comments (none posted)
firefox: certificate vulnerability
Package(s): firefox
CVE #(s): CVE-2009-3076
Created: September 10, 2009
Updated: April 23, 2010
Description: From the Red Hat alert:
Descriptions in the dialogs when adding and removing PKCS #11 modules were
not informative. An attacker able to trick a user into installing a
malicious PKCS #11 module could use this flaw to install their own
Certificate Authority certificates on a user's machine, making it possible
to trick the user into believing they are viewing a trusted site or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2009-3076)
Comments (none posted)
freeradius: denial of service
Package(s): freeradius
CVE #(s): CVE-2003-0967, CVE-2009-3111
Created: September 10, 2009
Updated: January 11, 2010
Description: From the Mandriva alert:
The rad_decode function in FreeRADIUS before 1.1.8 allows remote
attackers to cause a denial of service (radiusd crash) via zero-length
Tunnel-Password attributes. NOTE: this is a regression error related
to CVE-2003-0967 (CVE-2009-3111).
Comments (none posted)
horde: cross-site scripting
Package(s): horde
CVE #(s): CVE-2009-0931
Created: September 14, 2009
Updated: April 1, 2010
Description: From the Gentoo advisory:
Gunnar Wrobel reported that data sent to
horde/services/portal/cloud_search.php is not properly sanitized
before being used in the output (CVE-2009-0931).
Comments (none posted)
htmldoc: buffer overflow
Package(s): htmldoc
CVE #(s): CVE-2009-3050
Created: September 11, 2009
Updated: January 12, 2010
Description: From the Mandriva advisory:
Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
1.8.27 and earlier allows context-dependent attackers to execute
arbitrary code via a long MEDIA SIZE comment. NOTE: it was later
reported that there were additional vectors in htmllib.cxx and
ps-pdf.cxx using an AFM font file with a long glyph name, but these
vectors do not cross privilege boundaries.
Comments (none posted)
kde: man-in-the-middle attack
Package(s): kde
CVE #(s): CVE-2009-2702
Created: September 15, 2009
Updated: April 8, 2011
Description: From the CVE entry:
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Comments (none posted)
kernel: missing capability check
Package(s): kernel
CVE #(s): CVE-2009-1883
Created: September 15, 2009
Updated: February 19, 2010
Description: From the Red Hat advisory:
Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions.
Comments (none posted)
libsamplerate: denial of service
Package(s): libsamplerate
CVE #(s): (none listed)
Created: September 14, 2009
Updated: December 7, 2009
Description: From the Mandriva advisory:
Lev Givon discovered a buffer overflow in libsamplerate that could
lead to a segfault with specially crafted python code. This problem has
been fixed with libsamplerate-0.1.7 but older versions are affected.
Comments (none posted)
nginx: arbitrary code execution
Package(s): nginx
CVE #(s): CVE-2009-2629
Created: September 14, 2009
Updated: December 7, 2009
Description: From the Debian advisory:
Chris Ries discovered that nginx, a high-performance HTTP server, reverse
proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when
processing certain HTTP requests. An attacker can use this to execute
arbitrary code with the rights of the worker process (www-data on Debian)
or possibly perform denial of service attacks by repeatedly crashing
worker processes via a specially crafted URL in an HTTP request.
Comments (none posted)
planet: missing input sanitizing
Package(s): planet
CVE #(s): CVE-2009-2937
Created: September 15, 2009
Updated: September 17, 2009
Description: From the Debian bugzilla:
The planet feed aggregator attempts to remove malicious content from user-submitted feeds. It does a great job, but fails to sanitize this input:
<img src="javascript:alert(1);" >
At least Opera will execute this code.
Comments (1 posted)
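The planet bug above is the classic case of filtering tags but not the URL inside an attribute. As an added illustration, not code from planet or from the Debian bug report, here is the check an aggregator needs before echoing a feed's image URL into its own HTML: decide on the URL's scheme after normalising the whitespace, control-character and case tricks browsers tolerate, admit only an allowlist of schemes, and escape the value on output. The function names and the allowed-scheme set are assumptions; the input is assumed to be the attribute value after HTML entity decoding, as a feed parser would hand it over.

```javascript
// Added example: scheme allowlisting and attribute escaping for <img src>
// values taken from an untrusted feed. Not code from the planet project.

const allowedSchemes = new Set(["http:", "https:"]);

// Browsers strip ASCII control characters and leading whitespace from a
// URL and match the scheme case-insensitively, so "  JaVaScRiPt:" and
// "java\tscript:" both reach the javascript: handler. Apply the same
// normalisation before deciding, so the check sees what the browser sees.
function normaliseUrl(raw) {
  return String(raw).replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

// Return the scheme (with its colon) of an absolute URL, or null for a
// relative one. RFC 3986 scheme syntax: letter, then letters/digits/+.-
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  return m ? m[1] + ":" : null;
}

function isSafeImageSrc(raw) {
  const url = normaliseUrl(raw);
  const scheme = schemeOf(url);
  if (scheme === null) {
    // Relative URL: resolves against the aggregator's own page scheme.
    return true;
  }
  if (allowedSchemes.has(scheme)) return true;
  // data: URLs are admitted only for raster image types; SVG is excluded
  // because it can carry script of its own.
  return scheme === "data:" && /^data:image\/(png|gif|jpeg|webp)[;,]/.test(url);
}

// Minimal escaping for a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the <img> tag the aggregator will emit, or drop the image if its
// URL scheme is not on the allowlist.
function renderFeedImage(src, alt) {
  if (!isSafeImageSrc(src)) {
    return "<!-- image removed: disallowed URL scheme -->";
  }
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Constructed samples: the payload from the bug report and a benign image.
console.log(renderFeedImage("javascript:alert(1);", "x"));
console.log(renderFeedImage("https://example.org/a.png", 'say "hi"'));
```

The important design choice is the allowlist: rejecting `javascript:` by name would miss `vbscript:`, `data:text/html` and whatever the next browser adds, whereas admitting only `http:`, `https:` and raster `data:image/*` fails closed.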
puppet: multiple vulnerabilities
Package(s): puppet
CVE #(s): (none listed)
Created: September 14, 2009
Updated: September 16, 2009
Description: From the Fedora update:
This update fixes a number of bugs in both the packaging and upstream source.
See the package changelog and bug reports for complete details.
References:
[ 1 ] Bug #475201 - puppetmasterd does not initialize supplementary groups
https://bugzilla.redhat.com/show_bug.cgi?id=475201
[ 2 ] Bug #480600 - puppet initscript: condrestart should call status
https://bugzilla.redhat.com/show_bug.cgi?id=480600
[ 3 ] Bug #495096 - puppet SPEC file defines improper modes for some directories
https://bugzilla.redhat.com/show_bug.cgi?id=495096
[ 4 ] Bug #501577 - `/etc/init.d/puppet status` returns errors
https://bugzilla.redhat.com/show_bug.cgi?id=501577
[ 5 ] Bug #515728 - Storeconfigs broken
https://bugzilla.redhat.com/show_bug.cgi?id=515728
Comments (none posted)
rails: missing input sanitizing
Package(s): rails
CVE #(s): CVE-2009-3009
Created: September 15, 2009
Updated: December 21, 2009
Description: From the Debian advisory:
Brian Mastenbrook discovered that rails, the MVC ruby based framework
geared for web application development, is prone to cross-site scripting
attacks via malformed strings in the form helper.
Comments (none posted)
silc-toolkit: format string vulnerabilities
Package(s): silc-toolkit
CVE #(s): CVE-2009-3163
Created: September 15, 2009
Updated: June 1, 2010
Description: From the Mandriva advisory:
Multiple format string vulnerabilities in lib/silcclient/command.c
in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10,
and SILC Client 1.1.8 and earlier, allow remote attackers to execute
arbitrary code via format string specifiers in a channel name, related
to (1) silc_client_command_topic, (2) silc_client_command_kick,
(3) silc_client_command_leave, and (4) silc_client_command_users.
Comments (none posted)
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2009-2559, CVE-2009-2561
Created: September 14, 2009
Updated: December 7, 2009
Description: From the Gentoo advisory:
A buffer overflow in the IPMI dissector related to an array index
error (CVE-2009-2559).
An unspecified vulnerability in the sFlow dissector
(CVE-2009-2561).
Comments (none posted)
xapian-omega: missing input sanitising
Package(s): xapian-omega
CVE #(s): CVE-2009-2947
Created: September 10, 2009
Updated: September 16, 2009
Description: From the Debian alert:
It was discovered that xapian-omega, a CGI interface for searching xapian
databases, is not properly escaping user supplied input when printing
exceptions. An attacker can use this to conduct cross-site scripting
attacks via crafted search queries resulting in an exception and steal
potentially sensitive data from web applications running on the same domain
or embedding the search engine into a website.
Comments (none posted)
znc: arbitrary file overwrite
Package(s): znc
CVE #(s): CVE-2009-2658
Created: September 14, 2009
Updated: September 16, 2009
Description: From the Gentoo advisory:
The vendor reported a directory traversal vulnerability when processing
DCC SEND requests.
A remote, authenticated user could send a specially crafted DCC SEND
request to overwrite arbitrary files with the privileges of the user
running ZNC, and possibly cause the execution of arbitrary code e.g. by
uploading a malicious ZNC module.
Comments (none posted)
Page editor: Jake Edge