Security
All the malware that's fit to print
Some readers of the New York Times (NYT) web site were recently surprised to "learn" that their computers were infected with viruses. As it turns out, a rogue ad was responsible for the warning, and, as one would guess, anyone who downloaded the suggested fix for the virus problems was, instead, infected with malware. While the problem was fairly short-lived—and targeted Windows, not Linux or Mac OS X—it does point to a general problem for those who run web sites: how can one ensure that the ads running on the site don't contain anything objectionable, either because of the actual ad content, or because it contains malware?
Ad content is typically served by ad networks, and a web site operator includes a little blob of Javascript into the proper place in a web page. That Javascript is responsible for retrieving the ad content and adding it into the page. But there is nothing stopping it from doing other things, such as downloading Javascript from other sites. Because the script code was served with the page, it has all the rights that any other Javascript has in the context of that page. Essentially, the site owner has given their ad network a "free pass" to do whatever is needed to put up the ad.
In general, ad networks are careful to screen the ads they send to their partners—at least for malicious content—otherwise, those partners would switch to a different network. But, it is certainly possible, and has probably happened in the past, that a dodgy ad gets put into an ad network's rotation. That was the first guess for where the NYT problem was. But, as the paper itself reported, the ad actually came from elsewhere.
In addition to running ads from ad networks, web sites often directly sell ads to customers. In this case, the NYT believed it was selling an ad to VoIP provider Vonage. When the ads were placed, they at first displayed normal Vonage ads. At some point, though, whoever placed the ads (and provided the Javascript to the NYT) switched to serving virus warnings.
Obviously, in retrospect, the NYT should have been more careful to ensure that whoever they were dealing with was, in fact, representing Vonage. The ad content was not being served by vonage.com, but that's hardly surprising as many advertisers use other sites to serve their ads. Vetting advertisers can be rather difficult, though. There are multiple levels of both technical and administrative verification that need to be done, some of which is likely beyond the abilities of ad salespeople.
It is, in some ways, like the kind of vetting that needs to be—and often isn't—done for SSL certificates. There needs to be a real organization behind the ad, though what constitutes "real" is an open question. The code to be inserted needs to be inspected as well. An excellent dissection of the NYT malware gives a good view of just how the attack worked. Without somehow figuring out that tradenton.com was not a legitimate ad serving network, there is nothing particularly suspicious about the top-level code.
This is a problem we are likely to see more of over time. Because the ad networks want to be able to run code on the client, for geotargeting and other information gathering, sites must generally be willing to insert fairly opaque Javascript into their site. As the dissection shows, that can lead to bouncing around to multiple sites, grabbing code from each—even legitimate ad serving networks often have their own partners to whom the redirect requests. There is a sort of implicit web of trust that exists, but one that has the potential to be subverted.
Another aspect of the problem is that site owners often cannot see all of the ads that are currently being displayed on their site. If some small percentage of the ads—or those targeted at a different region—contain objectionable content of any sort, the site owner may very well be completely unaware of it until users complain. It's not just malware ads that are a problem, here, but any kind of ad that the owner might prefer not to run.
The NYT article mentions other similar incidents that have occurred in the past, but this attack, on a high-profile site, has, at least, served to raise the profile of the problem. Other than eliminating ad networks and customer-supplied Javascript from a site, there is very little defense against this type of subversion. By running other people's code in a site, one has, for all intents and purposes, turned over control of the site's content to third parties. It shouldn't be too surprising that attackers are taking advantage of that.
New vulnerabilities
firefox: web content processing vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2009-3070 CVE-2009-3071 CVE-2009-3072 CVE-2009-3074 CVE-2009-3075 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 10, 2009 | Updated: | June 14, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat alert:
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3074, CVE-2009-3075) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: use-after-free flaw
| Package(s): | firefox | CVE #(s): | CVE-2009-3077 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 10, 2009 | Updated: | June 14, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat alert:
A use-after-free flaw was found in Firefox. An attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3077) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: URL concealment
| Package(s): | firefox | CVE #(s): | CVE-2009-3078 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 10, 2009 | Updated: | October 20, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat alert:
A flaw was found in the way Firefox displays certain Unicode characters. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-3078) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: JavaScript execution
| Package(s): | firefox | CVE #(s): | CVE-2009-3079 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 10, 2009 | Updated: | October 20, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat alert:
A flaw was found in the way Firefox handles malformed JavaScript. A website with an object containing malicious JavaScript could execute that JavaScript with the privileges of the user running Firefox. (CVE-2009-3079) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2009-3069 CVE-2009-3073 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 14, 2009 | Updated: | October 20, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla [1] [2]: Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: certificate vulnerability
| Package(s): | firefox | CVE #(s): | CVE-2009-3076 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 10, 2009 | Updated: | April 23, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat alert:
Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3076) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
freeradius: denial of service
| Package(s): | freeradius | CVE #(s): | CVE-2003-0967 CVE-2009-3111 | ||||||||||||||||||||||||||||
| Created: | September 10, 2009 | Updated: | January 11, 2010 | ||||||||||||||||||||||||||||
| Description: | From the Mandriva alert:
The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes. NOTE: this is a regression error related to CVE-2003-0967 (CVE-2009-3111). | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
horde: cross-site scripting
| Package(s): | horde | CVE #(s): | CVE-2009-0931 | ||||||||||||
| Created: | September 14, 2009 | Updated: | April 1, 2010 | ||||||||||||
| Description: | From the Gentoo advisory: Gunnar Wrobel reported that data sent to horde/services/portal/cloud_search.php is not properly sanitized before used in the output (CVE-2009-0931). | ||||||||||||||
| Alerts: |
| ||||||||||||||
htmldoc: buffer overflow
| Package(s): | htmldoc | CVE #(s): | CVE-2009-3050 | ||||||||||||||||
| Created: | September 11, 2009 | Updated: | January 12, 2010 | ||||||||||||||||
| Description: | From the Mandriva advisory: Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and earlier allows context-dependent attackers to execute arbitrary code via a long MEDIA SIZE comment. NOTE: it was later reported that there were additional vectors in htmllib.cxx and ps-pdf.cxx using an AFM font file with a long glyph name, but these vectors do not cross privilege boundaries. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
kde: man-in-the-middle attack
| Package(s): | kde | CVE #(s): | CVE-2009-2702 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2009 | Updated: | April 8, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: missing capability check
| Package(s): | kernel | CVE #(s): | CVE-2009-1883 | ||||||||||||||||||||
| Created: | September 15, 2009 | Updated: | February 19, 2010 | ||||||||||||||||||||
| Description: | From the Red Hat advisory: Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
libsamplerate: denial of service
| Package(s): | libsamplerate | CVE #(s): | |||||||||
| Created: | September 14, 2009 | Updated: | December 7, 2009 | ||||||||
| Description: | From the Mandriva advisory: Lev Givon discovered a buffer overflow in libsamplerate that could lead to a segfault with specially crafted python code. This problem has been fixed with libsamplerate-0.1.7 but older versions are affected. | ||||||||||
| Alerts: |
| ||||||||||
nginx: arbitrary code execution
| Package(s): | nginx | CVE #(s): | CVE-2009-2629 | ||||||||||||||||||||||||||||
| Created: | September 14, 2009 | Updated: | December 7, 2009 | ||||||||||||||||||||||||||||
| Description: | From the Debian advisory: Chris Ries discovered that nginx, a high-performance HTTP server, reverse proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when processing certain HTTP requests. An attacker can use this to execute arbitrary code with the rights of the worker process (www-data on Debian) or possibly perform denial of service attacks by repeatedly crashing worker processes via a specially crafted URL in an HTTP request. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
planet: missing input sanitizing
| Package(s): | planet | CVE #(s): | CVE-2009-2937 | ||||||||
| Created: | September 15, 2009 | Updated: | September 17, 2009 | ||||||||
| Description: | From the Debian bugzilla:
The planet feed aggregator attempts to remove malicious content from user-submitted feeds. It does a great job, but fails to sanitize this input:
<img src="javascript:alert(1);" > At least Opera will execute this code. | ||||||||||
| Alerts: |
| ||||||||||
puppet: multiple vulnerabilities
| Package(s): | puppet | CVE #(s): | |||||||||
| Created: | September 14, 2009 | Updated: | September 16, 2009 | ||||||||
| Description: | From the Fedora update: This update fixes a number of bugs in both the packaging and upstream source. See the package changelog and bug reports for complete details. References: [ 1 ] Bug #475201 - puppetmasterd does not initialize supplementary groups https://bugzilla.redhat.com/show_bug.cgi?id=475201 [ 2 ] Bug #480600 - puppet initscript: condrestart should call status https://bugzilla.redhat.com/show_bug.cgi?id=480600 [ 3 ] Bug #495096 - puppet SPEC file defines improper modes for some directories https://bugzilla.redhat.com/show_bug.cgi?id=495096 [ 4 ] Bug #501577 - `/etc/init.d/puppet status` returns errors https://bugzilla.redhat.com/show_bug.cgi?id=501577 [ 5 ] Bug #515728 - Storeconfigs broken https://bugzilla.redhat.com/show_bug.cgi?id=515728 | ||||||||||
| Alerts: |
| ||||||||||
rails: missing input sanitizing
| Package(s): | rails | CVE #(s): | CVE-2009-3009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2009 | Updated: | December 21, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory: Brian Mastenbrook discovered that rails, the MVC ruby based framework geared for web application development, is prone to cross-site scripting attacks via malformed strings in the form helper. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
silc-toolkit: format string vulnerabilities
| Package(s): | silc-toolkit | CVE #(s): | CVE-2009-3163 | ||||||||||||||||||||
| Created: | September 15, 2009 | Updated: | June 1, 2010 | ||||||||||||||||||||
| Description: | From the Mandriva advisory: Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2009-2559 CVE-2009-2561 | ||||||||||||
| Created: | September 14, 2009 | Updated: | December 7, 2009 | ||||||||||||
| Description: | From the Gentoo advisory: A buffer overflow in the IPMI dissector related to an array index error (CVE-2009-2559) An unspecified vulnerability in the sFlow dissector (CVE-2009-2561). | ||||||||||||||
| Alerts: |
| ||||||||||||||
xapian-omega: missing input sanitising
| Package(s): | xapian-omega | CVE #(s): | CVE-2009-2947 | ||||
| Created: | September 10, 2009 | Updated: | September 16, 2009 | ||||
| Description: | From the Debian alert:
It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website. | ||||||
| Alerts: |
| ||||||
znc: arbitrary file overwrite
| Package(s): | znc | CVE #(s): | CVE-2009-2658 | ||||
| Created: | September 14, 2009 | Updated: | September 16, 2009 | ||||
| Description: | From the Gentoo advisory: he vendor reported a directory traversal vulnerability when processing DCC SEND requests. A remote, authenticated user could send a specially crafted DCC SEND request to overwrite arbitrary files with the privileges of the user running ZNC, and possibly cause the execution of arbitrary code e.g. by uploading a malicious ZNC module. | ||||||
| Alerts: |
| ||||||
Page editor: Jake Edge
Next page:
Kernel development>>