Friday, July 28, 2006

 

Cisco VPNs Open To Denial-Of-Service Attacks

Source Taken from CRN

A flaw in one of the protocols used by Cisco Systems' VPN 3000 Series concentrators could open up the devices to denial-of-service attacks.

The vulnerability lies in the Internet Key Exchange (IKE) Protocol, which enables remote IPsec VPN access. The flaw could allow an attacker to cripple a VPN 3000 Series concentrator by flooding it with IKE requests and making it unable to handle legitimate traffic, according to security researcher Roy Hills of U.K.-based security research firm NTA Monitor, who discovered the vulnerability last July and posted his findings to the Full Disclosure mailing list Wednesday.

Attackers don't need to be logged in to exploit the flaw because the problem occurs before the authentication stage, Hills wrote. Also, intrusion detection and prevention systems are likely to be ineffective because the traffic consists of genuine IKE packets, he said.

Cisco's VPN 3000 Series concentrators are designed for enterprise deployments and can support 200 to 10,000 simultaneous IPSec remote access users.

In an advisory issued Wednesday, Cisco's Product Security Incident Response Team (PSIRT) said the vulnerability is in version 1 of the IKE protocol and isn't related to vendor-specific hardware. Other Cisco products that use IKE version 1 include the Adaptive Security Appliance (ASA) line, PIX firewall and Cisco Internetworking Operating System (IOS) software.

Cisco IOS customers can protect themselves by implementing Call Admission Control (CAC) for IKE, which caps the number of simultaneous connections on a router, according to the advisory.
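The advisory's CAC-for-IKE mitigation, modelled as an added example (not Cisco's code or configuration): a responder that caps half-open, pre-authentication IKE negotiations and expires stale ones, so a flood of genuine-looking IKE requests cannot grow the table without bound. Class and method names, the cap and the timeout are assumptions.

```python
"""Model of Call Admission Control for IKE as the advisory describes it: a cap
on simultaneous in-negotiation (half-open) IKE SAs, so an unauthenticated
flood of IKE requests cannot exhaust the responder. Constructed model only."""


class IkeResponder:
    """Admits a new phase-1 negotiation only while the number already in
    progress is below max_in_negotiation; stale ones are expired."""

    def __init__(self, max_in_negotiation=25, negotiation_timeout=30.0):
        self.max_in_negotiation = max_in_negotiation
        self.negotiation_timeout = negotiation_timeout
        self.in_negotiation = {}   # (src_ip, initiator_cookie) -> start time
        self.established = set()
        self.rejected = 0

    def _expire(self, now):
        stale = [k for k, t in self.in_negotiation.items()
                 if now - t >= self.negotiation_timeout]
        for k in stale:
            del self.in_negotiation[k]

    def receive_init(self, src_ip, cookie, now):
        """First IKE message from a peer, before any authentication.
        Returns True if admitted, False if dropped by the cap."""
        self._expire(now)
        key = (src_ip, cookie)
        if key in self.in_negotiation:
            return True                      # retransmission, already admitted
        if len(self.in_negotiation) >= self.max_in_negotiation:
            self.rejected += 1
            return False
        self.in_negotiation[key] = now
        return True

    def complete(self, src_ip, cookie):
        """Peer finished phase 1; the SA leaves the half-open table."""
        key = (src_ip, cookie)
        if key not in self.in_negotiation:
            return False
        del self.in_negotiation[key]
        self.established.add(key)
        return True

    def half_open(self):
        return len(self.in_negotiation)


def simulate_flood(cap=25, flood_size=5000, timeout=30.0):
    """Constructed scenario: many IKE initiations from distinct sources at t=0,
    then one legitimate peer during the flood and again after the timeout."""
    r = IkeResponder(max_in_negotiation=cap, negotiation_timeout=timeout)
    for i in range(flood_size):
        r.receive_init("203.0.113.%d" % (i % 254 + 1), i, now=0.0)
    peak = r.half_open()                                       # bounded by cap
    during = r.receive_init("198.51.100.7", 999999, now=1.0)   # dropped
    after = r.receive_init("198.51.100.7", 999999, now=timeout + 1.0)
    return peak, r.rejected, during, after
```

The cap does not tell legitimate peers from the flood; it keeps the device responsive rather than keeping every peer connected, which is why the article treats it as a workaround rather than a fix.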

Although Cisco will continue to study possible software workarounds to mitigate the impact of the flaw, Mike Caudill, incident manager at Cisco's PSIRT, said a patch will be difficult to develop.

"This is one that isn't easily patched because it's an issue with the protocol itself. It's more of an industrywide protocol issue rather than a Cisco-specific issue," Caudill said.

In January, Cisco patched a flaw in the VPN 3000 Series concentrator line that could have allowed a malicious user to send a crafted HTTP packet designed to trigger a denial-of-service attack.

Tuesday, July 25, 2006

 

Ransomware getting harder to break

Source taken from The Register

Hackers may soon be pushing out ransomware packages so complex that they're beyond the decryption capabilities of the anti-virus industry, according to a study by Russian anti-virus firm Kaspersky Lab.

The report, Malware Evolution: April – June 2006, Hidden Wars, states that the creators of so-called ransomware packages are making the lives of security researchers more difficult by using more powerful and sophisticated encryption algorithms. Ransomware packages use malicious code to gain control of user files, encrypt them and threaten users that they won't see these files again unless they hand over a cash "ransom" to hackers.

Examples of ransomware malware, which made its first appearance only months ago, include Gpcode, Cryzip, and Krotten. At first the encryption approaches taken by hackers were crude. But Gpcode-AC, first detected in January 2006, used the RSA algorithm to create a 56-bit key. Since then, the unknown author of the virus has produced variants that use more complex encryption keys. The last detected variant Gpcode-AG uses a 660-bit key.

"We were able to decrypt 330 and 660-bit keys within a reasonably short space of time, but a new variant, with a longer key, could appear at any time. If RSA, or any other similar algorithm which uses a public key, were to be used in a new virus, anti-virus companies might find themselves powerless, even if maximum computing power was applied to decrypting the key," warns Aleks Gostev, senior virus analyst, Kaspersky Lab.

Kaspersky Lab warns that even if the original authors of ransomware families are tracked down there's nothing to prevent other hackers from developing the technique. Security firms might succeed in developing approaches that make it impossible for malicious users to encrypt or archive users' data. But users have the power to render ransomware attacks impotent by regularly backing up documents and email databases, a sensible security precaution that's all too infrequently applied.
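An added illustration of Gostev's key-length point above (not the Kaspersky analysis or any sample's code): a textbook RSA key with a 56-bit modulus, the size the article attributes to Gpcode-AC, is broken by factoring the modulus with Pollard's rho in a fraction of a second, while the same work grows roughly as the fourth root of n and is out of reach at the sizes a properly keyed virus would use. Function names, the seed and the sample file key are constructed.

```python
"""Why key length decides whether a ransomware key can be recovered: build a
textbook RSA key with a short modulus (the article cites 56-bit Gpcode-AC),
encrypt a per-file key, then recover the private exponent by factoring n.
Constructed example; no real malware key material is involved."""
import math
import random

rng = random.Random(2006)   # fixed seed so the demonstration is reproducible

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic, error < 4**-rounds)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_key(modulus_bits, e=65537):
    """Textbook RSA, no padding: returns ((n, e), d)."""
    while True:
        p, q = random_prime(modulus_bits // 2), random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)   # modular inverse, Python 3.8+

def pollard_rho(n):
    """Non-trivial factor of composite n; expected cost grows like n**0.25."""
    while True:
        c, x = rng.randrange(1, n), rng.randrange(2, n)
        y, d = x, 1
        while d == 1:
            x = (x * x + c) % n
            y = (((y * y + c) % n) ** 2 + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d

def recover_private_exponent(n, e):
    """What an analyst can do with only the public key of a short modulus."""
    p = pollard_rho(n)
    return pow(e, -1, (p - 1) * (n // p - 1))

def demo(modulus_bits=56, file_key=0x1F2E3D4C5A6B):
    (n, e), _ = generate_key(modulus_bits)
    ciphertext = pow(file_key, e, n)                 # what the malware stores
    return pow(ciphertext, recover_private_exponent(n, e), n) == file_key
```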
 

Creating More Fuzz

Source taken from The Register

Flaw finders lay siege to Microsoft Office

For most of the summer, Microsoft's Office product teams have had little time for development. Responding to a steady influx of flaws in the company's Office productivity suite has occupied many of Microsoft's programmers since late 2005. So far this year, the software giant has detailed at least 24 Office flaws found by outside researchers in its monthly bulletins, six times the number of Office flaws found in all of 2005. The count also surpasses the 20 flaws that Microsoft has fixed so far this year in Internet Explorer, a perennial favorite among vulnerability researchers.

The extraordinary jump in the number of flaws discovered by researchers in the components of Office has worried system administrators and forced Microsoft to spend development time on fixing the issues.

"When our security process gets activated, the application team is essentially ours," said Stephen Toulouse, security program manager for Microsoft's Security Response Center (MSRC). "It is not just that they are on-call, but they are working around the clock on response and updates."

The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if left unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.

The focus on Office flaws is a microcosm of the overall shift among vulnerability researchers from network service and server flaws to the application flaws that can be exploited to compromise a user's PC. Browsers, of course, are a popular target, but vulnerabilities have also been found in music-player software, image formats, Macromedia Flash and Shockwave, e-mail readers and desktop security software.

"Nobody, I think, a year and a half ago would have thought that iTunes would have been a threat," Microsoft's Toulouse said.

Microsoft frequently sees such shifts in what vulnerability researchers find interesting, according to Toulouse. Yet, finding out what attracts researchers is more difficult, he said.

The initial signs of interest in Microsoft Office appeared last December, when one researcher attempted to auction off a vulnerability in Excel, only to have the high-profile auction canceled by eBay. Microsoft released its first major round of fixes for Office about four months later, approximately the average time that the software giant takes to patch flaws.

After that, a trickle turned into a flood.

"It's like someone opened the door and everyone wants to be in the same room," said Rohit Dhamankar, manager of security research for TippingPoint, a division of 3Com. "Once someone says, 'Look, this is an avenue of attack,' people from all over the world start concentrating on it."

TippingPoint, through its Zero-Day Initiative, has notified Microsoft of at least two flaws in Office discovered by independent researchers and patched by the software giant this year. TippingPoint's ZDI pays researchers a bounty for finding software flaws in common applications, a program that has caused some controversy.

While a vulnerability in a remote network service could be exploited to create a worm and tends to worry system administrators more, the rash of attacks leveraging the Office vulnerabilities to compromise specific companies underscores the seriousness of the current threat.

A limited number of companies have been targeted by Trojan horse Word documents, Excel spreadsheets, and PowerPoint presentations containing code to exploit previously unknown flaws within Office. The attacks appear to continue a trend of targeted espionage coming from within China. While security experts are careful to point out that the attacks may just be entering the U.S. from a compromised Chinese server, the continuing attacks from the same IP address space increasingly make that unlikely.

Not only are the attacks coming from China, but Chinese hacker clubs appear to be showing the lion's share of interest in finding flaws in Office, according to security experts. These groups are focused on using flaw information for financial gain, said Marcus Sachs, director of the SANS Internet Storm Center and the deputy director of the computer science laboratory at SRI International.

"My conclusion is the source of most of this trouble is coming out of China," Sachs said. "I think the technicians who are finding the flaws are selling the method of access to the intelligence or espionage community."

The hacker groups appear to be using data-fuzzing techniques to find flaws in Excel and other Office applications, agreed David Cole, director for Symantec's Security Response group. (SecurityFocus is owned by Symantec.)

"Given the number of Office flaws, it really feels like someone is fuzzing Microsoft Office and creating malicious files with the results," Cole said. "Someone is adamant about finding this stuff."

Of the public flaws detailed by Microsoft in July, at least four appear to have come from Chinese researchers. Other flaws were found as part of a vulnerability bounty program, so the sources of those issues are unknown. In total, at least seven of the last seventeen flaws appear to come from efforts by Chinese researchers.

"This is reminiscent of a few years ago when Russian (researchers) were doing stuff using issues in IIS and browser helper objects," ISC's Sachs said.

While Office files require some user interaction to compromise a victim's system, most workers are now accustomed to receiving such files, especially if attached to an e-mail that appears to be genuine, said Mikko Hyppönen, chief research officer for antivirus firm F-Secure.

"First and foremost, it is the easiest way to get through the most obvious barriers to entry in a corporate network: the firewall and antivirus," Hyppönen said. "If you try to use other executable code, the firewall or antivirus software will stop you. It is much easier to get in to reach the desktop if the document you are sending is an Excel file or a PowerPoint file or a Word file."

Hyppönen expects the attacks to continue, driven by a readily available source of flaws generated by fuzzing tools.

In fact, fuzzing tools appear to be the source of the deluge of Office flaws.

Once considered a crutch for the lowest form of code hacker - the much-denigrated "script kiddie" - data-fuzzing tools have gained stature to now be considered an efficient way to find vulnerabilities, especially obscure ones.

Fuzzers automate the process of trying to break an application by sending it unexpected data. Given a set of rules for constructing a file or an online form, a fuzzer will create every conceivable variation. Increasingly, vulnerability researchers and hackers are turning to tools to automate the discovery of flaws. For example, Next-Generation Security Software, a U.K.-based technology consultancy, used a homegrown data-fuzzing tool to find the recent flaw fixed by Microsoft in the way Excel handles LABEL record files.

"Fuzzing and understanding file formats is the way that a lot of people are progressing along," said Sherief Hammad, founding director of NGSSoftware. "It is pretty easily, programmatically, to build up a file with malformed input. Sometimes that is a better way to analyze program flaws."

In July, security researcher HD Moore promised to release a browser bug every day of the month, highlighting the utility of data-fuzzing tools, but also the threat to software companies and their customers of falling behind the attackers in using such tools.

"Just like Moore is putting out a bug a day, these guys are using fuzzing tools and producing a large number of bugs," ISC's Sachs said.

Between Moore's focus on Internet Explorer flaws and the automated search for Office flaws, Microsoft's programmers have their work cut out for them, and system administrators should expect more fixes for software flaws from Microsoft. NGSSoftware, at least, has found two more vulnerabilities and reported them to Microsoft. In addition, the latest targeted Trojan horse attack uses a vulnerability in PowerPoint that the software giant still has to fix.

Moreover, the flaws reported to date are only due to a limited amount of effort using fuzzers, TippingPoint's Dhamankar stressed. Researchers do not typically have access to the detailed information about file formats for Microsoft's Office, so their efforts to date have been limited.

"What you are seeing right now is just investigation into one part of the file format, and people have a lot more records to look at," TippingPoint's Dhamankar said.
 

Vulnerabilities - New Ways to Buzz about Data Fuzz-ing

Source taken from

Browsers feel the fuzz

Vancouver, CANADA--Last month, security researcher HD Moore decided to write a simple program that would mangle the code found in Web pages and gauge the effect such data would have on the major browsers. The result: hundreds of crashes and the discovery of several dozen flaws.

The technique--called packet, or data, fuzzing--is frequently used to find flaws in network applications. Moore and others are now turning the tool on browsers with startling results. In a few weeks, the researcher had found hundreds of ways to crash Internet Explorer and, to a lesser extent, other browsers. In another example, it took less than an hour at the CanSecWest Conference last week for Moore and information-systems student Matthew Murphy to hack together a simple program to test a browser's handling of cascading style sheets (CSS), finding another dozen or so ways to crash browsers.

"Fuzzing is probably the easiest way to find flaws, because you don't have to figure out how the application is dealing with input," said Moore, a well-known hacker and the co-founder of the Metasploit Project. "It lets me be a lazy vulnerability researcher."

Tracing the root causes of the crashes has resulted in the discovery of more than 50 flaws in Internet Explorer, a handful of which could be used to gain control of a Web site visitor's Windows system, Moore said. Other browsers had far fewer flaws, but each one had at least one remotely exploitable vulnerability that could be used to exploit users' systems, Moore said.

Microsoft stressed that the issues are still under investigation.

"Microsoft's initial investigation of HD Moore's findings determined that these are stability issues and not security vulnerabilities," a spokesperson for the software giant said Wednesday. "Microsoft will, of course, continue to work closely with HD to further investigate these findings and address these issues as appropriate for our customers."

The effectiveness of fuzzing at defining quality and security issues is nothing new.

Data fuzzing, or mangling, has been used often by security and quality-control engineers to test network devices. In 2002, the University of Oulu's Secure Programming Group (OUSPG) used the techniques to find a slew of flaws in the implementation of a basic communication protocol known as Abstract Syntax Notation One, or ASN.1, on which Internet protocols are based. The next year, the university used the same technique to find issues in a protocol used for Internet telephony.

Targeting browsers and other client-side applications using data fuzzing, or mangling, has become another tool on the belt of security engineers. As finding and exploiting server flaws has become more difficult, some researchers are turning to client-side applications, focusing mainly on Web browsers and desktop security software to date.

"Why go after the server where the safeguards are, when all this identity and data can be gotten from the client," said Timothy Keanini, chief technology officer for nCircle Network Security.

The most significant flaws discovered this year have been flaws that affected Microsoft's browser, Internet Explorer. A vulnerability in how Windows processes the Windows Meta File (WMF) format resulted in Microsoft fixing that issue in early January, ahead of schedule. On Tuesday, Microsoft issued a patch to close a critical vulnerability in Internet Explorer that had threatened users with compromise if they visited any of a few hundred malicious Web sites.


Security researchers have targeted browsers with fuzzing tools in the past. In 2004, Michal Zalewski released a tool that mangled HTML code and produced frequent crashes on browsers other than Microsoft's Internet Explorer. Another researcher, Shane Hird, targeted the Windows Component Object Model (COM) and ActiveX controls using a fuzzer, finding other security issues with Internet Explorer.

"For the most part, security people have stayed away from browser bugs," Moore said. "You can't go into a company at 3 in the morning and exploit all their desktops. You have to have the user involved."

Browser flaws have become more important to attackers, because they allow them to slip by a network's more secure network defenses and attack the internal systems, which are generally less well guarded, said Window Snyder, chief technology officer for security start-up Matasano and a former security strategist for Microsoft.

"There are so many ways to get past the perimeter and once you are in, it's an open field," Snyder said. "Internal applications have not been audited with the same rigor as core external applications."

The change in focus leaves system administrators having to worry about which of their desktop applications have been well audited, she said.

"We have to worry about vulnerabilities in Notepad--that is now considered a product that can affect your security," Snyder said.

Yet, fuzzing tools can, and should be, used for defense, nCircle's Keanini said. In many ways, fuzzers bring the same automated code checking capabilities as the static code checkers that are now being used with greater frequency by companies to audit their program code. And company administrators who decline to check a program do so at their own risk, because program complexity--and the number of vulnerabilities--has skyrocketed, he said.

"It used to be that the client was twenty times smaller than the server," Keanini said. "That's not the case anymore. There are clients that are bigger than operating systems--it's grotesque. There is nothing thin about the client anymore."

For his part, Moore has already tired of trying out fuzzing techniques, but he may try coding one more, he said. Almost every browser has plug-ins to handle Adobe's Flash format, and the security researcher said he wonders about the code's security.

"These are plug-ins that are installed by default, and no one has really taken a look at a corrupted Flash generator," he said.

Soon, that may not be true.
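Fuzzing a parser you own, as Keanini argues above, using the record-level mutation approach the Office article describes (an added example, not code from NGSSoftware, TippingPoint or any researcher quoted here): a constructed [type][length][payload] record format, a parser that trusts a declared count, and a loop that mutates a well-formed seed file and records every unhandled failure. The record types, the LABEL-like layout and the seed file are constructed, not the real Excel format.

```python
"""Mutation fuzzer for a record-based file format: mutate a well-formed file,
watch the parser fail. Constructed format: [type:u16][length:u16][payload];
the target parser trusts a declared count, the kind of bug fuzzers surface."""
import random
import struct

LABEL = 0x0204   # constructed record type: u16 character count + text

def parse_records(blob):
    """Target under test. Returns a list of (type, payload-or-text)."""
    records, pos = [], 0
    while pos < len(blob):
        rtype, rlen = struct.unpack_from("<HH", blob, pos)
        pos += 4
        payload = blob[pos:pos + rlen]
        if rtype == LABEL:
            count = struct.unpack_from("<H", payload, 0)[0]
            chars = [payload[2 + i] for i in range(count)]   # BUG: count unchecked
            records.append((rtype, bytes(chars).decode("latin-1")))
        else:
            records.append((rtype, payload))
        pos += rlen
    return records

def build_file(records):
    return b"".join(struct.pack("<HH", t, len(d)) + d for t, d in records)

def mutate(blob, rng):
    """One classic mutation: bit flip, byte overwrite, u16 smash, truncate."""
    data = bytearray(blob)
    if len(data) < 4:
        return bytes(data)
    choice = rng.randrange(4)
    if choice == 0:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data[rng.randrange(len(data))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    elif choice == 2:     # boundary values into a u16, likely a length or count
        struct.pack_into("<H", data, rng.randrange(len(data) - 1),
                         rng.choice((0, 1, 0x8000, 0xFFFF)))
    else:
        del data[rng.randrange(1, len(data)):]
    return bytes(data)

def fuzz(seed_file, iterations=2000, seed=1):
    """Returns {exception class name: first input that triggered it}."""
    rng, findings = random.Random(seed), {}
    for _ in range(iterations):
        case = seed_file
        for _ in range(rng.randrange(1, 4)):      # stack one to three mutations
            case = mutate(case, rng)
        try:
            parse_records(case)
        except Exception as exc:                  # any unhandled failure counts
            findings.setdefault(type(exc).__name__, case)
    return findings

# Constructed well-formed seed: a BOF-like record, a LABEL, an EOF-like record.
SEED_FILE = build_file([(0x0809, b"\x00\x06\x05\x00"),
                        (LABEL, struct.pack("<H", 5) + b"hello"), (0x000A, b"")])
```

In a native parser the unchecked count would be an out-of-bounds read rather than a Python IndexError; the harness is what turns a crash into a reproducible input that a developer can fix before someone else finds it.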

UPDATE: The original article affiliated Matthew Murphy with the wrong academic program. He is part of the Computer Information Systems program at Missouri State University. Also, a statement from Microsoft was added to the article late Wednesday, following the company's response to SecurityFocus's request for comment. The original article was posted at 8 a.m. PST.
