Security Watch

Microsoft, Mozilla, Verisign Team Up on E-Commerce Security Flaw

Plus: Windows Media Player RCE flaw not serious, says Redmond; Twitter phishing; more.

• By Jabulani Leffall
• 01/06/2009

The New Year is beginning much as the old year ended, with Microsoft on the defensive in the security space, issuing warnings to users, explaining the emergence of certain flaws and refuting the severity claims by security researchers. Meanwhile, a new phishing threat has the blogosphere all atwitter as phishing attacks, a mainstay in the hacker's arsenal last year, makes its presence known with Web 2.0 applications such as those used in popular social networks. Buckle up for an interesting year in the IT security arena.

Microsoft, Mozilla, Verisign Team Up on E-commerce Flaw
Microsoft announced in a Dec. 30 security advisory that it has become aware of research documenting methods for attacks against digital certificates, which are authenticators for numerous types of secure online communications, like e-commerce transactions.

The flaw is a highly technical one that can be found in the Message-Digest Algorithm 5 (MD5) formula, a widely used but reputedly insecure cryptographic hash function that takes blocks of data and sequences them for transmission from one network to another (in other words, everything that happens after a mouse click on the backend that makes complex processing possible via a Web browser).

The software giant stressed that the vulnerability is not in any Windows products but that in response to the threat to the greater ecosystem it is getting together with Mozilla to make sure Internet Explorer and Firefox browsers are safe. Meanwhile security company VeriSign, one of the world's largest digital certification authorities or CAs, said it was updating to the stronger SHA-1 algorithim in an effort to help guarantee turning processing that a certificate's owner, which for example can be an online seller or an e-commerce site, is on the up and up.

Microsoft Details Ccritical IE Bug
Just after Christmas, Redmond admitted that a bug in IE that was critical enough for an off-cycle patch stymied security pros for the company mainly because they didn't have the right testing tools. In this blog post, Michael Howard, a security program manager at Microsoft, said programmers didn't know where to look for the bug because of a data binding technology inherent in IE's code. Security pros also opine that there was very little time to comb through the code in detail because of the urgent timing of the patch. The speed of the IE patch release represented the fastest turnaround for such a widely deployed solution as IE, especially given the patch's development, testing and packaging requirements.

Media Player Flaw Not That Serious
Just days before New Year's Eve, a reportedly snowed-in Christopher Budd adamantly denied a report on Christmas Eve detailing a pervasive Remote Code Execution-ready hole in Windows Media Player. The Microsoft Security Response Center spokesman said reports by security researcher Laurent Gaffi that the vulnerability could be used by hackers armed with malformed .wav, .snd, or .mid audio files to compromise a PC running Windows XP or Vista were false. While confirming Gaffi's claims of existing proof-of-concept code that could trigger a crash of the Windows video, audio and special file-running app, Budd said the program can be restarted with a reboot of the PC without any glitches in the larger operating system.

"We've found no possibility for code execution in this issue." Budd said.

Meanwhile researchers in the more technical Security Vulnerability Research and Defense group at Microsoft spelled out in mathematical and technological language how the flaw is not a threat.

Going Phishing in the New Year?
A prominent hack tool in 2008 and year's previous will likely be prominent again in 2009: phishing. Just after New Years Day, tech gadfly Chris Pirillo discovered that one of the latest social networking sensations, Twitter.com, was the target of phishing attacks. Twitter is mainly an online community and mini-blog that can both augment and supplant a user's daily activities as a Facebook junkie. There's even a verb for it: "Twittering." If updating one's status comment every five minutes on Facebook isn't enough, there Twitter lets you tell everyone where you are and what you're doing in a 140-character message in real time, all day and all night. It's no wonder that potential phishers find this site irresistible to stage attacks on. From an enterprise processing perspective, a worker twittering on a lunch hour or griping about an upcoming meeting on the social networking site can give a hacker an open door to a corporate network.

So for the year going forward, it looks like e-mail, mobile messaging, MySpace, Facebook and Twitter all have phishing attacks in common. Welcome to 2009.