Security Watch
Petco Punished for Doing the Right Thing
Even honest disclosure can incur the wrath of the Man.
Hacking
The U.S. Federal Trade Commission announced it had come to a settlement with
Petco Animal Supplies Inc. regarding issues that arose from Petco being hacked
and exposing customer information (including credit card numbers). As a result
of the settlement, Petco must now submit to close scrutiny for the next 20 years
over how it handles such sensitive customer information.
The irony here is that this information came to light when Petco pursued a
suit against the hacker. The FTC settlement suggests that any company that
discloses it has been hacked may end up under very long-term scrutiny by the
FTC. While it's important that we get businesses to realize the impact on
consumers when they don't properly secure their information, I'm not convinced
that such harsh settlements are yet warranted. Such action may very well stifle
disclosure. Also, the extortion possibilities are very scary.
Liu Die Yu, noted for discovering numerous vulnerabilities in Internet Explorer
(IE) over the last year using nothing more than a Windows 98 box, was
acknowledged by Microsoft for responsibly disclosing to them two vulnerabilities
corrected in the MS04-038 cumulative IE patch. This is the first time Liu has
done this; he used to simply release his findings as he found them. I'm a strong
supporter of informing a vendor of vulnerabilities in its products, and giving
it a reasonable amount of time to fix them before telling everyone.
Two new vulnerabilities were announced for IE6. The first provides a method for
one site to hijack another site's cookies. This should only be possible if the
attacked site's cookies accept wildcards in the domain name, a bad practice in
the first place. XP SP2 isn't vulnerable to this exploit. The second bypasses
XP SP2 and exploits the way IE handles custom error pages, combined with another
URL parsing error. The result is that it's possible to download, and run, an
executable of the attacker's choice.
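The cookie point above rests on cookie scope: a cookie set without a Domain attribute is sent back only to the host that set it, while one with a Domain attribute is shared with every host under that domain, which is the "wildcard" the column warns about. As an added example (not code from the column), here is a small Python audit of Set-Cookie header values that reports which scope each cookie ends up with; the host names and header strings are constructed for the demonstration, and the classification follows the domain-matching rule of RFC 6265.

```python
# Added example: classify the effective scope of Set-Cookie headers.
# Host names and header values below are constructed, not captured from any site.

def audit_set_cookie(setting_host: str, header_value: str) -> str:
    """Return 'host-only', 'domain-wide', or 'rejected' for one Set-Cookie value.

    host-only   - no Domain attribute: only setting_host ever receives it.
    domain-wide - a Domain attribute: every host under that domain receives
                  it, so any sibling host can read (or overwrite) it.
    rejected    - a Domain attribute that does not cover setting_host; a
                  conforming browser discards such a cookie.
    """
    attrs = {}
    for part in header_value.split(";")[1:]:          # skip the name=value pair
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip()

    domain = attrs.get("domain", "").lstrip(".").lower()
    host = setting_host.lower()
    if not domain:
        return "host-only"
    # RFC 6265 domain matching: the host must equal the domain or end in
    # "." + domain; anything else means the cookie should be dropped.
    if host == domain or host.endswith("." + domain):
        return "domain-wide"
    return "rejected"


def audit_headers(setting_host: str, headers: list[str]) -> dict[str, str]:
    """Map each cookie name to its effective scope, as an auditor would report it."""
    report = {}
    for value in headers:
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        report[name] = audit_set_cookie(setting_host, value)
    return report


# Constructed sample: three cookies as a shop's web tier might set them.
SAMPLE_HOST = "shop.example.com"
SAMPLE_HEADERS = [
    "session=a1b2c3; Path=/; HttpOnly",                # bound to shop.example.com only
    "cart=xyz; Domain=.example.com; Path=/",           # shared with *.example.com
    "track=1; Domain=example.net; Path=/",             # does not cover the host
]

if __name__ == "__main__":
    for name, scope in audit_headers(SAMPLE_HOST, SAMPLE_HEADERS).items():
        print(f"{name:8s} {scope}")
```

Running it shows that only the session cookie stays bound to the host; the cart cookie is reachable from any other host under example.com, which is exactly the exposure the column describes.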
It continues to baffle me why we have not seen a plethora of utilities that
intercept the stream IE sees and look for a wide variety of known vulnerabilities.
Protocol handlers, a feature of Windows for several versions now, permit a tool
to register itself against various protocols, like HTTP or FTP. When implemented,
they're handed an open stream for the requested protocol, allowing them to see
the raw information being returned to the application that requested it. Not
every application allows protocol handlers to do their thing, but IE certainly
does for HTTP. A simple protocol handler could, for example, parse all URLs in a
stream and only allow those that conform to a stricter set of parsing rules. The
error page vulnerability above relies upon the fact that IE allows a URL like
"v.exe?.htm" but wouldn't allow "v.exe". It wouldn't be difficult to spot that
malformed URL.
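The stricter URL rule the paragraph calls for, written out as an added example in Python rather than as a Windows protocol handler (this is not code from the column or from any Microsoft API). The filter scans an HTML stream for href/src values and decides what each URL points at from its decoded path alone, so a query string or fragment dressed up as ".htm" cannot change the verdict; the HTML snippet, host names and the list of executable extensions are constructed for the demonstration.

```python
# Added example: a stricter URL filter over an HTML stream, after the idea in
# the column. Sample HTML and host names are constructed, not real sites.
import re
from urllib.parse import urlsplit, unquote

# Extensions a browser stream should never hand over as a "document" (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".hta"}

# Query or fragment text that tries to make an executable look like a page.
PAGE_LIKE = re.compile(r"\.(?:html?|txt|gif|jpe?g)$", re.IGNORECASE)

# Crude extraction of href/src attribute values from an HTML stream.
ATTR_URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def classify_url(url: str) -> str:
    """Return 'allow' or a short reason the URL fails the stricter rules.

    The file type is taken from the decoded *path* only; whatever trails
    '?' or '#' is never allowed to change what the URL is treated as.
    """
    # Control characters or whitespace inside a URL signal parser confusion.
    if re.search(r"[\x00-\x20]", url):
        return "control-char"

    parts = urlsplit(url)
    path = unquote(parts.path).lower()            # "%2E" becomes "." before we look
    last_segment = path.rstrip("/").rsplit("/", 1)[-1]
    ext = "." + last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""

    if ext in EXECUTABLE_EXTENSIONS:
        tail = unquote(parts.query or parts.fragment)
        if PAGE_LIKE.search(tail):
            return "disguised-executable"         # e.g. v.exe?.htm
        return "executable-path"
    return "allow"


def filter_stream(html: str) -> list[tuple[str, str]]:
    """Scan an HTML stream and return (url, verdict) for every URL found."""
    return [(url, classify_url(url)) for url in ATTR_URL_RE.findall(html)]


# Constructed sample stream, as a filter sitting in front of the browser would see it.
SAMPLE_HTML = """
<a href="http://shop.example.com/page.htm">news</a>
<img src="http://shop.example.com/img/pic.gif">
<a href="http://bad.example.net/v.exe?.htm">free card</a>
<a href="http://bad.example.net/v%2Eexe?.htm">free card</a>
<a href="http://bad.example.net/v.exe#.html">free card</a>
<a href="http://bad.example.net/downloads/v.exe">tool</a>
"""

if __name__ == "__main__":
    for url, verdict in filter_stream(SAMPLE_HTML):
        print(f"{verdict:22s} {url}")
```

The point of deriving the verdict from the path is that the disguise in the column only works when the consumer looks at the end of the whole URL; a filter that unquotes the path and ignores the query and fragment sees "v.exe" in every variant above.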
Malicious Code
An e-mail recently appeared that attempts to exploit the Graphics Rendering
Engine vulnerability patched by MS04-032. That vulnerability is triggered by a
Windows Meta File (WMF) or Enhanced Meta File (EMF).
A new version of the Cabir virus was discovered. Cabir exploits a Bluetooth
vulnerability in cell phones and spreads very slowly. In some countries,
companies are charging $90 per phone to clean it.
A Russian member of the group 29a was fined the equivalent of $100 for writing
a virus. That may be a lot of money there, but it sure doesn't seem like enough
of a fine.
Human Factors
Historically, eCards during the holiday season have been a great way to get
bots and trojans installed on your computer. Remember to be vigilant and not
succumb to the cuteness of eCards. Very few free eCard services continue to
exist, but most don't do nearly enough to ensure that the content they carry is
safe. Considering the vulnerabilities exploiting graphic formats these days,
plus the fact that anyone can load any image they want into their eCard, don't
be surprised to hear that these issues have been combined to make for the next
big deal.
Governance
Sarbanes-Oxley Act, Section 404, took effect a few weeks ago. Under Section 404
of the law, publicly traded companies must have policies and controls in place
to secure, document and process material information dealing with their
financial results.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.