Security Watch

Search Engines Get 'OK' Bill of Health

Plus, buffer overflow vulnerabilities abound; Microsoft IIS still a target; more

• By Russ Cooper
• 07/25/2007

"Sponsored results," or those results which have been purchased by their site owners, remain problematic. While the safety of such results is better than a year ago by 1.6 percent, they're still 2.4 times more likely to contain unsafe links as generic, unpaid results.

Clearly, for-profit sponsored results are causing a problem; profit is definitely put before customer safety. This is interesting if you consider that the people wanting to purchase sponsored results for unsafe links aren't likely paying very much for it. Ergo, if they paid less attention to their largest paying customers and more attention to the lower end of the pay scale, they'd likely detect these criminals more often.

While it would be nice to keep unsafe links from ever appearing, this is hardly something we can reasonably expect. However, accepting money from a site that is attempting to exploit visitors is another kettle of fish. Hopefully, this report will catch the eye of the appropriate people who can get this problem fixed; there definitely hasn't been enough said in the mainstream media about it.

My.activation.php3 Hit With Code Execution Vulnerability
Hmm, let's see. Let's make a VPN device based on PHP. Ouch! And let's not bother to fully parse the parameters we allow prior to authentication -- that'll make it even more fun! Bingo, our two worst nightmares in a single environment.

My.activation.php3 is a script used by the F5 device to execute shell commands during sign-on. A vulnerability exists in the way it parses parameters, which could allow an unauthenticated user to execute arbitrary shell commands. Patches are available here
(registration required). Needless to say, I believe you should get this patched ASAP.

Triple-Threat XFERWAN Flaw
Symantec Discovery, Centennial Discovery and Numara Asset Manager can all be exploited by an unauthenticated criminal who can send a criminally crafted request to XFERWAN.exe. Improper parsing of the parameters in such a request could result in code of the criminal's choice running in the context of the component, typically system. Patches are unavailable.

Here's yet another example of a product intended to connect with only one, or at least a very few, systems. A server would typically send out the probes to all IP devices to receive responses. If the product has effective security management built-in, then it could only respond to requests from the legitimate server within the victim's organization. Unfortunately, the software will respond to any IP address which attempts to connect to it, thereby allowing for the possibility that criminally crafted packets can be sent and processed, resulting in exploitation.

This vulnerability could result in a widespread problem within an organization that uses it. However, some other compromise is likely required before a machine in such an environment could be used to launch an attack against this vulnerability.

InstallShield ActiveX Hole
Macrovision FLEXnet Connect, also known as InstallShield Update Service, contains a vulnerability which could be exploited by a criminally controlled Web site. The control could be invoked and passed instructions by a criminal, causing it to run code of the criminal's choice. Patches are now available (here at Macrovision's support page, or through Secunia) and should be installed automatically on most systems.

This is a critical vulnerability in the sense that it's an Automatic Update mechanism which can be compromised. Such tools should be trustworthy. In its promotional literature, Macrovision states:

From the Trusted Name in Software Updating, FLEXnet Connect is from Macrovision, the company that develops the InstallShield and InstallAnywhere installation authoring solutions. Since 1987, the name InstallShield has been synonymous with quality software installations and updating. Because end users are familiar with the InstallShield installation and updating experience, they are more willing to trust it and accept updates that follow its industry-standard format. It helps reduce customers' reluctance to adopt new updates and patches.

While no exploit code is known to exist, should such code be developed, and should it mimic the behavior of the update service and prompt the user that a new update is available, trust in updating services could be severely damaged. Automatic updating is crucial to the overall security infrastructure of the Internet by keeping home users as patched as possible.

Google: Watch Out, Microsoft IIS
Here's an interesting blog entry by Google security folks reporting on the distribution of Web server software that's serving up criminal binaries or hosting drive-by-downloads.

I found it interesting that the majority of the servers included in Google's survey were running the latest versions of their respective Web server software. This certainly bodes well for Web security overall because it shows that site owners are paying attention to the benefits of newer software versions.

While the number of IIS servers hosting malware is roughly the same as the number of Apache servers, this means that IIS is nearly twice as likely as Apache to be compromised, given its overall use on the Internet. Furthermore, this is true despite the fact that 80 percent of the IIS servers hosting malware were IIS 6.0 implementations. Clearly, the OS version is not enough to help secure the site.