Security Watch

The World Needs More Fuzzers

Javascript fuzzer used to discover Opera browser flaw; domain parking; another Nigerian 419 scam; more.

• By Russ Cooper
• 10/01/2007

The exploit offers an excellent example of the use of a fuzzing application to discover a vulnerability. We have to wonder why vendors haven’t all used such tools against their products to avoid similar vulnerabilities being found by less responsible parties. Opera 9.23 and above patch the vulnerability.

Domain Parking: Haven for Malware
The Register reports that some 100 domains parked at NameDrive were serving up malware via an ad server either run by, or subscribed to by, NameDrive. The ad server placed ads on parked sites, so site owners could derive some revenue while they were parked.

The article tries to suggest that the parked domains were targeted. There is no reason to believe this was the case, as being able to compromise an ad server would be a highly attractive target for any criminal. If malware could be inserted into any ad-serving environment, the opportunity exists to reach victims who would otherwise be surfing safely -- for example, those only visiting definitely legitimate sites. Given that the sites serving up the malware were all from the one parking service strongly suggests that either the structure of the parked domain Web page was vulnerable to attack, or that the ad server was used exclusively by the one domain parking service and itself was compromised.

As more hosting companies offer ad serving as part of the package their customers can subscribe to, we'll see more compromises of “ad networks.” We can only hope that the largest of them will do enough to ensure they don’t fall prey to such an attack on their infrastructure.

More URI Protocol Handlers Flaws
More URI Protocol Handlers have been found to contain flaws, similar to those found a few months ago in the FirefoxURL protocol handler, according to this article at InfoWorld.

The problem is that protocol handlers are registered by applications, so they can be invoked from within a browser. However, many applications don't provide sufficient sanity checks on the data that can be passed to the application the protocol handler might invoke, or, restricted from which zone the protocol handler can be invoked. It's akin to applications being marked “safe for scripting,” allowing any Web page to present links that would invoke them if a victim were to click on the link.

For example, Microsoft Office Communicator registers callto:, conf:, im:, sip:, sips: and tel: protocols. Searching the Windows registry for “URL Protocol” will show all registered protocols. Examining their “command” key will show what application is invoked and whether it passes parameters.

Hacking Law Aimed Indirectly at Security Industry
Wired Magazine reports that Paragraph 202C has gone into effect in Germany, making it illegal to possess, use, produce or distribute “hacker tools.” No attempt was made to define “hacker tools,” so it would seem it will be up to the courts to define it by rulings.

Overly broad or poorly defined laws serve little purpose in thwarting computer crimes. Convict someone under this law for using NMAP to port scan a government computer and you say that NMAP is a criminal tool. How many companies would then be using an illegal tool in Germany? Far more than the government would be able to prosecute. Give a defense lawyer a chance and he’ll bring in people from those companies to testify how the tool is not criminal, but a useful security management tool. Then where does the case go? Look in the average forensic investigator’s toolkit and you’ll likely find many tools the German government could deem illegal. So, are German companies not to be able to avail themselves of forensic services when trying to determine the extent of a breach by a criminal?

If it comes down to prosecutorial discretion, it's unlikely to be any different -- the law is too vague.

Online Dating Dealt a Setback in The Outback
Here's another story from The Register: A 56-year-old Australian farmer met his would-be wife online. She was from Mali, in Africa, and in addition to her she came with a $100,000 dowry in gold bars. So off he went to pick her up, but was instead met at the airport in Bamako by machete-wielding men who kept him captive for 12 days with the demand that he get his family to pay them $100,000. This story has a bit of a happy ending when he finally is saved when he's allowed to enter the Canadian embassy in Mali, allegedly to pick up the funds that had been transferred from Australia.

Well, duh! It's another minor variation of the Nigerian 419 scams. Come on! If she had $100,000 in gold bars, surely she could have flown to Australia to meet him!