Security Watch

CA's Backup Software's BOF Gets Fix

Plus: Hackers working together to steal your identity; AIM hack just needs you to be logged in to work.

The server side of CA ARCserve Backup for Laptops and Desktops contains numerous vulnerabilities that could allow a remote, unauthenticated criminal to execute code of their choice in the context of the service, which typically runs as a privileged user. Updates are available.
http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp

http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35674

One of the vulnerabilities is in the rxrLogin authentication process itself, so requiring a login does nothing to protect the server: an attacker reaches the vulnerable code simply by attempting to authenticate, before any credentials are checked. Vulnerabilities in backup servers and clients have been popular targets in the past, especially on .EDU networks, where untrusted client machines are common and often have network access to the backup servers. I wouldn't be surprised to see one or more of these vulnerabilities incorporated into bots in order to speed exploitation once inside a network.

Like We Need Hackers Working Together
Vertical Web Media, publisher of Internet Retailer magazine, says its site was compromised and that customers' credit card numbers and other personally identifiable information were stolen by what it calls “coordinated sophisticated hackers.” The FBI is investigating, and Vertical Web Media says it has turned over logs and other information to forensic investigators.

The InformationWeek article detailing the hack appears to be full of speculation by Vertical Web Media’s president over how the attack was done and who did it. According to the article, the company claims the attacks came from several IP addresses and that the attack was handed off from one IP address to another periodically.

There definitely isn’t sufficient information in the article to determine how the attack was conducted, but it does sound similar to eBay attacks in which a CGI or some other function on the site was abused. The company says the attackers were collecting information from the site “one customer at a time,” which to us sounds like the result of a SQL query that was inappropriately exposed: a page that looks up a single customer record from a request parameter, with nothing stopping a visitor from walking through every customer's record in turn.

Of most interest to us was the claim that, because its patches were up to date, the company had a “sense of security.” The company went to some lengths to suggest it had a highly secure site, but no mention is made of any security audit having been performed. Patches fix known flaws in the vendor's software; they do nothing for flaws in the site's own application code, and only an audit of that code would find those.
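To make the mechanism speculated on above concrete, here is an added example (not code from Internet Retailer's site, from the InformationWeek article, or from this column) of a hypothetical "my account" page that exposes a SQL lookup by customer id, beside a hardened version. The customer table, the handler names and the attacker's harvesting loop are all constructed for the illustration; the point it shows is why being fully patched says nothing about a flaw of this kind.

```python
import sqlite3


def build_demo_db():
    """Constructed customer table (not anyone's real data) for the walkthrough."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "1111"),
        (2, "bob@example.com", "2222"),
        (3, "carol@example.com", "3333"),
    ])
    conn.commit()
    return conn


def account_page_vulnerable(conn, requested_id):
    """Hypothetical 'my account' handler. The id comes straight from the request,
    is never compared with the logged-in user, and is spliced into the SQL as
    text. Both faults live in the site's own code; no vendor patch touches them."""
    sql = "SELECT email, card_last4 FROM customers WHERE id = " + str(requested_id)
    return conn.execute(sql).fetchone()


def account_page_hardened(conn, session_customer_id, requested_id):
    """Same page: the caller may only see its own record, and the id is bound as
    a query parameter so it can never change the shape of the statement."""
    try:
        rid = int(requested_id)
    except (TypeError, ValueError):
        return None
    if rid != session_customer_id:
        return None  # in a real application: log the attempt and return 403
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE id = ?", (rid,)
    ).fetchone()


def harvest(conn, handler, id_range):
    """What an attacker's script does: walk the id space, one customer per request."""
    stolen = []
    for i in id_range:
        row = handler(conn, i)
        if row:
            stolen.append((i, *row))
    return stolen


if __name__ == "__main__":
    db = build_demo_db()
    # Every customer, one request each, no credentials needed.
    print(harvest(db, account_page_vulnerable, range(1, 50)))
    # The same handler also takes classic injection.
    print(account_page_vulnerable(db, "0 OR 1=1"))
    # Logged in as customer 2, the hardened page yields only customer 2.
    print(harvest(db, lambda c, i: account_page_hardened(c, 2, i), range(1, 50)))
```

Either defect alone is enough for the "one customer at a time" pattern the company described; a patched operating system and web server do not enter into it.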

This column was originally published in our weekly Security Watch newsletter.

Log In to AIM, Get Hacked
Versions of AOL’s AIM client after 5.9, and beta versions prior to 6.5.3.12, are vulnerable to remote exploitation that requires no user interaction other than being logged in to AOL with the client. A remote criminal could send a specially crafted AIM message, formatted in HTML, that exploits AIM’s underlying use of Microsoft’s MSHTML.dll. The AIM client does not adequately filter HTML messages to ensure they cannot abuse the features that MSHTML.dll provides, including running JavaScript or creating forms. AOL has implemented a temporary workaround on its AIM servers, but this applies only to messages that traverse the AOL network, not to direct client-to-client connections or to AIM used against a private server.
http://www.scmagazineus.com/Core-Security-discloses-AIM-vulnerability/article/35840/

http://www.coresecurity.com/?action=item&id=1924

It is important to understand that it is not MSHTML.dll that is vulnerable here. MSHTML.dll is a full-featured browser control that lets programmers embed the rendering engine and features of Internet Explorer in their own applications. What HTML reaches MSHTML.dll is up to the application that embeds it, as is the security zone the application assigns to the control; an application that feeds the control content from strangers is expected to filter that markup, or run the control in a restricted zone, first. By passing messages through unfiltered, AOL has effectively turned AIM into a fully functional web-browsing environment, something the company did not intend.

As a result, any browser vulnerability could likely be exploited via an AIM message, and since IM is push rather than pull, this opens the possibility of mass exploitation of vulnerable browsers without the attacker having to rely upon victims visiting malicious sites.
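The fix the column points at is on the application side: decide what HTML the control is allowed to see. As an added example (not AOL's code, not Core Security's, and making no claim about how AIM actually filters messages), here is an allowlist sanitizer in Python that keeps only basic formatting tags and http/https links and drops script, forms, frames, objects, event handlers and javascript: URLs before a message would be handed to a rendering control. The tag and attribute allowlists and the hostile sample message are assumptions constructed for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: what an IM client actually needs from HTML. Anything not
# listed here (script, form, iframe, object, every on* handler) is discarded.
ALLOWED_TAGS = {"b", "i", "u", "s", "br", "font", "a"}
ALLOWED_ATTRS = {"font": {"face", "size", "color"}, "a": {"href"}}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}   # their body is code, not text: drop it too
SAFE_URL_PREFIXES = ("http://", "https://")


class MessageSanitizer(HTMLParser):
    """Rebuilds a message from only the tags and attributes in the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []       # allowed tags currently open, to keep output balanced
        self.in_raw_text = False  # True inside <script>/<style>: body is skipped

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.in_raw_text = True
            return
        if tag not in ALLOWED_TAGS:
            return                # drop the tag, keep whatever plain text it wrapped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue          # unknown attributes and all on* handlers go here
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue          # javascript:, vbscript:, data:, file: are all refused
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.in_raw_text = False
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and tag in self.open_tags:
            while self.open_tags:  # close anything opened inside it so output stays well-formed
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.in_raw_text:
            self.out.append(escape(data, quote=False))  # a stray '<' is re-emitted as &lt;

    # Comments, <!DOCTYPE> and <?...?> hit HTMLParser's no-op handlers and vanish.

    def result(self):
        self.close()
        while self.open_tags:     # close tags the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_message(html_message):
    """Return the subset of html_message that is safe to hand to a browser control."""
    parser = MessageSanitizer()
    parser.feed(html_message)
    return parser.result()


# Constructed hostile message (not from the advisory): script, an event handler,
# a javascript: link, a form and an iframe, mixed with legitimate formatting.
HOSTILE = ('<b>hi</b> <script>alert(1)</script>'
           '<a href="javascript:alert(2)" onclick="steal()">click</a> '
           '<form action="http://evil.example/"><input name="pw"></form>'
           '<iframe src="http://evil.example/"></iframe>'
           '1 < 2 <a href="http://example.com/">ok</a>')

if __name__ == "__main__":
    print(sanitize_message(HOSTILE))
```

An allowlist is the only filtering approach worth using in front of a browser control: a denylist of "dangerous" tags is defeated by the next feature the engine grows. Even with this in place the control should still run in a restricted zone, since the sanitizer protects against hostile markup, not against a bug in the engine itself.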

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
