Security Watch

Flash Flaw Isn't So Flawless, After All

Here's a Flash flaw that'd be too much work for crooks to deploy. Plus, trusting your free e-mail; e-greeting cards are soooo personal; more.

A new book discloses issues with Flash authoring tools that can allow criminals to abuse environments that deploy Shockwave Flash files in order to execute code on victims' systems. The authors hype the scope of the problem, stating that some 500,000 vulnerable applets are out there on popular sites. http://www.theregister.co.uk/2007/12/21/flash_vulnerability_menace/

The vulnerability exists because it is possible to cause an SWF to include a file not specified by the SWF author. SWFs will automatically include these files if they are present. So, to exploit the vulnerability a criminal would have to create the file and, more importantly, place it on the site that is hosting the vulnerable SWF files. Doing that requires the site to be compromised. Therefore, if all the stars align, the criminal could cause his file to be scripted by the SWF on the victim's system.

The bottom line: While such an attack is possible, using it would be taking the hard way to exploit victims. If a criminal can already compromise a server, he'd be in a position to cause script to run directly on the victim's system. He could simply add JavaScript to the bottom of all pages, as has been seen in the past. Why then would a criminal choose to use Flash instead, especially given that it does nothing more for him?

We Send You Greetings; Open Me Up!
In case you weren't aware, electronic greeting cards have been a commonly used vector for malware and phishing distribution. Yet, here's an article at the International Herald Tribune online that makes no mention of this fact. The story instead depicts e-greetings as a viable alternative, particularly for corporations interested in being "green." In any event, if the information in the story is reasonably accurate, e-greetings are here to stay and will, more than likely, increase over time.

If you have used them, or are considering doing so, then consider the content and method of distribution carefully. Customers will come to expect them from you should you start, at which point criminals may start using them in phishing attempts. Further, if the content includes personalized graphics such as signatures, then consider how those signatures might be used by criminals. If you can convince your customers you're being personal with such an e-greeting, then it's almost impossible to prevent the criminals from using your own materials against your customers.

You Get What You Pay For with Free E-Mail
Here's a long, long blog post from a Web designer describing a security problem with free e-mail services, so we'll cut to the chase: Gmail had a vulnerability that could be exploited by a criminal's Web site if a visitor came to said criminal's site while logged into Gmail. The exploit inserts filters into Gmail such that e-mails to or from a Gmail user could be redirected to another e-mail address. In this particular blogger's case, his Gmail account was hijacked and, after he told the entire world he would be away for a month, the hijacker used the blogger's e-mail account to transfer his domain name to another registrar. The result: the blogger no longer owned or controlled his domain name.

While it is truly unfortunate, the idea that someone would use a free service for a business e-mail account is the real mistake. Since the e-mail address is also authoritative for domain name transfers, the loss of the e-mail account resulted in the theft of the domain. It at least demonstrates the mistakes that smaller entities are prone to making in order to save money. Larger entities are smart enough never to put their trust in free services, but I've encountered some corporations who use Gmail or other free mail services for alert notification and the like.

Spying or Intelligence?
Allegedly legal and ethical competitive intelligence-gathering is currently a $1 billion business and may swell to $10 billion by 2012, according to a survey conducted by one researcher. Further, the Society of Competitive Intelligence Professionals, which has 3,300 members, has formed to establish a code of ethics. These individuals, those working legally, talk the information out of employees and those around them. Chatting up sales people and engineers seems to be the most likely way such a person will get competitive information about upcoming products or marketing strategies.

Bottom line: Make sure those in your organization who know your company's plans understand what "loose lips sink ships" means. Who you talk to at a trade show could mean the difference between a successful product launch and a dud.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
