Security Watch

Gartner Blows Virtual Gasket

Plus: RBO flaw in Groupwise; bad Google links; more.

• By Russ Cooper
• 06/04/2007

How do you spell FUD? Yes, certainly there are new things to consider when deploying a virtualized server that may be hosting several different server applications. This is as true as saying you'd have to consider new things when deploying a new OS, or a new server application.

However, the implication from the story is that there are new security targets as a result of the adoption of virtualization, and this really isn't true. Certainly, there's a layer of code, whatever is facilitating the virtualization, but such a layer is most likely only vulnerable from the system itself. IOWs, you'll have to be compromised by something with nothing to do with virtualization before that layer could itself be attacked.

RBO Flaw with GroupWise WebAccess
A buffer overflow exists in the authentication-handling components of Novell GroupWise. A criminal could send a crafted basic authentication request which could overflow a buffer and possibly allow code of their choosing to run. Updates are available here and here.

Since the vulnerability exists in the authentication process, the system itself cannot protect you against such an attack. If possible, you could restrict access to the system by IP address.

Google-Sponsored Links Not Safe?
Exploit Prevention Labs says that sponsored links from Google for terms such as "BetterBusinessBureau" have been directing people through a browser exploit site, which in turn has been infecting visitors with a password logger and another Browser Helper Object that is allowing it to listen to the unencrypted version of an SSL transaction.

The sponsored link appears harmless, and the link Google displays is a legitimate link. However, the URL the browser is directed to first is malicious. Google has removed these sponsored links, but others may still exist.

It's always disconcerting to see the ways Google is being abused to assist criminals. In the blog link provided, there's a link to an image captured by Exploit Prevention Labs. It shows a legitimate link to the bbb.org Web site in the left search results, and then a sponsored link alleging to point to bbb.org, as well. The fact is, the sponsored link doesn't point directly to bbb.org, but instead passes through the criminal site. That site looks like an advertising tracking site, and it would appear that Google is purposefully going out of its way to help advertisers, or advertising hosters, to hide the fact that links go through ad management sites. The criminals appear to know this about Google, and have taken advantage of the fact to implant their criminal "man in the middle" attack to abuse a browser vulnerability and implant the spyware.

Google must get better at detecting this sort of criminal abuse of its customers.

Large Enterprises Still Serving Up Spam
Another content-free article, this time from a company called Support Intelligence, claiming that huge corporations are allowing systems they control to send out spam. Basically the article says that if big corporations spending tons of money on security can't solve the problem, then the smaller companies must have an even bigger problem.

You'll probably be very surprised to learn that Support Intelligence sells products that are designed to track and control compromised hosts.

The article focuses on spammers using bots on compromised machines to send out their e-mail waves. Well, gee, how hard would it be to prevent all computers in your network from sending outbound SMTP, other than the few SMTP servers that are supposed to send e-mail? Not difficult at all; we call it default deny and we've talked about it for many years now.

Yet these folks would have you believe you need to buy a product to do this, because even the biggest companies can't prevent it -- and they're presumably trying to tell you that you wouldn't be able to figure out how either.

An internal system spamming is probably the most obvious thing a bot could do. It must send its spam via SMTP 25 or no other mail server will accept it. Ergo, simply monitoring outbound SMTP 25 at your routers would allow you to identify any spam-emitting devices. See, we just saved you thousands of dollars you might have spent on some product that would essentially do the same thing.