Search Engines Get 'OK' Bill of Health
Plus, buffer overflow vulnerabilities abound; Microsoft IIS still a target; more
A year after its initial survey, McAfee SiteAdvisor has released a new report on the safety of search engine results. Overall, search engines are safer, with only 4 percent of search results representing unsafe links, compared to the 5 percent reported in 2006.
"Sponsored results," those results whose placement has been purchased by the site owners, remain problematic. While the safety of such results is better than a year ago by 1.6 percent, they're still 2.4 times more likely to contain unsafe links than generic, unpaid results.
Clearly, for-profit sponsored results are causing a problem; profit is definitely being put before customer safety. This is interesting if you consider that the people buying sponsored results for unsafe links aren't likely paying very much for them. Ergo, if the search engines paid less attention to their largest paying customers and more attention to the lower end of the pay scale, they'd likely detect these criminals more often.
While it would be nice to keep unsafe links from ever appearing, this is hardly
something we can reasonably expect. However, accepting money from a site that
is attempting to exploit visitors is another kettle of fish. Hopefully, this
report will catch the eye of the appropriate people who can get this problem
fixed; there definitely hasn't been enough said in the mainstream media about
My.activation.php3 Hit With Code Execution Vulnerability
Hmm, let's see. Let's make a VPN device based on PHP. Ouch! And let's not bother
to fully parse the parameters we allow prior to authentication -- that'll make
it even more fun! Bingo, our two worst nightmares in a single environment.
My.activation.php3 is a script used by the F5 device to execute shell commands
during sign-on. A vulnerability exists in the way it parses parameters, which
could allow an unauthenticated user to execute arbitrary shell commands. Patches
are available here
(registration required). Needless to say, I believe you should get this patched
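The pattern this entry describes, a request parameter reaching a shell command before the caller has authenticated, is easy to show in miniature. The block below is an added illustration and not the F5 script or any code from the advisory; it is written in Python rather than PHP, and the parameter name, the tool path and the validation rule are assumptions. The same fix applies in PHP: authenticate first, validate against an allowlist, and pass the value as a single argument (escapeshellarg) instead of splicing it into a command string.

```python
"""Added illustration of the pre-authentication command-injection pattern
described above. This is not the F5 script or any vendor code: the parameter
name 'activation_id', the tool path and the validation rule are assumptions."""
import re
import shlex

# Assumed format for the parameter: 8 to 32 lowercase hex characters.
ACTIVATION_ID_RE = re.compile(r"\A[0-9a-f]{8,32}\Z")
ACTIVATE_TOOL = "/usr/local/bin/activate"   # hypothetical helper binary


def build_command_vulnerable(params):
    """The flawed pattern: the raw request parameter is spliced into a
    string that is later handed to a shell. A ';' in the value ends the
    intended command and starts the attacker's."""
    return f"{ACTIVATE_TOOL} --id {params.get('activation_id', '')}"


def build_command_hardened(params, authenticated):
    """Three changes: nothing runs before sign-on, the parameter must match
    the allowlist pattern, and the result is an argv list meant for
    subprocess.run(argv) without a shell, so the value is always exactly
    one argument."""
    if not authenticated:
        raise PermissionError("activation is only available after sign-on")
    activation_id = params.get("activation_id", "")
    if not ACTIVATION_ID_RE.match(activation_id):
        raise ValueError("activation_id rejected by validation")
    return [ACTIVATE_TOOL, "--id", activation_id]


def hardened_accepts(params, authenticated):
    """True only when the hardened path would go on to run the tool."""
    try:
        build_command_hardened(params, authenticated)
        return True
    except (PermissionError, ValueError):
        return False


def shell_commands_in(command_line):
    """Tokenizes like a POSIX shell and splits on command separators, so we
    can count how many commands the shell would run. A rough model: it
    handles ; | & && || but not $(...) or backticks."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Constructed requests: a benign id, and the same id with an injected command.
BENIGN = {"activation_id": "deadbeef01"}
MALICIOUS = {"activation_id": "deadbeef01; id"}

if __name__ == "__main__":
    print(shell_commands_in(build_command_vulnerable(MALICIOUS)))
    print(build_command_hardened(BENIGN, authenticated=True))
```

shell_commands_in is only a model of shell word-splitting; the point it makes is that the vulnerable builder turns one parameter into two commands, while the hardened builder never produces a string for a shell to reinterpret and refuses to do anything at all for an unauthenticated caller.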
Triple-Threat XFERWAN Flaw
Symantec Discovery, Centennial Discovery and Numara Asset Manager can all be exploited by an unauthenticated criminal who can send a criminally crafted request to XFERWAN.exe. Improper parsing of the parameters in such a request could result in code of the criminal's choice running in the context of the component, typically SYSTEM. No patches are available.
Here's yet another example of a product intended to connect with only one, or at least very few, systems. A management server would typically send probes to all IP devices and collect their responses. If the product had effective security management built in, the agent would respond only to requests from the legitimate server within the victim's organization. Unfortunately, the software responds to any IP address that attempts to connect to it, allowing criminally crafted packets to be sent and processed, resulting
This vulnerability could result in a widespread problem within an organization that uses one of these products. However, some other compromise is likely required before a machine in such an environment could be used to launch an attack against this vulnerability.
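What "respond only to requests from the legitimate server" looks like in code, as an added example that is not XFERWAN or any vendor code: an agent handler that drops requests from non-allowlisted sources before parsing a byte of them, paired with a parser that checks the declared length against the bytes actually received. The wire format (4-byte big-endian length, 1-byte opcode, ASCII payload), the addresses and the sample messages are constructed for illustration.

```python
"""Added example of the 'respond only to the legitimate server' control that
the inventory agents described above lack. This is not XFERWAN or any vendor
code: the wire format (4-byte big-endian length, 1-byte opcode, ASCII
payload), the addresses and the sample messages are constructed."""
import ipaddress
import struct

MAX_PAYLOAD = 1024               # hard ceiling the parser enforces
HEADER = struct.Struct("!IB")    # declared payload length, then opcode


class RequestRejected(Exception):
    """Raised for anything the agent refuses to act on."""


def parse_request(data):
    """Bounded parser: the declared length is checked against the limit and
    against the bytes actually received before the payload is touched, so
    a lying header cannot make the agent read or copy more than it got."""
    if len(data) < HEADER.size:
        raise RequestRejected("truncated header")
    declared_len, opcode = HEADER.unpack_from(data)
    if declared_len > MAX_PAYLOAD:
        raise RequestRejected(f"declared length {declared_len} exceeds {MAX_PAYLOAD}")
    payload = data[HEADER.size:]
    if len(payload) != declared_len:
        raise RequestRejected("declared length does not match bytes received")
    try:
        return opcode, payload.decode("ascii")
    except UnicodeDecodeError:
        raise RequestRejected("payload is not ASCII") from None


def handle_request(source_ip, data, allowed_servers):
    """Admission control comes first: a request from anything other than an
    allowlisted management server is dropped before any parsing happens."""
    src = ipaddress.ip_address(source_ip)
    if not any(src in net for net in allowed_servers):
        raise RequestRejected(f"{source_ip} is not an allowed management server")
    return parse_request(data)


def try_handle(source_ip, data, allowed_servers):
    """Convenience wrapper returning ('ok', result) or ('rejected', reason)."""
    try:
        return "ok", handle_request(source_ip, data, allowed_servers)
    except RequestRejected as exc:
        return "rejected", str(exc)


def build_request(opcode, text):
    """Encodes a well-formed request (used to construct the samples below)."""
    body = text.encode("ascii")
    return HEADER.pack(len(body), opcode) + body


# Constructed sample traffic.
ALLOWED = [ipaddress.ip_network("10.0.5.20/32")]          # the one legitimate server
GOOD = build_request(1, "INVENTORY")
LYING_HEADER = HEADER.pack(65535, 1) + b"INVENTORY"        # claims far more than it carries
OVERSIZED = build_request(1, "A" * (MAX_PAYLOAD + 1))      # consistent, but over the limit

if __name__ == "__main__":
    for src, msg in [("10.0.5.20", GOOD), ("10.0.9.99", GOOD),
                     ("10.0.5.20", LYING_HEADER), ("10.0.5.20", OVERSIZED)]:
        print(src, try_handle(src, msg, ALLOWED))
```

Source filtering narrows who can reach the parser, which is the control the column says is missing, but a source address is not proof of identity on an open network, so the length checks in parse_request matter even for requests that pass the allowlist.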
InstallShield ActiveX Hole
Macrovision FLEXnet Connect, also known as InstallShield Update Service, contains
a vulnerability which could be exploited by a criminally controlled Web
site. The control could be invoked and passed instructions by a criminal, causing
it to run code of the criminal's choice. Patches are now available (here
at Macrovision's support page, or through Secunia)
and should be installed automatically on most systems.
This is a critical vulnerability in the sense that it's an Automatic Update
mechanism which can be compromised. Such tools should be trustworthy. In its
promotional literature, Macrovision states:
From the Trusted Name in Software Updating, FLEXnet Connect is from Macrovision,
the company that develops the InstallShield and InstallAnywhere installation
authoring solutions. Since 1987, the name InstallShield has been synonymous
with quality software installations and updating. Because end users are familiar
with the InstallShield installation and updating experience, they are more
willing to trust it and accept updates that follow its industry-standard format.
It helps reduce customers' reluctance to adopt new updates and patches.
While no exploit code is known to exist, should such code be developed, and
should it mimic the behavior of the update service and prompt the user that
a new update is available, trust in updating services could be severely damaged.
Automatic updating is crucial to the overall security infrastructure of the
Internet by keeping home users as patched as possible.
This column was originally published in our weekly Security Watch newsletter.
Google: Watch Out, Microsoft
an interesting blog entry by Google security folks reporting on the distribution
of Web server software that's serving up criminal binaries or hosting drive-by-downloads.
I found it interesting that the majority of the servers included in Google's
survey were running the latest versions of their respective Web server software.
This certainly bodes well for Web security overall because it shows that site
owners are paying attention to the benefits of newer software versions.
While the number of IIS servers hosting malware is roughly the same as the number of Apache servers, IIS accounts for a considerably smaller share of Web servers on the Internet, which means an IIS server is nearly twice as likely as an Apache server to be compromised. Furthermore, this is true despite the fact that 80 percent of the IIS servers hosting malware were IIS 6.0 implementations. Clearly, running a current version of IIS (and the Windows release it ships with) is not, by itself, enough to secure the site.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.