Detaching from Barnacleware
HP plugs 8 ActiveX control flaws; cybercriminal round-up; security for small biz.
Eight separate vulnerabilities have been discovered in the HP Instant Support ActiveX control, supplied by default on all HP Windows systems. The control assists in maintaining the system BIOS and drivers, and also provides diagnostic information and facilities to HP support staff who want to interact with a client having a problem. An update is available.
HP's problem is a perfect example of "barnacleware," those utilities that come pre-installed on systems. No doubt most HP system users are aware they have access to support, but most are unlikely to know of HPISDataManager.dll, its capabilities, or the fact it is vulnerable to attack.
That said, this is also an example of vulnerability research carried further than is typically necessary. Okay, so the control has vulnerabilities and, as such, might leave system owners vulnerable to attack. But, HP correctly restricts access to the control only from sites in the HP domain.
Were it only true that more vendors took such precautions with their ActiveX controls. The researchers, in this case, failed to make any mention of this fact in their research document. Meanwhile, they were perfectly willing to provide exact numbers required to overflow the buffers afflicted by vulnerabilities. So who is the research document really targeting: the users who should update or the criminals who want to convert these vulnerabilities into crimes?
It's believed that some of the vulnerabilities can be exploited by a cross-site script, or some other flaw that could allow for cross-domain abuse. Such attacks can, equally, turn an "Internet Zone" request into a "Trusted Sites Zone" request, yielding harmful effects. Further, we never look at a vulnerability from the perspective that says another vulnerability must first be present for the first vulnerability under review to work. This is akin to suggesting that if I had Administrator rights to the machine, I can do bad things -- of course I can! Only HP-authorized users could exploit this vulnerability -- or criminals could -- if they compromised the HP site.
The researchers seem to have looked only at the fact the control could be abused, rather than at what the control was capable of without abuse. Think of it this way: If I can update the BIOS or replace drivers, why would I need to overflow a buffer?
Here's a round-up of recent cyber-criminals:
- Robert Bentley of Panama City, Florida, pled guilty to using a botnet, installed in Newell Rubbermaid’s European network, to install adware. His revenue came from DollarRevenue, which was fined 1 million euros in the Netherlands last year. Bentley has also been assessed $65,000 for restitution.
- Despite his claim that a hacker had broken into his computer and left pornographic images on it, Brian Brown was convicted by an Ontario Superior Court jury of possessing and distributing child pornography on the Internet. Brown had been allowed to participate in police efforts to thwart such offenders.
- One of 27 students who were disciplined for altering grades at three Fort Bend County high schools was a valedictorian. He has been barred from participating in graduation ceremonies.
- Thirty-eight-year-old Jon Oson, formerly the technical service manager for the Council of Community Health Clinics, received a 63-month sentence for hacking into clinic networks and deleting patient data. On December 23, 2005, he disabled automatic back-up facilities, and then on December 29 deleted the patient data for North County Health Services Clinic. He has been ordered to pay a total of more than $400,000.
- Gregory King has pled guilty to two counts of transmitting code to cause damage to protected computers. His plea bargain states he will face two years in jail and pay restitution to victims. One of those victims, who has had to put up with King’s DDoS attacks since 2003, feels the sentence is too light. King could have faced up to 20 years and a fine of $500,000. One really has to wonder how the courts can justify such light sentencing given the obvious lack of remorse King has shown.
Small- and medium-sized businesses in the U.S. may find some help coming their way regarding computer security issues. The Small Business Information Security Act of 2008 proposes to form a task force of public and private entities with the aim of identifying the issues such businesses face and making recommendations on how they can overcome their problems.
One author of the bill, Representative Snowe, said that "nearly one-fifth of small businesses do not use virus-scanning for e-mail, over 60 percent do not protect their wireless networks with encryption...." All things considered, those are pathetic numbers; no wonder so many PII records are being compromised. Forget about issues with SCADA systems as a source of concern -- consider instead just how many hours are being constantly wasted by so many businesses fighting with their compromised systems.
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.