AMD Forums Uh-Oh
Speaking of client-side sploits, it appears that AMD's forums website was used to distribute WMF exploit code the other day. F-Secure has a write-up on the situation. It's been resolved, but there is likely a very interesting story behind this one. Again, client side exploits are the wave of the present.
Update: And now... the rest of the story (at least some of it). A diligent reader forwarded us to this ZDNet story about what happened. Seems that another company ran these fora for AMD, and they didn't update their software so they got whacked and turned into a wmf exploit dispenser.
Updated Malware Domain List
CME-24: It Has Begun
Just remember: Malware was created by man. It evolved. It rebelled.
Two-Way Firewall in Windows Vista and Microsoft OneCare
With client-side exploits so plentiful, it sure would be nice to have some form of serious outbound firewalling built into Windows, wouldn't it? The XP firewall blocks inbound traffic, but is of little use in outbound defenses. As Handler Queen Lorna Hutcheson points out, since Win2K, you can filter outbound using the so-called IPSec filters of Windows. However, such filters are: 1) Really badly named -- they don't have to use IPSec crypto; 2) Really hard to define (what an ugly GUI); and 3) Not limiting to specific applications to use specific ports and protocols. So, the existing outbound filtering of Windows is extremely limited.
But, here's a nice article about how Microsoft plans on including outbound filtering in the Windows Vista firewall. Let's see, we've had such features with free solutions for over a decade. But only in 2006 will we get it standard in Windows.
In Microsoft's defense, though, once an attacker infiltrates via a client-side exploit, their evil code can simply alter the firewall config. True. But, still, security is all about raising the bar. We raise the bar, they jump over it. We then raise it again. It's the natural order of things. I hear some arguments that say, "We shouldn't do this from a security perspective, because they'll jump over this bar." But, if the cost of such solutions is miniscule, why not raise the bar anyway, knowing that it still can be jumped? Let's make the bad guys work a little harder if it doesn't cost us anything.
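The diary's complaint is that the old IPSec filters cannot tie an outbound rule to a specific program, port and protocol. The script below is an added example (not from the ISC diary and not Microsoft's own sample) showing that capability on the Windows Firewall with Advanced Security cmdlets shipped with Windows 8 / Server 2012 and later; the rule names and the program path are placeholders.

```powershell
# Added example: default-deny outbound with one per-application allow rule,
# read back and verified. Program path and rule name are placeholders.

$RulePrefix = 'ISC-Example'
$AllowedApp = 'C:\Program Files\Example\updater.exe'   # placeholder path

# 1. Default-deny outbound on every profile. Put the allow rules you need in
#    place first, or you will cut off your own management traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow exactly one program to use one port and protocol outbound.
New-NetFirewallRule -DisplayName "$RulePrefix allow updater 443/tcp" `
    -Direction Outbound -Action Allow -Program $AllowedApp `
    -Protocol TCP -RemotePort 443 -Profile Any -Enabled True | Out-Null

# 3. Read the rule and its filters back so the change is verifiable.
$rule = Get-NetFirewallRule -DisplayName "$RulePrefix allow updater 443/tcp"
$port = $rule | Get-NetFirewallPortFilter
$prog = $rule | Get-NetFirewallApplicationFilter
'{0}: {1} {2} {3}/{4} for {5}' -f $rule.DisplayName, $rule.Direction, $rule.Action,
    $port.Protocol, $port.RemotePort, $prog.Program

# 4. Log dropped packets so anything that tries to get around the rules
#    shows up in pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
```

On Vista and Windows 7, where the cmdlets do not exist, the same outbound rules are created with `netsh advfirewall firewall add rule ... dir=out`. As the diary notes, malware running with enough privilege can rewrite these rules, so treat the blocked-packet log and a periodic `Get-NetFirewallRule` export as the check that the policy is still what you set.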
A related story involves Microsoft's OneCare technology, an attempt at a comprehensive set of anti-virus/anti-spyware/firewall tools that help provide an envelope of protection around a user's PC. A blog post here talks about ways to dodge the defenses of OneCare, primarily by using Java and/or signed code to bypass the firewall restrictions. Some Microsoft personnel respond here, saying that their goals were to pull security configurations together in one place and offer protection while minimizing application breakage. It's all about trade-offs. And I, for one, welcome our new OneCare overlords. There are many copies. And they have a plan.
Client-Side Exploits - The Mother Lode?
As any stroll down the latest Metasploit exploit list will tell you, attacking client technologies is very hot right now, including browsers, mail readers, audio players, etc. Here is an interesting article from Brian Krebs about a huge area likely to be very ripe with such exploits: ActiveX controls installed by third parties. Krebs summarizes well the research of Richard M. Smith, who claims to have found a cornucopia of buffer overflow flaws in widely deployed ActiveX controls. Handler extraordinaire Agent Tom Liston points out the possibility of using a known flaw in an ActiveX control to really help target a given population, such as a given ISP's customers or perhaps a given corporation or government known to use a given ActiveX control.
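For a control that is known to be flawed and that you do not need, the defensive counterpart to the targeting Liston describes is to stop Internet Explorer from instantiating it at all. The script below is an added example (not from the diary, Krebs or Smith) that sets Microsoft's documented kill bit (Compatibility Flags value 0x400, KB240797) for a control and verifies it; the CLSID is a placeholder to be replaced with the one from the vendor or advisory for the control in question.

```powershell
# Added example: set and verify the IE kill bit for one ActiveX control,
# then list every control already kill-bitted on the machine.

$Clsid   = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
$KillBit = 0x400                                      # documented kill-bit flag
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Key     = Join-Path $Base $Clsid

if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# Preserve any flags already present instead of overwriting them.
$existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
             -ErrorAction SilentlyContinue).'Compatibility Flags'
$new = [int]$existing -bor $KillBit
Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $new -Type DWord

# Verify: the bit must read back as set, otherwise fail loudly.
$check = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags').'Compatibility Flags'
if (($check -band $KillBit) -eq $KillBit) {
    "Kill bit set for $Clsid"
} else {
    throw "Kill bit not set for $Clsid"
}

# Inventory: every CLSID under the key whose flags include the kill bit.
Get-ChildItem $Base | Where-Object {
    ((Get-ItemProperty $_.PSPath).'Compatibility Flags' -band $KillBit) -eq $KillBit
} | ForEach-Object { $_.PSChildName }
```

On 64-bit Windows the 32-bit browser reads the same path under `HKLM:\SOFTWARE\Wow6432Node\...`, so set the bit in both hives. The kill bit only affects Internet Explorer and other hosts that honour it; the control's files stay on disk, so patching or removing it remains the real fix.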
Winamp 5.x Remote Code Execution via Playlists
remote code execution via a crafted playlist (.pls) file. The proof-of-concept exploit suggests using an iframe to trigger a 'drive-by' attack on anyone unlucky enough to visit a website containing a malicious iframe; say, third-party advertisers and forum websites--the usual vectors for this sort of thing.
Secunia's got a nice writeup of it here.
Update 21:22 UTC: Now that's what I call service! There's a new version of Winamp out today, version 5.13, which you can download now. Further research has shown that the workarounds can be bypassed, so don't bother. Just update.
Update Jan 31: There's a sploit in the wild for this one. Have you patched yet? The kiddies will come a-callin' soon. --Ed.