
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-07-23



Mailbag (iPhone/Firefox/Citrix CAG vulnerabilities)

Published: 2007-07-23
Last Updated: 2007-07-23 22:40:34 UTC
by Daniel Wesemann (Version: 4)

Numerous readers have contacted us to let us know that ...

  • a serious iPhone flaw was found (www.nytimes.com/2007/07/23/technology/23iphone.html)
  • apparently, parts of the online Knowledge Base of InstallShield have been subverted; some articles seem to have been replaced by a defaced web page. Update 1800 UTC: The site seems to be mostly OK again.
  • a flaw in Firefox up to and including 2.0.0.5 could allow an attacker to steal passwords that have been stored using the Firefox "Remember this password" function. Heise has a web site with a demonstration, but they also correctly point out that the moment you log in to a site where everybody can upload hostile JavaScript, all bets are off anyway, and access to the password store is probably the least of your worries.
  • several significant vulnerabilities have been found in Citrix Access Gateway. See the original advisories for details. Note that this link is only to the first of four; follow the references therein to CTX113815/16/17 as well.

Thanks to all who reported these.


Antivirus: The emperor is naked

Published: 2007-07-23
Last Updated: 2007-07-23 18:27:25 UTC
by Daniel Wesemann (Version: 3)

Over the weekend, I read a report by an anti-virus firm about the "discovery" of a malware-serving host which creates a new, unique malware binary "on the fly" for every exploited PC connecting to retrieve it. As if this were anything new, really. But rather than drawing the obvious conclusion from this discovery - namely that the anti-virus approach of the last 20 years, which is based on the assumption that you can keep up with creating "patterns" for all bad things out there, has completely outlived its usefulness - the article went on to extol the virtues of new "behavioural" virus defense software.

Time is overdue to radically change tactics on the malware defense side - but why doesn't anyone do it? Is it because the anti-virus vendors, reveling in their plum revenue stream of "update licenses", do not really see any need to change? Is it because the operating system vendors have their eyes set on this same (for them: additional) revenue stream, and don't want to dry it up by making a few changes to the OS itself?

At least for the corporate environment, the "solution" would be kinda obvious. Large firms have standardized their workplace computers and use automated software distribution tools to patch, update and deploy software on client PCs. Frequently, the distribution mechanism used is even from the same vendor as the operating system on the workstations. All that's needed to make life a misery for malware in such an environment is a component which enforces that workstations only load/run executable code that has been deployed to the workstation via the software distribution system that the firm already has and uses. Wouldn't this be a useful application of all the DRM code for a change?

Yes, I'm aware that this still leaves a number of attack points and injection techniques uncovered. And yes, this would not completely remove the need for anti-virus software. But it sure would be a huge step in the right direction.

I think it's time to stop pretending that the emperor is wearing clothes.


Update 1800 UTC: A few readers have interpreted the above as advocacy for vendor-signed software. This is not at all what I meant. Neither am I recommending painstakingly maintaining a whitelist of good binaries. All I'm suggesting is that large (Fortune-500 style) companies, who already have a strictly standardized workstation build and a solid software distribution process, could - with the right add-on tool - use their software/patch distribution as a method of policy enforcement, if the workstations would not run any code that did not come from the firm's SWDIST. Yes, this wouldn't work in R&D shops where folks are used to "download and install" the tools that they need, but it could be a huge step in the right direction in malware defense for firms like banks, etc., that already are running tightly locked-down desktops anyway.
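A small model of the two approaches contrasted above, added here as an illustration and not code from the diary or from any vendor's product: the distribution system records what it installs (the manifest format, file paths and sample bytes are constructed assumptions), the enforcement component runs a file only if that record matches, and a hash-pattern scanner is shown missing the per-victim binary that the provenance check still refuses.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DeploymentManifest:
    """Record the software distribution system (SWDIST) writes for every file it installs.
    It is produced as a side effect of the deployment job, not maintained by hand."""

    def __init__(self) -> None:
        self.deployed: dict[str, str] = {}  # path -> sha256 of the bytes SWDIST actually wrote

    def record(self, path: str, data: bytes) -> None:
        self.deployed[path] = sha256(data)


def swdist_policy_allows(manifest: DeploymentManifest, path: str, data: bytes) -> bool:
    """Enforcement component: execute only if SWDIST deployed exactly this content at this path."""
    return manifest.deployed.get(path) == sha256(data)


def pattern_av_detects(known_bad: set[str], data: bytes) -> bool:
    """Pattern approach: blocks only samples whose hash the vendor has already seen."""
    return sha256(data) in known_bad


def per_victim_binary(template: bytes, victim_id: str) -> bytes:
    """Stand-in for the host in the report: a different binary for every PC that fetches it (constructed)."""
    return template + b"\0" + victim_id.encode()


def demo() -> dict[str, bool]:
    manifest = DeploymentManifest()
    app_path = r"C:\Program Files\App\app.exe"          # hypothetical corporate application
    app = b"MZ corporate-app-v1 (constructed sample)"
    manifest.record(app_path, app)                     # SWDIST installs it and records the hash

    template = b"MZ dropper (constructed sample)"
    first_seen = per_victim_binary(template, "victim-0001")
    av_db = {sha256(first_seen)}                       # vendor shipped a pattern for the first copy
    fresh = per_victim_binary(template, "victim-0002")  # the next victim gets a different binary
    tampered = app + b" altered after installation"    # deployed file modified outside SWDIST

    return {
        "deployed_app_runs": swdist_policy_allows(manifest, app_path, app),
        "av_catches_first_copy": pattern_av_detects(av_db, first_seen),
        "av_catches_fresh_copy": pattern_av_detects(av_db, fresh),
        "policy_allows_fresh_copy": swdist_policy_allows(manifest, r"C:\Temp\update.exe", fresh),
        "policy_allows_tampered_app": swdist_policy_allows(manifest, app_path, tampered),
    }
```

The check is on provenance (what SWDIST wrote), so it needs no pattern for the malware at all; the injection and in-memory cases the author concedes are outside what a file-level check like this can see.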
