Java patched at least 4 bugs

Immunity products claims oracle patched multiple 0day security holes (not just one) in the recent update.

While doing some fast analysis (keep in mind we only spent an hour and half on it), we find out that they patched at least 4 vulnerabilities in the Java code base: The two used by the Gondvv worm and two more on difference pieces of code.

These 2 vulnerabilities were located in com.sun.beans.finder.ConstructorFinder and com.sun.beans.finder.FieldFinder and the underlying issue was the same “a trusted immedate caller”.

The forgotten device..

So you think you patch everything regularly and watch out for zero days and take preventive actions. You have anti-virus running on all of your 5 desktops and laptops and have convinced your spouse to be careful as well.

But did you forget your modem ?

All too often network equipment devices are forgotten – once installed and configured, most users or businesses do not worry about applying firmware updates provided by manufacturers. Even the simplest failure can affect thousands of users, who are silently attacked and prompted to inadvertently install malware or steered into phishing domains. As pointed out by the researcher Marta Janus, DSL modems are attacked by different kinds of malware, generally Linux-based, or in attacks exploiting CSRF flaws, UPnP and SNMP misconfigurations or even a complex drive-by pharming. 

Strikingly, not only is this kind of fairly largely ignored by users, but the security community itself pays little attention. It is quite common to see reminders about the importance of installing security patches to the operating system, but few speak of the need to update DSL modem firmware. 

Without much fanfare, a vulnerability showing a flaw in a specific modem was revealed in March 2011. That failure allowed remote access to an DSL modem. No one knows exactly when criminals began exploiting it remotely. The flaw allows a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the DSL modem, capturing the password set on the device and allowing the attacker to make changes, usually in the DNS servers.

Speed at which a patch can be pushed to all clients is important..

How fast is an security patch converted into an exploit ?  F-secure’s @TimoHirvonen did a study and came with this example to document a time-to-exploit timeline.

  •  2012-08-14: Security update available for Adode Flash player, patches vulnerability CVE-2012-1535.
     (Security update available for Adobe Flash Player)
  â€¢  2012-08-15: Microsoft Office Word documents with embedded Flash exploit for CVE-2012-1535 seen in the wild.
     (CVE-2012-1535: Adobe Flash being exploited in the wildCVE-2012-1535 – 7 samples and info)
  â€¢  2012-08-17: Exploit is added to Metasploit Framework — a public, open-source tool for developing and executing exploits.
     (Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit)

Took just one day for it to be converted into an exploit. In other words, it is not enough to release a patch. What matters now is how fast can all the clients can be updated after a patch is released.

The tale of two plugins..

In the browser world, Java and Adobe look very similar. Not only are they similar in the kind of stuff they allow embedded applets/flash_Code to do, but also in the way its exploited to get out of the security container which anonymous code should never be able to do. So here are couple of interesting news items you should know more about…

Adobe revokes certificates: Some tools found in the wild were found to be signed with Adobe’s signature which should have never leaked Adobe’s infrastructure. Adobe had no option but to initiate the process to revoke the impacted signatures and are conducting forensics to understand what really happened and what else is exposed.

More Java holes reported:  A number of readers alerted ISC of news reports stating that new “full sandbox escape” vulnerabilities had been reported to Oracle. At this point, there are no details available as to the nature of these vulnerabilities, and there is no evidence that any of these vulnerabilities are exploited. However, it is widely known that Oracle is working on a substantial backlog of these vulnerabilities. It is still recommended to use Java “with caution”. 

Incorrect implementation of HTTPS in the login page

If you had asked me a few years ago about how should a website owner protect a login page, I’d probably have said that they should make sure credentials are never sent over unencrpted channel. Now thanks to a little more knowledge and a few ‘duh’ moments I’ve come to realize that there is one another aspect of login page which goes un-noticed.

While most websites today do enforce that credentials are sent over HTTPS, they do not verify that the login page itself is not in the clear. In fact many of them have a “login/password” form in the clean on many unencrypted pages. For those who understand the risk of javascript injection can tell you as a matter of fact that the forms can be modified by a MiTM (man in the middle) device to do lots of interesting things… including, sending your password to an attackers server. Hence getting the password over encrypted channel wouldn’t protect much.

A key point to note here is that this requires an active attack on the user instead of just being a passive listenner, but thats something which has become only easier over time.

IDS world has changed a lot in the last decade

Its been a while since I last played with snort and even longer since I touched tripwire which was at one point the most popular host based intrusion detection tool out there. A lot has changed since then.

From a quick glance at the various tools I found below, its clear that just alerting based on signatures isn’t enough. This is not surprising since I can see how lot of false positives can lead to a configuration which could produce false negatives. Whats needed is a set of tools which can help investigate false positives quickly using visual notification or automated secondary scripts which could pull data from various sources to put a confidence number on each alert.

  • Security onion – Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It’s based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
  • Suricata – The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine
  • Sguil – Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures.
  • Squert – Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data).
  • Snorby – Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan).
  • NetworkMiner – NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traff
  • Xplico – The goal of Xplico is extract from an internet traffic capture the applications data contained.
  • Configuring Security Onion – A SANS paper which goes into the process of setting up Security onion.

Clock skew is the new TCP flag

The surprise in my eyes when I read through the papers about how “clock skew” can be used to fingerprint and identify hidden servers, was similar to the surprise I had when I read about nmap and OS fingerprinting the first time ( 2001 ? ). An eye opener in many ways.

It reminded me of Dan Brown’s book, “Angels and Demons”, where they were on a hunt for the hidden “anti-matter particle” container. If the server broadcasting the image was on the internet, they could have flipped airconditioning ( in addition to lights) across the city to detect “clock skew” and narrow down to which part of the city it could have been.

If you have more interesting papers/links/tools to share please let me a comment