Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Information Disclosure Vulnerability in Internet Explorer

Published: 2010-02-03
Last Updated: 2010-02-04 02:54:07 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

Microsoft just publish KB Article 980088 [1] in response to the recently announced vulnerability in Internet Explorer. Microsoft confirms that it is possible for a malicious website to read files from the clients computer. All versions of Windows and Internet Explorer appear to be affected.

There is currently no patch for this problem. Microsoft advices users to set the Internet and Local Intranet security zone settings to "High". This will cause a prompt before running ActiveX Controlls and active scripting.

The attacker needs to know the file name. However, a typical target for this vulnerability would be a configuration file which is typically located at a predictable location.

[1] http://www.microsoft.com/technet/security/advisory/980088.mspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

8 comment(s)

Support for Legacy Browsers

Published: 2010-02-03
Last Updated: 2010-02-03 18:12:40 UTC
by Rob VandenBrink (Version: 1)
4 comment(s)

As part of the discussion we had last week on Neo Legacy Applications ( http://isc.sans.org/diary.html?storyid=8116 ), the topic of applications that require old browsers came up.  A wonderful example of how old browser support can be handled, phasing older code out gracefully, is Google's recent announcement that they'll be withdrawing support for IE6 and other older browsers, found here ==> http://googleenterprise.blogspot.com/2010/01/modern-browsers-for-modern-applications.html

However, Google's approach is not typical.  Often when an internal business application is released, it's list of supported browsers remains frozen, even as time marches on, and newer browser versions are released.

I've seen this myself - I've got a few clients who have spent 6 figures on new business systems, only to find that by the time they get from the pilot to a working system, that Microsoft has gone forward with a new version of IE.  What tends to happen then?  Why the business system vendor of course says they don't support the new browser, and for a nominal (5 figure) sum, they can upgrade to the new version that supports the newer IE version.

So this brings up two issues:
1/ I can see the position of the vendor, that it takes money to re-certify and maybe fix an application for the new browser version.  But is this a responsible approach?  Should this be a big-ticket app upgrade for the customer? Should a customer's maintenance agreement cover things like this?

2/ What happens in real life is that the management at the client company says "we just spent 200K on this system, and they want another 40k just for the new browser support - we'll show them! We'll stay at the old browser version".  Did you hear the silent "Forever!" at the end of that sentence?   So what you find is old browser versions hanging around much longer than they should - on every machine in the company !  Yes, I still have clients running IE6 for this very reason. 

I've had people say "You could just virtualize a machine with the old browser", but there are a couple of problems with that.  If it's a real VM (like in VMware Workstation for instance), remember that this app is running the *business system* - it needs to do things like access other apps, print, save files on the local disk, all that other stuff that you do when people do their job.  Running a VM makes that a little weird for anyone who's not tech-savvy.  Plus you have to buy that second windows CAL (unless you run IE in Linux that is)

Because the browser is so integrated into the OS, streaming the app using an on-demand installer (thinapp for instance), doesn't work so well either.  While running IE6 and IE8 on the same box is certainly possible (there's some good tech docs on this, and it really does work ok), It's a very complex process, and remember, our target audience is people in accounting or on the factory floor.

What I've seen done successfully is to run a terminal server or Citrix server (XENApp now), and keep the old browser and other required components there.  When we built this, we isolated the hosting server so that it has not HTTP access to the internet, in an attempt to try to mitigate against the IE6 problems.

Either way, it's an expensive way to go - has anyone out there seen a different, cheaper or more effective way to deal with being forced to keep an older browser?

 

=============== Rob VandenBrink Metafore ==============

4 comment(s)
Anatomy of a Form Spam Campaign (in progress against isc.sans.org right now) https://blogs.sans.org/appsecstreetfighter/

APPLE-SA-2010-02-02-1 iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch

Published: 2010-02-03
Last Updated: 2010-02-03 13:41:25 UTC
by Rob VandenBrink (Version: 1)
1 comment(s)

Several security issues are addressed for iPhone OS in this update.  All of them are applicable to iPhone OS 1.0 through 3.1.2, and iPhone OS for iPod touch 1.1 through 3.1.2.  The update will bring your device up to OS 3.1.3

Almost all of the issues addressed are serious - many of them are buffer overflow conditions allowing arbitrary code execution for common iPhone activities:

  • watching a maliciously crafted MP4 video
  • viewing a malicious TIFF graphic
  • accessing a (again, maliciously crafted) FTP site.
  • There's also a particularly nasty one that uses a memory corruption issue to bypass the iPhone password (via a crafted USB control message), allowing access to user data on the phone.

These are referenced as CVE-2010-0036, CVE-2009-2285, CVE-2010-0038, CVE-2009-3384 and CVE-2009-2841

These updates are available on iTunes - more information on the issues and update procedure can be found at http://support.apple.com/kb/HT4013 , or the main security update site at http://support.apple.com/kb/HT1222

The recommendation is to update your device to OS 3.1.3 as soon as possible.

 

=============== Rob VandenBrink Metafore ===================

1 comment(s)
Diary Archives