Sûnnet Beskerming Alert List Advisory #236 - OpenOffice.org, Multiple News

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 OpenOffice.org - Remote Hacker Automatic Control - Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network, or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Online Advertising Movements
2.2 .bank Backers Fighting on
2.3 The Threat That is the Internet
2.4 Being Secure is Not Easy
2.5 When Updates go Bad
=====================================

1. SECURITY

1.1 OpenOffice.org - Remote Hacker Automatic Control

-- Products Affected --
OpenOffice.org, all versions

-- Technical Description --
A macro worm, dubbed 'BadBunny', targeting OpenOffice.org has been discovered by Sophos (after the developers forwarded it to them). This worm is multi-platform, with a different payload infection chosen for the current operating system (Windows, Linux and OS X are targeted). Dropped files target mIRC and X-Chat, which are then used to distribute the worm to other users. Other dropped files target various scripting languages (JavaScript, Perl, Ruby) and will also attempt basic network attacks against the websites of various antivirus and Information Security companies.

-- Description --
Antivirus vendor Sophos has identified a new worm that targets the popular OpenOffice.org alternative office productivity suite. What separates this worm from most other macro worms is its ability to attack Windows, Linux and OS X systems from the same infection (a different attack is launched depending on which system is in use). Although the worm has been discovered in the wild, and it will attempt to gain control of vulnerable systems, it is not widespread at this time - the only known copy was forwarded directly to the Sophos antivirus team.

-- Recommended Action --
Update to the latest antivirus definition files, and apply caution when interacting with OO.o files from untrusted sources, particularly files which contain macros. Consider running OO.o from a lesser privileged account until appropriate patches can be released.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
            U   O
Home User   8   8 (Very High)
Corporate   8   8 (Very High)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Online Advertising Movements

Following the recent purchase of DoubleClick by Google, and the rumoured discussions between Yahoo! and Microsoft, come more significant purchases by major Information Technology companies in the field of online advertising. Yahoo! recently bought out its remaining $680 million USD stake in Right Media Inc, and Real Media Inc has been bought up for $649 million USD by WPP Group, but the biggest news is Microsoft's recent purchase. Microsoft paid $6 billion USD to capture aQuantive, at a premium of over 80% over the current market value of the company. Even more interesting than the price is that it has been paid in cash ($66.50 per share when they closed at $35.87 on Thursday), and it represents the largest acquisition in Microsoft's history. For existing shareholders in aQuantive, the payday has already arrived, with shares jumping to $63.77 late Friday.

The recent spate of purchases and conglomeration taking place has left ValueClick as one of the few large online advertising companies still in public ownership. With Google purchasing the #1 company in the sector for $3 billion USD, and Microsoft purchasing the #2 for $6 billion, a number of observers are concerned that this is another sign of an overheated tech sector (at least on the stock market). Even though the figures appear excessive when compared to each other, both companies were purchased for almost the same multiple of annual revenue (15x and 13x respectively).

2.2 .bank Backers Fighting on

After initially raising the idea of a .bank top level domain (.tld) as a means to defeat phishing and a number of other online financial fraud opportunities, the team at F-Secure are still strongly in support of the idea, despite the critical responses that the idea received on its initial publication. Extending the original argument, the claim is made that because the domain authority will limit access to the domain to legitimate financial institutions ($50,000 per domain can't hurt), users can be reassured that only a legitimate site will be able to own one of these domains. Unfortunately, history has shown (at least for commercial domains) that it is not possible to isolate complete .tlds as easily as that. Tightly controlled domains, such as .gov, .mil or .edu, have had more success, but .bank will lack the necessary teeth behind it to ensure it remains clean (unless it is decided to give a government or a military control over it).

Even if .bank could be established, and was kept completely clean of malicious sites, it doesn't address the issue of banks that have the same name but exist in different countries - such as 'National Bank' - and it doesn't address the greater problem of attackers using flaws in the bank's own sites in order to redirect / confuse / con users. When banks are more than happy to use third parties to deliver content on their behalf (as a number of US banks are known to do), all the work of ensuring users know that they are on a .bank domain is suddenly useless, as official bank correspondence is coming in from a domain that is obviously not a .bank domain.

Unfortunately for F-Secure, they make the argument that smaller banks and credit unions will not be considered as important as larger financial institutions because they may not be able to afford the $50,000 registration fee. This is not going to make either the financial institutions or their customers happy (or safer), and it conditions users to accept that official banking domains can still be outside the .bank tld. Going further, arguing that companies such as PayPal (and presumably online trading companies such as ScottTrade and ETrade) should be eligible for a .bank domain even though they are not banks (though PayPal may soon be a bank in Europe) will further dilute the appearance of .bank as a place purely for banks and major financial institutions.

2.3 The Threat That is the Internet

Jikto, the JavaScript web scanner, relied upon basic research conducted by an independent researcher who has now come out and released a conceptual description of how a major AJAX / JavaScript Internet worm would work and how it could be configured for greatest effect. Using a set of common, well known building blocks, it will soon be possible to construct a worm that attacks the Internet, spreading by user contact (i.e. every page they visit), and which creates havoc across the Internet, rather than the relatively limited scope of worms such as Samy (MySpace) and Yamaner (Yahoo! Mail). This relies upon the way that JavaScript is implemented in browsers and on features of the language itself.

In this case the result is something that isn't so pleasant for end users, or at least risks being so, but there are other cases where a vulnerability has been declared when the behaviour is simply the expected behaviour of the system. Apple's flagship Internet browser, Safari, has been declared vulnerable to a JavaScript flaw that could allow a malicious site operator to see which links are being clicked on from the site. Before rushing off to Apple to complain, consider that it is possible, using JavaScript or CSS (for those who surf with JavaScript disabled), to determine where a site visitor has been. Also consider that many sites (Information Security sites included) use formatted links that temporarily direct to an interstitial page before going to the desired location. This allows them to track where their visitors are going and also provides another opportunity to put advertising in front of the site visitor.

Now to the 'vulnerability'. Unfortunately for the discoverer, and for the Information Security companies that have jumped on the discovery with glee, what Safari is doing is actually the expected behaviour. In the described situation, and the demonstrated proof of concept, the site coder has configured their anchor link <a> to trigger a JavaScript function which then loads the desired link in a new window (target="_blank" is so much easier). Once the window has opened, the function continues to run and calls a subsequent function, which references the opened window and identifies its URL.
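The handler pattern just described, as an added example that is not code from the advisory, from Apple or from the proof of concept: the click handler opens the destination in a new window and keeps the handle, and the same-origin rule decides what can be read back through that handle. The function names, the `report` logging callback and every sample URL are constructed for this example.

```javascript
// Added example, not code from the advisory. Models the outbound-link tracker
// described in the text and the same-origin rule that bounds what an opener
// may read from a window handle it holds. Function names, the `report`
// callback and all sample URLs are constructed here.

// Browsers treat two URLs as same-origin when scheme, host and port all match.
// URL.host already includes a non-default port, so comparing it covers both.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.host === b.host;
}

// What the opener's script can read from the handle: the full URL while the
// document in the opened window is same-origin with it, nothing once it has
// navigated to another origin (a real browser throws a SecurityError on that
// read). The opener still knows the href it passed to window.open either way,
// which is why reading it back is expected behaviour rather than a leak.
function readableLocation(openerUrl, openedUrl) {
  return sameOrigin(openerUrl, openedUrl) ? openedUrl : null;
}

// Browser-side handler pattern from the text; only meaningful where a DOM
// exists. The click opens the destination in a new window, keeps the handle
// and hands what it learned to the site's own logging callback `report`.
function attachClickTracker(anchor, report) {
  anchor.addEventListener('click', (ev) => {
    ev.preventDefault();
    const opened = window.open(anchor.href, '_blank');
    let seen = null;
    try {
      // Readable only while the document in `opened` is same-origin with this
      // page (right after opening it is usually still about:blank).
      seen = opened.location.href;
    } catch (e) {
      seen = null; // cross-origin: SecurityError
    }
    report(anchor.href, seen); // the destination was known before the read
  });
}
```

The `readableLocation` helper is the testable part of the rule: the opener learns nothing through the handle that it did not already know from the `href` it supplied, and nothing at all once the opened document belongs to another origin. The handle also works in the other direction, since the opened page receives a `window.opener` reference back to the page that opened it; adding `rel="noopener"` to the anchor, or passing `'noopener'` in the features string of `window.open`, removes that reference.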
In JavaScript, if a new window has been opened from a page, JavaScript can be used to perform various manipulations on the new window, and the same can be done from the spawned window. That the script continues to run in the original window and then references a known property of the new window is nothing new. It is not a vulnerability.

2.4 Being Secure is Not Easy

Building a system that is secure is a difficult prospect, but it is something that most people would assume about the Space Shuttle, modern fighter aircraft and nuclear power plants - that they are secure systems. Well, they aren't. Even though it operates probably the most tested, reviewed, bug-free and analysed code base in existence, the Space Shuttle was only recently discovered to have a unique roll-over bug that would lead to an unknown condition if the Shuttle was in flight over New Year's Eve - New Year's Day. Even though the ultra-modern fighters are only just entering service, a flight of F-22 fighters was forced to turn back to Hawaii after their flight computers exhibited chaotic behaviour on crossing the International Date Line. Even though nuclear power plants are supposed to have their control systems isolated from external network influences (one solid SCADA design principle that should be applied), a US nuclear plant was manually shut down after two water pumps failed following a spike in network traffic of unknown origin. While it was assumed that a faulty controller on another piece of equipment was at fault, the operators cannot rule out external traffic influences (i.e. they don't know where it came from). These incidents are excellent examples of the problem surrounding secure software development - with the improvement of development tools, developers are producing bigger and better disasters - a concept being promoted by Professor Ross Anderson from the University of Cambridge in the UK.
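The year-end roll-over above, as an added illustration that is neither from the advisory nor the Shuttle's own code (which the text does not describe): an elapsed-time routine built on a day-of-year counter is right on every day boundary except the one that crosses New Year, beside the computation that handles the boundary and a sweep of the kind that would have caught the difference before flight. The function names and dates are constructed for this example.

```javascript
// Added example, not from the advisory and not the Shuttle's own code. Shows
// the class of bug named in the text: an elapsed-time routine that works on a
// day-of-year counter fails on the New Year boundary. Dates are constructed.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// 1-based day of year in UTC (Jan 1 = 1, Dec 31 = 365 or 366).
function dayOfYear(date) {
  const startOfYear = Date.UTC(date.getUTCFullYear(), 0, 1);
  return Math.floor((date.getTime() - startOfYear) / MS_PER_DAY) + 1;
}

// Naive elapsed time: subtract day-of-year counters. This silently ignores
// the year, so Dec 31 -> Jan 1 yields a large negative number instead of 1,
// and anything downstream that expects a non-negative duration is in an
// unknown state.
function naiveElapsedDays(from, to) {
  return dayOfYear(to) - dayOfYear(from);
}

// Robust elapsed time: subtract absolute timestamps, which carry the year.
function elapsedDays(from, to) {
  return Math.round((to.getTime() - from.getTime()) / MS_PER_DAY);
}

// Boundary sweep: run both routines over every consecutive-day pair starting
// in `year` and return the dates (YYYY-MM-DD) on which they disagree.
function findRolloverFailures(year) {
  const failures = [];
  for (let d = new Date(Date.UTC(year, 0, 1));
       d.getUTCFullYear() === year;
       d = new Date(d.getTime() + MS_PER_DAY)) {
    const next = new Date(d.getTime() + MS_PER_DAY);
    if (naiveElapsedDays(d, next) !== elapsedDays(d, next)) {
      failures.push(d.toISOString().slice(0, 10));
    }
  }
  return failures;
}

console.log(findRolloverFailures(2007)); // ['2007-12-31']
```

The sweep is the point: 364 of the 365 pairs agree, so spot checks on ordinary dates never see the defect, and only a test that deliberately walks over the year boundary does.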
Professor Anderson also believes that security engineers need to know how things fail, and to study history to learn from past mistakes (just as licenced engineers do). While the above cases provide three excellent examples of unexpected failures, it appears that 'security' companies can have problems of their own that still have not been addressed even after many months of notification. McAfee Labs have picked up on some of the problems associated with VeriSign's assurance seal, which appears on many websites to indicate that VeriSign has validated the identity of that particular website (alongside the SSL certificate). These are just a subset of the problems that Sûnnet Beskerming reported to VeriSign in December 2005 - problems that included not only sites being able to put a seal on their main pages that pointed to any other validated site record, but also that it is possible to completely fake the record being pointed at. This can easily be achieved by setting up a fake page to look like the VeriSign record, but it can also be done using VeriSign's own results.

2.5 When Updates go Bad

In the space of less than a week, software updates caused two major system and network outages, in Japan and China, and a less major outage over the weekend.

In Japan, a set of updates to Cisco routers led to a network-wide failure for the NTT East and West networks. Up to 4,000 routers were affected by an update that led to routing tables (what tells network traffic where the next hop in the path to the end destination is) being rewritten on each device. This rewrite caused the routing tables to fail, and ultimately the devices stopped forwarding network traffic (effectively self-DoS'ing). The outage, from Tuesday night until Wednesday morning, left millions of users without Internet access and has led to the network provider considering the use of a heterogeneous network structure (i.e. multivendor devices, rather than Cisco-only - most likely by introducing Juniper devices). It appears that part of the cause of the incident was the use of routers without sufficient spare capacity, which meant that when a handful of devices suffered resource exhaustion, it led to a cascading failure as subsequent routers quickly ran out of capacity while trying to identify new routes for network traffic.

Chinese Windows XP SP2 users who regularly maintain their systems by applying the latest patches from Microsoft and running Norton-branded antivirus tools from Symantec (Norton AntiVirus, Norton 360, Norton Internet Security) found that a definitions file delivered by Symantec late last week left their systems unusable. The rogue update misidentified two critical system files as being part of the Haxdoor trojan - a very nasty piece of malware that has been causing significant problems for Windows users globally. The quarantining of the critical files left systems unbootable, even in safe mode, requiring significant effort to rebuild and recover the systems. According to Chinese reports, several thousand users were affected, mainly corporate users. Symantec quickly released an updated definitions file which no longer quarantines the system files, so the current updates should be safe for ongoing use.

On Saturday, it was then reported that Kaspersky Antivirus was identifying files from Rising Antivirus (a popular Chinese antivirus product) as part of a malicious trojan, thus disabling the product. While it requires both antivirus products to be present and in use, that configuration is a common setup, according to the Chinese Incident Security Response Team.

These events aren't the first time that rogue updates from antivirus vendors have led to significant system damage or outages, and it is sure not to be the last time, either. Incidents like this lead to users being conditioned against installing the latest system and critical software updates (Windows and OS X updates have also been known to break systems) for fear of having their system rendered inoperable by a rogue update. This extends the exploitation window that attackers can make use of to compromise vulnerable systems.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com