A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine-year-old browser is a mystery to me, especially at Google!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

06. December 2009 · Clientless SSL VPN design officially acknowledged as a vulnerability · Categories: Application Security, Secure Browsing, Vendor Liability

On November 30, 2009, the US-CERT classified the design of the popular Clientless SSL VPN class of products as a vulnerability – US-CERT Vulnerability Note VU#261869. In other words, the method by which Clientless SSL VPNs work creates a vulnerability for which there is no direct fix. The issue is that Clientless SSL VPNs, by design, subvert the "same origin policy" of web browser programming languages. The policy is described here and here.
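To make the design problem concrete, here is an added illustration (not from the US-CERT note or any vendor) of how a rewriting gateway collapses separate web origins into one. The gateway host and the `/proxy/<scheme>/<host>/<path>` rewriting scheme are constructed for the example, as is the allowlist mitigation at the end.

```javascript
// Added illustration: why a clientless SSL VPN collapses distinct web origins.
// Gateway host and path scheme are constructed, not from any real product.
const GATEWAY = "https://vpn.example.net";

// Origin of a URL as the browser's same-origin policy sees it: scheme + host + port.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed rewriting scheme: the gateway fetches the target site and serves
// it from its own origin, e.g. /proxy/https/bank.example.com/account.
function rewriteThroughGateway(targetUrl) {
  const u = new URL(targetUrl);
  const scheme = u.protocol.replace(":", "");
  return `${GATEWAY}/proxy/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Constructed sample sites: accessed directly, the browser keeps their scripts,
// cookies and DOM apart because their origins differ.
const bank = "https://bank.example.com/account";
const blog = "https://blog.example.org/post?id=1";

// Through the gateway every rewritten site shares the gateway's single origin,
// so script served for one site can reach the other's DOM and session data.
function originsAreCollapsed(urls) {
  const rewritten = urls.map(rewriteThroughGateway);
  return new Set(rewritten.map(originOf)).size === 1;
}

// Illustrative workaround (an assumption, not a vendor feature): only rewrite
// hosts on an explicit allowlist so untrusted pages never enter the shared origin.
function policyAllowsRewrite(targetUrl, allowedHosts) {
  return allowedHosts.includes(new URL(targetUrl).host);
}
```

Even with the allowlist, every allowed site still shares one origin with every other allowed site, which is why the note calls this a design flaw rather than a bug.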

This is by no means the first time this vulnerability has been written about – see Michal Zalewski's article of June 6, 2006, which provides a lucid attack example. Cisco acknowledged MZ's references to Cisco's SSL VPN here.

All software products contain security flaws. Most of them are implementation bugs that are more or less straightforwardly fixed in a patch or a new release. Occasionally a vulnerability is the result of a design flaw. However, this is the first time I am aware of that an entire security product class is architecturally flawed at its design level.

30. September 2009 · Popular social news site infected with XSS exploit · Categories: Application Security, Breaches, Malware, Secure Browsing

The popular social news site Reddit was breached with an XSS exploit. Of course, the article does not indicate what, if any, protection methods Reddit was using to prevent this most popular of web site exploits. I wonder how they would do if an auditor showed up tomorrow using CSIS's Twenty Critical Cyber Security Controls (I previously posted) as a reference.

14. September 2009 · Two more high profile Web 2.0 exploits – NY Times, RBS Worldpay · Categories: Breaches, IT Security 2.0, Malware, Secure Browsing

Two more high profile organizations have succumbed to Web 2.0 based exploits, the New York Times and RBS Worldpay. These highlight the shortcomings of traditional IT security. I have no doubt that both of these organizations had deployed traditional firewalls and other IT security tools, yet they were still breached by well understood exploit methods for which there are proven mitigation tools.

I discussed this issue, Web 2.0 requires IT Security 2.0, at some length recently.

The current RBS Worldpay problem was merely a hacker showing off a SQL Injection vulnerability in RBS Worldpay's payment processing system. Late last year RBS Worldpay suffered a more damaging breach involving the "personal and financial account information of about 1.5 million cardholders and other individuals, and the social security numbers (SSNs) of 1.1 million people."

The New York Times website itself was not breached. A third-party ad network vendor they use was serving "scareware" ads on the New York Times site. Martin McKeay points out on his blog:

"it appears that the code wasn't directly on a NYT server, rather it was served up by one of the third-party services that provide ads for the NYT. Once again, it shows that even if you trust a particular site you're visiting, the interaction between that site and the secondary systems supporting it offer a great attack vector for the bad guys to gain access through."

On the other hand, the average user coming to the New York Times site is not aware of this detail and will most deservedly hold the New York Times responsible. Web sites that use third-party ad networks to make money must take responsibility for exploits on these ad networks. For now, as usual, end users have to protect themselves.

I recommend that Firefox 3.5 users avail themselves of Adblock Plus and NoScript. Adblock Plus obviously blocks ads and NoScript by default prevents JavaScript from running.

What's particularly interesting about NoScript is that you can allow the JavaScript associated with the site to run but not the JavaScript associated with third-party sites like advertising networks. Based on my reading of Troy Davis's analysis of the exploit, if you were using Firefox 3.5 and running NoScript with only New York Times JavaScript allowed, you would not have seen the scareware ad.

06. September 2009 · Browser vendors add innovative security features · Categories: Risk Management, Secure Browsing, Security Management

The browser vendors are adding innovative security features to help protect users against web-based attacks. Here are some examples:

  • Firefox 3.5.3 will check your Adobe Flash add-in and warn you if it's not current. It is believed that as many as 80% of browser users are using older versions of Adobe Flash that contain vulnerabilities that are fixed in new versions.
  • Internet Explorer 8 added a raft of security features including URL filtering, Cross Site Scripting (XSS) filtering, click-jack prevention, domain highlighting, and data execution prevention (requires Vista SP1). The Cross Site Scripting filter is very impressive. Here is a detailed explanation of XSS and how the IE8 filter works. XSS attacks are particularly nasty because they can happen through no fault of yours. All you have to do is go to a site that has been successfully exploited. Details on the other features are here.
  • Opera 10, just now shipping, also includes URL filtering.
  • Safari 4, when running on Windows, will integrate with your Windows anti-virus software to check any files, images, or other items you are downloading via Safari. It also has URL filtering watching for phishing sites and sites known to harbor malware.
  • Chrome 2.0.172.43 was released on August 25, 2009 and fixed several high severity issues.

Firefox has long benefited from third-party security and privacy add-ons. NoScript is one of the more popular add-ons; it blocks JavaScript and lets you selectively turn on JavaScript per content source.

While I have not personally checked these security features, assuming they all work as advertised, Microsoft's Internet Explorer 8 leads the way in security innovation.