Tuesday, 5. August 2008, 12:35:51
Black Hat USA 2008 is this week in Las Vegas, and I wish I could be there to listen to ALL the presentations.
All of the talks that will take place at Black Hat USA 2008 are very important (quite an impressive list!!).
I wouldn't want to say one talk is more important than another, or would have more effect on people's use of the Internet than another, but the substance of the talk entitled "The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation" is pretty impressive, and the possible exposure to users is very far reaching and not fixable from a central location or central set of locations, and thereby not easily fixed.
The dangers of client-side threats such as XSS and CSRF are well understood in the context of vulnerable web applications. Furthermore, the dangers of malicious script as a vehicle for exploiting browser flaws and reconnoitering the Intranet have been discussed at length. Now what if XSS and CSRF could be leveraged directly to compromise the host… by design?
Rewind a few years ago and the client-side landscape was somewhat different: research was focused on exploiting the complex interactions between components exposed by the browser. The security of the whole was defined as the sum of the weaknesses of the parts, namely JavaScript, Java, Flash, and anything accessible via a protocol handler. These types of attack gave way to direct browser flaws... after all, why carry out a multi-stage attack when you could trigger straight code execution? Fast forward to 2008: browser flaws are not going away in the foreseeable future but they are on the decline, and in a world of stack cookies, non-executable stacks and ASLR they are becoming increasingly hard to exploit. Which takes us back to the complexity issues. They never went away. In fact the situation has gotten worse spurred by the development of offline solutions such as Google Gears and Adobe AIR, the plethora of protocol handlers and an explosion of browser helper objects.
This double session presentation combines the research of four notable Black Hat presenters who have previously discussed client side exploitation from browser to rootkit. Combined with a rapidly increasing corporate interest in "outsourcing" applications to the browser, this fast paced, entertaining, and novel presentation answers the question: should we really be building next generation applications on the shaky foundations of the browser?
This is NOT another talk focused on XSS or CSRF, it's about issues and vulnerability classes that have not been discussed anywhere else. ...
The concerns about these vulnerabilities have spurred the following articles:
A photo that can steal your Facebook account (Computerworld):
They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR but omit a few key details to prevent it from being used immediately in any widespread attack.
To the Web server, the file looks exactly like a .gif file. However, a browser's Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim's browser. The browser then treats this malicious applet as though it were written by the Web site's developers.
Black Hat Sneak Preview (ZDNET):
There are numerous web applications out there that allow you to upload images, but very few that allow you to upload Java class files. This is for the obvious reason that an attacker-created applet uploaded onto a legitimate web application will allow the execution of arbitrary applet code in the victim’s browser under the context of the web application it was loaded from. Of course, this all goes out the door if you can convince the application that what you have is a valid file for its purposes, yet still deliver the Java applet to the server.
A photo that can steal your online credentials (InfoWorld):
By placing a new type of hybrid file on Web sites that let users upload their own images, researchers can circumvent security systems and take over Web surfers' accounts.
It's only the tip of the iceberg, and the Internet sure seems to be beginning to look an awful lot like the Titanic ... will it hit this iceberg head on and sink, graze it and hope for the best while it tries to patch its gushing innards, or will it go around the iceberg?
I don't think it's possible to miss it entirely, but even a grazing can't be avoided without a concerted effort by an awful lot of developers.
Also from the InfoWorld article:
But researchers say that while a Java fix may disable this one attack vector, the problem of malicious content being placed on legitimate Web applications is a much larger and thornier issue. "There will be other ways to do this, with other technologies," said GIFAR developer Nathan McFeters, a researcher with Ernst & Young's Advanced Security Center.
"In the long term, Web applications are going to have to take control of the content," McFeters said. "It's a Web application issue. The Java attack that we're currently using is just one vector."
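As an added example (not code from the post or from the GIFAR researchers) of the kind of content control McFeters is calling for: a Python upload check that first applies the naive "does it start with an image header?" test the Computerworld excerpt describes, then asks whether the same bytes also parse as a ZIP archive, which is what a JAR is. It goes beyond GIF to PNG and JPEG headers as well, since the structural weakness is the same; the sample inputs are constructed for the test and contain no Java.

```python
import io
import zipfile

# Magic numbers of image types commonly accepted by upload forms.
IMAGE_MAGICS = {"gif": (b"GIF87a", b"GIF89a"),
                "png": (b"\x89PNG\r\n\x1a\n",), "jpeg": (b"\xff\xd8\xff",)}
ZIP_EOCD_SIG = b"PK\x05\x06"  # ZIP End Of Central Directory signature

def image_type(data: bytes):
    """Image type whose magic bytes open the file (all a naive server-side
    'is this a picture?' check looks at), or None."""
    for kind, magics in IMAGE_MAGICS.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def zip_eocd_offset(data: bytes) -> int:
    """Offset of the ZIP End Of Central Directory record, or -1. A JAR is a
    ZIP, and ZIP readers find the archive from the END of the file, so one
    appended after a complete image still loads in the JVM."""
    tail = data[-(22 + 65535):]  # EOCD is 22 bytes plus up to 64 KiB comment
    pos = tail.rfind(ZIP_EOCD_SIG)
    return -1 if pos == -1 else len(data) - len(tail) + pos

def embedded_archive_names(data: bytes) -> list:
    """Entry names of a ZIP archive embedded in data; [] if none parses."""
    if zip_eocd_offset(data) == -1:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def check_upload(data: bytes) -> str:
    """'reject-not-image', 'reject-polyglot' or 'accept'. A file that passes
    the image check yet also parses as a ZIP is a GIFAR-style polyglot."""
    if image_type(data) is None:
        return "reject-not-image"
    if embedded_archive_names(data):
        return "reject-polyglot"
    return "accept"

# Constructed samples (not files from the talk): a minimal 1x1 GIF, and the
# same GIF with a small ZIP (one text entry, no Java code) appended to it.
MINIMAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x3b"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("note.txt", "constructed test entry")
SAMPLE_POLYGLOT = MINIMAL_GIF + _buf.getvalue()
```

Rejecting the upload is the cheap check; the more robust mitigation is to re-encode every accepted image with an image library so that anything appended after the real image data is dropped before the file is ever served from the application's origin.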
I am sure that there will be more discussion and concern after the full (well, nearly full) impact has been discussed at the Black Hat USA 2008 conference.