Monday, April 27, 2009

New Vulnerabilities pwn you long time

There's a new security update for Firefox, and it's a doozy, so when Firefox asks you to restart, click "yes". From the SANS Security Consensus mailer (highly recommended):
Multiple Mozilla products, including the popular Firefox web browser, Thunderbird email client, and SeaMonkey application suite, contain multiple vulnerabilities in their handling of a variety of inputs. Memory corruption, cross-site scripting, cross-site request forgery, script injection, bypass same origin policy, information disclosure and url spoofing are some of the vulnerabilities in these products. Some of these vulnerabilities upon successful exploitation might lead to arbitrary code execution.
Other than that, Mrs. Lincoln, how did you like the play? Boy, howdy. "Arbitrary code execution" is the Holy Grail of Bad Guy hacking - their code runs on your computer. It pwns you long time.

But those of you who run Internet Explorer can stop smirking - you have some security fixing to do, too:
Microsoft Whale Intelligent Application Gateway (IAG) is a VPN solution that provides secure remote access to corporate networks remotely. It installs with "WhlMgr.dll" ActiveX control, which has been identified with multiple stack based buffer overflows. ActiveX control is identified by CLSID:8D9563A9-8D5F-459B-87F2-BA842255CB9A. The specific errors are in the "CheckForUpdates()" and "UpdateComponents()" methods while passing specially crafted arguments to them. A malicious web page that instantiated this control could exploit these vulnerabilities to execute arbitrary code with the privileges of the current user. The user will have to be enticed to visit these malicious pages.
This is super extra crazy Bad News because of the broken security architecture of Internet Explorer. Basically, the browser can load code snippets (called ActiveX Controls) which execute in your CPU. Since ActiveX Controls can be downloaded from arbitrary web sites, Microsoft added a "security" model to protect you from J. Random Bad Guy: the code has to be digitally signed by a trusted organization.

Sounds good, right? Here's the problem:
That box at the bottom? Always trust content from Microsoft Corporation? Everyone always checks it, because otherwise you get a million security popups. When this box is checked, all ActiveX Controls from Microsoft are silently downloaded from the web server and execute in your browser.

Including our friend, the WhlMgr.dll ActiveX control. J. Random Bad Guy web site can serve up this ActiveX Control, and your browser will happily (and silently) download and execute it. The Bad Guy web site then exploits the vulnerability to run the arbitrary Bad Guy code. You get pwned long time.

Even worse, there's no good way to update the ActiveX Control to a version that isn't vulnerable; you often have to reinstall the application it came with.

Blech.

So use Firefox. Just click "yes" when it tells you it needs to restart to install security updates.
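For anyone who has to keep Internet Explorer around: the control can be blocked from loading without being updated, by setting the "kill bit" (0x400 in the "Compatibility Flags" value under the control's CLSID in IE's ActiveX Compatibility registry key). The script below is an added example, not part of the original post or of any Microsoft tool; it audits a `reg export` dump for that bit on the CLSID quoted above, in both the native and the 32-bit (Wow6432Node) registry views. The function names are hypothetical and the sample export is constructed.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating a control
COMPAT_SUFFIX = r"\microsoft\internet explorer\activex compatibility" + "\\"
WHLMGR_CLSID = "8D9563A9-8D5F-459B-87F2-BA842255CB9A"  # CLSID quoted in the advisory

# Constructed sample in `reg export` format (not captured from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8d9563a9-8d5f-459b-87f2-ba842255cb9a}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8D9563A9-8D5F-459B-87F2-BA842255CB9A}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00800400
"""

SECTION = re.compile(r"^\[(.+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')

def parse_compat_flags(export_text):
    """Return {(view, CLSID): flags} for every ActiveX Compatibility subkey."""
    flags, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            # Key names are case-insensitive; split off the CLSID subkey name.
            head, sep, clsid = m.group(1).lower().rpartition(COMPAT_SUFFIX)
            view = "wow64" if "\\wow6432node" in head else "native"
            current = (view, clsid.strip("{}").upper()) if sep else None
            continue
        m = FLAGS.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags

def kill_bit_status(export_text, clsid, views=("native", "wow64")):
    """Per view: True if the kill bit is set; False if the key is absent or the bit is clear."""
    flags = parse_compat_flags(export_text)
    return {v: bool(flags.get((v, clsid.upper()), 0) & KILL_BIT) for v in views}

def unprotected_views(export_text, clsid):
    """Registry views in which IE would still instantiate the control."""
    return [v for v, killed in kill_bit_status(export_text, clsid).items() if not killed]
```

A real `reg export` file is UTF-16 encoded, so decode it as such before passing the text in. On 32-bit Windows there is no Wow6432Node view, so only the "native" result applies there.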

2 comments:

doubletrouble said...

OK, I've just read all the security posts.

I think the only safe course is to shoot the computer.

Is there a correct gauge/caliber for this mission (from a security standpoint)?

I'm thinkin' one mag of .45 ought to do it...

Borepatch said...

Doubletrouble, you'll recall that we did a scientific experiment. ;-)