December 22, 2014

The difference between an exploit and a vulnerability

(LiveHacking.Com) – Any reader of this blog will inevitably come across words like vulnerability, exploit, malware, Trojan and so on. Some of these words have connected meanings, but in themselves they have clear and separate definitions. For example, a Trojan is a type of malware, but not all malware is a Trojan. What about ‘vulnerability’ and ‘exploit’: are they the same thing? If not, what is the connection?

A vulnerability is a flaw in a system, or in some software in a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself. It isn’t an open door but rather a weakness which, if attacked, could provide a way in.

Exploiting is the act of trying to turn a vulnerability (a weakness) into an actual way to breach a system. A vulnerability can therefore be ‘exploited’ to turn it into a viable method of attacking a system.

In software (rather than whole systems including the people, the computers, the firewalls, the networks and so on), the most common type of vulnerability is a memory error. These can be buffer overflows, heap corruptions or NULL pointer dereferences. Once a memory issue has been discovered an attacker will try to exploit it by manipulating how the memory is corrupted in the hope of altering some aspect of the addressing (maybe a return address). This can then be used to make the CPU run code in another part of memory. If arbitrary code execution is achieved then the system can be exploited. The extent of the exploit will depend on the nature of the vulnerability, whether privilege elevation was achieved, and the extent of technologies such as sandboxing or address space layout randomization (ASLR).

Turning a software vulnerability into an exploit can be hard. Google, for example, rewards security researchers for finding vulnerabilities in its Chrome web browser. The payouts Google makes are in the range of $500 to $3000. However, it also runs competitions for security specialists to present exploited vulnerabilities. These exploits are rewarded with much larger sums, as much as $60,000. The difference in payouts reflects the magnitude of the task of exploiting a vulnerability.

5 Threats Posed by Vulnerabilities

(LiveHacking.com) – A vulnerability scanner is an essential tool for any systems administrator. Vulnerabilities on your network and in your software can easily lead to compromised systems. There is a false impression that it requires a lot of skill to compromise a computer system. In reality, however, the number of incidents where machines are compromised due to trivial events is substantial, and these could all be identified and prevented by a good vulnerability scanner.
In this article we outline five threats posed by vulnerabilities and juxtapose them with five real-life cases.

1. Change to a network - In 2004, a postal bank office in Israel suffered a break-in. A quick investigation found that nothing went missing, so the whole episode was dismissed as a prank. In the following days, however, the office noticed that tens of thousands of shekels were going missing. A more thorough investigation revealed a rogue access point installed on the network. The thieves had broken into the postal bank office to install it a few days earlier; the break-in obviously went unnoticed. A vulnerability scanner would have been a great help in this case, as it monitors changes to the network and advises the administrator when hardware is added or removed. Such a check would have alerted the administrator to the rogue access point the minute it was installed.

2. Creation of an account and irregular use - In April 2011, a story broke about a former Gucci employee illegally accessing Gucci systems and causing $200,000 worth of damage. It all started when the Gucci employee was fired. His administrator promptly disabled his accounts, as good security practice recommends. However, before being fired, the employee had created a fake user account that the administrator was not aware of, which he then used to access Gucci systems. In this case, a good vulnerability scanner would have helped detect the threat, firstly by alerting the administrator when the account was created, and secondly by notifying them when the account was used on an irregular basis, so the administrator could then delete the unnecessary account.

3. Deploying a patch - On April 13, 2004, Microsoft released a patch for a security flaw in its Windows operating system. A few weeks after the patch was made available, a malicious computer worm was released on the internet. This Sasser worm exploited the vulnerability and caused widespread chaos even though companies had a few weeks’ head start to deploy the patch. It caused a news agency to lose satellite communications for hours, an airline to cancel flights and a financial institution to close 130 of its offices due to widespread infection. An important function of a vulnerability scanner is to scan the network for vulnerable applications for which a patch is available and inform the administrator. Provided the administrator is proactive in testing and deploying the patch, a few weeks would be more than enough to secure a network.

4. Creation of blank passwords - One of the top hacker stories recurring in the news over the past five years is that of Gary McKinnon. Out of his conviction that the United States government had certain information about extraterrestrials and knowledge of anti-gravity and free energy, in February 2001 McKinnon started looking for proof by trying to gain unauthorized access to US military and NASA computer systems. He allegedly scanned the systems for administrator accounts using blank passwords, and actually managed to find quite a few systems, which he then compromised. A good vulnerability scanner will help in two ways in such a situation. First and foremost, it will scan and report on a system’s password policies, enabling the administrator to determine whether users can create weak passwords. Additionally, a vulnerability scanner will also check administrator accounts for blank passwords.

5. File sharing software - We all know that the US military takes secrecy seriously, and there is no doubt that some of the most secretive details revolve around the presidential helicopter defense system. In March 2009, however, news broke that details about Marine One’s missile system were being shared on a P2P network from a computer in Iran. It turned out that an employee of the contractor in charge of the helicopter had installed file sharing software and inadvertently shared the classified file. The dangers of file sharing software in relation to data leakage are well known. A good vulnerability scanner will not only inform the administrator when new software is installed on a system but also specifically when file sharing software is installed on a scanned computer.

These threats could easily have been brought to the attention of the systems administrator by means of a vulnerability scanner. Vulnerabilities can cause a number of issues that can lead to a system compromise. The number is so staggering that it might not be possible to stay ahead without system support. A good vulnerability scanner nowadays checks for many vulnerabilities at the click of a button and can indeed provide the information an administrator needs to avoid many pitfalls, such as those discussed in the five examples above.

Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about what to look out for when choosing a vulnerability scanner.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

New “Highly Critical” Windows 7 Vulnerability

(LiveHacking.Com) – Microsoft are investigating a new vulnerability in Windows 7 which causes a blue screen of death (BSoD). A “researcher” named webDEVIL posted to Twitter that “<iframe height=’18082563′></iframe> causes a BSoD on win 7 x64 via Safari. Lol!” Security company Secunia then posted an advisory rating the issue as “Highly critical”, as the fault can lead to system compromise and successful exploitation does not require any user interaction.

The vulnerability is due to an error in win32k.sys and can be used to corrupt memory via a specially crafted web page. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges. It isn’t clear yet if an actual exploit exists or if this is just a potential hole to launch an attack.

“We are currently examining the issue and will take appropriate action to help ensure customers are protected,” Jerry Bryant, group manager of response communications for Microsoft’s Trustworthy Computing Group, said in a statement to SecurityWeek. The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit. Other versions may also be affected.

Has Skype for iOS Vulnerability Been Fixed?

(LiveHacking.Com) – A new version of Skype (3.5.84) for the iPhone and iPad appeared in the App Store yesterday with lots of new features like Bluetooth support and image stabilization. But the “What’s New” section also mentions “Bugfix for security vulnerability.” Currently Skype are keeping quiet about exactly which “security vulnerability” has been fixed, however it is most likely to be the Cross-Site Scripting vulnerability found in the “Chat Message” window which could allow an attacker to download a copy of the phone’s address book.

The vulnerability, which was found last week, can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, but it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can craft malicious JavaScript code that runs when the victim views the message.
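The rendering mistake described above, shown as an added example that is not Skype’s code: the sender-controlled “Full Name” field is placed into the chat view’s HTML without output encoding, beside a version that entity-encodes every untrusted field first. The function names and the sample message are assumptions constructed for the illustration.

```javascript
// Added illustration (not Skype's code). Names and sample data are assumptions.

// Entity-encode text that will be placed into an HTML element's content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the remote user's "Full Name" is concatenated straight
// into markup, so any tag inside the name becomes live HTML in the chat view.
function renderMessageUnsafe(fullName, body) {
  return `<div class="msg"><b>${fullName}</b>: ${body}</div>`;
}

// Hardened pattern: every attacker-influenced field is encoded on output,
// so the same name is shown as literal text instead of being executed.
function renderMessageSafe(fullName, body) {
  return `<div class="msg"><b>${escapeHtml(fullName)}</b>: ${escapeHtml(body)}</div>`;
}

// Simple check used below to show the difference between the two renderers:
// does the generated markup contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a display name carrying a script tag (the field the
// original bug failed to encode) and an ordinary message body.
const SAMPLE_NAME = "Alice <script>/* attacker-chosen code */</script>";
const SAMPLE_BODY = "Hi, are you <free> tonight?";

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderMessageUnsafe(SAMPLE_NAME, SAMPLE_BODY));
  console.log("safe:  ", renderMessageSafe(SAMPLE_NAME, SAMPLE_BODY));
}
```

In a real client, building the view with DOM APIs such as `textContent` rather than string-built markup avoids the encoding step altogether.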

Skype has published a blog post about the new iOS version in which it explains the new anti-shake feature and the support for Bluetooth; however, it mentions nothing about the security fix.

It is recommended that every iPhone/iPad Skype user updates to this new version, but it is also worth noting that there have been reports of problems with the new version, including:

1. Skype Credit not showing
2. Contacts slow to sync
3. Account settings (e.g. photo, name, profile) not appearing

To remedy these, Skype suggest deleting your Skype app and starting a new installation from scratch. To delete the app, press and hold the app icon on your iPhone, and click the ‘X’. To re-install, return to the AppStore, and install.

Cisco Releases Details of Vulnerability in Cisco TelePresence Recording Server Software

(LiveHacking.Com) — Cisco has released a security advisory and a corresponding applied mitigation bulletin to address vulnerabilities in the Cisco TelePresence Recording Server Software Release 1.7.2.0. Cisco TelePresence is an in-person communication and collaboration tool.

According to Cisco, Version 1.7.2.0 of its TelePresence Recording Server Software includes a root administrator account that is enabled by default. Successful exploitation of this vulnerability could allow a remote attacker to log in with these default credentials over an SSH session and modify the system configuration and settings.

Cisco’s workaround involves the use of infrastructure access control lists (iACLs) to perform policy enforcement of traffic sent to the equipment. Administrators can construct an iACL to explicitly allow only authorized traffic to be sent to the infrastructure devices. However, Cisco point out that the iACL workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address.

Critical Vulnerabilities Found and Fixed in VLC Player but Opera Web Browser Not so Lucky Yet

Two critical heap corruption vulnerabilities have been discovered in the rarely used decoder for the CDG format in the VLC player. These index validation bugs could theoretically allow a maliciously crafted CDG video to corrupt the heap in a deliberate manner and potentially execute injected code.

As a response to these bugs, and a problem with the Real demuxer which could allow a remote denial of service attack, VLC V1.1.6 has been released. Other changes in V1.1.6 include faster Webm/VP8 decoding.

V1.1.5 of VLC was downloaded 58 million times since its release two months ago, and the fixes are for potentially exploitable vulnerabilities, although no actual practical exploits have been documented. The same cannot be said, however, of the Opera web browser.

Back in January a bug report was posted by Jordi Chancel which identified a vulnerability in Opera’s handling of an HTML “select” element containing an overly large number of children. This bug could be exploited by remote attackers to take complete control of a vulnerable system.

It now appears that VUPEN have succeeded in exploiting this bug to inject and execute code. This means that specially crafted web pages could exploit the vulnerability and infect Windows systems with malware. The bug has been confirmed in Opera 11.00 and earlier and 10.63 and earlier on Windows 7 and XP SP3. At present there’s no patch or update for the problem.

Another zero-day vulnerability in the Windows kernel

Prevx is reporting that an exploit for a previously unknown security vulnerability in Windows’ win32k.sys kernel mode driver has been published on a Chinese forum. The vulnerability allows attackers who have penetrated a system to escalate their privileges.

Read the full story here.

Source: [TheHSecurity]

Multiple Vulnerabilities in D-Link DIR-615

Multiple vulnerabilities in the D-Link DIR-615 Wireless N 300 router have been discovered.

D-link DIR-615 Device Information and Configuration Vulnerability

General device configuration and information such as UDN, services, service ID, Control URL and other detailed information from a D-Link DIR-615 Wireless N 300 router can be accessed by fetching root.sxml using a web browser.

D-link DIR-615 Open Ports Vulnerability

TCP ports 4444, 8099, 8456, 8832 and 9393 are open on the D-Link DIR-615 Wireless N 300 router. The above-mentioned ports could be used for a remote connection over the HTTP or Telnet protocols.

D-link DIR-615 User Name and Password Security Mechanisms

The D-Link DIR-615 console login page contains information about the security mechanism used to encrypt the user name and passwords.

Vulnerability in OpenSSL 1.0.x

A new vulnerability in OpenSSL 1.0.x has been reported by Computerworld. The vulnerability was discovered by security expert Georg Guninski, who has pointed out a security issue in the 1.0 branch of OpenSSL that potentially allows SSL servers to compromise clients.

The hole can be exploited simply by sending a specially crafted certificate to the client, causing deallocated memory to be accessed in the ssl3_get_key_exchange function (in ssl\s3_clnt.c). While this usually only causes the application to crash, it could potentially also be exploited to execute injected code.

Read more about this news here.

Source: [Computerworld]