Should we kill IE?

Earlier today I stumbled across a link to explorerdestroyer.com, a site trying to convince web developers to urge their IE users to switch to Firefox. They ask web developers to employ one of a range of solutions, from showing an advert for Firefox to IE users to not allowing IE users near their pages at all.

To me their approach seems silly. The problem (as they see it) is that IE doesn’t support various standards and encourages proprietary features. If everyone used Firefox, then what’s to stop that from becoming the next “IE”? Won’t it get proprietary features which will then get used? As an example (last I read), Firefox allows transparency via CSS, but the W3C has no official support for transparency (IE and Opera also support this, but each in their own way).

I think there should be an even spread of browser usage. This would encourage sites being developed to the standards and more importantly would speed up browser improvements as all the various companies would have to constantly improve their browsers to maintain their user base.

I am reminded of a South Park episode where the people rebel against Walmart, burning it down, and instead all shop at a local shop, turning it into the next Walmart, then repeating the whole process over again.

I’m all for people saying how bad one thing is and promoting another, but to me this seems too far. They go as far as saying that Firefox has to quickly gain users so that IE6 users don’t switch to IE7 and stay with it. IE7 is a good browser, it fixes a lot of issues that people hate about IE6. I think that IE6 users should switch to IE7 (when it’s released) and then leave it up to them to do whatever they want, but deliberately forcing people away from a good browser is simply not a clever idea. I’m glad that Mozilla aren’t affiliated with this site as I dislike the aggressive mannerisms, though I would enjoy reading Mozilla’s comment on it.

Oddly enough, the site I’ve linked to works perfectly fine with IE and they have no nag screens asking me to change over.

Why is it so slow to fix flaw at university Web site

Recent discussion at FD shows how difficult it is to fix a security hole at a university Web site. This ongoing case is related to the disclosure of SSNs on a public Web site.

Comments from list readers are interesting; from giving a news tip to the local campus TV station to exploiting this flaw by the discoverer. Sad.

Let’s hope that IT staff at that university are reading Full-Disclosure.

The NULL Terminated Strip #4 (comic strip)

The NULL Terminated Strip, the fourth strip of this new comic.

The NULL Terminated Strip #4


Hacked #8 (comic strip)

Hacked, the eighth strip of this new comic.

Hacked #8


Advanced targeted comment spam and FP decision making

Recently we’ve had several interesting comment spam attempts which were very advanced. Deciding what’s spam is becoming increasingly difficult. Further, we caught a comment spam kit. :)

First example, Inter-linked Blogs:

“FICO scores and its variants are designed to measure the risk of default,
by taking into account various factors”

Nickname: johnny
In johnny’s nickname website (Nickname URI) we have:
http://acceptcreditcard.blogspot.com

^^ anyone have any idea if that blog and all those linked to from it are
legit in any way?

In recent months we have seen an ever increasing number of inter-linked blogs, often at free blog online services, which link to each other for spamming purposes. I wrote on this before.

Just last month we had a spam attempt linking to a Google Group specifically created to have the spam in it so it can be linked to.

I had trouble deciding if it was legitimate as a comment for this post, I tend to think it isn’t:
http://blogs.securiteam.com/index.php/archives/169

Second example, Comment Spam Kit:

“Personally, I never use more than a single link in the comment I post
because doing so can trigger spam catchers if the user has that plugin activated,
whereas a single link will not.”

Nickname: Use Keyword Here
Nickname URI: http://www.sag-ci.com/pornarchive/05841.html

Previously, we have seen a similar post only with the spamming engine defaults completely unchanged, so that the Nickname URI was: http://www.your-domain.com/Your-Page.htm.

Meaning, this was likely a comment spam kit, and somebody forgot to change the defaults before setting it on the world wide web. :)

Third example, Content-sensitive Comment Spam:

“these security patches helps to secure some security holes in windows.
This happens due to a poor testing of the product.”

Nickname: Home
Email: cool at csun.edu (csun has no such email, but it’s a good one as EDU emails appear to be more reliable than usual fake ones, except for the “cool” part).

Nickname URI: http://www.homessecuritysystems.net

The original post this was a comment for is: http://blogs.securiteam.com/index.php/archives/210

These are older posts, so that’s an indicator too.

Anyway, screening these things is becoming increasingly time consuming.

Some other examples, not as good though:

Nickname: Hacker_safa
E-mail: safa_7182@hotmail.com
Nickname URI: http://www.gencbiliim.us

BEn Hacked Dediysem Odur Haced By HAcker_safa

Well, there’s “hack” in there.

Nickname: Smart
E-mail: smart@smart.com
Nickname URI: http://www.smart.com

Have you ever heard ‘Sorry’ of Madona … hot song. I love C# :)

I suppose “I love C#” is supposed to be on-topic for “computer” type blogs?
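As an added example (my own code, not the blog’s actual filter), here is how the indicators walked through above can be turned into a scored decision with a “review” band for the hard cases; the weights, the threshold and the post ages are invented.

```php
<?php
// Added example, not the blog's own filter: score a comment against the
// indicators the post walks through. Weights and thresholds are invented.

function score_comment(array $c, $post_age_days)
{
    $score = 0;
    $why   = array();
    $host  = parse_url($c['uri'], PHP_URL_HOST);
    $host  = is_string($host) ? strtolower($host) : '';
    // Nickname reduced to letters/digits so "Use Keyword Here" -> "usekeywordhere".
    $nick  = strtolower(preg_replace('/[^a-z0-9]/i', '', $c['nickname']));

    // Spam-kit defaults nobody bothered to change.
    if (preg_match('/your-domain\.com|your-page\.htm/i', $c['uri']) || $nick === 'usekeywordhere') {
        $score += 5; $why[] = 'unchanged spam kit defaults';
    }
    // Link into a free blog service, the pattern of inter-linked blog rings.
    if (preg_match('/\.(blogspot|livejournal|wordpress)\.com$/', $host)) {
        $score += 2; $why[] = 'free blog host in nickname URI';
    }
    // Nickname is really a keyword for the link: "Home" -> homessecuritysystems.net.
    if ($nick !== '' && $host !== '' && strpos($host, $nick) !== false) {
        $score += 3; $why[] = 'nickname echoes the link domain';
    }
    // A .edu address vouching for a purely commercial link.
    if (preg_match('/\.edu$/i', $c['email']) && !preg_match('/\.edu$/', $host)) {
        $score += 1; $why[] = '.edu e-mail, non-.edu link';
    }
    // Old posts attract spam, not discussion.
    if ($post_age_days > 180) {
        $score += 2; $why[] = 'comment on an old post';
    }
    $verdict = $score >= 5 ? 'spam' : ($score >= 3 ? 'review' : 'ok');
    return array('score' => $score, 'verdict' => $verdict, 'reasons' => $why);
}

// Samples constructed from the comments quoted in the post.
$samples = array(
    array('nickname' => 'johnny', 'email' => '',
          'uri' => 'http://acceptcreditcard.blogspot.com'),
    array('nickname' => 'Use Keyword Here', 'email' => '',
          'uri' => 'http://www.your-domain.com/Your-Page.htm'),
    array('nickname' => 'Home', 'email' => 'cool@csun.edu',
          'uri' => 'http://www.homessecuritysystems.net'),
    array('nickname' => 'Smart', 'email' => 'smart@smart.com',
          'uri' => 'http://www.smart.com'),
);
foreach ($samples as $s) {
    $r = score_comment($s, 400);   // post age in days, constructed for the sample
    printf("%-17s %-7s %d  %s\n", $s['nickname'], $r['verdict'], $r['score'], implode('; ', $r['reasons']));
}
```

With these weights the kit default, the “Home” comment and the “Smart” comment score as spam, while johnny’s inter-linked blog lands in the review band, which is exactly the case the post found hard to decide.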

I am just thankful that we now finally have a community where we can securely discuss these issues, on the comment spam mailing list.

Some of the previous posts I made on this subject:
http://blogs.securiteam.com/index.php/archives/285
http://blogs.securiteam.com/index.php/archives/290

Gadi Evron,
ge@linuxbox.org.

Fixing silently is Apple’s business too

Fixing security vulnerabilities silently is possible at Apple Computer too, says security researcher Tom Ferris when releasing information about several unpatched OS X flaws at his Web site.

Solution:
This issue was silently fixed by Apple in update 10.4.6.
http://docs.info.apple.com/article.html?artnum=303411

says Mr. Ferris while disclosing details of the Apple OS X 10.4.5 .tiff “LZWDecodeVector ()” heap overflow issue in his “sp-x2” advisory.

Marc Bevand recently started the thread “Microsoft silently fixes security vulnerabilities” on Dailydave.

It’s a Mac, It’s KDE, NO!! it’s Microsoft(r) Windows Vista(tm)

I was given the following link to see the new Windows Vista by Microsoft.

Well, I don’t know. It looks like they just did

# cp -r /usr/src/KDE /usr/src/Windows/Vista

And that’s after the KDE people did the same to Apple’s Mac.

Now don’t get me wrong, I do not hate Microsoft, it’s just that I do not agree with their EULA, behavior and other issues … That’s why I stopped being their customer a few years ago.

Now, I have a question that bugs me a lot, and I would like to ask the people at Redmond: “Why are you always the last to use an already old technology, and yet you call it new?”

…and one giant step for PHP security

While hosts are still undecided on whether to upgrade to PHP5 or not, the people pushing the limits of possibility are busy planning PHP6. PHP6 is mainly a cleanup of code and the addition of some object oriented features (and some other little bits which probably mean more to others than to me). Nevertheless in terms of security it’s something I’m already drooling over.

Every week several exploits are found in various applications written in PHP. Even given the vast number of applications (and therefore flaws), some problems can’t be blamed solely on the coder. At least for me there have always been functions I’m extremely careful about whenever I pass any parameter into them. Now all this is going to be made simpler, safer, better.

Register globals are gone! No more detection and coding around it, or worse: no detection and getting your ass pwned. To be honest, hardly anyone has it on any more, but I’ve still found it a major hassle, especially when I’m helping out people who are used to having it on and suddenly have lost it.

Magic quotes are gone! Again, no hassle of detection. Instead we’ll have the input_filter extension which is so very much better.

Easier detection of MIME types. Should improve checking if those uploaded files are valid.

header() will only accept one header, hopefully virtually killing off HTTP response splitting attacks.
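As an added example (my own code, not from the post), here is the PHP 5 era “detection and coding around it” for magic quotes and register_globals, next to the filter-extension style and a redirect wrapper that refuses CR/LF before anything reaches header(); the helper names are mine, the PHP functions are real.

```php
<?php
// Added example, not from the post: the PHP 5 era workarounds the post wants
// gone, next to the filter-based boundary validation that replaces them.

// --- Legacy: detect magic_quotes_gpc and undo it on every request -----------
function undo_magic_quotes($value)
{
    // Recursively strip the backslashes magic_quotes_gpc added to GPC input.
    return is_array($value) ? array_map('undo_magic_quotes', $value)
                            : stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// --- Legacy: detect register_globals and drop the variables it injected -----
if (ini_get('register_globals')) {
    // With register_globals on, ?is_admin=1 silently creates $is_admin.
    foreach (array_keys(array_merge($_GET, $_POST, $_COOKIE)) as $name) {
        if ($name !== 'GLOBALS' && strpos($name, '_') !== 0) {
            unset($GLOBALS[$name]);
        }
    }
}

// --- Filter extension: validate at the boundary, no ini detection needed ----
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   array('options' => array('min_range' => 1)));
if ($id === null || $id === false) {          // missing, or not a positive int
    header('HTTP/1.0 400 Bad Request');
    exit('invalid id');
}

// --- One header per header() call ------------------------------------------
// Older header() passed a value containing CR/LF straight through, so a
// crafted parameter could end the header and start another one (response
// splitting). Refuse such values before they get anywhere near header().
function safe_redirect($url)
{
    if (preg_match('/[\r\n]/', $url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        header('HTTP/1.0 400 Bad Request');
        exit('invalid redirect target');
    }
    header('Location: ' . $url);   // exactly one header, already validated
    exit;
}

$next = filter_input(INPUT_GET, 'next', FILTER_UNSAFE_RAW);
safe_redirect($next === null ? 'http://example.com/index.php' : $next);
```

FILTER_VALIDATE_URL only accepts absolute URLs, which is why the fallback target is absolute; on a PHP 6 style build the two legacy blocks become dead code and can simply be deleted.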

For full details about the April PHP6 meeting read the minutes.

Hacked #7 (comic strip)

Hacked, the seventh strip of this new comic.

Hacked #7


Fuzzing Mailing List Created

A new high-clue mailing list for fuzzing now exists. It’s technical and about fuzzers, but OT is allowed.

To subscribe:
http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing

Gadi Evron,
ge@linuxbox.org.

Why is everyone reading FD again?

After years of arguments about the validity of the Full-Disclosure mailing list, flame wars, endless kiddie arguments and trolling, there came the mail bombings.

People actually quit FD after that.

A year ago a friend told Ren the following: “I finally got promoted, now one of the new kids can read FD!”

This past week, that same friend said: “I love reading FD, for the funny stuff.”

Ren immediately asked: “You read n3td3v?”
Friend: “Yeah.”
Ren: “I figured.”
Friend: “Well, it’s like with Howard Stern, you just want to see what he’ll say next”.

Another friend of Ren quickly pointed out: “Such people are good for enjoyment, but tend to discourage productive work due to frequent, uncontrollable laughter.”

There you have it folks, n3td3v will now and forever be known as the very special person who saved FD.

UPDATED: Misleading and Incomplete Information in MS06-015

UPDATE APRIL 21: In response to reports of compatibility problems with the new extension verification component (verclsid.exe) of the MS06-015 update, Microsoft plans to issue a revised version of MS06-015 on Tuesday, April 25th. The updated update will effectively whitelist four extension class IDs. These are associated with HP Share-to-Web and some NVIDIA software.

Microsoft’s original workaround, as provided by Mike Reavey and documented in the KB article, only addresses one of the two compatibility problems. If you have the problems described in Microsoft Knowledge Base Article 918165 after applying the update and the previous registry fix did not work for you, I’ve provided two registry scripts that may help alleviate these issues.

The registry scripts are based on information from the newly-revised MS06-015 as well as the aforementioned article. It is worth mentioning that these registry files have only been tested for correctness, as the population base affected seems to be fairly low. If you can, wait for Microsoft’s re-release of the MS06-015 patch on April 25th. If you have issues with the application or compatibility of either of these, let me know, but by using them, you do so at your own risk.

The download locations are:

My PGP key is available from the MIT key server (pgp.mit.edu). You may retrieve it via the web.

You are encouraged to back up the relevant hive of the registry (or the entire registry, if possible) before making these changes. This will minimize downtime in the event of an unforeseen compatibility problem. You may find more information on how to back up the registry in Microsoft Knowledge Base articles 322756 (Windows XP and Windows Server 2003) and 322755 (Windows 2000).

Microsoft’s Patch Tuesday has struck again. It seems, that in order to enjoy Microsoft’s recent patch days, one must really appreciate the oh-so-sweet smell of downplay.

Today was no exception. Today’s downplay of the month goes to MS06-015. That bulletin announced a patch which supposedly plugged a single “Windows Shell Vulnerability” involving the shell’s handling of COM objects. It states, rather paradoxically:

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

[…]

Note The update for this vulnerability also addresses a publicly disclosed variation that has been assigned Common Vulnerability and Exposure number CVE-2004-2289.

According to a VIM post by Steve Christey, this vulnerability has been known since May 2004. So, let me get this straight. The vulnerability that is documented was privately-reported, but the “variation” that was also patched has been publicly known for 700+ days. In that case, the issue that is truly the “variation” is the issue that was discovered and reported privately after the public disclosure. At least, that’s how I hope it went down. Regardless, the information as published is extremely misleading and Microsoft’s choice not to document a publicly-reported vulnerability is not one that will be for the benefit of its customers’ security.

More interesting is this convenient phraseology in MS06-015. The update includes two “changes to functionality”, one of which is below:

This security update includes a Defense in Depth change which ensures that prompting occurs consistently in Internet zone drag and drop scenarios.

Oh, and do tell us, Microsoft, what threat is this meant to address, exactly? The implicit statement the bulletin makes is rather clear: prompting in internet zone drag and drop scenarios was previously inconsistent. That’s not exactly rocket-science to anybody, and in fact, it sounds suspiciously like an attempt to plug the vulnerability I reported publicly in February, which is CVE-2005-3240. Now, without testing that hypothesis, I will refrain from passing immediate judgment or speculating on the likelihood of that possibility. The bottom line is this: we just don’t know.

Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don’t know what the patches are for. It’s virtually impossible to make a determination about a deployment timeframe if not deploying a patch has the potential to place you at an additional, unknown risk. As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information.

Every time Microsoft seems to be getting the security pitch right, one gets thrown in the dirt. Microsoft needs a new ball. MS06-015 should be revised or completely rewritten, with the objective of providing sensible, coherent and complete information to customers.

Comment spam? What’s that?

http://news.com.com/2100-7349_3-6059672.html?part=rss&tag=6059672&subj=news

I wonder. :)

http://blogs.securiteam.com/index.php/archives/285
http://blogs.securiteam.com/index.php/archives/290

But I’m just being cynical. :)

Gadi Evron,
ge@linuxbox.org.

Captchas && Cuteness: KittenAuth :)

In a nutshell, from “The Cutest Human-Test: KittenAuth” by Oli:

I primarily wanted a method that didn’t make them have to decipher horrible random text from a box. With OCR constantly improving, this is inherently a failed system… It’s more a case of “when”, less “if”.

I began to start to think of processes that we can do every day with little effort and a computer would either have to be extensively reprogrammed then taught all the possible combinations of entries. I also wanted something that people could customise to their website — eg: instead of everyone use letters and numbers.

Kittens are the answer to all this. Sure you can teach a computer what a cat looks like, and it will probably have a fair shot at picking kittens from alligators but what about when you put it up against other similarly cute animals? Well… I’ve yet to have something try and bodge through it.

There have been similar ideas to more interactive or easy-to-understand Captchas in the past. Nothing too amazingly new here except the actual implementation and the cuteness factor.

With enough attempts (and re-attempts, possibly from different IP addresses) one can learn all the pictures in use (especially with such a low number) or even just keep trying until one succeeds. One can also MD5 them rather easily. From that point on it’s a cat and mouse game. Pun intended. :)

Change a pixel to fool MD5 and people will map the image. Change the pictures randomly from some database, and people will find ways to recognize cats, as with all due respect they are different from other cute animals such as rabbits (bunnies! aahhh!). Etc.
Most importantly, it will be broken if it gets too common. As long as one guy uses it, he is pretty safe.

Cute or not ( :) ), this still demands action from the user and therefore will likely get on the nerves of those same users over time.

It’s way cool though! Regardless, as with any system, the more complex it becomes the more it’s a bitch to run.

You can find more about this cool kitten Captcha here and here.

Gadi Evron,
ge@linuxbox.org.

phpBB version 2.0.20 is out

(Story updated to add new information about copyright information format)

A new version of the popular phpBB software was released on Friday. The phpBB Group has a related forum thread, but no official changelog document yet. In fact, the latest Changelog points to version 2.0.18 (yes, there was a v2.0.19 too).

The new release is named “Golden Super Furry Linen edition” and includes a number of minor security fixes. From the posting:

# [Sec] Replace strip_tags with htmlspecialchars in private message subject
# [Sec] Some changes to HTML handling if enabled
# [Sec] Escape any special characters in reverse dns - Anthrax101
# [Sec] Typecast poll id values - Anthrax101
# [Sec] Added configurable search flood control to reduce the effect of DoS style attacks
# [Sec] Changed the way we create “random” values for use as keys - chinchilla/Anthrax101
# [Sec] Enabled Visual Confirmation by default

Many of us remember this from FD list:
phpBB mass-hack being prepared (FuntKlakow-bot)?

Upgrading is worth it now: www.phpbb.com/downloads.php

Earlier we had this problem with the exact version number in the main page footer:

Powered by phpBB 2.0.11 © 2001, 2002 phpBB Group
etc.

Now we have a new problem:
Powered by phpBB © 2001 - 2005 phpBB Group

But administrators using a patched version can sleep soundly at night.

In fact, I don’t yet know whether the copyright information format ‘2001 - 2006 phpBB Group’ exists as well.

But now, go and patch.

Update April 11th:
There are some widely known phpBB-based forums including year 2006 information: forums.mozillazine.org says ‘Powered by phpBB © 2001-2006 phpBB Group’. phpbb2.de, in turn, has related information and the following text: ‘Powered by phpBB © 2001, 2005 phpBB Group :: FI Theme’. Subsim.com forum says ‘Powered by phpBB © 2001, 2006 phpBB Group and Subsim.com’.
It is just an editable text string.

Kernel Mode IRCbot

This means that detecting rootkits could get a hell of a lot more difficult than it currently is; for more info on this see Tibbar’s blog.
The source code for this project is also up for download on his site, so what does this mean for the security community? Comments, people?