Google has decided to throw away years of progress in Web security, JIT interpreters, and general common sense and implemented a weak rehash of the ActiveX control. Dubbed Native Client, this new plug-in architecture will allow websites to deliver raw x86 code to users in an attempt to “create richer and more dynamic browser-based applications.”
First of all, there is nothing browser-based about running native code. The browser is simply the distribution medium for your native application. Is Google admitting that AJAX and browser applications aren’t all they’re cracked up to be?
In all the hilarious irony however, we shouldn’t lose sight of how awfully bad this idea really is. I mean, it’s just a terrible idea. Pushing raw machine code down the pipes is not a reasonable solution to the problem. We tried this with ActiveX – it’s been a mess. Sure, they’ve put some thought to security – a thinly veiled ‘sandbox’ that statically analyzes the bytes for any “dangerous commands” before it executes. Yeah, I’m sure no one is going to find a way around that….
Really, it’s ideas like this that guarantee that anti-virus vendors will always have a job…
There have been several interesting malware stories in the news this week.
There’s a new worm circulating the social network called Koobface. Basically, you get a message from on of your friends that says something along the lines of, “I found this video with you in it, check it out,” and then you click on the link and the website tells you to update your Flash player. Of course, this isn’t an update to Flash, but rather a worm that steals passwords and account information. McAfee’s Avert Labs has a good piece of advice that everyone should follow to stay safe on the web:
Do not follow any unexpected hyperlinks you receive over the Web, Email, or IM, even if they are received from someone you know. It’s best to ask for confirmation from the sender; that they intentionally sent such a link.
On the other end of hyperlinks, it’s best to install software and updates from the source (such as adobe.com in this case) rather than trusting the content from a third-party website.
There’s also a new trojan that is specifically targeting the Firefox add-ons system and masquerading as a legitimate extension called Greasemonkey. The trojan gets installed through traditional means (codecs, flash update, etc) and installs into the add-ons and extensions folder. Once it’s been installed, it runs as a normal add on would, and watches what websites get visited. It looks for about 100 different sites, ranging from gaming to banking sites. Once it finds a site that it knows, it records the user name and password and reports back to the attacker. The piece of malware takes advantage of what I believe is a major design flaw in Firefox; any extension has complete access to everything the browser gets. This is a major reason way IT departments are reluctant to deploy FF on their networks. You really need to be careful when you are installing extensions, and make sure that they from a trusted source. If browsing a local intranet page with confidential information, it is a best practice to either use a clean FF with no add-ons, or Internet Explorer.
Thirdly, Apple found itself in the malware spotlight after someone found an old support article in which the company recommended running anti-virus software on OSX. This sort opinion sort of flies in the face of their advertising campaign that says that OSX is immune to viruses due to it’s superior architecture. The controversy really started to mount with Apple quietly pulled that article from their support database and did a complete 180 on the issue. I think Apple is doing it’s users a disservice by acting so defiant about the issue. Suggesting that it’s users protect themselves with a modern anti-virus client which does more than just protect against viruses (it helps mitigate damage from trojans, phishing scams, and general data loss) does not mean that their product is flawed, or somehow inferior, it just means they care about their users. Throughout all of this debate though, people seemed to lose sight of the real reason why OSX users should have AV clients on their machines – they can still receive and forward Windows viruses! So please, if you’re on a shared open network, be courteous, and run an AV client.
Here are some of the links
It’s been about a month since Microsoft released MS08-067 – which I posted about here. Since the patch was released, malware writers have scrapped together a worm that is spreading through the internet, swelling the ranks of their already impressive botnet. How does this happen? Wasn’t the bug fixed? Well, let’s take a look at what happened. First, the hole in the system stayed hidden for years – no one knew it existed, not MS security, hackers, or the all-knowing Slashdotters. This is not necessarily a bad thing – because a vulnerability that no one knows about isn’t really a vulnerability at the time, right? It isn’t once the bug was discovered and disclosed that we started having a problem. In this case, the turnaround was fairly quick. MS reacted appropriately and released an out-of-band update and pushed out a lot of press about how imperative it is that people update their machines. The problem is, not everybody is going to update their machine. These people are exceptionally vulnerable right now because in sending out a patch, Microsoft not only told everyone about the bug, but practically sent exploit code to the bad guys. You see, a patch is like the inverse of an exploit – and hackers can take these files and analyze them to figure out exactly what component of the system is vulnerable. There is a time span of mere hours between a patch release and the first sighting of in-the-wild exploitation.
So, my question is, what are we supposed to do? These bugs are going to exists. All operating systems will have a bug like this. Don’t believe the drivel that gets spouted about how Windows is architecturally inferior to all other systems, therefore it is the only one to have these problems. Programmers and testers are human, they make mistakes. The question here is, how do you deal with these bugs once their found. Obviously, you have to disclose them. People need to be made aware of the situation. But once you tell people about the bug, and patch it, then some people are more at risk than they were before. I guess you could take comfort in the fact that less people are at risk (those who patched) but maybe, the overall risk has increased – because now there is a worm spreading. So, do we need a less informative way to disclose the information – just tell people to update without saying what the problem really is? Well, that won’t work either, because really, all the important information is found in the binary patch that gets sent out from Windows Update. Bad guys have a Windows box too, and they get the update. OK – encrypt the patch? Won’t work, they’ll just diff their machines – it might slow them down a couple of hours, but that’s about it. So, I’m at a loss, I guess I have to accept the fact that patches will lead to full disclosure, which will lead to exploitation. I guess we just have to hope that people update their systems when they’re asked to. But, I hate this conclusion – most cause of that H word… maybe we can make updates work they do in video games land – force you to update before it will allow you to connect to the internet again. Any ideas?
Please update your Windows machine now if you haven’t already. Microsoft released an out-of-band update to patch a critical hole that is present in all versions of Windows. Vista and Server 2k8 users are at a slightly less risk since “the vulnerable code path is only accessible to authenticated users” – but still, if you haven’t updated, do it now! This is not an everyday type of vulnerability, but rather a widespread wormable hole that has serious implications if it remains unpatched.
I had the opportunity to attend at talk by Mark Russinovich, of Sysinternals fame, during last week’s Trustworthy Computing Conference. The topic of the talk was about security boundaries in Windows, and more specifically, what is not a security boundary. The talk was very interesting, and I don’t want to reveal too much here, but there was one part of it that stuck with me and has been bothering me for a little while now. One of the technologies he addressed was Patchguard, or Kernel Patch Protection, which was introduced in 64-bit Vista and Server 2008. Patchguard is intended to keep programs from patching, hooking, or otherwise tampering with the internals of the NT kernel. It does this by periodically taking a checksum of some important structures in the kernel (SSDT, interrupt table, HAL tables, etc) and comparing the current value with the previous one. Any discrepancy here will indicate that the kernel has been subverted. If it notices any changes to these structures, it throws an exception which throws a blue screen error. Sounds good, right? Sounds like a great new security feature, no more rootkits! Well, not really. The truth is, KPP really does nothing to stop malicious code, and in fact, is pretty useless in doing so. Mark revealed in his talk, that that was never the intention of KPP, but rather, it was conceived as a way to force legitimate developers to stop using these techniques in their own programs. See, most anti-virus and security products will use some level of system hooking in order to get a good view of activity. In fact, one of Mark’s very own tools, RegMon, hook’s the SSDT to watch registry activity. He even wrote a publication about the technique! The problem with kernel hooking is that it is entirely unsupported and significantly reduces stability.
So here’s what I don’t understand. Microsoft has recognized that system hooking leads to instability. They’ve decided that programmers aren’t good enough to extend a kernel function safely without throwing a blue screen exception, so now they’re not going to allow us to hook certain system structures (pfft, allow is a funny thought). But, instead of actually fixing the gaping holes in their system, they’re going to simply watch for system hooking, and then guarantee that the system will crash, by causing the crash. Oh yeh, and they are going to blame it on the developer. It’s like a car company deciding that talking on your cell phone while driving is dangerous, so they’re going to create a system that detects if you’re on the phone and then drives the car off the road for you. That will show you!
I just don’t understand this anti-feature. There are plenty of legitimate reasons for hook these system functions, and it can be done safely. I know it can because Mark has done it, and I’ve done it. If you don’t want developers to subvert the kernel, then provide a complete API that we can use to extend and monitor the system, and fix the problems with your system that allows someone to take write-protected virtual memory, map it to physical memory, strip all the restrictions off of it, and send it back patched. Don’t just come behind perfectly valid code, throw an exception and blame it on us.
I love being right. Remember the Safari carpet bomb I posted about back in April? Remember how Apple said it wasn’t a “security concern” and I scolded them for it? Well, now it’s got interesting. Apparently there is a known flaw in Internet Explorer that allows a website to execute any program on the user’s desktop without their consent. Normally, this flaw isn’t as much of a concern because all new executables downloaded (by anything but Safari) get marked with an alternate data stream tag that indicates that is from the Internet Zone. Any time an application with this tag is opened, the user is prompted and the action must be explicitly allowed. Now when we include Safari’s carpet bombing technique that downloads an exe without notification or ADS marking, then this IE flaw becomes a critical security concern. This is a great example of what is called a blended threat. Two seemingly innocuous bugs combine to create a gaping security hole. The IE team was not concerned with their bug because there was no way to get an unmarked exe onto the desktop without the user knowing, and the Safari team wasn’t concerned with their’s because you couldn’t execute the exes that it downloaded automatically.
So yeh, here’s the MS Security Advisory.
Last week I blogged a little bit about a new cloud syncing product called Live Mesh. I mentioned how in its current incarnation it really only serves as a file syncing and sharing tool, but in the future it will have an open API that will allow programmers to add application specific data to the system instead of whole files. I concluded with a short wish list of programs that might take advantage of this API which included a cloud synced RSS feed list. Well, I was playing around with this the other night, and figured out that this can already be done with just the file-based Mesh.
Quick Background: with IE7, Microsoft introduced what is known as the Common Feed List within Windows. When you click on the little orange RSS icon in IE and subscribe to a feed, it gets added into a system wide collection of feeds. There is a background service that keeps all of these feeds up to date. The feeds are then visible to any application on the system that wants to interact with them. Right now, FeedDemon and RSS Bandit interact with the Common Feed List as well as IE, Outlook and Live Mail. So, as far as offline feed readers go, the Common Feed List is a pretty good idea. What I would like to do is push that list up into the cloud, and allow me to access it from any computer I’m at. I’m not talking about just an OPML file of feeds that I’m subscribed to, but instead it’s a full version of the CFL, including a read and unread marking on all entries. So far, I think I’ve got a working solution.
In Vista, and Feed List is stored in
and, in XP it is in
C:\Documents and Settings\$USERNAME$\Local Settings\Application Data\Microsoft\Feeds
I just added that folder to Mesh and synced it to that location on all of my other machines. It seems to work like a charm. While Google Reader is probably a better solution to all of this, I still sort of like this set up. You must be careful to allow Live Mesh to update before the Common Feed List does, or your read/write tags will get a little messed up.
I’ve been running this set for about a week or two now and I can say for sure that it does work, however it will clutter your Recycle Bin with .feed-ms files. Why? I cannot explain…