Hello and welcome to the CERTStation Podcast for the 14th week of 2010. I am Jay Johnson and these are the headlines:

Mozilla plans to fix a decade-old CSS leak in their Firefox web browser (pause)
An out-of-schedule update from Microsoft closes a critical security hole in their Internet Explorer web browser, while
Researchers track a cyber-espionage ring to China (pause)
A new PDF exploit requires no specific security hole to function, and finally
The open source community is working to build a wireless keyboard sniffer

And now for this week's newswire details
Firefox developers say they're close to plugging an information leakage hole that has plagued every major browser for more than a decade. The cascading style sheets history attack makes it easy for webmasters to compile vast lists of links visitors have previously viewed. It exploits technology in virtually every browser that causes visited links to be displayed in purple rather than blue. Mozilla has classified the weakness as a bug since at least 2002. But fixing it has proved to be a vexing problem, largely because programmers didn't know how to close the hole without breaking key web functionality. Many proposed fixes threatened to bring browsers to a crawl or to prevent users from knowing whether they had previously visited a website, trade-offs that Mozilla, Microsoft and other browser makers have largely considered unacceptable. The announced changes will soon be incorporated into the development branch of the Firefox browser, and the developers hope the look of most websites will remain unchanged following its introduction.

(pause)
Microsoft has released an out-of-schedule update, closing the critical hole in Internet Explorer (iepeers.dll) that has been known for about three weeks, as well as nine further, previously unknown holes. However, not all of the holes are present in all the supported versions. The risk of a successful attack also varies with the browser version and Windows version targeted. This is due to the improved security features in recent versions of IE (such as protected mode) and Windows (DEP, ASLR). The "F1 hole" disclosed four weeks ago still remains unpatched. It targets the MsgBox VBScript function, which can download help files (.hlp) from a remote source and execute arbitrary commands via macros contained in these files. However, this does require some user interaction, as the user must confirm by pressing the F1 key. It seems Microsoft did not have enough time to also patch the hole in Internet Explorer 8 recently disclosed during the Pwn2Own contest. Contestant Peter Vreugdenhil managed to crack Internet Explorer 8 on Windows 7 despite ASLR and DEP.

(pause)
Researchers in the U.S. and Canada have tracked and documented a sophisticated cyber-espionage network based in China, dubbed Shadow, which targeted computers in several countries, including systems belonging to the Indian government and military. The Shadow network of compromised computers was detailed in a report released Tuesday by the Information Warfare Monitor, a project involving researchers at the University of Toronto's Munk Center for International Studies, The SecDev Group and the Shadowserver Foundation. Information Warfare Monitor is the group that uncovered and documented GhostNet, a similar cyber-espionage ring, last year. The release of the latest report, which details the scope of the Shadow network and discusses some of the Indian government documents that were stolen, was first covered by The New York Times. Shadow is the latest example of cyber-espionage efforts linked to China, including attacks on Google's Gmail system that ultimately led the company to close the censored search engine it built for China. As with other such networks, such as GhostNet, targeted malware is believed to have allowed the attackers to compromise specific computer systems. The report concludes that Shadow was controlled from China and attributes responsibility for the network to one or more individuals with strong connections to the Chinese criminal underground. However, it didn't rule out the possibility of a connection between these individuals and the Chinese government.

(pause)
PDF security specialist Didier Stevens has developed a PDF document which is capable of infecting a PC without exploiting a specific vulnerability. The demo exploit works both in Adobe Reader and in Foxit. Stevens says he used the "Launch Actions/Launch File" option, which can even start scripts and EXE files that are embedded in the PDF document. This option is part of the PDF specification. Although Adobe Reader asks users to agree to the execution of the file, this dialogue can be designed in such a way that users have no idea they may be allowing an infection into their systems. The Foxit reader doesn't even provide a warning. The Sumatra PDF reader is said to be unaffected. Stevens intends to keep his PDF document with the embedded code under wraps until the vendors respond. However, he has provided a document which launches the command prompt when the PDF file is opened. When tested by the heise Security team, this worked under Windows 7 with the current versions of Adobe Reader and Foxit. In principle, this concept is also said to be suitable for starting an FTP transfer to download and start a trojan.
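Because the Launch action is legitimate PDF syntax rather than a parser bug, the practical defence is to flag documents that carry one before they reach a reader. The following Python scanner is an added illustration of that check; it is not code from the podcast, from Didier Stevens or from any vendor. It walks the file's objects, reports every /Launch action with its target file, and notes whether the action is wired to the catalog's /OpenAction, which is what makes it fire the moment the document is opened rather than on a click. The two sample PDFs are constructed inline for the demonstration (their cross-reference tables are omitted, since the scanner matches objects by pattern rather than via xref offsets), and the handling of `#xx` hex escapes in names is based on standard PDF name syntax, under which `/#4Caunch` and `/Launch` are the same name.

```python
import re

# Constructed sample: a minimal PDF whose /OpenAction points at a /Launch
# action. The action name is written with a #xx escape to show that a naive
# search for the literal "/Launch" would miss it.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /#4Caunch /F (cmd.exe) /P (/c echo demo) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same skeleton, but the only action is a harmless /URI link.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")           # /F given as a literal string
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, e.g. /#4Caunch -> /Launch.

    Applied to the whole buffer for simplicity; that may also rewrite a '#'
    inside a string literal, which does not matter for detection.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def find_launch_actions(pdf_bytes: bytes) -> list[dict]:
    """Return one finding per object that carries a /Launch action.

    Each finding records the object number, the /F target (when it is a
    literal string) and whether the catalog's /OpenAction references this
    object, i.e. whether it runs as soon as the document is opened.
    """
    data = normalize_names(pdf_bytes)
    auto_ref = OPENACTION_REF_RE.search(data)
    auto_obj = int(auto_ref.group(1)) if auto_ref else None

    findings = []
    for m in OBJ_RE.finditer(data):
        obj_num, body = int(m.group(1)), m.group(2)
        if not LAUNCH_RE.search(body):
            continue
        f = FILE_RE.search(body)
        findings.append({
            "object": obj_num,
            "file": f.group(1).decode("latin-1") if f else None,
            "on_open": obj_num == auto_obj,
        })
    return findings


def verdict(pdf_bytes: bytes) -> str:
    """Summarise the scan as one line a mail gateway or triage job could log."""
    findings = find_launch_actions(pdf_bytes)
    if not findings:
        return "clean: no /Launch actions"
    auto = [f for f in findings if f["on_open"]]
    return (f"suspicious: {len(findings)} /Launch action(s), "
            f"{len(auto)} triggered on open")


if __name__ == "__main__":
    for label, sample in (("launch", SAMPLE_LAUNCH_PDF), ("clean", SAMPLE_CLEAN_PDF)):
        print(label, "->", verdict(sample), find_launch_actions(sample))
```

The scanner deliberately treats any /Launch as reportable rather than trying to judge the target: as the item above notes, the confirmation dialog text is attacker-controlled, so the presence of the action is the signal. A production version would also decode object streams and inflate compressed content before matching, which this example skips.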

(pause)
The team at Remote-Exploit.org is currently working on an open source hardware/software sniffer project that allows you to decode Microsoft wireless keyboards and, in the near future, Logitech boards. According to the project page, Keykeriki is intended to enable every person to verify the security level of their own keyboard transmissions, and/or to demonstrate the sniffing attacks for educational purposes only. Yes, "educational purposes." In case you don't know, keyboard sniffers allow the user to eavesdrop on what is being typed by analyzing the electromagnetic signals produced with each keystroke. At this point, the software and schematics are available to download from the site, but a pre-made board is not ready for release just yet. However, they should arrive soon, along with add-on modules that include an LCD display and an interface that works with your iPhone.

If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime, this is your host Jay Johnson wishing you a safe and secure week.