Open Source and information security mailing list archives
Date: Sat Mar 25 11:50:43 2006
From: dinis at ddplus.net (Dinis Cruz)
Subject: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

Another day, and another unmanaged-code remote command execution in IE.

What is relevant in the ISS alert (see end of this post) is that IE 7
beta 2 is also vulnerable, which leads me to this post's questions:

1) Will IE 7.0 be more secure than IE 6.0 (i.e. two years after its
release, will the number of exploits and attacks be smaller than today,
and will it be a trustworthy browser?)

2) Given that Firefox is also built on unmanaged code, isn't Firefox as
insecure as IE and as dangerous?

3) Since my assets as a user exist in user land, isn't the risk profile
of malicious unmanaged code (deployed via IE/Firefox) roughly the same
whether I am running as a 'low privileged' user or as administrator? (At
the end of the day, in both cases the malicious code will still be able
to: access my files, access all websites for which I have stored
credentials in my browser (cookies or username/password pairs), access
my VPNs, attack other computers on the local network, install key
loggers, establish two-way communication with an Internet-based botnet,
etc. (basically everything except rooting the box, disabling AVs and
installing persistent hooks (unless of course this malicious code
executes a successful escalation of privilege attack)))

4) Finally, isn't the solution for the creation of secure and
trustworthy Internet browsing environments the development of browsers
written in 100% managed and verifiable code, which execute in a secure
and very restricted Partially Trusted Environment (under .Net, Mono or
Java)? This way, the risk of buffer overflows will be very limited, and
when logic or authorization vulnerabilities are discovered in this
'Partially Trusted IE', the 'Secure Partially Trusted environment' will
limit what the malicious code (i.e. the exploit) can do.

This last question/idea is based on something that I have been defending
for quite a while now (a couple of years), which is: "Since it is
impossible to create bug/vulnerability-free code, our best solution to
create more secure and safer computing environments (compared to the
ones we have today) is to execute those applications in sandboxed
environments".

Basically we need to be able to safely handle malicious code executed
in our user's session, in a web server, in a database engine, etc. Our
current security model is based on the concept of preventing malicious
code from being executed (something which is becoming more and more
impossible to do) versus the model of 'malicious payload containment'
(i.e. sandboxing).

And in my view, creating sandboxes for unmanaged code is very hard or
even impossible (at least in the current Windows Architecture), so the
only solution that I am seeing at the moment is to create sandboxes for
managed and verifiable code.

Fortunately, both .Net and Java have architectures that allow the
creation of these 'secure' environments (CAS and Security Manager).

Unfortunately, today there is NO BUSINESS case to do this. The paying
customers are not demanding products that don't have the ability to
'own' their data center, software companies don't want to invest in the
development of such applications, nobody is liable for anything,
malicious attackers have not exploited this insecure software
development and deployment environment (they still have too much money
to harvest via Spyware/Spam) and the Framework developers (Microsoft,
Sun, Novell, IBM, etc.) don't want to rock the boat and explain to
their clients that they should be demanding (and only paying for)
applications that can be safely executed in their corporate environment
(i.e. ones where malicious activities are easily detectable, preventable
and contained (something which I believe we only have a chance of doing
with managed and verifiable code)).

I find it ironic that Microsoft now looks at Oracle and says 'We are so
much better than them on Security', when the reason why Oracle has not
cared (so far) about security is the same as why Microsoft doesn't make
any serious efforts to promote and develop Partially Trusted .Net
applications: there is no business case for either. Btw, if Microsoft
publicly admitted that the current application development practice of
ONLY creating Full Trust code IS A MASSIVE PROBLEM, and if Microsoft
spent considerable resources and focus on turning that boat around, the
resulting 'partially trusted application' environment (which could then
be enforced by default for all locally executed code) would have more
impact in creating a secure and trustworthy computing environment than
all LUAs and UACs put together :)

Finally, you might have noticed that whenever I talked about 'managed
code', I mentioned 'managed and verifiable code'. The reason for this
distinction is that I discovered recently that .Net code executed under
Full Trust cannot be (or should not be) called 'managed code', since
the .Net Framework will not verify that code (because it is executed
under Full Trust). This means that I can write MSIL code which breaks
type safety and execute it without errors in a Full Trust .Net environment.

...in the hope that somebody is listening...

Best regards

Dinis Cruz
Owasp .Net Project
www.owasp.net

-------- Original Message --------
Subject:     ISS Protection Brief: Microsoft IE createTextRange()
Remote Command Execution
Date:     Fri, 24 Mar 2006 14:55:42 -0500 (EST)
From:     X-Force <xforce@....net>
To:     alert@....net

Internet Security Systems Protection Alert
March 24, 2006

Microsoft IE createTextRange() Remote Command Execution

Version: 1.0


Summary:
A vulnerability was reported in the way Microsoft Internet Explorer
handles unexpected method calls.  Exploitation of this vulnerability
could lead to remote code execution under the security context of the user
viewing a malicious web page.

Description:
Internet Explorer does not properly handle the createTextRange()
method when invoked on a checkbox object.  Because of this, a call is
made to a predictable location in memory.  An attacker can easily
fill this predictable location in memory with malicious code to
be executed.

Business Impact:
Compromise of the operating system can lead to exposure of
confidential information, loss of productivity, and further network
compromise. Successful exploitation of this vulnerability could
be used to gain unauthorized access to one's networks and machines.

Affected Products:
- Microsoft Corporation: Microsoft Internet Explorer 6.0
- Microsoft Corporation: Microsoft Internet Explorer 6.0 SP1
- Microsoft Corporation: Microsoft Internet Explorer 7 Beta 2
- Microsoft Corporation: Windows 95
- Microsoft Corporation: Windows 98
- Microsoft Corporation: Windows 98 Second Edition
- Microsoft Corporation: Windows Me
- Microsoft Corporation: Windows XP
- Microsoft Corporation: Windows 2000 Any version
- Microsoft Corporation: Windows 2003 Any version
- Microsoft Corporation: Windows NT 4.0
______________________________________________________________________

About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor to
thousands of the world's leading businesses and governments, providing
preemptive protection for networks, desktops and servers. An established
leader in security since 1994, ISS' integrated security platform
automatically protects against both known and unknown threats, keeping
networks up and running and shielding customers from online attacks before
they impact business assets. ISS products and services are based
on the proactive security intelligence of its X-Force research and
development team, the unequivocal world authority in vulnerability and
threat research. ISS' product line is also complemented by
comprehensive Managed Security Services. For more information, visit
the Internet Security Systems Web site at www.iss.net or call 800-776-2362.

Copyright (c) 2006 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
xforce@....net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@....net of Internet Security Systems, Inc.
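The following C# program is an added illustration of two points made in the post above (that CAS can build a restricted sandbox, and that under Full Trust the CLR does not verify IL, so type-unsafe code runs without error); it is not code from the post or from any project it mentions. It assumes the .NET Framework 2.0-era CAS APIs (Evidence, SecurityManager.ResolvePolicy, the sandboxing overload of AppDomain.CreateDomain), an unsigned executable compiled with /unsafe, and the illustrative names BitReader and VerifierDemo.

```csharp
// Added illustration (not from the post). Same unverifiable method, run twice:
// once in the default (Full Trust) domain, once in an Internet-zone sandbox.
// Assumes .NET Framework 2.0-era CAS, an unsigned exe, compiled with /unsafe.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

public class BitReader : MarshalByRefObject
{
    // Pointer code is unverifiable (peverify.exe flags it). Reading a double's
    // storage through a long* is the kind of type-safety break the post refers to.
    public unsafe long DoubleBits(double d)
    {
        long* p = (long*)&d;
        return *p;
    }
}

public static class VerifierDemo
{
    static void RunInCurrentDomain()
    {
        // Full Trust grants SkipVerification, so the JIT never checks this IL.
        Console.WriteLine("full trust: " + new BitReader().DoubleBits(1.0));
    }

    static void RunInSandbox()
    {
        // Resolve the grant set policy gives Internet-zone code: no
        // SkipVerification, no FileIO, no unmanaged code, etc.
        Evidence evidence = new Evidence();
        evidence.AddHost(new Zone(SecurityZone.Internet));
        PermissionSet grant = SecurityManager.ResolvePolicy(evidence);

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // Simple-sandboxing overload: every assembly loaded into this domain
        // runs with 'grant' unless listed in the (empty) full-trust list.
        AppDomain sandbox = AppDomain.CreateDomain("partial-trust", evidence, setup, grant);

        BitReader reader = (BitReader)sandbox.CreateInstanceAndUnwrap(
            typeof(BitReader).Assembly.FullName, typeof(BitReader).FullName);
        try
        {
            // The proxy call JITs DoubleBits inside the sandbox, where the
            // verifier runs and rejects the pointer arithmetic.
            Console.WriteLine("sandbox: " + reader.DoubleBits(1.0));
        }
        catch (VerificationException)
        {
            Console.WriteLine("sandbox: unverifiable IL rejected by the verifier");
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }

    public static void Main()
    {
        RunInCurrentDomain();
        RunInSandbox();
    }
}
```

The same binary behaves differently only because of the grant set of the domain it runs in: the Full Trust run prints the bit pattern of 1.0, while the sandboxed run throws VerificationException when the method is JIT-compiled. Running peverify.exe on the assembly reports the method as unverifiable ahead of time, which is the check a reviewer would apply to code that is supposed to be 'managed and verifiable'.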

