[ISN] Credit card theft feared in Windows flaw

From: InfoSec News (isnat_private)
Date: Thu Sep 05 2002 - 23:31:58 PDT

  • Next message: InfoSec News: "[ISN] Heard of drive-by hacking? Meet drive-by spamming"

    http://news.com.com/2100-1001-956729.html?tag=fd_top
    
    By Joe Wilcox 
    Staff Writer, CNET News.com
    September 5, 2002, 11:34 AM PT
    
    [update] Microsoft late Wednesday said that a flaw in its Windows
    operating system could allow hackers to gain unauthorized access to
    thousands of computers.
    
    Microsoft issued a security alert, calling the flaw "critical." The
    flaw affects how more than a dozen Microsoft products, including
    programs for Windows and the Macintosh, handle digital certificates,
    which are used to certify the authenticity of a Web site or of
    software code.
    
    The flaw could let a Web site with a valid certificate issue a second,
    invalid one, which could enable unauthorized access to a computer as
    well as, among other things, the theft of user passwords or credit
    card numbers.
    
    "You're on my site and I say, 'Click here to go to Amazon.com.' But I
    don't really take you to Amazon.com. I can pretend to be Amazon.com
    and get you to enter in your credit card number," explained Gartner
    analyst John Pescatore.
    
    Experts were quick to point out that, so far, it is unlikely anyone
    has taken advantage of the flaw, but they also say that the
    implications of the flaw could be widespread, since it affects one of
    Windows' key security-authentication mechanisms, called CryptoAPI,
    which is also used by many non-Microsoft programs that run on Windows.  
    Analysts also warned that the problem, if exploited, could undermine
    consumers' confidence in conducting transactions over the Web.
    
    "They (Microsoft) have one little thing broken that affects so much of
    the security infrastructure. That's the bad news. The good news is
    probably no one has really exploited this over the years," said
    Richard Smith, an independent security analyst.
    
    A chink in the digital armor
    
    In the security bulletin, Microsoft warned that because of a flaw,
    CryptoAPI does not properly validate a certain portion of a digital
    certificate. The flaw affecting Macintosh products is unrelated to
    CryptoAPI, according to the security bulletin. Windows uses
    cryptography to authenticate the validity of Web sites and software
    components such as software drivers, and to keep intruders from
    gaining control of key subsystems.
    
    "When we look at this particular issue, especially with the CryptoAPI,
    it shows these types of issues take thorough investigation," said Lynn
    Terwoerds, security program manager for Microsoft's Security Response
    Center. "We're in the situation where we've done our thorough
    investigation...People want to know if there is trust. Well, there
    is."
    
    Microsoft strongly encouraged consumers and businesses to immediately
    install software patches, posted to the company's Web site, to correct
    the flaw. But the company has released patches for only four of the
    affected products: Windows NT 4, Windows NT 4 Terminal Server, Windows
    XP and Windows XP 64-bit Edition. Other vulnerable products include
    Windows 98, Windows 98 Second Edition, Windows Me and Windows 2000.
    
    Six Microsoft Macintosh programs also are affected by the flaw: Office
    v. X, Office 2001, Office 98, Internet Explorer for Mac OS 8 and 9,
    Internet Explorer for Mac OS X and Outlook Express 5.05. Patches are
    expected to be available soon for those products.
    
    Microsoft deemed the problem critical for the affected Windows
    products but moderate for the Macintosh applications. The Redmond,
    Wash.-based company also noted that some older versions of the
    programs could be vulnerable to attack. Since Microsoft no longer
    supports the programs, no patches will be released for them.
    
    Microsoft could not say when the other patches would be made
    available. "We are working round the clock right now," Terwoerds said.  
    "As soon as they're available, we'll release them."
    
    The problem potentially affects many other programs that might rely on
    Windows cryptography features.
    
    CryptoAPI is "part of the base operating system, so the problem will
    affect a lot of different products. We don't know, for example, what
    non-Microsoft products people have to be concerned about here," said
    Smith.
    
    Last month, Microsoft issued a warning about a separate flaw that also
    affects digital certificates. That flaw doesn't allow a hacker to
    steal the certificates, but it does let the attacker corrupt the data,
    rendering it useless to the PC's owner.
    
    Avenues of attack
    
    Unpatched computers, particularly those running Windows, are
    vulnerable to a variety of avenues of attack, Microsoft warned.
    
    Because of the vulnerability, CryptoAPI might not recognize that a
    second digital certificate is bogus and would therefore fail to warn
    PC user. The issuer could then use that unauthorized certificate to
    redirect that person to a second Web site for conducting an online
    transaction using Secure Socket Layer.
    
    SSL, an encryption technology widely used in online transactions, lets
    Web servers scramble credit card numbers and other information so they
    can't be seen by prying eyes. In this instance, a person might start a
    legitimate transaction at one Web site, then be unknowingly redirected
    to a second, bogus site, analysts said.
    
    Security analyst Smith said the problem could become significant,
    since so many computers use software containing the flaw. "It's much
    more widespread than people originally thought," he said. "And,
    because this has to do with CryptoAPI, the problem may have existed
    for five years."
    
    Gartner's Pescatore emphasized that although no one has yet to really
    exploit the vulnerability, it does not negate the flaw's significance.  
    Consumers have grown comfortable with the secure key symbol in a
    browser, which indicates that it's safe to conduct a transaction.
    
    "They believe Secure Socket Layer is running and it's safe to enter in
    their password, safe to enter in their credit card information,"  
    Pescatore said. "If this flaw were exploited, people could all of a
    sudden say, 'Wait a minute, it's not safe to put my credit card into
    Amazon.com or do trades on E*Trade, because how do I ever know I'm
    talking to E*Trade?'"
    
    Microsoft also is concerned about the vulnerability's potential impact
    on trusted online transactions. "That's why we're taking aggressive
    measures to let people know about this," Terwoerds said.
    
    In another potential exploit, a rogue Web site could trash a
    computer's root digital certificate issued by third-party
    authenticator VeriSign. With that mechanism broken, the person would
    no longer be able to conduct transactions over the Web. The hacker
    could then send an e-mail that says, "The certificate is no longer
    working. Click here to install a new one."
    
    Pescatore said with that capability, if he had malicious intent, "I
    could go to VeriSign, get a certificate for Pescatore.com and trick
    you into thinking it was Amazon.com."
    
    Pescatore's example points to yet another possible abuse identified by
    Microsoft: sending, via e-mail, a seemingly valid digital certificate
    that's actually signed by someone else.
    
    A hacking two-step
    
    Still, analysts noted that the vulnerability would generally require
    some kind of two-step process for hackers to fully take advantage of
    it. But they could rely on habits ingrained in consumers who do
    business over the Web--ingrained by Microsoft itself in some
    instances--to help them succeed.
    
    "More and more consumers are using Windows Update and automatically
    updating their Microsoft software," Pescatore said. "They're getting
    trained to respond to 'You need to update, so click here.' These
    vulnerabilities exploit this behavior."
    
    Terwoerds, who emphasized she was not trying to downplay the security
    flaw, agreed with the assessment by analysts that a multistep process
    would be required to make the exploit work.
    
    "Are users going to be able to go to all these bogus Web sites and
    give out credit card information?" she asked. "Is it possible? Yes. Is
    each a likely scenario? No."
    
    Wednesday's security warning comes after a long list of recent alerts.  
    Attacks this week against Windows 2000 Server have stumped Microsoft,
    for example. In August alone, Microsoft issued eight security alerts.  
    It's issued two so far in September.
    
    Microsoft has been issuing security alerts on a fairly frequent basis
    since January, when company Chairman Bill Gates made security a top
    priority for the company. The company will likely issue even more
    security bulletins as the year progresses, say analysts.
    
    "They started out with the server products and then moved on to the
    server applications," Pescatore said. "They've now moved on to the
    desktop OS and things like (Internet) Explorer. They're shaking out
    the laundry and all these bugs are flying out...that haven't been
    looked at. There's more to come."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 02:30:51 PDT