[ISN] Is Another Web-Based Super Worm on the Way?

From: InfoSec News (alerts@private)
Date: Wed Jun 06 2007 - 22:20:19 PDT


Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

VeriSign's Extended Validation SSL Certificates
   http://list.windowsitpro.com/t?ctl=58F2D:57B62BBB09A69279FBC549C5DF4EA0E5

Top Ten Server Virtualization Considerations
   http://list.windowsitpro.com/t?ctl=58F38:57B62BBB09A69279FBC549C5DF4EA0E5

Protect Info from Phishing and Pharming Exploits
   http://list.windowsitpro.com/t?ctl=58F25:57B62BBB09A69279FBC549C5DF4EA0E5


=== CONTENTS ===================================================

IN FOCUS: Is Another Web-Based Super Worm on the Way?

NEWS AND FEATURES
   - Google Buys GreenBorder, Gains Security Technology
   - Mozilla Releases Firefox Updates, Retires Firefox 1.5.0.x
   - Spam King Gets Slapped with 35 Criminal Charges
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: PHP 5.2.3 Coming Soon--RC1 Available Now; 
Windows Media Player Plug-In for Firefox
   - FAQ: Disable IE Enhanced Security in Windows Server 2008
   - From the Forum: Multiple Web Servers Behind One IP address with a 
Proxy Server?
   - Share Your Security Tips
   - Microsoft Learning Paths for Security: Reducing the Challenges and 
Complexities of Identity and Access Management 

PRODUCTS
   - Web Filter Gets Reporting Engine
   - Product Evaluations from the Real World

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: VeriSign ==========================================

VeriSign's Extended Validation SSL Certificates
   Increase customer confidence at transaction time with the latest 
breakthrough in online security--Extended Validation (EV) SSL 
Certificates from VeriSign. Extended Validation triggers the address 
bar to turn green when a visitor is using Microsoft Internet Explorer 7 
and viewing a site with EV SSL Certificates. This green bar lets 
customers know that the site they are on is highly authenticated and 
secure. 
   In a recent VeriSign study, 77% of the respondents indicated that 
they would be hesitant about shopping at, would check into problems 
with, or would abandon a site that once showed EV and no longer did. 
Learn more about Extended Validation by reading the technical white 
paper: Maximizing Site Visitor Trust Using Extended Validation SSL. 
   http://list.windowsitpro.com/t?ctl=58F2D:57B62BBB09A69279FBC549C5DF4EA0E5


=== IN FOCUS: Is Another Web-Based Super Worm on the Way? ======
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Over the years, we've seen a number of "super worms." Nimda, Code Red, and 
SQL Slammer, for example, were devastatingly effective: they spread within 
hours, infected a huge number of systems, and cost a great deal of money to 
eradicate. 

Worm technology has evolved, and it tends to follow the path of least 
resistance. Web applications are now the dominant platform, and Ajax 
(asynchronous JavaScript and XML, which lets a page issue HTTP requests in 
the background without a reload) is used more widely every day, so it is 
natural that worms have begun to target those technologies. 

In fact, back in 2005, someone created a JavaScript worm (dubbed Samy) and 
turned it loose on MySpace. When a MySpace user viewed an infected profile, 
the browser ran the worm's JavaScript, which used Ajax requests, sent with 
the victim's own logged-in MySpace session, to copy the worm into the 
victim's profile. Each newly infected profile then infected its own 
visitors, and the cycle kept repeating. Within 24 hours, Samy had 
reportedly spread to more than 1 million MySpace profiles. You can read a 
blow-by-blow description of how the worm worked at this URL: 
   http://list.windowsitpro.com/t?ctl=58F3A:57B62BBB09A69279FBC549C5DF4EA0E5

Samy exploited a stored cross-site scripting (XSS) flaw: MySpace's input 
filtering let user-supplied profile content carry script, and that script 
then ran in every visitor's browser with the visitor's own MySpace 
privileges. If someone were to take a worm like Samy further by automating 
it to work through a longer list of sites vulnerable to XSS, the effect 
could be far more significant. After all, if Samy could infect over 1 
million MySpace profiles in only 24 hours, a worm that targets many sites 
at once would reach far more users, far faster. Furthermore, such a worm 
could do a lot more than simply spread itself. Because it runs inside the 
victim's session on the vulnerable site, it could, for example, steal 
credentials or session data and post that information somewhere for an 
intruder to collect. 

Recently, Petko Petkov showed how a combination of freely available 
services could provide the means for a new super worm. You might know 
about XSSed.com, a site that aggregates reports of XSS vulnerabilities in 
other sites. The entries are presented in an easy-to-parse format and 
include a working example request for each vulnerability. Having such a 
database available online is useful, even educational, but at the same 
time it's a treasure trove for a malicious coder. 

Petkov showed that a new super worm could use XSSed.com as its target list 
and services such as Dapper and Yahoo Pipes to spread at lightning speed. 
Dapper (at the first URL below) extracts content from nearly any Web site 
and reformats it as XML or other structured formats. So someone could use 
Dapper to turn XSSed.com's listings into an XML feed of vulnerable sites 
and their associated exploits that a script can consume directly. Yahoo 
Pipes (at the second URL below) aggregates and filters such feeds, so a 
malicious script could fetch a current target list on the fly instead of 
carrying a fixed list along with it. 
   http://list.windowsitpro.com/t?ctl=58F3F:57B62BBB09A69279FBC549C5DF4EA0E5
   http://list.windowsitpro.com/t?ctl=58F3E:57B62BBB09A69279FBC549C5DF4EA0E5

With that data and those services available, such a worm would spread 
incredibly quickly. The problem is compounded by the fact that neither 
Dapper nor Yahoo Pipes is specifically necessary for the worm to work: the 
scraping and feed aggregation they provide could easily be recreated on 
any number of sites around the Internet, so blocking those two services 
would not stop the worm. The best defense, of course, is not to build Web 
sites that contain XSS vulnerabilities in the first place. 

You can read more about Petkov's ideas at the first URL below. The 
upcoming Black Hat USA 2007 conference will have at least three 
presentations that deal with Web worms (see the second URL below), 
including "Attacking Web Service Security: Message Oriented Madness, 
XML Worms and Web Service Security Sanity" by Brad Hill; "Premature 
Ajax-ulation" by Bryan Sullivan and Billy Hoffman; and "The Little 
Hybrid Web Worm that Could" by Billy Hoffman and John Terrill. So if 
you're going to Black Hat USA this year (July 28 - August 2 in Las 
Vegas), consider attending these presentations. 
   http://list.windowsitpro.com/t?ctl=58F33:57B62BBB09A69279FBC549C5DF4EA0E5
   http://list.windowsitpro.com/t?ctl=58F2C:57B62BBB09A69279FBC549C5DF4EA0E5


=== SPONSOR: SWSoft ============================================

Top Ten Server Virtualization Considerations
   The playing field for server virtualization has become much more 
crowded over the last few years. This checklist provides a list of the 
main considerations and basic differences between the technologies to 
provide a starting point for technology evaluation.
   http://list.windowsitpro.com/t?ctl=58F38:57B62BBB09A69279FBC549C5DF4EA0E5


=== SECURITY NEWS AND FEATURES =================================

Google Buys GreenBorder, Gains Security Technology
   Expanding its security tools further, Google has acquired 
GreenBorder Technologies, maker of security tools that protect 
browsers, IM clients, and email clients.
   http://list.windowsitpro.com/t?ctl=58F30:57B62BBB09A69279FBC549C5DF4EA0E5

Mozilla Releases Firefox Updates, Retires Firefox 1.5.0.x
   Mozilla Foundation released updates for Firefox that fix five 
vulnerabilities present in both the 2.0.0.x and 1.5.0.x versions and 
said that unless a serious problem is discovered in the 1.5.0.x series, 
no further updates to it will be made available.
   http://list.windowsitpro.com/t?ctl=58F2F:57B62BBB09A69279FBC549C5DF4EA0E5

Spam King Gets Slapped with 35 Criminal Charges
   Robert Alan Soloway, infamous as a prolific spammer, has been 
arrested in Seattle and charged with several federal offenses. The 
indictment charges Soloway with 35 counts of mail fraud, wire fraud, 
email-based fraud, identity theft, and money laundering. 
   http://list.windowsitpro.com/t?ctl=58F2E:57B62BBB09A69279FBC549C5DF4EA0E5

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
   http://list.windowsitpro.com/t?ctl=58F27:57B62BBB09A69279FBC549C5DF4EA0E5


=== SPONSOR: Websense ==========================================

Protect Info from Phishing and Pharming Exploits
   Combat phishing and pharming with complete protection against 
complex Internet threats by filtering at multiple points on the 
gateway, network, and endpoints.
   http://list.windowsitpro.com/t?ctl=58F25:57B62BBB09A69279FBC549C5DF4EA0E5


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: PHP 5.2.3 Coming Soon--RC1 Available Now; 
Windows Media Player Plug-In for Firefox
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=58F37:57B62BBB09A69279FBC549C5DF4EA0E5

PHP 5.2.3 will probably be released in the next week or two unless 
major problems are discovered in RC1. Get a link to test RC1 right now; 
plus get a link for a Microsoft-developed Windows Media Player (WMP) 
plug-in for Mozilla Firefox. 
   http://list.windowsitpro.com/t?ctl=58F26:57B62BBB09A69279FBC549C5DF4EA0E5

FAQ: Disable IE Enhanced Security in Windows Server 2008
   by John Savill, http://list.windowsitpro.com/t?ctl=58F35:57B62BBB09A69279FBC549C5DF4EA0E5 

Q: How do I turn off Internet Explorer Enhanced Security Configuration 
in Windows Server 2008?

Find the answer at
   http://list.windowsitpro.com/t?ctl=58F31:57B62BBB09A69279FBC549C5DF4EA0E5

FROM THE FORUM: Multiple Web Servers Behind One IP Address with a Proxy 
Server?
   A forum participant writes that he has a cable modem connection with 
a domain name mapped to his dynamic IP address. He has multiple Web 
servers on his network that he wants to make accessible from the 
Internet. When he had only one Web server, he could use port forwarding 
to make that site accessible, but now that he has several servers, he 
wonders whether he needs a reverse proxy that routes each request to 
the appropriate server based on the requested host name. He also 
wonders if an article is available that details how to set up a Windows 
Server 2003 machine as such a proxy. 
   http://list.windowsitpro.com/t?ctl=58F21:57B62BBB09A69279FBC549C5DF4EA0E5

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Reducing the Challenges and 
Complexities of Identity and Access Management
   Learn how to reduce and control the challenges and complexities of 
enterprisewide identity and access management. Gain more control by 
providing a single view of a user's identity across the enterprise 
through the automation of common tasks. And learn how to use an 
integrated approach with smart cards, certificate and password 
management, and user provisioning.
   http://list.windowsitpro.com/t?ctl=58F32:57B62BBB09A69279FBC549C5DF4EA0E5


=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Web Filter Gets Reporting Engine
   Barracuda Networks announced the immediate availability of new 
reporting capabilities in Barracuda Web Filter firmware 3.2. The 
updated firmware adds a set of reports based on criteria such as user 
behavior, traffic patterns over time, bandwidth usage, domain requests, 
Web site categories, and log history, and it supports PDF, HTML, text, 
and CSV output formats. The 3.2 firmware release also lets existing 
Barracuda Web Filter customers compile reports on historical Web 
traffic. (Barracuda Web Filter can store approximately six months of 
Web traffic history.) Barracuda Web Filter customers with current 
Energize Updates subscriptions can upgrade to the new firmware release 
at no additional charge. For more information, go to
   http://list.windowsitpro.com/t?ctl=58F3D:57B62BBB09A69279FBC549C5DF4EA0E5

PRODUCT EVALUATIONS FROM THE REAL WORLD
   Share your product experience with your peers. Have you discovered a 
great product that saves you time and money? Do you use something you 
wouldn't wish on anyone? Tell the world! If we publish your opinion, 
we'll send you a Best Buy gift card! Send information about a product 
you use and whether it helps or hinders you to 
whatshot@private


=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit
   http://list.windowsitpro.com/t?ctl=58F34:57B62BBB09A69279FBC549C5DF4EA0E5

Learn how to achieve ROI with your log management system in a matter of 
months without costly or daunting investments. Attend this Web seminar 
and learn how to ensure that your organization gets the most out of its 
log management investment, the key requirements and architectural 
differences you need to consider, and the caveats and risks to watch 
for when you spec out your requirements and design.  
   http://list.windowsitpro.com/t?ctl=58F22:57B62BBB09A69279FBC549C5DF4EA0E5

Tune in to the hottest network security products by listening to this 
exclusive podcast featuring Windows IT Pro Editorial and Strategy 
Director Karen Forster and Microsoft's Ian Hameroff. Learn how Network 
Access Control (NAC) and Network Access Protection (NAP) work, the 
technologies that are involved, and which third-party products are 
poised to work with those technologies. 
   http://list.windowsitpro.com/t?ctl=58F24:57B62BBB09A69279FBC549C5DF4EA0E5

Don't miss the 16th USENIX Security Symposium in Boston, August 6-10, 
2007. Security '07 offers in-depth training by experts such as Richard 
Bejtlich (on TCP/IP Weapons School) and Dan Geer (on measuring 
security). The comprehensive technical program includes a keynote 
address by Steven Levy, senior editor and columnist at "Newsweek," on 
"How the iPod Shuffled the World as We Know It"; 23 refereed papers; 
and talks by Gary McGraw and Peter Gutmann. Don't miss the latest 
advances in the security of computer systems and networks. Register by 
July 16 and save!
   http://list.windowsitpro.com/t?ctl=58F3B:57B62BBB09A69279FBC549C5DF4EA0E5


=== FEATURED WHITE PAPER =======================================

MSCS clustering can be a good option for local high availability, but 
it doesn't completely protect you from unplanned downtime. Download 
this free white paper and learn how extending your MSCS cluster offsite 
with a high-availability solution that integrates with CDP technology 
can protect against data corruption, including damage done by viruses 
or human error.  
   http://list.windowsitpro.com/t?ctl=58F23:57B62BBB09A69279FBC549C5DF4EA0E5


=== ANNOUNCEMENTS ==============================================

Scripting Pro VIP--Just Download and Run 
   Scripting Pro VIP is an online resource that delivers in-depth 
articles (with downloadable code!) every week on topics such as ADSI, 
ADO, and much more. Subscribers also receive tips, cautionary advice, 
direct access to our editors, and a host of other unique benefits! 
Order now at an exclusive charter rate and save up to $50! 
   http://list.windowsitpro.com/t?ctl=58F29:57B62BBB09A69279FBC549C5DF4EA0E5

Special Invitation for VIP Access 
Become a VIP subscriber and get continuous, inside access to ALL the 
content published in Windows IT Pro, SQL Server Magazine, Exchange & 
Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe 
now!:  
   http://list.windowsitpro.com/t?ctl=58F28:57B62BBB09A69279FBC549C5DF4EA0E5


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 
below).
   http://list.windowsitpro.com/t?ctl=58F36:57B62BBB09A69279FBC549C5DF4EA0E5
   http://list.windowsitpro.com/t?ctl=58F3C:57B62BBB09A69279FBC549C5DF4EA0E5

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=58F2B:57B62BBB09A69279FBC549C5DF4EA0E5

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=58F39:57B62BBB09A69279FBC549C5DF4EA0E5
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=58F2A:57B62BBB09A69279FBC549C5DF4EA0E5

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed Jun 06 2007 - 22:28:36 PDT