Web insecurity was in the news this week, with a major flaw in the security of ASP.NET and some sobering statistics on Web site infections. When your bank account gets hacked – is it your fault? And, with a patch out for one of four (!) zero day exploits used by Stuxnet, security experts wonder if its the most sophisticated malware…ever!?
The Web is the world’s operating system -the last five years have made that much clear. But if the news this week is any indication, that promise may be a mixed blessing. Indeed, the headlines this week were filled with dire warnings about the frailty of Web security.
The week began with news of a serious vulnerability that affects millions of Web applications. Researchers speaking at the ekoparty hacking conference in Buenos Aires will demonstrate a critical vulnerability in Microsoft’s ubiquitous ASP.NET technology. Using a tool called the Padding Oracle Exploit Tool researchers Juliano Rizzo and Thai Duong can reportedly decrypt sniffed ASP.NET cookies, which could contain sensitive data like bank balances, Social Security Numbers or cryptographic keys used to secure transactions. Online banking and e-commerce stand to be the main targets for this exploit, as much of it is ran on the ASP.NET framework, the researchers warned.
The ASP.NET bug spells trouble for banking and e-commerce Web sites, but according to Web anti malware firm Dasient, rank and file Web sites are faring even worse. Dasient released data that claimed that more than one million web sites were serving up malware in the second quarter of 2010 alone. The report cited .com and .cn (China-based) domains and third party widgets and ad networks as the main culprits.
Tuesday brought Microsoft’s monthly patch release – a fix for 11 vulnerabilities in a wide range of products. They included a high profile fix for a previously unknown security hole used by the Stuxnet worm. By patching Windows Print Spooler, the company disabled a hole that allowed attackers to spread the worm through networks via local printers. Kaspersky Lab researchers previously identified the hole as one of four the worm has been utilizing. The Stuxnet fix, MS10-061, was one of 11 vulnerabilities addressed by Microsoft’s monthly Patch Tuesday extravaganza. Other software patched included Microsoft Outlook, IIS and Microsoft Office.
The revelations about Stuxnet’s use of zero days had some researchers wondering whether the complicated worm, discovered in July, might be the most sophisticated malware ever. As Threatpost.com has reported, Stuxnet and is able to spy on and reprogram different industrial systems. Reports this week suggest that as many as 14 industrial control systems may have been infected by the Stuxnet worm.
Finally, it was another eventful week for the folks at Adobe. Following
last week’s news of an unpatched hole in Reader, the company’s Flash product
took center stage on Monday. According
to an advisory issued by Adobe, a zero-day flaw in the software allows
attackers to take control of remote systems. Since they share the same piece of
software, the vulnerability affects Reader and Acrobat as well.
While Adobe promised a fix by early October, and Microsoft assured customers that its Enhanced Mitigation Environment
Toolkit 2.0 can help prevent attacks from last week’s Reader flaw, software development company RamzAfzar provided
an independent fix for the Reader flaw in an unofficial patch. In
a statement Thursday, Adobe warned against using that patch and pointed out there is always risks when
installing software from unsanctioned sources.
Did any articles pique your interest? Nick Selby’s piece on who’s to blame for customer/banking breaches generated a good amount of discussion, as did Paul Roberts piece taking a hard look at HTML5 and how security may have to adapt to feed the emerging new technology.