Summer may have reached its unofficial end with the Labor Day holiday, but there was no break from security news this week, as both the Gov 2.0 Conference in Washington D.C. and a raft of warnings and patches from leading vendors kept the heat on high.
We all know the Internet started as a U.S. Government project, so maybe it shouldn’t be a surprise that, more than thirty years later, the head of the Department of Defense’s new Cyber Command said the government needs to take the point on securing both government and critical networks from attack.
Addressing the audience on Tuesday at O’Reilly Media’s Gov2.0 Summit, Gen. Keith Alexander, the head of the National Security Agency, said “We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it.” Alexander was speaking on the heels of last month’s news that a USB drive mishandled by the U.S. military compromised classified intelligence networks. That disclosure, by Deputy Secretary of Defense William Lynn, came in an article that suggested the government, and in particular Alexander’s NSA, might need to take a more active role in monitoring domestic networks for cyber attacks linked to foreign entities.
This week brought more evidence that social networking attacks are here to stay. On Monday, a new Twitter cross-site scripting bug surfaced; its roots, experts say, are in Brazil. By Tuesday, more than 100,000 users had clicked on the malicious URL, enabling attackers to swipe the session cookie of the Twitter user. Twitter fixed the flaw, but security experts say there’s little doubt others like it await discovery.
Elsewhere, the world’s largest social network, Facebook, also found itself tested this week. On Monday, spammers found a way to automatically post messages to users’ walls which, if clicked, would post the same messages to the clicking user’s own wall. The spam pointed users toward premium “entertainment” sites and exploited a hole that allowed the spammers to hijack the Facebook messaging system without the user’s permission.
The first full week of September also brought the monthly vendor patch parade. Apple and Mozilla stepped up on Wednesday with some of the first remedies for the recent DLL load hijacking issue, a vector that continues to plague a slew of Windows applications. Apple patched three holes in new releases of Safari 5.0.2 and Safari 4.1.2 for Windows and Macs, respectively. Meanwhile, Mozilla pushed out Firefox 3.6.9, complete with patches for 15 vulnerabilities.
The bulk of the fixes help prevent drive-by download attacks; the DLL load hijacking issue, a flaw that Firefox stressed could only be exploited on Windows XP, was also addressed by the patches. Microsoft said it would patch 13 security holes in its Windows and Office products in its monthly Patch Tuesday release on the 14th.
While those holes were sealed, others opened. Researchers at Acros Security reported that DLL files weren’t the only way to carry out so-called hijacking attacks: executables, Windows INI files and other common system files can be used in hijacking attacks as well.
We learned this week of still more vulnerabilities in Adobe’s Reader product. A zero-day flaw published in an advisory by Adobe affects those running the most recent 9.3.4 build and targets machines running Windows Vista or Windows. Unlike Adobe bugs of yore, however, this one bypasses two critical Windows security features, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), and is signed with a legitimate certificate. Adobe hasn’t announced plans for a patch just yet; as it stands, its next scheduled release is due October 12.
What did you, our readers, find interesting? Robert Hansen’s article on Snake Oil Security topped the week in popularity, along with our story on the “Here you Have” e-mail worm, which hearkened back to attacks of the late 1990s, when viruses like ILOVEYOU crawled the ‘Net and raided their victims’ contact lists to spread.