Posted by Robert Green on March 30, 2007, 7:21 pm
Microsoft is warning Windows users that hackers are exploiting a newly discovered flaw. It enables criminals to hijack Windows PCs if users merely visit a hostile Web site with an Internet Explorer browser or open a specially crafted e-mail message. The vulnerability stems from a weakness in the "animated cursor" function built into most Windows machines. The company's home campus in Redmond, Wash., says it is working on a security update to patch the hole, but cautions customers about visiting unfamiliar Web sites or viewing unsolicited e-mail. This vulnerability applies to every version of Windows and Internet Explorer, including version 7.

http://blog.washingtonpost.com/securityfix/

(registration probably required although some sites at the Post are now apparently open to non-subscribers)

Some other fascinating subjects, too:

Fortune 500s Unwittingly Become Spammers

A Fresh Look at Password Thieves

Stolen Identities Sold Cheap on the Black Market

"According to the latest Internet security threat report from Symantec Corp., the going rate for the keys to assuming someone else's identity can be had for between $14 and $18 per victim on underground cyber crime forums. Full identities typically include Social Security numbers, the victim's bank account information (including passwords), as well as personal information such as date of birth and the maiden name of the victim's mother."

Is it time to build a bunker and live off the net? (-:

--
Bobby G.
Posted by Marc_F_Hult on March 31, 2007, 11:12 am
>Some other fascinating subjects, too:
>
>Fortune 500s Unwittingly Become Spammers
>
>A Fresh Look at Password Thieves
>
>Stolen Identities Sold Cheap on the Black Market

>Is it time to build a bunker and live off the net? (-:

In an article titled "Betrayed" in the current (March 26 07) issue of the New Yorker, author George Packer writes this about the Green Zone in Baghdad:

"The deeper the Americans dug themselves into the bunker, the harder they worked to create a sense of normalcy ... The more chaotic Iraq became, the more the Americans resorted to bureaucratic gestures of control. The fact that it took five signatures to get Adobe Acrobat installed on a computer was strangely comforting."

And sometimes the bunker mentality precedes the bunkers.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IMO, HA and a smart home ought to be helpful in smart risk assessment and effective risk reduction, and real-time loss mitigation (think sprinklers and their cyber equivalents) -- not feeding paranoia.

What are the real threats and needed protection that pertain to HA in general and net-connected devices in particular in the context of comp.home.automation?

And specifically, what are 'best practices' with respect to net connectivity for home automation controllers?

... Marc

Marc_F_Hult
www.ECOntrol.org
www.NeuralHome.org
Posted by Robert Green on April 9, 2007, 9:32 pm
> On Fri, 30 Mar 2007 19:21:39 -0400, "Robert Green"
>
> >Attackers Exploit Unpatched Explorer Flaw

<stuff snipped>

> IMO, HA and a smart home ought to be helpful in smart risk assessment and
> effective risk reduction, and real-time loss mitigation (think sprinklers and
> their cyber equivalents) -- not feeding paranoia.

With more and more emphasis on HA, alarm and even HT systems being "internet enabled" security issues are going to require careful consideration. It appears that the cursor exploit is being considered as rather serious among security experts. It's unfortunate that not one poster here has indicated an interest (or perhaps a willingness) to engage in discussions about how to secure the HA to internet interface as best as possible. Perhaps we need to sort that sociological issue out before any technological or educational interaction can proceed.

In the meantime, I'll ring that paranoia buzzer one more time and quote some of a recent Infoworld article on the .ANI exploit. I find it interesting because the speed and seriousness of the exploit this late in the lifecycle of the affected OS's really surprised me. If the information leads even one person to patch their system where they might not have otherwise, then it was worth the effort:

http://www.infoworld.com/article/07/04/03/HNemergencywindowspatch_1.html

Microsoft Issues Emergency Windows Patch
By Robert McMillan, IDG News Service
April 03, 2007

With attackers finding more ways to exploit a critical flaw in its Windows operating system, Microsoft has published an emergency software patch . . . security experts are most concerned about a bug in the way Windows processes .ani Animated Cursor files. Online criminals have been exploiting this bug since late last week. . . .

Microsoft was forced to release the early update a week ahead of schedule because attacks had become too widespread, said Ken Dunham, director of malicious code intelligence with iDefense.

"We have more than 400 different URLs identified and related to attacks, and multiple e-mails have been sent out that direct people back there," he said. "We have proof that organized groups are now launching attacks."

--
Bobby G.
Posted by Neil Cherry on April 11, 2007, 9:30 am
In comp.home.automation, you wrote:
>
>> On Fri, 30 Mar 2007 19:21:39 -0400, "Robert Green"
>>
>> >Attackers Exploit Unpatched Explorer Flaw
>
><stuff snipped>
>
>> IMO, HA and a smart home ought to be helpful in smart risk assessment and
>> effective risk reduction, and real-time loss mitigation (think sprinklers
>> and their cyber equivalents) -- not feeding paranoia.

> With more and more emphasis on HA, alarm and even HT systems being "internet
> enabled" security issues are going to require careful consideration. It
> appears that the cursor exploit is being considered as rather serious among
> security experts. It's unfortunate that not one poster here has indicated
> an interest (or perhaps a willingness) to engage in discussions about how to
> secure the HA to internet interface as best as possible. Perhaps we need to
> sort that sociological issue out before any technological or educational
> interaction can proceed.

I don't know if I can add anything useful to the conversation but I have a few points that may be of interest. I know a number of engineers who refuse to secure their home systems. One recently revealed that his home PC was so full of spyware that it failed to boot. He went to a local electronics retailer for advice on how to fix the problem (cha-ching, sale made). Another has a wireless system where he only uses WEP because it's 'good enough' (WEP can be cracked in about a minute).

In the lab, at work, a vendor failed to inform us that their tool actually ran Embedded Windows and we had a nice case of spyware that kept re-infecting the lab servers. What a nightmare to find that one, and to get fixed! Modern printers (as well as other Internet ready appliances) are now running embedded Windows, how do you go about finding out and getting that fixed? Two years ago it was demonstrated that a Cisco router could be infected, used to run remote code and turned into a zombie machine. I'm also pretty sure there are various Linux embedded devices that have their fair share of problems.

These complexities are enough to drive the engineering staff to drink. The average user can't even begin to comprehend what this all means or how to properly deal with it. Remember they pretty much want plug-n-play.

If you're concerned with securing the access to the HA env. from outside the home this isn't too difficult. You've got VPN or ssh tunnels that can easily solve those kinds of problems. With the appropriate home route/firewall that can easily be established.

The main problem with security is that it is generally an afterthought. Users only care about it when it interferes with the usage of the system (either by making it difficult to use or by fixing it after the fact). Vendors are more concerned with getting the system usable so they can get it out the door (they can always fix it later).

Right now I can only take comfort in knowing that my system is more secure than that of my neighbors' systems. It's like when riding a bicycle by a loose dog. You don't have to be the fastest rider, just don't be the slowest rider.

--
Linux Home Automation
Neil Cherry ncherry@linuxha.com
http://www.linuxha.com/ Main site
http://linuxha.blogspot.com/ My HA Blog
Author of: Linux Smart Homes For Dummies
Posted by Robert Green on April 12, 2007, 10:27 pm
> In comp.home.automation, you wrote:
> >
> >> On Fri, 30 Mar 2007 19:21:39 -0400, "Robert Green"
> >>
> >> >Attackers Exploit Unpatched Explorer Flaw
> >
> ><stuff snipped>
> >
> >> IMO, HA and a smart home ought to be helpful in smart risk assessment and
> >> effective risk reduction, and real-time loss mitigation (think sprinklers
> >> and their cyber equivalents) -- not feeding paranoia.
>
> > With more and more emphasis on HA, alarm and even HT systems being "internet
> > enabled" security issues are going to require careful consideration. It
> > appears that the cursor exploit is being considered as rather serious among
> > security experts. It's unfortunate that not one poster here has indicated
> > an interest (or perhaps a willingness) to engage in discussions about how to
> > secure the HA to internet interface as best as possible. Perhaps we need to
> > sort that sociological issue out before any technological or educational
> > interaction can proceed.
>
> I don't know if I can add anything useful to the conversation but I
> have a few points that may be of interest. I know a number of
> engineers who refuse to secure their home systems. One recently revealed
> that his home PC was so full of spyware that it failed to boot. He
> went to a local electronics retailer for advice on how to fix the
> problem (cha-ching, sale made). Another has a wireless system where he
> only uses WEP because it's 'good enough' (WEP can be cracked in about
> a minute). In the lab, at work, a vendor failed to inform us that
> their tool actually ran Embedded Windows and we had a nice case of
> spyware that kept re-infecting the lab servers. What a nightmare to
> find that one, and to get fixed! Modern printers (as well as other
> Internet ready appliances) are now running embedded Windows, how do
> you go about finding out and getting that fixed? Two years ago it was
> demonstrated that a Cisco router could be infected, used to run remote
> code and turned into a zombie machine. I'm also pretty sure there are
> various Linux embedded devices that have their fair share of problems.
> These complexities are enough to drive the engineering staff to drink.
> The average user can't even begin to comprehend what this all means or
> how to properly deal with it. Remember they pretty much want
> plug-n-play.

I think that's why so many new PCs are sold. I know of several cases where machines were so infested with spyware and such that they ran at 1/10 normal speed when they ran at all. Their owners just went out and bought new machines, hoping that newer was somehow safer, but it really never was. Lots of people balk at the attention to detail securing a PC requires and conceptually, I suppose you never really can secure a machine that has to talk to the outside world. That's why I found the animated cursor exploit so troubling. Who would have thunk it?

> If you're concerned with securing the access to the HA env. from
> outside the home this isn't too difficult. You've got VPN or ssh
> tunnels that can easily solve those kinds of problems. With the
> appropriate home route/firewall that can easily be established.

Half of the readers here have likely just lost you! (-: Virtual Private Networks and ssh are not the stuff that Suzie Q. Homeowner, trying to monitor her babysitter via a cellphone hookup, is going to master. There's a good writeup here:

http://en.wikipedia.org/wiki/VPN

<<Secure VPNs use cryptographic tunneling protocols to provide the intended confidentiality (blocking snooping and thus Packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy. >>

> The main problem with security is that it is generally an afterthought.
> Users only care about it when it interferes with the usage of the
> system (either by making it difficult to use or by fixing it after the
> fact). Vendors are more concerned with getting the system usable so
> they can get it out the door (they can always fix it later).

Agree, and that "rush to ship" often spells trouble for the end user. Vendors are notorious for having stuff default to the least secure mode. Also, security is a pain. At one place I worked at, we had to reset at least a motherboard a month when the user forgot the BIOS password. Security adds a lot of overhead.

> Right now I can only take comfort in knowing that my system is more
> secure than that of my neighbors' systems. It's like when riding a
> bicycle by a loose dog. You don't have to be the fastest rider, just
> don't be the slowest rider.

Or the one that smells like bacon. (-: If you're the standing up nail, like Steve Gibson was, www.grc.com/dos/grcdos.htm all the security in the world couldn't prevent him from being victimized by a massive DOS attack. That's what botnets excel at. Not being able to reach your own PCs is not as bad as someone hacking in, but it's no picnic, either.

But back to the main question. Even with VPN and firewalls, something like the cursor exploit seems to me like getting carjacked. If you open up all the secure connections and then click on a site that uses the exploit, you'll have turned control over to the bad guys. They don't need to break in, they just need to trick you into letting them in.

--
Bobby G.