StopBadware.org
Regaining Control of Our Computers
 

Two Interesting Security Challenges

Posted by Laureli Mallek Fri, 25 Apr 2008 18:55:00 GMT

Two noteworthy exploits have surfaced recently. This blog post covers both: first, a server-based attack tool, and second, a now-patched vulnerability in Flash.

First:

Tornado, a web-based exploit tool, can exploit more than a dozen browser vulnerabilities. ITNews Australia explains that the tool “is commonly installed on a server by a single ‘administrator,’ who then offers accounts on the server to other attackers.” This structure protects the proprietary code and keeps it from being released “underground.”

The seller is also able to discriminate between clients, which Liam O’Murchu, a Symantec researcher, cites as a reason that the exploit has remained undiscovered for so long. Shaun Nichols of ITNews writes that Tornado “offers attackers a full set of traffic statistics and options for selecting which exploits can be conducted.”

Second:

Robert Jaques reports for ITNews that a new Flash vulnerability has been discovered by Tier-3. This issue arises from the use of “NULL pointers.” Pointers are values in software code that point to specific locations in a computer’s memory; a NULL pointer is one that does not point to a valid location. Geoff Sweeney, an executive at Tier-3, is quoted as saying,

“Buffer overflows are still an issue, but they are a problem that has been tackled by the industry for many years. NULL pointer de-referencing has not received anywhere near the same level of attention, which means that users need to be more vigilant than ever.”

A recent paper by Mark Dowd, a researcher at IBM Internet Security Systems, provides a detailed example of this type of exploit. The Matasano Chargen blog explains Dowd’s achievement while claiming that Dowd was “sent back through time to kill the mother of the person who will grow up to challenge SkyNet.” And his accomplishment does inspire some awe. In brief:

“Dowd’s exploit uses a NULL pointer write32 to knock the locks off the bytecode interpreter in Flash, so that his SWF file can run bytecode that will rewrite the system stack.”

So the NULL pointer presents an entry point for Dowd to run his exploit, and this entry point exists on Internet Explorer and Firefox, which have compatible internal addressing, and on Vista.

According to DailyTechNotes, Adobe has already released a patch for the vulnerability, and you should download it now. They explain the risk:

“Vulnerabilities in various online software is nothing new. But what makes vulnerability in flash so much damaging is that flash is installed on almost all browsers and it is independent of the operating system you are running.”


Consumer Reports WebWatch is not receiving any corporate support for its participation in this program.

Copyright © 2006 - All content for this site is under a Creative Commons license