Symantec, 10-27-2007, 05:15 AM

Exploiting trust: ISTR XII
<p><a href="http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport">Volume XII of the <em>Internet Security Threat Report </em>(ISTR)</a> is now out. In this report, we discuss how attackers have been using trusted Web sites as a means of reaching their victims. This trend is, in part, facilitated by something that we call “site-specific vulnerabilities”, which are vulnerabilities that are limited to a particular Web site or service. These vulnerabilities are typically present in the proprietary Web-based applications that drive the services provided by the site.</p>

<p>What initially tipped us off to the increasing prevalence of site-specific vulnerabilities was actually a drop in the proportion of Web application vulnerabilities. In this report, we observed that 61 percent of vulnerabilities affected Web applications, which is a drop from the 66 percent in the previous report. (Our discussion of Web application vulnerabilities includes only those Web applications that can be downloaded and installed within a third-party organization. Our numbers don’t include vulnerabilities that have been reported in hosted services like Blogger or Hotmail. However, one cannot ignore the recent emergence of forums for disclosing site-specific vulnerabilities such as sl.ackers.org and XSSed.com.) </p>

<p><strong>Shame for fame</strong></p>

<p>Site-specific vulnerabilities are disclosed in a number of ways. One approach is what I like to call “shame for fame”, which has been employed by researchers in various “Month of … bugs” projects. This is a publicity stunt that is typically meant to embarrass the vendors into fixing the bugs and draw attention to the security researchers involved in their discovery. Site-specific vulnerabilities have been featured in the Month of MySpace Bugs and the Month of Search Engine Bugs. These vulnerabilities are a good subject for this type of disclosure because they’re easy to discover and have the potential to get better media coverage than disclosing vulnerabilities in obscure Web applications that may affect a handful of users. Since they potentially make a bigger splash, the researcher benefits from the publicity.</p>

<p><strong>The perils of disclosing site-specific vulnerabilities</strong></p>

<p>Other researchers try to work with site maintainers to fix the vulnerabilities prior to disclosing them. However, if they do not obtain prior authorization to perform a security check from them, they risk breaking the law. There is no safe haven for the researcher to report vulnerabilities discovered during an active audit or inadvertently in such a case. If they’ve discovered a vulnerability in the Web site, they’ve technically attacked the site. Moreover, site-specific vulnerability research can’t be performed in a lab environment, so there is always the likelihood that the researcher could disrupt or damage the site in some way. What is a security researcher to do? Some security researchers acknowledge the risk and advise others to steer clear of researching site-specific vulnerabilities. This chilling effect may ultimately hurt the vendor if they find out about vulnerabilities after they have been exploited by attackers.</p>

<p><strong>Site-specific disclosure policies</strong></p>

<p>Some vendors, such as Google and Microsoft, have been proactive in encouraging security researchers to report vulnerabilities in their sites. To facilitate this effort, these vendors have set up pages instructing people on how to report vulnerabilities and thank people who have responsibly disclosed vulnerabilities. This is a step in the right direction because it provides researchers with assurances that there won’t be repercussions for responsibly disclosing vulnerabilities in these vendors’ Web sites.</p>

<p><strong>Site-specific vulnerabilities in the wild</strong></p>

<p>Attackers also have a vested interest in discovering site-specific vulnerabilities since Web users are getting more savvy. This means they’re less likely to click on links in unsolicited email or wander unprotected into the nether regions of the Internet. So attackers have been compromising legitimate Web sites as a means of infecting users with malicious software. Users expect well-known sites to be secure and are easily caught off guard by attacks and malicious content that originates from those sites. This has manifested in mass compromises of sites hosted by a common provider or in more subtle exploitations of Web application vulnerabilities in an effort to seed popular sites with malicious content.</p>

<p>The upshot of these vulnerabilities is exploitation of trust, which is a common thread in this volume of the Internet Security Threat Report. We discuss it in our analysis of the rise of Web browser plug-in vulnerabilities, which have gained traction with attackers because of their integration into attack frameworks such as MPack. Browser plug-in and site-specific vulnerabilities go hand-in-hand, as was demonstrated in a sophisticated phishing attack that exploited a MySpace and an Apple QuickTime vulnerability in tandem. Compromised Web sites are an ideal distribution platform for browser plug-in exploits. Therefore, the sharp increase from 74 plug-in vulnerabilities in the second half of 2006 to 237 plug-in vulnerabilities in the first half of 2007 is cause for concern. The combined pool of Web application and browser plug-in vulnerabilities creates a wide array of possibilities for multi-staged attacks that exploit legitimate Web sites, user trust in those sites, and ultimately the users themselves.</p>

<p>Site-specific Web application vulnerabilities have found a place in the ecosystem of malicious Internet activity because they play a key role in making attacks less obvious by exploiting the trusted reputation of legitimate sites. They’ve been implicated in Web-based worms, malicious code, client-side exploits, data breaches, spam, and phishing. As different types of attackers converge on similar attack methods and motivations, the broader issue of exploitation of trust has also become an important strategy in the attacker’s playbook.</p>

<p>For more information on the current state of the threat landscape, please check out Symantec’s <a href="http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport"><em>Internet Security Threat Report</em>, Volume XII</a>.</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/09/exploiting_trust_istr_xii_vuln.html
Wed, 19 Sep 2007 05:00:00 -0800