Death by a Thousand Little Cuts
It is not uncommon for seasoned (or heavily burdened) information security (infosec) professionals to look at the mornings’ security alerts and see a flood of the same old-same old. A few years ago, it was buffer overflows, and now in 2006 it is SQL injection attacks and cross-site scripting (XSS) vulnerabilities.
Typically, the deluged infosec professional will look at those attacks and think, “OK, that’s a lot of attacks I don’t care about.” It may be as simple as saying, “If it can be carried out by a browser, how hard can it be?” It may be simpler, “We’re not running that, it doesn’t affect us, got to move on.” Whatever the reason, many people simply ignore those reports.
However, they do have an impact. One of the things we have been seeing much of is Linux botnets based on PHP vulnerabilities (or Awstats vulnerabilities, also). Typically, someone will build their botnet on an established network like Undernet, and typically use a bot binary like Kaiten; it will be obvious and get taken down quickly.
However, there are many boxes out there that are potentially vulnerable to the attacks carried out by that malware. They are going to be used for additional attacks: DDoS attacks, warez trading, spam, what have you…they get used. Moreover, they get used in ways that you do care about.
Often we will see phishing attacks on web servers that have been compromised through some vulnerability we never thought twice about. A phishing attack will get loaded up on a website, someone will go and peek at the website and notice, “Hey, it’s running Cpanel,” and we’ll immediately know how the attackers got in and “set up shop” (Cpanel has had some relatively recent vulnerabilities, and there are more Cpanel installations than I had ever imagined).
In December 2005 and March 2006 (WMF and createTextRange, respectively), we are seeing websites be used for malicious web pages to attack clients. In the past few months it’s been the WebAttacker framework being thrown on some of these sites or, even more popularily, feeder sites. These include redirects or IFRAMEs of the WebAttacker toolkit. With two new Internet Explorer 0-days in the past week (the KeyFrame and VML bugs), we’re seeing this cycle more and more.
These high profile, once-per-quarter (and now, appearantly, once a month) type bugs that can be leveraged against millions of hosts wind up being successful because people get into websites such as “Bob’s Mortgage Site” using any one of a million bugs or a mis-configuration, and then socially engineer you there somehow and you wind up being affected. Yeah, it really all comes back to haunt you.
You cannot secure the Internet by acting alone; it is simply too big and dynamic for anyone one group to tackle. It is this challenge that we have always faced in one form or another. In 1998, it was poorly configured FTP servers and SMTP open relays. In 2001, it was the plethora of buffer overflows in every product and project. In 2006, every website (it seems) is out to get you: WMF, createTextRange(), WebAttacker, or some other web browser- based vulnerability. These vulnerabilities just will not go away, and you cannot avoid it by paying attention to every advisory that comes along. The combination of high profile client vulnerabilities and low profile website vulnerabilities is simply intractable.
Expect more of the same in one disguise or another. Attackers are researching browser bugs faster than the people who can fix them, and they’re learning how to capitalize on them by loading them onto more and more websites.