Friday, December 30, 2005

More on WMF Exploits

Peter Ferrie from Symantec mentioned on full-disclosure,
If they're blindly detecting anything that contains the SetAbortProc, then they're detecting the legitimate use of a documented function. It's not a buffer overflow. WMF files since at least Windows 3.0 days have been allowed to carry executable code in the form of their own SetAbortProc handler.

The Metasploit version of the exploit illustrates this well; working through the fields, it's apparent that there are no crazy high values being used. Just an (under)documented function.

It's a little snarky, though, to insinuate that "blindly" looking for this is a bad solution. It's certainly a lot better than checking file extensions.
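As an added example (not from the original post, and not the Metasploit module's code), here is a small Python scanner that implements the "blind" check Ferrie describes: it walks the metafile records and flags any META_ESCAPE record whose sub-function is SETABORTPROC. The record layout constants are taken from the WMF format as I understand it, and the sample files it is run against are constructed inline and contain no payload.

```python
import struct

# WMF layout per the Windows metafile format (assumed here, not taken from the post)
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header precedes the real one
STD_HEADER_LEN = 18            # METAHEADER: 9 words
META_ESCAPE = 0x0626           # record function: printer escape
META_EOF = 0x0000
SETABORTPROC = 0x0009          # escape sub-function the exploit (and legit printing) uses
QUERYESCSUPPORT = 0x0008       # harmless escape, used here only for a negative test

def wmf_records(data):
    """Yield (record_function, parameter_bytes) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:             # a record is at least its own size + function fields
            return                     # malformed, stop rather than loop forever
        yield func, data[off + 6:off + size_words * 2]
        if func == META_EOF:
            return
        off += size_words * 2

def find_setabortproc(data):
    """Return the escape byte counts of every SETABORTPROC escape record found.

    This is the 'blind' structural check: it flags any file using the escape,
    including a legitimate print job, so treat a hit as suspicious, not proven malicious.
    """
    hits = []
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, count = struct.unpack_from("<HH", params, 0)
            if esc == SETABORTPROC:
                hits.append(count)
    return hits

def build_sample_wmf(escape_code=None, payload=b"SAMPLE!!"):
    """Construct a minimal, inert WMF for exercising the scanner (constructed test data).
    payload must have even length so the record stays word-aligned."""
    records = []
    if escape_code is not None:
        params = struct.pack("<HH", escape_code, len(payload)) + payload
        records.append(struct.pack("<IH", (6 + len(params)) // 2, META_ESCAPE) + params)
    records.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (STD_HEADER_LEN + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    return header + body
```

Because the check keys on a documented escape rather than on the file extension, a renamed .wmf still gets caught, and the caveat in Ferrie's quote holds: a legitimate metafile that sets an abort procedure will be flagged too.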

Other observation: I still haven't heard "boo" from the major media outlets -- only nerdzines ZDNet and eWeek (and related) have picked up the story. Strange. I guess the constant flood of spyware/adware popups is just normal for most people.

Wednesday, December 28, 2005

The Traditional Holiday 0day

The Internet Storm Center is reporting a "widely-exploited" 0day. So, it appears we're not clear for Xmas after all.

More info at Secunia. I'm glad that they added a level to their rating system of "Extremely Critical." If a file format bug is Extremely Critical, then I can't wait for the "Supremely Extremely Critical" rating to debut for the next IIS/Apache vuln.

Sunday, December 25, 2005

All clear for Xmas?

I was expecting the tradition of the Internet meltdown to continue this Christmas, but other than some mild news reports of the new Santa Worm (which read more like IMLogic press releases anyway), it seems pretty quiet. At least, there's nothing at the Internet Storm Center other than some RFC gar-gar-garing, so that's good enough for me.

Also, best Xmas present for geek children: Giant Microbes (or more properly, macrobes).

Thursday, December 22, 2005

XSS on Significant Government Websites

Cross-site scripting is near and dear to my heart, and I think that the XSS Myspace worms and the occasional XSS-powered phishing attack are promoting them from "neat trick" to "annoying vulnerability." So, it's a little troubling when trivial (less than 40 seconds or so) experimentation reveals XSS on significant, high-profile, easily-Googleable US government websites.

Now I have to figure out how to deal with disclosing application vulnerabilities to powerful law enforcement agencies without getting shipped off to Poland. Hopefully, it will be easy and painless.

Wednesday, December 21, 2005

Note to Ebay: You're not Helping

I've been doing some of my Xmas shopping on Ebay, despite the fact that I'm involved in anti-phishing and counter-fraud. Today, I got an HTML message from Ebay about some update to my User Agreement.

Ebay/Paypal is the number one target for phishing by a huge margin; just look at FraudWatch International's statistics. Yet despite this, all the links in this real message come in the format of:

http://click3.ebay.com/4381902.85438.0.0.http%3A%2F%2Fpages.ebay.com%2Fhelp%2Fpolicies%2Fprivacy-policy.html

Phishers, of course, now have a template for inserting a redirect using Ebay's own site:

http://click3.ebay.com/1.2.0.0.http%3A%2F%2Fwww.planb-security.net%2f

So, Ebay, just so you know: You're not helping by handing over a perfectly useful page redirector to phishers who are targeting your OWN brand.

Tuesday, December 20, 2005

Warrantless Wiretapping

Stories about the NSA are inherently interesting to security people, myself included. After all, according to this chart, I am a mere one degree separated from the NSA VoIP conspiracy.

So, I feel compelled to comment on the breathless revelations that the White House has secretly authorized illegal wiretaps as part of its anti-terrorism efforts.

For background, here is the original New York Times article, and here is a brief Pigdog article detailing the relevant Electronic Surveillance statute.

I'm no lawyer, but FISA is written so plainly that it appears that the administration violated these laws. Senator Arlen Specter, since learning of the program, is now planning hearings for January to find out for sure.

The thing that bothers me is why they would even bother breaking the law. It's confusing because it's so easy to do this kind of thing within FISA and the PATRIOT Act. So, it makes me think that there's more to the story -- which, by the by, wouldn't surprise me. After all, not only did the New York Times admit that it sat on this story for a year (they knew about this before the 2004 election), but that "some information that administration officials argued could be useful to terrorists has been omitted." Hmm.