Category Archives: Security

Reflective XSS Worm

The SecuriTeam site reports on a new GaiaOnline (web-based game) worm:

Kyran ran the worm for 3-4 hours (with a central .js file it’s easy to stop the worm) and logged 1500 unique usernames, but not much more can be deduced in terms of growth over time due to the lack of timestamps. Since the passwords weren’t logged we cannot check statistics on those, but I would hazard a guess at the statistic being similar to those of sites like MySpace. Furthermore, the point of this exercise was to see how well a reflective XSS worm can spread on a large site.

Very effectively, they argue. And even more to the point:

Reflective XSS can viably be used to spread an effective worm and sending variables via POST does not make people any safer. Considering how very common reflective XSS is (34 pages of reflective XSS flaws) this is something web masters really need to start getting to grips with. Furthermore it’s clear that Gaiaonline aren’t ready for users reporting flaws, they don’t know what to do when a flaw is reported and they aren’t too quick at fixing them (at the time of writing the flaw is still up).

Reputation risk?
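The quoted conclusion that sending variables via POST "does not make people any safer" is worth seeing in code. What follows is an added example, not code from SecuriTeam, Kyran or GaiaOnline: a constructed search handler that reflects the `q` field into the page unencoded, the same handler with HTML output encoding, a regression-style check that an untrusted value did not survive into the response as raw markup, and a dispatcher showing that GET and POST feed the identical rendering step. The function names, the page template and the sample request body are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the form-encoded body of a POST to a search form.
# It decodes to the literal string <script>alert(1)</script>; the value is
# attacker-controlled whether it travels in the query string or the body.
SAMPLE_POST_BODY = "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

# Assumed page template; {query} is the only untrusted substitution point.
PAGE_TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"


def parse_search_query(body: str) -> str:
    """Extract the 'q' field from a form-encoded request body or query string."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("q", [""])[0]


def render_results_vulnerable(query: str) -> str:
    """Reflects the user-supplied value into HTML verbatim: reflected XSS."""
    return PAGE_TEMPLATE.format(query=query)


def render_results_safe(query: str) -> str:
    """Same page, but the value is HTML-entity encoded before it enters the document."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def reflects_untrusted_markup(page: str, untrusted: str) -> bool:
    """Regression check: True if an untrusted value containing markup-significant
    characters appears verbatim in the response body."""
    significant = any(ch in untrusted for ch in '<>"\'&')
    return significant and untrusted in page


def handle_search(method: str, query_string: str, body: str) -> str:
    """Dispatch for GET (query string) or POST (body). The transport changes,
    the encoding step that actually prevents reflected XSS does not."""
    raw = query_string if method.upper() == "GET" else body
    return render_results_safe(parse_search_query(raw))


if __name__ == "__main__":
    q = parse_search_query(SAMPLE_POST_BODY)
    print("vulnerable:", render_results_vulnerable(q))
    print("hardened:  ", render_results_safe(q))
    print("raw markup reflected (vulnerable)?", reflects_untrusted_markup(render_results_vulnerable(q), q))
    print("raw markup reflected (hardened)?  ", reflects_untrusted_markup(render_results_safe(q), q))
```

The `reflects_untrusted_markup` check is the kind of assertion a web team can run in its test suite against every endpoint that echoes input; it catches the class of flaw the report describes before a user does, and it is indifferent to whether the parameter came in by GET or POST.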

Bush authorizes search of snail mail

CNN reports on yet another bizarre statement by Bush:

A signing statement attached to postal legislation by President Bush last month may have opened the way for the government to open mail without a warrant.

The White House denies any change in policy.

The law requires government agents to get warrants to open first-class letters.

But when he signed the postal reform act, Bush added a statement saying that his administration would construe that provision “in a manner consistent, to the maximum extent permissible, with the need to conduct searches in exigent circumstances. …”

“The signing statement raises serious questions whether he is authorizing opening of mail contrary to the Constitution and to laws enacted by Congress,” said Ann Beeson, an attorney with the American Civil Liberties Union.

“What is the purpose of the signing statement if it isn’t that?”

And we worry so much about digital information in transit; I guess the question will soon be how to encrypt and sign mail sent via the US Post Office.

Typically, presidents have used signing statements for such purposes as instructing executive agencies how to carry out new laws.

Bush’s statements often reserve the right to revise, interpret or disregard laws on national security and constitutional grounds.

“That non-veto hamstrings Congress because Congress cannot respond to a signing statement,” ABA president Michael Greco has said.

The practice, he added, “is harming the separation of powers.”

And that’s from the president of the ABA!

Penguins and threats

The New Zealand penguin pages explain in detail how humans have significantly altered the threats to these harmless birds:

Before the arrival of man, marine mammals were the only mammalian predators of penguins in New Zealand. Rats were the first mammalian predators introduced, albeit accidentally, but several more were deliberately introduced. Cats were the first, in an effort to control rats and mice. There is now a large population of wild cats in New Zealand, which is continually added to by the dumping of unwanted kittens by irresponsible pet owners.

Beyond the new predators introduced by humans, there are also pages on oil (humans), climate (humans), fishing (humans), and habitat (humans). And after all that, if you can imagine, they have a page on the threat from humans. Unfortunately, the amazing (underwater) flying ability of penguins is adapted only to reduce their vulnerability to non-human-related threats. Time will run out before they develop another countermeasure, so some self-regulation by humans is in order…

Apple faces MOAB

I wasn’t going to write about this because it has such a notoriously self-serving marketing slant (e.g. “we’re just trying to improve OS X by publishing early warning to you about its flaws”), but I just can’t get around the fact that people are still under the impression that life will be safer if they choose X (pun intended) as their operating system. So, here it is in all its glory, the Month of Apple Bugs (MOAB), with four bugs so far (one a day):

  1. A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution.
  2. A vulnerability in the handling of the udp:// URL handler allows remote arbitrary code execution.
  3. A vulnerability in the handling of the HREFTrack field allows cross-zone scripting, leading to potential remote arbitrary code execution.
  4. A format string vulnerability in the handling of the title field of iPhoto XML feeds allows potential remote arbitrary code execution.

And just for further perspective, there are some excellent resources by people who notify their user communities about proper patching and maintenance of Apple systems (no scary exploit warning tactics needed). For example, James Madison University has a nice page open to the public. Don’t get me wrong, I’m all for disclosure, but I’m also curious about the fine line between public communication with manufacturers and the risk of narcissism.