EUIST


Zero-Day Mozilla Firefox OR ‘old’ Microsoft Internet Explorer vulnerability – debunking some myths about early warning systems

July 11th, 2007

Early Warning System – how much work it takes to create ‘added value’
From time to time we will bring new insights regarding the running of EWS operations.
We hope that you enjoy reading these and will get something out of them.
We would appreciate it if you left a comment below.

We have addressed the EWS issue, both regarding private versions thereof and public or public-private types of services. For your convenience we provide some quicklinks here:

– Early Warning System – taking 8 steps toward developing key performance indicators that make sense
– Early Warning System (EWS) – what it takes to create success
– EISAS and ENISA – will it help risk management across the EU?
– EISAS and ENISA – biggest challenge are the Key Performance Indicators – KPIs
– Do CERTS differ from WARPS or should we create something different?
– 4 Tips for building an effective Early Warning System – organizational and human resource issues
– Debunking more myths – new threats and national warning systems – do they work?

But on 2007-07-10 we had another example and illustration of how things go when a zero-day exploit and/or vulnerability hits the news channels read by InfoSec folks.
SUMMARY OF WHAT HAPPENED

Internet zero-day or 0day exploit: There is a URL protocol handler command injection vulnerability (also called an input validation flaw) in Microsoft Internet Explorer. It can be exploited only if both IE and Firefox are installed and the user is tricked into visiting a web site.
When was it discovered: Originally, the vulnerability in Internet Explorer being exploited via Firefox was discussed and outlined here:
– Billy (BK) Rios – 2007-07
The full exploit or proof of concept for Microsoft Internet Explorer was delivered by:
– Thor Larholm – 2007-07-10

But how new is this class of command injection vulnerability? On 2007-07-10 Paul Szabo pointed out that the vulnerability seemed similar to a group identified quite a while back, namely:
– Jouko Pynnönen – 2004-08-04 – referring to his work from 2003-07 – reported 2004-03-09 – calling it an argument injection vulnerability – URL vulnerability
– Jelmer – claims July 2003 and refers to Jouko Pynnönen
– Nicolas Robillard – referring to the above 2004-08-04

Is this really a zero-day vulnerability? CyTRAP Labs’ zero-day list has included the above vulnerability in Microsoft Internet Explorer as a zero-day, although for purity’s sake one could argue:
A) it is an old type of exploit which we may have forgotten about, AND
B) proof of concept does not yet mean a malicious user takes advantage of the vulnerability to do something really nasty.

You be the judge.
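As an added illustration (not from the original post or from any of the vendors named in it), the following Python sketch shows the two defensive checks that the summary above implies: auditing registered URI handler command templates for an unquoted %1 placeholder, and validating a URL before a browser hands it to a handler so that the URL cannot close the quoted argument or start a new one. The handler registrations, paths and scheme names are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample of URI protocol handler registrations, in the shape Windows
# keeps under HKCR\<scheme>\shell\open\command. Paths and flags are invented for
# illustration and are not copied from a real system or from any named product.
SAMPLE_HANDLERS = {
    "quotedapp":   r'"C:\Example\quotedapp.exe" -url "%1" -flag',
    "unquotedapp": r'"C:\Example\unquotedapp.exe" %1',
    "nourlapp":    r'"C:\Example\nourlapp.exe"',
}

# A %1 that is not wrapped in double quotes.
UNQUOTED_PLACEHOLDER = re.compile(r'(?<!")%1(?!")')
# Characters that let a URL escape the %1 slot: a double quote closes the quoted
# argument, whitespace separates a new one.
ARG_BREAKERS = re.compile(r'["\s]')


def handler_findings(command: str) -> list:
    """Audit one handler command template and return a list of findings."""
    findings = []
    if "%1" not in command:
        findings.append("no %1 placeholder")
    elif UNQUOTED_PLACEHOLDER.search(command):
        findings.append("%1 is unquoted: whitespace in the URL becomes extra arguments")
    # Note: a quoted "%1" only helps if the caller keeps quotes out of the URL;
    # the input validation below is what actually closes the gap.
    return findings


def url_is_safe_for_handler(url: str) -> bool:
    """Validation a browser should do before dispatching a URL to a handler:
    reject anything that, after percent-decoding, could close the quoted
    argument or start a new one."""
    return ARG_BREAKERS.search(unquote(url)) is None


def audit(handlers: dict) -> dict:
    """Return only the schemes with findings, so a clean registry yields {}."""
    report = {}
    for scheme, command in handlers.items():
        findings = handler_findings(command)
        if findings:
            report[scheme] = findings
    return report
```

Percent-decoding before the check is deliberately conservative: a caller that passes the raw URL would not need it, but a caller that decodes first would otherwise be fooled by an encoded quote or space.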

Besides the above facts, it is also interesting to see how the industry and early warning systems (EWS) handled the whole case.

Remember, bringing the goods to market faster than the competitor is sometimes important in this business. How this affects quality, however, remains to be seen.

But we show you a few interesting tidbits we found that raise some serious questions about quality; in fact, they suggest that you trust many of these services at your own risk (see also – The eight myths about Early Warning Systems).

COMMERCIAL EARLY WARNING SYSTEMS TO THE RESCUE – NOT. HOW DID EWSs DO REGARDING THIS VULNERABILITY REPORTED 2007-07-10 (all times European Summer Time = GMT + 2 hours)?

FrSIRT – 2007-07-10, 13:50 hrs
Released an advisory that says it is a Firefox vulnerability, but the name of the advisory changed several times:
– Mozilla Firefox zero-day vulnerability…
– Mozilla Firefox “FirefoxURL” URI Handler Registration Code Execution (16:00 hrs)
– Mozilla Firefox “FirefoxURL://” URI Handler Remote Code Execution (0day) (2007-07-11)

Secunia – 2007-07-10, 14:25 hrs
Same story, Firefox is the culprit; the name given to the alert changes over time:
– Mozilla Firefox zero-day vulnerability…
– Firefox “firefoxurl” URI Handler Registration Vulnerability (2007-07-11)

CyTRAP Labs and CASEScontact.org – 2007-10-10, 14:00 hrs (zero-day) & 15:00 hrs (advisory)
Released a zero-day alert as well as an advisory: CASEScontact.org advisory – Microsoft Internet Explorer (Mozilla Firefox) – zero-day exploit – input validation flaw and vulnerability – proof of concept code released.
Importantly, the material in both points out: 1) Firefox users are protected by using a plug-in and doing some more work; 2) it is not a Firefox vulnerability but a Microsoft Internet Explorer one.
Provides tips on how to further minimize risks and on workarounds.

US-CERT – 2007-07-10, 18:15 hrs (entry on web page only)
Points out that this is an Internet Explorer vulnerability. Importantly, it also states:

    ‘… To trigger this vulnerability, an attacker must persuade a user who has Firefox installed to access a specially crafted web page with Internet Explorer.’

Secuser.com – 2007-07-11, 06:16 hrs
Released an advisory with limited information: Vulnérabilité critique non corrigée dans Firefox (“Critical unpatched vulnerability in Firefox”)

What is interesting is that some alerting services fail to read and test all the information they get, in turn releasing material that needs to be changed down the line. One explanation is that time pressure and competition require a fast response to satisfy clients. Moreover, clients rarely if ever notice the little mistakes we pointed fingers at here; instead, they are happy if the alert comes quickly.

As well, the sheer volume of alerts or advisories some services produce by covering the whole range of products and types of users makes it a real challenge to test all the information that comes across one’s desk. In turn, mistakes happen.

CONCLUSION

In conclusion, releasing information later on does not mean the subscriber gets better quality (e.g., Secuser.com). However, if somebody studies things carefully between the first advisories published and later on, the quality of output can most certainly go up a notch or two (e.g., US-CERT).
The amount of information has resulted in the unfortunate outcome that quality cannot always be maintained by all. Furthermore, as our summary table shows, what comes as new today may actually have been around for a while (since 2003-07 = 4 years! a lifetime in information security).

TREND

Information overflow is increasing the chances for EWS services to overlook things, not having enough time to check carefully and releasing sloppy info.

Another strategy being pursued is keeping it simple by not doing anything (‘… we release Microsoft info or phishing stuff but not zero-days because we do not have the manpower to technically assess this stuff….’) (SEE BELOW).

PS.

Besides the above, several groups decided not to report on this vulnerability such as:

– GOVCERT.NL

– AUSCERT

– itsafe.gov.uk

and so on. We are quite certain that these organizations had good reasons for doing so; unfortunately, due to space limitations these cannot be addressed here.

UPDATE

Some feel it is a Firefox issue; others say it is Microsoft’s Internet Explorer that is to blame, since it has had this generic vulnerability since 2003.

We feel it is the latter, but others feel differently, including the Microsoft Security Crew and Secunia’s CTO Thomas Kristensen:

Blaming the right or the wrong – Update on the Internet Explorer 0-day exploit