Disclosure: bBlog 0.7.4 Multiple Vulnerabilities

[This was originally disclosed on the SourceForge bug tracker. VulnDB 15754, 15755, & 15756]

In 0.7.4:

The blog entry title field seems prone to cross-site scripting (XSS) attacks.

The blog/comment body text seems prone to XSS as well.

In the index.php script, the postid variable seems prone to SQL injection attacks.
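To make the two bug classes in the report concrete, here is an added Python illustration. It is not bBlog's code: the table schema, the handler names (fetch_post_vulnerable, fetch_post_hardened, render_title) and the sample rows are all constructed for this example. It shows how a postid spliced into the SQL text lets a caller change the WHERE clause and pull rows the query was meant to hide, how a type check plus a bound parameter closes that, and how escaping on output neutralises a script tag stored in a title or body field.

```python
"""Constructed illustration of the bBlog 0.7.4 bug classes (not bBlog's code).

Added example: schema, handler names and sample rows are assumptions made
here so the script runs offline against an in-memory SQLite database.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory 'posts' table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, "
        "body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?, ?)",
        [
            (1, "Hello world", "first post", 1),
            # A title that carries a script payload (stored XSS on output).
            (2, "<script>alert(1)</script>", "title carries a payload", 1),
            # A draft that the published=1 filter is supposed to hide.
            (3, "Unpublished draft", "should never be shown", 0),
        ],
    )
    return conn


def fetch_post_vulnerable(conn: sqlite3.Connection, postid: str) -> list:
    """Vulnerable pattern: the request parameter is spliced into the SQL text.

    With postid = "1 OR 1=1" the clause becomes
    'published = 1 AND id = 1 OR 1=1', and because AND binds tighter than
    OR every row is returned, including the unpublished draft.
    """
    sql = f"SELECT id, title FROM posts WHERE published = 1 AND id = {postid}"
    return conn.execute(sql).fetchall()


def fetch_post_hardened(conn: sqlite3.Connection, postid: str) -> list:
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The SQL text is constant; the driver passes the value separately, so no
    content of postid can alter the query structure.
    """
    if not postid.isdigit():
        raise ValueError("postid must be a non-negative integer")
    sql = "SELECT id, title FROM posts WHERE published = 1 AND id = ?"
    return conn.execute(sql, (int(postid),)).fetchall()


def render_title_vulnerable(title: str) -> str:
    """XSS pattern: stored field echoed into HTML unescaped."""
    return f"<h2>{title}</h2>"


def render_title(title: str) -> str:
    """XSS fix: escape on output so markup in the field is shown, not run."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


if __name__ == "__main__":
    db = make_db()
    print("normal:   ", fetch_post_vulnerable(db, "1"))
    print("injected: ", fetch_post_vulnerable(db, "1 OR 1=1"))
    print("hardened: ", fetch_post_hardened(db, "1"))
    try:
        fetch_post_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("hardened rejects injection:", exc)
    payload = fetch_post_vulnerable(db, "2")[0][1]
    print("raw:      ", render_title_vulnerable(payload))
    print("escaped:  ", render_title(payload))
```

The published filter in the constructed query stands in for whatever access control a real index page applies; the point is that concatenation lets the attacker rewrite that control, while the bound parameter leaves the query shape fixed regardless of input.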

Predicting Vulnerabilities, Quotes and More

[This was originally published on the OSVDB blog.]

Interesting article for several reasons. Below are some of the quotes that stood out to me and may prove to be interesting topics.

http://news.bbc.co.uk/1/hi/technology/3485972.stm

Hackers exploit Windows patches
By Mark Ward
Last Updated: Thursday, 26 February, 2004, 10:54 GMT

“We have never had vulnerabilities exploited before the patch was known,” [David Aucsmith, Microsoft Security Business and Technology Unit] said.

I don’t think Aucsmith or any other vendor can say this with any certainty. If a vulnerability is found by a security company and disclosed to the vendor, it leads to a patch down the road. When the patch comes out, many people will reverse engineer it to figure out the vulnerability, as most of us know. On the same note, IDS signatures follow the exploits, which in turn follow the patches. So if an unpatched ‘0-day vulnerability’ is being exploited, how do we know? There is a significantly lower chance of detecting such an attack, which makes it hard to know whether this statement is true.

“It’s a myth that hackers find the holes,” said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

Very interesting! Symantec attempts to predict which vulnerabilities will be exploited next. I wonder how =) It would be easy to do a high-level analysis (expect to see this from mi2g or Gartner): “We predict that the X vulnerability, which is a remote system-level compromise that does not require authentication, will be widely exploited in short order.” We can all predict this and be right most of the time. I assume Symantec does something above and beyond that…

“Almost all attacks against our software are against the legacy systems,” [David Aucsmith] said. “If you want more secure software, upgrade.”

This makes you wonder whether Microsoft doesn’t care more about security because these nasty vulnerabilities are the best argument for buying the latest version it offers. Beyond that, how many of the most recently reported vulnerabilities affect its latest products? This quote seems like pure marketing spin.

Days of Risk

[This was originally published on the OSVDB blog.]

The last few months have seen a lot more talk about the “Days of Risk”. In short, vendors like Microsoft say the days of risk are the time between vulnerability information (or an exploit) being released and a system being patched. So if a new vulnerability is announced on Tuesday and I patch on Friday, there were three days of risk. This makes sense, and it is also why many vendors advocate responsible disclosure and coordinated vulnerability announcements.

So what has been happening lately? I’ve noticed that my Windows XP system’s “auto-update” feature is lagging heavily. Vulnerabilities are announced on a Tuesday, and it is as many as six days before my machine alerts me, downloads and installs the patches. The point of this post is to ask: is six days a lot of risk? To get an idea, let’s look at a few of the recent vulnerabilities announced by Microsoft.

MS05-016, Windows MSHTA Shell Application Association Arbitrary Remote Script Execution
Disclosure: 2005-04-12 // Exploit: 2005-04-13

MS05-021, Exchange Server SMTP Extended Verb Remote Overflow
Disclosure: 2005-04-12 // Exploit: 2005-04-19

MS05-020, IE DHTML Object Memory Corruption Code Execution
Disclosure: 2005-04-12 // Exploit: 2005-04-12

So we have 0 days, 1 day and 7 days between disclosure and public exploit. Due to the lag in Microsoft making the patches available (I honestly don’t care what their excuse is), my computers are vulnerable and there is nothing I can do about it. I don’t think I need to address the fact that many of these vulnerabilities had fully working exploit code developed long before the Microsoft advisories either. Sure, it was held by the researchers and not disclosed, but information is shared, information is leaked, and information is stolen. That is a fact of life that only increases the days of risk.