Exploits are circulating for at least two new vulnerabilities in Microsoft software, barely two days after the critical security holes were disclosed in security advisories. The swift availability of working exploit code provides additional incentive for Windows users to update their systems promptly following the monthly release of security patches.
Microsoft acknowledged Thursday that "detailed exploit code" had been published for a vulnerability in Plug and Play technology that could allow a remote attacker to take control of a Windows machine via the Internet, with Windows 2000 systems being at particular risk. "Users running Windows 2000 are vulnerable to a potential worm attack that would take advantage of this flaw," noted security research firm eEye Security. The vulnerability, known as MS05-039, is addressed in the latest Windows Update patches issued Tuesday.
Fraudsters have exploited a flaw in the eBay web site that allows them to orchestrate phishing attacks using eBay's own Sign In page.
Registered users of eBay's popular online auction web site must sign in using a username and password in order to participate in bidding and listing of items. A new style of phishing attack reported through the Netcraft Toolbar community shows fraudsters exploiting flaws on the Sign In page and on another ancillary page, which result in victims being redirected to the fraudster's phishing site after they have logged in.
This particular attack starts off like many others, by sending thousands of emails that instruct victims to update their eBay account details by visiting a URL. However, that is where the similarity ends, because the URL in this case actually takes the victim to the genuine eBay Sign In page, hosted on signin.ebay.com. By including special parameters at the end of the URL, the fraudster has changed the behaviour of the Sign In page so that when a user successfully logs in, they will then be sent to the fraudster's phishing site via an open redirect hosted on servlet.ebay.com.
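The weakness described above is a return-URL parameter that the sign-in page forwards to without checking it. The following is an added example, not eBay's code or anything from the original report, of the check a sign-in page (or the redirect endpoint on the second host) should apply before forwarding a user: the `ru` parameter name and the `ebay.com` allowlist are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical first-party domain list; the real sign-in page's allowlist is
# not known from the article.
ALLOWED_REDIRECT_DOMAINS = ("ebay.com",)


def is_safe_redirect(target, allowed_domains=ALLOWED_REDIRECT_DOMAINS):
    """Return True only for a same-site relative path or an http(s) URL whose
    host is one of the allowed domains (or a subdomain of one)."""
    if not target:
        return False
    # Backslashes, spaces and control characters are parsed differently by
    # browsers and URL libraries; reject them outright rather than reason about them.
    if "\\" in target or any(ord(c) <= 0x20 for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with a single "/" ("//host/..." is scheme-relative).
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, scheme-relative URLs, etc.
    host = (parts.hostname or "").lower()  # hostname drops user:pass@ and :port
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def post_login_destination(query_string, default="/", param="ru"):
    """Decide where to send the user after a successful sign-in.
    `ru` is a hypothetical return-URL parameter name, not necessarily eBay's."""
    target = parse_qs(query_string).get(param, [""])[0]
    return target if is_safe_redirect(target) else default
```

Two points the example makes: the check must run on every hop, because an allowlisted host (here the second, servlet-hosted redirect) that itself forwards to arbitrary URLs reopens the hole; and matching must be on the parsed hostname, since `http://ebay.com@evil.example/` and `http://signin.ebay.com.evil.example/` both contain the trusted name as a substring.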
The eBay Toolbar reports that the maliciously modified Sign In page is a "Verified eBay Site". Conversely, the Netcraft Toolbar denies access to the modified page while still allowing access to genuine eBay Sign In pages.
The victim is more likely to trust the contents of the fraudster's site, because they have arrived there as a result of signing into eBay via a genuine eBay Sign In page. Because there is less reason to suspect anything is awry, the victim is more likely to surrender any sensitive details in the mistaken belief that they are really giving them to eBay.
Some web hosts are banning the use of phpBB in the wake of persistent security problems for the popular open source web forum program. The move follows renewed attacks on phpBB after a coding error was found in the same file targeted by a December worm attack that defaced thousands of phpBB sites.
"It's been brought to our attention over recent weeks that some hosts are banning or dissuading the use of phpBB," said a message from the phpBB development team. "This is unfortunate for everyone and seems largely to be based on FUD (Ed. fear, uncertainty and doubt). While phpBB has and no doubt will continue to suffer from exploits (show me a piece of software that doesn't!) we have consistently addressed such issues very quickly."
Web hosts are less impressed. One host that has banned the software said phpBB had been its biggest security headache. "Since January, phpBB has been through at least 4, and maybe 5 revisions due to serious vulnerabilities, often found/reported within HOURS of a version release," HostPC said in its customer advisory.
Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.
The flaw affects the XML-RPC function, which has many uses in web applications, including "ping" update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls (RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.
Microsoft's support for RSS (Really Simple Syndication) in its upcoming Longhorn operating system and Internet Explorer 7 browser promises to bring RSS to the masses. Friday's announcement at GnomeDex 2005 generated excitement about new uses for the technology, as well as caution in some quarters about Microsoft's introduction of extensions to RSS.
But what about security? Microsoft's presentations discuss many new uses for RSS, but integrating RSS into the operating system will likely have hackers contemplating new scenarios as well. RSS is currently consumed through a wide variety of news readers, email clients, web sites and browsers. As RSS becomes a standard feature in IE7 and Longhorn, it may become more attractive to malware authors with an interest in delivering malicious code from the Internet onto RSS-enabled desktops.
RSS is an XML format that is widely used to syndicate news from weblogs or news sites. RSS can include HTML tags and many types of content, such as the audio files included in "podcasting" feeds, the current rage among bloggers. The format's versatility also could allow malicious content to be included in feeds and executed by newsreaders or browsers. The possible use of RSS to deliver malware and spam was highlighted by Mark Pilgrim in 2003, and tools have since emerged to help check whether a particular newsreader is securely coded.
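Because feed items can carry arbitrary HTML, a newsreader that renders item descriptions needs the same sanitising step a web application applies to user content. The block below is an added example, not code from any of the readers or tools mentioned above: it allowlists a small set of formatting tags, keeps `href`/`src` only for http(s) URLs, drops every `on*` event attribute, and removes `script`, `style`, `iframe`, `object` and `embed` elements together with their content. The tag and attribute policy is a constructed one for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example: a small tag allowlist, URL attributes
# only with http(s) schemes, and no event-handler attributes at all.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol",
                "li", "blockquote", "code", "pre"}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
TEXT_ATTRS = {"alt", "title"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def _safe_url(value):
    """Accept only absolute http(s) URLs; relative links are dropped too,
    since a feed item has no trustworthy base URL in this example."""
    value = (value or "").strip()
    if any(ord(c) < 0x20 for c in value):
        return False
    return urlsplit(value).scheme.lower() in ("http", "https")


class FeedHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
        self._open = []        # allowed tags currently open, to keep output balanced
        self._skip_depth = 0   # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself but keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                continue  # onclick, onerror, onload, ...
            if (name in URL_ATTRS and _safe_url(value)) or name in TEXT_ATTRS:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in self._open:
            return
        # Close everything opened after the matching tag so the output stays balanced.
        while self._open:
            closed = self._open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    def result(self):
        self.close()
        while self._open:
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_feed_html(fragment):
    """Return a sanitised copy of an RSS item's HTML description."""
    sanitizer = FeedHtmlSanitizer()
    sanitizer.feed(fragment)
    return sanitizer.result()
```

The allowlist approach matters more than the particular tag set: a denylist of known-bad tags misses the next attribute or element a browser decides to execute, whereas anything not explicitly permitted here is dropped by default.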
New phishing attacks embed data-collection forms directly in the emails received by victims, inducing them to send their financial details straight to the phishers by mail rather than through a specially constructed web site mimicking that of the financial institution.
The HTML emails masquerade as a security check on a PayPal account, with the subject "Validate Your Informations by Email" (sic). The message asks recipients to fill in an HTML form, which includes fields for the user's credit card details, date of birth, Social Security number and mother's maiden name. "Completing all of the checklist items will automatically restore your account access," the email advises. Clicking on "Submit to Secure Server" mails the form's contents to a free email account at Yahoo, using a CGI script hosted by a Brazilian hosting reseller at The Planet.
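Mail containing an HTML form is rare enough in legitimate traffic that a gateway or client-side filter can flag it on sight, and the details of the form (where it submits, what it asks for, whether a hidden field names a mailbox as the formmail recipient) say how bad it is. The scanner below is an added example, not a tool from the article: the field-name hints, the hostnames and the sample message are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of field-name fragments that suggest financial or identity data.
SENSITIVE_FIELD_HINTS = ("card", "cvv", "cvc", "ssn", "social", "maiden",
                         "dob", "birth", "password", "passwd", "routing")


class EmailFormScanner(HTMLParser):
    """Collect every <form> in an HTML body with its action, visible fields and
    hidden fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", "").strip(),
                          "fields": [], "hidden": {}}
            self.forms.append(self._form)
        elif self._form is not None and tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or "").lower()
            if a.get("type", "").lower() == "hidden":
                self._form["hidden"][name] = a.get("value", "")
            else:
                self._form["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def scan_email_html(html_body):
    """Return one finding per <form> in an HTML email, listing the reasons it
    looks like an in-mail data-collection form. Any form in a mail body is
    worth a look; the reasons rank how bad it is."""
    scanner = EmailFormScanner()
    scanner.feed(html_body)
    scanner.close()
    findings = []
    for form in scanner.forms:
        reasons = ["email body contains an HTML form"]
        action = form["action"]
        if action.lower().startswith("mailto:"):
            reasons.append("form submits by mailto: to " + action[len("mailto:"):])
        else:
            host = urlsplit(action).hostname
            if host:
                reasons.append("form submits to external host " + host)
        for name, value in form["hidden"].items():
            if "@" in value:  # formmail-style CGI scripts take the recipient this way
                reasons.append(f"hidden field {name!r} routes data to mailbox {value}")
        sensitive = sorted({f for f in form["fields"]
                            if any(h in f for h in SENSITIVE_FIELD_HINTS)})
        if sensitive:
            reasons.append("collects sensitive fields: " + ", ".join(sensitive))
        findings.append({"action": action, "reasons": reasons})
    return findings


# Constructed sample resembling the PayPal-themed mail described above;
# hostnames and addresses are placeholders, not from a real capture.
SAMPLE_PHISH = """
<html><body>
<p>Completing all of the checklist items will automatically restore your account access.</p>
<form method="post" action="http://cgi.hosting-reseller.invalid/cgi-bin/formmail.pl">
  <input type="hidden" name="recipient" value="dropbox@mail.invalid">
  <input name="cardnumber"> <input name="expdate"> <input name="cvv2">
  <input name="dob"> <input name="ssn"> <input name="mothers_maiden">
  <input type="submit" value="Submit to Secure Server">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_PHISH):
        print(finding["action"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Because the form's own fields are what name the data being collected, the scanner does not need the brand text at all; a message with a bare mailto: action and a single "ssn" field is flagged just as readily as the full PayPal imitation.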