RE: New article on SecurityFocus

[Jim Clausing <clausing () ieee org>]

www.knoppix-std.org had an iframe that loaded a WMF for a while last 
Saturday (I believe, might have been Sunday).  Does that count?  It 
certainly isn't a porn site.

--Jim

On or about Fri, 6 Jan 2006, Brady McClenon pontificated thusly:

> What about them?  All may be possible, but my question remains.  Have we
> seen this, or is it just theory?  And, is the server hosting the forum
> truly infected/compromised?  It's like saying a snake is infected with
> it's own venom.
>
> Also, I dismiss any findings on porn sites.  90% of people that frequent
> porn sites would install the same compromise if it came with EULA they
> had to agree to before installation.  You don't need to dupe porn fiends
> into doing anything, just making it stand between them and their porn is
> enough.  Might seem harsh, but does anyone truly disagree? :)
>
> One last rant... I'm tired of hearing in the media that file indexers
> like Google desktop can cause a compromise through the WMF exploit.  It
> only indexes what is ALREADY on your hard drive.  How did it get there
> to begin with?!?  Obviously the user interacted with it at some point in
> the past in order to put it there.  The exploit would have occurred at
> that point, not when the file indexer finds it later!
>
>
>
> > -----Original Message-----
> > From: Socrates [mailto:socrates () newsguy com] 
> > Sent: Friday, January 06, 2006 2:13 PM
> > To: Brady McClenon
> > Cc: Drew Simonis; Thor (Hammer of God); Erin Carroll; 
> > pen-test () securityfocus com; Larry Seltzer; focus-ms () securityfocus com
> > Subject: Re: New article on SecurityFocus
> >
> > What about a trojaned avatar for your username in a forum? 
> > How about a 
> > malicious iframe inclusion in HTML enabled forums?
> >
> > Brady McClenon wrote:
> > > Just curious.  I hear media reports and people saying that there's
> > > hundreds or thousands of compromised web site from this, 
> > but I have ask
> > > where these numbers come from?  Where is this data, or is it pure
> > > speculation?  I'm also curious how one could compromise a web server
> > > with this exploit.  Putting files on a web server to dole out and
> > > compromise other computers I can see, but is the web server really
> > > compromised in this case?  If so, was it by way of the WMF exploit?
> > >
> > > One last question:  Has anyone here experienced or know 
> > anyone that has
> > > a "legitimate" web server compromised (or serving out) by the WMF
> > > exploit.  I'm trying to determine if there are those with actual
> > > knowledge that the sky is indeed falling, or if we are all 
> > shaking over
> > > unsubstantiated media hype.
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Drew Simonis [mailto:simonis () myself com] 
> > > > Sent: Friday, January 06, 2006 10:22 AM
> > > > To: Thor (Hammer of God); Erin Carroll; pen-test () securityfocus com
> > > > Cc: Larry Seltzer; focus-ms () securityfocus com
> > > > Subject: Re: New article on SecurityFocus
> > > >
> > > >
> > > > > Overall, I think community's coverage of wmf has been delivered 
> > > > > with an ounce of perception, and a pound of obscurity.  
> > It's almost 
> > > > > as if people *want* it to be worse than it is.  I'm not surprised, 
> > > > > of course.  But regardless,  my call is that we'll see a little 
> > > > > activity here and there, the patch will come out, most 
> > will install 
> > > > > it (or have it installed automatically) and the whole issue will 
> > > > > fade away.  But that's all.
> > > > >
> > > > > We'll know for sure shortly, either way.
> > > >
> > > > Thor,
> > > > I think your path of thought is stuck a bit in the past.  
> > > > Worms are neat as a technical exercise, but we see more and 
> > > > more that the attackers are increasingly aware of the value 
> > > > of these vulnerabilities from a financial perspective, not 
> > > > merely for notoriety.  As such, it benefits the attacker to 
> > > > have a less subtle attack, one that does not sensationalize 
> > > > the vulnerability.  Complacency is their ally.  
> > > >
> > > > That said, there are already numerous (hundreds+) 
> > > > "legitimate" web sites that have been compromised and had 
> > > > exploit images injected into their content.  There are also 
> > > > already hundreds of thousands of machines that have been 
> > > > infected with Trojans or bots.  These infected machines will 
> > > > patch, but they won't be safe, and the problem gets worse.  
> > > >
> > > > So no, there won't be some catastrophic worm event.  But I 
> > > > posit that what there will be could be much worse.  
> > > >
> > > > -- 
> > > > ___________________________________________________
> > > > Play 100s of games for FREE! http://games.mail.com/
> > > >
> > > >
> > > > --------------------------------------------------------------
> > > > -------------
> > > > --------------------------------------------------------------
> > > > -------------
> > --------------------------------------------------------------
> > ----------------
> > > Audit your website security with Acunetix Web Vulnerability Scanner:
> > >
> > > Hackers are concentrating their efforts on attacking 
> > applications on your
> > > website. Up to 75% of cyber attacks are launched on 
> > shopping carts, forms,
> > > login pages, dynamic content etc. Firewalls, SSL and 
> > locked-down servers are
> > > futile against web application hacking. Check your website 
> > for vulnerabilities
> > > to SQL injection, Cross site scripting and other web 
> > attacks before hackers do!
> > > Download Trial at:
> > >
> > > http://www.securityfocus.com/sponsor/pen-test_050831
> > --------------------------------------------------------------
> > -----------------
> > >
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------