

deflected until any hint of consumer responsibility is challenged with the accusation that it is blaming the victim.

Maybe sometimes the victim is, at least somewhat, to blame [2]. Sometimes, maybe the problem with viruses isn't really so unique. Sometimes, we are simply experiencing an age-old problem from a different perspective — less of a virus problem and more of an inability to recognize and accept responsibility for our own actions (or lack thereof)?

Notes:
[1] One pleasant side effect for the AFMA? It will put a damper on foreign imports, currently 14% of a $12.3 billion market.
[2] Of course, the virus writer really is to blame.

vulnerability analysis


16 October: Microsoft Word Macro Name Buffer Overflow Vulnerability
Attackers can construct malicious Word documents with very long macro names. This causes Word to crash. So far I have not received evidence proving that this could be used to execute code on the system.
secunia.com/SA10020

15 October: Microsoft Windows Help and Support Center Buffer Overflow Vulnerability
Attackers can construct Web pages or emails which use the HCP URI handler to cause a buffer overflow in Help and Support Center. This is believed to be exploitable to execute arbitrary code, such as rootkits and viruses.
secunia.com/SA10013

15 October: Microsoft Windows 2000 Buffer Overflow in Windows Troubleshooter ActiveX Control
I have previously written about the great danger of allowing ActiveX in Internet Explorer. This time a vulnerability has been identified in an ActiveX component shipped with Windows 2000 by default. Since the ActiveX component is marked safe for scripting, any website may call it.

The problem is that any website which is allowed to launch this ActiveX component can cause a buffer overflow that could, for example, be exploited to install rootkits and viruses on a user's computer.
secunia.com/SA10011

15 October: Microsoft Windows Buffer Overflow in ListBox and ComboBox Control
For years Microsoft Windows has been vulnerable to so-called "shatter attacks". The vulnerabilities in the ListBox and ComboBox controls are similar in nature to the shatter attack.

The problem occurs if privileged processes (programs running as Administrator or SYSTEM) show windows and dialog boxes in a less privileged user's session. Window messages on a shared desktop are not authenticated, so a less privileged process can send messages carrying attacker-controlled data to a window owned by the privileged process, allowing the less privileged user to escalate privileges and perform tasks with administrative or SYSTEM privileges.

Applications like personal firewalls and anti-virus programs run with higher privileges and could potentially be exploited using shatter-like attacks.
secunia.com/SA10014

15 October: Microsoft Exchange Cross-Site Scripting Vulnerability in Outlook Web Access
Attackers may be able to obtain the credentials of a user reading email through Outlook Web Access by conducting a cross-site scripting attack.

Cross-site scripting injects attacker-supplied script and HTML into a page served by a trusted website, where it runs in the victim's browser with that site's privileges. In the case of Outlook Web Access this could be used to read and write emails or steal user credentials.
secunia.com/SA10016

15 October: Microsoft Windows RPC Race Condition Denial of Service Vulnerability
An exploit constructed for the older RPCSS vulnerability proved that another vulnerability exists in the RPC service. The new vulnerability can be exploited to crash the RPC service, causing the system to stop communicating with other systems via RPC.
secunia.com/SA9978

15 October: Microsoft Windows May Allow Installation of Arbitrary ActiveX Controls
If an attacker can cause Windows to run low on memory, it may be possible to install arbitrary ActiveX controls on the system, because Internet Explorer fails to launch the dialog box prompting the user to accept the installation. ActiveX controls run with the same privileges as the user and could be malicious code like viruses and rootkits.
secunia.com/SA10010

The Big Picture on Big Holes
Thomas Kristenson, CTO Secunia

Thomas Kristenson, CTO at Secunia, provides a personal dissection of recent flaws. From 22 September to 16 October there have been no fewer than 17 advisories affecting Microsoft software and operating systems. The severity has ranged from local, authenticated users being able to gain administrative privileges to intruders gaining remote system access.

15 October: Microsoft Exchange SMTP Extended Request Buffer Overflow
A Microsoft-specific function in Microsoft Exchange has been found vulnerable to a buffer overflow.

The problem is that Exchange allocates a buffer based on the size stated in the client's request rather than checking the actual size of the input. This allows malicious people to craft a request which causes a buffer overflow.

This could be exploited to execute arbitrary code like viruses and rootkits on Exchange 2000 systems. On Exchange 5.5 this is believed merely to cause Exchange to crash.
secunia.com/SA10015
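The flaw described here, an allocation sized from the length the client claims while the copy uses the bytes the client actually sent, is a general pattern worth seeing in code. The following is an added example written for this article, not Exchange's code and not anything taken from the advisory; the request format (an "EXT <length>" line followed by the body) and the 64-byte server limit are assumptions made for the illustration. The vulnerable handler trusts the claimed length; the hardened handler measures the body itself, bounds both values and refuses the request if they disagree.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical server-side limit on an extended-request body (assumption). */
#define MAX_REQUEST_BODY 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_HEADER,       /* request line malformed */
    PARSE_TOO_LONG,         /* claimed or actual body exceeds the limit */
    PARSE_LENGTH_MISMATCH,  /* client claimed one length, sent another */
    PARSE_NO_MEMORY
};

/* Hypothetical wire format, constructed for this example:
 *   "EXT <claimed_len>\r\n<body>"   (body NUL-terminated here)
 * Returns the claimed length and points *body_out at the body, or -1 if the
 * request line is malformed. */
static long read_claimed_length(const char *req, const char **body_out)
{
    char *end;
    long n;

    if (strncmp(req, "EXT ", 4) != 0)
        return -1;
    n = strtol(req + 4, &end, 10);
    if (end == req + 4 || n < 0)
        return -1;
    if (strncmp(end, "\r\n", 2) != 0)
        return -1;
    *body_out = end + 2;
    return n;
}

/* Length of s without ever looking past `limit` bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t i = 0;
    while (i < limit && s[i] != '\0')
        i++;
    return i;
}

/* VULNERABLE: the buffer is sized from the client's claimed length, but the
 * copy uses the length of what the client actually sent, so a body longer
 * than the claim writes past the end of the heap chunk. Shown for contrast;
 * only call it with a consistent request. */
char *handle_ext_vulnerable(const char *req)
{
    const char *body;
    long claimed = read_claimed_length(req, &body);
    if (claimed < 0)
        return NULL;
    char *buf = malloc((size_t)claimed + 1);   /* sized from attacker input */
    if (buf == NULL)
        return NULL;
    size_t actual = strlen(body);
    memcpy(buf, body, actual);                 /* overflows when actual > claimed */
    buf[actual] = '\0';
    return buf;
}

/* How many bytes the vulnerable path would write past its buffer. */
size_t overflow_bytes(const char *req)
{
    const char *body;
    long claimed = read_claimed_length(req, &body);
    if (claimed < 0)
        return 0;
    size_t actual = strlen(body);
    return actual > (size_t)claimed ? actual - (size_t)claimed : 0;
}

/* HARDENED: bound the claim, measure the body itself, and require the two to
 * agree before allocating or copying anything. */
enum parse_status handle_ext_hardened(const char *req, char **out)
{
    const char *body;
    *out = NULL;
    long claimed = read_claimed_length(req, &body);
    if (claimed < 0)
        return PARSE_BAD_HEADER;
    if (claimed > MAX_REQUEST_BODY)
        return PARSE_TOO_LONG;
    size_t actual = bounded_len(body, MAX_REQUEST_BODY + 1);
    if (actual > MAX_REQUEST_BODY)
        return PARSE_TOO_LONG;
    if (actual != (size_t)claimed)
        return PARSE_LENGTH_MISMATCH;
    char *buf = malloc(actual + 1);
    if (buf == NULL)
        return PARSE_NO_MEMORY;
    memcpy(buf, body, actual);
    buf[actual] = '\0';
    *out = buf;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed requests: one honest, one claiming 5 bytes but sending 20. */
    const char *good = "EXT 5\r\nhello";
    const char *bad  = "EXT 5\r\n" "AAAAAAAAAA" "AAAAAAAAAA";
    char *out = NULL;
    printf("vulnerable path would overflow by %zu bytes\n", overflow_bytes(bad));
    printf("hardened(good) -> %d\n", handle_ext_hardened(good, &out));
    free(out);
    printf("hardened(bad)  -> %d\n", handle_ext_hardened(bad, &out));
    return 0;
}
```

The order of checks in the hardened version matters: the claim is bounded before the body is measured and before anything is allocated, so an oversized claim cannot be used to exhaust memory either, and the body is measured with a bounded scan so a missing terminator cannot run the length check off the end of the receive buffer.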

15 October: Microsoft Windows Buffer Overflow in Messenger Service
We have all heard about the infamous Windows pop-up spam, which affects thousands of private Windows users whenever they connect to the Internet. In September a Microsoft product manager said to USA Today that Messenger didn't pose a security threat. Apparently the Polish research group LSD wanted to prove him wrong.

The problem is that messages which contain special characters aren't checked properly to determine the actual size of the message. This allows a maliciously crafted message to cause a buffer overflow, which could be exploited to execute code like rootkits and viruses on the system.

This could potentially allow another Blaster-like worm to strike.
secunia.com/SA10012

11 October: Microsoft Windows Message Queuing Service Heap Overflow Vulnerability
Apparently this vulnerability was fixed in Windows 2000 Service Pack 3, but for some reason it has not previously been reported in public.

This vulnerability could allow people on a corporate network to execute arbitrary code like viruses or rootkits on the system.
secunia.com/SA9991

10 October: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal
A protective measure in the "shell://" URI handler fails to prevent escaping the shell working folder when paths contain the dot-dot-slash ("../") sequence. This could allow access to arbitrary local files whose location is known.

While this in itself doesn't pose a serious risk, it could potentially be combined with other bugs or vulnerabilities to conduct more intrusive attacks.
secunia.com/SA9989
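A traversal guard that looks for a literal "../" substring is exactly the kind of protective measure that fails; the reliable approach is to normalise the requested path segment by segment and refuse anything that climbs above the base folder. The following C routine is an added example, not Windows' shell handler and not code from the advisory; the base folder, the sample inputs and the '/'-joined output form are assumptions for the illustration. It treats both '/' and '\' as separators, drops "." segments, pops a segment on "..", and rejects absolute or drive-qualified paths outright.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Resolve `rel` against `base` lexically. "." is dropped, ".." pops the
 * previous segment, and popping below `base` is rejected. Absolute paths and
 * drive-qualified paths ("C:...") are never treated as relative. On success
 * writes base + "/" + normalised path to `out` and returns 1; otherwise
 * returns 0 and leaves `out` empty. */
int resolve_within_base(const char *base, const char *rel, char *out, size_t outsz)
{
    const char *seg[MAX_SEGMENTS];
    size_t len[MAX_SEGMENTS];
    int n = 0;
    const char *p = rel;

    out[0] = '\0';
    if (rel[0] == '\0' || is_sep(rel[0]))
        return 0;                                   /* empty or absolute */
    if (((rel[0] | 0x20) >= 'a' && (rel[0] | 0x20) <= 'z') && rel[1] == ':')
        return 0;                                   /* drive letter */

    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && !is_sep(*p))
            p++;
        size_t l = (size_t)(p - start);
        while (is_sep(*p))
            p++;                                    /* collapse repeated separators */
        if (l == 1 && start[0] == '.')
            continue;                               /* "." stays in place */
        if (l == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return 0;                           /* would climb above base */
            n--;
            continue;
        }
        if (n == MAX_SEGMENTS)
            return 0;
        seg[n] = start;
        len[n] = l;
        n++;
    }

    /* Rebuild from the surviving segments, checking the output bound as we go. */
    size_t used = strlen(base);
    if (used + 1 > outsz)
        return 0;
    memcpy(out, base, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + len[i] + 1 > outsz) {
            out[0] = '\0';
            return 0;
        }
        out[used++] = '/';
        memcpy(out + used, seg[i], len[i]);
        used += len[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed inputs: a substring check for "../" misses the backslash
     * form; segment-wise normalisation rejects it. */
    const char *tests[] = { "docs/./readme.txt", "a/b/../c//d", "docs/../../secret.txt",
                            "..\\..\\windows\\win.ini", "/etc/passwd", "D:\\x" };
    char out[512];
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        int ok = resolve_within_base("C:/Documents", tests[i], out, sizeof out);
        printf("%-28s -> %s\n", tests[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

This is a lexical check only. URL-encoded forms such as %2e%2e must be decoded before it runs, and because junctions and symbolic links inside the folder can point outside it, a handler should also confirm after opening the file that its real path still lies under the base.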

7 October 2003: Microsoft Windows Media Player DHTML Local Zone Access
Windows Media Player allows media files to include links to external resources. A vulnerability in the handling of these URLs allows attackers to create otherwise legitimate media files which can access Local Zone resources.

This could be used to bypass the security model of Internet Explorer, because Internet Explorer automatically launches media files. When Windows Media Player allows access to local resources, the protection in Internet Explorer is effectively bypassed.
secunia.com/SA9957

10 October: Microsoft Internet Explorer Update Fixes the Object Data Vulnerability
Almost one month after the first report about how to bypass the original Object Data patch, Microsoft released a new patch, which seems to do the job. The Object Data vulnerability allowed websites and emails to launch arbitrary code like viruses, rootkits and advertising software on user systems. I have seen several minor attempts by questionable business people to spam users of Outlook Express and Internet Explorer by automatically installing so-called "bars" in Internet Explorer, forcing the user to see specific advertisements. This vulnerability is extremely easy to exploit and very similar in nature to the vulnerability which allowed the Nimda virus to flood the Internet in 2001.
secunia.com/SA9935

3 October: Microsoft Windows Unauthorised Thread Termination
This provides another case of less privileged users being able to interact with privileged processes like personal firewalls and anti-virus programs.

The problem is that users are able to send messages which cause the program to exit. This is possible if the program has a message queue. This is similar in nature to the previously mentioned shatter attack.
secunia.com/SA9921

24 September: Microsoft PowerPoint Modify Protection Bypass
Microsoft has implemented a "protective measure" which allows users to "write-protect" a PowerPoint file.

This feature, however, can easily be circumvented. One of several ways of doing this is by selecting the Microsoft Script Editor, which causes the contents of the PowerPoint file to be written to temporary HTML files. The document could also be opened using a non-Microsoft presentation program which doesn't honour the "protection".
secunia.com/SA9834

22 September: Microsoft Windows TCP Packet Information Disclosure
Under certain circumstances it may be possible to cause Windows to expose 16 bits of data from other concurrent data transfers. This is possible because Microsoft Windows sometimes fails to clear the URG flag. When this happens Windows doesn't calculate the correct value for the urgent pointer but instead sends whatever 16 bits were already in that field.
secunia.com/SA9799
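What the advisory describes, an URG flag that is not cleared and an urgent pointer that is not recomputed, comes down to building a header in a buffer that still holds bytes from a previous segment and writing only the fields the current segment needs. The following C model is an added example of that failure mode and its fix, not Windows' TCP stack and not code from the advisory; the stale buffer contents, the field values and the helper names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_HDR_LEN  20
#define TCP_FLAG_PSH 0x08
#define TCP_FLAG_ACK 0x10
#define TCP_FLAG_URG 0x20

/* Fields a sender needs for a plain data segment. */
struct tcp_fields {
    uint16_t sport, dport, window;
    uint32_t seq, ack;
    int      urgent;        /* nonzero: set URG and the urgent pointer */
    uint16_t urg_offset;    /* urgent pointer value when urgent != 0 */
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE: writes only the fields it cares about into a buffer reused
 * across segments. Flags are OR-ed in, so an URG bit left by the buffer's
 * previous occupant survives, and bytes 18..19 (urgent pointer) are never
 * written unless this segment is itself urgent. */
void build_tcp_header_stale(uint8_t *hdr, const struct tcp_fields *f)
{
    put16(hdr, f->sport);
    put16(hdr + 2, f->dport);
    put32(hdr + 4, f->seq);
    put32(hdr + 8, f->ack);
    hdr[12] = (uint8_t)((TCP_HDR_LEN / 4) << 4);          /* data offset, no options */
    hdr[13] = (uint8_t)(hdr[13] | TCP_FLAG_ACK | TCP_FLAG_PSH); /* stale bits survive */
    put16(hdr + 14, f->window);
    put16(hdr + 16, 0);                                   /* checksum filled in later */
    if (f->urgent) {
        hdr[13] = (uint8_t)(hdr[13] | TCP_FLAG_URG);
        put16(hdr + 18, f->urg_offset);
    }
}

/* HARDENED: zero the header first, assign flags rather than OR-ing them, and
 * write the urgent pointer on every segment. */
void build_tcp_header_clean(uint8_t *hdr, const struct tcp_fields *f)
{
    memset(hdr, 0, TCP_HDR_LEN);
    put16(hdr, f->sport);
    put16(hdr + 2, f->dport);
    put32(hdr + 4, f->seq);
    put32(hdr + 8, f->ack);
    hdr[12] = (uint8_t)((TCP_HDR_LEN / 4) << 4);
    hdr[13] = (uint8_t)(TCP_FLAG_ACK | TCP_FLAG_PSH | (f->urgent ? TCP_FLAG_URG : 0));
    put16(hdr + 14, f->window);
    put16(hdr + 18, f->urgent ? f->urg_offset : 0);
}

/* What a peer or a sniffer sees: the urgent pointer if URG is set, else -1. */
int urgent_pointer_on_wire(const uint8_t *hdr)
{
    return (hdr[13] & TCP_FLAG_URG) ? (int)get16(hdr + 18) : -1;
}

/* Make the scratch buffer look as if it last carried another connection's
 * segment: an urgent segment whose pointer was 0x1337 (constructed content). */
void simulate_stale_buffer(uint8_t *buf)
{
    memset(buf, 0xA5, TCP_HDR_LEN);
    buf[13] = TCP_FLAG_URG | TCP_FLAG_ACK;
    put16(buf + 18, 0x1337);
}

int main(void)
{
    uint8_t buf[TCP_HDR_LEN];
    struct tcp_fields f = { 49152, 80, 8192, 1, 1, 0, 0 };   /* a non-urgent segment */

    simulate_stale_buffer(buf);
    build_tcp_header_stale(buf, &f);
    printf("stale builder: urgent pointer on wire = %d\n", urgent_pointer_on_wire(buf));

    simulate_stale_buffer(buf);
    build_tcp_header_clean(buf, &f);
    printf("clean builder: urgent pointer on wire = %d\n", urgent_pointer_on_wire(buf));
    return 0;
}
```

The leak is two bytes per segment, which sounds small until the buffer's previous occupant was another user's payload and the victim is sending a long transfer; the fix is the general rule for any reused packet or header buffer: clear it, then set every field explicitly.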


22 September: Microsoft BizTalk Server Insecure Permissions
By default BizTalk implements insecure permissions on certain Web folders, allowing malicious intruders to upload arbitrary files to these folders. This could be exploited to change the contents of the website or upload malicious programs like viruses and rootkits.
secunia.com/SA9800

The last month has been rather quiet when it comes to Linux/Unix, with only two significant vulnerabilities, in OpenSSH and OpenSSL. These should be patched as soon as possible even though we haven't seen any working exploits yet.
secunia.com/SA9886
secunia.com/SA9825


research

Jussi Angesleva [1] is based in MIT's Media Lab Europe in Dublin. He is exploring a different way of interacting with the information on PDAs utilising mnemonics, or memory aids. What Body Mnemonics does is use your body space as the interface to the device when you are looking for, say, a phone number, a name or a shortcut to an application. Information is stored and subsequently accessed by placing the PDA on different parts of the body. So, for instance, to access your financial information you might physically move the device to your chest pocket. If you wanted to look up a diary entry you could put the PDA on your head. Body Mnemonics is similar, in a way, to the desktop, where different shortcuts, applications, URLs and subfolders are placed spatially. However, instead of them being on screen space, they are in real space, defined by the reach of the user's arms. These different data objects can be placed and retrieved to and from different locations in the same way. What this system is doing is easing your cognitive load, using a limited number of body locations as a mnemonic frame of reference for organizing copious amounts of information.

Jussi explains, "For PDAs with tiny screens and keyboards you need both hands and full visual concentration to find anything, which means you have to stop whatever else you are doing. But portable devices should be usable when you are doing something else. They really serve as reference databases, and you need to access this information as quickly and intuitively as possible. The information you normally organize on the desktop you are now organizing spatially in the three-dimensional space that surrounds your body, that follows you when you are moving, the limits being defined only by how far you can physically reach."

When you think about it, there are some pretty obvious implications for mobile security from the Body Mnemonics point of view. Think of the two most obvious scenarios. If your PDA was stolen while powered off, the information could not be accessed without a password. If the PDA was powered on, though, and you were logged in, could the thief use the screen menus as normal, and not have to use the physical gestures? "Having information stored in an invisible space around you, it becomes much harder for any third party to access without your consent", says Jussi Angesleva. "Though, that really has not been at the forefront of the project. I propose the system as an augmentation of the traditional interface, and hence all the data accessible through the motion interface would also be available, more tediously, through the traditional channels. But having said that, the principle of course would still apply very much to keeping your data private."

"Then again", asks Jussi, "when you are accessing the data in public, are you not broadcasting the gestures to the public around you, therefore making the keys more accessible to those who might be attempting to steal them?" I wonder whether biometrics would overcome this. What if a biometric component was added to the PDA that could read a section of your hand, so that the PDA only works when being held by you? "Yes, it is true that the gestures would definitely be very personal, and inaccessible to anyone else, but I really propose this as a usability improvement, and not replacing the onscreen alternative. Therefore, if someone wanted to access your stuff, having the device would be enough, as you still could go through the on-screen menus." Another possibility is that the PDA be incorporated into a small yet tangible object like a wristwatch, making it impossible to steal unless you took it off. Interestingly, Fossil [2] has already done this in collaboration with Palm, their Wrist PDA watch including all the usual components of a standard PDA.

Security was not on Jussi's mind when he devised this concept, but that does not mean that someday some of his ideas could not be incorporated into a clever security solution.

Notes
[1] www.mle.ie/jussi/projects/body_mnemonics/index.php
[2] www.fossil.com

Body Mnemonics in PDA Security
Berni Dwan

There is no doubt that PDAs have come of age as the communications device of choice for the growing legions of road warriors. However, PDAs can become just as vulnerable as desktop systems to viruses, mobile-code exploits and spam.