[pdp] provides some perspective on the news regarding the GIFAR attack developed by researchers at NGS Software. As he explains, the idea behind the attack, which basically relies on combining a JAR with other files is not new. Combining JAR/ZIP files with GIF/JPG files will create hybrid files with headers at both the top and bottom of the file and allow them to bypass any image manipulation library as valid files. While tightened security and more stringent file validation practices are advisable, the problem is larger than just a vulnerability in browser security. ZIP is an incredibly generic packing technology used everywhere, from Microsoft files to Open Office documents, and of course, in JAR files. He closes with, “any file format that is based on ZIP, you allow your users to upload on your server, can be used in an attack”
[photo: Jon Jacobsen]
Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.
The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.
The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.
UPDATE: Full audio of the webcast is now available
Today Black Hat held a preview webcast with [Dan Kaminsky] about the massive DNS bug he discovered. On July 8th, multiple vendors announced a patch for an undisclosed DNS vulnerability. [Dan Kaminisky] did not release the details of the vulnerability at that time, but encouraged security researchers to not release their work, if they did happen to discover the bug. On the 21st, the full description of the vulnerability was leaked.
In today’s webcast, [Dan] covered how he felt about the handling of the vulnerability and answered a few questions about it. He started out by talking about how he stumbled across the bug; he was working on how to make content distribution faster by using DNS to find the server closest to the client. The new attack works because DNS servers not using port randomization make it easy for the attacker to forge a response. You can read the specifics of the attack here.
Continue reading “DNS cache poisoning webcast”
Which is a better method for finding vulnerabilities, fuzzing or static-code analysis? The question will be put to the test at next month’s Black Hat USA conference, where two experienced
hackers security researchers will be given a piece of mystery code and one hour to find all the vulnerabilities they can using one of the two methods. [Charlie Miller] from Independent Security Evaluators will use fuzzing and [Sean Fay] from Fortify Software will use static-code analysis to detect the vulnerabilities in the code. We reported on [Miller]’s fuzzing talk while at Toorcon 9.
The pair will be allowed to use their own equipment, but they won’t see the code until the moment the showdown begins. For an added bit of fun, conference attendees are welcome to join in the contest. The audience member who finds the most exploits within the hour wins a free dinner at a new Las Vegas restaurant. But you don’t have to wait until then to weigh in; go ahead and post your thoughts on fuzzing vs. static-code analysis in the comments, just be ready to back up your claims.
Nominations for the 2008 Pwnie Awards have opened. The annual event, in its second year, is accepting nominations in nine categories ranging from Mass 0wnage to Best Song. The awards will be presented at the Black Hat in Las Vegas in August. Linux.com covered last year’s awards ceremony.
We’re headed to Cleveland at the end of the week (we’ve heard rumors it rocks) and thought it would be good to list the events we’re planning on hitting in the next five months.
- Notacon / Blockparty April 4-6 Cleveland, OH – This will be a first for us, but we’re definitely excited, especially for the demoscene madness at Blockparty (like Trixter’s MONOTONE PC speaker tracker).
- ToorCon Seattle April 18-20 Seattle, WA – In its second year, this small gathering is sure to be a blast just like last year.
- The Last HOPE July 18-20 New York, NY – Our first HOPE and the last one ever.. since the hotel is being torn down.
- Black Hat US August 2-7 Las Vegas, NV – If anything gets released this year, it’ll be here.
- DefCon August 8-10 Las Vegas, NV – The first con we ever went to. It’s not the best con, but it’s always interesting.
- SIGGRAPH August 11-15 Los Angeles, CA – SIGGRAPH is where you need to be if you want to see cutting edge graphics and interaction projects. It’s a favorite of ours and a nice break from computer security.
Anything we’re missing?
UPDATE: Maker Faire May 3-4 San Mateo, CA – Can’t believe we forgot it. Thanks [pt]!