Seven years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first.
The threat landscape is very dynamic, which in turn makes it necessary to adopt newer security measures. Just over the last year, the kinds of vulnerabilities that are being exploited are very different from the ones being exploited in the past. Here are some observations:
- Operating systems have fewer vulnerabilities that can lead to massive Internet worms. For instance, during 2002-2005, Microsoft Windows worms like Blaster, Nachi, Sasser and Zotob infected a large number of systems on the Internet. There have not been any new large-scale worms targeting Windows services since 2005. On the other hand, vulnerabilities found anti-virus, backup or other application software, can result in worms. Most notable was the worm exploiting the Symantec anti-virus buffer overflow flaw last year.
- We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.
- Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations. A few years back securing servers and services was seen as the primary task for securing an organization. Today it is equally important, perhaps even more important, to prevent users having their computers compromised via malicious web pages or other client-targeting attacks.
- Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year. These vulnerabilities are being exploited widely to convert trusted web sites into malicious servers serving client-side exploits and phishing scams.
- The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2007!
- Attackers are finding more creative ways to obtain sensitive data from organizations. Therefore, it is now critical to check the nature of any data leaving an organization’s boundary.
The SANS Top 2007 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; the Internet Storm Center, and many other user organizations. A list of participants appears at the end of this document.
The SANS Top 2007 list is not “cumulative.” We include only critical vulnerabilities from the past year or so. If you have not patched your systems for long time, it would be wise to patch the vulnerabilities listed in the Top 20 2006 list as well as those in the prior lists. At the end of this document, you will find a short FAQ (list of frequently asked questions) that answers questions you may have about the project and the way the list is created.
This year’s list of top risks diverges from lists in past years that focused on very specific technical vulnerabilities that could be fixed by tweaking a configuration or applying one patch. Because attackers are moving so quickly today, such point-fixes are outdated almost immediately. For that reason, this year’s list of top risks focuses more on the areas that attackers are targeting and where organizations need to enhance their security processes to ensure consistent application of technical fixes.
The SANS Top 2007 is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods of protection are identified, and we welcome your input along the way. This is a community consensus document — your experience in fighting attackers and in eliminating the vulnerabilities can help others who come after you. Please send suggestions via e-mail to email@example.com
Client-side Vulnerabilities in:
C1. Web Browsers
Microsoft Internet Explorer is the world’s most popular web browser and is installed by default on every Microsoft Windows system. Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious web page or reads a malicious email. Exploit code for many of these critical Internet Explorer flaws is publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have been discovered. These are also being exploited via Internet Explorer.
Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has a fair share of vulnerabilities. In 2007, it has released several updates to address publicly disclosed vulnerabilities. Similarly to Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The web sites exploiting the browser vulnerabilities typically host a several exploits, and even launch the appropriate exploit(s) based on which browser the potential victim is using.
With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser Helper Object and third-party plug-ins used to access various MIME file types such as multimedia and documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be aware that an at-risk helper object or plug-in is installed on his/her system. These additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites.
In October 2007, for example, systems running Windows XP and Windows Server 2003 with Windows Internet Explorer 7 were found not to handle specially crafted Uniform Resource Identifiers (URIs) properly. By creating a specially crafted URI in a PDF document attackers were able to execute arbitrary commands on vulnerable systems.
While some plug-ins such as Adobe Reader and Quicktime perform version checks and provide an update feature, these are often bothersome and ignored by users. It is often also difficult to detect which version of a plug-in is installed. For example, systems may have different versions of Shockwave installed for reasons of backward compatibility, but the user cannot easily discover which version or versions are running.
These flaws have been widely exploited to install spyware, adware and other malware on users’ systems. The spoofing flaws have been leveraged to conduct phishing attacks. In some cases, these vulnerabilities were zero-days i.e. no patch was available at the time the vulnerabilities were publicly disclosed. Many reported plug-ins were also widely exploited by malicious web sites before patches were made available by the vendor.
In 2007 alone, Microsoft has released multiple updates for Internet Explorer.
- Cumulative Security Update for Internet Explorer (939653) (MS07-057)
- Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127) (MS07-050)
- Cumulative Security Update for Internet Explorer (937143) (MS07-045)
- Cumulative Security Update for Internet Explorer (933566) (MS07-033)
- Vulnerabilities in GDI Could Allow Remote Code Execution (925902) (MS07-017)
- Cumulative Security Update for Internet Explorer (931768) (MS07-027)
- Cumulative Security Update for Internet Explorer (928090) (MS07-016)
- Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969) (MS07-004)
Note that the latest cumulative update for Internet Explorer includes all the previous cumulative updates. Also note that MS07-017 does not list vulnerabilities in Internet Explorer; however, the most common avenue of exploitation is via Internet Explorer.
C1.2 Operating Systems Affected
While in theory any web browser on any operating system is vulnerable, the most common web browsers will tend to be targeted most by attackers. The two most popular web browsers on the Internet today are Microsoft Internet Explorer and Mozilla Firefox.
Internet Explorer 5.x, 6.x and 7 running on all versions of Windows are affected
Firefox running on any version of compatible operating systems is potentially vulnerable.
As plug-ins are generally used to enable access to third party file formats, many plug-in vulnerabilities apply to all compatible browsers on all operating systems. Any web browser running on any version of any operating system is potentially vulnerable.
C1.3 CVE Entries
CVE-2006-4697, CVE-2007-0024, CVE-2007-0217, CVE-2007-0218, CVE-2007-0219, CVE-2007-0942, CVE-2007-0944, CVE-2007-0945, CVE-2007-0946, CVE-2007-0947, CVE-2007-1749, CVE-2007-1750, CVE-2007-1751, CVE-2007-2216, CVE-2007-2221, CVE-2007-2222, CVE-2007-3027, CVE-2007-3041, CVE-2007-3826, CVE-2007-3892, CVE-2007-3896
CVE-2007-0776, CVE-2007-0777, CVE-2007-0779, CVE-2007-0981, CVE-2007-1092, CVE-2007-2292, CVE-2007-2867, CVE-2007-3734, CVE-2007-3735, CVE-2007-3737, CVE-2007-3738, CVE-2007-3845, CVE-2007-4841, CVE-2007-5338
The CVEs for plug-ins like Media Players are listed in the section C4.
C1.4 How to Determine If You Are at Risk
You can use any vulnerability scanner to check whether your systems are patched against these vulnerabilities.
For Internet Explorer, consider using the Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live Scanner or Systems Management Server (SMS) to check the security patch status of your systems.
To see the plug-ins most recently used by Internet Explorer 7, select Tools -> Internet Options. Under the Programs tab, select Manage Add-ons. You can select different views of browser plug-ins, including those currently loaded, plug-ins that have been used by Internet Explorer, and those configured to run without requiring permission. You can disable any of these by clicking on a specific add-on and selecting Disable.
For Firefox, select Tools -> Options -> Content -> File Types -> Manage to see how Firefox will handle various file formats.
Third-parties have begun releasing tools, such as Secunia PSI (currently in beta), which scan for browser helper object versions and patches.
C1.5 How to Protect against These Vulnerabilities
- If you are using Internet Explorer on your Windows XP system, the best way to remain secure is to upgrade to Windows XP Service Pack 2. The improved operating system security and Windows Firewall will help mitigate risk. For those unable to use Windows XP with Service Pack 2, switching away from Internet Explorer to an alternative browser is the safest path.
- Users should upgrade to version 7 of Internet Explorer, which provides improved security over previous versions. The latest version of Internet Explorer, IE7, is being distributed by Microsoft as a Critical Update (KB926874)
- Keep the systems updated with all the latest patches and service packs. If possible enable Automatic Updates on all systems.
- Pay attention to Microsoft Security Advisories; implementing suggested mitigations before the patch becomes available could alleviate exposure to zero day attacks.
- To prevent exploitation of remote code execution vulnerabilities at Administrator level, use tools like Microsoft DropMyRights to implement “least privileges” for Internet Explorer.
- Prevent vulnerable ActiveX components from running inside Internet Explorer via the “killbit” mechanism.
- Many spyware programs are installed as Browser Helper Objects. A Browser Helper Object or BHO is a small program that runs automatically every time Internet Explorer starts and extends the browser’s capabilities. Browser Helper Objects can be detected with Antispyware scanners.
- Use intrusion prevention/detection systems, anti-virus, anti-spyware and malware detection software to block malicious HTML script code.
- Windows 98/ME/NT are no longer supported for updates. Legacy users should consider upgrading to Windows XP.
- Consider using other browsers such as Mozilla Firefox that do not support ActiveX technology.
C1.6 How to Secure Web Browsers
To configure the security settings for Internet Explorer:
- Select Internet Options under the Tools menu.
- Select the Security tab and then click Custom Level for the Internet zone.
- Most of the flaws in IE are exploited through Active Scripting or ActiveX Controls.
- Under Scripting, select Disable for Allow paste operations via script to prevent content from being exposed from your clipboard. Note: Disabling Active Scripting may cause some web sites not to work properly. ActiveX Controls are not as popular but are potentially more dangerous as they allow greater access to the system.
- Select Disable for Download signed and unsigned ActiveX Controls. Also select Disable for Initialize and script ActiveX Controls not marked as safe.
- Java applets typically have more capabilities than scripts. Under Microsoft VM, select High safety for Java permissions in order to properly sandbox the Java applet and prevent privileged access to your system.
- Under Miscellaneous select Disable for Access to data sources across domains to avoid cross-site scripting attacks.
- Ensure that no un-trusted sites are in the Trusted sites or Local intranet zones as these zones have weaker security settings than the other zones.
- Microsoft has published a “Internet Explorer 7 Desktop Security Guide” to enhance Internet Explorer security. It examines the new features and setting that can be modified to provide a more “locked down” security configuration for Internet Explorer 7.
To configure the security settings for Firefox:
- Select Options under the Tools menu.
- Further customization of Firefox configuration can be obtained at http://kb.mozillazine.org/About:config.
To update the plug-ins used by the web browsers:
- Most plug-ins come with “Check for Updates” feature. It can usually be found under “Options”, Preferences” or “Help” menus.
- Select the “Check for Updates” to ensure you have the latest version of the software.
US-CERT Securing Web Browser Information
Internet Explorer 7 Desktop Security Guide
Microsoft Internet Explorer Weblog
Mozilla Security Center
@Risk: The Consensus Security Alert
C2. Office Software
This section includes vulnerabilities for office productivity suites that include e-mail clients, word processors, spreadsheet applications, document viewers and presentation applications. Vulnerabilities in office products are typically exploited via the following attack vectors:
- An attacker sends a specially crafted office document in an email. When the attachment is opened, the malformed contents in the document exploit vulnerabilities in the office software.
- An attacker hosts a malicious document on a web server or shared folder, and entices a user to browse to the web page or the shared folder. Note that, in most situations, Internet Explorer automatically opens Microsoft Office documents. Hence, browsing the malicious web page or folder is sufficient for vulnerability exploitation in many cases.
- An attacker runs an NNTP (news) server or hijacks an RSS feed that sends malicious documents to news and RSS clients.
In all these scenarios, viruses, trojans, spyware, ad-ware, rootkits, keyboard loggers, or any other program of the attacker’s choice, can be installed on victim’s computer.
Microsoft Office is the most widely used email and productivity suite worldwide. It includes Outlook, Word, PowerPoint, Excel, Visio, FrontPage and Access. A large number of critical flaws were reported in MS Office applications and a few of them (CVE-2006-5574, CVE-2006-1305, CVE-2006-6456, CVE-2006-6561, CVE-2006-5994, CVE-2007-0515, CVE-2007-0671, CVE-2007-0045) were zero-day issues in which exploit code, technical details or proof-of-concept was publicly disclosed before any fix became available from Microsoft.
The critical flaws that were reported this year in Office products:
- Microsoft Excel Remote Code Execution (MS07-002)
- Microsoft Outlook Remote Code Execution (MS07-003)
- Microsoft Word Remote Code Execution (MS07-014)
- Microsoft Office Remote Code Execution (MS07-015)
- Microsoft Excel Remote Code Execution (MS07-023)
- Microsoft Word Remote Code Execution (MS07-024)
- Microsoft Office Remote Code Execution (MS07-025)
- Microsoft Outlook Express and Windows Mail (MS07-034)
- Microsoft Excel Remote Code Execution (MS07-036)
- Microsoft Excel Remote Code Execution (MS07-044)
- Adobe Reader and Acrobat Remote Code Execution (APSB07-18)
- Adobe Reader and Acrobat Cross Site Scripting (APSA07-01)
C2.2 Operating Systems Affected
Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista, MacOS X are all vulnerable depending on the version of Office software installed.
C2.3 CVE Entries
CVE-2007-0027, CVE-2007-0028, CVE-2007-0029, CVE-2007-0030, CVE-2007-0031, CVE-2007-0034, CVE-2007-0208, CVE-2007-0209, CVE-2007-0515, CVE-2007-0671, CVE-2007-0215, CVE-2007-1203, CVE-2007-0035, CVE-2007-0870, CVE-2007-1747, CVE-2007-1658, CVE-2007-1756, CVE-2007-3030, CVE-2007-3890
C2.4 How to Determine If You Are at Risk
Microsoft Office installations running without the patches referenced in the Microsoft Bulletins listed from the CVE entries are vulnerable. Use a vulnerability scanner to check whether your systems are patched against these vulnerabilities. Also consider using the Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live OneCare or Systems Management Server (SMS) to check the security patch status of your systems.
C2.5 How to Protect against Office Vulnerabilities
- Keep the systems updated with all the latest patches and service packs. If possible enable Automatic Updates on windows systems.
- Do not open attachments from unknown sources. Practice caution when opening unexpected e-mail attachments even from known sources.
- Do not “click browse” to avoid opening documents from unknown web sites. Click browsing is a habit of browsing the web by clicking on links in e-mails or online forums. Use the bookmark feature in every browser to create links to your frequently used web sites.
- Disable the Internet Explorer feature of automatically opening Office documents.
- Configure Outlook and Outlook Express with enhanced security.
- Use a vulnerability scanner to determine your risk.
- Use intrusion prevention/detection systems and anti-virus and malware detection software to prevent malicious server responses and documents from reaching end users.
- Use mail and web filtering systems at the network perimeter to prevent malicious Office documents from reaching end-user systems.
Securing Microsoft Office
C3. Email Clients
E-mail is one of the vital applications of the Internet. E-mail provides tremendous savings it terms of time, money and efficiency. Given its omnipresence, e-mail provides a common vector for multiple vulnerabilities.
Multiple avenues of attack that can be employed through email:
- Distribution of malware (viruses, Trojans, keyloggers, spyware, adware, rootkits etc);
- Phishing – Attempts to lure email user into revealing his/her passwords or other confidential information;
- Spam – unsolicited (junk) email;
- Social engineering;
- Denial of service attacks – sending high volume of email messages to a potential “victim” server or mailbox;
These attacks can result in:
- damage to applications, data, or operating system;
- disclosure of confidential information;
- propagation of malware;
- use of affected systems as “bots” (infected machines under the control of persons other than the intended users, used as proxies for attacks on other systems or for storage and distribution of pirated content and pornography);
- lack of availability of systems and services;
- waste of time, money and labor.
Virtually all contemporary operating systems can be used as platforms for e-mail client applications.
The most popular e-mail applications currently are
- Microsoft Outlook (Microsoft Windows only) and Outlook Express (Microsoft Windows only; old versions were available for Apple Macintosh);
- Mozilla Thunderbird (Microsoft Windows, Linux, Mac OS X);
- Mail.app (Macintosh only)
There are other popular email clients (Opera mail, Pegasus, Mozilla SeaMonkey, The Bat!, Eudora etc), but their usage share is relatively low.
No matter what operating system or e-mail client application is used, precautions should be taken whenever handling email (See C3.4 How to Protect Against The Email Vulnerabilities for details).
C3.2 Operating Systems Affected
Windows 2000 Workstation and Server, Windows XP Home and Professional, Windows Vista, Windows Server 2003, Mac OS X, Linux and Unix are all potentially vulnerable.
C3.3 CVE Entries
Mozilla Thunderbird, SeaMonkey
CVE-2006-4565, CVE-2006-4571, CVE-2006-5463, CVE-2006-5747, CVE-2006-6502, CVE-2006-6504, CVE-2007-0777, CVE-2007-0779, CVE-2007-1282, CVE-2007-2867, CVE-2007-3734, CVE-2007-3735, CVE-2007-3845
C3.4 How To Protect Against Vulnerabilities in Email Clients
- Remove all e-mail client software from production server systems, or where otherwise unnecessary.
- Do not to run any email client on servers or workstations with confidential information.
- When you must run any email client application on any system, be sure to:
- Use the latest version of the email client and enable the automatic update feature provided by the application or operating system.
- Use anti-virus software with current virus signatures. Configure the anti-virus software to monitor files in real-time if possible, and configure automatic daily update of virus signatures if possible.
- Do not run the email client as an administrative user, or other user account with elevated privileges.
- If you absolutely must run email while logged on as Administrator on Windows system, use tools like “Drop My Rights” for lowering privileges available to the email application.
- Do not open any email messages from unknown or suspicious sender;
- Do not answer junk mail (spam), even if there is an option to unsubscribe;
- View email messages as plain text, or with as little formatting as possible: HTML and RTF (two common enhanced formatting schemes for email messages) can allow scripting and other avenues for exploitation;
- Do not open any attachments without scanning them first with anti-virus program;
- Configure your email client to not send return receipts or read confirmations;
- For secure email exchange use digital signatures or/and encryption.
Application-specific configuration details and, settings that can improve security of email client
Outlook/Outlook Express/Windows Mail
Outlook Express is bundled with Internet Explorer and installed by default on Windows 98, 2000, XP, 2003.
Windows Vista replaced Outlook Express with Windows Mail.
- If Outlook Express is not required on the system, it is recommended to uninstall it.
- If Outlook Express is installed on the system, keep it updated.
- Outlook Express updates are bundled with Internet Explorer updates, so updating Internet Explorer to the new version or service pack level also upgrades Outlook Express.
Configuration settings for Outlook Express
- Outlook Express – Tools – Options – Read – Select “Read all messages in plain text”
- Outlook Express – Tools – Options – Receipts – Select “Never send a read receipt”
- Outlook Express – Tools – Options – Security – Select the Internet Explorer security zone to use – Select “Restricted sites zone”
- Outlook Express – Tools – Options – Security – Select “Warn me when other applications try to send mail as me”
- Outlook Express – Tools – Options – Security – Select “Do not allow attachments to be saved or opened that could potentially be a virus”
- Outlook Express – Tools – Options – Security – Select “Block images and other external content in HTML email”
- Outlook Express – Tools – Options – Maintenance – Select “Empty messages from the Deleted Items folder on exit”
- Outlook Express – Tools – Accounts – Mail – Select “Properties” for each email account – Server – Unselect “Remember password”
Configuration settings for Outlook
Settings for Outlook 2003:
- Outlook – Tools – Options – Preferences – Email Options – Select “Read all standard mail in plain text”
- Outlook – Tools – Options – Security – Security Zones – Zone – Select “Restricted sites”
- Outlook – Tools – Options – Security – Download pictures – Change Automatic Download settings – Select “Don’t allow pictures or other content automatically in HTML e-mail”
- Outlook – Tools – Options – Security – Download pictures – Change Automatic Download settings – Select “Warn me before downloading content when editing, forwarding or replying to e-mail”
- Outlook – Tools – Options – Preferences – Junk e-mail – Options – Choose the level of junk e-mail protection you want – Select “Low”, “High” or “Safe Lists only”
- Outlook – Tools – Options – Preferences – Junk e-mail – Options – Select “Don’t turn on links in messages that might connect to unsafe or fraudulent sites”
- Outlook – Tools – Options – Other – Select “Empty the Deleted Items folder upon exiting”
- Outlook – Tools – E-mail Accounts – Select “Change…” for each email account – Unselect “Remember password”
Same or similar settings can be accessed in Outlook 2007 as follows:
Outlook 2007 – Tools – Trust Center – E-mail Security
Configuration settings for Mozilla Thunderbird (versions 2.0 and later)
- Thunderbird – View – Message body as – Select “Plain text”
- Thunderbird – View – Unselect “Display attachments inline”
- Thunderbird – Tools – Options – Privacy – E-mail scams – Select “Tell me if the message I’m reading is a suspected email scam”
- Thunderbird – Tools – Options – Privacy – Anti-Virus – Select “Allow anti-virus clients to quarantine individual messages”
Browsing the Web and Reading E-mail Safely as an Administrator
How to view all e-mail messages in plain text format
Overview of Cryptography in Outlook 2003
Digital signatures and encryption (Outlook 2007)
Service Packs (Microsoft Office and Microsoft Outlook)
Microsoft Office downloads
Block or unblock links in suspicious phishing messages
Customizing the Outlook Security Features Administrative Package
Security and privacy-related preferences (Thunderbird)
Security Policies (Thunderbird)
C4. Media Players
To play or display any multimedia content (music, video, pictures, drawings, etc.), regardless of origin, your computer needs an application called a media player. Music and videos are commonly downloaded from the Internet, usually for entertainment, news, education, and/or business content.
Most modern operating systems are automatically configured with at least one standard media player software package. Third party applications are also available that play formats not normally supported by the standard application set. Such support is usually required for proprietary formats that vendors must license in order to add compatibility to their media player application. These additional applications are usually installed on an as-needed basis – at times even automatically – in order to provide support for the requested multimedia content. Once these applications are installed they may be easily forgotten and overlooked by IT administrators who are responsible for patch management and support, usually because they are not aware of their existence on each deployed system.
Over the past year vulnerabilities have been released for most popular media players available today. While the severity of the vulnerabilities varies, these vulnerabilities can often be used to install malware such as viruses, bot-net applications, root kits, spy-ware, and ad-ware.
While this list does provide a detailed overview of popular media players and their associated vulnerabilities, it does not attempt to be an exhaustive list of all media players and their associated vulnerabilities. Many of these vulnerabilities do have publicly available exploit code and are being actively exploited in the wild.
The media players for the major platforms are:
- Windows: Windows Media Player, RealPlayer, Apple Quicktime, Adobe Flash Player, Apple iTunes
- Mac OS: RealPlayer, Apple Quicktime, Apple iTunes, Adobe Flash Player
- Linux/Unix: RealPlayer, Adobe Flash Player
C4.2 Operating Systems Affected
- Microsoft Windows
- Mac OS X
C4.3 CVE Entries
CVE-2007-0462, CVE-2007-0588, CVE-2007-0466, CVE-2007-0711, CVE-2007-0712, CVE-2007-0714, CVE-2007-2175, CVE-2007-2295, CVE-2007-2296, CVE-2007-0754, CVE-2007-2388, CVE-2007-2389, CVE-2007-2392, CVE-2007-2393, CVE-2007-2394, CVE-2007-2396, CVE-2007-2397, CVE-2007-5045, CVE-2007-4673
C4.4 How to Determine If You Are Vulnerable
Using any media player that has not been patched or upgraded to the most recent version is a potential problem. Good system inventory and patch management practices will help you be proactive against threats from and attacks via media player applications.
C4.5 How to Protect Against Media Player Vulnerabilities
The following are some common best practices to protect against vulnerabilities associated with media players:
- Ensure media players are regularly updated with all the latest patches. Most players support updating via the help or tools menus.
- Carefully review default installations of operating systems and other products to ensure they do not include unwanted media players.
- Configure operating systems and browsers to prevent unintentional installation.
- Use anti-malware tools such as anti-virus and IDS software on the client desktop to prevent compromise.
- On centrally managed systems use the principle of least privilege, and limit installation of additional software by the end-user, when possible. This will make patch management and vulnerability management easier and more affective.
- On centrally managed systems when possible inventory installed software in order to identify potential risks in the environment.
- Install media player components only on systems requiring such components (e.g. workstations vs. servers).
RealNetworks Media Player Products Home Page
Windows Media Player
Adobe Flash Player Homepage
Security Reports and Other Links
General Networking Measures to Mitigate the Impact of Client-side Vulnerabilities:
- Users should be restricted from surfing any potentially dangerous URLs via URL blocking
- The Pentagon, for instance, has blocked access to all social networking sites like MySpace and YouTube.
- Deploy a commercial or an open-source URL filtering solution to prevent users visiting web sites serving exploits and malware.
- Users should be blocked from downloading any media files from the Internet.
- Users should not be allowed SMTP, POP or IMAP access to their personal or service provider mail servers. This helps prevent potentially unfiltered and unscanned content entering in an organization’s network via email.
- Email gateway anti-virus, spyware and other malware scanning solutions should be deployed.
- Web browser, email client, media player and office software should not be used on a production server. If possible, block outbound access from servers to the port 80/tcp.
Server-side Vulnerabilities in:
S1 Web Applications
Web-based applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards, and Discussion Forums are used by small and large organizations. A large number of organizations also develop and maintain custom-built web applications for their businesses (indeed, in many cases, such applications are the business). Every week hundreds of vulnerabilities are reported in commercially available and open source web applications, and are actively exploited. Please note that the custom-built web applications are also attacked and exploited even though the vulnerabilities in these applications are not reported and tracked by public vulnerability databases such as @RISK, CVE or BugTraq. The number of attempted attacks for some of the large web hosting farms range from hundreds of thousands to even millions every day.
Number of PHP File Include attacks recorded at a web hosting facility by TippingPoint IPS
All web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, etc.) and all types of web applications are at risk from web application security defects, ranging from insufficient validation through to application logic errors. The most exploited types of vulnerabilities are:
- PHP Remote File Include: PHP is the most common web application language and framework in use today. By default, PHP allows file functions to access resources on the Internet using a feature called “allow_url_fopen”. When PHP scripts allow user input to influence file names, remote file inclusion can be the result. This attack allows (but is not limited to):
- Remote code execution
- Remote root kit installation
- On Windows, complete system compromise may be possible through the use of PHP’s SMB file wrappers
- SQL Injection: Injections, particularly SQL injections, are common in web applications. Injections are possible due to intermingling of user supplied data within dynamic queries or within poorly constructed stored procedures. SQL injections allow attackers:
- To create, read, update, or delete any arbitrary data available to the application
- In the worst case scenario, to completely compromise the database system and systems around it
- Cross-site request forgeries (CSRF): CSRF forces legitimate users to execute commands without their consent. This type of attack is extremely hard to prevent unless the application is free of cross-site scripting vectors, including DOM injections. With the rise of Ajax techniques, and better knowledge of how to properly exploit XSS attacks, CSRF attacks are becoming extremely sophisticated, both as an active individual attack and as automated worms, such as the Samy MySpace Worm.
S1.2 How to Determine If You Are at Risk
Web scanning tools can help find these vulnerabilities, particularly if they are known bugs. However, to find all potential vulnerabilities requires a source code review as well as an application penetration test. These should be done by the developers prior to release of any important web application.
Inspect your web application framework’s configuration and harden appropriately.
System administrators should consider scanning web servers periodically with vulnerability scanners, particularly if they run a large or diverse range of user-supplied scripts (such as on a hosting farm).
No person should be engaged to write web applications unless they can pass the GSSP Secure Software Programming exam that covers the essential security skills and knowledge that developers need to produce more secure applications.
S1.3 How to Protect against Web Application Vulnerabilities
From the PHP system administration and hosting perspective:
- Upgrade to PHP 5.2 as it eliminates many latent PHP security issues and allows for safer APIs, such as PDO
- Always test and deploy patches and new versions of PHP as they are released
- Frequent web scanning is recommended in environments where a large number of PHP applications are in use
- Consider using the following PHP configuration:
- register_globals (should be off, will break insecure apps)
- allow_url_fopen (should be off, will break apps that rely on this feature, but protect against a very active exploit vector)
- magic_quotes_gpc (should be off, will break older insecure apps)
- open_basedir (should be enabled and correctly configured)
- Consider using least privilege execution features like PHPsuexec or suPHP
- Consider using Suhosin to control the execution environment of PHP scripts
- Use Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests. Consider using Apache’s mod_security to block known PHP attacks
- As a last resort, consider banning applications which have a track record of active exploitation, and slow response times to fix known security issues.
From the developer perspective:
- If you use PHP, migrate your application to PHP 5.2 as a matter of urgency.
- To avoid the coding issues above:
- Develop with the latest PHP release and a hardened configuration (see above)
- Validate all input according to the variable type it is being assigned
- Encode all output using htmlentities() or a similar mechanism to avoid XSS attacks
- Migrate your data layer to PDO – do not use the old style mysql_*() functions as they are known to be faulty
- Do not use user-supplied input with file functions to avoid remote file inclusion attacks
- Join secure coding organizations, such as OWASP (see references) to boost skills, and learn about secure coding
- Test your apps using the OWASP Testing Guide with tools like WebScarab, Firefox’s Web Developer Toolbar, Greasemonkey and the XSS Assistant
- Measure your skill using the GSSP exams and fill in the gaps in your knowledge.
OWASP – Open Web Application Security Project
OWASP Testing Guide
OWASP Guide – a compendium of secure coding
OWASP Top 10 – Top 10 web application security weaknesses
Suhosin, a Hardened PHP project to control the execution environment of PHP applications
GSSP Exam blueprints and testing schedule