Archive for April 5th, 2008

Today on PC Magazine's Security Watch:

Two vulnerabilities in Norton Internet Security 2008 have been patched by the vendor. The vulnerabilities were reported by VeriSign's iDefense (here and here).

The vulnerabilities are in an ActiveX control installed by NIS 2008 which is marked safe for scripting. The vulnerability could allow for remote code execution by an unauthenticated user; on the other hand. The bug is, nevertheless, difficult to exploit, and no public exploit exists.

According to iDefense, it would need to be executed in the context of the symantec.com domain. This could be accomplished through cross-site scripting on the symantec.com site—which would require incompetence on the part of that site's administrators and authors—or through DNS cache poisoning attacks against the user. Both are probably hard to do.

Yes, of course... (Notice: Symantec XSS vulnerability fixed later, on April the 10th)

BTW, isn't that a Google Search Appliance?

Update 1

Despite Symantec's search functionality being provided by Google Search Appliance, the XSS vulnerability above seems a genuine home-grown customization.

Update 2

This is quite hilarious (from Brian Krebs's Security Fix column on Washington Post):

Despite the fact that most of these Web site security flaws are posted to a publicly accessible archive site, only 473 of the cases discovered in the last half of 2007 were fixed by the end of last year, Symantec said.

Update 3 (10 Apr)

Symantec guys finally fixed their XSS vulnerability.

This morning I was toying with an idea for easing NoScript allowance of sub-objects and sub-scripts which, even being 1st party content, are offloaded to different domains for performance reasons.
One prominent example is YouTube, which recently started serving scripts from ytimg.com, requiring NoScript users who want to watch videos on youtube.com to whitelist both domains.
Now the idea, probably too much naive not to be a dead end, was to correlate domains by "ownership", using real time and cached WHOIS queries: sub-content whose Registrant information matches top-level page site's would be allowed to load if the latter is trusted.
Databases (in)accuracy aside, this approach is too much coarse-grained to fit: how many NoScript users would be happy to put www.google.com and googleanalitycs.com in the same basket?
Anyway, playing some minutes with com.whois-servers.net (the "meta-server" where WHOIS client programs lookup the server responsible for a certain .com domain) yielded some amusing results:

[ma1@groucho]$ cat >wtf && chmod 700 wtf
#!/bin/bash
while [ ! -z "$1" ]; do
echo
SUFFIX=${1//[a-zA-Z-_]*./}
exec 3<>/dev/tcp/$SUFFIX.whois-servers.net/43
echo -e >&3 "$1"
egrep -i "$1\.\w+\." <&3
shift
done
[ma1@groucho]$ ./wtf YOUTUBE.COM YAHOO.COM GOOGLE.COM MICROSOFT.COM
YOUTUBE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
YOUTUBE.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YOUTUBE.COM.IS.N0T.AS.1337.AS.WWW.GULLI.COM
YAHOO.COM.ZZZZZZ.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YAHOO.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
YAHOO.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
YAHOO.COM.VIRGINCHASSIS.COM
YAHOO.COM.TWIXTEARS.COM
YAHOO.COM.OPTIONSCORNER.COM
YAHOO.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YAHOO.COM.JOSEJO.COM
YAHOO.COM.JENNINGSASSOCIATES.NET
YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM
YAHOO.COM.ELPOV.COM
YAHOO.COM.EATINGFORJOY.NET
YAHOO.COM.DALLARIVA.COM
YAHOO.COM.CHRISIMAMURAPHOTOWORKS.COM
YAHOO.COM.BGPETERSON.COM
GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
GOOGLE.COM.YAHOO.COM.MYSPACE.COM.YOUTUBE.COM.FACEBOOK.COM.THEYSUCK.DNSABOUT.COM
GOOGLE.COM.WORDT.DOOR.VEEL.WHTERS.GEBRUIKT.SERVERTJE.NET
GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
GOOGLE.COM.SPROSIUYANDEKSA.RU
GOOGLE.COM.SERVES.PR0N.FOR.ALLIYAH.NET
GOOGLE.COM.PLZ.GIVE.A.PR8.TO.AUDIOTRACKER.NET
GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
GOOGLE.COM.IS.HOSTED.ON.PROFITHOSTING.NET
GOOGLE.COM.IS.APPROVED.BY.NUMEA.COM
GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
GOOGLE.COM.BEYONDWHOIS.COM
GOOGLE.COM.ACQUIRED.BY.CALITEC.NET
MICROSOFT.COM.ZZZZZZ.MORE.DETAILS.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
MICROSOFT.COM.ZZZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.SUB7.NET
MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET
MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET
MICROSOFT.COM.WAREZ.AT.TOPLIST.GULLI.COM
MICROSOFT.COM.USERS.SHOULD.HOST.WITH.UNIX.AT.ITSHOSTED.COM
MICROSOFT.COM.TOTALLY.SUCKS.S3U.NET
MICROSOFT.COM.SOFTWARE.IS.NOT.USED.AT.REG.RU
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.RAWKZ.MUH.WERLD.MENTALFLOSS.CA
MICROSOFT.COM.OHMYGODITBURNS.COM
MICROSOFT.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM.LOVES.ME.KOSMAL.NET
MICROSOFT.COM.LIVES.AT.SHAUNEWING.COM
MICROSOFT.COM.IS.NOT.YEPPA.ORG
MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
MICROSOFT.COM.IS.IN.BED.WITH.CURTYV.COM
MICROSOFT.COM.IS.HOSTED.ON.PROFITHOSTING.NET
MICROSOFT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET
MICROSOFT.COM.IS.A.MESS.TIMPORTER.CO.UK
MICROSOFT.COM.HAS.ITS.OWN.CRACKLAB.COM
MICROSOFT.COM.HAS.A.PRESENT.COMING.FROM.HUGHESMISSILES.COM
MICROSOFT.COM.FILLS.ME.WITH.BELLIGERENCE.NET
MICROSOFT.COM.CAN.GO.FUCK.ITSELF.AT.SECZY.COM
MICROSOFT.COM.ARE.GODDAMN.PIGFUCKERS.NET.NS-NOT-IN-SERVICE.COM
MICROSOFT.COM.AND.MINDSUCK.BOTH.SUCK.HUGE.ONES.AT.EXEGETE.NET

The amazing thing is that this data is not even meant for human consumption!

Bad Behavior has blocked 3532 access attempts in the last 7 days.