Gladiator Research and Security

Microsoft has announced a patch for a critical vulnerability affecting several versions of Windows for both servers and workstations. The vulnerability could allow a remote attacker to access a system with full privileges.

There’s a buzz on the Internet about a new attack against SSL certificates used to secure website communications.  Researchers have been able to create new certificates for existing websites that appear legitimate to web browsers.  That means if a user is browsing a fake website using HTTPS, his web browser will accept the certificate as valid.  There will be no warning messages or approval dialog boxes.  This could be detrimental to the Internet’s secure communications model, but how bad is it, really?

There has been more information released about the Internet Explorer (IE) 0-day vulnerability.  Microsoft has stated now that the vulnerability affects more versions of IE than previously thought.  Vulnerable versions include IE 7, IE 8 (beta), IE 6 (non-SP2) and IE 5.  Gladiator recommends that users switch to a different browser for the time being.  Using Internet Explorer for banking applications that are not compatible with other browsers is fine, but do not use IE to browse the Internet.

If you have been reading the news or surfing any IT based websites, you may have heard of “cloud computing,” a new buzz word going around.  Cloud computing is a new style of providing IT or business applications and services via the Web or Internet “cloud.”  One very popular form of cloud computing is Google Apps.  With Google Apps, Google is able to provide many publishing applications, similar to Microsoft’s Desktop Suite (Word, Excel, PowerPoint), over the Web.  Users can log in via an Internet browser and access the applications that are actually running on servers hosted by Google.

Microsoft has released 8 new patches resolving 6 critical and 2 important vulnerabilities found in its various products.  The vulnerability for the Visual Basic 6.0 ActiveX Control has publicly available exploit code, so it should be patched as soon as possible. The products with critical severity vulnerabilities include:

• GDI
• Windows Search
• Internet Explorer
• Visual Basic 6.0 Runtime Extended Files (ActiveX Controls)
• Microsoft Office Word
• Microsoft Office Excel

For years Cross-site request forgery (CSRF) attacks have occurred on many websites and network devices, often undetected.  CSRF attacks execute malicious content on a trusted site, or device, that appear to come from the victim.  These attacks are often difficult to both detect and protect against.  While CSRF attacks are nothing new, a security researcher named Nathan Hamiel, has recently discovered that most DSL modems (and Cable modems) are still just as vulnerable to CSRF attacks as other technologies.

There have been reports of a new vulnerability in Microsoft Vista that would allow a local user to run code as System, which is an even higher privilege level than Administrator.  However, the user would have to be an Administrator to exploit the vulnerability, and the practical differences between Administrator and System are minimal.  So really, there is not much of a reason to be concerned.  If you see reports for an iphlpapi.dll Local Kernel Buffer Overflow, a Vista TCP/IP stack buffer overflow or a CreateIpForwardEntry2 this is the issue being referenced.  There is no need to panic.  In fact, Microsoft is not releasing an out-of-band patch for this issue, so they don’t believe it’s that critical.  Phion AG, the researcher group who found the vulnerability, has released a patch of its own, but we do not recommend you install it at this time.