Windows Phone Thoughts - Daily News, Views, Rants and Raves

  #1  
02-01-2005, 04:00 PM
Janak Parekh
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
Airscanner Audits Pocket IE, Demonstrates Concept Vulnerability

http://www.airscanner.com/tests/ie_...w/ie_attack.htm

"There are several weaknesses in Pocket IE that can be used to trick end users into submitting local and/or sensitive data, such as usernames and passwords. The potential for exploiting these vulnerabilities is restricted only by an attacker's imagination. However, Pocket IE is not as powerful as its big brother, and as such, an attacker is limited in what techniques she can use to launch the attack. For example, Pocket IE has no support for the IFrame tag, which is extremely useful in XSS and browser-based attacks. In addition, Pocket IE does not support every JavaScript command commonly used by attackers. The final example presented below is an attempt to combine these individual flaws into one attack and is only meant to serve as a proof of concept."

While most of these aren't explicit flaws or vulnerabilities, Seth over at AirScanner gives a demonstration of how they could be used to transmit potentially sensitive information, and how it might be worth hardening Pocket IE. Still, as Seth points out, Pocket IE is simply much less vulnerable to most attacks by virtue of being a less sophisticated piece of software. It's also worth pointing out that since Pocket PCs are ARM-based, it's difficult to get targeted exploit code on your device. Nevertheless, if you do sensitive financial transactions and the like from your Pocket PC, use your common sense and make sure not to use potentially spoofed links from third parties. (Note that the site has examples of spoofed URLs, so if you're accessing it from a corporate environment that might filter or tag such stuff as malicious code you might want to access it from somewhere else. There is no actual exploit on the website, just examples of what one may be able to do.)
 
  #2  
02-01-2005, 04:43 PM
surur
Mystic
Join Date: Aug 2006
Posts: 1,734

Talk about scaring up a profit. Will they "audit" ppc's further and then publish their findings widely "for our own good", so we know how vulnerable we (now) are? Will they write 90% of the virus code, as a "proof of concept" and leave the payload up to their blackhat associates, "for our own good"?

People talk about security through obscurity, but most exploits are from vulnerabilities that had been published by the so-called "good guys", because we all know "information wants to be free". And of course they wouldn't mind selling you a nice fat subscription either.

I have enough cr*p running on my pocketpc to have it bogged down further by a virus scanner. I recently switched off my virus scanner on my laptop, and the thing worked 5 times faster. No more pausing for 10 seconds when opening up a word document. No more labouring when looking at a directory.

I think the anti-virus people are as bad (or even worse) than the virus writers, and I'm sure the CEO of Norton is laughing all the way to the bank every time a new exploit is published by the so-called "security researchers". :evil:

Surur
 
  #3  
02-01-2005, 04:45 PM
rangor
Neophyte
Join Date: Nov 2004
Posts: 7

Let's hope the Minimo project gets well and truly underway for pocketpc based ARM devices...

Still, in the meantime, we've got NetFront. Personally, I never use PIE unless I have no control over it popping up!
 
  #4  
02-01-2005, 06:56 PM
Janak Parekh
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171

Quote:
Originally Posted by Surur
People talk about security through obscurity, but most exploits are from vulnerabilities that had been published by the so-called "good guys", because we all know "information wants to be free". And of course they wouldn't mind selling you a nice fat subscription either.

As a security researcher, I don't agree completely. Full disclosure is the way to get problems fixed. If you read the article carefully, they're just providing advice that URLs can be spoofed, and you should be aware of that. If it's a clear attack vector (e.g., a buffer overflow), then it is considered good behavior in the security community to first contact the vendor and wait 30 days before publishing, but this is not an explicit attack -- just rather a combination of things that are non-obvious that can lead to undesirable behavior.

Besides, Airscanner doesn't sell software to "fix" this; it's a disclosure, akin to what is commonly done on mailing lists like Bugtraq. They're one of the few in the PDA field who are taking a hard look at PDA security, and I'm glad they are.

--janak
 
  #5  
02-01-2005, 07:52 PM
Jon Westfall
Executive Editor, Android Thoughts
Join Date: Aug 2006
Posts: 3,233

I think the real issue here is that we can never release information so that it is only used by the "good guys" who will fix it. Invariably, the bad guys will get ahold of the information as well, and use it. We can't shoot the messenger here when we really would like to shoot the 'bad guys' who make us run antivirus software. I feel the same slow-pain when opening word documents that I'VE written because Norton feels the need to scan them, but without more efficient code or smarter users, right now we're stuck with it.

Although there are days when I switch off Norton just to get the speed back... but I am fully capable of rebuilding my system after a virus attack (even if that means a complete rebuild) - most others aren't. Therefore, I wouldn't recommend that idea.

The best case scenario: enough security-minded individuals track these things as they come out and fix them before problems arise.

Just some of my ramblings...
__________________
Dr. Jon Westfall, MCSE, MS-MVP
Executive Editor - Android Thoughts
News Editor - Windows Phone Thoughts

 
  #6  
02-01-2005, 09:48 PM
ctitanic
Oracle
Join Date: Mar 2005
Posts: 980

Quote:
Originally Posted by Surur
Talk about scaring up a profit. Will they "audit" ppc's further and then publish their findings widely "for our own good", so we know how vulnerable we (now) are? Will they write 90% of the virus code, as a "proof of concept" and leave the payload up to their blackhat associates, "for our own good"?

People talk about security through obscurity, but most exploits are from vulnerabilities that had been published by the so-called "good guys", because we all know "information wants to be free". And of course they wouldn't mind selling you a nice fat subscription either.

I have enough cr*p running on my pocketpc to have it bogged down further by a virus scanner. I recently switched off my virus scanner on my laptop, and the thing worked 5 times faster. No more pausing for 10 seconds when opening up a word document. No more labouring when looking at a directory.

I think the anti-virus people are as bad (or even worse) than the virus writers, and I'm sure the CEO of Norton is laughing all the way to the bank every time a new exploit is published by the so-called "security researchers". :evil:

Surur

Are you a psychic? Did you read my mind? These people are making a good marketing by publishing those news and for free. They are not paying anything. On the other hand they are telling others what to do so they can go and fix it later. It's good to educate people but you have to think about the method to do it. If you are educating both groups, users and hackers at the same time, IMHO it is better that you don't educate anybody.
__________________
Ctitanic
http://www.tweaks2k2.com
 
  #7  
02-01-2005, 09:55 PM
ctitanic
Oracle
Join Date: Mar 2005
Posts: 980

Quote:
Originally Posted by Janak Parekh
Quote:
Originally Posted by Surur
People talk about security through obscurity, but most exploits are from vulnerabilities that had been published by the so-called "good guys", because we all know "information wants to be free". And of course they wouldn't mind selling you a nice fat subscription either.
As a security researcher, I don't agree completely. Full disclosure is the way to get problems fixed. If you read the article carefully, they're just providing advice that URLs can be spoofed, and you should be aware of that.

--janak

Janak, you can do the same thing without giving any details. You can warn people about the "phishing" method by telling them what it is and telling them that no bank or any other institution sends emails asking for personal information such as SS, Name, Bank Account, User Names, passwords, nor do they send you emails asking you to click on a link where you are asked to provide that information. If anyone has any doubt about any email asking to click on a link, the best thing to do is to go to the front page of that institution from another IE window and try to find that link there. If you don't find anything, send an email to that institution taking the email from that site (not from the email) asking if they sent you such email, or just call them. You can educate people without giving any information to hackers.
__________________
Ctitanic
http://www.tweaks2k2.com
 
  #8  
02-02-2005, 05:39 AM
Janak Parekh
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171

Quote:
Originally Posted by ctitanic
You can educate people without giving any information to hackers.

As an academic, I appreciate the detail that's given in many of these kinds of advisories. Not only does it help me understand what's going on, it can often help site owners craft an appropriate response based on the technical nature -- and it may differ based on what the technical aspects are. Moreover, I can tell you that in security research people are developing technical solutions that actually circumvent things like browser holes. For example, new products are coming out today that circumvent phishing methods by detecting things like spoofed URLs. Documentation as to the aspects of how they work is critical in designing such products.

One of the most renowned security forums, for example, is USENIX Security. If you take a look there, there are tons of research papers that go into great technical detail on a broad range of topics. This is how both top-of-the-line commercial and academic security experts work towards developing comprehensive, long-term solutions. It's not a new practice, it's extremely productive, and it ultimately benefits consumers.

And if you really think the "hackers" don't know these things before the advisories are published, you'd be surprised. They have many backchannels where this stuff is discussed sooner than later.

--janak
 
  #9  
02-08-2005, 07:32 PM
Cybrid
Pontificator
Join Date: Mar 2007
Posts: 1,466

Quote:
Originally Posted by rangor
Let's hope the Minimo project gets well and truly underway for pocketpc based ARM devices...

Still, in the meantime, we've got NetFront. Personally, I never use PIE unless I have no control over it popping up!

If Linux and/or Netfront were the "magic bullet" to all PC ills, we'd all have switched a long time ago.
The reason why they are currently more secure is because they are an overall minority. It is more time effective to attack MS products since they are 90% of the world.
There are known exploits in Firefox and Thunderbird as well....
I'm sure if airscanner did a work-over on Netfront....something somewhere would come up as an undesired result.
It's simply the nature of things....You create software with the best of your abilities and someone does something unpredicted with it...the results cannot be anticipated. You simply patch as fast as it becomes known. Therein lies the rub. I have seen Norton miss viruses while AVG catches them. Both are current! Someone explain that to me? Perhaps since AVG updates every Tuesday?
I have Norton's update scheduled similarly but.....
 
  #10  
02-08-2005, 09:54 PM
Janak Parekh
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171

Quote:
Originally Posted by Cybrid
It is more time effective to attack MS products since they are 90% of the world.

That is a common explanation, but not necessarily correct. Case-in-point: Apache is the dominant webserver on the Internet today, but IIS has seen far more exploits than Apache.

The fact of the matter is, until recently Microsoft didn't place the same emphasis on security that they now do. I can give you some technical examples if you like, but really, XP SP2 is the first major step in solving this, and hopefully that progress will reverberate through their product line.

--janak
 
All times are GMT +1.