Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Researchers: Popular apps have mismanaged security

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Researchers: Popular apps have mismanaged security
Date: Tue, 7 Feb 2006 03:14:57 -0600 (CST) 
http://www.networkworld.com/news/2006/020606-application-security.html

By Robert McMillan
IDG News Service
02/06/06

Big-name companies like America Online (AOL) and Adobe could do a 
better job of writing secure software, according to a recent report by 
two Princeton University researchers. 

The researchers took a look at a number of popular applications, 
including AOL Instant Messenger and Photoshop, and determined that 
many of them made changes to the operating system that could allow 
attackers to bypass some Windows security mechanisms. (Read the report 
- PDF. [1]) 

The Princeton team focused on the Windows access control system, which 
determines what types of things users and applications can do on any 
given PC. Their conclusion: Many programs ask for too many privileges, 
opening the door for potential attackers. 

"Vendors are making mistakes when they write programs for Windows," 
said Sudhakar Govindavajhala, a Princeton Ph.D. student, and one of 
the authors of the paper. "It's worrying that your computer can become 
insecure on installation of new programs." 

An attacker would first need to gain access to a local account on a 
computer to take advantage of the problems described in the paper, 
Govindavajhala said. "These attacks are not exploitable over the 
Internet, but if someone can get a handle of your machine, then one 
can do interesting things," he said. 

After years of focusing on Windows, attackers are increasingly 
targeting the software that is running on top of the operating system, 
according to the SANS Institute, a training organization for computer 
security professionals. SANS lists [2] instant messaging applications, 
media players and backup software among the most critical areas for 
new security vulnerabilities. 

Another Princeton computer scientist who is familiar with the paper 
said that the research shows just how widespread these "privilege 
escalation" problems really are. "For the average user, it's a 
reminder that software applications can open security holes and that 
application vendors do make mistakes that can cause risks for users," 
said Ed Felten, a professor of computer science and public affairs. 
"No application should be considered completely safe." 

The MediaMax copy protection software used by Sony BMG Music 
Entertainment was recently discovered to have this kind of privilege 
escalation flaw, according to Felten. MediaMax's producer, SunnComm, 
has since patched the problem, he said. 

The security vulnerabilities that Govindavajhala and his co-author 
Andrew Appel discovered have been fixed in the AIM client and Adobe's 
products [3], but there are other programs that suffer from the same 
problem, Govindavajhala said. 

Govindavajhala did not want to name specific unpatched products 
because that information could be used by attackers, he said.

[1] http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
[2] http://www.sans.org/top20/
[3] http://www.frsirt.com/english/advisories/2006/0431



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Researchers: Popular apps have mismanaged security, InfoSec News <=
Previous by Date:  [ISN] In QDR, Defense focuses on combating cyberthreats, InfoSec News
Next by Date:  [ISN] Honeywell blames ex-employee in data leak, InfoSec News
Previous by Thread:  [ISN] In QDR, Defense focuses on combating cyberthreats, InfoSec News
Next by Thread:  [ISN] Honeywell blames ex-employee in data leak, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]