Australia's Leading Computer Emergency Response Team

AusCERT Week in Review for 28th March 2013
Date: 28 March 2013
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=17279

Greetings,

Welcome to the Week in Review for the week ending Thursday 28th of March 2013.
As usual, it has been an interesting week in IT Security.

The three main news items of the week that will be covered in this post are:
1) The DDoS that has been the talk of the week,
2) Using JavaScript to change a link after you click on it, and
3) AusCERT's attendance at the APCERT AGM and Conference in Brisbane.

At the end of this post the most notable security bulletins of the week will also be covered in brief.

Firstly, let me quickly mention the DDoS attack against Cloudflare that has been the talk of the week. As it has made its way into the mainstream media, I will try not to linger on it too much. Cloudflare has released some interesting stats, noting that their networks were hit with an attack peaking at 120 Gbps on the 22nd of March. Thanks to its use of anycast, Cloudflare noted that the attack did not cause any performance degradation for the targeted websites. Since the attackers did not achieve their intended goal, they then launched a DDoS attack on Cloudflare's own tier 1 network providers. Cloudflare's tier 1 provider has said that it saw more than 300 Gbps of related attack traffic. As a result, massive congestion was seen across many tier 1 networks, especially in Europe. Cloudflare concludes that the attackers were able to carry out attacks of this size because of the many open resolvers sitting on high-bandwidth links around the world. So, do you have any open resolvers on your network that might be helping to perform a DDoS? A quick search will reveal a number of websites that will check your IP or IP range for open resolvers. One is the Open Resolver Project and another is a tool provided by The Measure Factory. You may find links for these in the references section below.
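The check those websites perform boils down to one recursive DNS query: a resolver that sets the RA (recursion available) flag and returns answers for a name it is not authoritative for is open to the world. The script below is an added example (not AusCERT's code and not either of the tools mentioned) that builds such a query, classifies the reply, and can probe a host of your own; the two sample reply headers are constructed so the parsing logic runs offline, and the query name example.com is an assumption.

```python
import socket
import struct
import secrets

def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query for `name` with the RD (recursion desired) bit set."""
    if txid is None:
        txid = secrets.randbits(16)
    # flags 0x0100: standard query, RD=1; one question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # qtype A, class IN

def parse_reply(txid, data):
    """Return (recursion_available, rcode, answer_count) from a DNS response header."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:          # QR bit: must be a response, not an echoed query
        raise ValueError("not a response")
    return bool(flags & 0x0080), flags & 0x000F, an   # RA bit, RCODE, ANCOUNT

def is_open_resolver(txid, data):
    """Open resolver: advertises RA and actually answers a recursive query for a foreign name."""
    ra, rcode, answers = parse_reply(txid, data)
    return ra and rcode == 0 and answers > 0

def probe(host, name="example.com", timeout=3.0):
    """Send one recursive query to `host` over UDP/53 and classify it (live network call)."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, 53))
        data, _ = s.recvfrom(512)
    return is_open_resolver(txid, data)

# Constructed sample replies (header only; the parser reads just the first 12 bytes):
# txid 0x1234, flags 0x8180 = QR RD RA, rcode 0, 1 question, 1 answer -> open
SAMPLE_OPEN_REPLY = bytes.fromhex("1234 8180 0001 0001 0000 0000")
# flags 0x8105 = QR RD, RA clear, rcode 5 (REFUSED), no answers -> closed
SAMPLE_REFUSED_REPLY = bytes.fromhex("1234 8105 0001 0000 0000 0000")

if __name__ == "__main__":
    print("sample open reply:", is_open_resolver(0x1234, SAMPLE_OPEN_REPLY))
    print("sample refused reply:", is_open_resolver(0x1234, SAMPLE_REFUSED_REPLY))
```

A resolver that answers only for its own zones will typically reply REFUSED with RA clear, which is the second sample; a truncated or absent reply (timeout) is also a "closed" result and is worth logging separately.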

Sophos has tried to bring attention to a problem by posing an open question to the IT industry: "Should JavaScript be allowed to change a web link after you click on it?" The problem has been around for a while but it was recently highlighted by a web coding enthusiast from the UK. Some of you may have noticed this behaviour when you click on a Google search result. If you hover over a search result link, it will show you the correct URL. However, once you click on it, you actually go through Google's links first before ending up at your final destination. This is achieved through the use of JavaScript's 'onclick' event, which can change the destination of your link after you have clicked on it. This obviously has massive implications for phishing. What if a bank's website is compromised and the attackers only change the internet banking links with the use of this small JavaScript trick to silently redirect users to a phishing page? To highlight the seriousness of the situation, Sophos used an interesting example that might provide a better picture: "You wouldn't expect a shop to show you a price of $99 on your credit card slip, ask you to approve payment, and then quietly bill you a completely different amount."
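One defensive check a site owner can run against their own pages is a static scan for anchors whose visible href differs from the URL an inline click handler assigns. The script below is an added example (not Sophos's or AusCERT's code); the regular expression is an assumed heuristic, the sample page is constructed, and handlers attached from external scripts via addEventListener() are deliberately out of its scope.

```python
import re
from html.parser import HTMLParser

# Inline handler attributes that run between the click and the navigation.
CLICK_EVENTS = ("onclick", "onmousedown", "onmouseup")
# Assumed heuristic: an inline handler that assigns a new URL to the link target
# (this.href / location / window.location). Not exhaustive by design.
REWRITE = re.compile(
    r"(this\.href|location(?:\.href)?|window\.location)\s*=\s*['\"]([^'\"]+)['\"]")

class LinkAuditor(HTMLParser):
    """Collect anchors whose shown href differs from the URL an inline handler assigns."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        shown = attrs.get("href")
        for event in CLICK_EVENTS:
            handler = attrs.get(event)
            if not handler:
                continue
            match = REWRITE.search(handler)
            if match and match.group(2) != shown:
                self.findings.append((shown, event, match.group(2)))

def audit(html):
    """Return (shown_href, event, actual_destination) for every mismatched link."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one honest link, one link rewritten on click,
# and one link whose handler only records analytics and leaves the target alone.
SAMPLE_HTML = """
<a href="https://bank.example/login">Log in</a>
<a href="https://bank.example/login"
   onclick="this.href='https://login.phish.invalid/'">Log in</a>
<a href="/help" onclick="track('help')">Help</a>
"""

if __name__ == "__main__":
    for shown, event, actual in audit(SAMPLE_HTML):
        print(f"{event}: shows {shown} but navigates to {actual}")
```

Run it against a saved copy of your own login pages as part of a content-integrity check; a non-empty result is a diff worth investigating, not proof of compromise, since analytics and tracking code legitimately produce the same pattern.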

This week AusCERT participated in the 10th Annual General Meeting and Conference of the Asia Pacific Computer Emergency Response Team (APCERT). APCERT aims to foster cooperation and build a trusted network among member CERTs from the Asia Pacific region. AusCERT was one of the founding members of APCERT 10 years ago. This year's conference highlighted the continued need to share data and build trust between the Asia Pacific economies in order to continue the fight to make the Internet a safer and more secure place.

Finally, here are this week's notable security bulletins:

1) ESB-2013.0440 - [UNIX/Linux] BIND: Denial of service - Remote/unauthenticated

Due to a flaw in a library used by BIND, a denial of service can be caused as a result of excessive memory consumption by the 'named' process. Patching all your BIND servers should be your top priority this week!

2) ASB-2013.0047 - [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities

Google pushed out another update this week. It contained two 'High' rated fixes, four 'Medium' rated patches and six 'Low' rated patches, bringing the total number of vulnerabilities patched this week to 12. As usual, most of the actual exploit details are kept private until users have a chance to update.

3) ESB-2013.0442 - [Win][Linux][Debian][FreeBSD] icinga: Execute arbitrary code/commands - Remote/unauthenticated

Several buffer overflows were discovered in the 'history.cgi' CGI program of Icinga, a host and network monitoring system.

4) ESB-2013.0448 - [Win][UNIX/Linux][RedHat] pixman: Execute arbitrary code/commands

As a result of an integer overflow in the pixel manipulation library for the X Window System and Cairo, a remote attacker could either crash the application or execute arbitrary code.

That ends our week in review. Stay patched and have a great Easter weekend.

Regards,
Parth Shukla
Information Security Analyst