LOUISVILLE – By the time this post goes live, DerbyCon will have ended, and the crowds will all be heading home, airlines permitting, as weekend rolls away and the reality that is Monday sets in.
The following update was originally written on Saturday evening, but updated early Sunday morning.
Original Post:
It's Saturday evening, and Salted Hash has spent most of the day learning (sitting in on some impromptu training in the lobby area), presenting (yours truly, along with Jen Ellis, gave a talk on hacking the media), and doing a marathon media training session for The Cavalry. Good times.
As was the case on Friday, most of the lobby and hallway conversations at DerbyCon focused on Shellshock.
It isn't that Shellshock is the end of the world, far from it. However, it's the number of attack vectors that has many researchers taking note. Truth be told, Shellshock is bad, so was Heartbleed for that matter, but neither of them stack-up to SQL Injection.
If there is anything positive about Shellshock, it's the fact that while the attack surface is massive, there's only a single patch needed. Believe it or not, that's a good thing. A sentiment that noted researcher Rob Fuller (mubix) expressed this evening.
With regard to presentations, there were dozens of excellent talks this year. One of them came from Carlos Munoz, a researcher with WhiteHat Security, which explored an unpatched vulnerability in Internet Explorer.
At the time his talk was given, I was in the middle of training, so I missed the initial presentation. Thankfully, a video of the talk appeared online rather quickly.
The issue is in Microsoft's reflective cross-site scripting (XSS) filter, a feature that's existed within their browser since version 8. However, while exploiting the flaw isn't all that complicated (much of the bypass revolves round HTML standards that have existed since 1998), Microsoft says that they will not patch the vulnerability.
At first Microsoft told Munoz that the problem required special functionality, thus they won't fix it. However, given that he used code allowed under HTML 2.0 and 4.0 specifications, one could argue that this is far removed from the realm of special functionality.
After the media caught wind of the research, Microsoft changed their tune some, telling Kaspersky's Threatpost last December that the XSS filter in Internet Explorer is only supposed to increase the cost of an attack. So it will only prevent the low hanging fruit and nothing else.
Microsoft's statement continues:
"The scenario in question would require a cross-site scripting vulnerability to be present in a website and would also require a user to interact with such a site. We continue to recommend that customers exercise caution when accepting links from untrusted sources."
Therein lies the problem. Should this flaw exist on a website the victim trusts, then the attacker has the upper hand all the way around. It's a great talk, worth checking out if you have legacy systems or rely on Internet Explorer in the office.
The presentation is embedded below, proof-of-concept code and slides are available here.
Update:
Early Sunday morning, the saga that is Shellshock moved forward with additional technical information, as well as an update on the state of active attacks.
From day one, attackers have been leveraging this vulnerability in order to conduct a number of schemes, including malware propagation, server compromise, and click fraud.
Researchers at Incapsula said that between Thursday and Friday evening they've witnessed more than 17,000 attacks (725 attacks per hour). More than 1,800 domains have been targeted, and the origin of these attacks are scattered between 400 IP addresses. A majority of the attacking IP addresses are assigned to systems in China and the U.S.
As the criminals go on the hunt, researchers have been working to patch critical systems and experimenting, locating various means of attack and attempting to establish a clearer picture of the overall attack surface. A collection of proof-of-concept code related to Shellshock is available online, thanks to Rob Fuller and those who are contributing to the resource.