"De Flashing" the ISC Web Site and Flash XSS issues
You may have noticed that earlier today, I removed the flash player that we use to play audio files on our site. The trigger for this was a report that the particular flash player we use (an open source player usually used with WordPress) is susceptible to cross site scripting [1][2]. Instead of upgrading to the newer (patched) version, we decided to remove the player altogether.
The other part of this is that pretty much all current browsers have reasonable support for HTML5 audio tags. We offer our audio files, like the daily podcast, in MP3 as well as Ogg Vorbis format, which covers all major browsers. We also offer links to the direct files in case someone would like to play the files "offline", and our RSS feeds let you subscribe with various MP3/podcast players.
So in short, the flash player wasn't worth maintaining.
On the other hand, we will try to embrace some of the HTML5 features more as we move the site forward. The data will still be available in pretty much any browser (yes, even lynx), but you will see our graphs and similar parts of the site take advantage of newer browser features to make it easier to navigate the data. For now, we still have a couple of Flash movies on the site, but we are working on moving them either to YouTube or to our own (again HTML5 based) solution.
Big thanks to Rafay Baloch [3] for reporting the XSS vulnerability to us!
Example exploit string to test your own player: player.swf ? playerID= \\%22))} catch(e){alert('Your%20cookies%20are%20mine%20now')} // (remove spaces, but keep the // at the end)
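As an added illustration of the replacement described above (this is not ISC's own site code), the helper below emits the HTML5 audio markup for one podcast episode: an MP3 source, an Ogg Vorbis source, and plain download links as the fallback for browsers without audio support. The point worth taking from the Flash player bug is that the playerID value ended up inside a JavaScript string without escaping; here every value that lands inside an attribute is HTML-escaped, and media URLs are checked against a simple allow pattern before use. Function names, the sample episode paths and the title are constructed for the example.

```javascript
// Added example, not ISC's own code. Builds the HTML5 <audio> markup
// (MP3 + Ogg Vorbis sources, download links as fallback) with every
// attribute value escaped so a title or file name cannot break out of
// the attribute it is placed in.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter inside HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Accept only site-relative paths (not protocol-relative "//host") or
// http(s) URLs; anything else (javascript:, data:, ...) is rejected
// outright rather than merely escaped.
function isSafeMediaUrl(url) {
  return /^(?:https?:\/\/|\/(?!\/))[^\s"'<>]*$/.test(String(url));
}

// Returns the markup for one episode, or throws if a media URL is rejected.
function audioTag({ title, mp3, ogg }) {
  for (const url of [mp3, ogg]) {
    if (!isSafeMediaUrl(url)) throw new Error(`rejected media URL: ${url}`);
  }
  return [
    `<audio controls preload="none" title="${escapeHtml(title)}">`,
    `  <source src="${escapeHtml(mp3)}" type="audio/mpeg">`,
    `  <source src="${escapeHtml(ogg)}" type="audio/ogg">`,
    `  <a href="${escapeHtml(mp3)}">Download MP3</a> | <a href="${escapeHtml(ogg)}">Download Ogg</a>`,
    `</audio>`,
  ].join('\n');
}

// Constructed sample episode (hypothetical paths and title).
const SAMPLE_EPISODE = {
  title: 'ISC Daily Podcast "Stormcast"',
  mp3: '/podcast/2013-05-07.mp3',
  ogg: '/podcast/2013-05-07.ogg',
};

console.log(audioTag(SAMPLE_EPISODE));
```

Browsers that understand the audio element pick the first source they can decode; older browsers render only the download links, which matches the "offline" links mentioned above.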
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1464
[2] http://wordpress.org/extend/plugins/audio-player/
[3] http://rafayhackingarticles.net twitter @rafaybaloch
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Are there any websites that are NOT compromised?
Today was yet another day with lots of compromised websites, some notable others less.
This morning, a reader wrote in to notify us that the county government website of a county in Georgia was compromised. Sure enough, it appeared to serve malicious JavaScript, launching the usual exploit kit Java exploit (ZeroAccess was the reader's guess, and I think he was right). With smaller sites/organizations like this, I usually try to give them a call, and in this case, I was pretty quickly sent to a person who was responsible for the web site content. Sadly, I don't think this person had enough basic understanding of exploit kits or web applications to follow most of what I tried to explain, but she knew someone to contact. As of right now, the web site *appears* to be "clean", which gets me to the next point: some of the difficulties one encounters in notifying sites.
- Frequently, like in this case, the exploit only shows up on some pages, and not all the time. Sometimes you need to visit with a specific browser, sometimes it is random, and in other cases the miscreant appears to filter out requests from "administrators", showing them the unaltered site.
- It is very hard to keep people from going to the URL right away while you are telling them it is dangerous. It was relatively early in the morning, and I forgot my usual introduction not to go to the site, so sure enough, as I explained which page I noticed as "infected", the person on the phone responded "but it look normal"...
- In particular for small sites like this, the standard blocklists don't work. VirusTotal's URL scanner showed the site as "safe". Kaspersky Anti-Virus on one of my Macs flagged the JavaScript with a generic exploit signature and prevented access.
FWIW: My guess is that the site was infected via the WordPress plugin "Super Cache", which was installed on the site. This plugin had some recent vulnerabilities.
The other compromise, the one that created a larger news response, was the compromise of wtop. com and federalnewsradio. com. Both sites are related to each other, so I consider them one compromise. The interesting response in this case was that the site blocked access from users running Internet Explorer, but let others in to the site. I didn't see any exploit code when I retrieved the site, but I am not sure if it is safe to assume that an exploit is only going to attack one particular browser; as noted above, the miscreant may also filter out requests from "administrators", showing them the unaltered site.
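The "only some visitors see it" behaviour described above is the reason a single fetch, or a scanner that always uses one fixed User-Agent, can report a compromised page as clean. The following is an added example (not an ISC tool) of a self-check a site owner can run against their own pages: it takes the HTML the same page returned to several different User-Agent strings, extracts every external script and iframe source, and reports any resource that shows up in some responses but not all. The HTML bodies, User-Agent strings and the injected hostname are constructed sample input, not captured data.

```javascript
// Added example, not ISC's own code. Compares the external <script>/<iframe>
// sources a page returned to different User-Agents and flags any that are
// only present for some of them, which is the signature of conditional
// injection. The responses below are constructed, not captured.

const SAMPLE_RESPONSES = {
  // Constructed: the variant served to an Internet Explorer visitor carries
  // an extra script tag appended after the page's own content.
  'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)': `
    <html><head><script src="/js/site.js"></script></head>
    <body><h1>County Government</h1>
    <script src="http://injected.example.invalid/kit/in.js"></script>
    </body></html>`,
  // Constructed: a Firefox on Mac visitor gets the unaltered page.
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Firefox/20.0': `
    <html><head><script src="/js/site.js"></script></head>
    <body><h1>County Government</h1></body></html>`,
  // Constructed: a search engine crawler also gets the unaltered page.
  'Googlebot/2.1 (+http://www.google.com/bot.html)': `
    <html><head><script src="/js/site.js"></script></head>
    <body><h1>County Government</h1></body></html>`,
};

// Collect "script:<src>" / "iframe:<src>" keys for every element with a src.
function externalResources(html) {
  const re = /<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const found = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    found.add(`${m[1].toLowerCase()}:${m[2]}`);
  }
  return found;
}

// Returns [{ resource, seenIn: [userAgent, ...] }] for each resource that is
// NOT present in every variant. An empty array means all variants agree.
function conditionalResources(responsesByUA) {
  const perUA = Object.entries(responsesByUA).map(([ua, html]) => [ua, externalResources(html)]);
  const union = new Set(perUA.flatMap(([, set]) => [...set]));
  const report = [];
  for (const resource of union) {
    const seenIn = perUA.filter(([, set]) => set.has(resource)).map(([ua]) => ua);
    if (seenIn.length !== perUA.length) report.push({ resource, seenIn });
  }
  return report;
}

for (const hit of conditionalResources(SAMPLE_RESPONSES)) {
  console.log(`${hit.resource} served only to: ${hit.seenIn.join(' | ')}`);
}
```

Two limits follow directly from the diary: when the injection is random rather than User-Agent based, the same page has to be fetched several times per User-Agent, and inline obfuscated scripts (no src attribute) are not caught by this extraction and need a separate comparison of the page bodies themselves.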
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Syria drops from Internet 7th May 2013
There have been a number of reports that Internet connectivity to Syria has been broken or disabled, and there is no official word on what has caused this.
Google's Transparency Report page [1] displays the drop-off, and a more comprehensive report is on the Umbrella Labs blog [2].
[1] http://www.google.com/transparencyreport/traffic/#expand=SY
[2] http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/
Chris Mohan --- Internet Storm Center Handler on Duty