Examples and descriptions of various common vulnerabilities
Microsoft Windows, the operating system most commonly used on systems connected to the Internet, contains multiple, severe vulnerabilities. The most commonly exploited are in IIS, MS-SQL, Internet Explorer, and the file serving and message processing services of the operating system itself.
A vulnerability in IIS, detailed in Microsoft Security Bulletin MS01-033, is one of the most exploited Windows vulnerabilities ever. A large number of network worms have been written over the years to exploit this vulnerability, including ‘CodeRed’. CodeRed was first detected on July 17th 2001, and is believed to have infected over 300,000 targets. It disrupted a large number of businesses, and caused huge financial losses around the world. Although Microsoft issued a patch for the vulnerability along with the MS01-033 security bulletin, some versions of the CodeRed worm are still spreading throughout the Internet.
The Spida network worm, detected almost a year after CodeRed appeared, relied on an exposure in the MS-SQL server software package to spread. Some default installations of MS-SQL server did not have a password on the ‘SA’ system account. This allowed anyone with network access to the system to run arbitrary commands. Using this exposure, the worm configures the ‘Guest’ account to allow file sharing and uploads itself to the target. It then uses the same password-less ‘SA’ account access to launch a remote copy of itself, thus spreading the infection.
The Slammer network worm, detected in late January 2003, used an even more direct method to infect Windows systems running MS-SQL server: a buffer overflow vulnerability in one of the UDP packet handling subroutines. As it was relatively small – 376 bytes – and used UDP, a communication protocol designed for the quick transmission of data, Slammer spread at an almost incredible rate. Some estimate the time taken for Slammer to spread across the world at as low as 15 minutes, infecting around 75,000 hosts.
These three notorious worms relied on vulnerabilities and exposures in software running on various versions of Microsoft Windows. However, the Lovesan worm, detected on 11th August 2003, used a much more severe buffer overflow in a core component of Windows itself to spread. This vulnerability is detailed in Microsoft Security Bulletin MS03-026.
Sasser, which first appeared at the beginning of May 2003, exploited another core component vulnerability, this time in the Local Security Authority Subsystem Service (LSASS). Information about the vulnerability was published in Microsoft Security Bulletin MS04-011. Sasser spread rapidly, and infected millions of computers world-wide, at an enormous cost to business. Many organizations and institutions were forced to suspend operations due to the network disruption caused by the worm.
Inevitably, all operating systems contain vulnerabilities and exposures which can be targeted by hackers and virus writers. Although Windows vulnerabilities receive the most publicity due to the number of machines running Windows, Unix has its own weak spots.
For years, one of the most popular exposures in the Unix world has been the ‘finger’ service. This service allows someone outside a network to see which users are logged on to a certain machine, and from which location those users are accessing it. The ‘finger’ service is useful, but it also exposes a great deal of information which can be used by hackers.
Here’s what a sample of a remote ‘finger’ report looks like:

    Login    Name        Tty    Idle   Login Time     Office  Office Phone
    xenon                pts/7  22:34  May 12 16:00   (chrome.chiba)
    polly                pts/3  4d     May  8 14:21
    cracker  DarkHacker  pts/6  2d     May 10 11:58

This shows that we can learn some interesting things about the remote machine using the finger server: there are three users logged in but two of them have been idle for more than two days, while the other one has been away from the computer for 22 minutes. Log-in names shown by the finger service can be used to try login/password combinations. This can quickly result in a system compromise, especially if users have based their passwords on their username, a relatively common practice.
The ‘finger’ service not only exposes important information about the server it is hosted on; it has also been the target of many exploits, including the famous network worm written by Robert Morris Jr, which was released on November 2nd 1988. Most modern Unix distributions therefore come with this service disabled.
The ‘sendmail’ program, originally written by Eric Allman, is another popular target for hackers. ‘Sendmail’ was developed to handle the transfer of email messages via the Internet. Due to the large number of operating systems and hardware configurations it had to support, ‘Sendmail’ grew into an extremely complex program, which has a long and notorious history of severe vulnerabilities. The Morris worm used a ‘sendmail’ exploit as well as the ‘finger’ vulnerability to spread.
There are many other popular exploits in the Unix world which target software packages such as SSH, Apache, WU-FTPD, BIND, IMAP/POP3, various parts of the kernel, etc.
The exploits, vulnerabilities, and incidents listed above highlight an important fact. While the number of systems running IIS, MS-SQL or other specific software packages can be counted in the hundreds of thousands, the total number of systems running Windows is probably close to several hundred million. If all these machines were targeted by a worm or a hacker using an automated hacking tool, this would pose an extremely severe threat to the internal structure and stability of the Internet.
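As an added example (not part of the original article), the following Python script parses the sample ‘finger’ report quoted above into structured records and summarises what a remote party learns from it: the valid login names, which sessions have been idle for days, and the hosts users connect from. It assumes the BSD-style idle column conventions (a bare number is minutes, "H:MM" is hours and minutes, "Nd" is days, and an empty field means the user is active); the stale-session threshold of two days is a constructed choice for the audit.

```python
"""Parse a remote `finger` report and summarise the information it discloses.
Assumed idle-column conventions (BSD finger style): bare number = minutes,
"H:MM" = hours:minutes, "Nd" = days, empty field = active right now."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample report, reproduced from the article text above.
FINGER_REPORT = """\
Login    Name        Tty    Idle   Login Time     Office  Office Phone
xenon                pts/7  22:34  May 12 16:00   (chrome.chiba)
polly                pts/3  4d     May  8 14:21
cracker  DarkHacker  pts/6  2d     May 10 11:58
"""

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
TTY_RE = re.compile(r"^(pts/\d+|tty\S*|console|\*\S+)$")
STALE_AFTER_MINUTES = 2 * 24 * 60  # constructed audit threshold: two days


@dataclass
class Session:
    login: str
    name: str
    tty: str
    idle_minutes: int
    login_time: str
    origin: str  # remote host shown in the Office column, if any


def parse_idle(field: str) -> int:
    """Convert a finger Idle field to minutes."""
    if field == "":
        return 0
    if field.endswith("d"):
        return int(field[:-1]) * 24 * 60
    if ":" in field:
        hours, minutes = field.split(":")
        return int(hours) * 60 + int(minutes)
    return int(field)


def parse_finger(report: str) -> List[Session]:
    """Split each data row on whitespace; the Tty token anchors the columns
    because the Name column may be empty."""
    sessions = []
    for line in report.splitlines()[1:]:  # skip the header row
        tok = line.split()
        tty_idx: Optional[int] = next(
            (i for i, t in enumerate(tok) if TTY_RE.match(t)), None)
        if tty_idx is None:
            continue  # not a session row
        rest = tok[tty_idx + 1:]
        idle = "" if rest[0] in MONTHS else rest.pop(0)  # blank idle = active
        sessions.append(Session(tok[0], " ".join(tok[1:tty_idx]), tok[tty_idx],
                                parse_idle(idle), " ".join(rest[:3]),
                                " ".join(rest[3:])))
    return sessions


def exposure_summary(sessions: List[Session]) -> dict:
    """What an outsider learns: account names, long-idle sessions, origins."""
    return {
        "logins": [s.login for s in sessions],
        "stale": [s.login for s in sessions
                  if s.idle_minutes >= STALE_AFTER_MINUTES],
        "origins": [s.origin for s in sessions if s.origin],
    }
```

Running `exposure_summary(parse_finger(FINGER_REPORT))` yields the three login names, the two sessions idle for two days or more, and the single remote origin, which is exactly the reconnaissance picture the paragraph above describes.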