Yesterday we brought you news that Gmail is open to a filter-insertion technique that can allow attackers to forward mail with attachments to other addresses. Google confirmed that flaw yesterday.

But it looks like Petko Petkov isn’t the only researcher out there looking into Google flaws.

On Wednesday, Billy (BK) Rios posted on his blog that Google may be putting its own servers at risk because of a cross-domain exposure flaw associated with Google Documents.

Here’s a snippet:

“Google Documents basically allows you to upload your documents (a.k.a. content) to a Google server. Once you’ve uploaded the document, Google has essentially “taken ownership” of the document (content). There are ways to minimize the risks associated with taking ownership of content, and it seems that Google has taken some measures to sanitize for XSS… but it seems that their focus on XSS may have caused them to miss a different type of cross domain exposure.”

Rios’ blog also features proof-of-concept code.

Something to keep an eye on later this week: Microsoft’s BlueHat v6 blog.

Set to take place in Redmond this Thursday and Friday, BlueHat v6 will feature Microsoft brass meeting with outside security experts on topics like virtualization, process isolation, Windows Mobile and automated exploit creation.

Here are two goals of the conference as described by Andrew Cushman, Microsoft director of security outreach.

- “To expose senior product leaders and front-line engineers to the threats and attack tools and methodologies used in the real world. Take the security threat from the theoretical/intellectual level of, ‘I understand what a buffer overflow is,’ to ‘OMG that’s what it’s like.’ BlueHat connects with execs and engineers at a visceral level and *really* brings the message home…

- To expose security researchers (and the security community) to Microsoft engineers and business leaders… BlueHat gives us a chance to open up on our home turf and gives the researchers an opportunity to interact with all levels of the organization. They too get to experience first-hand that Microsoft does have smart, passionate engineers that do care about security.”

Of course, it’s Microsoft’s conference and it’s closed - so don’t expect breaking news to appear on the BlueHat blog, but it’s still worth keeping tabs on.

Don’t let anyone tell you that nothing ever happens at Black Hat anymore.

Researcher Robert Hansen has a recap on his blog of a conversation he had at the Las Vegas conference with a number of Mozilla officials. What began as a debate ended with Mike Shaver, Mozilla director of ecosystem development, using some colorful language to describe how quickly Mozilla can push out patches for Firefox.

“We showed up and nearly immediately I was surrounded by the bulk of the Mozilla QA and security team that was attending Black Hat. They asked me lots of questions and gave me lots of info. It was a pretty equitable trade of information. Clearly, they acknowledge that they need help from the community, but they also feel confident that once things come to their attention it’s simply a matter of days to close their holes. They said the recent rollouts were actually slower than they would have liked them to be, even though they were only a week and a half apart. Further, they said that they could roll out any critical patches within 10 days. Not one to let challenges go untested I called BS.

I told him I would post his card — and he didn’t flinch. No, he wasn’t drunk. He’s serious. I’ve always been a fan of Mozilla and Firefox. However, this is a pretty bold claim for a company of any shape or size. I shopped the business card around to various people while I was at the Microsoft party the next day to get people’s reaction. The consensus was that it was funny, very difficult to achieve and in one case, one of the head guys of security at Amazon simply doubted that the patches would be of sufficient quality. I’m not going to comment on my personal feelings on this matter except to say that I’d love to see Mozilla back up their promise.”

So was this a guarantee that Mozilla can patch anything and everything within 10 days? Mozilla clarified any statements, official or otherwise, on Monday with a few blog posts of its own.

From the blog of Window Snyder, chief security something-or-other:

“When I asked [Shaver] about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only 10 days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we’re among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly.

This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the internet secure.”

And an apology from Shaver himself:

“I was intending to express my confidence in our ability to turn around a fix quickly if we needed to by giving him a sort of ‘admit one’ ticket for a disclosure that he thought needed an especially fast response due to extreme risk or some such. That was a bit overzealous in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a 10-day turnaround on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression.

I apologize, and hope that nobody will think less of Mozilla because of my error. We don’t issue challenges, and nobody here thinks that security response is a game. This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own, and I hope the fracas about my overzealous comments to Robert don’t overshadow the great work that people on the Mozilla project do to keep our users secure.”

Security researchers at McAfee are hot on the trail of a recent post at the Infosecsellout blog that claimed the availability of a proof-of-concept worm for Apple’s Mac OS X system.

The post was available on Sunday, then soon removed, and now alludes to an Apple worm and links to a SecurityFocus vulnerability alert.

Researcher Francois Paget from McAfee posted on the Avert Labs Blog that the story shows Mac with Intel is bound to be a target.

“As we were researching this announcement, we soon discovered that more accurate and interesting information was originally posted – but rapidly removed – on that blog. If you visited it on Sunday, you were able to read a note from the man who claims to be the worm author. His motivations were clearly visible: ‘I wrote this for my own purposes and it will be demonstrated to those who asked me to engage in this work. Yes, I am being compensated for this.’”

Citing the earlier post, Paget said the following:

“In this blog entry, the possible author gives some details about its proof of concept, which could be easily changed to be more malicious.

He said his code uses a non patched variation of the MDNSResponder vulnerability recently fixed by Apple. According to this guy, the worm gives remote root access, compromises its first system, places a text file on the desktop and moves on to attempting to compromise other systems on the same network.”

So, as of this post, there is no PoC Apple worm available, at least not on the Infosecsellout blog. But it is suggested that one could be created to exploit this newly found flaw.

As for what actually happened, an anonymous posted suggested that the blog had been hijacked by another person looking for attention.

It’s a little too early to start wondering if, a decade now, you’ll ask your friends, “Where were you when the iPhone went on sale?” But that doesn’t take away from the fact that Apple’s latest and greatest gadget launch was an unqualified success - at least in terms of living up to the hype.

Scammers have also had their turn with iPhone madness, sending out scam emails that download malware or try to acquire financial information from recipients.

The researchers are hard at work as well, taking the iPhone apart and looking for any security vulnerability they can find.

Here’s some post-launch security analysis of the iPhone launch:

“Within hours of Apple’s introduction of the latest version of its Safari browser two weeks ago, the hacking community began reporting bugs they had discovered in the beta code. Today, the iPhone is likely to get even closer scrutiny from many of the same security researchers. Here’s a list of the top items on the typical iPhone hacker’s to-do list.

3. Take a Close Look at iPhone’s Networking Technologies
Because Apple hasn’t previously developed its own mobile phone, there is bound to be lots of new and possibly buggy networking code in the device. “One of the things we’ll look at as well is the new code that will have to be developed for a phone platform,” said Neel Mehta, a researcher with IBM Corp.’s Internet Security Systems division. “With any piece of new code there’s always a risk that there could be vulnerabilities in it.”
- Anand Vardhan, Anand Varhan: Flex Developer, July 2, “A hacker’s to-do list – iPhone”

“Yup. After waiting a day to get the darn thing activated, we found a bug within a few minutes. We are cheating, of course; it’s just the same bug we found earlier on Safari. Also, our Bluetooth fuzzer locks up the device, so that’s an interesting sign. (As we’ve said in the past, we’ll disclose all our bugs to Apple when they publish acceptable vuln handling guidelines).

At the same time, Apple is going to have the same problem that Windows has. While they may have better theoretical security, they are going to be a bigger target. Hackers know a lot more about breaking into Mac OS X than they do competing platforms like Windows Mobile or Symbian. Thus, even though Apple will patch sooner, they’ll also have more bugs to patch because of increased hacker interest.”
- Robert Graham, Errata Security blog, July 1, “Our first iPhone bugs”

Looking back, what a strange bunch of news we had last week – and by strange, I mean that SC Magazine covered a little bit of everything.

First, a lot of IT pros are likely scratching their heads wondering if the iPhone’s release is going to be a career-changing event, and not in a good way.

Researchers and analysts last week were cautious of the iPhone. Here’s another take from a Symantec researcher:

“Projections made by various analysts suggest that iPhone adoption will be quite high. This allows attackers to target a larger audience with malicious code designed to run on the devices. The Safari browser and HTML email capabilities of the device could present an ideal attack vector. As recently demonstrated, Safari can be affected by vulnerabilities just as easily as other browsers on the market. While Apple may patch these holes on both the desktop and mobile platforms, the question is will users who have to pay for data transfers be willing to download large security updates on a regular basis?”
- Marc Fossi, Symantec Security Response Weblog, “Dialing for trojans”

The conventional wisdom used to be that malware authors would try to reach as many end-users as possible to spread viruses, worms, trojans or the malware of the day.

But now, attackers may be taking a page from marketers and forgoing attempts at global mass-attacks in favor of targeted, language- and custom-specific attacks to spread malware through a specific region.

Last week we saw the “Italian Job” trojan attack, spread mostly through use of the Russian-gang-controlled MPACK toolkit.

Here’s what Exploit Prevention Labs had to say about the trojan that ran amok through the boot-shaped country this month.

“The most important thing to keep in mind about this attack using compromised hosts and the MPACK exploit toolkit is that there is nothing unique save for the number of hosts involved. A year ago, the popular exploit toolkit was WebAttacker from Inet-Lux. The same many-to-one approach of using multiple compromised hosts to redirect to a singular malicious site was popular. Also, both WebAttacker and MPACK can serve up several exploits based on the visitor’s configuration…Prior to this ‘Italian Job’ we’ve been seeing MPACK use in the wild exploding this year. However, there are other toolkits out there, and there is no shortage of malicious talent to construct new ones. Whoever advertises the highest anticipated rate of infection will have a chance to become the weapon of choice. Moving forward, I’m sure we’ll see further larger-scale attacks play out either with MPACK or another toolkit.”
- Robert Freeman, Frequency X, “Reflecting on an ‘Italian Job’”

And what would a recap of last week’s news be without Harry Potter. The boy wizard was at the center of an information security controversy of his own, as a hacker claimed to have penetrated the networks at Bloomsbury Publishing and found out the end of the hugely popular series.

Most experts think the reported hacking was a fake; here’s the good word from Security-Protocols:

“If what (hacker) ‘Gabriel’ says is true, then that means tons of new spoilers for the book are now available online and we are going to have a lot of very upset Harry Potter fans. The spoilers the hacker gives away basically tell who dies in the last book…We also have to remember that potential troll posts like this one have occurred on two previous Harry Potter books, both of which were not true.”
- Security-Protocols, “Harry Potter and the Deathly Hallows hacked?”

One IT security topic that will never go away is vulnerability reporting - and the ethics of what truly comprises “responsible disclosure.”

As you’re probably well aware, opinions – and usually well researched ones at that – range from claims that flaws should not be disclosed by security researchers until a patch is released to the belief that all vulnerabilities, no matter how dangerous or widespread, should be released immediately.

And that’s not even touching the debate over whether or not it’s ethical to pay for vulnerabilities…

We’ll be revisiting the debate on vulnerability research on this blog again – hopefully taking in a wide variety of opinions. As always, please feel free to provide comments of your own or link to other blogs.

So, without further ado, here’s a post from Gunter Ollmann of IBM Internet Security Systems on “Disclosure vs. ethics.”

“Again, from my perspective, it is irresponsible and unjustifiable to hold an unresponsive vendor’s customers to ransom and undue risk. This is why I have trouble digesting some organizations’ disclosure guideline exceptions when dealing with Apple. Granted, Apple has an extremely poor – if not downright hostile – relationship with vulnerability researchers around the world, but that doesn’t mean that we should take our frustrations out on their customers. There are plenty of other ways to educate Apple and their customers – even the naïve ones that believe heart and soul in Apple’s boldest security claims.”
-Gunter Ollmann, Frequency X, “Disclosure vs. ethics”

Few people seem to know exactly what to make of the iPhone yet – other than to comment on how the device will deplete bank accounts.
But how much of a security headache will the iPhone be for IT pros? Here are two (mostly) opposite opinions:

“The vendor plays an important role in security methodologies, something I’ve written on before. Faced with a lack of vendor information, we must hunker down and prepare our defenses. For all our sake, let’s hope Apple pulls this one off (besides, I’d like an iPhone too). Though I suppose perhaps that Apple’s market analysis probably has already told them this – despite the fact of my own concerns, people like me will still want to pony up the $$ regardless.”
- Andrew Storms, 360 Security, “The iPhone, our new security nightmare”

“If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone. Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ financial information, and stolen laptops.

The person that spends $500 on their phone will protect it more than the laptop that you issued them.”
-Dave G., Matasano Chargen, “Matasano does not care about iPhone security”

At the risk of turning The Roundup into “All Safari, all the time,” here’s another sampling from the IT security blogosphere about Apple’s release of Safari for Windows.

Just hours after the release, researchers claimed numerous vulnerabilities within the browser, adding a new twist to Apple’s already strained relationship with the security community.

“Safari 3.0 is still in beta and beta software is expected to have bugs. Even after the final release, browsers with vulnerabilities have become more rule than exception. Microsoft’s Internet Explorer, Mozilla’s Firefox, and the existing version of Safari for OS X, regularly get patched to fix security vulnerabilities.

What it boils down to is this: The usual advice for safe computing remains the same. Don’t assume any software is inherently safe, regardless of how safe it purports to be. Software is written by humans, and humans do make mistakes, which can lead to vulnerabilities. Make sure you’re running up to date security software and install the latest security fixes from your software vendors.”
- Allysa Myers, McAfee Avert Labs Blog, “Safari for Windows is not a trojan horse”

“Probably the most interesting part of this is Dave Maynor’s reasons for going full disclosure. He doesn’t talk about it much on his blog, other than this little quip, ‘keeping with our disclosure policy, we do not report bugs to Apple.’ Apple has had a long history of bad dealings with security researchers, and they are now seeing a backlash amongst the security community. No surprises though, you get what you ask for. It pays not to make enemies in this business.”
- ha.ckers, “Sad day for Safari on Windows”

“So as everyone knows, Apple has released Safari 3 beta for OS X and Windows, and security researchers are already dropping flaws on it. I believe Apple has just caused the price of Safari zero days to increase about 1,000 percent by releasing it on Windows.”
- Security-Protocols, “Safari 3 beta released on Windows”

This isn’t a week-in-review post, or a pre-holiday recap. But here are viewpoints from two IT security blogs on some pre-Memorial Day stories covered this week.

New Office 2000 ActiveX flaw
McAfee on Thursday downplayed the flaw, disclosed as part of the Month of ActiveX Bugs project, on the Avert Labs blog. Researcher Allysa Myers pointed out that “if you’re practicing good computer hygiene, you’ll be just fine.”

“The PoC code itself is harmless, as intended, but will lower macro security settings in Word 2000. However, if you’ve been regularly applying your Office patches, you don’t have to worry about the exploit,” she said. “This vulnerability was patches seven years ago this month, so you’d have to be a pathological procrastinator to have missed the update. This fix is also included in Office 2000 (Service Pack 3).”

nCircle acquires Cambia Security
Almost a depressing send off to Cambia here from Mark Wood, who was the company’s VP of product management and marketing, before it was acquired this week by nCircle. He’s stressing opportunity over sentimentality in this post.

“For the past two years, I’ve worked hard with a team of incredibly talented people here in Atlanta to bring an agent-less configuration compliance solution to market and to make it as effective and as well-known as possible. That journey ended this morning when the Cambia website vanished for the last time and was replaced by the redirects to the nCircle site. I sat alone in a silent office at 8 am as I watched the Cambia home page go dark,” he said. “Now, I don’t want you to think I’m unhappy with this acquisition. It’s terrific. It was just harder to watch the Cambia stuff go away than I expected. Transitions like this often are, I suppose.”