Security Briefs: WiFi Attacks, Outlook Vulnerability

DoS attacks possible on 802.11 devices, public access points particularly vulnerable; tricking Outlook 2003 to download and run files

New WiFi (802.11) Vulnerability Revealed

The IEEE 802.11 specification—better known as WiFi in the consumer realm—is vulnerable to a denial-of-service attack. Affected hardware includes all with implementations of IEEE 802.11 using the DSSS physical layer. That includes 802.11, 802.11b, and 802.11g wireless devices operating below 20 Mbps. Implementations of 802.11a are not affected, nor are 802.11a devices operating above 20 Mbps.

The Australian Computer Emergency Response Team (AusCERT), which discovered the problem, says the vulnerability could allow “a trivial but effective” low-cost attack against 802.11 networks’ availability. Previous attacks of this nature required expensive, specialized equipment able to “drown out” all 802.11 traffic. By contrast, given this vulnerability, “an attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localization of the attacker difficult.”

The specific vulnerability is with the medium access control (MAC) function in the 802.11 protocol. “WLAN devices perform Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which minimizes the likelihood of two devices transmitting simultaneously. Fundamental to the functioning of CSMA/CA is the Clear Channel Assessment (CCA) procedure, used in all standards-compliant hardware and performed by a Direct Sequence Spread Spectrum (DSSS) physical (PHY) layer,” says AusCERT.

This attack simulates, in essence, an “always busy” signal for CCA, thus “preventing the transmission of any data over the wireless network.”

Any vulnerable product within range of the attacking device would be affected. Currently there is no known fix, though “well-shielded WLANs, such as those for internal infrastructures, should be relatively immune,” says AusCERT. On the other hand, “public access points will remain particularly vulnerable.”

Especially in light of the vulnerability, the agency reiterated its recommendation not to use 802.11 in “safety, critical infrastructure and/or other environments where availability is a primary requirement.”


Microsoft Outlook 2003 Can Be Tricked To Download and Run Files

Secunia warned of a “moderately critical” vulnerability in Microsoft Outlook 2003 that could allow an attacker to send e-mails resulting in automatic file download and launching on a target computer.

Outlook 2003 is also part of Microsoft Office 2003 Professional Edition, Small Business Edition, Standard Edition, and Student and Teacher Edition.

Though Outlook 2003 is supposed to open all e-mail inside its “restricted security zone,” which prevents such things as active scripting or automatic file downloads, not everything is contained in the zone. In particular, says Secunia, “it is possible to bypass the security settings by embedding an OLE Object with reference to a Windows media file in a Rich Text Format (RTF) message. This can be exploited to start a download sequence of arbitrary files, which in turn causes Internet Explorer to prompt the user whether to download the file.” No problem there if a user doesn’t end up downloading the file, except that another vulnerability, the “Predictable File Location Weakness,” could be used in conjunction with the first vulnerability to reportedly download and launch a file without warning.

Though the vulnerability affects Microsoft Outlook 2003, Secunia warns “other versions may also be affected,” although with the caveat that “they do not promise to protect the user in the same way,” meaning files might be more prone to running automatically.

To deal with the vulnerability, Secunia recommends users filter HTML and RTF messages, or “use another product.”
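One way a mail gateway could apply the HTML and RTF filtering Secunia recommends, shown as an added example that is not from Secunia, Microsoft, or the original article. The function name, blocked-type list, and sample message are assumptions; application/ms-tnef is included because Outlook Rich Text is carried over SMTP in a TNEF (winmail.dat) attachment.

```python
from email import message_from_string, policy

# Content types that carry HTML or RTF bodies. application/ms-tnef is listed
# because Outlook Rich Text is sent over SMTP wrapped in TNEF (winmail.dat).
BLOCKED_TYPES = {"text/html", "text/rtf", "application/rtf", "application/ms-tnef"}
NOTICE = "[HTML/RTF content removed by mail filter]\n"

def filter_rich_parts(raw):
    """Replace HTML/RTF/TNEF leaf parts with a notice; return (message, removed types)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):  # snapshot, since parts are edited in place
        if part.is_multipart():
            continue  # containers carry no body of their own
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype in BLOCKED_TYPES or fname.endswith((".rtf", ".htm", ".html", "winmail.dat")):
            removed.append(ctype)
            part.set_content(NOTICE)  # drops old Content-* headers, becomes text/plain
    return msg, removed

# Constructed sample message (hypothetical addresses and content).
SAMPLE = """\
From: sender@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="us-ascii"

Plain body.
--inner
Content-Type: text/html; charset="us-ascii"

<html><body><b>HTML body.</b></body></html>
--inner--
--outer
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Disposition: attachment; filename="winmail.dat"

AAAA
--outer--
"""

if __name__ == "__main__":
    print(filter_rich_parts(SAMPLE)[1])
```

The plain-text alternative and any other attachment types pass through unchanged, so recipients still get a readable message while the rich-text parts never reach the client.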

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.