In Brief

Highly critical IE vulnerability lacks patch; new attacks reanimate mobile AV

New Internet Explorer Frame Vulnerability

Microsoft’s Internet Explorer (IE) 6 has an unpatched vulnerability that an attacker could use to execute arbitrary code and so compromise the PC running the browser.

Secunia, a vulnerability information provider, reports that the vulnerability has been confirmed in Internet Explorer 6.0 running on fully patched Windows 2000 and Windows XP SP1 systems. Windows XP SP2 is not affected.

Secunia rates the threat as “extremely critical,” noting that no patch is currently available and that exploit code has already been posted to public mailing lists, so attackers could craft working attack code in short order.

The vulnerability stems from the way IE handles two attributes of the IFRAME tag in HTML. According to the World Wide Web Consortium (W3C), “the IFRAME element allows authors to insert a frame within a block of text.” In the IFRAME tag, the “src” (source) attribute points to the document to be inserted, and the “name” attribute names the frame.

IE, however, fails to check the length of the src and name attributes, a boundary error that Secunia says “can be exploited to cause a buffer overflow via a malicious HTML document containing overly long strings.” Until a patch is available, Secunia recommends that users switch to another browser. Upgrading to Windows XP SP2 is another option.
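Because the trigger described above is nothing more than an IFRAME tag whose src or name value is far longer than any legitimate page would use, a content filter on a proxy or mail gateway can flag such documents while no patch exists. The following is an added illustration written for this article; it is not code from Secunia, Microsoft, or the original piece. The 256-byte threshold, the sample documents, and the function names are assumptions made for the example.

```python
"""Flag HTML that carries an IFRAME tag with an overly long src or name attribute.

Added illustration for the IFRAME boundary-error report above; not code from
the article, Secunia or Microsoft. The 256-byte threshold is an assumption
chosen for the example, not a documented limit of IE.
"""
import re

MAX_ATTR_LEN = 256  # assumed threshold; legitimate src/name values are far shorter

# Opening <iframe ...> tags in any letter case, attribute text captured as one string.
IFRAME_RE = re.compile(r"<\s*iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)

# name="..." / name='...' / name=bare, the three forms a browser's tokenizer accepts.
ATTR_RE = re.compile(
    r"""([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""",
    re.DOTALL,
)


def iframe_attributes(tag_body):
    """Return {attribute name (lower-cased): value} for one tag's attribute text."""
    attrs = {}
    for m in ATTR_RE.finditer(tag_body):
        name = m.group(1).lower()
        # Exactly one of the three value groups matched; take it.
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def find_suspicious_iframes(html, max_len=MAX_ATTR_LEN):
    """Return one finding per IFRAME src/name attribute longer than max_len bytes."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = iframe_attributes(m.group(1))
        for key in ("src", "name"):
            value = attrs.get(key)
            if value is None:
                continue
            length = len(value.encode("utf-8"))
            if length > max_len:
                findings.append({
                    "offset": m.start(),  # where the tag begins in the document
                    "attribute": key,
                    "length": length,
                })
    return findings


# Constructed samples: an ordinary frame, and one with padded attributes of the
# kind the advisory describes (quoted src, unquoted name, to exercise both forms).
SAMPLE_BENIGN = (
    '<html><body><IFRAME SRC="http://intranet.example/news.html" NAME="news">'
    '</IFRAME></body></html>'
)
SAMPLE_SUSPICIOUS = (
    '<html><body><iframe src="' + "A" * 600 + '" name=' + "B" * 300 + '></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, find_suspicious_iframes(doc))
```

A filter like this is a stopgap, not a fix: it only sees what reaches it in plain HTML, so a document that is compressed, encoded, or assembled client-side will pass through untouched. The durable remedies remain the ones the article lists, a vendor patch once one ships or a platform that is not affected.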

- - -

Networked Devices Get New Antivirus

Is today’s MP3-playing PDA tomorrow’s corporate-network attack vector?

Today many businesses are delivering information to a variety of mobile devices to boost workers’ productivity. The Yankee Group predicts, however, that as uptake of these devices increases, attackers will increasingly subvert them to access corporate networks and information.

In particular, “the introduction of complex and multifunctional mobile devices such as smart phones and PDAs, which are often bought at the consumer level but used for business purposes without security integration, is opening new avenues for malicious code to affect businesses,” the firm notes. Expect a resurgence in antivirus (AV) and security software for mobile devices.

Of course, ever since Palm Pilots hit the enterprise, security experts have predicted mobile devices could devastate corporate networks and intellectual property. Despite the predictions, many firms selling antivirus scanners for PDAs discontinued them because of lack of end-user interest, and the scant number of exploits aimed at mobile devices.

Mobile malware returned to the limelight earlier this year with Cabir, a virus that targets some Bluetooth-equipped mobile phones but carries no harmful payload, followed by Brador, a Trojan that targets PDAs. The Yankee Group says this is part of a new trend, and that “as other increasingly complex electronic devices become networked, they too will be subject to attack.”

It’s not just phones and PDAs that could turn on you. Count copiers, fax machines, and voice over IP (VoIP) systems, too. “These devices will be the next to either come under attack or be used to launch attacks,” says the firm. In particular, VoIP is a potential target for denial-of-service (DoS) attacks, and—wait for it—spam over Internet telephony (SPIT).

If mobile devices are increasingly attacked by malware, and networked devices by such things as SPIT, stopping the attacks will require ingenuity, given a problem some developers haven’t faced for years: limited memory. Many mobile devices have scant processing power and storage to spare, and no consumer will tolerate an antivirus check that interrupts a phone conversation.

Today, PC-based AV products typically just pile up signatures of known attacks, then scan for them. In contrast, “the problem with PDAs—and even more so with cell phones—is that the amount of memory available is not sufficient to hold thousands of virus signatures. Therefore, AV programmers must use behavioral methods to protect against malicious code,” notes the Yankee Group.

Behavioral methods look for anomalous device behavior instead of matching code against stored signatures of known malware. Behavioral software needs updating only infrequently, works within limited memory and disk space, and can stop zero-day attacks for which no signature yet exists. On the other hand, it can’t necessarily catch everything, and a rule written broadly enough to catch unknown code can also flag legitimate activity.
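To make the contrast in the two preceding paragraphs concrete, the following added example (written for this article, not code from the Yankee Group or any vendor named here) puts a byte-pattern signature scanner beside one behavioral rule and runs both over constructed data. The signature bytes, the event log, and the rule itself ("one process pushing files to many distinct Bluetooth peers in a short window") are all assumptions made for the illustration; the rule is modelled on the Bluetooth-spreading behavior the article attributes to Cabir, not on any analysis of that virus.

```python
"""Signature matching beside a behavioural rule, on constructed data.

Added illustration for the signature-versus-behaviour discussion above; not
code from the article or the Yankee Group. The signature bytes, event log and
the "many Bluetooth peers in a short window" rule are constructed for the example.
"""
from collections import deque

# Constructed signature database: (name, byte pattern). Every entry costs memory
# and the list only grows; none of these patterns is a real malware signature.
SIGNATURES = [
    ("sample.worm.a", b"SAMPLE-WORM-A\x00"),
    ("sample.trojan.b", b"\x7fELFTROJAN-B"),
]


def signature_scan(blob, signatures=SIGNATURES):
    """Return the names of every known pattern found in blob (empty if none)."""
    return [name for name, pattern in signatures if pattern in blob]


def signature_db_bytes(signatures=SIGNATURES):
    """Bytes the patterns alone occupy; this grows with every new sample a handset must hold."""
    return sum(len(pattern) for _, pattern in signatures)


def behavioural_scan(events, max_peers=3, window=60):
    """Flag processes that push files to more than max_peers distinct Bluetooth
    peers within any `window` seconds. events are (ts, pid, action, peer) tuples.
    The rule needs no knowledge of the code doing the pushing, so it costs the
    same memory whether one or ten thousand worm variants exist."""
    recent = {}      # pid -> deque of (ts, peer) inside the sliding window
    flagged = set()
    for ts, pid, action, peer in sorted(events):
        if action != "obex_push":
            continue
        q = recent.setdefault(pid, deque())
        q.append((ts, peer))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len({p for _, p in q}) > max_peers:
            flagged.add(pid)
    return sorted(flagged)


# Constructed event log: pid 4 is a user sending one photo to two friends;
# pid 9 sprays a file at every discoverable address it finds.
EVENTS = [
    (100, 4, "obex_push", "00:11:22:33:44:01"),
    (130, 4, "obex_push", "00:11:22:33:44:02"),
    (200, 9, "obex_push", "00:11:22:33:44:10"),
    (205, 9, "obex_push", "00:11:22:33:44:11"),
    (211, 9, "obex_push", "00:11:22:33:44:12"),
    (218, 9, "obex_push", "00:11:22:33:44:13"),
    (240, 9, "sms_send", "+15550100"),
]

# Constructed binaries: the known sample, and a variant with a single byte changed.
KNOWN_SAMPLE = b"....SAMPLE-WORM-A\x00...."
VARIANT_SAMPLE = b"....SAMPLE-WORM-B\x00...."

if __name__ == "__main__":
    print("signature db bytes:", signature_db_bytes())
    print("known sample:", signature_scan(KNOWN_SAMPLE))
    print("variant sample:", signature_scan(VARIANT_SAMPLE))
    print("behaviour flagged pids:", behavioural_scan(EVENTS))
```

The variant slips past the signature list because one byte differs, while the behavioral rule flags the spraying process without knowing anything about its code. The same rule would also flag a user who legitimately beams a file to four colleagues inside a minute, which is the false-positive cost of the approach; the thresholds are where that trade-off is tuned.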

Still, Yankee says “behavioral recognition is the next generation of AV protection.” Expect all major PC products to sport it in the next year or two. Today, some companies already offer it for mobile devices, including CREDANT, F-Secure (which works with Nokia), Kaspersky, PDA Defense (which was acquired by JP Mobile), and Pointsec.

Given the increasing threat mobile devices pose to corporate assets, the Yankee Group recommends all organizations create and enforce mobile-device policies. In addition, it recommends “all PDAs have threat mitigation software installed before allowing them to connect to the network.”

Related Articles:

VoIP Growth Brings Focus on Security Holes
http://esj.com/enterprise/article.aspx?EditorialsID=1078

Q&A: Securing Mobile Workers
http://www.esj.com/news/article.aspx?EditorialsID=934

Best Practices: Handheld Security
http://www.esj.com/news/article.aspx?EditorialsID=687

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.