Cutting Through the Spin of Recent Vulnerability Disclosures

The FUD surrounding the ClickJacking and TCP/IP vulnerabilities has the world seemingly frozen in fear. But once you cut through the spin, the vulnerabilities aren't all that they were made out to be.

Before going any further, it is important to point out that two completely different vulnerabilities can have the same end effect on a system. The vulnerabilities need not be related in any way for this to happen; it is common for independently working individuals and groups to reach the same result through different methods. They may even share a common starting point and end up in different places, with the resulting vulnerabilities being separate. Microsoft recently provided an example of this sort of problem when its due diligence on a denial of service vulnerability turned up a much worse code execution vulnerability.

Fyodor's approach to the TCP vulnerability relies upon a companion tool to his Nmap security scanner, which he called Ndos (Network Denial of Service). Basically, the tool forces a denial of service against listening TCP services by exhausting the resources available on the host system. As Fyodor points out, there are many different ways to achieve this sort of attack, and there are even variations that leave the system requiring a reboot, such as the one claimed in the recent partial disclosure.

Fyodor points out that variations of this style of attack have been public since early 2000 and may very well have been around for a while before that.

While it might seem like the world is ending based on the new yet-to-be-disclosed issue, the reality is that the countermeasures are almost the same as for any other network denial of service attack: you find and isolate the attacking IP(s), or you add extra capacity to your hosting and networking systems. Anything the vendors can add beyond that is a bonus, but it should always be assumed that, in their default state, the systems being protected cannot defend themselves.

A response to Fyodor's commentary has been posted by those behind this discovery, along with other entries that do little to clear up the confusion over the issue (though they do deliver the equivalent of a limp slap on the wrist for coverage that has been woefully inaccurate and fear-mongering).

Once Pandora's box has been opened, you can't really close it by telling everyone else to just be patient and not provide more details along the way.

On the other hand, ClickJacking, the much-hyped vulnerability that was finally disclosed last week after Adobe released a workaround for Flash, turned out to be nothing more than a problem that many beginning Web designers stumble across when learning about z-index layering on Web sites (it is acknowledged that some other issues have also been discovered, but they fall more into the realm of blended vulnerabilities that are more evolutionary than revolutionary). After all of the hype and buildup that preceded it, the actual disclosure could be seen as a significant letdown for the researchers behind the (re)discovery, RSnake and Jeremiah Grossman. Rather than cut only the demonstration that targeted a weak application (Flash), the entire initial presentation was dropped, which surely fed the hype cycle (and which could have stopped it dead in its tracks had it actually been delivered).
