MS08-067: The Worms are Loose
For anyone who hasn’t yet heard, last week Microsoft released a critical security bulletin, MS08-067, covering a serious vulnerability in the Server service that affects nearly every version of Windows. Just today, SANS ISC reported that there is a worm loose in the wild that appears to be exploiting it. If you haven’t already patched your personal computers and your servers, do so now.
Cross Site Request Forgery
You know how nice it is that whenever you head back to Amazon.com, it already knows who you are? This is because of a neat feature in web browsers called “cookies”, which are basically little bits of information that web sites place on your computer. From that point on, every time your browser sends a request to that site, the cookie goes along with all the other information your computer uploads, such as which web page you are asking to view. This allows the site to recognize who you are without asking you to log in again. Nice, right?
Well, it turns out that this same feature lets an attacker essentially back-door a request to your favorite sites. The browser attaches your cookie to a request whether it was triggered by the site’s own pages or by some other page you happen to be viewing, so a malicious page can quietly make your browser submit a request, and the site carries out that action as you, using your cached credentials. Steve Gibson over at Security Now does a nice job explaining the more technical aspects of the problem in episode #166, which aired around two weeks ago, so I’ll leave the details to the experts. Suffice it to say, if Steve says this is a big deal (and he does), you need to pay attention.
Basically speaking, the ways to avoid this are twofold. First, Gibson recommends actively logging out of any web sites that you aren’t actively using. This would include things like Amazon, eBay, and especially sites such as banks or brokers. If you happen to see one of those little “remember me” checkboxes when logging in, leave it blank! Once you’ve logged out (or the session cookie has expired), there is no cookie for a forged request to ride on, which prevents the problem from occurring in the first place. But because we are all human, and tend to forget to do such things from time to time (present company most definitely included), there’s also a plug-in available for Firefox called CSRF Protector (CSRF being short for “Cross Site Request Forgery”). It all but transparently blocks this kind of exploit from occurring, so it comes highly recommended. Keep in mind that both of these are stopgaps on your end; the real fix belongs to the web site, which should require something in each sensitive request that a third-party page can’t supply, such as a secret per-session token embedded in its own forms.