Staff Writer, CNET News.com
Security experts are watching out for attacks that burrow through two new flaws, warning that the vulnerabilities are a bigger threat because of people's reliance on the targeted software.
Last week, a security researcher published details of a hole in Sun Microsystems' browser plug-in for running Java applets downloaded from the Internet. The week also saw a banner-ad attack that exploited an unpatched flaw in Microsoft's Internet Explorer browser software.
The two major vulnerabilities have security experts jittery, because the technologies they affect are widely used—a situation that heightens the security threat. Popular use of a single technology—or, borrowing from the world of ecology, a monoculture—carries the risk that a flaw could lead to a single devastating attack, security experts said.
"When you have 70 or 80 percent of the Internet running the same software or service, then it only takes a single shot to do incredible damage," said Marcus Sachs, director of the Internet Storm Center, which tracks network threats for the SANS Institute, a security training company.
Security experts have found similarities in the way a disease can devastate crops and the way a virus and other onslaughts can attack Internet infrastructure. Despite the obvious differences between the two fields, some principles in agriculture can be applied to technology. Just as biologists advise farmers to diversify their plantings, computer researchers believe that diversifying the software components of the Internet, or at least encouraging more competition among developers of the components, could lead to a more robust system.
More targets, higher risk
The flaw in Sun's Java plug-in highlights the dangers. The vulnerability, found by Finnish security researcher Jouko Pynnonen in April, was patched last month by Sun. However, its details were not made public until Tuesday. The flaw helps bypass protections that make sure applets, or small Web programs, run safely on a user's computer.
It's a multistep process to exploit the hole: Attackers could release a Web-enabled virus, which would then send victims to a compromised Web site, which would then infect their PCs using the Java flaw.
The plug-in vulnerability raises the stakes, because it opens the possibility of infecting any operating system—Microsoft Windows, Linux and Apple Computer's Mac OS X—on which Sun's Java component can run.
"At first glance, it looks like this is pretty severe," said Oliver Friedrichs, senior manager for the incident response team at security software maker Symantec. "I don't think we've seen a flaw with real cross-platform potential."
Tragedy of the commons
When a flaw appears in widespread technologies, security researchers and would-be attackers scramble to understand the implications. The result depends on who wins the race.
A flaw in the Simple Network Management Protocol (SNMP) leaves open many network devices to attack. The flaw has not been widely exploited.
Microsoft SQL vulnerability:
A hole in a common component of Microsoft's SQL database software leaves PCs open to remote attack. Six months after it was found, the vulnerability was exploited by the Slammer worm.
Microsoft RPC flaw:
Microsoft published some details of a flaw in the remote procedure call (RPC) functions of Windows in July 2003. About three weeks later, the MSBlast worm arrived and infected as many as 10 million systems.
Microsoft LSASS flaw:
A hole in Local Security Authority Subsystem Service (LSASS) exposed Windows PCs. A month after it was revealed, the Sasser worm hit the Internet and spread among unpatched PCs.
iFrame flaw: At the end of October, a security researcher published information about a flaw in Internet Explorer. Online attackers quickly started to use the vulnerability to compromise PCs.
Source: CNET News.com
In the past, computer hardware architecture and operating systems have acted as a barrier to threats. Like a fish out of water, a software program cannot live outside its digital element. That inability has tended to block multiplatform attacks. However, the Java virtual machine—the basis of Sun's Java technology—abstracts underlying hardware and software. Java is all about running programs across platforms, and Sun's mantra—"Write once, run anywhere"—equally applies to malicious computer programs.
The security researcher who found the flaw believes that the vulnerability could lead to a virus that infects Linux machines, Windows computers and Mac OS X systems. However, he has not tested for the issue on Apple's operating system, and the company could not be reached for comment.
"It could be easily used for spreading viruses or other malware," Pynnonen said in an e-mail. "The exploit itself can't be easily embedded in e-mail, because Java applets contained in e-mail aren't normally started automatically. However, an e-mail message could contain a link to a Web page which has the exploit."
The lesson from recent events is that software is not the only weak point, said the Internet Storm Center's Sachs. Common services, such as advertisement hosting, can also represent a major risk of attack.
A week ago, a compromised server at a central Web-advertisement hosting service distributed malicious programs to other Web sites, including The Register, a technology news and commentary site. The programs used the iFrame vulnerability in Microsoft's Internet Explorer Web browser, discovered at the beginning of the month and as yet unpatched.
"Microsoft is an easy target because of their popularity, but it can be other technologies as well," Sachs said. "With these banner ads, we are seeing that it is not just a software product; it can be a Web service."
In fact, monocultures naturally evolve anywhere that companies and people seek out more efficiency, said Bruce Schneier, chief technology officer at Counterpane Internet Security.
"Monoculture is one of the things you get from global networks," he said. "Everyone wants to use Java and browse the Web, and they use the same implementation because it's easier."