Web on watch for common enemies

news analysis Security experts are watching out for attacks that burrow through two new flaws, warning that the vulnerabilities are a bigger threat because of people's reliance on the targeted software.

Last week, a security researcher published details of a hole in Sun Microsystems' browser plug-in for running Java applets downloaded from the Internet. The week also saw a banner-ad attack that exploited an unpatched flaw in Microsoft's Internet Explorer browser software.

News.context

What's new:
Two recent flaws in popular software--in Microsoft's IE and in a Java plug-in--are making security experts jittery.

Bottom line:
The threats underline how people's reliance on a certain technology could lead to a single devastating attack.

More stories on this topic

The two major vulnerabilities have security experts jittery, because the technologies they affect are widely used--a situation that heightens the security threat. Popular use of a single technology--or, borrowing from the world of ecology, a monoculture--carries the risk that a flaw could lead to a single devastating attack, security experts said.

"When you have 70 or 80 percent of the Internet running the same software or service, then it only takes a single shot to do incredible damage," said Marcus Sachs, director of the Internet Storm Center, which tracks network threats for the SANS Institute, a security training company.

Security experts have found similarities in the way a disease can devastate crops and the way a virus and other onslaughts can attack Internet infrastructure. Despite the obvious differences between the two fields, some principles in agriculture can be applied to technology. Just as biologists advise farmers to diversify their plantings, computer researchers believe that diversifying the software components of the Internet, or at least encouraging more competition among developers of the components, could lead to a more robust system.

More targets, higher risk
The flaw in Sun's Java plug-in highlights the dangers. The vulnerability, found by Finnish security researcher Jouko Pynnonen in April, was patched last month by Sun. However, its details were not made public until Tuesday. The flaw helps bypass protections that make sure applets, or small Web programs, run safely on a user's computer.

It's a multistep process to exploit the hole: Attackers could release a Web-enabled virus, which would then send victims to a compromised Web site, which would then infect their PCs using the Java flaw.

The plug-in vulnerability raises the stakes, because it opens the possibility of infecting any operating system--Microsoft Windows, Linux and Apple Computer's Mac OS X--on which Sun's Java component can run.

"At first glance, it looks like this is pretty severe," said Oliver Friedrichs, senior manager for the incident response team at security software maker Symantec. "I don't think we've seen a flaw with real cross-platform potential."

Tragedy of the commons

When a flaw appears in widespread technologies, security researchers and would-be attackers scramble to understand the implications. The result depends on who wins the race.

SNMP flaw:
A flaw in the Simple Network Management Protocol (SNMP) leaves open many network devices to attack. The flaw has not been widely exploited.

Microsoft SQL vulnerability:
A hole in a common component of Microsoft's SQL database software leaves PCs open to remote attack. Six months after it was found, the vulnerability was exploited by the Slammer worm.

Microsoft RPC flaw:
Microsoft published some details of a flaw in the remote procedure call (RPC) functions of Windows in July 2003. About three weeks later, the MSBlast worm arrived and infected as many as 10 million systems.

Microsoft LSASS flaw:
A hole in Local Security Authority Subsystem Service (LSASS) exposed Windows PCs. A month after it was revealed, the Sasser worm hit the Internet and spread among unpatched PCs.

iFrame flaw: At the end of October, a security researcher published information about a flaw in Internet Explorer. Online attackers quickly started to use the vulnerability to compromise PCs.

Source: CNET News.com

In the past, computer hardware architecture and operating systems have acted as a barrier to threats. Like a fish out of water, a software program cannot live outside its digital element. That inability has tended to block multiplatform attacks. However, the Java virtual machine--the basis of Sun's Java technology--abstracts underlying hardware and software. Java is all about running programs across platforms, and Sun's mantra--"Write once, run anywhere"--equally applies to malicious computer programs.

The security researcher who found the flaw believes that the vulnerability could lead to a virus that infects Linux machines, Windows computers and Mac OS X systems. However, he has not tested for the issue on Apple's operating system, and the company could not be reached for comment.

"It could be easily used for spreading viruses or other malware," Pynnonen said in an e-mail. "The exploit itself can't be easily embedded in e-mail, because Java applets contained in e-mail aren't normally started automatically. However, an e-mail message could contain a link to a Web page which has the exploit."

The lesson from recent events is that software is not the only weak point, said the Internet Storm Center's Sachs. Common services, such as advertisement hosting, can also represent a major risk of attack.

A week ago, a compromised server at a central Web-advertisement hosting service distributed malicious programs to other Web sites, including The Register, a technology news and commentary site. The programs used the iFrame vulnerability in Microsoft's Internet Explorer Web browser, discovered at the beginning of the month and as yet unpatched.

"Microsoft is an easy target because of their popularity, but it can be

other technologies as well," Sachs said. "With these banner ads, we are seeing that it is not just a software product; it can be a Web service."

In fact, monocultures naturally evolve anywhere that companies and people seek out more efficiency, said Bruce Schneier, chief technology officer at Counterpane Internet Security.

"Monoculture is one of the things you get from global networks," he said. "Everyone wants to use Java and browse the Web, and they use the same implementation because it's easier."

Schneier was a lead author of a report published last year by prominent security experts that cited agricultural examples in outlining the danger of over-reliance on a single kind of software. The scientists argued that the dominance of Microsoft technology has created a monoculture in the computing world and on the Internet.

The popularity of Microsoft's software has cut two ways for the company. In January 2003, the Slammer worm raced through servers and computers running an unpatched version of Microsoft's SQL software. By some estimates, it infected 200,000 machines in less than 10 minutes.

In addition, Microsoft's Internet Explorer has been dogged by security issues. While these problems are unlikely to be a fertile breeding ground for a worm, they do open users of the Web browser to attack.

That's why some have heralded the success of the Firefox browser as a good sign. Attackers have to truly double their efforts to create code capable of compromising two different applications. As a result, greater adoption helps all PC users lessen the danger of reliance on a single Web browser.

But the renewed Web browser war may be a solitary sign of diversity trumping a monoculture. The theory of the danger of monocultures and the reality of the day-to-day administration of networks have not mingled much in the last year, the Internet Storm Center's Sachs said.

"You have this tug-of-war between having diversity, which helps in the security world, and this commonality, which helps in the efficiency world," he said. "Having a monoculture makes things easier, because people only have to learn one thing."

Security experts have begun working to identify those parts of the Internet that are the most vulnerable because of their commonality. A year ago, the National Science Foundation granted three university researchers $750,000 to find the location and number of such weak links within the information infrastructure. While Microsoft's dominance in the computer industry naturally creates many common technology components, many others exist as well.

More than two years ago, researchers at a university in Finland pinpointed major flaws in the Simple Network Management Protocol, a widely used communications protocol for controlling network devices. And a flaw in a code library commonly used to support the open-source graphics format Portable Network Graphics opened many browsers and mail programs to attack in August.

This time around, the operating system that is the target of the majority of the monoculture criticism may be the most immune to the attack. The Windows operating system does not usually have Sun's Java implementation installed. That's because, until their recent settlement, Sun and Microsoft had competed in creating Java software, and most Windows computers came with Microsoft's virtual machine installed instead.

Starting with Windows XP Service Pack 1a, Microsoft no longer ships Java with the operating system, said Symantec's Friedrichs. That means that many Windows users will be protected from the flaw. Users with Java installed, however, should update their software, he said.

"Based on how widespread this environment is, we recommend that people install any updates or patches," he said.