OpenX Continues Questionable Security Posture

Last Thursday OpenX released version 2.8.8 of their software. They have yet to make any sort of public announcement of the update on their blog or anywhere else that we could find. The only information given, found on the Product Updates page in the OpenX admin interface, says that:

It is highly recommended to install this update as soon as possible, because it contains a number of security fixes. The version of OpenX which you are currently using might be vulnerable to certain attacks and is probably not secure.

With a release that includes important security fixes, as this one appears to, you would expect them to make sure that the people using their software are well aware of the update.

No information was given as to what the vulnerabilities were or what other changes were made in the new version. This is a continuing practice from OpenX, as we have written about before. While it is understandable that developers would want to limit the amount of information to make it harder for people to exploit the vulnerabilities, hackers have shown that they are able to hack OpenX without this information, and the information would be useful for people not looking to hack OpenX. To repeat what we said after the last OpenX release, “[w]ithout knowing what the issue or issues that were fixed makes it hard to determine the source of a hacking, potentially leading to new vulnerabilities that are exploited in OpenX going undiagnosed in the future if the OpenX installation hacked was running an out of date version.” It also makes it hard for anyone to independently verify that the vulnerabilities were fully and properly fixed in the newer version.

The larger concern we have now is that OpenX seems to continue releasing security fixes in response to vulnerabilities that are already being actively exploited (commonly referred to as zero-day exploits), instead of finding them beforehand during development or during subsequent security reviews. We know that past vulnerabilities were being exploited before updates were released. We have seen some reporting that vulnerabilities in the last version were being exploited before this version was released (with the most specific report, we were not able to replicate the vulnerability, but that could be because of a different server configuration). At the very least, this means that users keeping the software up to date are not safe from being hacked, which they generally are with most web software that has a good track record of finding and fixing vulnerabilities before they can be exploited. It could also be an indication that OpenX is not as concerned about the security of the software as they need to be for something that is so widely deployed.

What makes their apparent lack of concern for the security of their software more troubling is the way they used the update message for 2.8.8 as a chance to promote their hosted solutions. This is the message that followed the warning about the need to update:

OpenX also provides both free and Enterprise hosted versions of the ad server, offering significant improvements in both infrastructure and functionality. Both of these products are managed and operated by the OpenX team, including upgrades, maintenance, and security scans, freeing you and your team from handling such issues. If ad serving is mission-critical to your business, we suggest contacting our team to learn more about OpenX Enterprise. As always, please let us know of any potential security problems by emailing [email protected]

All the hacks of OpenX we have dealt with so far have been due to security vulnerabilities in the OpenX software and not directly due to anything related to self-hosting. In many of those cases OpenX had released an update before the installation was hacked, so the automatic upgrades provided by their hosted solutions would have helped. But unless OpenX is providing their hosted customers with a more secure version of OpenX, the hosted customers remain just as vulnerable until the fixes for the security vulnerabilities are released. The quality of their security scans should be in question as well, if vulnerabilities keep getting found and exploited before OpenX fixes them.

Update (November 14, 2011):

Another thing that should be noted when considering how OpenX views the importance of security is the fact that their blog is still running WordPress 2.6.2. One of the most basic and important security measures anyone running a website should take is making sure that any software running on the website is kept up to date. The version they are currently running is now over three years out of date. Since version 2.6.2 there have been 16 releases that include security fixes that they have missed (and 26 releases overall).

Microsoft Patch Tuesday – November 2011

Hello, welcome to this month’s blog on the Microsoft patch release. This is a small month—the vendor is releasing four bulletins covering a total of four vulnerabilities.

Only one of this month's issues is rated ‘Critical’ and it affects the Windows TCP/IP stack. It potentially can be exploited to completely compromise an affected computer. The remaining issues affect Active Directory, Windows Mail, and Windows kernel-mode drivers.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the November releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms11-nov

The following is a breakdown of the issues being addressed this month:

  1. MS11-083 Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

    CVE-2011-2013 (BID 50517) Microsoft Windows TCP/IP Stack Reference Counter Integer Overflow Vulnerability (MS Rating: Critical; Symantec Urgency Rating: 8.2/10)

    A remote code execution vulnerability affects the Windows TCP/IP stack when handling a continuous flow of UDP packets. An attacker can exploit this issue by sending a series of malformed packets to an affected computer. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the kernel. This may facilitate a complete system compromise.

    Affects: Windows Vista SP2, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, Windows Server 2008 R2 for Itanium-based Systems, and Windows Server 2008 R2 for Itanium-based Systems SP1

  2. MS11-085 Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)

    CVE-2011-2016 (BID 50507) Windows Mail and Windows Meeting Space DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important; Symantec Urgency Rating: 8.5/10)

    A remote code-execution vulnerability affects Windows Mail and Windows Meeting Space due to how they load DLL files. An attacker can exploit this issue by enticing an unsuspecting victim into opening a file associated with the applications from a remote SMB or WebDAV share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

    Affects: Windows Vista SP2, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, Windows Server 2008 R2 for Itanium-based Systems, and Windows Server 2008 R2 for Itanium-based Systems SP1

  3. MS11-086 Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)

    CVE-2011-2014 (BID 50518) Microsoft Active Directory LDAPS Authentication Bypass Vulnerability (MS Rating: Important; Symantec Urgency Rating: 6.8/10)

    An authentication-bypass vulnerability affects Active Directory when it is configured to use LDAP over SSL because it fails to properly verify if a certificate has been revoked. An attacker can exploit this issue to gain access to an affected system by using a revoked certificate.

    Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista SP2, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, and Windows Server 2008 R2 for x64-based Systems SP1

  4. MS11-084 Microsoft Windows Kernel TrueType Font Parsing (CVE-2011-2004) Denial of Service Vulnerability (2617657)

    CVE-2011-2004 (BID 50510) TrueType Font Parsing Vulnerability (MS Rating: Moderate; Symantec Urgency Rating: 5.3/10)

    A denial-of-service vulnerability affects the Windows kernel when handling TrueType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into connecting to a remote share that is hosting a malicious font. A successful exploit will cause the affected computer to stop responding, effectively denying service.

    Affects: Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, Windows Server 2008 R2 for Itanium-based Systems, and Windows Server 2008 R2 for Itanium-based Systems SP1

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
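The first best practice above is to install vendor patches promptly, and the breakdown gives the KB number for each bulletin. The following PowerShell script is an added example, not code from the Symantec post or from Microsoft: it queries a Windows host for the four KB numbers listed this month and reports each bulletin as installed, missing, or not applicable to that host's operating system (using the "Affects" lists above). It assumes PowerShell 2.0 or later and WMI access to the target host; the function name and the applicability patterns are this example's own.

```powershell
# Added example: check a host for the November 2011 bulletins by KB number.
# Assumes PowerShell 2.0+ and WMI/RPC access to $ComputerName (local host by default).
function Test-Nov2011Bulletins {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Bulletin -> KB number and an OS-caption pattern derived from the "Affects" lists.
    # "Server 2008" also matches "Server 2008 R2"; XP and Server 2003 are only in MS11-086.
    $bulletins = @{
        'MS11-083' = @{ KB = 'KB2588516'; Applies = 'Vista|Server 2008|Windows 7' }  # TCP/IP RCE (Critical)
        'MS11-084' = @{ KB = 'KB2617657'; Applies = 'Windows 7|Server 2008 R2' }      # TrueType font DoS
        'MS11-085' = @{ KB = 'KB2620704'; Applies = 'Vista|Server 2008|Windows 7' }  # Mail/Meeting Space DLL loading
        'MS11-086' = @{ KB = 'KB2630837'; Applies = 'XP|Server 2003|Vista|Server 2008|Windows 7' }  # AD LDAPS revocation
    }

    # OS caption, e.g. "Microsoft Windows Server 2008 R2 Standard"
    $os = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName).Caption

    # Installed update IDs as reported by Win32_QuickFixEngineering
    $installed = Get-HotFix -ComputerName $ComputerName | ForEach-Object { $_.HotFixID }

    foreach ($id in ($bulletins.Keys | Sort-Object)) {
        $b = $bulletins[$id]
        if ($os -notmatch $b.Applies) {
            $status = 'not applicable'
        } elseif ($installed -contains $b.KB) {
            $status = 'installed'
        } else {
            $status = 'MISSING'
        }
        # Emit one object per bulletin so the result can be filtered, exported, or piped to Format-Table
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            OS           = $os
            Bulletin     = $id
            KB           = $b.KB
            Status       = $status
        }
    }
}

# Usage: check the local host, then list only the gaps across several servers
Test-Nov2011Bulletins | Format-Table Bulletin, KB, Status -AutoSize
'dc01', 'mail01' | ForEach-Object { Test-Nov2011Bulletins -ComputerName $_ } |
    Where-Object { $_.Status -eq 'MISSING' } | Format-Table ComputerName, Bulletin, KB -AutoSize
```

Get-HotFix reads Win32_QuickFixEngineering, which only lists updates installed through Windows Update or a standalone MSU; an update that arrives inside a later cumulative package may not appear under its original KB number. Treat a MISSING result as a prompt to confirm the host's patch state through your update-management system rather than as a final verdict.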

Obama Pledges to Veto Anti-Net Neutrality Legislation

WASHINGTON — The White House said Tuesday that President Barack Obama likely would veto upcoming legislation that would unwind net-neutrality rules the Federal Communications Commission adopted last year.

Senate Joint Resolution 6, which is expected to go to the Senate floor perhaps as early as this week, “would undermine a fundamental part of the Nation’s Open Internet and innovation strategy — an enforceable, effective but flexible policy for keeping the internet free and open,” the White House said. The House passed a similar measure last spring, and Obama had threatened to veto that, too, if it landed on his desk.

The Senate measure, which mirrors the House resolution, says Congress “disapproves” of the FCC’s net neutrality rules, which “shall have no force or effect.” The rules, which don’t go into effect until Nov. 20, bar broadband providers like Comcast and Time Warner Cable from playing favorites with internet traffic, while a lighter set of rules applies to mobile broadband providers like Verizon.

The Obama administration said the measure, floated by Sen. Kay Bailey Hutchison (R-Texas), threatens “the very foundations of innovation in the internet economy and the democratic spirit that has made the Internet a force for social progress around the world.”

The net-neutrality dispute harkens to 2008, when the FCC ordered Comcast to stop interfering with the peer-to-peer service BitTorrent, which can use a lot of bandwidth and is often associated with online piracy.

That marked the first time the FCC officially tried to enforce fairness rules put in place in 2005 by Republican FCC head Michael Powell. Oddly, those rules, which differ only slightly from the ones the FCC put into place, were not opposed by Republicans or Democrats at the time.

That 2008 FCC action came as a response to complaints that Comcast was sending forged packets to broadband customers to close their peer-to-peer sessions, which was first discovered by a technologist who was trying to download out-of-copyright barbershop quartet tunes.

Supreme Court Sees Shades of 1984 in Unchecked GPS Tracking

WASHINGTON — A number of Supreme Court justices invoked the specter of Big Brother while hearing arguments Tuesday over whether the police may secretly attach GPS devices on Americans’ cars without getting a probable-cause warrant.

While many justices said the concept was unsettling, the high court gave no clear indication on how it will rule in what is arguably one of the biggest Fourth Amendment cases in the computer age. The Obama administration maintains that Americans have no privacy rights when it comes to their movements in public.

Justice Stephen Breyer told Deputy Solicitor General Michael Dreeben that, “If you win this case, there is nothing to prevent the police or government from monitoring 24 hours a day every citizen of the United States.”

Breyer said that “sounds like 1984.”

Chief Justice John Roberts wondered aloud whether the government’s position was that it may secretly attach GPS devices to the cars of the nine members of the Supreme Court without a warrant.

“You think they are entitled to do that?” Roberts asked.

“The justices of the Supreme Court?” Dreeben replied.

“So your answer is, ‘yes,’ you could tomorrow decide that you put a GPS device on every one of our cars, follow us for a month; no problem under the Constitution?” the chief justice continued.

“Well, equally, Mr. Chief Justice, if the FBI wanted to it could put its team of surveillance agents around the clock on any individual and follow that individual’s movements as they went around on the public streets …,” Dreeben replied.

Justice Sonia Sotomayor suggested the government’s position went too far, especially in the age of “smart phones” that contain GPS tracking devices.

“It would be OK to put a computer chip and put it on somebody’s overcoat?” she asked. Dreeben said Sotomayor was off base because her scenario would allow GPS monitoring inside a home. “That is off-limits,” he said.

However, “a car parked in the garage,” he added, “does not have a reasonable expectation of privacy.”

But the justices seemed troubled over whether a warrant was always necessary, and whether they should take into account how long the monitoring continues. “Where do you draw the line?” Justice Samuel Alito asked.