Security researchers say McAfee website full of malicious scripting bugs
March 29, 2011
Earlier this morning, Internet security researchers warned that multiple security holes on McAfee's website leave it vulnerable to cross-site scripting and other attacks aimed at visitors to the site.
The YGN Ethical Hacker Group also discovered various lesser information disclosure bugs on the security firm's website, according to an advisory published on a full disclosure mailing list late yesterday.
The security researchers' group added that it published the details of its findings only after notifying McAfee privately of the security issues back on February 10.
Cross-site scripting (XSS) security holes give an attacker a means to inject third-party content or script into pages served by a vulnerable site, so that it runs in that site's context. The class of flaw, a perennial problem in website development, creates a possible mechanism for phishing attacks or other malfeasance on the affected sites.
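As an added illustration of the flaw class described above (example code, not code from McAfee's site or from the YGN advisory), the snippet below builds a search results page from an untrusted query parameter twice: once by raw concatenation, and once through an HTML encoder. The function names and the sample payload are constructed for the example.

```javascript
// Minimal HTML encoder for text and double-quoted attribute contexts.
// Order matters: '&' must be encoded first so later entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the untrusted parameter is concatenated straight into the
// page, so any markup in it is rendered in the origin of the site serving the page.
function renderSearchUnsafe(query) {
  return `<input name="q" value="${query}"><p>Results for ${query}</p>`;
}

// Hardened pattern: every untrusted value is encoded before it lands in the page.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Reflection check a tester would run: does the untrusted input come back in the
// response with its markup-significant characters intact?
function reflectsRawMarkup(html, payload) {
  return html.includes(payload) && /[<>"']/.test(payload);
}

// Constructed sample input: a search term that closes the attribute and adds a script tag.
const SAMPLE_PAYLOAD = '"><script>alert(1)</script>';

console.log("unsafe reflects markup:", reflectsRawMarkup(renderSearchUnsafe(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD));
console.log("safe reflects markup:  ", reflectsRawMarkup(renderSearchSafe(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD));
```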
However, in a public statement, McAfee said that no harm had come of the vulnerabilities, which it said it was in the process of repairing.
Early yesterday, various online news outlets reported on security vulnerabilities in McAfee's various websites. "McAfee is aware of these vulnerabilities and we are working to fix them," said one posting.
"It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the security vulnerabilities."
Both McAfee and Symantec, along with other security vendors, have had security issues of this kind in the recent past. For example, back in 2008, security enthusiasts at XSSed found cross-site scripting bugs on the websites of McAfee, Symantec and even SSL certificate issuer VeriSign.
Overall, the programming errors that give rise to XSS vulnerabilities are nothing out of the ordinary, but the Internet security industry is entitled to hold McAfee and other security vendors to a much higher standard than other organizations, especially given that McAfee markets its McAfee Secure service as a way for enterprises to identify security issues on their own websites.
Hackers attack the PHP source code repository
In other security news, the official source code maintainers of the PHP programming language spent the past couple of days carefully auditing their source code for malicious modifications after discovering that one of their servers had been breached. It took them a few days to discover the breach.
The overall compromise of wiki.php.net allowed the hackers to steal numerous account credentials that could be used to easily access the PHP repository, the maintainers wrote in a brief note. They continue to investigate the details of the breach, which exploited a security vulnerability in the Wiki software itself and a separate security hole in the Linux operating system.
The website has been down since at least March 18.
“Of course, our biggest concern here is the overall integrity and the reliability of our PHP source code,” the maintainers wrote. “We did an extensive code audit and looked at every commit since version 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found.”
The current version of PHP, which was released last week, is 5.3.6. All data on the compromised server has been wiped and the maintainers are forcing password changes for all accounts with access to the source repository, as is standard procedure after any server compromise.
However, the advisory omitted key details of the attack, including how long the compromise lasted, how many account credentials were stolen and whether the passwords were securely hashed, as security best practices dictate.
The PHP source code maintainers had not responded to a request for comment at the time this news story was published.
Word of the attack began circulating on Friday on underground Internet security forums monitored by researchers from Vupen Security. Based on discussions that took place there, the compromise of wiki.php.net appears to have originated from a “Chinese hacker who exploited a security vulnerability in the Wiki application (DokuWiki) installed on the server,” Vupen CEO Chaouki Bekrar wrote in an email.
The attacker “then used a privilege escalation exploit to take complete control of the server.”
Friday was the same day that a blog post from December resurfaced that raised additional concerns about the integrity of source code available from the PHP repository. Developer Hannes Magnusson said someone was able to make unauthorized modifications to code he had submitted after his account credentials were compromised.
The changes were limited to the insertion of the name "Wolegequ Gelivable" into the credits of a specific piece of code, rather than malicious modifications. The incident nonetheless prompted concern, not just among the code maintainers but also in the Linux and Internet security communities.
“It's not a good feeling to have your account hacked into, but I do wonder what their initial intentions were in the first place. Maybe just a credentials check, which was supposed to be followed by evil commits if no one had spotted the first one? The Chinese government is trying to introduce security holes so they can break into PHP websites?” wrote one of the maintainers.
Overall, PHP is an extremely popular language that allows programmers and developers to create interactive web sites with databases and dynamically generated content. Internet properties such as Facebook, Yahoo, Wikipedia, WordPress and millions of other websites use PHP extensively as their main foundation.
And those attacks aren't the first to hit major code repositories for a popular open-source software project. Just last December, the primary distribution channel for the Free Software Foundation was taken down following an attack that compromised some of the website's main account passwords and may have given the attacker unlimited administrative access.
Then, in May 2010, PHP-Nuke was purged of a nasty infection that for four days attempted to install malware on visitors' computers.
Everyone in the Internet security community knows very well that any computer or server system is only as secure as its login credentials and the passwords used. Strong and complex passwords with a minimum of 12 to 14 characters that use upper and lower case letters, as well as numbers and punctuation characters, are just the beginning. Additionally, passwords need to be changed every 30 days at a minimum and should always be stored in a safe place if they need to be written down. And every time a person or team member leaves your company or your department, that person's password needs to be replaced immediately to prevent future access to your data.
Source: The YGN Ethical Hacker Group.