Vulnerabilities / Threats
2/12/2014
03:45 PM
Shahar Tal
Commentary
3 Web Security Takeaways From Wikipedia's Near Miss

Even the most useful and benevolent websites have the potential to host malware.

Last month, researchers in our Vulnerability Research Group found a critical vulnerability in MediaWiki, the open-source web platform that is used to create and maintain wiki websites, including Wikipedia.org, the sixth most visited website in the world.

This critical vulnerability left the MediaWiki platform (version 1.8 onward) exposed to a remote code execution (RCE) attack. An attacker could have used this vulnerability to gain complete control of the Wikipedia web servers, potentially exposing Wikipedia's 94 million monthly visitors to malware or massive information disclosure.

MediaWiki has since issued an update that patches the vulnerability, so the issue is resolved for every installation whose administrators actually apply the patch. There are still some useful lessons we can take away from this near miss.

Lesson No. 1: Know your stack
The RCE vulnerability was only the third of its kind found in the widely used, open-source MediaWiki platform since 2006. That's a good track record, but it also demonstrates how easily organizations can be lulled into a false sense of security simply because no vulnerability has been announced for months or even years in the platforms they use.

Web application server stacks expose a broad software surface to an attacker on the vulnerability hunt. Even the most minimal setups typically overlay a web framework (e.g., WordPress) based on a platform language (PHP), using a database (MySQL) in a web server (Apache) over an operating system stack. Any of these components can be an exploitation candidate -- and we haven't even mentioned custom application business logic, imported JS libraries, plugins, mods, and other extras. The opportunities are abundant.

In addition to keeping a vigilant eye out for vulnerabilities on the development side, it's more important than ever to keep your software updated across the board. Make sure you are running recent versions of your framework and services on top of a modern OS with built-in exploit mitigation techniques and other native protections enabled, or look into threat prevention technology. Best practice would be to do all three, and to follow your vendor's hardening guides.

Lesson No. 2: Occam's razor still cuts true
The slightly more modern version of Occam's razor is KISS (keep it simple, stupid). Both axioms hold true in this case: The simplest answer is usually the right one. Though we've seen a steady rise in sophisticated threat vectors, and advanced persistent threats, mobile device breaches, DDoS attacks, and even international bank heists make headlines, relatively simple attacks through vulnerabilities like the one we discovered in the MediaWiki platform are still a very real and common threat.

Worse, some input validation vulnerabilities tend to go unnoticed because the exploitation techniques are not particularly new or technically advanced. This presents an attractive target, since attackers are always looking for the path of least resistance. It's akin to putting up the "Beware of Dogs" sign, keeping a big dog in the backyard, arming your sophisticated home protection system with mobile alerts, bolting the front door, locking the back gate, and then leaving one of the front windows open. Sometimes those simple, obvious entry points are the most lucrative for criminals -- and the most overlooked by developers and site owners.

Lesson No. 3: No such thing as a safe click
Even the most trusted sites are susceptible to exploits like this RCE vulnerability. But if you put appropriate protections in place, you can detect and block infecting code before it spreads to your clients and servers. It's not practical to block employees on your network from all sites, and as this case shows, even the most useful and benevolent sites can host malicious code.

Shahar Tal is the Vulnerability and Security Research Manager at Check Point Software Technologies. Prior to joining Check Point, he held leadership roles in the Israel Defense Force, where he was trained and served as an officer. He brings more than 10 years of industry ...

Comments
Marilyn Cohodas,
User Rank: Strategist
2/14/2014 | 9:42:37 AM
Re: How did you find the vulnerability
Those of us in the realm you protect salute you (and others) for your work! Definitely a growing and important field.
shahartal,
User Rank: Apprentice
2/14/2014 | 3:33:37 AM
Re: How did you find the vulnerability
There was no external activity to prompt the investigation. We regularly identify popular platforms and perform research in order to expose vulnerabilities that might harm all kinds of users. We're no 'protectors of the realm', but we do our best to help secure the Internet.
Marilyn Cohodas,
User Rank: Strategist
2/13/2014 | 4:48:02 PM
How did you find the vulnerability
Shahar, were you looking for something specific, or did some activity prompt the investigation?
shahartal,
User Rank: Apprentice
2/13/2014 | 1:58:31 AM
Re: Was anyone actually affected?
The Wikimedia Foundation has stated that they found no evidence of a past attack exploiting that vulnerability. Of course, the first thing a clever attacker would do is clean the logs. As for other web sites, I don't know of any other case yet, but as the exploit has been made public on exploit repositories, it's a matter of finding the unprotected ones and simply running a script.
jagibbons,
User Rank: Strategist
2/12/2014 | 9:56:26 PM
Re: Was anyone actually affected?
The false sense of security around the oldie but goodie attack vectors is a very real issue. In the quest to protect against the newest threats, we don't always think about the older variants that are still out there. Security teams can't take anything for granted. Continually test and verify that systems are protected as best as they can be.
Thomas Claburn,
User Rank: Moderator
2/12/2014 | 7:05:54 PM
Was anyone actually affected?
Did anyone get hacked as a result of this flaw or is that still to come if sites don't patch quickly enough?