Cisco warns of IOS, OpenSSL flaws
Cisco Systems Inc. has offered a schedule of security updates and a list of workarounds to address vulnerabilities in the Internetwork Operating System (IOS) HTTP server and OpenSSL. The San Jose, Calif.-based networking giant said the IOS HTTP server flaw comes into play when HTML code inserted into dynamically generated output -- such as the output from a show buffers command -- is passed to the browser requesting the page. "This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks," Cisco said. "Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected."
The advisory applies to all Cisco products that run IOS Software versions 11.0 through 12.4 with the HTTP server enabled. "A system which contains the IOS HTTP server or HTTP secure server, but does not have it enabled, is not affected," Cisco noted. The company said it will make free software available to address the vulnerability. For now, users can protect their systems by:
- Disabling the HTTP server;
- Disabling the HTTP WEB_EXEC service; and
- Avoiding the use of Web-based SHOW commands.
Cisco also acknowledged that several of its products are affected by an OpenSSL flaw that came to light in October. At the time, the OpenSSL Project warned that malicious users could exploit an error in how the SSL_OP_MSIE_SSLV2_RSA_PADDING option is handled to evade security restrictions and launch man-in-the-middle attacks. Cisco said the issue affects the following products:
- Cisco PIX version 7.0.1 through 22.214.171.124
- Cisco ASA 5500 version 126.96.36.199. and prior
- CiscoWorks Common Services (CWCS) version 2.2
- CiscoWorks Common Services (CWCS) version 3.0
- Cisco Mainframe Channel Connection (CMCC) version 28-22 and prior
- Cisco Global Site Selector (4480, 4490, 4491) version 1.2 and prior
- Cisco Wireless Control System Software version 4.0 and prior
- Cisco IOS-XR version 3.3 and prior
Cisco's advisory outlines steps it is taking to address the problem.
Shoe retailer reaches deal with FTC to prevent future data breaches
Discount shoe retailer Designer Shoe Warehouse (DSW) Inc. has agreed to take steps to thwart future data thievery, according to published media reports. The retail chain discovered in March that information on 1.5 million customers had been stolen from its network. The Federal Trade Commission later filed a complaint, saying DSW retained sensitive customer data it no longer needed, storing it in multiple files which, in turn, gave data hackers more material to work with. Regulators also accused the company of not using adequate security measures to limit access to its networks and detect network intrusions.
The company said it will put a comprehensive security program in place and have its systems audited by independent experts every other year for 20 years, The Los Angeles Times reported. The paper noted that in March, DSW found that credit, debit and checking account numbers of customers in 25 states had been stolen by hackers breaking into the company's database, and that the victims included FTC chairwoman Deborah Platt Majoras.
"Companies like DSW want to do the right thing to protect their customers. The problem is that traditional security methods cannot detect and stop the new forms of data theft -- where perpetrators masquerade as authorized users," Prat Moghe, CEO and founder of Maynard, Mass.-based Tizor Systems, said in a statement. "To truly protect their customers, DSW will need to monitor and analyze user activity around sensitive data in real-time -- to quickly detect suspicious activity and act on it. This same methodology will help them comply with the stringent PCI standards set forth by the credit card companies that they do business with."
Hacker: IE could be used to target Google Desktop
Attackers could exploit a design flaw in Internet Explorer to secretly hijack sensitive user information via Google Desktop, Israeli hacker Matan Gillon claims in an online posting. Gillon uncovered the flaw in the cross-domain protections of Microsoft's browser and published a proof-of-concept exploit to show how it could be used to target the search giant's desktop searching application.
"It was bound to happen. I was recently intrigued by the possibility of utilizing Google Desktop for remote data retrieval of personal user data (such as credit cards and passwords) through the use of a malicious Web page," Gillon said in his posting. "Now, thanks to a severe design flaw in Internet Explorer, I managed to show it's possible to covertly run searches on visitors to a Web site by exploiting this vulnerability."
He confirmed the vulnerability can be exploited on a fully patched Microsoft Internet Explorer 6 browser. He also tested his concept on Mozilla Firefox but said it seems "to adequately keep domain restrictions in CSS imports and doesn't seem to be vulnerable to this type of attack." He added that Opera isn't vulnerable because "it doesn't support the styleSheets collection."