
Qualys Blogs


Update 2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:

  • The attackers use a listoverridecount level of 25, which is outside of the 0, 1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the program counter of the processor.
  • This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained: no additional setup files are needed.

Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching, it makes sense to disable RTF opening anyway, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability that can be found with relatively little investment into file fuzzing. See Charlie Miller's presentation on "dumb fuzzing" for some initial reading.

 

Update: Microsoft published a post on the SRD blog with more details, including some test data of the exploit with EMET. It seems that EMET's ASLR enforcement effectively counters the exploit. Good stuff!

 

Original: Microsoft acknowledged today in KB2953095 a vulnerability present in Microsoft Word and Microsoft Outlook that is being exploited in the wild. The vulnerability CVE-2014-1761 is in the file format parser for RTF (Rich Text Format) and could be used by an attacker to gain remote access to the targeted system. The attack vector is a document in RTF format that the victim would have to open with Word. If the target uses Outlook 2007, 2010 or 2013 for e-mail, please be aware that Word is the default viewer for e-mails, and that even looking at the e-mail in the preview pane could lead to an infection through this attack.

 

The current workaround is to disable RTF as a supported format in Microsoft Office. The advisory contains a link to FixIt 51010, which performs this action for the end user. A secondary recommended action is to work with plain text in e-mails, which is a generally recommended safeguard that removes the "drive-by" character of these types of attacks. It is described in this knowledgebase article at the Microsoft site.

 

Microsoft credits Drew Hintz, Shane Huntley, and Matty Pellegrino from the Google Security team with the discovery.

 

Please note that Mac users are affected. The advisory lists Microsoft Office for the Mac 2011 as vulnerable.

 

Stay tuned for more news as the situation is developing.


April’s Patch Tuesday Preview has just come out and we are having another light Patch Tuesday with only four bulletins: MS14-017 to MS14-020. This low total number is very atypical, and at least 30% under the numbers for last year -- in April of 2013 we were at 36 bulletins and in 2012 we had 20 bulletins. At the same time there is no shortage of vulnerabilities as we have seen at last month’s CanSecWest, where literally all software packages (Java excepted) fell to security researchers who received cash prizes between $75,000 and $100,000.

 

But back to this month. Four bulletins, two rated critical and two rated important, but all of them enable “Remote Code Execution”, which is what attackers are ultimately after. Bulletin #1 addresses the current 0-day vulnerability (KB2953095) in Microsoft Word and is applicable to all versions of Word from 2003 to the latest 2013, and includes Mac OS X as well. By the way, Office 2003 together with Windows XP is going to be end-of-life after this Patch Tuesday and will stop receiving security updates. The end of life for XP has received plenty of coverage already, but this vulnerability is a good reminder not to focus only on Windows XP: this Office version also deserves attention.

 

Bulletin #2 is a new version of Internet Explorer, applicable to all versions of IE from IE6 on XP to IE11 on Windows 8.1 and RT. The only version not affected is IE10 under Windows 7. I expect the bulletin to contain the fixes for the vulnerabilities disclosed at PWN2OWN at CanSecWest.

 

Bulletin #3 and Bulletin #4 are both rated “important,” but Bulletin #3 is the more urgent one. It affects all versions of Windows and can be used to gain Remote Code Execution. Bulletin #4 addresses a problem in Publisher 2003 and 2007, a software package that we do not see widely installed.


Next week, Microsoft will deliver its last set of public security patches for Windows XP.

 


 

The end-of-life for XP, which has been announced for a number of years now, means that computers running XP will be very attackable in the near future. Over 70% of Microsoft’s security bulletins in 2013 affected XP, and there is no reason to assume that this will change in the near future. XP will be affected by a large percentage of the problems exposed in May, June and July, but there will be no remedy (except for companies that pay for extended support - an option that costs at least US$ 100,000/year).

 

The best solution is to migrate away from this outdated (designed in the 90s) operating system to a newer version, with the best candidates being Windows 7 and Windows 8. Organizations have focused a large amount of resources and money on updating their infrastructures, and we have seen the percentage of Windows XP machines drop from 35% in January 2013 to 14% in February 2014. We now project to be at 10% of Windows XP machines by the end of this month.

 


 

Different industry sectors show different XP migration profiles. For example, transportation dropped impressively fast from 55% in January 2013 to 14% in February, while Healthcare has consistently had a low ratio of Windows XP in its organizations’ networks.

 


 

Both of these industry sectors had significant challenges to overcome, especially in regards to specialized (non-IT managed) equipment that is connected to their networks and that frequently cannot simply be updated. Many industrial control systems and medical devices, configurations that typically have much longer useful lifespans (>10 years) than pure computer equipment (<4 years), have Windows XP systems as vital components in their setups that cannot simply be updated. Nevertheless, these systems run full XP and are as attackable as your average office machine if they are used in similar fashion, for email and web browsing. Moving these machines into network segments that do not have direct Internet access and introducing additional firewalls that curb that type of usage are ways to improve security.

 

Stay tuned for more updates on the final days of XP.


Updating your computer software for security purposes should be a no-brainer; after all, we have been working on this issue for the last 10+ years and it should be a solved problem. Nevertheless, many people use their PCs basically as they received them, ignoring patch warnings, thinking it does not apply to them (from a recent dialogue that I had on a news/comment site), or believing they have more important things to do.

 

The Top 4 Audit gives us the information on Operating System and other Microsoft software in Control 3 - in my case I am missing updates for Internet Explorer, Windows, .NET, Office and others, all pretty much unavoidable since they get updated almost every month, and any new installation will be behind almost automatically.

 


 

Anyway, getting the Operating System up-to-date is straightforward, simply run Microsoft Update (the more complete version of Windows Update) a couple of times until all pending updates are applied, and in the process, configure it for automatic installation going forward.

 


 

You can do this without leaving your newly set up standard user (for me “wolfgang”, see last week's post), but you will have to give the credentials for your administrator user every once in a while. From the Desktop, open the Control Panel, click on System and Security, and under Windows Update click on Check for Updates. If you have not done so before, also opt in to automatic updates from here on. My first run of Windows Update gave me 920 MB to download, which took about 45 minutes to install.

 


 

After installing these 84 patches and rebooting, a second run gave me another 600 MB, which took roughly 30 minutes to install plus reboot. A third run gave me 5 MB and was just the latest Flash player update embedded in Internet Explorer 10, a really important 2-week old update as it fixes a 0-day vulnerability. But my Top 4 Score now looks quite a bit better: A in Control 4 and A in Control 3 for an overall score of “C”.

 

Even better, from now on updates should be relatively easy and quick. I just need to pay attention at Patch Tuesday every month and let the machine update itself.

 

Next step: Application Patching - Control 2 - getting rid of that “D”.


At the RSA conference a few weeks ago, we introduced a new free service - the Top 4 Control audit. This service focuses on how to help computer end users and small- to medium-sized companies implement the top 4 security measures first suggested by the Australian government's ASD division. In their internal forensics, they found that these four measures were able to prevent over 85% of the incidents that had occurred in the government agencies they were responsible for. In the last year, the Top 4 controls have been starting to gain acceptance, with both the SANS Institute and the Council on CyberSecurity supporting their implementation. CSIS’s Jim Lewis gave them a very favorable mention in his 2013 paper “Raising the Bar for Cybersecurity”.

 

I have used our new Top 4 service on a new machine that I received recently. It was a new laptop, a Lenovo T430. It came with Windows 8.1 installed, an ideal and updated target to work with.

 

In essence, the Top 4 consists of:

 

  1. Whitelisting, which prevents the execution of downloaded malware, as it is not contained in the approved list of software
  2. Patching applications, which shrinks the attack surface in the installed applications, focusing directly on the software most abused in recent months: Java, Adobe Flash, Adobe Reader, Microsoft Office and Apple Quicktime
  3. Patching the operating system, which fixes known vulnerabilities in Windows and further shrinks the available attack surface
  4. Running as a standard user, which makes it harder for malware to install itself permanently on the system, as this usually requires administrator privileges

 

Overall, it is a small, but pretty promising set of controls to try out. Nothing better than a brand new machine to test a quick setup to see how practical the whole suggestion of running the Top 4 audit really is.

 

When I first booted up my new machine, I was prompted to use my Hotmail account at Microsoft, but I opted to use a local account because I felt I would rather maintain a clear separation between my online and local machine accounts. (Hint, click on "Create a new account," then "Sign in without a Microsoft account.")

 

I proceeded to install the Top4 service plugin through the URL retrieved through my account on Qualys BrowserCheck Business Edition (http://tinyurl.com/qgbe4 or https://browsercheck.qualys.com/?uid=de39b22f468a147906fd65041b56719e). If you want to use the Top 4 service, you should really create an account in the Business Edition backend tool and get your personalized URL to get better reporting and trending on your results, but feel free to use the above URL if that is too much effort for you at the moment.

 

Then, after logging into Windows with the newly created user “wkandek”, I clicked on the Desktop tile and started Internet Explorer on the familiar desktop interface and went to the URL tinyurl.com/qgbe4, clicked on “install plugin” and accepted the Terms of Service. Then, I answered “Yes”, and “Yes” to the prompts by Windows. You also need to add the “https://browsercheck.qualys.com” site into your trusted sites in Internet Explorer by clicking on “Tools” (the little gear icon in the top right corner), “Internet Options,” “Security,” “Trusted Sites,” “Sites” and then “Add.” Then select “Advanced Scan” in the drop-down menu in the top right corner and hit the “Scan” (or “Re-Scan”) button.

 

The first scan gave me a pretty bad grade: an overall “D”, composed of two “F” grades, a “D” and a “B”.

 


 

I decided to attack "control 4" from the Top 4 list first, because it should be simple to address. I started the control panel, clicked on ‘Users and Accounts” and created a second local user “wolfgang” that would serve as my day to day account. Logging out of my admin account “wkandek” and into the account “wolfgang”, I reran the scan by going to http://tinyurl.com/qgbe4 (I had to add http://browsercheck.qualys.com to my trusted sites again) and got a better score, an “A” in item 4: “User Privileges”, but still a “D” for overall security, mainly caused by the two “F” grades in controls 1 and 2.

 


 

OK, that was straightforward; so far under 30 minutes spent on getting better. Moving on to the next controls. Let’s do Windows Operating System Patching next.


This update to QualysGuard 8.0 includes improvements to the QualysGuard API, allowing you to integrate your programs and API calls with QualysGuard Vulnerability Management (VM) and QualysGuard Policy Compliance (PC).

 

What’s New

VM - “Security Risk Score” summary added to XML and CSV reports

VM & PC - "Network Support API” Updates

 

QualysGuard API Server URL. The QualysGuard API documentation and sample code use the API server URL for QualysGuard US Platform 1. If your account is located on another platform, please replace this URL with the appropriate server URL for your account.

 

Account Location              API Server URL for login
QualysGuard US Platform 1     https://qualysapi.qualys.com
QualysGuard US Platform 2     https://qualysapi.qg2.apps.qualys.com
QualysGuard EU Platform       https://qualysapi.qualys.eu
QualysGuard @Customer         https://qualysapi.<customer_base_url>

 

QualysGuard API Documentation. API user guides and other documentation are available in your account’s Resources section (Help > Resources > API). Note: The service enforces limits on the API calls users can make within a subscription. See “QualysGuard API Limits” for details.

 

VM - “Security Risk Score” summary added to  XML and CSV reports

With this release, vulnerability scan reports include a security risk score summary for the report and per host in all report formats; earlier this was not in XML or CSV. As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The asset_data_report.dtd was updated - we’ll show you the changes.

 

Tell me about the Security Risk Score. The score for the overall report is the average security risk for all hosts in the report. The score for each host is the average severity level detected (the default) or the highest severity level detected. Managers can configure the calculation method for the subscription by going to Reports > Setup > Security Risk. Are you an Express Lite user? If yes the average severity level is always used.

 

Sample reports. These reports were created using a scan report template configured with host based findings and Text Summary is selected (under Display > Detailed Results).

 

CSV report:

New rows show you the security risk score summary for the report and per host.


 

XML report:

New XML elements show you the security risk summary for the report (see RISK_SCORE_SUMMARY) and per host (see RISK_SCORE_PER_HOST).

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ASSET_DATA_REPORT SYSTEM "https://qualysguard.qualys.com/asset_data_report.dtd">
<ASSET_DATA_REPORT>
  <HEADER>
    <COMPANY><![CDATA[Qualys, Inc.]]></COMPANY>
    <USERNAME>USERNAME</USERNAME>
    <GENERATION_DATETIME>2014-03-11T23:56:22Z</GENERATION_DATETIME>
    ...
    <RISK_SCORE_SUMMARY>
      <TOTAL_VULNERABILITIES>14</TOTAL_VULNERABILITIES>
      <AVG_SECURITY_RISK>2.6</AVG_SECURITY_RISK>
      <BUSINESS_RISK>13/100</BUSINESS_RISK>
    </RISK_SCORE_SUMMARY>
  </HEADER>
<RISK_SCORE_PER_HOST>
  <HOSTS>
    <IP_ADDRESS>10.10.24.104</IP_ADDRESS>
    <TOTAL_VULNERABILITIES>4</TOTAL_VULNERABILITIES>
    <SECURITY_RISK>2.5</SECURITY_RISK>
  </HOSTS>
  <HOSTS>
    <IP_ADDRESS>10.10.24.106</IP_ADDRESS>
    <TOTAL_VULNERABILITIES>10</TOTAL_VULNERABILITIES>
    <SECURITY_RISK>2.6</SECURITY_RISK>
  </HOSTS>
</RISK_SCORE_PER_HOST>
  <HOST_LIST>
    <HOST>
      <IP>10.10.24.104</IP>
      <TRACKING_METHOD>IP</TRACKING_METHOD>
...

 

DTD updates:

You’ll see the updated asset_data_report.dtd below. There are new elements RISK_SCORE_PER_HOST and RISK_SCORE_SUMMARY.

<!-- QUALYS ASSET DATA REPORT DTD -->

<!ELEMENT ASSET_DATA_REPORT (ERROR | (HEADER, RISK_SCORE_PER_HOST?, HOST_LIST?, GLOSSARY?, APPENDICES?))>


<!ELEMENT ERROR (#PCDATA)*>
<!ATTLIST ERROR number CDATA #IMPLIED>




<!-- HEADER -->


<!ELEMENT HEADER (COMPANY, USERNAME, GENERATION_DATETIME, TEMPLATE,
                  TARGET, RISK_SCORE_SUMMARY?)>


<!ELEMENT COMPANY (#PCDATA)>
<!ELEMENT USERNAME (#PCDATA)>
<!ELEMENT GENERATION_DATETIME (#PCDATA)>
<!ELEMENT TEMPLATE (#PCDATA)>
<!ELEMENT TARGET (USER_ASSET_GROUPS?, USER_IP_LIST?, COMBINED_IP_LIST?, 
                  ASSET_TAG_LIST?)>


<!ELEMENT USER_ASSET_GROUPS (ASSET_GROUP_TITLE+)>
<!ELEMENT ASSET_GROUP_TITLE (#PCDATA)>


<!ELEMENT USER_IP_LIST (RANGE*)>
<!ELEMENT RANGE (START, END)>
<!ELEMENT START (#PCDATA)>
<!ELEMENT END (#PCDATA)>


<!ELEMENT COMBINED_IP_LIST (RANGE*)>


<!ELEMENT ASSET_TAG_LIST (INCLUDED_TAGS, EXCLUDED_TAGS?)>


<!ELEMENT INCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST INCLUDED_TAGS scope CDATA #IMPLIED>


<!ELEMENT EXCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST EXCLUDED_TAGS scope CDATA #IMPLIED>


<!-- AVERAGE RISK_SCORE_SUMMARY -->
<!ELEMENT RISK_SCORE_SUMMARY (TOTAL_VULNERABILITIES, AVG_SECURITY_RISK,
                              BUSINESS_RISK)>
<!ELEMENT TOTAL_VULNERABILITIES (#PCDATA)>
<!ELEMENT AVG_SECURITY_RISK (#PCDATA)>
<!ELEMENT BUSINESS_RISK (#PCDATA)>


<!-- RISK_SCORE_PER_HOST -->
<!ELEMENT RISK_SCORE_PER_HOST (HOSTS+)>
<!ELEMENT HOSTS (IP_ADDRESS, TOTAL_VULNERABILITIES, SECURITY_RISK)>
<!ELEMENT IP_ADDRESS (#PCDATA)>
<!ELEMENT SECURITY_RISK (#PCDATA)>


<!-- HOST_LIST -->


<!ELEMENT HOST_LIST (HOST+)>
...
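A consumer for the two new elements, written as an added example for this post (not Qualys code): it reads RISK_SCORE_SUMMARY and RISK_SCORE_PER_HOST from an 8.0 asset data report, treats the optional summary as absent when the template did not produce it, and flags hosts whose score reaches a threshold. The report string is constructed from the sample above and trimmed to the elements used; the function names and the threshold are this example's own.

```python
"""Consume the Security Risk Score elements that QualysGuard 8.0 added to the
XML asset data report: RISK_SCORE_SUMMARY (inside HEADER) and
RISK_SCORE_PER_HOST.  Added example, not Qualys code; the report below is
constructed from the sample in the post, trimmed to the elements used here."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<ASSET_DATA_REPORT>
  <HEADER>
    <COMPANY><![CDATA[Qualys, Inc.]]></COMPANY>
    <USERNAME>USERNAME</USERNAME>
    <GENERATION_DATETIME>2014-03-11T23:56:22Z</GENERATION_DATETIME>
    <RISK_SCORE_SUMMARY>
      <TOTAL_VULNERABILITIES>14</TOTAL_VULNERABILITIES>
      <AVG_SECURITY_RISK>2.6</AVG_SECURITY_RISK>
      <BUSINESS_RISK>13/100</BUSINESS_RISK>
    </RISK_SCORE_SUMMARY>
  </HEADER>
  <RISK_SCORE_PER_HOST>
    <HOSTS>
      <IP_ADDRESS>10.10.24.104</IP_ADDRESS>
      <TOTAL_VULNERABILITIES>4</TOTAL_VULNERABILITIES>
      <SECURITY_RISK>2.5</SECURITY_RISK>
    </HOSTS>
    <HOSTS>
      <IP_ADDRESS>10.10.24.106</IP_ADDRESS>
      <TOTAL_VULNERABILITIES>10</TOTAL_VULNERABILITIES>
      <SECURITY_RISK>2.6</SECURITY_RISK>
    </HOSTS>
  </RISK_SCORE_PER_HOST>
</ASSET_DATA_REPORT>
"""


def parse_summary(root):
    """Report-wide summary, or None when the template did not emit one
    (RISK_SCORE_SUMMARY is optional in the DTD: it needs host based findings
    plus the Text Summary option)."""
    node = root.find("HEADER/RISK_SCORE_SUMMARY")
    if node is None:
        return None
    # BUSINESS_RISK is rendered as "13/100"; keep the numerator as an int.
    business = node.findtext("BUSINESS_RISK", "").split("/")[0]
    return {
        "total_vulnerabilities": int(node.findtext("TOTAL_VULNERABILITIES")),
        "avg_security_risk": float(node.findtext("AVG_SECURITY_RISK")),
        "business_risk": int(business) if business else None,
    }


def parse_per_host(root):
    """One dict per HOSTS element under RISK_SCORE_PER_HOST (may be empty)."""
    hosts = []
    for node in root.findall("RISK_SCORE_PER_HOST/HOSTS"):
        hosts.append({
            "ip": node.findtext("IP_ADDRESS"),
            "total_vulnerabilities": int(node.findtext("TOTAL_VULNERABILITIES")),
            "security_risk": float(node.findtext("SECURITY_RISK")),
        })
    return hosts


def load_report(report_xml):
    """Parse the report into {'summary': ..., 'hosts': [...]}."""
    # Encode first so the XML declaration's encoding applies to bytes.
    root = ET.fromstring(report_xml.encode("utf-8"))
    return {"summary": parse_summary(root), "hosts": parse_per_host(root)}


def hosts_at_or_above(report_xml, threshold):
    """IPs whose per-host SECURITY_RISK reaches the threshold, worst first."""
    hosts = load_report(report_xml)["hosts"]
    flagged = [h for h in hosts if h["security_risk"] >= threshold]
    return [h["ip"] for h in sorted(flagged, key=lambda h: -h["security_risk"])]


def totals_consistent(report_xml):
    """Sanity check: per-host counts must add up to the summary total.
    Returns None when there is no summary to compare against."""
    report = load_report(report_xml)
    if report["summary"] is None:
        return None
    per_host = sum(h["total_vulnerabilities"] for h in report["hosts"])
    return per_host == report["summary"]["total_vulnerabilities"]


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print("summary:", report["summary"])
    print("hosts at or above 2.6:", hosts_at_or_above(SAMPLE_REPORT, 2.6))
    print("totals consistent:", totals_consistent(SAMPLE_REPORT))
```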

 

VM & PC - Network Support API Updates

 

We made some updates to the Network Support API for QualysGuard 8.0. You’ll find the latest information integrated into this user guide. You might like to review the latest changes below.

 

Set Up Networks

 

Scanner Appliance List API v2 - filter by network ID

The Scanner Appliance List API v2 (resource /api/2.0/fo/appliance/ with action=list) returns scanner appliances in your account. Now you can use the new input parameter “network_id” (optional) to return a list of scanner appliances for a certain network. Specify 0 for the Global Default Network or a custom network ID.

 

For example:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" \
  "https://qualysapi.qualys.com/api/2.0/fo/appliance/?action=list&network_id=1002"

 

Organize Assets by Network

 

Asset Group List API v1 - network ID added to group’s IPs

The Asset Group List API v1 (/msp/asset_group_list.php) is used to retrieve a list of asset groups in your account. We added a new attribute “network_id” to the subelement /SCANIPS/IP in the XML output (asset_group_list.dtd). This appears for an All asset group that is not the same as the subscription’s All asset group.

 

Have multiple All asset groups? Yes you might. There is always 1 All asset group for the subscription - this includes all assets, visible to Managers. If you have business units, there is 1 unique All asset group for each business unit. If you have Scanners and/or Readers, there is 1 unique All asset group for each Scanner/Reader account. (There is no All asset group for a network.)

 

Sample XML output showing an All asset group that is not the subscription’s All asset group:

...
<ASSET_GROUP>
  <ID>5010</ID>
  <TITLE><![CDATA[All]]></TITLE>
  <SCANIPS>
    <IP network_id="0"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="0"> 10.10.10.13-10.10.10.247</IP>
    <IP network_id="1193"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="1193"> 10.10.10.13-10.10.10.247</IP>
...

 

DTD update:

New “network_id” attribute added to the subelement /IP.

...
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP network_id CDATA "0">
...

 

Asset Management

Support for IP List API v2

The IP List API v2 (resource /api/2.0/fo/asset/ip/ with action=list) is used to retrieve a list of IP addresses in your account. The XML output now lists the network ID for each IP address/range when the request is made by a sub-user with access to multiple networks. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

Good to know:

 

  • Managers will not see the “network_id” attribute for any IP or IP_RANGE elements in the output since Managers can see all IPs for all networks.
  • Any sub-user with access to only a single network (the Global Default Network or a custom network) will not see the “network_id” attribute either. This is for consistency with the UI, where these users do not see the network workflows.

 

Sample XML output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/ip/ip_list_output.dtd">
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-02-14T22:47:32Z</DATETIME>
    <IP_SET>
      <IP_RANGE network_id="0">1.0.0.0-10.10.10.14</IP_RANGE>
      <IP_RANGE network_id="0">10.10.10.17-10.10.10.29</IP_RANGE>
      <IP network_id="0">10.10.10.32</IP>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  "0"
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  "0"
>
...

 

Support for Excluded IP List API v2

The Excluded IP List API v2 (/api/2.0/fo/asset/excluded_ip/ with action=list) returns a list of excluded hosts.

 

Use the new input parameter “network_id” (optional) to return a list of excluded IPs for a certain network.

 

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

Sample XML output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/excluded_ip/ip_list_output.dtd">
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-20T20:49:19Z</DATETIME>
    <IP_SET>
      <IP network_id="0">10.10.10.19</IP>
      <IP_RANGE network_id="1275">10.10.50.6-10.10.50.10</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  "0"
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  "0"
>
...

 

Support for Excluded IP Change History API v2

The Excluded IP Change History API v2 (/api/2.0/fo/asset/excluded_ip/history/ with action=list) returns a change history for excluded hosts.

 

Use the new input parameter “network_id” (optional) to return a list of excluded IPs for a certain network.

 

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (history_list_output.dtd).

 

Sample XML output:

...
 <HISTORY_LIST>
      <HISTORY>
        <ID>1441</ID>
        <IP_SET>
          <IP_RANGE network_id="0">10.10.10.234-10.10.10.235</IP_RANGE>
        </IP_SET>
        <ACTION>Added</ACTION>
...

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  "0"
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  "0"
>
...
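The IP List, Excluded IP List and Excluded IP Change History sections above all return the same IP_SET shape with the new network_id attribute. As an added example (not Qualys code), the script below groups the IP and IP_RANGE elements of any of those outputs by network, applying the DTD default "0" (the Global Default Network) when the attribute is absent, as it is for Managers and single-network sub-users, and counts the addresses in each range. The XML is constructed from the samples above with one element deliberately lacking network_id.

```python
"""Group the IP and IP_RANGE elements of a QualysGuard IP_SET by network ID,
as returned by the IP List, Excluded IP List and Excluded IP Change History
APIs after the 8.0 change.  Added example, not Qualys code.  The XML below is
constructed from the samples in the post, with one element deliberately lacking
the network_id attribute (as Managers and single-network sub-users receive it)."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_OUTPUT = """<?xml version="1.0" encoding="UTF-8" ?>
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-20T20:49:19Z</DATETIME>
    <IP_SET>
      <IP network_id="0">10.10.10.19</IP>
      <IP_RANGE network_id="1275">10.10.50.6-10.10.50.10</IP_RANGE>
      <IP_RANGE>10.10.10.234-10.10.10.235</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>
"""

# The DTD declares network_id with default "0", the Global Default Network,
# so a missing attribute means exactly that rather than "unknown".
DEFAULT_NETWORK_ID = "0"


def address_count(text):
    """Number of addresses in one IP or one 'start-end' range, validating
    both ends (the asset_group_list sample shows a leading space, so strip)."""
    text = text.strip()
    if "-" not in text:
        ipaddress.ip_address(text)  # raises ValueError on garbage
        return 1
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    if end < start:
        raise ValueError(f"range end precedes start: {text}")
    return int(end) - int(start) + 1


def ips_by_network(xml_text):
    """{network_id: [(tag, text, address_count), ...]} over every IP_SET in
    the document, so the same code serves the history output as well."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    grouped = {}
    for ip_set in root.iter("IP_SET"):
        for el in ip_set:
            if el.tag not in ("IP", "IP_RANGE"):
                continue
            network = el.get("network_id", DEFAULT_NETWORK_ID)
            entry = (el.tag, el.text.strip(), address_count(el.text))
            grouped.setdefault(network, []).append(entry)
    return grouped


def address_totals(xml_text):
    """{network_id: total addresses} for a quick per-network footprint check."""
    return {net: sum(count for _, _, count in items)
            for net, items in ips_by_network(xml_text).items()}


if __name__ == "__main__":
    for network, items in ips_by_network(SAMPLE_OUTPUT).items():
        print(f"network {network}:")
        for tag, text, count in items:
            print(f"  {tag:<9}{text:<28}{count} address(es)")
    print("totals:", address_totals(SAMPLE_OUTPUT))
```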

Mixed content issues arise when web sites deliver their pages over HTTPS, but allow some of the resources to be delivered in plaintext. The active network attacker can't do anything about the encrypted traffic, but messing with the plaintext can result in attacks ranging from phishing in the best case to full browser compromise in the worst. A single exposed script is sufficient: the attacker can hijack the connection and inject arbitrary attack payloads into it.

 

We tend to talk a lot about other aspects of SSL/TLS, but mixed content is arguably the easiest way to completely mess up your web site encryption.

 

In the very early days of the Web, all mixed content was allowed; web browsers expected site operators to think through the consequences of mixing content. That, of course, did not result in great security. Site operators did whatever they needed to get their work done and decrease costs. Only in recent years did browser vendors start to pay attention and start to restrict mixed content.

Mixed content in modern browsers

Today, almost all major browsers tend to break mixed content into two categories: passive for images, videos, and sound; and active for more dangerous resources, such as scripts. They tend to allow passive mixed content by default, but reject active content. This is clearly a compromise between breaking the Web and reasonable security.

 

Internet Explorer has been the leader in secure mixed content handling. As early as Internet Explorer 5 (according to this post), they had detection and prevention of insecure content by default. Chrome started blocking by default in 2011, and Firefox in 2013. The default Android browser and Safari, however, still allow all mixed content without any restrictions (and with almost non-existent warnings).

 

Here are the results of my recent testing of what insecure content is allowed by default:

 

Browser                  Images  CSS  Scripts  XHR  WebSockets  Frames
Android browser 4.4.x    Yes     Yes  Yes      Yes  Yes         Yes
Chrome 33                Yes     No   No       Yes  Yes         No
Firefox 28               Yes     No   No       No   No          No
Internet Explorer 11     Yes     No   No       No   No          No
Safari 7                 Yes     Yes  Yes      Yes  Yes         Yes

 

They are mostly as expected, but there's a surprise with Chrome, which blocks active page content, but still allows plaintext XMLHttpRequest and WebSocket connections.

 

It's worth mentioning that the table does not tell us everything. For example, browsers tend not to control what their plugins do. Further, certain components (e.g., Flash or Java) are full environments in their own right, and there's little browsers can do to enforce security.

Testing for mixed content handling in SSL Labs

To make it easier to evaluate browser handling of this problem, I recently extended the SSL Labs Client Test to probe mixed content handling. When you visit the page, your browser is tested, and you will get results similar to these:

 


Mixed content prevalence

Anecdotally, mixed content is very common. At Qualys, we investigated this problem in 2011, along with several other application-level issues that result in full breakage of encryption in web applications. We analysed the homepages of about 250,000 secure web sites from the Alexa top 1 million list, and determined that 22.41% of them used insecure content. If images are excluded, the number falls to 18.71%.

 

A more detailed study of 18,526 sites extracted from Alexa top 100,000 took place in 2013: A Dangerous Mix: Large-scale analysis of mixed-content websites (Chen et al.). For each site, up to 200 secure pages were analysed, arriving at a total of 481,656 pages. Their results indicate that up to 43% of web sites have mixed content issues.

Mitigation

The best defence against mixed content issues is simply not having this type of problem in your code. But that's easier said than done; there are many ways in which mixed content can creep in. When that fails, there are two technologies that can come in useful:

 

  • HTTP Strict Transport Security (HSTS) is a mechanism that enforces secure resource retrieval, even in the face of user mistakes (attempting to access your web site on port 80) and implementation errors (your developers place an insecure link into a secure page). HSTS is one of the best things that happened to TLS recently, but it works only on the hostnames you control.
  • Content Security Policy (CSP) can be used to block insecure resource retrieval from third-party web sites. It also has many other useful features to address other application security issues, for example XSS.
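As an added example (not part of the original post or of SSL Labs), the script below does the site-side half of this check: it parses the HTML of an HTTPS page, resolves each subresource URL, classifies plaintext fetches as passive or active using the post's split, and then separates what the page's own HSTS policy would already upgrade (same host, or subdomains with includeSubDomains) from what still needs a code fix or a CSP restricting third-party fetches. The page URL, HTML and headers are constructed; the function names are this example's own.

```python
"""Flag mixed content in the HTML of an HTTPS page and classify each hit as
passive (images, media) or active (scripts, stylesheets, frames, plugins),
the split the post describes.  Added example, not part of the post or of SSL
Labs; the HTML, URLs and headers below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://shop.example.com/cart"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//cdn.example.net/app.js"></script>
<script src="http://shop.example.com/static/track.js"></script>
</head><body>
<img src="/logo.png">
<img src="http://img.example.org/banner.jpg">
<iframe src="http://ads.example.net/frame.html"></iframe>
</body></html>"""
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

# (tag, attribute) pairs that fetch a subresource, and how a plaintext fetch
# of that resource is classified.  Stylesheets are refined in handle_starttag.
SUBRESOURCES = {
    ("img", "src"): "passive", ("video", "src"): "passive",
    ("audio", "src"): "passive", ("source", "src"): "passive",
    ("script", "src"): "active", ("link", "href"): "active",
    ("iframe", "src"): "active", ("object", "data"): "active",
    ("embed", "src"): "active",
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for (t, a), category in SUBRESOURCES.items():
            if t != tag or a not in attrs:
                continue
            if tag == "link" and attrs.get("rel", "").lower() != "stylesheet":
                continue  # icons, preconnect etc. are not the post's concern
            # Resolve relative and scheme-relative URLs against the HTTPS page:
            # "/logo.png" and "//cdn/app.js" both become https and are fine.
            url = urljoin(self.page_url, attrs[a])
            if urlparse(url).scheme == "http":
                self.findings.append((category, tag, url))


def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        raise ValueError("mixed content only applies to a page served over HTTPS")
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def hsts_upgrades(headers, page_url, resource_url):
    """True if the page's own HSTS policy makes the browser fetch this
    resource over HTTPS anyway.  HSTS only covers the hostnames you control:
    the page's host, plus subdomains when includeSubDomains is set."""
    policy = headers.get("Strict-Transport-Security", "")
    directives = [d.strip().lower() for d in policy.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1])
    if max_age <= 0:
        return False
    page_host = urlparse(page_url).hostname
    host = urlparse(resource_url).hostname
    if host == page_host:
        return True
    return "includesubdomains" in directives and host.endswith("." + page_host)


def triage(page_url, html, headers):
    """Split findings into what HSTS already fixes and what still needs a
    code change or a CSP restricting third-party fetches to https."""
    result = {"active": [], "passive": [], "fixed_by_hsts": []}
    for category, tag, url in find_mixed_content(page_url, html):
        if hsts_upgrades(headers, page_url, url):
            result["fixed_by_hsts"].append(url)
        else:
            result[category].append(url)
    return result


if __name__ == "__main__":
    for key, urls in triage(PAGE_URL, SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(f"{key}: {urls}")
```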

A new release of QualysGuard AM API is scheduled to be released in production on the QualysGuard EU Platform on April 1st, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard AM API update includes the addition of the Asset Management and Tagging API v2. The addition of this API will allow customers to access new Tag API, Host Asset API, Asset API and Host Instance Vulnerability API functionality via one API. For more information on new features see QualysGuard API Notification.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-eu


A new release of QualysGuard AM API is scheduled to be released in production on the QualysGuard US Platform 1 on April 3rd, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard AM API update includes the addition of the Asset Management and Tagging API v2. The addition of this API will allow customers to access new Tag API, Host Asset API, Asset API and Host Instance Vulnerability API functionality via one API. For more information on new features see QualysGuard API Notification.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-us1


A new release of QualysGuard API is scheduled to be released in production on the QualysGuard US Platform 2 on March 27th, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: This QualysGuard API release includes the addition of the Asset Management and Tagging API v2. The addition of this API will allow customers to access new Tag API, Host Asset API, Asset API and Host Instance Vulnerability API functionality via one API. For more information on new features see QualysGuard API Notification.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-us2


This API notification provides an early preview into the coming API changes in QualysGuard, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There is one primary API change in this release:

 

New API: Asset Management and Tagging API v2

 

This release will apply to the following platforms:

 

 

Full release notes will be available to customers on the day of the release.

 

API Enhancements

 

Tag API

          The Tag API provides a suite of API functions for managing tags. The supported Tag operations are get, create, update, search, count, delete and evaluate.

 

          Tag operations

                    Get Tag

                    Create Tag

                    Update Tag

                    Search Tags

                    Count Tags

                    Delete Tag

                    Evaluate Tag

 

 

Example:

          Fetch tag ID 12345.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/tag/12345"

 

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/tag.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Tag>
      <id>12345</id>
      <name>Test Tag</name>
      <created>2014-02-06T19:14:50Z</created>
      <modified>2014-02-06T19:14:50Z</modified>
      <color>#FFFFFF</color>
      <ruleText>asset.installedSoftwares.contains { it.name == Windows }</ruleText>
      <ruleType>GROOVY</ruleType>
      <children>
        <list/>
      </children>
    </Tag>
  </data>
</ServiceResponse>

 

Host Asset API

          The Host Asset API provides a suite of API functions for managing host assets. In many cases these are hosts detected by our cloud scanners. Host assets can also be added manually by the QualysGuard API or user interface. The HostAsset members identify operating system, NetBIOS, tags, open ports, NICs, installed software, EC2 source information and current vulnerabilities (all instances).

 

          Host Asset operations

                    Get Host Asset

                    Create Host Asset

                    Update Host Asset

                    Search Host Assets

                    Count Host Assets

                    Delete Host Asset

                    Activate Host Asset

 

Example:

          Fetch the host asset ID 12345 and list host asset details.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/hostasset/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/hostasset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <HostAsset>
      <id>2020094</id>
      <name>My Windows Asset</name>
      <created>2014-02-06T19:16:35Z</created>
      <modified>2014-02-06T19:16:35Z</modified>
      <type>HOST</type>
      <tags>
        <list>
            <TagSimple>
                <id>12345</id>
                <name>Tag 1</name>
            </TagSimple>
            <TagSimple>
                <id>54321</id>
                <name>Tag 2</name>
            </TagSimple>
        </list>
      </tags>
      <sourceInfo>
        <list/>
      </sourceInfo>
      <os>Windows 7</os>
      <dnsHostName>localhost</dnsHostName>
      <netbiosName>TEST</netbiosName>
      <netbiosNetworkId>10</netbiosNetworkId>
      <networkGuid>66bf43c8-7392-4257-b856-a320fde231eb</networkGuid>
      <address>127.0.0.1</address>
      <trackingMethod>IP</trackingMethod>
      <openPort>
        <list/>
      </openPort>
      <software>
        <list/>
      </software>
      <vuln>
        <list/>
      </vuln>
    </HostAsset>
  </data>
</ServiceResponse>

 

Asset API

          The Asset API is a subset of the Host Asset API. The Asset members identify name, tags, and EC2 source information.

 

          Asset operations

                    Get Asset

                    Update Asset

                    Search Assets

                    Count Assets

                    Delete Asset

                    Activate Asset

 

Example:

          This example fetches the asset ID 12345 and lists asset details.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/asset/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/asset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Asset>
      <id>12345</id>
      <name>My Windows Asset</name>
      <created>2014-02-06T19:16:35Z</created>
      <modified>2014-02-06T19:16:35Z</modified>
      <type>HOST</type>
      <tags>
        <list>
            <TagSimple>
                <id>12345</id>
                <name>Tag 1</name>
            </TagSimple>
            <TagSimple>
                <id>54321</id>
                <name>Tag 2</name>
            </TagSimple>
        </list>
      </tags>
    </Asset>
  </data>
</ServiceResponse>

 

Host Instance Vulnerability API

          The Host Instance Vulnerability API provides a suite of API functions for managing vulnerability instances found on host assets. The supported Host Instance Vulnerability operations are get, count and search.

 

    Host Instance Vulnerability operations

                    Get Host Instance Vulnerability

                    Search Host Instance Vulnerabilities

                    Count Host Instance Vulnerabilities

 

Example:

          Fetch the host instance vulnerability with the ID 12345.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/hostinstancevuln/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/hostinstancevuln.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <HostInstanceVuln>
      <id>9534081</id>
      <hostAssetId>1543621</hostAssetId>
      <qid>38167</qid>
      <port>25</port>
      <ssl>true</ssl>
      <found>true</found>
      <ignored>false</ignored>
      <disabled>false</disabled>
      <updated>2012-10-19T21:56:23Z</updated>
      <protocol>TCP</protocol>
      <source>HOST</source>
    </HostInstanceVuln>
  </data>
</ServiceResponse>
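The four GET examples above all return the same envelope: a ServiceResponse with a responseCode, a count, and the records inside data, where multi-valued members such as tags or vuln are wrapped in a list element. The following is an added example, not Qualys' own client code, showing how a script that automates these calls should build the request URL and consume the envelope: it refuses object IDs that are not plain positive integers (so an ID copied from a ticket cannot alter the request path), treats anything other than responseCode SUCCESS as an error, and cross-checks count against the number of records actually present before the data is used. The sample responses are constructed from the ones shown in the notification (trimmed), and the responseErrorDetails/errorMessage element used on the error path is an assumption, since the page only shows SUCCESS responses.

```python
"""Parse and sanity-check ServiceResponse XML from the Asset Management and
Tagging API v2 (added example; not Qualys' own client code)."""
import xml.etree.ElementTree as ET


class QualysApiError(Exception):
    """A ServiceResponse that must not be trusted (non-SUCCESS or inconsistent)."""


BASE = "https://qualysapi.qualys.com/rest/2.0"
RESOURCES = ("tag", "hostasset", "asset", "hostinstancevuln")


def get_url(resource, object_id):
    """Build the GET URL used in the curl examples, refusing anything that is
    not a known resource or a plain positive integer ID."""
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource {resource!r}")
    oid = str(object_id)
    if not (oid.isascii() and oid.isdigit()) or int(oid) <= 0:
        raise ValueError(f"object id must be a positive integer, got {object_id!r}")
    return f"{BASE}/get/am/{resource}/{oid}"


def _value(elem):
    """Leaf -> text, <x><list>...</list></x> -> Python list, otherwise -> dict."""
    children = list(elem)
    if not children:
        return (elem.text or "").strip()
    if len(children) == 1 and children[0].tag == "list":
        return [_value(item) for item in children[0]]
    return {child.tag: _value(child) for child in children}


def parse_service_response(xml_text):
    """Return [(record_type, record_dict), ...] taken from <data>.

    Raises QualysApiError unless responseCode is SUCCESS and <count> agrees
    with the number of records that are really in <data>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "ServiceResponse":
        raise QualysApiError(f"unexpected root element {root.tag!r}")
    code = root.findtext("responseCode", default="")
    if code != "SUCCESS":
        # Assumed element names for error responses; the page shows only SUCCESS.
        msg = root.findtext("responseErrorDetails/errorMessage", default="")
        raise QualysApiError(f"responseCode={code or '<missing>'} {msg}".strip())
    data = root.find("data")
    records = [(child.tag, _value(child)) for child in (data if data is not None else [])]
    count = root.findtext("count", default="")
    if not (count.isascii() and count.isdigit()) or int(count) != len(records):
        raise QualysApiError(f"count={count!r} but {len(records)} record(s) in <data>")
    return records


def host_tag_names(xml_text):
    """Names of the tags attached to the first HostAsset/Asset in a response."""
    for kind, rec in parse_service_response(xml_text):
        if kind in ("HostAsset", "Asset"):
            return [t["name"] for t in rec["tags"]]
    return []


# Constructed sample: the Tag response shown in the notification (schema
# location attribute trimmed).
TAG_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Tag>
      <id>12345</id>
      <name>Test Tag</name>
      <created>2014-02-06T19:14:50Z</created>
      <modified>2014-02-06T19:14:50Z</modified>
      <color>#FFFFFF</color>
      <ruleText>asset.installedSoftwares.contains { it.name == Windows }</ruleText>
      <ruleType>GROOVY</ruleType>
      <children><list/></children>
    </Tag>
  </data>
</ServiceResponse>"""

# Constructed sample: the HostAsset response trimmed to the members needed to
# show how the <tags><list> wrapper is flattened.
HOST_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <HostAsset>
      <id>2020094</id>
      <name>My Windows Asset</name>
      <os>Windows 7</os>
      <address>127.0.0.1</address>
      <tags><list>
        <TagSimple><id>12345</id><name>Tag 1</name></TagSimple>
        <TagSimple><id>54321</id><name>Tag 2</name></TagSimple>
      </list></tags>
      <vuln><list/></vuln>
    </HostAsset>
  </data>
</ServiceResponse>"""

# Constructed sample: <count> disagrees with <data>; a script that paginates
# on <count> would silently skip or duplicate records if it trusted it.
BAD_COUNT_RESPONSE = """<ServiceResponse><responseCode>SUCCESS</responseCode>
<count>2</count><data><Tag><id>1</id></Tag></data></ServiceResponse>"""

if __name__ == "__main__":
    print(get_url("hostasset", 12345))
    for kind, rec in parse_service_response(TAG_RESPONSE):
        print(kind, rec["id"], rec["name"], rec["ruleType"])
    print(host_tag_names(HOST_RESPONSE))
```

Feeding the curl output of any of the four GET calls to parse_service_response gives a list of (record type, dict) pairs; the record type distinguishes Tag, HostAsset, Asset and HostInstanceVuln records without a separate parser for each. Note that the curl examples use both -n (read credentials from ~/.netrc) and -u; in a script, relying on -n alone keeps the password out of the command line and shell history.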

QualysGuard WAS 3.3 provides enhanced management of web application information and data filtering options along with usability enhancements.

 

Feature highlights include: Bulk editing of web applications, filtering sensitive content detections, enhanced report storage management, and additional scan cancellation options.  Together, these new features save organizations time and enable organizations to run a more effective and efficient web application security program.

 

QualysGuard WAS 3.3 will be released in production in late March/early April 2014 depending on the platform. Details about the release schedule are at the end of this blog post.

 

 

Web Application Management Enhancements

 

Bulk Editing Web Applications:  QualysGuard WAS is the most scalable web application scanning solution available.  So we've enhanced the ability to manage large numbers of web applications by adding the capability to perform bulk edits to web application details, saving users from having to make these changes on an app-by-app basis.  The new capability takes advantage of QualysGuard's asset tagging to let users easily group together applications with similar attributes that need to be updated as a group.  Users can update web application details, scan settings and authentication information.

 

[Screenshot: bulk_edit_select.jpg]

 

 

[Screenshot: bulk_edit_1.jpg]

 

Reporting Enhancements

 

Filter sensitive content detections:   Now you can choose to ignore sensitive content in the detection browser and, by default, in all future reports, just as you can with vulnerabilities.  This gives users fine-grained control over which sensitive content findings are listed in reports for all users, leading to higher levels of confidence for reports reviewed by internal teams.  But don't worry, you can easily modify the report filters if you need to include them again in the future.

 

Ignore sensitive content findings in detection browser

[Screenshot: detections_list.jpg]

 

Ignore sensitive content findings in report details

[Screenshot: ignore_sensitive_content.jpg]

 

Manage Report Storage Limit:  QualysGuard WAS 3.3 provides users with better visibility and planning for report storage.  Users can now easily identify how much storage they are using, and subscription managers can set user limits.  Managers can see how much report space has been allocated and make more informed decisions on how to allocate the allotted space to users.

 

[Screenshot: acct_info_1.jpg]

 

 

[Screenshot: profile_1.jpg]

 

Scan Enhancements

 

Cancel any unfinished scan:   Now you can cancel a scan at any time before it's finished, even when its status is Submitted. In the previous release, the cancel action was available only for Running scans.  This gives users more flexibility in managing scans that are queued or already running.

 

 

 

API Enhancements

 

 

Tip: What's my platform

 

Release Schedule

For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:


A new release of QualysGuard WAS, Version 3.3 is scheduled to be released in production on the QualysGuard US Platform 1 on April 3rd, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard WAS 3.3 includes enhancements to Web Application Management, Reporting and APIs that save organizations time and enable them to operate more effective and efficient web application security programs.  For more information on features see QualysGuard WAS 3.3 New Features.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-us1


A new release of QualysGuard WAS, Version 3.3 is scheduled to be released in production on the QualysGuard EU Platform on April 1st, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard WAS 3.3 includes enhancements to Web Application Management, Reporting and APIs that save organizations time and enable them to operate more effective and efficient web application security programs.  For more information on new features see QualysGuard WAS 3.3 New Features.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-eu


A new release of QualysGuard WAS, Version 3.3 is scheduled to be released in production on the QualysGuard US Platform 2 on March 27th, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard WAS 3.3 includes enhancements to Web Application Management, Reporting and APIs that save organizations time and enable them to operate more effective and efficient web application security programs.  For more information on new features see QualysGuard WAS 3.3 New Features.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-us2