[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Facebook Attach EXE Vulnerability

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Facebook Attach EXE Vulnerability
From: "Mikhail A. Utin" <mutin@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 1 Nov 2011 09:03:17 -0400

Face Book is trying to save its face. It's typical.
I got the same answer from SonicWALL one year ago when discovered that simple 
internal network scanning (Nessus, Nmap, etc.) brings down entire network. The 
firewall internal TCP connections stack was overloaded within a few seconds 
(IPS is not enabled, thus was not accepting new connections.

Mikhail A. Utin, CISSP
Information Security Analyst

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of 
full-disclosure-request@xxxxxxxxxxxxxxxxx
Sent: Tuesday, November 01, 2011 8:00 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Full-Disclosure Digest, Vol 81, Issue 1

Send Full-Disclosure mailing list submissions to
        full-disclosure@xxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request@xxxxxxxxxxxxxxxxx

You can reach the person managing the list at
        full-disclosure-owner@xxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: 
Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your 
post appropriately. Thank you.

Today's Topics:

   1. Re: Facebook Attach EXE Vulnerability (Charles Morris)

Message: 1
Date: Mon, 31 Oct 2011 10:40:24 -0400
From: Charles Morris <cmorris@xxxxxxxxxx>
Subject: Re: [Full-disclosure] Facebook Attach EXE Vulnerability
To: Nathan Power <np@xxxxxxxxxxxxxxxxxxx>
Cc: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Message-ID:
        <CABgawuYGTu1=eG2NEsD9g_n_aaPWE1myQzrZNc0TDZ5sqsb2VQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Nathan, It IS an issue, don't let their foolishness harsh your mellow.

Although it's a completely ridiculous, backwards, and standards-relaxing 
"security" mechanism, the fact is they implemented it, and you subverted it.

In my book that's Pentester 1 :: Fail Vendor 0

I've had large vendors (read:Microsoft) reply to issues with the same kind of 
garbage, where they take a situation where there wasn't a threat, create a 
"security" mechanism to counter the nonexistent threat, then implement it 
incorrectly, thus creating either a vulnerability in the system itself or a 
false sense of security for the user.

Fail: "Hello user, you can add attachments now! Look at our amazing
1997 web technology!!"

User: "Oh neat, I can't wait to send my friend this random file (read:
give up your rights and control of your random file to facebook) your through 
your excessive, unnecessary, inefficient, insecure, closed-source tool"

Fail: "I am blocking exe attachments 'for your security' so feel free to just 
run attachments without a second thought, don't even bother to waste 100ns of 
your time to practice normal security"

User: "Wait, what about .bat, .cmd, .vbs, .ws, .pif, .inx, .lnk etc etc? What 
about the extensions that I set up? Can I really just spam clicks all over the 
place?"

Fail: "Oh those, well you shouldn't be clicking those. What, we can't be held 
responsible if you don't practice normal security!! P.S. You know when we said 
we were blocking .exe files? Well--- we aren't.
Enjoy."

</rant>

On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power <np@xxxxxxxxxxxxxxxxxxx> wrote:
> I was?basically?told that Facebook didn't see it as an issue and I was 
> puzzled by that. Ends up the Facebook security team had issues 
> reproducing my work and?that's?why they?initially?disgarded it. After 
> publishing, the Facebook security team re-examined the issue and by 
> working with me they seem to have been able to reproduce the bug.
>

*********************************
CONFIDENTIALITY NOTICE: This email communication and any attachments may 
contain confidential 
and privileged information for the use of the designated recipients named 
above. If you are 
not the intended recipient, you are hereby notified that you have received this 
communication 
in error and that any review, disclosure, dissemination, distribution or 
copying of it or its 
contents is prohibited. If you have received this communication in error, 
please reply to the 
sender immediately or by telephone at (617) 426-0600 and destroy all copies of 
this communication 
and any attachments. For further information regarding Commonwealth Care 
Alliance's privacy policy, 
please visit our Internet web site at http://www.commonwealthcare.org.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Facebook Attach EXE Vulnerability
  - From: Peter Dawson

Prev by Date: Re: [Full-disclosure] printer attacks?
Next by Date: [Full-disclosure] [ MDVSA-2011:162 ] kdelibs4
Previous by thread: Re: [Full-disclosure] Facebook Attach EXE Vulnerability
Next by thread: Re: [Full-disclosure] Facebook Attach EXE Vulnerability
Index(es):
- Date
- Thread