Thursday, 12 May 2011

VMware still promoting a very old "browser-appliance.1.0.0"

I was on the VMware site earlier this week, and noticed that they are still hosting a very old "browser-appliance.1.0.0". (I got this in a "promoted link" when I was looking for virtual appliances.)

http://www.vmware.com/appliances/directory/80

Back in 2006, this was intended to be a "safe" virtual browser environment.

"The Browser Appliance allows users to securely browse the Internet using Mozilla Firefox. Run the Browser Appliance with VMware Player to - Protect Against Adware and Spyware and Safeguard Personal Information"

You would use the browser in the VM, instead of your own browser, to improve your internet security, but it is way too old, and if you were to use it now, you would be reducing your security a great deal.


Attacking this platform

I took a look at this version, from an attack perspective:
  • It is an Ubuntu 5.10, with a 2.6.12 kernel, and Firefox 1.0.7.
  • It also has no inbuilt security features, such as antivirus, anti-spyware, or script detection.
  • These types of appliances have known default passwords, and it doesn't prompt you to change them.

There are many known vulnerabilities against these versions, enabling complete system compromise.

If you use it, the VM can easily be compromised, and any subsequent browsing you do through it will be at risk (not to mention that, once the VM is pwned, it can be used to pivot an attack against your internal network).

I can imagine someone downloading this (or still using it from yesteryear) to do their internet banking.


VMware recommending this to me this week is craziness!

I wonder how many other problem VMs are getting promoted on the site. Does anyone clear old ones off?

Here is a more up-to-date equivalent.

http://www.vmware.com/appliances/directory/507083

However, I question whether this is a valid approach for web security. It's a kind of cheap way of running a web-security proxy, but the platform is soon going to be out of date, so the average user would have to keep replacing the VM to get a secure version. If they forget, they become an easy target.


Bootnote: This is a handy platform for practicing your Metasploit hacking skills, but use it "Host-only" and don't surf the web with it!

6 comments:

  1. BTW - I did report this to VMware (I do believe in "doing something" rather than just complaining) - however, VMware have not done anything or responded to my request.
  2. When you browse the web using a VM you should never save any changes to the VM. That way you cannot be compromised for longer than a session. If you reduce your browsing in the VM to secure places you are fairly safe even for that one session, however outdated your software is.
  3. I disagree with that. Many legitimate sites are vulnerable to XSS, and other forms of script or header injection, meaning that redirection is often possible on many sites and exploiting old browser versions is relatively trivial for a skilled attacker.

    You also have the issues of session hijacking and credential theft, and the fact that most users use the same passwords on several sites.

    Even if you only visit "one website", modern content distribution means that your browser will be getting content from many servers, and several providers (even just visiting one online email provider, Hotmail for example, I can see from a packet trace that my browser had downloaded content from over 30 different systems, and many 3rd parties).

    Yes, it is a good idea to limit your browsing to "legitimate sites", but the above issues collectively mean that the client needs to be strong, and to be more secure the OS, browser, and plugins need to be patched up to the latest versions.
