Archive for May 2006
Microsoft Standard User Analyzer
I saw this linked by Rod Trent over at myitforum.com.
Microsoft Standard User Analyzer is an application compatibility tool that helps developers and IT professionals diagnose issues that would prevent a program from running properly as a standard user.
That sounds a lot easier than working with Regmon and Filemon to find conflicts between low user rights and what an application needs. This may be just what the doctor ordered if you're considering taking admin rights back from users.
Cisco VPN Client Privilege Escalation
The Cisco VPN Client for Windows has a privilege escalation vulnerability that allows a regular user to gain SYSTEM rights.
http://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml
Makes you wonder, if you've "locked down" your user permissions, how many of the really dangerous users haven't already promoted themselves to admin through privilege escalation vulnerabilities like this one.
Stuff He Could Have Bought for $800
A guy I know online got taken in an iBook purchase. Now everywhere he goes, he is reminded of what could have been bought for $800.
Six Apart Forums WMF exploit
This is a follow-on post on the exploitation of the Invision forum used by Six Apart for its free Movable Type support.
The code that is serving up the WMF exploits is in an IFRAME using an obfuscated URL. Using a URL deobfuscator over at IPTools.com, I found that the iframe is calling http://traffnew1.biz/dl/adv670.php (danger, Will Robinson, danger), which I believe is hosted in Russia. Their DNS server is on the same IP block.
If you are running Internet Explorer when you go to that website you get exploited.
Spoofing IE6 on XP SP2, I get an obfuscated script. Not sure how to untangle that.
Gamedaily.com was hit by this bad guy on May 8th. They were also running Invision. So this has been occurring for a while.
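The manual step above (pull the iframe out of the page, then run its URL through a deobfuscator) is easy to automate for triage. This is an added example, not the author's tooling or the IPTools.com service: it collects iframe sources from an HTML page and normalizes the common 2006-era URL tricks (percent-encoding, a decoy `user@` prefix, and dword/hex/octal spellings of the host) so the real destination host is visible. The sample page and its hosts are constructed placeholders.

```python
import re
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)

def _decode_host(host):
    """Rewrite dword, hex or octal IPv4 spellings as a dotted quad; leave real hostnames alone."""
    nums = []
    for part in host.split("."):
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            nums.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]+", part):
            nums.append(int(part, 8))
        elif re.fullmatch(r"[0-9]+", part):
            nums.append(int(part, 10))
        else:
            return host  # contains letters: a real hostname, nothing to decode
    if not 1 <= len(nums) <= 4 or any(n > 255 for n in nums[:-1]):
        return host
    value = nums[-1]  # inet_aton semantics: the last part fills the remaining low bytes
    for i, n in enumerate(nums[:-1]):
        value |= n << (24 - 8 * i)
    return str(ipaddress.ip_address(value)) if value < 2**32 else host

def deobfuscate_url(url):
    """Undo percent-encoding, drop the user@ decoy and decode the host to show the real destination."""
    parts = urlsplit(unquote(url))
    host = _decode_host(parts.hostname or "")  # .hostname strips userinfo/port and lowercases
    return f"{parts.scheme}://{host}{parts.path or '/'}"

def find_iframe_targets(html):
    collector = IframeCollector()
    collector.feed(html)
    return [deobfuscate_url(src) for src in collector.sources]

# Constructed sample page (not the real forum markup): a 1x1 iframe with a decoy user@ and a hex host.
SAMPLE_HTML = """<iframe src="http://www.forum.example@0xC0A80101/dl/page.php" width="1" height="1"></iframe>"""
if __name__ == "__main__":
    print(find_iframe_targets(SAMPLE_HTML))
```

The decoded host is what you feed into WHOIS or DNS lookups; a reader who sees only `www.forum.example@...` in the page source would otherwise be looking at the decoy.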
Invision Board Vuln
While watching a little NASCAR this evening and IMing with friends, I decided to check out the Movable Type Support Forum. Movable Type is the blog software I use over at infosecblog.org.
The second I browsed to http://www.sixapart.com/movabletype/forums/index.php I noticed an odd script prompt:
Next I got virus alert popups from Symantec Antivirus telling me I had wmf exploits in my temp files!
It looks like Six Apart (the company that makes Movable Type) is using Invision Power Board version 2.0.4. A major vulnerability was announced for this version a few days ago.
Moral of the story, if you haven't learned it already: 1) patch your system, 2) keep your antivirus up to date, and 3) even when you aren't surfing the seedy underbelly of the web, you can get exploits thrown at you.
I've sent an alert to the ISC as well as to the webmaster at Six Apart.
Webroot to Offer Antivirus
At the end of this article defending the need for Spy Sweeper even after Vista is released, Webroot CEO David Moll says that Webroot will soon offer antivirus in addition to antispyware. It's not clear whether they are going to bundle with a competitor, develop from scratch, or buy someone.
Other interesting notes:
- Webroot has a half-million-dollar "usability" center where they observe normal people using the product.
- They take time to play offense against their product, trying to be the bad guy and looking for ways to circumvent it, so they can close those holes.
- If you get a patent while working for the company, you only get a $2k bonus.
Defenses against the Word Zero Day
You may have heard that there is a new zero-day attack on Word, which has been sighted at one company in the world.
To protect yourself, you may want to consider the following:
- When you receive an email, IM, fax, telephone call, or someone comes to your door, call them and make sure they really intended to communicate with you. Don't be fooled. You may wish to use a Turing test to verify you are speaking to a human.
- Roll out PKI so you can sign all your messages. That way no one can get away with sending the exploit as you.
- Switch to a VT200 terminal hooked to a VAX running VMS.
- Three words – Precautionary Internet Disconnect.
- Quarantine all email messages 5-7 days to allow antivirus vendors to catch up.
- Set up fans to disperse smoke. After you take away all other means of communication users may resort to smoke signals to communicate. WE HAVE NOT VERIFIED THAT THE WORD VULNERABILITY CANT SPREAD THROUGH SMOKE SIGNALS!
SANS' actual recommendations are here. They seem about as useful as my joke recommendations.
Zero day vulnerabilities and targeted attacks are here to stay. Research into technology that provides proactive defenses is extremely important.
Are Security Analogies Usually Wrong?
I just ran across a post from Michael Howard's blog from March which claimed that security analogies are usually wrong. I'm not sure that I can agree with that statement. He finds that argument by analogy is weak. I don't know his job role at Microsoft, but it seems rather technical and developer oriented. I suspect that if he were in a position to be an evangelist for Microsoft security with CEOs and I.T. people, he would find that analogies are often the best way to get the point across. With fellow developers and computer scientists the emphasis should be on hard fact, but that doesn't mean you'd talk that way to an end user. They'd be lost in no time. Analogies do help convey meaning to non-technical people. Analogies can also be imprecise.
What would he say when Jesper Johansson spends 15 minutes at a Microsoft Security Summit comparing defense in depth to a castle's defenses? Should Jesper be chastised for using analogies? Of course not.
The one example Michael gives is attacking by analogy and there I agree with him. When people say “software security sucks, imagine if bridges were built the same way” I think they give away their ignorance about bridge building and software design.