Archive for the ‘Microsoft’ Category.

Zscaler protects against IE Zero Day

On Tuesday, as seems to be the custom, Microsoft released patches and announced a new zero day in Internet Explorer. MSKB 981374 is a remote code execution in IE6 and IE7. Who knew that being on IE5 could ever be a good thing?
The KB says Microsoft released details to vendors in their Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) programs in order to provide protection to customers.
Within one hour Zscaler had protection in place for its customers. Zscaler offers web security in a SaaS model. I would see them competing with Scansafe, Purewire and MessageLabs as well as any company trying to get you to put security appliances on your network for web security (Blue Coat). Strangely, I didn’t get email from any of those vendors bragging they are protecting their customers against this zero day. If they were protecting their customers would there be any reason not to use it for PR? It’s not like they are making an Oracle Unbreakable (or was that Apple Unbreakable) claim.

Microsoft Security Advisory for Flash

Microsoft published a security bulletin for Flash 6 which is included in Windows XP. MSKB 979267 recommends removing Flash 6 and installing the latest version of Flash from Adobe.

Maybe it’s just me, but I think since Microsoft included Flash 6 in the default XP install, shouldn’t they be responsible for patching it? Flash should be part of Microsoft Update.

Fortunately Flash 6 is ancient. I believe a lot of Flash content will prompt you to upgrade to Flash 8 or 9 rather than allow you to use such an old version. Even so, a lot of vulnerable Flash remains.

Journalism in a pay per click world

I’ve had my own rants about the tech media. I particularly enjoyed Ed Bott’s ZDNet article on “What the Black Screen of Death Story says about Tech Journalism”. Check it out.

Local Admin Rights

We have the beginnings of a Windows 7 deployment project. As part of that I’ve been asked to develop a presentation for the director regarding local admin rights.
At our company it seems local admin rights is sacrosanct. On the other hand, I was once told Universities couldn’t have firewalls because of academic freedom. Now I understand that is no longer the case.
We last tried limiting user rights under Windows 2000. That involved a limited group of users, mostly secretaries and the corporate division. It fell apart quickly as the helpdesk was able to give users admin rights to get around problematic applications rather than taking the time to fix the application.
Application and operating system support for limited rights accounts has improved significantly since Windows 2000. Nevertheless it remains a political and technical hot potato.
The Federal Desktop Core Configuration (FDCC) requires the use of limited rights. This process is more about reminding senior management of the problems with users doing whatever they want, and getting them to sign a waiver for the FDCC requirement.
Right now I have what I think is mission impossible.
1. Demonstrate the problems caused by users being able to do whatever they want. Unfortunately our helpdesk is allowed to work without recording tickets accurately. Also virus incidents are not fully investigated so it is impossible to say x virus incidents occurred because the user was an administrator or Y systems were reloaded because the user installed a bunch of crap.
2. Show that our customer (the Federal government) is not giving users local admin rights. I can say what is required. But I really have no connection into the CSO office at each customer to determine their FDCC compliance.
3. Show that companies like us are limiting local user rights. Again, I’m not sure how I can do this. I don’t see a Gartner report on this.
I have a month to put this together so we’ll see what I can come up with.

MS09-031 Authentication Bypass

I was reading this morning about an ISA authentication bypass that affects a very specific configuration scenario. (Doesn’t affect my setup.) Read more about it on the ISA blog.
It put a smile on my face to think that somewhere Thomas Shinder is kicking a hole in a wall.

Steve Riley Out at Microsoft

Steve Riley posted in his latest blog entry that he was a victim of layoffs at Microsoft.
Steve’s new blog is over at MSInfluentials (also the home of Jesper Johansson’s occasional blogging).
Steve and Jesper wrote Protect Your Windows Network.
Best wishes on the job hunt.

ISA 2006 and Forms Based Authentication

I’ve been working on upgrading ISA 2004 to ISA 2006 (on new hardware as well). We use SecurID authentication at ISA, and then Forms Based Authentication on the Front End OWA server. While this had worked fine with ISA 2004, it didn’t work at all under 2006.
A quick Google found one post on a Microsoft forum with the same problem. Their conclusion was that this was not possible. The poster cited an ISA 2006 book as saying it was an either/or situation. “You can’t do Forms Based Authentication on both ISA and OWA.”
Fortunately, I searched a bit more and found a solution. http://support.microsoft.com/kb/935206
I found I already had files newer than those in the referenced patch. By running the script and configuring OWA publishing as a regular web publishing object, I was able to get it to work.

The dreaded FIPS complaint setting

(Ok, a typo in the subject, but it was funny so left it in)

The Technet blogs require registration to comment, and don’t allow me to use my Microsoft Live account to log in, much less OpenID. I didn’t feel like registering for yet another “community” so I left without commenting.

The ISA Server product team blog at Technet wrote about a case where the customer “Cannot Browse a HTTPs Site Published by ISA Server 2006 without using TLS 1.0 on Internet Explorer”.
I chuckled reading that headline because I’ve been there before.

When I upgraded to ISA 2004, I installed from scratch and applied a recommended hardening policy. I tested it with my computer using Internet Explorer and Firefox, and went home happy. I couldn’t understand why I received email from my manager reporting that people couldn’t get in.

I figured out relatively quickly that my system had TLS 1.0 enabled and the systems that couldn’t access using IE did not. That led me to the FIPS compliant setting in group policy. I actually blogged about this in 2006.
The problem also occurs if you configure that setting on the clients. In January 2008, I also wrote about this setting and the FDCC and what a mistake I thought it was to require clients to turn it on.
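A small diagnostic, added here and not part of the original post, that reads the two client-side settings behind that symptom: the FIPS policy flag and Internet Explorer’s SecureProtocols bitmask (registry locations assumed to be the standard ones), and reports whether the client still has a TLS version enabled that a FIPS-enforced server would accept.

```powershell
# Added example, not from the original post. Registry paths are the documented
# locations for the Local Security Policy FIPS setting and IE's protocol bitmask.

function Get-FipsPolicyEnabled {
    # "System cryptography: Use FIPS compliant algorithms..." is stored as Enabled=1
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Enabled -eq 1)
}

function Get-IeSecureProtocols {
    # Bitmask: SSL 2.0=0x08, SSL 3.0=0x20, TLS 1.0=0x80, TLS 1.1=0x200, TLS 1.2=0x800
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }   # value absent: IE's built-in default applies
    return [int]$v.SecureProtocols
}

function Test-ClientCanReachFipsServer {
    param([int]$SecureProtocols)
    # A FIPS-enforced endpoint refuses SSL 2.0/3.0 and negotiates only TLS,
    # so the client needs at least one TLS bit set to complete the handshake.
    $tlsMask = 0x80 -bor 0x200 -bor 0x800
    return (($SecureProtocols -band $tlsMask) -ne 0)
}

$protocolNames = [ordered]@{ 0x08 = 'SSL 2.0'; 0x20 = 'SSL 3.0'; 0x80 = 'TLS 1.0'; 0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }

"FIPS compliant algorithms policy enabled on this machine: $(Get-FipsPolicyEnabled)"
$protocols = Get-IeSecureProtocols
if ($null -eq $protocols) {
    "IE SecureProtocols value not set; the IE default for this version applies"
} else {
    $enabled = $protocolNames.Keys | Where-Object { $protocols -band $_ } | ForEach-Object { $protocolNames[$_] }
    "IE SecureProtocols = 0x{0:X} ({1})" -f $protocols, ($enabled -join ', ')
    if (Test-ClientCanReachFipsServer -SecureProtocols $protocols) {
        "OK: a TLS version is enabled; a FIPS-enforced ISA publishing rule can be reached"
    } else {
        "PROBLEM: only SSL 2.0/3.0 enabled; connections to a FIPS-enforced server will fail"
    }
}
```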

EV Certs and IE7

I ran into an interesting problem on Tuesday.
I installed Extended Validation SSL certificates on three of our IIS servers, and the ISA front end. Yes, yes, I know. “EV SSL is a scam.” They weren’t that expensive at Digicert and I thought it would be cool to turn the address bar green.
After implementing, I found Firefox computers and non-corporate computers with IE 7 could see the address bar turn green successfully when I browsed to my newly secured site. Surprisingly, IE7 from corporate owned computers could not.
What I realized is that IE7 on XP uses the phishing filter to verify that the site is EV validated. The phishing filter is not on by default for the Internet Explorer Intranet zone. We have *.ourdomain.org in the Intranet zone, therefore no green bar for IE7 XP users.
Vista and IE7 work fine because it supports OCSP.
This is where it got kind of annoying. I expected group policy to be able to enable the phishing filter for the intranet zone. Unfortunately, Microsoft hasn’t provided that for XP. This blog seems to be accurate – http://www.frickelsoft.net/blog/?p=80
So my choices are create an ADM and import it, or open my XP group policy in Vista. This will upgrade the policy, I’ll be able to see the option to enable the phishing filter in the intranet zone, and it will apply to IE7 on XP computers. I’ve been a bit leery of “upgrading” my policies in this way ever since I opened Group Policy from an XP computer and then I couldn’t open the policies at the Windows 2000 Domain Controller (until a patch was deployed from Microsoft).

Friendly DSNs in Exchange 2008

You had me at EHLO wrote about new functionality introduced in Exchange 2007 Service Pack 1, Rollup 4. Exchange is now offering friendly error messages (DSNs). Oh joy.
While it is a funny write up, I’m reminded of the friendly error messages in Internet Explorer. It exchanges one set of technical mumbo jumbo (that is accurate) for something the user still can’t understand (and is less accurate). That’s not progress.
Worse yet, with IE friendly error messages, a webmaster can still use their own custom error messages overriding the browser choice (by having the custom error exceed a certain size). I only see a way for the admin on the server receiving the DSN to enable or disable this translation.
I guess I should wait to see this in action before passing judgement but it sounds worrisome. We should be able to have a custom error.