General: June 2006 Archives
Suzi Turner at Spyware Confidential is blogging on how to disable the Windows Genuine Advantage antipiracy tool. Is this such a good idea? I'm wondering if this would be considered circumventing copyright protection which is specifically illegal under the DMCA.
It seems like since Gerhard Eschelbeck left Qualys I'm spending more time correcting poor Qualys detections than fixing the problems on the servers. If the scan results are not reliable, I am forced to investigate each detection before taking action.
At any given moment it seems like I've got three cases opened asking them for a clarification of scan results. Here are a few examples:
- They are falsely detecting some computers as 64 bit because Emulex creates a registry key Qualys thinks should only exist on a 64 bit computer.
- Flash falsely reported as vulnerable. It said I needed to be running 8a, but I was already running newer version 8b.
- Not reporting systems vulnerable to the latest Symantec Antivirus vulnerability
So tonight, I scanned my servers after they were patched last night. On one computer it says the latest IE patch is not installed because HKLM\SOFTWARE\Microsoft\Updates\Internet Explorer 5.01\SP4\KB916281-IE501SP4-20060519.173353 is missing. That's nice and all, but that computer is running IE6 so there will be no Internet Explorer 5.01 registry key!
Then it says I'm MS06-024 vulnerable, a Windows Media Player PNG vulnerability, because HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player 7.1\SP0KB917734_WMP7 is missing.
HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player 9\SP0\KB917734_WMP8 is missing.
Well, which is it? I can't be running both Windows Media Player 7 and 8. It so happens I'm running Windows Media Player 9, so it's wrong on both counts.
If I've learned anything from my support tickets, it's that the "reason" field that appears to indicate the reason for detection doesn't always give the reason for detection. So who knows if this is really the reason for these false positives. All I know is I'm sick of it. I've been a huge Qualys supporter for years, but the past 8 months are really making me wonder what the other options are.
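The false positive above comes from a scanner rule that tests for a patch marker key without first asking which product version is installed. The following is an added illustration (not the post's own material and not Qualys code): it simulates a version-blind MS06-024 / KB917734 check against a constructed registry snapshot alongside a version-aware check, and also covers the case where the product is absent. The marker key paths are the two quoted in the post; the version-value path and the snapshot contents are constructed placeholders.

```python
from typing import Dict

REG_ROOT = r"HKLM\SOFTWARE\Microsoft\Updates"
# KB917734 marker keys the post says the scanner looks for, keyed by the
# Windows Media Player version each marker belongs to (paths as quoted in the post).
KB917734_KEYS: Dict[str, str] = {
    "7.1": REG_ROOT + r"\Windows Media Player 7.1\SP0KB917734_WMP7",
    "9": REG_ROOT + r"\Windows Media Player 9\SP0\KB917734_WMP8",
}
# Constructed placeholder for where the installed WMP version is read from;
# not a real Windows registry location.
WMP_VERSION_VALUE = r"HKLM\SOFTWARE\Example\WMPVersion"

Registry = Dict[str, str]  # constructed flat snapshot: full key path -> value


def naive_check(reg: Registry) -> str:
    """Version-blind rule: flag the host if ANY expected marker key is absent.
    This reproduces the behaviour the post complains about."""
    missing = [key for key in KB917734_KEYS.values() if key not in reg]
    return "vulnerable" if missing else "patched"


def version_aware_check(reg: Registry) -> str:
    """Test only the marker key that belongs to the version actually installed."""
    version = reg.get(WMP_VERSION_VALUE)
    if version is None:
        return "not applicable"  # product absent, so the advisory cannot apply
    key = KB917734_KEYS.get(version)
    if key is None:
        return "needs review"  # a version the rule carries no marker for
    return "patched" if key in reg else "vulnerable"


# Constructed snapshots of three hosts.
WMP9_PATCHED: Registry = {WMP_VERSION_VALUE: "9", KB917734_KEYS["9"]: "1"}
WMP9_UNPATCHED: Registry = {WMP_VERSION_VALUE: "9"}
NO_WMP: Registry = {}

if __name__ == "__main__":
    hosts = [("WMP9 patched", WMP9_PATCHED),
             ("WMP9 unpatched", WMP9_UNPATCHED),
             ("no WMP", NO_WMP)]
    for name, snap in hosts:
        print(f"{name:15} naive={naive_check(snap):11} "
              f"aware={version_aware_check(snap)}")
```

The patched WMP9 host is reported vulnerable by the version-blind rule only because the WMP 7.1 marker is absent, which is exactly the "which is it?" result described above.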
Alex over at Sunbelt Software blog is having a temper tantrum over what he terms the predatory pricing of Microsoft OneCare and Frontbridge. Imagine what he'd be saying if they were giving it away as they probably should be.
I don't really follow this all that closely. I'm currently a user of Microsoft Antigen and the price quotes for Frontbridge seem to be what I'm paying for Antigen now. So I don't see the predatory pricing. Further, he says Microsoft has gone outside the norm in their pricing method. The reality is that Sybari was always a subscription-based model where the software is licensed for a period of time only. This is not a change.
The legacy antivirus vendors should be on notice. If they want to continue with the same crappy products bundled together for higher prices, it will no longer work. Alex says that Microsoft will stifle innovation. I say the opposite. AV companies need to get off the bench and create better products.
I don't want to be responsible for Rod not finding out about Sunbelt Software's weblog. So here's my OPML file.
Is it just me, or is the term zero day being co-opted to mean 'we've got product to sell' instead of 'an attack for which no patch is available'?
Saturday night, I swapped an ISA 2000 server with an ISA 2004 server running Windows 2003 SP1. Since I had new hardware I was able to set it up beforehand and cut over without too much trouble. The main problem I had was that on my test computer I had TLS 1.0 and SSL 3.0 enabled, so I didn't notice that SSL 3.0 was not enabled on the server. On IE6, TLS 1.0 is not enabled by default (pretty stupid in my opinion). So I had to go into the security policy and disable the requirement for FIPS encryption.
POWWEB, the hosting company I use, was purchased and we migrated over to a new platform this week.
One of the things about the new company is they want your password when you contact support. Perhaps I'm kind of naive, but I expect when I provide a company a password that it is stored as a hash and the support drones are far from it. A system administrator could get it, but not a support drone. Either my webhost is storing the passwords in clear text, or it's encrypted but accessible by support, or they create a hash from the password I give them and compare it to the stored hash. Either way the potential for harm here is great.
Most people at best have 2 levels of passwords. One for the bank and another for all the throwaway accounts, mailing lists, etc. So what happens now, a support drone at my webhost is able to go to Amazon, Fidelity, Bank of America and check if I used the same username/password there? Have these people not heard of insider attacks? Do they not read the news and see the AOL employee who sold the account roster to spammers? Do they not know of the Indian call center employees who are transferring money from customer accounts?
So what am I supposed to do, have a different password for every account that's out there? That will be really convenient.
The security gadflies thought they were onto something with the announcement that if a shortcut were named www.example.com and you typed that into your browser, IE and Netscape would run what that shortcut pointed to.
The reason this isn't a huge security vulnerability is that an attacker would have to be able to create files on the system for it to occur. Not much of an attack.
Adobe Reader 7.0.8 is out. The release notes indicate:
Security: several security bug fixes have been made, including one considered critical
According to Adobe a Critical vulnerability is "A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."
Why must Adobe be so mysterious? These vendors that hide critical security flaws behind "unspecified bug fixes" really annoy me. I have no way to know how important this patch is for my environment. It's like a product recall. They want to just update you silently because otherwise they'll get bad press for having a security flaw.
I posted here and here on May 20th regarding exploitation of the Invision Power Board bulletin board used in Movable Type's support forum, such that the BB would serve up WMF exploits via IFRAME.
I even submitted the incident along with links to the Secunia writeup to SANS and it was published in the ISC on May 21st.
Looks like whoever is running the Circuit City Home Theatre Discussion Boards didn't get the message. According to CNET they were 0wned in the same fashion. I think it is interesting to note that unlike Movable Type, Circuit City is notifying the registered users of that board. On the other hand, Circuit City apparently didn't find out about the event until notified by the SANS ISC.
The WMF exploit came out at the beginning of January. So people really should be patched and, on top of that, have antivirus. Imagine if they'd been using a newer exploit.