Recently in Microsoft Category

Microsoft published a security bulletin for Flash 6 which is included in Windows XP. MSKB 979267 recommends removing Flash 6 and installing the latest version of Flash from Adobe.

Maybe its just me, but I think since Microsoft included Flash 6 in the default XP install, shouldn't they be responsible for patching it? Flash should be part of Microsoft Update.

Fortunately Flash 6 is ancient. I believe a lot of Flash content will prompt you to upgrade to Flash 8 or 9 rather than allow you to use such an old version. Even so, a lot of vulnerable Flash remains.

I've had my own rants about the tech media. I particularly enjoyed Ed Bott's ZDNet article on "What the Black Screen of Death Story says about Tech Journalism". check it out.

We have the beginnings of a Windows 7 deployment project. As part of that I've been asked to develop a presentation for the director regarding local admin rights.

At our company it seems local admin rights is sacrosanct. On the other hand, I was once told Universities couldn't have firewalls because of academic freedom. Now I understand that is no longer the case.

We last tried limiting user rights under Windows 2000. That involved a limited group of users, mostly secretaries and the corporate division. It fell apart quickly as the helpdesk was able to give users admin rights to get around problematic applications rather than taking the time to fix the application.

Applications and operating system support has improved for limited rights accounts has changed significantly since Windows 2000. Nevertheless it remains a political and technical hot potato.

The Federal Desktop Core Configuration (FDCC) requires the use of limited rights. This process is more about reminding senior management of the problems with users doing whatever they want, and getting them to sign a waiver for the FDCC requirement.

Right now I have what I think is mission impossible.
1. Demonstrate the problems caused by users being able to do whatever they want. Unfortunately our helpdesk is allowed to work without recording tickets accurately. Also virus incidents are not fully investigated so it is impossible to say x virus incidents occurred because the user was an administrator or Y systems were reloaded because the user installed a bunch of crap.
2. Show that our customer (the Federal government) is not giving users local admin rights. I can say what is required. But I really have no connection into the CSO office at each customer to determine their FDCC compliance.
3. Show that companies like us are limiting local user rights. Again, I'm not sure how I can do this. I dont see a Gartner report on this.

I have a month to put this together so we'll see what I can come up with.

I was reading this morning about an ISA authentication bypass that effects a very specific configuration scenario. (Doesn't effect my setup). Read more about it on the ISA blog.

It put a smile on my face to think that somewhere Thomas Shinder is kicking a hole in a wall.

Steve Riley posted in his latest blog entry that he was a victim of layoffs at Microsoft.

Steve's new blog is over at MSInfluentials (also the home of Jesper Johansson's occasional blogging.

Steve and Jesper wrote Protect your Windows Network.

Best wishes on the job hunt

I've been working on upgrading ISA 2004 to ISA 2006 (on new hardware as well). We use SecurID authentication at ISA, and then Forms Based Authentication on the Front End OWA server. While this had worked fine with ISA 2004, it didn't work at all under 2006.

A quick Google found one post on a Microsoft forum with the same problem. Their conclusion was that this was not possible. The poster cited a ISA 2006 book as saying it was an either/or situation. "You can't do Forms Based Authentication on both ISA and OWA."

Fortunately, I searched a bit more and found a solution. http://support.microsoft.com/kb/935206

I found I already had files newer than those in the referenced patch. By running the script and configuring OWA publishing as a regular web publishing object, I was able to get it to work.

(Ok, a typo in the subject, but it was funny so left it in)

The Technet blogs require registration to comment, and don't allow me to use my Microsoft Live account to log in, much less openID. I didn't feel like registering for yet another "community" so I left without commenting.

The ISA server product team blog at Technet wrote about a case where the customer Cannot Browse a HTTPs Site Published by ISA Server 2006 without using TLS 1.0 on Internet Explorer

I chuckled reading that headline because I've been there before.

When I upgraded to ISA 2004, I installed from scratch and applied a recommended hardening policy. I tested it with my computer using Internet Explorer and Firefox, and went home happy. I couldn't understand why I received email from my manager reporting that people couldn't get in.

I figured out relatively quickly that my system had TLS 1.0 enabled and the systems that couldn't access using IE did not. That lead me to the FIPS compliant setting in group policy. I actually blogged about this in 2006.

The problem also occurs if you configure that setting on the clients. In January 2008, I also wrote about this setting and the FDCC and what a mistake I thought it was to require clients to turn it on.

I ran into an interesting problem on Tuesday.

I installed Extended Validation SSL certificates on three of our IIS servers, and the ISA front end. Yes, yes, I know. "EV SSL is a scam." They weren't that expensive at Digicert and I thought it would be cool to turn the address bar green.

After implementing, I found Firefox computers and non-corporate computers with IE 7 could see the address bar turn green successfully when I browsed to my newly secured site. Surprisingly, IE7 from corporate owned computers could not.

What I realized is that IE7 on XP uses the phishing filter to verify that the site is EV validated. The phishing filter is not on by default for the Internet Explorer Intranet zone. We have *.ourdomain.org in the Intranet zone, therefore no green bar for IE7 XP users.

Vista and IE7 works fine because it supports OCSP.

This is where it got kind of annoying. I expected group policy to be able to enable the phishing filter for the intranet zone. Unfortunately, Microsoft hasn't provided that for XP. This blog seems to be accurate - http://www.frickelsoft.net/blog/?p=80

So my choices are create an ADM and import it, or open my XP group policy in Vista. This will upgrade the policy, I"ll be able to see the option to enable the phishing filter in the intranet zone, and it will apply to IE7 on XP computers. I've been a bit leery of "upgrading" my policies in this way ever since I opened Group Policy from a XP computer and then I couldn't open the policies at the Windows 2000 Domain Controller (until a patch was deployed from Microsoft).

You had me at EHLO wrote about new functionality introduced in Exchange 2007 Service Pack 1, Rollup 4. Exchange is now offering friendly error messages (DSNs). Oh joy.

While it is a funny write up, I'm reminded of the friendly error messages in Internet Explorer. It exchanges one set of technical mumbo jumbo (that is accurate) for something the user still can't understand (and is less accurate). That's not progress.

Worse yet, with IE friendly error messages, a webmaster can still use their own custom error messages overriding the browser choice (by having the custom error exceed a certain size). I only see a way for the admin on the server receiving the DSN to enable or disable this translation.

I guess I should wait to see this in action before passing judgement but it sounds worrysome. We should be able to have a custom error.

By now you've probably read that Microsoft has released patches as scheduled for the second Tuesday of the month.

Hopefully if you're a home user you have the computer set to update these patches automatically and if you're a corporate user, your company is on schedule.

When I got up this morning I found that Secunia Personal Software Inspector was giving me a false positive on MS08-072, a Microsoft Word patch. Oddly, PSI was reporting my winword.exe version correctly and it matched the patched version posted in the Microsoft bulletin.

[update] this has been fixed by Secunia.

Its one thing to have false positives in corporate vulnerability scanners. I'm kind of used to those. But this software is targeted at your typical end user. Too many of these and the software will be ignored or uninstalled.

It looks like people need to apply Office 2003 SP3 before they can apply MS08-072. That has nothing to do with my Secunia problems. I'm just noting it because I'm sure there are many companies where there are pockets of computers that missed the service pack. Microsoft Office 2003 Service Pack 2 -- Support Ended October 14, 2008,

Microsoft does not normally release a security update outside the regular patch Tuesday. That they have chosen to push out this update indicates that it should be taken seriously.

http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

"This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter. The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests."

Home systems should really be set to install patches automatically.
At work, the processes to deploy patches are hopefully well defined.
So there is really no point in running around in a panic, its just not that interesting. Potential for a new blaster just doesn't equal a new blaster. People are much more likely to have established patching programs and have personal firewalls in place. So get patching, but no need to freak out.

Today I listened to a recording of Paul Cooke posted at MyitForum, Director in the Windows Client division specializing in security, where he discusses BitLocker Drive Encryption, and how it has been extended in Windows Vista SP1.

Its been a while since I'd read anything on bitlocker. Since GuardianEdge did a number on my laptop I am interested to see if its worth continuing with GE if we ever upgrade to Vista.

SP1 enhancements:
- Can now require TPM, PIN and USB all together.
- Can now encrypt data volumes instead of only the OS/primary volume.

TPM 1.2 is required (if you use the TPM option). That sounds like quite a hassle, making sure the TPM chip is enabled on the computers that are coming in.

Recovery involves a 48 digit PIN. That sounds like a real joy to read off to the end user. What rights does the helpdesk need to access that number anyway? With our current product while you are reading off numbers to the user, there is a check digit returned to verify correct entry.

I found that I couldn't remotely access the registry or event viewer on my kiosk computers. I was rebuffed with a "Access Denied" error message. My kiosk computers are locked down via Group Policy so that was my first suspect.

I looked through the kiosk Group Policy and didn't find anything obvious so I checked with a co-worker. He found a KB article that pointed out that the permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg control remote access to the registry and event log. That had slipped my mind.

It turned out that the group policy (originally a Windows 2000 group policy) had applied permissions to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg. The setting removed the native XP permission and replaced it with a more restrictive permission . Windows XP uses the local service account for remote registry access. My policy removed that necessary permission. To resolve the problem, I gave local service read access to the registry value. See MSKB892192 for step by step instruction.

I'm sure some people will read this and think gee what a moron, but it may save some other people a few minutes.

After installing Symantec Endpoint Protection, I found that the Windows Firewall was still enabled on my computer. I had set up a WMI filtered Group Policy that disabled the Windows Firewall if SEP11 was installed. Eventually, I remembered that I created the firewall disable policy on Windows 2003, and that was not going to be able to manage the Vista policy. While I could disable the XP firewall, there were some Vista options not available in that policy.

I notice there are some things called Vista Extensions for Group Policy, perhaps that would have added the missing pieces to my Windows 2003 GPMC, but I don't know.

I set out googling GPMC and Vista. I was beset by websites talking mostly about release candidate versions of Vista. There were a few pre-SP1 articles complaining that it was being removed. Even searching at Microsoft.com didn't help. I finally found a forum post that linked KB941314, the Remote Server Administrator Tools for Vista SP1 and Windows 2008. I installed that, but apparently didn't read the instructions because I still couldn't find the Group Policy Management Console after the installation concluded.. Eventually I found a post indicating the need to install the KB then go into the control panel -> Programs -> Programs and Features and add new windows features.

I ultimately solved the problem I was trying to solve, after wasting a lot of time.

While reviewing the results of the latest windows domain password audit, I noted that there was an increase in the number of lanman hashes stored. We had two domain controllers blow up recently and they had to be rebuilt from scratch rather than restored from backup. I correctly figured that on one or both of those DCs the disable lan man setting had not been implemented correctly.

I knew that on a Windows 2000 domain controller this setting needed to be added manually. The Group Policy setting only effects XP and Windows 2003 computers. I didn't remember what the registry setting was so I sent to http://support.microsoft.com/kb/299656,

I read

To add this key by using Registry Editor, follow these steps: 1. Start Registry Editor (Regedt32.exe).
2. Locate and then click the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.
4. Quit Registry Editor.
5. Restart the computer, and then change your password to make the setting active.

In my haste, I forgot about the difference between a Key and a Value. I saw that the domain controller had HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa with Nolanman hash set to dword value 1. I compared that to the other domain controllers and didn't see why that domain controller wasn't working.

It took a second to realize that was the Windows 2003 setting set by Group Policy. For Windows 2000, you need to go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and create a key of nolmhash. That isn't the same thing at all. A quick check verified that this setting was missing on the new DCs and existed on the old DCs. We set the registry key and scheduled a reboot.

David LeBlanc takes the occasion of a Excel zero day to say see I told you so. Excel 2003 SP3 is not vulnerable.

I'd like to know if SP3 is not vulnerable because of the disabling of support for old file formats, or if its not vulnerable due to the other assorted fixes in the service pack. David implies its that latter saying " We did a _lot_ of work fuzzing our apps and fixing bugs. While I'll never claim that SP3 is unbreakable, it's a lot more robust than Office 2003 was previously, and this probably won't be the last time we see an advisory over something that affects SP2 but not SP3."

I was just thinking if its not vulnerable because obsolete file formats are disabled (security over backwards compatibility), then people who follow information in this KB to enable those file types are still vulnerable. I guess we'll find out when the patch is released and more information is available. Until then I'm going to go put a bug in someones ear at work about upgrading to SP3. We can't afford to wait until all of our other apps support Office 2007.

I just noticed that Microsoft released a new tool called the EFS Assistant back in May.

One of the big drawbacks to using EFS is enforcing what folders are encrypted. It seemed like unless you wrote some convoluted script using cipher, what was encrypted was in the hands of the user. I prefer to leave as little security as possible in the hands of the end user.

There are still many drawbacks to using EFS, but this tool helps with one of those issues.

According to Microsoft Technet MS07-016 is included in Windows 2003 Service Pack 2.

However, if you install IE7 after installing SP2 for Windows 2003, you end up with a wininet.dll that is version 7.0.5730.11. According to MS07-016, this is a vulnerable version of this dll.

So now, we're in a pickle. As of Monday, Windows Update did not recognize a need for MS07-016 on this computer. The Security Bulletin does not address this scenario.

I contacted our Microsoft Technical Account Manager. He contacted the security group at Microsoft who verified that the system is vulnerable and we must reapply the patch. Fortunately the Cumulative Update for Internet Explorer 7 for Windows Server 2003 (KB928090) worked on this system even though the patch says its for Windows 2003 SP1.

The Microsoft Security Response Center writes today that the DNS server patch is on target for May 8th.

"support for the legacy WSUSSCAN.CAB expired in March 2007, you need to ensure that your detection and deployment tools now support the new WSUSSCN2.CAB file. There will be no support for the security update for this issue in the old WSUSSCAN.CAB architecture. "

If you use MBSA 2.0 in offline-scan mode, you will need to use MBSA 2.0.1. If you use the SMS 2003 Inventory Tool for Microsoft Updates (ITMU), you need to ensure you’re using version 3 of that tool.

Next, a reminder that as part of our standard Microsoft Support Lifecycle, support for Windows Server 2003 expired on April 10, 2007 with the April monthly bulletin release. Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 are the currently supported versions."

While I think the ITMU requirement came up last month, I suspect a lot of people will be caught flat footed with the Windows 2003 RTM expiration.

SANS is reporting that successfull attacks were seen on April 4th against Windows DNS servers at two U.S. Universities.

We've disabled remote management of DNS. It would be a bad thing™ if our domain controllers were compromised. Don't forget to check for other places you might use Microsoft DNS. Some systems up on our DMZ are running Microsoft DNS. Fortunately those are all firewalled correctly.

http://support.microsoft.com/kb/935964

While reloading my computer, I found that there is an upgrade to Microsoft Desktop Search. Version 3 does have one imrovement. It has the capability to index file shares. That could be useful.

So far I'm struggling with one drawback. In the past I have indexed multiple mailboxes. This makes it easier to find account approval emails that might be in on several accounts. I have the two additional accounts opened with this Outlook Profile.

First I tried disabling the new default setting in Desktop Search to only index the local cache. These mailboxes are not part of the local cache. That didn't help. I have two thoughts left, set up the extra accounts as IMAP accounts or check if the indexing in Outlook 2007 is better.

We have a Windows 2003 64 Bit Edition with Service Pack 2 installed. Our vulnerability scanner is reporting that this server is vulnerable to MS07-013 because %windir%\system32\riched20.dll version is version 5.31.23.1225. According to the security bulletin http://www.microsoft.com/technet/security/Bulletin/MS07-013.mspx this should be version 5.31.23.1226. Neither Microsoft Update or MBSA detect a patch needed on this system.

Is MS07-013 included in Windows 2003 sp2? Is the system still vulnerable? Who knows!

It is not included in the list of updates included in Windows 2003 SP2 http://support.microsoft.com/kb/914962

If %windir%\system32\riched20.dll version 5.31.23.1225 is considered “patched” in Windows 2003 sp2 than we need the security bulletin updated. If it is not patched then I need a patch released.

I've sent a note to my Microsoft TAM. We'll see what happens.

I notice that a mailing list at patchmanagement.org reports four other curious patches. Those patches all have correct file versions on my server.

update - I heard back from my TAM. He provided this link which indicates MS07-013 is included in Windows 2003 sp2. While it doesn't specify the version number to expect, it does say it will be earlier than if you applied the patch to a sp1 server.

http://blogs.technet.com/msrc/archive/2007/04/03/an-inside-look-into-building-and-releasing-ms07-017.aspx

SANS is reporting the the Microsoft ANI patch may be causing some problems. That's the kind of headline that strikes fear into someone who is about to "release the hounds" and push patches to the enterprise.

The article fails to mention specifics about any of these bugs other than one bug when interacting with a specific third party software. A patch for that was available at the same time Microsoft released the ANI patch.

A second reading shows that they've only "received a few emails." So in the vast SANS audience they've found a few computer problems. That's probably par for any software installation. I would suspect that the importance of this update has brought people out of the woodwork who haven't updated for a while.

Its now been 18 hours since that entry was posted, and it has not been updated. You'd think when you raise questions about a patch, you'd follow up with an all clear or confirmation of what is breaking.

As announced originally when they went to the "patch Tuesday" practice, Microsoft does release patches out of cycle as events warrant. Microsoft has announced that a patch will be released Tuesday April 3rd.

.

http://www.microsoft.com/downloads/details.aspx?familyid=e41d8800-d134-4356-a2e7-c01bee790908&displaylang=en

Ever since installing the Remote Desktop Connection version 6 client on my XP computer, it seems like every system I connect into has problems with Accessibility shortcuts suddenly becoming active. The "k" brings up the narrator, the "l" locks the computer, "d" seems to minimize. Its driving me crazy. If I am logged into the system, I can often hit the windows key a couple of times to get the normal keys back. When the computer is locked I often have to disconnect the session and then reconnect to be able to log in.

I just heard about a Microsoft KB article posted back in September. It seems that MBSA 1.2.1 does not support IE7. As a result, if you have IE7 installed and you're using the Security Update Inventory Tool for SMS (based on MBSA 1.2.1) than IE patches might be repeatedly advertised to your computer.

I haven't noticed this problem yet, but it certainly puts a new light on how I view users installing IE7 on their own, and also the relative importance of upgrading our SMS implementation to use the newer ITMU scanner.

I checked my email logs to see if our Microsoft Technical Account Manager had warned us about this. No email from him, but I did get an alert from kbalertz

Matt Drudge should stick to what he does best; linking to other people reporting news and repeating rumors that reputable newspapers can't publish without confirmation.

Where is the source for the information he posted today?

MSFT facing early crisis of confidence in quality of VISTA; security researchers, hackers find potentially serious flaws in system... Developing...

It is rather typical for anti-Microsoft people to talk them down new Microsoft releases while at the same time claiming that Microsoft has promised them to be bug free. Can we settle this now? Microsoft Vista will have better security than XP. Just as XP had better security than 2000 and 2000 was better than NT4. Does better mean bulletproof? There is no such animal.

What security flaws are in the news that would lead to this supposed "crisis of confidence."
Is it the Windows Client/Server Runtime Server Subsystem (CSRSS) privilege escalation vulnerability? Reported here. A privilege escalation vulnerability means that a logged on user can gain higher rights than those already assigned. This is bad, but its not like a WMF vulnerability or a blaster vulnerability. The way most people currently use a computer, where everyone runs as admin ,this attack would not even be needed.

The metric for evaluating Vista isn't when the first vulnerability is publicly announced. Vista will be evaluated based on the number of patches it doesn't need that XPsp2 does. It will be evaluated on the number of patches in the first year, not the first month. It will be evaluated based on the severity of the patches.

Lets look at history, the other products developed under the security lifecycle have done great. Matt Drudge don't hype vulnerabilities that you don't understand.

-- Update -- Drudge now has a link to a New York Times article.

It doesn't take a lot of prognosticating power to see that the bad guys are focusing in Office attacks.

George Ou writes Is Microsoft Office Becoming a Zero Day Liability All Year Long.

That ought to get the Firefox sheep to try Open Office. Unlike IE, that would really hit MS in the ole pocketbook. Of course integrating Open Office into an enterprise patching strategy could be a problem. But then that didn't slow down some companies at all with Firefox.

Michael Daw is at it again. In September SANS reported on his report of a vulnerability in Adobe Reader and Adobe Professional whereby an external webpage could be opened without further user interaction if a user opens a malicious PDF document.

Now, SANS is reporting on a similar vulnerability he accessed through IFRAMEs in Microsoft Word.

Michael's website is not accessible right now. I remember checking out the sample pdf files on his site back in September.

A couple of graduate students have written an article in The Register reporting that the IE7 critical update is causing headaches for managed environments.

If these really are managed environments how is it that patches are being deployed without the I.T. departments knowledge? Why wasn't the IE7 blocker deployed? It was available a long time before IE7 was released to Windows Update.

The authors make a weird comment:

"For those organizations wishing to hold back a little further until these potential issues are sorted out by a later IE service pack (we are already on SP2) "

The problem they are reporting is that the home page can be changed by the user, it isn't locked down. Because the article is poorly written we don't know how the home page was originally locked. So we really don't know if there is actually a problem. Again, in a managed environment, you deploy the blocker (which admittedly only prevents accidental installs) or you don't provide your users with local administrator rights. Either way, you would have tested this desired functionality (preferably in the year long beta of IE7) so you're not surprised.

I wonder what method they used to try to lock the IE home page? Did they lock it with the IEAK for IE6, and then they are surprised it doesn't work with IE7? Or did they attempt to lock it with Group Policy and it doesn't work. I'm kind of curious.

I haven't seen this myself. In our environment we're just beginning to work with the internal application administrators to verify that IE7 will work with our HR, Finance and Payroll websites.

In a managed environment, you should deploy the Toolkit to disable automatic delivery which oh by the way was released in July, and use the Internet Explorer Administrators Toolkit 7 to deploy with the correct settings.

Microsoft has posted the Vista Security Guide.

Its been reviewed by NIST and the NSA.

I spoke with my Microsoft TAM today about how to add the additional registry tweaks found in the XP Security Guide into my Group Policy. I had expected to find *.adm files with the configurations.

The instructions in the XP Security Guide helped me import those settings into Security Templates and Security Configuration Editor, but I wasn't able to import that new template into Group Policy. It turns out I made a rookie mistake. My domain controllers are Windows 2000. So when I created a new policy on the 2000 domain controller and tried to import an XP policy with these 'extra' settings it understandably choked on that. What I needed to do was use AD Users and Computers on my desktop, connect to the domain controller and create the new policy. By doing that the policy is upgraded to "XP" and I'm able to import the XP policies including the new extra registry tweaks I had added.

The XP Security Guide from Microsoft makes it really easy to add their security tweaks. But what if you had some others you wanted to add. Well first I would search carefully to see if what you want is already in group policy. No need to reinvent the wheel.

If you really do need to create your own registry settings, there is still the old school adm way, but you can now add the settings to your security template using instructions here.

As I've mentioned, I've been hard at work adapting the NIST Windows XP hardening guidelines in 800-68. Any hardening guideline should be examined for appropriateness to one's corporate environment.

One thing I noticed about both NIST's writeup and Microsoft is that neither provides an ADM template. They both have settings that are not part of group policy such as disabling autorun or disabling auto admin logon. Microsoft seems to be providing a vbscript that will "patch" the Security Configuration Editor to have these settings. That would work well when I am applying the security settings to a computer being used to create a disk image for future deployment, but I dont see how I could use that to deploy through group policy.

Unless someone has a better idea, it looks like I'm going to be creating my own ADM file soon.

Great post by Security MVP Alun Jones about the API Kernel access Microsoft is giving vendors.

He says, the tech press may be awarding victory to the antivirus companies, but the bottom line is they still dont have the right to hook the kernel in crash inducing ways. They have been provided access to a documented API, which after all is what an API is for.

- - Six bulletins for Microsoft Windows. The highest severity rating for these issues is 'Critical'.
- - Four bulletins for Microsoft Office. The highest severity rating for these issues is 'Critical'.
- - One bulletin for Microsoft .NET Framework. The severity rating for this issue is 'Moderate'

So there is a new vulnerability (announced last week) accessed through Internet Explorer. Microsoft describes it as a Windows Shell vulnerability. You may see it listed through other sources as a setslice exploit.

The SANS ISC set their Infocon alert status to Yellow. Of course, they do this to increase "awareness" not because of any specific widespread threat. F-Secure reports that while its out there, they aren't seeing it in huge numbers.

Of the mitigations listed, my favorite is to set the activeX kill bits.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

The problem with this mitigation (as with most mitigations) is understanding the potential impact. Microsoft reports that performing this step could cause "Web sites that use the WebViewFolderIcon ActiveX Control to no longer display or function correctly." But there is no statement regarding how common this will actually be.

Additionally, I wonder if this will effect viewing folders locally. I dont know. The phrase WebviewFoldericon makes me wonder.

Lastly, while creating an activeX kill bit is easy, I feel like it is more difficult to put the computer back to its original state after the patch.

The bottom line is that I dont feel like I have enough information to make a decision.

The Microsoft System Integrity Team Blog has posted a link to the Bitlocker Cryptographic algorithm.

The amazing thing is that the paper is from Microsoft, on Microsoft's site, yet its in PDF. I'm kind of used to Microsoft documentation being placed in a signed self-extracting archive. In the article they discuss why existing ciphers were not satisfactory. They are using AES in CBC mode, but using a dedicated diffuser for security against manipulation attacks.

In the crypto world, an algorithm needs to be widely examined before it is trusted for use. In this paper, Microsoft explains why they have combined a widely tested AES-CBC with a new component, the Elephant diffuser. They feel that this gives the best of both worlds, the tested security of AES-CBC, and the additional security properties of the diffuser.

Wow, that's some hit piece that Rob Pegoraro writes in today's Washington Post. To him the 5 year anniversary is not something to be celebrated. That really shouldn't be a surprise. Newspaper tech writers always spend a disporportional amount of time advocating for Mac and Linux rather than writing about the software people actually use. He thinks because he hates Microsoft everyone else does to. Hey it worked with Haliburton. Just keep repeating "Microsoft sucks" enough times, and sooner or later the sheep will believe it.

Rob ends his article by crapping on Vista ("imagine the unknown bugs in vista"). Well, the fact is that since starting the new secure programming initiatives at Microsoft, the new products they've turned out have been rather good. Are there going to be problems? Sure anytime you do something new things dont always go as expected. Will people like Rob scream to high heaven when some backwards compatiability is gone and some insecurely written programs no longer work? You bet they will.

I bet the first days of Vista wont look like this.

Microsoft is reporting that there is a zero day in Vector Markup Language. This can be vulnerability can be exploited to install software (such as spyware) without your knowledge when your visit a website in IE or open an email in Outlook.

Currently there are some workarounds and Microsoft is planning on releasing a patch on patch Tuesday in October. By implementing the workarounds, websites that use Vector Markup Language will no longer work correctly. I have not seen any reports of just how bad that would be.

The mitigation options are deregister the VML DLL or change the ACL for that dll so the everyone group is denied access.

Jesper has an example of how to create a security template to deploy this file permission through group policy.

The problem with these methods is that you are making a security change that is really weird, and you dont know how it will effect the patching process when an official patch is released. With the WMF patch, the people who disabled this, needed to re-enable it in order to apply the patch IIRC. While that may be easy on an individual computer, is kind of worrisome for a enterprise.

Microsoft has published a security advisory regarding a DirectAnimation Path ActiveX control vulnerability in Internet Explorer versions prior to IE 7. This vulnerability could be exploited to install software on your computer without your knowledge.

One of the best ways to protect yourself against these ActiveX attacks is to set ActiveX kill bits to disallow execution of the exploitable control. I typically use Java Cool Software's Spyware Blaster for this purpose. To do this manually,

set the kill bit for a CLSID with a value of {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400

Or SANS has provided an app to set/unset this kill bit.
http://isc.sans.org/diary.php?storyid=1706

One note about ActiveX kill bits. They tell an ActiveX control not to run in IE. In the past there have been vulnerabilities that would allow malicious code to ignore this disable bit. It should work now if you are up-to-date on patches.

Until a patch is provided you should take steps to mitigate this risk.

MS06-042 is causing issues with CA Servicedesk even when XP sp2 is the Operating System. The previously reported fix for MS06-042 is for Windows 2000 and XPsp1 only. There is an announced MS06-042 rerelease of MS06-042 due by August 22nd. The release is said to be for all versions of IE6sp2. Its hoped that means this problem will be resolved. Some people think the release will only contain the currently available hotfix.

The SANS ISC covers the issue here.

SANS mentions the MS06-042 problem that I spoke of here. They are reporting that Internet Explorer crashes when accessing some websites while using WINXPSP1 or Windows 2000. They mention Peoplesoft web applications in particular.

A hotfix is now available at http://support.microsoft.com/kb/923762/en-us

I first saw this over at myitforum and verified it in my own testing. After applying MS06-042 to a Windows 2000 sp4 computer, I am unable to go to www.theregister.co.uk using IE6sp1. IE crashes and offers to send a report to Microsoft.

I've checked over the known issues and caveats, and I dont see the problem listed clearly there. It could be that TheReg needs to clean up their code a bit. I also called my TAM who hasn't heard of that being a known issue (other than the caveats regarding activex and java). The Register is a major tech news site, so I'm expecting to hear more about this.

This could be interesting because 35-40% of my enterprise has Windows 2000. How many sites could potentially have similar problems. What's odd is that the front page of www.theregister.com doesn't have this issue, its only when I click on links which then call the mothersite that a problem occurs. I think its something in their advertising.

UPDATE - My TAM has recommended disabling HTTP 1.1 as a workaround. I wasn't able to reproduce the problem today, so I didn't try that. I have heard that the problem is with sites using compression and that an update will be out this week.

Should Microsoft Update Patch Third Party Device Drivers? Alan Paller says yes.

Would the patches be deployable through SMS SUS Security Updates or ITMU? I'm not sure they could do that before the next SMS update. If its only available through Microsoft Update, that doesn't do me a lot of good.

I'm not sure why Alan thinks that Microsoft should patch everything on the system. Perhaps they should update drivers that came on their own Windows distribution CD, but in most cases the drivers are installed by the OEM not Microsoft. Its like asking Microsoft to provide patches for Winamp.

Its already incredibly difficult for them to fully q/a their own patches. Imagine trying to q/a third party device drivers. I think the emphesis should be on using SMS to make it easier to deploy these third party apps. The SMS 2003 R2 CAB system that Flash 9 is taking advantage of is probably the right direction.

Our vulnerability scanner is reporting some servers as vulnerable to MS06-038, which is a vulnerability in powerpoint. It is detecting this because C:\Program Files\Common Files\Microsoft Shared\OFFICE*\MSO.DLL is the wrong version. These systems for the most part don't have office on them. MSO.dll also gets installed as a component of Visual Studio.

When you look at the list of effected components for MS06-038 here, it lists Visual Studio. But then in the security bulletin itself, there is no mention of it.

It is my understanding that the vulnerability is in mso.dll so the system could still be vulnerable. The question is how to fix it?

Reviewing my RSS feeds this morning, I see that Jesper Johansson has announced his resignation from Microsoft. He is going to a security position at Amazon.

Jesper has been a primary source for me in determining the best way to secure my Windows network. The book "Protect Your Windows Network From Perimeter to Data" by Jesper and Steve Riley is the first thing I turn to, followed by Microsoft's Windows 2003 Security Guide (which he had a hand in), and then I look at Steve Fossen's SANS course material.

Microsoft is losing a great resource. Although I've never even met Jesper, I feel like i"m losing a valued colleague.

We finally got around to disabling the LAN Man Hash value on our domain controller.

As Jesper Johansson and Steve Riley say in Protect your Windows Network,

Ideally this setting will never have any direct impact on security because if it does it means your domain controller has been hacked; but just in case, we recommend disabling storage of LM hashes. In most cases, the primary benefit of this setting is that it breaks compatibility with Windows 9x

We've had it disabled in the test domain since I posted in March. I'm still nervous about whether or not this will break anything. Anything that does break, wont be discovered until the next time the user changes their password. That is because the LM hashes aren't dropped from the table when this setting is enabled. It is only dropped at next password change.

I see in Mark's Sysinternals blog that they've been bought by Microsoft.

Congratulations to Mark and thanks for the great tools. Best of luck at Microsoft.

Alex over at Sunbelt Software blog is having a temper tantrum over what he terms the predatory pricing of Microsoft Onecare and Frontbridge. Image what he'd be saying if they were giving it away as they probably should be.

I dont really follow this all that closely. I'm currently a user of Microsoft Antigen and the prices quotes for Frontbridge seem to be what I'm paying for Antigen now. So I dont see the predatory pricing. Further he says Microsoft has gone outside the norm in their pricing method. The reality is that Sybari was always a subscription based model where the software is license for a period of time only. This is not a change.

The Legacy antivirus vendors should be on notice. If they want to continue with the same crappy products bundled together for higher prices it will no longer work. Alex says that Microsoft will stiffle innovation. I say the opposite. AV companies need to get off the bench and create better products.

I'm searching the Microsoft knowledgebase for help in letting a ISA 2004 server get to Windows Update when I find a kb article on the subject. It has links that should be put in an "allow" destination set. One of the links is http://ntservicepack.micrososft.com. A quick who is query shows that the domain is not owned by Microsoft. I checked the site over in a text browser and it seems to just be loading ads, but I'm not 100% sure.

I've notified Microsoft using the link on the page for article errors.

On Monday Microsoft released a white paper on the Malicious Software Removal tool.

It contains some very cool info on the metrics of the scan results.

I saw this linked by Rod Trent over at myitforum.com/

Microsoft Standard User Analyzier is an application compatibility tool helps developers and IT professionals diagnose issues that would prevent a program from running properly as a standard user.

That sounds a lot easier than working with regmon and filemon to find conflicts with low user rights and what an application needs. This may be just what the doctor ordered if you're considering taking admin rights back from users.

If you have heard there is a new zero day attack on Word that has been sighted at one company in the world.

To protect yourself, you may want to consider the following

1. When you receive an email, IM, Fax, telephone call or someone comes to your door, call them and make sure they really intended to communicate with you. Don't be fooled. You may wish to use a turing test to verify you are speaking to a human
   
2. Roll out PKI so you can sign all your messages. That way no one can get away with sending the exploit as you.
   
3. Switch to a VT200 terminal hooked to a VAX running VMS.
   
4. Three words - Precautionary Internet Disconnect.
   
5. Quarantine all email messages 5-7 days to allow antivirus vendors to catch up.
   
6. Set up fans to disperse smoke. After you take away all other means of communication users may resort to smoke signals to communicate. WE HAVE NOT VERIFIED THAT THE WORD VULNERABILITY CANT SPREAD THROUGH SMOKE SIGNALS!
   
7. 
   

SANS actual recommendations are here. They seem about as useful as my joke recommendations.

Zero day vulnerabilities and targeted attacks are here to stay. Research into technology that provides proactive defenses is extremely important.

Microsoft has purchased Whale Communications.

Three or four years ago I looked at Whale's egap hardware as a way of securing remote access to OWA. I liked some of their software protections used to make sure OWA was logged out and prevent information from being left on the local computer. Ultimately I ended up purchasing ISA and used it in conjunction with our firewall to provide access.

Another interesting security purchase by Microsoft.

Did you know that Microsoft update and Windows update are not the same thing?

I knew that Microsoft was providing office updates outside of going to officeupdate.microsoft.com but I didn't know why I wasn't seeing those updates at windowsupdate.microsoft.com. I typically select Tools > Windows Update from within Internet Explorer. Turns out there is a update.microsoft.com, which must be where I had gotten updates for Microsoft products, not just windows. A tip of the keyboard to F-Secure and Sunbelt for writing about that this week, and thus reminding me.

I'm not sure if I've posted about this or not. During March and into April we had a pen-testing project as school. At the beginning of the semester we had a project to configure our server (Windows 2003, or Red Hat Enterprise AS 4). Next we had to perform reconnaissance on our classmates and a collection of cannon fodder servers set up by the instructor. This led into the pen testing assignment.

Going into the assignment, my main concern was not getting hacked and not embarrassing myself. It actually turned out better than that. I didn't get hacked, and I was able to hack more servers than anyone else in the class.

What differentiated my results from those of my classmates were a series of application attacks. The foundation for these attacks were laid when Terminal Services was installed. You see Terminal Services has asks at install if you want high security or application compatibility. If you select application compatibility, then any terminal server user has modify rights to c:\program files\* and some important registry keys. The administrator of those servers should have looked at the terminal server settings and changed it to the high security, or looked at the file ACLs and removed unnecessary permissions.

Although my "guest" account only had user rights, because I was a terminal server user, I was able to modify some key files. Luall.exe is Symantec Liveupdate. When a scheduled liveupdate runs, it runs with SYSTEM permissions. By replacing luall.exe with my own version of the file, I was able to escalate my rights and own multiple servers.

This is another case of application compatibility mode causing security troubles. Of course this is not the preferred configuration for Terminal Services. So hopefully this isn't an exposure that you have on your own servers. So if you have Terminal Services, even just for remote admin mode, make sure that you check your security level. Otherwise a Terminal Server User is just an admin who hasn't promoted himself yet.

Microsoft has released advanced notification that they will be releasing five security bulletins for Windows on April 11, 2006. The highest severity rating for these issues is Critical.

- - One bulletin for Microsoft Office and Microsoft Windows. The highest severity rating for this issue is Moderate.
- - Four bulletins for Microsoft Windows. The highest severity rating for these is Critical.

Further details about these issues are not currently available.

hwaldron comments on whether or not Microsoft should have a public beta for security patches.

I stumbled across a blog on using IPSec for Domain Isolation. http://blogs.msdn.com/James_Morey/

This sounds familiar. Corporations thinking that the next OS of Microsoft will cure all security woes. Donna's Security Flash had a link to this techtarget article which reports the result of a survey.

90% of respondent expect automatic patch updates and installation management functionality to be part of Vista.
66% expect IPS features.

I think they would have gotten the same numbers for "which security features have you heard of"

I'm taking another look at whether or not it is worthwhile to disable the LANMAN hash. If you don't know what that is, this is probably not the article for you.

The LANMAN hash is listed on the SANS/FBI Top 20 list. Microsoft says to disable it you dont need the backward compatibility.

Yet Jesper Johansson pretty much calls doing this security theatre. If someone were to compromise the password database, they aren't going to be cracking the passwords in his opinion, instead they will be replaying the hash. But sometimes the password is needed such as going after EFS or if the password might be used on other non-windows accounts.

I need to think about this.

I saw this over at Microsoft Monitor. The link to YouTube is dead, but I found it over on video.google.com.

Reportedly this is a self-parody. It was made inhouse to critique their design process. Either way, I was laughing through it. I just wish the quality of the video was a tough better so I could see the small print.

This morning at 11:40 our Exchange 2003 server updated the kaspersky antivirus scan engine. That is part of Microsoft (Sybari) Antigen. A few minutes later I began receiving emails about “scantime timeout” and when I checked I saw that no mail was being delivered anymore.

After spending an hour on hold with Microsoft waiting for support I changed tactics and called my TAM. He told me I was still 35th or so in the phone queue (down from a couple hundred) and that the problem was a bad Kasperski virus definition update. (that is what I suspected). I disabled Sybari’s scan jobs (once I could get into its admin gui) and updated kasperski to a newer definition set. All told two admins wasted three hours on this today and our company couldn’t send or receive email for most of that time.

While bad virus def updates have hosed our server in the past (usually its kaspersky), I have never had this kind of hold time. I am really unhappy with the quality of support now that Microsoft owns Antigen.

Scoble thinks everyone should just post all their contact information on their website. Hmm, anyone see a problem with this?

In the original version of this post, I thought I'd help Scoble out by posting the same info he had on his site: email, celphone, work street address, birthday, wifes name, marriage date, friends name, son's name and birthdate.

Sounds like a good start for some social engineering. His reasoning for posting this information is that the more people who know who the real Scoble is the less likely it is that his identity can be successfully stolen. I think that reasoning is crap. How many times has someone pretended to be a professional athlete and successfully written bad checks. I bet you that I could show up at TechEd and get people to believe that I'm Scoble.

http://interviews.slashdot.org/article.pl?sid=06/01/26/131246&from=rss

Good interview but of course dont waste your time with the comments. When the slashdot crowd here's the word Microsofst its like Pavlov's dog and the dinenr bell.

Here are some notes:
In Vista the Giant antispyware aquisition will be built in. It is named Windows Defender

The firewall will be bidirectional in Vista.

"After Blaster happened, I wanted to find out who was responsible for the buffer overflow that was exploited and hold the individual accountable. But once we looked into it, we realized that there was not a documented a process that the developer was supposed to follow that would have prevented the mistake, nor did we have a set of procedures for our developers to verify that a secure development process was utilized." Hence the need for the Security Development Lifecycle and all the re-training.

So I've got my shiny new Treo 700w. It doesn't come with a holster like my blackberry. But hey, its Windows Mobile 5. its supposed to be better. It doesn't come with a craddle. But hey its Windows Mobile 5, its supposed to be better.

Next lets synch it up to the computer. Oh wait, some numb nuts thought it would be a good idea to use tcp/ip over the usb connection for the synching. That means I have to whitelist 3 programs and 6 ports in order for this to work. Not only that, but I cant just whitelist them in my intranet personal firewall program. The mobile phone is self assigning an ip address in th 169.254.x.x autoconfiguration range. This causes my personal firewall to drop intot internet mode.

What does this mean? in order to synch I need to poke holes in my personal firewall allowing access to ActiveSynch a program which in prior versions has had denial of service vulnerabilities as well as information disclosure vulnerabilities. I am really not pleased about this. Not one bit.

Well, that's it for today. I'll go whitelist

I've been working at building a spreadsheet of patches, which are exploited, as well as the ratio of patched to unpatched systems at my company.

Its kind of a pain to search through old Deepsight notices to see which patches have associated exploits. The Elsenot Project posts which Microsoft patches have associated exploits. I'm not really a fan of their stated goal "an exploit for every Microsoft vulnerability" but it is a good quick reference. One thing they could do better is in addition to linking to exploit code they should also use the common name where possible such as slammer, or code red.

Microsoft put out a press release yesterday indicating that Bulgarian police have arrested 8. They had performed phishing on MSN accounts.

http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

http://blogs.technet.com/msrc/archive/2006/01/05/416980.aspx

I'm sure the SANS Handlers will have a coronary at the thought that their hystericane is not wide-spread. Nice to hear from Mike on this subject.

In a boring meeting about 2:45 I saw that the WMF patch henseforth known as ms06-001 was out. I immediately grabbed most of the interested parties to organize a plan of action. Unfortunately I got waylaid by the firewall guy and before I could escape the patch planning discussion was over. As a result, the full plan wasn't thought through.

We did manage to get the new cab file (or is that xml now) downloaded. Unfortunately the SMS guys dont know how to make the clients report that they need the patch until some automatic scan occurs tomorrow morning. That means the patch probably wont get deployed until 10am tomorrow. :(

Hey, I can only make the recommendation for deployment.

Over at broadband reports I see a thread with a link (which the moderator has deleted) cleaiming to be to the official Microsoft patch for the WMF vulneraibility and that it has been fully q/a tested on Windows XP, Windows 2003 x86, x64 english and that it is currently being tested on other language installs and the IA64 architecture.

That sounds like great social engineering.

I've been wonderring if Jesper Johansson had a blog, and sure enough Scoble linked to it today for his post on the wmf vulnerability. SWEET!

Does anyone know if Mike Nash or Steve Lipner have blogs?

I had been wondering if it is possible to run the third party WMF patch in a silent mode. When I downloaded the patch and ran it with a /? it did not give me any command line options. SANS is now reporting the syntax to run the install quietly.

I'm still wondering how to uninstall the patch programatically when the real patch is released. I'm assuming since it is listed in add/remove programs is should be possible to find the uninstall command line in the registry. I haven't looked through.

SANS has posted a WMF FAQ. Good summary for those not keeping up.
http://isc.sans.org/diary.php?storyid=994

Long time readers (and I'd like to thank both of you) know that I really hate Redmond Magazine and what they've done to the old MCP Magazine. Fortunately, I've got a mag that is actually useful. TechNet is published by Microsoft so it doesn't have the annoying anti-Microsoft rhetoric that mars Redmond Mag.

I got the January/February issue this week and its got a "Hey Scripting Guy" article that addresses one of my problems. Creating a script to determine last logon time. Next it has an article by my personal security hero, Jesper Johansson. There is also a NTFS permission article that I haven't read yet that looks interesting.

According to this article at Blink.nu, the MIcrosoft Online Crash Analysis is capable of detecting some worms and viruses. Not only that the recommended account is to initiate a scan through Windows Live Safety Center. I think that is pretty sweet.

Microsoft's December patches are out. One Internet Explorer patch rollup and one privilege escalation vulnerability

MS05-054: Cumulative Security Update for Internet Explorer (905915)

MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)

Microsoft seems to be pushing the Rights Management Services (RMS) lately. They pushed it at a meeting I was at between my management and Microsoft. Reports from the MVP conference make it sound like it was pushed there as well.

RMS is a service on Windows 2003. With Office 2003 you can use RMS to restrict what people can do with your documents. In one way its better than encryption because it isn't an all or nothing proposition. Yet, Microsoft is carefull to make no claims about the security of RMS in spite of it using AES encryption.

For us it sounds like a internal solution only. External users would need to have a .net account and web access to our RMS server. Telling people to get a hotmail account so they can read our documents, really is a nutty idea. Of course if the partner company also had a RMS server we could federate them together. But then we have a really tight inbound traffic firewall policy that probably wouldn't allow that.

While it would be nice to have the ability to set a "do not forward" in an Outlook message that is meaningful, I'm not sure its really worth it. I'll be looking at RMS more the next few months as time allows.

Get the shovel. It looks like SSL2 is done. On the heels of Firefox's announcement a few months ago that they werre removing support for SSL 2, it will now be disabled by default in IE 7 beta 2. SSL 2.0 has many native vulnerabilities such as the ability for a MITM to downgrade your encryption to something more breakable.

Another change is the default behavior when dealing with bad certificates. In the past you've all seen a dialog box everyone says yes to. This will now take you to a redirect page that explains the problem in more detail. Should you choose to continue, the address bar will change to red to highlight that you are doing something unsafe. I suppose this is a good compromise. A lot of vendors use self signed ceretificates that will be blocked by this since I never access the site using the url they want (I use fqdn and they put only the host name in the certificate for example).

Also the error relating to a mix of https and http content on a page will be changed so that you will now be prompted by the information bar.

More information at the IEblog site.

The Internet Storm Center handlers are doing what we're all doing. Playing a game of prognostication. Will there be exploitation of MS05-051 this weekend. SANS and Microsoft Security Response recommend patching now. So what are you still doing here. Get thee to http://windowsupdate.microsoft.com.

Just to throw a monkey wrench into things some people have reported to the ISC issues with the MS5-051 patch.

We cant make decisions based solely on what happened in August, but one good sign is that at this point exploit code has not been made public. Perhaps we will survived the weekend.

I know I've got school things to be working on and dont need to have any patching excitement.

The French Security Incident Response Team had posted exploit code for MS05-044, MS05-045, and MS05-048. Fortunately these weren't the main 4 that I'm concerned about.

SANS did report yesterday that Immunity Sec Canvas customers have an exploit for MS05-051. That means the bad guys aren't far behind. Or more likely the bad guys that do have it prefer to be able to hack with it instead of compelling everyone to patch by releasing a worm.

Microsoft has posted the Security Bulletins for October. MS05-48 through ms05-052 are serious enough that it looks like this batch should be pushed out both on the desktops and the servers.

http://www.microsoft.com/technet/security/current.aspx (this link wasn't updated at last check, but should be soon)

Channel 9 over at MSDN has a chat with Roger Grimes on IIS 7 security. I'm half way through it and spend more time talking about the misconceptions of Microsoft Security. Microsoft has a very secure Operating System in Windows 2003. It was released nearly 2.5 years ago. Yet people want to talk about Microsoft Security as if it is still pre-ntfs and Windows 95.

There seems to be a school of thought that says the lesson to be learned from MS05-039 is "patch faster". Dont stop, dont think, dont consider. Just patch. They say fixing the result of patching is easier than fixing the result of the virus getting in.

If you're on a treadmill and someone starts hitting you with a baseball bat, the solution isn't 'run faster'. It may be time to look for a different solution. How many people got hit with MS05-039 who were running with personal firewalls on all systems? How many people got hit with MS05-039 who were running Host Based Intrusion Prevention systems got hit? How many people who locked down their computers got hit?

Patch faster they say, the real problem was with Configuration Management "bureaucracy".

Is computer security a science or an art? Is it your gut feeling that gets you to know you need to patch quickly? Is it rumors from SANS? Is it the result of a rational risk assessment? Is there too much gut checking and not enough Risk=Threat x Vulnerability?

It really scares the hell out of me when a technologist gets the ear of a politician. Sometimes the results are just funny, like when Senator Chuckie Schumer (NY-D) starts talking about viruses. But othertimes the results seem to be geared to wards encoding in law the particular biases of the tech staffer.

Over at Microsoft Monitor(a Jupiter Research weblog) Joe Wilcox commends on last weeks decision by the peoples republic of Massachusetts to only support "open" standards. In spite of all the news articles this is currently a proposal and it is public comment period. Also back in January there was a speech where Adobe Acrobat and Microsoft Word were listed as open standards.

I'm trying to put ms05-029 on a users desktop via sms remote control.
First attempt: nope, you need Windows Installer 3.1, reboot.
Seconds attempt: You're running Windows 2000 SP3. Ok, I've got that on the file server, no need to download it. Reboot.
Third attempt: You have 150 MB of updates!!!
Windows Update now does office patches too. So after deselecting the post SP4 rollup, I deselected all the SPs for Office. (for some reason we haven't deployed that at work, so I'll make things easier on myself and only bring this computer into parity with the other computers. No need to be testing a Office service pack upgrade on a weekend on someone else's computer). After trimming that down, I "only" have 25 updates to install.

The IE Blog has a post today addressing some of the concerns about the IE phishing filter. I was looking for my previous entry to link back to, but I dont see it.

There is also a whitepaper over at MSDN with some tips for site owners. Interesting that they advice people to prevent cross site scripting.

It seems like the new patch management platform used by the ITMU stores the patch information in WMI. This certainly speeds up the scanning for necessary updates, but I cant help but wonder if this will lead to security problems down the road.

When the Windows Security Center came out in XP, it was quickly discovered that you could spoof antivirus and the firewall by changing the information stored in WMI. Microsoft responded that WMI is protected by an ACL so that only the local Administrator can modify it, and further if an attacker has local administrator rights, then you have bigger problems than WMI. I say why help the attacker remain undiscovered and unfettered.

Does the local administrator need to be able to change those settings? Is there a way to do this so that only the scan tool can update WMI. I just fear a worm that disables the antivirus and the personal firewall, and spoofs WMI so the user thinks they are protected. Not only that, the patch info could be spoofed so not only does the user think they are patched, but Windows Update and SMS agree. Will Windows Update still check the registry entry and the file versions? It sounds like ITMU trusts completely in WMI.

My officemate pointed out that its even worse than this. Software will have vulnerabilities. What happens when someone is able to hack WMI to modify this info without local administrator rights?

Microsoft now has a writeup on this vulnerability. The page to keep an eye on for updates related to this is here.

I was very happy to see this. I called my TAM at lunch to see if setting the activeX kill bit on this dll was a good or bad idea. I didn't want to do it, not knowing what the end result would be. Microsoft now has this listed in their "workaround" section of this post. There is no aftereffect of making this change because this file was not intended to be accessed using this method.

I'm working on getting this added to our ActiveX Kill Bits file that we deploy with SMS. I also need to see when that is next going getting deployed to our comptuers.

Has anyone else noticed a problem with IE7 and terminal services?

While on vacation, I've been vpning back into work and using remote desktop to access a xpsp2 computer. IE7 on this computer is not loading pages properly for me. Nutscrape, ahem, Netscape works fine.

I haven't really set this blog up to accept responses, so hopefully this works. You can try emailing me at blog-response//at//infosecblog//dot//org.

I'm also going to try turning comments on. that ought to bring the comment spammers out. I think comments will be in moderation mode so dont expect it to show up right away.

edit- I stopped by work tonight and IE7 wasn't working either. Neither was task manager or most other apps. The latest change to the system was the backup software. Its likely either that or using rdp that caused the system to muck up. Not an IE7 issue as I see it.

Get it from the source

http://blogs.technet.com/msrc/archive/2005/08/17/409363.aspx

Saw a Microsoft article referenced over at TaoSecurity.

It argues that 802.1x on a wired network does not provide the security you think it does. 802.1x essentially authenticates the initial connection, not each packet. So it is possible for an attacker, a legit computer and a hub to work together to allow the attacker onto the network.

Worthwhile article over at SecurityFocus on Microsoft's HoneyMonkey project. We first heard of them one or two months ago, and its neat to see this update.

Traditionally a honeypot sits back and waits to be attacked. In the honeymonkey model, they go out and find websites, and look at the result of going to the website. Using this method they have found sites that serve up exploits, including at least one zero day. (the zero day was an exploit of the jview vulnerability patched in July).

Also interesting is the report that even a partially patched version of Windows XP Service Pack 2 blocks the lion's share of attacks.

According to the article Microsoft plans to forward the information on these sites to law enforcement.

I cant remember the last time I read Thurrott. He was useful with win2k was coming out. But now there are so many sources of information that I haven't been to his site in quite some time.

In fact, it was only through other blogs that I found out that apparently he is off his meds and posted an anti-IE7 rant over at WindowsITPro. It is not labeled as a blog article or even as a commentary. But this screed clearly isn't news. He says his advice is to boycott IE, describing it as a cancer on the web.

Apparently he is really upset that IE7 focused on being secure and implementing the current CSS standard instead of focusing on implementing unradified CSS standards and obscure web coding bugtests called the "Acid Test." Frankly his article was so bad I thought it belonged over on news.com.

Ryan Hoffman has written a classic retort. Actually, you'll want to go up to his blog home page to see a few other posts he has related to the subject.

Microsoft has released a redaction tool for Word 2003 available in the download center.

As advertised it allows the document user to mark out sections of a document such that the sections are blacked out. The text is removed from the document and replaced with blacked out text.

I seem to recall a problem in Adobe's implementation of this in their software where the black text was simply over the hidden text. The hidden text wasn't redacted at all, but available to any attacker. Lets hope Microsoft hasn't made a similar mistake. Anyone taking bets on how long it takes before someone uncovers that sort of vulnerability in this Microsoft product.

I particularly get a kick out of their note: "We recommend that you carefully review any documents redacted using this tool to confirm that all the information that you intended to redact was successfully redacted." Ugh.

Techweb has an article (which they repeat on their SecurityPipeline website) regarding Trojan.Jevproxy. They say that this is a trojan horse exploiting a still unpatched vulnerability in Microsoft Windows.

However MS05-036, Microsoft's security bulletin for this vulnerability says in the executive summary, "this is the fix."

Who is right?

SANS @RISK is a bulletin summarizing recent vulnerabilities and recommendations/actions taken by unnamed member companies. Their text related to the javaprxy.dll exploit follows. It sounds like one company has a default stance to disallow activeX from running in IE and others are just waiting on the real patch which will hopefully come out on Tuesday.

__

Description: An exploit for the Internet Explorer flaw discussed in last
week's issue of @RISK, has been publicly posted. The flaw was rated
"LOW" last week because the discoverer reported that Microsoft team
could not reproduce the flaw at that time. Microsoft has now issued an
advisory for this vulnerability. The advisory also lists workarounds on
how to disable the javaprxy.dll COM object and how to prevent this
object from running in Internet Explorer. Note that even if javaprxy.dll
is not installed on a user's machine, an attacker can force its download
via the "codebase" attribute while instantiating this object.

Council Site Actions: Several of the council sites are still reviewing
the workarounds from Microsoft and waiting to see if a specific patch
for this problem is released next Tuesday. One site commented that
their default configuration for IE included the recommended patches and
workarounds. Another site has a large number of vulnerable systems,
about 12,000. In some cases, the end users are manually visiting the
Microsoft Download Center to obtain the registry update that disables
javaprxy.dll. They have not yet made an attempt to roll out this
registry update on a widespread basis, and have not yet sent a general
announcement to Windows users about the vulnerability. At a minimum, the
great majority of their systems will obtain an update through the public
Windows Update site, or through their local SUS server, whenever
Microsoft happens to release a patch for this.

Symantec finally got detected the exploit file I created over the weekend for javaprxy.dll. They are calling it bloodhound.exploit.40. http://www.symantec.com/avcenter/venc/data/bloodhound.exploit.40.html They don’t think its in the wild either. Note that although the 7/7 rev 17 defs will detect this, it will not necessarily keep the exploit from occuring. It does help keep any webserver clean that is running antivirus.

Of course with attackers shifting towards more targeted models, they wont be noticed as quickly. A while back my webhosting provider got hacked and 10,000 sites had a iframe added that loaded malicious code. The vulnerability was 9 months old so I was well patched. Imagine if they were able to hack my web provider again and use this newer exploit to install spyware or bots. While it wouldn't make the news since its doesn't effect Microsoft, Yahoo or Ebay, it would still infect an impressive number of computers.

You dont just need to worry about malicious websites. Sites that you trust can be made to serve up viruses if the server is compromised. You wont necessarily hear about it in the news or from the ISC if it only effects a small group of people. Take the mitigating steps that Microsoft recommends. Hopefully the real patch will be available on Tuesday, but why wait until then to have a measure of protection.

Microsoft put out a bulletin last week warning of a denial of service in javaprxy.dll (part of the Microsoft JVM). Exploit code has been posted to the Internet which show that this vulnerability is more than a denial of service, it can allow an attack to run code in the context of the logged on user.

Microsoft has posted several mitigating steps at http://www.microsoft.com/technet/security/advisory/903144.mspx. The easiest such step is to set the activeX kill bit. With this method you dont have to worry about loss of functionality in other applications which use the MS JVM. The downside is that from my testing the denial of service exploit still occurs (memory usage) although it does not allow the malicious code to run.

Check out the MS article for other mitigation techniques.

I watched a Webcast yesterday by Jesper Johansson and Steve Riley on security myths. They haven't posted the on demand version yet, if they do it should be available here. If not you can get some of the same material via their articles from March and April.
Article Part 1
Part 2

The Myths:
1. Security guides make your system secure
2. If we hide, the bad guys wont find us.
3. The more tweaks the better
4. All environments should follow the advice in
5. High security is an end goal for all environments
6. Security tweaks can fix physical security problems
7. The lemming security model: Always follow expert recommendations.
8. We need to audit everything
9. Password cracking is our biggest problem
10. Security Tweaks will stop worms and viruses
11. Technology can fix user problems
12. Friends will always be by your side
13. Encrypted attack traffic is better than clear text attack traffic.

http://www.microsoft.com/windowsserver2003/evaluation/news/bulletins/ws03sp1blockertoolfaq.mspxWindows Server 2003 SP1 will be automatically delivered through Automatic Updates starting July 26, 2005. Like with XP SP2 a tool will be available to block this installation until March 2006 (one year after initial release).

Write down your passwords. So says Jesper Johansson, senior program manager for security policy at Microsoft.

Password policies that led to using the same bad password accross all systems are are foolish. Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

I think this is good advice. Passwords that are written down on post-it notes and placed under the mousepad are bad. Passwords that are stored in encrypted databases are good. But it must be real encryption. Not the sketchy kind of password protection found in office documents. Passwords put in a sealed signed envolope and stored in a safe good.

Microsoft released a Windows Explorer patch yesterday with a rating of important. The exploit is that under Windows 2000 using the web view (which is the default) if you click on a specially crafted file it will run code of the attackers choice.

Now to me that seems kind of critical. I guess its only rated Important because it requires user interaction. User must save the file to disk rather than opening the file directly as in an email attachment. Next they must open it in Windows Explorer.

You can see examples of an exploit file over at security focus.

http://www.securityfocus.com/data/vulnerabilities/exploits/copy.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/simple.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/rename.doc

I just found the page where Microsoft details how it defines vulnerability severity. For Microsoft, to be considered critical a vulnerability must not require user interaction.

Critical
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.

Moderate
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low
A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

There is now proof of concept code available for ms05-019 (Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)).

http://www.frsirt.com/exploits/20050417.ecl-winipdos.c.php

This one was actually interesting, an off-by-one

"When processing an IP packet with an option size (2nd byte after the option) of 39, it will crash - since the maximum available size is 40 for the whole IP options field, and two are already used:
[ OPT ] [ SIZE ] [ 38 more bytes ]
Checks are done to validate that the option-size field is less than 40, where a value less than !39! should be checked for validation.

Note that this doesn't affect ALL options, and is also dependant upon the underlying protocol. "

There is now PoC code for MS05-016, MS05-017, MS05-019, and MS05-020. The time for patching is now.

Proof of Concept code is now available for ms05-016, the Windows Shell remote code execution vulnerability.

http://downloads.securityfocus.com/vulnerabilities/exploits/ms05016.c

The code when compiled runs notepad.exe. Bad guys can likely use this to contruct their own versions for a email virus. The vulnerability is related to how the OS handles unregistered file types.

Doc, pdf,pif etc are examples of registered file types. An unregistered file type is anything else. So if I create a file with extension D0C (thats a zero), it may look like an expected word document, but its really the exploit.

Further anyone whose email antivirus is stuck in the stone age scanning specific file types only wont even scan this in inbound email. People who rely on blocking "dangerous" file types to fill in the gap from exploit release to virus definition update will be out of luck unless they choose to whitelist a few specific extensions instead of relying on blacklists. is.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx

IEBlog: An HTTP Detective Story

Interesting post over at IEBlog as they try to track down a login issue a website was experiencing with IE6 on WinXPsp2 as well as IE7. I thought it kinda funny they way they causually mention using IE7. Developers Developers Developers Developers.

I started the morning with a quick glance at the blog headlines. Donna's Security Flash has a headline "Windows Firewall has a backdoor". Donna is a MVP, I would assume based in security based on the name of the blog.

The blog entry contains a link to discussion on bugtraq. It seems someone has reported that if they add a new key to HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List they can "circumvent" the firewall. I have no doubt that this will be picked up by the usual Microsoft hating press eg, news.com and The Register. Of course reading bugtraq would require real work. They likely wont pick up the story until after it appears in Slashdot.

Others quickly replied to debunk this story. "This is not a backdoor or vulnerability. The default permissions on this key are Full Control for SYSTEM and Administrators and Read for Users. The Administrator should be able to configure the firewall to allow programs to connect outbound."

Another reply from a Pivx employee "having an exception list is not a back door". Basically any time you run code as administrator there is no limit to the damage that you can do. This is true with any software.

He went on to say that there was a Blackhat 2004 Briefings in Las Vegas where Eugene Tsyrklevich had a presentation called "Attacking Host Intrusion Prevention Systems" in which he demonstrated on-stage how to completely circumvent McAfee Entercept, a behavioral host based protection product which tries to limit the actions of malicious code once it is already running on the machine.

Computer world has an artiicle quoting microsoft as saying spyware and malware is beginning to use rootkits more. Currently malware is relatively easy to fine. Most is as vanilla as looking in the run key in the registry. Spyware takes advantage of many places to start from that the typical user and even many admins weren't aware of until they began battling spyware. Rootkits go deeper than that. Possibly even modifying the kernel. This brings a new urgency to the advise to reload your system if compromised!

On the same subject, Microsoft Research has a paper on detecting rootkits that is an interesting read.

Why it it every time you want to read a document from Microsoft, they wrap it up into an EXE file? I've read somewhere that this is so they can digitally sign the exe to prevent content spoofing. I guess that is an indication of how little trust they put in digital signatures attached to Word documents.

The anti-Microsoft conspiracy crowd never lets an opportunity go by. They are quick to put on the tin foil hats and divise some deep dark motive for every tiny little Microsoft move. The problem with looking at the minutia is they miss the big picture. They cry that Microsoft Anti-Spyware cant be downloaded without a valid OS license. But they fail to notice that most Microsoft downloads seem to have that test. When I downloaded it, I said NO to doing the license test, and was allowed to continue and download the software.

Mark Rasch's thesis appears to be that software pirates need security too. I disagree with that thesis, furthermore, from my experience you can decline taking the license test and still get the software (if you've taken the test and failed, this is no longer true).

Microsoft apps dont get the love from the tech media and the slashdot crowd. Just think what reaction there would have been if it was Microsoft's Desktop Search tool that allowed remote users to search your hard drive. But since it was Google, there was nary a wimper. What's even funnier is they fixed it without telling you. That's right. Google upgrades its software on your machine without asking. Not very friendly like.

Back in June, The Register screamed that US-CERT recommends not using Internet Explorer. Why in the face of a never ending cycle of patches would someone continue to use Microsoft Internet Explorer? Here's what I've been able to put together.

1. Business Use Case
Internet Explorer is the best browser for use with our intranet which uses Sharepoint and our future use of Microsoft Project. Alternative browsers do not have the same feature rich experience when dealing with Sharepoint and OWA. Additionally the integrated windows authentication would not be available with other browsers.
2. Ease of updates
Currently updates for Internet Explorer are performed using the SMS SUS FP. Its rather easy. Operating System patches and Internet Explorer patches can be done at one time. Third party browsers often require an install of a new version rather than a patch.
3. Vulnerabilities in alternative browsers are increasing in occurrence and severity.
4. User Education
Switching browsers doesn't address the true problem, the educated user.
5. Usability
Internet Explorer as the dominant browser works on most sites.
6. Manageability
Internet Explorer is enterprise ready. It can be configured via Group Policy. How will you centrally manage a third party browser.
7. Support
Who supports the third party browser? We would go from being Microsoft Premier customers to relying on newsgroups for help.

I was standing in line for lunch at the company cafeteria when someone commented to me that their Windows 98 system was more secure than their Windows 2000 system because it required less patching at Windows Update.

I'm not all that sure that number of patches is really a reliable metric for the security of a computer. Windows 98 was not designed with security in mind. There is just so much that you can do with it security wise. There is one patch for Windows 98. Its comes on a CD labeled Windows XP. I'm not sure if Windows 98 is even supported anymore.

Microsoft Monitor is a weblog by Juniper research group. Today's article attacks the FUD surrounding the JPEG vulnerability.

Good article all in all. The author praises Microsoft for limiting vulnerability by blocking the automatic display of images in Outlook 2003. This is good, but I do believe images included in the message itself (rather than just links to a website image) are displayed. Of course they have the chance to be scanned by SMTP antivirus.

Another important point of the article is to double check your antivirus. You really should be scanning all files. If you're scanning program files only, you need to add jpg and jpeg to that file extension list. There have also been reports that tiff uses the same interpreter. You're really better off scanning all files. I think most companies have caught on to that.

Got to love the old school viruses. The jpg exploit has gone back to the future by making its first notable appearance in porno newsgroups. There is a good writeup of this over at http://www.easynews.com/virus.txt

The virus is using the JpegOfDeath sample exploit code made available on the net to install remote admin software and downloading assorted hacker tools to make life easier.

If you haven't already seen it, SANS has posted a tool to scan the local system for vulnerable GDI files. There is a GUI and a command line version. It can be downloaded from SANS.

Tuesday was Microsoft patching day and this one left me scratching my head more than most. Maybe its my own fault for reading ntbugtraq and the babble of the tech writers. This jpeg patch seems tougher to decipher than the riddle of the sphinx. First you've got windows update that just gives you a tool to see if you have the file. Then you've got different Microsoft versions of the patch. At least that's what it sounds like. You dont need a patch if you have Microsoft Office 2003 SP1, but if you haven't applied that service patch then you need a patch. And there is an IE patch. Or is that the same thing. Then the file in question is used in other MS apps that MBSA doesn't detect. Then you've got other applications that introduce their own vulnerable version of the file. And of course you've got a denial of service exploit already on the market. What a patching nightmare

Tim Mullen has a totally awesome article over at Security Focus on the tech writers reaction to XP service pack 2.

http://www.securityfocus.com/columnists/265

It is a great article on the frenzy of reporting/bashing surrounding SP2 as every minor blemish or thing not fixed that was wrong in xp becomes a major blemish. It causes typical users to flee in terror from a service pack that will do them a lot of good.

"In the Feeding of Media Egos, everyone leaves vulnerable."

The U.S Computer Security Response Team has recommended that all users install Service Pack 2 for Windows XP.

http://www.us-cert.gov/cas/alerts/SA04-243A.html

Reasons:
Windows Firewall
Windows Firewall is enabled in almost all configurations, blocking network traffic coming into your computer. Blocking this traffic helps to protect you from worms and other malicious code that spread via the Internet.

Internet Explorer Local Machine Zone Lockdown
New settings for Internet Explorer disable the execution of ActiveX controls and Active scripting in the Local Machine Zone. This protects you from attacks and vulnerabilties such as Download.Ject.

Additional Internet Explorer Security Changes
Internet Explorer now includes a pop-up blocker, additional window restrictions, and changes in MIME type handling that better defend against social engineering and "phishing" attacks. A browser add-on management interface provides a way to identify and disable programs that run as part of Internet Explorer. Enhanced protection against security zone elevation and object caching vulnerabilities helps defend against malicious web scripts.

Email Handling Technologies
Outlook Express now supports the ability to read and compose messages in plain text and to block external HTML content such as "web bugs." Security checks are now performed in a more consistent way to help prevent the execution of malicious attachments.

Security Center
The Security Center "...provides a central location for changing security settings, learning more about security, and ensuring that [your] computer is up to date, with the essential security settings that are recommended by Microsoft."

Automatic Updates
The update services and automatic update feature of Windows XP have been improved. US-CERT highly recommends that you enable Automatic Updates.

Data Execution Prevention
Memory protection helps prevent attackers from executing code on your computer.

One of my users got an email supposedly from Suntrust which advised the user to go to https://internetbanking.suntrust.com/verify/default.asp otherwise their creditcard or account would be suspended. The url of actually went to http://219.117.228.247/verify. This is a computer in Japan running Redhat Linux.

Of course this is garden variety phishing. What I found interesting is that even on a fully patched version of Internet Explorer the real location is hidden from the user.

At this website, right clicking is prevented in IE. The addressbar displays a https:// suntrust url. The lock is missing down in the status bar.

According to SANS the unpatched Internet Explorer drag and drop vulnerability detailed here is being actively exploited.

The demo can add an item to your startmenu so on next reboot the program installs.

We're installing Microsoft Sharepoint as the new company portal. Part of their functionality is to index and allow people to search across file shares. This had some unintended consequences.

Nmap, the widely used scanning tool, does not work under XP sp2. Of course there are those that will say that nmap has never worked under windows, its a bastardized port of a good unix tool. They may be right, but it was a good scanner.

On a Microsoft XP SP beta newsgroup the following was posted:
"We have removed support for TCP sends over RAW sockets in SP2.
We surveyed applications and found the only apps using this on XP were
people writing attack tools. "

Fyoder has posted that since he has a port for Windows 95 he can do it without raw sockets, but he's working on other things right now.

Gibson's press campaign to gain noteriety, um I mean warn people about the HORROR of Raw Sockets in XP has finally born fruit and support for TCP Raw Sockets has been removed by Microsoft. In June 2001 Gibson warned that complete Internet meltdown was emminent if Windows XP were allowed to exist with raw sockets. Gibson is right, zombie attacks are dangerous. But I dont mean 0wn3d Windows XP boxes, I mean an army of zombie followers who uncritically click on a "tell Microsoft to remove raw sockets" link.

So we can all breath a huge sigh of relief. The scorge of tcp raw sockets has been lifted. Of course Gibson must have publicity, so I guess he's say that step was worthless with out removing UDP raw socket support as well.

Whether or not the raw socket "problem" is solved or not really isn't the point. Raw sockets never were a problem is ISPs performed proper egress filtering. Removall of raw socket support from one Operating System is insignifigent when other Operating Systems support it.

I liked this post over at MSDN (a user not a employee):
Your damned if you do and damned if you don't. That's what you get for being successful.

Steve Gibson is happy. However, has anything really been gained? No. Which only goes to indicate that MSFT were better off ignoring his advice in the first place.

Group Policy is the Swiss Army knife of the Windows Security Administrator. But what about when you want to change a registry setting and it isn’t a preconfigured option in Group Policy? That was my task over the past few weeks.

Microsoft has released an update to the security tool to removed excess information from Office documents. Information on that is available here.

Office documentation information leakage can be embarrassing. Information that was part of a collaborative document development effort not meant for public consumption can be leaked if efforts are not taken to remove them. To be on the safe side save to RTF or PDF when posting documents to a customer. Within a company Word is quite necessary, but I'd recommend using this tool on anything of great importance. It would be very bad to give an electronic copy of a performance review to an employee and have it contain a prior revision with a snide comment between reviewers.

The following if from the RSS Feed for Microsoft Security Bulletins

MS04-018: Cumulative Security Update for Outlook Express (823353)

MS04-019: Vulnerability in Utility Manager Could Allow Code Execution (842526)

MS04-020: Vulnerability in POSIX Could Allow Code Execution (841872)

MS04-021: Security Update for IIS 4.0 (841373)

MS04-022: Vulnerability in Task Scheduler Could Allow Code Execution (841873)

MS04-023: Vulnerability in HTML Help Could Allow Code Execution (840315

MS04-024: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)

News.com is reporting that the long anticipated service pack 2 for Windows XP will be released to the manufacturers in August.

The service pack contains new security features that system administrators await with a mix of hope and dread. Hope that hope systems will be more secure by default and less likely to contribute as virus spreaders. Dread because of the fears that legacy products wont work well with the changes.

Microsoft today released a configuration change that addresses the recent malicious attack against IE known as Download.Ject.

This configuration change disables an ActiveX control known as adodb.stream. Disallowing this functionality prevents an attacker from placing malicious code on a PC hard drive and will prevent the Download.Ject attack. It can be downloaded from www.microsoft.com/downloads/details.aspx?FamilyId=4D056748-C538-46F6-B7C8-2FBFD0D237E3&displaylang=en

In addition, KB article 870669, provides information to implement this change manually: http://support.microsoft.com/default.aspx?kbid=870669.

This change has the potential to effect legit apps that use ADODB.Stream functionality. The KB article does show how to role back the change if you find that it effects your corporate applications.

For more information on the Download.Ject attack: http://www.microsoft.com/downloadject.

That is the question on everyone's mind. There are a lot of security enhancements for Internet Explorer. A lot of shops haven't seen the compelling need to upgrade to Windows XP from Windows 2000. But these new security enhancements for XP sound enticing.

Windows 2000 is heading toward maintenance mode, which means patching only. Given limited development resources, it is better to spend those resources on Longhorn and XP sp2, not trying to shoehorn it into previous versions.

An eWeek article says that this is still up in the air right now. It does say it is highly likely the Internet Explorer security enhancements will be part of Service Pack 5.

Russ Cooper recently did a presentation to the Austrlian CERT analyizing Microsoft Security Bulletins. His post about that presentation is available at NTBUGTRAQ.

Microsoft PR has been comparing patch amounts for Microsoft Operating Systems and other OSes to demonstreate that the computer security initiative is working. The problem is that 'number of patches' only tells part of the story. Each patch is often taking care of multiple vulnerabilities (see MS04-011 for one example). You really need to break it down by vulnerabiliy to get an apples to apple comparison. That is the meat of Russ's demo.

Russ's method fails to take into account vulnerability severity. He does however avoid a common pitfall where browser, webserver and operating system vulnerabilities are all lumped into one catagory.

Russ's conclusion is that vulnerabilities stay in Microsoft code. When a vulnerability comes out it is often for NT4, 2000, and 2003. He says generally when a vulnerability does not occur in 2003 it is not because the code was cleaned up, it is because of improved configuration to avoid specific problems. Thus those who upgrade versions for security reasons are not gaining the improvement they seek. They could just as easily configure an earlier version in a secure manner in his opinion.

I think that some of his comparisons are unfair. When you compare the first x days of Windows NT4 to Windows 2003 you do a disservice to Windows 2003 when you conclude they have the same number of vulnerabilities. The full story would point out that Windows Server 2003 is a major target for the anti-microsoft crowd. NT4 was a little more under the radar.

Russ had a slide in his presentation which reads "older is better". I hope in his presentation he articulated that he meant only in terms of vulnerability numbers. Newer versions have new security tools that make them easier to configure. Newer versions have improved features and stability. Of course Russ would reply that the new features are just new security opertunities. I cant see anyone saying older is better unless they are talking about wine.

I am afraid that Russ's analysis that "newer versions have more vulnerabilities than older versions... it is not getting better" will become the new chorus for the uninformed Microsoft basher. Russ isn't a Microsoft basher, but I dont think he is presenting the full security picture when he reduces "better" to vulnerability numbers, particularly vulerability numbers outside the context of severity. (He says he considers exploitability but he only seems to do that with IE).

Russ cites a TrueSecure survey which states that unless you achieved 100% patching with Sasser you were in were state than if you didn't try patching at all. That seems counterintuitive. Particularly when he does on to say that 100% patch compliance is not verifiable. Perhaps he meant to say corporations not focused on patching as their sole security solution were able to lessen the effects of sasser through other security means. Or perhaps they just got lucky.

He also oddly states that too much effort is being expending on keeping IE patched. He states that there have only been 2 wide spread attacks involving IE vulnerabilities. Certainly there is great fear with IE vulnerabilities becuase port 80 is not protected the way other ports are. I think it is worthwhile fear based on the number of javascript exploits I see detected by antivirus in the browser cache. I also think there is a lot of phishing (which can us a browser exploit to hide the true address if you are not patched. Further I think a lot of spyware gets in through IE vulnerabilities. Perhaps Mr Cooper would like to share with us the "secure" IE configuration he uses that makes patching unnecessary.

I would recommend reading this article. It is always important to get new viewpoints particularly when they are not from a rabid anti-microsoft basher. He raises some good points about patching numbers from Microsoft that you should be aware of so you are not snowed by PR.