Microsoft: August 2005 Archives
The IE Blog has a post today addressing some of the concerns about the IE phishing filter. I was looking for my previous entry to link back to, but I don't see it.
There is also a whitepaper over at MSDN with some tips for site owners. Interesting that they advise people to prevent cross site scripting.
It seems like the new patch management platform used by the ITMU stores the patch information in WMI. This certainly speeds up the scanning for necessary updates, but I can't help but wonder if this will lead to security problems down the road.
When the Windows Security Center came out in XP, it was quickly discovered that you could spoof antivirus and the firewall by changing the information stored in WMI. Microsoft responded that WMI is protected by an ACL so that only the local Administrator can modify it, and further, if an attacker has local administrator rights, then you have bigger problems than WMI. I say, why help the attacker remain undiscovered and unfettered?
Does the local administrator need to be able to change those settings? Is there a way to do this so that only the scan tool can update WMI? I just fear a worm that disables the antivirus and the personal firewall, and spoofs WMI so the user thinks they are protected. Not only that, the patch info could be spoofed so not only does the user think they are patched, but Windows Update and SMS agree. Will Windows Update still check the registry entry and the file versions? It sounds like ITMU trusts completely in WMI.
My officemate pointed out that it's even worse than this. Software will have vulnerabilities. What happens when someone is able to hack WMI to modify this info without local administrator rights?
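The cross-check the post is asking for (does anything besides the WMI cache confirm a patch is really installed?) can be written as a small audit. This is an added example, not code from the post or from ITMU/SMS: the cached claims stand in for what a WMI-backed scanner reports, the observed data stands in for file versions and uninstall registry keys gathered independently, and every path, version and KB-style identifier below is constructed for illustration.

```python
"""Cross-check a cached patch inventory against independent evidence.

Added example, not the post's or Microsoft's code. The cache records stand
in for a WMI-backed scanner's output; the observed records stand in for the
file versions and registry keys the post asks about. All data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(s: str) -> tuple[int, ...]:
    """'5.1.2600.2180' -> (5, 1, 2600, 2180) so versions compare numerically."""
    return tuple(int(part) for part in s.split("."))


@dataclass(frozen=True)
class Claim:
    """What the inventory cache says about one update (hypothetical IDs)."""
    update_id: str
    installed: bool
    file_path: str       # file the update replaces
    fixed_version: str   # version the file should have once patched


@dataclass(frozen=True)
class Observed:
    """Independently gathered facts: actual file versions and uninstall keys."""
    file_versions: dict[str, str]
    registry_keys: set[str]


def audit(claims: list[Claim], observed: Observed) -> list[str]:
    """Return one finding for every claim the independent evidence contradicts."""
    findings = []
    for c in claims:
        actual = observed.file_versions.get(c.file_path)
        has_key = c.update_id in observed.registry_keys
        if c.installed:
            # A cache that over-reports is the dangerous case: the host looks
            # patched to Windows Update/SMS while the vulnerable file remains.
            if actual is None:
                findings.append(f"{c.update_id}: cache says installed but {c.file_path} not found")
            elif parse_version(actual) < parse_version(c.fixed_version):
                findings.append(f"{c.update_id}: cache says installed but {c.file_path} is {actual} < {c.fixed_version}")
            if not has_key:
                findings.append(f"{c.update_id}: cache says installed but no uninstall registry key")
        elif actual is not None and parse_version(actual) >= parse_version(c.fixed_version) and has_key:
            # Under-reporting is noise rather than risk, but still worth surfacing.
            findings.append(f"{c.update_id}: cache says missing but file and registry say installed")
    return findings


# Constructed sample: the cache claims both updates are installed, but the
# second file on disk is still the old version and its registry key is absent.
CLAIMS = [
    Claim("KB-EXAMPLE-1", True, r"C:\Windows\System32\example1.dll", "5.1.2600.2180"),
    Claim("KB-EXAMPLE-2", True, r"C:\Windows\System32\example2.dll", "5.1.2600.2700"),
]
OBSERVED = Observed(
    file_versions={
        r"C:\Windows\System32\example1.dll": "5.1.2600.2180",
        r"C:\Windows\System32\example2.dll": "5.1.2600.2180",
    },
    registry_keys={"KB-EXAMPLE-1"},
)

if __name__ == "__main__":
    for finding in audit(CLAIMS, OBSERVED):
        print(finding)
```

The point of the design is that the cache is treated as a claim, never as ground truth: each claim must be corroborated by at least one source the scan tool does not itself write to.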
Microsoft now has a writeup on this vulnerability. The page to keep an eye on for updates related to this is here.
I was very happy to see this. I called my TAM at lunch to see if setting the ActiveX kill bit on this dll was a good or bad idea. I didn't want to do it, not knowing what the end result would be. Microsoft now has this listed in their "workaround" section of this post. There is no aftereffect of making this change because this file was not intended to be accessed using this method.
I'm working on getting this added to our ActiveX Kill Bits file that we deploy with SMS. I also need to see when that is next going to get deployed to our computers.
Has anyone else noticed a problem with IE7 and terminal services?
While on vacation, I've been VPNing back into work and using remote desktop to access an XP SP2 computer. IE7 on this computer is not loading pages properly for me. Nutscrape, ahem, Netscape works fine.
I haven't really set this blog up to accept responses, so hopefully this works. You can try emailing me at blog-response//at//infosecblog//dot//org.
I'm also going to try turning comments on. That ought to bring the comment spammers out. I think comments will be in moderation mode so don't expect it to show up right away.
edit- I stopped by work tonight and IE7 wasn't working either. Neither was task manager or most other apps. The latest change to the system was the backup software. It's likely either that or using RDP that caused the system to muck up. Not an IE7 issue as I see it.
Get it from the source
http://blogs.technet.com/msrc/archive/2005/08/17/409363.aspx
Saw a Microsoft article referenced over at TaoSecurity.
It argues that 802.1x on a wired network does not provide the security you think it does. 802.1x essentially authenticates the initial connection, not each packet. So it is possible for an attacker, a legit computer and a hub to work together to allow the attacker onto the network.
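Because 802.1X authorizes the port once and then trusts whatever frames arrive on it, one thing a defender can still watch for is the hub scenario above: a second source MAC appearing behind a port that a single host authenticated. The following is an added example, not code from the article or from any switch vendor; the log format is constructed for the illustration, and a real switch's syslog would need its own regex.

```python
"""Flag 802.1X-authenticated switch ports that later carry a second source MAC.

Added example, not from the post or any vendor. The log lines below are
constructed; real switches log these events in their own syntax.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample log: port Gi1/0/5 authenticates one host, then a second
# MAC shows up behind it (the hub scenario); port Gi1/0/7 behaves normally.
SAMPLE_LOG = """\
2005-08-17T10:00:01 DOT1X-AUTH-SUCCESS port=Gi1/0/5 mac=00:11:22:33:44:55
2005-08-17T10:00:02 MAC-LEARN port=Gi1/0/5 mac=00:11:22:33:44:55
2005-08-17T10:00:05 DOT1X-AUTH-SUCCESS port=Gi1/0/7 mac=00:11:22:33:44:77
2005-08-17T10:00:06 MAC-LEARN port=Gi1/0/7 mac=00:11:22:33:44:77
2005-08-17T10:03:40 MAC-LEARN port=Gi1/0/5 mac=de:ad:be:ef:00:01
2005-08-17T10:03:41 MAC-LEARN port=Gi1/0/5 mac=00:11:22:33:44:55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>DOT1X-AUTH-SUCCESS|MAC-LEARN) "
    r"port=(?P<port>\S+) mac=(?P<mac>[0-9a-fA-F:]{17})$"
)


def parse(log: str):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_piggybacking(log: str) -> dict[str, list[str]]:
    """Return {port: [MACs seen that did not authenticate]} for ports where
    frames arrived from a source other than the one that passed 802.1X."""
    authenticated: dict[str, str] = {}              # port -> MAC that authenticated
    extra: dict[str, list[str]] = defaultdict(list)  # port -> unexpected MACs
    for ev in parse(log):
        port, mac = ev["port"], ev["mac"].lower()
        if ev["event"] == "DOT1X-AUTH-SUCCESS":
            authenticated[port] = mac
        elif port in authenticated and mac != authenticated[port]:
            # A MAC learned before any authentication is ignored here: the
            # port should still be blocking at that point.
            if mac not in extra[port]:
                extra[port].append(mac)
    return dict(extra)


if __name__ == "__main__":
    for port, macs in find_piggybacking(SAMPLE_LOG).items():
        print(f"{port}: unauthenticated source MACs {macs}")
```

This catches the plain hub case only. If the attacker clones the authenticated host's MAC the switch sees nothing new, which is the article's real point: per-frame protection on a wired port needs link-layer encryption such as 802.1AE (MACsec) rather than 802.1X alone.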
Worthwhile article over at SecurityFocus on Microsoft's HoneyMonkey project. We first heard of them one or two months ago, and it's neat to see this update.
Traditionally a honeypot sits back and waits to be attacked. In the honeymonkey model, they go out and find websites, and look at the result of going to the website. Using this method they have found sites that serve up exploits, including at least one zero day. (The zero day was an exploit of the jview vulnerability patched in July.)
Also interesting is the report that even a partially patched version of Windows XP Service Pack 2 blocks the lion's share of attacks.
According to the article Microsoft plans to forward the information on these sites to law enforcement.
I can't remember the last time I read Thurrott. He was useful when Win2K was coming out. But now there are so many sources of information that I haven't been to his site in quite some time.
In fact, it was only through other blogs that I found out that apparently he is off his meds and posted an anti-IE7 rant over at WindowsITPro. It is not labeled as a blog article or even as a commentary. But this screed clearly isn't news. He says his advice is to boycott IE, describing it as a cancer on the web.
Apparently he is really upset that IE7 focused on being secure and implementing the current CSS standard instead of focusing on implementing unratified CSS standards and obscure web coding bug tests called the "Acid Test." Frankly his article was so bad I thought it belonged over on news.com.
Ryan Hoffman has written a classic retort. Actually, you'll want to go up to his blog home page to see a few other posts he has related to the subject.
Microsoft has released a redaction tool for Word 2003 available in the download center.
As advertised it allows the document user to mark out sections of a document such that the sections are blacked out. The text is removed from the document and replaced with blacked out text.
I seem to recall a problem in Adobe's implementation of this in their software where the black text was simply over the hidden text. The hidden text wasn't redacted at all, but available to any attacker. Let's hope Microsoft hasn't made a similar mistake. Anyone taking bets on how long it takes before someone uncovers that sort of vulnerability in this Microsoft product?
I particularly get a kick out of their note: "We recommend that you carefully review any documents redacted using this tool to confirm that all the information that you intended to redact was successfully redacted." Ugh.
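The difference between the Adobe-style mistake and a real redaction is whether the text survives in the file, and the "carefully review" advice amounts to extracting the text and searching it. The following is an added example, not Microsoft's or Adobe's code; the document model (a list of formatted text runs), the sample sentence and the secrets in it are constructed for the illustration.

```python
"""Cosmetic versus real redaction, and a check that tells them apart.

Added example, not the Word tool's or Adobe's code. The document model is
a constructed stand-in: a list of text runs, each carrying formatting.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Run:
    text: str
    color: str = "black"
    highlight: str | None = None


def _segments(text: str, secret: str):
    """Yield (chunk, is_secret) pairs covering text, split on every occurrence."""
    start = 0
    while True:
        i = text.find(secret, start)
        if i < 0:
            if start < len(text):
                yield text[start:], False
            return
        if i > start:
            yield text[start:i], False
        yield secret, True
        start = i + len(secret)


def cosmetic_redact(doc: list[Run], secrets: list[str]) -> list[Run]:
    """The flawed approach: paint a black box over the secret. The bytes stay."""
    for secret in secrets:
        out = []
        for run in doc:
            for chunk, is_secret in _segments(run.text, secret):
                if is_secret:
                    out.append(Run(chunk, color="black", highlight="black"))
                else:
                    out.append(replace(run, text=chunk))
        doc = out
    return doc


def true_redact(doc: list[Run], secrets: list[str]) -> list[Run]:
    """Remove the text itself. A fixed marker is used so the replacement does
    not leak the secret's length the way a same-width black bar would."""
    for secret in secrets:
        out = []
        for run in doc:
            for chunk, is_secret in _segments(run.text, secret):
                out.append(replace(run, text="[REDACTED]" if is_secret else chunk))
        doc = out
    return doc


def extract_text(doc: list[Run]) -> str:
    """What any text extractor, search index or copy/paste sees: formatting ignored."""
    return "".join(run.text for run in doc)


def verify_redaction(doc: list[Run], secrets: list[str]) -> list[str]:
    """Return every secret still recoverable from the document's flattened text."""
    flat = extract_text(doc)
    return [s for s in secrets if s in flat]


# Constructed sample document and the strings that must not survive in it.
SAMPLE_DOC = [
    Run("Agent "), Run("Jane Example", color="blue"), Run(" met the source at "),
    Run("221B Baker Street"), Run(" on Tuesday."),
]
SECRETS = ["Jane Example", "221B Baker Street"]

if __name__ == "__main__":
    print("cosmetic leaks:", verify_redaction(cosmetic_redact(SAMPLE_DOC, SECRETS), SECRETS))
    print("real leaks:   ", verify_redaction(true_redact(SAMPLE_DOC, SECRETS), SECRETS))
```

The check deliberately runs on the flattened text rather than run by run: word processors split text into runs at every formatting change, so a secret that straddles two runs is missed by a per-run search but still shows up in extracted text, which is exactly what the "carefully review" note is telling you to do.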