Microsoft: January 2006 Archives
Scoble thinks everyone should just post all their contact information on their website. Hmm, anyone see a problem with this?
In the original version of this post, I thought I'd help Scoble out by posting the same info he had on his site: email, cellphone, work street address, birthday, wife's name, marriage date, friend's name, son's name and birthdate.
Sounds like a good start for some social engineering. His reasoning for posting this information is that the more people who know who the real Scoble is, the less likely it is that his identity can be successfully stolen. I think that reasoning is crap. How many times has someone pretended to be a professional athlete and successfully written bad checks? I bet you that I could show up at TechEd and get people to believe that I'm Scoble.
http://interviews.slashdot.org/article.pl?sid=06/01/26/131246&from=rss
Good interview, but of course don't waste your time with the comments. When the Slashdot crowd hears the word Microsoft, it's like Pavlov's dog and the dinner bell.
Here are some notes:
In Vista the Giant antispyware acquisition will be built in. It is named Windows Defender.
The firewall will be bidirectional in Vista.
"After Blaster happened, I wanted to find out who was responsible for the buffer overflow that was exploited and hold the individual accountable. But once we looked into it, we realized that there was not a documented process that the developer was supposed to follow that would have prevented the mistake, nor did we have a set of procedures for our developers to verify that a secure development process was utilized." Hence the need for the Security Development Lifecycle and all the re-training.
So I've got my shiny new Treo 700w. It doesn't come with a holster like my BlackBerry. But hey, it's Windows Mobile 5. It's supposed to be better. It doesn't come with a cradle. But hey, it's Windows Mobile 5, it's supposed to be better.
Next, let's sync it up to the computer. Oh wait, some numb nuts thought it would be a good idea to use TCP/IP over the USB connection for the syncing. That means I have to whitelist 3 programs and 6 ports in order for this to work. Not only that, but I can't just whitelist them in my intranet personal firewall program. The mobile phone is self-assigning an IP address in the 169.254.x.x autoconfiguration range. This causes my personal firewall to drop into internet mode.
What does this mean? In order to sync I need to poke holes in my personal firewall allowing access to ActiveSync, a program which in prior versions has had denial of service vulnerabilities as well as information disclosure vulnerabilities. I am really not pleased about this. Not one bit.
Well, that's it for today. I'll go whitelist
I've been working at building a spreadsheet of patches, which are exploited, as well as the ratio of patched to unpatched systems at my company.
It's kind of a pain to search through old DeepSight notices to see which patches have associated exploits. The Elsenot Project posts which Microsoft patches have associated exploits. I'm not really a fan of their stated goal, "an exploit for every Microsoft vulnerability", but it is a good quick reference. One thing they could do better: in addition to linking to exploit code, they should also use the common name where possible, such as Slammer or Code Red.
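The spreadsheet described above boils down to a join between two lists: the host inventory (which bulletins each machine has installed) and a reference list of bulletins with a flag for whether a public exploit exists. The script below is an added example, not code from the original post or from any of the sources it mentions; it builds that join and ranks the bulletins a defender should chase first (public exploit and unpatched hosts, worst first). The host names, the `MSXX-` bulletin IDs and the exploit flags are constructed placeholders; only MS06-001 (the WMF bulletin) comes from the page. In practice the inventory would be exported from SMS and the exploit flags from a source such as the ones named above.

```python
"""Patch-exposure report: per-bulletin patched/unpatched counts and ratio,
plus a priority list of exploited-but-unpatched bulletins.

Added example. INVENTORY and BULLETINS are constructed sample data;
MS06-001 is the WMF bulletin from the post, the MSXX-* IDs are placeholders.
"""
import csv
import io

# Constructed inventory: host name -> set of bulletin IDs reported installed.
INVENTORY = {
    "ws-001": {"MS06-001", "MSXX-002"},
    "ws-002": {"MSXX-002", "MSXX-003"},
    "ws-003": {"MS06-001"},
    "srv-001": set(),
}

# Constructed reference list: bulletin -> exploit-known flag and common name.
BULLETINS = {
    "MS06-001": {"exploited": True, "name": "WMF"},   # from the post
    "MSXX-002": {"exploited": False, "name": None},   # placeholder
    "MSXX-003": {"exploited": True, "name": None},    # placeholder
}


def coverage(inventory, bulletins):
    """Return {bulletin: {exploited, name, patched, unpatched, ratio}}."""
    total = len(inventory)
    report = {}
    for bid, meta in bulletins.items():
        patched = sum(1 for installed in inventory.values() if bid in installed)
        report[bid] = {
            "exploited": meta["exploited"],
            "name": meta["name"],
            "patched": patched,
            "unpatched": total - patched,
            "ratio": patched / total if total else 0.0,
        }
    return report


def priority(report):
    """Bulletins with a public exploit and at least one unpatched host,
    ordered by number of exposed hosts (largest first), then by ID."""
    exposed = [(bid, r) for bid, r in report.items()
               if r["exploited"] and r["unpatched"]]
    exposed.sort(key=lambda kv: (-kv[1]["unpatched"], kv[0]))
    return [bid for bid, _ in exposed]


def unpatched_hosts(inventory, bulletin):
    """Hosts that do not report the given bulletin as installed."""
    return sorted(h for h, installed in inventory.items() if bulletin not in installed)


def to_csv(report):
    """Render the report as CSV text, one row per bulletin, header first."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["bulletin", "common_name", "exploit_public",
                     "patched", "unpatched", "patched_ratio"])
    for bid in sorted(report):
        r = report[bid]
        writer.writerow([bid, r["name"] or "", "yes" if r["exploited"] else "no",
                         r["patched"], r["unpatched"], f"{r['ratio']:.2f}"])
    return buf.getvalue()


if __name__ == "__main__":
    rep = coverage(INVENTORY, BULLETINS)
    print(to_csv(rep))
    for bid in priority(rep):
        print(f"{bid}: still missing on {unpatched_hosts(INVENTORY, bid)}")
```

The ratio alone hides which machines are exposed, which is why `unpatched_hosts` is kept separate: the priority list says what to push first, and the host list is what actually gets handed to the deployment team.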
Microsoft put out a press release yesterday indicating that Bulgarian police have arrested 8. They had performed phishing on MSN accounts.
http://blogs.technet.com/msrc/archive/2006/01/05/416980.aspx
I'm sure the SANS Handlers will have a coronary at the thought that their hystericane is not widespread. Nice to hear from Mike on this subject.
In a boring meeting about 2:45 I saw that the WMF patch, henceforth known as MS06-001, was out. I immediately grabbed most of the interested parties to organize a plan of action. Unfortunately I got waylaid by the firewall guy, and before I could escape the patch planning discussion was over. As a result, the full plan wasn't thought through.
We did manage to get the new cab file (or is that XML now) downloaded. Unfortunately the SMS guys don't know how to make the clients report that they need the patch until some automatic scan occurs tomorrow morning. That means the patch probably won't get deployed until 10am tomorrow. :(
Hey, I can only make the recommendation for deployment.
Over at Broadband Reports I see a thread with a link (which the moderator has deleted) claiming to be to the official Microsoft patch for the WMF vulnerability, and that it has been fully QA tested on Windows XP, Windows 2003 x86, x64 English and that it is currently being tested on other language installs and the IA64 architecture.
That sounds like great social engineering.
I've been wondering if Jesper Johansson had a blog, and sure enough Scoble linked to it today for his post on the WMF vulnerability. SWEET!
Does anyone know if Mike Nash or Steve Lipner have blogs?
I had been wondering if it is possible to run the third party WMF patch in a silent mode. When I downloaded the patch and ran it with a /? it did not give me any command line options. SANS is now reporting the syntax to run the install quietly.
I'm still wondering how to uninstall the patch programmatically when the real patch is released. I'm assuming since it is listed in Add/Remove Programs it should be possible to find the uninstall command line in the registry. I haven't looked through.
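The registry lookup mentioned above is straightforward: every entry in Add/Remove Programs is a subkey under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and the subkey's `UninstallString` value holds the command line (some installers also record a `QuietUninstallString` for unattended removal). The script below is an added example, not code from the post or from the third-party patch's author; rather than reading the live registry with `winreg` (Windows only), it parses a `reg export` file of that key so it can be run on any machine, including against a registry dump taken from another box. The `.reg` text, the `ExampleHotfix` subkey name, the display names and the paths in it are all constructed sample data, and the `/SILENT` switch in the sample is part of that constructed data rather than the switch SANS reported.

```python
"""Locate the uninstall command line for an Add/Remove Programs entry
in a `reg export` (.reg, version 5.00) file of the Uninstall key.

Added example. SAMPLE_REG below is constructed data: the subkey names,
display names, paths and switches are placeholders, not the real patch's.
"""
import re

# Constructed .reg export (raw string: the \\ and \" escapes are the file's own).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleHotfix]
"DisplayName"="Example WMF Hotfix (constructed)"
"DisplayVersion"="1.0"
"UninstallString"="\"C:\\Program Files\\ExampleHotfix\\unins000.exe\""
"QuietUninstallString"="\"C:\\Program Files\\ExampleHotfix\\unins000.exe\" /SILENT"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OtherApp]
"DisplayName"="Other Application"
"UninstallString"="C:\\WINDOWS\\OtherApp\\uninst.exe"
"NoModify"=dword:00000001
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"=<rest>; the name may itself contain \" or \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """.reg files escape backslash and double quote with a leading backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for string (REG_SZ) values.
    dword:/hex: values are skipped; they never hold a command line."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            val = m.group(2)
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                entries[current][name] = _unescape(val[1:-1])
    return entries


def find_uninstall(entries, display_name_fragment):
    """Case-insensitive substring match on DisplayName; returns the subkey
    and its uninstall command lines, or None if nothing matches."""
    needle = display_name_fragment.lower()
    for key, values in entries.items():
        if needle in values.get("DisplayName", "").lower():
            return {
                "key": key,
                "UninstallString": values.get("UninstallString"),
                "QuietUninstallString": values.get("QuietUninstallString"),
            }
    return None


if __name__ == "__main__":
    hit = find_uninstall(parse_reg(SAMPLE_REG), "wmf hotfix")
    print(hit)
```

Matching on `DisplayName` rather than on the subkey name matters because many installers use a GUID as the subkey, so the display name is the only stable handle. A missing `QuietUninstallString` means the silent switch has to come from the installer's own documentation, as it did for the install in this case.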
SANS has posted a WMF FAQ. Good summary for those not keeping up.
http://isc.sans.org/diary.php?storyid=994