Microsoft: October 2006 Archives

As I've mentioned, I've been hard at work adapting the NIST Windows XP hardening guidelines in 800-68. Any hardening guideline should be examined for appropriateness to one's corporate environment.

One thing I noticed about both NIST's writeup and Microsoft's is that neither provides an ADM template. They both have settings that are not part of Group Policy, such as disabling autorun or disabling auto admin logon. Microsoft seems to be providing a VBScript that will "patch" the Security Configuration Editor to include these settings. That would work well when I am applying the security settings to a computer being used to create a disk image for future deployment, but I don't see how I could use that to deploy through Group Policy.

Unless someone has a better idea, it looks like I'm going to be creating my own ADM file soon.

Great post by Security MVP Alun Jones about the kernel API access Microsoft is giving vendors.

He says the tech press may be awarding victory to the antivirus companies, but the bottom line is they still don't have the right to hook the kernel in crash-inducing ways. They have been provided access to a documented API, which, after all, is what an API is for.

- Six bulletins for Microsoft Windows. The highest severity rating for these issues is 'Critical'.
- Four bulletins for Microsoft Office. The highest severity rating for these issues is 'Critical'.
- One bulletin for Microsoft .NET Framework. The severity rating for this issue is 'Moderate'.

So there is a new vulnerability (announced last week) that is reachable through Internet Explorer. Microsoft describes it as a Windows Shell vulnerability. You may see it listed by other sources as the setSlice exploit.

The SANS ISC set their Infocon alert status to Yellow. Of course, they do this to increase "awareness," not because of any specific widespread threat. F-Secure reports that while it's out there, they aren't seeing it in huge numbers.

Of the mitigations listed, my favorite is to set the ActiveX kill bits.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

The problem with this mitigation (as with most mitigations) is understanding the potential impact. Microsoft reports that performing this step could cause "Web sites that use the WebViewFolderIcon ActiveX Control to no longer display or function correctly." But there is no statement regarding how common this will actually be.

Additionally, I wonder if this will affect viewing folders locally. I don't know. The name WebViewFolderIcon makes me wonder.

Lastly, while setting an ActiveX kill bit is easy, I feel it is more difficult to put the computer back to its original state after the patch.

The bottom line is that I don't feel like I have enough information to make a decision.
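Here is an added example (my own script, not something from the Microsoft advisory) that applies the same two kill bits as the .reg file above but records each CLSID's prior Compatibility Flags value first, so the change can be reverted exactly once the patch is installed. The backup file location is an assumption; it must be run from an elevated prompt.

```powershell
# Added example, not from the original post or the advisory. Sets the ActiveX kill
# bit (0x400 in "Compatibility Flags") for the two CLSIDs quoted above, keeping a
# record of the prior value so the machine can be put back exactly as it was.
$KillBit    = 0x400
$BaseKey    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$BackupFile = "$env:ProgramData\killbit-backup.csv"   # assumed location

function Set-KillBit {
    param([string[]]$Clsid)
    $records = foreach ($id in $Clsid) {
        $key = Join-Path $BaseKey $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $old = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Remember what was there; $null means the value did not exist at all
        [pscustomobject]@{ Clsid = $id; OldFlags = $old }
        # OR the kill bit into any flags already set rather than overwriting them
        $new = [int]($old -bor 0) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
    $records | Export-Csv -Path $BackupFile -NoTypeInformation
}

function Restore-KillBit {
    Import-Csv -Path $BackupFile | ForEach-Object {
        $key = Join-Path $BaseKey $_.Clsid
        if ($_.OldFlags -eq '') {
            # The value did not exist before, so removing it restores the original state
            Remove-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -Value ([int]$_.OldFlags) -Type DWord
        }
    }
}

function Test-KillBit {
    param([string]$Clsid)
    $key   = Join-Path $BaseKey $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ((($flags -bor 0) -band $KillBit) -eq $KillBit)
}

# The two CLSIDs from the advisory's .reg file quoted above
$Targets = '{e5df9d10-3b52-11d1-83e8-00a0c90dc849}', '{844F4806-E8A8-11d2-9652-00C04FC30871}'
Set-KillBit -Clsid $Targets
$Targets | ForEach-Object { '{0} kill bit set: {1}' -f $_, (Test-KillBit $_) }
# After the patch is installed, run Restore-KillBit to return to the recorded state.
```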