Microsoft: November 2006 Archives

Michael Daw is at it again. In September SANS reported on his report of a vulnerability in Adobe Reader and Adobe Professional whereby an external webpage could be opened without further user interaction if a user opens a malicious PDF document.

Now, SANS is reporting on a similar vulnerability he accessed through IFRAMEs in Microsoft Word.

Michael's website is not accessible right now. I remember checking out the sample PDF files on his site back in September.

A couple of graduate students have written an article in The Register reporting that the IE7 critical update is causing headaches for managed environments.

If these really are managed environments, how is it that patches are being deployed without the I.T. department's knowledge? Why wasn't the IE7 blocker deployed? It was available a long time before IE7 was released to Windows Update.

The authors make a weird comment:

"For those organizations wishing to hold back a little further until these potential issues are sorted out by a later IE service pack (we are already on SP2) "

So in their world we're running IE7 SP2? That's kind of strange. Further, the authors imply that Microsoft released the IE7 automatic updates blocker as a result of this problem. In reality they released it in July.

The problem they are reporting is that the home page can be changed by the user; it isn't locked down. Because the article is poorly written, we don't know how the home page was originally locked, so we really don't know if there is actually a problem. Again, in a managed environment, you deploy the blocker (which admittedly only prevents accidental installs) or you don't provide your users with local administrator rights. Either way, you would have tested this desired functionality (preferably in the year-long beta of IE7) so you're not surprised.

I wonder what method they used to try to lock the IE home page. Did they lock it with the IEAK for IE6, and then they are surprised it doesn't work with IE7? Or did they attempt to lock it with Group Policy and it doesn't work? I'm kind of curious.

I haven't seen this myself. In our environment we're just beginning to work with the internal application administrators to verify that IE7 will work with our HR, Finance and Payroll websites.

In a managed environment, you should deploy the Toolkit to disable automatic delivery (which, oh by the way, was released in July) and use the Internet Explorer Administrators Toolkit 7 to deploy with the correct settings.

Microsoft has posted the Vista Security Guide.

It's been reviewed by NIST and the NSA.

I spoke with my Microsoft TAM today about how to add the additional registry tweaks found in the XP Security Guide into my Group Policy. I had expected to find *.adm files with the configurations.

The instructions in the XP Security Guide helped me import those settings into Security Templates and Security Configuration Editor, but I wasn't able to import that new template into Group Policy. It turns out I made a rookie mistake. My domain controllers are Windows 2000. So when I created a new policy on the 2000 domain controller and tried to import an XP policy with these 'extra' settings, it understandably choked on that. What I needed to do was use AD Users and Computers on my desktop, connect to the domain controller and create the new policy. By doing that, the policy is upgraded to "XP" and I'm able to import the XP policies, including the new extra registry tweaks I had added.

The XP Security Guide from Microsoft makes it really easy to add their security tweaks. But what if you had some others you wanted to add? Well, first I would search carefully to see if what you want is already in Group Policy. No need to reinvent the wheel.

If you really do need to create your own registry settings, there is still the old-school ADM way, but you can now add the settings to your security template using instructions here.
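Before importing a customized template into Group Policy, it helps to confirm that the extra registry settings actually landed in its `[Registry Values]` section with the intended type and data. The following is an added example, not code from the original post or from Microsoft's guides; the sample template is constructed and the `Example\Hardening` key is hypothetical.

```python
# Added example: audit [Registry Values] lines, format <hive\key\value>=<type>,<data>
REG_TYPES = {"1": "REG_SZ", "2": "REG_EXPAND_SZ", "3": "REG_BINARY",
             "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

# Constructed sample template; the Example\Hardening entries are hypothetical.
SAMPLE_INF = r"""
[Version]
signature="$CHICAGO$"
[Registry Values]
; LM hash storage disabled
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\Software\Example\Hardening\SampleSetting=4,0
MACHINE\Software\Example\Hardening\Banner=1,"Authorized use only"
[Event Audit]
AuditLogonEvents=3
"""

def parse_registry_values(inf_text):
    """Return {lowercased registry path: (type name, data)} from [Registry Values]."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # entering a new section
            continue
        if section != "registry values" or "=" not in line:
            continue                              # ignore every other section
        path, _, rhs = line.partition("=")
        type_code, _, data = rhs.partition(",")
        reg_type = REG_TYPES.get(type_code.strip(), "UNKNOWN")
        values[path.strip().lower()] = (reg_type, data.strip().strip('"'))
    return values

def audit(inf_text, expected):
    """Compare the template against {path: (type, data)}; return a list of findings."""
    actual = parse_registry_values(inf_text)
    findings = []
    for path, want in expected.items():
        got = actual.get(path.lower())            # registry paths are case-insensitive
        if got is None:
            findings.append(f"MISSING  {path}")
        elif got != want:
            findings.append(f"MISMATCH {path}: template has {got}, expected {want}")
    return findings
```

Real template files are normally saved as Unicode text, so decode them accordingly before passing the contents to `audit`.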