
Microsoft Zero Day security holes being exploited



 
 
  #61  
Old September 30th 06, 12:18 AM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
cquirke (MVP Windows shell/user)
external usenet poster
 
Posts: 274
Default Microsoft Zero Day security holes being exploited

On Fri, 29 Sep 2006 05:50:14 -0600, Dan wrote:

I will copy and paste your reply to assist me in hardening all XP Pro.
computers. Do you have similar advice for the hardening of all the 98
Second Edition computers as well --- they are connected to the Internet
as my machine is and also are connected to the school's domain.


I wrote up hardening Win9x a while ago... let's see... ah:

http://cquirke.mvps.org/9x/riskfix.htm

In those days, no-one here had any kind of broadband, and ICS was
rarely used - so there was no need for TCP/IP on the LAN at all.

Avoiding TCP/IP on the LAN card has two advantages in Win9x; no DHCP
prompts, and better separation of LAN and Internet. You'd have (say)
File and Print Sharing (F&PS) on NetBEUI on LAN card, and no F&PS on
TCP/IP on DUN. The two would be well air-gapped, unless malware
established a bridge-head on one PC and re-entered the LAN from there.

Then folks wanted shared Internet access, either via ICS on DUN or via
LAN through an ADSL router. The strategy changed to; F&PS on NetBEUI
on LAN, no-F&PS on TCP/IP on LAN, and no F&PS on TCP/IP on DUN.

This worked brilliantly; most firewall software wouldn't tangle F&PS
because that wasn't on TCP/IP at all.

Then along came XP, which broke NetBEUI and IPX when it came to doing
F&PS across mixed Win9x and XP peer-to-peer networks. Believe me, I
tried getting IPX to work, as well as applying the "not supported"
NetBEUI from the XP CD. Typically, all the Win9x systems would see
each other and all the XP systems would see each other, but you
couldn't traverse the two tribes via F&PS.

So I was obliged to use the same TCP/IP protocol on both DUN and LAN,
and do F&PS on this protocol as well. Ungood.

BTW, what are the advantages and disadvantages of connecting my machine
to the school's domain and if the school's domain is down will my
machine be down from the Internet as well if I use their domain? Thanks


I'm under-experienced with domains, because I don't do server-based
LANs at all. That's a whole 'nother world ;-)

AFAIK, XP Home and Win9x can't operate as effective domain clients,
which is the main purpose of XP Pro. You can log Win9x into a domain,
but there's far less control that the domain can impose on Win9x.

This is why commentators claim that Win9x has "no security".

and what I really need besides your advice on domains is a good article
about domains that I can read when I get a chance since I know so little
about them.


That info is out there; in fact, it's the main thrust of most formal
MS tech training etc. It's really powerful but very detailed stuff,
with a fair number of gotchas and complications. For example, what
happens to a system that has domain control over its settings, when it
isn't connected to the domain?



------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -

  #62  
Old September 30th 06, 04:11 AM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
karl levinson, mvp
external usenet poster
 
Posts: 73
Default Microsoft Zero Day security holes being exploited


"Dan" wrote in message
...
Great Job, Chris!

I will copy and paste your reply to assist me in hardening all XP Pro.
computers. Do you have similar advice for the hardening of all the 98
Second Edition computers as well --- they are connected to the Internet as
my machine is and also are connected to the school's domain.


Windows 98 was never designed for security.

Many of the things on Chris' list were either fixed in the default settings
in Windows XP SP2, or aren't the biggest risk you need to be worrying about.
People consider XP SP2 default settings fairly secure. You can spend a lot
of time and money on lots of tweaks to the default settings, without gaining
a lot of real security.



  #63  
Old September 30th 06, 04:17 AM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
karl levinson, mvp
external usenet poster
 
Posts: 73
Default Microsoft Zero Day security holes being exploited


"cquirke (MVP Windows shell/user)" wrote in
message ...

All operating systems do that. They are designed to launch code at boot
time by reading registry values, text files, etc. Because those registry
values are protected from unauthorized access by permissions, someone would
have to already own your system to modify those values, wouldn't they?


Sure, but the wrong entities come to own systems all the time.


My point is that this one example here doesn't seem to be a vulnerability if
it requires another vulnerability in order to use it. This isn't a case of
combining two vulnerabilities to compromise a system; it's a case of one
unnamed vulnerability being used to compromise a system, and then the
attacker performs some other action, specifically changing registry values.
If this is a vulnerability, then the ability of Administrators to create new
user accounts, change passwords etc. would also be a vulnerability.

Defense in depth means planning for how you get your system back; you
don't just faint in shock and horror that you're owned, and destroy
the whole system as the only way to kill the invader.


That's a different issue than the one we were discussing. The statement
was, winlogon using registry values to execute code at boot time is a
vulnerability. I'm arguing that it is not.

Besides, it's a relatively accepted truism that once an attacker has root,
system or administrator privileges on any OS, it is fairly futile to try to
restrict what actions s/he can perform. Anything a good administrator can
do, a bad administrator can undo.


  #64  
Old September 30th 06, 01:55 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
Dan W.
external usenet poster
 
Posts: 30
Default Microsoft Zero Day security holes being exploited

cquirke (MVP Windows shell/user) wrote:
On Fri, 29 Sep 2006 05:50:14 -0600, Dan wrote:

I will copy and paste your reply to assist me in hardening all XP Pro.
computers. Do you have similar advice for the hardening of all the 98
Second Edition computers as well --- they are connected to the Internet
as my machine is and also are connected to the school's domain.


I wrote up hardening Win9x a while ago... let's see... ah:

http://cquirke.mvps.org/9x/riskfix.htm

In those days, no-one here had any kind of broadband, and ICS was
rarely used - so there was no need for TCP/IP on the LAN at all.

Avoiding TCP/IP on the LAN card has two advantages in Win9x; no DHCP
prompts, and better separation of LAN and Internet. You'd have (say)
File and Print Sharing (F&PS) on NetBEUI on LAN card, and no F&PS on
TCP/IP on DUN. The two would be well air-gapped, unless malware
established a bridge-head on one PC and re-entered the LAN from there.

Then folks wanted shared Internet access, either via ICS on DUN or via
LAN through an ADSL router. The strategy changed to; F&PS on NetBEUI
on LAN, no-F&PS on TCP/IP on LAN, and no F&PS on TCP/IP on DUN.

This worked brilliantly; most firewall software wouldn't tangle F&PS
because that wasn't on TCP/IP at all.

Then along came XP, which broke NetBEUI and IPX when it came to doing
F&PS across mixed Win9x and XP peer-to-peer networks. Believe me, I
tried getting IPX to work, as well as applying the "not supported"
NetBEUI from the XP CD. Typically, all the Win9x systems would see
each other and all the XP systems would see each other, but you
couldn't traverse the two tribes via F&PS.

So I was obliged to use the same TCP/IP protocol on both DUN and LAN,
and do F&PS on this protocol as well. Ungood.

BTW, what are the advantages and disadvantages of connecting my machine
to the school's domain and if the school's domain is down will my
machine be down from the Internet as well if I use their domain? Thanks


I'm under-experienced with domains, because I don't do server-based
LANs at all. That's a whole 'nother world ;-)

AFAIK, XP Home and Win9x can't operate as effective domain clients,
which is the main purpose of XP Pro. You can log Win9x into a domain,
but there's far less control that the domain can impose on Win9x.

This is why commentators claim that Win9x has "no security".

and what I really need besides your advice on domains is a good article
about domains that I can read when I get a chance since I know so little
about them.


That info is out there; in fact, it's the main thrust of most formal
MS tech training etc. It's really powerful but very detailed stuff,
with a fair number of gotchas and complications. For example, what
happens to a system that has domain control over its settings, when it
isn't connected to the domain?



------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -


Thanks for the great replies as usual. I hope someone can answer your
question since I do not know. I really appreciate all the knowledge you
have provided me over the years, Chris and I see you as an awesome
person. Please accept my heartfelt and warm thanks for continuing to
help me in my endeavors to help secure computers that are connected to
the Internet. I saved the information on securing the XP Pro. computers
and printed it all out for reference when securing the XP Pro. computers
at school. Apparently, they have some powerful security tied in with
the domain but it would be just great if I could help secure the systems
slowly but surely which I am doing at the site level. BTW, yesterday I
was working on a machine for a couple of hours that had been messed with
big time. I removed some spyware such as cool web junk and wild tangent
junk. The antivirus scanner did not even work -- it had been messed
with. Spybot -- Search and Destroy actually was the only scanner that
removed and detected the junk out of all of them I used but that might
have just been because of the order that I ran the scanners in. I also
installed AVG and proceeded to do a complete scan for viruses in the
system. The system froze up once and I had to pull out the power cord
and reinsert to force a reset -- oh by the way this was an XP
Professional machine --- and guess what -- error at the BIOS level.
Dang, I needed to get into the BIOS and the machine did not want to let
me into the BIOS settings. Okay, I had to leave and get information
from another member of the security computer team at our school. I got
it and returned after praying of course and bingo the BIOS screen was
showing. Thank goodness --- Yes success --- I was in and the fix was
easy from there --- just apply the proper BIOS settings that someone had
messed with and bingo the machine booted up without issue. I ended up
leaving the machine running a full anti-virus scan with AVG because it
was taking forever and the teacher of the classroom and myself needed to
go home --- it was 5pm and we were both scheduled just until 4pm. It is
amazing how time flies when you are working on computer(s).
  #65  
Old September 30th 06, 02:05 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security,microsoft.public.win98.gen_discussion
Dan W.
external usenet poster
 
Posts: 30
Default Microsoft Zero Day security holes being exploited

Karl Levinson, mvp wrote:
"Dan" wrote in message
...
Great Job, Chris!

I will copy and paste your reply to assist me in hardening all XP Pro.
computers. Do you have similar advice for the hardening of all the 98
Second Edition computers as well --- they are connected to the Internet as
my machine is and also are connected to the school's domain.


Windows 98 was never designed for security.

Many of the things on Chris' list were either fixed in the default settings
in Windows XP SP2, or aren't the biggest risk you need to be worrying about.
People consider XP SP2 default settings fairly secure. You can spend a lot
of time and money on lots of tweaks to the default settings, without gaining
a lot of real security.




Yes, 98SE edition computers are not designed for security but are more
safe than XP Professional computers when regarding outside attacks.
Please see the following secunia advisories for proof of concept:

Microsoft Windows Shell Code Execution Vulnerability Advisory

Secunia Advisory: SA22159
Release Date: 2006-09-28
Last Update: 2006-09-29

Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-3730 (Secunia mirror)


Description:
H D Moore has discovered a vulnerability in Microsoft Windows, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the Windows Shell and is
exposed via the "setSlice()" method in the WebViewFolderIcon ActiveX
control (webvw.dll). This can e.g. be exploited via Internet Explorer by
a malicious website to corrupt memory by passing specially crafted
arguments to the "setSlice()" method.

Successful exploitation allows execution of arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerability is confirmed on a fully patched system with Internet
Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be
affected.

Solution:
Set the kill bit for the "WebViewFolderIcon" ActiveX control (see
Microsoft advisory for details).

Only allow trusted websites to run ActiveX controls.

Provided and/or discovered by:
H D Moore

Changelog:
2006-09-29: Added additional information provided by Microsoft. Added
link to Microsoft advisory and updated "Solution" section. Updated
affected software.

Original Advisory:
H D Moore:
http://browserfun.blogspot.com/2006/...-setslice.html

Microsoft:
http://www.microsoft.com/technet/sec...ry/926043.mspx


Please note: The information that this Secunia Advisory is based on
comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports
issued by security research groups, vendors, and others.



http://secunia.com/advisories/22159/

What the heck is going on. It seems like new critical security
advisories are being posted daily.

Vendor Microsoft

Product Link N/A

Affected By 154 Secunia advisories

Unpatched 19% (29 of 154 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Windows
XP Professional, with all vendor patches applied, is rated Extremely
critical

http://secunia.com/product/22/

http://secunia.com/product/13/

Vendor Microsoft

Product Link N/A

Affected By 32 Secunia advisories

Unpatched 9% (3 of 32 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Windows
98 Second Edition, with all vendor patches applied, is rated Less critical

http://secunia.com/product/11/

Vendor Microsoft

Product Link View Here (Link to external site)

Affected By 106 Secunia advisories

Unpatched 18% (19 of 106 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Internet
Explorer 6.x, with all vendor patches applied, is rated Extremely critical

http://secunia.com/product/102/

Vendor Microsoft

Product Link View Here (Link to external site)

Affected By 21 Secunia advisories

Unpatched 29% (6 of 21 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Outlook
Express 6, with all vendor patches applied, is rated Moderately critical


http://secunia.com/product/4227/

Vendor Mozilla Organization

Product Link View Here (Link to external site)

Affected By 36 Secunia advisories

Unpatched 8% (3 of 36 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Mozilla Firefox
1.x, with all vendor patches applied, is rated Less critical

http://secunia.com/product/4652/

Vendor Mozilla Organization

Product Link View Here (Link to external site)

Affected By 4 Secunia advisories

Unpatched 0% (0 of 4 Secunia advisories)

Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when
all vendor patches are applied.

This one was for Mozilla Thunderbird. I am going to try and add the 98
general newsgroup since this involves them as well.
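
The Secunia advisory quoted in the post above names "set the kill bit" as the workaround. As an added example (not part of the thread or of the Secunia or Microsoft text), this Python script audits a `regedit` export of the ActiveX Compatibility key and reports, per CLSID, whether the kill bit is actually in effect. The CLSIDs and the sample export are constructed placeholders; the real WebViewFolderIcon identifiers come from the Microsoft advisory.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that makes Internet Explorer refuse to load a control
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

SECTION = re.compile(r"^\[(-?)(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(.*)$')
DWORD = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")

# Placeholder CLSIDs (constructed). Replace with the ones listed in the vendor advisory.
CLSIDS = ["{00000000-0000-0000-0000-0000000000A%d}" % n for n in range(1, 6)]

# Constructed sample export covering the cases an audit has to tell apart.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000a3}]
"Compatibility Flags"="1024"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A4}]
"Compatibility Flags"=dword:00800400

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A5}]
"""


def decode_export(data: bytes) -> str:
    """Version 5.00 exports are UTF-16 with a BOM; older REGEDIT4 files are ANSI."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_reg(text: str) -> dict:
    """Return {key_lower: {value_name_lower: ("dword", int) or ("other", raw_text)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            # "[-key]" is a delete instruction, not data: the key does not exist.
            current = None if m.group(1) else keys.setdefault(m.group(2).lower(), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            d = DWORD.match(m.group(2).strip())
            current[m.group(1).lower()] = (
                ("dword", int(d.group(1), 16)) if d else ("other", m.group(2))
            )
    return keys


def kill_bit_status(keys: dict, clsid: str) -> str:
    """Classify one control: set, not-set, wrong-type, no-value or no-key."""
    entry = keys.get(f"{COMPAT_KEY}\\{clsid}".lower())  # registry paths are case-insensitive
    if entry is None:
        return "no-key"
    kind, value = entry.get("compatibility flags", (None, None))
    if kind is None:
        return "no-value"
    if kind != "dword":
        # The flags are documented as a REG_DWORD; anything else is flagged for review.
        return "wrong-type"
    # Other flag bits may be present alongside the kill bit, so test the bit, not equality.
    return "set" if value & KILL_BIT else "not-set"


def audit(export: bytes, clsids) -> dict:
    """Map each CLSID to its kill-bit status in a raw export file's bytes."""
    keys = parse_reg(decode_export(export))
    return {c: kill_bit_status(keys, c) for c in clsids}


if __name__ == "__main__":
    for clsid, status in audit(SAMPLE.encode("utf-16"), CLSIDS).items():
        print(f"{clsid}  {status}")
```

Anything other than "set" means Internet Explorer on that machine can still instantiate the control, so the workaround is not in place there.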
  #66  
Old September 30th 06, 02:31 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
Dan W.
external usenet poster
 
Posts: 30
Default Microsoft Zero Day security holes being exploited

Karl Levinson, mvp wrote:
"cquirke (MVP Windows shell/user)" wrote in
message ...

All operating systems do that. They are designed to launch code at boot
time by reading registry values, text files, etc. Because those registry
values are protected from unauthorized access by permissions, someone would
have to already own your system to modify those values, wouldn't they?

Sure, but the wrong entities come to own systems all the time.


My point is that this one example here doesn't seem to be a vulnerability if
it requires another vulnerability in order to use it. This isn't a case of
combining two vulnerabilities to compromise a system; it's a case of one
unnamed vulnerability being used to compromise a system, and then the
attacker performs some other action, specifically changing registry values.
If this is a vulnerability, then the ability of Administrators to create new
user accounts, change passwords etc. would also be a vulnerability.

Everyone needs to know that all computers are somewhat vulnerable if
they are connected to the Internet no matter what the defense protocol
procedures that are used to safeguard the system(s) and the network(s).

Defense in depth means planning for how you get your system back; you
don't just faint in shock and horror that you're owned, and destroy
the whole system as the only way to kill the invader.


That's a different issue than the one we were discussing. The statement
was, winlogon using registry values to execute code at boot time is a
vulnerability. I'm arguing that it is not.

Besides, it's a relatively accepted truism that once an attacker has root,
system or administrator privileges on any OS, it is fairly futile to try to
restrict what actions s/he can perform. Anything a good administrator can
do, a bad administrator can undo.


It is indeed a good idea to have user accounts that have fewer privileges
than the admin. accounts do. If a Classic series of 9x came out that
worked well with older Windows 3.1 and DOS programs which I and the
school that I work with has a great deal of titles accumulated over the
years then it would be just great. This new 9x machine that is a
successor to 98 Second Edition would have Admin. accounts and User
accounts just like in XP but still has the overall system security of 9x
as I have provided in great detail in an above post on system
vulnerabilities in the two operating systems. The real deal is that 98
Second Edition has been out since 1999 while 98 came out in 1998 and I
think ME which was the last of the series came out in 2000. Like Chris
Quirke has said, ME introduced a lot of new concepts like System Restore
and you had the ability of drivers that did not need to be updated for a
particular system device like in 98 Second Edition. The problem was ME
started to get away from the compatibility roots that 98SE had and did
not have a resource kit like 98SE had so businesses and others did not
take it seriously. In addition, the easy exit to MS-DOS (Microsoft Disk
Operating System) was removed and the only way to DOS was through a boot
disk. The NT (New Technology) source code was flawed from the beginning
according to early Microsoft engineers in a text that I have read all
about Microsoft and its early days to present time. The early Microsoft
software engineers nicknamed it the Not There code since it did not have
the type of maintenance operating system that Chris Quirke, MVP fondly
talks about in regards to 98 Second Edition. Anyway, there was the 9x
line and the NT line and Microsoft wanted to eliminate one line of code
to allow for the focus to be on just one line of code. The problem is
that at the bare bones level the source code of 9x is actually more
secure --- I know that this is a RADICAL and hard to swallow statement
but it is TRUE!!! Windows NT (New Technology) that comes in flavors of
Windows NT, Windows 2000, Windows XP, and soon to be Windows Vista is
very secure because it has strong defenses. If you strip away the
defenses and compare the base lines of code in NT and 9x then you will
see that it is completely conclusive that 9x is more secure at the base
foundation of the kernel. This is an amazing concept. It would not
actually surprise me if Microsoft does indeed release this Classic
Series of 9x operating systems for the older software and as another
choice for consumers, businesses and governments. This Classic series
would be aimed at consumers and schools who have the need and desire of
great legacy compatibility.

Anyway, I digress and I wanted to see that System Administrators need to
learn how to edit and manually customize the registry in order to stop
the attacks that are coming in an ever increasing wave at a super fast pace.




in-line afterwards too
  #67  
Old September 30th 06, 03:06 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security,microsoft.public.win98.gen_discussion
karl levinson, mvp
external usenet poster
 
Posts: 73
Default Microsoft Zero Day security holes being exploited


"Dan W." wrote in message
...

Yes, 98SE edition computers are not designed for security but are more
safe than XP Professional computers when regarding outside attacks. Please
see the following secunia advisories for proof of concept:


Maybe if you're only counting number of vulnerabilities found. But on the
other hand, there are and always will be more unpatched vulnerabilities for
Windows 98, because Microsoft is not providing patches for all Windows 98
vulnerabilities. Windows 98 lacks any ability to set ACL permissions on
files and registry values via NTFS, and you can log into Windows simply by
clicking the "cancel" button at the logon screen. On multi-user systems,
all users can read and modify all files belonging to all other users and to
the operating system. NTFS and the ability to log in as limited user
accounts has been shown to drastically reduce the amount of spyware and
adware that gets installed on a system. And availability can be an issue on
old and unsupported software like Windows 98.

Regarding hardening XP, the hardening guides from
www.microsoft.com/technet/security are very good. NSA worked with Microsoft
during their development, and as a result, NSA no longer publishes their own
hardening guides for XP, instead simply linking their web site to
Microsoft's guides.


  #68  
Old September 30th 06, 03:23 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
karl levinson, mvp
external usenet poster
 
Posts: 73
Default Microsoft Zero Day security holes being exploited


"Dan W." wrote in message
...

Everyone needs to know that all computers are somewhat vulnerable if they
are connected to the Internet no matter what the defense protocol
procedures that are used to safeguard the system(s) and the network(s).


Agreed.

This new 9x machine that is a successor to 98 Second Edition would have
Admin. accounts and User accounts just like in XP but still has the
overall system security of 9x as I have provided in great detail in an
above post on system vulnerabilities in the two operating systems.


Fewer vulnerabilities are being reported for Windows 98 because Windows 98
is old and less commonly used, and vulns found for it get you less fame and
glory. New vulns found tend to go down as software ages and matures. A new
version of 98 would quickly be attacked and vulns found.

The real deal is that 98 Second Edition has been out since 1999 while 98
came out in 1998 and I think ME which was the last of the series came out
in 2000. Like Chris Quirke, has said ME introduced a lot of new concepts
like System Restore


Didn't XP expand on and improve the system restore feature to a level not
currently in 98 or ME?

about Microsoft and its early days to present time. The early Microsoft
software engineers nicknamed it the Not There code since it did not have
the type of maintenance operating system that Chris Quirke, MVP fondly
talks about in regards to 98 Second Edition.


If the MOS being discussed for Win 98 is the system boot disk floppy, that
was a very basic MOS and it still works on Windows XP just as well as it
ever did on Windows 98. [Sure, you either have to format your disk as FAT,
or use a third party DOS NTFS driver.] I think Chris really wants not that
kind of MOS but a much bigger and better one that has never existed. XP
also comes with a number of restore features such as Recovery Console and
the Install CD Repair features. I never use those or find them very useful
for security, but they're way more functional and closer to an MOS than the
Win98 recovery floppy or anything Win98 ever had. 98 never had a registry
editor or a way to modify services like the XP Recovery Console.

that at the bare bones level the source code of 9x is actually more
secure --- I know that this is a RADICAL and hard to swallow statement but
it is TRUE!!! Windows NT (New Technology) that comes in flavors of
Windows NT, Windows 2000, Windows XP, and soon to be Windows Vista is very
secure because it has strong defenses. If you strip away the defenses and
compare the base lines of code in NT and 9x then you will see that it is
completely conclusive that 9x is more secure at the base foundation of the
kernel.


It depends on what you consider security. Win98 was always crashing and
unstable, because there was no protection of memory space from bad apps or
bad attackers. Many environments like government consider the "strong
defenses" absolutely essential and wouldn't consider evaluating the security
of an OS that didn't have them.

Win98 doesn't have some features that some customers and people require. If
Microsoft was to release a new 98, Microsoft would probably be forced to add
those extra features and extra code that are in XP that you feel make it
less secure.

This is an amazing concept. It would not actually surprise me if
Microsoft does indeed release this Classic Series of 9x operating systems
for the older software and as another choice for consumers, businesses and
governments. This Classic series would be aimed at consumers and schools
who have the need and desire of great legacy compatibility.


Microsoft's security problems have largely been because of backwards
compatibility with Windows 9x, DOS and Windows NT 4.0. They feel, and I
agree, that Microsoft security would be a lot better if they could abandon
that backwards compatibility with very old niche software, as they have been
doing gradually.


  #69  
Old September 30th 06, 04:35 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
cquirke (MVP Windows shell/user)
external usenet poster
 
Posts: 274
Default Microsoft Zero Day security holes being exploited

On Fri, 29 Sep 2006 23:17:02 -0400, "Karl Levinson, mvp"
"cquirke (MVP Windows shell/user)" wrote in


All operating systems do that. They are designed to launch code at boot
time by reading registry values, text files, etc. Because those registry
values are protected from unauthorized access by permissions, someone
would have to already own your system to modify those values, wouldn't they?


The weakness here is that anything that runs during the user's session
is deemed to have been run with the user's intent, and gets the same
rights as the user. This is an inappropriate assumption when there
are so many by-design opportunities for code to run automatically,
whether the user intended to do so or not.

Sure, but the wrong entities come to own systems all the time.


My point is that this one example here doesn't seem to be a vulnerability if
it requires another vulnerability in order to use it.


Many vulnerabilities fall into that category, often because the extra
requirement was originally seen as sufficient mitigation.
Vulnerabilities don't have to facilitate primary entry to be
significant; they may escalate access after entry, or allow the active
malware state to persist across Windows sessions, etc.

This isn't a case of combining two vulnerabilities to compromise a
system; it's a case of one unnamed vulnerability being used to
compromise a system, and then the attacker performs some other
action, specifically changing registry values.


If this is a vulnerability, then the ability of Administrators to create new
user accounts, change passwords etc. would also be a vulnerability.


OK, now I'm with you, and I agree with you up to a point. I dunno
where the earlier poster got the notion that Winlogon was there to act
as his "ace in the hole" for controlling malware, as was implied.

Defense in depth means planning for how you get your system back; you
don't just faint in shock and horror that you're owned, and destroy
the whole system as the only way to kill the invader.


That's a different issue than the one we were discussing. The statement
was, winlogon using registry values to execute code at boot time is a
vulnerability. I'm arguing that it is not.


I agree with you that it is not - the problem is the difficulty that
the user faces when trying to regain control over malware that is
using Winlogon and similar integration points.

The safety defect is that:
- these integration points are also effective in Safe Mode
- there is no maintenance OS from which they can be managed

We're told we don't need a HD-independent mOS because we have Safe
Mode, ignoring the possibility that Safe Mode's core code may itself
be infected. Playing along with that assertion, we'd expect Safe Mode
to disable any 3rd-party integration, and would provide a UI through
which these integration points can be managed.

But this is not the case - the safety defect is that once software is
permitted to run on the system, the user lacks the tools to regain
control from that software. Couple that with the Windows propensity
to auto-run material either by design or via defects, and you have
what is one of the most common PC management crises around.

Besides, it's a relatively accepted truism that once an attacker has root,
system or administrator privileges on any OS, it is fairly futile to try to
restrict what actions s/he can perform. Anything a good administrator can
do, a bad administrator can undo.


That's a safety flaw right there.

You're prolly thinking from the pro-IT perspective, where users are
literally wage-slaves - the PC is owned by someone else, the time the
user spends on the PC is owned by someone else, and that someone else
expects to override user control over the system.

So we have the notion of "administrators" vs. "users". Then you'd
need a single administrator to be able to manage multiple PCs without
having to actually waddle over to all those keyboards - so you design
in backdoors to facilitate administration via the network.

Which is fine - in the un-free world of mass business computing.

But the home user owns their PCs, and there is no-one else who should
have the right to usurp that control. Creditors and police do not
have the right to break in, search, or seize within the user's home.

So what happens when an OS designed for wage-slavery is dropped into
free homes as-is? Who is the notional "administrator"? Why is the
Internet treated as if it were a closed and professionally-secured
network? There's no "good administrators" and "bad administrators"
here; just the person at the keyboard who should have full control
over the system, and other nebulous entities on the Internet who
should have zero control over the system.

Whatever some automated process or network visitation has done to a
system, the home user at the keyboard should be able to undo.

Windows XP Home is simply not designed for free users to assert their
rights of ownership, and that's a problem deeper than bits and bytes.



------------------ ----- ---- --- -- - - - -

The rights you save may be your own
------------------ ----- ---- --- -- - - - -

  #70  
Old September 30th 06, 05:16 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.win98.gen_discussion
98 Guy
external usenet poster
 
Posts: 47
Default Microsoft Zero Day security holes being exploited

(posting this again due to 3-group posting limitation)

"karl levinson, mvp" wrote:

Maybe if you're only counting number of vulnerabilities found.


Well isn't that the point?

But on the other hand, there are and always will be more
unpatched vulnerabilities for Windows 98,


Care to provide some evidence that there are currently MORE unpatched
vulnerabilities for 98 vs XP?

because Microsoft is not providing patches for all Windows 98
vulnerabilities.


Only Since July 11. And how many vulnerabilities discovered since
then are really for IE?

And are you aware that the 2K versions of the patched files made
available since July 11 can be used on Win-98?

Windows 98 lacks any ability to set ACL permissions


Privilege escalation vulnerabilities exist for NT-based OS's like XP.
Many systems are configured (for ease of use) for single-user systems
to logon as administrator or have admin rights. ACL permissions are
primarily designed for servers on multi-user networks, not really for
single-user desktop / home computer use.

and you can log into Windows simply by clicking the
"cancel" button at the logon screen. On multi-user systems...


You are talking about "political security" which pertains to
untrustworthy users. The context of this conversation pertains to
unintended or malicious code execution that results in access to the
system through the network and not the local keyboard.

Many large organizations configure their infrastructure so that no
personal or organizational files or data exist on local desktop
machines, and where a correct login name/PW must be used to gain
access to the network. That strategy can be used all the way down to
a 2-desktop network.

all users can read and modify all files belonging to all other
users and to the operating system.


Irrelevant in the context of malware vulnerability. If you have users
of shared systems that seek out private information or intentionally
plant malware on their own system, then you have an HR problem.

NTFS and the ability to log in as limited user accounts has
been shown to drastically reduce the amount of spyware and
adware that gets installed on a system.


A solution that is only viable in institutional/corporate settings and
not for single-user home use.

And availability can be an issue on old and unsupported
software like Windows 98.


Availability of what?

Of new patches and fixes?

Maybe we should wait and see what new vulnerabilities come down the
pipe that are proven to affect 98. Until then, the "not supported"
argument is a red herring.

Regarding hardening XP, the hardening guides from
www.microsoft.com/technet/security are very good.


Too bad that from its introduction in 2002 until SP2 was belatedly
released in late 2004 that XP systems were practically guaranteed to
become infected via direct network exploits and a myriad of other ways
and that many XP systems in residential settings are never updated or
patched by their owners.
  #71  
Old September 30th 06, 08:34 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
cquirke (MVP Windows shell/user)
external usenet poster
 
Posts: 274
Default Microsoft Zero Day security holes being exploited

On Sat, 30 Sep 2006 07:31:27 -0600, "Dan W."
Karl Levinson, mvp wrote:
cquirke wrote in


Everyone needs to know that all computers are somewhat vulnerable if
they are connected to the Internet no matter what the defense protocol
procedures that are used to safeguard the system(s) and the network(s).


Until someone runs something on the system that initiates traffic,
there's no reason why they should be, unless there's an exploitable
surface in whatever first receives raw TCP/IP packets.

The trouble is, NT is designed to treat the Internet as a network, in
the sense that if you wave the correct credentials, you'd be able to
log in or otherwise interact with the system from "outside". That
adds additional exploitable surfaces.

I can think of NO circumstances where I'd want any Internet entity
that I had not initiated interaction with, to log on to my PC,
access file shares, or make RPC calls - so why expose those services
at all? There's no "right" credentials to get in because I don't want
*anyone* to get in, so why even process such attempts?

It is indeed a good idea to have user accounts that have less privileges
than the admin. accounts do.


I'd rather have zero possible access from the Internet, be it as admin
or as limited user. The per-user model just isn't that useful,
especially where there is only one user. Why should I pretend to be a
staff of different job descriptions just to use my own PC?

The really sad thing - sadder even than all those games and accounting
apps that won't run unless you're admin - is that end users have no
control over how new user accounts are born. For me, that absolutely
kills the usefulness of user accounts.

I don't feel at all safe when half the files on the system are hidden
from me, where I can't easily tell if I'm in C:\TEMP, C:\D&S...\Temp
or \\BossPC\Windows\Temp, and where I'm expected to "open" files
without any visible cue as to what they will do.

Yet that is the state I'm forced to live with on any newly-created
user account - frankly, I feel safer as admin and "open eyes".



------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -

  #72  
Old September 30th 06, 08:59 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security
cquirke (MVP Windows shell/user)
external usenet poster
 
Posts: 274
Default Microsoft Zero Day security holes being exploited

On Sat, 30 Sep 2006 06:55:35 -0600, "Dan W." wrote:
cquirke wrote:
On Fri, 29 Sep 2006 05:50:14 -0600, Dan wrote:


and what I really need besides your advice on domains is a good article
about domains that I can read when I get a chance


That info is out there; in fact, it's the main thrust of most formal
MS tech training etc. It's really powerful but very detailed stuff,
with a fair number of gotchas and complications. For example, what
happens to a system that has domain control over its settings, when it
isn't connected to the domain?


Thanks for the great replies as usual. I hope someone can answer your
question since I do not know.


AFAIK, what happens is that a copy of the domain's settings are kept
locally, and are used whenever the domain is unreachable. I guess
this copy would be updated whenever the domain is there.

There's also a lot of detail and granularity when different
permissions are combined. Whereas *NIX uses the same structure for
both directory location and permissions, the NT security model does
not - while files within a subtree start with permissions of the
parent (AFAIK), you can change this on a file-by-file basis.

There are easy ways to get really painted into a corner with this
stuff, and one of the common mistakes is to assign rights to
particular users, rather than to a group. It's better to create a
group, set the rights for that group, and then add your user(s) as
members of that group (yes, even if there's only one member). That
way, if you fire Fred and employ Brad, you just drop Fred from the
group and add Brad to it.

Often there will be contexts where different sets of permissions are
simultaneously applied. For example, there are machine permissions,
network permissions, user permissions, etc. so what really happens is
a resultant of these, prompting the question; what trumps what?

In many ways, a sysadmin's job is as much about managing users via
Active Directory as it is about managing network resources such as
domain servers. Most businesses large enough to be using AD and
domains will insist on certification (MCSE etc.) before anyone can
touch this stuff. So when this security model is dropped into
consumerland, it's tough... consumers understand physical security
very well, but have zero intuition on business and staff security.

And why should they?

I was working on a machine for a couple of hours that had been messed
big time. I removed some spyware such as cool web junk and wild tangent
junk. The antivirus scanner did not even work -- it had been messed


Yup. I use Bart for those... the learning curve (OK, small wall) is
tougher than one would like, but if you do a lot of this stuff, it's
effort well spent. I expect malware to assume control over the system
I'm trying to clean, and start "from orbit" with Bart, concentrating
on the heavies, before tip-toeing in via Safe Cmd etc.

Safe Cmd is to XP what DOS mode is to Win9x, but there's a far higher
risk of malware being active in Safe Cmd than there is in DOS mode.

Spybot -- Search and Destroy actually was the only scanner that
removed and detected the junk out of all of them I used but that might
have just been because of the order that I ran the scanners in.


Could be... I use 7 av scanners and the usual 2 anti-"spyware"
scanners, then HiJackThis, then I de-bulk the usual malware hangouts
(loose code in C:\, all TIF, Temp), then I drop tools in place and run
'em when I enter Safe Cmd. The av scans shoot to kill, but the
initial anti-"spyware" and HiJackThis are usually look-don't-touch.

Once in Safe Cmd, I re-run SysClean (as some tests don't run when in
Bart), AdAware and Spybot, and this time I let the anti-"spyware"
scanners kill what they find. Then I add Ewido 4 and run that, do a
HiJackThis again, and look for mismatches that suggest a rootkit.

Next is normal Windows, which means I can install tools that require
the Windows Installer, e.g. BitDefender 8 and MS Defender. I add
BitDefender 8 if there's been a lot of traffic and/or the resident av
can't be updated. If the resident av is broken, expired or missing, I
add AVG 7. Then I harden settings, set a clean baseline restore point,
and purge all older restore points (Disk Cleanup).

Then I check firewall, and go online to update the scanners and
non-scanning tools that need it (e.g. Spyware Blaster, Ewido,
BitDefender). Before going online, I'd have killed off old Java
versions and replaced the latest JRE, ditto Firefox, etc.

installed AVG and proceeded to do a complete scan for viruses in the
system. The system froze up once and I had to pull out the power cord
and reinsert to force a reset -- oh by the way this was an XP
Professional machine --- and guess what -- error at the BIOS level.


What sort of error?

Malware isn't the only thing that can bonk PCs; I didn't mention it,
but every Bart session starts with HD Tune to check physical HD, and
before that comes a few hours in MemTest86.



------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -

  #73  
Old September 30th 06, 09:11 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers,microsoft.public.internetexplorer.security,microsoft.public.win98.gen_discussion
cquirke (MVP Windows shell/user)
external usenet poster
 
Posts: 274
Default Microsoft Zero Day security holes being exploited

On Sat, 30 Sep 2006 07:05:17 -0600, "Dan W." wrote:
Karl Levinson, mvp wrote:
"Dan" wrote in message


Many of the things on Chris' list were either fixed in the default settings
in Windows XP SP2, or aren't the biggest risk you need to be worrying about.


Hard to respond to that without examples, but I certainly agree; SP2's
a worthwhile step forward. Anything older is stone dead if connected
as-is, because the firewall's off and both LSASS and RPC are unpatched
(yes, even in SP1a). In this respect, there's no safe-out-the-box
Win2000 at all - I dunno if the last Win2000 SP had fixes for LSASS
and RPC, but there's no firewall built-in.

People consider XP SP2 default settings fairly secure. You can spend a lot
of time and money on lots of tweaks to the default settings, without gaining
a lot of real security.


I'm after safety. I want no "admin shares" whatsoever, I want to see
what I'm dealing with when I work on files, and I don't want the PC
resetting every time there's a system crash or RPC falls over.

The vulnerability is caused due to an error in the Windows Shell and is
exposed via the "setSlice()" method in the WebViewFolderIcon ActiveX
control (webvw.dll). This can e.g. be exploited via Internet Explorer by
a malicious website to corrupt memory by passing specially crafted
arguments to the "setSlice()" method.


I would kill off "View As Web Page" on sight, and thus not be exposed
to this exploit (which I see as a barnacle on a whale of bad design...
why would I want the ability to autorun scripts dropped in any
directory?). WinME does this properly, but Win98xx is slippery and
can fall back to "Web View" so I might kill off the .DLL that operates
the web view "feature", as well as Active Desktop of course.

I'm not sure if XP is using the "Web View" facility or not, as there's
no UI to specifically control it.

Solution:
Set the kill bit for the "WebViewFolderIcon" ActiveX control (see
Microsoft advisory for details).


http://secunia.com/advisories/22159/


It seems like new critical security advisories are being posted daily.


Yup. Software complexity meets automated exploit search.



------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
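
Added example (not from any poster in this thread): a Python check over exported registry text for two things discussed above, the Winlogon launch values debated in the earlier posts and the kill bit named in the quoted Secunia solution. The CLSIDs, the baseline values and the sample export are constructed placeholders and assumptions; the real WebViewFolderIcon CLSID has to come from the Microsoft advisory.

```python
import re

# Bit in "Compatibility Flags" that stops Internet Explorer instantiating a control.
KILL_BIT = 0x00000400
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Assumed clean baseline for XP installed in C:\WINDOWS; adjust for the machine.
WINLOGON_BASELINE = {
    "shell": "explorer.exe",
    "userinit": "c:\\windows\\system32\\userinit.exe,",
}

# Constructed sample export; the CLSIDs are placeholders, not real control ids.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\sample\\unexpected.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\samplepkg]
"DLLName"="samplepkg.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000
'''


def _unescape(s):
    """Undo .reg escaping, where backslash and quote are written \\\\ and \\"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse regedit export text into {key_path_lower: {value_name_lower: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)).lower(), m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = _unescape(data[1:-1])
        else:
            current[name] = data  # hex(...) and other types are kept raw
    return keys


def audit_winlogon(keys):
    """Return findings: baseline mismatches plus every Notify DLL, for review."""
    findings = []
    values = keys.get(WINLOGON.lower(), {})
    for name, expected in WINLOGON_BASELINE.items():
        actual = values.get(name)
        if actual is None:
            findings.append(f"{name}: value missing")
        elif str(actual).strip().lower() != expected:
            findings.append(f"{name}: unexpected {actual!r}")
    prefix = WINLOGON.lower() + "\\notify\\"
    for path, vals in keys.items():
        # A stock system has Notify packages too, so these are listed, not judged.
        if path.startswith(prefix) and "dllname" in vals:
            findings.append(f"notify package {path[len(prefix):]}: {vals['dllname']}")
    return findings


def kill_bit_set(keys, clsid):
    """True if the control's Compatibility Flags value has the kill bit set."""
    flags = keys.get((AX_COMPAT + "\\" + clsid).lower(), {}).get("compatibility flags", 0)
    return isinstance(flags, int) and bool(flags & KILL_BIT)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for finding in audit_winlogon(parsed):
        print(finding)
    print(kill_bit_set(parsed, "{00000000-0000-0000-0000-000000000001}"))
```

Version 5.00 exports written by regedit are UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `parse_reg`.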

  #74  
Old September 30th 06, 10:04 PM posted to microsoft.public.windowsxp.security_admin,microsoft.public.internetexplorer.security,microsoft.public.win98.gen_discussion
98 Guy
external usenet poster
 
Posts: 47
Default Microsoft Zero Day security holes being exploited

"cquirke (MVP Windows shell/user)" wrote:

I would kill off "View As Web Page" on sight, and thus not be
exposed to this exploit (which I see as a barnacle on a whale
of bad design...
I might kill off the .DLL that operates the web view "feature",


C:\Windows\System\webvw.dll

You should be able to rename it because you shouldn't have "view as
web page" enabled.

There apparently hasn't been any update to it for 98 because I only
see 1 version (4/23/99).

as well as Active Desktop of course.


See here:

http://www.msfn.org/board/index.php?...pic=46066&st=0

regsvr32 /u webcheck.dll

There was an update to webcheck.dll on 08/29/02. I think I'll nuke it
and see what happens. Seems I have to do it from DOS.

Here's a couple of unrelated web links for your reading enjoyment:

http://www.usdoj.gov/atr/cases/f4600/4644.htm

http://www.varbusiness.com/sections/98pages/198sw.jhtml
  #75  
Old September 30th 06, 11:39 PM posted to microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.win98.gen_discussion
karl levinson, mvp
external usenet poster
 
Posts: 73
Default Microsoft Zero Day security holes being exploited


"98 Guy" wrote in message ...

Care to provide some evidence that there are currently MORE unpatched
vulnerabilities for 98 vs XP?


That's difficult, because the number of unpatched vulns for XP is somewhat
unknown. Also, whatever comparison you do now, will be changing in the
future. With patches being released for XP and not for 98, the number of
unpatched 98 vulns is certain to increase.

because Microsoft is not providing patches for all Windows 98
vulnerabilities.


Only Since July 11. And how many vulnerabilities discovered since
then are really for IE?


For a significant time before that, Microsoft was not providing patches for
updates they did not consider critical. There was some disagreement about
the non-critical rating Microsoft assigned to a few of the vulnerabilities.

And are you aware that the 2K versions of the patched files made
available since July 11 can be used on Win-98?


Is installing those Win2K patches on Win98 easy for home users? I assume
you have to manually extract the files and replace them, assuming they are
not in use by the OS?

Windows 98 lacks any ability to set ACL permissions


Privilege escalation vulnerabilities exist for NT-based OS's like XP.


True, but Microsoft is and needs to be reducing these privilege escalation
vulnerabilities, not giving in to their inevitability. Resistance to local
privilege escalation attacks is one weakness Microsoft security has in
comparison to Linux, a growing competitor to Windows. With spyware, adware
and other malware increasingly infecting Windows platforms, more and more
users are asking why Windows cannot control what is done by local users.
The ability to open listening TCP/IP ports, send spam email outbound, launch
DoS attacks on other systems, etc. are things non-admins should not be able
to do silently and without native Windows logging.

A significant problem for Microsoft is the time it takes them to code both
patches and new software versions. A significant reason for that problem is
the large number of different combinations of product versions they need to
support. Different browser versions with different language versions on
different OS versions with different service pack versions in different
localized language versions, the number of combinations of patches that
Microsoft has to release is hundreds if not thousands. This is one big
compelling reason why Microsoft is trying to reduce the number of browser
and OS variants out there, such as eliminating Win98, in the name of
security. I do not see them reversing this trend, especially not to create
a Windows98-like niche OS that is only useful for some niche users [e.g.
home users that don't need the security features of XP].

Many systems are configured (for ease of use) for single-user systems
to logon as administrator or have admin rights. ACL permissions are
primarily designed for servers on multi-user networks, not really for
single-user desktop / home computer use.


Not true. ACLs are most valuable for system configuration management. Many
parents want to control what their children can and cannot do on their
single-user home computers, and this is difficult on 98 due to the lack of
ACLs.

Many large organizations configure their infrastructure so that no
personal or organizational files or data exist on local desktop
machines, and where a correct login name/PW must be used to gain
access to the network. That strategy can be used all the way down to
a 2-desktop network.


.... but going back to home users, the most likely consumer of the proposed
new Windows 98 product, those users would most likely be storing files on
the local hard drive, without any native protection against unauthorized
access from others in the house.

all users can read and modify all files belonging to all other
users and to the operating system.


Irrelevant in the context of malware vulnerability. If you have users
of shared systems that seek out private information or intentionally
plant malware on their own system, then you have an HR problem.


Well, the assertion was that Win98 was more secure than XP. I see no reason
to evaluate Windows security by ignoring certain common security features,
just because you don't need them yourself. Windows should not be programmed
just for certain users. It needs to be configurable so that it will work
for all users. Malware is only one threat, and saying that one OS is more
resistant to malware is only so useful in evaluating security.

The ability to prevent one user from modifying the files of the OS or of
other users is relevant to malware on multi-user systems. This prevents one
user from infecting anything other than just her own user profile. Log in
as another user, and the infection is not present for that user. It also
prevents malware from reading and modifying OS files and the data files of
other users. It also helps XP to protect the secret encryption keys of each
user, whether the snooper is malware, a remote attacker, or an insider on
the machine.

XP SP2 included a number of security features against malware that depend on
NTFS, such as AES. Win 98 does not have those features.

NTFS and the ability to log in as limited user accounts has
been shown to drastically reduce the amount of spyware and
adware that gets installed on a system.


A solution that is only viable in institutional/corporate settings and
not for single-user home use.


Logging in home users as non-administrators is absolutely viable, as Vista
is showing today. Linux and Lindows do it very well, and Walmart sells
Linux computers for home users. It's just that Windows XP and third party
software make this more difficult than it should be.

And availability can be an issue on old and unsupported
software like Windows 98.


Availability of what?

Of new patches and fixes?

Maybe we should wait and see what new vulnerabilities come down the
pipe that are proven to affect 98. Until then, the "not supported"
argument is a red herring.


No red herring, as you should know, there are already unpatched vulns for
Win98, and the number is going to grow. Unless you think there are zero
more vulns to be found in Win98.

I was meaning to say system availability, meaning that Win98 is not terribly
stable and crashes if it is not rebooted and reinstalled frequently.
Availability is part of the "CIA" security triad, and it's hard to argue
that 98 has better availability and stability than XP. 98 does little to
nothing to ensure system integrity is not compromised, and little to nothing
about confidentiality, so I'm not getting the assertion here that 98 is more
secure than XP.

Regarding hardening XP, the hardening guides from
www.microsoft.com/technet/security are very good.


Too bad that from its introduction in 2002 until SP2 was belatedly
released in late 2004 that XP systems were practically guaranteed to
become infected via direct network exploits and a myriad of other ways
and that many XP systems in residential settings are never updated or
patched by their owners.


That was then, this is now. We have XP SP2 now, and both XP and XP SP2 are
steps forward in security.

And all users had to do to be protected from most of those vulnerabilities
was to enable the Windows Firewall, Automatic Updates and some sort of
antivirus... things they should have been doing anyways. Anyways, the
question was, what good resources are there for hardening Windows XP, and
that's part of the answer.

As far as XP SP2 being "belatedly" released, they designed, tested and
released it in only a year, and with only minimal problems being caused by
it. That's amazing and is something to laud and support, not deride.


 



