#61
Microsoft Zero Day security holes being exploited
On Fri, 29 Sep 2006 05:50:14 -0600, Dan wrote:

> I will copy and paste your reply to assist me in hardening all XP Pro.
> computers. Do you have similar advice for the hardening of all the 98
> Second Edition computers as well --- they are connected to the Internet
> as my machine is and also are connected to the school's domain.

I wrote up hardening Win9x a while ago... let's see... ah:

http://cquirke.mvps.org/9x/riskfix.htm

In those days, no-one here had any kind of broadband, and ICS was rarely used - so there was no need for TCP/IP on the LAN at all. Avoiding TCP/IP on the LAN card has two advantages in Win9x: no DHCP prompts, and better separation of LAN and Internet. You'd have (say) File and Print Sharing (F&PS) on NetBEUI on the LAN card, and no F&PS on TCP/IP on DUN. The two would be well air-gapped, unless malware established a bridge-head on one PC and re-entered the LAN from there.

Then folks wanted shared Internet access, either via ICS on DUN or via LAN through an ADSL router. The strategy changed to: F&PS on NetBEUI on LAN, no F&PS on TCP/IP on LAN, and no F&PS on TCP/IP on DUN. This worked brilliantly; most firewall software wouldn't tangle F&PS because that wasn't on TCP/IP at all.

Then along came XP, which broke NetBEUI and IPX when it came to doing F&PS across mixed Win9x and XP peer-to-peer networks. Believe me, I tried getting IPX to work, as well as applying the "not supported" NetBEUI from the XP CD. Typically, all the Win9x systems would see each other and all the XP systems would see each other, but you couldn't traverse the two tribes via F&PS. So I was obliged to use the same TCP/IP protocol on both DUN and LAN, and do F&PS on this protocol as well. Ungood.

> BTW, what are the advantages and disadvantages of connecting my machine
> to the school's domain and if the school's domain is down will my
> machine be down from the Internet as well if I use their domain? Thanks

I'm under-experienced with domains, because I don't do server-based LANs at all. That's a whole 'nother world ;-)

AFAIK, XP Home and Win9x can't operate as effective domain clients, which is the main purpose of XP Pro. You can log Win9x into a domain, but there's far less control that the domain can impose on Win9x. This is why commentators claim that Win9x has "no security".

> and what I really need besides your advice on domains is a good article
> about domains that I can read when I get a chance since I know so little
> about them.

That info is out there; in fact, it's the main thrust of most formal MS tech training etc. It's really powerful but very detailed stuff, with a fair number of gotchas and complications. For example, what happens to a system that has domain control over its settings, when it isn't connected to the domain?

------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
#62
Microsoft Zero Day security holes being exploited
"Dan" wrote in message ...

> Great Job, Chris! I will copy and paste your reply to assist me in
> hardening all XP Pro. computers. Do you have similar advice for the
> hardening of all the 98 Second Edition computers as well --- they are
> connected to the Internet as my machine is and also are connected to the
> school's domain.

Windows 98 was never designed for security. Many of the things on Chris' list were either fixed in the default settings in Windows XP SP2, or aren't the biggest risk you need to be worrying about. People consider XP SP2 default settings fairly secure. You can spend a lot of time and money on lots of tweaks to the default settings, without gaining a lot of real security.
#63
Microsoft Zero Day security holes being exploited
"cquirke (MVP Windows shell/user)" wrote in message ...

>> All operating systems do that. They are designed to launch code at boot
>> time by reading registry values, text files, etc. Because those registry
>> values are protected from unauthorized access by permissions, someone
>> would have to already own your system to modify those values, wouldn't
>> they?
>
> Sure, but the wrong entities come to own systems all the time.

My point is that this one example here doesn't seem to be a vulnerability if it requires another vulnerability in order to use it. This isn't a case of combining two vulnerabilities to compromise a system; it's a case of one unnamed vulnerability being used to compromise a system, and then the attacker performs some other action, specifically changing registry values. If this is a vulnerability, then the ability of Administrators to create new user accounts, change passwords etc. would also be a vulnerability.

> Defense in depth means planning for how you get your system back; you
> don't just faint in shock and horror that you're owned, and destroy the
> whole system as the only way to kill the invader.

That's a different issue than the one we were discussing. The statement was, winlogon using registry values to execute code at boot time is a vulnerability. I'm arguing that it is not.

Besides, it's a relatively accepted truism that once an attacker has root, system or administrator privileges on any OS, it is fairly futile to try to restrict what actions s/he can perform. Anything a good administrator can do, a bad administrator can undo.
#64
Microsoft Zero Day security holes being exploited
Thanks for the great replies as usual. I hope someone can answer your question since I do not know. I really appreciate all the knowledge you have provided me over the years, Chris, and I see you as an awesome person. Please accept my heartfelt and warm thanks for continuing to help me in my endeavors to help secure computers that are connected to the Internet. I saved the information on securing the XP Pro. computers and printed it all out for reference when securing the XP Pro. computers at school. Apparently, they have some powerful security tied in with the domain but it would be just great if I could help secure the systems slowly but surely which I am doing at the site level.

BTW, yesterday I was working on a machine for a couple of hours that had been messed with big time. I removed some spyware such as cool web junk and wild tangent junk. The antivirus scanner did not even work -- it had been messed with. Spybot -- Search and Destroy actually was the only scanner that removed and detected the junk out of all of them I used but that might have just been because of the order that I ran the scanners in.

I also installed AVG and proceeded to do a complete scan for viruses in the system. The system froze up once and I had to pull out the power cord and reinsert to force a reset -- oh by the way this was an XP Professional machine --- and guess what -- error at the BIOS level. Dang, I needed to get into the BIOS and the machine did not want to let me into the BIOS settings. Okay, I had to leave and get information from another member of the security computer team at our school. I got it and returned after praying of course and bingo the BIOS screen was showing. Thank goodness --- Yes success --- I was in and the fix was easy from there --- just apply the proper BIOS settings that someone had messed with and bingo the machine booted up without issue. I ended up leaving the machine running a full anti-virus scan with AVG because it was taking forever and the teacher of the classroom and myself needed to go home --- it was 5pm and we were both scheduled just until 4pm. It is amazing how time flies when you are working on computer(s).
#65
Microsoft Zero Day security holes being exploited
Karl Levinson, mvp wrote:

> "Dan" wrote in message ...
>
>> Great Job, Chris! I will copy and paste your reply to assist me in
>> hardening all XP Pro. computers. Do you have similar advice for the
>> hardening of all the 98 Second Edition computers as well --- they are
>> connected to the Internet as my machine is and also are connected to
>> the school's domain.
>
> Windows 98 was never designed for security. Many of the things on Chris'
> list were either fixed in the default settings in Windows XP SP2, or
> aren't the biggest risk you need to be worrying about. People consider
> XP SP2 default settings fairly secure. You can spend a lot of time and
> money on lots of tweaks to the default settings, without gaining a lot
> of real security.

Yes, 98SE edition computers are not designed for security but are more safe than XP Professional computers when regarding outside attacks. Please see the following secunia advisories for proof of concept:

Microsoft Windows Shell Code Execution Vulnerability

Secunia Advisory: SA22159
Release Date: 2006-09-28
Last Update: 2006-09-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS: Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows Server 2003 Datacenter Edition, Microsoft Windows Server 2003 Enterprise Edition, Microsoft Windows Server 2003 Standard Edition, Microsoft Windows Server 2003 Web Edition, Microsoft Windows XP Home Edition, Microsoft Windows XP Professional
CVE reference: CVE-2006-3730

Description: H D Moore has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the Windows Shell and is exposed via the "setSlice()" method in the WebViewFolderIcon ActiveX control (webvw.dll). This can e.g. be exploited via Internet Explorer by a malicious website to corrupt memory by passing specially crafted arguments to the "setSlice()" method. Successful exploitation allows execution of arbitrary code. NOTE: Exploit code is publicly available. The vulnerability is confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Solution: Set the kill bit for the "WebViewFolderIcon" ActiveX control (see Microsoft advisory for details). Only allow trusted websites to run ActiveX controls.

Provided and/or discovered by: H D Moore

Changelog: 2006-09-29: Added additional information provided by Microsoft. Added link to Microsoft advisory and updated "Solution" section. Updated affected software.

Original Advisory:
H D Moore: http://browserfun.blogspot.com/2006/...-setslice.html
Microsoft: http://www.microsoft.com/technet/sec...ry/926043.mspx

Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

http://secunia.com/advisories/22159/

What the heck is going on. It seems like new critical security advisories are being posted daily.

Secunia product pages:

Microsoft Windows XP Professional: affected by 154 Secunia advisories; unpatched 19% (29 of 154 Secunia advisories). The most severe unpatched Secunia advisory, with all vendor patches applied, is rated Extremely critical.
http://secunia.com/product/22/
http://secunia.com/product/13/

Microsoft Windows 98 Second Edition: affected by 32 Secunia advisories; unpatched 9% (3 of 32 Secunia advisories). The most severe unpatched Secunia advisory, with all vendor patches applied, is rated Less critical.
http://secunia.com/product/11/

Microsoft Internet Explorer 6.x: affected by 106 Secunia advisories; unpatched 18% (19 of 106 Secunia advisories). The most severe unpatched Secunia advisory, with all vendor patches applied, is rated Extremely critical.
http://secunia.com/product/102/

Microsoft Outlook Express 6: affected by 21 Secunia advisories; unpatched 29% (6 of 21 Secunia advisories). The most severe unpatched Secunia advisory, with all vendor patches applied, is rated Moderately critical.
http://secunia.com/product/4227/

Mozilla Firefox 1.x: affected by 36 Secunia advisories; unpatched 8% (3 of 36 Secunia advisories). The most severe unpatched Secunia advisory, with all vendor patches applied, is rated Less critical.
http://secunia.com/product/4652/

Mozilla Organization product: affected by 4 Secunia advisories; unpatched 0% (0 of 4 Secunia advisories). There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

This one was for Mozilla Thunderbird. I am going to try and add the 98 general newsgroup since this involves them as well.
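The Secunia entry quoted above gives the mitigation as setting the kill bit for the WebViewFolderIcon control. The PowerShell below is an added example, not code from this thread, Secunia or Microsoft: it applies and verifies a kill bit, which is the 0x400 flag in the "Compatibility Flags" DWORD under the ActiveX Compatibility key. The CLSID is a placeholder (the real CLSID(s) are in Microsoft advisory 926043, linked above), and the script assumes an elevated shell.

```powershell
# Added example (not from the thread): apply and verify an ActiveX "kill bit".
# With the 0x400 flag set, Internet Explorer refuses to instantiate the control
# even though its DLL stays on disk. Requires an elevated (administrator) shell.
# PLACEHOLDER CLSID: replace with the WebViewFolderIcon CLSID(s) from MS advisory 926043.
$ClsidList = @('{00000000-0000-0000-0000-000000000000}')

$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit  = 0x400
# Note: on 64-bit Windows the 32-bit IE reads the same key under
# HKLM:\SOFTWARE\Wow6432Node\...; set both if both IE flavours are in use.

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Keep any other compatibility flags already present; only OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $new -Force | Out-Null
    return $new
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $ClsidList) {
    $flags = Set-ActiveXKillBit -Clsid $clsid
    $ok    = Test-ActiveXKillBit -Clsid $clsid
    '{0}  Compatibility Flags=0x{1:X8}  kill bit set: {2}' -f $clsid, $flags, $ok
}
```

The verification half is worth running on its own after a vendor update, since a later patch can legitimately replace the control and the flag should then be reviewed rather than assumed.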
#66
Microsoft Zero Day security holes being exploited
Karl Levinson, mvp wrote:

> "cquirke (MVP Windows shell/user)" wrote in message ...
>
>>> All operating systems do that. They are designed to launch code at
>>> boot time by reading registry values, text files, etc. Because those
>>> registry values are protected from unauthorized access by permissions,
>>> someone would have to already own your system to modify those values,
>>> wouldn't they?
>>
>> Sure, but the wrong entities come to own systems all the time.
>
> My point is that this one example here doesn't seem to be a
> vulnerability if it requires another vulnerability in order to use it.
> This isn't a case of combining two vulnerabilities to compromise a
> system; it's a case of one unnamed vulnerability being used to
> compromise a system, and then the attacker performs some other action,
> specifically changing registry values. If this is a vulnerability, then
> the ability of Administrators to create new user accounts, change
> passwords etc. would also be a vulnerability.

Everyone needs to know that all computers are somewhat vulnerable if they are connected to the Internet no matter what the defense protocol procedures that are used to safeguard the system(s) and the network(s).

>> Defense in depth means planning for how you get your system back; you
>> don't just faint in shock and horror that you're owned, and destroy the
>> whole system as the only way to kill the invader.
>
> That's a different issue than the one we were discussing. The statement
> was, winlogon using registry values to execute code at boot time is a
> vulnerability. I'm arguing that it is not.
>
> Besides, it's a relatively accepted truism that once an attacker has
> root, system or administrator privileges on any OS, it is fairly futile
> to try to restrict what actions s/he can perform. Anything a good
> administrator can do, a bad administrator can undo.

It is indeed a good idea to have user accounts that have less privileges than the admin. accounts do.

If a Classic series of 9x came out that worked well with older Windows 3.1 and DOS programs, of which I and the school that I work with have a great deal of titles accumulated over the years, then it would be just great. This new 9x machine that is a successor to 98 Second Edition would have Admin. accounts and User accounts just like in XP but still has the overall system security of 9x as I have provided in great detail in an above post on system vulnerabilities in the two operating systems.

The real deal is that 98 Second Edition has been out since 1999 while 98 came out in 1998 and I think ME which was the last of the series came out in 2000. Like Chris Quirke has said, ME introduced a lot of new concepts like System Restore and you had the ability of drivers that did not need to be updated for a particular system device like in 98 Second Edition. The problem was ME started to get away from the compatibility roots that 98SE had and did not have a resource kit like 98SE had, so businesses and others did not take it seriously. In addition, the easy exit to MS-DOS (Microsoft Disk Operating System) was removed and the only way to DOS was through a boot disk.

The NT (New Technology) source code was flawed from the beginning according to early Microsoft engineers in a text that I have read all about Microsoft and its early days to present time. The early Microsoft software engineers nicknamed it the Not There code since it did not have the type of maintenance operating system that Chris Quirke, MVP fondly talks about in regards to 98 Second Edition. Anyway, there was the 9x line and the NT line and Microsoft wanted to eliminate one line of code to allow for the focus to be on just one line of code. The problem is that at the bare bones level the source code of 9x is actually more secure --- I know that this is a RADICAL and hard to swallow statement but it is TRUE!!!

Windows NT (New Technology) that comes in flavors of Windows NT, Windows 2000, Windows XP, and soon to be Windows Vista is very secure because it has strong defenses. If you strip away the defenses and compare the base lines of code in NT and 9x then you will see that it is completely conclusive that 9x is more secure at the base foundation of the kernel. This is an amazing concept. It would not actually surprise me if Microsoft does indeed release this Classic Series of 9x operating systems for the older software and as another choice for consumers, businesses and governments. This Classic series would be aimed at consumers and schools who have the need and desire of great legacy compatibility.

Anyway, I digress, and I wanted to say that System Administrators need to learn how to edit and manually customize the registry in order to stop the attacks that are coming in an ever increasing wave at a super fast pace.

in-line afterwards too
#67
Microsoft Zero Day security holes being exploited
"Dan W." wrote in message ...

> Yes, 98SE edition computers are not designed for security but are more
> safe than XP Professional computers when regarding outside attacks.
> Please see the following secunia advisories for proof of concept:

Maybe if you're only counting number of vulnerabilities found. But on the other hand, there are and always will be more unpatched vulnerabilities for Windows 98, because Microsoft is not providing patches for all Windows 98 vulnerabilities.

Windows 98 lacks any ability to set ACL permissions on files and registry values via NTFS, and you can log into Windows simply by clicking the "cancel" button at the logon screen. On multi-user systems, all users can read and modify all files belonging to all other users and to the operating system. NTFS and the ability to log in as limited user accounts has been shown to drastically reduce the amount of spyware and adware that gets installed on a system. And availability can be an issue on old and unsupported software like Windows 98.

Regarding hardening XP, the hardening guides from www.microsoft.com/technet/security are very good. NSA worked with Microsoft during their development, and as a result, NSA no longer publishes their own hardening guides for XP, instead simply linking their web site to Microsoft's guides.
#68
Microsoft Zero Day security holes being exploited
"Dan W." wrote in message ...

> Everyone needs to know that all computers are somewhat vulnerable if
> they are connected to the Internet no matter what the defense protocol
> procedures that are used to safeguard the system(s) and the network(s).

Agreed.

> This new 9x machine that is a successor to 98 Second Edition would have
> Admin. accounts and User accounts just like in XP but still has the
> overall system security of 9x as I have provided in great detail in an
> above post on system vulnerabilities in the two operating systems.

Fewer vulnerabilities are being reported for Windows 98 because Windows 98 is old and less commonly used, and vulns found for it get you less fame and glory. New vulns found tend to go down as software ages and matures. A new version of 98 would quickly be attacked and vulns found.

> The real deal is that 98 Second Edition has been out since 1999 while 98
> came out in 1998 and I think ME which was the last of the series came
> out in 2000. Like Chris Quirke, has said ME introduced a lot of new
> concepts like System Restore

Didn't XP expand on and improve the system restore feature to a level not currently in 98 or ME?

> about Microsoft and its early days to present time. The early Microsoft
> software engineers nicknamed it the Not There code since it did not have
> the type of maintenance operating system that Chris Quirke, MVP fondly
> talks about in regards to 98 Second Edition.

If the MOS being discussed for Win 98 is the system boot disk floppy, that was a very basic MOS and it still works on Windows XP just as well as it ever did on Windows 98. [Sure, you either have to format your disk as FAT, or use a third party DOS NTFS driver.] I think Chris really wants not that kind of MOS but a much bigger and better one that has never existed.

XP also comes with a number of restore features such as Recovery Console and the Install CD Repair features. I never use those or find them very useful for security, but they're way more functional and closer to an MOS than the Win98 recovery floppy or anything Win98 ever had. 98 never had a registry editor or a way to modify services like the XP Recovery Console.

> that at the bare bones level the source code of 9x is actually more
> secure --- I know that this is a RADICAL and hard to swallow statement
> but it is TRUE!!! Windows NT (New Technology) that comes in flavors of
> Windows NT, Windows 2000, Windows XP, and soon to be Windows Vista is
> very secure because it has strong defenses. If you strip away the
> defenses and compare the base lines of code in NT and 9x then you will
> see that it is completely conclusive that 9x is more secure at the base
> foundation of the kernel.

It depends on what you consider security. Win98 was always crashing and unstable, because there was no protection of memory space from bad apps or bad attackers. Many environments like government consider the "strong defenses" absolutely essential and wouldn't consider evaluating the security of an OS that didn't have them. Win98 doesn't have some features that some customers and people require. If Microsoft was to release a new 98, Microsoft would probably be forced to add those extra features and extra code that are in XP that you feel make it less secure.

> This is an amazing concept. It would not actually surprise me if
> Microsoft does indeed release this Classic Series of 9x operating
> systems for the older software and as another choice for consumers,
> businesses and governments. This Classic series would be aimed at
> consumers and schools who have the need and desire of great legacy
> compatibility.

Microsoft's security problems have largely been because of backwards compatibility with Windows 9x, DOS and Windows NT 4.0. They feel, and I agree, that Microsoft security would be a lot better if they could abandon that backwards compatibility with very old niche software, as they have been doing gradually.
#69
Microsoft Zero Day security holes being exploited
On Fri, 29 Sep 2006 23:17:02 -0400, "Karl Levinson, mvp" wrote:

> "cquirke (MVP Windows shell/user)" wrote in
>
>>> All operating systems do that. They are designed to launch code at
>>> boot time by reading registry values, text files, etc. Because those
>>> registry values are protected from unauthorized access by permissions,
>>> someone would have to already own your system to modify those values,
>>> wouldn't they?

The weakness here is that anything that runs during the user's session is deemed to have been run with the user's intent, and gets the same rights as the user. This is an inappropriate assumption when there are so many by-design opportunities for code to run automatically, whether the user intended to do so or not.

>> Sure, but the wrong entities come to own systems all the time.
>
> My point is that this one example here doesn't seem to be a
> vulnerability if it requires another vulnerability in order to use it.

Many vulnerabilities fall into that category, often because the extra requirement was originally seen as sufficient mitigation. Vulnerabilities don't have to facilitate primary entry to be significant; they may escalate access after entry, or allow the active malware state to persist across Windows sessions, etc.

> This isn't a case of combining two vulnerabilities to compromise a
> system; it's a case of one unnamed vulnerability being used to
> compromise a system, and then the attacker performs some other action,
> specifically changing registry values. If this is a vulnerability, then
> the ability of Administrators to create new user accounts, change
> passwords etc. would also be a vulnerability.

OK, now I'm with you, and I agree with you up to a point. I dunno where the earlier poster got the notion that Winlogon was there to act as his "ace in the hole" for controlling malware, as was implied.

>> Defense in depth means planning for how you get your system back; you
>> don't just faint in shock and horror that you're owned, and destroy the
>> whole system as the only way to kill the invader.
>
> That's a different issue than the one we were discussing. The statement
> was, winlogon using registry values to execute code at boot time is a
> vulnerability. I'm arguing that it is not.

I agree with you that it is not - the problem is the difficulty that the user faces when trying to regain control over malware that is using Winlogon and similar integration points. The safety defect is that:

- these integration points are also effective in Safe Mode
- there is no maintenance OS from which they can be managed

We're told we don't need a HD-independent mOS because we have Safe Mode, ignoring the possibility that Safe Mode's core code may itself be infected. Playing along with that assertion, we'd expect Safe Mode to disable any 3rd-party integration, and would provide a UI through which these integration points can be managed.

But this is not the case - the safety defect is that once software is permitted to run on the system, the user lacks the tools to regain control from that software. Couple that with the Windows propensity to auto-run material either by design or via defects, and you have what is one of the most common PC management crises around.

> Besides, it's a relatively accepted truism that once an attacker has
> root, system or administrator privileges on any OS, it is fairly futile
> to try to restrict what actions s/he can perform. Anything a good
> administrator can do, a bad administrator can undo.

That's a safety flaw right there. You're prolly thinking from the pro-IT perspective, where users are literally wage-slaves - the PC is owned by someone else, the time the user spends on the PC is owned by someone else, and that someone else expects to override user control over the system. So we have the notion of "administrators" vs. "users". Then you'd need a single administrator to be able to manage multiple PCs without having to actually waddle over to all those keyboards - so you design in backdoors to facilitate administration via the network.

Which is fine - in the un-free world of mass business computing. But the home user owns their PCs, and there is no-one else who should have the right to usurp that control. Creditors and police do not have the right to break in, search, or seize within the user's home. So what happens when an OS designed for wage-slavery is dropped into free homes as-is? Who is the notional "administrator"? Why is the Internet treated as if it were a closed and professionally-secured network?

There's no "good administrators" and "bad administrators" here; just the person at the keyboard who should have full control over the system, and other nebulous entities on the Internet who should have zero control over the system. Whatever some automated process or network visitation has done to a system, the home user at the keyboard should be able to undo. Windows XP Home is simply not designed for free users to assert their rights of ownership, and that's a problem deeper than bits and bytes.

------------------ ----- ---- --- -- - - - -
The rights you save may be your own
------------------ ----- ---- --- -- - - - -
#70
Microsoft Zero Day security holes being exploited
(posting this again due to 3-group posting limitation)
"karl levinson, mvp" wrote:

> Maybe if you're only counting number of vulnerabilities found.

Well isn't that the point?

> But on the other hand, there are and always will be more unpatched vulnerabilities for Windows 98,

Care to provide some evidence that there are currently MORE unpatched vulnerabilities for 98 vs XP?

> because Microsoft is not providing patches for all Windows 98 vulnerabilities.

Only since July 11. And how many vulnerabilities discovered since then are really for IE? And are you aware that the 2K versions of the patched files made available since July 11 can be used on Win-98?

> Windows 98 lacks any ability to set ACL permissions

Privilege escalation vulnerabilities exist for NT-based OS's like XP. Many systems are configured (for ease of use) for single-user systems to logon as administrator or have admin rights. ACL permissions are primarily designed for servers on multi-user networks, not really for single-user desktop / home computer use.

> and you can log into Windows simply by clicking the "cancel" button at the logon screen.

On multi-user systems... You are talking about "political security" which pertains to untrustworthy users. The context of this conversation pertains to unintended or malicious code execution that results in access to the system through the network and not the local keyboard. Many large organizations configure their infrastructure so that no personal or organizational files or data exist on local desktop machines, and where a correct login name/PW must be used to gain access to the network. That strategy can be used all the way down to a 2-desktop network.

> all users can read and modify all files belonging to all other users and to the operating system.

Irrelevant in the context of malware vulnerability. If you have users of shared systems that seek out private information or intentionally plant malware on their own system, then you have an HR problem.

> NTFS and the ability to log in as limited user accounts has been shown to drastically reduce the amount of spyware and adware that gets installed on a system.

A solution that is only viable in institutional/corporate settings and not for single-user home use.

> And availability can be an issue on old and unsupported software like Windows 98.

Availability of what? Of new patches and fixes? Maybe we should wait and see what new vulnerabilities come down the pipe that are proven to affect 98. Until then, the "not supported" argument is a red herring.

> Regarding hardening XP, the hardening guides from www.microsoft.com/technet/security are very good.

Too bad that from its introduction in 2002 until SP2 was belatedly released in late 2004, XP systems were practically guaranteed to become infected via direct network exploits and a myriad of other ways, and that many XP systems in residential settings are never updated or patched by their owners.
#71
Microsoft Zero Day security holes being exploited
On Sat, 30 Sep 2006 07:31:27 -0600, "Dan W."
> Karl Levinson, mvp wrote:
> > cquirke wrote in
>
> Everyone needs to know that all computers are somewhat vulnerable if they are connected to the Internet, no matter what defense protocol procedures are used to safeguard the system(s) and the network(s).

Until someone runs something on the system that initiates traffic, there's no reason why they should be, unless there's an exploitable surface in whatever first receives raw TCP/IP packets.

The trouble is, NT is designed to treat the Internet as a network, in the sense that if you wave the correct credentials, you'd be able to log in or otherwise interact with the system from "outside". That adds additional exploitable surfaces.

I can think of NO circumstances where I'd want any Internet entity that I had not initiated interaction with, to log onto my PC, access file shares, or make RPC calls - so why expose those services at all? There's no "right" credentials to get in because I don't want *anyone* to get in, so why even process such attempts?

> It is indeed a good idea to have user accounts that have less privileges than the admin. accounts do.

I'd rather have zero possible access from the Internet, be it as admin or as limited user. The per-user model just isn't that useful, especially where there is only one user. Why should I pretend to be a staff of different job descriptions just to use my own PC?

The really sad thing - sadder even than all those games and accounting apps that won't run unless you're admin - is that end users have no control over how new user accounts are born. For me, that absolutely kills the usefulness of user accounts. I don't feel at all safe when half the files on the system are hidden from me, where I can't easily tell if I'm in C:\TEMP, C:\D&S...\Temp or \\BossPC\Windows\Temp, and where I'm expected to "open" files without any visible cue as to what they will do.

Yet that is the state I'm forced to live with on any newly-created user account - frankly, I feel safer as admin and "open eyes".

------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
#72
Microsoft Zero Day security holes being exploited
On Sat, 30 Sep 2006 06:55:35 -0600, "Dan W." wrote:
> cquirke wrote:
> > On Fri, 29 Sep 2006 05:50:14 -0600, Dan wrote:
> >
> > > and what I really need besides your advice on domains is a good article about domains that I can read when I get a chance
> >
> > That info is out there; in fact, it's the main thrust of most formal MS tech training etc. It's really powerful but very detailed stuff, with a fair number of gotchas and complications. For example, what happens to a system that has domain control over its settings, when it isn't connected to the domain?
>
> Thanks for the great replies as usual. I hope someone can answer your question since I do not know.

AFAIK, what happens is that a copy of the domain's settings is kept locally, and is used whenever the domain is unreachable. I guess this copy would be updated whenever the domain is there.

There's also a lot of detail and granularity when different permissions are combined. Whereas *NIX uses the same structure for both directory location and permissions, the NT security model does not - while files within a subtree start with permissions of the parent (AFAIK), you can change this on a file-by-file basis.

There are easy ways to get really painted into a corner with this stuff, and one of the common mistakes is to assign rights to particular users, rather than to a group. It's better to create a group, set the rights for that group, and then add your user(s) as members of that group (yes, even if there's only one member). That way, if you fire Fred and employ Brad, you just drop Fred from the group and add Brad to it.

Often there will be contexts where different sets of permissions are simultaneously applied. For example, there are machine permissions, network permissions, user permissions, etc. so what really happens is a resultant of these, prompting the question; what trumps what?

In many ways, a sysadmin's job is as much about managing users via Active Directory as it is about managing network resources such as domain servers. Most businesses large enough to be using AD and domains will insist on certification (MCSE etc.) before anyone can touch this stuff.

So when this security model is dropped into consumerland, it's tough... consumers understand physical security very well, but have zero intuition on business and staff security. And why should they?

> I was working on a machine for a couple of hours that had been messed big time. I removed some spyware such as cool web junk and wild tangent junk. The antivirus scanner did not even work -- it had been messed

Yup. I use Bart for those... the learning curve (OK, small wall) is tougher than one would like, but if you do a lot of this stuff, it's effort well spent. I expect malware to assume control over the system I'm trying to clean, and start "from orbit" with Bart, concentrating on the heavies, before tip-toeing in via Safe Cmd etc. Safe Cmd is to XP what DOS mode is to Win9x, but there's a far higher risk of malware being active in Safe Cmd than there is in DOS mode.

> Spybot -- Search and Destroy actually was the only scanner that removed and detected the junk out of all of them I used but that might have just been because of the order that I ran the scanners in.

Could be... I use 7 av scanners and the usual 2 anti-"spyware" scanners, then HiJackThis, then I de-bulk the usual malware hangouts (loose code in C:\, all TIF, Temp), then I drop tools in place and run 'em when I enter Safe Cmd. The av scans shoot to kill, but the initial anti-"spyware" and HiJackThis are usually look-don't-touch.

Once in Safe Cmd, I re-run SysClean (as some tests don't run when in Bart), AdAware and Spybot, and this time I let the anti-"spyware" scanners kill what they find. Then I add Ewido 4 and run that, do a HiJackThis again, and look for mismatches that suggest a rootkit.

Next is normal Windows, which means I can install tools that require the Windows Installer, e.g. BitDefender 8 and MS Defender. I add BitDefender 8 if there's been a lot of traffic and/or the resident av can't be updated. If the resident av is broken, expired or missing, I add AVG 7. Then I harden settings, set a clean baseline restore point, and purge all older restore points (Disk Cleanup). Then I check firewall, and go online to update the scanners and non-scanning tools that need it (e.g. Spyware Blaster, Ewido, BitDefender). Before going online, I'd have killed off old Java versions and replaced them with the latest JRE, ditto Firefox, etc.

> installed AVG and proceeded to do a complete scan for viruses in the system. The system froze up once and I had to pull out the power cord and reinsert to force a reset -- oh by the way this was an XP Professional machine --- and guess what -- error at the BIOS level.

What sort of error? Malware isn't the only thing that can bonk PCs; I didn't mention it, but every Bart session starts with HD Tune to check physical HD, and before that comes a few hours in MemTest86.

------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
#73
Microsoft Zero Day security holes being exploited
On Sat, 30 Sep 2006 07:05:17 -0600, "Dan W." wrote:
> Karl Levinson, mvp wrote:
> > "Dan" wrote in message
> >
> > Many of the things on Chris' list were either fixed in the default settings in Windows XP SP2, or aren't the biggest risk you need to be worrying about.

Hard to respond to that without examples, but I certainly agree; SP2's a worthwhile step forward. Anything older is stone dead if connected as-is, because the firewall's off and both LSASS and RPC are unpatched (yes, even in SP1a). In this respect, there's no safe-out-the-box Win2000 at all - I dunno if the last Win2000 SP had fixes for LSASS and RPC, but there's no firewall built-in.

> > People consider XP SP2 default settings fairly secure. You can spend a lot of time and money on lots of tweaks to the default settings, without gaining a lot of real security.

I'm after safety. I want no "admin shares" whatsoever, I want to see what I'm dealing with when I work on files, and I don't want the PC resetting every time there's a system crash or RPC falls over.

> The vulnerability is caused due to an error in the Windows Shell and is exposed via the "setSlice()" method in the WebViewFolderIcon ActiveX control (webvw.dll). This can e.g. be exploited via Internet Explorer by a malicious website to corrupt memory by passing specially crafted arguments to the "setSlice()" method.

I would kill off "View As Web Page" on sight, and thus not be exposed to this exploit (which I see as a barnacle on a whale of bad design... why would I want the ability to autorun scripts dropped in any directory?). WinME does this properly, but Win98xx is slippery and can fall back to "Web View" so I might kill off the .DLL that operates the web view "feature", as well as Active Desktop of course. I'm not sure if XP is using the "Web View" facility or not, as there's no UI to specifically control it.

> Solution: Set the kill bit for the "WebViewFolderIcon" ActiveX control (see Microsoft advisory for details).
>
> http://secunia.com/advisories/22159/
>
> It seems like new critical security advisories are being posted daily.

Yup. Software complexity meets automated exploit search.

------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
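The "set the kill bit" mitigation quoted from the advisory above comes down to one registry value: a DWORD named "Compatibility Flags" with bit 0x400 set under the control's CLSID in HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. What a practitioner usually wants afterwards is a way to confirm the bit really is set on a batch of machines. The script below is an added example, not code from this thread or from Microsoft: it parses the text of a regedit .reg export of that key, reports which CLSIDs are killed, and can also generate the .reg fragment that sets the bit. The CLSIDs in the embedded sample export are constructed placeholders; the real WebViewFolderIcon CLSID has to come from the Microsoft advisory, not from here.

```python
# Added example (not from the thread): verify ActiveX kill bits from a
# regedit (.reg) export, and generate the .reg fragment that sets one.
# The CLSIDs used as sample data are constructed placeholders; the real
# WebViewFolderIcon CLSID comes from the Microsoft advisory, not from here.
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating the control
COMPAT_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
              "ActiveX Compatibility\\")

# Constructed sample export: one killed control, one not, one with extra flags set.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000BBBB}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000CCCC}]
"Compatibility Flags"=dword:00000404
"""


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: raw_value_string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def dword(raw):
    """Decode a 'dword:xxxxxxxx' value; None for a missing or non-DWORD value."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw or "")
    return int(m.group(1), 16) if m else None


def kill_bits(text):
    """Map each CLSID under the ActiveX Compatibility key to whether it is killed."""
    result = {}
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(COMPAT_KEY.lower()):
            continue
        clsid = path[len(COMPAT_KEY):].upper()
        flags = dword(values.get("Compatibility Flags"))
        # A missing or malformed value means the control is NOT killed.
        result[clsid] = flags is not None and bool(flags & KILL_BIT)
    return result


def is_killed(text, clsid):
    """True only if the export shows the kill bit set for this CLSID."""
    return kill_bits(text).get(clsid.upper(), False)


def kill_bit_reg(clsid):
    """Return a .reg fragment that sets the kill bit for clsid (import with regedit)."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{COMPAT_KEY}{clsid.upper()}]\n"
            f'"Compatibility Flags"=dword:{KILL_BIT:08x}\n')


if __name__ == "__main__":
    for clsid, killed in kill_bits(SAMPLE_REG).items():
        print(clsid, "killed" if killed else "NOT killed")
```

To check a real machine, export the ActiveX Compatibility key with regedit and feed the file's text to kill_bits(); note that regedit on XP writes .reg files as UTF-16, so read them with encoding="utf-16". Checking only the 0x400 bit (rather than equality with 0x400) matters because other Compatibility Flags bits may already be set on a control, as the third sample entry shows.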
#74
Microsoft Zero Day security holes being exploited
"cquirke (MVP Windows shell/user)" wrote:
> I would kill off "View As Web Page" on sight, and thus not be exposed to this exploit (which I see as a barnacle on a whale of bad design...
>
> I might kill off the .DLL that operates the web view "feature",

C:\Windows\System\webvw.dll

You should be able to rename it because you shouldn't have "view as web page" enabled. There apparently hasn't been any update to it for 98 because I only see 1 version (4/23/99).

> as well as Active Desktop of course.

See here: http://www.msfn.org/board/index.php?...pic=46066&st=0

regsvr32 /u webcheck.dll

There was an update to webcheck.dll on 08/29/02. I think I'll nuke it and see what happens. Seems I have to do it from DOS.

Here's a couple of unrelated web links for your reading enjoyment:

http://www.usdoj.gov/atr/cases/f4600/4644.htm
http://www.varbusiness.com/sections/98pages/198sw.jhtml
#75
Microsoft Zero Day security holes being exploited
"98 Guy" wrote in message ...

> Care to provide some evidence that there are currently MORE unpatched vulnerabilities for 98 vs XP?

That's difficult, because the number of unpatched vulns for XP is somewhat unknown. Also, whatever comparison you do now, will be changing in the future. With patches being released for XP and not for 98, the number of unpatched 98 vulns is certain to increase.

> > because Microsoft is not providing patches for all Windows 98 vulnerabilities.
>
> Only since July 11. And how many vulnerabilities discovered since then are really for IE?

For a significant time before that, Microsoft was not providing patches for updates they did not consider critical. There was some disagreement about the non-critical rating Microsoft assigned to a few of the vulnerabilities.

> And are you aware that the 2K versions of the patched files made available since July 11 can be used on Win-98?

Is installing those Win2K patches on Win98 easy for home users? I assume you have to manually extract the files and replace them, assuming they are not in use by the OS?

> > Windows 98 lacks any ability to set ACL permissions
>
> Privilege escalation vulnerabilities exist for NT-based OS's like XP.

True, but Microsoft is and needs to be reducing these privilege escalation vulnerabilities, not giving in to their inevitability. Resistance to local privilege escalation attacks is one weakness Microsoft security has in comparison to Linux, a growing competitor to Windows. With spyware, adware and other malware increasingly infecting Windows platforms, more and more users are asking why Windows cannot control what is done by local users. The ability to open listening TCP/IP ports, send spam email outbound, launch DoS attacks on other systems, etc. are things non-admins should not be able to do silently and without native Windows logging.

A significant problem for Microsoft is the time it takes them to code both patches and new software versions. A significant reason for that problem is the large number of different combinations of product versions they need to support. Different browser versions with different language versions on different OS versions with different service pack versions in different localized language versions: the number of combinations of patches that Microsoft has to release is hundreds if not thousands. This is one big compelling reason why Microsoft is trying to reduce the number of browser and OS variants out there, such as eliminating Win98, in the name of security. I do not see them reversing this trend, especially not to create a Windows98-like niche OS that is only useful for some niche users [e.g. home users that don't need the security features of XP].

> Many systems are configured (for ease of use) for single-user systems to logon as administrator or have admin rights. ACL permissions are primarily designed for servers on multi-user networks, not really for single-user desktop / home computer use.

Not true. ACLs are most valuable for system configuration management. Many parents want to control what their children can and cannot do on their single-user home computers, and this is difficult on 98 due to the lack of ACLs.

> Many large organizations configure their infrastructure so that no personal or organizational files or data exist on local desktop machines, and where a correct login name/PW must be used to gain access to the network. That strategy can be used all the way down to a 2-desktop network.

.... but going back to home users, the most likely consumer of the proposed new Windows 98 product, those users would most likely be storing files on the local hard drive, without any native protection against unauthorized access from others in the house.

> > all users can read and modify all files belonging to all other users and to the operating system.
>
> Irrelevant in the context of malware vulnerability. If you have users of shared systems that seek out private information or intentionally plant malware on their own system, then you have an HR problem.

Well, the assertion was that Win98 was more secure than XP. I see no reason to evaluate Windows security by ignoring certain common security features, just because you don't need them yourself. Windows should not be programmed just for certain users. It needs to be configurable so that it will work for all users. Malware is only one threat, and saying that one OS is more resistant to malware is only so useful in evaluating security.

The ability to prevent one user from modifying the files of the OS or of other users is relevant to malware on multi-user systems. This prevents one user from infecting anything other than just her own user profile. Log in as another user, and the infection is not present for that user. It also prevents malware from reading and modifying OS files and the data files of other users. It also helps XP to protect the secret encryption keys of each user, whether the snooper is malware, a remote attacker, or an insider on the machine. XP SP2 included a number of security features against malware that depend on NTFS, such as AES. Win 98 does not have those features.

> > NTFS and the ability to log in as limited user accounts has been shown to drastically reduce the amount of spyware and adware that gets installed on a system.
>
> A solution that is only viable in institutional/corporate settings and not for single-user home use.

Logging in home users as non-administrators is absolutely viable, as Vista is showing today. Linux and Lindows do it very well, and Walmart sells Linux computers for home users. It's just that Windows XP and third party software make this more difficult than it should be.

> > And availability can be an issue on old and unsupported software like Windows 98.
>
> Availability of what? Of new patches and fixes? Maybe we should wait and see what new vulnerabilities come down the pipe that are proven to affect 98. Until then, the "not supported" argument is a red herring.

No red herring, as you should know, there are already unpatched vulns for Win98, and the number is going to grow. Unless you think there are zero more vulns to be found in Win98.

I was meaning to say system availability, meaning that Win98 is not terribly stable and crashes if it is not rebooted and reinstalled frequently. Availability is part of the "CIA" security triad, and it's hard to argue that 98 has better availability and stability than XP. 98 does little to nothing to ensure system integrity is not compromised, and little to nothing about confidentiality, so I'm not getting the assertion here that 98 is more secure than XP.

> > Regarding hardening XP, the hardening guides from www.microsoft.com/technet/security are very good.
>
> Too bad that from its introduction in 2002 until SP2 was belatedly released in late 2004, XP systems were practically guaranteed to become infected via direct network exploits and a myriad of other ways, and that many XP systems in residential settings are never updated or patched by their owners.

That was then, this is now. We have XP SP2 now, and both XP and XP SP2 are steps forward in security. And all users had to do to be protected from most of those vulnerabilities was to enable the Windows Firewall, Automatic Updates and some sort of antivirus... things they should have been doing anyways.

Anyways, the question was, what good resources are there for hardening Windows XP, and that's part of the answer.

As far as XP SP2 being "belatedly" released, they designed, tested and released it in only a year, and with only minimal problems being caused by it. That's amazing and is something to laud and support, not deride.