Archive for the ‘Microsoft’ Category

This week in Infosec - 2008-09-15

Monday, September 15th, 2008

A snapshot of what’s been talked about in the IT Security realm over the past week.

Attack Vectors/Trends

This weekend I was listening to an episode of hmm… I think it was SecuraBit.

In any event, they spent some time talking about something I have posted about before: GIFAR.

GIFAR is a GIF image with a Java JAR appended to it: the same file is a valid GIF to an image parser and a valid JAR to the Java runtime.

When I first heard of it, I thought it was a neat vector, but didn’t fully consider the threat until I was listening to the podcast.

How many sites let users upload a profile image? Or how many social networking sites allow people to upload images and make galleries?

So, this bug is back on the radar.
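An added example (written for this page, not from the podcast or the original GIFAR research) showing why the trick works and the upload-time check a site would want. It builds a tiny GIF and a JAR in memory, concatenates them, and shows that the result still starts with the GIF signature while a zip reader still recovers the JAR's entries, because zip readers locate the central directory from the end of the file. The class name `Evil.class` and the placeholder class bytes are assumptions; the GIF bytes are a constructed 1x1 image.

```python
import io
import zipfile

# A complete 1x1 GIF89a image, constructed here as sample input.
MINIMAL_GIF = (
    b"GIF89a"                                     # signature + version
    b"\x01\x00\x01\x00"                           # logical screen 1x1
    b"\x80\x00\x00"                               # global colour table flag, 2 entries
    b"\x00\x00\x00\xff\xff\xff"                   # the two palette entries
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
    b"\x02\x02\x44\x01\x00"                       # LZW min code size + data sub-block + terminator
    b"\x3b"                                       # GIF trailer
)


def build_jar(class_name="Evil.class"):
    """Build a JAR (a zip with a manifest) in memory.

    The class body is placeholder bytes (assumed), not real bytecode;
    the point is the container, not the applet.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(class_name, b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return buf.getvalue()


def build_gifar(gif, jar):
    """A GIFAR is plain concatenation: image first, archive last."""
    return gif + jar


def is_gif(data):
    """What a naive upload filter checks: the magic bytes at the front."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def jar_entries(data):
    """Entry names a zip reader recovers from the bytes. Zip readers find the
    end-of-central-directory record by scanning from the END of the file and
    adjust for any prepended data, so the GIF in front does not stop them."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def is_image_zip_polyglot(data):
    """Upload-time check: magic bytes say image, but a zip trailer is present."""
    if not is_gif(data):
        return False
    has_eocd = data.rfind(b"PK\x05\x06") != -1     # end-of-central-directory signature
    return has_eocd and zipfile.is_zipfile(io.BytesIO(data))


if __name__ == "__main__":
    polyglot = build_gifar(MINIMAL_GIF, build_jar())
    print("starts with GIF signature :", is_gif(polyglot))
    print("jar entries recovered     :", jar_entries(polyglot))
    print("flagged as polyglot       :", is_image_zip_polyglot(polyglot))
    print("plain gif flagged         :", is_image_zip_polyglot(MINIMAL_GIF))
```

The check is the cheap first filter. The stronger defence is to re-encode every uploaded image with an image library so the stored bytes are never the attacker's, and to serve user-uploaded content from a separate origin so a smuggled applet cannot run in the context of the site that hosts it.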

News and Analysis

Microsoft, Apple, and age old bugs

This week @RISK listed a series of Microsoft image processing buffer overflows.

Buffer overflows. Yep, you heard it right.

Microsoft still doesn’t get it. Boundary checking is to a software developer what firewalls are to a network admin.

Shame on you, Microsoft.

The part that really gets my goat on this is that these are being discovered by researchers. Not by Microsoft. You can run automatic code checkers that will tell you that you have assignments with improper bounds checking.

This means that not only have Microsoft’s developers not gotten the clue, but also that Microsoft isn’t even doing the due diligence to do automated validation.

Fail.

Now, to be fair, there are several similar bugs this week in Apple products, including both host OS and iPhone.

But Apple is not enterprise ready, and it should not be used in the enterprise, and if it is, you get what you get.

Microsoft, on the other hand, explicitly bills themselves as the enterprise product. I expect more.

Google Chrome

I wrote a little about Chrome in last week’s This Week in Infosec.

Many more bugs have been discovered.

This is odd coming from Google, which traditionally has pretty tight code.

Either they were rushing to market, or hoping that the community would debug for them.

Either way, they lost credibility with me. Yes, it’s still beta software, but some of these bugs are pretty basic stuff, like buffer overflows, which are insanely easy to find in the code.

Microsoft IE 8 InPrivate feature lacking

Tuesday, September 2nd, 2008

Security Fail

From ITWorld.com, “Privacy feature in Internet Explorer 8 leaks private data”

Forensic experts however found it trivial to retrieve the history, according to a test by Webwereld, an IDG affiliate in the Netherlands, and Fox IT, a Dutch firm specializing in IT security and forensic research.

But researchers were able to retrieve data displaying general information about the browser’s behavior. Although URLs (Uniform Resource Locators) aren’t stored, Prickaerts was still able to restore the browsing history. “The remaining records in the history file still enable me to deduce which websites have been visited,” said Prickaerts.

Even more data is stored in the browser’s cache, a feature designed to speed up performance of websites by storing a copy of recently accessed information on a user’s hard disk. InPrivate Browsing failed to disable this feature. Users seeking a higher level of privacy could manually delete the cache, but it can later easily be retrieved through commonly available forensic tools.

The shortcomings in InPrivate Browsing put the level of privacy protection in Internet Explorer 8 on a par with Firefox 2 and 3. The open source browser allows users to delete all private data, but does that by merely deleting files. Those too can easily be retrieved. Developers have crafted plugins for Firefox which mitigate the risk of information leaks.

Microsoft’s main goal with InPrivate Browsing is to prevent other users of the same computer from gaining access to the browsing history, the company said in an e-mail response. The feature isn’t designed to protect a user’s privacy from security experts and forensic researchers, the company said.

I’ll give Microsoft the benefit of the doubt. They do have time to fix these issues before final release.

But really. Come on!

This isn’t rocket science.

Now, I’d be a little less disappointed if the forensic team got the information from memory swap space, or by having to apply cryogenic memory retrieval tactics. This would at least indicate that Microsoft tried.

But from the article, it seems that they retrieved the files right out of the browser’s default local storage.

Here’s what really chafes me…

Microsoft IE runs on Microsoft Windows. Microsoft Windows runs on the hardware.

Microsoft runs the entire system. Memory allocation, process scheduling, you name it.

How can it be that they can fail to develop a simple tool that doesn’t store anything on disk, but uses only in-memory storage?

This is Microsoft doing what Microsoft does best: 80%.

Bill

Good article on Windows share + folder NTFS permissions

Friday, June 20th, 2008

The way NTFS and share permissions interact is fragile and easy to get wrong.

Here’s a great article by Derek Melber on how they play together, and some best practices:

http://www.windowsecurity.com/articles/Share-Permissions.html
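As an added illustration (example code written for this page, not from Melber's article): a small evaluator for the rule the article explains. Through a network share, a user's effective rights are the intersection of what the share permissions grant and what the NTFS ACL grants, the more restrictive side winning right by right; logged on locally, only NTFS counts; and an explicit deny strips rights regardless of any allow. The ACLs, groups and users below are constructed, and the right sets behind each permission level are a simplification of the real NTFS right set.

```python
from dataclasses import dataclass

# Rights behind each permission level. Shares know only Read/Change/Full Control;
# NTFS has finer levels, of which Read/Write/Modify/Full Control are modelled.
# This is a simplification for the example, not the full NTFS right set.
RIGHTS = {
    "Read": {"read"},
    "Write": {"write"},
    "Change": {"read", "write", "delete"},   # share-level name
    "Modify": {"read", "write", "delete"},   # NTFS-level name, same rights
    "Full Control": {"read", "write", "delete", "change_permissions"},
}


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group the entry applies to
    level: str          # key into RIGHTS
    deny: bool = False  # explicit deny entry


def evaluate(acl, principals):
    """Union every allow ACE that matches one of the caller's principals, then
    subtract every matching deny. Explicit deny beats explicit allow; the
    inheritance ordering that real NTFS also applies is ignored here."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (denied if ace.deny else allowed).update(RIGHTS[ace.level])
    return allowed - denied


def effective_rights(share_acl, ntfs_acl, principals, over_network=True):
    """Through a share the result is the intersection of both ACLs, so the more
    restrictive side wins right by right. Logged on locally, only NTFS applies."""
    rights = evaluate(ntfs_acl, principals)
    if over_network:
        rights &= evaluate(share_acl, principals)
    return rights


# Constructed scenario (assumed names): the usual "Everyone: Full Control" on the
# share, with the real restrictions on the folder's NTFS ACL.
SHARE_ACL = [Ace("Everyone", "Full Control")]
READ_ONLY_SHARE = [Ace("Everyone", "Read")]
NTFS_ACL = [
    Ace("Users", "Read"),
    Ace("Finance", "Modify"),
    Ace("Interns", "Modify", deny=True),   # explicit deny on the whole group
]

# Principal sets as Windows builds them: the user plus every group they are in.
ALICE = {"alice", "Users", "Finance", "Everyone"}
BOB = {"bob", "Users", "Finance", "Interns", "Everyone"}

if __name__ == "__main__":
    print("alice via share   :", sorted(effective_rights(SHARE_ACL, NTFS_ACL, ALICE)))
    print("bob via share     :", sorted(effective_rights(SHARE_ACL, NTFS_ACL, BOB)))
    print("alice, read share :", sorted(effective_rights(READ_ONLY_SHARE, NTFS_ACL, ALICE)))
    print("alice locally     :", sorted(effective_rights(READ_ONLY_SHARE, NTFS_ACL, ALICE, over_network=False)))
```

The two traps this makes visible: "Everyone: Full Control" on the share is only safe when the NTFS ACL underneath is right (the share adds nothing, so the folder ACL is the whole control), and a Read-only share silently caps an NTFS Modify grant for network users while leaving it intact for anyone who logs on to the box locally.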

Bill

More spin from the Microsoft

Sunday, February 3rd, 2008

You just gotta love stuff like this:

Microsoft touts Vista’s low flaw count
Published: 2008-01-24

Microsoft gave itself a collective pat on the back on Wednesday, releasing a report that showed that Windows Vista had far fewer flaws patched in the first year than the company’s previous operating system, Windows XP.

The survey of vulnerabilities, dubbed the Windows Vista: One Year Vulnerability Report, found that Microsoft’s latest operating system required 9 patches for 36 vulnerabilities in its first 12 months of business-user (corrected) availability. Microsoft’s prior operating system, Windows XP, required 30 patches to fix 65 vulnerabilities in its first year.

The report also compared Vista’s rate of patching and total vulnerability count to those of Red Hat Linux, Ubuntu Linux and Apple’s Mac OS X, finding that the other operating systems had 360, 224, and 116 vulnerabilities patched in their respective software components in their first year of release. A reduced number of installed components were used for both Red Hat Linux and Ubuntu Linux, according to the report.

The report’s author, Microsoft Security Strategy Director Jeffrey R. Jones, stressed that the analysis is not an argument that Vista is more secure.
(http://www.securityfocus.com/brief/668)

Ok… If you are not claiming that Vista is more secure than the Linux distros mentioned, then what are you saying? Why mention it?

Perhaps just telling themselves, “Good work, team?”

I wonder how many flaws they would have patched if they had people actually using the system.

Bug discovery rates parallel the distribution base.  XP was adopted quickly.  Has anyone used Vista?

I gave up on Vista when working on a friend’s laptop.  I was logged in as “Administrator” and had to click a confirmation 3 TIMES just to delete 1 FILE!  Man that got old quick.

NEI had planned on going to Vista this year, but it looks like that is going to be delayed due to general antipathy among the employees.

Here’s another quote from the article:

Other groups in Microsoft pointed to the study as proof that the hundreds of millions of dollars that Microsoft has put into software security has paid off.

Does that include their advertising budget?  Or the studies they pay for that always seem to show that Windows is more secure, faster, better, whatever, than any alternative?

Others are seeing through the Microsoft FUD as well…

I was in a coffee shop yesterday.  A quick scan revealed: 5 MacBooks; 3 Windows laptops.

This tells me two things:
1) I’m damn glad I sold my Microsoft stock and bought Apple
2) Apple will win the hearts and minds of the users… Business will change when Apple is what people know, not Windows…

My girlfriend’s laptop crashed last week.  I bought her a MacBook.  She loves it…

Bill

Microsoft Vista – Most secure OS since their last most secure OS

Tuesday, October 16th, 2007

I’ve been out of the scene for a while, but this morning I was reading @RISK and noticed the volume of remote code execution vulnerabilities in Windows Vista.

Man, if that OS was even usable, I’d be worried, but since I don’t think ANYONE is using it, I am not too concerned.

It baffles me, though.

All the talk of security…  I knew it was a front.  Microsoft is an expert at FUD and protecting themselves from it.

I almost never hear people bashing Microsoft’s security any more.  Too bad, because from where I’m sitting, it doesn’t look like it’s getting any better.

Here’s one bug I was reading: Security Update for Outlook Express and Windows Mail (941202)

On another note, yesterday I built an Ubuntu Linux PC, installed a hex-editor, connected it to my corporate LAN, downloaded a thick-client Windows executable we are experimenting with, and extracted “protected content” from the .exe.  All that fun in less than 30 minutes.

Rock on,
Bill

Vista flaws - let the games begin

Tuesday, March 27th, 2007

Micro$oft’s most secure OS (since its last “most secure OS”).

If this bug is legit, then it proves that Microsoft is more worried about the appearance of security than security itself.

Can I get an “input validation!”

From Full Disclosure:
Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability

From: Kingcope
Date: Fri, 23 Mar 2007 08:52:09 +0100

Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Successfully Tested on Windows Vista Ultimate

Greetings fly out to Alex,wtfomg,Thierry,Andi and Blackzero

Description
Windows Mail is the default Mail Client of Microsoft Windows Vista.

Vulnerability
Remote Code Execution is possible if a user clicks on a malicious prepared link.

Vista’s Mail Client will execute any executable file if a folder exists with the same name.

For example the victim has a folder in C:\ named blah and a batch script named blah.bat also in C:\. Now if the victim clicks on a link in the email message with the URL target set to C:\blah the batch script is executed without even asking.

There is for example a CMD script by default in C:\Windows\System32\ named winrm.cmd (and also a folder named winrm inside System32).

Exploit:
Send a HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!
or
<a href="c:/windows/system32/migwiz?">Click here!
and winrm.cmd/migwiz.exe gets executed without asking for permission.
These are just examples.

Later posts indicate that UNC paths work as well, but require an acknowledgment from the user.
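An added check, not part of Kingcope's post or the original blog entry: enumerate a directory for sub-folders that share a base name with an executable file beside them, the exact precondition the post describes (`winrm` next to `winrm.cmd`, `migwiz` next to `migwiz.exe`). On a real box you would point it at `C:\Windows\System32` to see which link targets would trigger the behaviour; here it walks a constructed stand-in so it runs anywhere. The extension list beyond `.cmd` and `.exe` is an assumption.

```python
import os
import tempfile

# Extensions treated as executable. .cmd and .exe are the two cases named in
# the post; the rest is an assumption modelled on a typical PATHEXT.
EXECUTABLE_EXTS = (".exe", ".cmd", ".bat", ".com")


def find_folder_executable_collisions(directory):
    """Return sorted (folder, executable) pairs where a sub-folder and an
    executable file directly inside `directory` share a base name, compared
    case-insensitively as Windows does."""
    entries = os.listdir(directory)
    folders = {
        name.lower(): name
        for name in entries
        if os.path.isdir(os.path.join(directory, name))
    }
    hits = []
    for name in entries:
        base, ext = os.path.splitext(name)
        if ext.lower() not in EXECUTABLE_EXTS:
            continue
        if not os.path.isfile(os.path.join(directory, name)):
            continue
        folder = folders.get(base.lower())
        if folder is not None:
            hits.append((folder, name))
    return sorted(hits)


def build_sample_system32():
    """Constructed stand-in for C:\\Windows\\System32 with the two pairs from the
    post, plus a lone executable and a folder whose namesake is not executable,
    neither of which should be reported."""
    root = tempfile.mkdtemp(prefix="sys32_")
    for folder in ("winrm", "migwiz", "drivers"):
        os.mkdir(os.path.join(root, folder))
    for name in ("winrm.cmd", "migwiz.exe", "notepad.exe", "drivers.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"")
    return root


if __name__ == "__main__":
    root = build_sample_system32()
    for folder, exe in find_folder_executable_collisions(root):
        print(f"{folder}{os.sep}  <->  {exe}")
```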

After a few days of using Vista, users will be “ok” happy on any alert box.

In setting up a Vista box for a friend, I was particularly concerned about having to click “ok” THREE times to delete ONE file!

PWNT by the M$FT man.

Bill

Microsoft OneCare lagging behind competitors

Monday, March 5th, 2007

A few snips from John Dunn’s article on Techworld:

A new test of anti-malware programs has found that Microsoft’s OneCare software is by some margin the weakest product on the market.

OneCare was only able to detect an average of 82.4 percent of what was thrown at it. To put this into context, the next worst program, Dr Web, scored 89.27 percent…

AV Comparatives also tested each program against a sample of polymorphic viruses…

Again, OneCare scored weakly, detecting only 4 out of the 12 polymorphics pitted against it.

The article also links to another article describing Microsoft Defender’s abysmal performance, detecting less than half the malware tested.

Though I’ve talked in the past about the impracticality of letting the fox build the hen house, I’ll talk a little further about incentives.

Bruce Schneier discusses the economic incentives for corporations by looking at economics and externalities.

What is the economic incentive for Microsoft to perform well in the security arena?

None.

  • Microsoft is not liable, legally or financially, for compromises of its poorly written software.
  • Microsoft has a huge stake in giving the appearance of security.  Real or not.  People “want” to see that Microsoft is doing something.  If it looks like they are doing something, people will not look to alternatives.
  • Microsoft has to combat the (ill-gained) notion that Macs are more secure.  Apple threatens Microsoft’s bottom line.

Microsoft has turned into a Goliath.  Like a huge government that has exceeded its ability to provide services in a fiscally reasonable manner.

This reminds me of some economics classes I took as an undergrad that focused on the role of government in the economies of developing countries.

There are some things that government can do, but there are others that government cannot do effectively.

For example, one of the best things government can do to allow for rapid economic growth is to provide stable critical infrastructure:

  • roads, railways, and shipping ports
  • a stable electrical grid
  • laws and regulations creating a “fair” environment for contract creation, negotiation, and dispute resolution
  • patent and trademark systems to protect the brand and intellectual property

Private sector companies can provide much of the rest.

When government steps outside those bounds, it begins assuming responsibility for things it cannot satisfactorily provide.

When a company gets to the point that there is no fair competition, they operate like a government that has exceeded its economically reasonable mandate (think a huge socialist government).  The company becomes incapable of providing a service at a level of quality or cost that can be expected from the private sector.

This is what has happened at Microsoft.

They cannot provide security mechanisms better than the free market.

I’ve often thought that the best thing that could have happened to Microsoft during its anti-trust case was for the company to be broken down into several smaller companies, each of which would have to compete in the open market.

A new company, “Microsoft Security” could provide Defender, OneCare, and whatever other tools and resources it thought necessary.

Then those products could compete against other vendors for purchasing power in the market.

To get back to the point where they are producing truly innovative products, they need to get down to right-size.

If Microsoft wants to be successful in the coming decade, they must split up and compete in the market.  The core OS could provide the critical infrastructure.  Other Microsoft branded companies can provide the applications in a manner competitive in the market.  Let them fight for it!  We’ll get better products.

In the meantime smaller, more nimble and innovative companies (read, starving) will come along and produce products that will constantly nibble Microsoft’s bottom line.  Like a million piranhas working on a poor water buffalo attempting a river crossing in the Amazon.

Maybe the buffalo makes it.  My money is on the piranhas.

Bill

Another example of Microsoft’s lackluster commitment to security

Friday, February 23rd, 2007

Here’s a perfect example of how Microsoft’s commitment to security is more investor relations than a real dedication to secure computing.

Let’s take a quick look at some slugs from MS06-016, update January 10, 2007:

Microsoft Security Bulletin MS06-016
Cumulative Security Update for Outlook Express (911567)
Impact of Vulnerability: Remote Code Execution
Affected Software:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Windows Me) – Review the FAQ section of this bulletin for details about these operating systems.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This is just about the point where you find me curled up into a ball, head in my hands, rocking back and forth, muttering “WTF, OMG, WTF, Oh Noz!” I mean, for REAL.

Lets take a look.

Could anyone who is not institutionalized tell me why on EARTH Outlook Express is installed on a server!

Outlook Express (like most useless Windows add-ons) is installed by default, and if you remove it, Windows is happy to re-install it the next time you run Windows Update.

We are looking at everything from Windows 2000 through Windows Server 2003 being affected by this bulletin. Doesn’t it seem reasonable that you log into that server as Administrator? I mean, there is no other reason to log into a server unless to perform administrative tasks, and I know of not one Windows SA that logs in locally and runs his apps using run-as.

So, if you are like every SA I know, and if you happen to be really stupid and use Outlook Express to read email, then you might as well just post your password to the Full Disclosure list and call it a day.

Here’s a quick scenario. Typical lazy, uninformed, and completely security un-aware Windows admin logs into his Windows box to try to figure out why his server is sending thousands of spam messages. He looks at the mail pick-up queue and double clicks an email to see what it says. PWNT! As Microsoft dutifully pops open OE to view the message.

Sometimes I get sick of reading these messages, and wonder why I still work in a Windows environment. On the other hand, Microsoft = job security, so I should be grateful.

Please note, I’m not arbitrarily picking on Microsoft today. But I have just added the 3 Microsoft security RSS feeds to my reader, and am sifting through the articles… Almost everyone writes bad code… Just ask the PHP people… Lolz.

Bill Gross

Letting the fox build the hen house…

Friday, February 23rd, 2007

It was only a matter of time.

“Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution”

The “Microsoft Malware Protection Engine” is the core of just about all of the Microsoft security tool suite.

Details:

A remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.

Solution:

… administrators can disable the Microsoft Malware Protection Engine as a workaround …

Microsoft hasn’t been able to write secure code in 25 years. What makes us think they’ll begin doing so now?

PWNT by your malware detection system.

Good job, Microsoft.

For the end user:
Switch to an OS with a proven track record for security. Linux if you are impatient, OpenBSD if you like 100 proof.

For Microsoft:
How about a simple code analyzer. This bug is because your N00bish tool trusts un-verified input provided by an untrusted third party.

Full Details:
http://www.microsoft.com/technet/security/bulletin/ms07-010.mspx?pubDate=2007-02-13

MS malware engine vulnerable to malware

Thursday, February 15th, 2007

Oh Noz.

I’ve been saying for a long time that:

  1. Microsoft can’t code their way out of a paper bag (as far as security goes)
  2. Letting them write their own security suite is like letting the fox build the hen-house…

And my prophecy came true, sadly…

Take a moment to enable that hardware DEP!

From the Inquirer:
http://www.theinquirer.net/default.aspx?article=37629

By Andrew Thomas
14 February 2007

OH DEAR, OH DEAR. If there was one piece of software you’d expect to be secure from malware attacks it would have to be malware protection software itself. Sadly, this is not the case with Microsoft Defender, the software giant’s all-singing, all-dancing user security package.

According to security bulletin CVE-2006-5270 - Microsoft Malware Protection Engine Vulnerability, Integer overflow in the Microsoft Malware Protection Engine (mpengine.dll), as used by Windows Live OneCare, Antigen, Defender, and Forefront Security, allows user-assisted remote attackers to execute arbitrary code via a PDF file. All the following are at risk of remote code execution:

Windows Live OneCare
Microsoft Antigen for Exchange 9.x
Microsoft Antigen for SMTP Gateway 9.x
Microsoft Windows Defender
Microsoft Windows Defender x64 Edition
Microsoft Windows Defender in Windows Vista
Microsoft Forefront Security for Exchange Server
Microsoft Forefront Security for SharePoint

According to the bulletin rated ‘critical’ a remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.

To have one insecure security product could be seen as unlucky; to have eight looks a bit like carelessness.

L’INQ
Microsoft Security Bulletin MS07-010
http://www.microsoft.com/technet/security/Bulletin/ms07-010.mspx