Archive for the ‘Microsoft’ Category

Attackers targeting Microsoft Office with no quarter

Monday, August 28th, 2006

From the eWeek Security blog:

Microsoft Office Under Siege

News Analysis: Attackers and flaw finders are pounding away at Microsoft Office applications, discovering new ways to attack millions of Windows machines. Can Microsoft cope with the deluge of flaws?

What started as an amusing eBay listing of an Excel vulnerability for sale has developed into an all-out hacker assault on Microsoft Office applications.

Security researchers and malicious hackers have zeroed in on the desktop productivity suite, using specialized “fuzzing” tools to find a wide range of critical vulnerabilities in Word, Excel and PowerPoint file formats.

http://www.eweek.com/article2/0,1759,2002421,00.asp

Today I was installing Microsoft FrontPage on my work desktop.

After the installation it reminded me to check for Office updates.

I thought, no sweat. Our desktops run Windows Update daily. I didn’t think I’d have any updates to install and could get straight to work.

Boy was I wrong. Well, it seems that Office Update does not always talk to Windows Update. I had at least 4 critical security updates in Office!

How in the heck can that happen? This machine has been running Windows Update daily, as far as I know.

Perhaps I’m wrong. Perhaps there is some misconfiguration in my Windows Update, but could it possibly be that Windows Update does nothing but update kernel level software (IE, Windows Media Player, Microsoft Messenger, Windows OS, and other highly critical pieces of software (sarcasm))?

Schweet…

Bill

“Microsoft Claims Security Win with New Development Rules”

Wednesday, August 9th, 2006

Just look at that headline from the eWeek article I linked to in my previous post…!
( http://www.eweek.com/article2/0,1895,1779769,00.asp )

Man, you’d think Microsoft was on K Street, DC, not in Redmond, WA.

Hypothetically, training your software engineers and developers on how to write secure code is a good thing. Hypothetically, man can travel at the speed of light. Fact of the matter is that Microsoft can’t solve the security problem. Microsoft is its own worst enemy when it comes to solving the security problem.

Einstein said, “you cannot solve a problem with the same level of intelligence that created it.”

Software engineering groups that are serious about developing flawless software adopt this philosophy. They do this through independent certification processes such as the SEI-CMM. For more details, see: http://www.sei.cmu.edu/

First things first. Microsoft needs to develop an organizational structure and workflow that promotes excellence in software engineering. Once it has obtained some reasonable level of capability to write good software, it can then begin to eliminate software flaws in a measurable, predictable way.

Claiming victory because a barely used OS (Windows Server 2003) doesn’t have many reported flaws is just plain ABSURD. As a security researcher, I’m fond of asking, “How do you know you haven’t been compromised?” or “How do you know there are no flaws?”

Just because you don’t see them does not mean they are not there.

What’s worse, how on earth can I trust Microsoft to accurately assess or report on the changes it’s seeing? I can’t.

Success will be believable when independent analysis confirms that they have accomplished something, anything…

Until then, I think it’s status-quo in Redmond.

Bill

Microsoft hires LSD – Pleather or the real deal?

Wednesday, August 9th, 2006

As reported on eWeek:

LAS VEGAS—Remember the LSD—or Last Stage of Delirium—hacking group?
Back in 2003, the group of four Polish security researchers discovered the RPC (Remote Procedure Call) interface vulnerability that would later be used to unleash the Blaster worm, but because of distrust over Microsoft’s willingness to address software flaws at the time, LSD members had to be coaxed into sharing their findings.
Today, LSD is on Microsoft’s payroll, working on what is being hailed as the “largest ever penetration test” of an operating system coming out of Redmond, Wash.

http://www.eweek.com/article2/0,1895,1999070,00.asp

Earlier I wrote how Microsoft gives more lip service to security than they give effort.

Will hiring a hacker group really solve Microsoft’s security problem?

Yes and no. If done right, perhaps, if done wrong, then definitely not.

First, the groups hired must be able to report openly after the testing phase is over. Meaning, they must not be under any obligation to Microsoft to report future bugs to Microsoft only.

Second, the groups must be given unrestricted access to attack the system through any means possible. I.e., a group must not get the mandate: “attempt to use Word to escalate privilege…” The goal should be, “given local login access, attempt to gain Administrator or System privileges.”

Groups must also not be on an arbitrary deadline. They must be able to take as long as they want to attempt a break in.

Beyond the restrictions on the attackers, my biggest concern is not what they discover, but what Microsoft does with that discovery.

To this day, buffer overflows are still being discovered in Microsoft software that is years old. How on earth can I expect that they will actually solve the problems that are identified in pen testing?

Long and short, I can’t. Unless Microsoft is willing to open the source of its kernel, I will assume that it contains flaws. Even if pen testers don’t find them, or those very few researchers given access to the code don’t find them, the Windows kernel is one patch away from a vulnerability.

The eWeek article mentions an initiative at Microsoft titled its “Trustworthy Computing Security Development Lifecycle” [insert pleather here]. For the eWeek story, see http://www.eweek.com/article2/0,1895,1779769,00.asp

I’ll look into this some more. I suspect that this is more lip service.

Bill

Microsoft strategy: “Security through publicity”

Monday, July 31st, 2006

US-CERT reports on 7/11:

Microsoft DHCP Client service contains a buffer overflow
Microsoft DHCP Client service contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.

Details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2372

Holy sweet jesus.

Look at the systems affected:

  • Microsoft Windows 2000 SP4
  • Windows XP SP1 and SP2
  • Windows Server 2003 up to SP1

DHCP client probably runs actively on just about every home PC, and a large number of business PCs.

What distresses me most is that for the upcoming Windows Vista, Microsoft revamped their implementation of the entire TCP/IP protocol stack.

If Microsoft could let such an obvious and novice bug persist in the code since Windows 2000 SP4, how on earth can we trust that their rewrite of the protocol stack will be bug free?

The fact that this bug has persisted for so many years is negligence on Microsoft’s part.

In all likelihood, the DHCP client is written in C or C++. There are automated tools that can detect buffer overflows in both those languages.
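To make the class of bug concrete, here is an added example in C; it is not code from the US-CERT note, from Microsoft or from this post, and it does not describe the actual defect behind CVE-2006-2372 (which the page does not detail). It assumes a hypothetical DHCP-style option layout (code byte, length byte, payload) and shows the unchecked copy that static analyzers and fuzzers flag beside a bounds-checked version; the function and constant names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a DHCP-style option is a code byte, a length byte and
 * a payload of that many bytes. All names here are hypothetical; this is not
 * the Windows DHCP client's code nor the defect behind CVE-2006-2372. */

#define NAME_MAX 16   /* fixed-size destination, deliberately small for the demo */

/* Unchecked pattern: trusts the length byte that came off the wire.
 * Works for well-formed input, overflows 'dst' when len >= NAME_MAX.
 * This is exactly the shape a static analyzer or a fuzzer reports. */
int copy_option_unchecked(const uint8_t *opt, char *dst)
{
    uint8_t len = opt[1];
    memcpy(dst, opt + 2, len);   /* no check against the size of dst */
    dst[len] = '\0';
    return (int)len;
}

/* Checked version: every quantity derived from the packet is validated
 * against both the bytes actually received and the destination size.
 * Returns the payload length on success, -1 on any malformed option. */
int copy_option_checked(const uint8_t *opt, size_t opt_len,
                        char *dst, size_t dst_size)
{
    if (opt_len < 2)                      /* header itself is truncated */
        return -1;
    size_t len = opt[1];
    if (len + 2 > opt_len)                /* claims more bytes than we received */
        return -1;
    if (len >= dst_size)                  /* payload plus NUL would not fit */
        return -1;
    memcpy(dst, opt + 2, len);
    dst[len] = '\0';
    return (int)len;
}

/* Well-formed option: both parsers agree, which is why the bug stays hidden
 * in normal operation. Returns 1 if both yield "host1". */
int demo_wellformed(void)
{
    const uint8_t opt[] = { 12, 5, 'h', 'o', 's', 't', '1' };   /* constructed */
    char a[NAME_MAX], b[NAME_MAX];
    int ra = copy_option_unchecked(opt, a);
    int rb = copy_option_checked(opt, sizeof opt, b, sizeof b);
    return ra == 5 && rb == 5 && strcmp(a, "host1") == 0 && strcmp(b, "host1") == 0;
}

/* Length byte claims 200 bytes but only 2 follow: the checked parser rejects it. */
int demo_truncated(void)
{
    const uint8_t opt[] = { 12, 200, 'a', 'b' };   /* constructed */
    char b[NAME_MAX];
    return copy_option_checked(opt, sizeof opt, b, sizeof b);
}

/* Payload really is present but larger than the destination: also rejected.
 * Only the checked parser is called here; the unchecked one would corrupt the stack. */
int demo_oversized(void)
{
    uint8_t opt[2 + 32];   /* constructed */
    char b[NAME_MAX];
    opt[0] = 12;
    opt[1] = 32;
    memset(opt + 2, 'x', 32);
    return copy_option_checked(opt, sizeof opt, b, sizeof b);
}

int main(void)
{
    printf("well-formed, both agree : %d\n", demo_wellformed());   /* 1 */
    printf("truncated option        : %d\n", demo_truncated());    /* -1 */
    printf("oversized option        : %d\n", demo_oversized());    /* -1 */
    return 0;
}
```

The point for a code review is that the unchecked function compiles cleanly and passes every normal-traffic test; only malformed input exposes it. The two checks the hardened version adds, that the declared length fits inside the bytes actually received and that it fits inside the destination, are the pattern that automated analysis tools look for when they report a missing bounds check on a memcpy.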

Microsoft’s commitment to security seems to be focused more on publicity than results.

Bill

Again, Microsoft sacrifices security under pressure

Sunday, July 23rd, 2006

In Sans NewsBites from 17 July:

Microsoft has “pulled” Private Folder 1.0, a Windows add-on. The free software allowed users to protect folders with passwords; the purpose of the software is to help people who share PCs protect their data from others who use the same computer. The software was available to users participating in Microsoft’s Windows Genuine Advantage software verification program. Corporate users complained the software could create situations in which company data would be inaccessible to those who need it.

As I pointed out previously, I think this will be a trend going forward. (As it has been in the past).

Microsoft delivers “their most secure operating system, ever,” but when business users complain about the features, the feature is removed, or disabled.

Security must be simple, or users will find ways of circumventing it.

Microsoft EFS is not overly challenging to set up, and allows decryption by a pre-specified authorized agent.

Rather than keeping a feature that is good for home users (who may not care about data recovery agents), Microsoft opts to yank the whole thing.

I’d have liked to see a different approach.

Bill

Microsoft to allow ActiveX installs for non-admin users in Vista

Thursday, July 20th, 2006

Microsoft had designed one of the Vista releases to prevent ActiveX installs for non-administrative users.

What a great idea. No more inadvertent installs of malicious ActiveX controls.

But bowing to pressure from beta testers, Microsoft will be releasing a feature allowing non-administrators to install ActiveX controls.

This is scary for two reasons:

First, ActiveX is a paradigm fraught with security problems. Restricting ActiveX controls to only install if on a whitelist, or to run only with user context, is of little value as attackers will find ways of circumventing these restrictions. Additionally, I suspect most SMBs have users set up as local administrators…

Second, and perhaps scarier, Microsoft has set the precedent that they are willing to roll back security enhancements in Vista when customers complain.

Where will this end?

Based on reports of the overwhelming challenges and confirmation dialogs Vista places in front of the system user, I suspect that the rollbacks will continue until Vista reverts to Windows XP but with significantly higher resource requirements.

Sadly, I believe that the end game here is that businesses will start installing Linux, or purchasing Macs.

In the very long term, this may be good for Microsoft. Starvation might be just what’s needed for Microsoft to get its head back in the game.

Bill