Friday, December 30, 2005

Racing Against the (WMF) Clock

The last time Microsoft was notified of a remote code execution bug in the rendering of WMF (Windows Metafile) images, it took 7+ months before a patch was made available.

At the time, the MSRC's Stephen Toulouse explained the lengthy delay:

"The graphics rendering system is an extremely important component of the operating system. It's critical to the functioning of the operating system. Any time you make a change to such an important component, you absolutely have to ensure you're not introducing new problems."

I can't imagine the MSRC having that kind of luxury this time around.

Most Vulnerable OS

According to US-CERT statistics, the operating system with the most vulnerabilities in 2005 was not Windows.

Tuesday, December 27, 2005

98% Unsafe

Bruce Schneier: "Internet Explorer sucks."

Thursday, December 22, 2005

MSRT vs Hacker Defender

holy_father, the creator of the Hacker Defender rootkit, claims the MSRT (Microsoft Malicious Software Removal Tool) cannot successfully detect newer versions of the rootkit:

"Microsoft claims that Windows Malicious Software Removal Tool for XP/2000/2003 (MSRT) can detect Hacker Defender. I always test the latest MSRT with Hacker Defender, and the latest MSRT does not even detect the latest public version of Hacker Defender (hxdef 1.0.0 revisited), which was published weeks ago and is available for download to everyone, with full source code."

Home Office Security Checklist

Here's an excellent home office security checklist from Microsoft that's worth sharing with everyone you know.

When Silent Fixes Backfire

On the SecuriTeam Blog, Matthew Murphy provides an extreme example of why it's important for software vendors like Microsoft to be totally transparent about the way security vulnerabilities are handled and fixed.

He explains how a security bug in Visual Studio was reported to Microsoft in 2002 but remained unfixed for a long time. Eventually, Microsoft silently fixed the flaw but declined to provide information on the fix to customers or partners. That caused anti-virus vendor Trend Micro to unwittingly use the vulnerable code in its products, putting its customers at risk of code execution attacks.

Trend Micro, at the end of 2005, claims it has "recently become aware" of the flaw which Murphy says he reported to Microsoft in July 2002.

The lesson:

"While this is an extreme example, it goes to show just how important information is in shaping response. Security fixes cannot simply be made and forgotten: they need effective distribution and uptake to have real-world impact. It wasn't the lack of a fix, but poor distribution and uptake of a security patch that enabled Blaster to infect 25 million Windows PCs, and bring entire networks to their knees. And… what better way is there to cripple uptake rates than to simply not inform users of the availability of a fix?

We can only hope Microsoft has learned its lesson... if approaches like this remain the norm there, we’re going to be dealing with more viruses, more sleepless nights, and more pounding headaches for quite a while before they ever get it right."

Tuesday, December 20, 2005

Password Strength Guidance Redux

Microsoft's Stephen Toulouse corrects my inference that the company's guidance on passwords is conflicting and offers some thoughts of his own on the issue:

"No one should be saying "always write your passwords down", just as no one should be saying "never write your passwords down" because there is no absolute guidance for all users on that point. You have to pick what works for you, balancing the risks in creating complex passwords. If you have no need to keep a password system in your head, then it makes sense to write things down if that's the only way you can do complexity. Just be aware that while you are reducing your risk of a single password being cracked and compromising everything, you are increasing your risk that anyone who finds the paper (or papers if you are smart) has the complete keys to the kingdom. If you take careful enough precautions with the paper then on the balance writing it down can carry less risk because of the gain in randomness and complexity."

On a related note, I don't think Microsoft's password strength checker is working properly. It's telling me that passphrases of more than 50 characters are 'weak' passwords.

Protect Your PC Pledge

Microsoft has started a "Protect Your PC in 2006" pledge as a "fun, informal way to get more people actively thinking about online security without getting intimidated."

Monday, December 19, 2005

URL Typo-Squatting Data

Here is the raw data from Microsoft Research on the URL typo-squatting scheme that Google continues to deftly ignore.

Jesper's Other PC

I snapped this shot of Jesper Johansson's laptop cover at Microsoft's Security Summit East in Washington, DC.

Saturday, December 17, 2005

Zotob and Windows 2000

I wonder if Microsoft knows (and if they do, if they'd tell us) how many Zotob infections occurred on Windows 2000 SP3.

Tuesday, December 13, 2005

2 Bulletins, 5 Flaws and Keeping Count

As expected, Microsoft's security train dropped off two bulletins with patches for five holes -- in IE and in the Windows kernel.

As I noted in an earlier entry on counting vulnerabilities, Microsoft's PR machine loves to use the number of bulletins to boast of software security improvements, but if you go back and count the number of vulnerabilities fixed in the 55 bulletins released in 2005, you'll get a better picture of just how many fixes are coming out of Redmond.

And that's just those they tell us about. Remember, the MSRC has repeatedly told us that the patch-creation process involves a healthy dose of code auditing to find -- and fix -- additional things related to the bug reported by an external researcher.

A quick aside on today's patch day: I'm told that the IE update does fix the drive-by exploit vector but does appear to be quite buggy. The attack (exploit) seems to hang the machine even though it's not getting through. It takes a few minutes for the hang to go away.

Friday, December 09, 2005

MS Password Checker

Microsoft has set up a useful site to help users test the strength of passwords. Enter a password into the box and the password checker will help determine its strength as you type.

It's strange to see Microsoft's own advice on the actual strength of passwords clash with the advice from Jesper Johansson, a well-respected security strategist at Microsoft.

Jesper recommends that passwords should be as complicated as possible and written down on a piece of paper and stored in a safe place. However, this guidance from Microsoft goes against that bit of advice.

"Random combinations of letters, numbers, and symbols that must be written down to be remembered, can be misplaced, or found by others and used."

Thursday, December 01, 2005

A Year of Agony

The computer security calendar for 2004.

* Via Emergent Chaos.

Why can't Microsoft just patch everything?

George Ou: "If smaller software companies can patch all of their bugs serious or minor, why can't Microsoft just patch all of their vulnerabilities with their massive army of programmers and massive budget?"

Spyware Has Won

Wired: "The spyware wars are over - and spyware has won."

Tuesday, November 29, 2005

Google Headhunting for Windows Security Guru

I wonder if Gord Mangione would be interested in this job listing from Google:

Google is looking for an enthusiastic individual that can live, breathe, and eat Windows security. If Windows security is what you love, then we would love to see your resume. This position's focus is in the Operations organization, but you will work with everyone in the company to bring good operating standards to Google.

* Design and implement security on the internal Windows infrastructure.

* Audit existing infrastructure and software to ensure proper setup, application of patches, and policy compliance.

* Evaluate security advisories for their impact to Google.

* Review designs for new Windows products and software implementations.

* Evangelize security within Google.

* Be a resource to Googlers regarding Windows security.

It sounds like Google is finally paying attention to security after this, this and this.

Monday, November 21, 2005

Responsible, Irresponsible

Take a look at this line from this security advisory issued this evening by Microsoft in response to today's zero-day exploit drama:

"This issue was originally publicly reported in May as being a stability issue that caused the browser to close."

That's essentially an admission from Microsoft that the vulnerability was reported six months ago but remains unpatched. Whenever I ask Microsoft about these old denial-of-service bugs, I'm always bothered by the flippant dismissal of these issues.

To paraphrase a typical Microsoft response: "All it does is close the browser. You open a new browser session and that's that. No vulnerability to see here."

Well, look what we have here. Someone figures out that it's not simply a denial-of-service flaw. In fact, it's a nasty code execution issue. Remember, this is something that Microsoft has known for six months. Isn't that more than enough time for Microsoft to figure this out themselves?

Hard to be sympathetic to Microsoft's pleas for responsible disclosure when their own actions here are incredibly irresponsible.

Thursday, November 03, 2005

Safety Center Scans for Rootkits

Matthew Braverman: "The [Windows Live] Safety Center includes a frequently updated, on-demand virus scanner which you can use to scan your machine for such threats as worms, Trojans, backdoors, and some user-mode rootkits."

Tuesday, November 01, 2005

Windows Live Safety Center

As part of the Windows "Live" MSN-rename shindig today, a new (beta) service called Windows Live Safety Center also saw daylight. It is described as a free service designed to help ensure the health of your PC.

- Check for and remove viruses
- Learn about threats
- Improve your PC's performance
- Get rid of junk on your hard disk

Use the full service scan to check everything, or turn to the scanners and information in the service centers to meet your specific needs.

UPDATE: Just tried testing it and it won't work. Probably because there's no Firefox support. Blah.

MS Anti-Malware Bloggers

The Microsoft Anti-Malware Engineering Team has joined the blogosphere. This is the unit at Redmond responsible for building Microsoft's anti-virus and anti-spyware technology (along with anti-rootkit, anti-bot tools). The team regularly updates the malicious software removal tool and is working directly on the Windows AntiSpyware app.

Thursday, October 27, 2005

Story of a Dumb Microsoft Patch

Cesar Cerrudo tells the Story of a Dumb Patch (PDF) from Microsoft. Dana Epps called it a Microsoft screw up and makes an important recommendation for dealing with data coming into a function.

UPDATE: There's a Slashdot thread on this issue.

Also, Cesar e-mailed me the following to counter Microsoft's response/explanation which was included in my coverage:

Hi Ryan,

Just one thing to clarify Microsoft comments, because it seems they tried to add doubts and to discredit me:

Patch MS05-049 addresses three vulnerabilities:
Shell Vulnerability - CAN-2005-2122
Shell Vulnerability - CAN-2005-2118
Web View Script Injection Vulnerability - CAN-2005-2117

Shell Vulnerability - CAN-2005-2122 is the one on patch MS05-049 that was improperly fixed on previous patch MS05-018, named CSRSS Vulnerability - CAN-2005-0551 on patch MS05-018.

If you have any doubts you can contact serious third parties, I bet they will confirm my findings.


Cesar Cerrudo,
CEO & Founder.
Argeniss - Information Security

UPDATE 2: On the MSRC Blog, Stephen Toulouse has addressed this story in a candid way:

"Yes MS05-049 was a more complete fix. There's no two ways about it. Should MS05-018 have been a more complete update to address the underlying vulnerable function? Yes, Cesar is right. But I want to reiterate that MS05-018 did protect against the issue that was brought to us. We don't want people to worry that there was a problem with MS05-018 or that it didn't protect against the specific vulnerability it was designed to address...

[W]e’ve taken a look at this situation and incorporated some lessons learned. We will work very hard to help ensure something like this doesn’t happen in the future."

A correction for Toulouse: It was Cesar himself who called it a dumb patch, not "some people."

Wednesday, October 26, 2005

12 Months at the MSRC

The newest issue of (IN)SECURE mag (PDF) features an article by Stephen Toulouse on "12 months of progress" at the Microsoft Security Response Center (MSRC).

Not much in the way of news but still a nice overview read.

Sunday, October 23, 2005

More IE 7 Security Details

On the official IE Blog, Christopher Vaughan Eric Lawrence talks about the changes coming in IE7 to improve the security and user experience for HTTPS connections.

Call to Action:

1. If your site requires SSLv2, please reconfigure it to permit SSLv3 or TLSv1 connections.

2. Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate. For example, using the certificate for on will result in an error page.

3. If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present. Testing for a non-compliant TLS server is as simple as navigating to any HTTPS page on the server using IE7 on Vista Beta 2. If IE7 fails to connect, TLS extensions are the most likely culprit.

Exploits, Botnet Client via MS05-047

F-Secure is reporting a botnet client being seeded through the security vulnerability covered in the MS05-047 bulletin released in the October patch batch. FrSIRT, formerly K-Otik, has released an exploit for the same vulnerability.

No word on whether the two are related but this is worth keeping an eye on.

Friday, October 21, 2005

A Subtle Hint?

Mary Jo Foley: "Some Windows 2000 users are starting to wonder if Microsoft's growing list of Windows 2000 patch problems are a not-so-subtle hint that Microsoft wants them to upgrade. You've got to wonder..."

Wednesday, October 19, 2005

MS VirtualWiFi Not So Safe

Because of security concerns, Pejman Roshan says businesses should stay away from the Microsoft VirtualWiFi technology.

* Via Om.

New Playing Field, New Rules

Microsoft's Jesper Johansson: "The information security discipline is heading for a crisis unless we start working on strategic security, not just tactical response. We need fresh thinking, new thought, and partnerships with those who use our systems. The bad guys know how we operate and they keep using that against us. To get out of this situation we need to stop just raising the bar and instead move it to a new playing field; one where we get to write the rules."

Tuesday, October 18, 2005

More Unpatched Windows Holes

eEye has flagged another code-execution vulnerability affecting Internet Explorer and Windows Media Player, two products baked into the Windows operating system. That makes it 7 unpatched flaws found by eEye alone.

I'm having coffee with the eEye guys on Thursday. Really looking forward to picking their brains on Windows security issues.

Redmond and the 'B' Word

The estimable Mary Jo Foley weighs in on Microsoft's calculated gamble to bundle security services into Windows Vista.

Monday, October 17, 2005

Counting Vulnerabilities

The New York Times sits in on on Microsoft's Blue Hat v2 and offers the following:

"Microsoft executives also cite a decline in the number of security bulletins issued for major products like Windows Server and Office as evidence that the new engineering discipline is having an impact.

There were 69 such bulletins issued for Windows 2000 Server in two and a half years and only 41 for Windows Server 2003 in a comparable period, the company said.

Eleven bulletins were issued for the 2001 version of Office XP during the first 594 days after its introduction; for Office 2003, there were six bulletins in the same period. For the last two Windows XP updates, 35 bulletins were issued for Service Pack 1 in the year ended last June but only 18 for Service Pack 2."

It's quite amusing to see Microsoft touting security improvements by the number of bulletins released when it's commonplace to find multiple vulnerabilities patched in a single bulletin. For example, in October, Microsoft issued nine bulletins that patched 14 vulnerabilities.

Just for fun, I'll do the flaw count for the period listed in the New York Times story and the results should be interesting.

Spyware Protection in Vista

The latest build of Windows Vista contains quite a few changes to the Security Center. It now contains five categories instead of the three currently in XP.

The Security Center now checks "Firewall," "Automatic Updating," "Virus Protection," "Spyware Protection," and "General Security."

The addition of spyware protection, we're told, is the core Windows AntiSpyware product and is sure to raise the obvious questions about unfair competition.

Friday, October 14, 2005

Close Port 3372

Johannes Ullrich, of SANS Internet Storm Center, makes an important pre-weekend recommendation:

"The obvious thing is to apply patch MS05-051 on at least your Win2k systems. We do know the port 3372 scanning started in full force, likely in order to acquire target lists. If you can't patch, at least make sure port 3372 is closed."

MSRC on MS05-051 Exploit

Stephen Toulouse: "There's been a lot of talk today about exploit code, specifically around security bulletins MS05-051 and MS05-046. The good news is that we're not aware at this time of any exploit code being available publicly. Currently we've been told the exploit code is only available through third party fee-based security offerings. We're not currently aware of active attacks that use this exploit code or of customer impact at this time."

What's Your Password?

Jesper Johansson, senior security strategist in the Security Technology Unit at Microsoft, puts forward some valuable advice on choosing passwords:

1. Long -- A good password should be at least eight characters long. The longer the better. Passwords shorter than eight characters are inadequate today. If you are trying to improve password strength in your organization, teach people to use longer passwords that are not based on common words. One technique is also to base passwords, or better yet, pass phrases, on words in other languages than the primary one at the site.

2. Complex -- A good password should have a mix of all the four character types, uppercase and lowercase letters, numbers, and non-alphanumeric symbols. Preferably, all four should exist in a given password. Remember, any character on your keyboard is legal in a password. Using a pass phrase and interspersing it with randomly chosen characters and spaces considerably improves the strength of your password.

3. Changed frequently -- A poster from has a great phrase on it: "Passwords are like bubble gum; they are better when fresh." Passwords should be changed every 90-365 days, depending on the value of the asset they are protecting and the strength of the password. If you use eight-character passwords, 180 days is a reasonable change interval. If you use nine-character passwords today you can probably leave them valid for 360 days or even longer without a problem.

4. Used only in one place -- Reusing passwords significantly increases the exposure of the assets you are protecting with the passwords. Essentially, any given asset is only as secure as the least secure computer that protects that asset. When you reuse passwords the asset is only as secure as the least secure computer where you use that password.

5. Used only by one person -- Another characteristic that passwords borrow from bubble gum is that they are much better when used by a single person. If at all possible, each user on the computer should have their own account with their own password. This increases accountability and decreases exposure for the password. If you allow multiple people to use the same password you effectively give up all possibilities of monitoring their actions unless you install closed-circuit TV systems to oversee the computer.

6. Not typed on untrusted computers -- A password is only as secure as the computer or network it is used on. Keystroke loggers frequently target public kiosk-type computers, such as those used in Internet cafés, conferences, and hotel and airport lounges. The instant a password is typed on one of these computers fitted with a keystroke logger, the asset protected by the password is no longer secure.

And the most important bit from Jesper: "Writing down your password is an excellent idea as long as you adequately protect the medium you wrote it on! Doing so allows you to remember more and better passwords, thereby increasing security, not decreasing it."
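The first three of Jesper's rules are mechanical enough to check in code. As an added example (not Microsoft's or Johansson's code), here is a small Python checker for rules 1 to 3; rules 4 to 6 depend on how a password is used, not on the string itself. The verdict labels and the extra credit given to passphrases of 20 or more characters are this example's own assumptions.

```python
"""Password policy checker built from Jesper Johansson's rules 1-3:
length (at least eight characters), complexity (all four character
types) and change interval (180 days for eight characters, 360 for
nine or more). Verdict labels and the long-passphrase credit are
assumptions made for this example, not Microsoft's scoring."""
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 8        # rule 1: "at least eight characters long"
LONG_PASSPHRASE = 20  # assumption: length credit, per "the longer the better"


@dataclass(frozen=True)
class Assessment:
    length: int
    classes: int                  # how many of the four character types are present
    max_age_days: Optional[int]   # rule 3 change interval; None if inadequate
    verdict: str                  # "inadequate", "weak", "reasonable" or "strong"


def count_classes(password: str) -> int:
    """Rule 2: uppercase, lowercase, digits and non-alphanumeric symbols.
    Spaces are non-alphanumeric, so a passphrase with spaces earns the
    symbol class, matching the advice that any keyboard character is legal."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any(c.isdigit() for c in password)
    symbol = any(not c.isalnum() for c in password)
    return sum((upper, lower, digit, symbol))


def max_age_days(password: str) -> Optional[int]:
    """Rule 3: 180 days for eight-character passwords, 360 for nine or more.
    Passwords shorter than eight characters are inadequate, so no interval."""
    n = len(password)
    if n < MIN_LENGTH:
        return None
    return 180 if n == MIN_LENGTH else 360


def assess(password: str) -> Assessment:
    """Combine the three rules into one verdict."""
    n = len(password)
    classes = count_classes(password)
    if n < MIN_LENGTH:
        verdict = "inadequate"
    else:
        # Assumption: a long passphrase earns one extra class, so a long
        # phrase of plain words is not rated "weak" on character mix alone.
        effective = classes + (1 if n >= LONG_PASSPHRASE else 0)
        if effective >= 4:
            verdict = "strong"
        elif effective == 3:
            verdict = "reasonable"
        else:
            verdict = "weak"
    return Assessment(n, classes, max_age_days(password), verdict)


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    for pw in ("Tr0ub4d", "Tr0ub4d0r&3", "correct horse battery staple", "passwordpassword"):
        print(repr(pw), assess(pw))
```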

Thursday, October 13, 2005

Does Microsoft's SDL Work?

Michael Howard offers an answer in this essay on the implementation of the Security Development Lifecycle (SDL) at Microsoft:

"The answer is a resounding Yes! We have seen the number of security defects be reduced by approximately 50 to 60 percent when we follow SDL. The simple fact is that every product touched by SDL has fewer security defects. Period. And that certainly makes it worth pursuing."

Wednesday, October 12, 2005

MS05-051 Proof of Concept

Dave Aitel's ImmunitySec is the first to post a working proof-of-concept exploit for the worm hole patched in Microsoft's MS05-051 bulletin.

If you're running Windows 2000 (yes, you Wolf Blitzer!) get patching!

IM Interoperability and Fear Mongering

I can't believe so many writers fell for this silly IMlogic flackery.

Tuesday, October 11, 2005

What's Not Patched

Today's patch day was interesting for what it did *not* fix. By my count, 4 of the 10 eEye-discovered flaws were addressed, leaving 6 unpatched, including three that are 136+, 99+ and 81+ days overdue.

The Jet DB engine flaw that I recently blogged about is also on the waiting list after more than 5 months. I asked Microsoft about this during an interview for my story today and was given the "patch-quality-takes-priority" excuse.

I say it's an excuse because when it takes that long to get a patch created and properly tested, something's very wrong with your process.

Microsoft Security Racket?

John C. Dvorak: "Does Microsoft think it is going to get away with charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system? Does the existence of this not constitute an incredible conflict of interest? Why improve the base code when you can sell "protection"? Is Frank Nitti the new CEO?"

MS Virus/Spyware Phone Support

Not sure how many people know that Microsoft offers *FREE* phone support for virus and malware-related issues.

The number is 1-866-PCSAFETY or 1-866-727-2338.

It is available 24 hours a day for the U.S. and Canada. For phone numbers outside of the U.S. and Canada, Windows users can select their specific region.

Saturday, October 08, 2005

Slipping Through the Cracks?

Just when I get suckered into believing the MSRC is on top of patching security holes in Windows products, along comes something to jolt me back to reality. Does it really take five months to address such a serious vulnerability?

I remember writing about this back in April when the first warning was issued with accompanying proof-of-concept exploit code.

Now that customers are being affected (see this Symantec advisory), will Microsoft rush out a patch?

The MSRC folks appear genuine when they talk about responding in an upfront way to security holes. But when evidence of unforgivable tardiness comes to the fore, you have to wonder whether some things just slip through the cracks.

Antitrust Questions Swirl

Microsoft Watch's Mary Jo Foley and I wrote a piece exploring the antitrust question swirling around Microsoft's aggressive push into the security (anti-virus, anti-spyware) market.

Thursday, July 21, 2005

MS05-036 Exploit Published

A proof of concept exploit has been posted for the "critical" Color Management Module vulnerability patched with MS05-036. The incident handlers at the SANS Internet Storm Center have raised the "patch now" alarm.

Kaminsky on Security at Redmond

Stephen Toulouse comments and points to an interview on SecurityFocus where Dan Kaminsky discusses security at Microsoft. There's also a Slashdot thread on the interview. I haven't had a chance to digest it all, yet.

Win2K Update Rollup Hiccups

My colleague Mary Jo Foley has the details on some compatibility problems being caused by the Windows 2000 "Update Rollup" that Microsoft shipped last month-end.

There's a Microsoft KB article explaining the bugs that are affecting products from Sophos, Panda, Internet Security Systems (ISS) and Citrix.

From the story, it appears that the infamous MS05-019 security bulletin, first released in April and re-released in June because it was breaking some applications, is causing more problems again.

Also of note, the blocking tool to delay the automatic download of Windows Server 2003 SP1 will only be available for a few more days. If you need it, hurry and get it.

Wednesday, July 20, 2005

US-CERT Weekly Windows Security Summary

Summary of security items affecting the Windows operating system from July 13 through July 19, 2005.

80 Super Security Tips

PC Mag's Larry Seltzer has published a long list of super security tips he has put together over the years. This is worth bookmarking.

Acquisitive Microsoft

Microsoft is busy on the acquisition/licensing front. First came the announcement that a minority equity stake in Finjan formed part of a security patent licensing deal. Then we learned that Frontbridge has been acquired outright.

What’s The Use of Security Advisories?

Donna Buenaventura explains why pre-patch security advisories should be seen as valuable resources to protect end users.

* When Microsoft adds an RSS feed to its security advisories, it'll be close to perfect.

Tuesday, July 19, 2005

AOL's IE Browser

Nate Mook at BetaNews is reporting that America Online (AOL) has released the final version of AOL Explorer, an alternative IE-based browser. AOL claims it has shored up security by fixing some IE flaws Microsoft has yet to patch.

* That's a bit of a stretch, innit?

Windows Anti-Spy Refresh

Microsoft has refreshed the Windows AntiSpyware software, fixing an issue with the signature update mechanism and improving the way the app provides information to the user about processes running on a PC.

Spyware at Cingular Store

Via Lifehacker:

"At the Cingular store this weekend signing up for a plan, I watched the clerk enter my information into a point-of-service web app running inside Internet Explorer. On the second screen, a window with a picture of a palm tree-studded beach appeared, interrupting him. “Damn popups,” he said, clicking the window closed."

* Can you smell the risk?

Monday, July 18, 2005

Support for Industry Patch Day

Larry Seltzer: "Competitors are increasingly hiding behind Microsoft's patch releases; why not do it openly and in the right way?"

Advisory/Workarounds for RDP Flaw

Microsoft has issued a security advisory with pre-patch workarounds for the publicly reported Remote Desktop vulnerability. More importantly, it clears up the conflicting reports on the severity of the flaw, as explained further by the MSRC's Stephen Toulouse.

Friday, July 15, 2005

Explaining Premature Disclosure for IE Flaw

Michal Zalewski discovers another image rendering bug that crashes Internet Explorer. says the flaw could be exploited by an attacker with a specially crafted JPEG picture to trigger a buffer overflow (code execution).

This portion of Zalewski's post is rather instructive:

"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice."

XP SP2 Zero-Day?

Microsoft has acknowledged it is working on a fix for a denial-of-service flaw in XP SP2, fully patched. Some people think it could lead to code execution attacks. There is already chatter about zero-day exploits. Sounds like the ingredients for a security advisory.

Dell, Spyware and My Way

Dell says the "My Way Speedbar" isn't spyware. Google offers a different interpretation.

SWI Team May Start Blogging

Richie Lai, guest blogging on the MSRC Blog says the Secure Windows Initiative (SWI) team may consider delivering future research on its own blog. This comes one day after Robert Hensing explained what goes on behind the scenes when security flaw discoveries are being investigated.

This new level of openness is refreshing but I have this nagging feeling it's driven more by PR considerations than by a legitimate attempt to openly discuss security at Redmond. If I'm wrong, that's a good thing.

Thursday, July 14, 2005

Pre-Patch Investigations Explained

Robert Hensing, a Softie who recently joined the Secure Windows Initiative (SWI) defense team, dishes some details on what goes into patch-creation process at Microsoft, especially the investigative work that is done long before the product team starts coding the fix.

He describes the work done to create workarounds for the javaprxy.dll issue ahead of the full patch and while he recommends the use of temporary workarounds, Hensing made it clear they should "never be used indefinitely in place of the security update."

Schneier on Microsoft/Claria Hubbub

Security guru Bruce Schneier weighs in on the Microsoft/Claria downgrade hubbub with a simple piece of advice: "I recommend using a different anti-spyware program."

Patch Deluge Redux

Corey Nachreiner on this week's patch deluge: "Administrators already have a hard enough time trying to keep up when Microsoft releases 10 security patches on the same day. Now imagine trying to deal with that while also receiving updates from all your other software vendors. This scenario makes it too likely that an IT staffer will overlook that one, critical security patch within all the vendor noise received that day."

I just filed a news analysis for on this very topic. The recurring theme from my interviews with researchers and patch management experts is this: We don't mind a patch barrage but just let us know up front.

Still no RSS Feed for Advisories

It's been more than two months since Microsoft launched the excellent security advisories pilot. Based on everything I've seen so far, it's serving the purpose very well but the absence of an RSS feed is a huge weakness in the delivery of this information. Does it really take this long to activate something as basic as an RSS feed?

Windows XP SP2 Remote Kernel DoS Flaw

SP Research Labs has found a denial-of-service vulnerability in Microsoft Windows XP SP2, fully patched with the firewall on. The company says it is working with Microsoft on a fix and that a patch will be part of the August security bulletins. Here's a screenshot of the crash.

Wednesday, July 13, 2005

Cybercrime *Not* Terrorism

From a thought-provoking interview with Bruce Schneier: "There are many possible Internet attacks, some of them affecting tens of thousands of computers. But they're not terrorism. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That spreads annoyance and irritation, not terror."

A Message for Microsoft

Scott Granneman: "Microsoft, I really thought you were improving. I honestly believed that you were going to use Windows AntiSpyware to improve the lives of your customers. Now I find out that it was all just manipulations and lies. You still have a chance to do the right thing, Microsoft. Don't buy Claria, or any other spyware company, and do tell users of your anti-spyware software the truth about the garbage ruining their computers. It's the only ethical, right thing to do. As for me, I'm going to hold off recommending your Windows AntiSpyware until you clarify matters."

Tuesday, July 12, 2005

MS/Claria Deal Dead

My buddy Zach Rodgers is reporting that the Microsoft/Claria deal is dead.

Why You Need Multiple AntiSpyware Apps

Over at Calendar of Updates, Donna Buenaventura does an excellent job of testing detections by several anti-spyware applications and concludes that end users need more than one utility to provide total protection.

Even Microsoft's Windows AntiSpyware tool fails to remove threats that it properly flagged. The screenshot evidence is eye-opening.

It's Raining Patches

Today's Microsoft patches are out. Three bulletins, all rated critical. It's good to see a known vulnerability affecting IE users get fixed in quickish time.

Oracle's 'quarterly critical patch update' is also out, addressing bugs in several database server products. One thing that needs mentioning: compared to Microsoft, Oracle does a terrible job of explaining what's being fixed.

Firefox 1.0.5 has also shipped. It is described as a "security update" but the release notes aren't reflecting the changes yet. My colleague Matt Hicks has the details.

Multiple Vendors Patching Today

It's no longer Microsoft's patch day. Just got word that Mozilla will release security updates for Firefox and Thunderbird today. Oracle also has a monster 'critical patch update' on tap.

Low Hopes for Anti Spyware Coalition

The Anti-Spyware Coalition has officially launched. Ed Bott seems to be cautiously optimistic. I'm not. Strict definitions provide end-arounds for spyware vendors and lead to these arguments.

Hacker Manifesto

Phrack is going away after 20 years.

From Volume One, Issue 7, Phile 3 of 10:

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

19 Deadly Sins of Software Security

Michael Howard, one of the creators of Microsoft's mandatory Security Development Lifecycle and author of 'Writing Secure Code', has a new book on software security.

"The 19 Deadly Sins of Software Security" is a collaboration between Howard, David LeBlanc and John Viega. The book, which will debut at Black Hat USA 2005 briefings later this month, is carved up into 19 chapters:

# Buffer Overflows
# Format String problems
# SQL injection
# Command injection
# Failure to handle errors
# Cross-site scripting
# Failing to protect network traffic
# Use of "magic" URLs and hidden forms
# Improper use of SSL
# Use of weak password-based systems
# Failing to store and protect data
# Information leakage
# Improper file access
# Integer range errors
# Trusting network address information
# Signal race conditions
# Unauthenticated key exchange
# Failing to use cryptographically strong random numbers
# Poor usability

Michael's blog has an announcement with more information. I'll look for a copy at Black Hat.
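Two of the sins from that list, SQL injection and failing to use cryptographically strong random numbers, are easy to show side by side with their fixes. The following is an added example written for this post, not code from the book or its authors; the in-memory sqlite3 table, the user names and the "secret" values are constructed sample data.

```python
import random
import secrets
import sqlite3


def make_db():
    """Build a constructed in-memory table with two users and their secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Sin: the query is built by string concatenation, so the caller's
    input becomes part of the SQL grammar instead of a plain value."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Fix: the database driver binds the value separately from the SQL text,
    so quote characters in the input can never change the query's structure."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def weak_token(seed):
    """Sin: random.Random is a Mersenne Twister, a statistical PRNG.
    Anyone who knows (or can guess) the seed reproduces the exact token."""
    rng = random.Random(seed)
    return "".join("%02x" % rng.getrandbits(8) for _ in range(16))


def strong_token():
    """Fix: the secrets module draws from the OS CSPRNG and is not seedable,
    so past or future tokens cannot be derived from an observed one."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    db = make_db()
    # A name that is never in the table still returns every row when the
    # quoting is broken, and returns nothing once the query is parameterized.
    probe = "nobody' OR 'a'='a"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("weak tokens equal:", weak_token(2005) == weak_token(2005))
    print("strong tokens equal:", strong_token() == strong_token())
```

Run it and the first line lists both users' secrets while the second is empty; the third line prints True (the same seed always yields the same "random" token) and the fourth False. The same split applies to any driver that offers placeholders and any language that separates a statistical PRNG from a CSPRNG.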

Monday, July 11, 2005

Momentum for MS AntiSpyware Rethink

Robert Scoble agrees with Ed Bott who agrees with Donna Buenaventura who agrees with Ben Edelman who shares the same line of thinking with Eric Howes.

* This is the good momentum that gets Microsoft to rethink its anti-spyware classifications. All for the greater good.

Lazy People and Default Settings

John Pescatore is pointing to a New York Times article that talks about how people tend to go with choices that have been pre-selected for them - the default. The Times writer points out that consumers are too lazy to make the choice themselves.

Apply that truism to the changes in Microsoft's anti-spyware "recommendations" and you see why the watchdogs are barking.

London Bombing Trojan

An e-mail purporting to offer a link to amateur video footage of the events on the London Underground in the aftermath of the bomb blast will install a Trojan on users' machines if they click on the attachment.

Talking a Lot, Saying Nothing

Mike Nash, one of the security bigwigs at Microsoft, delivered a keynote at the partner conference on Sunday. He talked a lot but really didn't say much. Read for yourself.

Sunday, July 10, 2005

Unimpressed with Spyware Downgrade Explanation

Ben Edelman: "Microsoft's recently published response to questions about Claria defends Microsoft's treatment as the result of ordinary application of Microsoft's usual criteria, without any special exceptions. Perhaps. But if Microsoft's criteria say to ignore a program known to be installed through fake-user interface ads on kids sites, showing a EULA only after installation, with a broken uninstaller, then Microsoft's criteria leave a lot to be desired."

* Amen.

Ed Bott on MSAS Claria Downgrades

Ed Bott: "The real story is that Microsoft has decided that high-profile adware makers who achieve a minimum threshold of disclosure (including Claria and WhenU) will be able to get an "Ignore" rating."

Saturday, July 09, 2005

eEye Spies More Windows Flaws

eEye has added another Microsoft vulnerability to its upcoming advisories list. It's an arbitrary code execution flaw in default installations of Windows 2000 SP4, Windows Server 2003 and possibly Windows XP.

Next Tuesday, July 12, is Microsoft patch day. Three bulletins are on tap, at least two of which will be rated "critical." Hopefully, the testing is done and we'll get an IE patch for the javaprxy.dll issue.

* Side note: Oracle's quarterly 'Critical Patch Update' is also due on Tuesday, July 12.

MS AntiSpyware Bordering on Irrelevance

I had very high hopes for the Microsoft Windows AntiSpyware product but the recent discovery that Claria and some other pesky adware applications have been downgraded to a recommended action of "ignore" can't be good news.

Microsoft has a responsibility to make the correct recommendations to the average mom-'n-pop users. The explanation being offered just doesn't cut it. Would Bill Gates "ignore" Claria or WhenU apps on his machine? Put 100 top security guys at Microsoft in a room and ask if they would recommend to family members that those adware apps be ignored. The answer certainly won't match Microsoft's actions, no matter what the "official" word is.

Eric Howes, posting as "eburger68", explains it best on this Broadband Reports thread.

Scoble nails it when he calls for the AntiSpyware team to start blogging in an honest, straightforward fashion.

Some Fatherly Advice for Sasser Sven

Stephen Toulouse, one of the more stand-up guys at the Microsoft Security Response Center (MSRC), writes an open letter to Sven Jaschan, the kid convicted for creating and unleashing Sasser, the last big Windows network worm.

Toulouse's advice to Jaschan:

"You've been given a second chance. I hope very sincerely that you use it to serve as a cautionary example, and speak out against the creation of these types of attacks. I know you just want to put all this behind you. But you have the opportunity to do a tremendous amount of good. Please use it, don't squander it. You've taken the first step by confessing and being honest about what you did. I respect that. Please don't waste the opportunity you have potentially been given to help some kid right now avoid your mistake and think twice before taking what seems to be a simple action, but that can impact so many people."