Thursday, July 21, 2005

MS05-036 Exploit Published

A proof of concept exploit has been posted for the "critical" Color Management Module vulnerability patched with MS05-036. The incident handlers at the SANS Internet Storm Center have raised the "patch now" alarm.

Kaminsky on Security at Redmond

Stephen Toulouse comments and points to an interview on SecurityFocus where Dan Kaminsky discusses security at Microsoft. There's also a Slashdot thread on the interview. I haven't had a chance to digest it all, yet.

Win2K Update Rollup Hiccups

My colleague Mary Jo Foley has the details on some compatibility problems being caused by the Windows 2000 "Update Rollup" that Microsoft shipped last month-end.

There's a Microsoft KB article explaining the bugs that are affecting products from Sophos, Panda, Internet Security Systems (ISS) and Citrix.

From the story, it appears that the infamous MS05-019 security bulletin, first released in April and re-released in June because it was breaking some applications, is causing more problems again.

Also of note, the blocking tool to delay the automatic download of Windows Server 2003 SP1 will only be available for a few more days. If you need it, hurry and get it.

Wednesday, July 20, 2005

US-CERT Weekly Windows Security Summary

Summary of security items affecting the Windows operating system from July 13 through July 19, 2005.

80 Super Security Tips

PC Mag's Larry Seltzer has published a long list of super security tips he has put together over the years. This is worth bookmarking.

Acquisitive Microsoft

Microsoft is busy on the acquisition/licensing front. First came the announcement that a minority equity stake in Finjan formed part of a security patent licensing deal. Then we learned that Frontbridge has been acquired outright.

What’s The Use of Security Advisories?

Donna Buenaventura explains why pre-patch security advisories should be seen as valuable resources to protect end users.

* When Microsoft adds an RSS feed to its security advisories, it'll be close to perfect.

Tuesday, July 19, 2005

AOL's IE Browser

Nate Mook at BetaNews is reporting that America Online (AOL) has released the final version of AOL Explorer, an alternative IE-based browser. AOL claims it has shored up security by fixing some IE flaws Microsoft has yet to patch.

* That's a bit of a stretch, innit?

Windows Anti-Spy Refresh

Microsoft has refreshed the Windows AntiSpyware software, fixing an issue with the signature update mechanism and improving the way the app provides information to the user about processes running on a PC.

Spyware at Cingular Store

Via Lifehacker:

"At the Cingular store this weekend signing up for a plan, I watched the clerk enter my information into a point-of-service web app running inside Internet Explorer. On the second screen, a window with a picture of a palm tree-studded beach appeared, interrupting him. “Damn popups,” he said, clicking the window closed."

* Can you smell the risk?

Monday, July 18, 2005

Support for Industry Patch Day

Larry Seltzer: "Competitors are increasingly hiding behind Microsoft's patch releases; why not do it openly and in the right way?"

Advisory/Workarounds for RDP Flaw

Microsoft has issued a security advisory with pre-patch workarounds for the publicly reported Remote Desktop vulnerability. More importantly, it clears up the conflicting reports on the severity of the flaw, as explained further by the MSRC's Stephen Toulouse.

Friday, July 15, 2005

Explaining Premature Disclosure for IE Flaw

Michal Zalewski discovers another image rendering bug that crashes Internet Explorer. The flaw could reportedly be exploited by an attacker with a specially crafted JPEG picture to trigger a buffer overflow (code execution).

This portion of Zalewski's post is rather instructive:

"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice."

XP SP2 Zero-Day?

Microsoft has acknowledged it is working on a fix for a denial-of-service flaw in XP SP2, fully patched. Some people think it could lead to code execution attacks. There is already chatter about zero-day exploits. Sounds like the ingredients for a security advisory.

Dell, Spyware and My Way

Dell says the "My Way Speedbar" isn't spyware. Google offers a different interpretation.

SWI Team May Start Blogging

Richie Lai, guest blogging on the MSRC Blog says the Secure Windows Initiative (SWI) team may consider delivering future research on its own blog. This comes one day after Robert Hensing explained what goes on behind the scenes when security flaw discoveries are being investigated.

This new level of openness is refreshing but I have this nagging feeling it's driven more by PR considerations than by a legitimate attempt to openly discuss security at Redmond. If I'm wrong, that's a good thing.

Thursday, July 14, 2005

Pre-Patch Investigations Explained

Robert Hensing, a Softie who recently joined the Secure Windows Initiative (SWI) defense team, dishes some details on what goes into the patch-creation process at Microsoft, especially the investigative work that is done long before the product team starts coding the fix.

He describes the work done to create workarounds for the javaprxy.dll issue ahead of the full patch, and while he recommends the use of temporary workarounds, Hensing made it clear they should "never be used indefinitely in place of the security update."

Schneier on Microsoft/Claria Hubbub

Security guru Bruce Schneier weighs in on the Microsoft/Claria downgrade hubbub with a simple piece of advice: "I recommend using a different anti-spyware program."

Patch Deluge Redux

Corey Nachreiner on this week's patch deluge: "Administrators already have a hard enough time trying to keep up when Microsoft releases 10 security patches on the same day. Now imagine trying to deal with that while also receiving updates from all your other software vendors. This scenario makes it too likely that an IT staffer will overlook that one, critical security patch within all the vendor noise received that day."

I just filed a news analysis on this very topic. The recurring theme from my interviews with researchers and patch management experts is this: We don't mind a patch barrage, but just let us know up front.

Still no RSS Feed for Advisories

It's been more than two months since Microsoft launched the excellent security advisories pilot. Based on everything I've seen so far, it's serving the purpose very well but the absence of an RSS feed is a huge weakness in the delivery of this information. Does it really take this long to activate something as basic as an RSS feed?

Windows XP SP2 Remote Kernel DoS Flaw

SP Research Labs has found a denial-of-service vulnerability in Microsoft Windows XP SP2, fully patched with the firewall on. The company says it is working with Microsoft on a fix and that a patch will be part of the August security bulletins. Here's a screenshot of the crash.

Wednesday, July 13, 2005

Cybercrime *Not* Terrorism

From a thought-provoking interview with Bruce Schneier: "There are many possible Internet attacks, some of them affecting tens of thousands of computers. But they're not terrorism. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That spreads annoyance and irritation, not terror."

A Message for Microsoft

Scott Granneman: "Microsoft, I really thought you were improving. I honestly believed that you were going to use Windows AntiSpyware to improve the lives of your customers. Now I find out that it was all just manipulations and lies. You still have a chance to do the right thing, Microsoft. Don't buy Claria, or any other spyware company, and do tell users of your anti-spyware software the truth about the garbage ruining their computers. It's the only ethical, right thing to do. As for me, I'm going to hold off recommending your Windows AntiSpyware until you clarify matters."

Tuesday, July 12, 2005

MS/Claria Deal Dead

My buddy Zach Rodgers is reporting that the Microsoft/Claria deal is dead.

Why You Need Multiple AntiSpyware Apps

Over at Calendar of Updates, Donna Buenaventura does an excellent job of testing detections by several anti-spyware applications and concludes that end users need more than one utility to provide total protection.

Even Microsoft's Windows AntiSpyware tool fails to remove threats that it properly flagged. The screenshot evidence is eye-opening.

It's Raining Patches

Today's Microsoft patches are out. Three bulletins, all rated critical. It's good to see a known vulnerability affecting IE users get fixed in quickish time.

Oracle's 'quarterly critical patch update' is also out, addressing bugs in several database server products. One thing that needs mentioning: compared to Microsoft, Oracle does a terrible job of explaining what's being fixed.

Firefox 1.0.5 has also shipped. It is described as a "security update" but the release notes aren't reflecting the changes yet. My colleague Matt Hicks has the details.

Multiple Vendors Patching Today

It's no longer Microsoft's patch day. Just got word that Mozilla will release security updates for Firefox and Thunderbird today. Oracle also has a monster 'critical patch update' on tap.

Low Hopes for Anti Spyware Coalition

The Anti-Spyware Coalition has officially launched. Ed Bott seems to be cautiously optimistic. I'm not. Strict definitions provide end-arounds for spyware vendors and lead to these arguments.

Hacker Manifesto

Phrack is going away after 20 years.

From Volume One, Issue 7, Phile 3 of 10:

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

19 Deadly Sins of Software Security

Michael Howard, one of the creators of Microsoft's mandatory Security Development Lifecycle and author of 'Writing Secure Code', has a new book on software security.

"The 19 Deadly Sins of Software Security" is a collaboration between Howard, David LeBlanc and John Viega. The book, which will debut at Black Hat USA 2005 briefings later this month, is carved up into 19 chapters:

1. Buffer Overflows
2. Format String problems
3. SQL injection
4. Command injection
5. Failure to handle errors
6. Cross-site scripting
7. Failing to protect network traffic
8. Use of "magic" URLs and hidden forms
9. Improper use of SSL
10. Use of weak password-based systems
11. Failing to store and protect data
12. Information leakage
13. Improper file access
14. Integer range errors
15. Trusting network address information
16. Signal race conditions
17. Unauthenticated key exchange
18. Failing to use cryptographically strong random numbers
19. Poor usability

Michael's blog has an announcement with more information. I'll look for a copy at Black Hat.

Monday, July 11, 2005

Momentum for MS AntiSpyware Rethink

Robert Scoble agrees with Ed Bott who agrees with Donna Buenaventura who agrees with Ben Edelman who shares the same line of thinking with Eric Howes.

* This is the good momentum that gets Microsoft to rethink its anti-spyware classifications. All for the greater good.

Lazy People and Default Settings

John Pescatore is pointing to a New York Times article that talks about how people tend to go with choices that have been pre-selected for them - the default. The Times writer points out that consumers are too lazy to make the choice themselves.

Apply that truism to the changes in Microsoft's anti-spyware "recommendations" and you see why the watchdogs are barking.

London Bombing Trojan

An e-mail purporting to offer a link to amateur video footage of the events on the London Underground in the aftermath of the bomb blast will install a Trojan on users' machines if they click on the attachment.

Talking a Lot, Saying Nothing

Mike Nash, one of the security bigwigs at Microsoft delivered a keynote at the partner conference on Sunday. He talked a lot but really didn't say much. Read for yourself.

Sunday, July 10, 2005

Unimpressed with Spyware Downgrade Explanation

Ben Edelman: "Microsoft's recently published response to questions about Claria defends Microsoft's treatment as the result of ordinary application of Microsoft's usual criteria, without any special exceptions. Perhaps. But if Microsoft's criteria say to ignore a program known to be installed through fake-user interface ads on kids sites, showing a EULA only after installation, with a broken uninstaller, then Microsoft's criteria leave a lot to be desired."

* Amen.

Ed Bott on MSAS Claria Downgrades

Ed Bott: "The real story is that Microsoft has decided that high-profile adware makers who achieve a minimum threshold of disclosure (including Claria and WhenU) will be able to get an "Ignore" rating."

Saturday, July 09, 2005

eEye Spies More Windows Flaws

eEye has added another Microsoft vulnerability to its upcoming advisories list. It's an arbitrary code execution flaw in default installations of Windows 2000 SP4, Windows Server 2003 and possibly Windows XP.

Next Tuesday, July 12, is Microsoft patch day. Three bulletins are on tap, at least two of which will be rated "critical." Hopefully, the testing is done and we'll get an IE patch for the javaprxy.dll issue.

* Side note: Oracle's quarterly 'Critical Patch Update' is also due on Tuesday, July 12.

MS AntiSpyware Bordering on Irrelevance

I had very high hopes for the Microsoft Windows AntiSpyware product but the recent discovery that Claria and some other pesky adware applications have been downgraded to a recommended action of "ignore" can't be good news.

Microsoft has a responsibility to make the correct recommendations to the average mom-'n-pop users. The explanation being offered just doesn't cut it. Would Bill Gates "ignore" Claria or WhenU apps on his machine? Put 100 top security guys at Microsoft in a room and ask if they would recommend to family members that those adware apps be ignored. The answer certainly won't match Microsoft's actions, no matter what the "official" word is.

Eric Howes, posting as "eburger68", explains it best on this Broadband Reports thread.

Scoble nails it when he calls for the AntiSpyware team to start blogging in an honest, straightforward fashion.

Some Fatherly Advice for Sasser Sven

Stephen Toulouse, one of the more stand-up guys at the Microsoft Security Response Center (MSRC), writes an open letter to Sven Jaschan, the kid convicted for creating and unleashing Sasser, the last big Windows network worm.

Toulouse's advice to Jaschan:

"You've been given a second chance. I hope very sincerely that you use it to serve as a cautionary example, and speak out against the creation of these types of attacks. I know you just want to put all this behind you. But you have the opportunity to do a tremendous amount of good. Please use it, don't squander it. You've taken the first step by confessing and being honest about what you did. I respect that. Please don't waste the opportunity you have potentially been given to help some kid right now avoid your mistake and think twice before taking what seems to be a simple action, but that can impact so many people."