Friday, December 30, 2005

Racing Against the (WMF) Clock

The last time Microsoft was notified of a remote code execution bug in the rendering of WMF (Windows Metafile) images, it took 7+ months before a patch was made available.

At the time, the MSRC's Stephen Toulouse explained the lengthy delay:

"The graphics rendering system is an extremely important component of the operating system. It's critical to functioning of operating system. Any time you make a change to such an important component, you absolutely have to ensure you're not introducing new problems."

I can't imagine the MSRC having that kind of luxury this time around.

Most Vulnerable OS

According to US-CERT statistics, the operating system with the most vulnerabilities in 2005 was not Windows.

Tuesday, December 27, 2005

98% Unsafe

Bruce Schneier: "Internet Explorer sucks."

Thursday, December 22, 2005

MSRT vs Hacker Defender

holy_father, the creator of the Hacker Defender rootkit, claims the MSRT (Microsoft's Malicious Software Removal Tool) cannot successfully detect newer versions of the rootkit:

"Microsoft claims that Windows Malicious Software Removal Tool for XP/2000/2003 (MSRT) can detect Hacker Defender. I always test the latest MSRT with Hacker Defender, and the latest MSRT does not even detect the latest public version of Hacker Defender (hxdef 1.0.0 revisited), which was published weeks ago and is available for download to everyone, with full source code."

Home Office Security Checklist

Here's an excellent home office security checklist from Microsoft that's worth sharing with everyone you know.

When Silent Fixes Backfire

On the SecuriTeam Blog, Matthew Murphy provides an extreme example of why it's important for software vendors like Microsoft to be totally transparent about the way security vulnerabilities are handled and fixed.

He explains how a security bug in Visual Studio was reported to Microsoft in 2002 but remained unfixed for a long time. Eventually, Microsoft silently fixed the flaw but declined to provide information on the fix to customers or partners. That caused anti-virus vendor Trend Micro to unwittingly use the vulnerable code in its products, putting its customers at risk of code execution attacks.

Trend Micro, at the end of 2005, claims it has "recently become aware" of the flaw, which Murphy says he reported to Microsoft in July 2002.

The lesson:

"While this is an extreme example, it goes to show just how important information is in shaping response. Security fixes cannot simply be made and forgotten: they need effective distribution and uptake to have real-world impact. It wasn't the lack of a fix, but poor distribution and uptake of a security patch that enabled Blaster to infect 25 million Windows PCs, and bring entire networks to their knees. And… what better way is there to cripple uptake rates than to simply not inform users of the availability of a fix?

We can only hope Microsoft has learned its lesson... if approaches like this remain the norm there, we’re going to be dealing with more viruses, more sleepless nights, and more pounding headaches for quite a while before they ever get it right."

Tuesday, December 20, 2005

Password Strength Guidance Redux

Microsoft's Stephen Toulouse corrects my inference that the company's guidance on passwords is conflicting and offers some thoughts of his own on the issue:

"No one should be saying "always write your passwords down", just as no one should be saying "never write your passwords down" because there is no absolute guidance for all users on that point. You have to pick what works for you, balancing the risks in creating complex passwords. If you have no need to keep a password system in your head, then it makes sense to write things down if that's the only way you can do complexity. Just be aware that while you are reducing your risk of a single password being cracked and compromising everything, you are increasing your risk that anyone who finds the paper (or papers if you are smart) has the complete keys to the kingdom. If you take careful enough precautions with the paper then on the balance writing it down can carry less risk because of the gain in randomness and complexity."

On a related note, I don't think Microsoft's password strength checker is working properly. It's telling me that passphrases of more than 50 characters are 'weak' passwords.

Protect Your PC Pledge

Microsoft has started a "Protect Your PC in 2006" pledge as a "fun, informal way to get more people actively thinking about online security without getting intimidated."

Monday, December 19, 2005

URL Typo-Squatting Data

Here is the raw data from Microsoft Research on the URL typo-squatting scheme that Google continues to deftly ignore.

Jesper's Other PC

I snapped this shot of Jesper Johansson's laptop cover at Microsoft's Security Summit East in Washington, DC.

Saturday, December 17, 2005

Zotob and Windows 2000

I wonder if Microsoft knows (and if they do, if they'd tell us) how many Zotob infections occurred on Windows 2000 SP3.

Tuesday, December 13, 2005

2 Bulletins, 5 Flaws and Keeping Count

As expected, Microsoft's security train dropped off two bulletins with patches for five holes -- in IE and in the Windows kernel.

As I noted in an earlier entry on counting vulnerabilities, Microsoft's PR machine loves to cite the number of bulletins to boast of software security improvements, but if you go back and count the number of vulnerabilities fixed in the 55 bulletins released in 2005, you'll get a better picture of just how many fixes are coming out of Redmond.

And that's just those they tell us about. Remember, the MSRC has repeatedly told us that the patch-creation process involves a healthy dose of code auditing to find -- and fix -- additional things related to the bug reported by an external researcher.

A quick aside on today's patch day: I'm told that the IE update does fix the drive-by exploit vector but does appear to be quite buggy. The attack (exploit) seems to hang the machine even though it's not getting through. It takes a few minutes for the hang to go away.

Friday, December 09, 2005

MS Password Checker

Microsoft has set up a useful site to help users test the strength of passwords. Enter a password into the box and the password checker will help determine its strength as you type.

It's strange to see Microsoft's own advice on the actual strength of passwords clash with the advice from Jesper Johansson, a well-respected security strategist at Microsoft.

Jesper recommends that passwords should be as complicated as possible and written down on a piece of paper and stored in a safe place. However, this guidance from Microsoft goes against that bit of advice.

"Random combinations of letters, numbers, and symbols that must be written down to be remembered, can be misplaced, or found by others and used."

Thursday, December 01, 2005

A Year of Agony

The computer security calendar for 2004.

* Via Emergent Chaos.

Why can't Microsoft just patch everything?

George Ou: "If smaller software companies can patch all of their bugs serious or minor, why can't Microsoft just patch all of their vulnerabilities with their massive army of programmers and massive budget?"

Spyware Has Won

Wired: "The spyware wars are over - and spyware has won."