Vulnerability in DHCP Client Service Could Allow Remote Code Execution. That's a fun one seeing as almost everyone uses DHCP so people don't have to manually reconfigure to switch networks. Now not only can you redirect and capture all of someones traffic by issuing responses, but run code so they're still yours when they leave. At least the same switch protections that prevent rogue DHCP servers should prevent this from working.
So yesterday was the second Tuesday of the month, and Microsoft released it's monthly bunch of patches. In the middle of the list of security and other software downloads, was a link to Interview Worksheets. There's also Microsoft Standards of Business Conduct. I thought maybe these were supposed to be internal but they weren't flagged properly, but the one says "modified from the original version distributed to our employees" and "to facilitate communications from the public at large", so it's intentional. It'll be interesting to see if this is part of a larger campaign or just a general trend to be more open. Of course that's as they just added the needing a live account to view the support site this week...
One thing that's sorta funny/odd is the supported Operating Systems on the business conduct document are HP-UX and Windows XP. No other versions of Windows are even listed.
Microsoft Football Scoreboard 1.0, as apparently published Tuesday. It's nice to know Microsoft has time to build things like this. 3.5MB for something that could be a web app in a little browser window though? From the description it's basically an RSS reader and world clock.
Aaron Margosis posted an interesting thought on Anti-Virus vs Non-Admin (LUA). Basically with what's out there and the assumptions it makes, it's currently better to just run LUA (not as an Administrator) without any anti-virus or anti-malware than to run as admin because the protection software breaks otherwise.
I didn't realize there was such broken "security" software for Windows. They didn't name names in the articles though. Does anyone know which they are so I can avoid them when others ask me?
Yesterday Microsoft released the Microsoft Standard User Analyzer, a tool designed to evaluate whether a given piece of software is able to run properly without administrative access. The awesome part of this is that it's put right out there as an integrated analysis, and not just a list of requirements or anything. This means that it can easily be included as a requirement in purchase policies (a department wishing to purchase software can fully test it where IT may not understand all features) and external RFPs ("must have no problems running as a standard user as evaluated by Microsoft Standard User Analyzer v1.0"). If all software can be pulled under the requirement, it'd be much harder to justify giving out admin access for people who shouldn't be installing software but need it to run some program. That means fewer computers to fix because junk was installed. It should be interesting to see how fast this is adopted. Hopefully it'll be seen by software companies as a required feature to list SUA compliance quickly.
Jesper Johansson posted the entry Windows Firewall: the best new security feature in Vista? He explains in detail why host-based outbound firewalls are worthless for what people expect them to do (stop/slow malware) as admin access means it can just be bypassed anyways, and actually create more problems by desensitizing people to security dialogs. Anyone who still thinks they're a good idea for the average user's computer should read it. A couple good quotes:
"Putting protective measures on a compromised asset and asking it not to compromise any other assets simply does not work."
"A plethora of dialogs, particularly ones devoid of any information that helps an ordinary mortal make a security decision, are simply another fast clicking exercise. We need to reduce the number of meaningless dialogs, not increase them, and outbound filtering firewalls do not particularly help there."
The naked dancing pigs analogy is way too accurate too. The people who would benefit the most from it are the most likely to click to get around it.
He does somewhat explain where they help (in a general sense on limited non-admin accounts). Apparently it's being added in Vista because they're implementing sub-user SIDs so even two services running under the same user won't have access to the the data or resources of the other. Assuming they don't have admin access either, one could be limited from using the network.
Reuters explains a Microsoft European antitrust trial concept by using a Chinese restaurant menu analogy. Interesting way to get non-tech people to understand it.
They released lots of security patches to help make your computer all nice and "secure" (at least until next month). Only big ones noted. First on the list is MS06-007, also known as TCP/IP DOS vulnerability. It's IGMP based, and the Windows firewall will block unicast attacks. Sounds great, except IGMP relates to multicasting, so it's vulnerable to multicast attacks, and the Windows firewall won't stop those. So basically you can attack the entire network easier than you can attack a single machine. Fun.
Second fun one is that the WebDAV client is remotely exploitable. One wonders why a client is accessible remotely over SMB ports, but it's not too surprising.
Third is not only is PowerPoint bad for you, but now it's also bad for your data security (at least viewing it embedded in web sites is). This one's sorta cheating because it's IE only.
There were more, but of course they're IE and Windows Media Player related. I say those don't count anymore since they seem to get major patches almost every cycle - if you're still using them you're just asking for trouble.
Advisory 913333 was published yesterday, it being another remote WMF vulnerability (just get the user's computer to display it). This one requires <IE 6 on 2000 SP4 or ME though, IE6 (and thus XP and 2003) aren't affected. My guess is there won't be a patch, as the recommendation is just to download and install IE6. Fun.
As a semi-related note, Advisory 914457 gives another reason to upgrade XP/2003 to the latest service pack.
So I'm a couple days behind on my /. reading... I was reading and came across a link to how Microsoft passes GUIDs between domains. At first I wasn't too concerned. The authentication system I built has very similar behavior in how it passes identity information between servers. The key difference is that my system uses it to transfer credentials, which are unique per site and only given to trusted sites or less trusted after verifying it's OK with the user. The scary part is a GUID is shared everywhere, and Microsoft will give it to anyone who asks. For example if you go here you'll get right back to my site but you'll note your GUID in the URL. And of course in my web server logs... Fun, huh? The explanation about that URL is at the very bottom of the page at that first link.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
