Yesterday Microsoft released the Microsoft Standard User Analyzer, a tool designed to evaluate whether a given piece of software is able to run properly without administrative access. The awesome part of this is that it's put right out there as an integrated analysis, and not just a list of requirements or anything. This means that it can easily be included as a requirement in purchase policies (a department wishing to purchase software can fully test it where IT may not understand all features) and external RFPs ("must have no problems running as a standard user as evaluated by Microsoft Standard User Analyzer v1.0"). If all software can be pulled under the requirement, it'd be much harder to justify giving out admin access for people who shouldn't be installing software but need it to run some program. That means fewer computers to fix because junk was installed. It should be interesting to see how fast this is adopted. Hopefully it'll be seen by software companies as a required feature to list SUA compliance quickly.
They released lots of security patches to help make your computer all nice and "secure" (at least until next month). Only big ones noted. First on the list is MS06-007, also known as TCP/IP DOS vulnerability. It's IGMP based, and the Windows firewall will block unicast attacks. Sounds great, except IGMP relates to multicasting, so it's vulnerable to multicast attacks, and the Windows firewall won't stop those. So basically you can attack the entire network easier than you can attack a single machine. Fun.
Second fun one is that the WebDAV client is remotely exploitable. One wonders why a client is accessible remotely over SMB ports, but it's not too surprising.
Third is not only is PowerPoint bad for you, but now it's also bad for your data security (at least viewing it embedded in web sites is). This one's sorta cheating because it's IE only.
There were more, but of course they're IE and Windows Media Player related. I say those don't count anymore since they seem to get major patches almost every cycle - if you're still using them you're just asking for trouble.
Advisory 913333 was published yesterday, it being another remote WMF vulnerability (just get the user's computer to display it). This one requires <IE 6 on 2000 SP4 or ME though, IE6 (and thus XP and 2003) aren't affected. My guess is there won't be a patch, as the recommendation is just to download and install IE6. Fun.
As a semi-related note, Advisory 914457 gives another reason to upgrade XP/2003 to the latest service pack.
These things are getting old. We have a week and 3 days to figure this one out. Summary and some other info.
In case you somehow haven't heard, Microsoft released the WMF patch early rather than waiting until the normal 2nd Tuesday. Those using Windows should probably hit Windows Update to manually update right away rather than waiting for Automatic Updates to get it. Unfortunately it does want a restart. Of course at least having AU download and notify if not install should already be set anyways. Unfortunately it's not considered critical for 98 and ME, so anyone using those OSes has to make due with the third-party one or upgrade to something newer or not Microsoft.
Oh yea, on the topic of images and exploits, anyone have an ATI video card?
I don't know how many people have noticed this because of the WMF stuff, but there are also vulnerabilitys for DOS and Code Execution on BES (Blackberry Enterprise Server) when attempting to handle TIFF and PNG images for the Blackberrys connected to it. Basically special image files emailed to a Blackberry and there's issues.
Back on the WMF thing, it looks like email isn't a direct attack vector - one has to click a link in an email. Most people will click links in email without thinking, but at least it's something. That link also mentions no problems with the patch which is false. There's IE issues and printing issues. The latter is sorta scary, since the vulnerability is linked to printing, so it appears poorly designed/outdated drivers could be broken by a real patch too.
My favorite workaround so far is probably unregistering the DLL as Microsoft suggests, but also changing ACLs to prevent shimgvw.dll from reloading.
In other news, a good summary is available from SANS ISC, which mentions that DEP available in XP SP2 could help with the right system. "However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit."
Also, there's an interesting writeup on the whole issue with image file vulnerabilities (which have been found in pretty much every OS in the last year or two, although not as a designed in feature like WMF).
Jesper Johansson, a security guy at Microsoft, has a good analysis (his, not official Microsoft opinion) of the benefits and drawbacks, both technical and procedural, of different ways of dealing with the WMF Exploit before an official patch is available.
There's now a worm spreading the exploit around on MSN. If you have no clue what I'm talking about, you can read about the exploit. I'm not sure about the worm specifically, but there is some nasty code out there for this. Basically it takes advantage of Windows looking at the content and not the extension to send it as a .jpg, it splits it over the Ethernet MTU (biggest a single packet can be on the network, 1500 bytes, actually a bit less actual data after IP and TCP) so sniffers that don't reassemble streams can't detect it, plus the usual random size/name/method of implementation. This should be a fun one...
Unfortunately Microsoft says the only fix at this point is to unregister a dll, but the problem is really in gdi and not that one, so if many people do that there'll just be modifications made. Windows users may want to take appropriate action.
I just saw this. The video (13MB, about 4 minutes long). Apparently the marketing guy paid for it, but it sounds like he did it because he thought it'd be cool and likes Vista that much, and they didn't pay him to get it or anything.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
