Wed, Dec 17 2008 19:27
bradley
So how can they get me?
So the question was asked: how do we know that this zero-day vulnerability isn't some farce to get us to patch, and the patch actually opens up a security hole? When one goes to GRC.com and does a ShieldsUP test, it says it's all stealth there, so how can it be that my system is vulnerable if no ports are open?
If my ports are all closed, how can they attack me when there are no ports that they can reach me with?
http://computer.howstuffworks.com/web-page.htm
http://computer.howstuffworks.com/web-server2.htm
In general, what's going on is something that was devised a long time ago. It was thought best to have web servers do some of the work and then workstations do some more work. When you connect to a web site, your system is connected to that web server's port 80. It has its port open to accept your request. Once you make the handshake (using this SYN/ACK stuff under the hood) the packets start flowing back and forth between that server's port 80 and your system.
When you sit there with a running computer with no ports open, bad guys can't go after you. But we don't just buy computers to sit there and warm our houses. No, we use computers to do things. And it's when we take the system from an idling box that is secure to one that is out doing things that we introduce this risk.
When WE go to a web site, we are the ones opening the door to the bad guys. We go surfing to a page that was designed to do bad things to us. If we have a system with settings that allow the bad site to do bad deeds, then it's our action of going to that web site that opens the door to vulnerabilities.
So the default in every browser is a set of settings that tells it how it's going to handle web sites. For IE7 a good listing is here:
Invisible Denizen: Default IE7 Settings for XP SP3 and Server 2003 SP1:
http://blog.invisibledenizen.org/2008/12/default-ie7-settings-for-xp-sp3-and.html

That's Vista's, but you get the idea. All those settings are there to 'share the load' with the web server. Some of the processing is done by the web server, some is done by your computer. When something in the browser software is done incorrectly, in a way the software designers did not intend, sometimes these flaws fail in a manner that puts the web server in a position to do bad things. That's an oversimplification of the explanation from here: http://blogs.technet.com/swi/archive/2008/12/12/Clarification-on-the-various-workarounds-from-the-recent-IE-advisory.aspx but the bottom line is that the browser is doing something the software developers didn't realize it was going to do, and the bad web sites are taking advantage of this.
When I go to CNN.com from my workstation, the traffic/request flows from my machine through my server to the router, out to Pacbell/Yahoo's DSL, across the name servers/backbone/and all that yadda yadda, to CNN's web servers somewhere in the world. The web server gets my request and then the reply tunnels back down the pipe, down the backbone, down to Pacbell/Yahoo, down to my router, down to my server and back to me.
There's a handshake that goes on.
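To make the "no open ports, still exposed" point concrete, here is an added example (not from the original post) that plays both sides of the exchange described above on the loopback interface. A tiny server binds a port and answers one request; the "browser" side never calls listen(), opens the connection outbound, and still receives whatever the server pushes back over that established connection. The HTTP reply and page body are constructed sample data, and the function names (start_server, fetch, is_listening, demo) are this example's own. The check at the end shows that the client's ephemeral port accepts no inbound connections, which is exactly what a ShieldsUP-style scan would report as "stealth"; the content that arrived is the thing the browser has to parse safely.

```python
import socket
import threading

# Constructed "web server" reply: a minimal HTTP/1.0 response whose body stands
# in for page content the browser must parse. Sample data, not a real site.
PAGE_BODY = b"<html><body>hello</body></html>"
RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(PAGE_BODY)).encode() + b"\r\n"
    b"\r\n" + PAGE_BODY
)


def start_server():
    """Start a loopback server that answers one request with RESPONSE.
    Returns the (host, port) it is listening on; this is the 'open port 80'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()        # the TCP handshake completes here
        with conn:
            conn.recv(4096)           # read the client's request
            conn.sendall(RESPONSE)    # push the page back down the same connection
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()


def is_listening(host, port):
    """True if something accepts inbound connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=0.5):
            return True
    except OSError:
        return False


def fetch(host, port):
    """Act as the browser: open an outbound connection, send a request and
    read the reply. Returns (reply bytes, the client's local ephemeral port)."""
    with socket.create_connection((host, port)) as cli:
        local_port = cli.getsockname()[1]
        cli.sendall(b"GET / HTTP/1.0\r\nHost: example\r\n\r\n")
        chunks = []
        while True:
            data = cli.recv(4096)
            if not data:              # server closed: end of reply
                break
            chunks.append(data)
    return b"".join(chunks), local_port


def demo():
    """Run the exchange and report what the client received and whether the
    client side ever exposed an open port."""
    host, port = start_server()
    reply, client_port = fetch(host, port)
    # Split headers from body; the body is untrusted input from the server.
    body = reply.split(b"\r\n\r\n", 1)[1]
    return {
        "body": body,
        # The client never listened; its port refuses inbound connections,
        # yet the server's bytes have already arrived and must be parsed.
        "client_port_open": is_listening(host, client_port),
    }


if __name__ == "__main__":
    print(demo())
```

The firewall never had to let anything in: the reply rides on the connection the client itself opened. That is why the defence for a browser bug is patching the parser (and limiting what it runs as), not closing ports.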

Here's the thing... as Steve Riley is apt to pronounce at various security conferences... the TCP/IP protocol was built without security in mind. We make that handshake with that web server and it's like shaking hands with a stranger who has a head cold and has just wiped his nose. Eeeewwww, you say, right? Well, you really don't know what that web server has done before you connect to it, do you? You don't know their security posture, do you? You don't know if it just got owned by an attacker, or if the banner ad at the top of the site is malicious, do you? And yet on a regular basis we click to web sites without thinking of THEIR security posture.
Microsoft often says "don't surf to untrusted web sites", but I'd argue we shouldn't really be trusting ANY web site.
Any site has the potential to send us a handshake and infect us with the computer version of the common cold.

So what to do, you ask? Again I'll refer to my last post about how we have to accept a bit of risk on the Internet: http://msmvps.com/blogs/bradley/archive/2008/12/17/and-now-we-re-going-to-live-happily-ever-after-right.aspx Just as in cold and flu season one can get a flu shot and prevent the worst of it, software patching is a monthly flu shot. Having antivirus and antimalware is vitamin C. Being aware of the web sites that have a potential for being hacked into and made malicious (gambling, p_rn, gaming, etc.) is another. Just as you avoid people who have obvious colds, use services like www.opendns.com to filter out the potential for computer germs. Running your computer without administrator rights is, in my book, the equivalent of walking around with a mask and rubber gloves on when you shake hands with web sites.
But make no mistake, this isn't the security industry opening up more holes in our systems; this is Microsoft ensuring that we've just gotten another booster to our flu shot.
Filed under: Security