Spyware Sucks : Vulnerabilities, viruses and exploits, Security, safety and privacy on the Internet, Internet Explorer 7

ALERT: Out of band security patch to be released tomorrow, 17 December at 10.00am Pacific time

sandi — Tue, 16 Dec 2008 21:14:56 GMT

Announcement here:
http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx

The patch resolves the actively exploited vulnerability that has been in the press so much in recent days, and which is the subject of this Security Advisory:
http://www.microsoft.com/technet/security/advisory/961051.mspx

Internet Explorer Protected Mode and other stuff...

sandi — Sun, 06 Aug 2006 03:46:00 GMT

For your viewing pleasure.. an excellent video from TechEd

Windows Vista System Integrity Technologies
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=223

Steve Riley is a fun presenter... messy blonde hair, sneakers, red pants, blue shirt, shell fragment necklace, leather wrist bands with tassels and earring

My primary interest, when looking at this video with a mind to highlighting it on my blog, was its relevance to IE7. That being said, there are a lot of gems in Steve's presentation.

I do recommend, if you are technically inclined, that you watch the entire video (but be warned, its more than an hour long). If you don't want to sit through the entire thing, you can jump straight to the section where Steve explains how Protected Mode for Internet Explorer in Windows Vista helps protect users from the bad guys when they are surfing the internet.

Basically, a user will have to approve up to *three* different dialogue boxes for programmes sourced from the Internet. He or she will have to say:

1) Yes, I want to run that programme...
2) Yes, I trust the Web site that I got the programme from...
3) Yes, I want to give that application Full (User) Privileges...

Steve says "what is the problem that we're trying to solve here... when somebody downloads some attachment and it has some sexually formatted subjectline "click here to see the dancing pigs".. those dancing pigs will win every time won't they... people don't know how to be secure so we have to do it for them..."

As much as I *dislike* the phrase, there are people out there who just want to see the "dancing pigs" and will say yes to anything and everything to obtain access to said pigs. For them, three prompts will not be enough to stop them from infecting their machines. Heck, they may even complain about the inconvenience. But you know what? MS can only go so far to protect people from themselves.

After years of very vocal "Windows is too insecure" complaints there are some who complain about how much harder Vista makes things for developers and users - for example:
http://www.msgpluslive.net/news/2006/08/05/opinions-on-windows-vistas-release-date/

Its a little ironic that Patchou is complaining about difficulties when working in Vista, considering the ongoing battle to stop malware being distributed via his sponsor programme (stopping the spread of malware being one of the primary reasons behind the tightening up security in Vista).

I disagree with Patchou... I say bring on Vista. Reality is that malware pushers are not going to go away voluntarily, nor will people stop trying to earn an income from the pop-ups or banner ads that are used as a conduit to computers by the malware pushers. The bad guys are not going to give up their income stream willingly, and they will continue to look for ways to get their wares on to as many machines as possible, including by deceiving those selling pop-up and banner advertising space. There are people who need to generate an income via pop-ups and sponsors and who have every intention of refusing malware pushers access to their advertising space, but reality is the bad guys are getting in there anyway.

Attempted malware download via MP Sponsor Programme generated popups:
http://msmvps.com/blogs/spywaresucks/archive/2006/06/30/103407.aspx

The bad guys use a myspace banner ad to spread malware:
http://msmvps.com/blogs/spywaresucks/archive/2006/07/21/105450.aspx

Myspace again - this time its embedded videos and Zango:
http://www.vitalsecurity.org/2006/07/interview-with-zango-myspace-affiliate.html

During Steve's presentation he talks about how he did not reduce the privileges granted to his wife's user account, which was a local administrator account, and how his wife's computer was therefore vulnerable to, and ended up being infected by, malware ... Steve mentions that Jesper makes his wife and children run as guest), but Jesper's willingness to lock down his systems is an exception, rather than standard operating procedure out there in the world.
http://blogs.technet.com/jesper_johansson/archive/2006/06/22/438316.aspx

We have to get used to UAC and no longer being King on our computers. As Steve said, there is no such thing as perfect, hack proof or impenetrable (tell that to some of the Linux/Firefox apologists). He also says "For every way you can think of to stop a bad guy the bad guy will think of another way. You can't. You cannot know everything that is bad. But what do you know? You know everything that is good... So why not make a statement of what you allow based on what you know is good and then by default block everything else."

His comments remind me of Peter Tippett and what he said years ago (Peter Tippett, by the way, apparently developed the product that eventually became Norton Antivirus).

Back in May 2005 I reported on an magazine article about Peter in which Peter said:

"The first version I produced stopped any virus that could be produced. 'No updates required' was the byline. It recorded the state of all software on your system and anything new just wouldn't run ... As an afterthought we added virus signature scanner and sold it to Symantec. ... Symantec felt that nobody could understand the generic new software-blocking stuff, so that feature quietly dropped away.”

http://msmvps.com/blogs/spywaresucks/archive/2005/05/05/45762.aspx

We have now reached the stage where needing to stop the bad guys outweighs the need to make things easy for those who cannot understand the "generic new software-blocking stuff" or want to be King on their computer.

Thanks Ian! I enjoyed the giggle :)

sandi — Fri, 23 Jun 2006 00:00:00 GMT

One of my loyal readers pointed me to this site, coincidentally after reading my blogpost about the Bit9 assessment which placed Firefox 1.0.7 as the most dangerous non-malicious software out there:
http://www.cweiske.de/

It seems the owner/author doesn't like IE and is blocking access to IE users. That's his prerogative but its awfully short sighted. Why? Because IE7 is a massive improvement in security and CSS compliance - because Firefox is becoming a bigger target and the bad guys are targetting it more often and if not kept right up to date leaves its users at risk - because even Opera is exploited (recent example)

On further thought, although I did giggle when I first saw the page, now that I've thought further about it the giggling has stopped.

The author says Opera and Firefox are "better" - how are they better? Better CSS compliance? IE7 has taken great strides in addressing that problem. Are the alternative browsers "safer"? No they are not. As has been said in the past, all the bad guys need is *one* exploit. Firefox and Opera can be and have been targeted - in fact just recently there was a hostile circulating that was targetting IE *and* Firefox exploits.

It is dangerous to tell somebody to stop using IE because it is a "paradise for virus programmers" and point them to Opera and Firefox without also warning them to regularly check for security updates for those browsers and practice safe hex. Firefox and Opera are also subject to exploits and vulnerabilities - it concerns me when I see sites that forget to mention that fact. At least with Internet Explorer, if you have Automatic Updates enabled you will be notified of the latest security updates.

The fanboys need to stop saying "use this - its better". They need to say "use this - its better - but make sure you check back regularly for security updates and patches, and always practice safe hex". Windows Update does not patch Firefox or Opera or any other alternative browser. You have to look after yourself. Remember that. If your friends are using an older version of Firefox, especially one that does not have an inbuilt update ability, warn them that they have to go out and get those updates.

Fix: Internet Explorer freezes when using the drop-down address bar list when the fix described in KB908531 is installed

sandi — Fri, 14 Apr 2006 05:28:00 GMT

Note, HP and Kerio are NOT the only software affected by the problems described in the KB article 918165. Older NVIDIA software is also implicated, and as the KB article states, there may be other third party COM controls or shell extensions causing a problem. In short, don't assume that just because you don't have NVIDIA, HP or Kerio that you'll be safe or that your problems can't be caused by the MS06-015 update. I have personal experience of people being hit by this problem who have none of that software:
http://support.microsoft.com/kb/918165

(I have no idea why Stephen ***'s surname doesn't appear properly - all I see is three stars instead of a surname...)

Stephen *** of Microsoft has posted to ie6.browser newsgroup regarding a known problem with MS06-15 / KB908531 wherein Internet Explorer may freeze when you attempt to use the drop-down list in the Address Bar. MS have tracked down the cause of the problem, and it is wide spread enough to be deserving of publicity. I am sure Stephen will forgive me for quoting him verbatim rather than sending you off to the newgroup via Outlook Express or the Communities Web Interface.

<quote> We've determined that the majority of the issues people are having with MS06-015 / KB908531 are due to a bad interaction between the security update and a software component included with various HP hardware devices, including but not limited to printers, scanners, and cameras.

Here are two fixes which should fix problems caused by the interaction with the HP software:

Option 1 - Modify the registry
------------------------------

- (If you have multiple user accounts set up) Log onto the computer using an account with Administrator privileges

- Click the Start button, then click Run and type "regedit" at the prompt, without the quotes; this will start Registry Editor

- Locate the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached key in Registry Editor

- Right click on the key and select New / DWORD Value

- Rename the resulting value "{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401", without the quotes

- Right click the value, select Modify, and type "1" into the Value Data field

- Close Registry Editor

Option 2 - Kill the HP process
------------------------------

- Wait until Internet Explorer, Windows Explorer, or whichever component is encountering problems is in an unresponsive state

- Click the Start button, then select Run and type "taskmgr" at the prompt, without the quotes; this will start Task Manager

- Locate any instances of hpgs2wnd.exe or hpgs2wnf.exe in Task Manager, then right click on them and select End Process

(Note: Option 2 this may disable some HP device-specific functionality until you restart your computer.)

If your computer is not currently unresponsive, you should only have to do Option 1 or Option 2, not both. If your computer is currently unresponsive, you should be fixed by doing Option 2.

I'm very sorry about the inconvenience this has caused you all; hopefully this will get things back on track. Please note that MS06-015 fixes a critical security vulnerability, so it's very important that you reinstall it as soon as possible if you've uninstalled it. Please also keep in mind that disabling Auto Update will leave your computer unprotected even after we release security updates. I understand that this experience has been very frustrating for many of you, but I really must still strongly recommend that you leave Auto Update enabled for your own safety. </quote>

Addendum: <quote> Actually, it appears that I spoke too soon. Option 2 will correct the problem for the logged-in user, but not for all users on a computer with multiple user accounts. For that reason, Option 1 is the preferred option. </quote>

The eEye hack for the createTextRange vulnerability

sandi — Tue, 28 Mar 2006 23:25:00 GMT

Summary: My advice? Don't install it.

(Please forgive any grammatical or logical flow errors - I'm running real short of time but wanted to get this live before starting my work day).

Two MS security bloggers have mentioned the eEye "patch" that protects against the createTextRange vulnerability.

http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/ms_schweiz_security_blog/default.aspx

Both bloggers recommend that the patch not be installed.

Ok, I admit - the vulnerability is being exploited. That's bad. But, at the same time we need to have a realistic look at what is going on and compare risk to reward. On balance, after considering all the information I'm privy to (public and private) I have to say that I agree - do not install the third party patch.

Historically, third party patches and hacks have been problematic. Let's look at a couple of recent examples.

WMF Exploit hack
The WMF exploit patch was messy - to get the file to stick you had to mess around with cached copies of the file (gdi32.dll is protected by Windows File Protection). The changed file was also causing Windows Update to offer old security patches. Deregistering shimgvw.dll stopped Windows Picture and Fax Viewing from working.

The IE6/IE7 side by side hack
The IE6/IE7 side by side hack caused various symptoms, including opening a browser window that promptly hangs IE, opening links that render blank, and multiple windows opening when initiating a browser session.

The eEye hack (I refuse to call it a patch) doesn't fix the CreateTextRange vulnerability... it messes around with how Windows works. We have no way of knowing what may be broken by this change.

"Ah, but at least I'll be safe" I hear you say. "Safe from what?" says I. Let me explain.

First, according to http://www.microsoft.com/technet/security/advisory/917077.mspx "Antivirus companies indicate that attacks that exploit this vulnerability are being effectively mitigated by antivirus software with up-to-date signatures". The antivirus companies that have confirmed they provide protection against known vectors include:

Symantec
Computer Associates
McAfee
F-Secure Corporation
Panda Software International
Aladdin
Sophos
Eset Software
Trend Micro
Windows Live OneCare

Do you have up-to-date antivirus? Does it detect files that attempt to exploit the vulnerability? If so, why take the risk with a third party hack?

Second, sure there are lists going around warning that there are hundreds of sites that are taking advantage of the exploit. But, actually hitting one of those sites is needle-in-a-haystack stuff. Seriously. I've seen real-world, whats-actually-happening statistics that convince me that the risk of being hit by the exploit is not sufficient to risk damage that may be caused to a system's operation by the eEye changes.

On balance, considering the fact that MS and law enforcement have been very proactive in getting exploit sites shut down, considering the fact that there are not "hundreds" of sites out there (the number is far lower than that), considering the list of antivirus programmes that protect against known vectors, considering the fact that you'll have to be *real* unlucky to hit one of the sites that is still live without being taken by the hand and shown how to get there, and considering there are safer ways to protect yourself against the risk of exploit (disable active scripting or set to prompt), I say don't install the patch.

BTW, SANS Internet Storm Centre agrees - not with me per se, but with the risk assessment that the eEye patch shouldn't be installed:
http://www.incidents.org/diary.php?storyid=1226

Confirmed: createTextRange vulnerability is being exploited

sandi — Sat, 25 Mar 2006 11:21:00 GMT

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&VSect=P

I do note on the diagram that it stipulates that only the "January edition" of Internet Explorer 7 Beta 2 Preview is vulnerable.

There has been a lot of confusion about whether the March build (that is, 5335.5) is vulnerable to the createTextRange exploit because, despite the MS Security Blog and the Technet article noting that IE7 Beta 2 Preview Mix06 Build is not affected, other sites stated that the IE7 Beta 2 Preview was affected without stipulating build, and some stated IE7 Beta 2 (not the Preview) was vulnerable ... umm, guys... IE7 Beta 2 hasn't been released to the public yet.

Now, if only MS would update their own advisory (http://www.microsoft.com/technet/security/advisory/917077.mspx) which, although it states that IE7 build released on March 20 is not affected, does not list earlier versions of IE7 in the "Related Software" list.