Coffeehouse Thread

61 posts

Microsoft Security Alert, here's where to go

  • jonathanh

    "Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk."

    (from http://www.microsoft.com/security/incident/download_ject.mspx)

  • Mike Dimmick

    phunky_avocado wrote:
    Point of fact:  In this thread Microsoft is getting bashed because they have not put out a patch fast enough after the exploit was released; yet, in the not-so-distant-past when it is discovered after a patch is released that Microsoft has known about the exploit that the patch fixes for a couple of months, guess what?  People scream and complain about "how could you let this thing go on for so long without letting anyone know?"!

    Damned if you do, damned if you don't.


    The other thing that happens if MS release a patch like MS04-011 and an incompatibility with some drivers is found, people (and the gutter press) panic and don't apply it. This current problem is occurring partly because website administrators didn't apply 04-011, because they were scared off from doing so by extensive reports of failing servers. Microsoft are then condemned for not doing enough testing!

    MS04-011 is accused of being too large. However, the fixes to different vulnerabilities affected the same binaries. Modifying the kernel (Windows 2000 and NT 4.0 needed new NTOSKRNL.EXE builds) can require the libraries and processes which interface directly with the kernel to be rebuilt and rereleased. Example: win32k.sys, the kernel side of the Win32 USER and GDI stack, which directly exports system services through user->kernel traps (rather than through device-driver interfaces), was rebuilt for Windows 2000, presumably because the kernel modules need to be kept as a matched set.

    04-011 has had a knock-on effect in another direction: PSS is backed up. It took a couple of weeks for us to get a hotfix for another 'security' issue: the Telephony server in Windows Server 2003 is a bit too secure for Windows XP clients, it won't allow them to connect. The hotfix changes how the clients connect. We submitted an online support request to the UK support website, having identified the hotfix required (824692). Our request ended up in a queue in China, got batted back to the UK queue, which was backed up, got redirected to the US queue and finally officially got the hotfix from UK 10 working days after asking for it - for Windows 2000, not XP.

    What was worst about this incident was the complete silence from PSS on the issue, and when I tried phoning, I got very little help (getting an engineer who said he couldn't help because the case wasn't assigned to him!). However, I have a contact in Exchange PSS who helped a lot, getting me the right hotfix unofficially within four working days (actually only a day after escalating it). Support shouldn't rely on personal favours! I found out about the constant queue movement through my contact, not through official channels.

  • jsrfc58

    Charles wrote:

    You want a 100% secure browser, 100% secure operating system, 100% secure Internet? Well, then don't connect to the Internet. That said, in the future this will not necessarily be the case as users will have become more educated and systems made more secure, but the sad fact remains: there will always be bad people out there working tirelessly to figure out ways to hurt as many people as possible, even if only in abstract or virtual ways. 

    Charles 



    Some days I can't believe these arguments even happen.  To run against the grain and risk a lot of wrath, my only reply to the above comment is "how true".  Why?  Well, hackers have been around for decades.  And so has software piracy.  And so have people who are intent on breaking things or breaking into things.  You can put up a hundred types of defense, but as long as there is somebody out there intent on breaking in, they are probably going to find a way.  Nobody wants to reinstall an operating system after an attack or spend hours hunting down and removing malicious files.  But like it or not, that is the inherent risk you take by connecting to the internet in the first place. Funny, nobody seems to remember that even back in the eighties, well before IE, a big issue was software piracy...every time a game manufacturer would try to come up with a new technique to protect their games from being copied (by using half tracks, missing disk sectors, whatever) somebody would come up with a way to break in.  Odd, too, was the fact that makers of certain copying programs would figure this out and add it to their list of programs you could copy with their software (Copy II Plus comes immediately to mind).  Of course the copy programs would clearly state this was for "personal use" only.  Oh, wait, that was an APPLE issue, not a PC problem (yeah, right).  But Apple never has problems, or so some people would like to believe.

    The targets are now much more visible, much more public (and personal), and yes, the risks are more substantial when you are talking about stolen credit card numbers.  I've had my checking account hit before (not through online banking), so yes, I know what it is like to deal with identity theft and affidavits of forgery, etc.  I was angry when it happened to me, and my perception at that time was that the bank could not move fast enough.  But anybody who believes that software is going to ultimately protect them 100% of the time is kidding themselves.  And there is always going to be somebody out there to complain that this company or that company is not reacting fast enough.  Nobody is going to like it when they connect up to a trusted site, only to find themselves getting attacked. Plain and simple it is theft--and it has been there since the beginning of time, except now it manifests itself in a different, more widespread form.

    Just my $.02.

    P.S. Oh and be sure to send the IE staff several cans of coffee and some chains so they can shackle themselves to their desks until everything is fixed.  I'm sure their families will completely understand.

  • Karim

    jonathanh wrote:

    "Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk."

    (from http://www.microsoft.com/security/incident/download_ject.mspx)


    This is a perfect example of a security fix, which Microsoft thinks is not ready for public consumption (DO NOT INSTALL SP2 RC2 ON PRODUCTION SYSTEMS!!!  CAUTION, BETA SOFTWARE!!!  DANGER WILL ROBINSON!!!) but which turns out to be perfectly acceptable to most non-Microsoft people who just don't want their computers hacked.

    I don't understand why Microsoft hasn't even published a simple utility or .REG file that closes up the vulnerability.  (See http://www.eeye.com/html/research/alerts/AL20040610.html)

    Sure, it might break .HTAs or the Help System, but you can tell people that when you offer it to them.  More choices about how to react is almost always better than less choices, and there will be a lot of people who will choose a temporarily broken Help system over having to worry about whether each and every URL they visit is going to instantly infect their computer.

  • Charles

    Charles wrote:
    You want a 100% secure browser, 100% secure operating system, 100% secure Internet? Well, then don't connect to the Internet.


    Clint_Hill said:
    This is the comment that sent me down the road I went. And to be very clear, I am in no way trying to be the ungrateful end-user. I was simply trying to point out that comments like the one above can get really twisted (obviously as I am victim).

    That comment is actually a general truth, an axiom even, in the software security field. It's most certainly not a slam on end users of Microsoft products. Again, my apologies if I offended or misled. It was not my intention.

    As to the notion of "stupid end users", I'm not a big fan of such thinking. I've actually not met anybody around here who thinks of our customers in this way. If I do hear somebody expressing that sentiment, I'll be sure to pass along an "up yours!" for you.


    Keep on posting,

    Charles

  • amg

    Karim wrote:


    I don't understand why Microsoft hasn't even published a simple utility or .REG file that closes up the vulnerability.  (See http://www.eeye.com/html/research/alerts/AL20040610.html)

    Sure, it might break .HTAs or the Help System, but you can tell people that when you offer it to them.


    I agree that it's mystifying as to why patches take so long to be released...but a super compelling reason would be to avoid litigation.  Patches that fix holes can't go around breaking other things...

    ...which is why I majorly disagree with your concept of patches being released that may cause other components to fail, but informing people of the failure.  That's not how commercial software works...not anything remotely good anyways...

    The bigger they are, the slower they are...5,000 people or 5...the patches will take longer than you or I think they should.

  • Karim

    amg wrote:


    I agree that it's mystifying as to why patches take so long to be released...but a super compelling reason would be to avoid litigation.  Patches that fix holes can't go around breaking other things...

    ...which is why I majorly disagree with your concept of patches being released that may cause other components to fail, but informing people of the failure.  That's not how commercial software works...not anything remotely good anyways...


    I don't have any problems with how long "patches" take to be released.  They take as long as they take, and I know some folks in Redmond are busting their asses trying to get this one out the door.

    The reason why I specifically did not use the word "patch" is because releasing a utility or .REG file (such as the one provided by eEye) does not "patch" (i.e. replace source code in) Internet Explorer.  In this case, it could simply eliminate a huge vulnerability, at the cost of breaking some things that not everyone uses every day.  This would be a temporary measure until the "patch" for IE is released.

    I think a sense of perspective needs to be maintained about this.  This vulnerability allows execution of ANY SOURCE CODE, ANY APPLICATION on your PC, simply by loading a web page into your browser.  Think about that.  You don't think that lots of people would choose to temporarily break the Windows Help System in order to close that hole?

    Sure, lots of people need the Windows Help System, and they don't have to install the utility.  Anyone who values compatibility over security doesn't have to install the temporary fix.  My point is that Microsoft should be offering people the choice.

    Your point about "avoiding litigation" only made me laugh.  You do realize we are talking about Microsoft?  They could change the colors in the Windows logo from red/green/yellow/blue to red/yellow/green/blue and some dickhead somewhere would file a billion-dollar class-action lawsuit as a result.  The amount of money and human effort that goes into suing Microsoft probably exceeds that of the Apollo Moon Program and I don't see that changing any time soon.

  • Karim

    pacelvi wrote:
    Dude, that was John Lithgow on the plane (his movie debut).

    Though if you want to stick with Shatner, I think Airplane II: The Sequel should provide a good story.

    Dude that was so NOT John Lithgow on the original television series airing of the episode, which happened in 1963, which was probably before you were born.  (Kids today!  Sheesh!)  It was William Shatner before he became Captain Kirk.

    http://karimalim.com/shat-ie2.jpg

    The movie was a rehash of some of the better TV episodes.  You really should see Shatner in the "Nightmare at 20,000 Feet" role... words cannot describe it.

    LOL Shatner was in Airplane II: The Sequel?  Surely you must be joking....

  • pacelvi

    Ah.. I was thinking of the Twilight Zone movie.. they must have remade the episode you were talking about into the last segment they did, as you say.

    And I'm not, and don't call me Shirley.

  • Charles

    I am very happy to announce that the Microsoft Security Response Center has just updated the www.microsoft.com/downloadject web page to reflect some of the feedback they have received from this thread and other internal threads as well as some of the results of their own investigations. It's a start and will only get better going forward.

    Thank you all for the outstanding feedback. Please keep it coming. We are listening.


    Keep on posting,

    Charles

  • Karim

    "Microsoft teams have confirmed a report of a security issue known as Download.Ject affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows."

    We confirmed this by reading all the press from AP, Reuters, the New York Times, Forbes and CNN, who had actually confirmed this last week.

    "The second [issue with Internet Explorer] is a recently discovered issue that Microsoft is currently investigating in order to provide a solution."

    Mostly, we are stymied because we still haven't come up with a good name for this issue yet.

    "Customers who are already following our safe browsing guidance significantly reduce their risk from this type of attack."

    In this particular case, "safe browsing" means not typing the URL of a well-respected Fortune 500 company in your browser.  We would direct you to the URL of our safe browsing guidelines, but doing so would actually violate our safe browsing guidelines.

    "Microsoft has established with its partners that this attack is not a "worm" or virus; in other words, this attack is a targeted manual attack by individuals or entities towards a specific server."

    Of course, if you happen to visit that infected server using IE, you would be instantly infected as well, along with everyone who visited the site.  But you can rest assured knowing that when the Russian Mafia starts using the credit card numbers that you've typed into your computer, it was not the result of a "worm" per se.

    Also, we checked the dictionary, and turning your computer into an open proxy server so that it can be used to deliver spam or break into your corporate network -- well, that really isn't a "virus" either.  So rest easy!

    "Microsoft also has confirmed that this attack exploited a vulnerability in Internet Explorer to deliver malicious code to visitors of an affected Web site. Microsoft has been working with Internet service provider partners to shut down the malicious URLs."

    Some have suggested that we also repair the vulnerability in Internet Explorer.  But we're having much more fun playing whack-a-mole shutting down malicious URLs as they pop up across the Internet.

    "In addition, MSN is scanning for and blocking malicious URLs."

    If you don't use MSN, though, you're kind of screwed.

    "Customers using Internet Explorer should be sure that they have installed the latest security updates by visiting Windows Update at: http://windowsupdate.microsoft.com."

    Not that it will help protect you from this threat, though.

    "Customers running Windows XP SP2 Release Candidate 2 are already protected from this threat."

    We hope the other 99.9995% of you are using MSN.

    Oh, and you can ignore all those dire warnings about not installing SP2 RC2 on "production" systems.  We were only joking about that!


  • Charles

    Damn, Karim. You're harsh, but honest. Gotta love that.

    This update is only the beginning. MS Security et al are open to changing their ways and they are trying.  We'll get better at this. In the meantime, keep up the great feedback. It doesn't go unnoticed... 

    EDIT: I do think that MSRC deserves a little slack here. They made a change to their status delivery process in about 72 hours. Not that shabby given how hard it is to develop effective messaging, not to mention the challenge of getting a large and vocal team to come to a reasonable consensus. I'm not making excuses or playing PR. I just wanted to get that off my chest.

    Love your comments, Karim. Keep 'em coming. 


    Charles

  • LazyCoder

    Yeah, looks like we're back to KB article #833786: "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them."

    I wrote some about it here

    Who else but a large corporation would come up with a solution like that?

  • Charles

    The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them.

    I'm not sure a counter argument can be made against this statement. It's certainly always the case that you can't be harmed by something if you never spend any time with it...

    That said, yeah, give me a little more.


    Keep on posting,


    Charles

  • Shining Arcanine

    Karim wrote:
    jonathanh wrote:

    "Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk."

    (from http://www.microsoft.com/security/incident/download_ject.mspx)


    This is a perfect example of a security fix, which Microsoft thinks is not ready for public consumption (DO NOT INSTALL SP2 RC2 ON PRODUCTION SYSTEMS!!!  CAUTION, BETA SOFTWARE!!!  DANGER WILL ROBINSON!!!) but which turns out to be perfectly acceptable to most non-Microsoft people who just don't want their computers hacked.

    I don't understand why Microsoft hasn't even published a simple utility or .REG file that closes up the vulnerability.  (See http://www.eeye.com/html/research/alerts/AL20040610.html)

    Sure, it might break .HTAs or the Help System, but you can tell people that when you offer it to them.  More choices about how to react is almost always better than less choices, and there will be a lot of people who will choose a temporarily broken Help system over having to worry about whether each and every URL they visit is going to instantly infect their computer.


    It is not Beta software or even Gamma software, it is Release Candidate software and is almost ready to be declared Gold.

    Edit: In fact, I used to run RC1. That was before Microsoft sent me a patch via Autoupdate that completely destabilized Windows. I had to "upgrade" to Windows XP to fix the problem. But I can say that it was as stable as a rock until that point.

    Charles wrote:
    I am very happy to announce that the Microsoft Security Response Center has just updated the www.microsoft.com/downloadject web page to reflect some of the feedback they have received from this thread and other internal threads as well as some of the results of their own investigations. It's a start and will only get better going forward.

    Thank you all for the outstanding feedback. Please keep it coming. We are listening.


    Keep on posting,

    Charles


    That is great news.

  • manickernel

    As I have indicated elsewhere, I have found the Eeye solution my best course of action at the moment by deploying the IESecurityRegFixer to client workstations to disable the adodb.stream linkage.

    This does not disable Windows Help or more importantly, Windows Explorer (a fact that was not mentioned in the MS suggestion for Local Machine Zone restrictions). I do appreciate the Microsoft suggestion though, 'cause it has led me down another interesting path...

    I am not so concerned with the current exploit, it is the next one that may take down our 911 system (and yes, it is "sandboxed", but still part of our AD..so)

    Hey.. for some really great videos go to www.thebroken.org

    ...thermite in a laptop, now that is data protection;)
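    The interim mitigation Karim and manickernel discuss above (a .REG-style change that stops Internet Explorer from instantiating ADODB.Stream rather than patching IE itself) can be audited across workstations with a script like the following. This is an added example, not the eEye IESecurityRegFixer or anything from the thread; it assumes IE's documented per-CLSID "kill bit" location under ActiveX Compatibility and the ADODB.Stream CLSID, and it only changes the registry when run with -Remediate.

```powershell
# Added example (not from the thread or from eEye/Microsoft): audit, and optionally
# apply, the Internet Explorer "kill bit" for the ADODB.Stream ActiveX control.
# Assumptions: the kill bit lives under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# as bit 0x400 of the "Compatibility Flags" DWORD, and ADODB.Stream's CLSID is
#   {00000566-0000-0010-8000-00AA006D2EA4}.
# Run from an elevated prompt. Default mode is read-only; pass -Remediate to set the bit.
param(
    [switch]$Remediate
)

$Clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'   # ADODB.Stream
$KillBit = 0x400                                       # "do not instantiate in IE" flag
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-CompatibilityFlags {
    # Returns the current Compatibility Flags DWORD, or $null if key/value is absent.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-AdodbStreamKillBit {
    # $true when the kill bit is set; $false when the key, value or bit is missing.
    $flags = Get-CompatibilityFlags
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-AdodbStreamKillBit {
    # Sets the kill bit while preserving any other flag bits already present,
    # so unrelated compatibility settings on the same CLSID are not clobbered.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $existing = Get-CompatibilityFlags
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
        -Value ($existing -bor $KillBit) -Type DWord
}

# Report (and optionally fix) the state on this machine.
$host_name = $env:COMPUTERNAME
if (Test-AdodbStreamKillBit) {
    Write-Output "[$host_name] ADODB.Stream kill bit is SET (flags=0x{0:X})" -f (Get-CompatibilityFlags)
} elseif ($Remediate) {
    Set-AdodbStreamKillBit
    Write-Output ("[$host_name] kill bit applied; verified = {0}" -f (Test-AdodbStreamKillBit))
} else {
    Write-Output "[$host_name] ADODB.Stream kill bit is NOT set (audit only; rerun with -Remediate)"
}
```

As the thread itself notes, the trade-off is compatibility: anything that legitimately drives ADODB.Stream from inside IE stops working, so audit first and roll the change out to a test group before the whole fleet.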

  • orcmid

    Hi Robert. I love this thread, and something happened where I can now get in to comment, even though I now have even trusted zones running in high security and I have to keep giving permission for the Channel 9 scripts to run. 

    I wanted to confirm that, with my raised threat defenses (until the patch is out and confirmed), channel 9 works better under condition orange than it seemed to the other day.  I don't know if the site update caught it or what, but I am pleased that it is safer to contact Microsoft and Channel 9 (though MSDN is a * right now, accessing with shields up) under conditions of heightened IE threat precautions.

    With regard to the new Button problem, disclosed last night, I and my pals in the Security Engineering class just had an "oh, oh" about all of the security software and anonymizing software that puts buttons and menu bars in software that would allow them to see password entries before they hit SSL/TLS. Time to get some more transparency from those guys.  Now I even worry about NewsGator, which basically has access to my Outlook and an independent access to the internet. Geez, who can a girl trust these days? [;<).  And how can we tell that the guy really is safe?

  • pacelvi

    I've spent this whole weekend looking at my system (XP Pro SP2 RC2), trying to figure out what's legit and what isn't and have come to the conclusion it's a complete *-up.

    One tool will find crack A but not B, another will find B but not A, none of them will see cracks C through XXY.

    Task manager is completely useless, Tasklist is useless. The Zones theory might be nice but the implementation sucks. Having to retype portions of domain names and putting the * there, complete waste of my time (plus it's not so easy to do).  The registry is like that crazy woman's house in San Jose.

    Domain accounts and NTFS are basically useless as security measures.

    I'm going to assume that if Linux or Mac or whatnot had the market share that MS does that their stuff is probably just as vulnerable but since I'm using MS's stuff I'll have to be pissed at them.

    For the amount of time I waste making sure I'm not being victimized I am now very offended by product activation.. as far as I'm concerned, I'm owed a few free copies of an OS.
