Archive | Security

Security is not a feature; it’s a process. Notes on issues, patches and essays on security.

WinSCP updated

A WinSCP security flaw that would allow remote command execution on Windows machines where the WinSCP program had been installed as the protocol handler for sftp:// or scp:// links has been fixed in the new version 3.8.2. All users are encouraged to update.

RealVNC Server exploit

eWeek reports Highly Critical RealVNC Flaw Fixed: “A ‘highly critical’ flaw in RealVNC's virtual network computing software could allow malicious hackers to access a remote system without a password, according to a published advisory.”

It's last month's news, but I didn't notice it when it went by. An associate told me of witnessing a machine being taken over by it. If you have RealVNC up and running as a server, make sure to update from the older 4.1.1 or earlier to the new 4.1.2 patched version.

Microsoft: Block Excel Attachments

eWEEK.com Messaging and Collaboration reports Microsoft Posts Excel 'Zero-Day' Flaw Workarounds. “Redmond's security response center is recommending that businesses block Excel spreadsheet attachments at the e-mail gateway to avoid targeted zero-day attacks.”

FoxPro developers recall that Microsoft Outlook security patches block attached Visual FoxPro programs because “they could contain malicious code” — provided the recipient downloads the code to disk, runs Visual FoxPro to compile the program file and then runs the resultant file. Outlook, however, will allow through Excel or Word documents containing malicious code with no objection.

People need to get over the binary view of “documents” versus “executables.” Web “pages” contain executable Javascript, ActiveX controls, Java and more. PDF files can run code – they are made out of Postscript, a programming language. HTML Help files include executable features. Screensavers are programs, not pictures. Some people like to send around “slideshows” of pictures, oftentimes a PPS (PowerPointShow) file that could run VBA scripts.

1. Don't open attachments from untrusted sources.

2. There are no trusted sources.
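One way to apply the gateway rule above without trusting the filename alone (an added example written for this page, not code from the original post): the filter below flags attachments both by extension and by the leading bytes that identify the code-carrying formats the post lists, so a renamed spreadsheet does not slip past. The block list, the sample addresses and the sample message are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Leading bytes of formats the post argues are executables in disguise:
# Office documents and PowerPoint shows (OLE compound files), Windows
# programs and screensavers (PE), HTML Help files, PDFs.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound (xls/doc/ppt/pps)",
    b"MZ": "pe-executable (exe/scr/dll)",
    b"ITSF": "html-help (chm)",
    b"%PDF": "pdf",
}
# Constructed extension block list for the gateway; tune to local policy.
BLOCKED_EXT = {"xls", "xla", "doc", "ppt", "pps", "chm", "scr", "exe", "pdf"}

def classify(payload: bytes) -> Optional[str]:
    """Identify a code-carrying format from the attachment's first bytes."""
    for sig, kind in MAGIC.items():
        if payload.startswith(sig):
            return kind
    return None

def inspect_message(raw: bytes) -> List[Dict]:
    """Return a verdict per attachment: blocked if the extension is listed
    OR the leading bytes identify a listed format, whatever the name says."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = classify(part.get_payload(decode=True) or b"")
        verdicts.append({"name": name, "ext": ext, "magic": kind,
                         "blocked": ext in BLOCKED_EXT or kind is not None})
    return verdicts

def build_sample() -> bytes:
    """Constructed message: an OLE file renamed to .txt, plus a real text note."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "quarterly numbers"
    msg.set_content("See attached.")
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # fake OLE header
    msg.add_attachment(ole, maintype="application", subtype="octet-stream",
                       filename="numbers.txt")
    msg.add_attachment("just text\n", filename="readme.txt")
    return msg.as_bytes()
```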

It is no longer safe to start your computer…

Vulnerability found in Microsoft Excel.

(InfoWorld) – “A new vulnerability has been found in Microsoft's Excel spreadsheet program, just a few days after the company fixed problems with several of its applications in its monthly patch distribution.”

“One customer reported an attack using the vulnerability, which comes from an e-mail with a malicious Excel document attached, wrote Mike Reavey, Microsoft Security Program Manager, on the company's security blog.”

1. Do not open attachments from untrusted sources.

2. There are no trusted sources.

Brian Livingston: Genuine Advantage is Microsoft spyware

Brian Livingston minces no words in his weekly Windows Secrets newsletter lead article, “Genuine Advantage is Microsoft spyware.” He goes on to say:

“No PC-using company that values security and reliability can allow a program like WGA to send data to a distant server, download additional software, morph its behavior, or remotely change the functionality of Windows (as I describe below). I don't believe individuals should put up with this, either.”

This isn't a frothing-at-the-mouth, I-hate-Bill, Anything-But-Microsoft lunatic writing these words; rather, it's someone who makes his living supporting Microsoft software.

Deep fixes in Microsoft's monthly security bulletin

Microsoft shipped its monthly security updates, and these are not superficial patches, but deep fixes, likely with ramifications for everyone using these products. Anticipate serious perturbations to your systems if you are depending on the behavior of these applications as part of your customer solutions. Microsoft ships patched code it classifies as “Critical” for:

MS06-021 – Cumulative Security Update for Internet Explorer (916281): this is supposed to include patches addressing the ActiveX behaviors in the Eolas suit. This is a good time to abandon ActiveX controls and IE if you are still supporting them.

MS06-022 – Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439)

MS06-023 – Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344): JScript? Are they still making that?

MS06-024 – Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)

MS06-025 – Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)

MS06-026 – Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)

MS06-027 – Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)

MS06-028 – Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)

“Important,” perhaps less critical patches include:

MS06-029 – Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)

MS06-030 – Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389)

MS06-032 – Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)

One “Moderate” patch rounds out the bunch:

MS06-031 – Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736)

In addition, MS06-011 Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798) has been re-released as version 2.0 with new patching information.

It's the 24th week of the year, and Microsoft is up to 31 patches.

UVCIA Panel 21 June: FOSS: Are there options for your business?

I'll be speaking on a panel next week at the Upper Valley Computer Industry Association. The panel is entitled “FOSS: Are there options for your business? How can the use of FOSS software supercharge your enterprise” and will be moderated by Bill McGonigle. Here's the blurb:

“Please join a panel of local Free/Open Source Software (FOSS) experts for a discussion of what's new in the field. Each panelist will briefly describe how he uses FOSS software to supercharge his enterprise. After that, the panel will discuss a series of issues that are frequently asked about Free/Open Source Software, and will help the audience understand these questions:

  • What is Free/Open Source Software?
  • Why would I want to use Free/Open Source Software?
  • How can I improve my profits by using Free/Open Source Software?
  • What's changed in the past few years?

“The panel will then switch to a Q&A session, answering questions and engaging discussion with the audience members.”

The other panelists include:

The meeting will be on Wednesday, June 21, 2006, 7:30am – 10:00am, at The Fireside Inn. Admission costs $45, which includes breakfast. Details at http://www.uvcia.org — hope to see you there!

Ow. Too late.

House Rejects Net Neutrality Rules. The US House of Representatives definitively rejected the concept of Net neutrality on Thursday, dealing a bitter blow to Internet companies like Amazon.com, eBay and Google that had engaged in a last-minute lobbying campaign to support it. By a 269-152 vote that fell largely along party lines, the House Republican leadership mustered enough votes to reject a Democrat-backed amendment that would have enshrined stiff Net neutrality regulations into federal law and prevented broadband providers from treating some Internet sites differently from others. [OSNews]

Microsoft Genuine Advantage phones home daily.

OSNews posts Microsoft Plans Better Disclosures of Tool. “Microsoft acknowledged Wednesday that it needs to better inform users that its tool for determining whether a computer is running a pirated copy of Windows also quietly checks in daily with the software maker.” Ya think?

The article goes on to quote: “It's kind of a safety switch,” said David Lazar, who directs the Windows Genuine Advantage program.

Is this Trustworthy Computing?

Daily Windows swipe…

Microsoft Watch from Mary Jo Foley reports Another Windows Vista Bites the Dust. “Microsoft has cut PC-to-PC synchronization from Vista. Vista Beta 2, which is slated to go to as many as two million testers, does not include the P2P synchronization technology. Quality is the reason for the latest cut, Microsoft officials said.”

Meanwhile, Computerworld Breaking News reports Microsoft to tweak key Vista security feature. “Microsoft will change a key security feature in the Windows Vista User Account Control to make it less cumbersome for users.”

Amazingly, this will appear in “Release Candidate 1” which has slipped to August 25th. I'm astounded that they could get to this level with features as clumsy as this.

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.