eWEEK.com Messaging and Collaboration is reporting Microsoft Confirms New Word Zero-Day Attack. “Malicious attackers are exploiting a new, undocumented flaw in Word 2000 to load back-door Trojans on Windows machines.” … “Security alerts aggregator Secunia rates the flaw as “extremely critical” and urged Word users to avoid opening Word documents from untrusted sources.”
Archive | Security
Security is not a feature; it’s a process. Notes on issues, patches and essays on security.
And, remember, be careful out there!
I pointed out the article on NX Server on Ed Leafe's ProFox list, and member Tracy Pearson pointed to a great article on Informit.com on Mitigating the Security Risks of SSH. Remember, just because you sprinkle the magic pixie dust of ssh on a solution, it is not necessarily secure. Security is still a process, not a feature.
Internet Explorer a Monster No More? I don't think so.
Thom Holwerda posts this article on OSNews, linking to this ZDNet blog post where Richard MacManus interviews Microsoft's Chris Wilson. I've read the article and I can't see where Thom's conclusion comes from. Chris says…
“…IE7 is going to be an important update in the automatic updates feature. This means it'll actually show up for everyone's [Windows] computer. It won't automatically install behind the scenes or anything, because it is going to change your user experience of the Internet quite a bit.”
I really can't see that anything has changed.
Windows su or sudo?
Garrett followed up on my recent post about creating a root shell by pointing to Aaron Margosis' post with a “MakeMeAdmin.cmd” batch file. My one-liner solution created a shell as an admin user. Aaron's is more extensive and adds the current user temporarily to the administrators group (requiring the admin password), then requires the current logged-in user to log in again for the shell session.
I'm not sure of the security implications of each, or whether one is better than the other. In a sense, my script is similar to “su” where the shell is in the context of another administrator, where Aaron's is closer to “sudo” in the sense that the current user can temporarily execute super user commands. It sure would be nice if the script could go one step further and persist a list of users with sudo capabilities, so you only had to do one login. In either case, it seems that the security context doesn't “leak” outside of the shell in which it is executed.
Run a root shell in Windows while LPU
When running Windows, you should always run as the “Least Privileged User” to do the tasks you need. If your user context doesn’t have the rights to mess with most of the system settings, some evildoing script in the compromised javascript, jpeg, word doc, html page, worm, virus, trojan or other Windows nastie won’t have those rights either.
However, sometimes you need to run a simple command that requires system privileges. Logging in and out or switching users is too much hassle. For this, I created a shortcut on the desktop and labeled it “RootShell.” (Bear in mind when you run commands from this shell that you have nearly complete control of the machine. With great power comes great responsibility.) The shortcut links to a batch file with the command:
runas /noprofile /env /user:MyMachine/MyAdmin cmd
UPDATE: There ought to be a backslash between MyMachine and MyAdmin. My blogging software helpfully deleted it. Grrr.
This batch file runs the command interpreter (cmd) as user “MyAdmin.” (Supply your own settings for ‘MyMachine’ and ‘MyAdmin’. In domain- and ActiveDirectory-controlled networks, the syntax will be slightly different for specifying the user. Type HELP RUNAS at a command shell for guidance.)
Double-clicking the icon opens a command shell and prompts for the administrator’s password. Get it correct, and the shell runs yet another shell in which you can type the commands you need to run. Get it wrong and it closes.
Handy and quick.
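The RootShell batch file with the backslash restored, as an added example rather than the author's original file. MyAdmin is the post's sample account name, %COMPUTERNAME% stands in for MyMachine, and the window title, colour and PATH reset are additions made here.

```batch
@echo off
rem RootShell.cmd -- added example, not the author's original batch file.
rem ADMIN_USER is a placeholder; MyAdmin is the sample name from the post.
setlocal
set "ADMIN_USER=MyAdmin"

rem %COMPUTERNAME% supplies the local machine name, so the account is
rem written machine\user with the backslash that runas expects.
rem   /noprofile  do not load the admin account's profile
rem   /env        keep the current environment instead of the admin's
rem
rem Because of /env, PATH and the other variables in the new shell are
rem inherited from the limited account. The commands after "cmd /k"
rem therefore reset PATH to the system directories before anything else
rem is typed, and give the window a distinct title and a red background
rem so the privileged shell is not confused with an ordinary one.
runas /noprofile /env /user:%COMPUTERNAME%\%ADMIN_USER% "cmd /k title RootShell - %ADMIN_USER% && color 4F && set PATH=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem"

endlocal
```

Close the red window as soon as the task is done; anything started from it runs with the administrator's rights.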
MS06-040 exploited, a few days
Slashdot post: Botnet Herders Attack MS06-040 Worm Hole. “Laljeetji writes “eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor.”
Sounds nasty. An auto-spreading mechanism will turn this one into an epidemic. Patch now, if you haven't already.
OpenOffice.org security flaws identified, some patched
Robert McMillan of InfoWorld: Top News reports OpenOffice.org security 'insufficient'. “With Microsoft Corp.'s Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses… “The general security of OpenOffice is insufficient,” the researchers wrote in a paper entitled “In-depth analysis of the viral threats with OpenOffice.org documents.” … “This suite is up to now still vulnerable to many potential malware attacks,” they wrote.”
Despite the negative tone of the beginning of this article, it's more good news for OO.o than bad. First, the one major flaw that was found has been patched – yeah, Open Source! – and you'll want to ensure you're running the latest OpenOffice.org. The second positive spin of the article is the tone: governments and companies are seriously evaluating OpenOffice.org as a replacement for their current office products. I wonder if this change in the tone has to do with the acceptance of the Office Document Format as a recognized international standard.
But don't just take my word for it…
Microsoft Watch from Mary Jo Foley reports Patch Windows Now, Homeland Security Warns. “The Department of Homeland Security has spoken. Apply the patches in the MS06-040 security bulletin for Windows, which Microsoft released on August 8, the agency is warning users.”
Microsoft's Monthly Security Patches for August 2006
I received the “Microsoft Security Bulletin Summary for August, 2006” in my inbox this morning. You'll want to sign up on the Microsoft site if you don't get this email and have responsibility for supporting and protecting Windows machines. You can find the bulletin here.
Nearly all the 12 items were rated critical and resulted in “Remote Code Execution” – in other words, someone else taking over your machine. Every version of Windows still supported – Windows 2000 SP4 through Windows Server 2003 – is affected. Individual applications getting patched include all the Office products, VBA-enabled products, and nearly anything with HTML: Internet Explorer, HTML Help, Microsoft Management Console. Get patching!
MS06-040 – Vulnerability in Server Service Could Allow Remote Code Execution (921883)
MS06-041 – Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
MS06-042 – Cumulative Security Update for Internet Explorer (918899)
MS06-043 – Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
MS06-044 – Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
MS06-046 – Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
MS06-047 – Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
MS06-048 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
MS06-051 – Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)
MS06-045 – Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
MS06-049 – Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
MS06-050 – Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)
We're up to 51 patches on the 32nd week of the year. It's pretty apparent that whatever Trustworthy Computing brings us, it won't be a static thing.
Microsoft to ship a dozen on Patch Tuesday
Microsoft Watch from Mary Jo Foley is reporting Windows Fixes to Dominate Patch Day Dozen. “Expect from Microsoft a dozen new security bulletins, with plenty of Windows patches – a number of which will be deemed “critical,” on August 8.”
Pencil in some time Tuesday or Wednesday for patching and rebooting.