Bluemini.com

MS Robert Hensing

Bluehat V8: Mitigations Unplugged

posted: 02 Dec 2008

I first got to see Matt Miller speak in person a few Bluehats ago when he was talking about 'Temporal return addresses' . . . ah yes - the talk was entitled "Temporal Chronomancy" according to Mr. Shostack's blog and it was all the way back in 2005.  The basic premise behind the talk was that there are various counters / timers etc. that reside in a process's memory space that at specific dates and times become interesting 'op-codes' that can be used by exploit writers to do interesting things . . . IF they performed their exploit at exactly the right time . . . the talk freaking blew my mind . . . it was perhaps the best / most memorable Bluehat talk I've ever seen.

Anyways - I told you that story to set some precedent for this one.  Matt Miller works at Microsoft now - on my extended team and he recently spoke again at Bluehat v8 (didn't get to attend sadly) and he delivered a talk on Mitigations Unplugged where he goes into GS / DEP / ASLR etc. etc.  You'll have to trust me that these are topics that he's more than qualified to speak about. :)  I haven't watched the video yet (it's 45 minutes) but I plan on making some time this week - if you have more free time than me - you should definitely check it out: http://technet.microsoft.com/en-us/security/dd285253.aspx

TIP:  Be on the lookout for future blog posts from Matt over on the SVRD blog . . .

Interesting stuff and the end is near (for my blog

posted: 19 Nov 2008

First off - OneCare is dead - long live . . . OneCare . . . err Morro?
http://news.cnet.com/8301-1009_3-10101582-83.html?tag=newsLeadStoriesArea.1

Next up - Zune 3.1 is out - download it - love it.
http://www.engadget.com/2008/11/18/zune-3-1-update-out-today-now-featuring-sudoku/
Also - the flash memory based Zunes are getting price chopped from $10 - $30 in time for Christmas:
http://www.engadget.com/2008/11/18/microsoft-ratchets-down-pricing-on-flash-based-zunes/

Things I loved about the 3.1 update are the new games (Checkers, etc.) and the ability to play with other players wirelessly.  My 8 year old kicked my ass in Checkers last night playing wirelessly from his Zune 30.  I was both proud and embarrassed at being outsmarted by an 8 year old. :)  I was too scared to try my luck at NLHE against him (yes he already knows how to play Poker - I'm not proud of that b.t.w.)

Also came across a new commercial I hadn't seen yet for the 360 today: http://www.xbox.com/NR/rdonlyres/79EB42A4-BB6F-4CDE-9DA1-1759D3EE8A18/0/vidxboxtvadgh3hi.asx

Finally - all good things must come to an end - and my blog is no exception. :)

I'll probably be done blogging real soon now . . . security (which unfortunately is one of my favorite topics) is a topic full of blog-landmines . . . only they move around frequently . . . and after stepping on them - they reset so you can step on them again, and again if you have short term memory problems and a learning problem. :)  Not to mention it's time consuming when done properly and I've been busy as hell lately working on work - and overclocking my car (installed a piggyback EMU and self-tuned it a bit, installing some stage 2 cams this weekend - wish me luck - you may find a used overclocked 2001 IS300 on eBay Monday in need of a new engine with a low low reserve!).

So that said - my farewell post will probably be an explanation of why I have 'El Conquistador' in my display name since it's probably the most frequently asked question I get. :)

This week's Fail Open Goat Award goes to - Credit

posted: 02 Nov 2008

http://www.veracode.com/blog/2008/10/credit-cards-failing-open/

Microsoft SideSight?

posted: 29 Oct 2008

Looks cool: http://www.gearlog.com/2008/10/microsofts_sidesight_something.php

SmoothHD

posted: 29 Oct 2008

Akamai / IIS7 / Silverlight 2.0 / VC-1 == HD over broadband happiness.  It's sort of cool - the video started off a tad blurry and then got sharper after a few seconds and I didn't have a single glitch.
Pretty impressive stuff: http://www.smoothhd.com/
Also see: http://www.akamai.com/smoothhd

Out of band security update planned for today (MS0

posted: 23 Oct 2008

Updated 10/23/2008 @ 1:17pm EST
We have pushed the update live - here's the direct link to the bulletin: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (if it doesn't work for you - keep trying - it will be live real soon now).
Also note that the Microsoft Malware Protection Center has generic detection for the malware dropped in the targeted attacks!
You can read more about it at the MMPC blog: http://blogs.technet.com/mmpc/archive/2008/10/23/get-protected-now.aspx
Finally my team has released a blog post with an interesting .C file linked at the end - for those who like to compile stuff and play around with ACLs: http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
--------------------------------------------- 

The MSRC, SWI and some Windows product team folks have been working really hard to get a critical security update out the door this week and they just pushed the advance notification thing live early this morning (EST).

http://blogs.technet.com/msrc/archive/2008/10/22/advance-notification-for-out-of-band-release.aspx

http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

It's likely that by the time many of you read this - the update will already be available for download via WU/MU/WSUS etc. 
Be sure to go out and grab it - especially if you are running Windows XP or lower operating systems (as you can tell by the severity ratings in the advance notification thinger - it's critical on that platform).

As always we apologize in advance if this ruins anyone's weekend plans - I personally blame the miscreants. :)

P.S.  Keep an eye on my team's blog later today for more technical information: http://blogs.technet.com/swi

Mass SQL Injection : The Chinese Way

posted: 23 Oct 2008

The blog pretty much speaks for itself: http://www.circleid.com/posts/20081022_sql_injection_attacks_chinese_way/

Client-side browser vulns are of little use without an effective way of spreading them to the victims - unfortunately - it's still relatively easy for the miscreants to spread them around using tools like this.
The comment about SQL injection via cookies is interesting . . .

Flash 10 & IE8b2 Per Site ActiveX

posted: 22 Oct 2008

So I've got IE8b2 installed on all of my machines and I've noticed that since installing Flash 10 that all web sites now prompt me before running Flash 10!  The new gold bar experience users will see when they install Flash 10 on IE8 is described here (thanks to Eric Lawrence for the URL: http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx).

Some people may hate this - I actually like that I can now selectively control which sites get to use Flash and that it defaults to OFF for all web sites.  As long as you don't select to allow ALL web sites to run the ActiveX control - it will continue to be blocked behind a gold bar for every web site that wants to instantiate the control.  You'll find that within hours of installing Flash 10 on IE8b2 that pretty much EVERY site on the entire Interwebs wants to instantiate Flash (mostly for supporting annoying ads) and you'll also find that having it blocked behind a gold bar really isn't so annoying.  I personally plan on leaving the Flash 10 AX configured to run on a per-site basis (i.e. I won't be configuring it to run on all web sites) since this makes me feel a bit more warm and fuzzy only allowing certain sites to run the control.  I imagine the vast majority of users will choose to allow all web sites to run the control and that's fine with me - as long as *I* don't have to allow all web sites to run the control - I'm a happy camper.

Flash 10 is out - install it like . . . yesterday.

posted: 18 Oct 2008

If I were a bad guy and I wanted to pwn lots of people via the web - I'd probably focus my efforts on ubiquitous software guaranteed to give me a lot of bang for my buck (like Flash and Acrobat).  Software like Flash would seem like a good target given that it's installed on just about everything these days.  Adobe released Flash 10 recently and I'm just guessing it's got some security bug fixes in it that would probably be good to have.  I'd install it ASAP.

Oh and has anyone else noticed that Acrobat 9 still:

  1. Opens PDFs by default in a browser *without prompting* the user

  2. Runs JavaScript by default (I'm sure it's 'sandboxed' - whatever - I still disable this by default on all my boxes).

And does this remind anyone of Office circa 2000 when we let VBA macros run by default and didn't prompt users before opening documents via the web?  How is it possible that in 2008 this still happens with our competitors?

iPhone running WM 6.1?

posted: 15 Oct 2008

Okay - I'm not sure if this is real or not - but the interview itself is hilarious - the questions the woman asks at the end and the kid's responses are hysterical: http://wmpoweruser.com/?p=1330

Shostack on "Threat Modeling"

posted: 15 Oct 2008

Adam Shostack is incredibly smart - and he also happens to be responsible for managing the threat modeling aspect of the SDL these days.  He's got a nice 10 page paper here on threat modeling - very much worth the read if you're into that sort of thing. http://blogs.msdn.com/sdl/archive/2008/10/08/experiences-threat-modeling-at-microsoft.aspx

DayCon II / OSU Security Day / SafeCode

posted: 15 Oct 2008

Welp - just got back from speaking at a couple of events in Dayton, OH.  First up was THE Ohio State University security day . . . I delivered my 'targeted attacks' presentation which I've been doing for over 2 years now (everything's the same - only the malware changes. :).  I got to take a tour of the OSU campus (freaking huge) and meet some of the defenders of the OSU network which was nice.  Next up was my presentation at DayCon II on Friday night at the Crowne Plaza in downtown Dayton.  I met some real interesting people there (most seemed to be reverse engineers working at the base, and random other security people) and only ONE academic type in the crowd tried to bust my chops at the end with the typical anti-Microsoft rants - first it was Open XML and the fact that it still supports 'binary parts' and then after I addressed those concerns it was "Microsoft is so far behind the Unix world with respect to security - why weren't you programming securely 10-15 years ago?" type arguments.  I believe he mentioned he was a professor with a PhD (possibly from Wright State - a college I dropped out of when I joined Microsoft and was forced to move) . . . I pointed out that we do the vast majority of our hiring (if not all of our hiring) for developers from accredited universities and institutions of higher learning and that if there was bad code being written by our folks - it certainly wasn't "below the standard" of what was being taught at universities 10 or 15 years ago - because we like every other company - hired those universities' graduates!!  I also pointed out that I had recently attended a C++ refresher course at CPCC (local community college) and was none too surprised to find that the PhD professor I had teaching the class was not at all familiar with buffer overruns (well that's not true - he knew what they were just not that they could lead to code execution!!) or heap overruns, or fuzzing, or any other interesting aspects of secure coding (but he knew his sorting algorithms and could talk in depth about compilers!).  In fact he had me at one point lecture the class for him with respect to things like our own SDL, banned APIs, why they are banned, fuzzing, etc.  It was surreal.  This was in 2006.  I was really glad I went back to school to see how things had changed since I had last taken a programming class (they hadn't!!).

And having said all of that, it's a nice segue into this: http://blogs.msdn.com/michael_howard/archive/2008/10/08/safecode-releases-fundamental-practices-for-secure-software-development-document.aspx

MAPP + Exploitability Index == Protected Customers

posted: 15 Oct 2008

Today we officially launched our MAPP program (http://www.microsoft.com/security/msrc/mapp/partners.mspx) and at the same time we also started providing exploitability information about our vulnerabilities to the world.  These two things are pretty huge.  The idea behind the exploitability index is to help customers understand which updates they should deploy immediately vs. which ones we don't think are as likely to be exploited or exploited reliably (trivia:  Did you know that only about 30% of all of our vulns ever have exploit code written for them?).

You can see the exploitability index for the October release here: http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

Here's the breakout of the numbering system used for the exploitability index - it uses 3 numbers - simple - like me: http://technet.microsoft.com/en-us/security/cc998259.aspx

Code monkey very simple man.

Win7 to officially be called . . . Win7?

posted: 15 Oct 2008

I actually for once - LOVE that we are keeping the name of the OS simple and leaving it at Win7.  I will admit - I was somewhat disappointed when XP's name was announced internally (internally it was known as Whistler) and I was downright horrified when we decided to call Longhorn "Vista" (my friends call it "Veesta").  Longhorn sounds cool . . . manly . . . Vista is pretty much the exact opposite in my mind . . . it sounds serene and 'pretty'.

Anyhoo - we seem to be doing all the right things with Win7 (you'll know why I'm saying that soon enough <G>): http://windowsvistablog.com/blogs/windowsvista/archive/2008/10/14/why-7.aspx

Wish I could tell you more about it - but I can't.  All I can say is that it freaking rocks.  I already use it as my daily driver OS at work and can't wait until it's out in the public for testing (which it will be very soon at PDC / WinHec next week).

SkyFire?!?!?!

posted: 30 Sep 2008

OMG - how is it possible that I JUST today found out about this?

http://www.skyfire.com

What is it?  It's a new FREE (for now) browser for WM phones . . . that doesn't absolutely positively suck.  I just installed it on my Q9 smartphone and it rendered www.microsoft.com perfectly and it even rendered the flash animations?!  So to test that theory out I went to Youtube and it played a Youtube video!!  This is freaking insane . . . I finally have a full fledged browser for my phone that doesn't suck.  I encourage all WM users to go check it out if you have iPhone / Safari / Android / Chrome envy!!

I'm a PC and I fight for the users . . .

posted: 22 Sep 2008

Tron Guy makes a cameo in our "I'm a PC" video wall: http://media.lifewithoutwalls.com/ugc/t/r/o/tronguy/tronguy_336_252.wmv

Here's the algorithm for finding direct links to videos based on user name: http://media.lifewithoutwalls.com/ugc/[1st letter of username]/[2nd letter of username]/[3rd letter of username]/[username]/[username]_336_252.wmv (thanks for the tip Jiri)

I sort of like the video wall (and no the irony of having a video wall for a 'Life without walls' campaign has not escaped me) . . . it's fun watching some of the videos and it reminds me a bit of DeepLOL (zoom in with the mouse wheel or by clicking with the mouse on the pic)

Extreme Ad Makeover - We are now entering "the 2nd

posted: 18 Sep 2008

You know, I have one simple request.  And that is if we are to have an ad campaign with sharks, that we have sharks with frickin’ laser beams attached to their heads!

http://www.nytimes.com/2008/09/18/business/media/18adco.html?pagewanted=1&_r=1&ei=5040&partner=MOREOVERFEATURES

Zune 3.0 - Using wifi to download songs right from

posted: 18 Sep 2008

Today a friend asked me how fast downloading songs / albums from the ZMP was and I had to admit - I wasn't sure.  The day the firmware came out I immediately hooked up my Zune to my wifi network at home and then connected to the marketplace and then started playing a newly released song and it started playing nearly instantly - there was maybe a 3-4s delay between the time I clicked and the time it started playing on my Zune - but it seemed very reasonable and the song played without a single hiccup or buffering issues. 

But the cool thing about the ability to access the ZMP wirelessly is that you don't have to stream the songs - you can add them to your 'cart' on the Zune and then this downloads them locally to the Zune vs. simply streaming them (when you stream I don't believe they are left behind when the song is over).  Theoretically if I was at a friend's house and wanted to download random songs that I didn't already have on my Zune for later playback on his 360 - this is what I'd have to do - I'd have to find the songs / albums, add them to the cart on the Zune and then once they were done downloading - plug my Zune into the 360 and start playing them (if you are downloading content or streaming when you plug the Zune into the 360 it stops).

So I decided to do a speed test - tonight I found a newly released album - it was a Buckcherry album that showed up right on the main 'New Releases' part of the marketplace on the Zune.  I clicked to add it to the cart and it started downloading . . . and it was slow.  The Zune gives you a % complete number - but not a throughput number . . . but the throughput didn't seem all that great.  In fact as I have typed this blog post I've only gotten to 95% complete with the album - and I've been downloading it for at least 10 minutes.  So I wanted to know what my average download speed was so I logged into my DD-WRT router and pulled up the bandwidth monitoring interface in FireFox (it uses VML - this is the ONLY reason I have FF3.0 installed) and looked at my wifi (since my Zune is the only wifi device on it right now - these are fairly accurate numbers). 

Welp - a picture is worth a thousand words - it looks like at around 7pm EST on 9/17/2008 my Zune 80 could only achieve an average of about 650kbps download speeds from the ZMP which is slower than the ~2-3Mbps I have clocked it at when doing a wireless sync to my PC.

After the download was over though - I noticed that my wifi utilization was still bouncing between 100kbps and 200kbps . . . but I had nothing queued up and nothing was downloading . . . I disabled the wifi on the Zune and the utilization immediately dropped back down to 0%.  I then fired up the wifi on the Zune again and logged in to the marketplace again and the utilization hovered near 0 (the thumbnails and stuff that it downloads are barely enough to register).  So then I decided to time one song to see how long that would take to download (and to see if the utilization would stay at 100kbps to 200kbps after the download finished).  I chose the artist 'Gym Class Heroes' and the song was a rather amusingly named 'Drnk Txt Rmeo' ('cause who HASN'T txt'd while drnk? :) . . . it's a 3:25s song - fairly representative . . . I started that song downloading and it was done approx 50 seconds later (give or take 2-3s) and here's what the bandwidth graph looked like for that download - notice that I hit peaks of up to 1.5Mbps but the average is about the same probably between 600-700kbps

Welp - those are my numbers - YMMV . . .

UPDATE:  So after I published this I started downloading that whole Gym Class Heroes album and I had a very different network utilization graph from this download - I averaged closer to 1.5Mbps with bursts of up to 3Mbps.  I also noticed that you can use the back arrow to do other things while a song / album is downloading in the background (i.e. you can listen to music while downloading from the ZMP - but you don't seem to be able to play a game - games seem to disconnect you - BUT - it will resume downloading where it left off after you re-connect to the ZMP after you're done with the game - you don't have to start all over)

So then I decided to see if the Zune would be smart enough to push the content that I downloaded directly to the Zune back up to my PC and I decided to do that wirelessly as well to see how fast the wireless sync is with the new firmware (since I haven't tested it in a while).

Well - I'm pleased to report that not only did it push the downloaded content back to my PC (as one would expect) - but it also averaged about 5Mbps while doing it! 
That's up about 50% faster than the last time I tested (with the last version of the firmware I averaged about 2 - 2.5Mbps).

So it looks like what we've learned is:

  1. The Zune 3.0 firmware can download / upload at about 5Mbps - and this is much faster than the Zune 2.0 and older firmwares
  2. Download speeds from the ZMP range from 600kbps to 3Mbps depending on time of day, color of shirt, album downloaded etc.

Zune 3.0 - Insanely great creamy goodness from the

posted: 17 Sep 2008

So I have a Zune 80 (black) and I freaking love it.  The Zune software kicks the living crap out of anything Apple has ever released in terms of quality and functionality and ease of use.  The software just works, the Zune just works - it's probably the best entertainment device we make that no one knows about or has (sigh).  Well, yesterday we released the Zune 3.0 software and firmware for all the Zunes (yes even if you have the first gen brown Zune-brick you get the updated firmware).  So what's cool with the new software/firmware?  Well at long last you can connect up to ANY wifi network via your Zune's wifi capability and you can use that Internet access to connect up to the Zune Market Place (ZMP).  It even works on WPA2 networks with passphrases (I connected up to mine yesterday) - but that only works on the Zune80's and newer (Zune30's support WPA1 and WEP though).

Okay so what's the big deal with being able to connect to any Wifi network?  Well imagine that you have a Zunepass (as I do) for $15/month . . . you can download as much music as you want to your PC or your Zune . . . well imagine that I'm heading to a friend's house to play poker and we want to play some music while we play - but he doesn't have a Zune or a Zune pass.  I can bring my Zune, plug it into say his Xbox 360 which is connected to his home entertainment system and then I can connect to the Zune marketplace via his wifi network to download / stream *any* music that I want . . . so the Zune is on wifi downloading content from the ZMP while plugged into his 360 via USB playing the songs through his home audio system.

Basically I have access to the entire ZMP anywhere I go that has wifi now . . . so even if I haven't downloaded the songs to my Zune from the PC, that doesn't matter - I can still get them . . . anywhere.  This is insanely cool (for me) because I can't tell you how many times I've been on a trip with my Zune sans my home PC with the Zune software installed and I've wanted to grab some new content from the ZMP but can't until I get home (you can only pair the Zune to so many PCs).

Also there is FM tagging which I will probably never use - but basically the Zune will use RDS info (if it's present - un-surprisingly many of the radio stations here in the south have yet to opt-in to this exciting technology of the last century) to figure out what song you're listening to and it allows you to tag it so that you can download it later from the ZMP if you like.

What else is cool?  Well games - I now have Hexic and NLHE poker on my Zune (two of my favorite games - what are the odds?).

I dunno man . . . the Zune is finally a seriously, "insanely great" entertainment device . . . the fact that we give the new hotness to even the original Zune 30 owners is IMHO very impressive - you don't see our competition doing anything like that.

Welcome to the social.

GOVCERT.NL and German authorities recommend agains

posted: 12 Sep 2008

It was only a matter of time - the first few days worth of bugs were so bad I gave up covering them / reading them and one *has* to question Google's commitment and ability to write secure code: http://www.computerworld.co.ke/articles/2008/09/09/security-agencies-rally-against-google-chrome  After reading their security architecture whitepaper - it really is pretty unbelievable how many vulns were found in such a short period of time and how bad they were.

Shrugs - definitely using IE8b2 on all my machines now. :) 

6 on 6? (Hot IE on WM action)

posted: 12 Sep 2008

Whoa . . . a full fledged browser on my Smartphone!  Yes please!

http://news.cnet.com/8301-13860_3-10039152-56.html?tag=newsLeadStoriesArea.0

Don't get me wrong - the browser on WM6.1 is nice . . . but it's still not all that great - lots of pages with complex script cause my browser to hang, other pages still don't render properly etc.  It's a hit or miss affair surfing the web on my phone which is disappointing because the 3G speed is there and makes it doable.  Oh and being able to watch Flash videos on my phone?  Can't wait . . .

New Microsoft Ad with Bill and Jerry - it's actual

posted: 12 Sep 2008

And holy crap - it's 4.5 minutes long!!!

You can watch the ad in better definition than you can on Youtube by going here (and it looks like down on the timeline we'll have them all up there soon): http://www.microsoft.com/windows/

Okay - I have to admit - I officially think this ad campaign is sort of cool now . . . I see where they're going with it and well . . . it's not bad. ;)

It begins . . .

posted: 05 Sep 2008

Our $300MM ad campaign featuring Seinfeld: http://www.techcrunch.com/2008/09/04/first-bill-gatesjerry-seinfeld-advertisement-wheres-the-microsoft/

I was left wanting so much more . . . Apple's probably breathing a collective sigh of relief right about now . . .

Why I'm not running Chrome anymore (back to IE8 be

posted: 05 Sep 2008

http://www.milw0rm.com/exploits/6367
Long strings leading to stack overruns?  Really Google?  Srsly?  I guess I have the answer to my questions about whether they have an SDL / or the notion of banned APIs / or automated code scanning stuff . . . I mean long strings in an HTML tag is like . . . silly fuzzing 101 type stuff . . . the vulns we're fixing in IE these days are pretty insane and are usually pretty complicated / obscure . . . like usually they are some really complicated DOM manipulation stuff that is waaaaaayyyyy beyond simple 'overly long strings in a tag' type stuff.  I can't *wait* to see what happens when people start doing really advanced DOM fuzzing against Chrome. :)

Another interesting read is how they implemented some of their 'enhanced' BIBA security model stuff to prevent the read-up (from Low to Medium or higher) stuff that Low IL on Vista still allows: http://gynvael.coldwind.pl/?id=49

Function patching?  Really?  Wow.  Just . . . wow.

It's pretty obvious that the code quality just isn't there . . . this browser is not ready for prime time on anyone's machine IMHO.

Breaking out of the Chrome sandbox - 2 interesting

posted: 03 Sep 2008

So it hasn't even been out 24 hours yet but Chrome is, as predicted, getting scrutinized heavily and well . . . it's falling down at a pretty alarming rate (compared to, say, IE8 beta 2, which has been out longer :))
So yesterday Aviv Raff discovered that Chrome is vulnerable to the Safari carpet bomb issue as reported here: http://blogs.zdnet.com/security/?p=1843.  This is actually a download and execute / remote code execution bug which is about as bad as it gets!  I verified that the PoC downloads a .JAR file to my IE downloads folder and then attempts to execute it (I got a file open dialog since I don't have Java installed).

Then this morning we have a new, more interesting (IMHO) crash that was posted here: http://evilfingers.com/advisory/google_chrome_poc.php
So, I slapped WinDBG on both processes to see what's going on - and I visited the PoC site from my Vista++ machine and this is what I observed in the debugger attached to the medium IL kernel process:
0:022> g
(1078.fe4): Break instruction exception - code 80000003 (first chance)
eax=553a2ff0 ebx=0024e238 ecx=553a2ff0 edx=775cea74 esi=0024e238 edi=00000002
eip=553a2ff3 esp=0024e180 ebp=0024e180 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Users\rhensing\AppData\Local\Google\Chrome\Application\0.2.149.27\chrome.dll -
chrome_553a0000+0x2ff3:
553a2ff3 cc              int     3
0:000> ub eip
chrome_553a0000+0x2fe3:
553a2fe3 56              push    esi
553a2fe4 e8d5dc5d00      call    chrome_553a0000!ChromeMain+0x5ddb99 (55980cbe)
553a2fe9 59              pop     ecx
553a2fea 8bc6            mov     eax,esi
553a2fec 5e              pop     esi
553a2fed c20400          ret     4
553a2ff0 55              push    ebp
553a2ff1 8bec            mov     ebp,esp

Why is this crash interesting?  Because it crashes the medium IL 'kernel' process and not the low IL 'sandbox / rendering engine' process (though that process does exit when the parent process dies)!!  Why is that interesting?  Because it points to protocol handler abuse as a potential way to bypass the protection measures of the low IL rendering engine sandboxes! 

Overall - I have to admit - I am in love with Chrome - the UI is fantastic, the rendering is pretty fast, and it's very intuitive and clutter free . . . that said - I'm very concerned about the code quality given that in less than 24 hours we've got one confirmed remote code execution vuln (one that was already patched by Apple in the same source code weeks ago!) and one 'interesting' discovery / crash - that is certainly going to draw attention to fuzzing protocol handlers and maybe lead to the discovery of something even more interesting.

Welp - the ball has been resoundingly slammed back over the net at Google - and it will be interesting to see how they respond.  Will they release a blog detailing what's going on with the protocol handler debug break above?  Will they release an update soon that corrects these two issues?  Will they talk about how these issues were missed and what they're doing to ensure there aren't variations all over the place?

On Chromium and Practical Windows Sandboxing

posted: 03 Sep 2008

So tonight a friend sent me this URL which offers a bit more technical detail on how Google's new 'Chrome' browser implements its 'sandbox' for the rendering engine processes: http://crypto.stanford.edu/websec/chromium/chromium-security-architecture.pdf

If you read up on the sandbox you will discover that Google is doing essentially the following things:

  1. Using the CreateRestrictedToken API and AdjustTokenPrivileges to lock down the token the rendering process is running with.
  2. Using a Job object to place limitations on what the rendering process can do.
  3. Running the rendering process on a separate desktop to prevent window message abuse.

Hmmm . . . this all sounds familiar . . . where have I read about this type of sandbox before?  Oh that's RIGHT . . . on David LeBlanc's blog:
http://blogs.msdn.com/david_leblanc/archive/2007/07/27/practical-windows-sandboxing-part-1.aspx <-- CreateRestrictedToken
http://blogs.msdn.com/david_leblanc/archive/2007/07/27/practical-windows-sandboxing-part-2.aspx <-- Job Object
http://blogs.msdn.com/david_leblanc/archive/2007/07/27/practical-windows-sandboxing-part-3.aspx <-- Locking down a process on a different desktop to prevent WM abuse.

Now obviously his blog posts are over a year old . . . Chrome just released today along with the whitepaper I linked to above (the create date on the PDF was 9/2/2008 so this doesn't appear to be something old that I'm just now reading) - but in the "references" section - I didn't see any acknowledgement of Dave's work on building the MOICE sandbox (which clearly seems to have given the Google Chrome team some inspiration?  Or perhaps great minds just think alike).  Dave also presented this at Blackhat last year I believe.

Having said all of that - this does appear on the surface to be a rather well thought out browser / sandbox . . . what I find interesting is how . . . "quaint" the new Chrome browser makes FireFox 3.0 look! :)  I mean FireFox 3.0 was touted for its "security" and is heavily hyped as being the most secure browser by people not grounded in reality.  In reality that browser offers even less protection / mitigation against web exploits than IE7 on Vista and of course it has had quite a few vulns in its short lifetime (9 CVEs so far?).  Now we have Chrome which seems to be over the top with respect to protection technology that Windows can offer - possibly even going above and beyond what we have planned for IE8? 

All I can say is - "dang". :)

So the only concerns I have left are:

  1. Does Google have an SDL?  Are they using any banned / dangerous Windows APIs?  Do they have any sort of automated code analysis that is occurring looking for defects as it's checked in?  Are they compiling with the latest C compiler and opting in to things like /GS, /SafeSEH, /NXCOMPAT, /DYNAMICBASE etc.?  Clearly they are open sourcing this - but are qualified eyeballs being paid to review the code and look for weakness or are they just assuming that someone will . . . for free?  They clearly seem to have threat modeled and pen-tested which is important - but at the same time they seem to have started from an older version of WebKit which Apple has already patched in a recent Safari build . . . this causes some concern.
  2. How strong is the sandbox?  Will catastrophic jail breaks be discovered that are challenging or architecturally impossible to fix rendering them useless against some future Metasploit module? :)

I for one don't run FireFox 3.0 . . . I don't consider it even a worthy challenger (though it sure is fast) to IE7 let alone IE8 (due to lack of protection / mitigation technologies, the vuln counts etc.), but I AM going to install Chrome and give props to the folks over at Google for impressing me - this is definitely no "Google Safari 3" or "Google FireFox 3" like I was expecting. :)

Google Chrome coming today? Launch early and iter

posted: 02 Sep 2008

UPDATE:  Reading the Google chrome comic that I received offline - man, I have to admit, this does sound pretty hot.  Lots of interesting things - but first and foremost the one that security geeks will care about most - they have in some way ACL'd the tab processes to make them like a 'jail' or 'sandbox'.  They seem to have not only disabled write access to the file system ala low rights IE (no write-up policy) but seem to have taken the low IL concept a step farther even!  In the comic they explicitly call out our BIBA-like implementation of integrity levels and talk about how low IL processes can read up to a higher IL, but they can't write-up (i.e. low IL can't write to Medium IL but it CAN read medium IL data which may still be sensitive) . . . in their model they are claiming that low rights processes can't even read up unless some action is explicitly taken by the user.  If true, that's huge and a compelling win over FireFox right there in and of itself . . . and may even give them an edge over IE8 on Vista?  We'll have to see how strong that sandbox is . . .  Whoa . . . I also like the Task Manager for Chrome that lets you track CPU usage / memory consumption by tab.  The updated JVM sounds interesting as well . . . looks like they have written their own JVM from the ground up and focused on speed and making garbage collection work right.  Also it appears you'll be able to move tabs from the main UI to their own separate window - so you could have one tab on one LCD and another tab on another . . . also what they are calling the 'Omnibox' (the URL bar) is described in a downright Steve Jobs like fashion as being "perfectly, aesthetically, non-distracting", and heh - they also have a 'porn mode' where nothing gets saved locally just like IE8  . . . man . . . I have to admit - I'm probably going to have to install this and play with it (though not because of porn mode. :)).  
Finally - the comic also does call out that they have at least done fuzzing (cute picture of presumably infinite monkeys hammering away at infinite keyboards) and they even go into some of the automated testing they do with the daily builds to make sure they can render the most popular pages right etc.  All very interesting stuff!

-----------------------------------------------------------------------------------------

Man - between vacation and working on special projects - I've been pretty busy for the last month and haven't had any time to blog about stuff.  Probably won't be any reprieve in the near future but here's a quickie.
Sooo . . . last night I heard about Google Chrome from a friend . . . which I believe is being released for Windows today?

http://blogoscoped.com/archive/2008-09-01-n47.html
http://googleblog.blogspot.com/2008/09/fresh-take-on-browser.html <-- Official blog

At first glance - this seems cool - they have adopted the tab per process model like we have with IE8 to help isolate web apps running in tabs . . . but then they have added a new feature that will let web pages be launched without "chrome" (well - what we used to call chrome heh) . . . that would be the address bar and toolbar etc.  If you remember we actually worked hard to *prevent* web sites from being able to do this sort of stuff in IE6 on XPSP2 after realizing it was a bad idea (go here: http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/appendix.mspx?mfr=true click on 'Window Restrictions') due to phishing attacks and other nefarious things that malicious web sites could do to try and trick users.  Here's hoping Google has thought of this and is not re-living the mistakes of the past like Apple seems to be with Safari. :)

I'm actually pretty excited about this . . . I know the IE team has been working super hard on making IE8 not only fast - but extremely secure.  We've already seen FireFox 3 getting beat up pretty badly with the first vulns appearing just hours after its release - and Safari is pretty bad from a security PoV it would seem based on all of the vuln reports and stupid old-school "too many chars in a tag" type bugs that were present at launch.  So I'm excited to not only have yet more browser competition but I'm also excited to see how seriously the Google developers actually take secure coding (I'm sure we'll find out soon if they launch Chrome today).  From their blog, their mantra of "launch early and iterate" (if I understand the meaning properly) seems a bit dangerous in this day and age . . . hmm - speaking of iterating - I wonder how well their auto-update mechanism will work for Chrome . . . and whether it will be MITM'able like other 3rd party vendors or whether it will work on Vista as a standard user . . .

It will also be interesting to see whose market share Chrome eats into . . . I bet it hurts FireFox more than IE. :)

RedHat Package Signing Server - Pwnd

posted: 22 Aug 2008

EDIT: Holy crap: http://rhn.redhat.com/errata/RHSA-2008-0855.html
"In connection with the incident, the intruder was able to sign a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
architecture only). As a precautionary measure, we are releasing an
updated version of these packages, and have published a list of the
tampered packages and how to detect them at
http://www.redhat.com/security/data/openssh-blacklist.html"

Original blurb which sort of contradicts the above blurb . . . wow . . . just . . . wow:
Oh . . . My . . . God: https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

Will anyone pay attention to this?  Does anyone care?  Probably not . . . I can't imagine what the fallout would be if our WU / MU / AU servers got pwnd like this.  It's like . . . the package signing server and stuff.  At least they seem to be doing the right thing and are going to issue new signing keys etc. and will hopefully revoke the old ones.  Wow.

Been a busy two weeks - been on the road - working till 2am - thus the lack of blog material.  I heard from someone very clueful that I should give Microsoft a FOGA for the .NET stuff Dowd and Sotirov found and demo'd at Blackhat . . . still haven't read that paper . . . I swear I will on the plane home. :(

Happy Patch Tuesday - Random thoughts

posted: 13 Aug 2008

The SnapShot Viewer 0-day that has seen limited exploitation in the wild is now patched - here's an interesting write-up with some things you may not have known about it.  Here's the deal - IE Protected Mode, while not a true defendable security boundary - is awesome and this particular vulnerability proves its worth.  This vuln allowed a bad guy to write an arbitrary file to an arbitrary location on disk without having to run shellcode or perform heap spray.  That's about as bad as it gets vuln-wise because there's little or no risk of crashing the browser and the victim may not even realize what's happened.  On Windows XP with IE6 this is all fail, all the time - because your mom running IE6 on Windows XP is likely running with admin rights - which means not only is she NOT going to get a gold bar prompt blocking the instantiation of the buggy AX (we introduced that in IE7), but since she's also running as admin - the AX can write the malware anywhere it wants (like to any of the known auto-start entry points (ASEPs) that are available to admins).  On Vista the exploit would be full of fail.  Why?  Well for starters if the AX control has never been used by IE before - it will be blocked from being loaded behind a gold bar vs. just running silently.  If the user decided to trust the AX and allow it to run (it is after all a Microsoft AX) the bad guys would probably assume they could write their malware to say the Windows directory or if they were more sophisticated the user's startup folder (which would work for non-admins) - but on Vista - even THAT would be full of fail due to Protected Mode IE.  PMIE is on by default (along with UAC which is what makes it possible) and it means that IEXPLORE.EXE is running at "Low" integrity.  This means that the only folders that the IEXPLORE.EXE process can write to are ones that have a Low IL label.  How do you know which folders have a "Low" integrity label allowing processes running at Low IL to write to them?
Let me show you:

C:\Users\rhensing\AppData>dir
 Volume in drive C has no label.
 Volume Serial Number is 3E4D-4005

 Directory of C:\Users\rhensing\AppData

08/12/2008  04:51 PM    <DIR>          Local
08/01/2008  06:10 PM    <DIR>          LocalLow
06/23/2008  09:19 AM    <DIR>          Roaming
               0 File(s)              0 bytes
               3 Dir(s)   5,155,340,288 bytes free

C:\Users\rhensing\AppData>icacls LocalLow
LocalLow NORTHAMERICA\rhensing:(F)
         NORTHAMERICA\rhensing:(OI)(CI)(IO)(F)
         NT AUTHORITY\SYSTEM:(F)
         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
         BUILTIN\Administrators:(F)
         BUILTIN\Administrators:(OI)(CI)(IO)(F)
         Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)  <---- Lookie here!

Successfully processed 1 files; Failed processing 0 files

The AppData\LocalLow folder is, I believe, the only folder that's writeable by a Low IL process.  And it's not an ASEP so assuming the bad guys adjusted their exploits to start dropping their malware in that folder - they'd have to still find a way to get it to execute (i.e. chain this vulnerability with some other one that allows you to run a program from a known location).
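
The write-up rule described above, as an added Python example (not code from the post): it pulls the mandatory-label ACE out of icacls output and decides whether a process at a given integrity level, such as Low IL IEXPLORE.EXE, can write to the directory. The LocalLow listing is the one shown above re-typed as a constructed sample; the unlabelled Local listing is also constructed; the level names and the NW/NR/NX policy letters are icacls' own, and the Medium default for unlabelled objects is how Windows evaluates them.

```python
"""Apply the Windows no-write-up rule to a directory from the mandatory
label ACE that icacls prints.  Added example, not code from the post."""
import re

# Integrity levels in ascending order; writing from a lower level to a
# higher-labelled object ("write-up") is what the label policy blocks.
LEVELS = ["Untrusted", "Low", "Medium", "High", "System"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# icacls renders the label ACE as, e.g.,
#   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
# OI/CI/IO are inheritance flags; the policy letters are
# NW = no write-up, NR = no read-up, NX = no execute-up.
LABEL_RE = re.compile(
    r"Mandatory Label\\(?P<level>Untrusted|Low|Medium|High|System) Mandatory Level:"
    r"(?P<aces>(?:\([A-Z]+\))+)"
)
INHERITANCE = {"OI", "CI", "IO", "NP", "I"}


def mandatory_label(icacls_output: str):
    """Return (level, policy_flags) for the label ACE, or None if the
    directory carries no explicit label."""
    m = LABEL_RE.search(icacls_output)
    if m is None:
        return None
    flags = set(re.findall(r"\(([A-Z]+)\)", m.group("aces")))
    return m.group("level"), flags - INHERITANCE


def can_write(process_level: str, icacls_output: str) -> bool:
    """True if a process at process_level may write to the directory.
    Objects without an explicit label are treated by Windows as Medium
    with no-write-up, which is why Low IL IEXPLORE.EXE can write to
    AppData\\LocalLow but not to AppData\\Local, even though the DACL
    grants the user full control on both."""
    label = mandatory_label(icacls_output)
    object_level, policy = label if label else ("Medium", {"NW"})
    if "NW" not in policy:
        return True                     # label present but write-up not restricted
    return RANK[process_level] >= RANK[object_level]


# Constructed samples: the LocalLow listing from the post, re-typed, and a
# Local listing with the same DACL but no label ACE.
LOCALLOW = """\
LocalLow NORTHAMERICA\\rhensing:(F)
         NORTHAMERICA\\rhensing:(OI)(CI)(IO)(F)
         NT AUTHORITY\\SYSTEM:(F)
         BUILTIN\\Administrators:(F)
         Mandatory Label\\Low Mandatory Level:(OI)(CI)(NW)
"""
LOCAL = """\
Local NORTHAMERICA\\rhensing:(F)
      NT AUTHORITY\\SYSTEM:(F)
      BUILTIN\\Administrators:(F)
"""

if __name__ == "__main__":
    for name, listing in (("AppData\\LocalLow", LOCALLOW), ("AppData\\Local", LOCAL)):
        print("%-18s label=%s  Low IL can write: %s" % (
            name, mandatory_label(listing), can_write("Low", listing)))
```

Because the label ACE carries (OI)(CI), everything created under LocalLow inherits the Low label, so the check applies to the whole subtree, not just the top folder.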

Let's see, what else is interesting this month . . . OH we released a blog on how we can use the programmable 010 hex editor from Sweetscape to detect malicious Word documents that attempt to exploit vulnerabilities.  If you're interested in the gory details of that you can read about it here.  Essentially if you know the binary file format - you can teach this hex editor how to parse the file and then you can inspect the various bytes of data you read from the various meaningful offsets in the file to determine whether they represent an attempt to exploit a known vulnerability - it's pretty cool stuff.

The truth about the Dowd / Sotirov Vista memory pr

posted: 13 Aug 2008

Good short interview with Sotirov who clarifies what actually happened at Blackhat for some folks: http://blogs.zdnet.com/Bott/?p=513

He mentions some interesting stuff - like how they worked with us, we gave them feedback, worked with the other vendors etc.  I haven't had time to read their whitepaper yet (though I will this weekend). :(

VMWare Fail Closed Goat Award

posted: 12 Aug 2008

Here's one for the schadenfreude files - VMWare users running ESX 3.5.x Update 2 will be unable to power on their machines today / tomorrow / ever after until a fix is released by VMWare to correct a licensing bug that causes legit copies of the software to expire on August 12th: http://kb2.vmware.com/kb/1006716.html.  Looks like it's already hit some Aussie users and other assorted folks who live in the future.

Oops.

Sometimes - I guess - it's better to fail open. :)

p.s. - love the "roll the clock backwards" workaround mentioned in the VMWare forums.

OpenID Fail Open Goat Award

posted: 09 Aug 2008

Really interesting that CRL checks aren't baked into a lot of open source OpenID providers:

http://www.links.org/files/openid-advisory.txt

Sun has already updated their web site with this disclaimer:

Security Issues

OpenID is an untrusted protocol. Sun has no liability for what happens to any information you give to a third-party web site using this service. Most OpenID-enabled sites are genuine but some may be phishers or other rogues. Sun currently has no way of distinguishing the good sites from the bad. Do not use the OpenID@Work service for any high-value, critical, or Sun proprietary information.

Be aware of DNS poisoning, which has been in the news a lot in 2008. We recommend that you test your connection, for example using the tests at DoxPara Research, to be sure that the site you think you are connecting to, and trusting with your identity, is in fact the right site. You could also consider using Sun's VPN for all browsing as the Sun systems are not affected by the DNS poisoning problem.

Wow . . . just . . . wow.

SQL injection is teh suck . . .

posted: 03 Aug 2008

So do something about it: http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx

We give you 3 different ways to combat SQL injection on our platform above including an update to one of my all time favorite tools - URLScan!
Here's a blog post from a senior IIS dev-dude (Wade Hilmo) on the new URLScan and some of the new features: http://blogs.iis.net/wadeh/archive/2008/06/24/urlscan-v3-0-beta-release.aspx

Dino secretly wants Apple to release 64bit Vista

posted: 03 Aug 2008

Interesting article from Dino: http://blogs.zdnet.com/security/?p=1325

Vista x64 has like . . . 4.5 out of 5 of things he wants.  Love the comment in there about making the heap non-executable. :)

Today's FOGA goes to Google for (implicitly) admit

posted: 03 Aug 2008

Man - not sure why this didn't grab the media's attention until today: http://www.pcworld.com/businesscenter/article/147503/group_says_google_a_top_source_of_badware.html

March was apparently a bad month for the Google properties: http://blogs.stopbadware.org/articles/2008/04/05/infections-stats-for-march-2008 (wasn't this also around the time the bad guys figured out they could XSS various high profile web sites that were accepting tainted search result data from Google without sanitizing it?)

Google's response: http://blogs.stopbadware.org/articles/2008/04/07/commentary-on-top-infection-stats

Also of note is the Badware.org response to Naraine's blog calling Apple to task for distributing potentially un-wanted products with Safari security updates: http://blogs.stopbadware.org/articles/2008/06/24/naraine-apple-software-update-still-badware

We're going for an Olympic Silver(light)

posted: 01 Aug 2008

Sort of an interesting story on how it came to be that Microsoft Silverlight was chosen to broadcast the Olympics via the series of interconnecting tubes: http://news.cnet.com/8301-13860_3-10003752-56.html?tag=nefd.lede

I'm guessing Silverlight supports our VC-1 codec which rules them all . . . I recently used Expression Encoder 2.0 to encode a 1 hour DVR-MS file (an MPEG 2 stream) from 1.6GB down to 550Mb with little to no loss in quality - it's amazing . . . it's the mirrors.

Today's Fail Open Goat Award goes to: Insecure 3rd

posted: 29 Jul 2008

You'll notice Microsoft's auto-updaters (Windows Update / Microsoft Update / Automatic Updates) are not on the list.  Why?  Because we're paranoid, and we anticipated this type of threat years ago and mitigated it by signing all of our binaries and only allowing our updater to install binaries signed by us.  I guess other vendors didn't get the memo. :)

Excerpt:

'....A security research outfit in Argentina has released a malcode distribution toolkit capable of launching man-in-the-middle attacks against popular products that use insecure update mechanisms.

The first version of the toolkit ships with exploit modules for several widely deployed software, including Apple’s Mac OS X and iTunes, WinZip, Winamp, OpenOffice and Sun Java.

A demo video provides a scary look at how a sophisticated blended attack can be used to target millions of Windows users.

In the video, Evilgrade uses HD Moore’s recent DNS exploit in tandem with Sun’s Java update mechanisms to execute code and hijack a fully patched Windows machine......'

To read the complete article see:
http://blogs.zdnet.com/security/?p=1576
http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt

2% of a big number, is a big number

posted: 24 Jul 2008

Don't be evil.
http://blogs.pcmag.com/securitywatch/2008/07/google_blogger_hosts_2_of_worl.php

Microsoft Mojave

posted: 24 Jul 2008

"We are here in San Francisco, where we've secretly replaced the fine operating system these people usually use with Windows Vista, Let's see if anyone can tell the difference!"

http://news.cnet.com/8301-13860_3-9998336-56.html?tag=nefd.lede

Antivirus fail . . .

posted: 24 Jul 2008

Lately I'm not a big fan of AV and it amazes me that AV hasn't been beaten up more badly than it has given how it runs on pretty much every desktop in the civilized world and how critical writing solid, secure code is these days. 
It looks like .Nruns is speaking out: http://www.prweb.com/releases/aps-av/nruns/prweb1134004.htm

At a presentation at Blackhat Federal last year the guys from Immunity talked about how most / all of the AV engines out there are compiled with old / crusty compilers that don't support things like stack cookies or ASLR or DEP etc. which makes exploiting the engine all the more easy if there's a vulnerability in it.

Well I can tell you there is at least ONE AV engine (ours) that is written not only to the highest secure coding standards, but it's also compiled with a modern compiler and so it supports all of our latest mitigation technologies making it harder to exploit should one find a vulnerability in our parser.  Over its life - I think there's only been 2 vulnerabilities in our parser - and I think one of them was only a DoS type vuln.  We may not have the best detection rates compared to our competitors but I all but guarantee ours is the least dangerous engine to run - as such I wouldn't feel dirty running it myself or recommending it to friends / family because I'm pretty sure you're not going to get owned by our AV engine.

DNS Fail Open Goat Award

posted: 24 Jul 2008

Kaminsky's flaw has a metasploit module: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

On the Internet - no one hears your screams.

Pwnie Awards - Vista nominated for . . .

posted: 22 Jul 2008

Most Epic Fail: http://pwnie-awards.org/2008/awards.html#fail

Gee . . . I hope we . . . win?  No . . . wait . . .

Windows Vista for proving that security does not sell

$100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is choosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements.

The good thing about the Vista debacle is that no other vendor will care to do such a security push, which means that we'll be able to easily own any piece of software for the foreseeable future.

Chris Rohlf joins Matasano

posted: 13 Jul 2008

I have mad respect for Matasano and I can't believe a friend of mine now works there!
http://www.matasano.com/log/1088/hello-a-self-introduction-by-chris-rohlf/

Congrats dude!

Dan's DNS checker - We need a new ship!

posted: 13 Jul 2008

Here's an interesting, somewhat reflective blog from Kaminsky on security researcher drama, and how in an ideal world lots of trusted peers would get to review your vulns and fix plans before the patches ship: http://www.doxpara.com/?p=1164  Sadly - in the real world it doesn't always get to work that way for a lot of interesting reasons but I'm glad everyone worked it out and is happy again.

I also love the DNS checker on the right side of his blog.  Dan allowed me to discover that Bellsouth apparently doesn't patch in a timely fashion (and I suspect - AT ALL) . . . not that it matters to me - it's not like DNS is a secure sort of protocol anyways or was ever intended to be one (I mean - just grep through a DNS RFC like this one: http://www.faqs.org/rfcs/rfc1035.html looking for the word 'secure' or 'security') . . . so I don't really trust that even with all of the latest DNS security update creamy goodness applied that there would be no ways for nefarious types to have fun with DNS at my expense . . . so thus while I find Dan's vuln to be pretty cool in a scientific sort of way, at a macroscopic / real world level, with respect to how data travels through the series of interconnecting tubes, it sort of seems to me a bit like the crew of a strafed, torpedoed and badly listing ship which is heading towards an underwater minefield responding to and patching the bullet holes in the hull . . . it may give them something to do and make them feel better temporarily, but at the end of the day it just doesn't matter - that ship is still going down.  You needn't worry about plugging those holes as the battle to save the ship has already been lost - clearly what is needed at that point - is a new, more secure ship.

So with that said - I always find it sort of amusing (and sad) at how fundamentally insecure communications on the Internets are to this day (with respect to spoofing, tampering and other S.T.R.I.D.E. type threats) and most of my ire is focused on DNS and lower level protocols which I still can't believe are in use to this day in the year 2008 . . . but DNS is really just one insecure protocol riding on and trusting other insecure protocols so at the end of the day when I wax all philosophical I have to wonder - "does yet another DNS update really matter, when there are so many other problems with the way we convey packets on the Internet today?".

Well of course it matters but I mean think about it . . . let's start at the bottom with the lowest level protocol that I have a beef with:  ARP.  We still to this day rely on it, errantly and against our better judgement, to begin the process of conveying information from one machine to another, and so to this day it's being exploited for nefariousness: http://blogs.zdnet.com/security/?p=1242.  Again - this is happening in the year 2008!

Work your way up the stack - there are many other by design vulnerabilities at each layer that require new more secure versions of the protocols (that likely already exist or have been proposed) to resolve . . . but yet they aren't widely deployed or used on the Internets - so I guess that's why I find it sort of silly to get all worked up about DNS.  Yeah it's important - but so are lots of other minor things like ARP or IP which also seem pretty bad (to me).

Um, captain?  Can we like . . . get a new ship pleaze?  OKTHXBAI!

(p.s. - Forgive the bad warship analogies - I'm finally getting around to reading Cryptonomicon which is largely centered around fictitious events of WWII so submarines, warships, bullet holes etc. are very much on my mind. . . )

Adobe Acrobat 9 - Creamy Security Goodness (on Vis

posted: 03 Jul 2008

So I noticed yesterday that Adobe had quietly released Acrobat 9 to the web.  I decided to download it and check it out to see if they had finally gotten a copy of the memo (it's just that we're putting cover sheets on all of our TPS reports now) and decided to start opting in to some of the exploit prevention technologies we provide on Vista / WS2008 (like Apple has with QuickTime).

Well folks - I am super pleased to report - Adobe has finally gotten serious and released a version of Acrobat that supports not only DEP in permanent mode - but also ASLR!  (Now if we could just convince people that Vista isn't all the suck that the media hypes it up to be so that they would install it and get the benefit of ASLR).

So a huge round of applause for Adobe please - even though opting in to these features involves just a couple of additional linker switches - it's certainly not that easy in reality and could have involved switching compilers, performing lots of additional testing, working with 3rd parties to make sure their additions / plug-ins still work or will work, etc. etc.

Anyhoo - here's the gory details from the linker:
C:\Program Files (x86)\Adobe\Reader 9.0\Reader>dumpbin /headers AcroRd32.exe
Microsoft (R) COFF/PE Dumper Version 9.00.21022.08
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file AcroRd32.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               5 number of sections
        4850F0A3 time date stamp Thu Jun 12 05:47:15 2008
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            8.00 linker version
            4000 size of code
           4F000 size of initialized data
               0 size of uninitialized data
            4054 entry point (00404054)
            1000 base of code
            5000 base of data
          400000 image base (00400000 to 00453FFF)
            1000 section alignment
            1000 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
           54000 size of image
            1000 size of headers
           56920 checksum
               2 subsystem (Windows GUI)
             140 DLL characteristics
                   Dynamic base // ASLR! W00T!!!
                   NX compatible // DEP (Permanent) W00T!!!
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            795C [      8C] RVA [size] of Import Directory
            A000 [   48F54] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
           54000 [    1568] RVA [size] of Certificates Directory
           53000 [     69C] RVA [size] of Base Relocation Directory
            5270 [      1C] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
            71E0 [      40] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
            5000 [     234] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory
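
What dumpbin shows in those two annotated lines can be checked programmatically; this is an added Python example (not from the post, nor Adobe or Microsoft tooling) that reads DllCharacteristics straight out of the PE optional header and reports the /DYNAMICBASE and /NXCOMPAT opt-ins the Chromium post above asked about, with one caveat dumpbin does not flag: Dynamic base only buys ASLR if the Base Relocation Directory is non-empty. The IMAGE_DLLCHARACTERISTICS bit values are from winnt.h; the sample header it builds for an offline run is constructed, borrowing only the timestamp and relocation-directory size shown above.

```python
"""Read a PE image's DllCharacteristics and report the /DYNAMICBASE (ASLR)
and /NXCOMPAT (DEP) opt-ins that dumpbin /headers prints as "Dynamic base"
and "NX compatible".  Added example, not code from the post."""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits (winnt.h)
DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: image may be rebased, so ASLR applies
NX_COMPAT = 0x0100      # /NXCOMPAT: loader turns DEP on permanently for the process
NO_SEH = 0x0400         # image contains no SEH handlers at all (/SAFESEH is separate)

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINES = {0x14C: "x86", 0x8664: "x64"}
BASE_RELOC_DIR = 5      # index of the Base Relocation data directory


def parse_mitigations(image: bytes) -> dict:
    """Return the header fields that decide whether ASLR and DEP apply."""
    if image[:2] != DOS_MAGIC:
        raise ValueError("not a PE image (no MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, _stamp, _, _, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, coff)
    opt = coff + 20                 # optional header follows the 20-byte COFF header
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts;
    # NumberOfRvaAndSizes / the data directories start at 92/96 (PE32)
    # or 108/112 (PE32+).
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    ndirs_off, dirs_off = (108, 112) if magic == PE32PLUS_MAGIC else (92, 96)
    reloc_size = 0
    if opt_size >= dirs_off + 8 * (BASE_RELOC_DIR + 1):
        (ndirs,) = struct.unpack_from("<I", image, opt + ndirs_off)
        if ndirs > BASE_RELOC_DIR:
            _rva, reloc_size = struct.unpack_from(
                "<II", image, opt + dirs_off + 8 * BASE_RELOC_DIR)
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    return {
        "machine": MACHINES.get(machine, "0x%X" % machine),
        "dll_characteristics": dll_chars,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr_flag": aslr_flag,
        # The flag alone is not enough: without a relocation table the loader
        # cannot actually move the image, so the opt-in is hollow.
        "aslr": aslr_flag and reloc_size > 0,
        "no_seh": bool(dll_chars & NO_SEH),
    }


def build_sample_pe(dll_characteristics: int, reloc_size: int = 0x69C) -> bytes:
    """Constructed minimal x86 PE32 header (no sections) for an offline run.
    Only the timestamp and relocation-directory RVA/size are taken from the
    dumpbin output above; nothing else is copied from AcroRd32.exe."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0x4850F0A3, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASE_RELOC_DIR, 0x53000, reloc_size)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Parse a PE file on disk (e.g. AcroRd32.exe) and return its mitigation fields."""
    with open(path, "rb") as fh:
        return parse_mitigations(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [(p, check_file(p)) for p in targets] if targets else [
        ("constructed header, 0x140", parse_mitigations(build_sample_pe(0x140))),
        ("constructed header, no opt-ins", parse_mitigations(build_sample_pe(0))),
    ]
    for name, info in results:
        print("%-32s %s DllCharacteristics=0x%03X ASLR=%s DEP=%s" % (
            name, info["machine"], info["dll_characteristics"], info["aslr"], info["dep"]))
```

Run it with one or more paths to check real binaries; with no arguments it parses the constructed headers.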

Memory dumpers for Windows

posted: 03 Jul 2008

So I still get IR related questions on occasion . . . one of which being 'what is the best way to dump memory on Windows'.  I honestly am hopelessly out of touch - I haven't done IR in many years now - but I came across some interesting tools that seem to have been released recently that I thought I'd share for the IR folks:

First up - Suiche - of 'Sandman' fame released a memory dumping tool: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/

Next up is the ManTech Memory DD tool: http://www.mantech.com/msma/MDD.asp

Vulnerable Web Browser Study - Full of Fail

posted: 01 Jul 2008

So came across an interesting report today from various security folks (including Gunter Ollmann from ISS): http://www.techzoom.net/papers/browser_insecurity_iceberg_2008.pdf

I can appreciate what they are trying to do - and I believe they were probably trying to be as un-biased and scientific as they possibly could given the nebulous goal of the study but it was, unfortunately, full of fail (at least with respect to the IE results).  What they seem to have done is combed the Google logs looking at the user-agent strings over a 1.5 year period to gather major + minor version information for the browsers they studied. The only problem?  IE doesn't send minor version information, so there's no way to determine IE patch levels from the user-agent string.  Oops.

So to compensate for that they:

  1. Threw out all IE 5.x and 6.x major version info for some reason - they say it's because IE7 is the most secure version.  While that is true - it is quite possible to be running fully patched IE 5.x or IE 6.x and be just as protected as a user running fully patched IE 7.x.  Why?  Because we will patch and support IE 5.x for as long as Windows 2000 is supported and IE 6.x for as long as XP is supported.  This makes the major version of IE much less interesting than say for Mozilla FireFox which as near as I can tell only supports the previous major version for 'up to 6 months' after the current major version is released.  I can imagine if we only supported IE 5.x and IE 6.x for 6 months after IE 7.x was released you'd see a lot more uptake on IE7 than we have - but alas - most businesses won't deploy new major versions unless they *have* to and with IE - they don't *have* to.
  2. They looked at a *completely different data set* for IE minor version info!!!  So for everything but Internet Explorer - they examined the Google logs, but for IE they relied on voluntary installs of the Secunia software inspector thing which is (I believe) a client-side app that will scan your machine and figure out the patch levels for various things and upload the results to Secunia.  Secunia claims about half a million installs so it's not insignificant - but it's also not comparable to combing the Google logs either (IMHO - but I'm not a statistician and wouldn't even try to play one on TV) and since it's not even the same set of data - I can't fathom why they felt it was scientifically valid to include along side the other browser results!

For these simple facts - I really don't think it was wise to add IE to the mix . . . they should have (in my opinion) stuck to examining the Google logs - and stuck to examining the user-agent strings for browsers that report minor version information.  Apples to Oranges comparisons aren't very good.