Microsoft Zero Day security holes being exploited

[cquirke (MVP Windows shell/user)]

On Tue, 26 Sep 2006 07:46:22 -0400, "karl levinson, mvp"

All operating systems do that. They are designed to launch code at boot
time by reading registry values, text files, etc. Because those registry
values are protected from unauthorized access by permissions, someone would
have to already own your system to modify those values, wouldn't they?

Sure, but the wrong entities come to own systems all the time.
Defense in depth means planning for how you get your system back; you
don't just faint in shock and horror that you're owned, and destroy
the whole system as the only way to kill the invader.

It's tougher for pro-IT, because they've long been tempted into
breaking the rule about never letting anything trump the user at the
keyboard. By now, they need remote access and admin, as well as
automation that can be slid past the user who is not supposed to have
the power to block it, in terms of the business structure.

But the rest of us don't have to be crippled by pro-IT's addiction to
central and remote administration, any more than a peacetime urban
motorist needs an 88mm cannon in a roof-top turret. We need to be
empowered to physically get into our systems, and identify and rip out
every automated or remotely-intruded PoS that's got into the system.

It's absolutely pathetic to have to tell posters "well, maybe you have
'difficult' (i.e., compitently-written) malware; there's nothing you
can do, 'just' wipe and re-install" because our toolkit is bare.

-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.

 

[imhotep]

Who said anything at al about popularity ?
Scale of potential implacts/disruptions in simply a feel obtained
from the dependancy tree size, etc all as previously outlined but
apparently not comprehended by yourself.

Because your comments make no sense....

That then explains some of your blind spots

Well, one of us is....

 

[imhotep]

You are completely delusional of you think that ANY OS never has patch
problems.

I have over 12 years running misc Unix OSes (Sun/Solaris, Linux and
FreeBSD). In this time, I have NEVER been burned. Not once. Installing a
patch just works...

You do the math, kid.

Imhotep

 

[imhotep]

Check it again, if you actually look, not all patches are quick and not
all patches are without problems.

All I can say is this. I have been using UNIX (Sun/Solaris, Linux and
FreeBSD) for over 12 years. I HAVE NEVER BEEN BURNED BY INSTALLING A PATCH.
Not once. So you can read whatever third hand information you wish, but I
have 12 years of first hand information.

Again, in 12 years I have not been burned (with UNIX). Not once....the
patches just work. There is no excuse for Microsoft's screw up with
patches. If other people can do it, why can't Microsoft???

Im

 

[Dan]

On Tue, 26 Sep 2006 07:46:22 -0400, "karl levinson, mvp"


Sure, but the wrong entities come to own systems all the time.
Defense in depth means planning for how you get your system back; you
don't just faint in shock and horror that you're owned, and destroy
the whole system as the only way to kill the invader.

It's tougher for pro-IT, because they've long been tempted into
breaking the rule about never letting anything trump the user at the
keyboard. By now, they need remote access and admin, as well as
automation that can be slid past the user who is not supposed to have
the power to block it, in terms of the business structure.

But the rest of us don't have to be crippled by pro-IT's addiction to
central and remote administration, any more than a peacetime urban
motorist needs an 88mm cannon in a roof-top turret. We need to be
empowered to physically get into our systems, and identify and rip out
every automated or remotely-intruded PoS that's got into the system.

It's absolutely pathetic to have to tell posters "well, maybe you have
'difficult' (i.e., compitently-written) malware; there's nothing you
can do, 'just' wipe and re-install" because our toolkit is bare.



Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.

Exactly, Chris! The school computers (XP Pro. ones -- the school also
has 98SE computers) where I work were all configured by someone who did
not know what they were doing. They are have the remote assistance
boxes checked and that is like saying to everyone "come on in to this
machine and welcome to the party" This setting is just asking for
trouble and yet the person or people who originally set up these
machines configured them in this manner.

 

[cquirke (MVP Windows shell/user)]

cquirke (MVP Windows shell/user) wrote:

The school computers (XP Pro. ones -- the school also has 98SE
computers) where I work were all configured by someone who did
not know what they were doing. They are have the remote assistance
boxes checked and that is like saying to everyone "come on in to this
machine and welcome to the party" This setting is just asking for
trouble and yet the person or people who originally set up these
machines configured them in this manner.

All your setup dudes did wrong was to install the OS while leaving MS
duhfaults in place. By duhfault, XP will:
- full-share everything on all HDs to networks (Pro, non-null pwds)
- perform no "strength tests" on account passwords (see above)
- disallow Recovery Console from accessing HDs other than C:
- disallow Recovery Console from copying files off C:
- wave numerous services e.g. RPC, LSASS at the Internet
- do so with no firewall protection (fixed in SP2)
- allow software to disable firewall
- automatically restart on all system errors, even during boot
- automatically restart on RPC service failures
- hide files, file name extensions and full directory paths
- always apply the above lethal defaults in Safe Mode
- facilitate multiple integration points into Safe Mode
- allow dangerous file types (.EXE, etc.) to set their own icons
- allow hidden content to override visible file type cues
- dump incoming messenger attachments in your data set
- dump IE downloads in your data set
- autorun code on CDs, DVDs, USB storage and HD volumes
- allow Remote Desktop and Remote Assistance through firewall
- allow unsecured WiFi
- automatically join previously-accepted WiFi networks
- wastes huge space on per-user basis for IE cache
- duplicates most of the above on a per-account basis
- provides no way to override defaults in new account prototype

Every time one "just" reinstalls Windows (especially, but not always
only, if one formats and starts over), many or all of the above
settings will fall back to default again. Couple that with a loss of
patches, and you can see why folks who "just" format and re-install,
end up repeating this process on a regular basis.

Also, every time a new user account is created, all per-account
settings start off with MS defaults and you have to re-apply your
settings all over again. If you limit the account rights, as we are
urged to do, then often these settings lip back to MS defaults and
remain there - so I avoid multiple and limited user accounts
altogether, and prefer to impose my own safety settings.

-- Risk Management is the clue that asks:

"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"

 

[Dan]

Great Job, Chris!

I will copy and paste your reply to assist me in hardening all XP Pro.
computers. Do you have similar advice for the hardening of all the 98
Second Edition computers as well --- they are connected to the Internet
as my machine is and also are connected to the school's domain.

BTW, what are the advantages and disadvantages of connecting my machine
to the school's domain and if the school's domain is down will my
machine be down from the Internet as well if I use their domain? Thanks
and what I really need besides your advice on domains is a good article
about domains that I can read when I get a chance since I know so little
about them.

 

[cquirke (MVP Windows shell/user)]

I will copy and paste your reply to assist me in hardening all XP Pro.
computers. Do you have similar advice for the hardening of all the 98
Second Edition computers as well --- they are connected to the Internet
as my machine is and also are connected to the school's domain.

I wrote up hardening Win9x a while ago... let's see... ah:

http://cquirke.mvps.org/9x/riskfix.htm

In those days, no-one here had any kind on broadband, and ICS was
rarely used - so there was no need for TCP/IP on the LAN at all.

Avoiding TCP/IP on the LAN card has two advantages in Win9x; no DHCP
prompts, and better separation of LAN and Internet. You'd have (say)
File and Print Sharing (F&PS) on NetBEUI on LAN card, and no F&PS on
TCP/IP on DUN. The two would be well air-gapped, unless malware
established a bridge-head on one PC and re-entered the LAN from there.

Then folks wanted shared Internet access, either via ICS on DUN or via
LAN through an ADSL router. The strategy changed to; F&PS on NetBEUI
on LAN, no-F&PS on TCP/IP on LAN, and no F&PS on TCP/IP on DUN.

This worked brilliantly; most firewall software wouldn't tangle F&PS
because that wasn't on TCP/IP at all.

Then along came XP, which broke NetBEUI and IPX when it came to doing
F&PS across mixed Win9x and XP peer-to-peer networks. Believe me, I
tried getting IPX to work, as well as applying the "not supported"
NetBEUI from the XP CD. Typically, all the Win9x systems would see
each other and all the XP systems would see each other, but you
couldn't traverse the two tribes via F&PS.

So I was obliged to use the same TCP/IP protocol on both DUN and LAN,
and do F&PS on this protocol as well. Ungood.

BTW, what are the advantages and disadvantages of connecting my machine
to the school's domain and if the school's domain is down will my
machine be down from the Internet as well if I use their domain? Thanks

I'm under-experienced with domains, because I don't do server-based
LANs at all. That's a whole 'nother world ;-)

AFAIK, XP Home and Win9x can't operate as effective domain clients,
which is the main purpose of XP Pro. You can log Win9x into a domain,
but there's far less control that the domain can impose on Win9x.

This is why commentators claim that Win9x has "no security".

and what I really need besides your advice on domains is a good article
about domains that I can read when I get a chance since I know so little
about them.

That info is out there; in fact, it's the main thrust of most formal
MS tech training etc. It's really powerful but very detailed stuff,
with a fair number of cotchas and complications. For example, what
happens to a system that has domain control over its settings, when it
isn't connected to the domain?

------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)

 

[Karl Levinson, mvp]

Great Job, Chris!

I will copy and paste your reply to assist me in hardening all XP Pro.
computers. Do you have similar advice for the hardening of all the 98
Second Edition computers as well --- they are connected to the Internet as
my machine is and also are connected to the school's domain.

Windows 98 was never designed for security.

Many of the things on Chris' list were either fixed in the default settings
in Windows XP SP2, or aren't the biggest risk you need to be worrying about.
People consider XP SP2 default settings fairly secure. You can spend a lot
of time and money on lots of tweaks to the default settings, without gaining
a lot of real security.

 

[Karl Levinson, mvp]

Sure, but the wrong entities come to own systems all the time.

My point is that this one example here doesn't seem to be a vulnerability if
it requires another vulnerability in order to use it. This isn't a case of
combining two vulnerabilities to compromise a system; it's a case of one
unnamed vulnerability being used to compromise a system, and then the
attacker performs some other action, specifically changing registry values.
If this is a vulnerability, then the ability of Administrators to create new
user accounts, change passwords etc. would also be a vulnerability.

Defense in depth means planning for how you get your system back; you
don't just faint in shock and horror that you're owned, and destroy
the whole system as the only way to kill the invader.

That's a different issue than the one we were discussing. The statement
was, winlogon using registry values to execute code at boot time is a
vulnerability. I'm arguing that it is not.

Besides, it's a relatively accepted truism that once an attacker has root,
system or administrator privileges on any OS, it is fairly futile to try to
restrict what actions s/he can perform. Anything a good administrator can
do, a bad administrator can undo.

 

[Dan W.]

I wrote up hardening Win9x a while ago... let's see... ah:

http://cquirke.mvps.org/9x/riskfix.htm

In those days, no-one here had any kind on broadband, and ICS was
rarely used - so there was no need for TCP/IP on the LAN at all.

Avoiding TCP/IP on the LAN card has two advantages in Win9x; no DHCP
prompts, and better separation of LAN and Internet. You'd have (say)
File and Print Sharing (F&PS) on NetBEUI on LAN card, and no F&PS on
TCP/IP on DUN. The two would be well air-gapped, unless malware
established a bridge-head on one PC and re-entered the LAN from there.

Then folks wanted shared Internet access, either via ICS on DUN or via
LAN through an ADSL router. The strategy changed to; F&PS on NetBEUI
on LAN, no-F&PS on TCP/IP on LAN, and no F&PS on TCP/IP on DUN.

This worked brilliantly; most firewall software wouldn't tangle F&PS
because that wasn't on TCP/IP at all.

Then along came XP, which broke NetBEUI and IPX when it came to doing
F&PS across mixed Win9x and XP peer-to-peer networks. Believe me, I
tried getting IPX to work, as well as applying the "not supported"
NetBEUI from the XP CD. Typically, all the Win9x systems would see
each other and all the XP systems would see each other, but you
couldn't traverse the two tribes via F&PS.

So I was obliged to use the same TCP/IP protocol on both DUN and LAN,
and do F&PS on this protocol as well. Ungood.


I'm under-experienced with domains, because I don't do server-based
LANs at all. That's a whole 'nother world ;-)

AFAIK, XP Home and Win9x can't operate as effective domain clients,
which is the main purpose of XP Pro. You can log Win9x into a domain,
but there's far less control that the domain can impose on Win9x.

This is why commentators claim that Win9x has "no security".


That info is out there; in fact, it's the main thrust of most formal
MS tech training etc. It's really powerful but very detailed stuff,
with a fair number of cotchas and complications. For example, what
happens to a system that has domain control over its settings, when it
isn't connected to the domain?



Drugs are usually safe. Inject? (Y/n)

Thanks for the great replies as usual. I hope someone can answer your
question since I do not know. I really appreciate all the knowledge you
have provided me over the years, Chris and I see you as an awesome
person. Please accept my heartfelt and warm thanks for continuing to
help me in my endevers to help secure computers that are connected to
the Internet. I saved the information on securing the XP Pro. computers
and printed it all out for reference when securing the XP Pro. computers
at school. Apparently, they have some powerful security tied in with
the domain but it would be just great if I could help secure the systems
slowly but surely which I am doing at the site level. BTW, yesterday I
was working on a machine for a couple of hours that had been messed with
big time. I removed some spyware such as cool web junk and wild tangent
junk. The antivirus scanner did not even work -- it had been messed
with. Spybot -- Search and Destroy actually was the only scanner that
removed and detected the junk out of all of them I used but that might
have just been because of the order that I ran the scanners in. I also
installed AVG and proceeded to do a complete scan for viruses in the
system. The system froze up once and I had to pull out the power cord
and reinsert to force a reset -- oh by the way this was an XP
Professional machine --- and guess what -- error at the BIOS level.
Dang, I needed to get into the BIOS and the machine did not want to let
me into the BIOS settings. Okay, I had to leave and get information
from another member of the security computer team at our school. I got
it and returned after praying of course and bingo the BIOS screen was
showing. Thank goodness --- Yes success --- I was in and the fix was
easy from there --- just apply the proper BIOS settings that someone had
messed with and bingo the machine booted up without issue. I ended up
leaving the machine running a full anti-virus scan with AVG because it
was taking forever and the teacher of the classroom and myself needed to
go home --- it was 5pm and we were both scheduled just until 4pm. It is
amazing how time flies when you are working on computer(s).

 

[Dan W.]

Windows 98 was never designed for security.

Many of the things on Chris' list were either fixed in the default settings
in Windows XP SP2, or aren't the biggest risk you need to be worrying about.
People consider XP SP2 default settings fairly secure. You can spend a lot
of time and money on lots of tweaks to the default settings, without gaining
a lot of real security.

Yes, 98SE edition computers are not designed for security but are more
safe than XP Professional computers when regarding outside attacks.
Please see the following secunia advisories for proof of concept:

Microsoft Windows Shell Code Execution Vulnerability Advisory
Available in Danish

Secunia Advisory: SA22159
Release Date: 2006-09-28
Last Update: 2006-09-29

Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

OS: Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-3730 (Secunia mirror)


Description:
H D Moore has discovered a vulnerability in Microsoft Windows, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the Windows Shell and is
exposed via the "setSlice()" method in the WebViewFolderIcon ActiveX
control (webvw.dll). This can e.g. be exploited via Internet Explorer by
a malicious website to corrupt memory by passing specially crafted
arguments to the "setSlice()" method.

Successful exploitation allows execution of arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerability is confirmed on a fully patched system with Internet
Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be
affected.

Solution:
Set the kill bit for the "WebViewFolderIcon" ActiveX control (see
Microsoft advisory for details).

Only allow trusted websites to run ActiveX controls.

Provided and/or discovered by:
H D Moore

Changelog:
2006-09-29: Added additional information provided by Microsoft. Added
link to Microsoft advisory and updated "Solution" section. Updated
affected software.

Original Advisory:
H D Moore:
http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html

Microsoft:
http://www.microsoft.com/technet/security/advisory/926043.mspx


Please note: The information that this Secunia Advisory is based on
comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports
issued by security research groups, vendors, and others.


190 Related Secunia Security Advisories, displaying 10

1. Microsoft Vector Graphics Rendering Library Buffer Overflow
2. Microsoft Windows Indexing Service Cross-Site Scripting
3. Microsoft Windows Pragmatic General Multicast Code Execution
4. Microsoft Windows Two Vulnerabilities
5. Windows Kernel Privilege Escalation Vulnerability
6. Microsoft Management Console Cross-Site Scripting
7. Windows DNS Resolution Code Execution Vulnerabilities
8. Windows Server Service Buffer Overflow Vulnerability
9. Microsoft Windows WMF File Handling Denial of Service
10. Microsoft Windows Server Driver Denial of Service Vulnerability

Show all related advisories


Send Feedback to Secunia

If you have new information regarding this Secunia advisory or a product
in our database, please send it to us using either our web form or email
us at (e-mail address removed).

Ideas, suggestions, and other feedback are most welcome.









Learn more about our solutions

Secunia Poll

What is the worst type of attack that has affected your systems?

System Access (23%)
Denial of Service (16%)
Cross Site Scripting (7%)
Security Bypass (7%)
Other Impact (7%)
Never Been Affected (40%)

Old Polls

Most Popular Advisories

1.
Microsoft Windows Shell Code Execution Vulnerability
2.
Microsoft PowerPoint Code Execution Vulnerability
3.
Microsoft Vector Graphics Rendering Library Buffer Overflow
4.
Internet Explorer daxctle.ocx "KeyFrame()" Method Vulnerability
5.
OpenSSH Signal Handling Vulnerability
6.
Mozilla Firefox Multiple Vulnerabilities
7.
Microsoft Word Malformed Object Pointer Vulnerability
8.
Slackware update for openssl
9.
Google Mini Search Appliance Path Disclosure Weakness
10.
Mac OS X Security Update Fixes Multiple Vulnerabilities






Terms & Conditions - Copyright 2002-2006 Secunia - Compliance - Contact
Secunia

http://secunia.com/advisories/22159/

What the heck is going on. It seems like new critical security
advisories are being posted daily.

Vendor Microsoft

Product Link N/A

Affected By 154 Secunia advisories

Unpatched 19% (29 of 154 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Windows
XP Professional, with all vendor patches applied, is rated Extremely
critical

http://secunia.com/product/22/

http://secunia.com/product/13/

Vendor Microsoft

Product Link N/A

Affected By 32 Secunia advisories

Unpatched 9% (3 of 32 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Windows
98 Second Edition, with all vendor patches applied, is rated Less critical

http://secunia.com/product/11/

Vendor Microsoft

Product Link View Here (Link to external site)

Affected By 106 Secunia advisories

Unpatched 18% (19 of 106 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Internet
Explorer 6.x, with all vendor patches applied, is rated Extremely critical

http://secunia.com/product/102/

Vendor Microsoft

Product Link View Here (Link to external site)

Affected By 21 Secunia advisories

Unpatched 29% (6 of 21 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Outlook
Express 6, with all vendor patches applied, is rated Moderately critical


http://secunia.com/product/4227/

Vendor Mozilla Organization

Product Link View Here (Link to external site)

Affected By 36 Secunia advisories

Unpatched 8% (3 of 36 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Mozilla Firefox
1.x, with all vendor patches applied, is rated Less critical

http://secunia.com/product/4652/

Vendor Mozilla Organization

Product Link View Here (Link to external site)

Affected By 4 Secunia advisories

Unpatched 0% (0 of 4 Secunia advisories)

Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when
all vendor patches are applied.

This one was for Mozilla Thunderbird. I am going to try and add the 98
general newsgroup since this involves them as well.

 

[Dan W.]

My point is that this one example here doesn't seem to be a vulnerability if
it requires another vulnerability in order to use it. This isn't a case of
combining two vulnerabilities to compromise a system; it's a case of one
unnamed vulnerability being used to compromise a system, and then the
attacker performs some other action, specifically changing registry values.
If this is a vulnerability, then the ability of Administrators to create new
user accounts, change passwords etc. would also be a vulnerability.

Everyone needs to know that all computers are somewhat vulnerable if
they are connected to the Internet no matter what the defense protocol
procedures that are used to safeguard the system(s) and the network(s).

That's a different issue than the one we were discussing. The statement
was, winlogon using registry values to execute code at boot time is a
vulnerability. I'm arguing that it is not.

Besides, it's a relatively accepted truism that once an attacker has root,
system or administrator privileges on any OS, it is fairly futile to try to
restrict what actions s/he can perform. Anything a good administrator can
do, a bad administrator can undo.

It is indeed a good idea to have user accounts that have less privileges
than the admin. accounts do. If a Classic series of 9x came out that
worked well with older Windows 3.1 and DOS programs which I and the
school that I work with has a great deal of titles accumulated over the
years then it would be just great. This new 9x machine that is a
successor to 98 Second Edition would have Admin. accounts and User
accounts just like in XP but still has the overall system security of 9x
as I have provided in great detail in an above post on system
vulnerabilities in the two operating systems. The real deal is that 98
Second Edition has been out since 1999 while 98 came out in 1998 and I
think ME which was the last of the series came out in 2000. Like Chris
Quirke, has said ME introduced a lot of new concepts like System Restore
and you had the ability of drivers that did not need to be updated for a
particular system device like in 98 Second Edition. The problem was ME
started to get away from the compatibility roots that 98SE had and did
not have a resource kit like 98SE had so businesses and others did not
take it seriously. In addition, the easy exit to MS-DOS (Microsoft Disk
Operating System) was removed and the only way to DOS was through a boot
disk. The NT (New Technology) source code was flawed from the beginning
according to early Microsoft engineers in a text that I have read all
about Microsoft and its early days to present time. The early Microsoft
software engineers nicknamed it the Not There code since it did not have
the type of maintenance operating system that Chris Quirke, MVP fondly
talks about in regards to 98 Second Edition. Anyway, there was the 9x
line and the NT line and Microsoft wanted to eliminate one line of code
to allow for the focus to be on just one line of code. The problem is
that at the bare bones level the source code of 9x is actually more
secure --- I know that this is a RADICAL and hard to swallow statement
but it is TRUE!!! Windows NT (New Technology) that comes in flavors of
Windows NT, Windows 2000, Windows XP, and soon to be Windows Vista is
very secure because it has strong defenses. If you strip away the
defenses and compare the base lines of code in NT and 9x then you will
see that it is completely conclusive that 9x is more secure at the base
foundation of the kernel. This is an amazing concept. It would not
actually surprise me if Microsoft does indeed release this Classic
Series of 9x operating systems for the older software and as another
choice for consumers, businesses and governments. This Classic series
would be aimed at consumers and schools who have the need and desire of
great legacy compatibility.

Anyway, I digress and I wanted to see that System Administrators need to
learn how to edit and manually customize the registry in order to stop
the attacks that are coming in an ever increasing wave at a super fast pace.




<in-line> <afterwards too>

 

[karl levinson, mvp]

Yes, 98SE edition computers are not designed for security but are more
safe than XP Professional computers when regarding outside attacks. Please
see the following secunia advisories for proof of concept:

Maybe if you're only counting number of vulnerabilities found. But on the
other hand, there are and always will be more unpatched vulnerabilities for
Windows 98, because Microsoft is not providing patches for all Windows 98
vulnerabilities. Windows 98 lacks any ability to set ACL permissions on
files and registry values via NTFS, and you can log into Windows simply by
clicking the "cancel" button at the logon screen. On multi-user systems,
all users can read and modify all files belonging to all other users and to
the operating system. NTFS and the ability to log in as limited user
accounts has been shown to drastically reduce the amount of spyware and
adware that gets installed on a system. And availability can be an issue on
old and unsupported software like Windows 98.

Regarding hardening XP, the hardening guides from
www.microsoft.com/technet/security are very good. NSA worked with Microsoft
during their development, and as a result, NSA no longer publishes their own
hardening guides for XP, instead simply linking their web site to
Microsoft's guides.

 

[karl levinson, mvp]

Everyone needs to know that all computers are somewhat vulnerable if they
are connected to the Internet no matter what the defense protocol
procedures that are used to safeguard the system(s) and the network(s).
Agreed.

This new 9x machine that is a successor to 98 Second Edition would have
Admin. accounts and User accounts just like in XP but still has the
overall system security of 9x as I have provided in great detail in an
above post on system vulnerabilities in the two operating systems.

Fewer vulnerabilities are being reported for Windows 98 because Windows 98
is old and less commonly used, and vulns found for it get you less fame and
glory. New vulns found tend to go down as software ages and matures. A new
version of 98 would quickly be attacked and vulns found.

The real deal is that 98 Second Edition has been out since 1999 while 98
came out in 1998 and I think ME which was the last of the series came out
in 2000. Like Chris Quirke, has said ME introduced a lot of new concepts
like System Restore

Didn't XP expand on and improve the system restore feature to a level not
currently in 98 or ME?

about Microsoft and its early days to present time. The early Microsoft
software engineers nicknamed it the Not There code since it did not have
the type of maintenance operating system that Chris Quirke, MVP fondly
talks about in regards to 98 Second Edition.

If the MOS being discussed for Win 98 is the system boot disk floppy, that
was a very basic MOS and it still works on Windows XP just as well as it
ever did on Windows 98. [Sure, you either have to format your disk as FAT,
or use a third party DOS NTFS driver.] I think Chris really wants not that
kind of MOS but a much bigger and better one that has never existed. XP
also comes with a number of restore features such as Recovery Console and
the Install CD Repair features. I never use those or find them very useful
for security, but they're way more functional and closer to an MOS than the
Win98 recovery floppy or anything Win98 ever had. 98 never had a registry
editor or a way to modify services like the XP Recovery Console.

that at the bare bones level the source code of 9x is actually more
secure --- I know that this is a RADICAL and hard to swallow statement but
it is TRUE!!! Windows NT (New Technology) that comes in flavors of
Windows NT, Windows 2000, Windows XP, and soon to be Windows Vista is very
secure because it has strong defenses. If you strip away the defenses and
compare the base lines of code in NT and 9x then you will see that it is
completely conclusive that 9x is more secure at the base foundation of the
kernel.

It depends on what you consider security. Win98 was always crashing and
unstable, because there was no protection of memory space from bad apps or
bad attackers. Many environments like government consider the "strong
defenses" absolutely essential and wouldn't consider evaluating the security
of an OS that didn't have them.

Win98 doesn't have some features that some customers and people require. If
Microsoft was to release a new 98, Microsoft would probably be forced to add
those extra features and extra code that are in XP that you feel make it
less secure.

This is an amazing concept. It would not actually surprise me if
Microsoft does indeed release this Classic Series of 9x operating systems
for the older software and as another choice for consumers, businesses and
governments. This Classic series would be aimed at consumers and schools
who have the need and desire of great legacy compatibility.

Microsoft's security problems have largely been because of backwards
compatibility with Windows 9x, DOS and Windows NT 4.0. They feel, and I
agree, that Microsoft security would be a lot better if they could abandon
that backwards compatibility with very old niche software, as they have been
doing gradually.

 

[cquirke (MVP Windows shell/user)]

"cquirke (MVP Windows shell/user)" wrote in

The weakness here is that anything that runs during the user's session
is deemed to have been run with the user's intent, and gets the same
rights as the user. This is an inappropriate assumption when there
are so many by-design opportunities for code to run automatically,
whether the user intended to do so or not.

My point is that this one example here doesn't seem to be a vulnerability if
it requires another vulnerability in order to use it.

Many vulnerabilities fall into that category, often because the extra
requirement was originally seen as sufficient mitigation.
Vulnerabilities don't have to fascilitate primary entry to be
significant; they may escalate access after entry, or allow the active
malware state to persist across Windows sessions, etc.

This isn't a case of combining two vulnerabilities to compromise a
system; it's a case of one unnamed vulnerability being used to
compromise a system, and then the attacker performs some other
action, specifically changing registry values.

If this is a vulnerability, then the ability of Administrators to create new
user accounts, change passwords etc. would also be a vulnerability.

OK, now I'm with you, and I agree with you up to a point. I dunno
where the earlier poster got the notion that Winlogin was there to act
as his "ace in the hole" for controlling malware, as was implied.

That's a different issue than the one we were discussing. The statement
was, winlogon using registry values to execute code at boot time is a
vulnerability. I'm arguing that it is not.

I agree with you that it is not - the problem is the difficulty that
the user faces when trying to regain control over malware that is
using Winlogin and similar integration points.

The safety defect is that:
- these integration points are also effective in Safe Mode
- there is no maintenance OS from which they can be managed

We're told we don't need a HD-independent mOS because we have Safe
Mode, ignoring the possibility that Safe Mode's core code may itself
be infected. Playing along with that assertion, we'd expect Safe Mode
to disable any 3rd-party integration, and would provide a UI through
which these integration points can be managed.

But this is not the case - the safety defect is that once software is
permitted to run on the system, the user lacks the tools to regain
control from that software. Couple that with the Windows propensity
to auto-run material either be design or via defects, and you have
what is one of the most common PC management crises around.

Besides, it's a relatively accepted truism that once an attacker has root,
system or administrator privileges on any OS, it is fairly futile to try to
restrict what actions s/he can perform. Anything a good administrator can
do, a bad administrator can undo.

That's a safety flaw right there.

You're prolly thinking from the pro-IT perspective, where users are
literally wage-slaves - the PC is owned by someone else, the time the
user spends on the PC is owned by someone else, and that someone else
expects to override user control over the system.

So we have the notion of "administrators" vs. "users". Then you'd
need a single administrator to be able to manage multiple PCs without
having to actually waddle over to all those keyboards - so you design
in backdoors to facilitate administration via the network.

Which is fine - in the un-free world of mass business computing.

But the home user owns thier PCs, and there is no-one else who should
have the right to usurp that control. Creditors and police do not
have the right to break in, search, or sieze within the user's home.

So what happens when an OS designed for wage-slavery is dropped into
free homes as-is? Who is the notional "administrator"? Why is the
Internet treated as if it were a closed and professionally-secured
network? There's no "good administratrors" and "bad administrators"
here; just the person at the keyboard who should have full control
over the system, and other nebulous entities on the Internet who
should have zero control over the system.

Whatever some automated process or network visitationb has done to a
system, the home user at the keyboard should be able to undo.

Windows XP Home is simply not designed for free users to assert thier
rights of ownership, and that's a problem deeper than bits and bytes.

------------------ ----- ---- --- -- - - - -

The rights you save may be your own

 

[98 Guy]

(posting this again due to 3-group posting limitation)

Maybe if you're only counting number of vulnerabilities found.

Well isin't that the point?

But on the other hand, there are and always will be more
unpatched vulnerabilities for Windows 98,

Care to provide some evidence that there are currently MORE unpatched
vulnerabilities for 98 vs XP?

because Microsoft is not providing patches for all Windows 98
vulnerabilities.

Only Since July 11. And how many vulnerabilities discovered since
then are really for IE?

And are you aware that the 2K versions of the patched files made
available since July 11 can be used on Win-98?

Windows 98 lacks any ability to set ACL permissions

Privilege escalation vulnerabilities exist for NT-based OS's like XP.
Many systems are configured (for ease of use) for single-user systems
to logon as administrator or have admin rights. ACL permissions are
primarily designed for servers on multi-user networks, not really for
single-user desktop / home computer use.

and you can log into Windows simply by clicking the
"cancel" button at the logon screen. On multi-user systems...

You are talking about "political security" which pertains to
untrustworthy users. The context of this conversation pertains to
unintended or malicious code execution that results in access to the
system through the network and not the local keyboard.

Many large organizations configure their infrastructure so that no
personal or organizational files or data exist on local desktop
machines, and where a correct login name/PW must be used to gain
access to the network. That strategy can be used all the way down to
a 2-desktop network.

all users can read and modify all files belonging to all other
users and to the operating system.

Irrelevant in the context of malware vulnerability. If you have users
of shared systems that seek out private information or intentionally
plant malware on their own system, then you have an HR problem.

NTFS and the ability to log in as limited user accounts has
been shown to drastically reduce the amount of spyware and
adware that gets installed on a system.

A solution that is only viable in institutional/corporate settings and
not for single-user home use.

And availability can be an issue on old and unsupported
software like Windows 98.

Availability of what?

Of new patches and fixes?

Maybe we should wait and see what new vulnerabilities come down the
pipe that are proven to affect 98. Until then, the "not supported"
argument is a red herring.

Regarding hardening XP, the hardening guides from
www.microsoft.com/technet/security are very good.

Too bad that from it's introduction in 2002 until SP2 was belatedly
released in late 2004 that XP systems were practically garanteed to
become infected via direct network exploits and a myriad of other ways
and that many XP systems in residential settings are never updated or
patched by their owners.

 

[cquirke (MVP Windows shell/user)]

Everyone needs to know that all computers are somewhat vulnerable if
they are connected to the Internet no matter what the defense protocol
procedures that are used to safeguard the system(s) and the network(s).

Until someone runs something on the system that initiates traffic,
there's no reason why they should be, unless there's an exploitable
surface in whatever first receives raw TCP/IP packets.

The trouble is, NT is designed to treat the Internet as a network, in
the sense that if you wave the correct credentials, you'd be able to
log in or otherwise interact with the system from "outside". That
adds additional exploitable surfaces.

I can think of NO circumstances where I'd want any Internet entity
that I had not initiated interaction with, to log onto to my PC,
access file shares, or make RPC calls - so why expose those services
at all? There's no "right" credentials to get in because I don't want
*anyone* to get in, so why even process such attempts?

It is indeed a good idea to have user accounts that have less privileges
than the admin. accounts do.

I'd rather have zero possible access from the Internet, be it as admin
or as limited user. The per-user model just isn't that useful,
especially where there is only one user. Why should I pretend to be a
staff of different job descriptions just to use my own PC?

The really sad thing - sadder even than all those games and accounting
apps that won't run unless you're admin - is that end users have no
control over how new user accounts are born. For me, that absolutely
kills the usefullness of user accounts.

I don't feel at all safe when half the files on the system are hidden
from me, where I can't easily tell if I'm in C:\TEMP, C:\D&S...\Temp
or \\BossPC\Windows\Temp, and where I'm expected to "open" files
without any visible cue as to what they will do.

Yet that is the state I'm forced to live with on any newly-created
user account - frankly, I feel safer as admin and "open eyes".

------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)

 

[cquirke (MVP Windows shell/user)]

Thanks for the great replies as usual. I hope someone can answer your
question since I do not know.

AFAIK, what happens is that a copy of the domain's settings are kept
locally, and are used whenever the domain is unreachable. I guess
this copy would be updated whenever the domain is there.

There's also a lot of detail and granularity when different
permissions are combined. Whereas *NIX uses the same structure for
both directory location and permissions, the NT security model does
not - while files within a subtree start with permissions of the
parent (AFAIK), you can change this on a file-by-file basis.

There are easy ways to get really painted into a corner with this
stuff, and one of the common mistakes is to assign rights to
particular users, rather than to a group. It's better to create a
group, set the rights for that group, and then add your user(s) as
members of that group (yes, even if there's only one member). That
way, if you fire Fred and employ Brad, you just drop Fred from the
group and add Brad to it.

Often there will be contexts where different sets of permissions are
simultaneously applied. For example, there are machine permissions,
network permissions, user permissions, etc. so what really happens is
a resultant of these, prompting the question; what trumps what?

In many ways, a sysamin's job is as much about managing users via
Active Directory as it is about managing network resources such as
domain servers. Most businesses large enough to be using AD and
domains will insist on certification (MCSE etc.) before anyone can
touch this stuff. So when this security model is dropped into
consumerland, it's tough... consumers understand physical security
very well, but have zero intuition on business and staff security.

And why should they?

I was working on a machine for a couple of hours that had been messed
big time. I removed some spyware such as cool web junk and wild tangent
junk. The antivirus scanner did not even work -- it had been messed

Yup. I use Bart for those... the learning curve (OK, small wall) is
tougher than one would like, but if you do a lot of this stuff, it's
effort well spent. I expect malware to assume control over the system
I'm trying to clean, and start "from orbit" with Bart, concentrating
on the heavies, before tip-toeing in via Safe Cmd etc.

Safe Cmd is to XP what DOS mode is to Win9x, but there's a far higher
risk of malware being active in Safe Cmd than there is in DOS mode.

Spybot -- Search and Destroy actually was the only scanner that
removed and detected the junk out of all of them I used but that might
have just been because of the order that I ran the scanners in.

Could be... I use 7 av scanners and the usual 2 anti-"spyware"
scanners, then HiJackThis, then I de-bulk the usual malware hangouts
(loose code in C:\, all TIF, Temp), then I drop tools in place and run
'em when I enter Safe Cmd. The av scans shoot to kill, but the
initial anti-"spyware" and HiJackThis are usually look-don't-touch.

Once in Safe Cmd, I re-run SysClean (as some tests don't run when in
Bart), AdAware and Spybot, and this time I let the anti-"spyware"
scanners kill what they find. Then I add Ewido 4 and run that, do a
HiJackThis again, and look for mismatches that suggest a rootkit.

Next is normal Windows, which means I can install tools that require
the Windows Installer, e.g. BitDefender 8 and MS Defender. I add
BitDefender 8 if there's been a lot of traffic and/or the resident av
can't be updated. If the resident av is broken, expired or missing, I
add AVG 7. The I harden settings, set a clean baseline restore point,
and purge all older restore points (Disk Cleanup).

Then I check firewall, and go online to update the scanners and
non-scanning tools that need it (e.g. Spyware Blaster, Ewido,
BitDefender). Before going online, I'd have killed off old Java
versions and rreplaced the latest JRE, ditto Firefox, etc.

installed AVG and proceeded to do a complete scan for viruses in the
system. The system froze up once and I had to pull out the power cord
and reinsert to force a reset -- oh by the way this was an XP
Professional machine --- and guess what -- error at the BIOS level.

What sort of error?

Malware isn't the only thing that can bonk PCs; I didn't mention it,
but every Bart session starts with HD Tune to check physical HD, and
before that comes a few hours in MemTest86.

------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)

 

[cquirke (MVP Windows shell/user)]

Hard to respond to that without examples, but I certainly agree; SP2's
a worthwhile step forward. Anything older is stone dead if connected
as-is, because the firewall's off and both LSASS and RPC are unpatched
(yes, even in SP1a). In this respect, there's no safe-out-the-box
Win2000 at all - I dunno if the last Win2000 SP had fixes for LSASS
and RPC, but there's no firewall built-in.

I'm after safety. I want no "admin shares" whatsoever, I want to see
what I'm dealing with when I work on files, and I don't want the PC
resetting every time there's a system crash or RPC falls over.

The vulnerability is caused due to an error in the Windows Shell and is
exposed via the "setSlice()" method in the WebViewFolderIcon ActiveX
control (webvw.dll). This can e.g. be exploited via Internet Explorer by
a malicious website to corrupt memory by passing specially crafted
arguments to the "setSlice()" method.

I would kill off "View As Web Page" on sight, and thus not be exposed
to this exploit (which I see as a barnacle on a whale of bad design...
why would I want the ability to autorun scripts dropped in any
directory?). WinME does this properly, but Win98xx is slippery and
can fall back to "Web View" so I might kill off the .DLL that operates
the web view "feature", as well as Active Desktop of course.

I'm not sure if XP is using the "Web View" facility or not, as there's
no UI to specifically control it.

Solution:
Set the kill bit for the "WebViewFolderIcon" ActiveX control (see
Microsoft advisory for details).

It seems like new critical security advisories are being posted daily.

Yup. Software complexity meets automated exploit search.

------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)