MS issued advisory, current exploit potential


Dan W.

Roger said:
David H. Lipman said:
From: "MowGreen" <[email protected]>

| I'm sorry for posting that trite media hype. "Massive malware run" my
| butt. At least those who frequent seedy pRon sites were aware of the
| issue.
|
| As Roger and Karl have pointed out there was/is potential for this
| vulnerability to be exploited still, even though MS did a fine job in
| getting the update out in a timely manner.
|
| The only thing massive about the vuln was the shrill hype coming from
| the so-called "Tech media". The "regular" media just follow along since
| the sensational always is good for ratings and sells papers.
|
| Mowa culpa ;)
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|


Sorry guys, I just got a report of a US Gov't. computer getting infected via
this exploit while accessing a US Gov't. web site.

I am not at liberty, in public, to disclose the infected site and the
infector site.

No need to be sorry about anything Dave.
The dust will probably be settling out for some time, especially if the
reports about the cPanel-exploited perpetrator sites are accurate.
MS has over the past couple years done an amazing job at driving
up patch coverage and driving down time to patch, but millions are
likely not in the loop in any timely way.

Roger

Good point, Roger. The only thing that I could see helping is to always
have notification(s) of patches on Microsoft's main web site, which I
think Microsoft already does, and for the mainstream media to get
the word out that it is time to patch your computers. I was certainly
relieved that Microsoft did not wait for the second Tuesday of the month
with this patch --- it certainly looks like it is shaping up to be
potentially really terrible if users do not update their system(s).
 

Dan W.

David said:
From: "Roger Abell [MVP]" <[email protected]>


| No need to be sorry about anything Dave.
| The dust will probably be settling out for some time, especially if the
| reports about the cPanel-exploited perpetrator sites are accurate.
| MS has over the past couple years done an amazing job at driving
| up patch coverage and driving down time to patch, but millions are
| likely not in the loop in any timely way.
|
| Roger
|

Today I got an update. This was a TARGETED attack. A US Gov't. site appears to have been
hacked with the VML in HTML exploit installed with installable malware. Users were sent
emails to go to said site. Being a Gov't. installation, they received email that purported to be
from the Gov't. entity indicating they should visit the compromised Gov't. web site. I was
told 70 Gov't. computers were thusly compromised!

Additionally, the same (nameless) Gov't. installation has been receiving targeted PowerPoint
Exploits in PowerPoint slides. Symantec has been calling them "Trojan.Dropper" and
"Trojan.PPDropper".

It is getting really BAD out there, David. The bad people are stepping
up their efforts to hit all machines especially those connected with
broadband. Take a look at my post where I was briefly compromised and
this has not happened to me in a long time except for a bit of Adware a
little while ago. I want and need a solution to start hitting the bad
people's sites ASAP. An Active and Powerful Firewall that has Offensive
Capabilities must be provided to as many users as possible ASAP. War
has been declared by the hackers (crackers) and we must start hitting
them even harder than they are hitting us now. It is the only solution,
I am afraid that we must start engaging in cyber-warfare with these
machines and not just sit back with this now flawed only purely
defensive strategy. What are the options for the attack vectors, David
and please lead us in the charge to reclaim the Internet for all users.
 

Dan W.

David said:
From: "karl levinson, mvp" <[email protected]>


|
| Yes, absolutely there is SOME real risk.
|
| But on the other hand, I bet that agency was aware of and accepted that
| risk.
|
| I'm guessing that computer was probably not running antivirus with the
| latest definitions.
|
| And the vulnerability used to compromise the web site is probably not
| anything new.
|

No. There is ZERO Acceptable Risk.
Productivity takes a backseat to security.

The computers were up-to-date. See my other reply.

I see them David, and can we take the attacks to the enemy now please. I
am sure we can work this out with the National Security Agency,
Department of Defense, the United States Justice Department and
Microsoft and f. up the crackers (hackers) so bad (their computers I
am referring to -- smile) in comparison to their hits on our machines
that they regret the day they started hitting computers.
 

David H. Lipman

From: "karl levinson, mvp" <[email protected]>

|
| |
|>> Yes, absolutely there is SOME real risk.
|>>
|>> But on the other hand, I bet that agency was aware of and accepted that
|>> risk.
|>>
|>> I'm guessing that computer was probably not running antivirus with the
|>> latest definitions.
|>>
|>> And the vulnerability used to compromise the web site is probably not
|>> anything new.
|>>|
| Wouldn't you have to be inside the agency to know what risk they had and had
| not accepted?


Sorry, I will NOT answer that one :)


< snip >

| There are times when security measures, such as removing a system
| that is vital to a mission or whose absence could jeopardize human
| life, could conflict with the success of the mission.


I repeat. Productivity takes a backseat to security.
 

Dan W.

Wouldn't you have to be inside the agency to know what risk they had and had
not accepted?

Am I misunderstanding? There aren't too many places where productivity
really takes a back seat to security in actual practice. I doubt there is
anywhere on the face of the planet where management does everything that
computer security personnel advise. I'm not sure it's possible to get to
zero acceptable risk; there's always risk, and that risk needs to be
accepted. And some countermeasures increase the risk of other security
issues, like loss of availability at the expense of confidentiality. There
are other countermeasures, such as manually re-configuring millions of
computers, that are possible in theory, but prohibitively expensive to the
point of jeopardizing the mission. The end goal is almost never security
for security's sake, but security that is appropriate to the success of the
mission. There are times when security measures, such as removing a system
that is vital to a mission or whose absence could jeopardize human
life, could conflict with the success of the mission. There are times when
taking a security measure reveals or validates information that should not
be revealed or validated.


But there were workarounds from Microsoft that an organization that serious
about security could choose to implement.

True, Microsoft is very good at providing security, provided the user(s)
can understand the technical nature of security and the importance and
need for many users to start implementing ASAP the multi-layered defense
strategy that Microsoft talks about on TechNet.

(I have to include the 98 general newsgroup on this since there are some
really smart people in that group as well and this issue does indeed
encompass all of Microsoft Windows)
 

Dan W.

David said:
From: "karl levinson, mvp" <[email protected]>

|
| |
|>> Yes, absolutely there is SOME real risk.
|>>
|>> But on the other hand, I bet that agency was aware of and accepted that
|>> risk.
|>>
|>> I'm guessing that computer was probably not running antivirus with the
|>> latest definitions.
|>>
|>> And the vulnerability used to compromise the web site is probably not
|>> anything new.
|>>
|
| Wouldn't you have to be inside the agency to know what risk they had and had
| not accepted?


Sorry, I will NOT answer that one :)


< snip >

| There are times when security measures, such as removing a system
| that is vital to a mission or whose absence could jeopardize human
| life, could conflict with the success of the mission.


I repeat. Productivity takes a backseat to security.

Thank Goodness for that, and a true reason the 9x source code needs to
continue as well, since it may not currently be as secure as the NT
source code but it is safe. Chris Quirke, MVP has talked about this and
it is well documented on the secunia.com website, and I have added my
feedback as well.
 

David H. Lipman

From: "Dan W." <[email protected]>


| Thank Goodness for that and a true reason the 9x source code needs to
| continue as well since it may not currently be as secure as the NT
| source code but it is safe. Chris Quirke, MVP has talked about this and
| it is well-documented from the secunia.com website and I have added my
| feedback as well.

You are in denial. Win9x/ME would have been just as vulnerable in this case and would NOT
have afforded any more protection nor less.
 

Dan W.

David said:
From: "Dan W." <[email protected]>


| Thank Goodness for that and a true reason the 9x source code needs to
| continue as well since it may not currently be as secure as the NT
| source code but it is safe. Chris Quirke, MVP has talked about this and
| it is well-documented from the secunia.com website and I have added my
| feedback as well.

You are in denial. Win9x/ME would have been just as vulnerable in this case and would NOT
have afforded any more protection nor less.

If you say so but the solution is a tri-source code based upon 9x, NT
(New Technology) and open source technology that may be released in a
Windows Classic series to allow people to fully run their older computer
games, educational programs and other software. I am currently in
discussions with Microsoft about this and the feasibility of it and if
you want this then please let Microsoft know about it. I have the
support of the Albuquerque public schools, for whom I work, and hope
soon to get the support of all the public schools in the United States
since many of the schools run 98 Second Edition and XP Professional and
need a 98 Second Edition replacement to run all of their educational
programs for the children. Ladies and gentlemen, I implore you to do
the right thing and support this Classic series and let Microsoft know
you want it for the good of all your children and to help the public
schools save money on replacing all of our older software that is needed
for teaching your children.
 

karl levinson, mvp

If you say so but the solution is a tri-source code based upon 9x, NT (New
Technology) and open source technology that may be released in a Windows
Classic series to allow people to fully run their older computer games,
educational programs and other software. I am currently in discussions
with Microsoft about this and the feasibility of it and if you want this
then please let Microsoft know about it. I have the support of the
Albuquerque public schools, for whom I work, and hope soon to get the
support of all the public schools in the United States since many of the
schools run 98 Second Edition and XP Professional and need a 98 Second
Edition replacement to run all of their educational programs for the
children. Ladies and gentlemen, I implore you to do the right thing and
support this Classic series and let Microsoft know you want it for the
good of all your children and to help the public schools save money on
replacing all of our older software that is needed for teaching your
children.

Sorry, I think it's a terrible idea. Microsoft's security problems are in
part due to the time, trouble and money it costs them to support so many
different software variations. The customers are much better off if
Microsoft picks one code base and runs with it. Windows 98 is only more
secure if you focus on just one very narrow definition of security... and a
new release of Win98 with RPC/DCOM and other things added, who knows how
secure that might be. I don't believe Win98 will make shared lab computers
in public schools more secure. A significant problem for such environments
is insider attacks and privilege escalation attacks. While XP is far from
perfect in this area, at least it tries; Win98 has zero defenses here. The
main advantage of Win98 was the lower cost, but that's not a security
feature. If Win98 is attacked less often, it's because it's becoming less
common. A new release of Win98 would become a popular target of attack.
 

David H. Lipman

From: "karl levinson, mvp" <[email protected]>


|
| Sorry, I think it's a terrible idea. Microsoft's security problems are in
| part due to the time, trouble and money it costs them to support so many
| different software variations. The customers are much better off if
| Microsoft picks one code base and runs with it. Windows 98 is only more
| secure if you focus on just one very narrow definition of security... and a
| new release of Win98 with RPC/DCOM and other things added, who knows how
| secure that might be. I don't believe Win98 will make shared lab computers
| in public schools more secure. A significant problem for such environments
| is insider attacks and privilege escalation attacks. While XP is far from
| perfect in this area, at least it tries; Win98 has zero defenses here. The
| main advantage of Win98 was the lower cost, but that's not a security
| feature. If Win98 is attacked less often, it's because it's becoming less
| common. A new release of Win98 would become a popular target of attack.
|

I am in total agreement with all that you stated Karl.
 

Roger Abell [MVP]

karl levinson said:
Sorry, I think it's a terrible idea. Microsoft's security problems are in
part due to the time, trouble and money it costs them to support so many
different software variations. The customers are much better off if
Microsoft picks one code base and runs with it. Windows 98 is only more
secure if you focus on just one very narrow definition of security... and
a new release of Win98 with RPC/DCOM and other things added, who knows how
secure that might be. I don't believe Win98 will make shared lab
computers in public schools more secure. A significant problem for such
environments is insider attacks and privilege escalation attacks. While
XP is far from perfect in this area, at least it tries; Win98 has zero
defenses here. The main advantage of Win98 was the lower cost, but that's
not a security feature. If Win98 is attacked less often, it's because
it's becoming less common. A new release of Win98 would become a popular
target of attack.

Although I am a server and infrastructure person fundamentally, I do have
a hand in running parts of the student-accessible Windows resources at the
largest university in the US, and from that perspective I am

totally in agreement with your comments Karl
 

Roger Abell [MVP]

David H. Lipman said:
From: "Roger Abell [MVP]" <[email protected]>


| No need to be sorry about anything Dave.
| The dust will probably be settling out for some time, especially if the
| reports about the cPanel-exploited perpetrator sites are accurate.
| MS has over the past couple years done an amazing job at driving
| up patch coverage and driving down time to patch, but millions are
| likely not in the loop in any timely way.
|
| Roger
|

Today I got an update. This was a TARGETED attack. A US Gov't. site
appears to have been hacked with the VML in HTML exploit installed with
installable malware. Users were sent emails to go to said site. Being a
Gov't. installation, they received email that purported to be from the
Gov't. entity indicating they should visit the compromised Gov't. web
site. I was told 70 Gov't. computers were thusly compromised!

Additionally, the same (nameless) Gov't. installation has been receiving
targeted PowerPoint exploits in PowerPoint slides. Symantec has been
calling them "Trojan.Dropper" and "Trojan.PPDropper".

Quite the harbinger of the world we have entered Dave.
We, and other countries, too often appear far too ill-prepared
for an "all fronts" encounter (sorry Karl) with a technically
advanced adversary.

Roger
 

Roger Abell [MVP]

Dan W. said:
Roger said:
David H. Lipman said:
From: "MowGreen" <[email protected]>

| I'm sorry for posting that trite media hype. "Massive malware run" my
| butt. At least those who frequent seedy pRon sites were aware of the
| issue.
|
| As Roger and Karl have pointed out there was/is potential for this
| vulnerability to be exploited still, even though MS did a fine job in
| getting the update out in a timely manner.
|
| The only thing massive about the vuln was the shrill hype coming from
| the so-called "Tech media". The "regular" media just follow along
since
| the sensational always is good for ratings and sells papers.
|
| Mowa culpa ;)
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|


Sorry guys, I just got a report of a US Gov't. computer getting infected via
this exploit while accessing a US Gov't. web site.

I am not at liberty, in public, to disclose the infected site and the
infector site.

No need to be sorry about anything Dave.
The dust will probably be settling out for some time, especially if the
reports about the cPanel-exploited perpetrator sites are accurate.
MS has over the past couple years done an amazing job at driving
up patch coverage and driving down time to patch, but millions are
likely not in the loop in any timely way.

Roger

Good point, Roger. The only thing that I could see helping is to always have
notification(s) of patches on Microsoft's main web site, which I think
Microsoft already does, and for the mainstream media to get the word
out that it is time to patch your computers. I was certainly

They tried leveraging that in the early days of Windows Update.
IMO it turned out terribly, with overly sensational alerts on the
morning business and nightly news, even just for the release of
the scheduled monthly round of patching.
There perhaps needs to be a mechanism between what runs
risks of "cry wolf" syndrome and what relies on self-subscription.

Roger
 

Dan W.

Roger said:
Dan W. said:
Roger said:
From: "MowGreen" <[email protected]>

| I'm sorry for posting that trite media hype. "Massive malware run" my
| butt. At least those who frequent seedy pRon sites were aware of the
| issue.
|
| As Roger and Karl have pointed out there was/is potential for this
| vulnerability to be exploited still, even though MS did a fine job in
| getting the update out in a timely manner.
|
| The only thing massive about the vuln was the shrill hype coming from
| the so-called "Tech media". The "regular" media just follow along
since
| the sensational always is good for ratings and sells papers.
|
| Mowa culpa ;)
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|


Sorry guys, I just got a report of a US Gov't. computer getting infected via
this exploit while accessing a US Gov't. web site.

I am not at liberty, in public, to disclose the infected site and the
infector site.


No need to be sorry about anything Dave.
The dust will probably be settling out for some time, especially if the
reports about the cPanel-exploited perpetrator sites are accurate.
MS has over the past couple years done an amazing job at driving
up patch coverage and driving down time to patch, but millions are
likely not in the loop in any timely way.

Roger
Good point, Roger. The only thing that I could see helping is to always have
notification(s) of patches on Microsoft's main web site, which I think
Microsoft already does, and for the mainstream media to get the word
out that it is time to patch your computers. I was certainly

They tried leveraging that in the early days of Windows Update.
IMO it turned out terribly, with overly sensational alerts on the
morning business and nightly news, even just for the release of
the scheduled monthly round of patching.
There perhaps needs to be a mechanism between what runs
risks of "cry wolf" syndrome and what relies on self-subscription.

Roger
relieved that Microsoft did not wait for the second Tuesday of the month
with this patch --- it certainly looks like it is shaping up to be
potentially really terrible if users do not update their system(s).

I agree and thanks for your views Roger.

Dan W.
Computer User
 

Dan W.

Sorry, I think it's a terrible idea. Microsoft's security problems are in
part due to the time, trouble and money it costs them to support so many
different software variations. The customers are much better off if
Microsoft picks one code base and runs with it. Windows 98 is only more
secure if you focus on just one very narrow definition of security... and a
new release of Win98 with RPC/DCOM and other things added, who knows how
secure that might be. I don't believe Win98 will make shared lab computers
in public schools more secure. A significant problem for such environments
is insider attacks and privilege escalation attacks. While XP is far from
perfect in this area, at least it tries; Win98 has zero defenses here. The
main advantage of Win98 was the lower cost, but that's not a security
feature. If Win98 is attacked less often, it's because it's becoming less
common. A new release of Win98 would become a popular target of attack.

I am referring to a release that combined the elements of the three
source codes into one. If this could be accomplished and leveraged in
order to provide legacy support for Windows 3.1 programs and DOS
programs then this would be great. Chris Quirke talks about the
problems with the NT technology code base.
 

Dan W.

Roger said:
Although I am a server and infrastructure person fundamentally, I do have
a hand in running parts of the student-accessible Windows resources at the
largest university in the US, and from that perspective I am

totally in agreement with your comments Karl

Well, I have the support of the Albuquerque public schools and we need a
solution that is more secure and allows the schools to run older
software despite what you say. It deprives the schools of much needed
funds to have to replace all the older software that works great in
teaching our children. I am following through with Microsoft on this
but thanks anyway.
 

Roger Abell [MVP]

Dan W. said:
Well, I have the support of the Albuquerque public schools and we need a
solution that is more secure and allows the schools to run older software
despite what you say. It deprives the schools of much needed funds to
have to replace all the older software that works great in teaching our
children. I am following through with Microsoft on this but thanks
anyway.

Dan,

What I simply cannot buy into is your repeated comment that
Win 9x is a secure solution. From all I know that is simply not
a supportable claim as Win 9x is an OS without any security
model implemented in it.

If you cannot run the suite of applications on which you rely
within an application compatibility mode, then perhaps you
could within a virtual environment (given that the virtual products
are now free from VMWare and from Microsoft).

I do not see how there could be the hybrid OS that you seem
to be trying to obtain, since the DOS family and the NT family
are fundamentally different at their very roots, so one would
have to select one way or the other of rooting onto the hardware.

Roger
 

Dan W.

Roger said:
Dan,

What I simply cannot buy into is your repeated comment that
Win 9x is a secure solution. From all I know that is simply not
a supportable claim as Win 9x is an OS without any security
model implemented in it.

If you cannot run the suite of applications on which you rely
within an application compatibility mode, then perhaps you
could within a virtual environment (given that the virtual products
are now free from VMWare and from Microsoft).

I do not see how there could be the hybrid OS that you seem
to be trying to obtain, since the DOS family and the NT family
are fundamentally different at their very roots, so one would
have to select one way or the other of rooting onto the hardware.

Roger
Well, if it cannot be a hybrid operating system then just make it
Windows 98 Second Edition and combine the good aspects of Windows
Millennium and add some extra features and you have a Windows Classic
Edition that will appeal to the schools with their old software and the
consumers who want to buy newer machines but still want to play their
old DOS games and programs. I think this is the main reason why Windows
98/98SE continues to have such a large market share. If I had been
smarter, I would have just skipped over XP Professional and waited for
Vista like PCR of the 98 general newsgroup is doing. I know supporting
2 lines of code NT (New Technology) and 9x is expensive for Microsoft
but if they release the Classic Edition of Windows correctly and it
really is good and supports the older Windows 3.1 programs and DOS
programs then it will have selling potential. The school in Albuquerque
is really excited about this as are higher ups in the Albuquerque Public
School District. It is a chance for us to continue to use older
software that still works well and have a new operating system that will
not compete with Vista because it has a different mission and purpose.
I really think Microsoft was stupid for trying to eliminate 9x source
code since people still want to use their older programs that will not
run or run poorly on Vista. Security is not as necessary a requirement
in a school as in a corporation, and anyway the domain is able to stop
many attacks before they even reach the individual computers, so it would
not even matter if there was only one all-purpose account there anyway.
I plan to continue supporting all the Windows 98 Second Edition
computers at our school for as long as possible. I will even branch out
to start fixing 98SE computers at other schools as needed. I feel that
passionate about the importance of providing a good education for our
children and lots of the older educational software that is for Windows
3.1 refuses to run on XP but will run on 98SE. Since Microsoft decided
to end support on July 11, 2006 for 98SE then the public schools are now
fighting for this Classic Edition since they need the older software
that will not run on XP computers. Lesson Plans have been created
incorporating these older programs. I guess no one can understand
unless they are a teacher or perhaps a parent that sends their children
to the public schools.
 

Gerry Hickman

Hi Dan W.,
True, Microsoft is very good at providing security providing the user(s)
can understand the technical nature of security and the importance and
need of many users to start implementing ASAP the multi-layered defense
strategy that Microsoft talks about on TechNet.

Well said.
 

Gerry Hickman

Hi Roger,

I'd be interested to know if the "70 computers compromised" were running
with Admin rights? I work in this sector too and we certainly don't
allow it.
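Added here as an example, not code from any of the posters, is a PowerShell script for the two host-side checks this thread leaves implicit: whether the Microsoft-published interim workaround for the VML flaw (unregistering vgx.dll with regsvr32 -u, one of the "workarounds from Microsoft" Karl refers to) is actually in place on a machine, and whether the logged-on user carries local Administrator rights, which is Gerry's question about the 70 compromised computers. The DLL path under Common Files, the function names and the layout of the result objects are this example's own assumptions; it names no patch or KB number.

```powershell
# Added example for this thread; not code from any poster.
# Check 1: is the VML renderer (vgx.dll) still registered as a COM server?
#   Microsoft's interim workaround for the VML flaw was
#     regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
#   Unregistering removes the CLSID -> InProcServer32 mappings but leaves the
#   file on disk, so the registry, not the file system, tells you the state.
# Check 2: does the interactive user hold local Administrator rights?
# Assumptions: the DLL path below and the shape of the output objects.

function Get-VmlExposure {
    $dllPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
    $present = Test-Path -LiteralPath $dllPath
    $version = if ($present) { (Get-Item -LiteralPath $dllPath).VersionInfo.FileVersion } else { $null }

    # Walk every CLSID and collect those whose in-process server is vgx.dll.
    # After regsvr32 -u these subkeys are gone, so zero hits means the
    # workaround is applied (or the component was never installed).
    $clsidsUsingVgx = @()
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InProcServer32" -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -match 'vgx\.dll') {
                $clsidsUsingVgx += $_.PSChildName
            }
        }

    [pscustomobject]@{
        DllPresent        = $present
        DllVersion        = $version          # compare against the fixed build from the bulletin
        ComRegistered     = ($clsidsUsingVgx.Count -gt 0)
        RegisteredClsids  = $clsidsUsingVgx
        WorkaroundApplied = ($present -and $clsidsUsingVgx.Count -eq 0)
    }
}

function Test-LocalAdminRights {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $adminSid  = 'S-1-5-32-544'
    $inGroup   = ($identity.Groups | ForEach-Object { $_.Value }) -contains $adminSid

    # On a UAC-filtered token the group is listed but deny-only, so IsInRole
    # is false until the process elevates; on the XP-era hosts in this thread
    # there is no UAC and the two answers agree. Report both.
    [pscustomobject]@{
        User            = $identity.Name
        MemberOfAdmins  = $inGroup
        TokenIsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-VmlExposure
Test-LocalAdminRights
```

Run it as the ordinary user whose browser would hit a booby-trapped page: `WorkaroundApplied` false together with `MemberOfAdmins` true is exactly the combination under which a drive-by VML exploit ends in a full-machine compromise rather than a single user profile. Re-registering the DLL after the patch is installed (`regsvr32` without `-u`) will flip `ComRegistered` back to true, which is expected once `DllVersion` shows the fixed build.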
 
